Changeset 208953 in webkit

Timestamp:

Nov 21, 2016 3:54:43 PM (7 years ago)

Author:

Yusuke Suzuki

Message:

Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
​https://bugs.webkit.org/show_bug.cgi?id=164898

Reviewed by Darin Adler.

JSTests:

• stress/tagged-template-registry-key-collect.js: Added.

(shouldBe):
(tag):
(i.eval):

• stress/tagged-template-registry-key.js: Added.

(shouldBe):
(tag):
(a):
(b):

Source/JavaScriptCore:

The callsite object (JSArray) of tagged template literal is managed by WeakGCMap since
same tagged template literal need to return an identical object.
The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
can prune its entries in the collector thread. At that time, this TemplateRegistryKey
is deallocated. Since it includes String (and then, StringImpl), we accidentally call
ref(), deref() and StringImpl::destroy() in the different thread from the main thread
while this TemplateRegistryKey is allocated in the main thread.

Instead, we use TemplateRegistryKey* as the key of WeakGCMap. Then, to keep its liveness
while the entry of the WeakGCMap is alive, the callsite object has the reference to
the JSTemplateRegistryKey. And it holds Ref<TemplateRegistryKey>.

And now we need to lookup WeakGCMap with TemplateRegistryKey*. To do so, we create
interning system for TemplateRegistryKey. It is similar to AtomicStringTable and
SymbolRegistry. TemplateRegistryKey is allocated from this table. This table atomize the
TemplateRegistryKey. So we can use the pointer comparison between TemplateRegistryKey.
It allows us to lookup the entry from WeakGCMap by TemplateRegistryKey*.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• builtins/BuiltinNames.h:
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
(JSC::BytecodeGenerator::emitGetTemplateObject):

• bytecompiler/BytecodeGenerator.h:
• runtime/JSGlobalObject.cpp:

(JSC::getTemplateObject):

• runtime/JSTemplateRegistryKey.cpp:

(JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
(JSC::JSTemplateRegistryKey::create):

• runtime/JSTemplateRegistryKey.h:
• runtime/TemplateRegistry.cpp:

(JSC::TemplateRegistry::getTemplateObject):

• runtime/TemplateRegistry.h:
• runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.

(JSC::TemplateRegistryKey::~TemplateRegistryKey):

• runtime/TemplateRegistryKey.h:

(JSC::TemplateRegistryKey::calculateHash):
(JSC::TemplateRegistryKey::create):
(JSC::TemplateRegistryKey::TemplateRegistryKey):

• runtime/TemplateRegistryKeyTable.cpp: Added.

(JSC::TemplateRegistryKeyTranslator::hash):
(JSC::TemplateRegistryKeyTranslator::equal):
(JSC::TemplateRegistryKeyTranslator::translate):
(JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
(JSC::TemplateRegistryKeyTable::createKey):
(JSC::TemplateRegistryKeyTable::unregister):

• runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.

(JSC::TemplateRegistryKeyTable::KeyHash::hash):
(JSC::TemplateRegistryKeyTable::KeyHash::equal):

• runtime/VM.h:

(JSC::VM::templateRegistryKeyTable):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/tagged-template-registry-key-collect.js (added)
• JSTests/stress/tagged-template-registry-key.js (added)
• Source/JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (5 diffs)
• Source/JavaScriptCore/builtins/BuiltinNames.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSTemplateRegistryKey.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/TemplateRegistry.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/TemplateRegistry.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp (copied) (copied from trunk/Source/JavaScriptCore/runtime/TemplateRegistry.h) (2 diffs)
• Source/JavaScriptCore/runtime/TemplateRegistryKey.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/TemplateRegistryKeyTable.cpp (added)
• Source/JavaScriptCore/runtime/TemplateRegistryKeyTable.h (copied) (copied from trunk/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h) (2 diffs)
• Source/JavaScriptCore/runtime/VM.h (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2016-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
+        https://bugs.webkit.org/show_bug.cgi?id=164898
+
+        Reviewed by Darin Adler.
+
+        * stress/tagged-template-registry-key-collect.js: Added.
+        (shouldBe):
+        (tag):
+        (i.eval):
+        * stress/tagged-template-registry-key.js: Added.
+        (shouldBe):
+        (tag):
+        (a):
+        (b):
+
 2016-11-20  Caitlin Potter  <caitp@igalia.com>
 

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -867 +867 @@
     runtime/SymbolTable.cpp
     runtime/TemplateRegistry.cpp
+    runtime/TemplateRegistryKey.cpp
+    runtime/TemplateRegistryKeyTable.cpp
     runtime/TestRunnerUtils.cpp
     runtime/ThrowScope.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142
+        https://bugs.webkit.org/show_bug.cgi?id=164898
+
+        Reviewed by Darin Adler.
+
+        The callsite object (JSArray) of tagged template literal is managed by WeakGCMap since
+        same tagged template literal need to return an identical object.
+        The problem is that we used TemplateRegistryKey as the key of the WeakGCMap. WeakGCMap
+        can prune its entries in the collector thread. At that time, this TemplateRegistryKey
+        is deallocated. Since it includes String (and then, StringImpl), we accidentally call
+        ref(), deref() and StringImpl::destroy() in the different thread from the main thread
+        while this TemplateRegistryKey is allocated in the main thread.
+
+        Instead, we use TemplateRegistryKey* as the key of WeakGCMap. Then, to keep its liveness
+        while the entry of the WeakGCMap is alive, the callsite object has the reference to
+        the JSTemplateRegistryKey. And it holds Ref<TemplateRegistryKey>.
+
+        And now we need to lookup WeakGCMap with TemplateRegistryKey*. To do so, we create
+        interning system for TemplateRegistryKey. It is similar to AtomicStringTable and
+        SymbolRegistry. TemplateRegistryKey is allocated from this table. This table atomize the
+        TemplateRegistryKey. So we can use the pointer comparison between TemplateRegistryKey.
+        It allows us to lookup the entry from WeakGCMap by TemplateRegistryKey*.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * builtins/BuiltinNames.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
+        (JSC::BytecodeGenerator::emitGetTemplateObject):
+        * bytecompiler/BytecodeGenerator.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::getTemplateObject):
+        * runtime/JSTemplateRegistryKey.cpp:
+        (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey):
+        (JSC::JSTemplateRegistryKey::create):
+        * runtime/JSTemplateRegistryKey.h:
+        * runtime/TemplateRegistry.cpp:
+        (JSC::TemplateRegistry::getTemplateObject):
+        * runtime/TemplateRegistry.h:
+        * runtime/TemplateRegistryKey.cpp: Copied from Source/JavaScriptCore/runtime/TemplateRegistry.h.
+        (JSC::TemplateRegistryKey::~TemplateRegistryKey):
+        * runtime/TemplateRegistryKey.h:
+        (JSC::TemplateRegistryKey::calculateHash):
+        (JSC::TemplateRegistryKey::create):
+        (JSC::TemplateRegistryKey::TemplateRegistryKey):
+        * runtime/TemplateRegistryKeyTable.cpp: Added.
+        (JSC::TemplateRegistryKeyTranslator::hash):
+        (JSC::TemplateRegistryKeyTranslator::equal):
+        (JSC::TemplateRegistryKeyTranslator::translate):
+        (JSC::TemplateRegistryKeyTable::~TemplateRegistryKeyTable):
+        (JSC::TemplateRegistryKeyTable::createKey):
+        (JSC::TemplateRegistryKeyTable::unregister):
+        * runtime/TemplateRegistryKeyTable.h: Copied from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
+        (JSC::TemplateRegistryKeyTable::KeyHash::hash):
+        (JSC::TemplateRegistryKeyTable::KeyHash::equal):
+        * runtime/VM.h:
+        (JSC::VM::templateRegistryKeyTable):
+
 2016-11-21  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -2330 +2330 @@
                 FEF040511AAE662D00BD28B0 /* CompareAndSwapTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FEF040501AAE662D00BD28B0 /* CompareAndSwapTest.cpp */; };
                 FEFD6FC61D5E7992008F2F0B /* JSStringInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = FEFD6FC51D5E7970008F2F0B /* JSStringInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                1A8826B1653C4CD1A642983B /* TemplateRegistryKeyTable.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 8B47F234366C4B72AC852A7E /* TemplateRegistryKeyTable.cpp */; };
+                78274D8E4C4D4FCD9A1DC6E6 /* TemplateRegistryKey.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BDB4B5E099CD4C1BB3C1CF05 /* TemplateRegistryKey.cpp */; };
+                95D4261AF4C84CE2ACBAC981 /* TemplateRegistryKeyTable.h in Headers */ = {isa = PBXBuildFile; fileRef = 08FC2F37AB76483A9966688F /* TemplateRegistryKeyTable.h */; settings = {ATTRIBUTES = (Private, ); }; };
 /* End PBXBuildFile section */
 
@@ -4820 +4823 @@
                 FEF040521AAEC4ED00BD28B0 /* CompareAndSwapTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CompareAndSwapTest.h; path = API/tests/CompareAndSwapTest.h; sourceTree = "<group>"; };
                 FEFD6FC51D5E7970008F2F0B /* JSStringInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStringInlines.h; sourceTree = "<group>"; };
+                8B47F234366C4B72AC852A7E /* TemplateRegistryKeyTable.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = TemplateRegistryKeyTable.cpp; path = TemplateRegistryKeyTable.cpp; sourceTree = "<group>"; };
+                BDB4B5E099CD4C1BB3C1CF05 /* TemplateRegistryKey.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = TemplateRegistryKey.cpp; path = TemplateRegistryKey.cpp; sourceTree = "<group>"; };
+                08FC2F37AB76483A9966688F /* TemplateRegistryKeyTable.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = TemplateRegistryKeyTable.h; path = TemplateRegistryKeyTable.h; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
@@ -6638 +6644 @@
                                 A7DCB77912E3D90500911940 /* WriteBarrier.h */,
                                 C2B6D75218A33793004A9301 /* WriteBarrierInlines.h */,
+                                8B47F234366C4B72AC852A7E /* TemplateRegistryKeyTable.cpp */,
+                                BDB4B5E099CD4C1BB3C1CF05 /* TemplateRegistryKey.cpp */,
+                                08FC2F37AB76483A9966688F /* TemplateRegistryKeyTable.h */,
                         );
                         path = runtime;
@@ -8972 +8981 @@
                                 D9722752DC54459B9125B539 /* JSModuleLoader.h in Headers */,
                                 473DA4A4764C45FE871B0485 /* DefinePropertyAttributes.h in Headers */,
+                                95D4261AF4C84CE2ACBAC981 /* TemplateRegistryKeyTable.h in Headers */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;
@@ -10364 +10374 @@
                                 0F2BBD991C5FF3F50023EF23 /* B3VariableValue.cpp in Sources */,
                                 13FECE06D3B445FCB6C93461 /* JSModuleLoader.cpp in Sources */,
+                                1A8826B1653C4CD1A642983B /* TemplateRegistryKeyTable.cpp in Sources */,
+                                78274D8E4C4D4FCD9A1DC6E6 /* TemplateRegistryKey.cpp in Sources */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;

trunk/Source/JavaScriptCore/builtins/BuiltinNames.h

@@ -82 +82 @@
     macro(homeObject) \
     macro(getTemplateObject) \
+    macro(templateRegistryKey) \
     macro(enqueueJob) \
     macro(handler) \

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -2996 +2996 @@
 }
 
-JSTemplateRegistryKey* BytecodeGenerator::addTemplateRegistryKeyConstant(const TemplateRegistryKey& templateRegistryKey)
-{
-    JSTemplateRegistryKey*& templateRegistryKeyInMap = m_templateRegistryKeyMap.add(templateRegistryKey, nullptr).iterator->value;
-    if (!templateRegistryKeyInMap) {
-        templateRegistryKeyInMap = JSTemplateRegistryKey::create(*vm(), templateRegistryKey);
-        addConstantValue(templateRegistryKeyInMap);
-    }
-    return templateRegistryKeyInMap;
+JSTemplateRegistryKey* BytecodeGenerator::addTemplateRegistryKeyConstant(Ref<TemplateRegistryKey>&& templateRegistryKey)
+{
+    return m_templateRegistryKeyMap.ensure(templateRegistryKey.copyRef(), [&] {
+        auto* result = JSTemplateRegistryKey::create(*vm(), WTFMove(templateRegistryKey));
+        addConstantValue(result);
+        return result;
+    }).iterator->value;
 }
 
@@ -4399 +4398 @@
 
     CallArguments arguments(*this, nullptr);
-    emitLoad(arguments.thisRegister(), JSValue(addTemplateRegistryKeyConstant(TemplateRegistryKey(rawStrings, cookedStrings))));
+    emitLoad(arguments.thisRegister(), JSValue(addTemplateRegistryKeyConstant(m_vm->templateRegistryKeyTable().createKey(rawStrings, cookedStrings))));
     return emitCall(dst, getTemplateObject.get(), NoExpectedFunction, arguments, taggedTemplate->divot(), taggedTemplate->divotStart(), taggedTemplate->divotEnd(), DebuggableCall::No);
 }

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -802 +802 @@
         typedef HashMap<double, JSValue> NumberMap;
         typedef HashMap<UniquedStringImpl*, JSString*, IdentifierRepHash> IdentifierStringMap;
-        typedef HashMap<TemplateRegistryKey, JSTemplateRegistryKey*> TemplateRegistryKeyMap;
+        typedef HashMap<Ref<TemplateRegistryKey>, JSTemplateRegistryKey*> TemplateRegistryKeyMap;
         
         // Helper for emitCall() and emitConstruct(). This works because the set of
@@ -886 +886 @@
     public:
         JSString* addStringConstant(const Identifier&);
-        JSTemplateRegistryKey* addTemplateRegistryKeyConstant(const TemplateRegistryKey&);
+        JSTemplateRegistryKey* addTemplateRegistryKeyConstant(Ref<TemplateRegistryKey>&&);
 
         Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow>& instructions() { return m_instructions; }

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -291 +291 @@
     JSValue thisValue = exec->thisValue();
     ASSERT(thisValue.inherits(JSTemplateRegistryKey::info()));
-    return JSValue::encode(exec->lexicalGlobalObject()->templateRegistry().getTemplateObject(exec, jsCast<JSTemplateRegistryKey*>(thisValue)->templateRegistryKey()));
+    return JSValue::encode(exec->lexicalGlobalObject()->templateRegistry().getTemplateObject(exec, jsCast<JSTemplateRegistryKey*>(thisValue)));
 }
 

trunk/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.cpp

@@ -36 +36 @@
 
 
-JSTemplateRegistryKey::JSTemplateRegistryKey(VM& vm, const TemplateRegistryKey& templateRegistryKey)
+JSTemplateRegistryKey::JSTemplateRegistryKey(VM& vm, Ref<TemplateRegistryKey>&& templateRegistryKey)
     : Base(vm, vm.templateRegistryKeyStructure.get())
-    , m_templateRegistryKey(templateRegistryKey)
+    , m_templateRegistryKey(WTFMove(templateRegistryKey))
 {
 }
 
-JSTemplateRegistryKey* JSTemplateRegistryKey::create(VM& vm, const TemplateRegistryKey& templateRegistryKey)
+JSTemplateRegistryKey* JSTemplateRegistryKey::create(VM& vm, Ref<TemplateRegistryKey>&& templateRegistryKey)
 {
-    JSTemplateRegistryKey* result = new (NotNull, allocateCell<JSTemplateRegistryKey>(vm.heap)) JSTemplateRegistryKey(vm, templateRegistryKey);
+    JSTemplateRegistryKey* result = new (NotNull, allocateCell<JSTemplateRegistryKey>(vm.heap)) JSTemplateRegistryKey(vm, WTFMove(templateRegistryKey));
     result->finishCreation(vm);
     return result;

trunk/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h

@@ -36 +36 @@
     typedef JSDestructibleObject Base;
 
-    static JSTemplateRegistryKey* create(VM&, const TemplateRegistryKey&);
+    static JSTemplateRegistryKey* create(VM&, Ref<TemplateRegistryKey>&&);
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
@@ -45 +45 @@
     DECLARE_INFO;
 
-    const TemplateRegistryKey& templateRegistryKey() const { return m_templateRegistryKey; }
+    const TemplateRegistryKey& templateRegistryKey() const { return m_templateRegistryKey.get(); }
 
 protected:
@@ -51 +51 @@
 
 private:
-    JSTemplateRegistryKey(VM&, const TemplateRegistryKey&);
+    JSTemplateRegistryKey(VM&, Ref<TemplateRegistryKey>&&);
 
-    TemplateRegistryKey m_templateRegistryKey;
+    Ref<TemplateRegistryKey> m_templateRegistryKey;
 };
 

trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp

@@ -28 +28 @@
 #include "TemplateRegistry.h"
 
+#include "BuiltinNames.h"
 #include "JSCInlines.h"
 #include "JSGlobalObject.h"
+#include "JSTemplateRegistryKey.h"
 #include "ObjectConstructor.h"
+#include "TemplateRegistryKey.h"
 #include "WeakGCMapInlines.h"
 
@@ -40 +43 @@
 }
 
-JSArray* TemplateRegistry::getTemplateObject(ExecState* exec, const TemplateRegistryKey& templateKey)
+JSArray* TemplateRegistry::getTemplateObject(ExecState* exec, JSTemplateRegistryKey* templateKeyObject)
 {
-    JSArray* cached = m_templateMap.get(templateKey);
+    auto& templateKey = templateKeyObject->templateRegistryKey();
+    JSArray* cached = m_templateMap.get(&templateKey);
     if (cached)
         return cached;
@@ -64 +68 @@
     templateObject->putDirect(vm, exec->propertyNames().raw, rawObject, ReadOnly | DontEnum | DontDelete);
 
+    // Template JSArray hold the reference to JSTemplateRegistryKey to make TemplateRegistryKey pointer live until this JSArray is collected.
+    // TemplateRegistryKey pointer is used for TemplateRegistry's key.
+    templateObject->putDirect(vm, vm.propertyNames->builtinNames().templateRegistryKeyPrivateName(), templateKeyObject, ReadOnly | DontEnum | DontDelete);
+
     objectConstructorFreeze(exec, templateObject);
     ASSERT(!scope.exception());
 
-    m_templateMap.set(templateKey, templateObject);
+    m_templateMap.set(&templateKey, templateObject);
 
     return templateObject;

trunk/Source/JavaScriptCore/runtime/TemplateRegistry.h

@@ -27 +27 @@
 
 #include "JSArray.h"
-#include "TemplateRegistryKey.h"
 #include "WeakGCMap.h"
 #include <limits>
@@ -33 +32 @@
 namespace JSC {
 
+class JSTemplateRegistryKey;
+class TemplateRegistryKey;
+
 class TemplateRegistry {
 public:
     TemplateRegistry(VM&);
 
-    JSArray* getTemplateObject(ExecState*, const TemplateRegistryKey&);
+    JSArray* getTemplateObject(ExecState*, JSTemplateRegistryKey*);
 
 private:
-    WeakGCMap<TemplateRegistryKey, JSArray> m_templateMap;
+    WeakGCMap<const TemplateRegistryKey*, JSArray> m_templateMap;
 };
 

trunk/Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Yusuke Suzuki <utatane.tea@gmail.com>.
+ * Copyright (C) 2016 Yusuke Suzuki <utatane.tea@gmail.com>.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -24 +24 @@
  */
 
-#pragma once
+#include "config.h"
+#include "TemplateRegistryKey.h"
 
-#include "JSArray.h"
-#include "TemplateRegistryKey.h"
-#include "WeakGCMap.h"
-#include <limits>
+#include "TemplateRegistryKeyTable.h"
 
 namespace JSC {
 
-class TemplateRegistry {
-public:
-    TemplateRegistry(VM&);
-
-    JSArray* getTemplateObject(ExecState*, const TemplateRegistryKey&);
-
-private:
-    WeakGCMap<TemplateRegistryKey, JSArray> m_templateMap;
-};
+TemplateRegistryKey::~TemplateRegistryKey()
+{
+    if (m_table)
+        m_table->unregister(*this);
+}
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/TemplateRegistryKey.h

@@ -33 +33 @@
 namespace JSC {
 
-class TemplateRegistryKey {
+class TemplateRegistryKeyTable;
+
+class TemplateRegistryKey : public RefCounted<TemplateRegistryKey> {
 public:
+    friend class TemplateRegistryKeyTable;
     typedef Vector<String, 4> StringVector;
 
-    TemplateRegistryKey(const StringVector& rawStrings, const StringVector& cookedStrings);
     enum DeletedValueTag { DeletedValue };
     TemplateRegistryKey(DeletedValueTag);
@@ -61 +63 @@
     };
 
+    static unsigned calculateHash(const StringVector& rawStrings);
+    ~TemplateRegistryKey();
+
 private:
+    static Ref<TemplateRegistryKey> create(const StringVector& rawStrings, const StringVector& cookedStrings)
+    {
+        return adoptRef(*new TemplateRegistryKey(rawStrings, cookedStrings));
+    }
+
+    TemplateRegistryKey(const StringVector& rawStrings, const StringVector& cookedStrings);
+
+    TemplateRegistryKeyTable* m_table { nullptr };
     StringVector m_rawStrings;
     StringVector m_cookedStrings;
@@ -70 +83 @@
     : m_rawStrings(rawStrings)
     , m_cookedStrings(cookedStrings)
+    , m_hash(calculateHash(rawStrings))
 {
-    m_hash = 0;
-    for (const String& string : rawStrings)
-        m_hash += WTF::StringHash::hash(string);
 }
 
@@ -84 +95 @@
     : m_hash(0)
 {
+}
+
+inline unsigned TemplateRegistryKey::calculateHash(const StringVector& rawStrings)
+{
+    StringHasher hasher;
+    for (const String& string : rawStrings) {
+        if (string.is8Bit())
+            hasher.addCharacters(string.characters8(), string.length());
+        else
+            hasher.addCharacters(string.characters16(), string.length());
+    }
+    return hasher.hash();
 }
 

trunk/Source/JavaScriptCore/runtime/TemplateRegistryKeyTable.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Yusuke Suzuki <utatane.tea@gmail.com>.
+ * Copyright (C) 2016 Yusuke Suzuki <utatane.tea@gmail.com>.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #pragma once
 
-#include "JSDestructibleObject.h"
-#include "Structure.h"
 #include "TemplateRegistryKey.h"
+#include <wtf/Forward.h>
+#include <wtf/HashSet.h>
+#include <wtf/Noncopyable.h>
 
 namespace JSC {
 
-class JSTemplateRegistryKey final : public JSDestructibleObject {
+class TemplateRegistryKeyTable {
+    WTF_MAKE_NONCOPYABLE(TemplateRegistryKeyTable);
 public:
-    typedef JSDestructibleObject Base;
+    using StringVector = Vector<String, 4>;
 
-    static JSTemplateRegistryKey* create(VM&, const TemplateRegistryKey&);
+    TemplateRegistryKeyTable() = default;
 
-    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
-    {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
-    }
+    Ref<TemplateRegistryKey> createKey(const StringVector& rawStrings, const StringVector& cookedStrings);
 
-    DECLARE_INFO;
+    void unregister(TemplateRegistryKey&);
 
-    const TemplateRegistryKey& templateRegistryKey() const { return m_templateRegistryKey; }
-
-protected:
-    static void destroy(JSCell*);
+    ~TemplateRegistryKeyTable();
 
 private:
-    JSTemplateRegistryKey(VM&, const TemplateRegistryKey&);
+    struct KeyHash {
+        static unsigned hash(const TemplateRegistryKey* key) { return key->hash(); }
+        static bool equal(const TemplateRegistryKey* a, const TemplateRegistryKey* b) { return *a == *b; }
+        static const bool safeToCompareToEmptyOrDeleted = false;
+    };
 
-    TemplateRegistryKey m_templateRegistryKey;
+    HashSet<TemplateRegistryKey*, KeyHash> m_atomicTable;
 };
 

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -49 +49 @@
 #include "SourceCode.h"
 #include "Strong.h"
+#include "TemplateRegistryKeyTable.h"
 #include "ThunkGenerators.h"
 #include "VMEntryRecord.h"
@@ -350 +351 @@
     AtomicStringTable* m_atomicStringTable;
     WTF::SymbolRegistry m_symbolRegistry;
+    TemplateRegistryKeyTable m_templateRegistryKeytable;
     CommonIdentifiers* propertyNames;
     const MarkedArgumentBuffer* emptyList; // Lists are supposed to be allocated on the stack to have their elements properly marked, which is not the case here - but this list has nothing to mark.
@@ -362 +364 @@
     AtomicStringTable* atomicStringTable() const { return m_atomicStringTable; }
     WTF::SymbolRegistry& symbolRegistry() { return m_symbolRegistry; }
+
+    TemplateRegistryKeyTable& templateRegistryKeyTable() { return m_templateRegistryKeytable; }
 
     WeakGCMap<SymbolImpl*, Symbol, PtrHash<SymbolImpl*>> symbolImplToSymbolMap;