Changeset 123417 in webkit

Timestamp:

Jul 23, 2012 7:13:19 PM (12 years ago)

Author:

fpizlo@apple.com

Message:

Property storage should grow in reverse address direction, to support butterflies
​https://bugs.webkit.org/show_bug.cgi?id=91788

Reviewed by Geoffrey Garen.

Changes property storage to grow to the left, and changes the property storage pointer to point
one 8-byte word (i.e. JSValue) to the right of the first value in the storage.

Also improved debug support somewhat, by adding a describe() function to the jsc command-line,
and a slow mode of object access in LLInt.

• assembler/ARMv7Assembler.h:

(JSC::ARMv7Assembler::repatchCompact):

• assembler/MacroAssemblerARMv7.h:

(MacroAssemblerARMv7):
(JSC::MacroAssemblerARMv7::isCompactPtrAlignedAddressOffset):
(JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):

• assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::isCompactPtrAlignedAddressOffset):
(JSC::MacroAssemblerX86Common::repatchCompact):

• assembler/X86Assembler.h:

(JSC::X86Assembler::repatchCompact):

• bytecode/CodeBlock.cpp:

(JSC::dumpStructure):

• bytecode/GetByIdStatus.h:

(JSC::GetByIdStatus::GetByIdStatus):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGRepatch.cpp:

(JSC::DFG::tryCacheGetByID):
(JSC::DFG::emitPutTransitionStub):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• heap/ConservativeRoots.cpp:

(JSC::ConservativeRoots::genericAddPointer):

• heap/CopiedSpace.h:

(CopiedSpace):

• heap/CopiedSpaceInlineMethods.h:

(JSC::CopiedSpace::pinIfNecessary):
(JSC):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::compileGetDirectOffset):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::compileGetDirectOffset):

• jit/JITStubs.cpp:

(JSC::JITThunks::tryCacheGetByID):

• jsc.cpp:

(GlobalObject::finishCreation):
(functionDescribe):

• llint/LLIntCommon.h:
• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/JSObject.cpp:

(JSC::JSObject::visitChildren):
(JSC::JSFinalObject::visitChildren):
(JSC::JSObject::growOutOfLineStorage):

• runtime/JSObject.h:

(JSC::JSObject::getDirectLocation):
(JSC::JSObject::offsetForLocation):

• runtime/JSValue.h:

(JSValue):

• runtime/PropertyOffset.h:

(JSC::offsetInOutOfLineStorage):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• assembler/ARMv7Assembler.h (modified) (1 diff)
• assembler/MacroAssemblerARMv7.h (modified) (2 diffs)
• assembler/MacroAssemblerX86Common.h (modified) (2 diffs)
• assembler/X86Assembler.h (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecode/GetByIdStatus.h (modified) (2 diffs)
• dfg/DFGOperations.cpp (modified) (2 diffs)
• dfg/DFGOperations.h (modified) (1 diff)
• dfg/DFGRepatch.cpp (modified) (3 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• heap/ConservativeRoots.cpp (modified) (1 diff)
• heap/CopiedSpace.h (modified) (1 diff)
• heap/CopiedSpaceInlineMethods.h (modified) (1 diff)
• jit/JITPropertyAccess.cpp (modified) (2 diffs)
• jit/JITPropertyAccess32_64.cpp (modified) (2 diffs)
• jit/JITStubs.cpp (modified) (1 diff)
• jsc.cpp (modified) (3 diffs)
• llint/LLIntCommon.h (modified) (1 diff)
• llint/LLIntSlowPaths.cpp (modified) (2 diffs)
• llint/LowLevelInterpreter32_64.asm (modified) (2 diffs)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)
• runtime/JSObject.cpp (modified) (4 diffs)
• runtime/JSObject.h (modified) (3 diffs)
• runtime/JSValue.h (modified) (1 diff)
• runtime/PropertyOffset.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-07-23  Filip Pizlo  <fpizlo@apple.com>
+
+        Property storage should grow in reverse address direction, to support butterflies
+        https://bugs.webkit.org/show_bug.cgi?id=91788
+
+        Reviewed by Geoffrey Garen.
+
+        Changes property storage to grow to the left, and changes the property storage pointer to point
+        one 8-byte word (i.e. JSValue) to the right of the first value in the storage.
+        
+        Also improved debug support somewhat, by adding a describe() function to the jsc command-line,
+        and a slow mode of object access in LLInt.
+
+        * assembler/ARMv7Assembler.h:
+        (JSC::ARMv7Assembler::repatchCompact):
+        * assembler/MacroAssemblerARMv7.h:
+        (MacroAssemblerARMv7):
+        (JSC::MacroAssemblerARMv7::isCompactPtrAlignedAddressOffset):
+        (JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86Common::isCompactPtrAlignedAddressOffset):
+        (JSC::MacroAssemblerX86Common::repatchCompact):
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::repatchCompact):
+        * bytecode/CodeBlock.cpp:
+        (JSC::dumpStructure):
+        * bytecode/GetByIdStatus.h:
+        (JSC::GetByIdStatus::GetByIdStatus):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::tryCacheGetByID):
+        (JSC::DFG::emitPutTransitionStub):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * heap/ConservativeRoots.cpp:
+        (JSC::ConservativeRoots::genericAddPointer):
+        * heap/CopiedSpace.h:
+        (CopiedSpace):
+        * heap/CopiedSpaceInlineMethods.h:
+        (JSC::CopiedSpace::pinIfNecessary):
+        (JSC):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::compileGetDirectOffset):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::compileGetDirectOffset):
+        * jit/JITStubs.cpp:
+        (JSC::JITThunks::tryCacheGetByID):
+        * jsc.cpp:
+        (GlobalObject::finishCreation):
+        (functionDescribe):
+        * llint/LLIntCommon.h:
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::visitChildren):
+        (JSC::JSFinalObject::visitChildren):
+        (JSC::JSObject::growOutOfLineStorage):
+        * runtime/JSObject.h:
+        (JSC::JSObject::getDirectLocation):
+        (JSC::JSObject::offsetForLocation):
+        * runtime/JSValue.h:
+        (JSValue):
+        * runtime/PropertyOffset.h:
+        (JSC::offsetInOutOfLineStorage):
+
 2012-07-23  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/assembler/ARMv7Assembler.h

@@ -2096 +2096 @@
     }
     
-    static void repatchCompact(void* where, int32_t value)
-    {
-        ASSERT(value >= 0);
-        ASSERT(ARMThumbImmediate::makeUInt12(value).isUInt7());
-        setUInt7ForLoad(where, ARMThumbImmediate::makeUInt12(value));
+    static void repatchCompact(void* where, int32_t offset)
+    {
+        ASSERT(offset >= -255 && offset <= 255);
+
+        bool add = true;
+        if (offset < 0) {
+            add = false;
+            offset = -offset;
+        }
+        
+        offset |= (add << 9);
+        offset |= (1 << 10);
+        offset |= (1 << 11);
+
+        uint16_t* location = reinterpret_cast<uint16_t*>(where);
+        location[1] &= ~((1 << 12) - 1);
+        location[1] |= offset;
+        cacheFlush(location, sizeof(uint16_t) * 2);
     }
 

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h

@@ -54 +54 @@
     typedef ARMv7Assembler::JumpType JumpType;
     typedef ARMv7Assembler::JumpLinkType JumpLinkType;
-    // Magic number is the biggest useful offset we can get on ARMv7 with
-    // a LDR_imm_T2 encoding
-    static const int MaximumCompactPtrAlignedAddressOffset = 124;
-    
+
+    static bool isCompactPtrAlignedAddressOffset(ptrdiff_t value)
+    {
+        return value >= -255 && value <= 255;
+    }
+
     Vector<LinkRecord>& jumpsToLink() { return m_assembler.jumpsToLink(); }
     void* unlinkedCode() { return m_assembler.unlinkedCode(); }
@@ -643 +645 @@
     }
     
-    // FIXME: we should be able to plant a compact load relative to/from any base/dest register.
     DataLabelCompact load32WithCompactAddressOffsetPatch(Address address, RegisterID dest)
     {
         RegisterID base = address.base;
         
-        if (base >= ARMRegisters::r8) {
-            move(base, addressTempRegister);
-            base = addressTempRegister;
-        }
-
         DataLabelCompact label(this);
-        ASSERT(address.offset >= 0);
-        ASSERT(address.offset <= MaximumCompactPtrAlignedAddressOffset);
-        ASSERT(ARMThumbImmediate::makeUInt12(address.offset).isUInt7());
-
-        if (dest >= ARMRegisters::r8) {
-            m_assembler.ldrCompact(addressTempRegister, base, ARMThumbImmediate::makeUInt12(address.offset));
-            move(addressTempRegister, dest);
-        } else
-            m_assembler.ldrCompact(dest, base, ARMThumbImmediate::makeUInt12(address.offset));
+        ASSERT(isCompactPtrAlignedAddressOffset(address.offset));
+
+        m_assembler.ldr(dest, base, address.offset, true, false);
         return label;
     }

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

@@ -48 +48 @@
     typedef X86Assembler::XMMRegisterID XMMRegisterID;
     
-    static const int MaximumCompactPtrAlignedAddressOffset = 127;
+    static bool isCompactPtrAlignedAddressOffset(ptrdiff_t value)
+    {
+        return value >= -128 && value <= 127;
+    }
 
     enum RelationalCondition {
@@ -495 +498 @@
     static void repatchCompact(CodeLocationDataLabelCompact dataLabelCompact, int32_t value)
     {
-        ASSERT(value >= 0);
-        ASSERT(value < MaximumCompactPtrAlignedAddressOffset);
+        ASSERT(isCompactPtrAlignedAddressOffset(value));
         AssemblerType_T::repatchCompact(dataLabelCompact.dataLocation(), value);
     }

trunk/Source/JavaScriptCore/assembler/X86Assembler.h

@@ -1830 +1830 @@
     static void repatchCompact(void* where, int32_t value)
     {
-        ASSERT(value >= 0);
+        ASSERT(value >= std::numeric_limits<int8_t>::min());
         ASSERT(value <= std::numeric_limits<int8_t>::max());
         setInt8(where, value);

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -256 +256 @@
     dataLog("%s = %p", name, structure);
     
-    size_t offset = structure->get(exec->globalData(), ident);
-    if (offset != notFound)
-        dataLog(" (offset = %lu)", static_cast<unsigned long>(offset));
+    PropertyOffset offset = structure->get(exec->globalData(), ident);
+    if (offset != invalidOffset)
+        dataLog(" (offset = %d)", offset);
 }
 #endif

trunk/Source/JavaScriptCore/bytecode/GetByIdStatus.h

@@ -54 +54 @@
     GetByIdStatus(
         State state, bool wasSeenInJIT, const StructureSet& structureSet = StructureSet(),
-        size_t offset = invalidOffset, JSValue specificValue = JSValue(), Vector<Structure*> chain = Vector<Structure*>())
+        PropertyOffset offset = invalidOffset, JSValue specificValue = JSValue(), Vector<Structure*> chain = Vector<Structure*>())
         : m_state(state)
         , m_structureSet(structureSet)
@@ -62 +62 @@
         , m_wasSeenInJIT(wasSeenInJIT)
     {
-        ASSERT((state == Simple) == (offset != notFound));
+        ASSERT((state == Simple) == (offset != invalidOffset));
     }
     

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1249 +1249 @@
     if (!globalData.heap.tryAllocateStorage(initialOutOfLineCapacity * sizeof(JSValue), &result))
         CRASH();
-    return reinterpret_cast<char*>(result);
+    return reinterpret_cast<char*>(reinterpret_cast<JSValue*>(result) + initialOutOfLineCapacity + 1);
 }
 
@@ -1258 +1258 @@
     if (!globalData.heap.tryAllocateStorage(newSize, &result))
         CRASH();
-    return reinterpret_cast<char*>(result);
+    return reinterpret_cast<char*>(reinterpret_cast<JSValue*>(result) + 1) + newSize;
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -107 +107 @@
 typedef char* DFG_OPERATION (*P_DFGOperation_E)(ExecState*);
 typedef char* DFG_OPERATION (*P_DFGOperation_ES)(ExecState*, size_t);
+typedef char* DFG_OPERATION (*P_DFGOperation_EPS)(ExecState*, void*, size_t);
 
 // These routines are provide callbacks out to C++ implementations of operations too complex to JIT.

trunk/Source/JavaScriptCore/dfg/DFGRepatch.cpp

@@ -302 +302 @@
     // Optimize self access.
     if (slot.slotBase() == baseValue) {
-        if ((slot.cachedPropertyType() != PropertySlot::Value) || ((slot.cachedOffset() * sizeof(JSValue)) > (unsigned)MacroAssembler::MaximumCompactPtrAlignedAddressOffset)) {
+        if ((slot.cachedPropertyType() != PropertySlot::Value)
+            || !MacroAssembler::isCompactPtrAlignedAddressOffset(offsetRelativeToPatchedStorage(slot.cachedOffset()))) {
             dfgRepatchCall(codeBlock, stubInfo.callReturnLocation, operationGetByIdBuildList);
             return true;
@@ -825 +826 @@
             stubJit.negPtr(scratchGPR1);
             stubJit.addPtr(MacroAssembler::AbsoluteAddress(&copiedAllocator->m_currentPayloadEnd), scratchGPR1);
-            stubJit.subPtr(MacroAssembler::TrustedImm32(newSize), scratchGPR1);
+            stubJit.addPtr(MacroAssembler::TrustedImm32(sizeof(JSValue)), scratchGPR1);
         } else {
             size_t oldSize = oldStructure->outOfLineCapacity() * sizeof(JSValue);
@@ -836 +837 @@
             stubJit.negPtr(scratchGPR1);
             stubJit.addPtr(MacroAssembler::AbsoluteAddress(&copiedAllocator->m_currentPayloadEnd), scratchGPR1);
-            stubJit.subPtr(MacroAssembler::TrustedImm32(newSize), scratchGPR1);
+            stubJit.addPtr(MacroAssembler::TrustedImm32(sizeof(JSValue)), scratchGPR1);
             // We have scratchGPR1 = new storage, scratchGPR3 = old storage, scratchGPR2 = available
-            for (size_t offset = 0; offset < oldSize; offset += sizeof(void*)) {
-                stubJit.loadPtr(MacroAssembler::Address(scratchGPR3, offset), scratchGPR2);
-                stubJit.storePtr(scratchGPR2, MacroAssembler::Address(scratchGPR1, offset));
+            for (ptrdiff_t offset = 0; offset < static_cast<ptrdiff_t>(oldSize); offset += sizeof(void*)) {
+                stubJit.loadPtr(MacroAssembler::Address(scratchGPR3, -(offset + sizeof(JSValue) * 2)), scratchGPR2);
+                stubJit.storePtr(scratchGPR2, MacroAssembler::Address(scratchGPR1, -(offset + sizeof(JSValue) * 2)));
             }
         }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -3158 +3158 @@
     m_jit.negPtr(scratchGPR);
     m_jit.addPtr(JITCompiler::AbsoluteAddress(&copiedAllocator->m_currentPayloadEnd), scratchGPR);
-    m_jit.subPtr(JITCompiler::TrustedImm32(newSize), scratchGPR);
+    m_jit.addPtr(JITCompiler::TrustedImm32(sizeof(JSValue)), scratchGPR);
         
     addSlowPathGenerator(
@@ -3192 +3192 @@
     m_jit.negPtr(scratchGPR2);
     m_jit.addPtr(JITCompiler::AbsoluteAddress(&copiedAllocator->m_currentPayloadEnd), scratchGPR2);
-    m_jit.subPtr(JITCompiler::TrustedImm32(newSize), scratchGPR2);
+    m_jit.addPtr(JITCompiler::TrustedImm32(sizeof(JSValue)), scratchGPR2);
         
     addSlowPathGenerator(
         slowPathCall(slowPath, this, operationAllocatePropertyStorage, scratchGPR2, newSize));
     // We have scratchGPR2 = new storage, scratchGPR1 = scratch
-    for (size_t offset = 0; offset < oldSize; offset += sizeof(void*)) {
-        m_jit.loadPtr(JITCompiler::Address(oldStorageGPR, offset), scratchGPR1);
-        m_jit.storePtr(scratchGPR1, JITCompiler::Address(scratchGPR2, offset));
+    for (ptrdiff_t offset = 0; offset < static_cast<ptrdiff_t>(oldSize); offset += sizeof(void*)) {
+        m_jit.loadPtr(JITCompiler::Address(oldStorageGPR, -(offset + sizeof(JSValue) * 2)), scratchGPR1);
+        m_jit.storePtr(scratchGPR1, JITCompiler::Address(scratchGPR2, -(offset + sizeof(JSValue) * 2)));
     }
     m_jit.storePtr(scratchGPR2, JITCompiler::Address(baseGPR, JSObject::offsetOfOutOfLineStorage()));

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1162 +1162 @@
         return appendCallWithExceptionCheckSetResult(operation, result);
     }
+    JITCompiler::Call callOperation(P_DFGOperation_EPS operation, GPRReg result, GPRReg old, size_t size)
+    {
+        m_jit.setupArgumentsWithExecState(old, TrustedImmPtr(size));
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
     JITCompiler::Call callOperation(J_DFGOperation_E operation, GPRReg result)
     {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3914 +3914 @@
         isOutOfLine.link(&m_jit);
 #endif
-        m_jit.load32(JITCompiler::BaseIndex(resultPayloadGPR, resolveInfoGPR, JITCompiler::TimesEight, OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag) - inlineStorageCapacity * static_cast<ptrdiff_t>(sizeof(JSValue))), resultTagGPR);
-        m_jit.load32(JITCompiler::BaseIndex(resultPayloadGPR, resolveInfoGPR, JITCompiler::TimesEight, OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload) - inlineStorageCapacity * static_cast<ptrdiff_t>(sizeof(JSValue))), resultPayloadGPR);
+        m_jit.neg32(resolveInfoGPR);
+        m_jit.signExtend32ToPtr(resolveInfoGPR, resolveInfoGPR);
+        m_jit.load32(JITCompiler::BaseIndex(resultPayloadGPR, resolveInfoGPR, JITCompiler::TimesEight, OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag) + (inlineStorageCapacity - 2) * static_cast<ptrdiff_t>(sizeof(JSValue))), resultTagGPR);
+        m_jit.load32(JITCompiler::BaseIndex(resultPayloadGPR, resolveInfoGPR, JITCompiler::TimesEight, OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload) + (inlineStorageCapacity - 2) * static_cast<ptrdiff_t>(sizeof(JSValue))), resultPayloadGPR);
 
         addSlowPathGenerator(

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3903 +3903 @@
         isOutOfLine.link(&m_jit);
 #endif
+        m_jit.neg32(resolveInfoGPR);
+        m_jit.signExtend32ToPtr(resolveInfoGPR, resolveInfoGPR);
         m_jit.loadPtr(JITCompiler::Address(globalObjectGPR, JSObject::offsetOfOutOfLineStorage()), resultGPR);
-        m_jit.loadPtr(JITCompiler::BaseIndex(resultGPR, resolveInfoGPR, JITCompiler::ScalePtr, -inlineStorageCapacity * static_cast<ptrdiff_t>(sizeof(JSValue))), resultGPR);
+        m_jit.loadPtr(JITCompiler::BaseIndex(resultGPR, resolveInfoGPR, JITCompiler::ScalePtr, (inlineStorageCapacity - 2) * static_cast<ptrdiff_t>(sizeof(JSValue))), resultGPR);
         
         addSlowPathGenerator(

trunk/Source/JavaScriptCore/heap/ConservativeRoots.cpp

@@ -67 +67 @@
 {
     markHook.mark(p);
-    
-    CopiedBlock* block;
-    if (m_copiedSpace->contains(p, block))
-        m_copiedSpace->pin(block);
+
+    m_copiedSpace->pinIfNecessary(p);
     
     MarkedBlock* candidate = MarkedBlock::blockFor(p);

trunk/Source/JavaScriptCore/heap/CopiedSpace.h

@@ -69 +69 @@
     bool contains(CopiedBlock*);
     bool contains(void*, CopiedBlock*&);
+    
+    void pinIfNecessary(void* pointer);
 
     size_t size();

trunk/Source/JavaScriptCore/heap/CopiedSpaceInlineMethods.h

@@ -56 +56 @@
 {
     block->m_isPinned = true;
+}
+
+inline void CopiedSpace::pinIfNecessary(void* opaquePointer)
+{
+    // Pointers into the copied space come in the following varieties:
+    // 1)  Pointers to the start of a span of memory. This is the most
+    //     natural though not necessarily the most common.
+    // 2)  Pointers to one value-sized (8 byte) word past the end of
+    //     a span of memory. This currently occurs with semi-butterflies
+    //     and should be fixed soon, once the other half of the
+    //     butterfly lands.
+    // 3)  Pointers to the innards arising from loop induction variable
+    //     optimizations (either manual ones or automatic, by the
+    //     compiler).
+    // 4)  Pointers to the end of a span of memory in arising from
+    //     induction variable optimizations combined with the
+    //     GC-to-compiler contract laid out in the C spec: a pointer to
+    //     the end of a span of memory must be considered to be a
+    //     pointer to that memory.
+    
+    EncodedJSValue* pointer = reinterpret_cast<EncodedJSValue*>(opaquePointer);
+    CopiedBlock* block;
+
+    // Handle (1) and (3).
+    if (contains(pointer, block))
+        pin(block);
+    
+    // Handle (4). We don't have to explicitly check and pin the block under this
+    // pointer because it cannot possibly point to something that cases (1) and
+    // (3) above or case (2) below wouldn't already catch.
+    pointer--;
+    
+    // Handle (2)
+    pointer--;
+    if (contains(pointer, block))
+        pin(block);
 }
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -160 +160 @@
         Jump isInline = branch32(LessThan, offset, TrustedImm32(inlineStorageCapacity));
         loadPtr(Address(base, JSObject::offsetOfOutOfLineStorage()), scratch);
+        neg32(offset);
         Jump done = jump();
         isInline.link(this);
-        addPtr(TrustedImm32(JSObject::offsetOfInlineStorage() + inlineStorageCapacity * sizeof(EncodedJSValue)), base, scratch);
+        addPtr(TrustedImm32(JSObject::offsetOfInlineStorage() - (inlineStorageCapacity - 2) * sizeof(EncodedJSValue)), base, scratch);
         done.link(this);
     } else {
@@ -171 +172 @@
 #endif
         loadPtr(Address(base, JSObject::offsetOfOutOfLineStorage()), scratch);
-    }
-    loadPtr(BaseIndex(scratch, offset, ScalePtr, -inlineStorageCapacity * static_cast<ptrdiff_t>(sizeof(JSValue))), result);
+        neg32(offset);
+    }
+    signExtend32ToPtr(offset, offset);
+    loadPtr(BaseIndex(scratch, offset, ScalePtr, (inlineStorageCapacity - 2) * static_cast<ptrdiff_t>(sizeof(JSValue))), result);
 }
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -1019 +1019 @@
         Jump isInline = branch32(LessThan, offset, TrustedImm32(inlineStorageCapacity));
         loadPtr(Address(base, JSObject::offsetOfOutOfLineStorage()), base);
+        neg32(offset);
         Jump done = jump();
         isInline.link(this);
-        addPtr(TrustedImmPtr(JSObject::offsetOfInlineStorage() + inlineStorageCapacity * sizeof(EncodedJSValue)), base);
+        addPtr(TrustedImmPtr(JSObject::offsetOfInlineStorage() - (inlineStorageCapacity - 2) * sizeof(EncodedJSValue)), base);
         done.link(this);
     } else {
@@ -1030 +1031 @@
 #endif
         loadPtr(Address(base, JSObject::offsetOfOutOfLineStorage()), base);
-    }
-    load32(BaseIndex(base, offset, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) - inlineStorageCapacity * sizeof(EncodedJSValue)), resultPayload);
-    load32(BaseIndex(base, offset, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) - inlineStorageCapacity * sizeof(EncodedJSValue)), resultTag);
+        neg32(offset);
+    }
+    load32(BaseIndex(base, offset, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) + (inlineStorageCapacity - 2) * sizeof(EncodedJSValue)), resultPayload);
+    load32(BaseIndex(base, offset, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) + (inlineStorageCapacity - 2) * sizeof(EncodedJSValue)), resultTag);
 }
 

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -933 +933 @@
         // set this up, so derefStructures can do it's job.
         stubInfo->initGetByIdSelf(callFrame->globalData(), codeBlock->ownerExecutable(), structure);
-        if ((slot.cachedPropertyType() != PropertySlot::Value) || ((slot.cachedOffset() * sizeof(JSValue)) > (unsigned)MacroAssembler::MaximumCompactPtrAlignedAddressOffset))
+        if ((slot.cachedPropertyType() != PropertySlot::Value)
+            || !MacroAssembler::isCompactPtrAlignedAddressOffset(offsetRelativeToPatchedStorage(slot.cachedOffset())))
             ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_get_by_id_self_fail));
         else

trunk/Source/JavaScriptCore/jsc.cpp

@@ -85 +85 @@
 static EncodedJSValue JSC_HOST_CALL functionPrint(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionDebug(ExecState*);
+static EncodedJSValue JSC_HOST_CALL functionDescribe(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionJSCStack(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionGC(ExecState*);
@@ -192 +193 @@
         
         addFunction(globalData, "debug", functionDebug, 1);
+        addFunction(globalData, "describe", functionDescribe, 1);
         addFunction(globalData, "print", functionPrint, 1);
         addFunction(globalData, "quit", functionQuit, 0);
@@ -296 +298 @@
 {
     fprintf(stderr, "--> %s\n", exec->argument(0).toString(exec)->value(exec).utf8().data());
+    return JSValue::encode(jsUndefined());
+}
+
+EncodedJSValue JSC_HOST_CALL functionDescribe(ExecState* exec)
+{
+    fprintf(stderr, "--> %s\n", exec->argument(0).description());
     return JSValue::encode(jsUndefined());
 }

trunk/Source/JavaScriptCore/llint/LLIntCommon.h

@@ -37 +37 @@
 #define LLINT_ALWAYS_ALLOCATE_SLOW 0
 
+// Disable inline caching of get_by_id and put_by_id.
+#define LLINT_ALWAYS_ACCESS_SLOW 0
+
 // Enable OSR into the JIT. Disabling this while the LLInt is enabled effectively
 // turns off all JIT'ing, since in LLInt's parlance, OSR subsumes any form of JIT

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -884 +884 @@
     LLINT_OP(1) = result;
 
-    if (baseValue.isCell()
+    if (!LLINT_ALWAYS_ACCESS_SLOW
+        && baseValue.isCell()
         && slot.isCacheable()
         && slot.slotBase() == baseValue
@@ -936 +937 @@
     LLINT_CHECK_EXCEPTION();
     
-    if (baseValue.isCell()
+    if (!LLINT_ALWAYS_ACCESS_SLOW
+        && baseValue.isCell()
         && slot.isCacheable()) {
         

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -922 +922 @@
 macro loadPropertyAtVariableOffsetKnownNotFinal(propertyOffset, objectAndStorage, tag, payload)
     assert(macro (ok) bigteq propertyOffset, InlineStorageCapacity, ok end)
+    negi propertyOffset
     loadp JSObject::m_outOfLineStorage[objectAndStorage], objectAndStorage
-    loadi TagOffset - 8 * InlineStorageCapacity[objectAndStorage, propertyOffset, 8], tag
-    loadi PayloadOffset - 8 * InlineStorageCapacity[objectAndStorage, propertyOffset, 8], payload
+    loadi TagOffset + (InlineStorageCapacity - 2) * 8[objectAndStorage, propertyOffset, 8], tag
+    loadi PayloadOffset + (InlineStorageCapacity - 2) * 8[objectAndStorage, propertyOffset, 8], payload
 end
 
@@ -930 +931 @@
     bilt propertyOffset, InlineStorageCapacity, .isInline
     loadp JSObject::m_outOfLineStorage[objectAndStorage], objectAndStorage
+    negi propertyOffset
     jmp .ready
 .isInline:
-    addp JSFinalObject::m_inlineStorage + InlineStorageCapacity * 8, objectAndStorage
+    addp JSFinalObject::m_inlineStorage - (InlineStorageCapacity - 2) * 8, objectAndStorage
 .ready:
-    loadi TagOffset - 8 * InlineStorageCapacity[objectAndStorage, propertyOffset, 8], tag
-    loadi PayloadOffset - 8 * InlineStorageCapacity[objectAndStorage, propertyOffset, 8], payload
+    loadi TagOffset + (InlineStorageCapacity - 2) * 8[objectAndStorage, propertyOffset, 8], tag
+    loadi PayloadOffset + (InlineStorageCapacity - 2) * 8[objectAndStorage, propertyOffset, 8], payload
 end
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -779 +779 @@
 
 
-macro loadPropertyAtVariableOffsetKnownNotFinal(propertyOffset, objectAndStorage, value)
-    assert(macro (ok) bigteq propertyOffset, InlineStorageCapacity, ok end)
+macro loadPropertyAtVariableOffsetKnownNotFinal(propertyOffsetAsPointer, objectAndStorage, value)
+    assert(macro (ok) bigteq propertyOffsetAsPointer, InlineStorageCapacity, ok end)
+    negp propertyOffsetAsPointer
     loadp JSObject::m_outOfLineStorage[objectAndStorage], objectAndStorage
-    loadp -8 * InlineStorageCapacity[objectAndStorage, propertyOffset, 8], value
-end
-
-macro loadPropertyAtVariableOffset(propertyOffset, objectAndStorage, value)
-    bilt propertyOffset, InlineStorageCapacity, .isInline
+    loadp (InlineStorageCapacity - 2) * 8[objectAndStorage, propertyOffsetAsPointer, 8], value
+end
+
+macro loadPropertyAtVariableOffset(propertyOffsetAsInt, objectAndStorage, value)
+    bilt propertyOffsetAsInt, InlineStorageCapacity, .isInline
     loadp JSObject::m_outOfLineStorage[objectAndStorage], objectAndStorage
+    negi propertyOffsetAsInt
+    sxi2p propertyOffsetAsInt, propertyOffsetAsInt
     jmp .ready
 .isInline:
-    addp JSFinalObject::m_inlineStorage + InlineStorageCapacity * 8, objectAndStorage
+    addp JSFinalObject::m_inlineStorage - (InlineStorageCapacity - 2) * 8, objectAndStorage
 .ready:
-    loadp -8 * InlineStorageCapacity[objectAndStorage, propertyOffset, 8], value
+    loadp (InlineStorageCapacity - 2) * 8[objectAndStorage, propertyOffsetAsInt, 8], value
 end
 

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -100 +100 @@
     if (storage) {
         size_t storageSize = thisObject->structure()->outOfLineSizeForKnownNonFinalObject();
+        size_t capacity = thisObject->structure()->outOfLineCapacity();
         // We have this extra temp here to slake GCC's thirst for the blood of those who dereference type-punned pointers.
-        void* temp = storage;
-        visitor.copyAndAppend(&temp, thisObject->structure()->outOfLineCapacity() * sizeof(WriteBarrierBase<Unknown>), storage->slot(), storageSize);
-        storage = static_cast<PropertyStorage>(temp);
+        void* temp = storage - capacity - 1;
+        visitor.copyAndAppend(&temp, capacity * sizeof(WriteBarrierBase<Unknown>), (storage - storageSize - 1)->slot(), storageSize);
+        storage = static_cast<PropertyStorage>(temp) + capacity + 1;
         thisObject->m_outOfLineStorage.set(storage, StorageBarrier::Unchecked);
     }
@@ -129 +130 @@
     if (storage) {
         size_t storageSize = thisObject->structure()->outOfLineSizeForKnownFinalObject();
+        size_t capacity = thisObject->structure()->outOfLineCapacity();
         // We have this extra temp here to slake GCC's thirst for the blood of those who dereference type-punned pointers.
-        void* temp = storage;
-        visitor.copyAndAppend(&temp, thisObject->structure()->outOfLineCapacity() * sizeof(WriteBarrierBase<Unknown>), storage->slot(), storageSize);
-        storage = static_cast<PropertyStorage>(temp);
+        void* temp = storage - capacity - 1;
+        visitor.copyAndAppend(&temp, thisObject->structure()->outOfLineCapacity() * sizeof(WriteBarrierBase<Unknown>), (storage - storageSize - 1)->slot(), storageSize);
+        storage = static_cast<PropertyStorage>(temp) + capacity + 1;
         thisObject->m_outOfLineStorage.set(storage, StorageBarrier::Unchecked);
     }
@@ -596 +598 @@
     // It's important that this function not rely on structure(), since
     // we might be in the middle of a transition.
-
+    
     PropertyStorage oldPropertyStorage = m_outOfLineStorage.get();
     PropertyStorage newPropertyStorage = 0;
@@ -604 +606 @@
     if (!globalData.heap.tryAllocateStorage(sizeof(WriteBarrierBase<Unknown>) * newSize, &temp))
         CRASH();
-    newPropertyStorage = static_cast<PropertyStorage>(temp);
+    newPropertyStorage = static_cast<PropertyStorage>(temp) + newSize + 1;
     
-    memcpy(newPropertyStorage, oldPropertyStorage, sizeof(WriteBarrierBase<Unknown>) * oldSize);
+    memcpy(newPropertyStorage - oldSize - 1, oldPropertyStorage - oldSize - 1, sizeof(WriteBarrierBase<Unknown>) * oldSize);
 
     ASSERT(newPropertyStorage);

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -174 +174 @@
             PropertyOffset offset = structure()->get(globalData, propertyName);
             checkOffset(offset, structure()->typeInfo().type());
-            return offset != invalidOffset ? locationForOffset(offset) : 0;
+            return isValidOffset(offset) ? locationForOffset(offset) : 0;
         }
 
@@ -181 +181 @@
             JSCell* specificFunction;
             PropertyOffset offset = structure()->get(globalData, propertyName, attributes, specificFunction);
-            return offset != invalidOffset ? locationForOffset(offset) : 0;
+            return isValidOffset(offset) ? locationForOffset(offset) : 0;
         }
 
@@ -228 +228 @@
                 result = offsetInInlineStorage;
             else
-                result = location - outOfLineStorage() + firstOutOfLineOffset;
+                result = outOfLineStorage() - location + (inlineStorageCapacity - 2);
             validateOffset(result, structure()->typeInfo().type());
             return result;

trunk/Source/JavaScriptCore/runtime/JSValue.h

@@ -255 +255 @@
         JSValue structureOrUndefined() const;
 
-        char* description() const;
+        JS_EXPORT_PRIVATE char* description() const;
 
         JS_EXPORT_PRIVATE JSObject* synthesizePrototype(ExecState*) const;

trunk/Source/JavaScriptCore/runtime/PropertyOffset.h

@@ -119 +119 @@
     validateOffset(offset);
     ASSERT(isOutOfLineOffset(offset));
-    return offset - firstOutOfLineOffset;
+    return -static_cast<ptrdiff_t>(offset - firstOutOfLineOffset) - 2;
 }