Changeset 47022 in webkit

Timestamp:

Aug 10, 2009 9:35:02 PM (15 years ago)

Author:

oliver@apple.com

Message:

Stack overflow crash in JavaScript garbage collector mark pass
​https://bugs.webkit.org/show_bug.cgi?id=12216

Reviewed by Gavin Barraclough and Sam Weinig

Make the GC mark phase iterative by using an explicit mark stack.
To do this marking any single object is performed in multiple stages

• The object is appended to the MarkStack, this sets the marked bit for the object using the new markDirect() function, and then returns
• When the MarkStack is drain()ed the object is popped off the stack and markChildren(MarkStack&) is called on the object to collect all of its children. drain() then repeats until the stack is empty.

Additionally I renamed a number of methods from 'mark' to 'markAggregate'
in order to make it more clear that marking of those object was not
going to result in an actual recursive mark.

Location:

trunk

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/GNUmakefile.am (modified) (2 diffs)
• JavaScriptCore/JavaScriptCore.exp (modified) (6 diffs)
• JavaScriptCore/JavaScriptCore.gypi (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.pri (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (7 diffs)
• JavaScriptCore/bytecode/CodeBlock.cpp (modified) (1 diff)
• JavaScriptCore/bytecode/CodeBlock.h (modified) (1 diff)
• JavaScriptCore/bytecode/EvalCodeCache.h (modified) (1 diff)
• JavaScriptCore/debugger/DebuggerActivation.cpp (modified) (2 diffs)
• JavaScriptCore/debugger/DebuggerActivation.h (modified) (2 diffs)
• JavaScriptCore/interpreter/Register.h (modified) (3 diffs)
• JavaScriptCore/interpreter/RegisterFile.h (modified) (2 diffs)
• JavaScriptCore/parser/Nodes.cpp (modified) (4 diffs)
• JavaScriptCore/parser/Nodes.h (modified) (4 diffs)
• JavaScriptCore/runtime/ArgList.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/ArgList.h (modified) (1 diff)
• JavaScriptCore/runtime/Arguments.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/Arguments.h (modified) (2 diffs)
• JavaScriptCore/runtime/Collector.cpp (modified) (15 diffs)
• JavaScriptCore/runtime/Collector.h (modified) (3 diffs)
• JavaScriptCore/runtime/GetterSetter.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/GetterSetter.h (modified) (4 diffs)
• JavaScriptCore/runtime/GlobalEvalFunction.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/GlobalEvalFunction.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSAPIValueWrapper.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSActivation.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSActivation.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSArray.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSArray.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSCell.h (modified) (6 diffs)
• JavaScriptCore/runtime/JSFunction.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSFunction.h (modified) (1 diff)
• JavaScriptCore/runtime/JSGlobalData.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSGlobalData.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSGlobalObject.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSNotAnObject.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSNotAnObject.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSONObject.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSONObject.h (modified) (1 diff)
• JavaScriptCore/runtime/JSObject.cpp (modified) (4 diffs)
• JavaScriptCore/runtime/JSObject.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSPropertyNameIterator.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSPropertyNameIterator.h (modified) (5 diffs)
• JavaScriptCore/runtime/JSStaticScopeObject.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSStaticScopeObject.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSType.h (modified) (1 diff)
• JavaScriptCore/runtime/JSValue.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSWrapperObject.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSWrapperObject.h (modified) (1 diff)
• JavaScriptCore/runtime/MarkStack.cpp (copied) (copied from trunk/WebCore/bindings/js/JSWorkerCustom.cpp) (2 diffs)
• JavaScriptCore/runtime/MarkStack.h (added)
• JavaScriptCore/runtime/MarkStackPosix.cpp (copied) (copied from trunk/WebCore/bindings/js/JSWorkerCustom.cpp) (2 diffs)
• JavaScriptCore/runtime/MarkStackWin.cpp (copied) (copied from trunk/WebCore/bindings/js/JSWorkerCustom.cpp) (2 diffs)
• JavaScriptCore/runtime/ScopeChain.h (modified) (2 diffs)
• JavaScriptCore/runtime/ScopeChainMark.h (modified) (2 diffs)
• JavaScriptCore/runtime/SmallStrings.cpp (modified) (1 diff)
• JavaScriptCore/runtime/Structure.h (modified) (3 diffs)
• JavaScriptGlue/ChangeLog (modified) (1 diff)
• JavaScriptGlue/JSValueWrapper.cpp (modified) (2 diffs)
• JavaScriptGlue/UserObjectImp.cpp (modified) (2 diffs)
• JavaScriptGlue/UserObjectImp.h (modified) (2 diffs)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/nested-object-gc-expected.txt (added)
• LayoutTests/fast/js/nested-object-gc.html (added)
• LayoutTests/fast/js/resources/js-test-pre.js (modified) (1 diff)
• LayoutTests/fast/js/resources/nested-object-gc.js (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSAbstractWorkerCustom.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSDOMApplicationCacheCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMBinding.cpp (modified) (5 diffs)
• WebCore/bindings/js/JSDOMBinding.h (modified) (3 diffs)
• WebCore/bindings/js/JSDOMGlobalObject.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMGlobalObject.h (modified) (1 diff)
• WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSDOMWindowShell.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMWindowShell.h (modified) (1 diff)
• WebCore/bindings/js/JSDedicatedWorkerContextCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDocumentCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSEventListener.cpp (modified) (1 diff)
• WebCore/bindings/js/JSEventListener.h (modified) (1 diff)
• WebCore/bindings/js/JSMessageChannelCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSMessagePortCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSNavigatorCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSNodeCustom.cpp (modified) (5 diffs)
• WebCore/bindings/js/JSNodeFilterCondition.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSNodeFilterCondition.h (modified) (2 diffs)
• WebCore/bindings/js/JSNodeFilterCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSNodeIteratorCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSQuarantinedObjectWrapper.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSQuarantinedObjectWrapper.h (modified) (2 diffs)
• WebCore/bindings/js/JSSVGElementInstanceCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSSharedWorkerContextCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSSharedWorkerCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSStyleSheetCustom.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSTreeWalkerCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSWebSocketCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSWorkerContextCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSWorkerCustom.cpp (modified) (1 diff)
• WebCore/bindings/js/JSXMLHttpRequestCustom.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSXMLHttpRequestUploadCustom.cpp (modified) (2 diffs)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• WebCore/dom/EventListener.h (modified) (3 diffs)
• WebCore/dom/NodeFilter.h (modified) (2 diffs)
• WebCore/dom/NodeFilterCondition.h (modified) (3 diffs)
• WebCore/dom/RegisteredEventListener.h (modified) (2 diffs)
• WebCore/page/DOMWindow.h (modified) (1 diff)
• WebCore/workers/WorkerContext.h (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2009-08-07  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Stack overflow crash in JavaScript garbage collector mark pass
+        https://bugs.webkit.org/show_bug.cgi?id=12216
+
+        Make the GC mark phase iterative by using an explicit mark stack.
+        To do this marking any single object is performed in multiple stages
+          * The object is appended to the MarkStack, this sets the marked
+            bit for the object using the new markDirect() function, and then
+            returns
+          * When the MarkStack is drain()ed the object is popped off the stack
+            and markChildren(MarkStack&) is called on the object to collect 
+            all of its children.  drain() then repeats until the stack is empty.
+
+        Additionally I renamed a number of methods from 'mark' to 'markAggregate'
+        in order to make it more clear that marking of those object was not
+        going to result in an actual recursive mark.
+
+        * GNUmakefile.am
+        * JavaScriptCore.exp:
+        * JavaScriptCore.gypi:
+        * JavaScriptCore.pri:
+        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::markAggregate):
+        * bytecode/CodeBlock.h:
+        * bytecode/EvalCodeCache.h:
+        (JSC::EvalCodeCache::markAggregate):
+        * debugger/DebuggerActivation.cpp:
+        (JSC::DebuggerActivation::markChildren):
+        * debugger/DebuggerActivation.h:
+        * interpreter/Register.h:
+        * interpreter/RegisterFile.h:
+        (JSC::RegisterFile::markGlobals):
+        (JSC::RegisterFile::markCallFrames):
+        * parser/Nodes.cpp:
+        (JSC::ScopeNodeData::markAggregate):
+        (JSC::EvalNode::markAggregate):
+        (JSC::FunctionBodyNode::markAggregate):
+        * parser/Nodes.h:
+        (JSC::ScopeNode::markAggregate):
+        * runtime/ArgList.cpp:
+        (JSC::MarkedArgumentBuffer::markLists):
+        * runtime/ArgList.h:
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::markChildren):
+        * runtime/Arguments.h:
+        * runtime/Collector.cpp:
+        (JSC::Heap::markConservatively):
+        (JSC::Heap::markCurrentThreadConservativelyInternal):
+        (JSC::Heap::markCurrentThreadConservatively):
+        (JSC::Heap::markOtherThreadConservatively):
+        (JSC::Heap::markStackObjectsConservatively):
+        (JSC::Heap::markProtectedObjects):
+        (JSC::Heap::collect):
+        * runtime/Collector.h:
+        * runtime/GetterSetter.cpp:
+        (JSC::GetterSetter::markChildren):
+        * runtime/GetterSetter.h:
+        (JSC::GetterSetter::GetterSetter):
+        (JSC::GetterSetter::createStructure):
+        * runtime/GlobalEvalFunction.cpp:
+        (JSC::GlobalEvalFunction::markChildren):
+        * runtime/GlobalEvalFunction.h:
+        * runtime/JSActivation.cpp:
+        (JSC::JSActivation::markChildren):
+        * runtime/JSActivation.h:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::markChildren):
+        * runtime/JSArray.h:
+        * runtime/JSCell.h:
+        (JSC::JSCell::markCellDirect):
+        (JSC::JSCell::markChildren):
+        (JSC::JSValue::markDirect):
+        (JSC::JSValue::markChildren):
+        (JSC::JSValue::hasChildren):
+        (JSC::MarkStack::append):
+        (JSC::MarkStack::drain):
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::markChildren):
+        * runtime/JSFunction.h:
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::JSGlobalData):
+        * runtime/JSGlobalData.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::markIfNeeded):
+        (JSC::JSGlobalObject::markChildren):
+        * runtime/JSGlobalObject.h:
+        * runtime/JSNotAnObject.cpp:
+        (JSC::JSNotAnObject::markChildren):
+        * runtime/JSNotAnObject.h:
+        * runtime/JSONObject.cpp:
+        (JSC::Stringifier::markAggregate):
+        (JSC::JSONObject::markStringifiers):
+        * runtime/JSONObject.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::markChildren):
+        (JSC::JSObject::defineGetter):
+        (JSC::JSObject::defineSetter):
+        * runtime/JSObject.h:
+        * runtime/JSPropertyNameIterator.cpp:
+        (JSC::JSPropertyNameIterator::markChildren):
+        * runtime/JSPropertyNameIterator.h:
+        (JSC::JSPropertyNameIterator::createStructure):
+        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
+        (JSC::JSPropertyNameIterator::create):
+        * runtime/JSStaticScopeObject.cpp:
+        (JSC::JSStaticScopeObject::markChildren):
+        * runtime/JSStaticScopeObject.h:
+        * runtime/JSType.h:
+        (JSC::):
+        * runtime/JSValue.h:
+        * runtime/JSWrapperObject.cpp:
+        (JSC::JSWrapperObject::markChildren):
+        * runtime/JSWrapperObject.h:
+        * runtime/MarkStack.cpp: Added.
+        (JSC::MarkStack::compact):
+        * runtime/MarkStack.h: Added.
+        (JSC::):
+        (JSC::MarkStack::MarkStack):
+        (JSC::MarkStack::append):
+        (JSC::MarkStack::appendValues):
+        (JSC::MarkStack::~MarkStack):
+        (JSC::MarkStack::MarkSet::MarkSet):
+        (JSC::MarkStack::pageSize):
+        
+        MarkStackArray is a non-shrinking, mmap-based vector type
+        used for storing objects to be marked.
+        (JSC::MarkStack::MarkStackArray::MarkStackArray):
+        (JSC::MarkStack::MarkStackArray::~MarkStackArray):
+        (JSC::MarkStack::MarkStackArray::expand):
+        (JSC::MarkStack::MarkStackArray::append):
+        (JSC::MarkStack::MarkStackArray::removeLast):
+        (JSC::MarkStack::MarkStackArray::isEmpty):
+        (JSC::MarkStack::MarkStackArray::size):
+        (JSC::MarkStack::MarkStackArray::shrinkAllocation):
+        * runtime/MarkStackPosix.cpp: Added.
+        (JSC::MarkStack::allocateStack):
+        (JSC::MarkStack::releaseStack):
+        * runtime/MarkStackWin.cpp: Added.
+        (JSC::MarkStack::allocateStack):
+        (JSC::MarkStack::releaseStack):
+
+        * runtime/ScopeChain.h:
+        * runtime/ScopeChainMark.h:
+        (JSC::ScopeChain::markAggregate):
+        * runtime/SmallStrings.cpp:
+        (JSC::SmallStrings::mark):
+        * runtime/Structure.h:
+        (JSC::Structure::markAggregate):
+
 2009-08-10  Mark Rowe  <mrowe@apple.com>
         

trunk/JavaScriptCore/GNUmakefile.am

@@ -192 +192 @@
         JavaScriptCore/runtime/LiteralParser.cpp \
         JavaScriptCore/runtime/LiteralParser.h \
+        JavaScriptCore/runtime/MarkStack.cpp \
+        JavaScriptCore/runtime/MarkStack.h \
+        JavaScriptCore/runtime/MarkStackPosix.cpp \
         JavaScriptCore/runtime/SmallStrings.cpp \
         JavaScriptCore/runtime/SmallStrings.h \
@@ -437 +440 @@
         JavaScriptCore/runtime/Lookup.cpp \
         JavaScriptCore/runtime/Lookup.h \
+        JavaScriptCore/runtime/MarkStack.cpp \
+        JavaScriptCore/runtime/MarkStack.h \
+        JavaScriptCore/runtime/MarkStackWin.cpp \
         JavaScriptCore/runtime/MathObject.cpp \
         JavaScriptCore/runtime/MathObject.h \

trunk/JavaScriptCore/JavaScriptCore.exp

@@ -132 +132 @@
 __ZN3JSC14JSGlobalObject12defineGetterEPNS_9ExecStateERKNS_10IdentifierEPNS_8JSObjectE
 __ZN3JSC14JSGlobalObject12defineSetterEPNS_9ExecStateERKNS_10IdentifierEPNS_8JSObjectE
+__ZN3JSC14JSGlobalObject12markChildrenERNS_9MarkStackE
 __ZN3JSC14JSGlobalObject17putWithAttributesEPNS_9ExecStateERKNS_10IdentifierENS_7JSValueEj
 __ZN3JSC14JSGlobalObject3putEPNS_9ExecStateERKNS_10IdentifierENS_7JSValueERNS_15PutPropertySlotE  
 __ZN3JSC14JSGlobalObject4initEPNS_8JSObjectE
-__ZN3JSC14JSGlobalObject4markEv
 __ZN3JSC14JSGlobalObjectD2Ev
 __ZN3JSC14JSGlobalObjectnwEmPNS_12JSGlobalDataE
@@ -142 +142 @@
 __ZN3JSC14TimeoutChecker5resetEv
 __ZN3JSC14constructArrayEPNS_9ExecStateERKNS_7ArgListE
-__ZN3JSC15JSWrapperObject4markEv
+__ZN3JSC15JSWrapperObject12markChildrenERNS_9MarkStackE
 __ZN3JSC15toInt32SlowCaseEdRb
 __ZN3JSC16FunctionBodyNode13finishParsingEPNS_10IdentifierEm
@@ -237 +237 @@
 __ZN3JSC8JSObject12lookupGetterEPNS_9ExecStateERKNS_10IdentifierE
 __ZN3JSC8JSObject12lookupSetterEPNS_9ExecStateERKNS_10IdentifierE
+__ZN3JSC8JSObject12markChildrenERNS_9MarkStackE
 __ZN3JSC8JSObject14deletePropertyEPNS_9ExecStateERKNS_10IdentifierE
 __ZN3JSC8JSObject14deletePropertyEPNS_9ExecStateEj
@@ -252 +253 @@
 __ZN3JSC8JSObject3putEPNS_9ExecStateERKNS_10IdentifierENS_7JSValueERNS_15PutPropertySlotE
 __ZN3JSC8JSObject3putEPNS_9ExecStateEjNS_7JSValueE  
-__ZN3JSC8JSObject4markEv
 __ZN3JSC8Profiler13stopProfilingEPNS_9ExecStateERKNS_7UStringE
 __ZN3JSC8Profiler14startProfilingEPNS_9ExecStateERKNS_7UStringE
@@ -260 +260 @@
 __ZN3JSC9CodeBlockD1Ev
 __ZN3JSC9CodeBlockD2Ev
+__ZN3JSC9MarkStack10s_pageSizeE
+__ZN3JSC9MarkStack12releaseStackEPvm
+__ZN3JSC9MarkStack13allocateStackEm
 __ZN3JSC9Structure17stopIgnoringLeaksEv
 __ZN3JSC9Structure18startIgnoringLeaksEv
@@ -327 +330 @@
 __ZNK3JSC12StringObject8toStringEPNS_9ExecStateE
 __ZNK3JSC14JSGlobalObject14isDynamicScopeEv
+
 __ZNK3JSC16FunctionBodyNode14isHostFunctionEv
 __ZNK3JSC16InternalFunction9classInfoEv

trunk/JavaScriptCore/JavaScriptCore.gypi

@@ -266 +266 @@
             'runtime/Lookup.cpp',
             'runtime/Lookup.h',
+            'runtime/MarkStack.cpp',
+            'runtime/MarkStack.h',
+            'runtime/MarkStackWin.cpp',
             'runtime/MathObject.cpp',
             'runtime/MathObject.h',

trunk/JavaScriptCore/JavaScriptCore.pri

@@ -99 +99 @@
     runtime/JSONObject.cpp \
     runtime/LiteralParser.cpp \
+    runtime/MarkStack.cpp \
+    runtime/MarkStackPosix.cpp \
     runtime/TimeoutChecker.cpp \
     bytecode/CodeBlock.cpp \

trunk/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj

@@ -882 +882 @@
                         <File
                                 RelativePath="..\..\runtime\Lookup.h"
+                                >
+                        </File>
+                        <File
+                                RelativePath="..\..\runtime\MarkStack.h"
+                                >
+                        </File>
+                        <File
+                                RelativePath="..\..\runtime\MarkStack.cpp"
+                                >
+                        </File>
+                        <File
+                                RelativePath="..\..\runtime\MarkStackWin.cpp"
                                 >
                         </File>

trunk/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -197 +197 @@
                 A72701B90DADE94900E548D7 /* ExceptionHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = A72701B30DADE94900E548D7 /* ExceptionHelpers.h */; };
                 A727FF6B0DA3092200E548D7 /* JSPropertyNameIterator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A727FF660DA3053B00E548D7 /* JSPropertyNameIterator.cpp */; };
+                A74B3499102A5F8E0032AB98 /* MarkStack.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A74B3498102A5F8E0032AB98 /* MarkStack.cpp */; };
                 A766B44F0EE8DCD1009518CA /* ExecutableAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = A7B48DB50EE74CFC00DCBDB6 /* ExecutableAllocator.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A76EE6590FAE59D5003F069A /* NativeFunctionWrapper.h in Headers */ = {isa = PBXBuildFile; fileRef = A76EE6580FAE59D5003F069A /* NativeFunctionWrapper.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                A7795590101A74D500114E55 /* MarkStack.h in Headers */ = {isa = PBXBuildFile; fileRef = A779558F101A74D500114E55 /* MarkStack.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A782F1A50EEC9FA20036273F /* ExecutableAllocatorPosix.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A782F1A40EEC9FA20036273F /* ExecutableAllocatorPosix.cpp */; };
                 A791EF280F11E07900AE1F68 /* JSByteArray.h in Headers */ = {isa = PBXBuildFile; fileRef = A791EF260F11E07900AE1F68 /* JSByteArray.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -205 +207 @@
                 A7A1F7AD0F252B3C00E184E2 /* ByteArray.h in Headers */ = {isa = PBXBuildFile; fileRef = A7A1F7AB0F252B3C00E184E2 /* ByteArray.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A7B48F490EE8936F00DCBDB6 /* ExecutableAllocator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7B48DB60EE74CFC00DCBDB6 /* ExecutableAllocator.cpp */; };
+                A7C530E4102A3813005BC741 /* MarkStackPosix.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7C530E3102A3813005BC741 /* MarkStackPosix.cpp */; };
                 A7E2EA6B0FB460CF00601F06 /* LiteralParser.h in Headers */ = {isa = PBXBuildFile; fileRef = A7E2EA690FB460CF00601F06 /* LiteralParser.h */; };
                 A7E2EA6C0FB460CF00601F06 /* LiteralParser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A7E2EA6A0FB460CF00601F06 /* LiteralParser.cpp */; };
@@ -739 +742 @@
                 A727FF650DA3053B00E548D7 /* JSPropertyNameIterator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSPropertyNameIterator.h; sourceTree = "<group>"; };
                 A727FF660DA3053B00E548D7 /* JSPropertyNameIterator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSPropertyNameIterator.cpp; sourceTree = "<group>"; };
+                A74B3498102A5F8E0032AB98 /* MarkStack.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MarkStack.cpp; sourceTree = "<group>"; };
                 A76EE6580FAE59D5003F069A /* NativeFunctionWrapper.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NativeFunctionWrapper.h; sourceTree = "<group>"; };
+                A779558F101A74D500114E55 /* MarkStack.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MarkStack.h; sourceTree = "<group>"; };
                 A782F1A40EEC9FA20036273F /* ExecutableAllocatorPosix.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExecutableAllocatorPosix.cpp; sourceTree = "<group>"; };
                 A791EF260F11E07900AE1F68 /* JSByteArray.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSByteArray.h; sourceTree = "<group>"; };
@@ -747 +752 @@
                 A7B48DB50EE74CFC00DCBDB6 /* ExecutableAllocator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExecutableAllocator.h; sourceTree = "<group>"; };
                 A7B48DB60EE74CFC00DCBDB6 /* ExecutableAllocator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExecutableAllocator.cpp; sourceTree = "<group>"; };
+                A7C530E3102A3813005BC741 /* MarkStackPosix.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MarkStackPosix.cpp; sourceTree = "<group>"; };
                 A7E2EA690FB460CF00601F06 /* LiteralParser.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LiteralParser.h; sourceTree = "<group>"; };
                 A7E2EA6A0FB460CF00601F06 /* LiteralParser.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LiteralParser.cpp; sourceTree = "<group>"; };
@@ -1491 +1497 @@
                                 F692A8850255597D01FF60F7 /* UString.cpp */,
                                 F692A8860255597D01FF60F7 /* UString.h */,
+                                A779558F101A74D500114E55 /* MarkStack.h */,
+                                A7C530E3102A3813005BC741 /* MarkStackPosix.cpp */,
+                                A74B3498102A5F8E0032AB98 /* MarkStack.cpp */,
                         );
                         path = runtime;
@@ -1893 +1902 @@
                                 1429DABF0ED263E700B89619 /* WRECParser.h in Headers */,
                                 9688CB160ED12B4E001D649F /* X86Assembler.h in Headers */,
+                                A7795590101A74D500114E55 /* MarkStack.h in Headers */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;
@@ -2259 +2269 @@
                                 1429DAE10ED2645B00B89619 /* WRECGenerator.cpp in Sources */,
                                 1429DAC00ED263E700B89619 /* WRECParser.cpp in Sources */,
+                                A7C530E4102A3813005BC741 /* MarkStackPosix.cpp in Sources */,
+                                A74B3499102A5F8E0032AB98 /* MarkStack.cpp in Sources */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;

trunk/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1429 +1429 @@
 }
 
-void CodeBlock::mark()
-{
-    for (size_t i = 0; i < m_constantRegisters.size(); ++i)
+void CodeBlock::markAggregate(MarkStack& markStack)
+{
+    for (size_t i = 0; i < m_constantRegisters.size(); ++i) {
         if (!m_constantRegisters[i].marked())
-            m_constantRegisters[i].mark();
+            markStack.append(m_constantRegisters[i].jsValue());
+    }
 
     for (size_t i = 0; i < m_functionExpressions.size(); ++i)
-        m_functionExpressions[i]->body()->mark();
+        m_functionExpressions[i]->body()->markAggregate(markStack);
 
     if (m_rareData) {
         for (size_t i = 0; i < m_rareData->m_functions.size(); ++i)
-            m_rareData->m_functions[i]->body()->mark();
-
-        m_rareData->m_evalCodeCache.mark();
+            m_rareData->m_functions[i]->body()->markAggregate(markStack);
+
+        m_rareData->m_evalCodeCache.markAggregate(markStack);
     }
 }

trunk/JavaScriptCore/bytecode/CodeBlock.h

@@ -256 +256 @@
         ~CodeBlock();
 
-        void mark();
+        void markAggregate(MarkStack&);
         void refStructures(Instruction* vPC) const;
         void derefStructures(Instruction* vPC) const;

trunk/JavaScriptCore/bytecode/EvalCodeCache.h

@@ -69 +69 @@
         bool isEmpty() const { return m_cacheMap.isEmpty(); }
 
-        void mark()
+        void markAggregate(MarkStack& markStack)
         {
             EvalCacheMap::iterator end = m_cacheMap.end();
             for (EvalCacheMap::iterator ptr = m_cacheMap.begin(); ptr != end; ++ptr)
-                ptr->second->mark();
+                ptr->second->markAggregate(markStack);
         }
     private:

trunk/JavaScriptCore/debugger/DebuggerActivation.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39 +39 @@
 }
 
-void DebuggerActivation::mark()
+void DebuggerActivation::markChildren(MarkStack& markStack)
 {
-    JSObject::mark();
-    if (m_activation && !m_activation->marked())
-        m_activation->mark();
+    JSObject::markChildren(markStack);
+
+    if (m_activation)
+        markStack.append(m_activation);
 }
 

trunk/JavaScriptCore/debugger/DebuggerActivation.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37 +37 @@
         DebuggerActivation(JSObject*);
 
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
         virtual UString className() const;
         virtual bool getOwnPropertySlot(ExecState*, const Identifier& propertyName, PropertySlot&);

trunk/JavaScriptCore/interpreter/Register.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -57 +57 @@
 
         bool marked() const;
-        void mark();
+        void markChildren(MarkStack&);
         
         Register(JSActivation*);
@@ -121 +121 @@
     }
 
-    ALWAYS_INLINE void Register::mark()
-    {
-        jsValue().mark();
-    }
-    
     // Interpreter functions
 

trunk/JavaScriptCore/interpreter/RegisterFile.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -137 +137 @@
         Register* lastGlobal() const { return m_start - m_numGlobals; }
         
-        void markGlobals(Heap* heap) { heap->markConservatively(lastGlobal(), m_start); }
-        void markCallFrames(Heap* heap) { heap->markConservatively(m_start, m_end); }
+        void markGlobals(MarkStack& markStack, Heap* heap) { heap->markConservatively(markStack, lastGlobal(), m_start); }
+        void markCallFrames(MarkStack& markStack, Heap* heap) { heap->markConservatively(markStack, m_start, m_end); }
 
     private:

trunk/JavaScriptCore/parser/Nodes.cpp

@@ -1819 +1819 @@
 }
 
-void ScopeNodeData::mark()
+void ScopeNodeData::markAggregate(MarkStack& markStack)
 {
     FunctionStack::iterator end = m_functionStack.end();
@@ -1826 +1826 @@
         if (!body->isGenerated())
             continue;
-        body->generatedBytecode().mark();
+        body->generatedBytecode().markAggregate(markStack);
     }
 }
@@ -1973 +1973 @@
 }
 
-void EvalNode::mark()
+void EvalNode::markAggregate(MarkStack& markStack)
 {
     // We don't need to mark our own CodeBlock as the JSGlobalObject takes care of that
-    data()->mark();
+    data()->markAggregate(markStack);
 }
 
@@ -2031 +2031 @@
 }
 
-void FunctionBodyNode::mark()
+void FunctionBodyNode::markAggregate(MarkStack& markStack)
 {
     if (m_code)
-        m_code->mark();
+        m_code->markAggregate(markStack);
 }
 

trunk/JavaScriptCore/parser/Nodes.h

@@ -1391 +1391 @@
         StatementVector m_children;
 
-        void mark();
+        void markAggregate(MarkStack&);
     };
 
@@ -1437 +1437 @@
         }
 
-        virtual void mark() { }
+        virtual void markAggregate(MarkStack&) { }
 
 #if ENABLE(JIT)
@@ -1516 +1516 @@
         EvalCodeBlock& bytecodeForExceptionInfoReparse(ScopeChainNode*, CodeBlock*);
 
-        virtual void mark();
+        virtual void markAggregate(MarkStack&);
 
 #if ENABLE(JIT)
@@ -1564 +1564 @@
         bool isHostFunction() const;
 
-        virtual void mark();
+        virtual void markAggregate(MarkStack&);
 
         void finishParsing(const SourceCode&, ParameterNode*);

trunk/JavaScriptCore/runtime/ArgList.cpp

@@ -1 +1 @@
 /*
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -38 +38 @@
 }
 
-void MarkedArgumentBuffer::markLists(ListSet& markSet)
+void MarkedArgumentBuffer::markLists(MarkStack& markStack, ListSet& markSet)
 {
     ListSet::iterator end = markSet.end();
     for (ListSet::iterator it = markSet.begin(); it != end; ++it) {
         MarkedArgumentBuffer* list = *it;
-
-        iterator end2 = list->end();
-        for (iterator it2 = list->begin(); it2 != end2; ++it2)
-            if (!(*it2).marked())
-                (*it2).mark();
+        markStack.appendValues(reinterpret_cast<JSValue*>(list->m_buffer), list->m_size);
     }
 }

trunk/JavaScriptCore/runtime/ArgList.h

@@ -136 +136 @@
         const_iterator end() const { return m_buffer + m_size; }
 
-        static void markLists(ListSet&);
+        static void markLists(MarkStack&, ListSet&);
 
     private:

trunk/JavaScriptCore/runtime/Arguments.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
@@ -44 +44 @@
 }
 
-void Arguments::mark()
-{
-    JSObject::mark();
-
-    if (d->registerArray) {
-        for (unsigned i = 0; i < d->numParameters; ++i) {
-            if (!d->registerArray[i].marked())
-                d->registerArray[i].mark();
-        }
-    }
+void Arguments::markChildren(MarkStack& markStack)
+{
+    JSObject::markChildren(markStack);
+
+    if (d->registerArray)
+        markStack.appendValues(reinterpret_cast<JSValue*>(d->registerArray.get()), d->numParameters);
 
     if (d->extraArguments) {
         unsigned numExtraArguments = d->numArguments - d->numParameters;
-        for (unsigned i = 0; i < numExtraArguments; ++i) {
-            if (!d->extraArguments[i].marked())
-                d->extraArguments[i].mark();
-        }
-    }
-
-    if (!d->callee->marked())
-        d->callee->mark();
-
-    if (d->activation && !d->activation->marked())
-        d->activation->mark();
+        markStack.appendValues(reinterpret_cast<JSValue*>(d->extraArguments), numExtraArguments);
+    }
+
+    markStack.append(d->callee);
+
+    if (d->activation)
+        markStack.append(d->activation);
 }
 

trunk/JavaScriptCore/runtime/Arguments.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
@@ -62 +62 @@
         static const ClassInfo info;
 
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         void fillArgList(ExecState*, MarkedArgumentBuffer&);

trunk/JavaScriptCore/runtime/Collector.cpp

@@ -1 +1 @@
 /*
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
  *
@@ -31 +31 @@
 #include "JSString.h"
 #include "JSValue.h"
+#include "MarkStack.h"
 #include "Nodes.h"
 #include "Tracing.h"
@@ -643 +644 @@
 #define IS_HALF_CELL_ALIGNED(p) (((intptr_t)(p) & (CELL_MASK >> 1)) == 0)
 
-void Heap::markConservatively(void* start, void* end)
+void Heap::markConservatively(MarkStack& markStack, void* start, void* end)
 {
     if (start > end) {
@@ -684 +685 @@
                 if ((primaryBlocks[block] == blockAddr) & (offset <= lastCellOffset)) {
                     if (reinterpret_cast<CollectorCell*>(xAsBits)->u.freeCell.zeroIfFree != 0) {
-                        JSCell* imp = reinterpret_cast<JSCell*>(xAsBits);
-                        if (!imp->marked())
-                            imp->mark();
+                        markStack.append(reinterpret_cast<JSCell*>(xAsBits));
+                        markStack.drain();
                     }
                     break;
@@ -697 +697 @@
 }
 
-void NEVER_INLINE Heap::markCurrentThreadConservativelyInternal()
+void NEVER_INLINE Heap::markCurrentThreadConservativelyInternal(MarkStack& markStack)
 {
     void* dummy;
     void* stackPointer = &dummy;
     void* stackBase = currentThreadStackBase();
-    markConservatively(stackPointer, stackBase);
-}
-
-void Heap::markCurrentThreadConservatively()
+    markConservatively(markStack, stackPointer, stackBase);
+}
+
+void Heap::markCurrentThreadConservatively(MarkStack& markStack)
 {
     // setjmp forces volatile registers onto the stack
@@ -718 +718 @@
 #endif
 
-    markCurrentThreadConservativelyInternal();
+    markCurrentThreadConservativelyInternal(markStack);
 }
 
@@ -850 +850 @@
 }
 
-void Heap::markOtherThreadConservatively(Thread* thread)
+void Heap::markOtherThreadConservatively(MarkStack& markStack, Thread* thread)
 {
     suspendThread(thread->platformThread);
@@ -858 +858 @@
 
     // mark the thread's registers
-    markConservatively(static_cast<void*>(&regs), static_cast<void*>(reinterpret_cast<char*>(&regs) + regSize));
+    markConservatively(markStack, static_cast<void*>(&regs), static_cast<void*>(reinterpret_cast<char*>(&regs) + regSize));
 
     void* stackPointer = otherThreadStackPointer(regs);
-    markConservatively(stackPointer, thread->stackBase);
+    markConservatively(markStack, stackPointer, thread->stackBase);
 
     resumeThread(thread->platformThread);
@@ -868 +868 @@
 #endif
 
-void Heap::markStackObjectsConservatively()
-{
-    markCurrentThreadConservatively();
+void Heap::markStackObjectsConservatively(MarkStack& markStack)
+{
+    markCurrentThreadConservatively(markStack);
 
 #if ENABLE(JSC_MULTIPLE_THREADS)
@@ -880 +880 @@
 #ifndef NDEBUG
         // Forbid malloc during the mark phase. Marking a thread suspends it, so 
-        // a malloc inside mark() would risk a deadlock with a thread that had been 
+        // a malloc inside markChildren() would risk a deadlock with a thread that had been 
         // suspended while holding the malloc lock.
         fastMallocForbid();
@@ -888 +888 @@
         for (Thread* thread = m_registeredThreads; thread; thread = thread->next) {
             if (!pthread_equal(thread->posixThread, pthread_self()))
-                markOtherThreadConservatively(thread);
+                markOtherThreadConservatively(markStack, thread);
         }
 #ifndef NDEBUG
@@ -948 +948 @@
 }
 
-void Heap::markProtectedObjects()
+void Heap::markProtectedObjects(MarkStack& markStack)
 {
     if (m_protectedValuesMutex)
@@ -956 +956 @@
     for (ProtectCountSet::iterator it = m_protectedValues.begin(); it != end; ++it) {
         JSCell* val = it->first;
-        if (!val->marked())
-            val->mark();
+        if (!val->marked()) {
+            markStack.append(val);
+            markStack.drain();
+        }
     }
 
@@ -1062 +1064 @@
     return numLiveObjects;
 }
-    
+
 bool Heap::collect()
 {
@@ -1081 +1083 @@
 
     // MARK: first mark all referenced objects recursively starting out from the set of root objects
-
-    markStackObjectsConservatively();
-    markProtectedObjects();
+    MarkStack& markStack = m_globalData->markStack;
+    markStackObjectsConservatively(markStack);
+    markProtectedObjects(markStack);
     if (m_markListSet && m_markListSet->size())
-        MarkedArgumentBuffer::markLists(*m_markListSet);
+        MarkedArgumentBuffer::markLists(markStack, *m_markListSet);
     if (m_globalData->exception && !m_globalData->exception.marked())
-        m_globalData->exception.mark();
-    m_globalData->interpreter->registerFile().markCallFrames(this);
+        markStack.append(m_globalData->exception);
+    m_globalData->interpreter->registerFile().markCallFrames(markStack, this);
     m_globalData->smallStrings.mark();
     if (m_globalData->scopeNodeBeingReparsed)
-        m_globalData->scopeNodeBeingReparsed->mark();
+        m_globalData->scopeNodeBeingReparsed->markAggregate(markStack);
     if (m_globalData->firstStringifierToMark)
-        JSONObject::markStringifiers(m_globalData->firstStringifierToMark);
-
+        JSONObject::markStringifiers(markStack, m_globalData->firstStringifierToMark);
+
+    markStack.drain();
+    markStack.compact();
     JAVASCRIPTCORE_GC_MARKED();
 

trunk/JavaScriptCore/runtime/Collector.h

@@ -40 +40 @@
 namespace JSC {
 
-    class MarkedArgumentBuffer;
     class CollectorBlock;
     class JSCell;
     class JSGlobalData;
     class JSValue;
+    class MarkedArgumentBuffer;
+    class MarkStack;
 
     enum OperationInProgress { NoOperation, Allocation, Collection };
@@ -112 +113 @@
         static void markCell(JSCell*);
 
-        void markConservatively(void* start, void* end);
+        void markConservatively(MarkStack&, void* start, void* end);
 
         HashSet<MarkedArgumentBuffer*>& markListSet() { if (!m_markListSet) m_markListSet = new HashSet<MarkedArgumentBuffer*>; return *m_markListSet; }
@@ -134 +135 @@
 
         void recordExtraCost(size_t);
-        void markProtectedObjects();
-        void markCurrentThreadConservatively();
-        void markCurrentThreadConservativelyInternal();
-        void markOtherThreadConservatively(Thread*);
-        void markStackObjectsConservatively();
+        void markProtectedObjects(MarkStack&);
+        void markCurrentThreadConservatively(MarkStack&);
+        void markCurrentThreadConservativelyInternal(MarkStack&);
+        void markOtherThreadConservatively(MarkStack&, Thread*);
+        void markStackObjectsConservatively(MarkStack&);
 
         typedef HashCountedSet<JSCell*> ProtectCountSet;

trunk/JavaScriptCore/runtime/GetterSetter.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2004, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -29 +29 @@
 namespace JSC {
 
-void GetterSetter::mark()
+void GetterSetter::markChildren(MarkStack& markStack)
 {
-    JSCell::mark();
+    JSCell::markChildren(markStack);
 
     if (m_getter && !m_getter->marked())
-        m_getter->mark();
+        markStack.append(m_getter);
     if (m_setter && !m_setter->marked())
-        m_setter->mark();
+        markStack.append(m_setter);
 }
 

trunk/JavaScriptCore/runtime/GetterSetter.h

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -34 +34 @@
     class GetterSetter : public JSCell {
     public:
-        GetterSetter()
-            : JSCell(0)
+        GetterSetter(ExecState* exec)
+            : JSCell(exec->globalData().getterSetterStructure.get())
             , m_getter(0)
             , m_setter(0)
@@ -41 +41 @@
         }
 
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         JSObject* getter() const { return m_getter; }
@@ -47 +47 @@
         JSObject* setter() const { return m_setter; }
         void setSetter(JSObject* setter) { m_setter = setter; }
-
+        static PassRefPtr<Structure> createStructure(JSValue prototype)
+        {
+            return Structure::create(prototype, TypeInfo(GetterSetterType));
+        }
     private:
         virtual bool isGetterSetter() const;

trunk/JavaScriptCore/runtime/GlobalEvalFunction.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
@@ -40 +40 @@
 }
 
-void GlobalEvalFunction::mark()
+void GlobalEvalFunction::markChildren(MarkStack& markStack)
 {
-    PrototypeFunction::mark();
-    if (!m_cachedGlobalObject->marked())
-        m_cachedGlobalObject->mark();
+    PrototypeFunction::markChildren(markStack);
+    markStack.append(m_cachedGlobalObject);
 }
 

trunk/JavaScriptCore/runtime/GlobalEvalFunction.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
@@ -37 +37 @@
 
     private:
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         JSGlobalObject* m_cachedGlobalObject;

trunk/JavaScriptCore/runtime/JSAPIValueWrapper.h

@@ -27 +27 @@
 
 #include "JSCell.h"
+#include "CallFrame.h"
 
 namespace JSC {
@@ -43 +44 @@
         virtual UString toString(ExecState*) const;
         virtual JSObject* toObject(ExecState*) const;
+        static PassRefPtr<Structure> createStructure(JSValue prototype)
+        {
+            return Structure::create(prototype, TypeInfo(CompoundType));
+        }
 
+        
     private:
-        JSAPIValueWrapper(JSValue value)
-            : JSCell(0)
+        JSAPIValueWrapper(ExecState* exec, JSValue value)
+            : JSCell(exec->globalData().apiWrapperStructure.get())
             , m_value(value)
         {
@@ -56 +62 @@
     inline JSValue jsAPIValueWrapper(ExecState* exec, JSValue value)
     {
-        return new (exec) JSAPIValueWrapper(value);
+        return new (exec) JSAPIValueWrapper(exec, value);
     }
 

trunk/JavaScriptCore/runtime/JSActivation.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -50 +50 @@
 }
 
-void JSActivation::mark()
+void JSActivation::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
     Register* registerArray = d()->registerArray.get();
@@ -60 +60 @@
     size_t numParametersMinusThis = d()->functionBody->generatedBytecode().m_numParameters - 1;
 
-    size_t i = 0;
-    size_t count = numParametersMinusThis; 
-    for ( ; i < count; ++i) {
-        Register& r = registerArray[i];
-        if (!r.marked())
-            r.mark();
-    }
+    size_t count = numParametersMinusThis;
+    markStack.appendValues(registerArray, count);
 
     size_t numVars = d()->functionBody->generatedBytecode().m_numVars;
 
     // Skip the call frame, which sits between the parameters and vars.
-    i += RegisterFile::CallFrameHeaderSize;
-    count += RegisterFile::CallFrameHeaderSize + numVars;
-
-    for ( ; i < count; ++i) {
-        Register& r = registerArray[i];
-        if (r.jsValue() && !r.marked())
-            r.mark();
-    }
+    markStack.appendValues(registerArray + count + RegisterFile::CallFrameHeaderSize, numVars, MayContainNullValues);
 }
 

trunk/JavaScriptCore/runtime/JSActivation.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -47 +47 @@
         virtual ~JSActivation();
 
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         virtual bool isDynamicScope() const;

trunk/JavaScriptCore/runtime/JSArray.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *  Copyright (C) 2003 Peter Kelly (pmk@post.com)
  *  Copyright (C) 2006 Alexey Proskuryakov (ap@nypop.com)
@@ -602 +602 @@
 }
 
-void JSArray::mark()
-{
-    JSObject::mark();
+void JSArray::markChildren(MarkStack& markStack)
+{
+    JSObject::markChildren(markStack);
 
     ArrayStorage* storage = m_storage;
 
     unsigned usedVectorLength = min(storage->m_length, storage->m_vectorLength);
-    for (unsigned i = 0; i < usedVectorLength; ++i) {
-        JSValue value = storage->m_vector[i];
-        if (value && !value.marked())
-            value.mark();
-    }
+    markStack.appendValues(storage->m_vector, usedVectorLength, MayContainNullValues);
 
     if (SparseArrayValueMap* map = storage->m_sparseValueMap) {
         SparseArrayValueMap::iterator end = map->end();
-        for (SparseArrayValueMap::iterator it = map->begin(); it != end; ++it) {
-            JSValue value = it->second;
-            if (!value.marked())
-                value.mark();
-        }
+        for (SparseArrayValueMap::iterator it = map->begin(); it != end; ++it)
+            markStack.append(it->second);
     }
 }

trunk/JavaScriptCore/runtime/JSArray.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -89 +89 @@
         virtual bool deleteProperty(ExecState*, unsigned propertyName);
         virtual void getPropertyNames(ExecState*, PropertyNameArray&);
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         void* lazyCreationData();

trunk/JavaScriptCore/runtime/JSCell.h

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -86 +86 @@
         void* operator new(size_t, JSGlobalData*);
         void* operator new(size_t, void* placementNewDestination) { return placementNewDestination; }
-        virtual void mark();
+
+        void markCellDirect();
+        virtual void markChildren(MarkStack&);
         bool marked() const;
 
@@ -154 +156 @@
     }
 
-    inline void JSCell::mark()
-    {
-        return Heap::markCell(this);
+    inline void JSCell::markCellDirect()
+    {
+        Heap::markCell(this);
+    }
+
+    inline void JSCell::markChildren(MarkStack&)
+    {
+        ASSERT(marked());
     }
 
@@ -225 +232 @@
     }
 
-    inline void JSValue::mark()
-    {
-        asCell()->mark(); // callers should check !marked() before calling mark(), so this should only be called with cells
+    inline void JSValue::markDirect()
+    {
+        ASSERT(!marked());
+        asCell()->markCellDirect();
+    }
+
+    inline void JSValue::markChildren(MarkStack& markStack)
+    {
+        ASSERT(marked());
+        asCell()->markChildren(markStack);
     }
 
@@ -340 +354 @@
         return JSValue();
     }
+    
+    inline bool JSValue::hasChildren() const
+    {
+        return asCell()->structure()->typeInfo().type() >= CompoundType;
+    }
+    
 
     inline JSObject* JSValue::toObject(ExecState* exec) const
@@ -351 +371 @@
     }
 
+    ALWAYS_INLINE void MarkStack::append(JSCell* cell)
+    {
+        ASSERT(cell);
+        if (cell->marked())
+            return;
+        cell->markCellDirect();
+        if (cell->structure()->typeInfo().type() >= CompoundType)
+            m_values.append(cell);
+    }
+
+    inline void MarkStack::drain() {
+        while (!m_markSets.isEmpty() || !m_values.isEmpty()) {
+            while ((!m_markSets.isEmpty()) && m_values.size() < 50) {
+                const MarkSet& current = m_markSets.removeLast();
+                JSValue* ptr = current.m_values;
+                JSValue* end = current.m_end;
+                if (current.m_properties == NoNullValues) {
+                    while (ptr != end)
+                        append(*ptr++);
+                } else {
+                    while (ptr != end) {
+                        if (JSValue value = *ptr++)
+                            append(value);
+                    }
+                }
+            }
+            while (!m_values.isEmpty()) {
+                JSCell* current = m_values.removeLast();
+                ASSERT(current->marked());
+                current->markChildren(*this);
+            }
+        }
+    }
 } // namespace JSC
 

trunk/JavaScriptCore/runtime/JSFunction.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
@@ -84 +84 @@
 }
 
-void JSFunction::mark()
-{
-    Base::mark();
-    m_body->mark();
+void JSFunction::markChildren(MarkStack& markStack)
+{
+    Base::markChildren(markStack);
+    m_body->markAggregate(markStack);
     if (!isHostFunction())
-        scopeChain().mark();
+        scopeChain().markAggregate(markStack);
 }
 

trunk/JavaScriptCore/runtime/JSFunction.h

@@ -69 +69 @@
         FunctionBodyNode* body() const { return m_body.get(); }
 
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         static JS_EXPORTDATA const ClassInfo info;

trunk/JavaScriptCore/runtime/JSGlobalData.cpp

@@ -34 +34 @@
 #include "CommonIdentifiers.h"
 #include "FunctionConstructor.h"
+#include "GetterSetter.h"
 #include "Interpreter.h"
 #include "JSActivation.h"
+#include "JSAPIValueWrapper.h"
 #include "JSArray.h"
 #include "JSByteArray.h"
@@ -42 +44 @@
 #include "JSLock.h"
 #include "JSNotAnObject.h"
+#include "JSPropertyNameIterator.h"
 #include "JSStaticScopeObject.h"
 #include "Parser.h"
@@ -119 +122 @@
     , notAnObjectErrorStubStructure(JSNotAnObjectErrorStub::createStructure(jsNull()))
     , notAnObjectStructure(JSNotAnObject::createStructure(jsNull()))
+    , propertyNameIteratorStructure(JSPropertyNameIterator::createStructure(jsNull()))
+    , getterSetterStructure(GetterSetter::createStructure(jsNull()))
+    , apiWrapperStructure(JSAPIValueWrapper::createStructure(jsNull()))
 #if USE(JSVALUE32)
     , numberStructure(JSNumberCell::createStructure(jsNull()))

trunk/JavaScriptCore/runtime/JSGlobalData.h

@@ -34 +34 @@
 #include "JITStubs.h"
 #include "JSValue.h"
+#include "MarkStack.h"
 #include "SmallStrings.h"
 #include "TimeoutChecker.h"
@@ -98 +99 @@
         RefPtr<Structure> notAnObjectErrorStubStructure;
         RefPtr<Structure> notAnObjectStructure;
+        RefPtr<Structure> propertyNameIteratorStructure;
+        RefPtr<Structure> getterSetterStructure;
+        RefPtr<Structure> apiWrapperStructure;
+
 #if USE(JSVALUE32)
         RefPtr<Structure> numberStructure;
@@ -144 +149 @@
         Stringifier* firstStringifierToMark;
 
+        MarkStack markStack;
     private:
         JSGlobalData(bool isShared, const VPtrSet&);

trunk/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -81 +81 @@
 static const int preferredScriptCheckTimeInterval = 1000;
 
-static inline void markIfNeeded(JSValue v)
-{
-    if (v && !v.marked())
-        v.mark();
-}
-
-static inline void markIfNeeded(const RefPtr<Structure>& s)
+static inline void markIfNeeded(MarkStack& markStack, JSValue v)
+{
+    if (v)
+        markStack.append(v);
+}
+
+static inline void markIfNeeded(MarkStack& markStack, const RefPtr<Structure>& s)
 {
     if (s)
-        s->mark();
+        s->markAggregate(markStack);
 }
 
@@ -358 +358 @@
 }
 
-void JSGlobalObject::mark()
-{
-    JSVariableObject::mark();
+void JSGlobalObject::markChildren(MarkStack& markStack)
+{
+    JSVariableObject::markChildren(markStack);
     
     HashSet<ProgramCodeBlock*>::const_iterator end = codeBlocks().end();
     for (HashSet<ProgramCodeBlock*>::const_iterator it = codeBlocks().begin(); it != end; ++it)
-        (*it)->mark();
+        (*it)->markAggregate(markStack);
 
     RegisterFile& registerFile = globalData()->interpreter->registerFile();
     if (registerFile.globalObject() == this)
-        registerFile.markGlobals(&globalData()->heap);
-
-    markIfNeeded(d()->regExpConstructor);
-    markIfNeeded(d()->errorConstructor);
-    markIfNeeded(d()->evalErrorConstructor);
-    markIfNeeded(d()->rangeErrorConstructor);
-    markIfNeeded(d()->referenceErrorConstructor);
-    markIfNeeded(d()->syntaxErrorConstructor);
-    markIfNeeded(d()->typeErrorConstructor);
-    markIfNeeded(d()->URIErrorConstructor);
-
-    markIfNeeded(d()->evalFunction);
-    markIfNeeded(d()->callFunction);
-    markIfNeeded(d()->applyFunction);
-
-    markIfNeeded(d()->objectPrototype);
-    markIfNeeded(d()->functionPrototype);
-    markIfNeeded(d()->arrayPrototype);
-    markIfNeeded(d()->booleanPrototype);
-    markIfNeeded(d()->stringPrototype);
-    markIfNeeded(d()->numberPrototype);
-    markIfNeeded(d()->datePrototype);
-    markIfNeeded(d()->regExpPrototype);
-
-    markIfNeeded(d()->methodCallDummy);
-
-    markIfNeeded(d()->errorStructure);
+        registerFile.markGlobals(markStack, &globalData()->heap);
+
+    markIfNeeded(markStack, d()->regExpConstructor);
+    markIfNeeded(markStack, d()->errorConstructor);
+    markIfNeeded(markStack, d()->evalErrorConstructor);
+    markIfNeeded(markStack, d()->rangeErrorConstructor);
+    markIfNeeded(markStack, d()->referenceErrorConstructor);
+    markIfNeeded(markStack, d()->syntaxErrorConstructor);
+    markIfNeeded(markStack, d()->typeErrorConstructor);
+    markIfNeeded(markStack, d()->URIErrorConstructor);
+
+    markIfNeeded(markStack, d()->evalFunction);
+    markIfNeeded(markStack, d()->callFunction);
+    markIfNeeded(markStack, d()->applyFunction);
+
+    markIfNeeded(markStack, d()->objectPrototype);
+    markIfNeeded(markStack, d()->functionPrototype);
+    markIfNeeded(markStack, d()->arrayPrototype);
+    markIfNeeded(markStack, d()->booleanPrototype);
+    markIfNeeded(markStack, d()->stringPrototype);
+    markIfNeeded(markStack, d()->numberPrototype);
+    markIfNeeded(markStack, d()->datePrototype);
+    markIfNeeded(markStack, d()->regExpPrototype);
+
+    markIfNeeded(markStack, d()->methodCallDummy);
+
+    markIfNeeded(markStack, d()->errorStructure);
 
     // No need to mark the other structures, because their prototypes are all
@@ -404 +404 @@
 
     size_t size = d()->registerArraySize;
-    for (size_t i = 0; i < size; ++i) {
-        Register& r = registerArray[i];
-        if (!r.marked())
-            r.mark();
-    }
+    markStack.appendValues(reinterpret_cast<JSValue*>(registerArray), size);
 }
 

trunk/JavaScriptCore/runtime/JSGlobalObject.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
- *  Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -167 +167 @@
         virtual ~JSGlobalObject();
 
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         virtual bool getOwnPropertySlot(ExecState*, const Identifier&, PropertySlot&);

trunk/JavaScriptCore/runtime/JSNotAnObject.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -75 +75 @@
 
 // Marking
-void JSNotAnObject::mark()
+void JSNotAnObject::markChildren(MarkStack& markStack)
 {
-    JSCell::mark();
-    if (!m_exception->marked())
-        m_exception->mark();
+    JSObject::markChildren(markStack);
+    markStack.append(m_exception);
 }
 

trunk/JavaScriptCore/runtime/JSNotAnObject.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -76 +76 @@
 
         // Marking
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         // JSObject methods

trunk/JavaScriptCore/runtime/JSONObject.cpp

@@ -68 +68 @@
     JSValue stringify(JSValue);
 
-    void mark();
+    void markAggregate(MarkStack&);
 
 private:
@@ -222 +222 @@
 }
 
-void Stringifier::mark()
+void Stringifier::markAggregate(MarkStack& markStack)
 {
     for (Stringifier* stringifier = this; stringifier; stringifier = stringifier->m_nextStringifierToMark) {
         size_t size = m_holderStack.size();
-        for (size_t i = 0; i < size; ++i) {
-            JSObject* object = m_holderStack[i].object();
-            if (!object->marked())
-                object->mark();
-        }
+        for (size_t i = 0; i < size; ++i)
+            markStack.append(m_holderStack[i].object());
     }
 }
@@ -585 +582 @@
 }
 
-void JSONObject::markStringifiers(Stringifier* stringifier)
-{
-    stringifier->mark();
+void JSONObject::markStringifiers(MarkStack& markStack, Stringifier* stringifier)
+{
+    stringifier->markAggregate(markStack);
 }
 

trunk/JavaScriptCore/runtime/JSONObject.h

@@ -45 +45 @@
         }
 
-        static void markStringifiers(Stringifier*);
+        static void markStringifiers(MarkStack&, Stringifier*);
 
     private:

trunk/JavaScriptCore/runtime/JSObject.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2008, 2009 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Eric Seidel (eric@webkit.org)
  *
@@ -63 +63 @@
 ASSERT_CLASS_FITS_IN_CELL(JSObject);
 
-void JSObject::mark()
+void JSObject::markChildren(MarkStack& markStack)
 {
     JSOBJECT_MARK_BEGIN();
 
-    JSCell::mark();
-    m_structure->mark();
+    JSCell::markChildren(markStack);
+    m_structure->markAggregate(markStack);
 
     PropertyStorage storage = propertyStorage();
-
     size_t storageSize = m_structure->propertyStorageSize();
-    for (size_t i = 0; i < storageSize; ++i) {
-        JSValue v = JSValue::decode(storage[i]);
-        if (!v.marked())
-            v.mark();
-    }
+    markStack.appendValues(reinterpret_cast<JSValue*>(storage), storageSize);
 
     JSOBJECT_MARK_END();
@@ -311 +306 @@
 
     PutPropertySlot slot;
-    GetterSetter* getterSetter = new (exec) GetterSetter;
+    GetterSetter* getterSetter = new (exec) GetterSetter(exec);
     putDirectInternal(exec->globalData(), propertyName, getterSetter, Getter, true, slot);
 
@@ -338 +333 @@
 
     PutPropertySlot slot;
-    GetterSetter* getterSetter = new (exec) GetterSetter;
+    GetterSetter* getterSetter = new (exec) GetterSetter(exec);
     putDirectInternal(exec->globalData(), propertyName, getterSetter, Setter, true, slot);
 

trunk/JavaScriptCore/runtime/JSObject.h

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -74 +74 @@
         explicit JSObject(PassRefPtr<Structure>);
 
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         // The inline virtual destructor cannot be the first virtual function declared

trunk/JavaScriptCore/runtime/JSPropertyNameIterator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -74 +74 @@
 }
 
-void JSPropertyNameIterator::mark()
+void JSPropertyNameIterator::markChildren(MarkStack& markStack)
 {
-    JSCell::mark();
-    if (m_object && !m_object->marked())
-        m_object->mark();
+    JSCell::markChildren(markStack);
+    if (m_object)
+        markStack.append(m_object);
 }
 

trunk/JavaScriptCore/runtime/JSPropertyNameIterator.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -52 +52 @@
         virtual JSObject* toObject(ExecState*) const;
 
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         JSValue next(ExecState*);
         void invalidate();
-
+        
+        static PassRefPtr<Structure> createStructure(JSValue prototype)
+        {
+            return Structure::create(prototype, TypeInfo(CompoundType));
+        }
     private:
-        JSPropertyNameIterator();
-        JSPropertyNameIterator(JSObject*, PassRefPtr<PropertyNameArrayData> propertyNameArrayData);
+        JSPropertyNameIterator(ExecState*);
+        JSPropertyNameIterator(ExecState*, JSObject*, PassRefPtr<PropertyNameArrayData> propertyNameArrayData);
 
         JSObject* m_object;
@@ -67 +71 @@
     };
 
-inline JSPropertyNameIterator::JSPropertyNameIterator()
-    : JSCell(0)
+inline JSPropertyNameIterator::JSPropertyNameIterator(ExecState* exec)
+    : JSCell(exec->globalData().propertyNameIteratorStructure.get())
     , m_object(0)
     , m_position(0)
@@ -75 +79 @@
 }
 
-inline JSPropertyNameIterator::JSPropertyNameIterator(JSObject* object, PassRefPtr<PropertyNameArrayData> propertyNameArrayData)
-    : JSCell(0)
+inline JSPropertyNameIterator::JSPropertyNameIterator(ExecState* exec, JSObject* object, PassRefPtr<PropertyNameArrayData> propertyNameArrayData)
+    : JSCell(exec->globalData().propertyNameIteratorStructure.get())
     , m_object(object)
     , m_data(propertyNameArrayData)
@@ -87 +91 @@
 {
     if (v.isUndefinedOrNull())
-        return new (exec) JSPropertyNameIterator;
+        return new (exec) JSPropertyNameIterator(exec);
 
     JSObject* o = v.toObject(exec);
     PropertyNameArray propertyNames(exec);
     o->getPropertyNames(exec, propertyNames);
-    return new (exec) JSPropertyNameIterator(o, propertyNames.releaseData());
+    return new (exec) JSPropertyNameIterator(exec, o, propertyNames.releaseData());
 }
 

trunk/JavaScriptCore/runtime/JSStaticScopeObject.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32 +32 @@
 ASSERT_CLASS_FITS_IN_CELL(JSStaticScopeObject);
 
-void JSStaticScopeObject::mark()
+void JSStaticScopeObject::markChildren(MarkStack& markStack)
 {
-    JSVariableObject::mark();
-    
-    if (!d()->registerStore.marked())
-        d()->registerStore.mark();
+    JSVariableObject::markChildren(markStack);
+    markStack.append(d()->registerStore.jsValue());
 }
 

trunk/JavaScriptCore/runtime/JSStaticScopeObject.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -51 +51 @@
         }
         virtual ~JSStaticScopeObject();
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
         bool isDynamicScope() const;
         virtual JSObject* toThisObject(ExecState*) const;

trunk/JavaScriptCore/runtime/JSType.h

@@ -34 +34 @@
         NullType          = 4,
         StringType        = 5,
-        ObjectType        = 6,
-        GetterSetterType  = 7
+        
+        // The CompoundType value must come before any JSType that may have children
+        CompoundType      = 6,
+        ObjectType        = 7,
+        GetterSetterType  = 8
     };
 

trunk/JavaScriptCore/runtime/JSValue.h

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -43 +43 @@
     class JSObject;
     class JSString;
+    class MarkStack;
     class PropertySlot;
     class PutPropertySlot;
@@ -173 +174 @@
 
         // Garbage collection.
-        void mark();
+        void markChildren(MarkStack&);
+        bool hasChildren() const;
         bool marked() const;
+        void markDirect();
 
         // Object operations, with the toObject operation included.

trunk/JavaScriptCore/runtime/JSWrapperObject.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 2006 Maks Orlovich
- *  Copyright (C) 2006 Apple Computer, Inc.
+ *  Copyright (C) 2006, 2009 Apple, Inc.
  *
  *  This library is free software; you can redistribute it and/or
@@ -27 +27 @@
 ASSERT_CLASS_FITS_IN_CELL(JSWrapperObject);
 
-void JSWrapperObject::mark() 
+void JSWrapperObject::markChildren(MarkStack& markStack) 
 {
-    JSObject::mark();
-    if (m_internalValue && !m_internalValue.marked())
-        m_internalValue.mark();
+    JSObject::markChildren(markStack);
+    if (m_internalValue)
+        markStack.append(m_internalValue);
 }
 

trunk/JavaScriptCore/runtime/JSWrapperObject.h

@@ -37 +37 @@
         void setInternalValue(JSValue);
         
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
         
     private:

trunk/JavaScriptCore/runtime/MarkStack.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -25 +25 @@
 
 #include "config.h"
+#include "MarkStack.h"
 
-#if ENABLE(WORKERS)
+namespace JSC
+{
 
-#include "JSWorker.h"
+size_t MarkStack::s_pageSize = 0;
 
-#include "JSDOMGlobalObject.h"
-#include "Worker.h"
-
-using namespace JSC;
-
-namespace WebCore {
-    
-void JSWorker::mark()
+void MarkStack::compact()
 {
-    Base::mark();
-
-    markIfNotNull(static_cast<Worker*>(impl())->onmessage());
+    ASSERT(s_pageSize);
+    m_values.shrinkAllocation(s_pageSize);
+    m_markSets.shrinkAllocation(s_pageSize);
 }
 
-} // namespace WebCore
-
-#endif // ENABLE(WORKERS)
+}

trunk/JavaScriptCore/runtime/MarkStackPosix.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #include "config.h"
 
-#if ENABLE(WORKERS)
 
-#include "JSWorker.h"
+#include "MarkStack.h"
+#include <sys/mman.h>
 
-#include "JSDOMGlobalObject.h"
-#include "Worker.h"
-
-using namespace JSC;
-
-namespace WebCore {
-    
-void JSWorker::mark()
+namespace JSC {
+void* MarkStack::allocateStack(size_t size)
 {
-    Base::mark();
-
-    markIfNotNull(static_cast<Worker*>(impl())->onmessage());
+    return mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
+}
+void MarkStack::releaseStack(void* addr, size_t size)
+{
+    munmap(addr, size);
 }
 
-} // namespace WebCore
-
-#endif // ENABLE(WORKERS)
+}

trunk/JavaScriptCore/runtime/MarkStackWin.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #include "config.h"
 
-#if ENABLE(WORKERS)
 
-#include "JSWorker.h"
+#include "MarkStack.h"
 
-#include "JSDOMGlobalObject.h"
-#include "Worker.h"
+#include "windows.h"
 
-using namespace JSC;
-
-namespace WebCore {
-    
-void JSWorker::mark()
+namespace JSC {
+void* MarkStack::allocateStack(size_t size)
 {
-    Base::mark();
-
-    markIfNotNull(static_cast<Worker*>(impl())->onmessage());
+    return VirtualAlloc(0, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+}
+void MarkStack::releaseStack(void* addr, size_t size)
+{
+    VirtualFree(addr, size, MEM_RELEASE);
 }
 
-} // namespace WebCore
-
-#endif // ENABLE(WORKERS)
+}

trunk/JavaScriptCore/runtime/ScopeChain.h

@@ -1 +1 @@
 /*
- *  Copyright (C) 2003, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -205 +205 @@
         JSGlobalObject* globalObject() const { return m_node->globalObject(); }
 
-        void mark() const;
+        void markAggregate(MarkStack&) const;
 
         // Caution: this should only be used if the codeblock this is being used

trunk/JavaScriptCore/runtime/ScopeChainMark.h

@@ -1 +1 @@
 /*
- *  Copyright (C) 2003, 2006, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2006, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -26 +26 @@
 namespace JSC {
 
-    inline void ScopeChain::mark() const
+    inline void ScopeChain::markAggregate(MarkStack& markStack) const
     {
-        for (ScopeChainNode* n = m_node; n; n = n->next) {
-            JSObject* o = n->object;
-            if (!o->marked())
-                o->mark();
-        }
+        for (ScopeChainNode* n = m_node; n; n = n->next)
+            markStack.append(n->object);
     }
 

trunk/JavaScriptCore/runtime/SmallStrings.cpp

@@ -86 +86 @@
 {
     if (m_emptyString && !m_emptyString->marked())
-        m_emptyString->mark();
+        m_emptyString->markCellDirect();
     for (unsigned i = 0; i < numCharactersToStore; ++i) {
         if (m_singleCharacterStrings[i] && !m_singleCharacterStrings[i]->marked())
-            m_singleCharacterStrings[i]->mark();
+            m_singleCharacterStrings[i]->markCellDirect();
     }
 }

trunk/JavaScriptCore/runtime/Structure.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
 #include "JSType.h"
 #include "JSValue.h"
+#include "MarkStack.h"
 #include "PropertyMapHashTable.h"
 #include "StructureChain.h"
@@ -73 +74 @@
         ~Structure();
 
-        void mark()
-        {
-            if (!m_prototype.marked())
-                m_prototype.mark();
+        void markAggregate(MarkStack& markStack)
+        {
+            markStack.append(m_prototype);
         }
 

trunk/JavaScriptGlue/ChangeLog

@@ +1 @@
+2009-08-07  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Stack overflow crash in JavaScript garbage collector mark pass
+        https://bugs.webkit.org/show_bug.cgi?id=12216
+
+        Make JSGlue interact with the new iterative mark logic.
+
+        * JSValueWrapper.cpp:
+        (JSValueWrapper::JSObjectMark):
+          Unfortunately JSGlue exposes recursive marking so we can only flatten
+          the recursion.  We just create a local mark stack if necessary and mark
+          the given object iteratively from this point.
+        * UserObjectImp.cpp:
+        (UserObjectImp::markChildren):
+        * UserObjectImp.h:
+
 2009-08-06  Mark Rowe  <mrowe@apple.com>
 

trunk/JavaScriptGlue/JSValueWrapper.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2005 Apple Computer, Inc.  All rights reserved.
+ * Copyright (C) 2005, 2009 Apple Computer, Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -195 +195 @@
 {
     JSValueWrapper* ptr = (JSValueWrapper*)data;
-    if (ptr)
-    {
-        ptr->fValue.get().mark();
-    }
-}
+    if (ptr && !ptr->fValue.get().marked())
+    {
+        // This results in recursive marking but will be otherwise safe and correct.
+        MarkStack markStack;
+        markStack.append(ptr->fValue.get());
+        markStack.drain();
+    }
+}

trunk/JavaScriptGlue/UserObjectImp.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2005, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2005, 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -410 +410 @@
 }
 
-void UserObjectImp::mark()
-{
-    JSObject::mark();
+void UserObjectImp::markChildren(MarkStack& markStack)
+{
+    JSObject::markChildren(markStack);
     if (fJSUserObject)
         fJSUserObject->Mark();

trunk/JavaScriptGlue/UserObjectImp.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2005, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2005, 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -56 +56 @@
     virtual UString toString(ExecState *exec) const;
 
-    virtual void mark();
+    virtual void markChildren(MarkStack&);
 
     JSUserObject *GetJSUserObject() const;

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2009-08-07  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Stack overflow crash in JavaScript garbage collector mark pass
+        https://bugs.webkit.org/show_bug.cgi?id=12216
+
+        Add a testcase that requires marking of a deeply nested object.
+
+        * fast/js/nested-object-gc-expected.txt: Added.
+        * fast/js/nested-object-gc.html: Added.
+        * fast/js/resources/js-test-pre.js:
+            Add a gc() function that triggers a gc or calls the gc controller if it's present
+        * fast/js/resources/nested-object-gc.js: Added.
+
 2009-08-10  Jeremy Orlow  <jorlow@chromium.org>
 

trunk/LayoutTests/fast/js/resources/js-test-pre.js

@@ -187 +187 @@
     testFailed(_a + " should throw " + (typeof _e == "undefined" ? "an exception" : _ev) + ". Was " + _av + ".");
 }
+
+function gc() {
+    if (typeof GCController !== "undefined")
+        GCController.collect();
+    else {
+        function gcRec(n) {
+            if (n < 1)
+                return {};
+            var temp = {i: "ab" + i + (i / 100000)};
+            temp += "foo";
+            gcRec(n-1);
+        }
+        for (var i = 0; i < 1000; i++)
+            gcRec(10)
+    }
+}

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-08-07  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig
+
+        Stack overflow crash in JavaScript garbage collector mark pass
+        https://bugs.webkit.org/show_bug.cgi?id=12216
+
+        Make WebCore use the new iterative marking logic.
+
+        Tests: fast/js/nested-object-gc.html
+
+        * bindings/js/JSAbstractWorkerCustom.cpp:
+        (WebCore::JSAbstractWorker::markChildren):
+        * bindings/js/JSDOMApplicationCacheCustom.cpp:
+        (WebCore::JSDOMApplicationCache::markChildren):
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::markDOMNodesForDocument):
+        (WebCore::markActiveObjectsForContext):
+        (WebCore::markDOMObjectWrapper):
+        * bindings/js/JSDOMBinding.h:
+        (WebCore::DOMObjectWithGlobalPointer::markChildren):
+        * bindings/js/JSDOMGlobalObject.cpp:
+        (WebCore::JSDOMGlobalObject::markChildren):
+        * bindings/js/JSDOMGlobalObject.h:
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::markChildren):
+        * bindings/js/JSDOMWindowShell.cpp:
+        (WebCore::JSDOMWindowShell::markChildren):
+        * bindings/js/JSDOMWindowShell.h:
+        * bindings/js/JSDedicatedWorkerContextCustom.cpp:
+        (WebCore::JSDedicatedWorkerContext::markChildren):
+        * bindings/js/JSDocumentCustom.cpp:
+        (WebCore::JSDocument::markChildren):
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::JSEventListener::markJSFunction):
+        * bindings/js/JSEventListener.h:
+        * bindings/js/JSMessageChannelCustom.cpp:
+        (WebCore::JSMessageChannel::markChildren):
+        * bindings/js/JSMessagePortCustom.cpp:
+        (WebCore::JSMessagePort::markChildren):
+        * bindings/js/JSNavigatorCustom.cpp:
+        (WebCore::JSNavigator::markChildren):
+        * bindings/js/JSNodeCustom.cpp:
+        (WebCore::JSNode::markChildren):
+        * bindings/js/JSNodeFilterCondition.cpp:
+        (WebCore::JSNodeFilterCondition::markAggregate):
+        * bindings/js/JSNodeFilterCondition.h:
+        * bindings/js/JSNodeFilterCustom.cpp:
+        (WebCore::JSNodeFilter::markChildren):
+        * bindings/js/JSNodeIteratorCustom.cpp:
+        (WebCore::JSNodeIterator::markChildren):
+        * bindings/js/JSQuarantinedObjectWrapper.cpp:
+        (WebCore::JSQuarantinedObjectWrapper::markChildren):
+        * bindings/js/JSQuarantinedObjectWrapper.h:
+        * bindings/js/JSSVGElementInstanceCustom.cpp:
+        (WebCore::JSSVGElementInstance::markChildren):
+        * bindings/js/JSSharedWorkerCustom.cpp:
+        (WebCore::JSSharedWorker::markChildren):
+        * bindings/js/JSStyleSheetCustom.cpp:
+        (WebCore::JSStyleSheet::markChildren):
+        * bindings/js/JSTreeWalkerCustom.cpp:
+        (WebCore::JSTreeWalker::markChildren):
+        * bindings/js/JSWebSocketCustom.cpp:
+        (WebCore::JSWebSocket::markChildren):
+        * bindings/js/JSWorkerContextCustom.cpp:
+        (WebCore::JSWorkerContext::markChildren):
+        * bindings/js/JSWorkerCustom.cpp:
+        (WebCore::JSWorker::markChildren):
+        * bindings/js/JSXMLHttpRequestCustom.cpp:
+        (WebCore::JSXMLHttpRequest::markChildren):
+        * bindings/js/JSXMLHttpRequestUploadCustom.cpp:
+        (WebCore::JSXMLHttpRequestUpload::markChildren):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        * dom/EventListener.h:
+        (WebCore::EventListener::markJSFunction):
+        (WebCore::markIfNotNull):
+        * dom/NodeFilter.h:
+        (WebCore::NodeFilter::markAggregate):
+        * dom/NodeFilterCondition.h:
+        (WebCore::NodeFilterCondition::markAggregate):
+        * dom/RegisteredEventListener.h:
+        (WebCore::markEventListeners):
+        * page/DOMWindow.h:
+        * workers/WorkerContext.h:
+
 2009-08-10  Jeremy Orlow  <jorlow@chromium.org>
 

trunk/WebCore/bindings/js/JSAbstractWorkerCustom.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
+ * Copyright (C) 2009 Apple, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -44 +45 @@
 namespace WebCore {
 
-void JSAbstractWorker::mark()
+void JSAbstractWorker::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
-    markIfNotNull(m_impl->onerror());
+    markIfNotNull(markStack, m_impl->onerror());
 
     typedef AbstractWorker::EventListenersMap EventListenersMap;
@@ -55 +56 @@
     for (EventListenersMap::iterator mapIter = eventListeners.begin(); mapIter != eventListeners.end(); ++mapIter) {
         for (ListenerVector::iterator vecIter = mapIter->second.begin(); vecIter != mapIter->second.end(); ++vecIter)
-            (*vecIter)->markJSFunction();
+            (*vecIter)->markJSFunction(markStack);
     }
 }

trunk/WebCore/bindings/js/JSDOMApplicationCacheCustom.cpp

@@ -43 +43 @@
 namespace WebCore {
 
-void JSDOMApplicationCache::mark()
+void JSDOMApplicationCache::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
-    markIfNotNull(m_impl->onchecking());
-    markIfNotNull(m_impl->onerror());
-    markIfNotNull(m_impl->onnoupdate());
-    markIfNotNull(m_impl->ondownloading());
-    markIfNotNull(m_impl->onprogress());
-    markIfNotNull(m_impl->onupdateready());
-    markIfNotNull(m_impl->oncached());
-    markIfNotNull(m_impl->onobsolete());
+    markIfNotNull(markStack, m_impl->onchecking());
+    markIfNotNull(markStack, m_impl->onerror());
+    markIfNotNull(markStack, m_impl->onnoupdate());
+    markIfNotNull(markStack, m_impl->ondownloading());
+    markIfNotNull(markStack, m_impl->onprogress());
+    markIfNotNull(markStack, m_impl->onupdateready());
+    markIfNotNull(markStack, m_impl->oncached());
+    markIfNotNull(markStack, m_impl->onobsolete());
 
     typedef DOMApplicationCache::EventListenersMap EventListenersMap;
@@ -61 +61 @@
     for (EventListenersMap::iterator mapIter = eventListeners.begin(); mapIter != eventListeners.end(); ++mapIter) {
         for (ListenerVector::iterator vecIter = mapIter->second.begin(); vecIter != mapIter->second.end(); ++vecIter)
-            (*vecIter)->markJSFunction();
+            (*vecIter)->markJSFunction(markStack);
     }
 }

trunk/WebCore/bindings/js/JSDOMBinding.cpp

@@ -294 +294 @@
 }
 
-void markDOMNodesForDocument(Document* doc)
+void markDOMNodesForDocument(MarkStack& markStack, Document* doc)
 {
     JSWrapperCache& nodeDict = doc->wrapperCache();
@@ -300 +300 @@
     for (JSWrapperCache::iterator nodeIt = nodeDict.begin(); nodeIt != nodeEnd; ++nodeIt) {
         JSNode* jsNode = nodeIt->second;
-        if (!jsNode->marked() && isObservableThroughDOM(jsNode))
-            jsNode->mark();
-    }
-}
-
-void markActiveObjectsForContext(JSGlobalData& globalData, ScriptExecutionContext* scriptExecutionContext)
+        if (isObservableThroughDOM(jsNode))
+            markStack.append(jsNode);
+    }
+}
+
+void markActiveObjectsForContext(MarkStack& markStack, JSGlobalData& globalData, ScriptExecutionContext* scriptExecutionContext)
 {
     // If an element has pending activity that may result in event listeners being called
@@ -318 +318 @@
             // However, some ActiveDOMObjects don't have JS wrappers (timers created by setTimeout is one example).
             // FIXME: perhaps need to make sure even timers have a markable 'wrapper'.
-            if (wrapper && !wrapper->marked())
-                wrapper->mark();
+            if (wrapper)
+                markStack.append(wrapper);
         }
     }
@@ -329 +329 @@
         if (!(*iter)->locallyEntangledPort() || (*iter)->hasPendingActivity()) {
             DOMObject* wrapper = getCachedDOMObjectWrapper(globalData, *iter);
-            if (wrapper && !wrapper->marked())
-                wrapper->mark();
+            if (wrapper)
+                markStack.append(wrapper);
         }
     }
@@ -347 +347 @@
 }
 
-void markDOMObjectWrapper(JSGlobalData& globalData, void* object)
+void markDOMObjectWrapper(MarkStack& markStack, JSGlobalData& globalData, void* object)
 {
     if (!object)
         return;
     DOMObject* wrapper = getCachedDOMObjectWrapper(globalData, object);
-    if (!wrapper || wrapper->marked())
-        return;
-    wrapper->mark();
+    if (!wrapper)
+        return;
+    markStack.append(wrapper);
 }
 

trunk/WebCore/bindings/js/JSDOMBinding.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2008, 2009 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Samuel Weinig <sam@webkit.org>
  *  Copyright (C) 2009 Google, Inc. All rights reserved.
@@ -86 +86 @@
         virtual ~DOMObjectWithGlobalPointer() {}
 
-        void mark()
-        {
-            DOMObject::mark();
-            if (!m_globalObject->marked())
-                m_globalObject->mark();
+        void markChildren(JSC::MarkStack& markStack)
+        {
+            DOMObject::markChildren(markStack);
+            markStack.append(m_globalObject);
         }
 
@@ -138 +137 @@
     void forgetAllDOMNodesForDocument(Document*);
     void updateDOMNodeDocument(Node*, Document* oldDocument, Document* newDocument);
-    void markDOMNodesForDocument(Document*);
-    void markActiveObjectsForContext(JSC::JSGlobalData&, ScriptExecutionContext*);
-    void markDOMObjectWrapper(JSC::JSGlobalData& globalData, void* object);
+    void markDOMNodesForDocument(JSC::MarkStack&, Document*);
+    void markActiveObjectsForContext(JSC::MarkStack&, JSC::JSGlobalData&, ScriptExecutionContext*);
+    void markDOMObjectWrapper(JSC::MarkStack&, JSC::JSGlobalData& globalData, void* object);
 
     JSC::Structure* getCachedDOMStructure(JSDOMGlobalObject*, const JSC::ClassInfo*);

trunk/WebCore/bindings/js/JSDOMGlobalObject.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -59 +59 @@
 }
 
-void JSDOMGlobalObject::mark()
+void JSDOMGlobalObject::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
     JSDOMStructureMap::iterator end = structures().end();
     for (JSDOMStructureMap::iterator it = structures().begin(); it != end; ++it)
-        it->second->mark();
+        it->second->markAggregate(markStack);
 
     JSDOMConstructorMap::iterator end2 = constructors().end();
-    for (JSDOMConstructorMap::iterator it2 = constructors().begin(); it2 != end2; ++it2) {
-        if (!it2->second->marked())
-            it2->second->mark();
-    }
+    for (JSDOMConstructorMap::iterator it2 = constructors().begin(); it2 != end2; ++it2)
+        markStack.append(it2->second);
 }
 

trunk/WebCore/bindings/js/JSDOMGlobalObject.h

@@ -75 +75 @@
         Event* currentEvent() const;
 
-        virtual void mark();
+        virtual void markChildren(JSC::MarkStack&);
 
     protected:

trunk/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -69 +69 @@
 namespace WebCore {
 
-void JSDOMWindow::mark()
-{
-    Base::mark();
-
-    markEventListeners(impl()->eventListeners());
+void JSDOMWindow::markChildren(MarkStack& markStack)
+{
+    Base::markChildren(markStack);
+
+    markEventListeners(markStack, impl()->eventListeners());
 
     JSGlobalData& globalData = *Heap::heap(this)->globalData();
 
-    markDOMObjectWrapper(globalData, impl()->optionalConsole());
-    markDOMObjectWrapper(globalData, impl()->optionalHistory());
-    markDOMObjectWrapper(globalData, impl()->optionalLocationbar());
-    markDOMObjectWrapper(globalData, impl()->optionalMenubar());
-    markDOMObjectWrapper(globalData, impl()->optionalNavigator());
-    markDOMObjectWrapper(globalData, impl()->optionalPersonalbar());
-    markDOMObjectWrapper(globalData, impl()->optionalScreen());
-    markDOMObjectWrapper(globalData, impl()->optionalScrollbars());
-    markDOMObjectWrapper(globalData, impl()->optionalSelection());
-    markDOMObjectWrapper(globalData, impl()->optionalStatusbar());
-    markDOMObjectWrapper(globalData, impl()->optionalToolbar());
-    markDOMObjectWrapper(globalData, impl()->optionalLocation());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalConsole());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalHistory());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalLocationbar());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalMenubar());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalNavigator());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalPersonalbar());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalScreen());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalScrollbars());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalSelection());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalStatusbar());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalToolbar());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalLocation());
 #if ENABLE(DOM_STORAGE)
-    markDOMObjectWrapper(globalData, impl()->optionalSessionStorage());
-    markDOMObjectWrapper(globalData, impl()->optionalLocalStorage());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalSessionStorage());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalLocalStorage());
 #endif
 #if ENABLE(OFFLINE_WEB_APPLICATIONS)
-    markDOMObjectWrapper(globalData, impl()->optionalApplicationCache());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalApplicationCache());
 #endif
 }

trunk/WebCore/bindings/js/JSDOMWindowShell.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -72 +72 @@
 // ----
 
-void JSDOMWindowShell::mark()
+void JSDOMWindowShell::markChildren(MarkStack& markStack)
 {
-    Base::mark();
-    if (m_window && !m_window->marked())
-        m_window->mark();
+    Base::markChildren(markStack);
+    if (m_window)
+        markStack.append(m_window);
 }
 

trunk/WebCore/bindings/js/JSDOMWindowShell.h

@@ -65 +65 @@
 
     private:
-        virtual void mark();
+        virtual void markChildren(JSC::MarkStack&);
         virtual JSC::UString className() const;
         virtual bool getOwnPropertySlot(JSC::ExecState*, const JSC::Identifier& propertyName, JSC::PropertySlot&);

trunk/WebCore/bindings/js/JSDedicatedWorkerContextCustom.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
+ * Copyright (C) 2009 Apple, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39 +40 @@
 namespace WebCore {
 
-void JSDedicatedWorkerContext::mark()
+void JSDedicatedWorkerContext::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
-    markIfNotNull(impl()->onmessage());
+    markIfNotNull(markStack, impl()->onmessage());
 }
 

trunk/WebCore/bindings/js/JSDocumentCustom.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -40 +40 @@
 namespace WebCore {
 
-void JSDocument::mark()
+void JSDocument::markChildren(MarkStack& markStack)
 {
-    JSNode::mark();
-    markDOMNodesForDocument(impl());
-    markActiveObjectsForContext(*Heap::heap(this)->globalData(), impl());
+    JSNode::markChildren(markStack);
+    markDOMNodesForDocument(markStack, impl());
+    markActiveObjectsForContext(markStack, *Heap::heap(this)->globalData(), impl());
 }
 

trunk/WebCore/bindings/js/JSEventListener.cpp

@@ -52 +52 @@
 }
 
-void JSEventListener::markJSFunction()
-{
-    if (m_jsFunction && !m_jsFunction->marked())
-        m_jsFunction->mark();
-    if (m_globalObject && !m_globalObject->marked())
-        m_globalObject->mark();
+void JSEventListener::markJSFunction(MarkStack& markStack)
+{
+    if (m_jsFunction)
+        markStack.append(m_jsFunction);
+    if (m_globalObject)
+        markStack.append(m_globalObject);
 }
 

trunk/WebCore/bindings/js/JSEventListener.h

@@ -44 +44 @@
 
     private:
-        virtual void markJSFunction();
+        virtual void markJSFunction(JSC::MarkStack&);
         virtual void handleEvent(Event*, bool isWindowEvent);
         virtual bool reportError(const String& message, const String& url, int lineNumber);

trunk/WebCore/bindings/js/JSMessageChannelCustom.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33 +33 @@
 namespace WebCore {
     
-void JSMessageChannel::mark()
+void JSMessageChannel::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
     if (MessagePort* port = m_impl->port1()) {
         DOMObject* wrapper = getCachedDOMObjectWrapper(*Heap::heap(this)->globalData(), port);
-        if (wrapper && !wrapper->marked())
-            wrapper->mark();
+        if (wrapper)
+            markStack.append(wrapper);
     }
 
     if (MessagePort* port = m_impl->port2()) {
         DOMObject* wrapper = getCachedDOMObjectWrapper(*Heap::heap(this)->globalData(), port);
-        if (wrapper && !wrapper->marked())
-            wrapper->mark();
+        if (wrapper)
+            markStack.append(wrapper);
     }
 }

trunk/WebCore/bindings/js/JSMessagePortCustom.cpp

@@ -39 +39 @@
 namespace WebCore {
 
-void JSMessagePort::mark()
+void JSMessagePort::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
-    markIfNotNull(m_impl->onmessage());
+    markIfNotNull(markStack, m_impl->onmessage());
 
     // If we have a locally entangled port, we can directly mark it as reachable. Ports that are remotely entangled are marked in-use by markActiveObjectsForContext().
     if (MessagePort* entangledPort = m_impl->locallyEntangledPort()) {
         DOMObject* wrapper = getCachedDOMObjectWrapper(*Heap::heap(this)->globalData(), entangledPort);
-        if (wrapper && !wrapper->marked())
-            wrapper->mark();
+        if (wrapper)
+            markStack.append(wrapper);
     }
 
@@ -57 +57 @@
     for (EventListenersMap::iterator mapIter = eventListeners.begin(); mapIter != eventListeners.end(); ++mapIter) {
         for (ListenerVector::iterator vecIter = mapIter->second.begin(); vecIter != mapIter->second.end(); ++vecIter) 
-            (*vecIter)->markJSFunction();
+            (*vecIter)->markJSFunction(markStack);
     }
 }

trunk/WebCore/bindings/js/JSNavigatorCustom.cpp

@@ -30 +30 @@
 using namespace JSC;
 
-void JSNavigator::mark()
+void JSNavigator::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
     JSGlobalData& globalData = *Heap::heap(this)->globalData();
 
-    markDOMObjectWrapper(globalData, impl()->optionalGeolocation());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalGeolocation());
 }
 

trunk/WebCore/bindings/js/JSNodeCustom.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2007, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -137 +137 @@
 }
 
-void JSNode::mark()
-{
-    ASSERT(!marked());
-
+void JSNode::markChildren(MarkStack& markStack)
+{
     Node* node = m_impl.get();
+
+    Base::markChildren(markStack);
+    markEventListeners(markStack, node->eventListeners());
 
     // Nodes in the document are kept alive by JSDocument::mark, so, if we're in
@@ -147 +148 @@
     // mark any other nodes.
     if (node->inDocument()) {
-        Base::mark();
-        markEventListeners(node->eventListeners());
-        if (Document* doc = node->ownerDocument())
+        if (Document* doc = node->ownerDocument()) {
             if (DOMObject* docWrapper = getCachedDOMObjectWrapper(*Heap::heap(this)->globalData(), doc))
-                if (!docWrapper->marked())
-                    docWrapper->mark();
+                markStack.append(docWrapper);
+        }
         return;
     }
@@ -164 +163 @@
     // Nodes in a subtree are marked by the tree's root, so, if the root is already
     // marking the tree, we don't need to explicitly mark any other nodes.
-    if (root->inSubtreeMark()) {
-        Base::mark();
-        markEventListeners(node->eventListeners());
+    if (root->inSubtreeMark())
         return;
-    }
 
     // Mark the whole tree subtree.
@@ -174 +170 @@
     for (Node* nodeToMark = root; nodeToMark; nodeToMark = nodeToMark->traverseNextNode()) {
         JSNode* wrapper = getCachedDOMNodeWrapper(m_impl->document(), nodeToMark);
-        if (wrapper) {
-            if (!wrapper->marked())
-                wrapper->mark();
-        } else if (nodeToMark == node) {
-            // This is the case where the map from the document to wrappers has
-            // been cleared out, but a wrapper is being marked. For now, we'll
-            // let the rest of the tree of wrappers get collected, because we have
-            // no good way of finding them. Later we should test behavior of other
-            // browsers and see if we need to preserve other wrappers in this case.
-            if (!marked())
-                mark();
-        }
+        if (wrapper)
+            markStack.append(wrapper);
     }
     root->setInSubtreeMark(false);
-
-    // Double check that we actually ended up marked. This assert caught problems in the past.
-    ASSERT(marked());
 }
 

trunk/WebCore/bindings/js/JSNodeFilterCondition.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -37 +37 @@
 }
 
-void JSNodeFilterCondition::mark()
+void JSNodeFilterCondition::markAggregate(MarkStack& markStack)
 {
-    if (!m_filter.marked())
-        m_filter.mark();
+    markStack.append(m_filter);
 }
 

trunk/WebCore/bindings/js/JSNodeFilterCondition.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -40 +40 @@
 
         virtual short acceptNode(ScriptState*, Node*) const;
-        virtual void mark();
+        virtual void markAggregate(JSC::MarkStack&);
 
         mutable JSC::JSValue m_filter;

trunk/WebCore/bindings/js/JSNodeFilterCustom.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -36 +36 @@
 namespace WebCore {
 
-void JSNodeFilter::mark()
+void JSNodeFilter::markChildren(MarkStack& markStack)
 {
-    impl()->mark();
-    Base::mark();
+    Base::markChildren(markStack);
+    impl()->markAggregate(markStack);
 }
 

trunk/WebCore/bindings/js/JSNodeIteratorCustom.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006, 2008, 2009 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -30 +30 @@
 namespace WebCore {
 
-void JSNodeIterator::mark()
+void JSNodeIterator::markChildren(MarkStack& markStack)
 {
+    Base::markChildren(markStack);
+
     if (NodeFilter* filter = m_impl->filter())
-        filter->mark();
-    
-    Base::mark();
+        filter->markAggregate(markStack);
 }
 

trunk/WebCore/bindings/js/JSQuarantinedObjectWrapper.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -93 +93 @@
 }
 
-void JSQuarantinedObjectWrapper::mark()
-{
-    JSObject::mark();
-
-    if (!m_unwrappedObject->marked())
-        m_unwrappedObject->mark();
-    if (!m_unwrappedGlobalObject->marked())
-        m_unwrappedGlobalObject->mark();
+void JSQuarantinedObjectWrapper::markChildren(MarkStack& markStack)
+{
+    JSObject::markChildren(markStack);
+
+    markStack.append(m_unwrappedObject);
+    markStack.append(m_unwrappedGlobalObject);
 }
 

trunk/WebCore/bindings/js/JSQuarantinedObjectWrapper.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -54 +54 @@
         JSQuarantinedObjectWrapper(JSC::ExecState* unwrappedExec, JSC::JSObject* unwrappedObject, PassRefPtr<JSC::Structure>);
 
-        virtual void mark();
+        virtual void markChildren(JSC::MarkStack&);
 
     private:

trunk/WebCore/bindings/js/JSSVGElementInstanceCustom.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
+ * Copyright (C) 2009 Apple, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -38 +39 @@
 namespace WebCore {
 
-void JSSVGElementInstance::mark()
+void JSSVGElementInstance::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
     // Mark the wrapper for our corresponding element, so it can mark its event handlers.
     JSNode* correspondingWrapper = getCachedDOMNodeWrapper(impl()->correspondingElement()->document(), impl()->correspondingElement());
-    if (correspondingWrapper && !correspondingWrapper->marked())
-        correspondingWrapper->mark();
+    if (correspondingWrapper)
+        markStack.append(correspondingWrapper);
 }
 

trunk/WebCore/bindings/js/JSSharedWorkerContextCustom.cpp

@@ -39 +39 @@
 namespace WebCore {
 
-void JSSharedWorkerContext::mark()
+void JSSharedWorkerContext::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
-    markIfNotNull(impl()->onconnect());
+    markIfNotNull(markStack, impl()->onconnect());
 }
 

trunk/WebCore/bindings/js/JSSharedWorkerCustom.cpp

@@ -42 +42 @@
 namespace WebCore {
 
-void JSSharedWorker::mark()
+void JSSharedWorker::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
     if (MessagePort* port = impl()->port()) {
         DOMObject* wrapper = getCachedDOMObjectWrapper(*Heap::heap(this)->globalData(), port);
-        if (wrapper && !wrapper->marked())
-            wrapper->mark();
+        if (wrapper)
+            markStack.append(wrapper);
     }
 }

trunk/WebCore/bindings/js/JSStyleSheetCustom.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -53 +53 @@
 }
 
-void JSStyleSheet::mark()
+void JSStyleSheet::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
     // This prevents us from having a style sheet with a dangling ownerNode pointer.
@@ -63 +63 @@
     // a lot of disentangling of the CSS DOM objects that would need to happen first.
     if (Node* ownerNode = impl()->ownerNode()) {
-        if (JSNode* ownerNodeWrapper = getCachedDOMNodeWrapper(ownerNode->document(), ownerNode)) {
-            if (!ownerNodeWrapper->marked())
-                ownerNodeWrapper->mark();
-        }
+        if (JSNode* ownerNodeWrapper = getCachedDOMNodeWrapper(ownerNode->document(), ownerNode))
+            markStack.append(ownerNodeWrapper);
     }
 }

trunk/WebCore/bindings/js/JSTreeWalkerCustom.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006, 2008, 2009 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -30 +30 @@
 namespace WebCore {
     
-void JSTreeWalker::mark()
+void JSTreeWalker::markChildren(MarkStack& markStack)
 {
+    Base::markChildren(markStack);
+
     if (NodeFilter* filter = m_impl->filter())
-        filter->mark();
-    
-    Base::mark();
+        filter->markAggregate(markStack);
 }
     

trunk/WebCore/bindings/js/JSWebSocketCustom.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2009 Google Inc.  All rights reserved.
+ * Copyright (C) 2009 Apple, Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -43 +44 @@
 namespace WebCore {
 
-void JSWebSocket::mark()
+void JSWebSocket::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
     if (m_impl->readyState() != WebSocket::CLOSED)
-        markIfNotNull(m_impl->onmessage());
+        markIfNotNull(markStack, m_impl->onmessage());
     // FIXME: mark if EventListeners is registered.
 }

trunk/WebCore/bindings/js/JSWorkerContextCustom.cpp

@@ -48 +48 @@
 namespace WebCore {
 
-void JSWorkerContext::mark()
+void JSWorkerContext::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
     JSGlobalData& globalData = *this->globalData();
 
-    markActiveObjectsForContext(globalData, scriptExecutionContext());
+    markActiveObjectsForContext(markStack, globalData, scriptExecutionContext());
 
-    markDOMObjectWrapper(globalData, impl()->optionalLocation());
-    markDOMObjectWrapper(globalData, impl()->optionalNavigator());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalLocation());
+    markDOMObjectWrapper(markStack, globalData, impl()->optionalNavigator());
 
-    markIfNotNull(impl()->onerror());
+    markIfNotNull(markStack, impl()->onerror());
 
     typedef WorkerContext::EventListenersMap EventListenersMap;
@@ -66 +66 @@
     for (EventListenersMap::iterator mapIter = eventListeners.begin(); mapIter != eventListeners.end(); ++mapIter) {
         for (ListenerVector::iterator vecIter = mapIter->second.begin(); vecIter != mapIter->second.end(); ++vecIter)
-            (*vecIter)->markJSFunction();
+            (*vecIter)->markJSFunction(markStack);
     }
 }

trunk/WebCore/bindings/js/JSWorkerCustom.cpp

@@ -37 +37 @@
 namespace WebCore {
     
-void JSWorker::mark()
+void JSWorker::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
-    markIfNotNull(static_cast<Worker*>(impl())->onmessage());
+    markIfNotNull(markStack, static_cast<Worker*>(impl())->onmessage());
 }
 

trunk/WebCore/bindings/js/JSXMLHttpRequestCustom.cpp

@@ -50 +50 @@
 namespace WebCore {
 
-void JSXMLHttpRequest::mark()
+void JSXMLHttpRequest::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
     if (XMLHttpRequestUpload* upload = m_impl->optionalUpload()) {
         DOMObject* wrapper = getCachedDOMObjectWrapper(*Heap::heap(this)->globalData(), upload);
-        if (wrapper && !wrapper->marked())
-            wrapper->mark();
+        if (wrapper)
+            markStack.append(wrapper);
     }
 
-    markIfNotNull(m_impl->onreadystatechange());
-    markIfNotNull(m_impl->onabort());
-    markIfNotNull(m_impl->onerror());
-    markIfNotNull(m_impl->onload());
-    markIfNotNull(m_impl->onloadstart());
-    markIfNotNull(m_impl->onprogress());
+    markIfNotNull(markStack, m_impl->onreadystatechange());
+    markIfNotNull(markStack, m_impl->onabort());
+    markIfNotNull(markStack, m_impl->onerror());
+    markIfNotNull(markStack, m_impl->onload());
+    markIfNotNull(markStack, m_impl->onloadstart());
+    markIfNotNull(markStack, m_impl->onprogress());
     
     typedef XMLHttpRequest::EventListenersMap EventListenersMap;
@@ -72 +72 @@
     for (EventListenersMap::iterator mapIter = eventListeners.begin(); mapIter != eventListeners.end(); ++mapIter) {
         for (ListenerVector::iterator vecIter = mapIter->second.begin(); vecIter != mapIter->second.end(); ++vecIter)
-            (*vecIter)->markJSFunction();
+            (*vecIter)->markJSFunction(markStack);
     }
 }

trunk/WebCore/bindings/js/JSXMLHttpRequestUploadCustom.cpp

@@ -42 +42 @@
 namespace WebCore {
 
-void JSXMLHttpRequestUpload::mark()
+void JSXMLHttpRequestUpload::markChildren(MarkStack& markStack)
 {
-    Base::mark();
+    Base::markChildren(markStack);
 
     if (XMLHttpRequest* xmlHttpRequest = m_impl->associatedXMLHttpRequest()) {
         DOMObject* wrapper = getCachedDOMObjectWrapper(*Heap::heap(this)->globalData(), xmlHttpRequest);
-        if (wrapper && !wrapper->marked())
-            wrapper->mark();
+        if (wrapper)
+            markStack.append(wrapper);
     }
 
-    markIfNotNull(m_impl->onabort());
-    markIfNotNull(m_impl->onerror());
-    markIfNotNull(m_impl->onload());
-    markIfNotNull(m_impl->onloadstart());
-    markIfNotNull(m_impl->onprogress());
+    markIfNotNull(markStack, m_impl->onabort());
+    markIfNotNull(markStack, m_impl->onerror());
+    markIfNotNull(markStack, m_impl->onload());
+    markIfNotNull(markStack, m_impl->onloadstart());
+    markIfNotNull(markStack, m_impl->onprogress());
     
     typedef XMLHttpRequestUpload::EventListenersMap EventListenersMap;
@@ -63 +63 @@
     for (EventListenersMap::iterator mapIter = eventListeners.begin(); mapIter != eventListeners.end(); ++mapIter) {
         for (ListenerVector::iterator vecIter = mapIter->second.begin(); vecIter != mapIter->second.end(); ++vecIter)
-            (*vecIter)->markJSFunction();
+            (*vecIter)->markJSFunction(markStack);
     }
 }

trunk/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -505 +505 @@
 
     # Custom mark function
-    push(@headerContent, "    virtual void mark();\n\n") if $dataNode->extendedAttributes->{"CustomMarkFunction"};
+    push(@headerContent, "    virtual void markChildren(JSC::MarkStack&);\n\n") if $dataNode->extendedAttributes->{"CustomMarkFunction"};
 
     # Custom pushEventHandlerScope function

trunk/WebCore/dom/EventListener.h

@@ -27 +27 @@
 namespace JSC {
     class JSObject;
+    class MarkStack;
 }
 
@@ -43 +44 @@
 #if USE(JSC)
         virtual JSC::JSObject* jsFunction() const { return 0; }
-        virtual void markJSFunction() { }
+        virtual void markJSFunction(JSC::MarkStack&) { }
 #endif
 
@@ -53 +54 @@
 
 #if USE(JSC)
-    inline void markIfNotNull(EventListener* listener) { if (listener) listener->markJSFunction(); }
+    inline void markIfNotNull(JSC::MarkStack& markStack, EventListener* listener) { if (listener) listener->markJSFunction(markStack); }
 #endif
 

trunk/WebCore/dom/NodeFilter.h

@@ -4 +4 @@
  * Copyright (C) 2001 Peter Kelly (pmk@post.com)
  * Copyright (C) 2006 Samuel Weinig (sam.weinig@gmail.com)
- * Copyright (C) 2004, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2004, 2008, 2009 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -72 +72 @@
 
         short acceptNode(ScriptState*, Node*) const;
-        void mark() { m_condition->mark(); };
+        void markAggregate(JSC::MarkStack& markStack) { m_condition->markAggregate(markStack); };
 
         // For non-JS bindings. Silently ignores the JavaScript exception if any.

trunk/WebCore/dom/NodeFilterCondition.h

@@ -4 +4 @@
  * Copyright (C) 2001 Peter Kelly (pmk@post.com)
  * Copyright (C) 2006 Samuel Weinig (sam.weinig@gmail.com)
- * Copyright (C) 2004, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2004, 2008, 2009 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -29 +29 @@
 #include <wtf/RefCounted.h>
 
+namespace JSC {
+    class MarkStack;
+}
+
 namespace WebCore {
 
@@ -37 +41 @@
         virtual ~NodeFilterCondition() { }
         virtual short acceptNode(ScriptState*, Node*) const = 0;
-        virtual void mark() { }
+        virtual void markAggregate(JSC::MarkStack&) { }
     };
 

trunk/WebCore/dom/RegisteredEventListener.h

@@ -3 +3 @@
  * Copyright (C) 2001 Tobias Anton (anton@stud.fbi.fh-darmstadt.de)
  * Copyright (C) 2006 Samuel Weinig (sam.weinig@gmail.com)
- * Copyright (C) 2003, 2004, 2005, 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2003, 2004, 2005, 2006, 2008, 2009 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -56 +56 @@
 
 #if USE(JSC)
-    inline void markEventListeners(const RegisteredEventListenerVector& listeners)
+    inline void markEventListeners(JSC::MarkStack& markStack, const RegisteredEventListenerVector& listeners)
     {
         for (size_t i = 0; i < listeners.size(); ++i)
-            listeners[i]->listener()->markJSFunction();
+            listeners[i]->listener()->markJSFunction(markStack);
     }
 

trunk/WebCore/page/DOMWindow.h

@@ -372 +372 @@
         void releaseEvents();
 
-        // These methods are used for GC marking. See JSDOMWindow::mark() in
+        // These methods are used for GC marking. See JSDOMWindow::markChildren(MarkStack&) in
         // JSDOMWindowCustom.cpp.
         Screen* optionalScreen() const { return m_screen.get(); }

trunk/WebCore/workers/WorkerContext.h

@@ -107 +107 @@
         virtual void forwardException(const String& errorMessage, int lineNumber, const String& sourceURL) = 0;
 
-        // These methods are used for GC marking. See JSWorkerContext::mark() in
+        // These methods are used for GC marking. See JSWorkerContext::markChildren(MarkStack&) in
         // JSWorkerContextCustom.cpp.
         WorkerNavigator* optionalNavigator() const { return m_navigator.get(); }