Changeset 180797 in webkit

Timestamp:

Feb 27, 2015 4:29:22 PM (9 years ago)

Author:

ggaren@apple.com

Message:

bmalloc: Pathological madvise churn on the free(malloc(x)) benchmark
​https://bugs.webkit.org/show_bug.cgi?id=142058

Reviewed by Andreas Kling.

The churn was caused by repeatedly splitting an object with physical
pages from an object without, and then merging them back together again.
The merge would conservatively forget that we had physical pages, forcing
a new call to madvise on the next allocation.

This patch more strictly segregates objects in the heap from objects in
the VM heap, with these changes:

(1) Objects in the heap are not allowed to merge with objects in the VM
heap, and vice versa -- since that would erase our precise knowledge of
which physical pages had been allocated.

(2) The VM heap is exclusively responsible for allocating and deallocating
physical pages.

(3) The heap free list must consider entries for objects that are in the
VM heap to be invalid, and vice versa. (This condition can arise
because the free list does not eagerly remove items.)

With these changes, we can know that any valid object in the heap's free
list already has physical pages, and does not need to call madvise.

Note that the VM heap -- as before -- might sometimes contain ranges
or pieces of ranges that have physical pages, since we allow splitting
of ranges at granularities smaller than the VM page size. These ranges
can eventually merge with ranges in the heap during scavenging.

• bmalloc.xcodeproj/project.pbxproj:

• bmalloc/BoundaryTag.h:

(bmalloc::BoundaryTag::owner):
(bmalloc::BoundaryTag::setOwner):
(bmalloc::BoundaryTag::initSentinel):
(bmalloc::BoundaryTag::hasPhysicalPages): Deleted.
(bmalloc::BoundaryTag::setHasPhysicalPages): Deleted. Replaced the concept
of "has physical pages" with a bit indicating which heap owns the large
object. This is a more precise concept, since the old bit was really a
Yes / Maybe bit.

• bmalloc/Deallocator.cpp:

• bmalloc/FreeList.cpp: Adopt

(bmalloc::FreeList::takeGreedy):
(bmalloc::FreeList::take):
(bmalloc::FreeList::removeInvalidAndDuplicateEntries):

• bmalloc/FreeList.h:

(bmalloc::FreeList::push): Added API for considering the owner when
deciding if a free list entry is valid.

• bmalloc/Heap.cpp:

(bmalloc::Heap::Heap): Adopt new API.

(bmalloc::Heap::scavengeLargeRanges): Scavenge all ranges with no minimum,
since some ranges might be able to merge with ranges in the VM heap, and
they won't be allowed to until we scavenge them.

(bmalloc::Heap::allocateSmallPage):
(bmalloc::Heap::allocateMediumPage):
(bmalloc::Heap::allocateLarge): New VM heap API makes this function
simpler, since we always get back physical pages now.

• bmalloc/Heap.h:
• bmalloc/LargeObject.h:

(bmalloc::LargeObject::end):
(bmalloc::LargeObject::owner):
(bmalloc::LargeObject::setOwner):
(bmalloc::LargeObject::isValidAndFree):
(bmalloc::LargeObject::merge): Do not merge objects across heaps since
that causes madvise churn.
(bmalloc::LargeObject::validateSelf):
(bmalloc::LargeObject::init):
(bmalloc::LargeObject::hasPhysicalPages): Deleted.
(bmalloc::LargeObject::setHasPhysicalPages): Deleted. Propogate the Owner API.

• bmalloc/Owner.h: Added.

• bmalloc/SegregatedFreeList.cpp:

(bmalloc::SegregatedFreeList::SegregatedFreeList):
(bmalloc::SegregatedFreeList::insert):
(bmalloc::SegregatedFreeList::takeGreedy):
(bmalloc::SegregatedFreeList::take):

• bmalloc/SegregatedFreeList.h: Propogate the owner API.

• bmalloc/VMAllocate.h:

(bmalloc::vmDeallocatePhysicalPagesSloppy):
(bmalloc::vmAllocatePhysicalPagesSloppy): Clarified these functions and
removed an edge case.

• bmalloc/VMHeap.cpp:

(bmalloc::VMHeap::VMHeap):

• bmalloc/VMHeap.h:

(bmalloc::VMHeap::allocateSmallPage):
(bmalloc::VMHeap::allocateMediumPage):
(bmalloc::VMHeap::allocateLargeObject):
(bmalloc::VMHeap::deallocateLargeObject): Be sure to give each object
a new chance to merge, since it might have been prohibited from merging
before by virtue of not being in the VM heap.

(bmalloc::VMHeap::allocateLargeRange): Deleted.
(bmalloc::VMHeap::deallocateLargeRange): Deleted.

Location:

trunk/Source/bmalloc

Files:

• ChangeLog (modified) (1 diff)
• bmalloc.xcodeproj/project.pbxproj (modified) (4 diffs)
• bmalloc/BoundaryTag.h (modified) (4 diffs)
• bmalloc/Deallocator.cpp (modified) (1 diff)
• bmalloc/FreeList.cpp (modified) (8 diffs)
• bmalloc/FreeList.h (modified) (2 diffs)
• bmalloc/Heap.cpp (modified) (7 diffs)
• bmalloc/Heap.h (modified) (1 diff)
• bmalloc/LargeObject.h (modified) (10 diffs)
• bmalloc/Owner.h (added)
• bmalloc/SegregatedFreeList.cpp (modified) (4 diffs)
• bmalloc/SegregatedFreeList.h (modified) (2 diffs)
• bmalloc/VMAllocate.h (modified) (2 diffs)
• bmalloc/VMHeap.cpp (modified) (1 diff)
• bmalloc/VMHeap.h (modified) (6 diffs)

trunk/Source/bmalloc/ChangeLog

@@ +1 @@
+2015-02-27  Geoffrey Garen  <ggaren@apple.com>
+
+        bmalloc: Pathological madvise churn on the free(malloc(x)) benchmark
+        https://bugs.webkit.org/show_bug.cgi?id=142058
+
+        Reviewed by Andreas Kling.
+
+        The churn was caused by repeatedly splitting an object with physical
+        pages from an object without, and then merging them back together again.
+        The merge would conservatively forget that we had physical pages, forcing
+        a new call to madvise on the next allocation.
+
+        This patch more strictly segregates objects in the heap from objects in
+        the VM heap, with these changes:
+
+        (1) Objects in the heap are not allowed to merge with objects in the VM
+        heap, and vice versa -- since that would erase our precise knowledge of
+        which physical pages had been allocated.
+
+        (2) The VM heap is exclusively responsible for allocating and deallocating
+        physical pages.
+
+        (3) The heap free list must consider entries for objects that are in the
+        VM heap to be invalid, and vice versa. (This condition can arise
+        because the free list does not eagerly remove items.)
+
+        With these changes, we can know that any valid object in the heap's free
+        list already has physical pages, and does not need to call madvise.
+
+        Note that the VM heap -- as before -- might sometimes contain ranges
+        or pieces of ranges that have physical pages, since we allow splitting
+        of ranges at granularities smaller than the VM page size. These ranges
+        can eventually merge with ranges in the heap during scavenging.
+
+        * bmalloc.xcodeproj/project.pbxproj:
+
+        * bmalloc/BoundaryTag.h:
+        (bmalloc::BoundaryTag::owner):
+        (bmalloc::BoundaryTag::setOwner):
+        (bmalloc::BoundaryTag::initSentinel):
+        (bmalloc::BoundaryTag::hasPhysicalPages): Deleted.
+        (bmalloc::BoundaryTag::setHasPhysicalPages): Deleted. Replaced the concept
+        of "has physical pages" with a bit indicating which heap owns the large
+        object. This is a more precise concept, since the old bit was really a
+        Yes / Maybe bit.
+
+        * bmalloc/Deallocator.cpp:
+
+        * bmalloc/FreeList.cpp: Adopt
+        (bmalloc::FreeList::takeGreedy):
+        (bmalloc::FreeList::take):
+        (bmalloc::FreeList::removeInvalidAndDuplicateEntries):
+        * bmalloc/FreeList.h:
+        (bmalloc::FreeList::push): Added API for considering the owner when
+        deciding if a free list entry is valid.
+
+        * bmalloc/Heap.cpp:
+        (bmalloc::Heap::Heap): Adopt new API.
+
+        (bmalloc::Heap::scavengeLargeRanges): Scavenge all ranges with no minimum,
+        since some ranges might be able to merge with ranges in the VM heap, and
+        they won't be allowed to until we scavenge them.
+
+        (bmalloc::Heap::allocateSmallPage):
+        (bmalloc::Heap::allocateMediumPage):
+        (bmalloc::Heap::allocateLarge): New VM heap API makes this function
+        simpler, since we always get back physical pages now.
+
+        * bmalloc/Heap.h:
+        * bmalloc/LargeObject.h:
+        (bmalloc::LargeObject::end):
+        (bmalloc::LargeObject::owner):
+        (bmalloc::LargeObject::setOwner):
+        (bmalloc::LargeObject::isValidAndFree):
+        (bmalloc::LargeObject::merge): Do not merge objects across heaps since
+        that causes madvise churn.
+        (bmalloc::LargeObject::validateSelf):
+        (bmalloc::LargeObject::init):
+        (bmalloc::LargeObject::hasPhysicalPages): Deleted.
+        (bmalloc::LargeObject::setHasPhysicalPages): Deleted. Propogate the Owner API.
+
+        * bmalloc/Owner.h: Added.
+
+        * bmalloc/SegregatedFreeList.cpp:
+        (bmalloc::SegregatedFreeList::SegregatedFreeList):
+        (bmalloc::SegregatedFreeList::insert):
+        (bmalloc::SegregatedFreeList::takeGreedy):
+        (bmalloc::SegregatedFreeList::take):
+        * bmalloc/SegregatedFreeList.h: Propogate the owner API.
+
+        * bmalloc/VMAllocate.h:
+        (bmalloc::vmDeallocatePhysicalPagesSloppy):
+        (bmalloc::vmAllocatePhysicalPagesSloppy): Clarified these functions and
+        removed an edge case.
+
+        * bmalloc/VMHeap.cpp:
+        (bmalloc::VMHeap::VMHeap):
+        * bmalloc/VMHeap.h:
+        (bmalloc::VMHeap::allocateSmallPage):
+        (bmalloc::VMHeap::allocateMediumPage):
+        (bmalloc::VMHeap::allocateLargeObject):
+        (bmalloc::VMHeap::deallocateLargeObject): Be sure to give each object
+        a new chance to merge, since it might have been prohibited from merging
+        before by virtue of not being in the VM heap.
+
+        (bmalloc::VMHeap::allocateLargeRange): Deleted.
+        (bmalloc::VMHeap::deallocateLargeRange): Deleted.
+
 2015-02-26  Geoffrey Garen  <ggaren@apple.com>
 

trunk/Source/bmalloc/bmalloc.xcodeproj/project.pbxproj

@@ -27 +27 @@
                 14C919C918FCC59F0028DB43 /* BPlatform.h in Headers */ = {isa = PBXBuildFile; fileRef = 14C919C818FCC59F0028DB43 /* BPlatform.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 14CC394C18EA8858004AFE34 /* libbmalloc.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 14F271BE18EA3963008C152F /* libbmalloc.a */; };
+                14D2CD9B1AA12CFB00770440 /* Owner.h in Headers */ = {isa = PBXBuildFile; fileRef = 14D2CD9A1AA12CFB00770440 /* Owner.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 14DD788C18F48CAE00950702 /* LargeChunk.h in Headers */ = {isa = PBXBuildFile; fileRef = 147AAA8818CD17CE002201E4 /* LargeChunk.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 14DD788D18F48CC600950702 /* BeginTag.h in Headers */ = {isa = PBXBuildFile; fileRef = 1417F64518B54A700076FA3F /* BeginTag.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -139 +140 @@
                 14C919C818FCC59F0028DB43 /* BPlatform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = BPlatform.h; path = bmalloc/BPlatform.h; sourceTree = "<group>"; };
                 14CC394418EA8743004AFE34 /* libmbmalloc.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = libmbmalloc.dylib; sourceTree = BUILT_PRODUCTS_DIR; };
+                14D2CD9A1AA12CFB00770440 /* Owner.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = Owner.h; path = bmalloc/Owner.h; sourceTree = "<group>"; };
                 14D9DB4517F2447100EAAB79 /* FixedVector.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; name = FixedVector.h; path = bmalloc/FixedVector.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; };
                 14DA32071885F9E6007269E0 /* Line.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; name = Line.h; path = bmalloc/Line.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; };
@@ -225 +227 @@
                                 147AAA8818CD17CE002201E4 /* LargeChunk.h */,
                                 14C6216E1A9A9A6200E72293 /* LargeObject.h */,
+                                14D2CD9A1AA12CFB00770440 /* Owner.h */,
                                 146BEE2118C845AE0002D5A2 /* SegregatedFreeList.cpp */,
                                 146BEE1E18C841C50002D5A2 /* SegregatedFreeList.h */,
@@ -354 +357 @@
                                 14DD78C818F48D7500950702 /* FixedVector.h in Headers */,
                                 14DD78B718F48D6B00950702 /* MediumLine.h in Headers */,
+                                14D2CD9B1AA12CFB00770440 /* Owner.h in Headers */,
                                 14DD78B618F48D6B00950702 /* MediumChunk.h in Headers */,
                                 14DD78BC18F48D6B00950702 /* SmallLine.h in Headers */,

trunk/Source/bmalloc/bmalloc/BoundaryTag.h

@@ -28 +28 @@
 
 #include "BAssert.h"
+#include "Owner.h"
 #include "Range.h"
 #include "Sizes.h"
@@ -50 +51 @@
     void setEnd(bool isEnd) { m_isEnd = isEnd; }
 
-    bool hasPhysicalPages() { return m_hasPhysicalPages; }
-    void setHasPhysicalPages(bool hasPhysicalPages) { m_hasPhysicalPages = hasPhysicalPages; }
+    Owner owner() { return m_owner; }
+    void setOwner(Owner owner) { m_owner = owner; }
     
     bool isMarked() { return m_isMarked; }
@@ -85 +86 @@
     bool m_isFree: 1;
     bool m_isEnd: 1;
-    bool m_hasPhysicalPages: 1;
+    Owner m_owner: 1;
     bool m_isMarked: 1;
     unsigned m_compactBegin: compactBeginBits;
@@ -122 +123 @@
     setRange(Range(nullptr, largeMin));
     setFree(false);
+    setOwner(Owner::VMHeap);
 }
 

trunk/Source/bmalloc/bmalloc/Deallocator.cpp

@@ -25 +25 @@
 
 #include "BAssert.h"
-#include "BeginTag.h"
 #include "LargeChunk.h"
 #include "Deallocator.h"

trunk/Source/bmalloc/bmalloc/FreeList.cpp

@@ -24 +24 @@
  */
 
-#include "BeginTag.h"
 #include "LargeChunk.h"
 #include "FreeList.h"
@@ -31 +30 @@
 namespace bmalloc {
 
-LargeObject FreeList::takeGreedy(size_t size)
+LargeObject FreeList::takeGreedy(Owner owner)
 {
     for (size_t i = m_vector.size(); i-- > 0; ) {
@@ -37 +36 @@
         // so we need to validate each free list entry before using it.
         LargeObject largeObject(LargeObject::DoNotValidate, m_vector[i].begin());
-        if (!largeObject.isValidAndFree(m_vector[i].size())) {
+        if (!largeObject.isValidAndFree(owner, m_vector[i].size())) {
             m_vector.pop(i);
             continue;
         }
-
-        if (largeObject.size() < size)
-            continue;
 
         m_vector.pop(i);
@@ -52 +48 @@
 }
 
-LargeObject FreeList::take(size_t size)
+LargeObject FreeList::take(Owner owner, size_t size)
 {
     LargeObject first;
@@ -60 +56 @@
         // we need to validate each free list entry before using it.
         LargeObject largeObject(LargeObject::DoNotValidate, m_vector[i].begin());
-        if (!largeObject.isValidAndFree(m_vector[i].size())) {
+        if (!largeObject.isValidAndFree(owner, m_vector[i].size())) {
             m_vector.pop(i);
             continue;
@@ -77 +73 @@
 }
 
-LargeObject FreeList::take(size_t alignment, size_t size, size_t unalignedSize)
+LargeObject FreeList::take(Owner owner, size_t alignment, size_t size, size_t unalignedSize)
 {
     BASSERT(isPowerOfTwo(alignment));
@@ -88 +84 @@
         // we need to validate each free list entry before using it.
         LargeObject largeObject(LargeObject::DoNotValidate, m_vector[i].begin());
-        if (!largeObject.isValidAndFree(m_vector[i].size())) {
+        if (!largeObject.isValidAndFree(owner, m_vector[i].size())) {
             m_vector.pop(i);
             continue;
@@ -108 +104 @@
 }
 
-void FreeList::removeInvalidAndDuplicateEntries()
+void FreeList::removeInvalidAndDuplicateEntries(Owner owner)
 {
     for (size_t i = m_vector.size(); i-- > 0; ) {
         LargeObject largeObject(LargeObject::DoNotValidate, m_vector[i].begin());
-        if (!largeObject.isValidAndFree(m_vector[i].size())) {
+        if (!largeObject.isValidAndFree(owner, m_vector[i].size())) {
             m_vector.pop(i);
             continue;

trunk/Source/bmalloc/bmalloc/FreeList.h

@@ -38 +38 @@
     FreeList();
 
-    void push(const LargeObject&);
+    void push(Owner, const LargeObject&);
 
-    LargeObject take(size_t);
-    LargeObject take(size_t alignment, size_t, size_t unalignedSize);
+    LargeObject take(Owner, size_t);
+    LargeObject take(Owner, size_t alignment, size_t, size_t unalignedSize);
     
-    LargeObject takeGreedy(size_t);
+    LargeObject takeGreedy(Owner);
 
-    void removeInvalidAndDuplicateEntries();
+    void removeInvalidAndDuplicateEntries(Owner);
     
 private:
@@ -58 +58 @@
 }
 
-inline void FreeList::push(const LargeObject& largeObject)
+inline void FreeList::push(Owner owner, const LargeObject& largeObject)
 {
     BASSERT(largeObject.isFree());
     if (m_vector.size() == m_limit) {
-        removeInvalidAndDuplicateEntries();
+        removeInvalidAndDuplicateEntries(owner);
         m_limit = std::max(m_vector.size() * freeListGrowFactor, freeListSearchDepth);
     }

trunk/Source/bmalloc/bmalloc/Heap.cpp

@@ -47 +47 @@
 
 Heap::Heap(std::lock_guard<StaticMutex>&)
-    : m_isAllocatingPages(false)
+    : m_largeObjects(Owner::Heap)
+    , m_isAllocatingPages(false)
     , m_scavenger(*this, &Heap::concurrentScavenge)
 {
@@ -145 +146 @@
         }
 
-        LargeObject largeObject = m_largeObjects.takeGreedy(vmPageSize);
+        LargeObject largeObject = m_largeObjects.takeGreedy();
         if (!largeObject)
             return;
-        m_vmHeap.deallocateLargeRange(lock, largeObject);
+        m_vmHeap.deallocateLargeObject(lock, largeObject);
     }
 }
@@ -241 +242 @@
         if (m_smallPages.size())
             return m_smallPages.pop();
-        
-        SmallPage* page = m_vmHeap.allocateSmallPage();
-        vmAllocatePhysicalPages(page->begin()->begin(), vmPageSize);
-        return page;
+        return m_vmHeap.allocateSmallPage();
     }();
 
@@ -266 +264 @@
         if (m_mediumPages.size())
             return m_mediumPages.pop();
-        
-        MediumPage* page = m_vmHeap.allocateMediumPage();
-        vmAllocatePhysicalPages(page->begin()->begin(), vmPageSize);
-        return page;
+        return m_vmHeap.allocateMediumPage();
     }();
 
@@ -376 +371 @@
 
     largeObject.setFree(false);
-
-    if (!largeObject.hasPhysicalPages()) {
-        vmAllocatePhysicalPagesSloppy(largeObject.begin(), largeObject.size());
-        largeObject.setHasPhysicalPages(true);
-    }
-    
     return largeObject.begin();
 }
@@ -395 +384 @@
     LargeObject largeObject = m_largeObjects.take(size);
     if (!largeObject)
-        largeObject = m_vmHeap.allocateLargeRange(size);
+        largeObject = m_vmHeap.allocateLargeObject(size);
 
     return allocateLarge(lock, largeObject, size);
@@ -416 +405 @@
     LargeObject largeObject = m_largeObjects.take(alignment, size, unalignedSize);
     if (!largeObject)
-        largeObject = m_vmHeap.allocateLargeRange(alignment, size, unalignedSize);
+        largeObject = m_vmHeap.allocateLargeObject(alignment, size, unalignedSize);
 
     size_t alignmentMask = alignment - 1;
-    if (!test(largeObject.begin(), alignmentMask))
-        return allocateLarge(lock, largeObject, size);
-
-    // Because we allocate VM left-to-right, we must explicitly allocate the
-    // unaligned space on the left in order to break off the aligned space
-    // we want in the middle.
-    size_t prefixSize = roundUpToMultipleOf(alignment, largeObject.begin() + largeMin) - largeObject.begin();
-    std::pair<LargeObject, LargeObject> pair = largeObject.split(prefixSize);
-    allocateLarge(lock, pair.first, prefixSize);
-    allocateLarge(lock, pair.second, size);
-    deallocateLarge(lock, pair.first);
-    return pair.second.begin();
+    if (test(largeObject.begin(), alignmentMask)) {
+        size_t prefixSize = roundUpToMultipleOf(alignment, largeObject.begin() + largeMin) - largeObject.begin();
+        std::pair<LargeObject, LargeObject> pair = largeObject.split(prefixSize);
+        m_largeObjects.insert(pair.first);
+        largeObject = pair.second;
+    }
+
+    return allocateLarge(lock, largeObject, size);
 }
 

trunk/Source/bmalloc/bmalloc/Heap.h

@@ -87 +87 @@
     void splitLarge(BeginTag*, size_t, EndTag*&, Range&);
     void mergeLarge(BeginTag*&, EndTag*&, Range&);
-    void mergeLargeLeft(EndTag*&, BeginTag*&, Range&, bool& hasPhysicalPages);
-    void mergeLargeRight(EndTag*&, BeginTag*&, Range&, bool& hasPhysicalPages);
+    void mergeLargeLeft(EndTag*&, BeginTag*&, Range&, bool& inVMHeap);
+    void mergeLargeRight(EndTag*&, BeginTag*&, Range&, bool& inVMHeap);
     
     void concurrentScavenge();

trunk/Source/bmalloc/bmalloc/LargeObject.h

@@ -47 +47 @@
 
     char* begin() const { return static_cast<char*>(m_object); }
+    char* end() const { return begin() + size(); }
     size_t size() const { return m_beginTag->size(); }
     Range range() const { return Range(m_object, size()); }
@@ -53 +54 @@
     bool isFree() const;
     
-    bool hasPhysicalPages() const;
-    void setHasPhysicalPages(bool) const;
+    Owner owner() const;
+    void setOwner(Owner) const;
     
     bool isMarked() const;
     void setMarked(bool) const;
     
-    bool isValidAndFree(size_t) const;
+    bool isValidAndFree(Owner, size_t) const;
 
     LargeObject merge() const;
@@ -117 +118 @@
 }
 
-inline bool LargeObject::hasPhysicalPages() const
-{
-    validate();
-    return m_beginTag->hasPhysicalPages();
-}
-
-inline void LargeObject::setHasPhysicalPages(bool hasPhysicalPages) const
-{
-    validate();
-    m_beginTag->setHasPhysicalPages(hasPhysicalPages);
-    m_endTag->setHasPhysicalPages(hasPhysicalPages);
+inline Owner LargeObject::owner() const
+{
+    validate();
+    return m_beginTag->owner();
+}
+
+inline void LargeObject::setOwner(Owner owner) const
+{
+    validate();
+    m_beginTag->setOwner(owner);
+    m_endTag->setOwner(owner);
 }
 
@@ -143 +144 @@
 }
 
-inline bool LargeObject::isValidAndFree(size_t expectedSize) const
+inline bool LargeObject::isValidAndFree(Owner expectedOwner, size_t expectedSize) const
 {
     if (!m_beginTag->isFree())
@@ -157 +158 @@
         return false;
 
+    if (m_beginTag->owner() != expectedOwner)
+        return false;
+    
     return true;
 }
@@ -164 +168 @@
     validate();
     BASSERT(isFree());
-
-    bool hasPhysicalPages = m_beginTag->hasPhysicalPages();
 
     BeginTag* beginTag = m_beginTag;
     EndTag* endTag = m_endTag;
     Range range = this->range();
+    Owner owner = this->owner();
     
     EndTag* prev = beginTag->prev();
-    if (prev->isFree()) {
+    if (prev->isFree() && prev->owner() == owner) {
         Range left(range.begin() - prev->size(), prev->size());
         range = Range(left.begin(), left.size() + range.size());
-        hasPhysicalPages &= prev->hasPhysicalPages();
 
         prev->clear();
@@ -184 +186 @@
 
     BeginTag* next = endTag->next();
-    if (next->isFree()) {
+    if (next->isFree() && next->owner() == owner) {
         Range right(range.end(), next->size());
         range = Range(range.begin(), range.size() + right.size());
 
-        hasPhysicalPages &= next->hasPhysicalPages();
-
         endTag->clear();
         next->clear();
@@ -198 +198 @@
     beginTag->setRange(range);
     beginTag->setFree(true);
-    beginTag->setHasPhysicalPages(hasPhysicalPages);
+    beginTag->setOwner(owner);
     endTag->init(beginTag);
 
@@ -239 +239 @@
     BASSERT(m_beginTag->size() == m_endTag->size());
     BASSERT(m_beginTag->isFree() == m_endTag->isFree());
-    BASSERT(m_beginTag->hasPhysicalPages() == m_endTag->hasPhysicalPages());
+    BASSERT(m_beginTag->owner() == m_endTag->owner());
     BASSERT(m_beginTag->isMarked() == m_endTag->isMarked());
 }
@@ -265 +265 @@
     beginTag->setRange(range);
     beginTag->setFree(true);
-    beginTag->setHasPhysicalPages(false);
+    beginTag->setOwner(Owner::VMHeap);
 
     EndTag* endTag = LargeChunk::endTag(range.begin(), range.size());

trunk/Source/bmalloc/bmalloc/SegregatedFreeList.cpp

@@ -28 +28 @@
 namespace bmalloc {
 
-SegregatedFreeList::SegregatedFreeList()
+SegregatedFreeList::SegregatedFreeList(Owner owner)
+    : m_owner(owner)
 {
     BASSERT(static_cast<size_t>(&select(largeMax) - m_freeLists.begin()) == m_freeLists.size() - 1);
@@ -35 +36 @@
 void SegregatedFreeList::insert(const LargeObject& largeObject)
 {
+    BASSERT(largeObject.owner() == m_owner);
     auto& list = select(largeObject.size());
-    list.push(largeObject);
+    list.push(m_owner, largeObject);
 }
 
-LargeObject SegregatedFreeList::takeGreedy(size_t size)
+LargeObject SegregatedFreeList::takeGreedy()
 {
     for (size_t i = m_freeLists.size(); i-- > 0; ) {
-        LargeObject largeObject = m_freeLists[i].takeGreedy(size);
+        LargeObject largeObject = m_freeLists[i].takeGreedy(m_owner);
         if (!largeObject)
             continue;
@@ -54 +56 @@
 {
     for (auto* list = &select(size); list != m_freeLists.end(); ++list) {
-        LargeObject largeObject = list->take(size);
+        LargeObject largeObject = list->take(m_owner, size);
         if (!largeObject)
             continue;
@@ -66 +68 @@
 {
     for (auto* list = &select(size); list != m_freeLists.end(); ++list) {
-        LargeObject largeObject = list->take(alignment, size, unalignedSize);
+        LargeObject largeObject = list->take(m_owner, alignment, size, unalignedSize);
         if (!largeObject)
             continue;

trunk/Source/bmalloc/bmalloc/SegregatedFreeList.h

@@ -34 +34 @@
 class SegregatedFreeList {
 public:
-    SegregatedFreeList();
+    SegregatedFreeList(Owner);
 
     void insert(const LargeObject&);
@@ -55 +55 @@
     // removes stale items from the free list while searching. Eagerly removes
     // the returned object from the free list.
-    LargeObject takeGreedy(size_t);
-    
+    LargeObject takeGreedy();
+
 private:
     FreeList& select(size_t);
 
+    Owner m_owner;
     std::array<FreeList, 19> m_freeLists;
 };

trunk/Source/bmalloc/bmalloc/VMAllocate.h

@@ -132 +132 @@
 }
 
-// Trims requests that are un-page-aligned. NOTE: size must be at least a page.
+// Trims requests that are un-page-aligned.
 inline void vmDeallocatePhysicalPagesSloppy(void* p, size_t size)
 {
-    BASSERT(size >= vmPageSize);
-
     char* begin = roundUpToMultipleOf<vmPageSize>(static_cast<char*>(p));
     char* end = roundDownToMultipleOf<vmPageSize>(static_cast<char*>(p) + size);
 
-    Range range(begin, end - begin);
-    if (!range)
+    if (begin >= end)
         return;
-    vmDeallocatePhysicalPages(range.begin(), range.size());
+
+    vmDeallocatePhysicalPages(begin, end - begin);
 }
 
@@ -152 +150 @@
     char* end = roundUpToMultipleOf<vmPageSize>(static_cast<char*>(p) + size);
 
-    Range range(begin, end - begin);
-    if (!range)
+    if (begin >= end)
         return;
-    vmAllocatePhysicalPages(range.begin(), range.size());
+
+    vmAllocatePhysicalPages(begin, end - begin);
 }
 

trunk/Source/bmalloc/bmalloc/VMHeap.cpp

@@ -34 +34 @@
 
 VMHeap::VMHeap()
+    : m_largeObjects(Owner::VMHeap)
 {
 }

trunk/Source/bmalloc/bmalloc/VMHeap.h

@@ -53 +53 @@
     SmallPage* allocateSmallPage();
     MediumPage* allocateMediumPage();
-    LargeObject allocateLargeRange(size_t);
-    LargeObject allocateLargeRange(size_t alignment, size_t, size_t unalignedSize);
+    LargeObject allocateLargeObject(size_t);
+    LargeObject allocateLargeObject(size_t alignment, size_t, size_t unalignedSize);
 
     void deallocateSmallPage(std::unique_lock<StaticMutex>&, SmallPage*);
     void deallocateMediumPage(std::unique_lock<StaticMutex>&, MediumPage*);
-    void deallocateLargeRange(std::unique_lock<StaticMutex>&, LargeObject&);
+    void deallocateLargeObject(std::unique_lock<StaticMutex>&, LargeObject&);
 
 private:
+    LargeObject allocateLargeObject(LargeObject&, size_t);
     void grow();
 
@@ -76 +77 @@
         grow();
 
-    return m_smallPages.pop();
+    SmallPage* page = m_smallPages.pop();
+    vmAllocatePhysicalPages(page->begin()->begin(), vmPageSize);
+    return page;
 }
 
@@ -84 +87 @@
         grow();
 
-    return m_mediumPages.pop();
+    MediumPage* page = m_mediumPages.pop();
+    vmAllocatePhysicalPages(page->begin()->begin(), vmPageSize);
+    return page;
 }
 
-inline LargeObject VMHeap::allocateLargeRange(size_t size)
+inline LargeObject VMHeap::allocateLargeObject(LargeObject& largeObject, size_t size)
+{
+    BASSERT(largeObject.isFree());
+
+    if (largeObject.size() - size > largeMin) {
+        std::pair<LargeObject, LargeObject> split = largeObject.split(size);
+        largeObject = split.first;
+        m_largeObjects.insert(split.second);
+    }
+
+    vmAllocatePhysicalPagesSloppy(largeObject.begin(), largeObject.size());
+    largeObject.setOwner(Owner::Heap);
+    return largeObject.begin();
+}
+
+inline LargeObject VMHeap::allocateLargeObject(size_t size)
 {
     LargeObject largeObject = m_largeObjects.take(size);
@@ -95 +115 @@
         BASSERT(largeObject);
     }
-    return largeObject;
+
+    return allocateLargeObject(largeObject, size);
 }
 
-inline LargeObject VMHeap::allocateLargeRange(size_t alignment, size_t size, size_t unalignedSize)
+inline LargeObject VMHeap::allocateLargeObject(size_t alignment, size_t size, size_t unalignedSize)
 {
     LargeObject largeObject = m_largeObjects.take(alignment, size, unalignedSize);
@@ -106 +127 @@
         BASSERT(largeObject);
     }
-    return largeObject;
+
+    size_t alignmentMask = alignment - 1;
+    if (test(largeObject.begin(), alignmentMask))
+        return allocateLargeObject(largeObject, unalignedSize);
+    return allocateLargeObject(largeObject, size);
 }
 
@@ -127 +152 @@
 }
 
-inline void VMHeap::deallocateLargeRange(std::unique_lock<StaticMutex>& lock, LargeObject& largeObject)
+inline void VMHeap::deallocateLargeObject(std::unique_lock<StaticMutex>& lock, LargeObject& largeObject)
 {
-    // Temporarily mark this range as allocated to prevent clients from merging
-    // with it and then reallocating it while we're messing with its physical pages.
-    largeObject.setFree(false);
+    largeObject.setOwner(Owner::VMHeap);
+    
+    // If we couldn't merge with our neighbors before because they were in the
+    // VM heap, we can merge with them now.
+    LargeObject merged = largeObject.merge();
+
+    // Temporarily mark this object as allocated to prevent clients from merging
+    // with it or allocating it while we're messing with its physical pages.
+    merged.setFree(false);
 
     lock.unlock();
-    vmDeallocatePhysicalPagesSloppy(largeObject.begin(), largeObject.size());
+    vmDeallocatePhysicalPagesSloppy(merged.begin(), merged.size());
     lock.lock();
 
-    largeObject.setFree(true);
-    largeObject.setHasPhysicalPages(false);
+    merged.setFree(true);
 
-    m_largeObjects.insert(largeObject);
+    m_largeObjects.insert(merged);
 }