Changeset 128813 in webkit

Timestamp:

Sep 17, 2012 3:16:10 PM (12 years ago)

Author:

mhahnenberg@apple.com

Message:

Delayed structure sweep can leak structures without bound
​https://bugs.webkit.org/show_bug.cgi?id=96546

Reviewed by Gavin Barraclough.

This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
those objects with destructors and with immortal structures, and those objects with destructors that don't have
immortal structures. All of the objects of the third type (destructors without immortal structures) now
inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores
the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.

Source/JavaScriptCore:

• API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.

(JSC):
(JSC::JSCallbackConstructor::JSCallbackConstructor):

• API/JSCallbackConstructor.h:

(JSCallbackConstructor):

• API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for

JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer.
(JSC):
(JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add
the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides
to subclass this. We use this same technique for many other subclasses of JSGlobalObject.
(JSC::::createStructure):

• API/JSCallbackObject.h:

(JSCallbackObject):
(JSC):

• API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead.

(OpaqueJSClass::prototype):

• API/JSObjectRef.cpp: Ditto.

(JSObjectMake):
(JSObjectGetPrivate):
(JSObjectSetPrivate):
(JSObjectGetPrivateProperty):
(JSObjectSetPrivateProperty):
(JSObjectDeletePrivateProperty):

• API/JSValueRef.cpp: Ditto.

(JSValueIsObjectOfClass):

• API/JSWeakObjectMapRefPrivate.cpp: Ditto.
• JSCTypedArrayStubs.h:

(JSC):

• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG.

(JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
(JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):

• heap/Heap.cpp:

(JSC):

• heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function

since it's always safe to sweep Structures now.
(JSC::Heap::allocatorForObjectWithNormalDestructor):
(JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
(Heap):
(JSC::Heap::allocateWithNormalDestructor):
(JSC):
(JSC::Heap::allocateWithImmortalStructureDestructor):

• heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the

IncrementalSweeper since it's always safe to sweep Structures now.
(JSC::IncrementalSweeper::IncrementalSweeper):
(JSC::IncrementalSweeper::sweepNextBlock):
(JSC::IncrementalSweeper::startSweeping):
(JSC::IncrementalSweeper::willFinishSweeping):
(JSC):

• heap/IncrementalSweeper.h:

(IncrementalSweeper):

• heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add

tracking of the specific destructor type of allocator.
(JSC::MarkedAllocator::tryAllocateHelper):
(JSC::MarkedAllocator::allocateBlock):

• heap/MarkedAllocator.h:

(JSC::MarkedAllocator::destructorType):
(MarkedAllocator):
(JSC::MarkedAllocator::MarkedAllocator):
(JSC::MarkedAllocator::init):

• heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping.

We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls.
(JSC::MarkedBlock::create):
(JSC::MarkedBlock::MarkedBlock):
(JSC):
(JSC::MarkedBlock::specializedSweep):
(JSC::MarkedBlock::sweep):
(JSC::MarkedBlock::sweepHelper):

• heap/MarkedBlock.h:

(JSC):
(JSC::MarkedBlock::allocator):
(JSC::MarkedBlock::destructorType):

• heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace.

(JSC::MarkedSpace::MarkedSpace):
(JSC::MarkedSpace::resetAllocators):
(JSC::MarkedSpace::canonicalizeCellLivenessData):
(JSC::MarkedSpace::isPagedOut):
(JSC::MarkedSpace::freeBlock):

• heap/MarkedSpace.h:

(MarkedSpace):
(JSC::MarkedSpace::immortalStructureDestructorAllocatorFor):
(JSC::MarkedSpace::normalDestructorAllocatorFor):
(JSC::MarkedSpace::allocateWithImmortalStructureDestructor):
(JSC::MarkedSpace::allocateWithNormalDestructor):
(JSC::MarkedSpace::forEachBlock):

• heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function.
• jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT.
• jit/JITInlineMethods.h:

(JSC::JIT::emitAllocateBasicJSObject):
(JSC::JIT::emitAllocateJSFinalObject):
(JSC::JIT::emitAllocateJSArray):

• jsc.cpp:

(GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from
JSDestructibleObject.

• runtime/Arguments.cpp: Inherit from JSDestructibleObject.

(JSC):

• runtime/Arguments.h:

(Arguments):
(JSC::Arguments::Arguments):

• runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor.

(JSC):

• runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures.

(JSC):

• runtime/InternalFunction.cpp: Inherit from JSDestructibleObject.

(JSC):
(JSC::InternalFunction::InternalFunction):

• runtime/InternalFunction.h:

(InternalFunction):

• runtime/JSCell.h: Added the NEEDS_DESTRUCTOR macro to make it easier for classes to indicate that instead of being

allocated in a destructor MarkedAllocator that they will handle their destruction themselves through the
use of a finalizer.
(JSC):
(HasImmortalStructure): New template to help us determine at compile-time if a particular class
should be allocated in the immortal structure MarkedAllocator. The default value is false. In order
to be allocated in the immortal structure allocator, classes must specialize this template. Also added
a macro to make it easier for classes to specialize the template.
(JSC::allocateCell): Use the appropriate allocator depending on the destructor type.

• runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be

accessed safely when the object is being destroyed.
(JSC):
(JSDestructibleObject):
(JSC::JSDestructibleObject::classInfo):
(JSC::JSDestructibleObject::JSDestructibleObject):
(JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe.

• runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all

of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well.
(JSC::JSGlobalObject::reset):

• runtime/JSGlobalObject.h:

(JSGlobalObject):
(JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one
for the m_rareData field when it's created.
(JSC::JSGlobalObject::create):
(JSC):

• runtime/JSGlobalThis.h: Inherit from JSDestructibleObject.

(JSGlobalThis):
(JSC::JSGlobalThis::JSGlobalThis):

• runtime/JSPropertyNameIterator.h: Has an immortal Structure.

(JSC):

• runtime/JSScope.cpp:

(JSC):

• runtime/JSString.h: Has an immortal Structure.

(JSC):

• runtime/JSWrapperObject.h: Inherit from JSDestructibleObject.

(JSWrapperObject):
(JSC::JSWrapperObject::JSWrapperObject):

• runtime/MathObject.cpp: Cleaning up some of the inheritance stuff.

(JSC):

• runtime/NameInstance.h: Inherit from JSDestructibleObject.

(NameInstance):

• runtime/RegExp.h: Has immortal Structure.

(JSC):

• runtime/RegExpObject.cpp: Inheritance cleanup.

(JSC):

• runtime/SparseArrayValueMap.h: Has immortal Structure.

(JSC):

• runtime/Structure.h: Has immortal Structure.

(JSC):

• runtime/StructureChain.h: Ditto.

(JSC):

• runtime/SymbolTable.h: Ditto.

(SharedSymbolTable):
(JSC):

Source/WebCore:

No new tests.

• ForwardingHeaders/runtime/JSDestructableObject.h: Added.
• bindings/js/JSDOMWrapper.h: Inherits from JSDestructibleObject.

(JSDOMWrapper):
(WebCore::JSDOMWrapper::JSDOMWrapper):

• bindings/scripts/CodeGeneratorJS.pm: Add finalizers to anything that inherits from JSGlobalObject,

e.g. JSDOMWindow and JSWorkerContexts. For those classes we also need to use the NEEDS_DESTRUCTOR macro.
(GenerateHeader):

• bridge/objc/objc_runtime.h: Inherit from JSDestructibleObject.

(ObjcFallbackObjectImp):

• bridge/objc/objc_runtime.mm:

(Bindings):
(JSC::Bindings::ObjcFallbackObjectImp::ObjcFallbackObjectImp):

• bridge/runtime_array.cpp: Use a finalizer so that JSArray isn't forced to inherit from JSDestructibleObject.

(JSC):
(JSC::RuntimeArray::destroy):

• bridge/runtime_array.h:

(JSC::RuntimeArray::create):
(JSC):

• bridge/runtime_object.cpp: Inherit from JSDestructibleObject.

(Bindings):
(JSC::Bindings::RuntimeObject::RuntimeObject):

• bridge/runtime_object.h:

(RuntimeObject):

Location:

trunk/Source

Files:

• JavaScriptCore/API/JSCallbackConstructor.cpp (modified) (1 diff)
• JavaScriptCore/API/JSCallbackConstructor.h (modified) (1 diff)
• JavaScriptCore/API/JSCallbackObject.cpp (modified) (1 diff)
• JavaScriptCore/API/JSCallbackObject.h (modified) (2 diffs)
• JavaScriptCore/API/JSClassRef.cpp (modified) (1 diff)
• JavaScriptCore/API/JSObjectRef.cpp (modified) (6 diffs)
• JavaScriptCore/API/JSValueRef.cpp (modified) (1 diff)
• JavaScriptCore/API/JSWeakObjectMapRefPrivate.cpp (modified) (1 diff)
• JavaScriptCore/ChangeLog (modified) (2 diffs)
• JavaScriptCore/GNUmakefile.list.am (modified) (1 diff)
• JavaScriptCore/JSCTypedArrayStubs.h (modified) (2 diffs)
• JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (2 diffs)
• JavaScriptCore/heap/Heap.cpp (modified) (1 diff)
• JavaScriptCore/heap/Heap.h (modified) (5 diffs)
• JavaScriptCore/heap/IncrementalSweeper.cpp (modified) (8 diffs)
• JavaScriptCore/heap/IncrementalSweeper.h (modified) (2 diffs)
• JavaScriptCore/heap/MarkedAllocator.cpp (modified) (3 diffs)
• JavaScriptCore/heap/MarkedAllocator.h (modified) (5 diffs)
• JavaScriptCore/heap/MarkedBlock.cpp (modified) (6 diffs)
• JavaScriptCore/heap/MarkedBlock.h (modified) (8 diffs)
• JavaScriptCore/heap/MarkedSpace.cpp (modified) (5 diffs)
• JavaScriptCore/heap/MarkedSpace.h (modified) (5 diffs)
• JavaScriptCore/heap/SlotVisitor.cpp (modified) (1 diff)
• JavaScriptCore/jit/JIT.h (modified) (1 diff)
• JavaScriptCore/jit/JITInlineMethods.h (modified) (3 diffs)
• JavaScriptCore/jsc.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/Arguments.cpp (modified) (1 diff)
• JavaScriptCore/runtime/Arguments.h (modified) (4 diffs)
• JavaScriptCore/runtime/ErrorPrototype.cpp (modified) (1 diff)
• JavaScriptCore/runtime/Executable.h (modified) (5 diffs)
• JavaScriptCore/runtime/InternalFunction.cpp (modified) (1 diff)
• JavaScriptCore/runtime/InternalFunction.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSCell.h (modified) (5 diffs)
• JavaScriptCore/runtime/JSDestructibleObject.h (added)
• JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSGlobalObject.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSGlobalThis.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSPropertyNameIterator.h (modified) (1 diff)
• JavaScriptCore/runtime/JSScope.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSString.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSWrapperObject.h (modified) (3 diffs)
• JavaScriptCore/runtime/MathObject.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/NameInstance.h (modified) (1 diff)
• JavaScriptCore/runtime/RegExp.h (modified) (1 diff)
• JavaScriptCore/runtime/RegExpObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/SparseArrayValueMap.h (modified) (1 diff)
• JavaScriptCore/runtime/Structure.h (modified) (2 diffs)
• JavaScriptCore/runtime/StructureChain.h (modified) (1 diff)
• JavaScriptCore/runtime/SymbolTable.h (modified) (2 diffs)
• JavaScriptCore/testRegExp.cpp (modified) (2 diffs)
• WebCore/ChangeLog (modified) (2 diffs)
• WebCore/ForwardingHeaders/runtime/JSDestructibleObject.h (added)
• WebCore/bindings/js/JSDOMWrapper.h (modified) (3 diffs)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (3 diffs)
• WebCore/bridge/objc/objc_runtime.h (modified) (1 diff)
• WebCore/bridge/objc/objc_runtime.mm (modified) (1 diff)
• WebCore/bridge/runtime_array.cpp (modified) (2 diffs)
• WebCore/bridge/runtime_array.h (modified) (2 diffs)
• WebCore/bridge/runtime_object.cpp (modified) (1 diff)
• WebCore/bridge/runtime_object.h (modified) (1 diff)

trunk/Source/JavaScriptCore/API/JSCallbackConstructor.cpp

@@ -37 +37 @@
 namespace JSC {
 
-const ClassInfo JSCallbackConstructor::s_info = { "CallbackConstructor", &JSNonFinalObject::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackConstructor) };
+const ClassInfo JSCallbackConstructor::s_info = { "CallbackConstructor", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackConstructor) };
 
 JSCallbackConstructor::JSCallbackConstructor(JSGlobalObject* globalObject, Structure* structure, JSClassRef jsClass, JSObjectCallAsConstructorCallback callback)
-    : JSNonFinalObject(globalObject->globalData(), structure)
+    : JSDestructibleObject(globalObject->globalData(), structure)
     , m_class(jsClass)
     , m_callback(callback)

trunk/Source/JavaScriptCore/API/JSCallbackConstructor.h

@@ -28 +28 @@
 
 #include "JSObjectRef.h"
-#include <runtime/JSObject.h>
+#include "runtime/JSDestructibleObject.h"
 
 namespace JSC {
 
-class JSCallbackConstructor : public JSNonFinalObject {
+class JSCallbackConstructor : public JSDestructibleObject {
 public:
-    typedef JSNonFinalObject Base;
+    typedef JSDestructibleObject Base;
 
     static JSCallbackConstructor* create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure, JSClassRef classRef, JSObjectCallAsConstructorCallback callback) 

trunk/Source/JavaScriptCore/API/JSCallbackObject.cpp

@@ -33 +33 @@
 namespace JSC {
 
-ASSERT_CLASS_FITS_IN_CELL(JSCallbackObject<JSNonFinalObject>);
+ASSERT_CLASS_FITS_IN_CELL(JSCallbackObject<JSDestructibleObject>);
 ASSERT_CLASS_FITS_IN_CELL(JSCallbackObject<JSGlobalObject>);
 
 // Define the two types of JSCallbackObjects we support.
-template <> const ClassInfo JSCallbackObject<JSNonFinalObject>::s_info = { "CallbackObject", &JSNonFinalObject::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackObject) };
-template <> const ClassInfo JSCallbackObject<JSGlobalObject>::s_info = { "CallbackGlobalObject", &JSGlobalObject::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackObject) };
+template <> const ClassInfo JSCallbackObject<JSDestructibleObject>::s_info = { "CallbackObject", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackObject) };
+template <> const ClassInfo JSCallbackObject<JSGlobalObject>::s_info = { "CallbackGlobalObject", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackObject) };
+
+template<>
+JSCallbackObject<JSGlobalObject>* JSCallbackObject<JSGlobalObject>::create(JSGlobalData& globalData, JSClassRef classRef, Structure* structure)
+{
+    JSCallbackObject<JSGlobalObject>* callbackObject = new (NotNull, allocateCell<JSCallbackObject<JSGlobalObject> >(globalData.heap)) JSCallbackObject(globalData, classRef, structure);
+    callbackObject->finishCreation(globalData);
+    globalData.heap.addFinalizer(callbackObject, destroy);
+    return callbackObject;
+}
 
 template <>
-Structure* JSCallbackObject<JSNonFinalObject>::createStructure(JSGlobalData& globalData, JSGlobalObject* globalObject, JSValue proto)
+Structure* JSCallbackObject<JSDestructibleObject>::createStructure(JSGlobalData& globalData, JSGlobalObject* globalObject, JSValue proto)
 { 
     return Structure::create(globalData, globalObject, proto, TypeInfo(ObjectType, StructureFlags), &s_info); 

trunk/Source/JavaScriptCore/API/JSCallbackObject.h

@@ -134 +134 @@
         return callbackObject;
     }
-    static JSCallbackObject* create(JSGlobalData& globalData, JSClassRef classRef, Structure* structure)
-    {
-        JSCallbackObject* callbackObject = new (NotNull, allocateCell<JSCallbackObject>(globalData.heap)) JSCallbackObject(globalData, classRef, structure);
-        callbackObject->finishCreation(globalData);
-        return callbackObject;
-    }
-
+    static JSCallbackObject<Parent>* create(JSGlobalData&, JSClassRef, Structure*);
     void setPrivate(void* data);
     void* getPrivate();
@@ -218 +212 @@
 };
 
+NEEDS_DESTRUCTOR(JSCallbackObject<JSGlobalObject>, false);
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/API/JSClassRef.cpp

@@ -200 +200 @@
 
     // Recursive, but should be good enough for our purposes
-    JSObject* prototype = JSCallbackObject<JSNonFinalObject>::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), prototypeClass, &jsClassData); // set jsClassData as the object's private data, so it can clear our reference on destruction
+    JSObject* prototype = JSCallbackObject<JSDestructibleObject>::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), prototypeClass, &jsClassData); // set jsClassData as the object's private data, so it can clear our reference on destruction
     if (parentClass) {
         if (JSObject* parentPrototype = parentClass->prototype(exec))

trunk/Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -84 +84 @@
         return toRef(constructEmptyObject(exec));
 
-    JSCallbackObject<JSNonFinalObject>* object = JSCallbackObject<JSNonFinalObject>::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), jsClass, data);
+    JSCallbackObject<JSDestructibleObject>* object = JSCallbackObject<JSDestructibleObject>::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), jsClass, data);
     if (JSObject* prototype = jsClass->prototype(exec))
         object->setPrototype(exec->globalData(), prototype);
@@ -342 +342 @@
     if (jsObject->inherits(&JSCallbackObject<JSGlobalObject>::s_info))
         return jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
-    if (jsObject->inherits(&JSCallbackObject<JSNonFinalObject>::s_info))
-        return jsCast<JSCallbackObject<JSNonFinalObject>*>(jsObject)->getPrivate();
+    if (jsObject->inherits(&JSCallbackObject<JSDestructibleObject>::s_info))
+        return jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivate();
     
     return 0;
@@ -356 +356 @@
         return true;
     }
-    if (jsObject->inherits(&JSCallbackObject<JSNonFinalObject>::s_info)) {
-        jsCast<JSCallbackObject<JSNonFinalObject>*>(jsObject)->setPrivate(data);
+    if (jsObject->inherits(&JSCallbackObject<JSDestructibleObject>::s_info)) {
+        jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->setPrivate(data);
         return true;
     }
@@ -373 +373 @@
     if (jsObject->inherits(&JSCallbackObject<JSGlobalObject>::s_info))
         result = jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivateProperty(name);
-    else if (jsObject->inherits(&JSCallbackObject<JSNonFinalObject>::s_info))
-        result = jsCast<JSCallbackObject<JSNonFinalObject>*>(jsObject)->getPrivateProperty(name);
+    else if (jsObject->inherits(&JSCallbackObject<JSDestructibleObject>::s_info))
+        result = jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->getPrivateProperty(name);
     return toRef(exec, result);
 }
@@ -389 +389 @@
         return true;
     }
-    if (jsObject->inherits(&JSCallbackObject<JSNonFinalObject>::s_info)) {
-        jsCast<JSCallbackObject<JSNonFinalObject>*>(jsObject)->setPrivateProperty(exec->globalData(), name, jsValue);
+    if (jsObject->inherits(&JSCallbackObject<JSDestructibleObject>::s_info)) {
+        jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->setPrivateProperty(exec->globalData(), name, jsValue);
         return true;
     }
@@ -406 +406 @@
         return true;
     }
-    if (jsObject->inherits(&JSCallbackObject<JSNonFinalObject>::s_info)) {
-        jsCast<JSCallbackObject<JSNonFinalObject>*>(jsObject)->deletePrivateProperty(name);
+    if (jsObject->inherits(&JSCallbackObject<JSDestructibleObject>::s_info)) {
+        jsCast<JSCallbackObject<JSDestructibleObject>*>(jsObject)->deletePrivateProperty(name);
         return true;
     }

trunk/Source/JavaScriptCore/API/JSValueRef.cpp

@@ -132 +132 @@
         if (o->inherits(&JSCallbackObject<JSGlobalObject>::s_info))
             return jsCast<JSCallbackObject<JSGlobalObject>*>(o)->inherits(jsClass);
-        if (o->inherits(&JSCallbackObject<JSNonFinalObject>::s_info))
-            return jsCast<JSCallbackObject<JSNonFinalObject>*>(o)->inherits(jsClass);
+        if (o->inherits(&JSCallbackObject<JSDestructibleObject>::s_info))
+            return jsCast<JSCallbackObject<JSDestructibleObject>*>(o)->inherits(jsClass);
     }
     return false;

trunk/Source/JavaScriptCore/API/JSWeakObjectMapRefPrivate.cpp

@@ -58 +58 @@
     if (!obj)
         return;
-    ASSERT(obj->inherits(&JSCallbackObject<JSGlobalObject>::s_info) || obj->inherits(&JSCallbackObject<JSNonFinalObject>::s_info));
+    ASSERT(obj->inherits(&JSCallbackObject<JSGlobalObject>::s_info) || obj->inherits(&JSCallbackObject<JSDestructibleObject>::s_info));
     map->map().set(exec->globalData(), key, obj);
 }

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-09-16  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Delayed structure sweep can leak structures without bound
+        https://bugs.webkit.org/show_bug.cgi?id=96546
+
+        Reviewed by Gavin Barraclough.
+
+        This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
+        allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
+        those objects with destructors and with immortal structures, and those objects with destructors that don't have 
+        immortal structures. All of the objects of the third type (destructors without immortal structures) now 
+        inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores 
+        the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.
+
+        * API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.
+        (JSC):
+        (JSC::JSCallbackConstructor::JSCallbackConstructor):
+        * API/JSCallbackConstructor.h:
+        (JSCallbackConstructor):
+        * API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for 
+        JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer.
+        (JSC):
+        (JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add 
+        the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides 
+        to subclass this. We use this same technique for many other subclasses of JSGlobalObject.
+        (JSC::::createStructure):
+        * API/JSCallbackObject.h:
+        (JSCallbackObject):
+        (JSC):
+        * API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead.
+        (OpaqueJSClass::prototype):
+        * API/JSObjectRef.cpp: Ditto.
+        (JSObjectMake):
+        (JSObjectGetPrivate):
+        (JSObjectSetPrivate):
+        (JSObjectGetPrivateProperty):
+        (JSObjectSetPrivateProperty):
+        (JSObjectDeletePrivateProperty):
+        * API/JSValueRef.cpp: Ditto.
+        (JSValueIsObjectOfClass):
+        * API/JSWeakObjectMapRefPrivate.cpp: Ditto.
+        * JSCTypedArrayStubs.h:
+        (JSC):
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG.
+        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
+        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
+        * heap/Heap.cpp:
+        (JSC):
+        * heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function 
+        since it's always safe to sweep Structures now.
+        (JSC::Heap::allocatorForObjectWithNormalDestructor): 
+        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
+        (Heap):
+        (JSC::Heap::allocateWithNormalDestructor):
+        (JSC):
+        (JSC::Heap::allocateWithImmortalStructureDestructor):
+        * heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the 
+        IncrementalSweeper since it's always safe to sweep Structures now.
+        (JSC::IncrementalSweeper::IncrementalSweeper):
+        (JSC::IncrementalSweeper::sweepNextBlock):
+        (JSC::IncrementalSweeper::startSweeping):
+        (JSC::IncrementalSweeper::willFinishSweeping):
+        (JSC):
+        * heap/IncrementalSweeper.h:
+        (IncrementalSweeper):
+        * heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add 
+        tracking of the specific destructor type of allocator. 
+        (JSC::MarkedAllocator::tryAllocateHelper):
+        (JSC::MarkedAllocator::allocateBlock):
+        * heap/MarkedAllocator.h:
+        (JSC::MarkedAllocator::destructorType):
+        (MarkedAllocator):
+        (JSC::MarkedAllocator::MarkedAllocator):
+        (JSC::MarkedAllocator::init):
+        * heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping. 
+        We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls.
+        (JSC::MarkedBlock::create):
+        (JSC::MarkedBlock::MarkedBlock):
+        (JSC):
+        (JSC::MarkedBlock::specializedSweep):
+        (JSC::MarkedBlock::sweep):
+        (JSC::MarkedBlock::sweepHelper):
+        * heap/MarkedBlock.h:
+        (JSC):
+        (JSC::MarkedBlock::allocator):
+        (JSC::MarkedBlock::destructorType):
+        * heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace.
+        (JSC::MarkedSpace::MarkedSpace):
+        (JSC::MarkedSpace::resetAllocators):
+        (JSC::MarkedSpace::canonicalizeCellLivenessData):
+        (JSC::MarkedSpace::isPagedOut):
+        (JSC::MarkedSpace::freeBlock):
+        * heap/MarkedSpace.h:
+        (MarkedSpace):
+        (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor):
+        (JSC::MarkedSpace::normalDestructorAllocatorFor):
+        (JSC::MarkedSpace::allocateWithImmortalStructureDestructor):
+        (JSC::MarkedSpace::allocateWithNormalDestructor):
+        (JSC::MarkedSpace::forEachBlock):
+        * heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function.
+        * jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT.
+        * jit/JITInlineMethods.h:
+        (JSC::JIT::emitAllocateBasicJSObject):
+        (JSC::JIT::emitAllocateJSFinalObject):
+        (JSC::JIT::emitAllocateJSArray):
+        * jsc.cpp: 
+        (GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from 
+        JSDestructibleObject.
+        * runtime/Arguments.cpp: Inherit from JSDestructibleObject.
+        (JSC):
+        * runtime/Arguments.h:
+        (Arguments):
+        (JSC::Arguments::Arguments):
+        * runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor.
+        (JSC):
+        * runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures.
+        (JSC):
+        * runtime/InternalFunction.cpp: Inherit from JSDestructibleObject.
+        (JSC):
+        (JSC::InternalFunction::InternalFunction):
+        * runtime/InternalFunction.h:
+        (InternalFunction):
+        * runtime/JSCell.h: Added the NEEDS_DESTRUCTOR  macro to make it easier for classes to indicate that instead of being 
+        allocated in a destructor MarkedAllocator that they will handle their destruction themselves through the 
+        use of a finalizer.
+        (JSC):
+        (HasImmortalStructure): New template to help us determine at compile-time if a particular class 
+        should be allocated in the immortal structure MarkedAllocator. The default value is false. In order 
+        to be allocated in the immortal structure allocator, classes must specialize this template. Also added 
+        a macro to make it easier for classes to specialize the template.
+        (JSC::allocateCell): Use the appropriate allocator depending on the destructor type.
+        * runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be 
+        accessed safely when the object is being destroyed.
+        (JSC):
+        (JSDestructibleObject):
+        (JSC::JSDestructibleObject::classInfo):
+        (JSC::JSDestructibleObject::JSDestructibleObject):
+        (JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe.
+        * runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all 
+        of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well.
+        (JSC::JSGlobalObject::reset):
+        * runtime/JSGlobalObject.h:
+        (JSGlobalObject):
+        (JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one 
+        for the m_rareData field when it's created.
+        (JSC::JSGlobalObject::create):
+        (JSC):
+        * runtime/JSGlobalThis.h: Inherit from JSDestructibleObject.
+        (JSGlobalThis):
+        (JSC::JSGlobalThis::JSGlobalThis):
+        * runtime/JSPropertyNameIterator.h: Has an immortal Structure.
+        (JSC):
+        * runtime/JSScope.cpp:
+        (JSC):
+        * runtime/JSString.h: Has an immortal Structure.
+        (JSC):
+        * runtime/JSWrapperObject.h: Inherit from JSDestructibleObject.
+        (JSWrapperObject):
+        (JSC::JSWrapperObject::JSWrapperObject):
+        * runtime/MathObject.cpp: Cleaning up some of the inheritance stuff.
+        (JSC):
+        * runtime/NameInstance.h: Inherit from JSDestructibleObject.
+        (NameInstance):
+        * runtime/RegExp.h: Has immortal Structure.
+        (JSC):
+        * runtime/RegExpObject.cpp: Inheritance cleanup.
+        (JSC):
+        * runtime/SparseArrayValueMap.h: Has immortal Structure.
+        (JSC):
+        * runtime/Structure.h: Has immortal Structure.
+        (JSC):
+        * runtime/StructureChain.h: Ditto.
+        (JSC):
+        * runtime/SymbolTable.h: Ditto.
+        (SharedSymbolTable):
+        (JSC):
+
+<<<<<<< .mine
+2012-09-16  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Delayed structure sweep can leak structures without bound
+        https://bugs.webkit.org/show_bug.cgi?id=96546
+
+        Reviewed by Gavin Barraclough.
+
+        This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
+        allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
+        those objects with destructors and with immortal structures, and those objects with destructors that don't have 
+        immortal structures. All of the objects of the third type (destructors without immortal structures) now 
+        inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores 
+        the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.
+
+        * API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.
+        (JSC):
+        (JSC::JSCallbackConstructor::JSCallbackConstructor):
+        * API/JSCallbackConstructor.h:
+        (JSCallbackConstructor):
+        * API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for 
+        JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer.
+        (JSC):
+        (JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add 
+        the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides 
+        to subclass this. We use this same technique for many other subclasses of JSGlobalObject.
+        (JSC::::createStructure):
+        * API/JSCallbackObject.h:
+        (JSCallbackObject):
+        (JSC):
+        * API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead.
+        (OpaqueJSClass::prototype):
+        * API/JSObjectRef.cpp: Ditto.
+        (JSObjectMake):
+        (JSObjectGetPrivate):
+        (JSObjectSetPrivate):
+        (JSObjectGetPrivateProperty):
+        (JSObjectSetPrivateProperty):
+        (JSObjectDeletePrivateProperty):
+        * API/JSValueRef.cpp: Ditto.
+        (JSValueIsObjectOfClass):
+        * API/JSWeakObjectMapRefPrivate.cpp: Ditto.
+        * JSCTypedArrayStubs.h:
+        (JSC):
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG.
+        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
+        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
+        * heap/Heap.cpp:
+        (JSC):
+        * heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function 
+        since it's always safe to sweep Structures now.
+        (JSC::Heap::allocatorForObjectWithNormalDestructor): 
+        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
+        (Heap):
+        (JSC::Heap::allocateWithNormalDestructor):
+        (JSC):
+        (JSC::Heap::allocateWithImmortalStructureDestructor):
+        * heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the 
+        IncrementalSweeper since it's always safe to sweep Structures now.
+        (JSC::IncrementalSweeper::IncrementalSweeper):
+        (JSC::IncrementalSweeper::sweepNextBlock):
+        (JSC::IncrementalSweeper::startSweeping):
+        (JSC::IncrementalSweeper::willFinishSweeping):
+        (JSC):
+        * heap/IncrementalSweeper.h:
+        (IncrementalSweeper):
+        * heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add 
+        tracking of the specific destructor type of allocator. 
+        (JSC::MarkedAllocator::tryAllocateHelper):
+        (JSC::MarkedAllocator::allocateBlock):
+        * heap/MarkedAllocator.h:
+        (JSC::MarkedAllocator::destructorType):
+        (MarkedAllocator):
+        (JSC::MarkedAllocator::MarkedAllocator):
+        (JSC::MarkedAllocator::init):
+        * heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping. 
+        We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls.
+        (JSC::MarkedBlock::create):
+        (JSC::MarkedBlock::MarkedBlock):
+        (JSC):
+        (JSC::MarkedBlock::specializedSweep):
+        (JSC::MarkedBlock::sweep):
+        (JSC::MarkedBlock::sweepHelper):
+        * heap/MarkedBlock.h:
+        (JSC):
+        (JSC::MarkedBlock::allocator):
+        (JSC::MarkedBlock::destructorType):
+        * heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace.
+        (JSC::MarkedSpace::MarkedSpace):
+        (JSC::MarkedSpace::resetAllocators):
+        (JSC::MarkedSpace::canonicalizeCellLivenessData):
+        (JSC::MarkedSpace::isPagedOut):
+        (JSC::MarkedSpace::freeBlock):
+        * heap/MarkedSpace.h:
+        (MarkedSpace):
+        (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor):
+        (JSC::MarkedSpace::normalDestructorAllocatorFor):
+        (JSC::MarkedSpace::allocateWithImmortalStructureDestructor):
+        (JSC::MarkedSpace::allocateWithNormalDestructor):
+        (JSC::MarkedSpace::forEachBlock):
+        * heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function.
+        * jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT.
+        * jit/JITInlineMethods.h:
+        (JSC::JIT::emitAllocateBasicJSObject):
+        (JSC::JIT::emitAllocateJSFinalObject):
+        (JSC::JIT::emitAllocateJSArray):
+        * jsc.cpp: 
+        (GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from 
+        JSDestructibleObject.
+        * runtime/Arguments.cpp: Inherit from JSDestructibleObject.
+        (JSC):
+        * runtime/Arguments.h:
+        (Arguments):
+        (JSC::Arguments::Arguments):
+        * runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor.
+        (JSC):
+        * runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures.
+        (JSC):
+        * runtime/InternalFunction.cpp: Inherit from JSDestructibleObject.
+        (JSC):
+        (JSC::InternalFunction::InternalFunction):
+        * runtime/InternalFunction.h:
+        (InternalFunction):
+        * runtime/JSCell.h: Added the NEEDS_DESTRUCTOR  macro to make it easier for classes to indicate that instead of being 
+        allocated in a destructor MarkedAllocator that they will handle their destruction themselves through the 
+        use of a finalizer.
+        (JSC):
+        (HasImmortalStructure): New template to help us determine at compile-time if a particular class 
+        should be allocated in the immortal structure MarkedAllocator. The default value is false. In order 
+        to be allocated in the immortal structure allocator, classes must specialize this template. Also added 
+        a macro to make it easier for classes to specialize the template.
+        (JSC::allocateCell): Use the appropriate allocator depending on the destructor type.
+        * runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be 
+        accessed safely when the object is being destroyed.
+        (JSC):
+        (JSDestructibleObject):
+        (JSC::JSDestructibleObject::classInfo):
+        (JSC::JSDestructibleObject::JSDestructibleObject):
+        (JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe.
+        * runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all 
+        of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well.
+        (JSC::JSGlobalObject::reset):
+        * runtime/JSGlobalObject.h:
+        (JSGlobalObject):
+        (JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one 
+        for the m_rareData field when it's created.
+        (JSC::JSGlobalObject::create):
+        (JSC):
+        * runtime/JSGlobalThis.h: Inherit from JSDestructibleObject.
+        (JSGlobalThis):
+        (JSC::JSGlobalThis::JSGlobalThis):
+        * runtime/JSPropertyNameIterator.h: Has an immortal Structure.
+        (JSC):
+        * runtime/JSScope.cpp:
+        (JSC):
+        * runtime/JSString.h: Has an immortal Structure.
+        (JSC):
+        * runtime/JSWrapperObject.h: Inherit from JSDestructibleObject.
+        (JSWrapperObject):
+        (JSC::JSWrapperObject::JSWrapperObject):
+        * runtime/MathObject.cpp: Cleaning up some of the inheritance stuff.
+        (JSC):
+        * runtime/NameInstance.h: Inherit from JSDestructibleObject.
+        (NameInstance):
+        * runtime/RegExp.h: Has immortal Structure.
+        (JSC):
+        * runtime/RegExpObject.cpp: Inheritance cleanup.
+        (JSC):
+        * runtime/SparseArrayValueMap.h: Has immortal Structure.
+        (JSC):
+        * runtime/Structure.h: Has immortal Structure.
+        (JSC):
+        * runtime/StructureChain.h: Ditto.
+        (JSC):
+        * runtime/SymbolTable.h: Ditto.
+        (SharedSymbolTable):
+        (JSC):
+
+=======
 2012-09-17  Filip Pizlo  <fpizlo@apple.com>
 
@@ -234 +592 @@
         * llint/LowLevelInterpreter64.asm:
 
+>>>>>>> .r128811
 2012-09-17  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/GNUmakefile.list.am

@@ -534 +534 @@
         Source/JavaScriptCore/runtime/JSDateMath.cpp \
         Source/JavaScriptCore/runtime/JSDateMath.h \
+    Source/JavaScriptCore/runtime/JSDestructibleObject.h \
         Source/JavaScriptCore/runtime/JSFunction.cpp \
         Source/JavaScriptCore/runtime/JSFunction.h \

trunk/Source/JavaScriptCore/JSCTypedArrayStubs.h

@@ -27 +27 @@
 #define JSCTypedArrayStubs_h
 
-#include "JSObject.h"
+#include "JSDestructibleObject.h"
 #include "ObjectPrototype.h"
 #include <wtf/Float32Array.h>
@@ -43 +43 @@
     
 #define TYPED_ARRAY(name, type) \
-class JS##name##Array : public JSNonFinalObject { \
+class JS##name##Array : public JSDestructibleObject { \
 public: \
-    typedef JSNonFinalObject Base; \
+    typedef JSDestructibleObject Base; \
     static JS##name##Array* create(JSC::Structure* structure, JSGlobalObject* globalObject, PassRefPtr<name##Array> impl) \
     { \

trunk/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj

@@ -842 +842 @@
                                 >
                         </File>
+            <File
+                RelativePath="..\..\runtime\JSDestructibleObject.h"
+                >
+            </File>
                         <File
                                 RelativePath="..\..\runtime\JSFunction.cpp"

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -709 +709 @@
                 C22B31B9140577D700DB475A /* SamplingCounter.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F77008E1402FDD60078EB39 /* SamplingCounter.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 C240305514B404E60079EB64 /* CopiedSpace.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C240305314B404C90079EB64 /* CopiedSpace.cpp */; };
+                C25177F81607D0A6000A233C /* JSDestructibleObject.h in Headers */ = {isa = PBXBuildFile; fileRef = C25177F71607D0A6000A233C /* JSDestructibleObject.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 C25F8BCD157544A900245B71 /* IncrementalSweeper.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C25F8BCB157544A900245B71 /* IncrementalSweeper.cpp */; };
                 C25F8BCE157544A900245B71 /* IncrementalSweeper.h in Headers */ = {isa = PBXBuildFile; fileRef = C25F8BCC157544A900245B71 /* IncrementalSweeper.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -1482 +1483 @@
                 C225494215F7DBAA0065E898 /* SlotVisitor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SlotVisitor.cpp; sourceTree = "<group>"; };
                 C240305314B404C90079EB64 /* CopiedSpace.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CopiedSpace.cpp; sourceTree = "<group>"; };
+                C25177F71607D0A6000A233C /* JSDestructibleObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSDestructibleObject.h; sourceTree = "<group>"; };
                 C25F8BCB157544A900245B71 /* IncrementalSweeper.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = IncrementalSweeper.cpp; sourceTree = "<group>"; };
                 C25F8BCC157544A900245B71 /* IncrementalSweeper.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IncrementalSweeper.h; sourceTree = "<group>"; };
@@ -2044 +2046 @@
                         isa = PBXGroup;
                         children = (
+                                C25177F71607D0A6000A233C /* JSDestructibleObject.h */,
                                 0F0CD4C315F6B6B50032F1C0 /* SparseArrayValueMap.cpp */,
                                 0F0CD4C015F1A6040032F1C0 /* PutDirectIndexMode.h */,
@@ -2564 +2567 @@
                                 C2EAD2FC14F0249800A4B159 /* CopiedAllocator.h in Headers */,
                                 C2B916C214DA014E00CBAC86 /* MarkedAllocator.h in Headers */,
+                                C25177F81607D0A6000A233C /* JSDestructibleObject.h in Headers */,
                                 FE20CE9E15F04A9500DF3430 /* LLIntCLoop.h in Headers */,
                                 C21122E215DD9AB300790E3A /* GCThreadSharedData.h in Headers */,

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -2190 +2190 @@
     // It is NOT okay for the structure and the scratch register to be the same thing because if they are then the Structure will 
     // get clobbered. 
-    template <typename ClassType, bool destructor, typename StructureType> 
+    template <typename ClassType, MarkedBlock::DestructorType destructorType, typename StructureType> 
     void emitAllocateBasicJSObject(StructureType structure, GPRReg resultGPR, GPRReg scratchGPR, MacroAssembler::JumpList& slowPath)
     {
         MarkedAllocator* allocator = 0;
-        if (destructor)
-            allocator = &m_jit.globalData()->heap.allocatorForObjectWithDestructor(sizeof(ClassType));
+        if (destructorType == MarkedBlock::Normal)
+            allocator = &m_jit.globalData()->heap.allocatorForObjectWithNormalDestructor(sizeof(ClassType));
+        else if (destructorType == MarkedBlock::ImmortalStructure)
+            allocator = &m_jit.globalData()->heap.allocatorForObjectWithImmortalStructureDestructor(sizeof(ClassType));
         else
             allocator = &m_jit.globalData()->heap.allocatorForObjectWithoutDestructor(sizeof(ClassType));
@@ -2217 +2219 @@
     void emitAllocateJSFinalObject(T structure, GPRReg resultGPR, GPRReg scratchGPR, MacroAssembler::JumpList& slowPath)
     {
-        return emitAllocateBasicJSObject<JSFinalObject, false>(structure, resultGPR, scratchGPR, slowPath);
+        return emitAllocateBasicJSObject<JSFinalObject, MarkedBlock::None>(structure, resultGPR, scratchGPR, slowPath);
     }
 

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -831 +831 @@
 }
 
-bool Heap::isSafeToSweepStructures()
-{
-    return !m_sweeper || m_sweeper->structuresCanBeSwept();
-}
-
 void Heap::didStartVMShutdown()
 {

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -113 +113 @@
         MarkedAllocator& firstAllocatorWithoutDestructors() { return m_objectSpace.firstAllocator(); }
         MarkedAllocator& allocatorForObjectWithoutDestructor(size_t bytes) { return m_objectSpace.allocatorFor(bytes); }
-        MarkedAllocator& allocatorForObjectWithDestructor(size_t bytes) { return m_objectSpace.destructorAllocatorFor(bytes); }
+        MarkedAllocator& allocatorForObjectWithNormalDestructor(size_t bytes) { return m_objectSpace.normalDestructorAllocatorFor(bytes); }
+        MarkedAllocator& allocatorForObjectWithImmortalStructureDestructor(size_t bytes) { return m_objectSpace.immortalStructureDestructorAllocatorFor(bytes); }
         CopiedAllocator& storageAllocator() { return m_storageSpace.allocator(); }
         CheckedBoolean tryAllocateStorage(size_t, void**);
@@ -169 +170 @@
 
         bool isPagedOut(double deadline);
-        bool isSafeToSweepStructures();
         void didStartVMShutdown();
 
@@ -185 +185 @@
         template<typename T> friend void* allocateCell(Heap&, size_t);
 
-        void* allocateWithDestructor(size_t);
-        void* allocateWithoutDestructor(size_t);
-        void* allocateStructure(size_t);
+        void* allocateWithImmortalStructureDestructor(size_t); // For use with special objects whose Structures never die.
+        void* allocateWithNormalDestructor(size_t); // For use with objects that inherit directly or indirectly from JSDestructibleObject.
+        void* allocateWithoutDestructor(size_t); // For use with objects without destructors.
 
         static const size_t minExtraCost = 256;
@@ -362 +362 @@
     }
 
-    inline void* Heap::allocateWithDestructor(size_t bytes)
+    inline void* Heap::allocateWithNormalDestructor(size_t bytes)
     {
         ASSERT(isValidAllocation(bytes));
-        return m_objectSpace.allocateWithDestructor(bytes);
+        return m_objectSpace.allocateWithNormalDestructor(bytes);
+    }
+    
+    inline void* Heap::allocateWithImmortalStructureDestructor(size_t bytes)
+    {
+        ASSERT(isValidAllocation(bytes));
+        return m_objectSpace.allocateWithImmortalStructureDestructor(bytes);
     }
     
@@ -374 +380 @@
     }
    
-    inline void* Heap::allocateStructure(size_t bytes)
-    {
-        return m_objectSpace.allocateStructure(bytes);
-    }
- 
     inline CheckedBoolean Heap::tryAllocateStorage(size_t bytes, void** outPtr)
     {

trunk/Source/JavaScriptCore/heap/IncrementalSweeper.cpp

@@ -49 +49 @@
     : HeapTimer(heap->globalData(), runLoop)
     , m_currentBlockToSweepIndex(0)
-    , m_structuresCanBeSwept(false)
 {
 }
@@ -73 +72 @@
     : HeapTimer(heap->globalData())
     , m_currentBlockToSweepIndex(0)
-    , m_structuresCanBeSwept(false)
 {
 }
@@ -120 +118 @@
     while (m_currentBlockToSweepIndex < m_blocksToSweep.size()) {
         MarkedBlock* block = m_blocksToSweep[m_currentBlockToSweepIndex++];
-        if (block->onlyContainsStructures())
-            m_structuresCanBeSwept = true;
-        else
-            ASSERT(!m_structuresCanBeSwept);
 
         if (!block->needsSweeping())
@@ -140 +134 @@
     m_globalData->heap.objectSpace().forEachBlock(functor);
     m_currentBlockToSweepIndex = 0;
-    m_structuresCanBeSwept = false;
     scheduleTimer();
 }
@@ -147 +140 @@
 {
     m_currentBlockToSweepIndex = 0;
-    m_structuresCanBeSwept = true;
     m_blocksToSweep.clear();
     if (m_globalData)
@@ -157 +149 @@
 IncrementalSweeper::IncrementalSweeper(JSGlobalData* globalData)
     : HeapTimer(globalData)
-    , m_structuresCanBeSwept(false)
 {
 }
@@ -172 +163 @@
 void IncrementalSweeper::startSweeping(const HashSet<MarkedBlock*>&)
 {
-    m_structuresCanBeSwept = false;
 }
 
 void IncrementalSweeper::willFinishSweeping()
 {
-    m_structuresCanBeSwept = true;
 }
 
@@ -186 +175 @@
 #endif
 
-bool IncrementalSweeper::structuresCanBeSwept()
-{
-    return m_structuresCanBeSwept;
-}
-
 } // namespace JSC

trunk/Source/JavaScriptCore/heap/IncrementalSweeper.h

@@ -57 +57 @@
     virtual void doWork();
     void sweepNextBlock();
-    bool structuresCanBeSwept();
     void willFinishSweeping();
 
@@ -79 +78 @@
     
 #endif
-    bool m_structuresCanBeSwept;
 };
 

trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp

@@ -31 +31 @@
 {
     if (!m_freeList.head) {
-        if (m_onlyContainsStructures && !m_heap->isSafeToSweepStructures()) {
-            if (m_currentBlock) {
-                m_currentBlock->didConsumeFreeList();
-                m_currentBlock = 0;
-            }
-            // We sweep another random block here so that we can make progress
-            // toward being able to sweep Structures.
-            m_heap->sweeper()->sweepNextBlock();
-            return 0;
-        }
-
         for (MarkedBlock*& block = m_blocksToSweep; block; block = block->next()) {
             MarkedBlock::FreeList freeList = block->sweep(MarkedBlock::SweepToFreeList);
@@ -125 +114 @@
     if (blockSize == MarkedBlock::blockSize) {
         PageAllocationAligned allocation = m_heap->blockAllocator().allocate();
-        return MarkedBlock::create(allocation, m_heap, cellSize, m_cellsNeedDestruction, m_onlyContainsStructures);
+        return MarkedBlock::create(allocation, this, cellSize, m_destructorType);
     }
 
@@ -131 +120 @@
     if (!static_cast<bool>(allocation))
         CRASH();
-    return MarkedBlock::create(allocation, m_heap, cellSize, m_cellsNeedDestruction, m_onlyContainsStructures);
+    return MarkedBlock::create(allocation, this, cellSize, m_destructorType);
 }
 

trunk/Source/JavaScriptCore/heap/MarkedAllocator.h

@@ -24 +24 @@
     void canonicalizeCellLivenessData();
     size_t cellSize() { return m_cellSize; }
-    bool cellsNeedDestruction() { return m_cellsNeedDestruction; }
-    bool onlyContainsStructures() { return m_onlyContainsStructures; }
+    MarkedBlock::DestructorType destructorType() { return m_destructorType; }
     void* allocate(size_t);
     Heap* heap() { return m_heap; }
@@ -33 +32 @@
     void addBlock(MarkedBlock*);
     void removeBlock(MarkedBlock*);
-    void init(Heap*, MarkedSpace*, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures);
+    void init(Heap*, MarkedSpace*, size_t cellSize, MarkedBlock::DestructorType);
 
     bool isPagedOut(double deadline);
@@ -50 +49 @@
     DoublyLinkedList<MarkedBlock> m_blockList;
     size_t m_cellSize;
-    bool m_cellsNeedDestruction;
-    bool m_onlyContainsStructures;
+    MarkedBlock::DestructorType m_destructorType;
     Heap* m_heap;
     MarkedSpace* m_markedSpace;
@@ -60 +58 @@
     , m_blocksToSweep(0)
     , m_cellSize(0)
-    , m_cellsNeedDestruction(true)
-    , m_onlyContainsStructures(false)
+    , m_destructorType(MarkedBlock::None)
     , m_heap(0)
     , m_markedSpace(0)
@@ -67 +64 @@
 }
 
-inline void MarkedAllocator::init(Heap* heap, MarkedSpace* markedSpace, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures)
+inline void MarkedAllocator::init(Heap* heap, MarkedSpace* markedSpace, size_t cellSize, MarkedBlock::DestructorType destructorType)
 {
     m_heap = heap;
     m_markedSpace = markedSpace;
     m_cellSize = cellSize;
-    m_cellsNeedDestruction = cellsNeedDestruction;
-    m_onlyContainsStructures = onlyContainsStructures;
+    m_destructorType = destructorType;
 }
 

trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -29 +29 @@
 #include "IncrementalSweeper.h"
 #include "JSCell.h"
-#include "JSObject.h"
+#include "JSDestructibleObject.h"
 
 
 namespace JSC {
 
-MarkedBlock* MarkedBlock::create(const PageAllocationAligned& allocation, Heap* heap, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures)
+MarkedBlock* MarkedBlock::create(const PageAllocationAligned& allocation, MarkedAllocator* allocator, size_t cellSize, DestructorType destructorType)
 {
-    return new (NotNull, allocation.base()) MarkedBlock(allocation, heap, cellSize, cellsNeedDestruction, onlyContainsStructures);
+    return new (NotNull, allocation.base()) MarkedBlock(allocation, allocator, cellSize, destructorType);
 }
 
-MarkedBlock::MarkedBlock(const PageAllocationAligned& allocation, Heap* heap, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures)
+MarkedBlock::MarkedBlock(const PageAllocationAligned& allocation, MarkedAllocator* allocator, size_t cellSize, DestructorType destructorType)
     : HeapBlock<MarkedBlock>(allocation)
     , m_atomsPerCell((cellSize + atomSize - 1) / atomSize)
     , m_endAtom(atomsPerBlock - m_atomsPerCell + 1)
-    , m_cellsNeedDestruction(cellsNeedDestruction)
-    , m_onlyContainsStructures(onlyContainsStructures)
+    , m_destructorType(destructorType)
+    , m_allocator(allocator)
     , m_state(New) // All cells start out unmarked.
-    , m_weakSet(heap->globalData())
+    , m_weakSet(allocator->heap()->globalData())
 {
-    ASSERT(heap);
+    ASSERT(allocator);
     HEAP_LOG_BLOCK_STATE_TRANSITION(this);
 }
@@ -66 +66 @@
 }
 
-template<MarkedBlock::BlockState blockState, MarkedBlock::SweepMode sweepMode, bool destructorCallNeeded>
+template<MarkedBlock::BlockState blockState, MarkedBlock::SweepMode sweepMode, MarkedBlock::DestructorType dtorType>
 MarkedBlock::FreeList MarkedBlock::specializedSweep()
 {
     ASSERT(blockState != Allocated && blockState != FreeListed);
-    ASSERT(destructorCallNeeded || sweepMode != SweepOnly);
+    ASSERT(!(dtorType == MarkedBlock::None && sweepMode == SweepOnly));
 
     // This produces a free list that is ordered in reverse through the block.
@@ -83 +83 @@
         JSCell* cell = reinterpret_cast_ptr<JSCell*>(&atoms()[i]);
 
-        if (destructorCallNeeded && blockState != New)
+        if (dtorType != MarkedBlock::None && blockState != New)
             callDestructor(cell);
 
@@ -104 +104 @@
     m_weakSet.sweep();
 
-    if (sweepMode == SweepOnly && !m_cellsNeedDestruction)
+    if (sweepMode == SweepOnly && m_destructorType == MarkedBlock::None)
         return FreeList();
 
-    if (m_cellsNeedDestruction)
-        return sweepHelper<true>(sweepMode);
-    return sweepHelper<false>(sweepMode);
+    if (m_destructorType == MarkedBlock::ImmortalStructure)
+        return sweepHelper<MarkedBlock::ImmortalStructure>(sweepMode);
+    if (m_destructorType == MarkedBlock::Normal)
+        return sweepHelper<MarkedBlock::Normal>(sweepMode);
+    return sweepHelper<MarkedBlock::None>(sweepMode);
 }
 
-template<bool destructorCallNeeded>
+template<MarkedBlock::DestructorType dtorType>
 MarkedBlock::FreeList MarkedBlock::sweepHelper(SweepMode sweepMode)
 {
@@ -118 +120 @@
     case New:
         ASSERT(sweepMode == SweepToFreeList);
-        return specializedSweep<New, SweepToFreeList, destructorCallNeeded>();
+        return specializedSweep<New, SweepToFreeList, dtorType>();
     case FreeListed:
         // Happens when a block transitions to fully allocated.
@@ -127 +129 @@
         return FreeList();
     case Marked:
-        ASSERT(!m_onlyContainsStructures || heap()->isSafeToSweepStructures());
         return sweepMode == SweepToFreeList
-            ? specializedSweep<Marked, SweepToFreeList, destructorCallNeeded>()
-            : specializedSweep<Marked, SweepOnly, destructorCallNeeded>();
+            ? specializedSweep<Marked, SweepToFreeList, dtorType>()
+            : specializedSweep<Marked, SweepOnly, dtorType>();
     }
 

trunk/Source/JavaScriptCore/heap/MarkedBlock.h

@@ -53 +53 @@
     class Heap;
     class JSCell;
+    class MarkedAllocator;
 
     typedef uintptr_t Bits;
@@ -113 +114 @@
         };
 
-        static MarkedBlock* create(const PageAllocationAligned&, Heap*, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures);
+        enum DestructorType { None, ImmortalStructure, Normal };
+        static MarkedBlock* create(const PageAllocationAligned&, MarkedAllocator*, size_t cellSize, DestructorType);
 
         static bool isAtomAligned(const void*);
@@ -121 +123 @@
         void lastChanceToFinalize();
 
+        MarkedAllocator* allocator() const;
         Heap* heap() const;
         JSGlobalData* globalData() const;
@@ -144 +147 @@
 
         size_t cellSize();
-        bool cellsNeedDestruction();
-        bool onlyContainsStructures();
+        DestructorType destructorType();
 
         size_t size();
@@ -195 +197 @@
 
         enum BlockState { New, FreeListed, Allocated, Marked };
-        template<bool destructorCallNeeded> FreeList sweepHelper(SweepMode = SweepOnly);
+        template<DestructorType> FreeList sweepHelper(SweepMode = SweepOnly);
 
         typedef char Atom[atomSize];
 
-        MarkedBlock(const PageAllocationAligned&, Heap*, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures);
+        MarkedBlock(const PageAllocationAligned&, MarkedAllocator*, size_t cellSize, DestructorType);
         Atom* atoms();
         size_t atomNumber(const void*);
         void callDestructor(JSCell*);
-        template<BlockState, SweepMode, bool destructorCallNeeded> FreeList specializedSweep();
+        template<BlockState, SweepMode, DestructorType> FreeList specializedSweep();
         
 #if ENABLE(GGC)
@@ -216 +218 @@
         WTF::Bitmap<atomsPerBlock, WTF::BitmapNotAtomic> m_marks;
 #endif
-        bool m_cellsNeedDestruction;
-        bool m_onlyContainsStructures;
+        DestructorType m_destructorType;
+        MarkedAllocator* m_allocator;
         BlockState m_state;
         WeakSet m_weakSet;
@@ -262 +264 @@
     }
 
+    inline MarkedAllocator* MarkedBlock::allocator() const
+    {
+        return m_allocator;
+    }
+
     inline Heap* MarkedBlock::heap() const
     {
@@ -327 +334 @@
     }
 
-    inline bool MarkedBlock::cellsNeedDestruction()
-    {
-        return m_cellsNeedDestruction; 
-    }
-
-    inline bool MarkedBlock::onlyContainsStructures()
-    {
-        return m_onlyContainsStructures;
+    inline MarkedBlock::DestructorType MarkedBlock::destructorType()
+    {
+        return m_destructorType; 
     }
 

trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp

@@ -82 +82 @@
 {
     for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
-        allocatorFor(cellSize).init(heap, this, cellSize, false, false);
-        destructorAllocatorFor(cellSize).init(heap, this, cellSize, true, false);
-    }
-
-    for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
-        allocatorFor(cellSize).init(heap, this, cellSize, false, false);
-        destructorAllocatorFor(cellSize).init(heap, this, cellSize, true, false);
-    }
-
-    m_largeAllocator.init(heap, this, 0, true, false);
-    m_structureAllocator.init(heap, this, WTF::roundUpToMultipleOf(32, sizeof(Structure)), true, true);
+        allocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::None);
+        normalDestructorAllocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::Normal);
+        immortalStructureDestructorAllocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::ImmortalStructure);
+    }
+
+    for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
+        allocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::None);
+        normalDestructorAllocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::Normal);
+        immortalStructureDestructorAllocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::ImmortalStructure);
+    }
+
+    m_normalSpace.largeAllocator.init(heap, this, 0, MarkedBlock::None);
+    m_normalDestructorSpace.largeAllocator.init(heap, this, 0, MarkedBlock::Normal);
+    m_immortalStructureDestructorSpace.largeAllocator.init(heap, this, 0, MarkedBlock::ImmortalStructure);
 }
 
@@ -121 +124 @@
     for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
         allocatorFor(cellSize).reset();
-        destructorAllocatorFor(cellSize).reset();
+        normalDestructorAllocatorFor(cellSize).reset();
+        immortalStructureDestructorAllocatorFor(cellSize).reset();
     }
 
     for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
         allocatorFor(cellSize).reset();
-        destructorAllocatorFor(cellSize).reset();
-    }
-
-    m_largeAllocator.reset();
-    m_structureAllocator.reset();
+        normalDestructorAllocatorFor(cellSize).reset();
+        immortalStructureDestructorAllocatorFor(cellSize).reset();
+    }
+
+    m_normalSpace.largeAllocator.reset();
+    m_normalDestructorSpace.largeAllocator.reset();
+    m_immortalStructureDestructorSpace.largeAllocator.reset();
 }
 
@@ -148 +154 @@
     for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
         allocatorFor(cellSize).canonicalizeCellLivenessData();
-        destructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
+        normalDestructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
+        immortalStructureDestructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
     }
 
     for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
         allocatorFor(cellSize).canonicalizeCellLivenessData();
-        destructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
-    }
-
-    m_largeAllocator.canonicalizeCellLivenessData();
-    m_structureAllocator.canonicalizeCellLivenessData();
+        normalDestructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
+        immortalStructureDestructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
+    }
+
+    m_normalSpace.largeAllocator.canonicalizeCellLivenessData();
+    m_normalDestructorSpace.largeAllocator.canonicalizeCellLivenessData();
+    m_immortalStructureDestructorSpace.largeAllocator.canonicalizeCellLivenessData();
 }
 
@@ -163 +172 @@
 {
     for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
-        if (allocatorFor(cellSize).isPagedOut(deadline) || destructorAllocatorFor(cellSize).isPagedOut(deadline))
+        if (allocatorFor(cellSize).isPagedOut(deadline) 
+            || normalDestructorAllocatorFor(cellSize).isPagedOut(deadline) 
+            || immortalStructureDestructorAllocatorFor(cellSize).isPagedOut(deadline))
             return true;
     }
 
     for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
-        if (allocatorFor(cellSize).isPagedOut(deadline) || destructorAllocatorFor(cellSize).isPagedOut(deadline))
+        if (allocatorFor(cellSize).isPagedOut(deadline) 
+            || normalDestructorAllocatorFor(cellSize).isPagedOut(deadline) 
+            || immortalStructureDestructorAllocatorFor(cellSize).isPagedOut(deadline))
             return true;
     }
 
-    if (m_largeAllocator.isPagedOut(deadline))
+    if (m_normalSpace.largeAllocator.isPagedOut(deadline)
+        || m_normalDestructorSpace.largeAllocator.isPagedOut(deadline)
+        || m_immortalStructureDestructorSpace.largeAllocator.isPagedOut(deadline))
         return true;
 
-    if (m_structureAllocator.isPagedOut(deadline))
-        return true;
-
     return false;
 }
@@ -183 +195 @@
 void MarkedSpace::freeBlock(MarkedBlock* block)
 {
-    allocatorFor(block).removeBlock(block);
+    block->allocator()->removeBlock(block);
     m_blocks.remove(block);
     if (block->capacity() == MarkedBlock::blockSize) {

trunk/Source/JavaScriptCore/heap/MarkedSpace.h

@@ -77 +77 @@
     MarkedAllocator& firstAllocator();
     MarkedAllocator& allocatorFor(size_t);
-    MarkedAllocator& allocatorFor(MarkedBlock*);
-    MarkedAllocator& destructorAllocatorFor(size_t);
-    void* allocateWithDestructor(size_t);
+    MarkedAllocator& immortalStructureDestructorAllocatorFor(size_t);
+    MarkedAllocator& normalDestructorAllocatorFor(size_t);
+    void* allocateWithNormalDestructor(size_t);
+    void* allocateWithImmortalStructureDestructor(size_t);
     void* allocateWithoutDestructor(size_t);
-    void* allocateStructure(size_t);
  
     void resetAllocators();
@@ -130 +130 @@
         FixedArray<MarkedAllocator, preciseCount> preciseAllocators;
         FixedArray<MarkedAllocator, impreciseCount> impreciseAllocators;
+        MarkedAllocator largeAllocator;
     };
 
-    Subspace m_destructorSpace;
+    Subspace m_normalDestructorSpace;
+    Subspace m_immortalStructureDestructorSpace;
     Subspace m_normalSpace;
-    MarkedAllocator m_largeAllocator;
-    MarkedAllocator m_structureAllocator;
 
     Heap* m_heap;
@@ -169 +169 @@
     if (bytes <= impreciseCutoff)
         return m_normalSpace.impreciseAllocators[(bytes - 1) / impreciseStep];
-    return m_largeAllocator;
-}
-
-inline MarkedAllocator& MarkedSpace::allocatorFor(MarkedBlock* block)
-{
-    if (block->onlyContainsStructures())
-        return m_structureAllocator;
-
-    if (block->cellsNeedDestruction())
-        return destructorAllocatorFor(block->cellSize());
-
-    return allocatorFor(block->cellSize());
-}
-
-inline MarkedAllocator& MarkedSpace::destructorAllocatorFor(size_t bytes)
+    return m_normalSpace.largeAllocator;
+}
+
+inline MarkedAllocator& MarkedSpace::immortalStructureDestructorAllocatorFor(size_t bytes)
 {
     ASSERT(bytes);
     if (bytes <= preciseCutoff)
-        return m_destructorSpace.preciseAllocators[(bytes - 1) / preciseStep];
+        return m_immortalStructureDestructorSpace.preciseAllocators[(bytes - 1) / preciseStep];
     if (bytes <= impreciseCutoff)
-        return m_normalSpace.impreciseAllocators[(bytes - 1) / impreciseStep];
-    return m_largeAllocator;
+        return m_immortalStructureDestructorSpace.impreciseAllocators[(bytes - 1) / impreciseStep];
+    return m_immortalStructureDestructorSpace.largeAllocator;
+}
+
+inline MarkedAllocator& MarkedSpace::normalDestructorAllocatorFor(size_t bytes)
+{
+    ASSERT(bytes);
+    if (bytes <= preciseCutoff)
+        return m_normalDestructorSpace.preciseAllocators[(bytes - 1) / preciseStep];
+    if (bytes <= impreciseCutoff)
+        return m_normalDestructorSpace.impreciseAllocators[(bytes - 1) / impreciseStep];
+    return m_normalDestructorSpace.largeAllocator;
 }
 
@@ -198 +197 @@
 }
 
-inline void* MarkedSpace::allocateWithDestructor(size_t bytes)
-{
-    return destructorAllocatorFor(bytes).allocate(bytes);
-}
-
-inline void* MarkedSpace::allocateStructure(size_t bytes)
-{
-    return m_structureAllocator.allocate(bytes);
+inline void* MarkedSpace::allocateWithImmortalStructureDestructor(size_t bytes)
+{
+    return immortalStructureDestructorAllocatorFor(bytes).allocate(bytes);
+}
+
+inline void* MarkedSpace::allocateWithNormalDestructor(size_t bytes)
+{
+    return normalDestructorAllocatorFor(bytes).allocate(bytes);
 }
 
@@ -212 +211 @@
     for (size_t i = 0; i < preciseCount; ++i) {
         m_normalSpace.preciseAllocators[i].forEachBlock(functor);
-        m_destructorSpace.preciseAllocators[i].forEachBlock(functor);
+        m_normalDestructorSpace.preciseAllocators[i].forEachBlock(functor);
+        m_immortalStructureDestructorSpace.preciseAllocators[i].forEachBlock(functor);
     }
 
     for (size_t i = 0; i < impreciseCount; ++i) {
         m_normalSpace.impreciseAllocators[i].forEachBlock(functor);
-        m_destructorSpace.impreciseAllocators[i].forEachBlock(functor);
+        m_normalDestructorSpace.impreciseAllocators[i].forEachBlock(functor);
+        m_immortalStructureDestructorSpace.impreciseAllocators[i].forEachBlock(functor);
     }
 
-    m_largeAllocator.forEachBlock(functor);
-    m_structureAllocator.forEachBlock(functor);
+    m_normalSpace.largeAllocator.forEachBlock(functor);
+    m_normalDestructorSpace.largeAllocator.forEachBlock(functor);
+    m_immortalStructureDestructorSpace.largeAllocator.forEachBlock(functor);
 
     return functor.returnValue();

trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp

@@ -6 +6 @@
 #include "CopiedSpaceInlineMethods.h"
 #include "JSArray.h"
+#include "JSDestructibleObject.h"
 #include "JSGlobalData.h"
 #include "JSObject.h"

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -435 +435 @@
         void emitWriteBarrier(JSCell* owner, RegisterID value, RegisterID scratch, WriteBarrierMode, WriteBarrierUseKind);
 
-        template<typename ClassType, bool destructor, typename StructureType> void emitAllocateBasicJSObject(StructureType, RegisterID result, RegisterID storagePtr);
+        template<typename ClassType, MarkedBlock::DestructorType, typename StructureType> void emitAllocateBasicJSObject(StructureType, RegisterID result, RegisterID storagePtr);
         void emitAllocateBasicStorage(size_t, ptrdiff_t offsetFromBase, RegisterID result);
         template<typename T> void emitAllocateJSFinalObject(T structure, RegisterID result, RegisterID storagePtr);

trunk/Source/JavaScriptCore/jit/JITInlineMethods.h

@@ -406 +406 @@
 }
 
-template <typename ClassType, bool destructor, typename StructureType> inline void JIT::emitAllocateBasicJSObject(StructureType structure, RegisterID result, RegisterID storagePtr)
+template <typename ClassType, MarkedBlock::DestructorType destructorType, typename StructureType> inline void JIT::emitAllocateBasicJSObject(StructureType structure, RegisterID result, RegisterID storagePtr)
 {
     MarkedAllocator* allocator = 0;
-    if (destructor)
-        allocator = &m_globalData->heap.allocatorForObjectWithDestructor(sizeof(ClassType));
+    if (destructorType == MarkedBlock::Normal)
+        allocator = &m_globalData->heap.allocatorForObjectWithNormalDestructor(sizeof(ClassType));
+    else if (destructorType == MarkedBlock::ImmortalStructure)
+        allocator = &m_globalData->heap.allocatorForObjectWithImmortalStructureDestructor(sizeof(ClassType));
     else
         allocator = &m_globalData->heap.allocatorForObjectWithoutDestructor(sizeof(ClassType));
@@ -429 +431 @@
 template <typename T> inline void JIT::emitAllocateJSFinalObject(T structure, RegisterID result, RegisterID scratch)
 {
-    emitAllocateBasicJSObject<JSFinalObject, false, T>(structure, result, scratch);
+    emitAllocateBasicJSObject<JSFinalObject, MarkedBlock::None, T>(structure, result, scratch);
 }
 
@@ -455 +457 @@
     // Allocate the cell for the array.
     loadPtr(m_codeBlock->globalObject()->addressOfArrayStructure(), scratch);
-    emitAllocateBasicJSObject<JSArray, false>(scratch, cellResult, storagePtr);
+    emitAllocateBasicJSObject<JSArray, MarkedBlock::None>(scratch, cellResult, storagePtr);
 
     // Store all the necessary info in the ArrayStorage.

trunk/Source/JavaScriptCore/jsc.cpp

@@ -177 +177 @@
         GlobalObject* object = new (NotNull, allocateCell<GlobalObject>(globalData.heap)) GlobalObject(globalData, structure);
         object->finishCreation(globalData, arguments);
+        globalData.heap.addFinalizer(object, destroy);
         return object;
     }
@@ -244 +245 @@
     }
 };
+
+
+namespace JSC {
+NEEDS_DESTRUCTOR(GlobalObject, false);
+};
+
 COMPILE_ASSERT(!IsInteger<GlobalObject>::value, WTF_IsInteger_GlobalObject_false);
 ASSERT_CLASS_FITS_IN_CELL(GlobalObject);

trunk/Source/JavaScriptCore/runtime/Arguments.cpp

@@ -36 +36 @@
 ASSERT_CLASS_FITS_IN_CELL(Arguments);
 
-const ClassInfo Arguments::s_info = { "Arguments", &JSNonFinalObject::s_info, 0, 0, CREATE_METHOD_TABLE(Arguments) };
+const ClassInfo Arguments::s_info = { "Arguments", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(Arguments) };
 
 void Arguments::visitChildren(JSCell* cell, SlotVisitor& visitor)

trunk/Source/JavaScriptCore/runtime/Arguments.h

@@ -27 +27 @@
 #include "CodeOrigin.h"
 #include "JSActivation.h"
+#include "JSDestructibleObject.h"
 #include "JSFunction.h"
 #include "JSGlobalObject.h"
@@ -58 +59 @@
     };
 
-    class Arguments : public JSNonFinalObject {
+    class Arguments : public JSDestructibleObject {
     public:
-        typedef JSNonFinalObject Base;
+        typedef JSDestructibleObject Base;
 
         static Arguments* create(JSGlobalData& globalData, CallFrame* callFrame)
@@ -155 +156 @@
 
     inline Arguments::Arguments(CallFrame* callFrame)
-        : JSNonFinalObject(callFrame->globalData(), callFrame->lexicalGlobalObject()->argumentsStructure())
+        : JSDestructibleObject(callFrame->globalData(), callFrame->lexicalGlobalObject()->argumentsStructure())
         , d(adoptPtr(new ArgumentsData))
     {
@@ -161 +162 @@
 
     inline Arguments::Arguments(CallFrame* callFrame, NoParametersType)
-        : JSNonFinalObject(callFrame->globalData(), callFrame->lexicalGlobalObject()->argumentsStructure())
+        : JSDestructibleObject(callFrame->globalData(), callFrame->lexicalGlobalObject()->argumentsStructure())
         , d(adoptPtr(new ArgumentsData))
     {

trunk/Source/JavaScriptCore/runtime/ErrorPrototype.cpp

@@ -32 +32 @@
 
 ASSERT_CLASS_FITS_IN_CELL(ErrorPrototype);
+ASSERT_HAS_TRIVIAL_DESTRUCTOR(ErrorPrototype);
 
 static EncodedJSValue JSC_HOST_CALL errorProtoFuncToString(ExecState*);

trunk/Source/JavaScriptCore/runtime/Executable.h

@@ -258 +258 @@
     };
 
+    HAS_IMMORTAL_STRUCTURE(ExecutableBase);
+
     class NativeExecutable : public ExecutableBase {
         friend class JIT;
@@ -340 +342 @@
     };
 
+    HAS_IMMORTAL_STRUCTURE(NativeExecutable);
+
     class ScriptExecutable : public ExecutableBase {
     public:
@@ -468 +472 @@
     };
 
+    HAS_IMMORTAL_STRUCTURE(EvalExecutable);
+
     class ProgramExecutable : public ScriptExecutable {
         friend class LLIntOffsetsExtractor;
@@ -534 +540 @@
         OwnPtr<ProgramCodeBlock> m_programCodeBlock;
     };
+
+    HAS_IMMORTAL_STRUCTURE(ProgramExecutable);
 
     class FunctionExecutable : public ScriptExecutable {
@@ -755 +763 @@
         WriteBarrier<SharedSymbolTable> m_symbolTable;
     };
+
+    HAS_IMMORTAL_STRUCTURE(FunctionExecutable);
 
     inline JSFunction::JSFunction(JSGlobalData& globalData, FunctionExecutable* executable, JSScope* scope)

trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

@@ -33 +33 @@
 ASSERT_HAS_TRIVIAL_DESTRUCTOR(InternalFunction);
 
-const ClassInfo InternalFunction::s_info = { "Function", &JSNonFinalObject::s_info, 0, 0, CREATE_METHOD_TABLE(InternalFunction) };
+const ClassInfo InternalFunction::s_info = { "Function", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(InternalFunction) };
 
 InternalFunction::InternalFunction(JSGlobalObject* globalObject, Structure* structure)
-    : JSNonFinalObject(globalObject->globalData(), structure)
+    : JSDestructibleObject(globalObject->globalData(), structure)
 {
 }

trunk/Source/JavaScriptCore/runtime/InternalFunction.h

@@ -25 +25 @@
 #define InternalFunction_h
 
-#include "JSObject.h"
 #include "Identifier.h"
+#include "JSDestructibleObject.h"
 
 namespace JSC {
@@ -32 +32 @@
     class FunctionPrototype;
 
-    class InternalFunction : public JSNonFinalObject {
+    class InternalFunction : public JSDestructibleObject {
     public:
-        typedef JSNonFinalObject Base;
+        typedef JSDestructibleObject Base;
 
         static JS_EXPORTDATA const ClassInfo s_info;

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -37 +37 @@
 namespace JSC {
 
+    class JSDestructibleObject;
     class JSGlobalObject;
     class LLIntOffsetsExtractor;
@@ -322 +323 @@
 #endif
 
+    template<class T>
+    struct HasImmortalStructure {
+        static const bool value = false;
+    };
+
+#define HAS_IMMORTAL_STRUCTURE(klass) \
+    template <> \
+    struct HasImmortalStructure<klass> {\
+        static const bool value = true;\
+    }
+
+#define NEEDS_DESTRUCTOR(klass, v) \
+    template <> \
+    struct NeedsDestructor<klass> {\
+        static const bool value = v;\
+    }
+
     template<typename T>
     void* allocateCell(Heap& heap)
@@ -330 +348 @@
 #endif
         JSCell* result = 0;
-        if (NeedsDestructor<T>::value)
-            result = static_cast<JSCell*>(heap.allocateWithDestructor(sizeof(T)));
-        else {
-            ASSERT(T::s_info.methodTable.destroy == JSCell::destroy);
+        if (NeedsDestructor<T>::value && HasImmortalStructure<T>::value)
+            result = static_cast<JSCell*>(heap.allocateWithImmortalStructureDestructor(sizeof(T)));
+        else if (NeedsDestructor<T>::value && !HasImmortalStructure<T>::value)
+            result = static_cast<JSCell*>(heap.allocateWithNormalDestructor(sizeof(T)));
+        else
             result = static_cast<JSCell*>(heap.allocateWithoutDestructor(sizeof(T)));
-        }
         result->clearStructure();
         return result;
@@ -349 +367 @@
 #endif
         JSCell* result = 0;
-        if (NeedsDestructor<T>::value)
-            result = static_cast<JSCell*>(heap.allocateWithDestructor(size));
+        if (NeedsDestructor<T>::value && HasImmortalStructure<T>::value)
+            result = static_cast<JSCell*>(heap.allocateWithImmortalStructureDestructor(size));
+        else if (NeedsDestructor<T>::value && !HasImmortalStructure<T>::value)
+            result = static_cast<JSCell*>(heap.allocateWithNormalDestructor(size));
         else {
             ASSERT(T::s_info.methodTable.destroy == JSCell::destroy);
@@ -370 +390 @@
         return static_cast<To>(from);
     }
-
+    
     template<typename To>
     inline To jsCast(JSValue from)

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -229 +229 @@
     m_argumentsStructure.set(exec->globalData(), this, Arguments::createStructure(exec->globalData(), this, m_objectPrototype.get()));
     m_callbackConstructorStructure.set(exec->globalData(), this, JSCallbackConstructor::createStructure(exec->globalData(), this, m_objectPrototype.get()));
-    m_callbackObjectStructure.set(exec->globalData(), this, JSCallbackObject<JSNonFinalObject>::createStructure(exec->globalData(), this, m_objectPrototype.get()));
+    m_callbackObjectStructure.set(exec->globalData(), this, JSCallbackObject<JSDestructibleObject>::createStructure(exec->globalData(), this, m_objectPrototype.get()));
 
     m_arrayPrototype.set(exec->globalData(), this, ArrayPrototype::create(exec, this, ArrayPrototype::createStructure(exec->globalData(), this, m_objectPrototype.get())));

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -78 +78 @@
     class JSGlobalObject : public JSSegmentedVariableObject {
     private:
-        typedef JSSegmentedVariableObject Base;
         typedef HashSet<RefPtr<OpaqueJSWeakObjectMap> > WeakMapSet;
 
@@ -169 +168 @@
                 return;
             m_rareData = adoptPtr(new JSGlobalObjectRareData);
-            Heap::heap(this)->addFinalizer(this, clearRareData);
         }
         
     public:
+        typedef JSSegmentedVariableObject Base;
+
         static JSGlobalObject* create(JSGlobalData& globalData, Structure* structure)
         {
             JSGlobalObject* globalObject = new (NotNull, allocateCell<JSGlobalObject>(globalData.heap)) JSGlobalObject(globalData, structure);
             globalObject->finishCreation(globalData);
+            globalData.heap.addFinalizer(globalObject, destroy);
             return globalObject;
         }
@@ -380 +381 @@
     };
 
+    // We don't need to be allocated in the destructor space because we use a finalizer instead.
+    NEEDS_DESTRUCTOR(JSGlobalObject, false);
+
     JSGlobalObject* asGlobalObject(JSValue);
 

trunk/Source/JavaScriptCore/runtime/JSGlobalThis.h

@@ -27 +27 @@
 #define JSGlobalThis_h
 
-#include "JSObject.h"
+#include "JSDestructibleObject.h"
 
 namespace JSC {
 
-class JSGlobalThis : public JSNonFinalObject {
+class JSGlobalThis : public JSDestructibleObject {
 public:
-    typedef JSNonFinalObject Base;
+    typedef JSDestructibleObject Base;
 
     static JSGlobalThis* create(JSGlobalData& globalData, Structure* structure)
@@ -53 +53 @@
 protected:
     JSGlobalThis(JSGlobalData& globalData, Structure* structure)
-        : JSNonFinalObject(globalData, structure)
+        : JSDestructibleObject(globalData, structure)
     {
     }

trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h

@@ -105 +105 @@
     };
 
+    HAS_IMMORTAL_STRUCTURE(JSPropertyNameIterator);
+
     inline void Structure::setEnumerationCache(JSGlobalData& globalData, JSPropertyNameIterator* enumerationCache)
     {

trunk/Source/JavaScriptCore/runtime/JSScope.cpp

@@ -35 +35 @@
 
 ASSERT_CLASS_FITS_IN_CELL(JSScope);
+ASSERT_HAS_TRIVIAL_DESTRUCTOR(JSScope);
 
 void JSScope::visitChildren(JSCell* cell, SlotVisitor& visitor)

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -60 +60 @@
     JSRopeString* jsStringBuilder(JSGlobalData*);
 
+    HAS_IMMORTAL_STRUCTURE(JSString);
+
     class JSString : public JSCell {
     public:
@@ -321 +323 @@
         mutable FixedArray<WriteBarrier<JSString>, s_maxInternalRopeLength> m_fibers;
     };
+
+    HAS_IMMORTAL_STRUCTURE(JSRopeString);
 
     JSString* asString(JSValue);

trunk/Source/JavaScriptCore/runtime/JSWrapperObject.h

@@ -23 +23 @@
 #define JSWrapperObject_h
 
-#include "JSObject.h"
+#include "JSDestructibleObject.h"
 
 namespace JSC {
@@ -29 +29 @@
     // This class is used as a base for classes such as String,
     // Number, Boolean and Date which are wrappers for primitive types.
-    class JSWrapperObject : public JSNonFinalObject {
+    class JSWrapperObject : public JSDestructibleObject {
     public:
-        typedef JSNonFinalObject Base;
+        typedef JSDestructibleObject Base;
 
         JSValue internalValue() const;
@@ -52 +52 @@
 
     inline JSWrapperObject::JSWrapperObject(JSGlobalData& globalData, Structure* structure)
-        : JSNonFinalObject(globalData, structure)
+        : JSDestructibleObject(globalData, structure)
     {
     }

trunk/Source/JavaScriptCore/runtime/MathObject.cpp

@@ -34 +34 @@
 
 ASSERT_CLASS_FITS_IN_CELL(MathObject);
+ASSERT_HAS_TRIVIAL_DESTRUCTOR(MathObject);
 
 static EncodedJSValue JSC_HOST_CALL mathProtoFuncAbs(ExecState*);
@@ -60 +61 @@
 namespace JSC {
 
-ASSERT_HAS_TRIVIAL_DESTRUCTOR(MathObject);
-
-const ClassInfo MathObject::s_info = { "Math", &JSNonFinalObject::s_info, 0, ExecState::mathTable, CREATE_METHOD_TABLE(MathObject) };
+const ClassInfo MathObject::s_info = { "Math", &Base::s_info, 0, ExecState::mathTable, CREATE_METHOD_TABLE(MathObject) };
 
 /* Source for MathObject.lut.h

trunk/Source/JavaScriptCore/runtime/NameInstance.h

@@ -27 +27 @@
 #define NameInstance_h
 
-#include "JSObject.h"
+#include "JSDestructibleObject.h"
 #include "PrivateName.h"
 
 namespace JSC {
 
-class NameInstance : public JSNonFinalObject {
+class NameInstance : public JSDestructibleObject {
 public:
-    typedef JSNonFinalObject Base;
+    typedef JSDestructibleObject Base;
 
     static const ClassInfo s_info;

trunk/Source/JavaScriptCore/runtime/RegExp.h

@@ -124 +124 @@
     };
 
+    HAS_IMMORTAL_STRUCTURE(RegExp);
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp

@@ -51 +51 @@
 
 ASSERT_CLASS_FITS_IN_CELL(RegExpObject);
-
-const ClassInfo RegExpObject::s_info = { "RegExp", &JSNonFinalObject::s_info, 0, ExecState::regExpTable, CREATE_METHOD_TABLE(RegExpObject) };
+ASSERT_HAS_TRIVIAL_DESTRUCTOR(RegExpObject);
+
+const ClassInfo RegExpObject::s_info = { "RegExp", &Base::s_info, 0, ExecState::regExpTable, CREATE_METHOD_TABLE(RegExpObject) };
 
 /* Source for RegExpObject.lut.h

trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.h

@@ -132 +132 @@
 };
 
+HAS_IMMORTAL_STRUCTURE(SparseArrayValueMap);
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -474 +474 @@
     };
 
-    template <> inline void* allocateCell<Structure>(Heap& heap)
-    {
-#if ENABLE(GC_VALIDATION)
-        ASSERT(!heap.globalData()->isInitializingObject());
-        heap.globalData()->setInitializingObjectClass(&Structure::s_info);
-#endif
-        JSCell* result = static_cast<JSCell*>(heap.allocateStructure(sizeof(Structure)));
-        result->clearStructure();
-        return result;
-    }
+    HAS_IMMORTAL_STRUCTURE(Structure);
 
     inline Structure* Structure::create(JSGlobalData& globalData, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType)
@@ -629 +620 @@
     }
 
-    inline const ClassInfo* JSCell::classInfo() const
-    {
-#if ENABLE(GC_VALIDATION)
-        return m_structure.unvalidatedGet()->classInfo();
-#else
-        return m_structure->classInfo();
-#endif
-    }
-
 } // namespace JSC
 

trunk/Source/JavaScriptCore/runtime/StructureChain.h

@@ -83 +83 @@
     };
 
+    HAS_IMMORTAL_STRUCTURE(StructureChain);
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/runtime/SymbolTable.h

@@ -328 +328 @@
     class SharedSymbolTable : public JSCell, public SymbolTable {
     public:
+        typedef JSCell Base;
+
         static SharedSymbolTable* create(JSGlobalData& globalData)
         {
@@ -381 +383 @@
         int m_captureEnd;
     };
-    
+   
+    HAS_IMMORTAL_STRUCTURE(SharedSymbolTable);
+ 
 } // namespace JSC
 

trunk/Source/JavaScriptCore/testRegExp.cpp

@@ -116 +116 @@
     static GlobalObject* create(JSGlobalData& globalData, Structure* structure, const Vector<String>& arguments)
     {
-        return new (NotNull, allocateCell<GlobalObject>(globalData.heap)) GlobalObject(globalData, structure, arguments);
+        GlobalObject* globalObject = new (NotNull, allocateCell<GlobalObject>(globalData.heap)) GlobalObject(globalData, structure, arguments);
+        globalData.heap.addFinalizer(globalObject, destroy);
+        return globalObject;
     }
 
@@ -133 +135 @@
     }
 };
+
+namespace JSC {
+NEEDS_DESTRUCTOR(GlobalObject, false);
+}
 
 COMPILE_ASSERT(!IsInteger<GlobalObject>::value, WTF_IsInteger_GlobalObject_false);

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-09-16  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Delayed structure sweep can leak structures without bound
+        https://bugs.webkit.org/show_bug.cgi?id=96546
+
+        Reviewed by Gavin Barraclough.
+
+        This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
+        allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
+        those objects with destructors and with immortal structures, and those objects with destructors that don't have 
+        immortal structures. All of the objects of the third type (destructors without immortal structures) now 
+        inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores 
+        the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.
+
+        No new tests.
+
+        * ForwardingHeaders/runtime/JSDestructableObject.h: Added.
+        * bindings/js/JSDOMWrapper.h: Inherits from JSDestructibleObject.
+        (JSDOMWrapper):
+        (WebCore::JSDOMWrapper::JSDOMWrapper):
+        * bindings/scripts/CodeGeneratorJS.pm: Add finalizers to anything that inherits from JSGlobalObject,
+        e.g. JSDOMWindow and JSWorkerContexts. For those classes we also need to use the NEEDS_DESTRUCTOR macro.
+        (GenerateHeader):
+        * bridge/objc/objc_runtime.h: Inherit from JSDestructibleObject.
+        (ObjcFallbackObjectImp):
+        * bridge/objc/objc_runtime.mm:
+        (Bindings):
+        (JSC::Bindings::ObjcFallbackObjectImp::ObjcFallbackObjectImp):
+        * bridge/runtime_array.cpp: Use a finalizer so that JSArray isn't forced to inherit from JSDestructibleObject.
+        (JSC):
+        (JSC::RuntimeArray::destroy):
+        * bridge/runtime_array.h:
+        (JSC::RuntimeArray::create):
+        (JSC):
+        * bridge/runtime_object.cpp: Inherit from JSDestructibleObject.
+        (Bindings):
+        (JSC::Bindings::RuntimeObject::RuntimeObject):
+        * bridge/runtime_object.h:
+        (RuntimeObject):
+
+<<<<<<< .mine
+2012-09-16  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Delayed structure sweep can leak structures without bound
+        https://bugs.webkit.org/show_bug.cgi?id=96546
+
+        Reviewed by Gavin Barraclough.
+
+        This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
+        allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
+        those objects with destructors and with immortal structures, and those objects with destructors that don't have 
+        immortal structures. All of the objects of the third type (destructors without immortal structures) now 
+        inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores 
+        the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.
+
+        No new tests.
+
+        * ForwardingHeaders/runtime/JSDestructableObject.h: Added.
+        * bindings/js/JSDOMWrapper.h: Inherits from JSDestructibleObject.
+        (JSDOMWrapper):
+        (WebCore::JSDOMWrapper::JSDOMWrapper):
+        * bindings/scripts/CodeGeneratorJS.pm: Add finalizers to anything that inherits from JSGlobalObject,
+        e.g. JSDOMWindow and JSWorkerContexts. For those classes we also need to use the NEEDS_DESTRUCTOR macro.
+        (GenerateHeader):
+        * bridge/objc/objc_runtime.h: Inherit from JSDestructibleObject.
+        (ObjcFallbackObjectImp):
+        * bridge/objc/objc_runtime.mm:
+        (Bindings):
+        (JSC::Bindings::ObjcFallbackObjectImp::ObjcFallbackObjectImp):
+        * bridge/runtime_array.cpp: Use a finalizer so that JSArray isn't forced to inherit from JSDestructibleObject.
+        (JSC):
+        (JSC::RuntimeArray::destroy):
+        * bridge/runtime_array.h:
+        (JSC::RuntimeArray::create):
+        (JSC):
+        * bridge/runtime_object.cpp: Inherit from JSDestructibleObject.
+        (Bindings):
+        (JSC::Bindings::RuntimeObject::RuntimeObject):
+        * bridge/runtime_object.h:
+        (RuntimeObject):
+
+=======
 2012-09-17  Sheriff Bot  <webkit.review.bot@gmail.com>
 
@@ -362 +444 @@
         (.css-named-flow-collections-view .split-view-contents .named-flow-element):
 
+>>>>>>> .r128811
 2012-09-17  Zan Dobersek  <zandobersek@gmail.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWrapper.h

@@ -24 +24 @@
 
 #include "JSDOMGlobalObject.h"
-#include <runtime/JSObject.h>
+#include <runtime/JSDestructibleObject.h>
 
 namespace WebCore {
@@ -30 +30 @@
 class ScriptExecutionContext;
 
-class JSDOMWrapper : public JSC::JSNonFinalObject {
+class JSDOMWrapper : public JSC::JSDestructibleObject {
 public:
+    typedef JSC::JSDestructibleObject Base;
+
     JSDOMGlobalObject* globalObject() const { return JSC::jsCast<JSDOMGlobalObject*>(JSC::JSNonFinalObject::globalObject()); }
     ScriptExecutionContext* scriptExecutionContext() const { return globalObject()->scriptExecutionContext(); }
@@ -37 +39 @@
 protected:
     JSDOMWrapper(JSC::Structure* structure, JSC::JSGlobalObject* globalObject) 
-        : JSNonFinalObject(globalObject->globalData(), structure)
+        : JSDestructibleObject(globalObject->globalData(), structure)
     {
         ASSERT(scriptExecutionContext());

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -743 +743 @@
         push(@headerContent, "        $className* ptr = new (NotNull, JSC::allocateCell<$className>(globalData.heap)) ${className}(globalData, structure, impl, windowShell);\n");
         push(@headerContent, "        ptr->finishCreation(globalData, windowShell);\n");
+        push(@headerContent, "        globalData.heap.addFinalizer(ptr, destroy);\n");
         push(@headerContent, "        return ptr;\n");
         push(@headerContent, "    }\n\n");
@@ -750 +751 @@
         push(@headerContent, "        $className* ptr = new (NotNull, JSC::allocateCell<$className>(globalData.heap)) ${className}(globalData, structure, impl);\n");
         push(@headerContent, "        ptr->finishCreation(globalData);\n");
+        push(@headerContent, "        globalData.heap.addFinalizer(ptr, destroy);\n");
         push(@headerContent, "        return ptr;\n");
         push(@headerContent, "    }\n\n");
@@ -1008 +1010 @@
 
     push(@headerContent, "};\n\n");
+
+    if ($interfaceName eq "DOMWindow" || $dataNode->extendedAttributes->{"IsWorkerContext"}) {
+        push(@headerContent, "} // namespace WebCore\n\n");
+        push(@headerContent, "namespace JSC {\n");
+        push(@headerContent, "NEEDS_DESTRUCTOR(WebCore::${className}, false);\n\n");
+        push(@headerContent, "} // namespace JSC\n\n");
+        push(@headerContent, "namespace WebCore {\n\n");
+    }
 
     if ($dataNode->extendedAttributes->{"JSInlineGetOwnPropertySlot"} && !$dataNode->extendedAttributes->{"CustomGetOwnPropertySlot"}) {

trunk/Source/WebCore/bridge/objc/objc_runtime.h

@@ -91 +91 @@
 };
 
-class ObjcFallbackObjectImp : public JSNonFinalObject {
+class ObjcFallbackObjectImp : public JSDestructibleObject {
 public:
-    typedef JSNonFinalObject Base;
+    typedef JSDestructibleObject Base;
 
     static ObjcFallbackObjectImp* create(ExecState* exec, JSGlobalObject* globalObject, ObjcInstance* instance, const String& propertyName)

trunk/Source/WebCore/bridge/objc/objc_runtime.mm

@@ -189 +189 @@
 }
 
-const ClassInfo ObjcFallbackObjectImp::s_info = { "ObjcFallbackObject", &JSNonFinalObject::s_info, 0, 0, CREATE_METHOD_TABLE(ObjcFallbackObjectImp) };
+const ClassInfo ObjcFallbackObjectImp::s_info = { "ObjcFallbackObject", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(ObjcFallbackObjectImp) };
 
 ObjcFallbackObjectImp::ObjcFallbackObjectImp(JSGlobalObject* globalObject, Structure* structure, ObjcInstance* i, const String& propertyName)
-    : JSNonFinalObject(globalObject->globalData(), structure)
+    : JSDestructibleObject(globalObject->globalData(), structure)
     , _instance(i)
     , m_item(propertyName)

trunk/Source/WebCore/bridge/runtime_array.cpp

@@ -36 +36 @@
 namespace JSC {
 
-const ClassInfo RuntimeArray::s_info = { "RuntimeArray", &JSArray::s_info, 0, 0, CREATE_METHOD_TABLE(RuntimeArray) };
+const ClassInfo RuntimeArray::s_info = { "RuntimeArray", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(RuntimeArray) };
 
 RuntimeArray::RuntimeArray(ExecState* exec, Structure* structure)
@@ -58 +58 @@
 void RuntimeArray::destroy(JSCell* cell)
 {
-    static_cast<RuntimeArray*>(cell)->RuntimeArray::~RuntimeArray();
+    jsCast<RuntimeArray*>(cell)->RuntimeArray::~RuntimeArray();
 }
 

trunk/Source/WebCore/bridge/runtime_array.h

@@ -44 +44 @@
         RuntimeArray* runtimeArray = new (NotNull, allocateCell<RuntimeArray>(*exec->heap())) RuntimeArray(exec, domStructure);
         runtimeArray->finishCreation(exec->globalData(), array);
+        exec->globalData().heap.addFinalizer(runtimeArray, destroy);
         return runtimeArray;
     }
@@ -89 +90 @@
     BindingsArray* m_array;
 };
+
+NEEDS_DESTRUCTOR(RuntimeArray, false);
     
 } // namespace JSC

trunk/Source/WebCore/bridge/runtime_object.cpp

@@ -36 +36 @@
 namespace Bindings {
 
-const ClassInfo RuntimeObject::s_info = { "RuntimeObject", &JSNonFinalObject::s_info, 0, 0, CREATE_METHOD_TABLE(RuntimeObject) };
+const ClassInfo RuntimeObject::s_info = { "RuntimeObject", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(RuntimeObject) };
 
 RuntimeObject::RuntimeObject(ExecState*, JSGlobalObject* globalObject, Structure* structure, PassRefPtr<Instance> instance)
-    : JSNonFinalObject(globalObject->globalData(), structure)
+    : JSDestructibleObject(globalObject->globalData(), structure)
     , m_instance(instance)
 {

trunk/Source/WebCore/bridge/runtime_object.h

@@ -33 +33 @@
 namespace Bindings {
 
-class RuntimeObject : public JSNonFinalObject {
+class RuntimeObject : public JSDestructibleObject {
 public:
-    typedef JSNonFinalObject Base;
+    typedef JSDestructibleObject Base;
 
     static RuntimeObject* create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure, PassRefPtr<Instance> instance)