Changeset 190546 in webkit

Timestamp:

Oct 3, 2015 6:45:21 PM (9 years ago)

Author:

commit-queue@webkit.org

Message:

Unreviewed, rolling out r190522.
​https://bugs.webkit.org/show_bug.cgi?id=149787

Caused a lot of leaks (Requested by ap on #webkit).

Reverted changeset:

"Unreviewed, rolling back in r190450"
​https://bugs.webkit.org/show_bug.cgi?id=149727
​http://trac.webkit.org/changeset/190522

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (45 diffs)
• bytecode/CodeBlock.h (modified) (26 diffs)
• bytecode/CodeOrigin.cpp (modified) (4 diffs)
• bytecode/CodeOrigin.h (modified) (1 diff)
• bytecode/DeferredCompilationCallback.cpp (modified) (1 diff)
• bytecode/DeferredCompilationCallback.h (modified) (1 diff)
• bytecode/EvalCodeCache.h (modified) (1 diff)
• bytecode/InlineCallFrame.cpp (modified) (2 diffs)
• bytecode/InlineCallFrame.h (modified) (6 diffs)
• bytecode/PolymorphicAccess.cpp (modified) (2 diffs)
• bytecode/StructureStubInfo.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• dfg/DFGCommonData.cpp (modified) (1 diff)
• dfg/DFGDesiredTransitions.cpp (modified) (3 diffs)
• dfg/DFGDesiredTransitions.h (modified) (3 diffs)
• dfg/DFGDesiredWeakReferences.cpp (modified) (1 diff)
• dfg/DFGDriver.cpp (modified) (1 diff)
• dfg/DFGGraph.cpp (modified) (1 diff)
• dfg/DFGGraph.h (modified) (2 diffs)
• dfg/DFGJITCode.h (modified) (3 diffs)
• dfg/DFGJITFinalizer.cpp (modified) (3 diffs)
• dfg/DFGOSRExitCompilerCommon.cpp (modified) (3 diffs)
• dfg/DFGOSRExitPreparation.cpp (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (6 diffs)
• dfg/DFGPlan.cpp (modified) (9 diffs)
• dfg/DFGPlan.h (modified) (3 diffs)
• dfg/DFGToFTLDeferredCompilationCallback.cpp (modified) (3 diffs)
• dfg/DFGToFTLDeferredCompilationCallback.h (modified) (1 diff)
• dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp (modified) (3 diffs)
• dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h (modified) (1 diff)
• dfg/DFGWorklist.cpp (modified) (3 diffs)
• dfg/DFGWorklist.h (modified) (2 diffs)
• ftl/FTLJITFinalizer.cpp (modified) (4 diffs)
• heap/CodeBlockSet.cpp (modified) (6 diffs)
• heap/CodeBlockSet.h (modified) (3 diffs)
• heap/Heap.cpp (modified) (8 diffs)
• interpreter/Interpreter.cpp (modified) (1 diff)
• interpreter/StackVisitor.cpp (modified) (1 diff)
• jit/AssemblyHelpers.cpp (modified) (1 diff)
• jit/AssemblyHelpers.h (modified) (1 diff)
• jit/GCAwareJITStubRoutine.h (modified) (1 diff)
• jit/JITCode.h (modified) (1 diff)
• jit/JITOpcodes.cpp (modified) (1 diff)
• jit/JITOperations.cpp (modified) (1 diff)
• jit/JITToDFGDeferredCompilationCallback.cpp (modified) (3 diffs)
• jit/JITToDFGDeferredCompilationCallback.h (modified) (1 diff)
• jit/Repatch.cpp (modified) (17 diffs)
• llint/LLIntSlowPaths.cpp (modified) (4 diffs)
• profiler/ProfilerOriginStack.cpp (modified) (1 diff)
• runtime/CommonSlowPaths.cpp (modified) (3 diffs)
• runtime/CommonSlowPaths.h (modified) (2 diffs)
• runtime/Executable.cpp (modified) (24 diffs)
• runtime/Executable.h (modified) (19 diffs)
• runtime/VM.cpp (modified) (1 diff)
• runtime/VM.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-10-03  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r190522.
+        https://bugs.webkit.org/show_bug.cgi?id=149787
+
+        Caused a lot of leaks (Requested by ap on #webkit).
+
+        Reverted changeset:
+
+        "Unreviewed, rolling back in r190450"
+        https://bugs.webkit.org/show_bug.cgi?id=149727
+        http://trac.webkit.org/changeset/190522
+
 2015-10-02  Matt Baker  <mattbaker@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -83 +83 @@
 namespace JSC {
 
-const ClassInfo CodeBlock::s_info = {
-    "CodeBlock", 0, 0,
-    CREATE_METHOD_TABLE(CodeBlock)
-};
-
-const ClassInfo FunctionCodeBlock::s_info = {
-    "FunctionCodeBlock", &Base::s_info, 0,
-    CREATE_METHOD_TABLE(FunctionCodeBlock)
-};
-
-#if ENABLE(WEBASSEMBLY)
-const ClassInfo WebAssemblyCodeBlock::s_info = {
-    "WebAssemblyCodeBlock", &Base::s_info, 0,
-    CREATE_METHOD_TABLE(WebAssemblyCodeBlock)
-};
-#endif
-
-const ClassInfo GlobalCodeBlock::s_info = {
-    "GlobalCodeBlock", &Base::s_info, 0,
-    CREATE_METHOD_TABLE(GlobalCodeBlock)
-};
-
-const ClassInfo ProgramCodeBlock::s_info = {
-    "ProgramCodeBlock", &Base::s_info, 0,
-    CREATE_METHOD_TABLE(ProgramCodeBlock)
-};
-
-const ClassInfo ModuleProgramCodeBlock::s_info = {
-    "ModuleProgramCodeBlock", &Base::s_info, 0,
-    CREATE_METHOD_TABLE(ModuleProgramCodeBlock)
-};
-
-const ClassInfo EvalCodeBlock::s_info = {
-    "EvalCodeBlock", &Base::s_info, 0,
-    CREATE_METHOD_TABLE(EvalCodeBlock)
-};
-
-void FunctionCodeBlock::destroy(JSCell* cell)
-{
-    jsCast<FunctionCodeBlock*>(cell)->~FunctionCodeBlock();
-}
-
-#if ENABLE(WEBASSEMBLY)
-void WebAssemblyCodeBlock::destroy(JSCell* cell)
-{
-    jsCast<WebAssemblyCodeBlock*>(cell)->~WebAssemblyCodeBlock();
-}
-#endif
-
-void ProgramCodeBlock::destroy(JSCell* cell)
-{
-    jsCast<ProgramCodeBlock*>(cell)->~ProgramCodeBlock();
-}
-
-void ModuleProgramCodeBlock::destroy(JSCell* cell)
-{
-    jsCast<ModuleProgramCodeBlock*>(cell)->~ModuleProgramCodeBlock();
-}
-
-void EvalCodeBlock::destroy(JSCell* cell)
-{
-    jsCast<EvalCodeBlock*>(cell)->~EvalCodeBlock();
-}
-
 CString CodeBlock::inferredName() const
 {
@@ -218 +154 @@
     out.print(":[", RawPointer(this), "->");
     if (!!m_alternative)
-        out.print(RawPointer(alternative()), "->");
+        out.print(RawPointer(m_alternative.get()), "->");
     out.print(RawPointer(ownerExecutable()), ", ", jitType, codeType());
 
@@ -1650 +1586 @@
 } // anonymous namespace
 
-CodeBlock::CodeBlock(VM* vm, Structure* structure, CopyParsedBlockTag, CodeBlock& other)
-    : JSCell(*vm, structure)
-    , m_globalObject(other.m_globalObject)
+CodeBlock::CodeBlock(CopyParsedBlockTag, CodeBlock& other)
+    : m_globalObject(other.m_globalObject)
     , m_heap(other.m_heap)
     , m_numCalleeRegisters(other.m_numCalleeRegisters)
@@ -1660 +1595 @@
     , m_didFailFTLCompilation(false)
     , m_hasBeenCompiledWithFTL(false)
-    , m_unlinkedCode(*other.m_vm, this, other.m_unlinkedCode.get())
+    , m_unlinkedCode(*other.m_vm, other.m_ownerExecutable.get(), other.m_unlinkedCode.get())
     , m_hasDebuggerStatement(false)
     , m_steppingMode(SteppingModeDisabled)
     , m_numBreakpoints(0)
-    , m_ownerExecutable(*other.m_vm, this, other.m_ownerExecutable.get())
+    , m_ownerExecutable(*other.m_vm, other.m_ownerExecutable.get(), other.m_ownerExecutable.get())
     , m_vm(other.m_vm)
     , m_instructions(other.m_instructions)
@@ -1689 +1624 @@
 #endif
 {
-    m_visitWeaklyHasBeenCalled.store(false, std::memory_order_relaxed);
+    m_visitStronglyHasBeenCalled.store(false, std::memory_order_relaxed);
+    m_visitAggregateHasBeenCalled.store(false, std::memory_order_relaxed);
 
     ASSERT(m_heap->isDeferred());
@@ -1695 +1631 @@
 
     setNumParameters(other.numParameters());
-}
-
-void CodeBlock::finishCreation(VM& vm, CopyParsedBlockTag, CodeBlock& other)
-{
-    Base::finishCreation(vm);
-
     optimizeAfterWarmUp();
     jitAfterWarmUp();
@@ -1714 +1644 @@
     
     m_heap->m_codeBlocks.add(this);
-}
-
-CodeBlock::CodeBlock(VM* vm, Structure* structure, ScriptExecutable* ownerExecutable, UnlinkedCodeBlock* unlinkedCodeBlock,
-    JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned sourceOffset, unsigned firstLineColumnOffset)
-    : JSCell(*vm, structure)
-    , m_globalObject(scope->globalObject()->vm(), this, scope->globalObject())
+    m_heap->reportExtraMemoryAllocated(sizeof(CodeBlock));
+}
+
+CodeBlock::CodeBlock(ScriptExecutable* ownerExecutable, UnlinkedCodeBlock* unlinkedCodeBlock, JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned sourceOffset, unsigned firstLineColumnOffset)
+    : m_globalObject(scope->globalObject()->vm(), ownerExecutable, scope->globalObject())
     , m_heap(&m_globalObject->vm().heap)
     , m_numCalleeRegisters(unlinkedCodeBlock->m_numCalleeRegisters)
@@ -1727 +1656 @@
     , m_didFailFTLCompilation(false)
     , m_hasBeenCompiledWithFTL(false)
-    , m_unlinkedCode(m_globalObject->vm(), this, unlinkedCodeBlock)
+    , m_unlinkedCode(m_globalObject->vm(), ownerExecutable, unlinkedCodeBlock)
     , m_hasDebuggerStatement(false)
     , m_steppingMode(SteppingModeDisabled)
     , m_numBreakpoints(0)
-    , m_ownerExecutable(m_globalObject->vm(), this, ownerExecutable)
+    , m_ownerExecutable(m_globalObject->vm(), ownerExecutable, ownerExecutable)
     , m_vm(unlinkedCodeBlock->vm())
     , m_thisRegister(unlinkedCodeBlock->thisRegister())
@@ -1750 +1679 @@
 #endif
 {
-    m_visitWeaklyHasBeenCalled.store(false, std::memory_order_relaxed);
+    m_visitStronglyHasBeenCalled.store(false, std::memory_order_relaxed);
+    m_visitAggregateHasBeenCalled.store(false, std::memory_order_relaxed);
 
     ASSERT(m_heap->isDeferred());
@@ -1757 +1687 @@
     ASSERT(m_source);
     setNumParameters(unlinkedCodeBlock->numParameters());
-}
-
-void CodeBlock::finishCreation(VM& vm, ScriptExecutable* ownerExecutable, UnlinkedCodeBlock* unlinkedCodeBlock,
-    JSScope* scope)
-{
-    Base::finishCreation(vm);
-
-    if (vm.typeProfiler() || vm.controlFlowProfiler())
-        vm.functionHasExecutedCache()->removeUnexecutedRange(ownerExecutable->sourceID(), ownerExecutable->typeProfilingStartOffset(), ownerExecutable->typeProfilingEndOffset());
+
+    if (vm()->typeProfiler() || vm()->controlFlowProfiler())
+        vm()->functionHasExecutedCache()->removeUnexecutedRange(ownerExecutable->sourceID(), ownerExecutable->typeProfilingStartOffset(), ownerExecutable->typeProfilingEndOffset());
 
     setConstantRegisters(unlinkedCodeBlock->constantRegisters(), unlinkedCodeBlock->constantsSourceCodeRepresentation());
     if (unlinkedCodeBlock->usesGlobalObject())
-        m_constantRegisters[unlinkedCodeBlock->globalObjectRegister().toConstantIndex()].set(*m_vm, this, m_globalObject.get());
+        m_constantRegisters[unlinkedCodeBlock->globalObjectRegister().toConstantIndex()].set(*m_vm, ownerExecutable, m_globalObject.get());
 
     for (unsigned i = 0; i < LinkTimeConstantCount; i++) {
         LinkTimeConstant type = static_cast<LinkTimeConstant>(i);
         if (unsigned registerIndex = unlinkedCodeBlock->registerIndexForLinkTimeConstant(type))
-            m_constantRegisters[registerIndex].set(*m_vm, this, m_globalObject->jsCellForLinkTimeConstant(type));
+            m_constantRegisters[registerIndex].set(*m_vm, ownerExecutable, m_globalObject->jsCellForLinkTimeConstant(type));
     }
 
@@ -1789 +1713 @@
                     symbolTable->prepareForTypeProfiling(locker);
                 }
-                m_constantRegisters[i].set(*m_vm, this, symbolTable->cloneScopePart(*m_vm));
+                m_constantRegisters[i].set(*m_vm, ownerExecutable, symbolTable->cloneScopePart(*m_vm));
                 clonedConstantSymbolTables.add(i + FirstConstantRegisterIndex);
             }
@@ -1809 +1733 @@
     for (size_t count = unlinkedCodeBlock->numberOfFunctionDecls(), i = 0; i < count; ++i) {
         UnlinkedFunctionExecutable* unlinkedExecutable = unlinkedCodeBlock->functionDecl(i);
-        if (vm.typeProfiler() || vm.controlFlowProfiler())
-            vm.functionHasExecutedCache()->insertUnexecutedRange(ownerExecutable->sourceID(), unlinkedExecutable->typeProfilingStartOffset(), unlinkedExecutable->typeProfilingEndOffset());
-        m_functionDecls[i].set(*m_vm, this, unlinkedExecutable->link(*m_vm, ownerExecutable->source()));
+        if (vm()->typeProfiler() || vm()->controlFlowProfiler())
+            vm()->functionHasExecutedCache()->insertUnexecutedRange(ownerExecutable->sourceID(), unlinkedExecutable->typeProfilingStartOffset(), unlinkedExecutable->typeProfilingEndOffset());
+        m_functionDecls[i].set(*m_vm, ownerExecutable, unlinkedExecutable->link(*m_vm, ownerExecutable->source()));
     }
 
@@ -1817 +1741 @@
     for (size_t count = unlinkedCodeBlock->numberOfFunctionExprs(), i = 0; i < count; ++i) {
         UnlinkedFunctionExecutable* unlinkedExecutable = unlinkedCodeBlock->functionExpr(i);
-        if (vm.typeProfiler() || vm.controlFlowProfiler())
-            vm.functionHasExecutedCache()->insertUnexecutedRange(ownerExecutable->sourceID(), unlinkedExecutable->typeProfilingStartOffset(), unlinkedExecutable->typeProfilingEndOffset());
-        m_functionExprs[i].set(*m_vm, this, unlinkedExecutable->link(*m_vm, ownerExecutable->source()));
+        if (vm()->typeProfiler() || vm()->controlFlowProfiler())
+            vm()->functionHasExecutedCache()->insertUnexecutedRange(ownerExecutable->sourceID(), unlinkedExecutable->typeProfilingStartOffset(), unlinkedExecutable->typeProfilingEndOffset());
+        m_functionExprs[i].set(*m_vm, ownerExecutable, unlinkedExecutable->link(*m_vm, ownerExecutable->source()));
     }
 
@@ -1898 +1822 @@
         unsigned opLength = opcodeLength(pc[0].u.opcode);
 
-        instructions[i] = vm.interpreter->getOpcode(pc[0].u.opcode);
+        instructions[i] = vm()->interpreter->getOpcode(pc[0].u.opcode);
         for (size_t j = 1; j < opLength; ++j) {
             if (sizeof(int32_t) != sizeof(intptr_t))
@@ -1957 +1881 @@
 
             instructions[i + opLength - 1] = objectAllocationProfile;
-            objectAllocationProfile->initialize(vm,
+            objectAllocationProfile->initialize(*vm(),
                 ownerExecutable, m_globalObject->objectPrototype(), inferredInlineCapacity);
             break;
@@ -2006 +1930 @@
                     if (stronglyReferencedModuleEnvironments.add(jsCast<JSModuleEnvironment*>(op.lexicalEnvironment)).isNewEntry)
                         addConstant(op.lexicalEnvironment);
-                    instructions[i + 6].u.jsCell.set(vm, this, op.lexicalEnvironment);
+                    instructions[i + 6].u.jsCell.set(*vm(), ownerExecutable, op.lexicalEnvironment);
                 } else
-                    instructions[i + 6].u.symbolTable.set(vm, this, op.lexicalEnvironment->symbolTable());
+                    instructions[i + 6].u.symbolTable.set(*vm(), ownerExecutable, op.lexicalEnvironment->symbolTable());
             } else if (JSScope* constantScope = JSScope::constantScopeForCodeBlock(op.type, this))
-                instructions[i + 6].u.jsCell.set(vm, this, constantScope);
+                instructions[i + 6].u.jsCell.set(*vm(), ownerExecutable, constantScope);
             else
                 instructions[i + 6].u.pointer = nullptr;
@@ -2043 +1967 @@
                 instructions[i + 5].u.watchpointSet = op.watchpointSet;
             else if (op.structure)
-                instructions[i + 5].u.structure.set(vm, this, op.structure);
+                instructions[i + 5].u.structure.set(*vm(), ownerExecutable, op.structure);
             instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);
             break;
@@ -2080 +2004 @@
                     op.watchpointSet->invalidate(PutToScopeFireDetail(this, ident));
             } else if (op.structure)
-                instructions[i + 5].u.structure.set(vm, this, op.structure);
+                instructions[i + 5].u.structure.set(*vm(), ownerExecutable, op.structure);
             instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);
 
@@ -2087 +2011 @@
 
         case op_profile_type: {
-            RELEASE_ASSERT(vm.typeProfiler());
+            RELEASE_ASSERT(vm()->typeProfiler());
             // The format of this instruction is: op_profile_type regToProfile, TypeLocation*, flag, identifier?, resolveType?
             size_t instructionOffset = i + opLength - 1;
@@ -2117 +2041 @@
                     // If our parent scope was created while profiling was disabled, it will not have prepared for profiling yet.
                     symbolTable->prepareForTypeProfiling(locker);
-                    globalVariableID = symbolTable->uniqueIDForVariable(locker, impl, vm);
-                    globalTypeSet = symbolTable->globalTypeSetForVariable(locker, impl, vm);
+                    globalVariableID = symbolTable->uniqueIDForVariable(locker, impl, *vm());
+                    globalTypeSet = symbolTable->globalTypeSetForVariable(locker, impl, *vm());
                 } else
                     globalVariableID = TypeProfilerNoGlobalIDExists;
@@ -2131 +2055 @@
                 ConcurrentJITLocker locker(symbolTable->m_lock);
                 // If our parent scope was created while profiling was disabled, it will not have prepared for profiling yet.
-                globalVariableID = symbolTable->uniqueIDForVariable(locker, ident.impl(), vm);
-                globalTypeSet = symbolTable->globalTypeSetForVariable(locker, ident.impl(), vm);
+                globalVariableID = symbolTable->uniqueIDForVariable(locker, ident.impl(), *vm());
+                globalTypeSet = symbolTable->globalTypeSetForVariable(locker, ident.impl(), *vm());
 
                 break;
@@ -2158 +2082 @@
             }
 
-            std::pair<TypeLocation*, bool> locationPair = vm.typeProfiler()->typeLocationCache()->getTypeLocation(globalVariableID,
-                ownerExecutable->sourceID(), divotStart, divotEnd, globalTypeSet, &vm);
+            std::pair<TypeLocation*, bool> locationPair = vm()->typeProfiler()->typeLocationCache()->getTypeLocation(globalVariableID,
+                ownerExecutable->sourceID(), divotStart, divotEnd, globalTypeSet, vm());
             TypeLocation* location = locationPair.first;
             bool isNewLocation = locationPair.second;
@@ -2167 +2091 @@
 
             if (shouldAnalyze && isNewLocation)
-                vm.typeProfiler()->insertNewLocation(location);
+                vm()->typeProfiler()->insertNewLocation(location);
 
             instructions[i + 2].u.location = location;
@@ -2185 +2109 @@
     }
 
-    if (vm.controlFlowProfiler())
+    if (vm()->controlFlowProfiler())
         insertBasicBlockBoundariesForControlFlowProfiler(instructions);
 
@@ -2205 +2129 @@
     
     m_heap->m_codeBlocks.add(this);
-    m_heap->reportExtraMemoryAllocated(m_instructions.size() * sizeof(Instruction));
+    m_heap->reportExtraMemoryAllocated(sizeof(CodeBlock) + m_instructions.size() * sizeof(Instruction));
 }
 
 #if ENABLE(WEBASSEMBLY)
-CodeBlock::CodeBlock(VM* vm, Structure* structure, WebAssemblyExecutable* ownerExecutable, VM& vm, JSGlobalObject* globalObject)
-    : JSCell(vm, structure)
-    , m_globalObject(globalObject->vm(), this, globalObject)
+CodeBlock::CodeBlock(WebAssemblyExecutable* ownerExecutable, VM& vm, JSGlobalObject* globalObject)
+    : m_globalObject(globalObject->vm(), ownerExecutable, globalObject)
     , m_heap(&m_globalObject->vm().heap)
     , m_numCalleeRegisters(0)
@@ -2222 +2145 @@
     , m_steppingMode(SteppingModeDisabled)
     , m_numBreakpoints(0)
-    , m_ownerExecutable(m_globalObject->vm(), this, ownerExecutable)
+    , m_ownerExecutable(m_globalObject->vm(), ownerExecutable, ownerExecutable)
     , m_vm(&vm)
     , m_isStrictMode(false)
@@ -2236 +2159 @@
 {
     ASSERT(m_heap->isDeferred());
-}
-
-void CodeBlock::finishCreation(VM& vm, WebAssemblyExecutable*, JSGlobalObject*)
-{
-    Base::finishCreation(vm);
 
     m_heap->m_codeBlocks.add(this);
+    m_heap->reportExtraMemoryAllocated(sizeof(CodeBlock));
 }
 #endif
@@ -2254 +2173 @@
     dumpValueProfiles();
 #endif
-
+    while (m_incomingLLIntCalls.begin() != m_incomingLLIntCalls.end())
+        m_incomingLLIntCalls.begin()->remove();
+#if ENABLE(JIT)
     // We may be destroyed before any CodeBlocks that refer to us are destroyed.
     // Consider that two CodeBlocks become unreachable at the same time. There
@@ -2261 +2182 @@
     // CodeBlock(s) that have calls into us, then the CallLinkInfo vector's
     // destructor will try to remove nodes from our (no longer valid) linked list.
-    unlinkIncomingCalls();
+    while (m_incomingCalls.begin() != m_incomingCalls.end())
+        m_incomingCalls.begin()->remove();
+    while (m_incomingPolymorphicCalls.begin() != m_incomingPolymorphicCalls.end())
+        m_incomingPolymorphicCalls.begin()->remove();
     
     // Note that our outgoing calls will be removed from other CodeBlocks'
@@ -2267 +2191 @@
     // destructors.
 
-#if ENABLE(JIT)
     for (Bag<StructureStubInfo>::iterator iter = m_stubInfos.begin(); !!iter; ++iter)
         (*iter)->deref();
 #endif // ENABLE(JIT)
-}
-
-void CodeBlock::setAlternative(VM& vm, CodeBlock* alternative)
-{
-    m_alternative.set(vm, this, alternative);
 }
 
@@ -2298 +2216 @@
         return 0;
     DFG::JITCode* jitCode = m_jitCode->dfg();
-    return jitCode->osrEntryBlock();
+    return jitCode->osrEntryBlock.get();
 #else // ENABLE(FTL_JIT)
     return 0;
@@ -2304 +2222 @@
 }
 
-void CodeBlock::visitWeakly(SlotVisitor& visitor)
-{
-    bool setByMe = m_visitWeaklyHasBeenCalled.compareExchangeStrong(false, true);
+void CodeBlock::visitStrongly(SlotVisitor& visitor)
+{
+    bool setByMe = m_visitStronglyHasBeenCalled.compareExchangeStrong(false, true);
     if (!setByMe)
         return;
 
-    if (Heap::isMarked(this))
+    visitAggregate(visitor);
+
+    stronglyVisitStrongReferences(visitor);
+    stronglyVisitWeakReferences(visitor);
+    propagateTransitions(visitor);
+}
+
+void CodeBlock::visitAggregate(SlotVisitor& visitor)
+{
+    // I may be asked to scan myself more than once, and it may even happen concurrently.
+    // To this end, use an atomic operation to check (and set) if I've been called already.
+    // Only one thread may proceed past this point - whichever one wins the atomic set race.
+    bool setByMe = m_visitAggregateHasBeenCalled.compareExchangeStrong(false, true);
+    if (!setByMe)
         return;
-
-    if (shouldVisitStrongly()) {
-        visitor.appendUnbarrieredReadOnlyPointer(this);
-        return;
-    }
+    
+    if (!!m_alternative)
+        m_alternative->visitAggregate(visitor);
+    
+    if (CodeBlock* otherBlock = specialOSREntryBlockOrNull())
+        otherBlock->visitAggregate(visitor);
+
+    visitor.reportExtraMemoryVisited(ownerExecutable(), sizeof(CodeBlock));
+    if (m_jitCode)
+        visitor.reportExtraMemoryVisited(ownerExecutable(), m_jitCode->size());
+    if (m_instructions.size()) {
+        // Divide by refCount() because m_instructions points to something that is shared
+        // by multiple CodeBlocks, and we only want to count it towards the heap size once.
+        // Having each CodeBlock report only its proportional share of the size is one way
+        // of accomplishing this.
+        visitor.reportExtraMemoryVisited(ownerExecutable(), m_instructions.size() * sizeof(Instruction) / m_instructions.refCount());
+    }
+
+    visitor.append(&m_unlinkedCode);
 
     // There are two things that may use unconditional finalizers: inline cache clearing
@@ -2322 +2267 @@
     // is probably quite close to 1. So we add one no matter what and when it runs, it
     // figures out whether it has any work to do.
-    visitor.addUnconditionalFinalizer(&m_unconditionalFinalizer);
-
+    visitor.addUnconditionalFinalizer(this);
+    
+    m_allTransitionsHaveBeenMarked = false;
+    
+    if (shouldVisitStrongly()) {
+        visitStrongly(visitor);
+        return;
+    }
+    
     if (!JITCode::isOptimizingJIT(jitType()))
         return;
 
-    // If we jettison ourselves we'll install our alternative, so make sure that it
-    // survives GC even if we don't.
-    visitor.append(&m_alternative);
-    
     // There are two things that we use weak reference harvesters for: DFG fixpoint for
     // jettisoning, and trying to find structures that would be live based on some
     // inline cache. So it makes sense to register them regardless.
-    visitor.addWeakReferenceHarvester(&m_weakReferenceHarvester);
+    visitor.addWeakReferenceHarvester(this);
 
 #if ENABLE(DFG_JIT)
@@ -2345 +2293 @@
     // other reasons, that this iteration should run again; it will notify us of this
     // decision by calling harvestWeakReferences().
-
-    m_allTransitionsHaveBeenMarked = false;
+    
+    m_jitCode->dfgCommon()->livenessHasBeenProved = false;
+    
     propagateTransitions(visitor);
-
-    m_jitCode->dfgCommon()->livenessHasBeenProved = false;
     determineLiveness(visitor);
 #endif // ENABLE(DFG_JIT)
-}
-
-void CodeBlock::visitChildren(JSCell* cell, SlotVisitor& visitor)
-{
-    CodeBlock* thisObject = jsCast<CodeBlock*>(cell);
-    ASSERT_GC_OBJECT_INHERITS(thisObject, info());
-    JSCell::visitChildren(thisObject, visitor);
-    thisObject->visitChildren(visitor);
-}
-
-void CodeBlock::visitChildren(SlotVisitor& visitor)
-{
-    // There are two things that may use unconditional finalizers: inline cache clearing
-    // and jettisoning. The probability of us wanting to do at least one of those things
-    // is probably quite close to 1. So we add one no matter what and when it runs, it
-    // figures out whether it has any work to do.
-    visitor.addUnconditionalFinalizer(&m_unconditionalFinalizer);
-
-    if (CodeBlock* otherBlock = specialOSREntryBlockOrNull())
-        visitor.appendUnbarrieredReadOnlyPointer(otherBlock);
-
-    if (m_jitCode)
-        visitor.reportExtraMemoryVisited(this, m_jitCode->size());
-    if (m_instructions.size())
-        visitor.reportExtraMemoryVisited(this, m_instructions.size() * sizeof(Instruction) / m_instructions.refCount());
-
-    visitor.append(&m_unlinkedCode);
-
-    stronglyVisitStrongReferences(visitor);
-    stronglyVisitWeakReferences(visitor);
-
-    m_allTransitionsHaveBeenMarked = false;
-    propagateTransitions(visitor);
 }
 
@@ -2414 +2328 @@
     // - Code blocks that don't have any dead weak references.
 
-    return Heap::isMarked(this);
+    if (m_visitStronglyHasBeenCalled.load(std::memory_order_relaxed))
+        return true;
+
+#if ENABLE(DFG_JIT)
+    if (JITCode::isOptimizingJIT(jitType())) {
+        if (m_jitCode->dfgCommon()->livenessHasBeenProved)
+            return true;
+    }
+#endif
+
+    return false;
 }
 
@@ -2424 +2348 @@
 }
 
-static std::chrono::milliseconds timeToLive(JITCode::JITType jitType)
-{
-    switch (jitType) {
-    case JITCode::InterpreterThunk:
-        return std::chrono::duration_cast<std::chrono::milliseconds>(
-            std::chrono::seconds(5));
-    case JITCode::BaselineJIT:
-        // Effectively 10 additional seconds, since BaselineJIT and
-        // InterpreterThunk share a CodeBlock.
-        return std::chrono::duration_cast<std::chrono::milliseconds>(
-            std::chrono::seconds(15));
-    case JITCode::DFGJIT:
-        return std::chrono::duration_cast<std::chrono::milliseconds>(
-            std::chrono::seconds(20));
-    case JITCode::FTLJIT:
-        return std::chrono::duration_cast<std::chrono::milliseconds>(
-            std::chrono::seconds(60));
-    default:
-        return std::chrono::milliseconds::max();
-    }
-}
-
 bool CodeBlock::shouldJettisonDueToOldAge()
 {
-    if (Heap::isMarked(this))
+    if (m_visitStronglyHasBeenCalled.load(std::memory_order_relaxed))
         return false;
 
-    if (timeSinceCreation() < timeToLive(jitType()))
+    if (timeSinceCreation() < JITCode::timeToLive(jitType()))
         return false;
 
@@ -2604 +2506 @@
     // come back here again, and scan the strong references.
     dfgCommon->livenessHasBeenProved = true;
-    visitor.appendUnbarrieredReadOnlyPointer(this);
+    stronglyVisitStrongReferences(visitor);
 #endif // ENABLE(DFG_JIT)
 }
 
-void CodeBlock::WeakReferenceHarvester::visitWeakReferences(SlotVisitor& visitor)
-{
-    CodeBlock* codeBlock =
-        bitwise_cast<CodeBlock*>(
-            bitwise_cast<char*>(this) - OBJECT_OFFSETOF(CodeBlock, m_weakReferenceHarvester));
-
-    codeBlock->propagateTransitions(visitor);
-    codeBlock->determineLiveness(visitor);
+void CodeBlock::visitWeakReferences(SlotVisitor& visitor)
+{
+    propagateTransitions(visitor);
+    determineLiveness(visitor);
 }
 
@@ -2735 +2633 @@
 }
 
-void CodeBlock::UnconditionalFinalizer::finalizeUnconditionally()
-{
-    CodeBlock* codeBlock = bitwise_cast<CodeBlock*>(
-        bitwise_cast<char*>(this) - OBJECT_OFFSETOF(CodeBlock, m_unconditionalFinalizer));
-
+void CodeBlock::finalizeUnconditionally()
+{
 #if ENABLE(DFG_JIT)
-    if (codeBlock->shouldJettisonDueToWeakReference()) {
-        codeBlock->jettison(Profiler::JettisonDueToWeakReference);
+    if (shouldJettisonDueToWeakReference()) {
+        jettison(Profiler::JettisonDueToWeakReference);
         return;
     }
 #endif // ENABLE(DFG_JIT)
 
-    if (codeBlock->shouldJettisonDueToOldAge()) {
-        codeBlock->jettison(Profiler::JettisonDueToOldAge);
+    if (shouldJettisonDueToOldAge()) {
+        jettison(Profiler::JettisonDueToOldAge);
         return;
     }
 
-    if (JITCode::couldBeInterpreted(codeBlock->jitType()))
-        codeBlock->finalizeLLIntInlineCaches();
+    if (JITCode::couldBeInterpreted(jitType()))
+        finalizeLLIntInlineCaches();
 
 #if ENABLE(JIT)
-    if (!!codeBlock->jitCode())
-        codeBlock->finalizeBaselineJITInlineCaches();
+    if (!!jitCode())
+        finalizeBaselineJITInlineCaches();
 #endif
 }
@@ -2852 +2747 @@
     // the OSR exit against.
 
-    visitor.append(&m_alternative);
+    alternative()->visitStrongly(visitor);
 
 #if ENABLE(DFG_JIT)
@@ -2858 +2753 @@
     if (dfgCommon->inlineCallFrames) {
         for (auto* inlineCallFrame : *dfgCommon->inlineCallFrames) {
-            ASSERT(inlineCallFrame->baselineCodeBlock);
-            visitor.append(&inlineCallFrame->baselineCodeBlock);
+            ASSERT(inlineCallFrame->baselineCodeBlock());
+            inlineCallFrame->baselineCodeBlock()->visitStrongly(visitor);
         }
     }
@@ -3068 +2963 @@
         m_incomingLLIntCalls.begin()->unlink();
 #if ENABLE(JIT)
+    if (m_incomingCalls.isEmpty() && m_incomingPolymorphicCalls.isEmpty())
+        return;
     while (m_incomingCalls.begin() != m_incomingCalls.end())
         m_incomingCalls.begin()->unlink(*vm());
@@ -3081 +2978 @@
 }
 
-CodeBlock* CodeBlock::newReplacement()
+PassRefPtr<CodeBlock> CodeBlock::newReplacement()
 {
     return ownerScriptExecutable()->newReplacementCodeBlockFor(specializationKind());
@@ -3087 +2984 @@
 
 #if ENABLE(JIT)
-CodeBlock* CodeBlock::replacement()
-{
-    const ClassInfo* classInfo = this->classInfo();
-
-    if (classInfo == FunctionCodeBlock::info())
-        return jsCast<FunctionExecutable*>(ownerExecutable())->codeBlockFor(m_isConstructor ? CodeForConstruct : CodeForCall);
-
-    if (classInfo == EvalCodeBlock::info())
-        return jsCast<EvalExecutable*>(ownerExecutable())->codeBlock();
-
-    if (classInfo == ProgramCodeBlock::info())
-        return jsCast<ProgramExecutable*>(ownerExecutable())->codeBlock();
-
-    if (classInfo == ModuleProgramCodeBlock::info())
-        return jsCast<ModuleProgramExecutable*>(ownerExecutable())->codeBlock();
+CodeBlock* ProgramCodeBlock::replacement()
+{
+    return jsCast<ProgramExecutable*>(ownerExecutable())->codeBlock();
+}
+
+CodeBlock* ModuleProgramCodeBlock::replacement()
+{
+    return jsCast<ModuleProgramExecutable*>(ownerExecutable())->codeBlock();
+}
+
+CodeBlock* EvalCodeBlock::replacement()
+{
+    return jsCast<EvalExecutable*>(ownerExecutable())->codeBlock();
+}
+
+CodeBlock* FunctionCodeBlock::replacement()
+{
+    return jsCast<FunctionExecutable*>(ownerExecutable())->codeBlockFor(m_isConstructor ? CodeForConstruct : CodeForCall);
+}
+
+DFG::CapabilityLevel ProgramCodeBlock::capabilityLevelInternal()
+{
+    return DFG::programCapabilityLevel(this);
+}
+
+DFG::CapabilityLevel ModuleProgramCodeBlock::capabilityLevelInternal()
+{
+    return DFG::programCapabilityLevel(this);
+}
+
+DFG::CapabilityLevel EvalCodeBlock::capabilityLevelInternal()
+{
+    return DFG::evalCapabilityLevel(this);
+}
+
+DFG::CapabilityLevel FunctionCodeBlock::capabilityLevelInternal()
+{
+    if (m_isConstructor)
+        return DFG::functionForConstructCapabilityLevel(this);
+    return DFG::functionForCallCapabilityLevel(this);
+}
 
 #if ENABLE(WEBASSEMBLY)
-    if (classInfo == WebAssemblyCodeBlock::info())
-        return nullptr
+CodeBlock* WebAssemblyCodeBlock::replacement()
+{
+    return nullptr;
+}
+
+DFG::CapabilityLevel WebAssemblyCodeBlock::capabilityLevelInternal()
+{
+    return DFG::CannotCompile;
+}
 #endif
-
-    RELEASE_ASSERT_NOT_REACHED();
-    return nullptr;
-}
-
-DFG::CapabilityLevel CodeBlock::computeCapabilityLevel()
-{
-    const ClassInfo* classInfo = this->classInfo();
-
-    if (classInfo == FunctionCodeBlock::info()) {
-        if (m_isConstructor)
-            return DFG::functionForConstructCapabilityLevel(this);
-        return DFG::functionForCallCapabilityLevel(this);
-    }
-
-    if (classInfo == EvalCodeBlock::info())
-        return DFG::evalCapabilityLevel(this);
-
-    if (classInfo == ProgramCodeBlock::info())
-        return DFG::programCapabilityLevel(this);
-
-    if (classInfo == ModuleProgramCodeBlock::info())
-        return DFG::programCapabilityLevel(this);
-
-#if ENABLE(WEBASSEMBLY)
-    if (classInfo == WebAssemblyCodeBlock::info())
-        return DFG::CannotCompile;
 #endif
-
-    RELEASE_ASSERT_NOT_REACHED();
-    return DFG::CannotCompile;
-}
-
-#endif // ENABLE(JIT)
 
 void CodeBlock::jettison(Profiler::JettisonReason reason, ReoptimizationMode mode, const FireDetail* detail)
@@ -3244 +3141 @@
     if (!codeOrigin.inlineCallFrame)
         return globalObject();
-    return codeOrigin.inlineCallFrame->baselineCodeBlock->globalObject();
+    return jsCast<FunctionExecutable*>(codeOrigin.inlineCallFrame->executable.get())->eitherCodeBlock()->globalObject();
 }
 
@@ -4084 +3981 @@
 DFG::CapabilityLevel CodeBlock::capabilityLevel()
 {
-    DFG::CapabilityLevel result = computeCapabilityLevel();
+    DFG::CapabilityLevel result = capabilityLevelInternal();
     m_capabilityLevelState = result;
     return result;

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -39 +39 @@
 #include "CodeBlockHash.h"
 #include "CodeBlockSet.h"
+#include "ConcurrentJITLock.h"
 #include "CodeOrigin.h"
 #include "CodeType.h"
 #include "CompactJITCodeMap.h"
-#include "ConcurrentJITLock.h"
 #include "DFGCommon.h"
 #include "DFGExitProfile.h"
@@ -50 +50 @@
 #include "ExpressionRangeInfo.h"
 #include "HandlerInfo.h"
+#include "ObjectAllocationProfile.h"
+#include "Options.h"
+#include "PutPropertySlot.h"
 #include "Instruction.h"
 #include "JITCode.h"
 #include "JITWriteBarrier.h"
-#include "JSCell.h"
 #include "JSGlobalObject.h"
 #include "JumpTable.h"
 #include "LLIntCallLinkInfo.h"
 #include "LazyOperandValueProfile.h"
-#include "ObjectAllocationProfile.h"
-#include "Options.h"
 #include "ProfilerCompilation.h"
 #include "ProfilerJettisonReason.h"
-#include "PutPropertySlot.h"
 #include "RegExpObject.h"
 #include "StructureStubInfo.h"
@@ -87 +86 @@
 enum ReoptimizationMode { DontCountReoptimization, CountReoptimization };
 
-class CodeBlock : public JSCell {
-    typedef JSCell Base;
+class CodeBlock : public ThreadSafeRefCounted<CodeBlock>, public UnconditionalFinalizer, public WeakReferenceHarvester {
+    WTF_MAKE_FAST_ALLOCATED;
     friend class BytecodeLivenessAnalysis;
     friend class JIT;
     friend class LLIntOffsetsExtractor;
-
-    class UnconditionalFinalizer : public JSC::UnconditionalFinalizer { 
-        virtual void finalizeUnconditionally() override;
-    };
-
-    class WeakReferenceHarvester : public JSC::WeakReferenceHarvester {
-        virtual void visitWeakReferences(SlotVisitor&) override;
-    };
-
 public:
     enum CopyParsedBlockTag { CopyParsedBlock };
-
-    static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
-
-    DECLARE_INFO;
-
 protected:
-    CodeBlock(VM*, Structure*, CopyParsedBlockTag, CodeBlock& other);
-    CodeBlock(VM*, Structure*, ScriptExecutable* ownerExecutable, UnlinkedCodeBlock*, JSScope*, PassRefPtr<SourceProvider>, unsigned sourceOffset, unsigned firstLineColumnOffset);
+    CodeBlock(CopyParsedBlockTag, CodeBlock& other);
+        
+    CodeBlock(ScriptExecutable* ownerExecutable, UnlinkedCodeBlock*, JSScope*, PassRefPtr<SourceProvider>, unsigned sourceOffset, unsigned firstLineColumnOffset);
 #if ENABLE(WEBASSEMBLY)
-    CodeBlock(VM*, Structure*, WebAssemblyExecutable* ownerExecutable, VM&, JSGlobalObject*);
-#endif
-
-    void finishCreation(VM&, CopyParsedBlockTag, CodeBlock& other);
-    void finishCreation(VM&, ScriptExecutable* ownerExecutable, UnlinkedCodeBlock*, JSScope*);
-#if ENABLE(WEBASSEMBLY)
-    void finishCreation(VM&, WebAssemblyExecutable* ownerExecutable, JSGlobalObject*);
+    CodeBlock(WebAssemblyExecutable* ownerExecutable, VM&, JSGlobalObject*);
 #endif
 
@@ -125 +105 @@
 
 public:
-    JS_EXPORT_PRIVATE ~CodeBlock();
+    JS_EXPORT_PRIVATE virtual ~CodeBlock();
 
     UnlinkedCodeBlock* unlinkedCodeBlock() const { return m_unlinkedCode.get(); }
@@ -145 +125 @@
     static ptrdiff_t offsetOfNumParameters() { return OBJECT_OFFSETOF(CodeBlock, m_numParameters); }
 
-    CodeBlock* alternative() const { return static_cast<CodeBlock*>(m_alternative.get()); }
-    void setAlternative(VM&, CodeBlock*);
+    CodeBlock* alternative() { return m_alternative.get(); }
+    void setAlternative(PassRefPtr<CodeBlock> alternative) { m_alternative = alternative; }
 
     template <typename Functor> void forEachRelatedCodeBlock(Functor&& functor)
@@ -169 +149 @@
         return specializationFromIsConstruct(m_isConstructor);
     }
-
-    CodeBlock* alternativeForJettison();    
+    
     CodeBlock* baselineAlternative();
     
@@ -177 +156 @@
     CodeBlock* baselineVersion();
 
-    static void visitChildren(JSCell*, SlotVisitor&);
-    void visitChildren(SlotVisitor&);
-    void visitWeakly(SlotVisitor&);
-    void clearVisitWeaklyHasBeenCalled();
+    void clearMarks();
+    void visitAggregate(SlotVisitor&);
+    void visitStrongly(SlotVisitor&);
 
     void dumpSource();
@@ -288 +266 @@
 
     // Exactly equivalent to codeBlock->ownerExecutable()->newReplacementCodeBlockFor(codeBlock->specializationKind())
-    CodeBlock* newReplacement();
+    PassRefPtr<CodeBlock> newReplacement();
     
     void setJITCode(PassRefPtr<JITCode> code)
@@ -314 +292 @@
     
 #if ENABLE(JIT)
-    CodeBlock* replacement();
-
-    DFG::CapabilityLevel computeCapabilityLevel();
+    virtual CodeBlock* replacement() = 0;
+
+    virtual DFG::CapabilityLevel capabilityLevelInternal() = 0;
     DFG::CapabilityLevel capabilityLevel();
     DFG::CapabilityLevel capabilityLevelState() { return m_capabilityLevelState; }
@@ -566 +544 @@
         unsigned result = m_constantRegisters.size();
         m_constantRegisters.append(WriteBarrier<Unknown>());
-        m_constantRegisters.last().set(m_globalObject->vm(), this, v);
+        m_constantRegisters.last().set(m_globalObject->vm(), m_ownerExecutable.get(), v);
         m_constantsSourceCodeRepresentation.append(SourceCodeRepresentation::Other);
         return result;
@@ -918 +896 @@
 
 protected:
+    virtual void visitWeakReferences(SlotVisitor&) override;
+    virtual void finalizeUnconditionally() override;
     void finalizeLLIntInlineCaches();
     void finalizeBaselineJITInlineCaches();
@@ -944 +924 @@
         m_constantRegisters.resizeToFit(count);
         for (size_t i = 0; i < count; i++)
-            m_constantRegisters[i].set(*m_vm, this, constants[i].get());
+            m_constantRegisters[i].set(*m_vm, ownerExecutable(), constants[i].get());
         m_constantsSourceCodeRepresentation = constantsSourceCodeRepresentation;
     }
@@ -951 +931 @@
     {
         ASSERT(isConstantRegisterIndex(index) && static_cast<size_t>(index - FirstConstantRegisterIndex) < m_constantRegisters.size());
-        m_constantRegisters[index - FirstConstantRegisterIndex].set(m_globalObject->vm(), this, value);
+        m_constantRegisters[index - FirstConstantRegisterIndex].set(m_globalObject->vm(), m_ownerExecutable.get(), value);
     }
 
@@ -1023 +1003 @@
     bool m_needsActivation;
 
-    Atomic<bool> m_visitWeaklyHasBeenCalled;
+    Atomic<bool> m_visitAggregateHasBeenCalled;
+    Atomic<bool> m_visitStronglyHasBeenCalled;
 
     RefPtr<SourceProvider> m_source;
@@ -1065 +1046 @@
     Vector<WriteBarrier<FunctionExecutable>> m_functionExprs;
 
-    WriteBarrier<CodeBlock> m_alternative;
+    RefPtr<CodeBlock> m_alternative;
     
     BaselineExecutionCounter m_llintExecuteCounter;
@@ -1085 +1066 @@
     DFG::CapabilityLevel m_capabilityLevelState;
 #endif
-
-    UnconditionalFinalizer m_unconditionalFinalizer;
-    WeakReferenceHarvester m_weakReferenceHarvester;
 };
 
@@ -1094 +1072 @@
 
 class GlobalCodeBlock : public CodeBlock {
-    typedef CodeBlock Base;
-    DECLARE_INFO;
-
 protected:
-    GlobalCodeBlock(VM* vm, Structure* structure, CopyParsedBlockTag, GlobalCodeBlock& other)
-        : CodeBlock(vm, structure, CopyParsedBlock, other)
-    {
-    }
-
-    GlobalCodeBlock(VM* vm, Structure* structure, ScriptExecutable* ownerExecutable, UnlinkedCodeBlock* unlinkedCodeBlock, JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned sourceOffset, unsigned firstLineColumnOffset)
-        : CodeBlock(vm, structure, ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, sourceOffset, firstLineColumnOffset)
+    GlobalCodeBlock(CopyParsedBlockTag, GlobalCodeBlock& other)
+    : CodeBlock(CopyParsedBlock, other)
+    {
+    }
+        
+    GlobalCodeBlock(ScriptExecutable* ownerExecutable, UnlinkedCodeBlock* unlinkedCodeBlock, JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned sourceOffset, unsigned firstLineColumnOffset)
+        : CodeBlock(ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, sourceOffset, firstLineColumnOffset)
     {
     }
@@ -1111 +1086 @@
 class ProgramCodeBlock : public GlobalCodeBlock {
 public:
-    typedef GlobalCodeBlock Base;
-    DECLARE_INFO;
-
-    static ProgramCodeBlock* create(VM* vm, CopyParsedBlockTag, ProgramCodeBlock& other)
-    {
-        ProgramCodeBlock* instance = new (NotNull, allocateCell<ProgramCodeBlock>(vm->heap))
-            ProgramCodeBlock(vm, vm->programCodeBlockStructure.get(), CopyParsedBlock, other);
-        instance->finishCreation(*vm, CopyParsedBlock, other);
-        return instance;
-    }
-
-    static ProgramCodeBlock* create(VM* vm, ProgramExecutable* ownerExecutable, UnlinkedProgramCodeBlock* unlinkedCodeBlock,
-        JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned firstLineColumnOffset)
-    {
-        ProgramCodeBlock* instance = new (NotNull, allocateCell<ProgramCodeBlock>(vm->heap))
-            ProgramCodeBlock(vm, vm->programCodeBlockStructure.get(), ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, firstLineColumnOffset);
-        instance->finishCreation(*vm, ownerExecutable, unlinkedCodeBlock, scope);
-        return instance;
-    }
-
-    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
-    {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
-    }
-
-private:
-    ProgramCodeBlock(VM* vm, Structure* structure, CopyParsedBlockTag, ProgramCodeBlock& other)
-        : GlobalCodeBlock(vm, structure, CopyParsedBlock, other)
-    {
-    }
-
-    ProgramCodeBlock(VM* vm, Structure* structure, ProgramExecutable* ownerExecutable, UnlinkedProgramCodeBlock* unlinkedCodeBlock,
-        JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned firstLineColumnOffset)
-        : GlobalCodeBlock(vm, structure, ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, 0, firstLineColumnOffset)
-    {
-    }
-
-    static void destroy(JSCell*);
+    ProgramCodeBlock(CopyParsedBlockTag, ProgramCodeBlock& other)
+    : GlobalCodeBlock(CopyParsedBlock, other)
+    {
+    }
+
+    ProgramCodeBlock(ProgramExecutable* ownerExecutable, UnlinkedProgramCodeBlock* unlinkedCodeBlock, JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned firstLineColumnOffset)
+        : GlobalCodeBlock(ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, 0, firstLineColumnOffset)
+    {
+    }
+
+#if ENABLE(JIT)
+protected:
+    virtual CodeBlock* replacement() override;
+    virtual DFG::CapabilityLevel capabilityLevelInternal() override;
+#endif
 };
 
 class ModuleProgramCodeBlock : public GlobalCodeBlock {
 public:
-    typedef GlobalCodeBlock Base;
-    DECLARE_INFO;
-
-    static ModuleProgramCodeBlock* create(VM* vm, CopyParsedBlockTag, ModuleProgramCodeBlock& other)
-    {
-        ModuleProgramCodeBlock* instance = new (NotNull, allocateCell<ModuleProgramCodeBlock>(vm->heap))
-            ModuleProgramCodeBlock(vm, vm->moduleProgramCodeBlockStructure.get(), CopyParsedBlock, other);
-        instance->finishCreation(*vm, CopyParsedBlock, other);
-        return instance;
-    }
-
-    static ModuleProgramCodeBlock* create(VM* vm, ModuleProgramExecutable* ownerExecutable, UnlinkedModuleProgramCodeBlock* unlinkedCodeBlock,
-        JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned firstLineColumnOffset)
-    {
-        ModuleProgramCodeBlock* instance = new (NotNull, allocateCell<ModuleProgramCodeBlock>(vm->heap))
-            ModuleProgramCodeBlock(vm, vm->moduleProgramCodeBlockStructure.get(), ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, firstLineColumnOffset);
-        instance->finishCreation(*vm, ownerExecutable, unlinkedCodeBlock, scope);
-        return instance;
-    }
-
-    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
-    {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
-    }
-
-private:
-    ModuleProgramCodeBlock(VM* vm, Structure* structure, CopyParsedBlockTag, ModuleProgramCodeBlock& other)
-        : GlobalCodeBlock(vm, structure, CopyParsedBlock, other)
-    {
-    }
-
-    ModuleProgramCodeBlock(VM* vm, Structure* structure, ModuleProgramExecutable* ownerExecutable, UnlinkedModuleProgramCodeBlock* unlinkedCodeBlock,
-        JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned firstLineColumnOffset)
-        : GlobalCodeBlock(vm, structure, ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, 0, firstLineColumnOffset)
-    {
-    }
-
-    static void destroy(JSCell*);
+    ModuleProgramCodeBlock(CopyParsedBlockTag, ModuleProgramCodeBlock& other)
+        : GlobalCodeBlock(CopyParsedBlock, other)
+    {
+    }
+
+    ModuleProgramCodeBlock(ModuleProgramExecutable* ownerExecutable, UnlinkedModuleProgramCodeBlock* unlinkedCodeBlock, JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned firstLineColumnOffset)
+        : GlobalCodeBlock(ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, 0, firstLineColumnOffset)
+    {
+    }
+
+#if ENABLE(JIT)
+protected:
+    virtual CodeBlock* replacement() override;
+    virtual DFG::CapabilityLevel capabilityLevelInternal() override;
+#endif
 };
 
 class EvalCodeBlock : public GlobalCodeBlock {
 public:
-    typedef GlobalCodeBlock Base;
-    DECLARE_INFO;
-
-    static EvalCodeBlock* create(VM* vm, CopyParsedBlockTag, EvalCodeBlock& other)
-    {
-        EvalCodeBlock* instance = new (NotNull, allocateCell<EvalCodeBlock>(vm->heap))
-            EvalCodeBlock(vm, vm->evalCodeBlockStructure.get(), CopyParsedBlock, other);
-        instance->finishCreation(*vm, CopyParsedBlock, other);
-        return instance;
-    }
-
-    static EvalCodeBlock* create(VM* vm, EvalExecutable* ownerExecutable, UnlinkedEvalCodeBlock* unlinkedCodeBlock,
-        JSScope* scope, PassRefPtr<SourceProvider> sourceProvider)
-    {
-        EvalCodeBlock* instance = new (NotNull, allocateCell<EvalCodeBlock>(vm->heap))
-            EvalCodeBlock(vm, vm->evalCodeBlockStructure.get(), ownerExecutable, unlinkedCodeBlock, scope, sourceProvider);
-        instance->finishCreation(*vm, ownerExecutable, unlinkedCodeBlock, scope);
-        return instance;
-    }
-
-    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
-    {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
-    }
-
+    EvalCodeBlock(CopyParsedBlockTag, EvalCodeBlock& other)
+        : GlobalCodeBlock(CopyParsedBlock, other)
+    {
+    }
+        
+    EvalCodeBlock(EvalExecutable* ownerExecutable, UnlinkedEvalCodeBlock* unlinkedCodeBlock, JSScope* scope, PassRefPtr<SourceProvider> sourceProvider)
+        : GlobalCodeBlock(ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, 0, 1)
+    {
+    }
+    
     const Identifier& variable(unsigned index) { return unlinkedEvalCodeBlock()->variable(index); }
     unsigned numVariables() { return unlinkedEvalCodeBlock()->numVariables(); }
     
-private:
-    EvalCodeBlock(VM* vm, Structure* structure, CopyParsedBlockTag, EvalCodeBlock& other)
-        : GlobalCodeBlock(vm, structure, CopyParsedBlock, other)
-    {
-    }
-        
-    EvalCodeBlock(VM* vm, Structure* structure, EvalExecutable* ownerExecutable, UnlinkedEvalCodeBlock* unlinkedCodeBlock,
-        JSScope* scope, PassRefPtr<SourceProvider> sourceProvider)
-        : GlobalCodeBlock(vm, structure, ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, 0, 1)
-    {
-    }
-    
-    static void destroy(JSCell*);
-
+#if ENABLE(JIT)
+protected:
+    virtual CodeBlock* replacement() override;
+    virtual DFG::CapabilityLevel capabilityLevelInternal() override;
+#endif
+    
 private:
     UnlinkedEvalCodeBlock* unlinkedEvalCodeBlock() const { return jsCast<UnlinkedEvalCodeBlock*>(unlinkedCodeBlock()); }
@@ -1243 +1149 @@
 class FunctionCodeBlock : public CodeBlock {
 public:
-    typedef CodeBlock Base;
-    DECLARE_INFO;
-
-    static FunctionCodeBlock* create(VM* vm, CopyParsedBlockTag, FunctionCodeBlock& other)
-    {
-        FunctionCodeBlock* instance = new (NotNull, allocateCell<FunctionCodeBlock>(vm->heap))
-            FunctionCodeBlock(vm, vm->functionCodeBlockStructure.get(), CopyParsedBlock, other);
-        instance->finishCreation(*vm, CopyParsedBlock, other);
-        return instance;
-    }
-
-    static FunctionCodeBlock* create(VM* vm, FunctionExecutable* ownerExecutable, UnlinkedFunctionCodeBlock* unlinkedCodeBlock, JSScope* scope,
-        PassRefPtr<SourceProvider> sourceProvider, unsigned sourceOffset, unsigned firstLineColumnOffset)
-    {
-        FunctionCodeBlock* instance = new (NotNull, allocateCell<FunctionCodeBlock>(vm->heap))
-            FunctionCodeBlock(vm, vm->functionCodeBlockStructure.get(), ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, sourceOffset, firstLineColumnOffset);
-        instance->finishCreation(*vm, ownerExecutable, unlinkedCodeBlock, scope);
-        return instance;
-    }
-
-    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
-    {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
-    }
-
-private:
-    FunctionCodeBlock(VM* vm, Structure* structure, CopyParsedBlockTag, FunctionCodeBlock& other)
-        : CodeBlock(vm, structure, CopyParsedBlock, other)
-    {
-    }
-
-    FunctionCodeBlock(VM* vm, Structure* structure, FunctionExecutable* ownerExecutable, UnlinkedFunctionCodeBlock* unlinkedCodeBlock, JSScope* scope,
-        PassRefPtr<SourceProvider> sourceProvider, unsigned sourceOffset, unsigned firstLineColumnOffset)
-        : CodeBlock(vm, structure, ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, sourceOffset, firstLineColumnOffset)
-    {
-    }
-    
-    static void destroy(JSCell*);
+    FunctionCodeBlock(CopyParsedBlockTag, FunctionCodeBlock& other)
+        : CodeBlock(CopyParsedBlock, other)
+    {
+    }
+
+    FunctionCodeBlock(FunctionExecutable* ownerExecutable, UnlinkedFunctionCodeBlock* unlinkedCodeBlock, JSScope* scope, PassRefPtr<SourceProvider> sourceProvider, unsigned sourceOffset, unsigned firstLineColumnOffset)
+        : CodeBlock(ownerExecutable, unlinkedCodeBlock, scope, sourceProvider, sourceOffset, firstLineColumnOffset)
+    {
+    }
+    
+#if ENABLE(JIT)
+protected:
+    virtual CodeBlock* replacement() override;
+    virtual DFG::CapabilityLevel capabilityLevelInternal() override;
+#endif
 };
 
@@ -1286 +1169 @@
 class WebAssemblyCodeBlock : public CodeBlock {
 public:
-    DECLARE_INFO;
-
-    static WebAssemblyCodeBlock* create(VM* vm, CopyParsedBlockTag, WebAssemblyCodeBlock& other)
-    {
-        WebAssemblyCodeBlock* instance = new (NotNull, allocateCell<WebAssemblyCodeBlock>(vm->heap))
-            WebAssemblyCodeBlock(vm, vm->webAssemblyCodeBlockStructure.get(), CopyParsedBlock, other);
-        instance->finishCreation(*vm);
-        return instance;
-    }
-
-    static WebAssemblyCodeBlock* create(VM* vm, WebAssemblyExecutable* ownerExecutable, JSGlobalObject* globalObject)
-    {
-        WebAssemblyCodeBlock* instance = new (NotNull, allocateCell<WebAssemblyCodeBlock>(vm->heap))
-            WebAssemblyCodeBlock(vm, vm->webAssemblyCodeBlockStructure.get(), ownerExecutable, globalObject);
-        instance->finishCreation(*vm);
-        return instance;
-    }
-
-    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
-    {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
-    }
-
-private:
-    WebAssemblyCodeBlock(VM& vm, Structure* structure, CopyParsedBlockTag, WebAssemblyCodeBlock& other)
-        : CodeBlock(vm, structure, CopyParsedBlock, other)
-    {
-    }
-
-    WebAssemblyCodeBlock(VM& vm, Structure* structure, WebAssemblyExecutable* ownerExecutable, JSGlobalObject* globalObject)
-        : CodeBlock(vm, structure, ownerExecutable, vm, globalObject)
-    {
-    }
-
-    static void destroy(JSCell*);
+    WebAssemblyCodeBlock(CopyParsedBlockTag, WebAssemblyCodeBlock& other)
+        : CodeBlock(CopyParsedBlock, other)
+    {
+    }
+
+    WebAssemblyCodeBlock(WebAssemblyExecutable* ownerExecutable, VM& vm, JSGlobalObject* globalObject)
+        : CodeBlock(ownerExecutable, vm, globalObject)
+    {
+    }
+
+#if ENABLE(JIT)
+protected:
+    virtual CodeBlock* replacement() override;
+    virtual DFG::CapabilityLevel capabilityLevelInternal() override;
+#endif
 };
 #endif
@@ -1348 +1211 @@
 }
 
-inline void CodeBlock::clearVisitWeaklyHasBeenCalled()
+inline void CodeBlock::clearMarks()
 {
-    m_visitWeaklyHasBeenCalled.store(false, std::memory_order_relaxed);
+    m_visitStronglyHasBeenCalled.store(false, std::memory_order_relaxed);
+    m_visitAggregateHasBeenCalled.store(false, std::memory_order_relaxed);
 }
 
@@ -1375 +1239 @@
     if (!codeBlock)
         return;
-
-    // Try to recover gracefully if we forget to execute a barrier for a
-    // CodeBlock that does value profiling. This is probably overkill, but we
-    // have always done it.
-    Heap::heap(codeBlock)->writeBarrier(codeBlock);
+    
+    // Force GC to visit all CodeBlocks on the stack, including old CodeBlocks
+    // that have not executed a barrier. This is overkill, but we have always
+    // done this, and it might help us recover gracefully if we forget to execute
+    // a barrier when a CodeBlock needs it.
+    codeBlock->clearMarks();
 
     m_currentlyExecuting.add(codeBlock);
@@ -1388 +1253 @@
     switch (type()) {
     case ProgramExecutableType: {
-        if (CodeBlock* codeBlock = static_cast<CodeBlock*>(jsCast<ProgramExecutable*>(this)->m_programCodeBlock.get()))
+        if (CodeBlock* codeBlock = jsCast<ProgramExecutable*>(this)->m_programCodeBlock.get())
             codeBlock->forEachRelatedCodeBlock(std::forward<Functor>(functor));
         break;
@@ -1394 +1259 @@
 
     case EvalExecutableType: {
-        if (CodeBlock* codeBlock = static_cast<CodeBlock*>(jsCast<EvalExecutable*>(this)->m_evalCodeBlock.get()))
+        if (CodeBlock* codeBlock = jsCast<EvalExecutable*>(this)->m_evalCodeBlock.get())
             codeBlock->forEachRelatedCodeBlock(std::forward<Functor>(functor));
         break;
@@ -1402 +1267 @@
         Functor f(std::forward<Functor>(functor));
         FunctionExecutable* executable = jsCast<FunctionExecutable*>(this);
-        if (CodeBlock* codeBlock = static_cast<CodeBlock*>(executable->m_codeBlockForCall.get()))
+        if (CodeBlock* codeBlock = executable->m_codeBlockForCall.get())
             codeBlock->forEachRelatedCodeBlock(f);
-        if (CodeBlock* codeBlock = static_cast<CodeBlock*>(executable->m_codeBlockForConstruct.get()))
+        if (CodeBlock* codeBlock = executable->m_codeBlockForConstruct.get())
             codeBlock->forEachRelatedCodeBlock(f);
         break;
@@ -1410 +1275 @@
 
     case ModuleProgramExecutableType: {
-        if (CodeBlock* codeBlock = static_cast<CodeBlock*>(jsCast<ModuleProgramExecutable*>(this)->m_moduleProgramCodeBlock.get()))
+        if (CodeBlock* codeBlock = jsCast<ModuleProgramExecutable*>(this)->m_moduleProgramCodeBlock.get())
             codeBlock->forEachRelatedCodeBlock(std::forward<Functor>(functor));
         break;

trunk/Source/JavaScriptCore/bytecode/CodeOrigin.cpp

@@ -76 +76 @@
             return true;
         
-        if (a.inlineCallFrame->baselineCodeBlock.get() != b.inlineCallFrame->baselineCodeBlock.get())
+        if (a.inlineCallFrame->executable.get() != b.inlineCallFrame->executable.get())
             return false;
         
@@ -99 +99 @@
             return result;
         
-        result += WTF::PtrHash<JSCell*>::hash(codeOrigin.inlineCallFrame->baselineCodeBlock.get());
+        result += WTF::PtrHash<JSCell*>::hash(codeOrigin.inlineCallFrame->executable.get());
         
         codeOrigin = codeOrigin.inlineCallFrame->directCaller;
@@ -116 +116 @@
 }
 
-CodeBlock* CodeOrigin::codeOriginOwner() const
+ScriptExecutable* CodeOrigin::codeOriginOwner() const
 {
     if (!inlineCallFrame)
         return 0;
-    return inlineCallFrame->baselineCodeBlock.get();
+    return inlineCallFrame->executable.get();
 }
 
@@ -144 +144 @@
         
         if (InlineCallFrame* frame = stack[i].inlineCallFrame) {
-            out.print(frame->briefFunctionInformation(), ":<", RawPointer(frame->baselineCodeBlock.get()), "> ");
+            out.print(frame->briefFunctionInformation(), ":<", RawPointer(frame->executable.get()), "> ");
             if (frame->isClosureCall)
                 out.print("(closure) ");

trunk/Source/JavaScriptCore/bytecode/CodeOrigin.h

@@ -88 +88 @@
     // If the code origin corresponds to inlined code, gives you the heap object that
     // would have owned the code if it had not been inlined. Otherwise returns 0.
-    CodeBlock* codeOriginOwner() const;
+    ScriptExecutable* codeOriginOwner() const;
     
     int stackOffset() const;

trunk/Source/JavaScriptCore/bytecode/DeferredCompilationCallback.cpp

@@ -34 +34 @@
 DeferredCompilationCallback::~DeferredCompilationCallback() { }
 
-void DeferredCompilationCallback::compilationDidComplete(CodeBlock* codeBlock, CodeBlock*, CompilationResult result)
+void DeferredCompilationCallback::compilationDidComplete(CodeBlock* codeBlock, CompilationResult result)
 {
     dumpCompiledSourcesIfNeeded();

trunk/Source/JavaScriptCore/bytecode/DeferredCompilationCallback.h

@@ -43 +43 @@
     virtual ~DeferredCompilationCallback();
 
-    virtual void compilationDidBecomeReadyAsynchronously(CodeBlock*, CodeBlock* profiledDFGCodeBlock) = 0;
-    virtual void compilationDidComplete(CodeBlock*, CodeBlock* profiledDFGCodeBlock, CompilationResult);
+    virtual void compilationDidBecomeReadyAsynchronously(CodeBlock*) = 0;
+    virtual void compilationDidComplete(CodeBlock*, CompilationResult);
 
     Vector<DeferredSourceDump>& ensureDeferredSourceDump();

trunk/Source/JavaScriptCore/bytecode/EvalCodeCache.h

@@ -52 +52 @@
         }
         
-        EvalExecutable* getSlow(ExecState* exec, JSCell* owner, bool inStrictContext, ThisTDZMode thisTDZMode, const String& evalSource, JSScope* scope)
+        EvalExecutable* getSlow(ExecState* exec, ScriptExecutable* owner, bool inStrictContext, ThisTDZMode thisTDZMode, const String& evalSource, JSScope* scope)
         {
             VariableEnvironment variablesUnderTDZ;

trunk/Source/JavaScriptCore/bytecode/InlineCallFrame.cpp

@@ -48 +48 @@
 CodeBlockHash InlineCallFrame::hash() const
 {
-    return baselineCodeBlock->hash();
+    return jsCast<FunctionExecutable*>(executable.get())->codeBlockFor(
+        specializationKind())->hash();
 }
 
 CString InlineCallFrame::hashAsStringIfPossible() const
 {
-    return baselineCodeBlock->hashAsStringIfPossible();
+    return jsCast<FunctionExecutable*>(executable.get())->codeBlockFor(
+        specializationKind())->hashAsStringIfPossible();
 }
 
 CString InlineCallFrame::inferredName() const
 {
-    return jsCast<FunctionExecutable*>(baselineCodeBlock->ownerExecutable())->inferredName().utf8();
+    return jsCast<FunctionExecutable*>(executable.get())->inferredName().utf8();
+}
+
+CodeBlock* InlineCallFrame::baselineCodeBlock() const
+{
+    return jsCast<FunctionExecutable*>(executable.get())->baselineCodeBlockFor(specializationKind());
 }
 
@@ -68 +75 @@
 void InlineCallFrame::dumpInContext(PrintStream& out, DumpContext* context) const
 {
-    out.print(briefFunctionInformation(), ":<", RawPointer(baselineCodeBlock.get()));
-    if (isStrictMode())
+    out.print(briefFunctionInformation(), ":<", RawPointer(executable.get()));
+    if (executable->isStrictMode())
         out.print(" (StrictMode)");
     out.print(", bc#", directCaller.bytecodeIndex, ", ", static_cast<Kind>(kind));

trunk/Source/JavaScriptCore/bytecode/InlineCallFrame.h

@@ -30 +30 @@
 #include "CodeBlockHash.h"
 #include "CodeOrigin.h"
+#include "Executable.h"
 #include "ValueRecovery.h"
 #include "WriteBarrier.h"
@@ -42 +43 @@
 struct InlineCallFrame;
 class ExecState;
+class ScriptExecutable;
 class JSFunction;
 
@@ -173 +175 @@
     
     Vector<ValueRecovery> arguments; // Includes 'this'.
-    WriteBarrier<CodeBlock> baselineCodeBlock;
+    WriteBarrier<ScriptExecutable> executable;
     ValueRecovery calleeRecovery;
     CodeOrigin directCaller;
@@ -208 +210 @@
     CString hashAsStringIfPossible() const;
     
+    CodeBlock* baselineCodeBlock() const;
+    
     void setStackOffset(signed offset)
     {
@@ -216 +220 @@
     ptrdiff_t callerFrameOffset() const { return stackOffset * sizeof(Register) + CallFrame::callerFrameOffset(); }
     ptrdiff_t returnPCOffset() const { return stackOffset * sizeof(Register) + CallFrame::returnPCOffset(); }
-
-    bool isStrictMode() const { return baselineCodeBlock->isStrictMode(); }
 
     void dumpBriefFunctionInformation(PrintStream&) const;
@@ -230 +232 @@
 {
     RELEASE_ASSERT(inlineCallFrame);
-    return inlineCallFrame->baselineCodeBlock.get();
+    ScriptExecutable* executable = inlineCallFrame->executable.get();
+    RELEASE_ASSERT(executable->structure()->classInfo() == FunctionExecutable::info());
+    return static_cast<FunctionExecutable*>(executable)->baselineCodeBlockFor(inlineCallFrame->specializationKind());
 }
 

trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp

@@ -412 +412 @@
 
         // We will emit code that has a weak reference that isn't otherwise listed anywhere.
-        state.weakReferences.append(WriteBarrier<JSCell>(vm, codeBlock, structure));
+        state.weakReferences.append(WriteBarrier<JSCell>(vm, codeBlock->ownerExecutable(), structure));
         
         jit.move(CCallHelpers::TrustedImmPtr(condition.object()), scratchGPR);
@@ -1171 +1171 @@
         doesCalls |= entry->doesCalls();
     
-    m_stubRoutine = createJITStubRoutine(code, vm, codeBlock, doesCalls);
+    m_stubRoutine = createJITStubRoutine(code, vm, codeBlock->ownerExecutable(), doesCalls);
     m_watchpoints = WTF::move(state.watchpoints);
     if (!state.weakReferences.isEmpty())

trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp

@@ -63 +63 @@
     
     std::unique_ptr<AccessCase> previousCase =
-        AccessCase::fromStructureStubInfo(vm, codeBlock, *this);
+        AccessCase::fromStructureStubInfo(vm, codeBlock->ownerExecutable(), *this);
     if (previousCase)
         accessCases.append(WTF::move(previousCase));

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -4634 +4634 @@
         
         m_inlineCallFrame = byteCodeParser->m_graph.m_plan.inlineCallFrames->add();
-        byteCodeParser->m_graph.freeze(codeBlock->baselineVersion());
+        byteCodeParser->m_graph.freeze(codeBlock->ownerExecutable());
         // The owner is the machine code block, and we already have a barrier on that when the
         // plan finishes.
-        m_inlineCallFrame->baselineCodeBlock.setWithoutWriteBarrier(codeBlock->baselineVersion());
+        m_inlineCallFrame->executable.setWithoutWriteBarrier(codeBlock->ownerScriptExecutable());
         m_inlineCallFrame->setStackOffset(inlineCallFrameStart.offset() - JSStack::CallFrameHeaderSize);
         if (callee) {
@@ -4829 +4829 @@
         dataLog("Parsing ", *m_codeBlock, "\n");
     
-    m_dfgCodeBlock = m_graph.m_plan.profiledDFGCodeBlock;
+    m_dfgCodeBlock = m_graph.m_plan.profiledDFGCodeBlock.get();
     if (isFTL(m_graph.m_plan.mode) && m_dfgCodeBlock
         && Options::enablePolyvariantDevirtualization()) {

trunk/Source/JavaScriptCore/dfg/DFGCommonData.cpp

@@ -90 +90 @@
             }
             
-            if (CodeBlock* baselineCodeBlock = inlineCallFrame->baselineCodeBlock.get())
-                trackedReferences.check(baselineCodeBlock);
+            if (ScriptExecutable* executable = inlineCallFrame->executable.get())
+                trackedReferences.check(executable);
             
             if (inlineCallFrame->calleeRecovery.isConstant())

trunk/Source/JavaScriptCore/dfg/DFGDesiredTransitions.cpp

@@ -35 +35 @@
 namespace JSC { namespace DFG {
 
-DesiredTransition::DesiredTransition(CodeBlock* codeBlock, CodeBlock* codeOriginOwner, Structure* oldStructure, Structure* newStructure)
+DesiredTransition::DesiredTransition(CodeBlock* codeBlock, ScriptExecutable* codeOriginOwner, Structure* oldStructure, Structure* newStructure)
     : m_codeBlock(codeBlock)
     , m_codeOriginOwner(codeOriginOwner)
@@ -47 +47 @@
     common->transitions.append(
         WeakReferenceTransition(
-            vm, m_codeBlock,
+            vm, m_codeBlock->ownerExecutable(),
             m_codeOriginOwner,
             m_oldStructure, m_newStructure));
@@ -67 +67 @@
 }
 
-void DesiredTransitions::addLazily(CodeBlock* codeBlock, CodeBlock* codeOriginOwner, Structure* oldStructure, Structure* newStructure)
+void DesiredTransitions::addLazily(CodeBlock* codeBlock, ScriptExecutable* codeOriginOwner, Structure* oldStructure, Structure* newStructure)
 {
     m_transitions.append(DesiredTransition(codeBlock, codeOriginOwner, oldStructure, newStructure));

trunk/Source/JavaScriptCore/dfg/DFGDesiredTransitions.h

@@ -45 +45 @@
 class DesiredTransition {
 public:
-    DesiredTransition(CodeBlock*, CodeBlock* codeOriginOwner, Structure*, Structure*);
+    DesiredTransition(CodeBlock*, ScriptExecutable*, Structure*, Structure*);
 
     void reallyAdd(VM&, CommonData*);
@@ -53 +53 @@
 private:
     CodeBlock* m_codeBlock;
-    CodeBlock* m_codeOriginOwner;
+    ScriptExecutable* m_codeOriginOwner;
     Structure* m_oldStructure;
     Structure* m_newStructure;
@@ -63 +63 @@
     ~DesiredTransitions();
 
-    void addLazily(CodeBlock*, CodeBlock* codeOriginOwner, Structure*, Structure*);
+    void addLazily(CodeBlock*, ScriptExecutable*, Structure*, Structure*);
     void reallyAdd(VM&, CommonData*);
     void visitChildren(SlotVisitor&);

trunk/Source/JavaScriptCore/dfg/DFGDesiredWeakReferences.cpp

@@ -71 +71 @@
         if (Structure* structure = jsDynamicCast<Structure*>(target)) {
             common->weakStructureReferences.append(
-                WriteBarrier<Structure>(vm, m_codeBlock, structure));
+                WriteBarrier<Structure>(vm, m_codeBlock->ownerExecutable(), structure));
         } else {
             common->weakReferences.append(
-                WriteBarrier<JSCell>(vm, m_codeBlock, target));
+                WriteBarrier<JSCell>(vm, m_codeBlock->ownerExecutable(), target));
         }
     }

trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp

@@ -122 +122 @@
         callback);
     if (result != CompilationDeferred)
-        callback->compilationDidComplete(codeBlock, profiledDFGCodeBlock, result);
+        callback->compilationDidComplete(codeBlock, result);
     return result;
 }

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -62 +62 @@
     : m_vm(vm)
     , m_plan(plan)
-    , m_codeBlock(m_plan.codeBlock)
+    , m_codeBlock(m_plan.codeBlock.get())
     , m_profiledBlock(m_codeBlock->alternative())
     , m_allocator(longLivedState.m_allocator)

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -349 +349 @@
             return m_codeBlock->ownerScriptExecutable();
         
-        return inlineCallFrame->baselineCodeBlock->ownerScriptExecutable();
+        return inlineCallFrame->executable.get();
     }
     
@@ -373 +373 @@
         if (!codeOrigin.inlineCallFrame)
             return m_codeBlock->isStrictMode();
-        return codeOrigin.inlineCallFrame->isStrictMode();
+        return jsCast<FunctionExecutable*>(codeOrigin.inlineCallFrame->executable.get())->isStrictMode();
     }
     

trunk/Source/JavaScriptCore/dfg/DFGJITCode.h

@@ -29 +29 @@
 #if ENABLE(DFG_JIT)
 
-#include "CodeBlock.h"
 #include "CompilationResult.h"
 #include "DFGCommonData.h"
@@ -116 +115 @@
     
     void shrinkToFit();
-
-#if ENABLE(FTL_JIT)
-    CodeBlock* osrEntryBlock() { return m_osrEntryBlock.get(); }
-    void setOSREntryBlock(VM& vm, const JSCell* owner, CodeBlock* osrEntryBlock) { m_osrEntryBlock.set(vm, owner, osrEntryBlock); }
-    void clearOSREntryBlock() { m_osrEntryBlock.clear(); }
-#endif
     
 private:
@@ -136 +129 @@
     uint8_t nestedTriggerIsSet { 0 };
     UpperTierExecutionCounter tierUpCounter;
-    WriteBarrier<CodeBlock> m_osrEntryBlock;
+    RefPtr<CodeBlock> osrEntryBlock;
     unsigned osrEntryRetry;
     bool abandonOSREntry;

trunk/Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp

@@ -58 +58 @@
 {
     m_jitCode->initializeCodeRef(
-        FINALIZE_DFG_CODE(*m_linkBuffer, ("DFG JIT code for %s", toCString(CodeBlockWithJITType(m_plan.codeBlock, JITCode::DFGJIT)).data())),
+        FINALIZE_DFG_CODE(*m_linkBuffer, ("DFG JIT code for %s", toCString(CodeBlockWithJITType(m_plan.codeBlock.get(), JITCode::DFGJIT)).data())),
         MacroAssemblerCodePtr());
     
@@ -72 +72 @@
     RELEASE_ASSERT(!m_withArityCheck.isEmptyValue());
     m_jitCode->initializeCodeRef(
-        FINALIZE_DFG_CODE(*m_linkBuffer, ("DFG JIT code for %s", toCString(CodeBlockWithJITType(m_plan.codeBlock, JITCode::DFGJIT)).data())),
+        FINALIZE_DFG_CODE(*m_linkBuffer, ("DFG JIT code for %s", toCString(CodeBlockWithJITType(m_plan.codeBlock.get(), JITCode::DFGJIT)).data())),
         m_withArityCheck);
     m_plan.codeBlock->setJITCode(m_jitCode);
@@ -84 +84 @@
 {
 #if ENABLE(FTL_JIT)
-    m_jitCode->optimizeAfterWarmUp(m_plan.codeBlock);
+    m_jitCode->optimizeAfterWarmUp(m_plan.codeBlock.get());
 #endif // ENABLE(FTL_JIT)
     

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp

@@ -70 +70 @@
                 AssemblyHelpers::NonZero,
                 AssemblyHelpers::AbsoluteAddress(
-                    inlineCallFrame->baselineCodeBlock->ownerScriptExecutable()->addressOfDidTryToEnterInLoop())));
+                    inlineCallFrame->executable->addressOfDidTryToEnterInLoop())));
     }
     
@@ -269 +269 @@
 void adjustAndJumpToTarget(CCallHelpers& jit, const OSRExitBase& exit, bool isExitingToOpCatch)
 {
-    CodeBlock* baselineCodeBlock = jit.baselineCodeBlockFor(exit.m_codeOrigin);
-    jit.move(AssemblyHelpers::TrustedImmPtr(baselineCodeBlock), GPRInfo::argumentGPR1);
+    jit.move(AssemblyHelpers::TrustedImmPtr(jit.codeBlock()->ownerExecutable()), GPRInfo::argumentGPR1);
     osrWriteBarrier(jit, GPRInfo::argumentGPR1, GPRInfo::nonArgGPR0);
     InlineCallFrameSet* inlineCallFrames = jit.codeBlock()->jitCode()->dfgCommon()->inlineCallFrames.get();
     if (inlineCallFrames) {
         for (InlineCallFrame* inlineCallFrame : *inlineCallFrames) {
-            CodeBlock* baselineCodeBlock = inlineCallFrame->baselineCodeBlock.get();
-            jit.move(AssemblyHelpers::TrustedImmPtr(baselineCodeBlock), GPRInfo::argumentGPR1);
+            ScriptExecutable* ownerExecutable = inlineCallFrame->executable.get();
+            jit.move(AssemblyHelpers::TrustedImmPtr(ownerExecutable), GPRInfo::argumentGPR1);
             osrWriteBarrier(jit, GPRInfo::argumentGPR1, GPRInfo::nonArgGPR0);
         }
@@ -284 +283 @@
         jit.addPtr(AssemblyHelpers::TrustedImm32(exit.m_codeOrigin.inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister);
 
+    CodeBlock* baselineCodeBlock = jit.baselineCodeBlockFor(exit.m_codeOrigin);
     Vector<BytecodeAndMachineOffset>& decodedCodeMap = jit.decodedCodeMapFor(baselineCodeBlock);
     

trunk/Source/JavaScriptCore/dfg/DFGOSRExitPreparation.cpp

@@ -43 +43 @@
     
     for (; codeOrigin.inlineCallFrame; codeOrigin = codeOrigin.inlineCallFrame->directCaller) {
-        CodeBlock* codeBlock = codeOrigin.inlineCallFrame->baselineCodeBlock.get();
+        CodeBlock* codeBlock = codeOrigin.inlineCallFrame->baselineCodeBlock();
         if (codeBlock->jitType() == JSC::JITCode::BaselineJIT)
             continue;

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1308 +1308 @@
     bool didTryToEnterIntoInlinedLoops = false;
     for (InlineCallFrame* inlineCallFrame = exit->m_codeOrigin.inlineCallFrame; inlineCallFrame; inlineCallFrame = inlineCallFrame->directCaller.inlineCallFrame) {
-        if (inlineCallFrame->baselineCodeBlock->ownerScriptExecutable()->didTryToEnterInLoop()) {
+        if (inlineCallFrame->executable->didTryToEnterInLoop()) {
             didTryToEnterIntoInlinedLoops = true;
             break;
@@ -1378 +1378 @@
     // We need to compile the code.
     compile(
-        *vm, codeBlock->newReplacement(), codeBlock, FTLMode, UINT_MAX,
-        Operands<JSValue>(), ToFTLDeferredCompilationCallback::create());
+        *vm, codeBlock->newReplacement().get(), codeBlock, FTLMode, UINT_MAX,
+        Operands<JSValue>(), ToFTLDeferredCompilationCallback::create(codeBlock));
 }
 
@@ -1464 +1464 @@
         return 0;
     
-    if (CodeBlock* entryBlock = jitCode->osrEntryBlock()) {
+    if (CodeBlock* entryBlock = jitCode->osrEntryBlock.get()) {
         void* address = FTL::prepareOSREntry(
             exec, codeBlock, entryBlock, bytecodeIndex, streamIndex);
@@ -1478 +1478 @@
         // OSR entry failed. Oh no! This implies that we need to retry. We retry
         // without exponential backoff and we only do this for the entry code block.
-        jitCode->clearOSREntryBlock();
+        jitCode->osrEntryBlock = nullptr;
         jitCode->osrEntryRetry = 0;
         return 0;
@@ -1495 +1495 @@
     jitCode->reconstruct(
         exec, codeBlock, CodeOrigin(bytecodeIndex), streamIndex, mustHandleValues);
-    CodeBlock* replacementCodeBlock = codeBlock->newReplacement();
+    RefPtr<CodeBlock> replacementCodeBlock = codeBlock->newReplacement();
     CompilationResult forEntryResult = compile(
-        *vm, replacementCodeBlock, codeBlock, FTLForOSREntryMode, bytecodeIndex,
-        mustHandleValues, ToFTLForOSREntryDeferredCompilationCallback::create());
-    
-    if (forEntryResult != CompilationSuccessful)
+        *vm, replacementCodeBlock.get(), codeBlock, FTLForOSREntryMode, bytecodeIndex,
+        mustHandleValues, ToFTLForOSREntryDeferredCompilationCallback::create(codeBlock));
+    
+    if (forEntryResult != CompilationSuccessful) {
+        ASSERT(forEntryResult == CompilationDeferred || replacementCodeBlock->hasOneRef());
         return 0;
+    }
 
     // It's possible that the for-entry compile already succeeded. In that case OSR
@@ -1507 +1509 @@
     // We signal to try again after a while if that happens.
     void* address = FTL::prepareOSREntry(
-        exec, codeBlock, jitCode->osrEntryBlock(), bytecodeIndex, streamIndex);
+        exec, codeBlock, jitCode->osrEntryBlock.get(), bytecodeIndex, streamIndex);
     return static_cast<char*>(address);
 }

trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp

@@ -132 +132 @@
 } // anonymous namespace
 
-Plan::Plan(CodeBlock* passedCodeBlock, CodeBlock* profiledDFGCodeBlock,
+Plan::Plan(PassRefPtr<CodeBlock> passedCodeBlock, CodeBlock* profiledDFGCodeBlock,
     CompilationMode mode, unsigned osrEntryBytecodeIndex,
     const Operands<JSValue>& mustHandleValues)
@@ -141 +141 @@
     , osrEntryBytecodeIndex(osrEntryBytecodeIndex)
     , mustHandleValues(mustHandleValues)
-    , compilation(codeBlock->vm()->m_perBytecodeProfiler ? adoptRef(new Profiler::Compilation(codeBlock->vm()->m_perBytecodeProfiler->ensureBytecodesFor(codeBlock), profilerCompilationKindForMode(mode))) : 0)
+    , compilation(codeBlock->vm()->m_perBytecodeProfiler ? adoptRef(new Profiler::Compilation(codeBlock->vm()->m_perBytecodeProfiler->ensureBytecodesFor(codeBlock.get()), profilerCompilationKindForMode(mode))) : 0)
     , inlineCallFrames(adoptRef(new InlineCallFrameSet()))
-    , identifiers(codeBlock)
-    , weakReferences(codeBlock)
+    , identifiers(codeBlock.get())
+    , weakReferences(codeBlock.get())
     , willTryToTierUp(false)
     , stage(Preparing)
@@ -536 +536 @@
 void Plan::reallyAdd(CommonData* commonData)
 {
-    watchpoints.reallyAdd(codeBlock, *commonData);
+    watchpoints.reallyAdd(codeBlock.get(), *commonData);
     identifiers.reallyAdd(vm, commonData);
     weakReferences.reallyAdd(vm, commonData);
@@ -554 +554 @@
 void Plan::notifyReady()
 {
-    callback->compilationDidBecomeReadyAsynchronously(codeBlock, profiledDFGCodeBlock);
+    callback->compilationDidBecomeReadyAsynchronously(codeBlock.get());
     stage = Ready;
 }
@@ -561 +561 @@
 {
     // We will establish new references from the code block to things. So, we need a barrier.
-    vm.heap.writeBarrier(codeBlock);
+    vm.heap.writeBarrier(codeBlock->ownerExecutable());
     
     if (!isStillValid())
@@ -597 +597 @@
 void Plan::finalizeAndNotifyCallback()
 {
-    callback->compilationDidComplete(codeBlock, profiledDFGCodeBlock, finalizeWithoutNotifyingCallback());
+    callback->compilationDidComplete(codeBlock.get(), finalizeWithoutNotifyingCallback());
 }
 
@@ -605 +605 @@
 }
 
-void Plan::rememberCodeBlocks()
+void Plan::clearCodeBlockMarks()
 {
     // Compilation writes lots of values to a CodeBlock without performing
@@ -611 +611 @@
     // all our CodeBlocks must be visited during GC.
 
-    Heap::heap(codeBlock)->writeBarrier(codeBlock);
+    codeBlock->clearMarks();
+    codeBlock->alternative()->clearMarks();
     if (profiledDFGCodeBlock)
-        Heap::heap(profiledDFGCodeBlock)->writeBarrier(profiledDFGCodeBlock);
+        profiledDFGCodeBlock->clearMarks();
 }
 
@@ -624 +625 @@
         visitor.appendUnbarrieredValue(&mustHandleValues[i]);
 
-    visitor.appendUnbarrieredReadOnlyPointer(codeBlock);
-    visitor.appendUnbarrieredReadOnlyPointer(profiledDFGCodeBlock);
+    codeBlock->visitStrongly(visitor);
+    codeBlock->alternative()->visitStrongly(visitor);
+    if (profiledDFGCodeBlock)
+        profiledDFGCodeBlock->visitStrongly(visitor);
 
     if (inlineCallFrames) {
         for (auto* inlineCallFrame : *inlineCallFrames) {
-            ASSERT(inlineCallFrame->baselineCodeBlock.get());
-            visitor.appendUnbarrieredReadOnlyPointer(inlineCallFrame->baselineCodeBlock.get());
+            ASSERT(inlineCallFrame->baselineCodeBlock());
+            inlineCallFrame->baselineCodeBlock()->visitStrongly(visitor);
         }
     }

trunk/Source/JavaScriptCore/dfg/DFGPlan.h

@@ -56 +56 @@
 struct Plan : public ThreadSafeRefCounted<Plan> {
     Plan(
-        CodeBlock* codeBlockToCompile, CodeBlock* profiledDFGCodeBlock,
+        PassRefPtr<CodeBlock> codeBlockToCompile, CodeBlock* profiledDFGCodeBlock,
         CompilationMode, unsigned osrEntryBytecodeIndex,
         const Operands<JSValue>& mustHandleValues);
@@ -72 +72 @@
     CompilationKey key();
     
-    void rememberCodeBlocks();
+    void clearCodeBlockMarks();
     void checkLivenessAndVisitChildren(SlotVisitor&);
     bool isKnownToBeLiveDuringGC();
@@ -78 +78 @@
     
     VM& vm;
-
-    // These can be raw pointers because we visit them during every GC in checkLivenessAndVisitChildren.
-    CodeBlock* codeBlock;
-    CodeBlock* profiledDFGCodeBlock;
-
+    RefPtr<CodeBlock> codeBlock;
+    RefPtr<CodeBlock> profiledDFGCodeBlock;
     CompilationMode mode;
     const unsigned osrEntryBytecodeIndex;

trunk/Source/JavaScriptCore/dfg/DFGToFTLDeferredCompilationCallback.cpp

@@ -36 +36 @@
 namespace JSC { namespace DFG {
 
-ToFTLDeferredCompilationCallback::ToFTLDeferredCompilationCallback()
+ToFTLDeferredCompilationCallback::ToFTLDeferredCompilationCallback(
+    PassRefPtr<CodeBlock> dfgCodeBlock)
+    : m_dfgCodeBlock(dfgCodeBlock)
 {
 }
@@ -42 +44 @@
 ToFTLDeferredCompilationCallback::~ToFTLDeferredCompilationCallback() { }
 
-Ref<ToFTLDeferredCompilationCallback> ToFTLDeferredCompilationCallback::create()
+Ref<ToFTLDeferredCompilationCallback> ToFTLDeferredCompilationCallback::create(PassRefPtr<CodeBlock> dfgCodeBlock)
 {
-    return adoptRef(*new ToFTLDeferredCompilationCallback());
+    return adoptRef(*new ToFTLDeferredCompilationCallback(dfgCodeBlock));
 }
 
 void ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously(
-    CodeBlock* codeBlock, CodeBlock* profiledDFGCodeBlock)
+    CodeBlock* codeBlock)
 {
     if (Options::verboseOSR()) {
         dataLog(
-            "Optimizing compilation of ", *codeBlock, " (for ", *profiledDFGCodeBlock,
+            "Optimizing compilation of ", *codeBlock, " (for ", *m_dfgCodeBlock,
             ") did become ready.\n");
     }
     
-    profiledDFGCodeBlock->jitCode()->dfg()->forceOptimizationSlowPathConcurrently(
-        profiledDFGCodeBlock);
+    m_dfgCodeBlock->jitCode()->dfg()->forceOptimizationSlowPathConcurrently(
+        m_dfgCodeBlock.get());
 }
 
 void ToFTLDeferredCompilationCallback::compilationDidComplete(
-    CodeBlock* codeBlock, CodeBlock* profiledDFGCodeBlock, CompilationResult result)
+    CodeBlock* codeBlock, CompilationResult result)
 {
     if (Options::verboseOSR()) {
         dataLog(
-            "Optimizing compilation of ", *codeBlock, " (for ", *profiledDFGCodeBlock,
+            "Optimizing compilation of ", *codeBlock, " (for ", *m_dfgCodeBlock,
             ") result: ", result, "\n");
     }
     
-    if (profiledDFGCodeBlock->replacement() != profiledDFGCodeBlock) {
+    if (m_dfgCodeBlock->replacement() != m_dfgCodeBlock) {
         if (Options::verboseOSR()) {
             dataLog(
                 "Dropping FTL code block ", *codeBlock, " on the floor because the "
-                "DFG code block ", *profiledDFGCodeBlock, " was jettisoned.\n");
+                "DFG code block ", *m_dfgCodeBlock, " was jettisoned.\n");
         }
         return;
@@ -81 +83 @@
         codeBlock->ownerScriptExecutable()->installCode(codeBlock);
     
-    profiledDFGCodeBlock->jitCode()->dfg()->setOptimizationThresholdBasedOnCompilationResult(
-        profiledDFGCodeBlock, result);
+    m_dfgCodeBlock->jitCode()->dfg()->setOptimizationThresholdBasedOnCompilationResult(
+        m_dfgCodeBlock.get(), result);
 
-    DeferredCompilationCallback::compilationDidComplete(codeBlock, profiledDFGCodeBlock, result);
+    DeferredCompilationCallback::compilationDidComplete(codeBlock, result);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGToFTLDeferredCompilationCallback.h

@@ -41 +41 @@
 class ToFTLDeferredCompilationCallback : public DeferredCompilationCallback {
 protected:
-    ToFTLDeferredCompilationCallback();
+    ToFTLDeferredCompilationCallback(PassRefPtr<CodeBlock> dfgCodeBlock);
 
 public:
     virtual ~ToFTLDeferredCompilationCallback();
 
-    static Ref<ToFTLDeferredCompilationCallback> create();
+    static Ref<ToFTLDeferredCompilationCallback> create(PassRefPtr<CodeBlock> dfgCodeBlock);
     
-    virtual void compilationDidBecomeReadyAsynchronously(CodeBlock*, CodeBlock* profiledDFGCodeBlock);
-    virtual void compilationDidComplete(CodeBlock*, CodeBlock* profiledDFGCodeBlock, CompilationResult);
+    virtual void compilationDidBecomeReadyAsynchronously(CodeBlock*);
+    virtual void compilationDidComplete(CodeBlock*, CompilationResult);
+
+private:
+    RefPtr<CodeBlock> m_dfgCodeBlock;
 };
 

trunk/Source/JavaScriptCore/dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp

@@ -36 +36 @@
 namespace JSC { namespace DFG {
 
-ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback()
+ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback(
+    PassRefPtr<CodeBlock> dfgCodeBlock)
+    : m_dfgCodeBlock(dfgCodeBlock)
 {
 }
@@ -44 +46 @@
 }
 
-Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create()
+Ref<ToFTLForOSREntryDeferredCompilationCallback>ToFTLForOSREntryDeferredCompilationCallback::create(
+    PassRefPtr<CodeBlock> dfgCodeBlock)
 {
-    return adoptRef(*new ToFTLForOSREntryDeferredCompilationCallback());
+    return adoptRef(*new ToFTLForOSREntryDeferredCompilationCallback(dfgCodeBlock));
 }
 
 void ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously(
-    CodeBlock* codeBlock, CodeBlock* profiledDFGCodeBlock)
+    CodeBlock* codeBlock)
 {
     if (Options::verboseOSR()) {
         dataLog(
-            "Optimizing compilation of ", *codeBlock, " (for ", *profiledDFGCodeBlock,
+            "Optimizing compilation of ", *codeBlock, " (for ", *m_dfgCodeBlock,
             ") did become ready.\n");
     }
     
-    profiledDFGCodeBlock->jitCode()->dfg()->forceOptimizationSlowPathConcurrently(
-        profiledDFGCodeBlock);
+    m_dfgCodeBlock->jitCode()->dfg()->forceOptimizationSlowPathConcurrently(
+        m_dfgCodeBlock.get());
 }
 
 void ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete(
-    CodeBlock* codeBlock, CodeBlock* profiledDFGCodeBlock, CompilationResult result)
+    CodeBlock* codeBlock, CompilationResult result)
 {
     if (Options::verboseOSR()) {
         dataLog(
-            "Optimizing compilation of ", *codeBlock, " (for ", *profiledDFGCodeBlock,
+            "Optimizing compilation of ", *codeBlock, " (for ", *m_dfgCodeBlock,
             ") result: ", result, "\n");
     }
     
-    JITCode* jitCode = profiledDFGCodeBlock->jitCode()->dfg();
+    JITCode* jitCode = m_dfgCodeBlock->jitCode()->dfg();
         
     switch (result) {
     case CompilationSuccessful:
-        jitCode->setOSREntryBlock(*codeBlock->vm(), profiledDFGCodeBlock, codeBlock);
+        jitCode->osrEntryBlock = codeBlock;
         break;
     case CompilationFailed:
@@ -88 +91 @@
     }
     
-    DeferredCompilationCallback::compilationDidComplete(codeBlock, profiledDFGCodeBlock, result);
+    DeferredCompilationCallback::compilationDidComplete(codeBlock, result);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h

@@ -41 +41 @@
 class ToFTLForOSREntryDeferredCompilationCallback : public DeferredCompilationCallback {
 protected:
-    ToFTLForOSREntryDeferredCompilationCallback();
+    ToFTLForOSREntryDeferredCompilationCallback(PassRefPtr<CodeBlock> dfgCodeBlock);
 
 public:
     virtual ~ToFTLForOSREntryDeferredCompilationCallback();
 
-    static Ref<ToFTLForOSREntryDeferredCompilationCallback> create();
+    static Ref<ToFTLForOSREntryDeferredCompilationCallback> create(PassRefPtr<CodeBlock> dfgCodeBlock);
     
-    virtual void compilationDidBecomeReadyAsynchronously(CodeBlock*, CodeBlock* profiledDFGCodeBlock);
-    virtual void compilationDidComplete(CodeBlock*, CodeBlock* profiledDFGCodeBlock, CompilationResult);
+    virtual void compilationDidBecomeReadyAsynchronously(CodeBlock*);
+    virtual void compilationDidComplete(CodeBlock*, CompilationResult);
+
+private:
+    RefPtr<CodeBlock> m_dfgCodeBlock;
 };
 

trunk/Source/JavaScriptCore/dfg/DFGWorklist.cpp

@@ -208 +208 @@
 }
 
-void Worklist::rememberCodeBlocks(VM& vm)
+void Worklist::clearCodeBlockMarks(VM& vm)
 {
     LockHolder locker(m_lock);
@@ -215 +215 @@
         if (&plan->vm != &vm)
             continue;
-        plan->rememberCodeBlocks();
+        plan->clearCodeBlockMarks();
     }
 }
@@ -468 +468 @@
 }
 
-void rememberCodeBlocks(VM& vm)
+void clearCodeBlockMarks(VM& vm)
 {
     for (unsigned i = DFG::numberOfWorklists(); i--;) {
         if (DFG::Worklist* worklist = DFG::worklistForIndexOrNull(i))
-            worklist->rememberCodeBlocks(vm);
+            worklist->clearCodeBlockMarks(vm);
     }
 }

trunk/Source/JavaScriptCore/dfg/DFGWorklist.h

@@ -58 +58 @@
     void completeAllPlansForVM(VM&);
 
-    void rememberCodeBlocks(VM&);
+    void clearCodeBlockMarks(VM&);
 
     void waitUntilAllPlansForVMAreReady(VM&);
@@ -142 +142 @@
 
 void completeAllPlansForVM(VM&);
-void rememberCodeBlocks(VM&);
+void clearCodeBlockMarks(VM&);
 
 } } // namespace JSC::DFG

trunk/Source/JavaScriptCore/ftl/FTLJITFinalizer.cpp

@@ -100 +100 @@
             FINALIZE_DFG_CODE(
                 *exitThunksLinkBuffer,
-                ("FTL exit thunks for %s", toCString(CodeBlockWithJITType(m_plan.codeBlock, JITCode::FTLJIT)).data())));
+                ("FTL exit thunks for %s", toCString(CodeBlockWithJITType(m_plan.codeBlock.get(), JITCode::FTLJIT)).data())));
     } // else this function had no OSR exits, so no exit thunks.
     
@@ -117 +117 @@
             *sideCodeLinkBuffer,
             ("FTL side code for %s",
-                toCString(CodeBlockWithJITType(m_plan.codeBlock, JITCode::FTLJIT)).data()))
+                toCString(CodeBlockWithJITType(m_plan.codeBlock.get(), JITCode::FTLJIT)).data()))
             .executableMemory());
     }
@@ -125 +125 @@
             *handleExceptionsLinkBuffer,
             ("FTL exception handler for %s",
-                toCString(CodeBlockWithJITType(m_plan.codeBlock, JITCode::FTLJIT)).data()))
+                toCString(CodeBlockWithJITType(m_plan.codeBlock.get(), JITCode::FTLJIT)).data()))
             .executableMemory());
     }
@@ -138 +138 @@
         FINALIZE_DFG_CODE(
             *entrypointLinkBuffer,
-            ("FTL entrypoint thunk for %s with LLVM generated code at %p", toCString(CodeBlockWithJITType(m_plan.codeBlock, JITCode::FTLJIT)).data(), function)));
+            ("FTL entrypoint thunk for %s with LLVM generated code at %p", toCString(CodeBlockWithJITType(m_plan.codeBlock.get(), JITCode::FTLJIT)).data(), function)));
     
     m_plan.codeBlock->setJITCode(jitCode);

trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp

@@ -42 +42 @@
 CodeBlockSet::~CodeBlockSet()
 {
+    for (CodeBlock* codeBlock : m_oldCodeBlocks)
+        codeBlock->deref();
+
+    for (CodeBlock* codeBlock : m_newCodeBlocks)
+        codeBlock->deref();
 }
 
-void CodeBlockSet::add(CodeBlock* codeBlock)
+void CodeBlockSet::add(PassRefPtr<CodeBlock> codeBlock)
 {
-    bool isNewEntry = m_newCodeBlocks.add(codeBlock).isNewEntry;
+    CodeBlock* block = codeBlock.leakRef();
+    bool isNewEntry = m_newCodeBlocks.add(block).isNewEntry;
     ASSERT_UNUSED(isNewEntry, isNewEntry);
 }
@@ -59 +65 @@
 {
     for (CodeBlock* codeBlock : m_oldCodeBlocks)
-        codeBlock->clearVisitWeaklyHasBeenCalled();
+        codeBlock->clearMarks();
 
     // We promote after we clear marks on the old generation CodeBlocks because
@@ -66 +72 @@
 }
 
+void CodeBlockSet::clearMarksForEdenCollection(const Vector<const JSCell*>& rememberedSet)
+{
+    // This ensures that we will revisit CodeBlocks in remembered Executables even if they were previously marked.
+    for (const JSCell* cell : rememberedSet) {
+        ScriptExecutable* executable = const_cast<ScriptExecutable*>(jsDynamicCast<const ScriptExecutable*>(cell));
+        if (!executable)
+            continue;
+        executable->forEachCodeBlock([this](CodeBlock* codeBlock) {
+            codeBlock->clearMarks();
+            m_remembered.add(codeBlock);
+        });
+    }
+}
+
 void CodeBlockSet::deleteUnmarkedAndUnreferenced(HeapOperation collectionType)
 {
     HashSet<CodeBlock*>& set = collectionType == EdenCollection ? m_newCodeBlocks : m_oldCodeBlocks;
-    Vector<CodeBlock*> unmarked;
-    for (CodeBlock* codeBlock : set) {
-        if (Heap::isMarked(codeBlock))
-            continue;
-        unmarked.append(codeBlock);
-    }
 
-    for (CodeBlock* codeBlock : unmarked) {
-        codeBlock->classInfo()->methodTable.destroy(codeBlock);
-        set.remove(codeBlock);
+    // This needs to be a fixpoint because code blocks that are unmarked may
+    // refer to each other. For example, a DFG code block that is owned by
+    // the GC may refer to an FTL for-entry code block that is also owned by
+    // the GC.
+    Vector<CodeBlock*, 16> toRemove;
+    if (verbose)
+        dataLog("Fixpointing over unmarked, set size = ", set.size(), "...\n");
+    for (;;) {
+        for (CodeBlock* codeBlock : set) {
+            if (!codeBlock->hasOneRef())
+                continue;
+            codeBlock->deref();
+            toRemove.append(codeBlock);
+        }
+        if (verbose)
+            dataLog("    Removing ", toRemove.size(), " blocks.\n");
+        if (toRemove.isEmpty())
+            break;
+        for (CodeBlock* codeBlock : toRemove)
+            set.remove(codeBlock);
+        toRemove.resize(0);
     }
 
@@ -88 +120 @@
 void CodeBlockSet::remove(CodeBlock* codeBlock)
 {
+    codeBlock->deref();
     if (m_oldCodeBlocks.contains(codeBlock)) {
         m_oldCodeBlocks.remove(codeBlock);
@@ -96 +129 @@
 }
 
+void CodeBlockSet::traceMarked(SlotVisitor& visitor)
+{
+    if (verbose)
+        dataLog("Tracing ", m_currentlyExecuting.size(), " code blocks.\n");
+
+    // We strongly visit the currently executing set because jettisoning code
+    // is not valuable once it's on the stack. We're past the point where
+    // jettisoning would avoid the cost of OSR exit.
+    for (const RefPtr<CodeBlock>& codeBlock : m_currentlyExecuting)
+        codeBlock->visitStrongly(visitor);
+
+    // We strongly visit the remembered set because jettisoning old code during
+    // Eden GC is unsound. There might be an old object with a strong reference
+    // to the code.
+    for (const RefPtr<CodeBlock>& codeBlock : m_remembered)
+        codeBlock->visitStrongly(visitor);
+}
+
 void CodeBlockSet::rememberCurrentlyExecutingCodeBlocks(Heap* heap)
 {
     if (verbose)
         dataLog("Remembering ", m_currentlyExecuting.size(), " code blocks.\n");
-    for (CodeBlock* codeBlock : m_currentlyExecuting)
-        heap->addToRememberedSet(codeBlock);
+    for (const RefPtr<CodeBlock>& codeBlock : m_currentlyExecuting)
+        heap->addToRememberedSet(codeBlock->ownerExecutable());
+
+    // It's safe to clear these RefPtr sets because we won't delete the CodeBlocks
+    // in them until the next GC, and we'll recompute them at that time.
     m_currentlyExecuting.clear();
+    m_remembered.clear();
 }
 
@@ -117 +172 @@
     out.print("], currentlyExecuting = [");
     comma = CommaPrinter();
-    for (CodeBlock* codeBlock : m_currentlyExecuting)
-        out.print(comma, pointerDump(codeBlock));
+    for (const RefPtr<CodeBlock>& codeBlock : m_currentlyExecuting)
+        out.print(comma, pointerDump(codeBlock.get()));
     out.print("]}");
 }

trunk/Source/JavaScriptCore/heap/CodeBlockSet.h

@@ -54 +54 @@
     
     // Add a CodeBlock. This is only called by CodeBlock constructors.
-    void add(CodeBlock*);
+    void add(PassRefPtr<CodeBlock>);
     
+    // Clear mark bits for certain CodeBlocks depending on the type of collection.
+    void clearMarksForEdenCollection(const Vector<const JSCell*>&);
+
     // Clear all mark bits for all CodeBlocks.
     void clearMarksForFullCollection();
@@ -70 +73 @@
     void remove(CodeBlock*);
     
+    // Trace all marked code blocks. The CodeBlock is free to make use of
+    // mayBeExecuting.
+    void traceMarked(SlotVisitor&);
+
     // Add all currently executing CodeBlocks to the remembered set to be 
     // re-scanned during the next collection.
@@ -98 +105 @@
     void promoteYoungCodeBlocks();
 
+    // This is not a set of RefPtr<CodeBlock> because we need to be able to find
+    // arbitrary bogus pointers. I could have written a thingy that had peek types
+    // and all, but that seemed like overkill.
     HashSet<CodeBlock*> m_oldCodeBlocks;
     HashSet<CodeBlock*> m_newCodeBlocks;
-    HashSet<CodeBlock*> m_currentlyExecuting;
+    HashSet<RefPtr<CodeBlock>> m_currentlyExecuting;
+    HashSet<RefPtr<CodeBlock>> m_remembered;
 };
 

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -521 +521 @@
     ASSERT(isValidThreadState(m_vm));
 
+    Vector<const JSCell*> rememberedSet(m_slotVisitor.markStack().size());
+    m_slotVisitor.markStack().fillVector(rememberedSet);
+
+#if ENABLE(DFG_JIT)
+    DFG::clearCodeBlockMarks(*m_vm);
+#endif
+    if (m_operationInProgress == EdenCollection)
+        m_codeBlocks.clearMarksForEdenCollection(rememberedSet);
+    else
+        m_codeBlocks.clearMarksForFullCollection();
+
     // We gather conservative roots before clearing mark bits because conservative
     // gathering uses the mark bits to determine whether a reference is valid.
@@ -528 +539 @@
     gatherScratchBufferRoots(conservativeRoots);
 
-#if ENABLE(DFG_JIT)
-    DFG::rememberCodeBlocks(*m_vm);
-#endif
-
-    if (m_operationInProgress == FullCollection) {
+    clearLivenessData();
+
+    if (m_operationInProgress == FullCollection)
         m_opaqueRoots.clear();
-        m_slotVisitor.clearMarkStack();
-    }
-
-    Vector<const JSCell*> rememberedSet(m_slotVisitor.markStack().size());
-    m_slotVisitor.markStack().fillVector(rememberedSet);
-
-    clearLivenessData();
-
 
     m_shouldHashCons = m_vm->haveEnoughNewStringsToHashCons();
@@ -582 +583 @@
         ParallelModeEnabler enabler(m_slotVisitor);
 
-        m_slotVisitor.donateAndDrain();
         visitExternalRememberedSet();
         visitSmallStrings();
@@ -698 +698 @@
 {
     GCPHASE(ClearLivenessData);
-    if (m_operationInProgress == FullCollection)
-        m_codeBlocks.clearMarksForFullCollection();
-
     m_objectSpace.clearNewlyAllocated();
     m_objectSpace.clearMarks();
@@ -822 +819 @@
 {
     GCPHASE(TraceCodeBlocksAndJITStubRoutines);
+    m_codeBlocks.traceMarked(m_slotVisitor);
     m_jitStubRoutines.traceMarkedStubRoutines(m_slotVisitor);
 
@@ -966 +964 @@
     // we'll end up returning to deleted code.
     RELEASE_ASSERT(!m_vm->entryScope);
-    ASSERT(m_operationInProgress == NoOperation);
 
     completeAllDFGPlans();
 
-    for (ExecutableBase* executable : m_executables)
-        executable->clearCode();
+    for (ExecutableBase* current : m_executables) {
+        if (!current->isFunctionExecutable())
+            continue;
+        static_cast<FunctionExecutable*>(current)->clearCode();
+    }
+
+    ASSERT(m_operationInProgress == FullCollection || m_operationInProgress == NoOperation);
+    m_codeBlocks.clearMarksForFullCollection();
+    m_codeBlocks.deleteUnmarkedAndUnreferenced(FullCollection);
 }
 
@@ -991 +995 @@
             continue;
 
-        // Eagerly dereference the Executable's JITCode in order to run watchpoint
-        // destructors. Otherwise, watchpoints might fire for deleted CodeBlocks.
-        current->clearCode();
+        // We do this because executable memory is limited on some platforms and because
+        // CodeBlock requires eager finalization.
+        ExecutableBase::clearCodeVirtual(current);
         std::swap(m_executables[i], m_executables.last());
         m_executables.removeLast();
@@ -1147 +1151 @@
     if (shouldDoFullCollection(collectionType)) {
         m_operationInProgress = FullCollection;
+        m_slotVisitor.clearMarkStack();
         m_shouldDoFullCollection = false;
         if (Options::logGC())

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -174 +174 @@
 
         ThisTDZMode thisTDZMode = callerCodeBlock->unlinkedCodeBlock()->constructorKind() == ConstructorKind::Derived ? ThisTDZMode::AlwaysCheck : ThisTDZMode::CheckIfNeeded;
-        eval = callerCodeBlock->evalCodeCache().getSlow(callFrame, callerCodeBlock, callerCodeBlock->isStrictMode(), thisTDZMode, programSource, callerScopeChain);
+        eval = callerCodeBlock->evalCodeCache().getSlow(callFrame, callerCodeBlock->ownerScriptExecutable(), callerCodeBlock->isStrictMode(), thisTDZMode, programSource, callerScopeChain);
         if (!eval)
             return jsUndefined();

trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp

@@ -171 +171 @@
         else
             m_frame.m_argumentCountIncludingThis = inlineCallFrame->arguments.size();
-        m_frame.m_codeBlock = inlineCallFrame->baselineCodeBlock.get();
+        m_frame.m_codeBlock = inlineCallFrame->baselineCodeBlock();
         m_frame.m_bytecodeOffset = codeOrigin->bytecodeIndex;
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -39 +39 @@
         return m_codeBlock->ownerExecutable();
     
-    return codeOrigin.inlineCallFrame->baselineCodeBlock->ownerExecutable();
+    return codeOrigin.inlineCallFrame->executable.get();
 }
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1075 +1075 @@
         if (!codeOrigin.inlineCallFrame)
             return codeBlock()->isStrictMode();
-        return codeOrigin.inlineCallFrame->isStrictMode();
+        return jsCast<FunctionExecutable*>(codeOrigin.inlineCallFrame->executable.get())->isStrictMode();
     }
     

trunk/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h

@@ -116 +116 @@
 // that codeBlock gets "executed" more than once.
 #define FINALIZE_CODE_FOR_GC_AWARE_STUB(codeBlock, patchBuffer, makesCalls, cell, dataLogFArguments) \
-    (createJITStubRoutine(FINALIZE_CODE_FOR((codeBlock), (patchBuffer), dataLogFArguments), *(codeBlock)->vm(), (codeBlock), (makesCalls), (cell)))
+    (createJITStubRoutine(FINALIZE_CODE_FOR((codeBlock), (patchBuffer), dataLogFArguments), *(codeBlock)->vm(), (codeBlock)->ownerExecutable(), (makesCalls), (cell)))
 
 } // namespace JSC

trunk/Source/JavaScriptCore/jit/JITCode.h

@@ -122 +122 @@
     }
 
+    static std::chrono::milliseconds timeToLive(JITType jitType)
+    {
+        switch (jitType) {
+        case InterpreterThunk:
+            return std::chrono::duration_cast<std::chrono::milliseconds>(
+                std::chrono::seconds(5));
+        case BaselineJIT:
+            // Effectively 10 additional seconds, since BaselineJIT and
+            // InterpreterThunk share a CodeBlock.
+            return std::chrono::duration_cast<std::chrono::milliseconds>(
+                std::chrono::seconds(15));
+        case DFGJIT:
+            return std::chrono::duration_cast<std::chrono::milliseconds>(
+                std::chrono::seconds(20));
+        case FTLJIT:
+            return std::chrono::duration_cast<std::chrono::milliseconds>(
+                std::chrono::seconds(60));
+        default:
+            return std::chrono::milliseconds::max();
+        }
+    }
+
     static bool isLowerTier(JITType expectedLower, JITType expectedHigher)
     {

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -667 +667 @@
         emitInitRegister(virtualRegisterForLocal(j).offset());
 
-    emitWriteBarrier(m_codeBlock);
+    emitWriteBarrier(m_codeBlock->ownerExecutable());
 
     emitEnterOptimizationCheck();

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1274 +1274 @@
         }
 
-        CodeBlock* replacementCodeBlock = codeBlock->newReplacement();
+        RefPtr<CodeBlock> replacementCodeBlock = codeBlock->newReplacement();
         CompilationResult result = DFG::compile(
-            vm, replacementCodeBlock, nullptr, DFG::DFGMode, bytecodeIndex,
+            vm, replacementCodeBlock.get(), 0, DFG::DFGMode, bytecodeIndex,
             mustHandleValues, JITToDFGDeferredCompilationCallback::create());
         
-        if (result != CompilationSuccessful)
+        if (result != CompilationSuccessful) {
+            ASSERT(result == CompilationDeferred || replacementCodeBlock->hasOneRef());
             return encodeResult(0, 0);
+        }
     }
     

trunk/Source/JavaScriptCore/jit/JITToDFGDeferredCompilationCallback.cpp

@@ -44 +44 @@
 
 void JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously(
-    CodeBlock* codeBlock, CodeBlock* profiledDFGCodeBlock)
+    CodeBlock* codeBlock)
 {
-    ASSERT_UNUSED(profiledDFGCodeBlock, !profiledDFGCodeBlock);
     ASSERT(codeBlock->alternative()->jitType() == JITCode::BaselineJIT);
     
@@ -56 +55 @@
 
 void JITToDFGDeferredCompilationCallback::compilationDidComplete(
-    CodeBlock* codeBlock, CodeBlock* profiledDFGCodeBlock, CompilationResult result)
+    CodeBlock* codeBlock, CompilationResult result)
 {
-    ASSERT(!profiledDFGCodeBlock);
     ASSERT(codeBlock->alternative()->jitType() == JITCode::BaselineJIT);
     
@@ -69 +67 @@
     codeBlock->alternative()->setOptimizationThresholdBasedOnCompilationResult(result);
 
-    DeferredCompilationCallback::compilationDidComplete(codeBlock, profiledDFGCodeBlock, result);
+    DeferredCompilationCallback::compilationDidComplete(codeBlock, result);
 }
 

trunk/Source/JavaScriptCore/jit/JITToDFGDeferredCompilationCallback.h

@@ -45 +45 @@
     static Ref<JITToDFGDeferredCompilationCallback> create();
     
-    virtual void compilationDidBecomeReadyAsynchronously(CodeBlock*, CodeBlock* profiledDFGCodeBlock) override;
-    virtual void compilationDidComplete(CodeBlock*, CodeBlock* profiledDFGCodeBlock, CompilationResult) override;
+    virtual void compilationDidBecomeReadyAsynchronously(CodeBlock*) override;
+    virtual void compilationDidComplete(CodeBlock*, CompilationResult) override;
 };
 

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -228 +228 @@
 
     CodeBlock* codeBlock = exec->codeBlock();
+    ScriptExecutable* owner = codeBlock->ownerScriptExecutable();
     VM& vm = exec->vm();
 
@@ -233 +234 @@
 
     if (isJSArray(baseValue) && propertyName == exec->propertyNames().length)
-        newCase = AccessCase::getLength(vm, codeBlock, AccessCase::ArrayLength);
+        newCase = AccessCase::getLength(vm, owner, AccessCase::ArrayLength);
     else if (isJSString(baseValue) && propertyName == exec->propertyNames().length)
-        newCase = AccessCase::getLength(vm, codeBlock, AccessCase::StringLength);
+        newCase = AccessCase::getLength(vm, owner, AccessCase::StringLength);
     else {
         if (!slot.isCacheable() && !slot.isUnset())
@@ -266 +267 @@
             structure->startWatchingPropertyForReplacements(vm, slot.cachedOffset());
             repatchByIdSelfAccess(codeBlock, stubInfo, structure, slot.cachedOffset(), operationGetByIdOptimize, true);
-            stubInfo.initGetByIdSelf(vm, codeBlock, structure, slot.cachedOffset());
+            stubInfo.initGetByIdSelf(vm, codeBlock->ownerExecutable(), structure, slot.cachedOffset());
             return RetryCacheLater;
         }
@@ -279 +280 @@
             if (slot.isUnset()) {
                 conditionSet = generateConditionsForPropertyMiss(
-                    vm, codeBlock, exec, structure, propertyName.impl());
+                    vm, codeBlock->ownerExecutable(), exec, structure, propertyName.impl());
             } else {
                 conditionSet = generateConditionsForPrototypePropertyHit(
-                    vm, codeBlock, exec, structure, slot.slotBase(),
+                    vm, codeBlock->ownerExecutable(), exec, structure, slot.slotBase(),
                     propertyName.impl());
             }
@@ -303 +304 @@
 
         newCase = AccessCase::get(
-            vm, codeBlock, type, offset, structure, conditionSet, loadTargetFromProxy,
+            vm, owner, type, offset, structure, conditionSet, loadTargetFromProxy,
             slot.watchpointSet(), slot.isCacheableCustom() ? slot.customGetter() : nullptr,
             slot.isCacheableCustom() ? slot.slotBase() : nullptr);
@@ -357 +358 @@
     
     CodeBlock* codeBlock = exec->codeBlock();
+    ScriptExecutable* owner = codeBlock->ownerScriptExecutable();
     VM& vm = exec->vm();
 
@@ -384 +386 @@
                     appropriateOptimizingPutByIdFunction(slot, putKind), false);
                 stubInfo.initPutByIdReplace(
-                    vm, codeBlock, structure, slot.cachedOffset());
+                    vm, codeBlock->ownerExecutable(), structure, slot.cachedOffset());
                 return RetryCacheLater;
             }
 
-            newCase = AccessCase::replace(vm, codeBlock, structure, slot.cachedOffset());
+            newCase = AccessCase::replace(vm, owner, structure, slot.cachedOffset());
         } else {
             ASSERT(slot.type() == PutPropertySlot::NewProperty);
@@ -410 +412 @@
                 conditionSet =
                     generateConditionsForPropertySetterMiss(
-                        vm, codeBlock, exec, newStructure, ident.impl());
+                        vm, owner, exec, newStructure, ident.impl());
                 if (!conditionSet.isValid())
                     return GiveUpOnCache;
             }
 
-            newCase = AccessCase::transition(vm, codeBlock, structure, newStructure, offset, conditionSet);
+            newCase = AccessCase::transition(vm, owner, structure, newStructure, offset, conditionSet);
         }
     } else if (slot.isCacheableCustom() || slot.isCacheableSetter()) {
@@ -424 +426 @@
                 conditionSet =
                     generateConditionsForPrototypePropertyHitCustom(
-                        vm, codeBlock, exec, structure, slot.base(), ident.impl());
+                        vm, owner, exec, structure, slot.base(), ident.impl());
                 if (!conditionSet.isValid())
                     return GiveUpOnCache;
@@ -430 +432 @@
 
             newCase = AccessCase::setter(
-                vm, codeBlock, AccessCase::CustomSetter, structure, invalidOffset, conditionSet,
+                vm, owner, AccessCase::CustomSetter, structure, invalidOffset, conditionSet,
                 slot.customSetter(), slot.base());
         } else {
@@ -439 +441 @@
                 conditionSet =
                     generateConditionsForPrototypePropertyHit(
-                        vm, codeBlock, exec, structure, slot.base(), ident.impl());
+                        vm, owner, exec, structure, slot.base(), ident.impl());
                 if (!conditionSet.isValid())
                     return GiveUpOnCache;
@@ -447 +449 @@
 
             newCase = AccessCase::setter(
-                vm, codeBlock, AccessCase::Setter, structure, offset, conditionSet);
+                vm, owner, AccessCase::Setter, structure, offset, conditionSet);
         }
     }
@@ -490 +492 @@
     
     CodeBlock* codeBlock = exec->codeBlock();
+    ScriptExecutable* owner = codeBlock->ownerScriptExecutable();
     VM& vm = exec->vm();
     Structure* structure = base->structure(vm);
@@ -497 +500 @@
         if (slot.slotBase() != base) {
             conditionSet = generateConditionsForPrototypePropertyHit(
-                vm, codeBlock, exec, structure, slot.slotBase(), ident.impl());
+                vm, codeBlock->ownerExecutable(), exec, structure, slot.slotBase(), ident.impl());
         }
     } else {
         conditionSet = generateConditionsForPropertyMiss(
-            vm, codeBlock, exec, structure, ident.impl());
+            vm, codeBlock->ownerExecutable(), exec, structure, ident.impl());
     }
     if (!conditionSet.isValid())
@@ -507 +510 @@
 
     std::unique_ptr<AccessCase> newCase = AccessCase::in(
-        vm, codeBlock, wasFound ? AccessCase::InHit : AccessCase::InMiss, structure, conditionSet);
+        vm, owner, wasFound ? AccessCase::InHit : AccessCase::InMiss, structure, conditionSet);
 
     MacroAssemblerCodePtr codePtr = stubInfo.addAccessCase(vm, codeBlock, ident, WTF::move(newCase));
@@ -556 +559 @@
     
     ASSERT(!callLinkInfo.isLinked());
-    callLinkInfo.setCallee(exec->callerFrame()->vm(), callLinkInfo.hotPathBegin(), callerCodeBlock, callee);
-    callLinkInfo.setLastSeenCallee(exec->callerFrame()->vm(), callerCodeBlock, callee);
+    callLinkInfo.setCallee(exec->callerFrame()->vm(), callLinkInfo.hotPathBegin(), callerCodeBlock->ownerExecutable(), callee);
+    callLinkInfo.setLastSeenCallee(exec->callerFrame()->vm(), callerCodeBlock->ownerExecutable(), callee);
     if (shouldShowDisassemblyFor(callerCodeBlock))
         dataLog("Linking call in ", *callerCodeBlock, " at ", callLinkInfo.codeOrigin(), " to ", pointerDump(calleeCodeBlock), ", entrypoint at ", codePtr, "\n");
@@ -874 +877 @@
                 toCString(*callerCodeBlock).data(), callLinkInfo.callReturnLocation().labelAtOffset(0).executableAddress(),
                 toCString(listDump(callCases)).data())),
-        *vm, callerCodeBlock, exec->callerFrame(), callLinkInfo, callCases,
+        *vm, callerCodeBlock->ownerExecutable(), exec->callerFrame(), callLinkInfo, callCases,
         WTF::move(fastCounts)));
     

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -577 +577 @@
             && !structure->typeInfo().prohibitsPropertyCaching()
             && !structure->typeInfo().newImpurePropertyFiresWatchpoints()) {
-            vm.heap.writeBarrier(codeBlock);
+            vm.heap.writeBarrier(codeBlock->ownerExecutable());
             
             ConcurrentJITLocker locker(codeBlock->m_lock);
@@ -642 +642 @@
             && baseCell == slot.base()) {
 
-            vm.heap.writeBarrier(codeBlock);
+            vm.heap.writeBarrier(codeBlock->ownerExecutable());
             
             if (slot.type() == PutPropertySlot::NewProperty) {
@@ -659 +659 @@
                             ASSERT(chain);
                             pc[7].u.structureChain.set(
-                                vm, codeBlock, chain);
+                                vm, codeBlock->ownerExecutable(), chain);
                         }
                         pc[8].u.putByIdFlags = static_cast<PutByIdFlags>(
@@ -1191 +1191 @@
         if (callLinkInfo->isOnList())
             callLinkInfo->remove();
-        callLinkInfo->callee.set(vm, callerCodeBlock, callee);
-        callLinkInfo->lastSeenCallee.set(vm, callerCodeBlock, callee);
+        callLinkInfo->callee.set(vm, callerCodeBlock->ownerExecutable(), callee);
+        callLinkInfo->lastSeenCallee.set(vm, callerCodeBlock->ownerExecutable(), callee);
         callLinkInfo->machineCodeTarget = codePtr;
         if (codeBlock)

trunk/Source/JavaScriptCore/profiler/ProfilerOriginStack.cpp

@@ -53 +53 @@
     for (unsigned i = 1; i < stack.size(); ++i) {
         append(Origin(
-            database.ensureBytecodesFor(stack[i].inlineCallFrame->baselineCodeBlock.get()),
+            database.ensureBytecodesFor(stack[i].inlineCallFrame->baselineCodeBlock()),
             stack[i].bytecodeIndex));
     }

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -232 +232 @@
     auto& cacheWriteBarrier = pc[4].u.jsCell;
     if (!cacheWriteBarrier)
-        cacheWriteBarrier.set(exec->vm(), exec->codeBlock(), constructor);
+        cacheWriteBarrier.set(exec->vm(), exec->codeBlock()->ownerExecutable(), constructor);
     else if (cacheWriteBarrier.unvalidatedGet() != JSCell::seenMultipleCalleeObjects() && cacheWriteBarrier.get() != constructor)
         cacheWriteBarrier.setWithoutWriteBarrier(JSCell::seenMultipleCalleeObjects());
@@ -251 +251 @@
             if (otherStructure)
                 pc[3].u.toThisStatus = ToThisConflicted;
-            pc[2].u.structure.set(vm, exec->codeBlock(), myStructure);
+            pc[2].u.structure.set(vm, exec->codeBlock()->ownerExecutable(), myStructure);
         }
     } else {
@@ -527 +527 @@
 {
     BEGIN();
-    CodeBlock* codeBlock = exec->codeBlock();
-    Heap::heap(codeBlock)->writeBarrier(codeBlock);
+    ExecutableBase* ownerExecutable = exec->codeBlock()->ownerExecutable();
+    Heap::heap(ownerExecutable)->writeBarrier(ownerExecutable);
     END();
 }

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h

@@ -130 +130 @@
 
         ConcurrentJITLocker locker(codeBlock->m_lock);
-        pc[5].u.structure.set(exec->vm(), codeBlock, scope->structure());
+        pc[5].u.structure.set(exec->vm(), codeBlock->ownerExecutable(), scope->structure());
         pc[6].u.operand = slot.cachedOffset();
     }
@@ -163 +163 @@
             {
                 ConcurrentJITLocker locker(codeBlock->m_lock);
-                pc[5].u.structure.set(exec->vm(), codeBlock, structure);
+                pc[5].u.structure.set(exec->vm(), codeBlock->ownerExecutable(), structure);
                 pc[6].u.operand = slot.cachedOffset();
             }

trunk/Source/JavaScriptCore/runtime/Executable.cpp

@@ -61 +61 @@
     m_numParametersForCall = NUM_PARAMETERS_NOT_COMPILED;
     m_numParametersForConstruct = NUM_PARAMETERS_NOT_COMPILED;
-
-    if (classInfo() == FunctionExecutable::info()) {
-        FunctionExecutable* executable = jsCast<FunctionExecutable*>(this);
-        executable->m_codeBlockForCall.clear();
-        executable->m_codeBlockForConstruct.clear();
-        return;
-    }
-
-    if (classInfo() == EvalExecutable::info()) {
-        EvalExecutable* executable = jsCast<EvalExecutable*>(this);
-        executable->m_evalCodeBlock.clear();
-        executable->m_unlinkedEvalCodeBlock.clear();
-        return;
-    }
-    
-    if (classInfo() == ProgramExecutable::info()) {
-        ProgramExecutable* executable = jsCast<ProgramExecutable*>(this);
-        executable->m_programCodeBlock.clear();
-        executable->m_unlinkedProgramCodeBlock.clear();
-        return;
-    }
-
-    if (classInfo() == ModuleProgramExecutable::info()) {
-        ModuleProgramExecutable* executable = jsCast<ModuleProgramExecutable*>(this);
-        executable->m_moduleProgramCodeBlock.clear();
-        executable->m_unlinkedModuleProgramCodeBlock.clear();
-        executable->m_moduleEnvironmentSymbolTable.clear();
-        return;
-    }
-    
-#if ENABLE(WEBASSEMBLY)
-    if (classInfo() == WebAssemblyExecutable::info()) {
-        WebAssemblyExecutable* executable = jsCast<WebAssemblyExecutable*>(this);
-        executable->m_codeBlockForCall.clear();
-        return;
-    }
-#endif
-
-    ASSERT(classInfo() == NativeExecutable::info());
 }
 
@@ -163 +124 @@
     ASSERT(vm.heap.isDeferred());
     
-    CodeBlock* oldCodeBlock = nullptr;
+    RefPtr<CodeBlock> oldCodeBlock;
     
     switch (codeType) {
@@ -172 +133 @@
         ASSERT(kind == CodeForCall);
         
-        oldCodeBlock = executable->m_programCodeBlock.get();
-        executable->m_programCodeBlock.setMayBeNull(vm, this, codeBlock);
+        oldCodeBlock = executable->m_programCodeBlock;
+        executable->m_programCodeBlock = codeBlock;
         break;
     }
@@ -183 +144 @@
         ASSERT(kind == CodeForCall);
 
-        oldCodeBlock = executable->m_moduleProgramCodeBlock.get();
-        executable->m_moduleProgramCodeBlock.setMayBeNull(vm, this, codeBlock);
+        oldCodeBlock = executable->m_moduleProgramCodeBlock;
+        executable->m_moduleProgramCodeBlock = codeBlock;
         break;
     }
@@ -194 +155 @@
         ASSERT(kind == CodeForCall);
         
-        oldCodeBlock = executable->m_evalCodeBlock.get();
-        executable->m_evalCodeBlock.setMayBeNull(vm, this, codeBlock);
+        oldCodeBlock = executable->m_evalCodeBlock;
+        executable->m_evalCodeBlock = codeBlock;
         break;
     }
@@ -205 +166 @@
         switch (kind) {
         case CodeForCall:
-            oldCodeBlock = executable->m_codeBlockForCall.get();
-            executable->m_codeBlockForCall.setMayBeNull(vm, this, codeBlock);
+            oldCodeBlock = executable->m_codeBlockForCall;
+            executable->m_codeBlockForCall = codeBlock;
             break;
         case CodeForConstruct:
-            oldCodeBlock = executable->m_codeBlockForConstruct.get();
-            executable->m_codeBlockForConstruct.setMayBeNull(vm, this, codeBlock);
+            oldCodeBlock = executable->m_codeBlockForConstruct;
+            executable->m_codeBlockForConstruct = codeBlock;
             break;
         }
@@ -250 +211 @@
 }
 
-CodeBlock* ScriptExecutable::newCodeBlockFor(
+RefPtr<CodeBlock> ScriptExecutable::newCodeBlockFor(
     CodeSpecializationKind kind, JSFunction* function, JSScope* scope, JSObject*& exception)
 {
@@ -264 +225 @@
         RELEASE_ASSERT(!executable->m_evalCodeBlock);
         RELEASE_ASSERT(!function);
-        return EvalCodeBlock::create(vm,
+        return adoptRef(new EvalCodeBlock(
             executable, executable->m_unlinkedEvalCodeBlock.get(), scope,
-            executable->source().provider());
+            executable->source().provider()));
     }
     
@@ -274 +235 @@
         RELEASE_ASSERT(!executable->m_programCodeBlock);
         RELEASE_ASSERT(!function);
-        return ProgramCodeBlock::create(vm,
+        return adoptRef(new ProgramCodeBlock(
             executable, executable->m_unlinkedProgramCodeBlock.get(), scope,
-            executable->source().provider(), executable->source().startColumn());
+            executable->source().provider(), executable->source().startColumn()));
     }
 
@@ -284 +245 @@
         RELEASE_ASSERT(!executable->m_moduleProgramCodeBlock);
         RELEASE_ASSERT(!function);
-        return ModuleProgramCodeBlock::create(vm,
+        return adoptRef(new ModuleProgramCodeBlock(
             executable, executable->m_unlinkedModuleProgramCodeBlock.get(), scope,
-            executable->source().provider(), executable->source().startColumn());
+            executable->source().provider(), executable->source().startColumn()));
     }
 
@@ -316 +277 @@
     unsigned startColumn = executable->source().startColumn();
 
-    return FunctionCodeBlock::create(vm,
-        executable, unlinkedCodeBlock, scope, provider, sourceOffset, startColumn);
-}
-
-CodeBlock* ScriptExecutable::newReplacementCodeBlockFor(
+    return adoptRef(new FunctionCodeBlock(
+        executable, unlinkedCodeBlock, scope, provider, sourceOffset, startColumn));
+}
+
+PassRefPtr<CodeBlock> ScriptExecutable::newReplacementCodeBlockFor(
     CodeSpecializationKind kind)
 {
@@ -328 +289 @@
         EvalCodeBlock* baseline = static_cast<EvalCodeBlock*>(
             executable->m_evalCodeBlock->baselineVersion());
-        EvalCodeBlock* result = EvalCodeBlock::create(vm(),
-            CodeBlock::CopyParsedBlock, *baseline);
-        result->setAlternative(*vm(), baseline);
+        RefPtr<EvalCodeBlock> result = adoptRef(new EvalCodeBlock(
+            CodeBlock::CopyParsedBlock, *baseline));
+        result->setAlternative(baseline);
         return result;
     }
@@ -339 +300 @@
         ProgramCodeBlock* baseline = static_cast<ProgramCodeBlock*>(
             executable->m_programCodeBlock->baselineVersion());
-        ProgramCodeBlock* result = ProgramCodeBlock::create(vm(),
-            CodeBlock::CopyParsedBlock, *baseline);
-        result->setAlternative(*vm(), baseline);
+        RefPtr<ProgramCodeBlock> result = adoptRef(new ProgramCodeBlock(
+            CodeBlock::CopyParsedBlock, *baseline));
+        result->setAlternative(baseline);
         return result;
     }
@@ -350 +311 @@
         ModuleProgramCodeBlock* baseline = static_cast<ModuleProgramCodeBlock*>(
             executable->m_moduleProgramCodeBlock->baselineVersion());
-        ModuleProgramCodeBlock* result = ModuleProgramCodeBlock::create(vm(),
-            CodeBlock::CopyParsedBlock, *baseline);
-        result->setAlternative(*vm(), baseline);
+        RefPtr<ModuleProgramCodeBlock> result = adoptRef(new ModuleProgramCodeBlock(
+            CodeBlock::CopyParsedBlock, *baseline));
+        result->setAlternative(baseline);
         return result;
     }
@@ -360 +321 @@
     FunctionCodeBlock* baseline = static_cast<FunctionCodeBlock*>(
         executable->codeBlockFor(kind)->baselineVersion());
-    FunctionCodeBlock* result = FunctionCodeBlock::create(vm(),
-        CodeBlock::CopyParsedBlock, *baseline);
-    result->setAlternative(*vm(), baseline);
+    RefPtr<FunctionCodeBlock> result = adoptRef(new FunctionCodeBlock(
+        CodeBlock::CopyParsedBlock, *baseline));
+    result->setAlternative(baseline);
     return result;
 }
@@ -390 +351 @@
     
     JSObject* exception = 0;
-    CodeBlock* codeBlock = newCodeBlockFor(kind, function, scope, exception);
+    RefPtr<CodeBlock> codeBlock = newCodeBlockFor(kind, function, scope, exception);
     if (!codeBlock) {
         RELEASE_ASSERT(exception);
@@ -400 +361 @@
     
     if (Options::useLLInt())
-        setupLLInt(vm, codeBlock);
+        setupLLInt(vm, codeBlock.get());
     else
-        setupJIT(vm, codeBlock);
-    
-    installCode(*codeBlock->vm(), codeBlock, codeBlock->codeType(), codeBlock->specializationKind());
+        setupJIT(vm, codeBlock.get());
+    
+    installCode(*codeBlock->vm(), codeBlock.get(), codeBlock->codeType(), codeBlock->specializationKind());
     return 0;
 }
@@ -542 +503 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
     ScriptExecutable::visitChildren(thisObject, visitor);
+    if (thisObject->m_evalCodeBlock)
+        thisObject->m_evalCodeBlock->visitAggregate(visitor);
     visitor.append(&thisObject->m_unlinkedEvalCodeBlock);
-    if (thisObject->m_evalCodeBlock)
-        thisObject->m_evalCodeBlock->visitWeakly(visitor);
+}
+
+void EvalExecutable::clearCode()
+{
+    m_evalCodeBlock = nullptr;
+    m_unlinkedEvalCodeBlock.clear();
+    Base::clearCode();
 }
 
@@ -651 +619 @@
     visitor.append(&thisObject->m_unlinkedProgramCodeBlock);
     if (thisObject->m_programCodeBlock)
-        thisObject->m_programCodeBlock->visitWeakly(visitor);
+        thisObject->m_programCodeBlock->visitAggregate(visitor);
+}
+
+void ProgramExecutable::clearCode()
+{
+    m_programCodeBlock = nullptr;
+    m_unlinkedProgramCodeBlock.clear();
+    Base::clearCode();
 }
 
@@ -662 +637 @@
     visitor.append(&thisObject->m_moduleEnvironmentSymbolTable);
     if (thisObject->m_moduleProgramCodeBlock)
-        thisObject->m_moduleProgramCodeBlock->visitWeakly(visitor);
+        thisObject->m_moduleProgramCodeBlock->visitAggregate(visitor);
+}
+
+void ModuleProgramExecutable::clearCode()
+{
+    m_moduleProgramCodeBlock = nullptr;
+    m_unlinkedModuleProgramCodeBlock.clear();
+    m_moduleEnvironmentSymbolTable.clear();
+    Base::clearCode();
 }
 
@@ -685 +668 @@
     ScriptExecutable::visitChildren(thisObject, visitor);
     if (thisObject->m_codeBlockForCall)
-        thisObject->m_codeBlockForCall->visitWeakly(visitor);
+        thisObject->m_codeBlockForCall->visitAggregate(visitor);
     if (thisObject->m_codeBlockForConstruct)
-        thisObject->m_codeBlockForConstruct->visitWeakly(visitor);
+        thisObject->m_codeBlockForConstruct->visitAggregate(visitor);
     visitor.append(&thisObject->m_unlinkedExecutable);
     visitor.append(&thisObject->m_singletonFunction);
+}
+
+void FunctionExecutable::clearCode()
+{
+    m_codeBlockForCall = nullptr;
+    m_codeBlockForConstruct = nullptr;
+    Base::clearCode();
 }
 
@@ -727 +717 @@
     ExecutableBase::visitChildren(thisObject, visitor);
     if (thisObject->m_codeBlockForCall)
-        thisObject->m_codeBlockForCall->visitWeakly(visitor);
+        thisObject->m_codeBlockForCall->visitAggregate(visitor);
     visitor.append(&thisObject->m_module);
+}
+
+void WebAssemblyExecutable::clearCode()
+{
+    m_codeBlockForCall = nullptr;
+    Base::clearCode();
 }
 
@@ -739 +735 @@
     DeferGC deferGC(vm.heap);
 
-    WebAssemblyCodeBlock* codeBlock = WebAssemblyCodeBlock::create(vm,
-        this, exec->lexicalGlobalObject()));
-
-    WASMFunctionParser::compile(vm, codeBlock, m_module.get(), m_source, m_functionIndex);
+    RefPtr<WebAssemblyCodeBlock> codeBlock = adoptRef(new WebAssemblyCodeBlock(
+        this, vm, exec->lexicalGlobalObject()));
+
+    WASMFunctionParser::compile(vm, codeBlock.get(), m_module.get(), m_source, m_functionIndex);
 
     m_jitCodeForCall = codeBlock->jitCode();
@@ -748 +744 @@
     m_numParametersForCall = codeBlock->numParameters();
 
-    m_codeBlockForCall.set(vm, this, codeBlock);
+    m_codeBlockForCall = codeBlock;
 
     Heap::heap(this)->writeBarrier(this);

trunk/Source/JavaScriptCore/runtime/Executable.h

@@ -140 +140 @@
 
 public:
+    static void clearCodeVirtual(ExecutableBase*);
+
     PassRefPtr<JITCode> generatedJITCodeForCall()
     {
@@ -305 +307 @@
 
 private:
-    friend class ExecutableBase;
-
     NativeExecutable(VM& vm, NativeFunction function, NativeFunction constructor)
         : ExecutableBase(vm, vm.nativeExecutableStructure.get(), NUM_PARAMETERS_IS_HOST)
@@ -377 +377 @@
     void installCode(CodeBlock*);
     void installCode(VM&, CodeBlock*, CodeType, CodeSpecializationKind);
-    CodeBlock* newCodeBlockFor(CodeSpecializationKind, JSFunction*, JSScope*, JSObject*& exception);
-    CodeBlock* newReplacementCodeBlockFor(CodeSpecializationKind);
+    RefPtr<CodeBlock> newCodeBlockFor(CodeSpecializationKind, JSFunction*, JSScope*, JSObject*& exception);
+    PassRefPtr<CodeBlock> newReplacementCodeBlockFor(CodeSpecializationKind);
     
     JSObject* prepareForExecution(ExecState* exec, JSFunction* function, JSScope* scope, CodeSpecializationKind kind)
@@ -390 +390 @@
 
 private:
-    friend class ExecutableBase;
     JSObject* prepareForExecutionImpl(ExecState*, JSFunction*, JSScope*, CodeSpecializationKind);
 
@@ -449 +448 @@
     DECLARE_INFO;
 
+    void clearCode();
+
     ExecutableInfo executableInfo() const { return ExecutableInfo(needsActivation(), usesEval(), isStrictMode(), false, false, ConstructorKind::None, false); }
 
@@ -455 +456 @@
 
 private:
-    friend class ExecutableBase;
     friend class ScriptExecutable;
     EvalExecutable(ExecState*, const SourceCode&, bool);
@@ -461 +461 @@
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    WriteBarrier<EvalCodeBlock> m_evalCodeBlock;
+    RefPtr<EvalCodeBlock> m_evalCodeBlock;
     WriteBarrier<UnlinkedEvalCodeBlock> m_unlinkedEvalCodeBlock;
 };
@@ -502 +502 @@
     DECLARE_INFO;
 
+    void clearCode();
+
     ExecutableInfo executableInfo() const { return ExecutableInfo(needsActivation(), usesEval(), isStrictMode(), false, false, ConstructorKind::None, false); }
 
 private:
-    friend class ExecutableBase;
     friend class ScriptExecutable;
 
@@ -513 +514 @@
 
     WriteBarrier<UnlinkedProgramCodeBlock> m_unlinkedProgramCodeBlock;
-    WriteBarrier<ProgramCodeBlock> m_programCodeBlock;
+    RefPtr<ProgramCodeBlock> m_programCodeBlock;
 };
 
@@ -543 +544 @@
     DECLARE_INFO;
 
+    void clearCode();
+
     ExecutableInfo executableInfo() const { return ExecutableInfo(needsActivation(), usesEval(), isStrictMode(), false, false, ConstructorKind::None, false); }
     UnlinkedModuleProgramCodeBlock* unlinkedModuleProgramCodeBlock() { return m_unlinkedModuleProgramCodeBlock.get(); }
@@ -549 +552 @@
 
 private:
-    friend class ExecutableBase;
     friend class ScriptExecutable;
 
@@ -558 +560 @@
     WriteBarrier<UnlinkedModuleProgramCodeBlock> m_unlinkedModuleProgramCodeBlock;
     WriteBarrier<SymbolTable> m_moduleEnvironmentSymbolTable;
-    WriteBarrier<ModuleProgramCodeBlock> m_moduleProgramCodeBlock;
+    RefPtr<ModuleProgramCodeBlock> m_moduleProgramCodeBlock;
 };
 
@@ -599 +601 @@
     bool isGeneratedForCall() const
     {
-        return !!m_codeBlockForCall;
+        return m_codeBlockForCall;
     }
 
@@ -609 +611 @@
     bool isGeneratedForConstruct() const
     {
-        return m_codeBlockForConstruct.get();
+        return m_codeBlockForConstruct;
     }
 
@@ -675 +677 @@
     DECLARE_INFO;
 
+    void clearCode();
+    
     InferredValue* singletonFunction() { return m_singletonFunction.get(); }
 
 private:
-    friend class ExecutableBase;
     FunctionExecutable(
         VM&, const SourceCode&, UnlinkedFunctionExecutable*, unsigned firstLine, 
@@ -688 +691 @@
     
     WriteBarrier<UnlinkedFunctionExecutable> m_unlinkedExecutable;
-    WriteBarrier<FunctionCodeBlock> m_codeBlockForCall;
-    WriteBarrier<FunctionCodeBlock> m_codeBlockForConstruct;
+    RefPtr<FunctionCodeBlock> m_codeBlockForCall;
+    RefPtr<FunctionCodeBlock> m_codeBlockForConstruct;
     RefPtr<TypeSet> m_returnStatementTypeSet;
     unsigned m_parametersStartOffset;
@@ -717 +720 @@
     DECLARE_INFO;
 
+    void clearCode();
+
     void prepareForExecution(ExecState*);
 
@@ -725 +730 @@
 
 private:
-    friend class ExecutableBase;
     WebAssemblyExecutable(VM&, const SourceCode&, JSWASMModule*, unsigned functionIndex);
 
@@ -734 +738 @@
     unsigned m_functionIndex;
 
-    WriteBarrier<WebAssemblyCodeBlock> m_codeBlockForCall;
+    RefPtr<WebAssemblyCodeBlock> m_codeBlockForCall;
 };
 #endif
 
-} // namespace JSC
-
-#endif // Executable_h
+inline void ExecutableBase::clearCodeVirtual(ExecutableBase* executable)
+{
+    switch (executable->type()) {
+    case EvalExecutableType:
+        return jsCast<EvalExecutable*>(executable)->clearCode();
+    case ProgramExecutableType:
+        return jsCast<ProgramExecutable*>(executable)->clearCode();
+    case FunctionExecutableType:
+        return jsCast<FunctionExecutable*>(executable)->clearCode();
+#if ENABLE(WEBASSEMBLY)
+    case WebAssemblyExecutableType:
+        return jsCast<WebAssemblyExecutable*>(executable)->clearCode();
+#endif
+    case ModuleProgramExecutableType:
+        return jsCast<ModuleProgramExecutable*>(executable)->clearCode();
+    default:
+        return jsCast<NativeExecutable*>(executable)->clearCode();
+    }
+}
+
+}
+
+#endif

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -249 +249 @@
     promiseDeferredStructure.set(*this, JSPromiseDeferred::createStructure(*this, 0, jsNull()));
     internalPromiseDeferredStructure.set(*this, JSInternalPromiseDeferred::createStructure(*this, 0, jsNull()));
-    programCodeBlockStructure.set(*this, ProgramCodeBlock::createStructure(*this, 0, jsNull()));
-    moduleProgramCodeBlockStructure.set(*this, ModuleProgramCodeBlock::createStructure(*this, 0, jsNull()));
-    evalCodeBlockStructure.set(*this, EvalCodeBlock::createStructure(*this, 0, jsNull()));
-    functionCodeBlockStructure.set(*this, FunctionCodeBlock::createStructure(*this, 0, jsNull()));
-#if ENABLE(WEBASSEMBLY)
-    webAssemblyCodeBlockStructure.set(*this, WebAssemblyCodeBlock::createStructure(*this, 0, jsNull()));
-#endif
-
     iterationTerminator.set(*this, JSFinalObject::create(*this, JSFinalObject::createStructure(*this, 0, jsNull(), 1)));
     nativeStdFunctionCellStructure.set(*this, NativeStdFunctionCell::createStructure(*this, 0, jsNull()));

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -310 +310 @@
     Strong<Structure> internalPromiseDeferredStructure;
     Strong<Structure> nativeStdFunctionCellStructure;
-    Strong<Structure> programCodeBlockStructure;
-    Strong<Structure> moduleProgramCodeBlockStructure;
-    Strong<Structure> evalCodeBlockStructure;
-    Strong<Structure> functionCodeBlockStructure;
-    Strong<Structure> webAssemblyCodeBlockStructure;
-
     Strong<JSCell> iterationTerminator;
     Strong<JSCell> emptyPropertyNameEnumerator;