Changeset 240965 in webkit

Timestamp:

Feb 4, 2019 10:32:08 PM (5 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
​https://bugs.webkit.org/show_bug.cgi?id=193993

Reviewed by Keith Miller.

Source/JavaScriptCore:

JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM so large.
And some of them are rarely used. We should allocate it lazily.

In this patch, we make some IsoSubspaces std::unique_ptr<IsoSubspace>. And we add ensureXXXSpace
functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes second template
parameter which tells the function whether subspaceFor is concurrently done. If the IsoSubspace is
lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
by using WTF::storeStoreFence when lazily allocating it.

In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
existence of the space before touching this. This is not racy because the main thread is stopped when
the constraint solving is working.

This changes sizeof(VM) from 64736 to 56472.

Another interesting thing is that we removed PreventCollectionScope preventCollectionScope(heap); in
Subspace::initialize. This is really dangerous API since it easily causes dead-lock between the
collector and the mutator if IsoSubspace is dynamically created. We do want to make IsoSubspaces
dynamically-created ones since the requirement of the pre-allocation poses a scalability problem
of IsoSubspace adoption because IsoSubspace is large. Registered Subspace is only touched in the
EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
can run this IsoSubspace code, the collector is never EndPhase. So this is safe.

• API/JSCallbackFunction.h:
• API/ObjCCallbackFunction.h:

(JSC::ObjCCallbackFunction::subspaceFor):

• API/glib/JSCCallbackFunction.h:
• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::finalizeUnconditionally):

• bytecode/CodeBlock.h:
• bytecode/EvalCodeBlock.h:
• bytecode/ExecutableToCodeBlockEdge.h:
• bytecode/FunctionCodeBlock.h:
• bytecode/ModuleProgramCodeBlock.h:
• bytecode/ProgramCodeBlock.h:
• bytecode/UnlinkedFunctionExecutable.cpp:

(JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):

• bytecode/UnlinkedFunctionExecutable.h:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileNewObject):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):

• heap/Heap.cpp:

(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::deleteAllCodeBlocks):
(JSC::Heap::deleteAllUnlinkedCodeBlocks):
(JSC::Heap::addCoreConstraints):

• heap/Subspace.cpp:

(JSC::Subspace::initialize):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateVariableSizedCell):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_new_object):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_new_object):

• runtime/DirectArguments.h:
• runtime/DirectEvalExecutable.h:
• runtime/ErrorInstance.h:

(JSC::ErrorInstance::subspaceFor):

• runtime/ExecutableBase.h:
• runtime/FunctionExecutable.h:
• runtime/IndirectEvalExecutable.h:
• runtime/InferredValue.cpp:

(JSC::InferredValue::visitChildren):

• runtime/InferredValue.h:
• runtime/InferredValueInlines.h:

(JSC::InferredValue::finalizeUnconditionally):

• runtime/InternalFunction.h:
• runtime/JSAsyncFunction.h:
• runtime/JSAsyncGeneratorFunction.h:
• runtime/JSBoundFunction.h:
• runtime/JSCell.h:

(JSC::subspaceFor):
(JSC::subspaceForConcurrently):

• runtime/JSCellInlines.h:

(JSC::allocatorForNonVirtualConcurrently):

• runtime/JSCustomGetterSetterFunction.h:
• runtime/JSDestructibleObject.h:
• runtime/JSFunction.h:
• runtime/JSGeneratorFunction.h:
• runtime/JSImmutableButterfly.h:
• runtime/JSLexicalEnvironment.h:

(JSC::JSLexicalEnvironment::subspaceFor):

• runtime/JSNativeStdFunction.h:
• runtime/JSSegmentedVariableObject.h:
• runtime/JSString.h:
• runtime/ModuleProgramExecutable.h:
• runtime/NativeExecutable.h:
• runtime/ProgramExecutable.h:
• runtime/PropertyMapHashTable.h:
• runtime/ProxyRevoke.h:
• runtime/ScopedArguments.h:
• runtime/ScriptExecutable.cpp:

(JSC::ScriptExecutable::clearCode):
(JSC::ScriptExecutable::installCode):

• runtime/Structure.h:
• runtime/StructureRareData.h:
• runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:

(JSC::VM::SpaceAndSet::SpaceAndSet):
(JSC::VM::SpaceAndSet::setFor):
(JSC::VM::forEachScriptExecutableSpace):
(JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
(JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
(JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
(JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
(JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
(JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.

• runtime/WeakMapImpl.h:

(JSC::WeakMapImpl::subspaceFor):

• wasm/js/JSWebAssemblyCodeBlock.h:
• wasm/js/JSWebAssemblyMemory.h:
• wasm/js/WebAssemblyFunction.h:
• wasm/js/WebAssemblyWrapperFunction.h:

Source/WebCore:

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):

• bridge/runtime_method.h:

Source/WebKit:

• WebProcess/Plugins/Netscape/JSNPMethod.h:
• WebProcess/Plugins/Netscape/JSNPObject.h:

Location:

trunk/Source

Files:

• JavaScriptCore/API/JSCallbackFunction.h (modified) (1 diff)
• JavaScriptCore/API/ObjCCallbackFunction.h (modified) (1 diff)
• JavaScriptCore/API/glib/JSCCallbackFunction.h (modified) (1 diff)
• JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• JavaScriptCore/bytecode/CodeBlock.cpp (modified) (2 diffs)
• JavaScriptCore/bytecode/CodeBlock.h (modified) (1 diff)
• JavaScriptCore/bytecode/EvalCodeBlock.h (modified) (1 diff)
• JavaScriptCore/bytecode/ExecutableToCodeBlockEdge.h (modified) (1 diff)
• JavaScriptCore/bytecode/FunctionCodeBlock.h (modified) (1 diff)
• JavaScriptCore/bytecode/ModuleProgramCodeBlock.h (modified) (1 diff)
• JavaScriptCore/bytecode/ProgramCodeBlock.h (modified) (1 diff)
• JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h (modified) (2 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (3 diffs)
• JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (6 diffs)
• JavaScriptCore/heap/AlignedMemoryAllocator.cpp (modified) (2 diffs)
• JavaScriptCore/heap/Heap.cpp (modified) (5 diffs)
• JavaScriptCore/heap/MarkedSpace.cpp (modified) (1 diff)
• JavaScriptCore/heap/Subspace.cpp (modified) (1 diff)
• JavaScriptCore/jit/AssemblyHelpers.h (modified) (2 diffs)
• JavaScriptCore/jit/JITOpcodes.cpp (modified) (1 diff)
• JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (1 diff)
• JavaScriptCore/runtime/DirectArguments.h (modified) (1 diff)
• JavaScriptCore/runtime/DirectEvalExecutable.h (modified) (1 diff)
• JavaScriptCore/runtime/ErrorInstance.h (modified) (1 diff)
• JavaScriptCore/runtime/ExecutableBase.h (modified) (1 diff)
• JavaScriptCore/runtime/FunctionExecutable.h (modified) (1 diff)
• JavaScriptCore/runtime/IndirectEvalExecutable.h (modified) (1 diff)
• JavaScriptCore/runtime/InferredValue.cpp (modified) (1 diff)
• JavaScriptCore/runtime/InferredValue.h (modified) (1 diff)
• JavaScriptCore/runtime/InferredValueInlines.h (modified) (1 diff)
• JavaScriptCore/runtime/InternalFunction.h (modified) (1 diff)
• JavaScriptCore/runtime/JSAsyncFunction.h (modified) (1 diff)
• JavaScriptCore/runtime/JSAsyncGeneratorFunction.h (modified) (1 diff)
• JavaScriptCore/runtime/JSBoundFunction.h (modified) (1 diff)
• JavaScriptCore/runtime/JSCell.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSCellInlines.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSCustomGetterSetterFunction.h (modified) (1 diff)
• JavaScriptCore/runtime/JSDestructibleObject.h (modified) (1 diff)
• JavaScriptCore/runtime/JSFunction.h (modified) (1 diff)
• JavaScriptCore/runtime/JSGeneratorFunction.h (modified) (1 diff)
• JavaScriptCore/runtime/JSImmutableButterfly.h (modified) (1 diff)
• JavaScriptCore/runtime/JSLexicalEnvironment.h (modified) (1 diff)
• JavaScriptCore/runtime/JSNativeStdFunction.h (modified) (1 diff)
• JavaScriptCore/runtime/JSSegmentedVariableObject.h (modified) (1 diff)
• JavaScriptCore/runtime/JSString.h (modified) (1 diff)
• JavaScriptCore/runtime/ModuleProgramExecutable.h (modified) (1 diff)
• JavaScriptCore/runtime/NativeExecutable.h (modified) (1 diff)
• JavaScriptCore/runtime/ProgramExecutable.h (modified) (1 diff)
• JavaScriptCore/runtime/PropertyMapHashTable.h (modified) (1 diff)
• JavaScriptCore/runtime/ProxyRevoke.h (modified) (1 diff)
• JavaScriptCore/runtime/ScopedArguments.h (modified) (1 diff)
• JavaScriptCore/runtime/ScriptExecutable.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/Structure.h (modified) (1 diff)
• JavaScriptCore/runtime/StructureRareData.h (modified) (1 diff)
• JavaScriptCore/runtime/SubspaceAccess.h (copied) (copied from trunk/Source/JavaScriptCore/runtime/InferredValueInlines.h) (2 diffs)
• JavaScriptCore/runtime/VM.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/VM.h (modified) (3 diffs)
• JavaScriptCore/runtime/WeakMapImpl.h (modified) (1 diff)
• JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h (modified) (1 diff)
• JavaScriptCore/wasm/js/JSWebAssemblyMemory.h (modified) (1 diff)
• JavaScriptCore/wasm/js/WebAssemblyFunction.h (modified) (1 diff)
• JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• WebCore/bridge/runtime_method.h (modified) (1 diff)
• WebKit/ChangeLog (modified) (1 diff)
• WebKit/WebProcess/Plugins/Netscape/JSNPMethod.h (modified) (1 diff)
• WebKit/WebProcess/Plugins/Netscape/JSNPObject.h (modified) (1 diff)

trunk/Source/JavaScriptCore/API/JSCallbackFunction.h

@@ -38 +38 @@
     typedef InternalFunction Base;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.callbackFunctionSpace;
+        return vm.callbackFunctionSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.h

@@ -49 +49 @@
     typedef InternalFunction Base;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.objCCallbackFunctionSpace;
+        return vm.objCCallbackFunctionSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/API/glib/JSCCallbackFunction.h

@@ -41 +41 @@
     typedef InternalFunction Base;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -938 +938 @@
     runtime/StructureRareDataInlines.h
     runtime/StructureTransitionTable.h
+    runtime/SubspaceAccess.h
     runtime/Symbol.h
     runtime/SymbolPrototype.h

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
+        https://bugs.webkit.org/show_bug.cgi?id=193993
+
+        Reviewed by Keith Miller.
+
+        JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM so large.
+        And some of them are rarely used. We should allocate it lazily.
+
+        In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
+        functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
+        And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
+        returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes second template
+        parameter which tells the function whether subspaceFor is concurrently done. If the IsoSubspace is
+        lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
+        by using WTF::storeStoreFence when lazily allocating it.
+
+        In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
+        existence of the space before touching this. This is not racy because the main thread is stopped when
+        the constraint solving is working.
+
+        This changes sizeof(VM) from 64736 to 56472.
+
+        Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
+        `Subspace::initialize`. This is really dangerous API since it easily causes dead-lock between the
+        collector and the mutator if IsoSubspace is dynamically created. We do want to make IsoSubspaces
+        dynamically-created ones since the requirement of the pre-allocation poses a scalability problem
+        of IsoSubspace adoption because IsoSubspace is large. Registered Subspace is only touched in the
+        EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
+        can run this IsoSubspace code, the collector is never EndPhase. So this is safe.
+
+        * API/JSCallbackFunction.h:
+        * API/ObjCCallbackFunction.h:
+        (JSC::ObjCCallbackFunction::subspaceFor):
+        * API/glib/JSCCallbackFunction.h:
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::visitChildren):
+        (JSC::CodeBlock::finalizeUnconditionally):
+        * bytecode/CodeBlock.h:
+        * bytecode/EvalCodeBlock.h:
+        * bytecode/ExecutableToCodeBlockEdge.h:
+        * bytecode/FunctionCodeBlock.h:
+        * bytecode/ModuleProgramCodeBlock.h:
+        * bytecode/ProgramCodeBlock.h:
+        * bytecode/UnlinkedFunctionExecutable.cpp:
+        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
+        * bytecode/UnlinkedFunctionExecutable.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+        (JSC::DFG::SpeculativeJIT::compileMakeRope):
+        (JSC::DFG::SpeculativeJIT::compileNewObject):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
+        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
+        * heap/Heap.cpp:
+        (JSC::Heap::finalizeUnconditionalFinalizers):
+        (JSC::Heap::deleteAllCodeBlocks):
+        (JSC::Heap::deleteAllUnlinkedCodeBlocks):
+        (JSC::Heap::addCoreConstraints):
+        * heap/Subspace.cpp:
+        (JSC::Subspace::initialize):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
+        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_new_object):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_new_object):
+        * runtime/DirectArguments.h:
+        * runtime/DirectEvalExecutable.h:
+        * runtime/ErrorInstance.h:
+        (JSC::ErrorInstance::subspaceFor):
+        * runtime/ExecutableBase.h:
+        * runtime/FunctionExecutable.h:
+        * runtime/IndirectEvalExecutable.h:
+        * runtime/InferredValue.cpp:
+        (JSC::InferredValue::visitChildren):
+        * runtime/InferredValue.h:
+        * runtime/InferredValueInlines.h:
+        (JSC::InferredValue::finalizeUnconditionally):
+        * runtime/InternalFunction.h:
+        * runtime/JSAsyncFunction.h:
+        * runtime/JSAsyncGeneratorFunction.h:
+        * runtime/JSBoundFunction.h:
+        * runtime/JSCell.h:
+        (JSC::subspaceFor):
+        (JSC::subspaceForConcurrently):
+        * runtime/JSCellInlines.h:
+        (JSC::allocatorForNonVirtualConcurrently):
+        * runtime/JSCustomGetterSetterFunction.h:
+        * runtime/JSDestructibleObject.h:
+        * runtime/JSFunction.h:
+        * runtime/JSGeneratorFunction.h:
+        * runtime/JSImmutableButterfly.h:
+        * runtime/JSLexicalEnvironment.h:
+        (JSC::JSLexicalEnvironment::subspaceFor):
+        * runtime/JSNativeStdFunction.h:
+        * runtime/JSSegmentedVariableObject.h:
+        * runtime/JSString.h:
+        * runtime/ModuleProgramExecutable.h:
+        * runtime/NativeExecutable.h:
+        * runtime/ProgramExecutable.h:
+        * runtime/PropertyMapHashTable.h:
+        * runtime/ProxyRevoke.h:
+        * runtime/ScopedArguments.h:
+        * runtime/ScriptExecutable.cpp:
+        (JSC::ScriptExecutable::clearCode):
+        (JSC::ScriptExecutable::installCode):
+        * runtime/Structure.h:
+        * runtime/StructureRareData.h:
+        * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+        (JSC::VM::SpaceAndSet::SpaceAndSet):
+        (JSC::VM::SpaceAndSet::setFor):
+        (JSC::VM::forEachScriptExecutableSpace):
+        (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
+        (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
+        (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
+        (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
+        (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
+        (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
+        * runtime/WeakMapImpl.h:
+        (JSC::WeakMapImpl::subspaceFor):
+        * wasm/js/JSWebAssemblyCodeBlock.h:
+        * wasm/js/JSWebAssemblyMemory.h:
+        * wasm/js/WebAssemblyFunction.h:
+        * wasm/js/WebAssemblyWrapperFunction.h:
+
 2019-02-04  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1766 +1766 @@
                 E3794E761B77EB97005543AE /* ModuleAnalyzer.h in Headers */ = {isa = PBXBuildFile; fileRef = E3794E741B77EB97005543AE /* ModuleAnalyzer.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 E3893A1D2203A7C600E79A74 /* AsyncFromSyncIteratorPrototype.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = E3893A1C2203A7C600E79A74 /* AsyncFromSyncIteratorPrototype.lut.h */; };
+                E39006212208BFC4001019CF /* SubspaceAccess.h in Headers */ = {isa = PBXBuildFile; fileRef = E39006202208BFC3001019CF /* SubspaceAccess.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 E393ADD81FE702D00022D681 /* WeakMapImplInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = E393ADD71FE702CC0022D681 /* WeakMapImplInlines.h */; };
                 E39D45F51D39005600B3B377 /* InterpreterInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = E39D9D841D39000600667282 /* InterpreterInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -4704 +4705 @@
                 E380A76B1DCD7195000F89E6 /* MacroAssemblerHelpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MacroAssemblerHelpers.h; sourceTree = "<group>"; };
                 E380D66B1F19249D00A59095 /* BuiltinNames.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = BuiltinNames.cpp; sourceTree = "<group>"; };
-                E3893A1C2203A7C600E79A74 /* AsyncFromSyncIteratorPrototype.lut.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AsyncFromSyncIteratorPrototype.lut.h; path = AsyncFromSyncIteratorPrototype.lut.h; sourceTree = "<group>"; };
+                E3893A1C2203A7C600E79A74 /* AsyncFromSyncIteratorPrototype.lut.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AsyncFromSyncIteratorPrototype.lut.h; sourceTree = "<group>"; };
                 E38D060B1F8E814100649CF2 /* JSScriptFetchParameters.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSScriptFetchParameters.h; sourceTree = "<group>"; };
                 E38D060C1F8E814100649CF2 /* ScriptFetchParameters.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ScriptFetchParameters.h; sourceTree = "<group>"; };
                 E38D060D1F8E814100649CF2 /* JSScriptFetchParameters.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSScriptFetchParameters.cpp; sourceTree = "<group>"; };
+                E39006202208BFC3001019CF /* SubspaceAccess.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SubspaceAccess.h; sourceTree = "<group>"; };
                 E393ADD71FE702CC0022D681 /* WeakMapImplInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WeakMapImplInlines.h; sourceTree = "<group>"; };
                 E3963CEC1B73F75000EB4CE5 /* NodesAnalyzeModule.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NodesAnalyzeModule.cpp; sourceTree = "<group>"; };
@@ -7165 +7167 @@
                                 C20BA92C16BB1C1500B3AEA2 /* StructureRareDataInlines.h */,
                                 BC9041470EB9250900FE26FA /* StructureTransitionTable.h */,
+                                E39006202208BFC3001019CF /* SubspaceAccess.h */,
                                 705B41A31A6E501E00716757 /* Symbol.cpp */,
                                 705B41A41A6E501E00716757 /* Symbol.h */,
@@ -9693 +9696 @@
                                 0F44767020C5E2B4008B2C36 /* StubInfoSummary.h in Headers */,
                                 0F7DF1371E2970E10095951B /* Subspace.h in Headers */,
+                                E39006212208BFC4001019CF /* SubspaceAccess.h in Headers */,
                                 0F7DF1381E2970E40095951B /* SubspaceInlines.h in Headers */,
                                 0F4A38FA1C8E13DF00190318 /* SuperSampler.h in Headers */,

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -998 +998 @@
     stronglyVisitWeakReferences(locker, visitor);
     
-    VM::SpaceAndFinalizerSet::finalizerSetFor(*subspace()).add(this);
+    VM::SpaceAndSet::setFor(*subspace()).add(this);
 }
 
@@ -1393 +1393 @@
 #endif // ENABLE(DFG_JIT)
 
-    VM::SpaceAndFinalizerSet::finalizerSetFor(*subspace()).remove(this);
+    VM::SpaceAndSet::setFor(*subspace()).remove(this);
 }
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -115 +115 @@
     static const bool needsDestruction = true;
 
-    template<typename>
+    template<typename, SubspaceAccess>
     static void subspaceFor(VM&) { }
 

trunk/Source/JavaScriptCore/bytecode/EvalCodeBlock.h

@@ -39 +39 @@
     DECLARE_INFO;
 
-    template<typename>
+    template<typename, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/bytecode/ExecutableToCodeBlockEdge.h

@@ -41 +41 @@
     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/bytecode/FunctionCodeBlock.h

@@ -40 +40 @@
     DECLARE_INFO;
 
-    template<typename>
+    template<typename, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/bytecode/ModuleProgramCodeBlock.h

@@ -40 +40 @@
     DECLARE_INFO;
 
-    template<typename>
+    template<typename, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/bytecode/ProgramCodeBlock.h

@@ -40 +40 @@
     DECLARE_INFO;
 
-    template<typename>
+    template<typename, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp

@@ -238 +238 @@
         break;
     }
-    vm.unlinkedFunctionExecutableSpace.clearableCodeSet.add(this);
+    vm.unlinkedFunctionExecutableSpace.set.add(this);
     return result;
 }

trunk/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h

@@ -62 +62 @@
     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {
@@ -121 +121 @@
         m_unlinkedCodeBlockForCall.clear();
         m_unlinkedCodeBlockForConstruct.clear();
-        vm.unlinkedFunctionExecutableSpace.clearableCodeSet.remove(this);
+        vm.unlinkedFunctionExecutableSpace.set.remove(this);
     }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -131 +131 @@
 
     size_t allocationSize = JSFinalObject::allocationSize(inlineCapacity);
-    Allocator allocator = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+    Allocator allocator = allocatorForNonVirtualConcurrently<JSFinalObject>(*m_jit.vm(), allocationSize, AllocatorForMode::AllocatorIfExists);
     if (allocator) {
         emitAllocateJSObject(resultGPR, JITAllocator::constant(allocator), scratchGPR, TrustedImmPtr(structure), storageGPR, scratch2GPR, slowCases);
@@ -4360 +4360 @@
     
     JITCompiler::JumpList slowPath;
-    Allocator allocatorValue = subspaceFor<JSRopeString>(*m_jit.vm())->allocatorForNonVirtual(sizeof(JSRopeString), AllocatorForMode::AllocatorIfExists);
+    Allocator allocatorValue = allocatorForNonVirtualConcurrently<JSRopeString>(*m_jit.vm(), sizeof(JSRopeString), AllocatorForMode::AllocatorIfExists);
     emitAllocateJSCell(resultGPR, JITAllocator::constant(allocatorValue), allocatorGPR, TrustedImmPtr(m_jit.graph().registerStructure(m_jit.vm()->stringStructure.get())), scratchGPR, slowPath);
         
@@ -12541 +12541 @@
     RegisteredStructure structure = node->structure();
     size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
-    Allocator allocatorValue = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
-
+    Allocator allocatorValue = allocatorForNonVirtualConcurrently<JSFinalObject>(*m_jit.vm(), allocationSize, AllocatorForMode::AllocatorIfExists);
     if (!allocatorValue)
         slowPath.append(m_jit.jump());

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -6473 +6473 @@
         LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
         
-        Allocator allocator = subspaceFor<JSRopeString>(vm())->allocatorForNonVirtual(sizeof(JSRopeString), AllocatorForMode::AllocatorIfExists);
+        Allocator allocator = allocatorForNonVirtualConcurrently<JSRopeString>(vm(), sizeof(JSRopeString), AllocatorForMode::AllocatorIfExists);
         
         LValue result = allocateCell(
@@ -10724 +10724 @@
             if (structure->outOfLineCapacity() || hasIndexedProperties(structure->indexingType())) {
                 size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
-                Allocator cellAllocator = subspaceFor<JSFinalObject>(vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+                Allocator cellAllocator = allocatorForNonVirtualConcurrently<JSFinalObject>(vm(), allocationSize, AllocatorForMode::AllocatorIfExists);
 
                 bool hasIndexingHeader = hasIndexedProperties(structure->indexingType());
@@ -13191 +13191 @@
         size_t size, StructureType structure, LValue butterfly, LBasicBlock slowPath)
     {
-        Allocator allocator = subspaceFor<ClassType>(vm())->allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
+        Allocator allocator = allocatorForNonVirtualConcurrently<ClassType>(vm(), size, AllocatorForMode::AllocatorIfExists);
         return allocateObject(
             m_out.constIntPtr(allocator.localAllocator()), structure, butterfly, slowPath);
@@ -13255 +13255 @@
         LValue size, RegisteredStructure structure, LValue butterfly, LBasicBlock slowPath)
     {
-        LValue allocator = allocatorForSize(*subspaceFor<ClassType>(vm()), size, slowPath);
+        CompleteSubspace* subspace = subspaceForConcurrently<ClassType>(vm());
+        RELEASE_ASSERT_WITH_MESSAGE(subspace, "CompleteSubspace is always allocated");
+        LValue allocator = allocatorForSize(*subspace, size, slowPath);
         return allocateObject(allocator, structure, butterfly, slowPath);
     }
@@ -13263 +13265 @@
         LValue size, Structure* structure, LBasicBlock slowPath)
     {
-        LValue allocator = allocatorForSize(*subspaceFor<ClassType>(vm()), size, slowPath);
+        CompleteSubspace* subspace = subspaceForConcurrently<ClassType>(vm());
+        RELEASE_ASSERT_WITH_MESSAGE(subspace, "CompleteSubspace is always allocated");
+        LValue allocator = allocatorForSize(*subspace, size, slowPath);
         return allocateCell(allocator, structure, slowPath);
     }
@@ -13270 +13274 @@
     {
         size_t allocationSize = JSFinalObject::allocationSize(structure.get()->inlineCapacity());
-        Allocator allocator = subspaceFor<JSFinalObject>(vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+        Allocator allocator = allocatorForNonVirtualConcurrently<JSFinalObject>(vm(), allocationSize, AllocatorForMode::AllocatorIfExists);
         
         // FIXME: If the allocator is null, we could simply emit a normal C call to the allocator

trunk/Source/JavaScriptCore/heap/AlignedMemoryAllocator.cpp

@@ -28 +28 @@
 
 #include "BlockDirectory.h"
+#include "Heap.h"
 #include "Subspace.h"
 
@@ -45 +46 @@
     
     if (m_directories.isEmpty()) {
+        ASSERT(!mayBeGCThread() || directory->heap()->worldIsStopped());
         for (Subspace* subspace = m_subspaces.first(); subspace; subspace = subspace->nextSubspaceInAlignedMemoryAllocator())
             subspace->didCreateFirstDirectory(directory);

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -568 +568 @@
 void Heap::finalizeUnconditionalFinalizers()
 {
-    finalizeMarkedUnconditionalFinalizers<InferredValue>(vm()->inferredValuesWithFinalizers);
+    if (vm()->m_inferredValueSpace)
+        finalizeMarkedUnconditionalFinalizers<InferredValue>(vm()->m_inferredValueSpace->space);
     vm()->forEachCodeBlockSpace(
         [&] (auto& space) {
-            this->finalizeMarkedUnconditionalFinalizers<CodeBlock>(space.finalizerSet);
+            this->finalizeMarkedUnconditionalFinalizers<CodeBlock>(space.set);
         });
     finalizeMarkedUnconditionalFinalizers<ExecutableToCodeBlockEdge>(vm()->executableToCodeBlockEdgesWithFinalizers);
-    finalizeMarkedUnconditionalFinalizers<JSWeakSet>(vm()->weakSetSpace);
-    finalizeMarkedUnconditionalFinalizers<JSWeakMap>(vm()->weakMapSpace);
-    finalizeMarkedUnconditionalFinalizers<ErrorInstance>(vm()->errorInstanceSpace);
+    if (vm()->m_weakSetSpace)
+        finalizeMarkedUnconditionalFinalizers<JSWeakSet>(*vm()->m_weakSetSpace);
+    if (vm()->m_weakMapSpace)
+        finalizeMarkedUnconditionalFinalizers<JSWeakMap>(*vm()->m_weakMapSpace);
+    if (vm()->m_errorInstanceSpace)
+        finalizeMarkedUnconditionalFinalizers<ErrorInstance>(*vm()->m_errorInstanceSpace);
 
 #if ENABLE(WEBASSEMBLY)
-    finalizeMarkedUnconditionalFinalizers<JSWebAssemblyCodeBlock>(vm()->webAssemblyCodeBlockSpace);
+    if (vm()->m_webAssemblyCodeBlockSpace)
+        finalizeMarkedUnconditionalFinalizers<JSWebAssemblyCodeBlock>(*vm()->m_webAssemblyCodeBlockSpace);
 #endif
 }
@@ -881 +886 @@
         [&] (auto& spaceAndSet) {
             HeapIterationScope heapIterationScope(*this);
-            auto& clearableCodeSet = spaceAndSet.clearableCodeSet;
-            clearableCodeSet.forEachLiveCell(
+            auto& set = spaceAndSet.set;
+            set.forEachLiveCell(
                 [&] (HeapCell* cell, HeapCell::Kind) {
                     ScriptExecutable* executable = static_cast<ScriptExecutable*>(cell);
-                    executable->clearCode(clearableCodeSet);
+                    executable->clearCode(set);
                 });
         });
@@ -897 +902 @@
         // it uses a callee check, but then it will call into dead code.
         HeapIterationScope heapIterationScope(*this);
-        vm.webAssemblyCodeBlockSpace.forEachLiveCell([&] (HeapCell* cell, HeapCell::Kind kind) {
-            ASSERT_UNUSED(kind, kind == HeapCell::JSCell);
-            JSWebAssemblyCodeBlock* codeBlock = static_cast<JSWebAssemblyCodeBlock*>(cell);
-            codeBlock->clearJSCallICs(vm);
-        });
+        if (vm.m_webAssemblyCodeBlockSpace) {
+            vm.m_webAssemblyCodeBlockSpace->forEachLiveCell([&] (HeapCell* cell, HeapCell::Kind kind) {
+                ASSERT_UNUSED(kind, kind == HeapCell::JSCell);
+                JSWebAssemblyCodeBlock* codeBlock = static_cast<JSWebAssemblyCodeBlock*>(cell);
+                codeBlock->clearJSCallICs(vm);
+            });
+        }
     }
 #endif
@@ -917 +924 @@
 
     HeapIterationScope heapIterationScope(*this);
-    vm.unlinkedFunctionExecutableSpace.clearableCodeSet.forEachLiveCell(
+    vm.unlinkedFunctionExecutableSpace.set.forEachLiveCell(
         [&] (HeapCell* cell, HeapCell::Kind) {
             UnlinkedFunctionExecutable* executable = static_cast<UnlinkedFunctionExecutable*>(cell);
@@ -2731 +2738 @@
             
             add(vm.executableToCodeBlockEdgesWithConstraints);
-            add(vm.weakMapSpace);
+            if (vm.m_weakMapSpace)
+                add(*vm.m_weakMapSpace);
         },
         ConstraintVolatility::GreyedByMarking,

trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp

@@ -259 +259 @@
 void MarkedSpace::prepareForAllocation()
 {
+    ASSERT(!mayBeGCThread() || m_heap->worldIsStopped());
     for (Subspace* subspace : m_subspaces)
         subspace->prepareForAllocation();

trunk/Source/JavaScriptCore/heap/Subspace.cpp

@@ -51 +51 @@
 
     Heap& heap = *m_space.heap();
-    PreventCollectionScope preventCollectionScope(heap);
     heap.objectSpace().m_subspaces.append(this);
     m_alignedMemoryAllocator->registerSubspace(this);

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1753 +1753 @@
         GPRReg scratchGPR2, JumpList& slowPath, size_t size)
     {
-        Allocator allocator = subspaceFor<ClassType>(vm)->allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
+        Allocator allocator = allocatorForNonVirtualConcurrently<ClassType>(vm, size, AllocatorForMode::AllocatorIfExists);
         emitAllocateJSObject(resultGPR, JITAllocator::constant(allocator), scratchGPR1, structure, storage, scratchGPR2, slowPath);
     }
@@ -1770 +1770 @@
     void emitAllocateVariableSizedCell(VM& vm, GPRReg resultGPR, StructureType structure, GPRReg allocationSize, GPRReg scratchGPR1, GPRReg scratchGPR2, JumpList& slowPath)
     {
-        CompleteSubspace& subspace = *subspaceFor<ClassType>(vm);
-        emitAllocateVariableSized(resultGPR, subspace, allocationSize, scratchGPR1, scratchGPR2, slowPath);
+        CompleteSubspace* subspace = subspaceForConcurrently<ClassType>(vm);
+        RELEASE_ASSERT_WITH_MESSAGE(subspace, "CompleteSubspace is always allocated");
+        emitAllocateVariableSized(resultGPR, *subspace, allocationSize, scratchGPR1, scratchGPR2, slowPath);
         emitStoreStructureWithTypeInfo(structure, resultGPR, scratchGPR2);
     }

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -97 +97 @@
     Structure* structure = metadata.m_objectAllocationProfile.structure();
     size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
-    Allocator allocator = subspaceFor<JSFinalObject>(*m_vm)->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+    Allocator allocator = allocatorForNonVirtualConcurrently<JSFinalObject>(*m_vm, allocationSize, AllocatorForMode::AllocatorIfExists);
 
     RegisterID resultReg = regT0;

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -85 +85 @@
     Structure* structure = metadata.m_objectAllocationProfile.structure();
     size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
-    Allocator allocator = subspaceFor<JSFinalObject>(*m_vm)->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+    Allocator allocator = allocatorForNonVirtualConcurrently<JSFinalObject>(*m_vm, allocationSize, AllocatorForMode::AllocatorIfExists);
 
     RegisterID resultReg = returnValueGPR;

trunk/Source/JavaScriptCore/runtime/DirectArguments.h

@@ -47 +47 @@
     
 public:
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static CompleteSubspace* subspaceFor(VM& vm)
     {
-        RELEASE_ASSERT(!CellType::needsDestruction);
+        static_assert(!CellType::needsDestruction, "");
         return &vm.jsValueGigacageCellSpace;
     }

trunk/Source/JavaScriptCore/runtime/DirectEvalExecutable.h

@@ -32 +32 @@
 class DirectEvalExecutable final : public EvalExecutable {
 public:
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.directEvalExecutableSpace.space;
+        return vm.directEvalExecutableSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/runtime/ErrorInstance.h

@@ -73 +73 @@
     bool materializeErrorInfoIfNeeded(VM&, PropertyName);
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.errorInstanceSpace;
+        return vm.errorInstanceSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/runtime/ExecutableBase.h

@@ -85 +85 @@
     
     // Force subclasses to override this.
-    template<typename>
+    template<typename, SubspaceAccess>
     static void subspaceFor(VM&) { }
         

trunk/Source/JavaScriptCore/runtime/FunctionExecutable.h

@@ -41 +41 @@
     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/IndirectEvalExecutable.h

@@ -32 +32 @@
 class IndirectEvalExecutable final : public EvalExecutable {
 public:
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.indirectEvalExecutableSpace.space;
+        return vm.indirectEvalExecutableSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/runtime/InferredValue.cpp

@@ -64 +64 @@
         return;
     
-    visitor.vm().inferredValuesWithFinalizers.add(inferredValue);
+    VM::SpaceAndSet::setFor(*inferredValue->subspace()).add(inferredValue);
 }
 

trunk/Source/JavaScriptCore/runtime/InferredValue.h

@@ -46 +46 @@
     typedef JSCell Base;
     
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.inferredValueSpace;
+        return vm.inferredValueSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/runtime/InferredValueInlines.h

@@ -41 +41 @@
     }
     
-    vm.inferredValuesWithFinalizers.remove(this);
+    VM::SpaceAndSet::setFor(*subspace()).remove(this);
 }
 

trunk/Source/JavaScriptCore/runtime/InternalFunction.h

@@ -39 +39 @@
     static const unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance | ImplementsDefaultHasInstance | OverridesGetCallData;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/JSAsyncFunction.h

@@ -39 +39 @@
     const static unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/JSAsyncGeneratorFunction.h

@@ -39 +39 @@
     const static unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/JSBoundFunction.h

@@ -43 +43 @@
     static_assert(StructureFlags & ImplementsHasInstance, "");
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.boundFunctionSpace;
+        return vm.boundFunctionSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -33 +33 @@
 #include "JSTypeInfo.h"
 #include "SlotVisitor.h"
+#include "SubspaceAccess.h"
 #include "TypedArrayType.h"
 #include "WriteBarrier.h"
@@ -89 +90 @@
     // FIXME: Refer to Subspace by reference.
     // https://bugs.webkit.org/show_bug.cgi?id=166988
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static CompleteSubspace* subspaceFor(VM&);
 
@@ -295 +296 @@
 inline auto subspaceFor(VM& vm)
 {
-    return Type::template subspaceFor<Type>(vm);
+    return Type::template subspaceFor<Type, SubspaceAccess::OnMainThread>(vm);
 }
 
+template<typename Type>
+inline auto subspaceForConcurrently(VM& vm)
+{
+    return Type::template subspaceFor<Type, SubspaceAccess::Concurrently>(vm);
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSCellInlines.h

@@ -26 +26 @@
 #pragma once
 
+#include "AllocatorForMode.h"
 #include "AllocatorInlines.h"
 #include "CompleteSubspaceInlines.h"
@@ -146 +147 @@
 }
 
-template<typename CellType>
+template<typename CellType, SubspaceAccess>
 CompleteSubspace* JSCell::subspaceFor(VM& vm)
 {
@@ -152 +153 @@
         return &vm.destructibleCellSpace;
     return &vm.cellSpace;
+}
+
+template<typename Type>
+inline Allocator allocatorForNonVirtualConcurrently(VM& vm, size_t allocationSize, AllocatorForMode mode)
+{
+    if (auto* subspace = subspaceForConcurrently<Type>(vm))
+        return subspace->allocatorForNonVirtual(allocationSize, mode);
+    return { };
 }
 

trunk/Source/JavaScriptCore/runtime/JSCustomGetterSetterFunction.h

@@ -41 +41 @@
     static const unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.customGetterSetterFunctionSpace;
+        return vm.customGetterSetterFunctionSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h

@@ -38 +38 @@
     static const bool needsDestruction = true;
     
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static CompleteSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -63 +63 @@
 public:
     
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/JSGeneratorFunction.h

@@ -67 +67 @@
     const static unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/JSImmutableButterfly.h

@@ -89 +89 @@
     void copyToArguments(ExecState*, VirtualRegister firstElementDest, unsigned offset, unsigned length);
 
-    template<typename>
+    template<typename, SubspaceAccess>
     static CompleteSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h

@@ -41 +41 @@
     friend class LLIntOffsetsExtractor;
 public:
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static CompleteSubspace* subspaceFor(VM& vm)
     {
-        RELEASE_ASSERT(!CellType::needsDestruction);
+        static_assert(!CellType::needsDestruction, "");
         return &vm.jsValueGigacageCellSpace;
     }

trunk/Source/JavaScriptCore/runtime/JSNativeStdFunction.h

@@ -41 +41 @@
     const static unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.nativeStdFunctionSpace;
+        return vm.nativeStdFunctionSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h

@@ -91 +91 @@
     static void destroy(JSCell*);
     
-    template<typename>
+    template<typename, SubspaceAccess>
     static CompleteSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -90 +90 @@
     // We specialize the string subspace to get the fastest possible sweep. This wouldn't be
     // necessary if JSString didn't have a destructor.
-    template<typename>
+    template<typename, SubspaceAccess>
     static CompleteSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/ModuleProgramExecutable.h

@@ -37 +37 @@
     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.moduleProgramExecutableSpace.space;
+        return vm.moduleProgramExecutableSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/runtime/NativeExecutable.h

@@ -45 +45 @@
     static void destroy(JSCell*);
     
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/ProgramExecutable.h

@@ -37 +37 @@
     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/PropertyMapHashTable.h

@@ -124 +124 @@
     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/ProxyRevoke.h

@@ -37 +37 @@
     static const unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.proxyRevokeSpace;
+        return vm.proxyRevokeSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/runtime/ScopedArguments.h

@@ -44 +44 @@
 
 public:
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static CompleteSubspace* subspaceFor(VM& vm)
     {
-        RELEASE_ASSERT(!CellType::needsDestruction);
+        static_assert(!CellType::needsDestruction, "");
         return &vm.jsValueGigacageCellSpace;
     }

trunk/Source/JavaScriptCore/runtime/ScriptExecutable.cpp

@@ -69 +69 @@
 {
     Base::clearCode();
-    ASSERT(&VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor(*subspace()) == &clearableCodeSet);
+    ASSERT(&VM::SpaceAndSet::setFor(*subspace()) == &clearableCodeSet);
     clearableCodeSet.remove(this);
 }
@@ -150 +150 @@
     }
 
-    auto& clearableCodeSet = VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor(*subspace());
+    auto& clearableCodeSet = VM::SpaceAndSet::setFor(*subspace());
     if (hasClearableCode())
         clearableCodeSet.add(this);

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -133 +133 @@
     ~Structure();
     
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/StructureRareData.h

@@ -44 +44 @@
     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/SubspaceAccess.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -21 +21 @@
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #pragma once
 
-#include "InferredValue.h"
-
 namespace JSC {
 
-void InferredValue::finalizeUnconditionally(VM& vm)
-{
-    JSValue value = m_value.get();
-    
-    if (value && value.isCell()) {
-        if (Heap::isMarked(value.asCell()))
-            return;
-        
-        invalidate(vm, StringFireDetail("InferredValue clean-up during GC"));
-    }
-    
-    vm.inferredValuesWithFinalizers.remove(this);
+enum class SubspaceAccess {
+    OnMainThread,
+    Concurrently,
+};
+
 }
-
-} // namespace JSC
-

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -288 +288 @@
     , eagerlySweptDestructibleObjectSpace("Eagerly Swept JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get())
     , segmentedVariableObjectSpace("JSSegmentedVariableObjectSpace", heap, segmentedVariableObjectHeapCellType.get(), fastMallocAllocator.get())
-    , boundFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSBoundFunction)
-    , callbackFunctionSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), JSCallbackFunction)
-    , customGetterSetterFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSCustomGetterSetterFunction)
     , executableToCodeBlockEdgeSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), ExecutableToCodeBlockEdge)
     , functionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSFunction)
-    , inferredValueSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), InferredValue)
     , internalFunctionSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), InternalFunction)
     , nativeExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), NativeExecutable)
-    , nativeStdFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSNativeStdFunction)
-#if JSC_OBJC_API_ENABLED
-    , objCCallbackFunctionSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), ObjCCallbackFunction)
-#endif
     , propertyTableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), PropertyTable)
-    , proxyRevokeSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), ProxyRevoke)
     , structureRareDataSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), StructureRareData)
     , structureSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), Structure)
-    , weakSetSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), JSWeakSet)
-    , weakMapSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), JSWeakMap)
-    , errorInstanceSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), ErrorInstance)
-#if ENABLE(WEBASSEMBLY)
-    , webAssemblyCodeBlockSpace ISO_SUBSPACE_INIT(heap, webAssemblyCodeBlockHeapCellType.get(), JSWebAssemblyCodeBlock)
-    , webAssemblyFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), WebAssemblyFunction)
-    , webAssemblyWrapperFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), WebAssemblyWrapperFunction)
-#endif
     , executableToCodeBlockEdgesWithConstraints(executableToCodeBlockEdgeSpace)
     , executableToCodeBlockEdgesWithFinalizers(executableToCodeBlockEdgeSpace)
-    , inferredValuesWithFinalizers(inferredValueSpace)
     , codeBlockSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), CodeBlock)
-    , directEvalExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), DirectEvalExecutable)
     , functionExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), FunctionExecutable)
-    , indirectEvalExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), IndirectEvalExecutable)
-    , moduleProgramExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), ModuleProgramExecutable)
     , programExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), ProgramExecutable)
     , unlinkedFunctionExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), UnlinkedFunctionExecutable)
@@ -1240 +1219 @@
 }
 
+#define DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(name, heapCellType, type) \
+    IsoSubspace* VM::name##Slow() \
+    { \
+        ASSERT(!m_##name); \
+        auto space = std::make_unique<IsoSubspace> ISO_SUBSPACE_INIT(heap, heapCellType, type); \
+        WTF::storeStoreFence(); \
+        m_##name = WTFMove(space); \
+        return m_##name.get(); \
+    }
+
+
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(boundFunctionSpace, cellHeapCellType.get(), JSBoundFunction)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(callbackFunctionSpace, destructibleObjectHeapCellType.get(), JSCallbackFunction)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(customGetterSetterFunctionSpace, cellHeapCellType.get(), JSCustomGetterSetterFunction)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(errorInstanceSpace, destructibleObjectHeapCellType.get(), ErrorInstance)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(nativeStdFunctionSpace, cellHeapCellType.get(), JSNativeStdFunction)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(proxyRevokeSpace, destructibleObjectHeapCellType.get(), ProxyRevoke)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(weakMapSpace, destructibleObjectHeapCellType.get(), JSWeakMap)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(weakSetSpace, destructibleObjectHeapCellType.get(), JSWeakSet)
+#if JSC_OBJC_API_ENABLED
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(objCCallbackFunctionSpace, destructibleObjectHeapCellType.get(), ObjCCallbackFunction)
+#endif
+#if ENABLE(WEBASSEMBLY)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyCodeBlockSpace, webAssemblyCodeBlockHeapCellType.get(), JSWebAssemblyCodeBlock)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyFunctionSpace, cellHeapCellType.get(), WebAssemblyFunction)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyWrapperFunctionSpace, cellHeapCellType.get(), WebAssemblyWrapperFunction)
+#endif
+
+#undef DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW
+
+#define DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW(name, heapCellType, type) \
+    IsoSubspace* VM::name##Slow() \
+    { \
+        ASSERT(!m_##name); \
+        auto space = std::make_unique<SpaceAndSet> ISO_SUBSPACE_INIT(heap, heapCellType, type); \
+        WTF::storeStoreFence(); \
+        m_##name = WTFMove(space); \
+        return &m_##name->space; \
+    }
+
+DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW(inferredValueSpace, destructibleCellHeapCellType.get(), InferredValue)
+DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW(directEvalExecutableSpace, destructibleCellHeapCellType.get(), DirectEvalExecutable)
+DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW(indirectEvalExecutableSpace, destructibleCellHeapCellType.get(), IndirectEvalExecutable)
+DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW(moduleProgramExecutableSpace, destructibleCellHeapCellType.get(), ModuleProgramExecutable)
+
+#undef DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW
+
 JSGlobalObject* VM::vmEntryGlobalObject(const CallFrame* callFrame) const
 {

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -52 +52 @@
 #include "Strong.h"
 #include "StructureCache.h"
+#include "SubspaceAccess.h"
 #include "VMTraps.h"
 #include "WasmContext.h"
@@ -367 +368 @@
     CompleteSubspace segmentedVariableObjectSpace;
     
-    IsoSubspace boundFunctionSpace;
-    IsoSubspace callbackFunctionSpace;
-    IsoSubspace customGetterSetterFunctionSpace;
     IsoSubspace executableToCodeBlockEdgeSpace;
     IsoSubspace functionSpace;
-    IsoSubspace inferredValueSpace;
     IsoSubspace internalFunctionSpace;
     IsoSubspace nativeExecutableSpace;
-    IsoSubspace nativeStdFunctionSpace;
-#if JSC_OBJC_API_ENABLED
-    IsoSubspace objCCallbackFunctionSpace;
-#endif
     IsoSubspace propertyTableSpace;
-    IsoSubspace proxyRevokeSpace;
     IsoSubspace structureRareDataSpace;
     IsoSubspace structureSpace;
-    IsoSubspace weakSetSpace;
-    IsoSubspace weakMapSpace;
-    IsoSubspace errorInstanceSpace;
+
+#define DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(name) \
+    template<SubspaceAccess mode> \
+    IsoSubspace* name() \
+    { \
+        if (m_##name || mode == SubspaceAccess::Concurrently) \
+            return m_##name.get(); \
+        return name##Slow(); \
+    } \
+    IsoSubspace* name##Slow(); \
+    std::unique_ptr<IsoSubspace> m_##name;
+
+
+#if JSC_OBJC_API_ENABLED
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(objCCallbackFunctionSpace)
+#endif
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(boundFunctionSpace)
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(callbackFunctionSpace)
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(customGetterSetterFunctionSpace)
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(errorInstanceSpace)
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(nativeStdFunctionSpace)
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(proxyRevokeSpace)
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(weakSetSpace)
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(weakMapSpace)
 #if ENABLE(WEBASSEMBLY)
-    IsoSubspace webAssemblyCodeBlockSpace;
-    IsoSubspace webAssemblyFunctionSpace;
-    IsoSubspace webAssemblyWrapperFunctionSpace;
-#endif
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(webAssemblyCodeBlockSpace)
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(webAssemblyFunctionSpace)
+    DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(webAssemblyWrapperFunctionSpace)
+#endif
+
+#undef DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER
     
     IsoCellSet executableToCodeBlockEdgesWithConstraints;
     IsoCellSet executableToCodeBlockEdgesWithFinalizers;
-    IsoCellSet inferredValuesWithFinalizers;
-    
-    struct SpaceAndFinalizerSet {
+
+#define DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER(name) \
+    template<SubspaceAccess mode> \
+    IsoSubspace* name() \
+    { \
+        if (auto* spaceAndSet = m_##name.get()) \
+            return &spaceAndSet->space; \
+        if (mode == SubspaceAccess::Concurrently) \
+            return nullptr; \
+        return name##Slow(); \
+    } \
+    IsoSubspace* name##Slow(); \
+    std::unique_ptr<SpaceAndSet> m_##name;
+    
+    struct SpaceAndSet {
+        WTF_MAKE_STRUCT_FAST_ALLOCATED;
+
         IsoSubspace space;
-        IsoCellSet finalizerSet;
+        IsoCellSet set;
         
         template<typename... Arguments>
-        SpaceAndFinalizerSet(Arguments&&... arguments)
+        SpaceAndSet(Arguments&&... arguments)
             : space(std::forward<Arguments>(arguments)...)
-            , finalizerSet(space)
+            , set(space)
         {
         }
         
-        static IsoCellSet& finalizerSetFor(Subspace& space)
+        static IsoCellSet& setFor(Subspace& space)
         {
             return *bitwise_cast<IsoCellSet*>(
                 bitwise_cast<char*>(&space) -
-                OBJECT_OFFSETOF(SpaceAndFinalizerSet, space) +
-                OBJECT_OFFSETOF(SpaceAndFinalizerSet, finalizerSet));
+                OBJECT_OFFSETOF(SpaceAndSet, space) +
+                OBJECT_OFFSETOF(SpaceAndSet, set));
         }
     };
     
-    SpaceAndFinalizerSet codeBlockSpace;
+    SpaceAndSet codeBlockSpace;
+    DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER(inferredValueSpace)
 
     template<typename Func>
@@ -426 +456 @@
     }
 
-    struct ScriptExecutableSpaceAndSet {
-        IsoSubspace space;
-        IsoCellSet clearableCodeSet;
-
-        template<typename... Arguments>
-        ScriptExecutableSpaceAndSet(Arguments&&... arguments)
-            : space(std::forward<Arguments>(arguments)...)
-            , clearableCodeSet(space)
-        { }
-
-        static IsoCellSet& clearableCodeSetFor(Subspace& space)
-        {
-            return *bitwise_cast<IsoCellSet*>(
-                bitwise_cast<char*>(&space) -
-                OBJECT_OFFSETOF(ScriptExecutableSpaceAndSet, space) +
-                OBJECT_OFFSETOF(ScriptExecutableSpaceAndSet, clearableCodeSet));
-        }
-    };
-
-    ScriptExecutableSpaceAndSet directEvalExecutableSpace;
-    ScriptExecutableSpaceAndSet functionExecutableSpace;
-    ScriptExecutableSpaceAndSet indirectEvalExecutableSpace;
-    ScriptExecutableSpaceAndSet moduleProgramExecutableSpace;
-    ScriptExecutableSpaceAndSet programExecutableSpace;
+    DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER(directEvalExecutableSpace)
+    DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER(indirectEvalExecutableSpace)
+    DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER(moduleProgramExecutableSpace)
+    SpaceAndSet functionExecutableSpace;
+    SpaceAndSet programExecutableSpace;
 
     template<typename Func>
     void forEachScriptExecutableSpace(const Func& func)
     {
-        func(directEvalExecutableSpace);
+        if (m_directEvalExecutableSpace)
+            func(*m_directEvalExecutableSpace);
         func(functionExecutableSpace);
-        func(indirectEvalExecutableSpace);
-        func(moduleProgramExecutableSpace);
+        if (m_indirectEvalExecutableSpace)
+            func(*m_indirectEvalExecutableSpace);
+        if (m_moduleProgramExecutableSpace)
+            func(*m_moduleProgramExecutableSpace);
         func(programExecutableSpace);
     }
 
-    struct UnlinkedFunctionExecutableSpaceAndSet {
-        IsoSubspace space;
-        IsoCellSet clearableCodeSet;
-
-        template<typename... Arguments>
-        UnlinkedFunctionExecutableSpaceAndSet(Arguments&&... arguments)
-            : space(std::forward<Arguments>(arguments)...)
-            , clearableCodeSet(space)
-        { }
-        
-        static IsoCellSet& clearableCodeSetFor(Subspace& space)
-        {
-            return *bitwise_cast<IsoCellSet*>(
-                bitwise_cast<char*>(&space) -
-                OBJECT_OFFSETOF(UnlinkedFunctionExecutableSpaceAndSet, space) +
-                OBJECT_OFFSETOF(UnlinkedFunctionExecutableSpaceAndSet, clearableCodeSet));
-        }
-    };
-
-    UnlinkedFunctionExecutableSpaceAndSet unlinkedFunctionExecutableSpace;
+    SpaceAndSet unlinkedFunctionExecutableSpace;
+
+#undef DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER
 
     VMType vmType;

trunk/Source/JavaScriptCore/runtime/WeakMapImpl.h

@@ -303 +303 @@
     }
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
         if (isWeakMap())
-            return &vm.weakMapSpace;
-        return &vm.weakSetSpace;
+            return vm.weakMapSpace<mode>();
+        return vm.weakSetSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h

@@ -60 +60 @@
     }
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.webAssemblyCodeBlockSpace;
+        return vm.webAssemblyCodeBlockSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h

@@ -44 +44 @@
     typedef JSDestructibleObject Base;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess>
     static CompleteSubspace* subspaceFor(VM& vm)
     {

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h

@@ -50 +50 @@
     const static unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.webAssemblyFunctionSpace;
+        return vm.webAssemblyFunctionSpace<mode>();
     }
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h

@@ -41 +41 @@
     const static unsigned StructureFlags = Base::StructureFlags;
 
-    template<typename CellType>
+    template<typename CellType, SubspaceAccess mode>
     static IsoSubspace* subspaceFor(VM& vm)
     {
-        return &vm.webAssemblyWrapperFunctionSpace;
+        return vm.webAssemblyWrapperFunctionSpace<mode>();
     }
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
+        https://bugs.webkit.org/show_bug.cgi?id=193993
+
+        Reviewed by Keith Miller.
+
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateHeader):
+        * bridge/runtime_method.h:
+
 2019-02-04  Simon Fraser  <simon.fraser@apple.com>
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -2759 +2759 @@
             push(@headerContent, "    static void visitOutputConstraints(JSCell*, JSC::SlotVisitor&);\n");
             my $subspaceFunc = IsDOMGlobalObject($interface) ? "globalObjectOutputConstraintSubspaceFor" : "outputConstraintSubspaceFor";
-            push(@headerContent, "    template<typename> static JSC::CompleteSubspace* subspaceFor(JSC::VM& vm) { return $subspaceFunc(vm); }\n");
+            push(@headerContent, "    template<typename, JSC::SubspaceAccess> static JSC::CompleteSubspace* subspaceFor(JSC::VM& vm) { return $subspaceFunc(vm); }\n");
         }
     }

trunk/Source/WebCore/bridge/runtime_method.h

@@ -38 +38 @@
     static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData;
 
-    template<typename CellType>
+    template<typename CellType, JSC::SubspaceAccess>
     static IsoSubspace* subspaceFor(VM& vm)
     {

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
+        https://bugs.webkit.org/show_bug.cgi?id=193993
+
+        Reviewed by Keith Miller.
+
+        * WebProcess/Plugins/Netscape/JSNPMethod.h:
+        * WebProcess/Plugins/Netscape/JSNPObject.h:
+
 2019-02-04  Simon Fraser  <simon.fraser@apple.com>
 

trunk/Source/WebKit/WebProcess/Plugins/Netscape/JSNPMethod.h

@@ -42 +42 @@
     typedef JSC::InternalFunction Base;
 
-    template<typename CellType>
+    template<typename CellType, JSC::SubspaceAccess>
     static JSC::IsoSubspace* subspaceFor(JSC::VM& vm)
     {

trunk/Source/WebKit/WebProcess/Plugins/Netscape/JSNPObject.h

@@ -47 +47 @@
     static const unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::OverridesGetCallData;
 
-    template<typename CellType>
+    template<typename CellType, JSC::SubspaceAccess>
     static JSC::IsoSubspace* subspaceFor(JSC::VM& vm)
     {