Changeset 168443 in webkit

Timestamp:

May 7, 2014 3:00:10 PM (10 years ago)

Author:

mark.lam@apple.com

Message:

REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
<​https://webkit.org/b/131356>

Reviewed by Geoffrey Garen.

The issue is that GC needs to be made aware of writes to m_inferredValue
in the VariableWatchpointSet, but was not. As a result, if a JSCell*
is written to a VariableWatchpointSet m_inferredValue, and that JSCell
does not survive an eden GC shortly after, we will end up with a stale
JSCell pointer left in the m_inferredValue.

This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
using DumpRenderTree with the VM heap in zombie mode.

The fix is to change VariableWatchpointSet m_inferredValue to type
WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
is executed by all the execution engines so that the WriteBarrier semantics
are honored.

We still check if the value to be written is the same as the one in the
inferredValue. We'll by-pass calling the slow path notifyWrite() if the
values are the same.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):

• need to pass the symbolTable to prepareToWatch() because it will be needed for instantiating the VariableWatchpointSet in prepareToWatch().

• bytecode/VariableWatchpointSet.h:

(JSC::VariableWatchpointSet::VariableWatchpointSet):

• VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.

(JSC::VariableWatchpointSet::inferredValue):
(JSC::VariableWatchpointSet::invalidate):
(JSC::VariableWatchpointSet::finalizeUnconditionally):
(JSC::VariableWatchpointSet::addressOfInferredValue):
(JSC::VariableWatchpointSet::notifyWrite): Deleted.

• bytecode/VariableWatchpointSetInlines.h: Added.

(JSC::VariableWatchpointSet::notifyWrite):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::cellConstant):

• Added an assert in case we try to make constants of zombified JSCells again.

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• We now let the slow path handle the cases when the VariableWatchpointSet is in state ClearWatchpoint and IsWatched, and the slow path will ensure that we handle the needed write barrier semantics correctly. We will by-pass the slow path if the value being written is the same as the inferred value.

• ftl/FTLIntrinsicRepository.h:
• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):

• Let the slow path handle the cases when the VariableWatchpointSet is in state ClearWatchpoint and IsWatched. We will by-pass the slow path if the value being written is the same as the inferred value.

• heap/Heap.cpp:

(JSC::Zombify::operator()):

• Use a different value for the zombified bits (to distinguish it from 0xbbadbeef which is used everywhere else).
• heap/Heap.h:

(JSC::Heap::isZombified):

• Provide a convenience test function to check if JSCells are zombified. This is currently only used in an assertion in the DFG bytecode parser, but the intent it that we'll apply this test in other strategic places later to help with early detection of usage of GC'ed objects when we run in zombie mode.

• jit/JITOpcodes.cpp:

(JSC::JIT::emitSlow_op_captured_mov):

• jit/JITOperations.h:
• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitNotifyWrite):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emitNotifyWrite):
(JSC::JIT::emitSlow_op_put_to_scope):

• Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet is in state ClearWatchpoint and IsWatched. We will by-pass the slow path if the value being written is the same as the inferred value.

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet is in state ClearWatchpoint and IsWatched. We will by-pass the slow path if the value being written is the same as the inferred value.

• runtime/CommonSlowPaths.cpp:

• runtime/JSCJSValue.h: Fixed some typos in the comments.
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::addGlobalVar):
(JSC::JSGlobalObject::addFunction):

• runtime/JSSymbolTableObject.h:

(JSC::symbolTablePut):
(JSC::symbolTablePutWithAttributes):

• runtime/SymbolTable.cpp:

(JSC::SymbolTableEntry::prepareToWatch):
(JSC::SymbolTableEntry::notifyWriteSlow):

• runtime/SymbolTable.h:

(JSC::SymbolTableEntry::notifyWrite):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecode/VariableWatchpointSet.h (modified) (4 diffs)
• bytecode/VariableWatchpointSetInlines.h (added)
• dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT.h (modified) (3 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• ftl/FTLIntrinsicRepository.h (modified) (1 diff)
• ftl/FTLLowerDFGToLLVM.cpp (modified) (2 diffs)
• heap/Heap.cpp (modified) (1 diff)
• heap/Heap.h (modified) (3 diffs)
• jit/JITOpcodes.cpp (modified) (1 diff)
• jit/JITOperations.h (modified) (2 diffs)
• jit/JITPropertyAccess.cpp (modified) (1 diff)
• jit/JITPropertyAccess32_64.cpp (modified) (2 diffs)
• llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)
• runtime/CommonSlowPaths.cpp (modified) (3 diffs)
• runtime/JSCJSValue.h (modified) (2 diffs)
• runtime/JSGlobalObject.cpp (modified) (4 diffs)
• runtime/JSSymbolTableObject.h (modified) (4 diffs)
• runtime/SymbolTable.cpp (modified) (5 diffs)
• runtime/SymbolTable.h (modified) (4 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-05-07  Mark Lam  <mark.lam@apple.com>
+
+        REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
+        <https://webkit.org/b/131356>
+
+        Reviewed by Geoffrey Garen.
+
+        The issue is that GC needs to be made aware of writes to m_inferredValue
+        in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
+        is written to a VariableWatchpointSet m_inferredValue, and that JSCell
+        does not survive an eden GC shortly after, we will end up with a stale
+        JSCell pointer left in the m_inferredValue.
+
+        This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
+        using DumpRenderTree with the VM heap in zombie mode.
+
+        The fix is to change VariableWatchpointSet m_inferredValue to type
+        WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
+        is executed by all the execution engines so that the WriteBarrier semantics
+        are honored.
+
+        We still check if the value to be written is the same as the one in the
+        inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
+        values are the same.        
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::CodeBlock):
+        - need to pass the symbolTable to prepareToWatch() because it will be needed
+          for instantiating the VariableWatchpointSet in prepareToWatch().
+
+        * bytecode/VariableWatchpointSet.h:
+        (JSC::VariableWatchpointSet::VariableWatchpointSet):
+        - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
+          write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
+        (JSC::VariableWatchpointSet::inferredValue):
+        (JSC::VariableWatchpointSet::invalidate):
+        (JSC::VariableWatchpointSet::finalizeUnconditionally):
+        (JSC::VariableWatchpointSet::addressOfInferredValue):
+        (JSC::VariableWatchpointSet::notifyWrite): Deleted.
+        * bytecode/VariableWatchpointSetInlines.h: Added.
+        (JSC::VariableWatchpointSet::notifyWrite):
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::cellConstant):
+        - Added an assert in case we try to make constants of zombified JSCells again.
+
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        - We now let the slow path handle the cases when the VariableWatchpointSet is
+          in state ClearWatchpoint and IsWatched, and the slow path will ensure that
+          we handle the needed write barrier semantics correctly.
+          We will by-pass the slow path if the value being written is the same as the
+          inferred value.
+
+        * ftl/FTLIntrinsicRepository.h:
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
+        - Let the slow path handle the cases when the VariableWatchpointSet is
+          in state ClearWatchpoint and IsWatched.
+          We will by-pass the slow path if the value being written is the same as the
+          inferred value.
+
+        * heap/Heap.cpp:
+        (JSC::Zombify::operator()):
+        - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
+          which is used everywhere else).
+        * heap/Heap.h:
+        (JSC::Heap::isZombified):
+        - Provide a convenience test function to check if JSCells are zombified.  This is
+          currently only used in an assertion in the DFG bytecode parser, but the intent
+          it that we'll apply this test in other strategic places later to help with early
+          detection of usage of GC'ed objects when we run in zombie mode.
+
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emitSlow_op_captured_mov):
+        * jit/JITOperations.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitNotifyWrite):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emitNotifyWrite):
+        (JSC::JIT::emitSlow_op_put_to_scope):
+        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
+          is in state ClearWatchpoint and IsWatched.
+          We will by-pass the slow path if the value being written is the same as the
+          inferred value.
+        
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
+          is in state ClearWatchpoint and IsWatched.
+          We will by-pass the slow path if the value being written is the same as the
+          inferred value.
+        
+        * runtime/CommonSlowPaths.cpp:
+
+        * runtime/JSCJSValue.h: Fixed some typos in the comments.
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::addGlobalVar):
+        (JSC::JSGlobalObject::addFunction):
+        * runtime/JSSymbolTableObject.h:
+        (JSC::symbolTablePut):
+        (JSC::symbolTablePutWithAttributes):
+        * runtime/SymbolTable.cpp:
+        (JSC::SymbolTableEntry::prepareToWatch):
+        (JSC::SymbolTableEntry::notifyWriteSlow):
+        * runtime/SymbolTable.h:
+        (JSC::SymbolTableEntry::notifyWrite):
+
 2014-05-06  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1709 +1709 @@
                 FE4A331F15BD2E07006F54F3 /* VMInspector.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE4A331D15BD2E07006F54F3 /* VMInspector.cpp */; };
                 FE4A332015BD2E07006F54F3 /* VMInspector.h in Headers */ = {isa = PBXBuildFile; fileRef = FE4A331E15BD2E07006F54F3 /* VMInspector.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                FE5248F9191442D900B7FDE4 /* VariableWatchpointSetInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = FE5248F8191442D900B7FDE4 /* VariableWatchpointSetInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FE5932A7183C5A2600A1ECCC /* VMEntryScope.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE5932A5183C5A2600A1ECCC /* VMEntryScope.cpp */; };
                 FE5932A8183C5A2600A1ECCC /* VMEntryScope.h in Headers */ = {isa = PBXBuildFile; fileRef = FE5932A6183C5A2600A1ECCC /* VMEntryScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -3334 +3335 @@
                 FE4A331D15BD2E07006F54F3 /* VMInspector.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = VMInspector.cpp; sourceTree = "<group>"; };
                 FE4A331E15BD2E07006F54F3 /* VMInspector.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VMInspector.h; sourceTree = "<group>"; };
+                FE5248F8191442D900B7FDE4 /* VariableWatchpointSetInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VariableWatchpointSetInlines.h; sourceTree = "<group>"; };
                 FE5932A5183C5A2600A1ECCC /* VMEntryScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = VMEntryScope.cpp; sourceTree = "<group>"; };
                 FE5932A6183C5A2600A1ECCC /* VMEntryScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VMEntryScope.h; sourceTree = "<group>"; };
@@ -5030 +5032 @@
                                 0F426A451460CBAB00131F8F /* ValueRecovery.h */,
                                 0F9181C618415CA50057B669 /* VariableWatchpointSet.h */,
+                                FE5248F8191442D900B7FDE4 /* VariableWatchpointSetInlines.h */,
                                 0F426A461460CBAB00131F8F /* VirtualRegister.h */,
                                 0F919D2215853CDE004A4E7D /* Watchpoint.cpp */,
@@ -5492 +5495 @@
                                 A584032018BFFBE1005A0811 /* InspectorAgent.h in Headers */,
                                 2AABCDE718EF294200002096 /* GCLogging.h in Headers */,
+                                FE5248F9191442D900B7FDE4 /* VariableWatchpointSetInlines.h in Headers */,
                                 C2DA778318E259990066FCB6 /* HeapInlines.h in Headers */,
                                 2AACE63D18CA5A0300ED0191 /* GCActivityCallback.h in Headers */,

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1794 +1794 @@
             SymbolTable::Map::iterator iter = m_symbolTable->find(locker, uid);
             ASSERT(iter != m_symbolTable->end(locker));
-            iter->value.prepareToWatch();
+            iter->value.prepareToWatch(symbolTable());
             instructions[i + 3].u.watchpointSet = iter->value.watchpointSet();
             break;

trunk/Source/JavaScriptCore/bytecode/VariableWatchpointSet.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32 +32 @@
 namespace JSC {
 
+class SymbolTable;
+
 class VariableWatchpointSet : public WatchpointSet {
     friend class LLIntOffsetsExtractor;
 public:
-    VariableWatchpointSet()
+    VariableWatchpointSet(SymbolTable& symbolTable)
         : WatchpointSet(ClearWatchpoint)
+        , m_symbolTable(symbolTable)
     {
     }
@@ -53 +56 @@
     //        either notice that it's invalidated and not install the watchpoint, or
     //        you will have been notified that the watchpoint was fired.
-    JSValue inferredValue() const { return m_inferredValue; }
+    JSValue inferredValue() const { return m_inferredValue.get(); }
     
-    void notifyWrite(JSValue value)
-    {
-        ASSERT(!!value);
-        switch (state()) {
-        case ClearWatchpoint:
-            m_inferredValue = value;
-            startWatching();
-            return;
-
-        case IsWatched:
-            ASSERT(!!m_inferredValue);
-            if (value == m_inferredValue)
-                return;
-            invalidate();
-            return;
-            
-        case IsInvalidated:
-            ASSERT(!m_inferredValue);
-            return;
-        }
-        
-        ASSERT_NOT_REACHED();
-    }
+    inline void notifyWrite(VM&, JSValue);
     
     void invalidate()
     {
-        m_inferredValue = JSValue();
+        m_inferredValue.clear();
         WatchpointSet::invalidate();
     }
@@ -90 +71 @@
         if (!m_inferredValue)
             return;
-        if (!m_inferredValue.isCell())
+        JSValue inferredValue = m_inferredValue.get();
+        if (!inferredValue.isCell())
             return;
-        JSCell* cell = m_inferredValue.asCell();
+        JSCell* cell = inferredValue.asCell();
         if (Heap::isMarked(cell))
             return;
         invalidate();
     }
+
+    WriteBarrier<Unknown>* addressOfInferredValue() { return &m_inferredValue; }
     
-    JSValue* addressOfInferredValue() { return &m_inferredValue; }
-
 private:
-    JSValue m_inferredValue;
+    SymbolTable& m_symbolTable;
+    WriteBarrier<Unknown> m_inferredValue;
 };
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -37 +37 @@
 #include "DFGJITCode.h"
 #include "GetByIdStatus.h"
+#include "Heap.h"
 #include "JSActivation.h"
 #include "JSCInlines.h"
@@ -721 +722 @@
     {
         HashMap<JSCell*, Node*>::AddResult result = m_cellConstantNodes.add(cell, nullptr);
-        if (result.isNewEntry)
+        if (result.isNewEntry) {
+            ASSERT(!Heap::isZombified(cell));
             result.iterator->value = addToGraph(WeakJSConstant, OpInfo(cell));
+        }
         
         return result.iterator->value;

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1019 +1019 @@
 }
 
-void JIT_OPERATION operationInvalidate(ExecState* exec, VariableWatchpointSet* set)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-
-    set->invalidate();
+void JIT_OPERATION operationNotifyWrite(ExecState* exec, VariableWatchpointSet* set, EncodedJSValue encodedValue)
+{
+    VM& vm = exec->vm();
+    NativeCallFrameTracer tracer(&vm, exec);
+    JSValue value = JSValue::decode(encodedValue);
+
+    set->notifyWrite(vm, value);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -125 +125 @@
 char* JIT_OPERATION operationFindSwitchImmTargetForDouble(ExecState*, EncodedJSValue, size_t tableIndex);
 char* JIT_OPERATION operationSwitchString(ExecState*, size_t tableIndex, JSString*);
-void JIT_OPERATION operationInvalidate(ExecState*, VariableWatchpointSet*);
+void JIT_OPERATION operationNotifyWrite(ExecState*, VariableWatchpointSet*, EncodedJSValue);
 
 #if ENABLE(FTL_JIT)

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1145 +1145 @@
     }
 
-    JITCompiler::Call callOperation(V_JITOperation_EVws operation, VariableWatchpointSet* watchpointSet)
-    {
-        m_jit.setupArgumentsWithExecState(TrustedImmPtr(watchpointSet));
-        return appendCall(operation);
-    }
-
     JITCompiler::Call callOperationWithCallFrameRollbackOnException(V_JITOperation_ECb operation, void* pointer)
     {
@@ -1438 +1432 @@
         m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
         return appendCallWithExceptionCheck(operation);
+    }
+
+    JITCompiler::Call callOperation(V_JITOperation_EVwsJ operation, VariableWatchpointSet* watchpointSet, GPRReg arg)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(watchpointSet), arg);
+        return appendCall(operation);
     }
 
@@ -1703 +1703 @@
         m_jit.setupArgumentsWithExecState(arg1, arg2, EABI_32BIT_DUMMY_ARG SH4_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
         return appendCallWithExceptionCheck(operation);
+    }
+
+    JITCompiler::Call callOperation(V_JITOperation_EVwsJ operation, VariableWatchpointSet* watchpointSet, GPRReg argTag, GPRReg argPayload)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(watchpointSet), argPayload, argTag);
+        return appendCall(operation);
     }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3899 +3899 @@
         m_jit.load8(set->addressOfState(), tempGPR);
     
-        JITCompiler::JumpList ready;
-    
-        ready.append(m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated)));
-    
-        if (set->state() == ClearWatchpoint) {
-            JITCompiler::Jump isWatched =
-                m_jit.branch32(JITCompiler::NotEqual, tempGPR, TrustedImm32(ClearWatchpoint));
-        
-            m_jit.store32(valueTagGPR, &set->addressOfInferredValue()->u.asBits.tag);
-            m_jit.store32(valuePayloadGPR, &set->addressOfInferredValue()->u.asBits.payload);
-            m_jit.store8(TrustedImm32(IsWatched), set->addressOfState());
-            ready.append(m_jit.jump());
-        
-            isWatched.link(&m_jit);
-        }
-
-        JITCompiler::Jump definitelyNotEqual = m_jit.branch32(
+        JITCompiler::Jump isDone = m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated));
+        JITCompiler::JumpList notifySlow;
+        notifySlow.append(m_jit.branch32(
             JITCompiler::NotEqual,
-            JITCompiler::AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.payload),
-            valuePayloadGPR);
-        ready.append(m_jit.branch32(
-            JITCompiler::Equal, 
-            JITCompiler::AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.tag),
+            JITCompiler::AbsoluteAddress(set->addressOfInferredValue()->payloadPointer()),
+            valuePayloadGPR));
+        notifySlow.append(m_jit.branch32(
+            JITCompiler::NotEqual, 
+            JITCompiler::AbsoluteAddress(set->addressOfInferredValue()->tagPointer()),
             valueTagGPR));
-        definitelyNotEqual.link(&m_jit);
-    
-        JITCompiler::Jump slowCase = m_jit.branchTest8(
-            JITCompiler::NonZero, JITCompiler::AbsoluteAddress(set->addressOfSetIsNotEmpty()));
-        m_jit.store8(TrustedImm32(IsInvalidated), set->addressOfState());
-        m_jit.store32(
-            TrustedImm32(JSValue::EmptyValueTag),
-            &set->addressOfInferredValue()->u.asBits.tag);
-        m_jit.store32(
-            TrustedImm32(0), &set->addressOfInferredValue()->u.asBits.payload);
-
-        ready.link(&m_jit);
-    
         addSlowPathGenerator(
-            slowPathCall(slowCase, this, operationInvalidate, NoResult, set));
+            slowPathCall(notifySlow, this, operationNotifyWrite, NoResult, set, valueTagGPR, valuePayloadGPR));
+        isDone.link(&m_jit);
     
         noResult(node);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3963 +3963 @@
         m_jit.load8(set->addressOfState(), tempGPR);
     
-        JITCompiler::JumpList ready;
-    
-        ready.append(m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated)));
-    
-        if (set->state() == ClearWatchpoint) {
-            JITCompiler::Jump isWatched =
-                m_jit.branch32(JITCompiler::NotEqual, tempGPR, TrustedImm32(ClearWatchpoint));
-        
-            m_jit.store64(valueGPR, set->addressOfInferredValue());
-            m_jit.store8(TrustedImm32(IsWatched), set->addressOfState());
-            ready.append(m_jit.jump());
-        
-            isWatched.link(&m_jit);
-        }
-    
-        ready.append(m_jit.branch64(
-            JITCompiler::Equal, 
-            JITCompiler::AbsoluteAddress(set->addressOfInferredValue()), valueGPR));
-    
-        JITCompiler::Jump slowCase = m_jit.branchTest8(
-            JITCompiler::NonZero, JITCompiler::AbsoluteAddress(set->addressOfSetIsNotEmpty()));
-        m_jit.store8(TrustedImm32(IsInvalidated), set->addressOfState());
-        m_jit.move(TrustedImm64(JSValue::encode(JSValue())), tempGPR);
-        m_jit.store64(tempGPR, set->addressOfInferredValue());
-
-        ready.link(&m_jit);
+        JITCompiler::Jump isDone =
+            m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated));
+        JITCompiler::Jump slowCase = m_jit.branch64(JITCompiler::NotEqual,
+            JITCompiler::AbsoluteAddress(set->addressOfInferredValue()), valueGPR);
+        isDone.link(&m_jit);
     
         addSlowPathGenerator(
-            slowPathCall(slowCase, this, operationInvalidate, NoResult, set));
-    
+            slowPathCall(slowCase, this, operationNotifyWrite, NoResult, set, valueGPR));
+
         noResult(node);
         break;

trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h

@@ -88 +88 @@
     macro(V_JITOperation_EC, functionType(voidType, intPtr, intPtr)) \
     macro(V_JITOperation_ECb, functionType(voidType, intPtr, intPtr)) \
-    macro(V_JITOperation_EVws, functionType(voidType, intPtr, intPtr)) \
+    macro(V_JITOperation_EVwsJ, functionType(voidType, intPtr, intPtr, int64)) \
     macro(Z_JITOperation_D, functionType(int32, doubleType))
 

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -3287 +3287 @@
         
         LBasicBlock isNotInvalidated = FTL_NEW_BLOCK(m_out, ("NotifyWrite not invalidated case"));
-        LBasicBlock isClear = FTL_NEW_BLOCK(m_out, ("NotifyWrite clear case"));
-        LBasicBlock isWatched = FTL_NEW_BLOCK(m_out, ("NotifyWrite watched case"));
-        LBasicBlock invalidate = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate case"));
-        LBasicBlock invalidateFast = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate fast case"));
-        LBasicBlock invalidateSlow = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate slow case"));
+        LBasicBlock notifySlow = FTL_NEW_BLOCK(m_out, ("NotifyWrite notify slow case"));
         LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("NotifyWrite continuation"));
         
@@ -3300 +3296 @@
             usually(continuation), rarely(isNotInvalidated));
         
-        LBasicBlock lastNext = m_out.appendTo(isNotInvalidated, isClear);
-
-        LValue isClearValue;
-        if (set->state() == ClearWatchpoint)
-            isClearValue = m_out.equal(state, m_out.constInt8(ClearWatchpoint));
-        else
-            isClearValue = m_out.booleanFalse;
-        m_out.branch(isClearValue, unsure(isClear), unsure(isWatched));
-        
-        m_out.appendTo(isClear, isWatched);
-        
-        m_out.store64(value, m_out.absolute(set->addressOfInferredValue()));
-        m_out.store8(m_out.constInt8(IsWatched), m_out.absolute(set->addressOfState()));
-        m_out.jump(continuation);
-        
-        m_out.appendTo(isWatched, invalidate);
-        
+        LBasicBlock lastNext = m_out.appendTo(isNotInvalidated, notifySlow);
+
         m_out.branch(
             m_out.equal(value, m_out.load64(m_out.absolute(set->addressOfInferredValue()))),
-            unsure(continuation), unsure(invalidate));
-        
-        m_out.appendTo(invalidate, invalidateFast);
-        
-        m_out.branch(
-            m_out.notZero8(m_out.load8(m_out.absolute(set->addressOfSetIsNotEmpty()))),
-            rarely(invalidateSlow), usually(invalidateFast));
-        
-        m_out.appendTo(invalidateFast, invalidateSlow);
-        
-        m_out.store64(
-            m_out.constInt64(JSValue::encode(JSValue())),
-            m_out.absolute(set->addressOfInferredValue()));
-        m_out.store8(m_out.constInt8(IsInvalidated), m_out.absolute(set->addressOfState()));
-        m_out.jump(continuation);
-        
-        m_out.appendTo(invalidateSlow, continuation);
-        
-        vmCall(m_out.operation(operationInvalidate), m_callFrame, m_out.constIntPtr(set));
+            unsure(continuation), unsure(notifySlow));
+
+        m_out.appendTo(notifySlow, continuation);
+
+        vmCall(m_out.operation(operationNotifyWrite), m_callFrame, m_out.constIntPtr(set), value);
         m_out.jump(continuation);
         

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -1334 +1334 @@
         void* limit = static_cast<void*>(reinterpret_cast<char*>(cell) + MarkedBlock::blockFor(cell)->cellSize());
         for (; current < limit; current++)
-            *current = reinterpret_cast<void*>(0xbbadbeef);
+            *current = zombifiedBits;
     }
 };

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -2 +2 @@
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2013 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2009, 2013-2014 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -74 +74 @@
 }
 
+static void* const zombifiedBits = reinterpret_cast<void*>(0xdeadbeef);
+
 typedef std::pair<JSValue, WTF::String> ValueStringPair;
 typedef HashCountedSet<JSCell*> ProtectCountSet;
@@ -219 +221 @@
 
     void removeCodeBlock(CodeBlock* cb) { m_codeBlocks.remove(cb); }
+
+    static bool isZombified(JSCell* cell) { return *(void**)cell == zombifiedBits; }
 
 private:

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1203 +1203 @@
     if (!set || set->state() == IsInvalidated)
         return;
+#if USE(JSVALUE32_64)
+    linkSlowCase(iter);
+#endif
     linkSlowCase(iter);
     JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_captured_mov);

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -165 +165 @@
 typedef void JIT_OPERATION (*V_JITOperation_EPZJ)(ExecState*, void*, int32_t, EncodedJSValue);
 typedef void JIT_OPERATION (*V_JITOperation_ESsiJJI)(ExecState*, StructureStubInfo*, EncodedJSValue, EncodedJSValue, StringImpl*);
-typedef void JIT_OPERATION (*V_JITOperation_EVws)(ExecState*, VariableWatchpointSet*);
+typedef void JIT_OPERATION (*V_JITOperation_EVwsJ)(ExecState*, VariableWatchpointSet*, EncodedJSValue);
 typedef void JIT_OPERATION (*V_JITOperation_EZ)(ExecState*, int32_t);
 typedef void JIT_OPERATION (*V_JITOperation_EVm)(ExecState*, VM*);

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -780 +780 @@
     
     load8(set->addressOfState(), scratch);
-    
-    JumpList ready;
-    
-    ready.append(branch32(Equal, scratch, TrustedImm32(IsInvalidated)));
-    
-    if (set->state() == ClearWatchpoint) {
-        Jump isWatched = branch32(NotEqual, scratch, TrustedImm32(ClearWatchpoint));
-        
-        store64(value, set->addressOfInferredValue());
-        store8(TrustedImm32(IsWatched), set->addressOfState());
-        ready.append(jump());
-        
-        isWatched.link(this);
-    }
-    
-    ready.append(branch64(Equal, AbsoluteAddress(set->addressOfInferredValue()), value));
-    addSlowCase(branchTest8(NonZero, AbsoluteAddress(set->addressOfSetIsNotEmpty())));
-    store8(TrustedImm32(IsInvalidated), set->addressOfState());
-    move(TrustedImm64(JSValue::encode(JSValue())), scratch);
-    store64(scratch, set->addressOfInferredValue());
-    
-    ready.link(this);
+    Jump isDone = branch32(Equal, scratch, TrustedImm32(IsInvalidated));
+    addSlowCase(branch64(NotEqual, AbsoluteAddress(set->addressOfInferredValue()), value));
+    isDone.link(this);
 }
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -813 +813 @@
     
     load8(set->addressOfState(), scratch);
-    
-    JumpList ready;
-    
-    ready.append(branch32(Equal, scratch, TrustedImm32(IsInvalidated)));
-    
-    if (set->state() == ClearWatchpoint) {
-        Jump isWatched = branch32(NotEqual, scratch, TrustedImm32(ClearWatchpoint));
-        
-        store32(tag, &set->addressOfInferredValue()->u.asBits.tag);
-        store32(payload, &set->addressOfInferredValue()->u.asBits.payload);
-        store8(TrustedImm32(IsWatched), set->addressOfState());
-        ready.append(jump());
-        
-        isWatched.link(this);
-    }
-
-    Jump definitelyNotEqual = branch32(
-        NotEqual, AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.payload), payload);
-    ready.append(branch32(
-        Equal, AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.tag), tag));
-    definitelyNotEqual.link(this);
-    addSlowCase(branchTest8(NonZero, AbsoluteAddress(set->addressOfSetIsNotEmpty())));
-    store8(TrustedImm32(IsInvalidated), set->addressOfState());
-    store32(
-        TrustedImm32(JSValue::EmptyValueTag), &set->addressOfInferredValue()->u.asBits.tag);
-    store32(TrustedImm32(0), &set->addressOfInferredValue()->u.asBits.payload);
-    
-    ready.link(this);
+    Jump isDone = branch32(Equal, scratch, TrustedImm32(IsInvalidated));
+
+    JumpList notifySlow = branch32(
+        NotEqual, AbsoluteAddress(set->addressOfInferredValue()->payloadPointer()), payload);
+    notifySlow.append(branch32(
+        NotEqual, AbsoluteAddress(set->addressOfInferredValue()->tagPointer()), tag));
+    addSlowCase(notifySlow);
+
+    isDone.link(this);
 }
 
@@ -901 +882 @@
     if ((resolveType == GlobalVar || resolveType == GlobalVarWithVarInjectionChecks)
         && currentInstruction[5].u.watchpointSet->state() != IsInvalidated)
-        linkCount++;
+        linkCount += 2;
     if (!linkCount)
         return;

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -797 +797 @@
     loadb VariableWatchpointSet::m_state[set], scratch
     bieq scratch, IsInvalidated, .done
-    bineq scratch, ClearWatchpoint, .overwrite
-    storei valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set]
-    storei valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set]
-    storeb IsWatched, VariableWatchpointSet::m_state[set]
-    jmp .done
-
-.overwrite:
-    bineq valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set], .definitelyDifferent
-    bieq valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set], .done
-.definitelyDifferent:
-    btbnz VariableWatchpointSet::m_setIsNotEmpty[set], slow
-    storei EmptyValueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set]
-    storei 0, VariableWatchpointSet::m_inferredValue + PayloadOffset[set]
-    storeb IsInvalidated, VariableWatchpointSet::m_state[set]
-
+    bineq valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set], slow
+    bineq valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set], slow
 .done:
 end

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -657 +657 @@
     loadb VariableWatchpointSet::m_state[set], scratch
     bieq scratch, IsInvalidated, .done
-    bineq scratch, ClearWatchpoint, .overwrite
-    storeq value, VariableWatchpointSet::m_inferredValue[set]
-    storeb IsWatched, VariableWatchpointSet::m_state[set]
-    jmp .done
-
-.overwrite:
-    bqeq value, VariableWatchpointSet::m_inferredValue[set], .done
-    btbnz VariableWatchpointSet::m_setIsNotEmpty[set], slow
-    storeq 0, VariableWatchpointSet::m_inferredValue[set]
-    storeb IsInvalidated, VariableWatchpointSet::m_state[set]
-
-.done:    
+    bqneq value, VariableWatchpointSet::m_inferredValue[set], slow
+.done:
 end
 

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -54 +54 @@
 #include "JSCInlines.h"
 #include "StructureRareDataInlines.h"
+#include "VariableWatchpointSetInlines.h"
 #include <wtf/StringPrintStream.h>
 
@@ -263 +264 @@
     JSValue value = OP_C(2).jsValue();
     if (VariableWatchpointSet* set = pc[3].u.watchpointSet)
-        set->notifyWrite(value);
+        set->notifyWrite(vm, value);
     RETURN(value);
 }
@@ -274 +275 @@
     JSValue value = JSFunction::create(vm, codeBlock->functionDecl(pc[2].u.operand), exec->scope());
     if (VariableWatchpointSet* set = pc[3].u.watchpointSet)
-        set->notifyWrite(value);
+        set->notifyWrite(vm, value);
     RETURN(value);
 }

trunk/Source/JavaScriptCore/runtime/JSCJSValue.h

@@ -334 +334 @@
      * This range of NaN space is represented by 64-bit numbers begining with the 16-bit
      * hex patterns 0xFFFE and 0xFFFF - we rely on the fact that no valid double-precision
-     * numbers will begin fall in these ranges.
+     * numbers will fall in these ranges.
      *
      * The top 16-bits denote the type of the encoded JSValue:
@@ -348 +348 @@
      * no encoded double-precision value will begin with the pattern 0x0000 or 0xFFFF.
      * Values must be decoded by reversing this operation before subsequent floating point
-     * operations my be peformed.
+     * operations may be peformed.
      *
      * 32-bit signed integers are marked with the 16-bit tag 0xFFFF.

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2007, 2008, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2007, 2008, 2009, 2014 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *
@@ -116 +116 @@
 #include "StringConstructor.h"
 #include "StringPrototype.h"
+#include "VariableWatchpointSetInlines.h"
 #include "WeakMapConstructor.h"
 #include "WeakMapPrototype.h"
@@ -243 +244 @@
     SymbolTableEntry newEntry(index, (constantMode == IsConstant) ? ReadOnly : 0);
     if (constantMode == IsVariable)
-        newEntry.prepareToWatch();
+        newEntry.prepareToWatch(symbolTable());
     SymbolTable::Map::AddResult result = symbolTable()->add(locker, ident.impl(), newEntry);
     if (result.isNewEntry)
@@ -257 +258 @@
 void JSGlobalObject::addFunction(ExecState* exec, const Identifier& propertyName, JSValue value)
 {
-    removeDirect(exec->vm(), propertyName); // Newly declared functions overwrite existing properties.
+    VM& vm = exec->vm();
+    removeDirect(vm, propertyName); // Newly declared functions overwrite existing properties.
     NewGlobalVar var = addGlobalVar(propertyName, IsVariable);
     registerAt(var.registerNumber).set(exec->vm(), this, value);
     if (var.set)
-        var.set->notifyWrite(value);
+        var.set->notifyWrite(vm, value);
 }
 

trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33 +33 @@
 #include "PropertyDescriptor.h"
 #include "SymbolTable.h"
+#include "VariableWatchpointSetInlines.h"
 
 namespace JSC {
@@ -139 +140 @@
         }
         if (VariableWatchpointSet* set = iter->value.watchpointSet())
-            set->notifyWrite(value);
+            set->notifyWrite(vm, value);
         reg = &object->registerAt(fastEntry.getIndex());
     }
@@ -166 +167 @@
         ASSERT(!entry.isNull());
         if (VariableWatchpointSet* set = entry.watchpointSet())
-            set->notifyWrite(value);
+            set->notifyWrite(vm, value);
         entry.setAttributes(attributes);
         reg = &object->registerAt(entry.getIndex());

trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33 +33 @@
 #include "JSCInlines.h"
 #include "SlotVisitorInlines.h"
+#include "VariableWatchpointSetInlines.h"
 
 namespace JSC {
@@ -66 +67 @@
 }
 
-void SymbolTableEntry::prepareToWatch()
+void SymbolTableEntry::prepareToWatch(SymbolTable* symbolTable)
 {
     FatEntry* entry = inflate();
     if (entry->m_watchpoints)
         return;
-    entry->m_watchpoints = adoptRef(new VariableWatchpointSet());
+    entry->m_watchpoints = adoptRef(new VariableWatchpointSet(*symbolTable));
 }
 
@@ -79 +80 @@
 }
 
-void SymbolTableEntry::notifyWriteSlow(JSValue value)
+void SymbolTableEntry::notifyWriteSlow(VM& vm, JSValue value)
 {
     VariableWatchpointSet* watchpoints = fatEntry()->m_watchpoints.get();
@@ -85 +86 @@
         return;
     
-    watchpoints->notifyWrite(value);
+    watchpoints->notifyWrite(vm, value);
 }
 

trunk/Source/JavaScriptCore/runtime/SymbolTable.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2007, 2008, 2012, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2007, 2008, 2012-2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -219 +219 @@
     JSValue inferredValue();
     
-    void prepareToWatch();
+    void prepareToWatch(SymbolTable*);
     
     void addWatchpoint(Watchpoint*);
@@ -230 +230 @@
     }
     
-    ALWAYS_INLINE void notifyWrite(JSValue value)
+    ALWAYS_INLINE void notifyWrite(VM& vm, JSValue value)
     {
         if (LIKELY(!isFat()))
             return;
-        notifyWriteSlow(value);
+        notifyWriteSlow(vm, value);
     }
     
@@ -258 +258 @@
     
     SymbolTableEntry& copySlow(const SymbolTableEntry&);
-    JS_EXPORT_PRIVATE void notifyWriteSlow(JSValue);
+    JS_EXPORT_PRIVATE void notifyWriteSlow(VM&, JSValue);
     
     bool isFat() const