Changeset 182899 in webkit

Timestamp:

Apr 16, 2015 12:15:09 PM (9 years ago)

Author:

commit-queue@webkit.org

Message:

Extract the allocation profile from JSFunction into a rare object
​https://bugs.webkit.org/show_bug.cgi?id=143807
.:

Patch by Basile Clement <​basile_clement@apple.com> on 2015-04-16
Reviewed by Filip Pizlo.

• WebKit.xcworkspace/contents.xcworkspacedata:

Source/JavaScriptCore:

Patch by Basile Clement <​basile_clement@apple.com> on 2015-04-16
Reviewed by Filip Pizlo.

The allocation profile is only needed for those functions that are used
to create objects with [new].
Extracting it into its own JSCell removes the need for JSFunction and
JSCallee to be JSDestructibleObjects, which should improve performances in most
cases at the cost of an extra pointer dereference when the allocation profile
is actually needed.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGOperations.cpp:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_create_this):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_create_this):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/FunctionRareData.cpp: Added.

(JSC::FunctionRareData::create):
(JSC::FunctionRareData::destroy):
(JSC::FunctionRareData::createStructure):
(JSC::FunctionRareData::visitChildren):
(JSC::FunctionRareData::FunctionRareData):
(JSC::FunctionRareData::~FunctionRareData):
(JSC::FunctionRareData::finishCreation):

• runtime/FunctionRareData.h: Added.

(JSC::FunctionRareData::offsetOfAllocationProfile):
(JSC::FunctionRareData::allocationProfile):
(JSC::FunctionRareData::allocationStructure):
(JSC::FunctionRareData::allocationProfileWatchpointSet):

• runtime/JSBoundFunction.cpp:

(JSC::JSBoundFunction::destroy): Deleted.

• runtime/JSBoundFunction.h:
• runtime/JSCallee.cpp:

(JSC::JSCallee::destroy): Deleted.

• runtime/JSCallee.h:
• runtime/JSFunction.cpp:

(JSC::JSFunction::JSFunction):
(JSC::JSFunction::createRareData):
(JSC::JSFunction::visitChildren):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
(JSC::JSFunction::destroy): Deleted.
(JSC::JSFunction::createAllocationProfile): Deleted.

• runtime/JSFunction.h:

(JSC::JSFunction::offsetOfRareData):
(JSC::JSFunction::rareData):
(JSC::JSFunction::allocationStructure):
(JSC::JSFunction::allocationProfileWatchpointSet):
(JSC::JSFunction::offsetOfAllocationProfile): Deleted.
(JSC::JSFunction::allocationProfile): Deleted.

• runtime/JSFunctionInlines.h:

(JSC::JSFunction::JSFunction):

• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:

Location:

trunk

Files:

• ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (modified) (2 diffs)
• Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters (modified) (2 diffs)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/FunctionRareData.cpp (added)
• Source/JavaScriptCore/runtime/FunctionRareData.h (added)
• Source/JavaScriptCore/runtime/JSBoundFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSBoundFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCallee.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCallee.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSFunction.cpp (modified) (6 diffs)
• Source/JavaScriptCore/runtime/JSFunction.h (modified) (6 diffs)
• Source/JavaScriptCore/runtime/JSFunctionInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/VM.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/VM.h (modified) (1 diff)
• WebKit.xcworkspace/contents.xcworkspacedata (modified) (1 diff)

trunk/ChangeLog

@@ +1 @@
+2015-04-16  Basile Clement  <basile_clement@apple.com>
+
+        Extract the allocation profile from JSFunction into a rare object
+        https://bugs.webkit.org/show_bug.cgi?id=143807
+
+        Reviewed by Filip Pizlo.
+
+        * WebKit.xcworkspace/contents.xcworkspacedata:
+
 2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>
 

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -449 +449 @@
     runtime/FunctionHasExecutedCache.cpp
     runtime/FunctionPrototype.cpp
+    runtime/FunctionRareData.cpp
     runtime/GetterSetter.cpp
     runtime/Identifier.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-04-16  Basile Clement  <basile_clement@apple.com>
+ 
+        Extract the allocation profile from JSFunction into a rare object
+        https://bugs.webkit.org/show_bug.cgi?id=143807
+ 
+        Reviewed by Filip Pizlo.
+ 
+        The allocation profile is only needed for those functions that are used
+        to create objects with [new].
+        Extracting it into its own JSCell removes the need for JSFunction and
+        JSCallee to be JSDestructibleObjects, which should improve performances in most
+        cases at the cost of an extra pointer dereference when the allocation profile
+        is actually needed.
+ 
+        * CMakeLists.txt:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_create_this):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_create_this):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/FunctionRareData.cpp: Added.
+        (JSC::FunctionRareData::create):
+        (JSC::FunctionRareData::destroy):
+        (JSC::FunctionRareData::createStructure):
+        (JSC::FunctionRareData::visitChildren):
+        (JSC::FunctionRareData::FunctionRareData):
+        (JSC::FunctionRareData::~FunctionRareData):
+        (JSC::FunctionRareData::finishCreation):
+        * runtime/FunctionRareData.h: Added.
+        (JSC::FunctionRareData::offsetOfAllocationProfile):
+        (JSC::FunctionRareData::allocationProfile):
+        (JSC::FunctionRareData::allocationStructure):
+        (JSC::FunctionRareData::allocationProfileWatchpointSet):
+        * runtime/JSBoundFunction.cpp:
+        (JSC::JSBoundFunction::destroy): Deleted.
+        * runtime/JSBoundFunction.h:
+        * runtime/JSCallee.cpp:
+        (JSC::JSCallee::destroy): Deleted.
+        * runtime/JSCallee.h:
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::JSFunction):
+        (JSC::JSFunction::createRareData):
+        (JSC::JSFunction::visitChildren):
+        (JSC::JSFunction::put):
+        (JSC::JSFunction::defineOwnProperty):
+        (JSC::JSFunction::destroy): Deleted.
+        (JSC::JSFunction::createAllocationProfile): Deleted.
+        * runtime/JSFunction.h:
+        (JSC::JSFunction::offsetOfRareData):
+        (JSC::JSFunction::rareData):
+        (JSC::JSFunction::allocationStructure):
+        (JSC::JSFunction::allocationProfileWatchpointSet):
+        (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
+        (JSC::JSFunction::allocationProfile): Deleted.
+        * runtime/JSFunctionInlines.h:
+        (JSC::JSFunction::JSFunction):
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+ 
 2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>
 

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj

@@ -717 +717 @@
     <ClCompile Include="..\runtime\FunctionHasExecutedCache.cpp" />
     <ClCompile Include="..\runtime\FunctionPrototype.cpp" />
+    <ClCompile Include="..\runtime\FunctionRareData.cpp" />
     <ClCompile Include="..\runtime\GetterSetter.cpp" />
     <ClCompile Include="..\runtime\Identifier.cpp" />
@@ -1497 +1498 @@
     <ClInclude Include="..\runtime\FunctionHasExecutedCache.h" />
     <ClInclude Include="..\runtime\FunctionPrototype.h" />
+    <ClInclude Include="..\runtime\FunctionRareData.h" />
     <ClInclude Include="..\runtime\GenericArguments.h" />
     <ClInclude Include="..\runtime\GenericArgumentsInlines.h" />

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters

@@ -607 +607 @@
       <Filter>runtime</Filter>
     </ClCompile>
+    <ClCompile Include="..\runtime\FunctionRareData.cpp">
+      <Filter>runtime</Filter>
+    </ClCompile>
     <ClCompile Include="..\runtime\GetterSetter.cpp">
       <Filter>runtime</Filter>
@@ -2632 +2635 @@
     </ClInclude>
     <ClInclude Include="..\runtime\FunctionPrototype.h">
+      <Filter>runtime</Filter>
+    </ClInclude>
+    <ClInclude Include="..\runtime\FunctionRareData.h">
       <Filter>runtime</Filter>
     </ClInclude>

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -954 +954 @@
                 5DBB1525131D0BD70056AD36 /* minidom.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 1412110D0A48788700480255 /* minidom.js */; };
                 5DE6E5B30E1728EC00180407 /* create_hash_table in Headers */ = {isa = PBXBuildFile; fileRef = F692A8540255597D01FF60F7 /* create_hash_table */; settings = {ATTRIBUTES = (); }; };
+                62D2D38F1ADF103F000206C1 /* FunctionRareData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 62D2D38D1ADF103F000206C1 /* FunctionRareData.cpp */; };
+                62D2D3901ADF103F000206C1 /* FunctionRareData.h in Headers */ = {isa = PBXBuildFile; fileRef = 62D2D38E1ADF103F000206C1 /* FunctionRareData.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 6507D29E0E871E5E00D7D896 /* JSTypeInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 6507D2970E871E4A00D7D896 /* JSTypeInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 651122FD14046A4C002B101D /* JavaScriptCore.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 932F5BD90822A1C700736975 /* JavaScriptCore.framework */; };
@@ -2645 +2647 @@
                 5DDDF44614FEE72200B4FB4D /* LLIntDesiredOffsets.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntDesiredOffsets.h; path = LLIntOffsets/LLIntDesiredOffsets.h; sourceTree = BUILT_PRODUCTS_DIR; };
                 5DE3D0F40DD8DDFB00468714 /* WebKitAvailability.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebKitAvailability.h; sourceTree = "<group>"; };
+                62D2D38D1ADF103F000206C1 /* FunctionRareData.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = FunctionRareData.cpp; sourceTree = "<group>"; };
+                62D2D38E1ADF103F000206C1 /* FunctionRareData.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FunctionRareData.h; sourceTree = "<group>"; };
                 6507D2970E871E4A00D7D896 /* JSTypeInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSTypeInfo.h; sourceTree = "<group>"; };
                 651122E5140469BA002B101D /* testRegExp.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = testRegExp.cpp; sourceTree = "<group>"; };
@@ -4398 +4402 @@
                                 F692A85C0255597D01FF60F7 /* FunctionPrototype.cpp */,
                                 F692A85D0255597D01FF60F7 /* FunctionPrototype.h */,
+                                62D2D38D1ADF103F000206C1 /* FunctionRareData.cpp */,
+                                62D2D38E1ADF103F000206C1 /* FunctionRareData.h */,
                                 0FE050111AA9091100D33B33 /* GenericArguments.h */,
                                 0FE050121AA9091100D33B33 /* GenericArgumentsInlines.h */,
@@ -5625 +5631 @@
                                 0FB7F39715ED8E4600F167B2 /* Butterfly.h in Headers */,
                                 0FB7F39815ED8E4600F167B2 /* ButterflyInlines.h in Headers */,
+                                62D2D3901ADF103F000206C1 /* FunctionRareData.h in Headers */,
                                 C2FCAE1117A9C24E0034C735 /* BytecodeBasicBlock.h in Headers */,
                                 0F21C27F14BEAA8200ADC64B /* BytecodeConventions.h in Headers */,
@@ -7446 +7453 @@
                                 A5BA15EE182340B400A82E69 /* RemoteInspectorXPCConnection.mm in Sources */,
                                 0F24E55017EE274900ABB217 /* Repatch.cpp in Sources */,
+                                62D2D38F1ADF103F000206C1 /* FunctionRareData.cpp in Sources */,
                                 0F7700921402FF3C0078EB39 /* SamplingCounter.cpp in Sources */,
                                 1429D8850ED21C3D00B89619 /* SamplingTool.cpp in Sources */,

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -230 +230 @@
 #endif
     
-    return constructEmptyObject(exec, jsCast<JSFunction*>(constructor)->allocationProfile(exec, inlineCapacity)->structure());
+    return constructEmptyObject(exec, jsCast<JSFunction*>(constructor)->rareData(exec, inlineCapacity)->allocationProfile()->structure());
 }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3498 +3498 @@
         GPRReg structureGPR = structure.gpr();
         GPRReg scratchGPR = scratch.gpr();
+        // Rare data is only used to access the allocator & structure
+        // We can avoid using an additional GPR this way
+        GPRReg rareDataGPR = structureGPR;
         
         MacroAssembler::JumpList slowPath;
 
-        m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
-        m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
-        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR));
+        m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
+        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
+        m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
+        m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
         emitAllocateJSObject(resultGPR, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3569 +3569 @@
         GPRReg structureGPR = structure.gpr();
         GPRReg scratchGPR = scratch.gpr();
+        // Rare data is only used to access the allocator & structure
+        // We can avoid using an additional GPR this way
+        GPRReg rareDataGPR = structureGPR;
 
         MacroAssembler::JumpList slowPath;
-        
-        m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
-        m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
-        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR));
+
+        m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
+        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
+        m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
+        m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
         emitAllocateJSObject(resultGPR, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
 

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -696 +696 @@
     int callee = currentInstruction[2].u.operand;
     RegisterID calleeReg = regT0;
+    RegisterID rareDataReg = regT0;
     RegisterID resultReg = regT0;
     RegisterID allocatorReg = regT1;
@@ -702 +703 @@
 
     emitGetVirtualRegister(callee, calleeReg);
-    loadPtr(Address(calleeReg, JSFunction::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
-    loadPtr(Address(calleeReg, JSFunction::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
-    addSlowCase(branchTestPtr(Zero, allocatorReg));
+    loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
+    addSlowCase(branchTestPtr(Zero, rareDataReg));
+    loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
+    loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
 
     emitAllocateJSObject(allocatorReg, structureReg, resultReg, scratchReg);

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -915 +915 @@
     int callee = currentInstruction[2].u.operand;
     RegisterID calleeReg = regT0;
+    RegisterID rareDataReg = regT0;
     RegisterID resultReg = regT0;
     RegisterID allocatorReg = regT1;
@@ -921 +922 @@
 
     emitLoadPayload(callee, calleeReg);
-    loadPtr(Address(calleeReg, JSFunction::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
-    loadPtr(Address(calleeReg, JSFunction::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
-    addSlowCase(branchTestPtr(Zero, allocatorReg));
+    loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
+    addSlowCase(branchTestPtr(Zero, rareDataReg));
+    loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
+    loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
 
     emitAllocateJSObject(allocatorReg, structureReg, resultReg, scratchReg);

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -741 +741 @@
     loadi 8[PC], t0
     loadp PayloadOffset[cfr, t0, 8], t0
-    loadp JSFunction::m_allocationProfile + ObjectAllocationProfile::m_allocator[t0], t1
-    loadp JSFunction::m_allocationProfile + ObjectAllocationProfile::m_structure[t0], t2
-    btpz t1, .opCreateThisSlow
+    loadp JSFunction::m_rareData[t0], t4
+    btpz t4, .opCreateThisSlow
+    loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_allocator[t4], t1
+    loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_structure[t4], t2
     allocateJSObject(t1, t2, t0, t3, .opCreateThisSlow)
     loadi 4[PC], t1

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -627 +627 @@
     loadisFromInstruction(2, t0)
     loadp [cfr, t0, 8], t0
-    loadp JSFunction::m_allocationProfile + ObjectAllocationProfile::m_allocator[t0], t1
-    loadp JSFunction::m_allocationProfile + ObjectAllocationProfile::m_structure[t0], t2
-    btpz t1, .opCreateThisSlow
+    loadp JSFunction::m_rareData[t0], t4
+    btpz t4, .opCreateThisSlow
+    loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_allocator[t4], t1
+    loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_structure[t4], t2
     allocateJSObject(t1, t2, t0, t3, .opCreateThisSlow)
     loadisFromInstruction(1, t1)

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -237 +237 @@
 
     size_t inlineCapacity = pc[3].u.operand;
-    Structure* structure = constructor->allocationProfile(exec, inlineCapacity)->structure();
+    Structure* structure = constructor->rareData(exec, inlineCapacity)->allocationProfile()->structure();
     RETURN(constructEmptyObject(exec, structure));
 }

trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp

@@ -87 +87 @@
 }
 
-void JSBoundFunction::destroy(JSCell* cell)
-{
-    static_cast<JSBoundFunction*>(cell)->JSBoundFunction::~JSBoundFunction();
-}
-
 bool JSBoundFunction::customHasInstance(JSObject* object, ExecState* exec, JSValue value)
 {

trunk/Source/JavaScriptCore/runtime/JSBoundFunction.h

@@ -41 +41 @@
     static JSBoundFunction* create(VM&, JSGlobalObject*, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int, const String&);
     
-    static void destroy(JSCell*);
-
     static bool customHasInstance(JSObject*, ExecState*, JSValue);
 

trunk/Source/JavaScriptCore/runtime/JSCallee.cpp

@@ -40 +40 @@
 const ClassInfo JSCallee::s_info = { "Callee", &Base::s_info, 0, CREATE_METHOD_TABLE(JSCallee) };
 
-void JSCallee::destroy(JSCell* cell)
-{
-    static_cast<JSCallee*>(cell)->JSCallee::~JSCallee();
-}
-
 JSCallee::JSCallee(VM& vm, JSGlobalObject* globalObject, Structure* structure)
     : Base(vm, structure)

trunk/Source/JavaScriptCore/runtime/JSCallee.h

@@ -27 +27 @@
 #define JSCallee_h
 
-#include "JSDestructibleObject.h"
 #include "JSGlobalObject.h"
+#include "JSObject.h"
 #include "JSScope.h"
 
@@ -37 +37 @@
 
 
-class JSCallee : public JSDestructibleObject {
+class JSCallee : public JSNonFinalObject {
     friend class JIT;
 #if ENABLE(DFG_JIT)
@@ -46 +46 @@
 
 public:
-    typedef JSDestructibleObject Base;
+    typedef JSNonFinalObject Base;
     const static unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance;
 
@@ -56 +56 @@
     }
     
-    static void destroy(JSCell*);
-
     JSScope* scope()
     {

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -86 +86 @@
 }
 
-void JSFunction::destroy(JSCell* cell)
-{
-    static_cast<JSFunction*>(cell)->JSFunction::~JSFunction();
-}
-
 JSFunction::JSFunction(VM& vm, JSGlobalObject* globalObject, Structure* structure)
     : Base(vm, globalObject, structure)
     , m_executable()
-    // We initialize blind so that changes to the prototype after function creation but before
-    // the optimizer kicks in don't disable optimizations. Once the optimizer kicks in, the
-    // watchpoint will start watching and any changes will both force deoptimization and disable
-    // future attempts to optimize. This is necessary because we are guaranteed that the
-    // allocation profile is changed exactly once prior to optimizations kicking in. We could be
-    // smarter and count the number of times the prototype is clobbered and only optimize if it
-    // was clobbered exactly once, but that seems like overkill. In almost all cases it will be
-    // clobbered once, and if it's clobbered more than once, that will probably only occur
-    // before we started optimizing, anyway.
-    , m_allocationProfileWatchpoint(ClearWatchpoint)
 {
 }
@@ -124 +109 @@
 }
 
-ObjectAllocationProfile* JSFunction::createAllocationProfile(ExecState* exec, size_t inlineCapacity)
+FunctionRareData* JSFunction::createRareData(ExecState* exec, size_t inlineCapacity)
 {
     VM& vm = exec->vm();
@@ -130 +115 @@
     if (!prototype)
         prototype = globalObject()->objectPrototype();
-    m_allocationProfile.initialize(globalObject()->vm(), this, prototype, inlineCapacity);
-    return &m_allocationProfile;
+    FunctionRareData* rareData = FunctionRareData::create(vm, prototype, inlineCapacity);
+    m_rareData.set(vm, this, rareData);
+    return m_rareData.get();
 }
 
@@ -177 +163 @@
 
     visitor.append(&thisObject->m_executable);
-    thisObject->m_allocationProfile.visitAggregate(visitor);
+    if (thisObject->m_rareData)
+        visitor.append(&thisObject->m_rareData);
 }
 
@@ -403 +390 @@
         PropertySlot slot(thisObject);
         thisObject->methodTable(exec->vm())->getOwnPropertySlot(thisObject, exec, propertyName, slot);
-        thisObject->m_allocationProfile.clear();
-        thisObject->m_allocationProfileWatchpoint.fireAll("Store to prototype property of a function");
-        // Don't allow this to be cached, since a [[Put]] must clear m_allocationProfile.
+        if (thisObject->m_rareData) {
+            thisObject->m_rareData->allocationProfileWatchpointSet().fireAll("Store to prototype property of a function");
+            thisObject->m_rareData.clear();
+        }
+        // Don't allow this to be cached, since a [[Put]] must clear m_rareData.
         PutPropertySlot dontCache(thisObject);
         Base::put(thisObject, exec, propertyName, value, dontCache);
@@ -450 +439 @@
         PropertySlot slot(thisObject);
         thisObject->methodTable(exec->vm())->getOwnPropertySlot(thisObject, exec, propertyName, slot);
-        thisObject->m_allocationProfile.clear();
-        thisObject->m_allocationProfileWatchpoint.fireAll("Store to prototype property of a function");
+        if (thisObject->m_rareData) {
+            thisObject->m_rareData->allocationProfileWatchpointSet().fireAll("Store to prototype property of a function");
+            thisObject->m_rareData.clear();
+        }
         return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
     }

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -25 +25 @@
 #define JSFunction_h
 
+#include "FunctionRareData.h"
 #include "InternalFunction.h"
 #include "JSCallee.h"
 #include "JSScope.h"
-#include "ObjectAllocationProfile.h"
 #include "Watchpoint.h"
 
@@ -49 +49 @@
 
 JS_EXPORT_PRIVATE String getCalculatedDisplayName(CallFrame*, JSObject*);
-    
+
 class JSFunction : public JSCallee {
     friend class JIT;
@@ -67 +67 @@
 
     static JSFunction* createBuiltinFunction(VM&, FunctionExecutable*, JSGlobalObject*);
-
-    static void destroy(JSCell*);
 
     JS_EXPORT_PRIVATE String name(ExecState*);
@@ -101 +99 @@
     }
 
-    static inline ptrdiff_t offsetOfAllocationProfile()
+    static inline ptrdiff_t offsetOfRareData()
     {
-        return OBJECT_OFFSETOF(JSFunction, m_allocationProfile);
+        return OBJECT_OFFSETOF(JSFunction, m_rareData);
     }
 
-    ObjectAllocationProfile* allocationProfile(ExecState* exec, unsigned inlineCapacity)
+    FunctionRareData* rareData(ExecState* exec, unsigned inlineCapacity)
     {
-        if (UNLIKELY(m_allocationProfile.isNull()))
-            return createAllocationProfile(exec, inlineCapacity);
-        return &m_allocationProfile;
+        if (UNLIKELY(!m_rareData))
+            return createRareData(exec, inlineCapacity);
+        return m_rareData.get();
     }
 
-    Structure* allocationStructure() { return m_allocationProfile.structure(); }
+    Structure* allocationStructure()
+    {
+        ASSERT(m_rareData);
+        return m_rareData.get()->allocationStructure();
+    }
 
     InlineWatchpointSet& allocationProfileWatchpointSet()
     {
-        return m_allocationProfileWatchpoint;
+        ASSERT(m_rareData);
+        return m_rareData.get()->allocationProfileWatchpointSet();
     }
 
@@ -132 +135 @@
     using Base::finishCreation;
 
-    ObjectAllocationProfile* createAllocationProfile(ExecState*, size_t inlineCapacity);
+    FunctionRareData* createRareData(ExecState*, size_t inlineCapacity);
 
     static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
@@ -161 +164 @@
 
     WriteBarrier<ExecutableBase> m_executable;
-    ObjectAllocationProfile m_allocationProfile;
-    InlineWatchpointSet m_allocationProfileWatchpoint;
+    WriteBarrier<FunctionRareData> m_rareData;
 };
 

trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h

@@ -42 +42 @@
     : Base(vm, scope, scope->globalObject()->functionStructure())
     , m_executable(vm, this, executable)
-    , m_allocationProfileWatchpoint(ClearWatchpoint) // See comment in JSFunction.cpp concerning the reason for using ClearWatchpoint as opposed to IsWatched.
+    , m_rareData()
 {
 }

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -232 +232 @@
     weakMapDataStructure.set(*this, WeakMapData::createStructure(*this, 0, jsNull()));
     inferredValueStructure.set(*this, InferredValue::createStructure(*this, 0, jsNull()));
+    functionRareDataStructure.set(*this, FunctionRareData::createStructure(*this, 0, jsNull()));
 #if ENABLE(PROMISES)
     promiseDeferredStructure.set(*this, JSPromiseDeferred::createStructure(*this, 0, jsNull()));

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -272 +272 @@
     Strong<Structure> weakMapDataStructure;
     Strong<Structure> inferredValueStructure;
+    Strong<Structure> functionRareDataStructure;
 #if ENABLE(PROMISES)
     Strong<Structure> promiseDeferredStructure;

trunk/WebKit.xcworkspace/contents.xcworkspacedata

@@ -2 +2 @@
 <Workspace
    version = "1.0">
+   <FileRef
+      location = "group:Source/JavaScriptCore/runtime/FunctionRareData.cpp">
+   </FileRef>
+   <FileRef
+      location = "group:Source/JavaScriptCore/runtime/FunctionRareData.h">
+   </FileRef>
+   <FileRef
+      location = "group:Source">
+   </FileRef>
    <FileRef
       location = "group:Source/bmalloc/bmalloc.xcodeproj">