Changeset 160796 in webkit

Timestamp:

Dec 18, 2013 2:50:40 PM (10 years ago)

Author:

mhahnenberg@apple.com

Message:

DFG should have a separate StoreBarrier node
​https://bugs.webkit.org/show_bug.cgi?id=125530

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly
part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase.
They are inserted during the fixup phase. Initially they do not generate any code.

• CMakeLists.txt:
• GNUmakefile.list.am:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGAbstractHeap.h:
• dfg/DFGAbstractInterpreter.h:

(JSC::DFG::AbstractInterpreter::isKnownNotCell):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberizeForAllocation):
(JSC::DFG::clobberize):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and
ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
If we ever require that write barriers occur before stores, we'll have to split these nodes into
AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertStoreBarrier):

• dfg/DFGNode.h:

(JSC::DFG::Node::isStoreBarrier):

• dfg/DFGNodeType.h:
• dfg/DFGOSRExitCompiler32_64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGOSRExitCompiler64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGPlan.cpp:

(JSC::DFG::Plan::compileInThreadImpl):

• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileStoreBarrier):
(JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the
byte that contains the mark bit of the object.
(JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the
cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
(JSC::DFG::SpeculativeJIT::writeBarrier):
(JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed
during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles
are properly cleared during GC.

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::writeBarrier):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::writeBarrier):

• dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant

StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that
that object doesn't need any more StoreBarriers.
(JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
(JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the
objects known in the current block.
(JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically
sets the bit for that object since if a GC occurred as the result of that object's allocation then that
object would not need a barrier since it would be guaranteed to be a young generation object until the
next GC point.
(JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
(JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
(JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
(JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
(JSC::DFG::StoreBarrierElisionPhase::handleNode):
(JSC::DFG::StoreBarrierElisionPhase::handleBlock):
(JSC::DFG::StoreBarrierElisionPhase::run):
(JSC::DFG::performStoreBarrierElision):

• dfg/DFGStoreBarrierElisionPhase.h: Added.
• heap/Heap.cpp:

(JSC::Heap::Heap):
(JSC::Heap::flushWriteBarrierBuffer):

• heap/Heap.h:

(JSC::Heap::writeBarrier):

• heap/MarkedBlock.h:

(JSC::MarkedBlock::offsetOfMarks):

• heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting

a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
until its full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to
each EdenCollection.
(JSC::WriteBarrierBuffer::WriteBarrierBuffer):
(JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
(JSC::WriteBarrierBuffer::flush):
(JSC::WriteBarrierBuffer::reset):
(JSC::WriteBarrierBuffer::add):

• heap/WriteBarrierBuffer.h: Added.

(JSC::WriteBarrierBuffer::currentIndexOffset):
(JSC::WriteBarrierBuffer::capacityOffset):
(JSC::WriteBarrierBuffer::bufferOffset):

• jit/JITOperations.cpp:
• jit/JITOperations.h:
• runtime/VM.h:

Source/WTF:

• wtf/Platform.h: Added an #define for ENABLE(GGC) which will be used for landing things related to GenGC.

Location:

trunk/Source

Files:

• JavaScriptCore/CMakeLists.txt (modified) (2 diffs)
• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/GNUmakefile.list.am (modified) (2 diffs)
• JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (modified) (4 diffs)
• JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters (modified) (4 diffs)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (8 diffs)
• JavaScriptCore/dfg/DFGAbstractHeap.h (modified) (1 diff)
• JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• JavaScriptCore/dfg/DFGClobberize.h (modified) (9 diffs)
• JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (modified) (3 diffs)
• JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (11 diffs)
• JavaScriptCore/dfg/DFGNode.h (modified) (2 diffs)
• JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp (modified) (2 diffs)
• JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp (modified) (2 diffs)
• JavaScriptCore/dfg/DFGPlan.cpp (modified) (2 diffs)
• JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (7 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (5 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (15 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (15 diffs)
• JavaScriptCore/dfg/DFGStoreBarrierElisionPhase.cpp (added)
• JavaScriptCore/dfg/DFGStoreBarrierElisionPhase.h (added)
• JavaScriptCore/dfg/DFGVariableAccessData.h (modified) (1 diff)
• JavaScriptCore/heap/Heap.cpp (modified) (2 diffs)
• JavaScriptCore/heap/Heap.h (modified) (5 diffs)
• JavaScriptCore/heap/MarkedBlock.h (modified) (3 diffs)
• JavaScriptCore/heap/WriteBarrierBuffer.cpp (added)
• JavaScriptCore/heap/WriteBarrierBuffer.h (added)
• JavaScriptCore/jit/JITOperations.cpp (modified) (1 diff)
• JavaScriptCore/jit/JITOperations.h (modified) (2 diffs)
• JavaScriptCore/runtime/VM.h (modified) (2 diffs)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/Platform.h (modified) (1 diff)

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -173 +173 @@
     dfg/DFGSpeculativeJIT64.cpp
     dfg/DFGStackLayoutPhase.cpp
+    dfg/DFGStoreBarrierElisionPhase.cpp
     dfg/DFGStrengthReductionPhase.cpp
     dfg/DFGThunks.cpp
@@ -220 +221 @@
     heap/WeakHandleOwner.cpp
     heap/WeakSet.cpp
+    heap/WriteBarrierBuffer.cpp
     heap/WriteBarrierSupport.cpp
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        DFG should have a separate StoreBarrier node
+        https://bugs.webkit.org/show_bug.cgi?id=125530
+
+        Reviewed by Filip Pizlo.
+
+        This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly 
+        part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase. 
+        They are inserted during the fixup phase. Initially they do not generate any code.
+
+        * CMakeLists.txt:
+        * GNUmakefile.list.am:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGAbstractHeap.h:
+        * dfg/DFGAbstractInterpreter.h:
+        (JSC::DFG::AbstractInterpreter::isKnownNotCell):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::::executeEffects):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberizeForAllocation):
+        (JSC::DFG::clobberize):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
+        we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and 
+        ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
+        which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
+        If we ever require that write barriers occur before stores, we'll have to split these nodes into 
+        AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::insertStoreBarrier):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::isStoreBarrier):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOSRExitCompiler32_64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGOSRExitCompiler64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::compileInThreadImpl):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
+        (JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the 
+        byte that contains the mark bit of the object. 
+        (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the 
+        cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
+        (JSC::DFG::SpeculativeJIT::writeBarrier):
+        (JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed 
+        during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles 
+        are properly cleared during GC.
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::cachedPutById):
+        (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::writeBarrier):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::cachedPutById):
+        (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::writeBarrier):
+        * dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant
+        StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that 
+        that object doesn't need any more StoreBarriers. 
+        (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
+        (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the 
+        objects known in the current block. 
+        (JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically 
+        sets the bit for that object since if a GC occurred as the result of that object's allocation then that 
+        object would not need a barrier since it would be guaranteed to be a young generation object until the 
+        next GC point.
+        (JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
+        (JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
+        (JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
+        (JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
+        (JSC::DFG::StoreBarrierElisionPhase::handleNode):
+        (JSC::DFG::StoreBarrierElisionPhase::handleBlock):
+        (JSC::DFG::StoreBarrierElisionPhase::run):
+        (JSC::DFG::performStoreBarrierElision):
+        * dfg/DFGStoreBarrierElisionPhase.h: Added.
+        * heap/Heap.cpp:
+        (JSC::Heap::Heap):
+        (JSC::Heap::flushWriteBarrierBuffer):
+        * heap/Heap.h:
+        (JSC::Heap::writeBarrier):
+        * heap/MarkedBlock.h:
+        (JSC::MarkedBlock::offsetOfMarks):
+        * heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting 
+        a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
+        to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
+        until its full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to 
+        each EdenCollection.
+        (JSC::WriteBarrierBuffer::WriteBarrierBuffer):
+        (JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
+        (JSC::WriteBarrierBuffer::flush):
+        (JSC::WriteBarrierBuffer::reset):
+        (JSC::WriteBarrierBuffer::add):
+        * heap/WriteBarrierBuffer.h: Added.
+        (JSC::WriteBarrierBuffer::currentIndexOffset):
+        (JSC::WriteBarrierBuffer::capacityOffset):
+        (JSC::WriteBarrierBuffer::bufferOffset):
+        * jit/JITOperations.cpp:
+        * jit/JITOperations.h:
+        * runtime/VM.h:
+
 2013-12-18  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/JavaScriptCore/GNUmakefile.list.am

@@ -388 +388 @@
         Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp \
         Source/JavaScriptCore/dfg/DFGStackLayoutPhase.h \
+        Source/JavaScriptCore/dfg/DFGStoreBarrierElisionPhase.cpp \
+        Source/JavaScriptCore/dfg/DFGStoreBarrierElisionPhase.h \
         Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp \
         Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.h \
@@ -577 +579 @@
         Source/JavaScriptCore/heap/WeakSetInlines.h \
         Source/JavaScriptCore/heap/WeakReferenceHarvester.h \
+        Source/JavaScriptCore/heap/WriteBarrierBuffer.cpp \
+        Source/JavaScriptCore/heap/WriteBarrierBuffer.h \
         Source/JavaScriptCore/heap/WriteBarrierSupport.cpp \
         Source/JavaScriptCore/heap/WriteBarrierSupport.h \

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj

@@ -429 +429 @@
     <ClCompile Include="..\dfg\DFGSSALoweringPhase.cpp" />
     <ClCompile Include="..\dfg\DFGStackLayoutPhase.cpp" />
+    <ClCompile Include="..\dfg\DFGStoreBarrierElisionPhase.cpp" />
     <ClCompile Include="..\dfg\DFGStrengthReductionPhase.cpp" />
     <ClCompile Include="..\dfg\DFGThunks.cpp" />
@@ -472 +473 @@
     <ClCompile Include="..\heap\WeakHandleOwner.cpp" />
     <ClCompile Include="..\heap\WeakSet.cpp" />
+    <ClCompile Include="..\heap\WriteBarrierBuffer.cpp" />
     <ClCompile Include="..\heap\WriteBarrierSupport.cpp" />
     <ClCompile Include="..\inspector\InspectorAgentRegistry.cpp" />
@@ -949 +951 @@
     <ClInclude Include="..\dfg\DFGSSALoweringPhase.h" />
     <ClInclude Include="..\dfg\DFGStackLayoutPhase.h" />
+    <ClInclude Include="..\dfg\DFGStoreBarrierElisionPhase.h" />
     <ClInclude Include="..\dfg\DFGStrengthReductionPhase.h" />
     <ClInclude Include="..\dfg\DFGStructureAbstractValue.h" />
@@ -1027 +1030 @@
     <ClInclude Include="..\heap\WeakSet.h" />
     <ClInclude Include="..\heap\WeakSetInlines.h" />
+    <ClInclude Include="..\heap\WriteBarrierBuffer.h" />
     <ClInclude Include="..\heap\WriteBarrierSupport.h" />
     <ClInclude Include="..\inspector\InspectorAgentBase.h" />

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters

@@ -280 +280 @@
       <Filter>heap</Filter>
     </ClCompile>
+    <ClCompile Include="..\heap\WriteBarrierBuffer.cpp">
+      <Filter>heap</Filter>
+    </ClCompile>
     <ClCompile Include="..\heap\WriteBarrierSupport.cpp">
       <Filter>heap</Filter>
@@ -1148 +1151 @@
     </ClCompile>
     <ClCompile Include="..\dfg\DFGStackLayoutPhase.cpp">
+      <Filter>dfg</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dfg\DFGStoreBarrierElisionPhase.cpp">
       <Filter>dfg</Filter>
     </ClCompile>
@@ -1755 +1761 @@
       <Filter>heap</Filter>
     </ClInclude>
+    <ClInclude Include="..\heap\WriteBarrierBuffer.h">
+      <Filter>heap</Filter>
+    </ClInclude>
     <ClInclude Include="..\heap\WriteBarrierSupport.h">
       <Filter>heap</Filter>
@@ -3056 +3065 @@
     </ClInclude>
     <ClInclude Include="..\dfg\DFGStackLayoutPhase.h">
+      <Filter>dfg</Filter>
+    </ClInclude>
+    <ClInclude Include="..\dfg\DFGStoreBarrierElisionPhase.h">
       <Filter>dfg</Filter>
     </ClInclude>

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -719 +719 @@
                 2A2825D018341F2D0087FBA9 /* DelayedReleaseScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A2825CF18341F2D0087FBA9 /* DelayedReleaseScope.h */; };
                 2A48D1911772365B00C65A5F /* APICallbackFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = C211B574176A224D000E2A23 /* APICallbackFunction.h */; };
+                2A4EC90B1860D6C20094F782 /* WriteBarrierBuffer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A4EC9091860D6C20094F782 /* WriteBarrierBuffer.cpp */; };
+                2A4EC90C1860D6C20094F782 /* WriteBarrierBuffer.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A4EC90A1860D6C20094F782 /* WriteBarrierBuffer.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 2A6F462617E959CE00C45C98 /* HeapOperation.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A6F462517E959CE00C45C98 /* HeapOperation.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 2A7A58EF1808A4C40020BDF7 /* DeferGC.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */; };
                 2AAD964A18569417001F93BE /* RecursiveAllocationScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AAD964918569417001F93BE /* RecursiveAllocationScope.h */; };
+                2ACCF3DE185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2ACCF3DC185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp */; };
+                2ACCF3DF185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 2ACCF3DD185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h */; };
                 2AD8932B17E3868F00668276 /* HeapIterationScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AD8932917E3868F00668276 /* HeapIterationScope.h */; };
                 371D842D17C98B6E00ECF994 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 371D842C17C98B6E00ECF994 /* libz.dylib */; };
@@ -2022 +2026 @@
                 2600B5A5152BAAA70091EE5F /* JSStringJoiner.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStringJoiner.h; sourceTree = "<group>"; };
                 2A2825CF18341F2D0087FBA9 /* DelayedReleaseScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DelayedReleaseScope.h; sourceTree = "<group>"; };
+                2A4EC9091860D6C20094F782 /* WriteBarrierBuffer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WriteBarrierBuffer.cpp; sourceTree = "<group>"; };
+                2A4EC90A1860D6C20094F782 /* WriteBarrierBuffer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WriteBarrierBuffer.h; sourceTree = "<group>"; };
                 2A6F462517E959CE00C45C98 /* HeapOperation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapOperation.h; sourceTree = "<group>"; };
                 2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DeferGC.cpp; sourceTree = "<group>"; };
                 2AAD964918569417001F93BE /* RecursiveAllocationScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RecursiveAllocationScope.h; sourceTree = "<group>"; };
+                2ACCF3DC185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGStoreBarrierElisionPhase.cpp; path = dfg/DFGStoreBarrierElisionPhase.cpp; sourceTree = "<group>"; };
+                2ACCF3DD185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStoreBarrierElisionPhase.h; path = dfg/DFGStoreBarrierElisionPhase.h; sourceTree = "<group>"; };
                 2AD8932917E3868F00668276 /* HeapIterationScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapIterationScope.h; sourceTree = "<group>"; };
                 371D842C17C98B6E00ECF994 /* libz.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libz.dylib; path = usr/lib/libz.dylib; sourceTree = SDKROOT; };
@@ -3112 +3120 @@
                         isa = PBXGroup;
                         children = (
+                                2A4EC9091860D6C20094F782 /* WriteBarrierBuffer.cpp */,
+                                2A4EC90A1860D6C20094F782 /* WriteBarrierBuffer.h */,
                                 14816E19154CC56C00B8054C /* BlockAllocator.cpp */,
                                 14816E1A154CC56C00B8054C /* BlockAllocator.h */,
@@ -3848 +3858 @@
                         isa = PBXGroup;
                         children = (
+                                2ACCF3DC185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp */,
+                                2ACCF3DD185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h */,
                                 A77A423617A0BBFD00A8DB81 /* DFGAbstractHeap.cpp */,
                                 A77A423717A0BBFD00A8DB81 /* DFGAbstractHeap.h */,
@@ -4362 +4374 @@
                                 86ADD1450FDDEA980006EEC2 /* ARMv7Assembler.h in Headers */,
                                 65C0285D1717966800351E35 /* ARMv7DOpcode.h in Headers */,
+                                2A4EC90C1860D6C20094F782 /* WriteBarrierBuffer.h in Headers */,
                                 A532439218569709002ED692 /* CodeGeneratorInspector.py in Headers */,
                                 A532439318569709002ED692 /* CodeGeneratorInspectorStrings.py in Headers */,
@@ -5051 +5064 @@
                                 A7CA3AE417DA41AE006538AF /* WeakMapConstructor.h in Headers */,
                                 A7CA3AEC17DA5168006538AF /* WeakMapData.h in Headers */,
+                                2ACCF3DF185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h in Headers */,
                                 A55D93AC18514F7900400DED /* InspectorTypeBuilder.h in Headers */,
                                 A7CA3AE617DA41AE006538AF /* WeakMapPrototype.h in Headers */,
@@ -5706 +5720 @@
                                 A78853F917972629001440E4 /* IntendedStructureChain.cpp in Sources */,
                                 147F39CF107EC37600427A48 /* InternalFunction.cpp in Sources */,
+                                2ACCF3DE185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp in Sources */,
                                 1429D7D40ED2128200B89619 /* Interpreter.cpp in Sources */,
                                 1429D92F0ED22D7000B89619 /* JIT.cpp in Sources */,
@@ -5718 +5733 @@
                                 BCDD51EB0FB8DF74004A8BDC /* JITOpcodes.cpp in Sources */,
                                 A71236E51195F33C00BD2174 /* JITOpcodes32_64.cpp in Sources */,
+                                2A4EC90B1860D6C20094F782 /* WriteBarrierBuffer.cpp in Sources */,
                                 0F24E54C17EE274900ABB217 /* JITOperations.cpp in Sources */,
                                 86CC85C40EE7A89400288682 /* JITPropertyAccess.cpp in Sources */,

trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h

@@ -69 +69 @@
     macro(TypedArrayProperties) \
     macro(GCState) \
+    macro(BarrierState) \
     macro(RegExpState) \
     macro(InternalState) \

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1589 +1589 @@
         break;
 
+    case ConditionalStoreBarrier: {
+        if (!needsTypeCheck(node->child2().node(), ~SpecCell))
+            m_state.setFoundConstants(true);
+        filter(node->child1(), SpecCell);
+        break;
+    }
+
+    case StoreBarrier: {
+        filter(node->child1(), SpecCell);
+        break;
+    }
+
+    case StoreBarrierWithNullCheck: {
+        break;
+    }
+
     case CheckTierUpAndOSREnter:
     case LoopHint:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -36 +36 @@
 
 namespace JSC { namespace DFG {
+
+template<typename ReadFunctor, typename WriteFunctor>
+void clobberizeForAllocation(ReadFunctor& read, WriteFunctor& write)
+{
+    read(GCState);
+    read(BarrierState);
+    write(GCState);
+    write(BarrierState);
+}
 
 template<typename ReadFunctor, typename WriteFunctor>
@@ -161 +170 @@
     case CreateActivation:
     case CreateArguments:
+        clobberizeForAllocation(read, write);
         write(SideState);
         write(Watchpoint_fire);
-        read(GCState);
-        write(GCState);
         return;
         
@@ -174 +182 @@
     case CreateThis:
         read(MiscFields);
-        read(GCState);
-        write(GCState);
+        clobberizeForAllocation(read, write);
         return;
 
@@ -436 +443 @@
     case AllocatePropertyStorage:
         write(JSObject_butterfly);
-        read(GCState);
-        write(GCState);
+        clobberizeForAllocation(read, write);
         return;
         
@@ -443 +449 @@
         read(JSObject_butterfly);
         write(JSObject_butterfly);
-        read(GCState);
-        write(GCState);
+        clobberizeForAllocation(read, write);
         return;
         
@@ -457 +462 @@
         write(JSCell_structure);
         write(JSObject_butterfly);
-        read(GCState);
-        write(GCState);
+        clobberizeForAllocation(read, write);
         return;
         
@@ -545 +549 @@
     case NewFunction:
     case NewFunctionExpression:
-        read(GCState);
-        write(GCState);
+        clobberizeForAllocation(read, write);
         return;
         
     case NewTypedArray:
+        clobberizeForAllocation(read, write);
         switch (node->child1().useKind()) {
         case Int32Use:
-            read(GCState);
-            write(GCState);
             return;
         case UntypedUse:
@@ -642 +644 @@
     case ThrowReferenceError:
         write(SideState);
-        read(GCState);
-        write(GCState);
+        clobberizeForAllocation(read, write);
         return;
         
@@ -650 +651 @@
         read(InternalState);
         write(InternalState);
+        return;
+
+    case StoreBarrier:
+    case ConditionalStoreBarrier:
+    case StoreBarrierWithNullCheck:
+        read(BarrierState);
+        write(BarrierState);
         return;
         

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -301 +301 @@
                     ASSERT(status.newStructure()->outOfLineCapacity());
                     ASSERT(!isInlineOffset(status.offset()));
-                    propertyStorage = Edge(m_insertionSet.insertNode(
+                    Node* allocatePropertyStorage = m_insertionSet.insertNode(
                         indexInBlock, SpecNone, AllocatePropertyStorage,
-                        codeOrigin, OpInfo(transitionData), childEdge));
+                        codeOrigin, OpInfo(transitionData), childEdge);
+                    m_insertionSet.insertNode(indexInBlock, SpecNone, StoreBarrier, codeOrigin, Edge(node->child1().node(), KnownCellUse));
+                    propertyStorage = Edge(allocatePropertyStorage);
                 } else {
                     ASSERT(structure->outOfLineCapacity());
@@ -309 +311 @@
                     ASSERT(!isInlineOffset(status.offset()));
                     
-                    propertyStorage = Edge(m_insertionSet.insertNode(
+                    Node* reallocatePropertyStorage = m_insertionSet.insertNode(
                         indexInBlock, SpecNone, ReallocatePropertyStorage, codeOrigin,
                         OpInfo(transitionData), childEdge,
                         Edge(m_insertionSet.insertNode(
-                            indexInBlock, SpecNone, GetButterfly, codeOrigin, childEdge))));
+                            indexInBlock, SpecNone, GetButterfly, codeOrigin, childEdge)));
+                    m_insertionSet.insertNode(indexInBlock, SpecNone, StoreBarrier, codeOrigin, Edge(node->child1().node(), KnownCellUse));
+                    propertyStorage = Edge(reallocatePropertyStorage);
                 }
                 
                 if (status.isSimpleTransition()) {
-                    m_insertionSet.insertNode(
-                        indexInBlock, SpecNone, PutStructure, codeOrigin, 
-                        OpInfo(transitionData), childEdge);
-                }
-                
+                    Node* putStructure = m_graph.addNode(SpecNone, PutStructure, codeOrigin, OpInfo(transitionData), childEdge);
+                    m_insertionSet.insertNode(indexInBlock, SpecNone, StoreBarrier, codeOrigin, Edge(node->child1().node(), KnownCellUse));
+                    m_insertionSet.insert(indexInBlock, putStructure);
+                }
+
                 node->convertToPutByOffset(m_graph.m_storageAccessData.size(), propertyStorage);
+                m_insertionSet.insertNode(indexInBlock, SpecNone, ConditionalStoreBarrier, codeOrigin, 
+                    Edge(node->child2().node(), KnownCellUse), Edge(node->child3().node(), UntypedUse));
                 
                 StorageAccessData storageAccessData;
@@ -330 +336 @@
                 break;
             }
-                
+
+            case ConditionalStoreBarrier: {
+                if (!m_interpreter.needsTypeCheck(node->child2().node(), ~SpecCell)) {
+                    node->convertToPhantom();
+                    eliminated = true;
+                }
+                break;
+            }
+
+            case StoreBarrier:
+            case StoreBarrierWithNullCheck: {
+                break;
+            }
+
             default:
                 break;

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -550 +550 @@
                 fixEdge<NumberUse>(child3);
                 break;
+            case Array::Contiguous:
+            case Array::ArrayStorage:
+            case Array::SlowPutArrayStorage:
+            case Array::Arguments:
+                fixEdge<KnownCellUse>(child1);
+                fixEdge<Int32Use>(child2);
+                insertStoreBarrier(m_indexInBlock, child1, child3);
+                break;
             default:
                 fixEdge<KnownCellUse>(child1);
@@ -582 +590 @@
             case Array::Double:
                 fixEdge<RealNumberUse>(node->child2());
+                break;
+            case Array::Contiguous:
+            case Array::ArrayStorage:
+                insertStoreBarrier(m_indexInBlock, node->child1(), node->child2());
                 break;
             default:
@@ -768 +780 @@
         }
             
+        case PutStructure: {
+            fixEdge<KnownCellUse>(node->child1());
+            insertStoreBarrier(m_indexInBlock, node->child1());
+            break;
+        }
+
+        case PutClosureVar: {
+            fixEdge<KnownCellUse>(node->child1());
+            insertStoreBarrier(m_indexInBlock, node->child1(), node->child3());
+            break;
+        }
+
         case GetClosureRegisters:
-        case PutClosureVar:
         case SkipTopScope:
         case SkipScope:
-        case PutStructure:
-        case AllocatePropertyStorage:
-        case ReallocatePropertyStorage:
         case GetScope: {
             fixEdge<KnownCellUse>(node->child1());
@@ -780 +800 @@
         }
             
+        case AllocatePropertyStorage:
+        case ReallocatePropertyStorage: {
+            fixEdge<KnownCellUse>(node->child1());
+            insertStoreBarrier(m_indexInBlock + 1, node->child1());
+            break;
+        }
+
         case GetById:
         case GetByIdFlush: {
@@ -801 +828 @@
         }
             
+        case PutById:
+        case PutByIdDirect: {
+            fixEdge<CellUse>(node->child1());
+            insertStoreBarrier(m_indexInBlock, node->child1(), node->child2());
+            break;
+        }
+
         case CheckExecutable:
         case CheckStructure:
         case StructureTransitionWatchpoint:
         case CheckFunction:
-        case PutById:
-        case PutByIdDirect:
         case CheckHasInstance:
         case CreateThis:
@@ -833 +865 @@
                 fixEdge<KnownCellUse>(node->child1());
             fixEdge<KnownCellUse>(node->child2());
+            insertStoreBarrier(m_indexInBlock, node->child2(), node->child3());
             break;
         }
@@ -892 +925 @@
             RELEASE_ASSERT_NOT_REACHED();
             break;
+        
+        case PutGlobalVar: {
+            Node* globalObjectNode = m_insertionSet.insertNode(m_indexInBlock, SpecNone, WeakJSConstant, node->codeOrigin, 
+                OpInfo(m_graph.globalObjectFor(node->codeOrigin)));
+            Node* barrierNode = m_graph.addNode(SpecNone, ConditionalStoreBarrier, m_currentNode->codeOrigin, 
+                Edge(globalObjectNode, KnownCellUse), Edge(node->child1().node(), UntypedUse));
+            fixupNode(barrierNode);
+            m_insertionSet.insert(m_indexInBlock, barrierNode);
+            break;
+        }
+
+        case TearOffActivation: {
+            Node* barrierNode = m_graph.addNode(SpecNone, StoreBarrierWithNullCheck, m_currentNode->codeOrigin, 
+                Edge(node->child1().node(), UntypedUse));
+            fixupNode(barrierNode);
+            m_insertionSet.insert(m_indexInBlock, barrierNode);
+            break;
+        }
 
         case IsString:
@@ -915 +966 @@
         case GetClosureVar:
         case GetGlobalVar:
-        case PutGlobalVar:
         case NotifyWrite:
         case VariableWatchpoint:
@@ -932 +982 @@
         case IsFunction:
         case CreateActivation:
-        case TearOffActivation:
         case CreateArguments:
         case PhantomArguments:
@@ -952 +1001 @@
         case ExtractOSREntryLocal:
         case LoopHint:
+        case StoreBarrier:
+        case ConditionalStoreBarrier:
+        case StoreBarrierWithNullCheck:
         case FunctionReentryWatchpoint:
         case TypedArrayWatchpoint:
@@ -1504 +1556 @@
     }
     
+    void insertStoreBarrier(unsigned indexInBlock, Edge child1, Edge child2 = Edge())
+    {
+        Node* barrierNode;
+        if (!child2)
+            barrierNode = m_graph.addNode(SpecNone, StoreBarrier, m_currentNode->codeOrigin, Edge(child1.node(), child1.useKind()));
+        else {
+            barrierNode = m_graph.addNode(SpecNone, ConditionalStoreBarrier, m_currentNode->codeOrigin, 
+                Edge(child1.node(), child1.useKind()), Edge(child2.node(), child2.useKind()));
+        }
+        fixupNode(barrierNode);
+        m_insertionSet.insert(indexInBlock, barrierNode);
+    }
+
     void fixIntEdge(Edge& edge)
     {

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -607 +607 @@
         return bitwise_cast<Node*>(m_opInfo);
     }
-    
+
+    bool isStoreBarrier()
+    {
+        switch (op()) {
+        case StoreBarrier:
+        case ConditionalStoreBarrier:
+        case StoreBarrierWithNullCheck:
+            return true;
+        default:
+            return false;
+        }
+    }
+
     bool hasIdentifier()
     {
@@ -1556 +1568 @@
         Node* replacement;
         BasicBlock* owner;
+        bool needsBarrier;
     } misc;
 };

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -292 +292 @@
     /* baseline JIT to redo the watchdog timer check, and service the timer. */ \
     macro(CheckWatchdogTimer, NodeMustGenerate) \
+    /* Write barriers ! */\
+    macro(StoreBarrier, NodeMustGenerate) \
+    macro(ConditionalStoreBarrier, NodeMustGenerate) \
+    macro(StoreBarrierWithNullCheck, NodeMustGenerate) \
 
 // This enum generates a monotonically increasing id for all Node types,

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp

@@ -31 +31 @@
 #include "DFGOperations.h"
 #include "DFGOSRExitCompilerCommon.h"
+#include "DFGSpeculativeJIT.h"
 #include "Operations.h"
 #include <wtf/DataLog.h>
@@ -449 +450 @@
         }
     }
-    
-    // 11) And finish.
-    
+
+#if ENABLE(GGC) 
+    // 11) Write barrier the owner executable because we're jumping into a different block.
+    for (CodeOrigin codeOrigin = exit.m_codeOrigin; ; codeOrigin = codeOrigin.inlineCallFrame->caller) {
+        CodeBlock* baselineCodeBlock = m_jit.baselineCodeBlockFor(codeOrigin);
+        m_jit.move(AssemblyHelpers::TrustedImmPtr(baselineCodeBlock->ownerExecutable()), GPRInfo::nonArgGPR0); 
+        SpeculativeJIT::osrWriteBarrier(m_jit, GPRInfo::nonArgGPR0, GPRInfo::nonArgGPR1, GPRInfo::nonArgGPR2);
+        if (!codeOrigin.inlineCallFrame)
+            break;
+    }
+#endif
+
+    // 12) And finish.
     adjustAndJumpToTarget(m_jit, exit);
 }

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp

@@ -31 +31 @@
 #include "DFGOperations.h"
 #include "DFGOSRExitCompilerCommon.h"
+#include "DFGSpeculativeJIT.h"
 #include "Operations.h"
 #include "VirtualRegister.h"
@@ -403 +404 @@
         }
     }
-    
-    // 11) And finish.
-    
+
+#if ENABLE(GGC) 
+    // 11) Write barrier the owner executable because we're jumping into a different block.
+    for (CodeOrigin codeOrigin = exit.m_codeOrigin; ; codeOrigin = codeOrigin.inlineCallFrame->caller) {
+        CodeBlock* baselineCodeBlock = m_jit.baselineCodeBlockFor(codeOrigin);
+        m_jit.move(AssemblyHelpers::TrustedImmPtr(baselineCodeBlock->ownerExecutable()), GPRInfo::nonArgGPR0); 
+        SpeculativeJIT::osrWriteBarrier(m_jit, GPRInfo::nonArgGPR0, GPRInfo::nonArgGPR1, GPRInfo::nonArgGPR2);
+        if (!codeOrigin.inlineCallFrame)
+            break;
+    }
+#endif
+
+    // 12) And finish.
     adjustAndJumpToTarget(m_jit, exit);
 }

trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp

@@ -55 +55 @@
 #include "DFGSSALoweringPhase.h"
 #include "DFGStackLayoutPhase.h"
+#include "DFGStoreBarrierElisionPhase.h"
 #include "DFGStrengthReductionPhase.h"
 #include "DFGTierUpCheckInjectionPhase.h"
@@ -224 +225 @@
     dfg.m_fixpointState = FixpointConverged;
 
+    performStoreBarrierElision(dfg);
     performStoreElimination(dfg);
     

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -547 +547 @@
 #ifndef NDEBUG
         // These get ignored because they don't return anything.
+        case StoreBarrier:
+        case ConditionalStoreBarrier:
+        case StoreBarrierWithNullCheck:
         case PutByValDirect:
         case PutByVal:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -242 +242 @@
     case Int52ToDouble:
     case Int52ToValue:
+    case StoreBarrier:
+    case ConditionalStoreBarrier:
+    case StoreBarrierWithNullCheck:
     case InvalidationPoint:
     case NotifyWrite:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -38 +38 @@
 #include "JSCJSValueInlines.h"
 #include "LinkBuffer.h"
+#include "WriteBarrierBuffer.h"
 #include <wtf/MathExtras.h>
 
@@ -908 +909 @@
         use(child3);
     }
-}
-
-void SpeculativeJIT::writeBarrier(GPRReg ownerGPR, GPRReg valueGPR, Edge valueUse, WriteBarrierUseKind useKind, GPRReg scratch1, GPRReg scratch2)
-{
-    UNUSED_PARAM(ownerGPR);
-    UNUSED_PARAM(valueGPR);
-    UNUSED_PARAM(scratch1);
-    UNUSED_PARAM(scratch2);
-    UNUSED_PARAM(useKind);
-
-    if (isKnownNotCell(valueUse.node()))
-        return;
-
-#if ENABLE(WRITE_BARRIER_PROFILING)
-    JITCompiler::emitCount(m_jit, WriteBarrierCounters::jitCounterFor(useKind));
-#endif
-}
-
-void SpeculativeJIT::writeBarrier(GPRReg ownerGPR, JSCell* value, WriteBarrierUseKind useKind, GPRReg scratch1, GPRReg scratch2)
-{
-    UNUSED_PARAM(ownerGPR);
-    UNUSED_PARAM(value);
-    UNUSED_PARAM(scratch1);
-    UNUSED_PARAM(scratch2);
-    UNUSED_PARAM(useKind);
-    
-    if (Heap::isMarked(value))
-        return;
-
-#if ENABLE(WRITE_BARRIER_PROFILING)
-    JITCompiler::emitCount(m_jit, WriteBarrierCounters::jitCounterFor(useKind));
-#endif
-}
-
-void SpeculativeJIT::writeBarrier(JSCell* owner, GPRReg valueGPR, Edge valueUse, WriteBarrierUseKind useKind, GPRReg scratch)
-{
-    UNUSED_PARAM(owner);
-    UNUSED_PARAM(valueGPR);
-    UNUSED_PARAM(scratch);
-    UNUSED_PARAM(useKind);
-
-    if (isKnownNotCell(valueUse.node()))
-        return;
-
-#if ENABLE(WRITE_BARRIER_PROFILING)
-    JITCompiler::emitCount(m_jit, WriteBarrierCounters::jitCounterFor(useKind));
-#endif
 }
 
@@ -4330 +4284 @@
     
     SpeculateCellOperand base(this, node->child1());
-    GPRTemporary scratch(this);
+    GPRTemporary scratch1(this);
         
     GPRReg baseGPR = base.gpr();
-    GPRReg scratchGPR = scratch.gpr();
+    GPRReg scratchGPR1 = scratch1.gpr();
         
     ASSERT(!node->structureTransitionData().previousStructure->outOfLineCapacity());
@@ -4340 +4294 @@
     JITCompiler::Jump slowPath =
         emitAllocateBasicStorage(
-            TrustedImm32(initialOutOfLineCapacity * sizeof(JSValue)), scratchGPR);
-
-    m_jit.addPtr(JITCompiler::TrustedImm32(sizeof(IndexingHeader)), scratchGPR);
+            TrustedImm32(initialOutOfLineCapacity * sizeof(JSValue)), scratchGPR1);
+
+    m_jit.addPtr(JITCompiler::TrustedImm32(sizeof(IndexingHeader)), scratchGPR1);
         
     addSlowPathGenerator(
-        slowPathCall(slowPath, this, operationAllocatePropertyStorageWithInitialCapacity, scratchGPR));
-        
-    m_jit.storePtr(scratchGPR, JITCompiler::Address(baseGPR, JSObject::butterflyOffset()));
-        
-    storageResult(scratchGPR, node);
+        slowPathCall(slowPath, this, operationAllocatePropertyStorageWithInitialCapacity, scratchGPR1));
+
+    m_jit.storePtr(scratchGPR1, JITCompiler::Address(baseGPR, JSObject::butterflyOffset()));
+
+    storageResult(scratchGPR1, node);
 }
 
@@ -4368 +4322 @@
         callOperation(operationReallocateButterflyToGrowPropertyStorage, result.gpr(), baseGPR, newSize / sizeof(JSValue));
         
+        MacroAssembler::Jump notNull = m_jit.branchTestPtr(MacroAssembler::NonZero, result.gpr());
+        m_jit.breakpoint();
+        notNull.link(&m_jit);
+
         storageResult(result.gpr(), node);
         return;
@@ -4383 +4341 @@
         
     JITCompiler::Jump slowPath =
-        emitAllocateBasicStorage(TrustedImm32(newSize), scratchGPR2);
-
-    m_jit.addPtr(JITCompiler::TrustedImm32(sizeof(IndexingHeader)), scratchGPR2);
+        emitAllocateBasicStorage(TrustedImm32(newSize), scratchGPR1);
+
+    m_jit.addPtr(JITCompiler::TrustedImm32(sizeof(IndexingHeader)), scratchGPR1);
         
     addSlowPathGenerator(
-        slowPathCall(slowPath, this, operationAllocatePropertyStorage, scratchGPR2, newSize / sizeof(JSValue)));
-    // We have scratchGPR2 = new storage, scratchGPR1 = scratch
+        slowPathCall(slowPath, this, operationAllocatePropertyStorage, scratchGPR1, newSize / sizeof(JSValue)));
+
+    // We have scratchGPR1 = new storage, scratchGPR2 = scratch
     for (ptrdiff_t offset = 0; offset < static_cast<ptrdiff_t>(oldSize); offset += sizeof(void*)) {
-        m_jit.loadPtr(JITCompiler::Address(oldStorageGPR, -(offset + sizeof(JSValue) + sizeof(void*))), scratchGPR1);
-        m_jit.storePtr(scratchGPR1, JITCompiler::Address(scratchGPR2, -(offset + sizeof(JSValue) + sizeof(void*))));
-    }
-    m_jit.storePtr(scratchGPR2, JITCompiler::Address(baseGPR, JSObject::butterflyOffset()));
-    
-    storageResult(scratchGPR2, node);
+        m_jit.loadPtr(JITCompiler::Address(oldStorageGPR, -(offset + sizeof(JSValue) + sizeof(void*))), scratchGPR2);
+        m_jit.storePtr(scratchGPR2, JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*))));
+    }
+    m_jit.storePtr(scratchGPR1, JITCompiler::Address(baseGPR, JSObject::butterflyOffset()));
+
+    storageResult(scratchGPR1, node);
 }
 
@@ -5452 +5411 @@
 }
 
+#if ENABLE(GGC)
+void SpeculativeJIT::compileStoreBarrier(Node* node)
+{
+    switch (node->op()) {
+    case ConditionalStoreBarrier: {
+        compileBaseValueStoreBarrier(node->child1(), node->child2());
+        break;
+    }
+
+    case StoreBarrier: {
+        SpeculateCellOperand base(this, node->child1());
+        GPRTemporary scratch1(this);
+        GPRTemporary scratch2(this);
+    
+        writeBarrier(base.gpr(), scratch1.gpr(), scratch2.gpr());
+        break;
+    }
+
+    case StoreBarrierWithNullCheck: {
+        JSValueOperand base(this, node->child1());
+        GPRTemporary scratch1(this);
+        GPRTemporary scratch2(this);
+    
+#if USE(JSVALUE64)
+        JITCompiler::Jump isNull = m_jit.branchTest64(JITCompiler::Zero, base.gpr());
+        writeBarrier(base.gpr(), scratch1.gpr(), scratch2.gpr());
+#else
+        JITCompiler::Jump isNull = m_jit.branch32(JITCompiler::Equal, base.tagGPR(), TrustedImm32(JSValue::EmptyValueTag));
+        writeBarrier(base.payloadGPR(), scratch1.gpr(), scratch2.gpr());
+#endif
+        isNull.link(&m_jit);
+        break;
+    }
+
+    default:
+        RELEASE_ASSERT_NOT_REACHED();
+        break;
+    }
+
+    noResult(node);
+}
+
+JITCompiler::Jump SpeculativeJIT::genericWriteBarrier(CCallHelpers& jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2)
+{
+    jit.move(owner, scratch1);
+    jit.move(owner, scratch2);
+
+    jit.andPtr(MacroAssembler::TrustedImmPtr(MarkedBlock::blockMask), scratch1);
+    jit.andPtr(MacroAssembler::TrustedImmPtr(~MarkedBlock::blockMask), scratch2);
+
+    // Shift index
+#if USE(JSVALUE64)
+    jit.rshift64(MacroAssembler::TrustedImm32(MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount), scratch2);
+#else
+    jit.rshift32(MacroAssembler::TrustedImm32(MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount), scratch2);
+#endif
+
+    // Emit load and branch
+    return jit.branchTest8(MacroAssembler::Zero, MacroAssembler::BaseIndex(scratch1, scratch2, MacroAssembler::TimesOne, MarkedBlock::offsetOfMarks()));
+}
+
+JITCompiler::Jump SpeculativeJIT::genericWriteBarrier(CCallHelpers& jit, JSCell* owner)
+{
+    MarkedBlock* block = MarkedBlock::blockFor(owner);
+    size_t markIndex = (reinterpret_cast<size_t>(owner) & ~MarkedBlock::blockMask) >> (MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount);
+    uint8_t* address = reinterpret_cast<uint8_t*>(reinterpret_cast<char*>(block) + MarkedBlock::offsetOfMarks()) + markIndex;
+    return jit.branchTest8(MacroAssembler::Zero, MacroAssembler::AbsoluteAddress(address));
+}
+
+MacroAssembler::Call SpeculativeJIT::storeToWriteBarrierBuffer(CCallHelpers& jit, GPRReg cell, GPRReg scratch1, GPRReg scratch2)
+{
+    ASSERT(scratch1 != scratch2);
+    // Load WriteBarrierBuffer from Heap
+    WriteBarrierBuffer* writeBarrierBuffer = &jit.vm()->heap.m_writeBarrierBuffer;
+    jit.move(TrustedImmPtr(writeBarrierBuffer), scratch1);
+    // Load currentIndex
+    jit.load32(MacroAssembler::Address(scratch1, WriteBarrierBuffer::currentIndexOffset()), scratch2);
+    // Branch if currentIndex >= capacity
+    JITCompiler::Jump needToFlush = jit.branch32(MacroAssembler::AboveOrEqual, scratch2, MacroAssembler::Address(scratch1, WriteBarrierBuffer::capacityOffset()));
+
+    // Store new currentIndex
+    jit.add32(TrustedImm32(1), scratch2);
+    jit.store32(scratch2, MacroAssembler::Address(scratch1, WriteBarrierBuffer::currentIndexOffset()));
+
+    // Load buffer
+    jit.loadPtr(MacroAssembler::Address(scratch1, WriteBarrierBuffer::bufferOffset()), scratch1);
+    // Store cell into buffer. We use an offset of -sizeof(void*) because we already added 1 to scratch2.
+    jit.storePtr(cell, MacroAssembler::BaseIndex(scratch1, scratch2, MacroAssembler::ScalePtr, static_cast<int32_t>(-sizeof(void*))));
+
+    // Jump to done
+    JITCompiler::Jump done = jit.jump();
+    // Link from branch
+    needToFlush.link(&jit);
+
+    // Call C slow path.
+    for (unsigned i = 0; i < GPRInfo::numberOfRegisters; ++i)
+        jit.storePtr(GPRInfo::toRegister(i), &jit.vm()->writeBarrierRegisterBuffer[i]);
+
+#if CPU(X86)
+    jit.push(scratch1);
+    jit.push(scratch1);
+#endif
+
+    jit.setupArgumentsWithExecState(cell);
+    MacroAssembler::Call call = jit.call();
+
+#if CPU(X86)
+    jit.pop(scratch1);
+    jit.pop(scratch1);
+#endif
+
+    for (unsigned i = GPRInfo::numberOfRegisters; i--;)
+        jit.loadPtr(&jit.vm()->writeBarrierRegisterBuffer[i], GPRInfo::toRegister(i));
+
+    // Link Done
+    done.link(&jit);
+
+    return call;
+}
+
+void SpeculativeJIT::storeToWriteBarrierBuffer(GPRReg cell, GPRReg scratch1, GPRReg scratch2)
+{
+    ASSERT(scratch1 != scratch2);
+    WriteBarrierBuffer* writeBarrierBuffer = &m_jit.vm()->heap.m_writeBarrierBuffer;
+    m_jit.move(TrustedImmPtr(writeBarrierBuffer), scratch1);
+    m_jit.load32(MacroAssembler::Address(scratch1, WriteBarrierBuffer::currentIndexOffset()), scratch2);
+    JITCompiler::Jump needToFlush = m_jit.branch32(MacroAssembler::AboveOrEqual, scratch2, MacroAssembler::Address(scratch1, WriteBarrierBuffer::capacityOffset()));
+
+    m_jit.add32(TrustedImm32(1), scratch2);
+    m_jit.store32(scratch2, MacroAssembler::Address(scratch1, WriteBarrierBuffer::currentIndexOffset()));
+
+    m_jit.loadPtr(MacroAssembler::Address(scratch1, WriteBarrierBuffer::bufferOffset()), scratch1);
+    // We use an offset of -sizeof(void*) because we already added 1 to scratch2.
+    m_jit.storePtr(cell, MacroAssembler::BaseIndex(scratch1, scratch2, MacroAssembler::ScalePtr, static_cast<int32_t>(-sizeof(void*))));
+
+    JITCompiler::Jump done = m_jit.jump();
+    needToFlush.link(&m_jit);
+
+    silentSpillAllRegisters(InvalidGPRReg);
+    callOperation(operationFlushWriteBarrierBuffer, cell);
+    silentFillAllRegisters(InvalidGPRReg);
+
+    done.link(&m_jit);
+}
+
+void SpeculativeJIT::storeToWriteBarrierBuffer(JSCell* cell, GPRReg scratch1, GPRReg scratch2)
+{
+    ASSERT(scratch1 != scratch2);
+    WriteBarrierBuffer* writeBarrierBuffer = &m_jit.vm()->heap.m_writeBarrierBuffer;
+    m_jit.move(TrustedImmPtr(writeBarrierBuffer), scratch1);
+    m_jit.load32(MacroAssembler::Address(scratch1, WriteBarrierBuffer::currentIndexOffset()), scratch2);
+    JITCompiler::Jump needToFlush = m_jit.branch32(MacroAssembler::AboveOrEqual, scratch2, MacroAssembler::Address(scratch1, WriteBarrierBuffer::capacityOffset()));
+
+    m_jit.add32(TrustedImm32(1), scratch2);
+    m_jit.store32(scratch2, MacroAssembler::Address(scratch1, WriteBarrierBuffer::currentIndexOffset()));
+
+    m_jit.loadPtr(MacroAssembler::Address(scratch1, WriteBarrierBuffer::bufferOffset()), scratch1);
+    // We use an offset of -sizeof(void*) because we already added 1 to scratch2.
+    m_jit.storePtr(TrustedImmPtr(cell), MacroAssembler::BaseIndex(scratch1, scratch2, MacroAssembler::ScalePtr, static_cast<int32_t>(-sizeof(void*))));
+
+    JITCompiler::Jump done = m_jit.jump();
+    needToFlush.link(&m_jit);
+
+    // Call C slow path
+    silentSpillAllRegisters(InvalidGPRReg);
+    callOperation(operationFlushWriteBarrierBuffer, cell);
+    silentFillAllRegisters(InvalidGPRReg);
+
+    done.link(&m_jit);
+}
+
+void SpeculativeJIT::writeBarrier(GPRReg ownerGPR, JSCell* value, GPRReg scratch1, GPRReg scratch2)
+{
+    if (Heap::isMarked(value))
+        return;
+
+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR, scratch1, scratch2);
+    storeToWriteBarrierBuffer(ownerGPR, scratch1, scratch2);
+    definitelyNotMarked.link(&m_jit);
+}
+
+void SpeculativeJIT::osrWriteBarrier(CCallHelpers& jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2)
+{
+    UNUSED_PARAM(jit);
+    UNUSED_PARAM(owner);
+    UNUSED_PARAM(scratch1);
+    UNUSED_PARAM(scratch2);
+    ASSERT(owner != scratch1);
+    ASSERT(owner != scratch2);
+
+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(jit, owner, scratch1, scratch2);
+
+    for (unsigned i = 0; i < GPRInfo::numberOfRegisters; ++i)
+        jit.storePtr(GPRInfo::toRegister(i), &jit.vm()->writeBarrierRegisterBuffer[i]);
+
+    // We need these extra slots because setupArgumentsWithExecState will use poke on x86.
+#if CPU(X86)
+    jit.push(scratch1);
+    jit.push(scratch1);
+    jit.push(scratch1);
+#endif
+
+    jit.setupArgumentsWithExecState(owner);
+    jit.move(TrustedImmPtr(reinterpret_cast<void*>(operationOSRWriteBarrier)), scratch1);
+    jit.call(scratch1);
+
+#if CPU(X86)
+    jit.pop(scratch1);
+    jit.pop(scratch1);
+    jit.pop(scratch1);
+#endif
+    for (unsigned i = GPRInfo::numberOfRegisters; i--;)
+        jit.loadPtr(&jit.vm()->writeBarrierRegisterBuffer[i], GPRInfo::toRegister(i)); 
+
+    definitelyNotMarked.link(&jit);
+}
+
+MacroAssembler::Call SpeculativeJIT::writeBarrier(CCallHelpers& jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2)
+{
+    ASSERT(owner != scratch1);
+    ASSERT(owner != scratch2);
+
+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(jit, owner, scratch1, scratch2);
+    MacroAssembler::Call call = storeToWriteBarrierBuffer(jit, owner, scratch1, scratch2);
+    definitelyNotMarked.link(&jit);
+    return call;
+}
+
+void SpeculativeJIT::writeBarrier(GPRReg ownerGPR, GPRReg scratch1, GPRReg scratch2)
+{
+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR, scratch1, scratch2);
+    storeToWriteBarrierBuffer(ownerGPR, scratch1, scratch2);
+    definitelyNotMarked.link(&m_jit);
+}
+#else
+void SpeculativeJIT::compileStoreBarrier(Node* node)
+{
+    DFG_NODE_DO_TO_CHILDREN(m_jit.graph(), node, speculate);
+    noResult(node);
+}
+#endif // ENABLE(GGC)
+
 } } // namespace JSC::DFG
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -290 +290 @@
     }
 
-    void writeBarrier(GPRReg ownerGPR, GPRReg valueGPR, Edge valueUse, WriteBarrierUseKind, GPRReg scratchGPR1 = InvalidGPRReg, GPRReg scratchGPR2 = InvalidGPRReg);
-    void writeBarrier(GPRReg ownerGPR, JSCell* value, WriteBarrierUseKind, GPRReg scratchGPR1 = InvalidGPRReg, GPRReg scratchGPR2 = InvalidGPRReg);
-    void writeBarrier(JSCell* owner, GPRReg valueGPR, Edge valueUse, WriteBarrierUseKind, GPRReg scratchGPR1 = InvalidGPRReg);
+#if ENABLE(GGC)
+    static MacroAssembler::Call storeToWriteBarrierBuffer(CCallHelpers& jit, GPRReg cell, GPRReg scratch1, GPRReg scratch2);
+    void storeToWriteBarrierBuffer(GPRReg cell, GPRReg scratch1, GPRReg scratch2);
+    void storeToWriteBarrierBuffer(JSCell*, GPRReg scratch1, GPRReg scratch2);
+
+    static JITCompiler::Jump genericWriteBarrier(CCallHelpers& jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2);
+    static JITCompiler::Jump genericWriteBarrier(CCallHelpers& jit, JSCell* owner);
+    static void osrWriteBarrier(CCallHelpers&, GPRReg owner, GPRReg scratch1, GPRReg scratch2);
+    static MacroAssembler::Call writeBarrier(CCallHelpers&, GPRReg owner, GPRReg scratch1, GPRReg scratch2);
+    void writeBarrier(GPRReg owner, GPRReg scratch1, GPRReg scratch2);
+    void writeBarrier(GPRReg owner, JSCell* value, GPRReg scratch1, GPRReg scratch2);
+
+    void writeBarrier(GPRReg owner, GPRReg value, Edge valueUse, GPRReg scratch1, GPRReg scratch2);
+    void writeBarrier(JSCell* owner, GPRReg value, Edge valueUse, GPRReg scratch1, GPRReg scratch2);
+#endif
+    void compileStoreBarrier(Node*);
 
     static GPRReg selectScratchGPR(GPRReg preserve1 = InvalidGPRReg, GPRReg preserve2 = InvalidGPRReg, GPRReg preserve3 = InvalidGPRReg, GPRReg preserve4 = InvalidGPRReg)
@@ -701 +714 @@
 #if USE(JSVALUE64)
     void cachedGetById(CodeOrigin, GPRReg baseGPR, GPRReg resultGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget = JITCompiler::Jump(), SpillRegistersMode = NeedToSpill);
-    void cachedPutById(CodeOrigin, GPRReg base, GPRReg value, Edge valueUse, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
+    void cachedPutById(CodeOrigin, GPRReg base, GPRReg value, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
 #elif USE(JSVALUE32_64)
     void cachedGetById(CodeOrigin, GPRReg baseTagGPROrNone, GPRReg basePayloadGPR, GPRReg resultTagGPR, GPRReg resultPayloadGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget = JITCompiler::Jump(), SpillRegistersMode = NeedToSpill);
-    void cachedPutById(CodeOrigin, GPRReg basePayloadGPR, GPRReg valueTagGPR, GPRReg valuePayloadGPR, Edge valueUse, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
+    void cachedPutById(CodeOrigin, GPRReg basePayloadGPR, GPRReg valueTagGPR, GPRReg valuePayloadGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
 #endif
     
     void compileIn(Node*);
     
+    void compileBaseValueStoreBarrier(Edge& baseEdge, Edge& valueEdge);
+
     void nonSpeculativeNonPeepholeCompareNull(Edge operand, bool invert = false);
     void nonSpeculativePeepholeBranchNull(Edge operand, Node* branchNode, bool invert = false);
@@ -1060 +1075 @@
     }
 
+    JITCompiler::Call callOperation(V_JITOperation_EC operation, JSCell* arg1)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(arg1));
+        return appendCallWithExceptionCheck(operation);
+    }
+
     JITCompiler::Call callOperation(V_JITOperation_ECIcf operation, GPRReg arg1, InlineCallFrame* inlineCallFrame)
     {
@@ -1076 +1097 @@
         return appendCallWithExceptionCheck(operation);
     }
-
     JITCompiler::Call callOperation(V_JITOperation_ECC operation, GPRReg arg1, GPRReg arg2)
     {
         m_jit.setupArgumentsWithExecState(arg1, arg2);
+        return appendCallWithExceptionCheck(operation);
+    }
+    JITCompiler::Call callOperation(V_JITOperation_ECC operation, GPRReg arg1, JSCell* arg2)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, TrustedImmPtr(arg2));
+        return appendCallWithExceptionCheck(operation);
+    }
+    JITCompiler::Call callOperation(V_JITOperation_ECC operation, JSCell* arg1, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(arg1), arg2);
         return appendCallWithExceptionCheck(operation);
     }
@@ -1341 +1371 @@
         return appendCallWithExceptionCheck(operation);
     }
-
     JITCompiler::Call callOperation(V_JITOperation_EJPP operation, GPRReg arg1, GPRReg arg2, void* pointer)
     {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -201 +201 @@
 }
 
-void SpeculativeJIT::cachedPutById(CodeOrigin codeOrigin, GPRReg basePayloadGPR, GPRReg valueTagGPR, GPRReg valuePayloadGPR, Edge valueUse, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget)
+void SpeculativeJIT::cachedPutById(CodeOrigin codeOrigin, GPRReg basePayloadGPR, GPRReg valueTagGPR, GPRReg valuePayloadGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget)
 {
-    writeBarrier(basePayloadGPR, valueTagGPR, valueUse, WriteBarrierForPropertyAccess, scratchGPR);
-    
     JITPutByIdGenerator gen(
         m_jit.codeBlock(), codeOrigin, usedRegisters(), GPRInfo::callFrameRegister,
@@ -1113 +1111 @@
 }
 
+void SpeculativeJIT::compileBaseValueStoreBarrier(Edge& baseEdge, Edge& valueEdge)
+{
+#if ENABLE(GGC)
+    ASSERT(!isKnownNotCell(valueEdge.node()));
+
+    SpeculateCellOperand base(this, baseEdge);
+    JSValueOperand value(this, valueEdge);
+    GPRTemporary scratch1(this);
+    GPRTemporary scratch2(this);
+
+    writeBarrier(base.gpr(), value.tagGPR(), valueEdge, scratch1.gpr(), scratch2.gpr());
+#else
+    UNUSED_PARAM(baseEdge);
+    UNUSED_PARAM(valueEdge);
+#endif
+}
+
 void SpeculativeJIT::compileObjectEquality(Node* node)
 {
@@ -2612 +2627 @@
             if (!m_compileOkay)
                 return;
-        
-            if (Heap::isWriteBarrierEnabled()) {
-                GPRTemporary scratch(this);
-                writeBarrier(baseReg, valueTagReg, child3, WriteBarrierForPropertyAccess, scratch.gpr());
-            }
-            
+
             compileContiguousPutByVal(node, base, property, value, valuePayloadReg, valueTagReg);
             break;
@@ -2634 +2644 @@
             if (!m_compileOkay)
                 return;
-            
-            {
-                GPRTemporary scratch(this);
-                GPRReg scratchReg = scratch.gpr();
-                writeBarrier(baseReg, valueTagReg, child3, WriteBarrierForPropertyAccess, scratchReg);
-            }
-            
+
             StorageOperand storage(this, child4);
             GPRReg storageReg = storage.gpr();
@@ -2820 +2824 @@
             GPRReg valuePayloadGPR = value.payloadGPR();
 
-            if (Heap::isWriteBarrierEnabled()) {
-                GPRTemporary scratch(this);
-                writeBarrier(baseGPR, valueTagGPR, node->child2(), WriteBarrierForPropertyAccess, scratch.gpr(), storageLengthGPR);
-            }
-
             m_jit.load32(MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()), storageLengthGPR);
             MacroAssembler::Jump slowPath = m_jit.branch32(MacroAssembler::AboveOrEqual, storageLengthGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfVectorLength()));
@@ -2872 +2871 @@
             GPRReg valueTagGPR = value.tagGPR();
             GPRReg valuePayloadGPR = value.payloadGPR();
-
-            if (Heap::isWriteBarrierEnabled()) {
-                GPRTemporary scratch(this);
-                writeBarrier(baseGPR, valueTagGPR, node->child2(), WriteBarrierForPropertyAccess, scratch.gpr(), storageLengthGPR);
-            }
 
             m_jit.load32(MacroAssembler::Address(storageGPR, ArrayStorage::lengthOffset()), storageLengthGPR);
@@ -3674 +3668 @@
     }
     case PutClosureVar: {
-        SpeculateCellOperand scope(this, node->child1());
         StorageOperand registers(this, node->child2());
         JSValueOperand value(this, node->child3());
         GPRTemporary scratchRegister(this);
-        GPRReg scopeGPR = scope.gpr();
+
         GPRReg registersGPR = registers.gpr();
         GPRReg valueTagGPR = value.tagGPR();
         GPRReg valuePayloadGPR = value.payloadGPR();
-        GPRReg scratchGPR = scratchRegister.gpr();
+
+        speculate(node, node->child1());
 
         m_jit.store32(valueTagGPR, JITCompiler::Address(registersGPR, node->varNumber() * sizeof(Register) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
         m_jit.store32(valuePayloadGPR, JITCompiler::Address(registersGPR, node->varNumber() * sizeof(Register) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
-        writeBarrier(scopeGPR, valueTagGPR, node->child3(), WriteBarrierForVariableAccess, scratchGPR);
         noResult(node);
         break;
@@ -3883 +3876 @@
         GPRReg baseGPR = base.gpr();
         
-#if ENABLE(WRITE_BARRIER_PROFILING)
-        // Must always emit this write barrier as the structure transition itself requires it
-        writeBarrier(baseGPR, node->structureTransitionData().newStructure, WriteBarrierForGenericAccess);
-#endif
-        
         m_jit.storePtr(MacroAssembler::TrustedImmPtr(node->structureTransitionData().newStructure), MacroAssembler::Address(baseGPR, JSCell::structureOffset()));
         
@@ -3949 +3937 @@
         
     case PutByOffset: {
-#if ENABLE(WRITE_BARRIER_PROFILING)
-        SpeculateCellOperand base(this, node->child2());
-#endif
         StorageOperand storage(this, node->child1());
         JSValueOperand value(this, node->child3());
@@ -3958 +3943 @@
         GPRReg valueTagGPR = value.tagGPR();
         GPRReg valuePayloadGPR = value.payloadGPR();
-        
-#if ENABLE(WRITE_BARRIER_PROFILING)
-        writeBarrier(base.gpr(), valueTagGPR, node->child3(), WriteBarrierForPropertyAccess);
-#endif
+
+        speculate(node, node->child2());
 
         StorageAccessData& storageAccessData = m_jit.graph().m_storageAccessData[node->storageAccessDataIndex()];
@@ -3982 +3965 @@
         GPRReg scratchGPR = scratch.gpr();
         
-        base.use();
-        value.use();
-
-        cachedPutById(node->codeOrigin, baseGPR, valueTagGPR, valuePayloadGPR, node->child2(), scratchGPR, node->identifierNumber(), NotDirect);
-        
-        noResult(node, UseChildrenCalledExplicitly);
+        cachedPutById(node->codeOrigin, baseGPR, valueTagGPR, valuePayloadGPR, scratchGPR, node->identifierNumber(), NotDirect);
+        
+        noResult(node);
         break;
     }
@@ -4001 +3981 @@
         GPRReg scratchGPR = scratch.gpr();
         
-        base.use();
-        value.use();
-
-        cachedPutById(node->codeOrigin, baseGPR, valueTagGPR, valuePayloadGPR, node->child2(), scratchGPR, node->identifierNumber(), Direct);
-
-        noResult(node, UseChildrenCalledExplicitly);
+        cachedPutById(node->codeOrigin, baseGPR, valueTagGPR, valuePayloadGPR, scratchGPR, node->identifierNumber(), Direct);
+
+        noResult(node);
         break;
     }
@@ -4024 +4001 @@
     case PutGlobalVar: {
         JSValueOperand value(this, node->child1());
-        if (Heap::isWriteBarrierEnabled()) {
-            GPRTemporary scratch(this);
-            GPRReg scratchReg = scratch.gpr();
-            
-            writeBarrier(m_jit.globalObjectFor(node->codeOrigin), value.tagGPR(), node->child1(), WriteBarrierForVariableAccess, scratchReg);
-        }
 
         // FIXME: if we happen to have a spare register - and _ONLY_ if we happen to have
@@ -4695 +4666 @@
         break;
 
+    case StoreBarrier:
+    case ConditionalStoreBarrier:
+    case StoreBarrierWithNullCheck: {
+        compileStoreBarrier(node);
+        break;
+    }
+
     case ForceOSRExit: {
         terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
@@ -4753 +4731 @@
 }
 
+#if ENABLE(GGC)
+void SpeculativeJIT::writeBarrier(GPRReg ownerGPR, GPRReg valueTagGPR, Edge valueUse, GPRReg scratch1, GPRReg scratch2)
+{
+    JITCompiler::Jump isNotCell;
+    if (!isKnownCell(valueUse.node()))
+        isNotCell = m_jit.branch32(JITCompiler::NotEqual, valueTagGPR, JITCompiler::TrustedImm32(JSValue::CellTag));
+
+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR, scratch1, scratch2);
+    storeToWriteBarrierBuffer(ownerGPR, scratch1, scratch2);
+    definitelyNotMarked.link(&m_jit);
+
+    if (!isKnownCell(valueUse.node()))
+        isNotCell.link(&m_jit);
+}
+
+void SpeculativeJIT::writeBarrier(JSCell* owner, GPRReg valueTagGPR, Edge valueUse, GPRReg scratch1, GPRReg scratch2)
+{
+    JITCompiler::Jump isNotCell;
+    if (!isKnownCell(valueUse.node()))
+        isNotCell = m_jit.branch32(JITCompiler::NotEqual, valueTagGPR, JITCompiler::TrustedImm32(JSValue::CellTag));
+
+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, owner);
+    storeToWriteBarrierBuffer(owner, scratch1, scratch2);
+    definitelyNotMarked.link(&m_jit);
+
+    if (!isKnownCell(valueUse.node()))
+        isNotCell.link(&m_jit);
+}
+#endif // ENABLE(GGC)
+
 #endif
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -207 +207 @@
 }
 
-void SpeculativeJIT::cachedPutById(CodeOrigin codeOrigin, GPRReg baseGPR, GPRReg valueGPR, Edge valueUse, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget)
+void SpeculativeJIT::cachedPutById(CodeOrigin codeOrigin, GPRReg baseGPR, GPRReg valueGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget)
 {
-    writeBarrier(baseGPR, valueGPR, valueUse, WriteBarrierForPropertyAccess, scratchGPR);
-
     JITPutByIdGenerator gen(
         m_jit.codeBlock(), codeOrigin, usedRegisters(), GPRInfo::callFrameRegister,
@@ -1474 +1472 @@
 }
 
+void SpeculativeJIT::compileBaseValueStoreBarrier(Edge& baseEdge, Edge& valueEdge)
+{
+#if ENABLE(GGC)
+    ASSERT(!isKnownNotCell(valueEdge.node()));
+
+    SpeculateCellOperand base(this, baseEdge);
+    JSValueOperand value(this, valueEdge);
+    GPRTemporary scratch1(this);
+    GPRTemporary scratch2(this);
+
+    writeBarrier(base.gpr(), value.gpr(), valueEdge, scratch1.gpr(), scratch2.gpr());
+#else
+    UNUSED_PARAM(baseEdge);
+    UNUSED_PARAM(valueEdge);
+#endif
+}
+
 void SpeculativeJIT::compileObjectEquality(Node* node)
 {
@@ -2908 +2923 @@
                         MacroAssembler::Below, valueReg, GPRInfo::tagTypeNumberRegister));
             }
-        
-            if (arrayMode.type() == Array::Contiguous && Heap::isWriteBarrierEnabled()) {
-                GPRTemporary scratch(this);
-                writeBarrier(baseReg, value.gpr(), child3, WriteBarrierForPropertyAccess, scratch.gpr());
-            }
 
             StorageOperand storage(this, child4);
@@ -2988 +2998 @@
             if (!m_compileOkay)
                 return;
-        
-            if (Heap::isWriteBarrierEnabled()) {
-                GPRTemporary scratch(this);
-                writeBarrier(baseReg, value.gpr(), child3, WriteBarrierForPropertyAccess, scratch.gpr());
-            }
 
             StorageOperand storage(this, child4);
@@ -3093 +3098 @@
                     MacroAssembler::Address(
                         baseReg, Arguments::offsetOfSlowArgumentData())));
-    
+
             m_jit.move(propertyReg, scratch2Reg);
             m_jit.signExtend32ToPtr(scratch2Reg, scratch2Reg);
@@ -3194 +3199 @@
             }
 
-            if (node->arrayMode().type() != Array::Int32 && Heap::isWriteBarrierEnabled()) {
-                GPRTemporary scratch(this);
-                writeBarrier(baseGPR, valueGPR, node->child2(), WriteBarrierForPropertyAccess, scratch.gpr(), storageLengthGPR);
-            }
-            
             m_jit.load32(MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()), storageLengthGPR);
             MacroAssembler::Jump slowPath = m_jit.branch32(MacroAssembler::AboveOrEqual, storageLengthGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfVectorLength()));
@@ -3242 +3242 @@
             JSValueOperand value(this, node->child2());
             GPRReg valueGPR = value.gpr();
-
-            if (Heap::isWriteBarrierEnabled()) {
-                GPRTemporary scratch(this);
-                writeBarrier(baseGPR, valueGPR, node->child2(), WriteBarrierForPropertyAccess, scratch.gpr(), storageLengthGPR);
-            }
 
             m_jit.load32(MacroAssembler::Address(storageGPR, ArrayStorage::lengthOffset()), storageLengthGPR);
@@ -3980 +3975 @@
     }
     case PutClosureVar: {
-        SpeculateCellOperand scope(this, node->child1());
         StorageOperand registers(this, node->child2());
         JSValueOperand value(this, node->child3());
-        GPRTemporary scratchRegister(this);
-
-        GPRReg scopeGPR = scope.gpr();
+
         GPRReg registersGPR = registers.gpr();
         GPRReg valueGPR = value.gpr();
-        GPRReg scratchGPR = scratchRegister.gpr();
+
+        speculate(node, node->child1());
 
         m_jit.store64(valueGPR, JITCompiler::Address(registersGPR, node->varNumber() * sizeof(Register)));
-        writeBarrier(scopeGPR, valueGPR, node->child3(), WriteBarrierForVariableAccess, scratchGPR);
         noResult(node);
         break;
@@ -4180 +4172 @@
 
         SpeculateCellOperand base(this, node->child1());
+        GPRTemporary scratch1(this);
+        GPRTemporary scratch2(this);
         GPRReg baseGPR = base.gpr();
-        
-        
-#if ENABLE(WRITE_BARRIER_PROFILING)
-        // Must always emit this write barrier as the structure transition itself requires it
-        writeBarrier(baseGPR, node->structureTransitionData().newStructure, WriteBarrierForGenericAccess);
-#endif
         
         m_jit.storePtr(MacroAssembler::TrustedImmPtr(node->structureTransitionData().newStructure), MacroAssembler::Address(baseGPR, JSCell::structureOffset()));
@@ -4246 +4234 @@
         
     case PutByOffset: {
-#if ENABLE(WRITE_BARRIER_PROFILING)
-        SpeculateCellOperand base(this, node->child2());
-#endif
         StorageOperand storage(this, node->child1());
         JSValueOperand value(this, node->child3());
+        GPRTemporary scratch1(this);
+        GPRTemporary scratch2(this);
 
         GPRReg storageGPR = storage.gpr();
         GPRReg valueGPR = value.gpr();
-        
-#if ENABLE(WRITE_BARRIER_PROFILING)
-        writeBarrier(base.gpr(), value.gpr(), node->child3(), WriteBarrierForPropertyAccess);
-#endif
+
+        speculate(node, node->child2());
 
         StorageAccessData& storageAccessData = m_jit.graph().m_storageAccessData[node->storageAccessDataIndex()];
         
         m_jit.store64(valueGPR, JITCompiler::Address(storageGPR, offsetRelativeToBase(storageAccessData.offset)));
-        
+
         noResult(node);
         break;
@@ -4276 +4261 @@
         GPRReg scratchGPR = scratch.gpr();
         
-        base.use();
-        value.use();
-
-        cachedPutById(node->codeOrigin, baseGPR, valueGPR, node->child2(), scratchGPR, node->identifierNumber(), NotDirect);
-        
-        noResult(node, UseChildrenCalledExplicitly);
+        cachedPutById(node->codeOrigin, baseGPR, valueGPR, scratchGPR, node->identifierNumber(), NotDirect);
+
+        noResult(node);
         break;
     }
@@ -4294 +4276 @@
         GPRReg scratchGPR = scratch.gpr();
         
-        base.use();
-        value.use();
-
-        cachedPutById(node->codeOrigin, baseGPR, valueGPR, node->child2(), scratchGPR, node->identifierNumber(), Direct);
-
-        noResult(node, UseChildrenCalledExplicitly);
+        cachedPutById(node->codeOrigin, baseGPR, valueGPR, scratchGPR, node->identifierNumber(), Direct);
+
+        noResult(node);
         break;
     }
@@ -4314 +4293 @@
     case PutGlobalVar: {
         JSValueOperand value(this, node->child1());
-        
-        if (Heap::isWriteBarrierEnabled()) {
-            GPRTemporary scratch(this);
-            GPRReg scratchReg = scratch.gpr();
-            
-            writeBarrier(m_jit.globalObjectFor(node->codeOrigin), value.gpr(), node->child1(), WriteBarrierForVariableAccess, scratchReg);
-        }
-        
+
         m_jit.store64(value.gpr(), node->registerPointer());
 
@@ -4974 +4946 @@
         break;
 
+    case StoreBarrier:
+    case ConditionalStoreBarrier:
+    case StoreBarrierWithNullCheck: {
+        compileStoreBarrier(node);
+        break;
+    }
+
 #if ENABLE(FTL_JIT)        
     case CheckTierUpInLoop: {
@@ -5054 +5033 @@
 }
 
+#if ENABLE(GGC)
+void SpeculativeJIT::writeBarrier(GPRReg ownerGPR, GPRReg valueGPR, Edge valueUse, GPRReg scratch1, GPRReg scratch2)
+{
+    JITCompiler::Jump isNotCell;
+    if (!isKnownCell(valueUse.node()))
+        isNotCell = m_jit.branchTest64(JITCompiler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
+
+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR, scratch1, scratch2);
+    storeToWriteBarrierBuffer(ownerGPR, scratch1, scratch2);
+    definitelyNotMarked.link(&m_jit);
+
+    if (!isKnownCell(valueUse.node()))
+        isNotCell.link(&m_jit);
+}
+
+void SpeculativeJIT::writeBarrier(JSCell* owner, GPRReg valueGPR, Edge valueUse, GPRReg scratch1, GPRReg scratch2)
+{
+    JITCompiler::Jump isNotCell;
+    if (!isKnownCell(valueUse.node()))
+        isNotCell = m_jit.branchTest64(JITCompiler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
+
+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, owner);
+    storeToWriteBarrierBuffer(owner, scratch1, scratch2);
+    definitelyNotMarked.link(&m_jit);
+
+    if (!isKnownCell(valueUse.node()))
+        isNotCell.link(&m_jit);
+}
+#endif // ENABLE(GGC)
+
 #endif
 

trunk/Source/JavaScriptCore/dfg/DFGVariableAccessData.h

@@ -355 +355 @@
         return FlushedAt(flushFormat(), machineLocal());
     }
-    
+
 private:
     // This is slightly space-inefficient, since anything we're unified with

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -270 +270 @@
     , m_handleSet(vm)
     , m_isSafeToCollect(false)
+#if ENABLE(GGC)
+    , m_writeBarrierBuffer(128)
+#endif
     , m_vm(vm)
     , m_lastGCLength(0)
@@ -997 +1000 @@
 }
 
+void Heap::flushWriteBarrierBuffer(JSCell* cell)
+{
+#if ENABLE(GGC)
+    m_writeBarrierBuffer.flush(*this);
+    m_writeBarrierBuffer.add(cell);
+#else
+    UNUSED_PARAM(cell);
+#endif
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -40 +40 @@
 #include "SlotVisitor.h"
 #include "WeakHandleOwner.h"
+#include "WriteBarrierBuffer.h"
 #include "WriteBarrierSupport.h"
 #include <wtf/HashCountedSet.h>
@@ -78 +79 @@
     public:
         friend class JIT;
+        friend class DFG::SpeculativeJIT;
         friend class GCThreadSharedData;
         static Heap* heap(const JSValue); // 0 for immediate values
@@ -94 +96 @@
 
         static bool isWriteBarrierEnabled();
+        static void writeBarrier(const JSCell*);
         static void writeBarrier(const JSCell*, JSValue);
         static void writeBarrier(const JSCell*, JSCell*);
         static uint8_t* addressOfCardFor(JSCell*);
+
+        void flushWriteBarrierBuffer(JSCell*);
 
         Heap(VM*, HeapType);
@@ -285 +290 @@
         bool m_isSafeToCollect;
 
+#if ENABLE(GGC)
+        WriteBarrierBuffer m_writeBarrierBuffer;
+#endif
+
         VM* m_vm;
         double m_lastGCLength;
@@ -371 +380 @@
     }
 
+    inline void Heap::writeBarrier(const JSCell*)
+    {
+        WriteBarrierCounters::countWriteBarrier();
+    }
+
     inline void Heap::writeBarrier(const JSCell*, JSCell*)
     {

trunk/Source/JavaScriptCore/heap/MarkedBlock.h

@@ -74 +74 @@
     public:
         static const size_t atomSize = 8; // bytes
+        static const size_t atomShiftAmount = 4; // log_2(atomSize) FIXME: Change atomSize to 16.
         static const size_t blockSize = 64 * KB;
         static const size_t blockMask = ~(blockSize - 1); // blockSize must be a power of two.
@@ -79 +80 @@
         static const size_t atomsPerBlock = blockSize / atomSize;
         static const size_t atomMask = atomsPerBlock - 1;
+
+        static const size_t markByteShiftAmount = 3; // log_2(word size for m_marks) FIXME: Change word size for m_marks to uint8_t.
 
         struct FreeCell {
@@ -168 +171 @@
         template <typename Functor> void forEachLiveCell(Functor&);
         template <typename Functor> void forEachDeadCell(Functor&);
+
+        static ptrdiff_t offsetOfMarks() { return OBJECT_OFFSETOF(MarkedBlock, m_marks); }
 
     private:

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1697 +1697 @@
 }
 
+void JIT_OPERATION operationFlushWriteBarrierBuffer(ExecState* exec, JSCell* cell)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    vm->heap.flushWriteBarrierBuffer(cell);
+}
+
+void JIT_OPERATION operationOSRWriteBarrier(ExecState* exec, JSCell* cell)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    exec->heap()->writeBarrier(cell);
+}
+
+// NB: We don't include the value as part of the barrier because the write barrier elision
+// phase in the DFG only tracks whether the object being stored to has been barriered. It 
+// would be much more complicated to try to model the value being stored as well.
+void JIT_OPERATION operationUnconditionalWriteBarrier(ExecState* exec, JSCell* cell)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    Heap::writeBarrier(cell);
+}
+
+void JIT_OPERATION operationInitGlobalConst(ExecState* exec, Instruction* pc)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    JSValue value = exec->r(pc[2].u.operand).jsValue();
+    pc[1].u.registerPointer->set(*vm, exec->codeBlock()->globalObject(), value);
+}
+
 void JIT_OPERATION lookupExceptionHandler(ExecState* exec)
 {

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -142 +142 @@
 typedef void JIT_OPERATION (*V_JITOperation_ECCIcf)(ExecState*, JSCell*, JSCell*, InlineCallFrame*);
 typedef void JIT_OPERATION (*V_JITOperation_ECJJ)(ExecState*, JSCell*, EncodedJSValue, EncodedJSValue);
+typedef void JIT_OPERATION (*V_JITOperation_ECPSPS)(ExecState*, JSCell*, void*, size_t, void*, size_t);
 typedef void JIT_OPERATION (*V_JITOperation_ECZ)(ExecState*, JSCell*, int32_t);
 typedef void JIT_OPERATION (*V_JITOperation_ECC)(ExecState*, JSCell*, JSCell*);
@@ -278 +279 @@
 void JIT_OPERATION operationPutToScope(ExecState*, Instruction* bytecodePC) WTF_INTERNAL;
 
+void JIT_OPERATION operationFlushWriteBarrierBuffer(ExecState*, JSCell*);
+void JIT_OPERATION operationWriteBarrier(ExecState*, JSCell*, JSCell*);
+void JIT_OPERATION operationUnconditionalWriteBarrier(ExecState*, JSCell*);
+void JIT_OPERATION operationOSRWriteBarrier(ExecState*, JSCell*);
+
+void JIT_OPERATION operationInitGlobalConst(ExecState*, Instruction*);
+
 } // extern "C"
 

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -32 +32 @@
 #include "DateInstanceCache.h"
 #include "ExecutableAllocator.h"
+#include "GPRInfo.h"
 #include "Heap.h"
 #include "Intrinsic.h"
@@ -388 +389 @@
         const ClassInfo* const jsFinalObjectClassInfo;
 
+        void* writeBarrierRegisterBuffer[GPRInfo::numberOfRegisters];
+
         ReturnAddressPtr exceptionLocation;
         JSValue hostCallReturnValue;

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        DFG should have a separate StoreBarrier node
+        https://bugs.webkit.org/show_bug.cgi?id=125530
+
+        Reviewed by Filip Pizlo.
+
+        * wtf/Platform.h: Added an #define for ENABLE(GGC) which will be used for landing things related to GenGC.
+
 2013-12-16  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WTF/wtf/Platform.h

@@ -785 +785 @@
 #endif
 
+/* Generational collector for JSC */
+#if !defined(ENABLE_GGC)
+#define ENABLE_GGC 0
+#endif
+
 /* Counts uses of write barriers using sampling counters. Be sure to also
    set ENABLE_SAMPLING_COUNTERS to 1. */