Changeset 107445 in webkit

Timestamp:

Feb 10, 2012 2:44:09 PM (12 years ago)

Author:

mhahnenberg@apple.com

Message:

Split MarkedSpace into destructor and destructor-free subspaces
​https://bugs.webkit.org/show_bug.cgi?id=77761

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject): Switched over to use destructor-free space.

• heap/Heap.h:

(JSC::Heap::allocatorForObjectWithoutDestructor): Added to give clients (e.g. the JIT) the ability to
pick which subspace they want to allocate out of.
(JSC::Heap::allocatorForObjectWithDestructor): Ditto.
(Heap):
(JSC::Heap::allocateWithDestructor): Added private function for CellAllocator to use.
(JSC):
(JSC::Heap::allocateWithoutDestructor): Ditto.

• heap/MarkedAllocator.cpp: Added the cellsNeedDestruction flag to allocators so that they can allocate

their MarkedBlocks correctly.
(JSC::MarkedAllocator::allocateBlock):

• heap/MarkedAllocator.h:

(JSC::MarkedAllocator::cellsNeedDestruction):
(MarkedAllocator):
(JSC::MarkedAllocator::MarkedAllocator):
(JSC):
(JSC::MarkedAllocator::init): Replaced custom set functions, which were only used upon initialization, with
an init function that does all of that stuff in fewer lines.

• heap/MarkedBlock.cpp:

(JSC::MarkedBlock::create):
(JSC::MarkedBlock::recycle):
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::callDestructor): Templatized, along with specializedSweep and sweepHelper, to make
checking the m_cellsNeedDestructor flag faster and cleaner looking.
(JSC):
(JSC::MarkedBlock::specializedSweep):
(JSC::MarkedBlock::sweep):
(JSC::MarkedBlock::sweepHelper):

• heap/MarkedBlock.h:

(MarkedBlock):
(JSC::MarkedBlock::cellsNeedDestruction):
(JSC):

• heap/MarkedSpace.cpp:

(JSC::MarkedSpace::MarkedSpace):
(JSC::MarkedSpace::resetAllocators):
(JSC::MarkedSpace::canonicalizeCellLivenessData):
(JSC::TakeIfUnmarked::operator()):

• heap/MarkedSpace.h:

(MarkedSpace):
(Subspace):
(JSC::MarkedSpace::allocatorFor): Needed function to differentiate between the two broad subspaces of
allocators.
(JSC):
(JSC::MarkedSpace::destructorAllocatorFor): Ditto.
(JSC::MarkedSpace::allocateWithoutDestructor): Ditto.
(JSC::MarkedSpace::allocateWithDestructor): Ditto.
(JSC::MarkedSpace::forEachBlock):

• jit/JIT.h:
• jit/JITInlineMethods.h: Modified to use the proper allocator for JSFinalObjects and others.

(JSC::JIT::emitAllocateBasicJSObject):
(JSC::JIT::emitAllocateJSFinalObject):
(JSC::JIT::emitAllocateJSFunction):

• runtime/JSArray.cpp:

(JSC):

• runtime/JSArray.h:

(JSArray):
(JSC::JSArray::create):
(JSC):
(JSC::JSArray::tryCreateUninitialized):

• runtime/JSCell.h:

(JSCell):
(JSC):
(NeedsDestructor): Template struct that calculates at compile time whether the class in question requires
destruction or not using the compiler type trait has_trivial_destructor. allocateCell then checks this
constant to decide whether to allocate in the destructor or destructor-free parts of the heap.
(JSC::allocateCell):

• runtime/JSFunction.cpp:

(JSC):

• runtime/JSFunction.h:

(JSFunction):

• runtime/JSObject.cpp:

(JSC):

• runtime/JSObject.h:

(JSNonFinalObject):
(JSC):
(JSFinalObject):
(JSC::JSFinalObject::create):

Source/WebCore:

No new tests.

• bindings/js/JSDOMWindowShell.cpp: Removed old operator new, which was just used in the create

function so that we can use allocateCell instead.
(WebCore):

• bindings/js/JSDOMWindowShell.h:

(WebCore::JSDOMWindowShell::create):
(JSDOMWindowShell):

• bindings/scripts/CodeGeneratorJS.pm: Added destructor back to root JS DOM nodes (e.g. JSNode, etc)

because their destroy functions need to be called, so we don't want the NeedsDestructor struct to
think they don't need destruction due to having empty/trivial destructors.
Removed ASSERT_HAS_TRIVIAL_DESTRUCTOR from all JS DOM wrapper auto-generated objects because their
ancestors now have non-trivial destructors.
(GenerateHeader):
(GenerateImplementation):
(GenerateConstructorDefinition):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• JavaScriptCore/heap/Heap.h (modified) (3 diffs)
• JavaScriptCore/heap/MarkedAllocator.cpp (modified) (1 diff)
• JavaScriptCore/heap/MarkedAllocator.h (modified) (4 diffs)
• JavaScriptCore/heap/MarkedBlock.cpp (modified) (6 diffs)
• JavaScriptCore/heap/MarkedBlock.h (modified) (5 diffs)
• JavaScriptCore/heap/MarkedSpace.cpp (modified) (3 diffs)
• JavaScriptCore/heap/MarkedSpace.h (modified) (4 diffs)
• JavaScriptCore/jit/JIT.h (modified) (1 diff)
• JavaScriptCore/jit/JITInlineMethods.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSArray.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSArray.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSCell.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSFunction.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSFunction.h (modified) (1 diff)
• JavaScriptCore/runtime/JSObject.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSObject.h (modified) (6 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSDOMWindowShell.cpp (modified) (1 diff)
• WebCore/bindings/js/JSDOMWindowShell.h (modified) (2 diffs)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (4 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-02-10  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Split MarkedSpace into destructor and destructor-free subspaces
+        https://bugs.webkit.org/show_bug.cgi?id=77761
+
+        Reviewed by Geoffrey Garen.
+
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject): Switched over to use destructor-free space.
+        * heap/Heap.h:
+        (JSC::Heap::allocatorForObjectWithoutDestructor): Added to give clients (e.g. the JIT) the ability to 
+        pick which subspace they want to allocate out of.
+        (JSC::Heap::allocatorForObjectWithDestructor): Ditto.
+        (Heap):
+        (JSC::Heap::allocateWithDestructor): Added private function for CellAllocator to use.
+        (JSC):
+        (JSC::Heap::allocateWithoutDestructor): Ditto.
+        * heap/MarkedAllocator.cpp: Added the cellsNeedDestruction flag to allocators so that they can allocate 
+        their MarkedBlocks correctly.
+        (JSC::MarkedAllocator::allocateBlock):
+        * heap/MarkedAllocator.h:
+        (JSC::MarkedAllocator::cellsNeedDestruction):
+        (MarkedAllocator):
+        (JSC::MarkedAllocator::MarkedAllocator):
+        (JSC):
+        (JSC::MarkedAllocator::init): Replaced custom set functions, which were only used upon initialization, with
+        an init function that does all of that stuff in fewer lines.
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::create):
+        (JSC::MarkedBlock::recycle):
+        (JSC::MarkedBlock::MarkedBlock):
+        (JSC::MarkedBlock::callDestructor): Templatized, along with specializedSweep and sweepHelper, to make 
+        checking the m_cellsNeedDestructor flag faster and cleaner looking.
+        (JSC):
+        (JSC::MarkedBlock::specializedSweep):
+        (JSC::MarkedBlock::sweep):
+        (JSC::MarkedBlock::sweepHelper):
+        * heap/MarkedBlock.h:
+        (MarkedBlock):
+        (JSC::MarkedBlock::cellsNeedDestruction):
+        (JSC):
+        * heap/MarkedSpace.cpp:
+        (JSC::MarkedSpace::MarkedSpace):
+        (JSC::MarkedSpace::resetAllocators):
+        (JSC::MarkedSpace::canonicalizeCellLivenessData):
+        (JSC::TakeIfUnmarked::operator()):
+        * heap/MarkedSpace.h:
+        (MarkedSpace):
+        (Subspace):
+        (JSC::MarkedSpace::allocatorFor): Needed function to differentiate between the two broad subspaces of 
+        allocators.
+        (JSC):
+        (JSC::MarkedSpace::destructorAllocatorFor): Ditto.
+        (JSC::MarkedSpace::allocateWithoutDestructor): Ditto.
+        (JSC::MarkedSpace::allocateWithDestructor): Ditto.
+        (JSC::MarkedSpace::forEachBlock):
+        * jit/JIT.h:
+        * jit/JITInlineMethods.h: Modified to use the proper allocator for JSFinalObjects and others.
+        (JSC::JIT::emitAllocateBasicJSObject):
+        (JSC::JIT::emitAllocateJSFinalObject):
+        (JSC::JIT::emitAllocateJSFunction):
+        * runtime/JSArray.cpp:
+        (JSC):
+        * runtime/JSArray.h:
+        (JSArray):
+        (JSC::JSArray::create):
+        (JSC):
+        (JSC::JSArray::tryCreateUninitialized):
+        * runtime/JSCell.h:
+        (JSCell):
+        (JSC):
+        (NeedsDestructor): Template struct that calculates at compile time whether the class in question requires 
+        destruction or not using the compiler type trait __has_trivial_destructor. allocateCell then checks this 
+        constant to decide whether to allocate in the destructor or destructor-free parts of the heap.
+        (JSC::allocateCell): 
+        * runtime/JSFunction.cpp:
+        (JSC):
+        * runtime/JSFunction.h:
+        (JSFunction):
+        * runtime/JSObject.cpp:
+        (JSC):
+        * runtime/JSObject.h:
+        (JSNonFinalObject):
+        (JSC):
+        (JSFinalObject):
+        (JSC::JSFinalObject::create):
+
 2012-02-10  Adrienne Walker  <enne@google.com>
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1566 +1566 @@
     void emitAllocateJSFinalObject(T structure, GPRReg resultGPR, GPRReg scratchGPR, MacroAssembler::JumpList& slowPath)
     {
-        MarkedAllocator* allocator = &m_jit.globalData()->heap.allocatorForObject(sizeof(JSFinalObject));
+        MarkedAllocator* allocator = &m_jit.globalData()->heap.allocatorForObjectWithoutDestructor(sizeof(JSFinalObject));
         
         m_jit.loadPtr(&allocator->m_firstFreeCell, resultGPR);

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -96 +96 @@
         inline bool isBusy();
         
-        MarkedAllocator& allocatorForObject(size_t bytes) { return m_objectSpace.allocatorFor(bytes); }
-        void* allocate(size_t);
+        MarkedAllocator& allocatorForObjectWithoutDestructor(size_t bytes) { return m_objectSpace.allocatorFor(bytes); }
+        MarkedAllocator& allocatorForObjectWithDestructor(size_t bytes) { return m_objectSpace.destructorAllocatorFor(bytes); }
         CheckedBoolean tryAllocateStorage(size_t, void**);
         CheckedBoolean tryReallocateStorage(void**, size_t, size_t);
@@ -143 +143 @@
         friend class SlotVisitor;
         friend class CodeBlock;
+        template<typename T> friend void* allocateCell(Heap&);
+
+        void* allocateWithDestructor(size_t);
+        void* allocateWithoutDestructor(size_t);
 
         size_t waterMark();
@@ -335 +339 @@
     }
 
-    inline void* Heap::allocate(size_t bytes)
+    inline void* Heap::allocateWithDestructor(size_t bytes)
     {
         ASSERT(isValidAllocation(bytes));
-        return m_objectSpace.allocate(bytes);
+        return m_objectSpace.allocateWithDestructor(bytes);
+    }
+    
+    inline void* Heap::allocateWithoutDestructor(size_t bytes)
+    {
+        ASSERT(isValidAllocation(bytes));
+        return m_objectSpace.allocateWithoutDestructor(bytes);
     }
     

trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp

@@ -98 +98 @@
     }
     if (block)
-        block = MarkedBlock::recycle(block, m_heap, m_cellSize);
+        block = MarkedBlock::recycle(block, m_heap, m_cellSize, m_cellsNeedDestruction);
     else if (allocationEffort == AllocationCanFail)
         return 0;
     else
-        block = MarkedBlock::create(m_heap, m_cellSize);
+        block = MarkedBlock::create(m_heap, m_cellSize, m_cellsNeedDestruction);
     
     m_markedSpace->didAddBlock(block);

trunk/Source/JavaScriptCore/heap/MarkedAllocator.h

@@ -23 +23 @@
     void zapFreeList();
     size_t cellSize() { return m_cellSize; }
+    bool cellsNeedDestruction() { return m_cellsNeedDestruction; }
     void* allocate();
     Heap* heap() { return m_heap; }
@@ -30 +31 @@
     void addBlock(MarkedBlock*);
     void removeBlock(MarkedBlock*);
-    void setHeap(Heap* heap) { m_heap = heap; }
-    void setCellSize(size_t cellSize) { m_cellSize = cellSize; }
-    void setMarkedSpace(MarkedSpace* space) { m_markedSpace = space; }
+    void init(Heap*, MarkedSpace*, size_t cellSize, bool cellsNeedDestruction);
     
 private:
@@ -44 +43 @@
     DoublyLinkedList<HeapBlock> m_blockList;
     size_t m_cellSize;
+    bool m_cellsNeedDestruction;
     Heap* m_heap;
     MarkedSpace* m_markedSpace;
@@ -52 +52 @@
     , m_currentBlock(0)
     , m_cellSize(0)
+    , m_cellsNeedDestruction(true)
     , m_heap(0)
     , m_markedSpace(0)
 {
 }
-    
+
+inline void MarkedAllocator::init(Heap* heap, MarkedSpace* markedSpace, size_t cellSize, bool cellsNeedDestruction)
+{
+    m_heap = heap;
+    m_markedSpace = markedSpace;
+    m_cellSize = cellSize;
+    m_cellsNeedDestruction = cellsNeedDestruction;
+}
+
 inline void* MarkedAllocator::allocate()
 {

trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -33 +33 @@
 namespace JSC {
 
-MarkedBlock* MarkedBlock::create(Heap* heap, size_t cellSize)
+MarkedBlock* MarkedBlock::create(Heap* heap, size_t cellSize, bool cellsNeedDestruction)
 {
     PageAllocationAligned allocation = PageAllocationAligned::allocate(blockSize, blockSize, OSAllocator::JSGCHeapPages);
     if (!static_cast<bool>(allocation))
         CRASH();
-    return new (NotNull, allocation.base()) MarkedBlock(allocation, heap, cellSize);
-}
-
-MarkedBlock* MarkedBlock::recycle(MarkedBlock* block, Heap* heap, size_t cellSize)
-{
-    return new (NotNull, block) MarkedBlock(block->m_allocation, heap, cellSize);
+    return new (NotNull, allocation.base()) MarkedBlock(allocation, heap, cellSize, cellsNeedDestruction);
+}
+
+MarkedBlock* MarkedBlock::recycle(MarkedBlock* block, Heap* heap, size_t cellSize, bool cellsNeedDestruction)
+{
+    return new (NotNull, block) MarkedBlock(block->m_allocation, heap, cellSize, cellsNeedDestruction);
 }
 
@@ -51 +51 @@
 }
 
-MarkedBlock::MarkedBlock(PageAllocationAligned& allocation, Heap* heap, size_t cellSize)
+MarkedBlock::MarkedBlock(PageAllocationAligned& allocation, Heap* heap, size_t cellSize, bool cellsNeedDestruction)
     : HeapBlock(allocation)
     , m_atomsPerCell((cellSize + atomSize - 1) / atomSize)
     , m_endAtom(atomsPerBlock - m_atomsPerCell + 1)
+    , m_cellsNeedDestruction(cellsNeedDestruction)
     , m_state(New) // All cells start out unmarked.
     , m_heap(heap)
@@ -71 +72 @@
     m_heap->m_destroyedTypeCounts.countVPtr(vptr);
 #endif
-    if (cell->classInfo() != &JSFinalObject::s_info)
-        cell->methodTable()->destroy(cell);
+    ASSERT(cell->classInfo() != &JSFinalObject::s_info);
+    cell->methodTable()->destroy(cell);
 
     cell->zap();
 }
 
-template<MarkedBlock::BlockState blockState, MarkedBlock::SweepMode sweepMode>
+template<MarkedBlock::BlockState blockState, MarkedBlock::SweepMode sweepMode, bool destructorCallNeeded>
 MarkedBlock::FreeCell* MarkedBlock::specializedSweep()
 {
     ASSERT(blockState != Allocated && blockState != FreeListed);
+    ASSERT(destructorCallNeeded || sweepMode != SweepOnly);
 
     // This produces a free list that is ordered in reverse through the block.
@@ -94 +96 @@
             continue;
 
-        if (blockState != New)
+        if (destructorCallNeeded && blockState != New)
             callDestructor(cell);
 
@@ -112 +114 @@
     HEAP_LOG_BLOCK_STATE_TRANSITION(this);
 
+    if (sweepMode == SweepOnly && !m_cellsNeedDestruction)
+        return 0;
+
+    if (m_cellsNeedDestruction)
+        return sweepHelper<true>(sweepMode);
+    return sweepHelper<false>(sweepMode);
+}
+
+template<bool destructorCallNeeded>
+MarkedBlock::FreeCell* MarkedBlock::sweepHelper(SweepMode sweepMode)
+{
     switch (m_state) {
     case New:
         ASSERT(sweepMode == SweepToFreeList);
-        return specializedSweep<New, SweepToFreeList>();
+        return specializedSweep<New, SweepToFreeList, destructorCallNeeded>();
     case FreeListed:
         // Happens when a block transitions to fully allocated.
@@ -125 +138 @@
     case Marked:
         return sweepMode == SweepToFreeList
-            ? specializedSweep<Marked, SweepToFreeList>()
-            : specializedSweep<Marked, SweepOnly>();
+            ? specializedSweep<Marked, SweepToFreeList, destructorCallNeeded>()
+            : specializedSweep<Marked, SweepOnly, destructorCallNeeded>();
     case Zapped:
         return sweepMode == SweepToFreeList
-            ? specializedSweep<Zapped, SweepToFreeList>()
-            : specializedSweep<Zapped, SweepOnly>();
+            ? specializedSweep<Zapped, SweepToFreeList, destructorCallNeeded>()
+            : specializedSweep<Zapped, SweepOnly, destructorCallNeeded>();
     }
 

trunk/Source/JavaScriptCore/heap/MarkedBlock.h

@@ -90 +90 @@
         };
 
-        static MarkedBlock* create(Heap*, size_t cellSize);
-        static MarkedBlock* recycle(MarkedBlock*, Heap*, size_t cellSize);
+        static MarkedBlock* create(Heap*, size_t cellSize, bool cellsNeedDestruction);
+        static MarkedBlock* recycle(MarkedBlock*, Heap*, size_t cellSize, bool cellsNeedDestruction);
         static void destroy(MarkedBlock*);
 
@@ -116 +116 @@
 
         size_t cellSize();
+        bool cellsNeedDestruction();
 
         size_t size();
@@ -160 +161 @@
 
         enum BlockState { New, FreeListed, Allocated, Marked, Zapped };
+        template<bool destructorCallNeeded> FreeCell* sweepHelper(SweepMode = SweepOnly);
 
         typedef char Atom[atomSize];
 
-        MarkedBlock(PageAllocationAligned&, Heap*, size_t cellSize);
+        MarkedBlock(PageAllocationAligned&, Heap*, size_t cellSize, bool cellsNeedDestruction);
         Atom* atoms();
         size_t atomNumber(const void*);
         void callDestructor(JSCell*);
-        template<BlockState, SweepMode> FreeCell* specializedSweep();
+        template<BlockState, SweepMode, bool destructorCallNeeded> FreeCell* specializedSweep();
         
 #if ENABLE(GGC)
@@ -180 +182 @@
         WTF::Bitmap<atomsPerBlock, WTF::BitmapNotAtomic> m_marks;
 #endif
+        bool m_cellsNeedDestruction;
         BlockState m_state;
         Heap* m_heap;
@@ -242 +245 @@
     {
         return m_atomsPerCell * atomSize;
+    }
+
+    inline bool MarkedBlock::cellsNeedDestruction()
+    {
+        return m_cellsNeedDestruction; 
     }
 

trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp

@@ -37 +37 @@
 {
     for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
-        allocatorFor(cellSize).setCellSize(cellSize);
-        allocatorFor(cellSize).setHeap(heap);
-        allocatorFor(cellSize).setMarkedSpace(this);
+        allocatorFor(cellSize).init(heap, this, cellSize, false);
+        destructorAllocatorFor(cellSize).init(heap, this, cellSize, true);
     }
 
     for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
-        allocatorFor(cellSize).setCellSize(cellSize);
-        allocatorFor(cellSize).setHeap(heap);
-        allocatorFor(cellSize).setMarkedSpace(this);
+        allocatorFor(cellSize).init(heap, this, cellSize, false);
+        destructorAllocatorFor(cellSize).init(heap, this, cellSize, true);
     }
 }
@@ -54 +52 @@
     m_nurseryWaterMark = 0;
 
-    for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep)
+    for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
         allocatorFor(cellSize).reset();
+        destructorAllocatorFor(cellSize).reset();
+    }
 
-    for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep)
+    for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
         allocatorFor(cellSize).reset();
+        destructorAllocatorFor(cellSize).reset();
+    }
 }
 
 void MarkedSpace::canonicalizeCellLivenessData()
 {
-    for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep)
+    for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
         allocatorFor(cellSize).zapFreeList();
+        destructorAllocatorFor(cellSize).zapFreeList();
+    }
 
-    for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep)
+    for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
         allocatorFor(cellSize).zapFreeList();
+        destructorAllocatorFor(cellSize).zapFreeList();
+    }
 }
 
@@ -108 +114 @@
         return;
     
-    m_markedSpace->allocatorFor(block->cellSize()).removeBlock(block);
+    m_markedSpace->allocatorFor(block).removeBlock(block);
     m_empties.append(block);
 }

trunk/Source/JavaScriptCore/heap/MarkedSpace.h

@@ -53 +53 @@
 
     MarkedAllocator& allocatorFor(size_t);
-    void* allocate(size_t);
+    MarkedAllocator& allocatorFor(MarkedBlock*);
+    MarkedAllocator& destructorAllocatorFor(size_t);
+    void* allocateWithDestructor(size_t);
+    void* allocateWithoutDestructor(size_t);
     
     void resetAllocators();
@@ -87 +90 @@
     static const size_t impreciseCount = impreciseCutoff / impreciseStep;
 
-    FixedArray<MarkedAllocator, preciseCount> m_preciseSizeClasses;
-    FixedArray<MarkedAllocator, impreciseCount> m_impreciseSizeClasses;
+    struct Subspace {
+        FixedArray<MarkedAllocator, preciseCount> preciseAllocators;
+        FixedArray<MarkedAllocator, impreciseCount> impreciseAllocators;
+    };
+
+    Subspace m_destructorSpace;
+    Subspace m_normalSpace;
+
     size_t m_waterMark;
     size_t m_nurseryWaterMark;
@@ -125 +134 @@
     ASSERT(bytes && bytes <= maxCellSize);
     if (bytes <= preciseCutoff)
-        return m_preciseSizeClasses[(bytes - 1) / preciseStep];
-    return m_impreciseSizeClasses[(bytes - 1) / impreciseStep];
+        return m_normalSpace.preciseAllocators[(bytes - 1) / preciseStep];
+    return m_normalSpace.impreciseAllocators[(bytes - 1) / impreciseStep];
 }
 
-inline void* MarkedSpace::allocate(size_t bytes)
+inline MarkedAllocator& MarkedSpace::allocatorFor(MarkedBlock* block)
+{
+    if (block->cellsNeedDestruction())
+        return destructorAllocatorFor(block->cellSize());
+    return allocatorFor(block->cellSize());
+}
+
+inline MarkedAllocator& MarkedSpace::destructorAllocatorFor(size_t bytes)
+{
+    ASSERT(bytes && bytes <= maxCellSize);
+    if (bytes <= preciseCutoff)
+        return m_destructorSpace.preciseAllocators[(bytes - 1) / preciseStep];
+    return m_destructorSpace.impreciseAllocators[(bytes - 1) / impreciseStep];
+}
+
+inline void* MarkedSpace::allocateWithoutDestructor(size_t bytes)
 {
     return allocatorFor(bytes).allocate();
+}
+
+inline void* MarkedSpace::allocateWithDestructor(size_t bytes)
+{
+    return destructorAllocatorFor(bytes).allocate();
 }
 
@@ -137 +166 @@
 {
     for (size_t i = 0; i < preciseCount; ++i) {
-        m_preciseSizeClasses[i].forEachBlock(functor);
+        m_normalSpace.preciseAllocators[i].forEachBlock(functor);
+        m_destructorSpace.preciseAllocators[i].forEachBlock(functor);
     }
 
     for (size_t i = 0; i < impreciseCount; ++i) {
-        m_impreciseSizeClasses[i].forEachBlock(functor);
+        m_normalSpace.impreciseAllocators[i].forEachBlock(functor);
+        m_destructorSpace.impreciseAllocators[i].forEachBlock(functor);
     }
 

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -336 +336 @@
         void emitWriteBarrier(JSCell* owner, RegisterID value, RegisterID scratch, WriteBarrierMode, WriteBarrierUseKind);
 
-        template<typename ClassType, typename StructureType> void emitAllocateBasicJSObject(StructureType, RegisterID result, RegisterID storagePtr);
+        template<typename ClassType, bool destructor, typename StructureType> void emitAllocateBasicJSObject(StructureType, RegisterID result, RegisterID storagePtr);
         template<typename T> void emitAllocateJSFinalObject(T structure, RegisterID result, RegisterID storagePtr);
         void emitAllocateJSFunction(FunctionExecutable*, RegisterID scopeChain, RegisterID result, RegisterID storagePtr);

trunk/Source/JavaScriptCore/jit/JITInlineMethods.h

@@ -403 +403 @@
 }
 
-template <typename ClassType, typename StructureType> inline void JIT::emitAllocateBasicJSObject(StructureType structure, RegisterID result, RegisterID storagePtr)
-{
-    MarkedAllocator* allocator = &m_globalData->heap.allocatorForObject(sizeof(ClassType));
+template <typename ClassType, bool destructor, typename StructureType> inline void JIT::emitAllocateBasicJSObject(StructureType structure, RegisterID result, RegisterID storagePtr)
+{
+    MarkedAllocator* allocator = 0;
+    if (destructor)
+        allocator = &m_globalData->heap.allocatorForObjectWithDestructor(sizeof(ClassType));
+    else
+        allocator = &m_globalData->heap.allocatorForObjectWithoutDestructor(sizeof(ClassType));
     loadPtr(&allocator->m_firstFreeCell, result);
     addSlowCase(branchTestPtr(Zero, result));
@@ -429 +433 @@
 template <typename T> inline void JIT::emitAllocateJSFinalObject(T structure, RegisterID result, RegisterID scratch)
 {
-    emitAllocateBasicJSObject<JSFinalObject>(structure, result, scratch);
+    emitAllocateBasicJSObject<JSFinalObject, false, T>(structure, result, scratch);
 }
 
 inline void JIT::emitAllocateJSFunction(FunctionExecutable* executable, RegisterID scopeChain, RegisterID result, RegisterID storagePtr)
 {
-    emitAllocateBasicJSObject<JSFunction>(TrustedImmPtr(m_codeBlock->globalObject()->namedFunctionStructure()), result, storagePtr);
+    emitAllocateBasicJSObject<JSFunction, true>(TrustedImmPtr(m_codeBlock->globalObject()->namedFunctionStructure()), result, storagePtr);
 
     // store the function's scope chain

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -43 +43 @@
 
 ASSERT_CLASS_FITS_IN_CELL(JSArray);
+ASSERT_HAS_TRIVIAL_DESTRUCTOR(JSArray);
 
 // Overview of JSArray

trunk/Source/JavaScriptCore/runtime/JSArray.h

@@ -136 +136 @@
         static void finalize(JSCell*);
 
-        static JSArray* create(JSGlobalData& globalData, Structure* structure, unsigned initialLength = 0)
-        {
-            JSArray* array = new (NotNull, allocateCell<JSArray>(globalData.heap)) JSArray(globalData, structure);
-            array->finishCreation(globalData, initialLength);
-            return array;
-        }
+        static JSArray* create(JSGlobalData&, Structure*, unsigned initialLength = 0);
 
         // tryCreateUninitialized is used for fast construction of arrays whose size and
@@ -148 +143 @@
         //   - call 'initializeIndex' for all properties in sequence, for 0 <= i < initialLength.
         //   - called 'completeInitialization' after all properties have been initialized.
-        static JSArray* tryCreateUninitialized(JSGlobalData& globalData, Structure* structure, unsigned initialLength)
-        {
-            JSArray* array = new (NotNull, allocateCell<JSArray>(globalData.heap)) JSArray(globalData, structure);
-            return array->tryFinishCreationUninitialized(globalData, initialLength);
-        }
+        static JSArray* tryCreateUninitialized(JSGlobalData&, Structure*, unsigned initialLength);
 
         JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&, bool throwException);
@@ -300 +291 @@
     };
 
+    inline JSArray* JSArray::create(JSGlobalData& globalData, Structure* structure, unsigned initialLength)
+    {
+        JSArray* array = new (NotNull, allocateCell<JSArray>(globalData.heap)) JSArray(globalData, structure);
+        array->finishCreation(globalData, initialLength);
+        return array;
+    }
+
+    inline JSArray* JSArray::tryCreateUninitialized(JSGlobalData& globalData, Structure* structure, unsigned initialLength)
+    {
+        JSArray* array = new (NotNull, allocateCell<JSArray>(globalData.heap)) JSArray(globalData, structure);
+        return array->tryFinishCreationUninitialized(globalData, initialLength);
+    }
+
     JSArray* asArray(JSValue);
 

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -62 +62 @@
         friend class JSValue;
         friend class MarkedBlock;
+        template<typename T> friend void* allocateCell(Heap&);
 
     public:
@@ -308 +309 @@
     }
 
-    template <typename T> void* allocateCell(Heap& heap)
+#if COMPILER(CLANG)
+    template<class T>
+    struct NeedsDestructor {
+        static const bool value = !__has_trivial_destructor(T);
+    };
+#else
+    // Write manual specializations for this struct template if you care about non-clang compilers.
+    template<class T>
+    struct NeedsDestructor {
+        static const bool value = true;
+    };
+#endif
+
+    template<typename T>
+    void* allocateCell(Heap& heap)
     {
 #if ENABLE(GC_VALIDATION)
@@ -315 +330 @@
         heap.globalData()->setInitializingObject(true);
 #endif
-        JSCell* result = static_cast<JSCell*>(heap.allocate(sizeof(T)));
+        JSCell* result = 0;
+        if (NeedsDestructor<T>::value)
+            result = static_cast<JSCell*>(heap.allocateWithDestructor(sizeof(T)));
+        else {
+            ASSERT(T::s_info.methodTable.destroy == JSCell::destroy);
+            result = static_cast<JSCell*>(heap.allocateWithoutDestructor(sizeof(T)));
+        }
         result->clearStructure();
         return result;

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -51 +51 @@
 
 ASSERT_CLASS_FITS_IN_CELL(JSFunction);
+ASSERT_HAS_TRIVIAL_DESTRUCTOR(JSFunction);
 
 const ClassInfo JSFunction::s_info = { "Function", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(JSFunction) };
@@ -107 +108 @@
     setStructure(exec->globalData(), scopeChainNode->globalObject->namedFunctionStructure());
     putDirectOffset(exec->globalData(), scopeChainNode->globalObject->functionNameOffset(), executable->nameValue());
-}
-
-void JSFunction::destroy(JSCell* cell)
-{
-    JSFunction* thisObject = jsCast<JSFunction*>(cell);
-    ASSERT(thisObject->classInfo()->isSubClassOf(&JSFunction::s_info));
-    thisObject->JSFunction::~JSFunction();
 }
 

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -65 +65 @@
         }
         
-        static void destroy(JSCell*);
-
         JS_EXPORT_PRIVATE const UString& name(ExecState*);
         JS_EXPORT_PRIVATE const UString displayName(ExecState*);

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -49 +49 @@
 
 ASSERT_HAS_TRIVIAL_DESTRUCTOR(JSObject);
+ASSERT_HAS_TRIVIAL_DESTRUCTOR(JSFinalObject);
 
 const char* StrictModeReadonlyPropertyWriteError = "Attempted to assign to readonly property.";
@@ -55 +56 @@
 
 const ClassInfo JSFinalObject::s_info = { "Object", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(JSFinalObject) };
-
-void JSFinalObject::destroy(JSCell* cell)
-{
-    jsCast<JSFinalObject*>(cell)->JSFinalObject::~JSFinalObject();
-}
-
-void JSNonFinalObject::destroy(JSCell* cell)
-{
-    jsCast<JSNonFinalObject*>(cell)->JSNonFinalObject::~JSNonFinalObject();
-}
 
 static inline void getClassPropertyNames(ExecState* exec, const ClassInfo* classInfo, PropertyNameArray& propertyNames, EnumerationMode mode)
@@ -83 +74 @@
         }
     }
-}
-
-void JSObject::destroy(JSCell* cell)
-{
-    jsCast<JSObject*>(cell)->JSObject::~JSObject();
 }
 

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -85 +85 @@
         typedef JSCell Base;
 
-        JS_EXPORT_PRIVATE static void destroy(JSCell*);
-
         JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
 
@@ -324 +322 @@
         }
 
-        JS_EXPORT_PRIVATE static void destroy(JSCell*);
-
     protected:
         explicit JSNonFinalObject(JSGlobalData& globalData, Structure* structure)
@@ -344 +340 @@
     };
 
+    class JSFinalObject;
+
     // JSFinalObject is a type of JSObject that contains sufficent internal
     // storage to fully make use of the colloctor cell containing it.
@@ -352 +350 @@
         typedef JSObject Base;
 
-        static JSFinalObject* create(ExecState* exec, Structure* structure)
-        {
-            JSFinalObject* finalObject = new (NotNull, allocateCell<JSFinalObject>(*exec->heap())) JSFinalObject(exec->globalData(), structure);
-            finalObject->finishCreation(exec->globalData());
-            return finalObject;
-        }
-
+        static JSFinalObject* create(ExecState*, Structure*);
         static Structure* createStructure(JSGlobalData& globalData, JSGlobalObject* globalObject, JSValue prototype)
         {
@@ -375 +367 @@
         }
 
-        static void destroy(JSCell*);
-
     private:
         explicit JSFinalObject(JSGlobalData& globalData, Structure* structure)
@@ -387 +377 @@
         WriteBarrierBase<Unknown> m_inlineStorage[JSFinalObject_inlineStorageCapacity];
     };
+
+inline JSFinalObject* JSFinalObject::create(ExecState* exec, Structure* structure)
+{
+    JSFinalObject* finalObject = new (NotNull, allocateCell<JSFinalObject>(*exec->heap())) JSFinalObject(exec->globalData(), structure);
+    finalObject->finishCreation(exec->globalData());
+    return finalObject;
+}
 
 inline bool isJSFinalObject(JSCell* cell)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-02-10  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Split MarkedSpace into destructor and destructor-free subspaces
+        https://bugs.webkit.org/show_bug.cgi?id=77761
+
+        Reviewed by Geoffrey Garen.
+
+        No new tests.
+
+        * bindings/js/JSDOMWindowShell.cpp: Removed old operator new, which was just used in the create
+        function so that we can use allocateCell instead.
+        (WebCore):
+        * bindings/js/JSDOMWindowShell.h:
+        (WebCore::JSDOMWindowShell::create):
+        (JSDOMWindowShell):
+        * bindings/scripts/CodeGeneratorJS.pm: Added destructor back to root JS DOM nodes (e.g. JSNode, etc)
+        because their destroy functions need to be called, so we don't want the NeedsDestructor struct to 
+        think they don't need destruction due to having empty/trivial destructors.
+        Removed ASSERT_HAS_TRIVIAL_DESTRUCTOR from all JS DOM wrapper auto-generated objects because their 
+        ancestors now have non-trivial destructors. 
+        (GenerateHeader):
+        (GenerateImplementation):
+        (GenerateConstructorDefinition):
+
 2012-02-10  Anders Carlsson  <andersca@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowShell.cpp

@@ -150 +150 @@
 }
 
-void* JSDOMWindowShell::operator new(size_t size)
-{
-    Heap& heap = JSDOMWindow::commonJSGlobalData()->heap;
-#if ENABLE(GC_VALIDATION)
-    ASSERT(!heap.globalData()->isInitializingObject());
-    heap.globalData()->setInitializingObject(true);
-#endif
-    return heap.allocate(size);
-}
-
 // ----
 // Conversion methods

trunk/Source/WebCore/bindings/js/JSDOMWindowShell.h

@@ -59 +59 @@
         static JSDOMWindowShell* create(PassRefPtr<DOMWindow> window, JSC::Structure* structure, DOMWrapperWorld* world) 
         {
-            JSDOMWindowShell* shell = new JSDOMWindowShell(structure, world);
+            JSC::Heap& heap = JSDOMWindow::commonJSGlobalData()->heap;
+            JSDOMWindowShell* shell = new (NotNull, JSC::allocateCell<JSDOMWindowShell>(heap)) JSDOMWindowShell(structure, world);
             shell->finishCreation(*world->globalData(), window);
             return shell; 
@@ -76 +77 @@
 
     private:
-        void* operator new(size_t);
         static const unsigned StructureFlags = JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | Base::StructureFlags;
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -795 +795 @@
     if (!$hasParent) {
         push(@headerContent, "    static void destroy(JSC::JSCell*);\n");
+        push(@headerContent, "    ~${className}();\n");
     }
 
@@ -1341 +1342 @@
 
     push(@implContent, "ASSERT_CLASS_FITS_IN_CELL($className);\n");
-    if ($interfaceName ne "DOMWindow" && !$dataNode->extendedAttributes->{"IsWorkerContext"}) {
-        push(@implContent, "ASSERT_HAS_TRIVIAL_DESTRUCTOR($className);\n\n");
-    }
 
     my $numAttributes = GenerateAttributesHashTable($object, $dataNode);
@@ -1616 +1614 @@
         push(@implContent, "{\n");
         push(@implContent, "    ${className}* thisObject = jsCast<${className}*>(cell);\n");
-        push(@implContent, "    thisObject->releaseImplIfNotNull();\n");
+        push(@implContent, "    thisObject->${className}::~${className}();\n");
+        push(@implContent, "}\n\n");
+
+        # We also need a destructor for the allocateCell to work properly with the destructor-free part of the heap.
+        # Otherwise, these destroy functions/destructors won't get called.
+        push(@implContent, "${className}::~${className}()\n");
+        push(@implContent, "{\n");
+        push(@implContent, "    releaseImplIfNotNull();\n");
         push(@implContent, "}\n\n");
     }
@@ -3371 +3376 @@
         push(@$outputArray, "}\n\n");
     } else {
-        push(@$outputArray, "ASSERT_HAS_TRIVIAL_DESTRUCTOR(${constructorClassName});\n\n");
-
         push(@$outputArray, "const ClassInfo ${constructorClassName}::s_info = { \"${visibleClassName}Constructor\", &Base::s_info, &${constructorClassName}Table, 0, CREATE_METHOD_TABLE($constructorClassName) };\n\n");
         push(@$outputArray, "${constructorClassName}::${constructorClassName}(Structure* structure, JSDOMGlobalObject* globalObject)\n");