Changeset 144910 in webkit

Timestamp:

Mar 6, 2013 4:52:16 AM (11 years ago)

Author:

akling@apple.com

Message:

Unused Structure property tables waste 14MB on Membuster.
<​http://webkit.org/b/110854>
<rdar://problem/13292104>

Reviewed by Geoffrey Garen.

Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
14 MB progression on Membuster3.

This time it should stick; I've been through all the tests with COLLECT_ON_EVERY_ALLOCATION.
The issue with the last version was that Structure::m_offset could be used uninitialized
when re-materializing a previously GC'd property table, causing some sanity checks to fail.

• CMakeLists.txt:
• GNUmakefile.list.am:
• JavaScriptCore.gypi:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• Target.pri:

Added PropertyTable.cpp.

• runtime/PropertyTable.cpp: Added.

(JSC::PropertyTable::create):
(JSC::PropertyTable::clone):
(JSC::PropertyTable::PropertyTable):
(JSC::PropertyTable::destroy):
(JSC::PropertyTable::~PropertyTable):
(JSC::PropertyTable::visitChildren):

Moved marking of property table values here from Structure::visitChildren().

• runtime/WriteBarrier.h:

(JSC::WriteBarrierBase::get):

Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
zaps the property table.

• runtime/Structure.h:

(JSC::Structure::materializePropertyMapIfNecessary):
(JSC::Structure::materializePropertyMapIfNecessaryForPinning):

• runtime/StructureInlines.h:

(JSC::Structure::propertyTable):

Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.

(JSC::Structure::putWillGrowOutOfLineStorage):
(JSC::Structure::checkOffsetConsistency):

Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.

• runtime/Structure.cpp:

(JSC::Structure::visitChildren):

Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.

(JSC::Structure::takePropertyTableOrCloneIfPinned):

Added for setting up the property table in a new transition, this code is now shared between
addPropertyTransition() and nonPropertyTransition().

• runtime/JSGlobalData.h:
• runtime/JSGlobalData.cpp:

(JSC::JSGlobalData::JSGlobalData):

Add a global propertyTableStructure.

• runtime/PropertyMapHashTable.h:

(PropertyTable):
(JSC::PropertyTable::createStructure):
(JSC::PropertyTable::copy):

Make PropertyTable a GC object.

• runtime/Structure.cpp:

(JSC::Structure::dumpStatistics):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::despecifyDictionaryFunction):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::sealTransition):
(JSC::Structure::freezeTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::isSealed):
(JSC::Structure::isFrozen):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::pin):
(JSC::Structure::copyPropertyTable):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::get):
(JSC::Structure::despecifyFunction):
(JSC::Structure::despecifyAllFunctions):
(JSC::Structure::putSpecificValue):
(JSC::Structure::remove):
(JSC::Structure::createPropertyMap):
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::checkConsistency):

Location:

trunk/Source/JavaScriptCore

Files:

• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (1 diff)
• GNUmakefile.list.am (modified) (1 diff)
• JavaScriptCore.gypi (modified) (1 diff)
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Target.pri (modified) (1 diff)
• runtime/JSGlobalData.cpp (modified) (1 diff)
• runtime/JSGlobalData.h (modified) (1 diff)
• runtime/PropertyMapHashTable.h (modified) (9 diffs)
• runtime/PropertyTable.cpp (added)
• runtime/Structure.cpp (modified) (34 diffs)
• runtime/Structure.h (modified) (10 diffs)
• runtime/StructureInlines.h (modified) (4 diffs)
• runtime/WriteBarrier.h (modified) (1 diff)

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -282 +282 @@
     runtime/PropertyNameArray.cpp
     runtime/PropertySlot.cpp
+    runtime/PropertyTable.cpp
     runtime/PrototypeMap.cpp
     runtime/RegExp.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-03-06  Andreas Kling  <akling@apple.com>
+
+        Unused Structure property tables waste 14MB on Membuster.
+        <http://webkit.org/b/110854>
+        <rdar://problem/13292104>
+
+        Reviewed by Geoffrey Garen.
+
+        Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
+        14 MB progression on Membuster3.
+
+        This time it should stick; I've been through all the tests with COLLECT_ON_EVERY_ALLOCATION.
+        The issue with the last version was that Structure::m_offset could be used uninitialized
+        when re-materializing a previously GC'd property table, causing some sanity checks to fail.
+
+        * CMakeLists.txt:
+        * GNUmakefile.list.am:
+        * JavaScriptCore.gypi:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Target.pri:
+
+            Added PropertyTable.cpp.
+
+        * runtime/PropertyTable.cpp: Added.
+        (JSC::PropertyTable::create):
+        (JSC::PropertyTable::clone):
+        (JSC::PropertyTable::PropertyTable):
+        (JSC::PropertyTable::destroy):
+        (JSC::PropertyTable::~PropertyTable):
+        (JSC::PropertyTable::visitChildren):
+
+            Moved marking of property table values here from Structure::visitChildren().
+
+        * runtime/WriteBarrier.h:
+        (JSC::WriteBarrierBase::get):
+
+            Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
+            Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
+            zaps the property table.
+
+        * runtime/Structure.h:
+        (JSC::Structure::materializePropertyMapIfNecessary):
+        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
+        * runtime/StructureInlines.h:
+        (JSC::Structure::propertyTable):
+
+            Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
+            Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
+            Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.
+
+        (JSC::Structure::putWillGrowOutOfLineStorage):
+        (JSC::Structure::checkOffsetConsistency):
+
+            Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::visitChildren):
+
+            Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.
+
+        (JSC::Structure::takePropertyTableOrCloneIfPinned):
+
+            Added for setting up the property table in a new transition, this code is now shared between
+            addPropertyTransition() and nonPropertyTransition().
+
+        * runtime/JSGlobalData.h:
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::JSGlobalData):
+
+            Add a global propertyTableStructure.
+
+        * runtime/PropertyMapHashTable.h:
+        (PropertyTable):
+        (JSC::PropertyTable::createStructure):
+        (JSC::PropertyTable::copy):
+
+            Make PropertyTable a GC object.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::dumpStatistics):
+        (JSC::Structure::materializePropertyMap):
+        (JSC::Structure::despecifyDictionaryFunction):
+        (JSC::Structure::addPropertyTransition):
+        (JSC::Structure::changePrototypeTransition):
+        (JSC::Structure::despecifyFunctionTransition):
+        (JSC::Structure::attributeChangeTransition):
+        (JSC::Structure::toDictionaryTransition):
+        (JSC::Structure::sealTransition):
+        (JSC::Structure::freezeTransition):
+        (JSC::Structure::preventExtensionsTransition):
+        (JSC::Structure::nonPropertyTransition):
+        (JSC::Structure::isSealed):
+        (JSC::Structure::isFrozen):
+        (JSC::Structure::flattenDictionaryStructure):
+        (JSC::Structure::pin):
+        (JSC::Structure::copyPropertyTable):
+        (JSC::Structure::copyPropertyTableForPinning):
+        (JSC::Structure::get):
+        (JSC::Structure::despecifyFunction):
+        (JSC::Structure::despecifyAllFunctions):
+        (JSC::Structure::putSpecificValue):
+        (JSC::Structure::remove):
+        (JSC::Structure::createPropertyMap):
+        (JSC::Structure::getPropertyNamesFromStructure):
+        (JSC::Structure::checkConsistency):
+
 2013-03-05  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/GNUmakefile.list.am

@@ -725 +725 @@
         Source/JavaScriptCore/runtime/PropertySlot.cpp \
         Source/JavaScriptCore/runtime/PropertySlot.h \
+        Source/JavaScriptCore/runtime/PropertyTable.cpp \
         Source/JavaScriptCore/runtime/PrototypeMap.cpp \
         Source/JavaScriptCore/runtime/PrototypeMap.h \

trunk/Source/JavaScriptCore/JavaScriptCore.gypi

@@ -759 +759 @@
             'runtime/PropertySlot.cpp',
             'runtime/PropertySlot.h',
+            'runtime/PropertyTable.cpp',
             'runtime/PropertyStorage.h',
             'runtime/Protect.h',

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj

@@ -306 +306 @@
     <ClCompile Include="..\runtime\PropertyNameArray.cpp" />
     <ClCompile Include="..\runtime\PropertySlot.cpp" />
+    <ClCompile Include="..\runtime\PropertyTable.cpp" />
     <ClCompile Include="..\runtime\PrototypeMap.cpp" />
     <ClCompile Include="..\runtime\RegExp.cpp" />

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -706 +706 @@
                 A7FB61001040C38B0017A286 /* PropertyDescriptor.h in Headers */ = {isa = PBXBuildFile; fileRef = A7FB604B103F5EAB0017A286 /* PropertyDescriptor.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A8A4748E151A8306004123FF /* libWTF.a in Frameworks */ = {isa = PBXBuildFile; fileRef = A8A4748D151A8306004123FF /* libWTF.a */; };
+                ADE39FFF16DD144B0003CD4A /* PropertyTable.cpp in Sources */ = {isa = PBXBuildFile; fileRef = AD1CF06816DCAB2D00B97123 /* PropertyTable.cpp */; };
                 BC02E90D0E1839DB000F9297 /* ErrorConstructor.h in Headers */ = {isa = PBXBuildFile; fileRef = BC02E9050E1839DB000F9297 /* ErrorConstructor.h */; };
                 BC02E90F0E1839DB000F9297 /* ErrorPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = BC02E9070E1839DB000F9297 /* ErrorPrototype.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -1623 +1624 @@
                 A8E894310CD0602400367179 /* JSCallbackObjectFunctions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCallbackObjectFunctions.h; sourceTree = "<group>"; };
                 A8E894330CD0603F00367179 /* JSGlobalObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSGlobalObject.h; sourceTree = "<group>"; };
+                AD1CF06816DCAB2D00B97123 /* PropertyTable.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PropertyTable.cpp; sourceTree = "<group>"; };
                 BC021BF2136900C300FC5467 /* ToolExecutable.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = ToolExecutable.xcconfig; sourceTree = "<group>"; };
                 BC02E9040E1839DB000F9297 /* ErrorConstructor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ErrorConstructor.cpp; sourceTree = "<group>"; };
@@ -2511 +2513 @@
                                 65621E6C089E859700760F35 /* PropertySlot.h */,
                                 0FB7F39015ED8E3800F167B2 /* PropertyStorage.h */,
+                                AD1CF06816DCAB2D00B97123 /* PropertyTable.cpp */,
                                 65C02FBB0637462A003E7EE6 /* Protect.h */,
                                 14D844A216AA2C7000A65AF0 /* PrototypeMap.cpp */,
@@ -4032 +4035 @@
                                 0FBE0F7616C1DB0F0082C5E8 /* DFGUnificationPhase.cpp in Sources */,
                                 0F493AFA16D0CAD30084508B /* SourceProvider.cpp in Sources */,
+                                ADE39FFF16DD144B0003CD4A /* PropertyTable.cpp in Sources */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;

trunk/Source/JavaScriptCore/Target.pri

@@ -300 +300 @@
     runtime/PropertyNameArray.cpp \
     runtime/PropertySlot.cpp \
+    runtime/PropertyTable.cpp \
     runtime/PrototypeMap.cpp \
     runtime/RegExpConstructor.cpp \

trunk/Source/JavaScriptCore/runtime/JSGlobalData.cpp

@@ -233 +233 @@
     unlinkedEvalCodeBlockStructure.set(*this, UnlinkedEvalCodeBlock::createStructure(*this, 0, jsNull()));
     unlinkedFunctionCodeBlockStructure.set(*this, UnlinkedFunctionCodeBlock::createStructure(*this, 0, jsNull()));
+    propertyTableStructure.set(*this, PropertyTable::createStructure(*this, 0, jsNull()));
     smallStrings.initializeCommonStrings(*this);
 

trunk/Source/JavaScriptCore/runtime/JSGlobalData.h

@@ -257 +257 @@
         Strong<Structure> unlinkedEvalCodeBlockStructure;
         Strong<Structure> unlinkedFunctionCodeBlockStructure;
+        Strong<Structure> propertyTableStructure;
 
         IdentifierTable* identifierTable;

trunk/Source/JavaScriptCore/runtime/PropertyMapHashTable.h

@@ -23 +23 @@
 
 #include "PropertyOffset.h"
+#include "Structure.h"
 #include "WriteBarrier.h"
 #include <wtf/HashTable.h>
@@ -86 +87 @@
 };
 
-class PropertyTable {
-    WTF_MAKE_FAST_ALLOCATED;
+class PropertyTable : public JSCell {
 
     // This is the implementation for 'iterator' and 'const_iterator',
@@ -130 +130 @@
 
 public:
+    static const bool needsDestruction = true;
+    static const bool hasImmortalStructure = true;
+    static void destroy(JSCell*);
+
+    static JS_EXPORTDATA const ClassInfo s_info;
+
+    static Structure* createStructure(JSGlobalData& globalData, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(globalData, globalObject, prototype, TypeInfo(CompoundType, OverridesVisitChildren), &s_info);
+    }
+
+    static void visitChildren(JSCell*, SlotVisitor&);
+
     typedef StringImpl* KeyType;
     typedef PropertyMapEntry ValueType;
@@ -143 +156 @@
 
     // Constructor is passed an initial capacity, a PropertyTable to copy, or both.
-    explicit PropertyTable(unsigned initialCapacity);
-    PropertyTable(JSGlobalData&, JSCell*, const PropertyTable&);
-    PropertyTable(JSGlobalData&, JSCell*, unsigned initialCapacity, const PropertyTable&);
+    static PropertyTable* create(JSGlobalData&, unsigned initialCapacity);
+    static PropertyTable* clone(JSGlobalData&, JSCell* owner, const PropertyTable&);
+    static PropertyTable* clone(JSGlobalData&, JSCell* owner, unsigned initialCapacity, const PropertyTable&);
     ~PropertyTable();
 
@@ -182 +195 @@
 
     // Copy this PropertyTable, ensuring the copy has at least the capacity provided.
-    PassOwnPtr<PropertyTable> copy(JSGlobalData&, JSCell* owner, unsigned newCapacity);
+    PropertyTable* copy(JSGlobalData&, JSCell* owner, unsigned newCapacity);
 
 #ifndef NDEBUG
@@ -190 +203 @@
 
 private:
+    PropertyTable(JSGlobalData&, unsigned initialCapacity);
+    PropertyTable(JSGlobalData&, JSCell*, const PropertyTable&);
+    PropertyTable(JSGlobalData&, JSCell*, unsigned initialCapacity, const PropertyTable&);
+
     PropertyTable(const PropertyTable&);
     // Used to insert a value known not to be in the table, and where we know capacity to be available.
@@ -240 +257 @@
 };
 
-inline PropertyTable::PropertyTable(unsigned initialCapacity)
-    : m_indexSize(sizeForCapacity(initialCapacity))
-    , m_indexMask(m_indexSize - 1)
-    , m_index(static_cast<unsigned*>(fastZeroedMalloc(dataSize())))
-    , m_keyCount(0)
-    , m_deletedCount(0)
-{
-    ASSERT(isPowerOf2(m_indexSize));
-}
-
-inline PropertyTable::PropertyTable(JSGlobalData&, JSCell* owner, const PropertyTable& other)
-    : m_indexSize(other.m_indexSize)
-    , m_indexMask(other.m_indexMask)
-    , m_index(static_cast<unsigned*>(fastMalloc(dataSize())))
-    , m_keyCount(other.m_keyCount)
-    , m_deletedCount(other.m_deletedCount)
-{
-    ASSERT(isPowerOf2(m_indexSize));
-
-    memcpy(m_index, other.m_index, dataSize());
-
-    iterator end = this->end();
-    for (iterator iter = begin(); iter != end; ++iter) {
-        iter->key->ref();
-        Heap::writeBarrier(owner, iter->specificValue.get());
-    }
-
-    // Copy the m_deletedOffsets vector.
-    Vector<PropertyOffset>* otherDeletedOffsets = other.m_deletedOffsets.get();
-    if (otherDeletedOffsets)
-        m_deletedOffsets = adoptPtr(new Vector<PropertyOffset>(*otherDeletedOffsets));
-}
-
-inline PropertyTable::PropertyTable(JSGlobalData&, JSCell* owner, unsigned initialCapacity, const PropertyTable& other)
-    : m_indexSize(sizeForCapacity(initialCapacity))
-    , m_indexMask(m_indexSize - 1)
-    , m_index(static_cast<unsigned*>(fastZeroedMalloc(dataSize())))
-    , m_keyCount(0)
-    , m_deletedCount(0)
-{
-    ASSERT(isPowerOf2(m_indexSize));
-    ASSERT(initialCapacity >= other.m_keyCount);
-
-    const_iterator end = other.end();
-    for (const_iterator iter = other.begin(); iter != end; ++iter) {
-        ASSERT(canInsert());
-        reinsert(*iter);
-        iter->key->ref();
-        Heap::writeBarrier(owner, iter->specificValue.get());
-    }
-
-    // Copy the m_deletedOffsets vector.
-    Vector<PropertyOffset>* otherDeletedOffsets = other.m_deletedOffsets.get();
-    if (otherDeletedOffsets)
-        m_deletedOffsets = adoptPtr(new Vector<PropertyOffset>(*otherDeletedOffsets));
-}
-
-inline PropertyTable::~PropertyTable()
-{
-    iterator end = this->end();
-    for (iterator iter = begin(); iter != end; ++iter)
-        iter->key->deref();
-
-    fastFree(m_index);
-}
-
 inline PropertyTable::iterator PropertyTable::begin()
 {
@@ -503 +454 @@
 }
 
-inline PassOwnPtr<PropertyTable> PropertyTable::copy(JSGlobalData& globalData, JSCell* owner, unsigned newCapacity)
+inline PropertyTable* PropertyTable::copy(JSGlobalData& globalData, JSCell* owner, unsigned newCapacity)
 {
     ASSERT(newCapacity >= m_keyCount);
@@ -510 +461 @@
     // save rehashing all keys.
     if (sizeForCapacity(newCapacity) == m_indexSize)
-        return adoptPtr(new PropertyTable(globalData, owner, *this));
-    return adoptPtr(new PropertyTable(globalData, owner, newCapacity, *this));
+        return PropertyTable::clone(globalData, owner, *this);
+    return PropertyTable::clone(globalData, owner, newCapacity, *this);
 }
 

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -132 +132 @@
         }
 
-        if (structure->m_propertyTable) {
+        if (structure->propertyTable()) {
             ++numberWithPropertyMaps;
-            totalPropertyMapsSize += structure->m_propertyTable->sizeInMemory();
+            totalPropertyMapsSize += structure->propertyTable()->sizeInMemory();
         }
     }
@@ -235 +235 @@
 {
     ASSERT(structure()->classInfo() == &s_info);
-    ASSERT(!m_propertyTable);
+    ASSERT(!propertyTable());
 
     Vector<Structure*, 8> structures;
@@ -245 +245 @@
     while ((structure = structure->previousID())) {
         if (structure->m_isPinnedPropertyTable) {
-            ASSERT(structure->m_propertyTable);
+            ASSERT(structure->propertyTable());
             ASSERT(!structure->previousID());
 
-            m_propertyTable = structure->m_propertyTable->copy(globalData, 0, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity));
+            propertyTable().set(globalData, this, structure->propertyTable()->copy(globalData, 0, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity)));
             break;
         }
@@ -255 +255 @@
     }
 
-    if (!m_propertyTable)
-        createPropertyMap(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity));
+    if (!propertyTable())
+        createPropertyMap(globalData, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity));
 
     for (ptrdiff_t i = structures.size() - 1; i >= 0; --i) {
@@ -263 +263 @@
             continue;
         PropertyMapEntry entry(globalData, this, structure->m_nameInPrevious.get(), structure->m_offset, structure->m_attributesInPrevious, structure->m_specificValueInPrevious.get());
-        m_propertyTable->add(entry, m_offset, PropertyTable::PropertyOffsetMustNotChange);
+        propertyTable()->add(entry, m_offset, PropertyTable::PropertyOffsetMustNotChange);
     }
     
@@ -288 +288 @@
 
     ASSERT(isDictionary());
-    ASSERT(m_propertyTable);
-
-    PropertyMapEntry* entry = m_propertyTable->find(rep).first;
+    ASSERT(propertyTable());
+
+    PropertyMapEntry* entry = propertyTable()->find(rep).first;
     ASSERT(entry);
     entry->specificValue.clear();
@@ -373 +373 @@
     transition->m_attributesInPrevious = attributes;
     transition->m_specificValueInPrevious.setMayBeNull(globalData, transition, specificValue);
-
-    if (structure->m_propertyTable) {
-        structure->checkOffsetConsistency();
-        if (structure->m_isPinnedPropertyTable)
-            transition->m_propertyTable = structure->m_propertyTable->copy(globalData, transition, structure->m_propertyTable->size() + 1);
-        else
-            transition->m_propertyTable = structure->m_propertyTable.release();
-    } else {
-        if (structure->previousID())
-            transition->materializePropertyMap(globalData);
-        else
-            transition->createPropertyMap();
-    }
+    transition->propertyTable().set(globalData, transition, structure->takePropertyTableOrCloneIfPinned(globalData, transition));
     transition->m_offset = structure->m_offset;
 
@@ -416 +404 @@
 
     structure->materializePropertyMapIfNecessary(globalData);
-    transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
+    transition->propertyTable().set(globalData, transition, structure->copyPropertyTableForPinning(globalData, transition));
     transition->m_offset = structure->m_offset;
     transition->pin();
@@ -432 +420 @@
 
     structure->materializePropertyMapIfNecessary(globalData);
-    transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
+    transition->propertyTable().set(globalData, transition, structure->copyPropertyTableForPinning(globalData, transition));
     transition->m_offset = structure->m_offset;
     transition->pin();
@@ -453 +441 @@
 
         structure->materializePropertyMapIfNecessary(globalData);
-        transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
+        transition->propertyTable().set(globalData, transition, structure->copyPropertyTableForPinning(globalData, transition));
         transition->m_offset = structure->m_offset;
         transition->pin();
@@ -460 +448 @@
     }
 
-    ASSERT(structure->m_propertyTable);
-    PropertyMapEntry* entry = structure->m_propertyTable->find(propertyName.uid()).first;
+    ASSERT(structure->propertyTable());
+    PropertyMapEntry* entry = structure->propertyTable()->find(propertyName.uid()).first;
     ASSERT(entry);
     entry->attributes = attributes;
@@ -476 +464 @@
 
     structure->materializePropertyMapIfNecessary(globalData);
-    transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
+    transition->propertyTable().set(globalData, transition, structure->copyPropertyTableForPinning(globalData, transition));
     transition->m_offset = structure->m_offset;
     transition->m_dictionaryKind = kind;
@@ -500 +488 @@
     Structure* transition = preventExtensionsTransition(globalData, structure);
 
-    if (transition->m_propertyTable) {
-        PropertyTable::iterator end = transition->m_propertyTable->end();
-        for (PropertyTable::iterator iter = transition->m_propertyTable->begin(); iter != end; ++iter)
+    if (transition->propertyTable()) {
+        PropertyTable::iterator end = transition->propertyTable()->end();
+        for (PropertyTable::iterator iter = transition->propertyTable()->begin(); iter != end; ++iter)
             iter->attributes |= DontDelete;
     }
@@ -515 +503 @@
     Structure* transition = preventExtensionsTransition(globalData, structure);
 
-    if (transition->m_propertyTable) {
-        PropertyTable::iterator iter = transition->m_propertyTable->begin();
-        PropertyTable::iterator end = transition->m_propertyTable->end();
+    if (transition->propertyTable()) {
+        PropertyTable::iterator iter = transition->propertyTable()->begin();
+        PropertyTable::iterator end = transition->propertyTable()->end();
         if (iter != end)
             transition->m_hasReadOnlyOrGetterSetterPropertiesExcludingProto = true;
@@ -536 +524 @@
 
     structure->materializePropertyMapIfNecessary(globalData);
-    transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
+    transition->propertyTable().set(globalData, transition, structure->copyPropertyTableForPinning(globalData, transition));
     transition->m_offset = structure->m_offset;
     transition->m_preventExtensions = true;
@@ -543 +531 @@
     transition->checkOffsetConsistency();
     return transition;
+}
+
+PropertyTable* Structure::takePropertyTableOrCloneIfPinned(JSGlobalData& globalData, Structure* owner)
+{
+    materializePropertyMapIfNecessaryForPinning(globalData);
+    if (m_isPinnedPropertyTable)
+        return propertyTable()->copy(globalData, owner, propertyTable()->size() + 1);
+    PropertyTable* takenPropertyTable = propertyTable().get();
+    propertyTable().clear();
+    return takenPropertyTable;
 }
 
@@ -570 +568 @@
     transition->m_attributesInPrevious = attributes;
     transition->m_indexingType = indexingType;
+    transition->propertyTable().set(globalData, transition, structure->takePropertyTableOrCloneIfPinned(globalData, transition));
     transition->m_offset = structure->m_offset;
     checkOffset(transition->m_offset, transition->inlineCapacity());
-    
-    if (structure->m_propertyTable) {
-        structure->checkOffsetConsistency();
-        if (structure->m_isPinnedPropertyTable)
-            transition->m_propertyTable = structure->m_propertyTable->copy(globalData, transition, structure->m_propertyTable->size() + 1);
-        else
-            transition->m_propertyTable = structure->m_propertyTable.release();
-    } else {
-        if (structure->previousID())
-            transition->materializePropertyMap(globalData);
-        else
-            transition->createPropertyMap();
-    }
     
     structure->m_transitionTable.add(globalData, transition);
@@ -598 +584 @@
 
     materializePropertyMapIfNecessary(globalData);
-    if (!m_propertyTable)
+    if (!propertyTable())
         return true;
 
-    PropertyTable::iterator end = m_propertyTable->end();
-    for (PropertyTable::iterator iter = m_propertyTable->begin(); iter != end; ++iter) {
+    PropertyTable::iterator end = propertyTable()->end();
+    for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
         if ((iter->attributes & DontDelete) != DontDelete)
             return false;
@@ -616 +602 @@
 
     materializePropertyMapIfNecessary(globalData);
-    if (!m_propertyTable)
+    if (!propertyTable())
         return true;
 
-    PropertyTable::iterator end = m_propertyTable->end();
-    for (PropertyTable::iterator iter = m_propertyTable->begin(); iter != end; ++iter) {
+    PropertyTable::iterator end = propertyTable()->end();
+    for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
         if (!(iter->attributes & DontDelete))
             return false;
@@ -634 +620 @@
     ASSERT(isDictionary());
     if (isUncacheableDictionary()) {
-        ASSERT(m_propertyTable);
-
-        size_t propertyCount = m_propertyTable->size();
+        ASSERT(propertyTable());
+
+        size_t propertyCount = propertyTable()->size();
 
         // Holds our values compacted by insertion order.
@@ -643 +629 @@
         // Copies out our values from their hashed locations, compacting property table offsets as we go.
         unsigned i = 0;
-        PropertyTable::iterator end = m_propertyTable->end();
+        PropertyTable::iterator end = propertyTable()->end();
         m_offset = invalidOffset;
-        for (PropertyTable::iterator iter = m_propertyTable->begin(); iter != end; ++iter, ++i) {
+        for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter, ++i) {
             values[i] = object->getDirect(iter->offset);
             m_offset = iter->offset = offsetForPropertyNumber(i, m_inlineCapacity);
@@ -654 +640 @@
             object->putDirect(globalData, offsetForPropertyNumber(i, m_inlineCapacity), values[i]);
 
-        m_propertyTable->clearDeletedOffsets();
+        propertyTable()->clearDeletedOffsets();
         checkOffsetConsistency();
     }
@@ -689 +675 @@
 void Structure::pin()
 {
-    ASSERT(m_propertyTable);
+    ASSERT(propertyTable());
     m_isPinnedPropertyTable = true;
     clearPreviousID();
@@ -738 +724 @@
 #endif
 
-PassOwnPtr<PropertyTable> Structure::copyPropertyTable(JSGlobalData& globalData, Structure* owner)
-{
-    return adoptPtr(m_propertyTable ? new PropertyTable(globalData, owner, *m_propertyTable) : 0);
-}
-
-PassOwnPtr<PropertyTable> Structure::copyPropertyTableForPinning(JSGlobalData& globalData, Structure* owner)
-{
-    return adoptPtr(m_propertyTable ? new PropertyTable(globalData, owner, *m_propertyTable) : new PropertyTable(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity)));
+PropertyTable* Structure::copyPropertyTable(JSGlobalData& globalData, Structure* owner)
+{
+    if (!propertyTable())
+        return 0;
+    return PropertyTable::clone(globalData, owner, *propertyTable().get());
+}
+
+PropertyTable* Structure::copyPropertyTableForPinning(JSGlobalData& globalData, Structure* owner)
+{
+    if (propertyTable())
+        return PropertyTable::clone(globalData, owner, *propertyTable().get());
+    return PropertyTable::create(globalData, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity));
 }
 
@@ -753 +743 @@
 
     materializePropertyMapIfNecessary(globalData);
-    if (!m_propertyTable)
+    if (!propertyTable())
         return invalidOffset;
 
-    PropertyMapEntry* entry = m_propertyTable->find(propertyName.uid()).first;
+    PropertyMapEntry* entry = propertyTable()->find(propertyName.uid()).first;
     if (!entry)
         return invalidOffset;
@@ -768 +758 @@
 {
     materializePropertyMapIfNecessary(globalData);
-    if (!m_propertyTable)
+    if (!propertyTable())
         return false;
 
-    PropertyMapEntry* entry = m_propertyTable->find(propertyName.uid()).first;
+    PropertyMapEntry* entry = propertyTable()->find(propertyName.uid()).first;
     if (!entry)
         return false;
@@ -783 +773 @@
 {
     materializePropertyMapIfNecessary(globalData);
-    if (!m_propertyTable)
+    if (!propertyTable())
         return;
 
-    PropertyTable::iterator end = m_propertyTable->end();
-    for (PropertyTable::iterator iter = m_propertyTable->begin(); iter != end; ++iter)
+    PropertyTable::iterator end = propertyTable()->end();
+    for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter)
         iter->specificValue.clear();
 }
@@ -801 +791 @@
     StringImpl* rep = propertyName.uid();
 
-    if (!m_propertyTable)
-        createPropertyMap();
-
-    PropertyOffset newOffset = m_propertyTable->nextOffset(m_inlineCapacity);
-
-    m_propertyTable->add(PropertyMapEntry(globalData, this, rep, newOffset, attributes, specificValue), m_offset, PropertyTable::PropertyOffsetMayChange);
+    if (!propertyTable())
+        createPropertyMap(globalData);
+
+    PropertyOffset newOffset = propertyTable()->nextOffset(m_inlineCapacity);
+
+    propertyTable()->add(PropertyMapEntry(globalData, this, rep, newOffset, attributes, specificValue), m_offset, PropertyTable::PropertyOffsetMayChange);
     
     checkConsistency();
@@ -818 +808 @@
     StringImpl* rep = propertyName.uid();
 
-    if (!m_propertyTable)
+    if (!propertyTable())
         return invalidOffset;
 
-    PropertyTable::find_iterator position = m_propertyTable->find(rep);
+    PropertyTable::find_iterator position = propertyTable()->find(rep);
     if (!position.first)
         return invalidOffset;
@@ -827 +817 @@
     PropertyOffset offset = position.first->offset;
 
-    m_propertyTable->remove(position);
-    m_propertyTable->addDeletedOffset(offset);
+    propertyTable()->remove(position);
+    propertyTable()->addDeletedOffset(offset);
 
     checkConsistency();
@@ -834 +824 @@
 }
 
-void Structure::createPropertyMap(unsigned capacity)
-{
-    ASSERT(!m_propertyTable);
+void Structure::createPropertyMap(JSGlobalData& globalData, unsigned capacity)
+{
+    ASSERT(!propertyTable());
 
     checkConsistency();
-    m_propertyTable = adoptPtr(new PropertyTable(capacity));
+    propertyTable().set(globalData, this, PropertyTable::create(globalData, capacity));
 }
 
@@ -845 +835 @@
 {
     materializePropertyMapIfNecessary(globalData);
-    if (!m_propertyTable)
+    if (!propertyTable())
         return;
 
     bool knownUnique = !propertyNames.size();
 
-    PropertyTable::iterator end = m_propertyTable->end();
-    for (PropertyTable::iterator iter = m_propertyTable->begin(); iter != end; ++iter) {
+    PropertyTable::iterator end = propertyTable()->end();
+    for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
         ASSERT(m_hasNonEnumerableProperties || !(iter->attributes & DontEnum));
         if (iter->key->isIdentifier() && (!(iter->attributes & DontEnum) || mode == IncludeDontEnumProperties)) {
@@ -883 +873 @@
     visitor.append(&thisObject->m_previousOrRareData);
     visitor.append(&thisObject->m_specificValueInPrevious);
-    if (thisObject->m_propertyTable) {
-        PropertyTable::iterator end = thisObject->m_propertyTable->end();
-        for (PropertyTable::iterator ptr = thisObject->m_propertyTable->begin(); ptr != end; ++ptr)
-            visitor.append(&ptr->specificValue);
-    }
+
+    if (thisObject->m_isPinnedPropertyTable) {
+        ASSERT(thisObject->m_propertyTableUnsafe);
+        visitor.append(&thisObject->m_propertyTableUnsafe);
+    } else if (thisObject->m_propertyTableUnsafe)
+        thisObject->m_propertyTableUnsafe.clear();
 }
 
@@ -978 +969 @@
 void Structure::checkConsistency()
 {
-    if (!m_propertyTable)
+    if (!propertyTable())
         return;
 
     if (!m_hasNonEnumerableProperties) {
-        PropertyTable::iterator end = m_propertyTable->end();
-        for (PropertyTable::iterator iter = m_propertyTable->begin(); iter != end; ++iter) {
+        PropertyTable::iterator end = propertyTable()->end();
+        for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
             ASSERT(!(iter->attributes & DontEnum));
         }
     }
 
-    m_propertyTable->checkConsistency();
+    propertyTable()->checkConsistency();
 }
 

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -32 +32 @@
 #include "JSCell.h"
 #include "JSType.h"
-#include "PropertyMapHashTable.h"
 #include "PropertyName.h"
 #include "PropertyNameArray.h"
+#include "PropertyOffset.h"
 #include "Protect.h"
 #include "StructureRareData.h"
@@ -41 +41 @@
 #include "Watchpoint.h"
 #include "Weak.h"
-#include <wtf/PassOwnPtr.h>
 #include <wtf/PassRefPtr.h>
 #include <wtf/RefCounted.h>
@@ -52 +51 @@
 class PropertyNameArray;
 class PropertyNameArrayData;
+class PropertyTable;
 class StructureChain;
 class SlotVisitor;
@@ -109 +109 @@
     bool isExtensible() const { return !m_preventExtensions; }
     bool didTransition() const { return m_didTransition; }
-    bool putWillGrowOutOfLineStorage()
-    {
-        checkOffsetConsistency();
-            
-        ASSERT(outOfLineCapacity() >= outOfLineSize());
-            
-        if (!m_propertyTable) {
-            unsigned currentSize = numberOfOutOfLineSlotsForLastOffset(m_offset);
-            ASSERT(outOfLineCapacity() >= currentSize);
-            return currentSize == outOfLineCapacity();
-        }
-            
-        ASSERT(totalStorageCapacity() >= m_propertyTable->propertyStorageSize());
-        if (m_propertyTable->hasDeletedOffset())
-            return false;
-            
-        ASSERT(totalStorageCapacity() >= m_propertyTable->size());
-        return m_propertyTable->size() == totalStorageCapacity();
-    }
+    bool putWillGrowOutOfLineStorage();
     JS_EXPORT_PRIVATE size_t suggestedNewOutOfLineStorageCapacity(); 
 
@@ -383 +365 @@
     PropertyOffset remove(PropertyName);
 
-    void createPropertyMap(unsigned keyCount = 0);
+    void createPropertyMap(JSGlobalData&, unsigned keyCount = 0);
     void checkConsistency();
 
@@ -389 +371 @@
     void despecifyAllFunctions(JSGlobalData&);
 
-    PassOwnPtr<PropertyTable> copyPropertyTable(JSGlobalData&, Structure* owner);
-    PassOwnPtr<PropertyTable> copyPropertyTableForPinning(JSGlobalData&, Structure* owner);
+    WriteBarrier<PropertyTable>& propertyTable();
+    PropertyTable* takePropertyTableOrCloneIfPinned(JSGlobalData&, Structure* owner);
+    PropertyTable* copyPropertyTable(JSGlobalData&, Structure* owner);
+    PropertyTable* copyPropertyTableForPinning(JSGlobalData&, Structure* owner);
     JS_EXPORT_PRIVATE void materializePropertyMap(JSGlobalData&);
     void materializePropertyMapIfNecessary(JSGlobalData& globalData)
@@ -396 +380 @@
         ASSERT(structure()->classInfo() == &s_info);
         ASSERT(checkOffsetConsistency());
-        if (!m_propertyTable && previousID())
+        if (!propertyTable() && previousID())
             materializePropertyMap(globalData);
     }
@@ -403 +387 @@
         ASSERT(structure()->classInfo() == &s_info);
         checkOffsetConsistency();
-        if (!m_propertyTable)
+        if (!propertyTable())
             materializePropertyMap(globalData);
     }
@@ -446 +430 @@
     }
         
-    ALWAYS_INLINE bool checkOffsetConsistency() const
-    {
-        if (!m_propertyTable) {
-            ASSERT(!m_isPinnedPropertyTable);
-            return true;
-        }
-            
-        RELEASE_ASSERT(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == m_propertyTable->propertyStorageSize());
-        unsigned totalSize = m_propertyTable->propertyStorageSize();
-        RELEASE_ASSERT((totalSize < inlineCapacity() ? 0 : totalSize - inlineCapacity()) == numberOfOutOfLineSlotsForLastOffset(m_offset));
-            
-        return true;
-    }
+    bool checkOffsetConsistency() const;
 
     void allocateRareData(JSGlobalData&);
@@ -483 +455 @@
     StructureTransitionTable m_transitionTable;
 
-    OwnPtr<PropertyTable> m_propertyTable;
+    // Should be accessed through propertyTable(). During GC, it may be set to 0 by another thread.
+    WriteBarrier<PropertyTable> m_propertyTableUnsafe;
 
     mutable InlineWatchpointSet m_transitionWatchpointSet;

trunk/Source/JavaScriptCore/runtime/StructureInlines.h

@@ -27 +27 @@
 #define StructureInlines_h
 
+#include "PropertyMapHashTable.h"
 #include "Structure.h"
 
@@ -62 +63 @@
     ASSERT(structure()->classInfo() == &s_info);
     materializePropertyMapIfNecessary(globalData);
-    if (!m_propertyTable)
+    if (!propertyTable())
         return invalidOffset;
 
-    PropertyMapEntry* entry = m_propertyTable->find(propertyName.uid()).first;
+    PropertyMapEntry* entry = propertyTable()->find(propertyName.uid()).first;
     return entry ? entry->offset : invalidOffset;
 }
@@ -73 +74 @@
     ASSERT(structure()->classInfo() == &s_info);
     materializePropertyMapIfNecessary(globalData);
-    if (!m_propertyTable)
+    if (!propertyTable())
         return invalidOffset;
 
-    PropertyMapEntry* entry = m_propertyTable->findWithString(name.impl()).first;
+    PropertyMapEntry* entry = propertyTable()->findWithString(name.impl()).first;
     return entry ? entry->offset : invalidOffset;
 }
@@ -180 +181 @@
 }
 
+inline bool Structure::putWillGrowOutOfLineStorage()
+{
+    checkOffsetConsistency();
+
+    ASSERT(outOfLineCapacity() >= outOfLineSize());
+
+    if (!propertyTable()) {
+        unsigned currentSize = numberOfOutOfLineSlotsForLastOffset(m_offset);
+        ASSERT(outOfLineCapacity() >= currentSize);
+        return currentSize == outOfLineCapacity();
+    }
+
+    ASSERT(totalStorageCapacity() >= propertyTable()->propertyStorageSize());
+    if (propertyTable()->hasDeletedOffset())
+        return false;
+
+    ASSERT(totalStorageCapacity() >= propertyTable()->size());
+    return propertyTable()->size() == totalStorageCapacity();
+}
+
+ALWAYS_INLINE WriteBarrier<PropertyTable>& Structure::propertyTable()
+{
+    ASSERT(!globalObject() || !globalObject()->globalData().heap.isBusy());
+    return m_propertyTableUnsafe;
+}
+
+ALWAYS_INLINE bool Structure::checkOffsetConsistency() const
+{
+    PropertyTable* propertyTable = m_propertyTableUnsafe.get();
+
+    if (!propertyTable) {
+        ASSERT(!m_isPinnedPropertyTable);
+        return true;
+    }
+
+    RELEASE_ASSERT(numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize());
+    unsigned totalSize = propertyTable->propertyStorageSize();
+    RELEASE_ASSERT((totalSize < inlineCapacity() ? 0 : totalSize - inlineCapacity()) == numberOfOutOfLineSlotsForLastOffset(m_offset));
+
+    return true;
+}
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/runtime/WriteBarrier.h

@@ -100 +100 @@
     T* get() const
     {
-        if (m_cell)
-            validateCell(m_cell);
-        return reinterpret_cast<T*>(static_cast<void*>(m_cell));
+        // Copy m_cell to a local to avoid multiple-read issues. (See <http://webkit.org/b/110854>)
+        JSCell* cell = m_cell;
+        if (cell)
+            validateCell(cell);
+        return reinterpret_cast<T*>(static_cast<void*>(cell));
     }