Changeset 64937 in webkit

Timestamp:

Aug 7, 2010 10:29:38 PM (14 years ago)

Author:

eric@webkit.org

Message:

2010-08-07 Michael Saboff <​msaboff@apple.com>

Reviewed by Geoffrey Garen.

Revert JSArray to point to the beginning of the contained ArrayStorage
struct. This is described in
​https://bugs.webkit.org/show_bug.cgi?id=43526.

• jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_by_val): (JSC::JIT::emit_op_put_by_val): (JSC::JIT::privateCompilePatchGetArrayLength):
• jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_get_by_val): (JSC::JIT::emit_op_put_by_val): (JSC::JIT::privateCompilePatchGetArrayLength):
• runtime/JSArray.cpp: (JSC::JSArray::JSArray): (JSC::JSArray::~JSArray): (JSC::JSArray::getOwnPropertySlot): (JSC::JSArray::getOwnPropertyDescriptor): (JSC::JSArray::put): (JSC::JSArray::putSlowCase): (JSC::JSArray::deleteProperty): (JSC::JSArray::getOwnPropertyNames): (JSC::JSArray::getNewVectorLength): (JSC::JSArray::increaseVectorLength): (JSC::JSArray::increaseVectorPrefixLength): (JSC::JSArray::setLength): (JSC::JSArray::pop): (JSC::JSArray::push): (JSC::JSArray::shiftCount): (JSC::JSArray::unshiftCount): (JSC::JSArray::sortNumeric): (JSC::JSArray::sort): (JSC::JSArray::fillArgList): (JSC::JSArray::copyToRegisters): (JSC::JSArray::compactForSorting): (JSC::JSArray::subclassData): (JSC::JSArray::setSubclassData): (JSC::JSArray::checkConsistency):
• runtime/JSArray.h: (JSC::JSArray::length): (JSC::JSArray::canGetIndex): (JSC::JSArray::getIndex): (JSC::JSArray::setIndex): (JSC::JSArray::uncheckedSetIndex): (JSC::JSArray::markChildrenDirect):

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• jit/JITPropertyAccess.cpp (modified) (3 diffs)
• jit/JITPropertyAccess32_64.cpp (modified) (3 diffs)
• runtime/JSArray.cpp (modified) (58 diffs)
• runtime/JSArray.h (modified) (7 diffs)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2010-08-07  Michael Saboff  <msaboff@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Revert JSArray to point to the beginning of the contained ArrayStorage
+        struct.  This is described in
+        https://bugs.webkit.org/show_bug.cgi?id=43526.
+
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::privateCompilePatchGetArrayLength):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::privateCompilePatchGetArrayLength):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::JSArray):
+        (JSC::JSArray::~JSArray):
+        (JSC::JSArray::getOwnPropertySlot):
+        (JSC::JSArray::getOwnPropertyDescriptor):
+        (JSC::JSArray::put):
+        (JSC::JSArray::putSlowCase):
+        (JSC::JSArray::deleteProperty):
+        (JSC::JSArray::getOwnPropertyNames):
+        (JSC::JSArray::getNewVectorLength):
+        (JSC::JSArray::increaseVectorLength):
+        (JSC::JSArray::increaseVectorPrefixLength):
+        (JSC::JSArray::setLength):
+        (JSC::JSArray::pop):
+        (JSC::JSArray::push):
+        (JSC::JSArray::shiftCount):
+        (JSC::JSArray::unshiftCount):
+        (JSC::JSArray::sortNumeric):
+        (JSC::JSArray::sort):
+        (JSC::JSArray::fillArgList):
+        (JSC::JSArray::copyToRegisters):
+        (JSC::JSArray::compactForSorting):
+        (JSC::JSArray::subclassData):
+        (JSC::JSArray::setSubclassData):
+        (JSC::JSArray::checkConsistency):
+        * runtime/JSArray.h:
+        (JSC::JSArray::length):
+        (JSC::JSArray::canGetIndex):
+        (JSC::JSArray::getIndex):
+        (JSC::JSArray::setIndex):
+        (JSC::JSArray::uncheckedSetIndex):
+        (JSC::JSArray::markChildrenDirect):
+
 2010-08-07  Kwang Yul Seo  <skyul@company100.net>
 

trunk/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -107 +107 @@
     addSlowCase(branchPtr(NotEqual, Address(regT0), ImmPtr(m_globalData->jsArrayVPtr)));
 
-    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_vector)), regT2);
+    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_storage)), regT2);
     addSlowCase(branch32(AboveOrEqual, regT1, Address(regT0, OBJECT_OFFSETOF(JSArray, m_vectorLength))));
 
-    loadPtr(BaseIndex(regT2, regT1, ScalePtr), regT0);
+    loadPtr(BaseIndex(regT2, regT1, ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])), regT0);
     addSlowCase(branchTestPtr(Zero, regT0));
 
@@ -218 +218 @@
     addSlowCase(branch32(AboveOrEqual, regT1, Address(regT0, OBJECT_OFFSETOF(JSArray, m_vectorLength))));
 
-    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_vector)), regT2);
-    Jump empty = branchTestPtr(Zero, BaseIndex(regT2, regT1, ScalePtr));
+    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_storage)), regT2);
+    Jump empty = branchTestPtr(Zero, BaseIndex(regT2, regT1, ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
 
     Label storeResult(this);
     emitGetVirtualRegister(value, regT0);
-    storePtr(regT0, BaseIndex(regT2, regT1, ScalePtr));
+    storePtr(regT0, BaseIndex(regT2, regT1, ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
     Jump end = jump();
     
     empty.link(this);
-    add32(Imm32(1), Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)-OBJECT_OFFSETOF(ArrayStorage, m_vector)));
-    branch32(Below, regT1, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)-OBJECT_OFFSETOF(ArrayStorage, m_vector))).linkTo(storeResult, this);
+    add32(Imm32(1), Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)));
+    branch32(Below, regT1, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length))).linkTo(storeResult, this);
 
     move(regT1, regT0);
     add32(Imm32(1), regT0);
-    store32(regT0, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)-OBJECT_OFFSETOF(ArrayStorage, m_vector)));
+    store32(regT0, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)));
     jump().linkTo(storeResult, this);
 
@@ -737 +737 @@
 
     // Checks out okay! - get the length from the storage
-    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_vector)), regT3);
-    load32(Address(regT3, OBJECT_OFFSETOF(ArrayStorage, m_length)-OBJECT_OFFSETOF(ArrayStorage, m_vector)), regT2);
+    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_storage)), regT3);
+    load32(Address(regT3, OBJECT_OFFSETOF(ArrayStorage, m_length)), regT2);
     Jump failureCases2 = branch32(Above, regT2, Imm32(JSImmediate::maxImmediateInt));
 

trunk/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -315 +315 @@
     addSlowCase(branchPtr(NotEqual, Address(regT0), ImmPtr(m_globalData->jsArrayVPtr)));
     
-    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_vector)), regT3);
+    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_storage)), regT3);
     addSlowCase(branch32(AboveOrEqual, regT2, Address(regT0, OBJECT_OFFSETOF(JSArray, m_vectorLength))));
     
-    load32(BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1); // tag
-    load32(BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0); // payload
+    load32(BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1); // tag
+    load32(BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0); // payload
     addSlowCase(branch32(Equal, regT1, Imm32(JSValue::EmptyValueTag)));
     
@@ -368 +368 @@
     addSlowCase(branch32(AboveOrEqual, regT2, Address(regT0, OBJECT_OFFSETOF(JSArray, m_vectorLength))));
     
-    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_vector)), regT3);
-    
-    Jump empty = branch32(Equal, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), Imm32(JSValue::EmptyValueTag));
+    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_storage)), regT3);
+    
+    Jump empty = branch32(Equal, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), Imm32(JSValue::EmptyValueTag));
     
     Label storeResult(this);
     emitLoad(value, regT1, regT0);
-    store32(regT0, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload))); // payload
-    store32(regT1, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag))); // tag
+    store32(regT0, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload))); // payload
+    store32(regT1, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag))); // tag
     Jump end = jump();
     
     empty.link(this);
-    add32(Imm32(1), Address(regT3, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)-OBJECT_OFFSETOF(ArrayStorage, m_vector)));
-    branch32(Below, regT2, Address(regT3, OBJECT_OFFSETOF(ArrayStorage, m_length)-OBJECT_OFFSETOF(ArrayStorage, m_vector))).linkTo(storeResult, this);
+    add32(Imm32(1), Address(regT3, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)));
+    branch32(Below, regT2, Address(regT3, OBJECT_OFFSETOF(ArrayStorage, m_length))).linkTo(storeResult, this);
     
     add32(Imm32(1), regT2, regT0);
-    store32(regT0, Address(regT3, OBJECT_OFFSETOF(ArrayStorage, m_length)-OBJECT_OFFSETOF(ArrayStorage, m_vector)));
+    store32(regT0, Address(regT3, OBJECT_OFFSETOF(ArrayStorage, m_length)));
     jump().linkTo(storeResult, this);
     
@@ -745 +745 @@
     
     // Checks out okay! - get the length from the storage
-    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_vector)), regT2);
-    load32(Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)-OBJECT_OFFSETOF(ArrayStorage, m_vector)), regT2);
+    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSArray, m_storage)), regT2);
+    load32(Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)), regT2);
     
     Jump failureCases2 = branch32(Above, regT2, Imm32(INT_MAX));

trunk/JavaScriptCore/runtime/JSArray.cpp

@@ -132 +132 @@
     unsigned initialCapacity = 0;
 
-    ArrayStorage* storage = static_cast<ArrayStorage*>(fastZeroedMalloc(storageSize(initialCapacity)));
-    storage->m_allocBase = storage;
+    m_storage = static_cast<ArrayStorage*>(fastZeroedMalloc(storageSize(initialCapacity)));
+    m_storage->m_allocBase = m_storage;
     m_indexBias = 0;
-    setArrayStorage(storage);
     m_vectorLength = initialCapacity;
 
@@ -150 +149 @@
     unsigned initialCapacity = 0;
 
-    ArrayStorage* storage = static_cast<ArrayStorage*>(fastZeroedMalloc(storageSize(initialCapacity)));
-    storage->m_allocBase = storage;
+    m_storage = static_cast<ArrayStorage*>(fastZeroedMalloc(storageSize(initialCapacity)));
+    m_storage->m_allocBase = m_storage;
     m_indexBias = 0;
-    setArrayStorage(storage);
     m_vectorLength = initialCapacity;
 
@@ -170 +168 @@
         initialCapacity = min(BASE_VECTOR_LEN, MIN_SPARSE_ARRAY_INDEX);
     
-    ArrayStorage* storage = static_cast<ArrayStorage*>(fastMalloc(storageSize(initialCapacity)));
-    storage->m_allocBase = storage;
-    storage->m_length = initialLength;
+    m_storage = static_cast<ArrayStorage*>(fastMalloc(storageSize(initialCapacity)));
+    m_storage->m_allocBase = m_storage;
+    m_storage->m_length = initialLength;
     m_indexBias = 0;
     m_vectorLength = initialCapacity;
-    setArrayStorage(storage);    
-    storage->m_sparseValueMap = 0;
-    storage->subclassData = 0;
-    storage->reportedMapCapacity = 0;
+    m_storage->m_sparseValueMap = 0;
+    m_storage->subclassData = 0;
+    m_storage->reportedMapCapacity = 0;
 
     if (creationMode == CreateCompact) {
 #if CHECK_ARRAY_CONSISTENCY
-        storage->m_inCompactInitialization = !!initialCapacity;
+        m_storage->m_inCompactInitialization = !!initialCapacity;
 #endif
-        storage->m_length = 0;
-        storage->m_numValuesInVector = initialCapacity;
+        m_storage->m_length = 0;
+        m_storage->m_numValuesInVector = initialCapacity;
     } else {
 #if CHECK_ARRAY_CONSISTENCY
         storage->m_inCompactInitialization = false;
 #endif
-        storage->m_length = initialLength;
-        storage->m_numValuesInVector = 0;
-        JSValue* vector = m_vector;
+        m_storage->m_length = initialLength;
+        m_storage->m_numValuesInVector = 0;
+        JSValue* vector = m_storage->m_vector;
         for (size_t i = 0; i < initialCapacity; ++i)
             vector[i] = JSValue();
@@ -207 +204 @@
     unsigned initialCapacity = list.size();
 
-    ArrayStorage* storage = static_cast<ArrayStorage*>(fastMalloc(storageSize(initialCapacity)));
-    storage->m_allocBase = storage;
+    m_storage = static_cast<ArrayStorage*>(fastMalloc(storageSize(initialCapacity)));
+    m_storage->m_allocBase = m_storage;
     m_indexBias = 0;
-    storage->m_length = initialCapacity;
+    m_storage->m_length = initialCapacity;
     m_vectorLength = initialCapacity;
-    storage->m_numValuesInVector = initialCapacity;
-    storage->m_sparseValueMap = 0;
-    storage->subclassData = 0;
-    storage->reportedMapCapacity = 0;
+    m_storage->m_numValuesInVector = initialCapacity;
+    m_storage->m_sparseValueMap = 0;
+    m_storage->subclassData = 0;
+    m_storage->reportedMapCapacity = 0;
 #if CHECK_ARRAY_CONSISTENCY
-    storage->m_inCompactInitialization = false;
+    m_storage->m_inCompactInitialization = false;
 #endif
-    setArrayStorage(storage);
 
     size_t i = 0;
-    JSValue* vector = m_vector;
+    JSValue* vector = m_storage->m_vector;
     ArgList::const_iterator end = list.end();
     for (ArgList::const_iterator it = list.begin(); it != end; ++it, ++i)
@@ -237 +233 @@
     checkConsistency(DestructorConsistencyCheck);
 
-    ArrayStorage* storage = arrayStorage();
-    delete storage->m_sparseValueMap;
-    fastFree(storage->m_allocBase);
+    delete m_storage->m_sparseValueMap;
+    fastFree(m_storage->m_allocBase);
 }
 
 bool JSArray::getOwnPropertySlot(ExecState* exec, unsigned i, PropertySlot& slot)
 {
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
     
     if (i >= storage->m_length) {
@@ -253 +248 @@
 
     if (i < m_vectorLength) {
-        JSValue& valueSlot = m_vector[i];
+        JSValue& valueSlot = storage->m_vector[i];
         if (valueSlot) {
             slot.setValueSlot(&valueSlot);
@@ -293 +288 @@
     }
 
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
     
     bool isArrayIndex;
@@ -301 +296 @@
             return false;
         if (i < m_vectorLength) {
-            JSValue& value = m_vector[i];
+            JSValue& value = storage->m_vector[i];
             if (value) {
                 descriptor.setDescriptor(value, 0);
@@ -346 +341 @@
     checkConsistency();
 
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
 
     unsigned length = storage->m_length;
@@ -355 +350 @@
 
     if (i < m_vectorLength) {
-        JSValue& valueSlot = m_vector[i];
+        JSValue& valueSlot = storage->m_vector[i];
         if (valueSlot) {
             valueSlot = value;
@@ -372 +367 @@
 NEVER_INLINE void JSArray::putSlowCase(ExecState* exec, unsigned i, JSValue value)
 {
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
     
     SparseArrayValueMap* map = storage->m_sparseValueMap;
@@ -410 +405 @@
     if (!map || map->isEmpty()) {
         if (increaseVectorLength(i + 1)) {
-            m_vector[i] = value;
-            ++arrayStorage()->m_numValuesInVector;
+            storage = m_storage;
+            storage->m_vector[i] = value;
+            ++storage->m_numValuesInVector;
             checkConsistency();
         } else
@@ -446 +442 @@
     }
 
-    storage = reinterpret_cast<ArrayStorage*>(static_cast<char*>(baseStorage) + m_indexBias * sizeof(JSValue));
-    storage->m_allocBase = baseStorage;
-    setArrayStorage(storage);
+    m_storage = reinterpret_cast<ArrayStorage*>(static_cast<char*>(baseStorage) + m_indexBias * sizeof(JSValue));
+    m_storage->m_allocBase = baseStorage;
+    storage = m_storage;
     
     unsigned vectorLength = m_vectorLength;
+    JSValue* vector = storage->m_vector;
 
     if (newNumValuesInVector == storage->m_numValuesInVector + 1) {
         for (unsigned j = vectorLength; j < newVectorLength; ++j)
-            m_vector[j] = JSValue();
+            vector[j] = JSValue();
         if (i > MIN_SPARSE_ARRAY_INDEX)
             map->remove(i);
     } else {
         for (unsigned j = vectorLength; j < max(vectorLength, MIN_SPARSE_ARRAY_INDEX); ++j)
-            m_vector[j] = JSValue();
+            vector[j] = JSValue();
         for (unsigned j = max(vectorLength, MIN_SPARSE_ARRAY_INDEX); j < newVectorLength; ++j)
-            m_vector[j] = map->take(j);
+            vector[j] = map->take(j);
     }
 
@@ -469 +466 @@
     storage->m_numValuesInVector = newNumValuesInVector;
 
-    m_vector[i] = value;
+    storage->m_vector[i] = value;
 
     checkConsistency();
@@ -493 +490 @@
     checkConsistency();
 
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
     
     if (i < m_vectorLength) {
-        JSValue& valueSlot = m_vector[i];
+        JSValue& valueSlot = storage->m_vector[i];
         if (!valueSlot) {
             checkConsistency();
@@ -532 +529 @@
     // which almost certainly means a different structure for PropertyNameArray.
 
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
     
     unsigned usedVectorLength = min(storage->m_length, m_vectorLength);
     for (unsigned i = 0; i < usedVectorLength; ++i) {
-        if (m_vector[i])
+        if (storage->m_vector[i])
             propertyNames.add(Identifier::from(exec, i));
     }
@@ -557 +554 @@
 
     unsigned increasedLength;
-    unsigned length = arrayStorage()->m_length;
+    unsigned length = m_storage->m_length;
 
     if (desiredLength < length)
@@ -584 +581 @@
     // to the vector. Callers have to account for that, because they can do it more efficiently.
 
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
 
     unsigned vectorLength = m_vectorLength;
@@ -595 +592 @@
         return false;
 
-    storage = reinterpret_cast<ArrayStorage*>(static_cast<char*>(baseStorage) + m_indexBias * sizeof(JSValue));
-    storage->m_allocBase = baseStorage;
-    setArrayStorage(storage);
-
-    JSValue* vector = m_vector;
+    storage = m_storage = reinterpret_cast<ArrayStorage*>(static_cast<char*>(baseStorage) + m_indexBias * sizeof(JSValue));
+    m_storage->m_allocBase = baseStorage;
+
+    JSValue* vector = storage->m_vector;
     for (unsigned i = vectorLength; i < newVectorLength; ++i)
         vector[i] = JSValue();
@@ -615 +611 @@
     // to the vector. Callers have to account for that, because they can do it more efficiently.
     
-    ArrayStorage* storage = arrayStorage();
-    ArrayStorage* newStorage;
+    ArrayStorage* storage = m_storage;
     
     unsigned vectorLength = m_vectorLength;
@@ -629 +624 @@
     m_indexBias += newVectorLength - newLength;
     
-    newStorage = reinterpret_cast<ArrayStorage*>(static_cast<char*>(newBaseStorage) + m_indexBias * sizeof(JSValue));
-
-    memcpy(newStorage, storage, storageSize(0));
-    memcpy(&newStorage->m_vector[newLength - m_vectorLength], &storage->m_vector[0], vectorLength * sizeof(JSValue));
-    
-    newStorage->m_allocBase = newBaseStorage;
+    m_storage = reinterpret_cast<ArrayStorage*>(static_cast<char*>(newBaseStorage) + m_indexBias * sizeof(JSValue));
+
+    memcpy(m_storage, storage, storageSize(0));
+    memcpy(&m_storage->m_vector[newLength - m_vectorLength], &storage->m_vector[0], vectorLength * sizeof(JSValue));
+    
+    m_storage->m_allocBase = newBaseStorage;
     m_vectorLength = newLength;
     
     fastFree(storage->m_allocBase);
 
-    setArrayStorage(newStorage);
-    
     Heap::heap(this)->reportExtraMemoryCost(storageSize(newVectorLength) - storageSize(vectorLength));
     
@@ -649 +642 @@
 void JSArray::setLength(unsigned newLength)
 {
+    ArrayStorage* storage = m_storage;
+    
 #if CHECK_ARRAY_CONSISTENCY
-    if (!m_storage->m_inCompactInitialization)
+    if (!storage->m_inCompactInitialization)
         checkConsistency();
     else
-        m_storage->m_inCompactInitialization = false;
+        storage->m_inCompactInitialization = false;
 #endif
 
-    ArrayStorage* storage = arrayStorage();
-    
     unsigned length = storage->m_length;
 
@@ -663 +656 @@
         unsigned usedVectorLength = min(length, m_vectorLength);
         for (unsigned i = newLength; i < usedVectorLength; ++i) {
-            JSValue& valueSlot = m_vector[i];
+            JSValue& valueSlot = storage->m_vector[i];
             bool hadValue = valueSlot;
             valueSlot = JSValue();
@@ -692 +685 @@
     checkConsistency();
 
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
     
     unsigned length = storage->m_length;
@@ -703 +696 @@
 
     if (length < m_vectorLength) {
-        JSValue& valueSlot = m_vector[length];
+        JSValue& valueSlot = storage->m_vector[length];
         if (valueSlot) {
             --storage->m_numValuesInVector;
@@ -736 +729 @@
     checkConsistency();
     
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
 
     if (storage->m_length < m_vectorLength) {
-        m_vector[storage->m_length] = value;
+        storage->m_vector[storage->m_length] = value;
         ++storage->m_numValuesInVector;
         ++storage->m_length;
@@ -750 +743 @@
         if (!map || map->isEmpty()) {
             if (increaseVectorLength(storage->m_length + 1)) {
-                storage = arrayStorage();
-                m_vector[storage->m_length] = value;
+                storage = m_storage;
+                storage->m_vector[storage->m_length] = value;
                 ++storage->m_numValuesInVector;
                 ++storage->m_length;
@@ -770 +763 @@
     ASSERT(count > 0);
     
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
     
     unsigned oldLength = storage->m_length;
@@ -783 +776 @@
         // 15.4.4.9 steps 11 through 13.
         for (unsigned i = count; i < oldLength; ++i) {
-            if ((i >= m_vectorLength) || (!m_vector[i])) {
+            if ((i >= m_vectorLength) || (!m_storage->m_vector[i])) {
                 PropertySlot slot(this);
                 JSValue p = prototype();
@@ -791 +784 @@
         }
 
-        storage = arrayStorage(); // The put() above could have grown the vector and realloc'ed storage.
+        storage = m_storage; // The put() above could have grown the vector and realloc'ed storage.
 
         // Need to decrement numValuesInvector based on number of real entries
         for (unsigned i = 0; i < (unsigned)count; ++i)
-            if ((i < m_vectorLength) && (m_vector[i]))
+            if ((i < m_vectorLength) && (storage->m_vector[i]))
                 --storage->m_numValuesInVector;
     } else
@@ -810 +803 @@
             char* newBaseStorage = reinterpret_cast<char*>(storage) + count * sizeof(JSValue);
             memmove(newBaseStorage, storage, storageSize(0));
-            storage = reinterpret_cast<ArrayStorage*>(newBaseStorage);
+            m_storage = reinterpret_cast<ArrayStorage*>(newBaseStorage);
 
             m_indexBias += count;
-            setArrayStorage(storage);
         }
     }
@@ -820 +812 @@
 void JSArray::unshiftCount(ExecState* exec, int count)
 {
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
 
     ASSERT(m_indexBias >= 0);
@@ -833 +825 @@
         // 15.4.4.13 steps 8 through 10.
         for (unsigned i = 0; i < length; ++i) {
-            if ((i >= m_vectorLength) || (!m_vector[i])) {
+            if ((i >= m_vectorLength) || (!m_storage->m_vector[i])) {
                 PropertySlot slot(this);
                 JSValue p = prototype();
@@ -842 +834 @@
     }
     
-    storage = arrayStorage(); // The put() above could have grown the vector and realloc'ed storage.
+    storage = m_storage; // The put() above could have grown the vector and realloc'ed storage.
     
     if (m_indexBias >= count) {
@@ -848 +840 @@
         char* newBaseStorage = reinterpret_cast<char*>(storage) - count * sizeof(JSValue);
         memmove(newBaseStorage, storage, storageSize(0));
-        storage = reinterpret_cast<ArrayStorage*>(newBaseStorage);
-        setArrayStorage(storage);
+        m_storage = reinterpret_cast<ArrayStorage*>(newBaseStorage);
         m_vectorLength += count;
     } else if (!increaseVectorPrefixLength(m_vectorLength + count)) {
@@ -856 +847 @@
     }
 
+    JSValue* vector = m_storage->m_vector;
     for (int i = 0; i < count; i++)
-        m_vector[i] = JSValue();
+        vector[i] = JSValue();
 }
 
@@ -883 +875 @@
 void JSArray::sortNumeric(ExecState* exec, JSValue compareFunction, CallType callType, const CallData& callData)
 {
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
 
     unsigned lengthNotIncludingUndefined = compactForSorting();
@@ -897 +889 @@
     size_t size = storage->m_numValuesInVector;
     for (size_t i = 0; i < size; ++i) {
-        if (!m_vector[i].isNumber()) {
+        if (!storage->m_vector[i].isNumber()) {
             allValuesAreNumbers = false;
             break;
@@ -909 +901 @@
     // also don't require mergesort's stability, since there's no user visible
     // side-effect from swapping the order of equal primitive values.
-    qsort(m_vector, size, sizeof(JSValue), compareNumbersForQSort);
+    qsort(storage->m_vector, size, sizeof(JSValue), compareNumbersForQSort);
 
     checkConsistency(SortConsistencyCheck);
@@ -916 +908 @@
 void JSArray::sort(ExecState* exec)
 {
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
 
     unsigned lengthNotIncludingUndefined = compactForSorting();
@@ -939 +931 @@
 
     for (size_t i = 0; i < lengthNotIncludingUndefined; i++) {
-        JSValue value = m_vector[i];
+        JSValue value = storage->m_vector[i];
         ASSERT(!value.isUndefined());
         values[i].first = value;
@@ -971 +963 @@
 
     for (size_t i = 0; i < lengthNotIncludingUndefined; i++)
-        m_vector[i] = values[i].first;
+        storage->m_vector[i] = values[i].first;
 
     checkConsistency(SortConsistencyCheck);
@@ -1058 +1050 @@
     checkConsistency();
 
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
 
     // FIXME: This ignores exceptions raised in the compare function or in toNumber.
@@ -1097 +1089 @@
     // Iterate over the array, ignoring missing values, counting undefined ones, and inserting all other ones into the tree.
     for (; numDefined < usedVectorLength; ++numDefined) {
-        JSValue v = m_vector[numDefined];
+        JSValue v = storage->m_vector[numDefined];
         if (!v || v.isUndefined())
             break;
@@ -1104 +1096 @@
     }
     for (unsigned i = numDefined; i < usedVectorLength; ++i) {
-        JSValue v = m_vector[i];
+        JSValue v = storage->m_vector[i];
         if (v) {
             if (v.isUndefined())
@@ -1128 +1120 @@
         }
         
-        storage = arrayStorage();
+        storage = m_storage;
 
         SparseArrayValueMap::iterator end = map->end();
@@ -1150 +1142 @@
     iter.start_iter_least(tree);
     for (unsigned i = 0; i < numDefined; ++i) {
-        m_vector[i] = tree.abstractor().m_nodes[*iter].value;
+        storage->m_vector[i] = tree.abstractor().m_nodes[*iter].value;
         ++iter;
     }
@@ -1156 +1148 @@
     // Put undefined values back in.
     for (unsigned i = numDefined; i < newUsedVectorLength; ++i)
-        m_vector[i] = jsUndefined();
+        storage->m_vector[i] = jsUndefined();
 
     // Ensure that unused values in the vector are zeroed out.
     for (unsigned i = newUsedVectorLength; i < usedVectorLength; ++i)
-        m_vector[i] = JSValue();
+        storage->m_vector[i] = JSValue();
 
     storage->m_numValuesInVector = newUsedVectorLength;
@@ -1169 +1161 @@
 void JSArray::fillArgList(ExecState* exec, MarkedArgumentBuffer& args)
 {
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
 
     JSValue* vector = storage->m_vector;
@@ -1187 +1179 @@
 void JSArray::copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSize)
 {
-    ASSERT(arrayStorage()->m_length >= maxSize);
+    ASSERT(m_storage->m_length >= maxSize);
     UNUSED_PARAM(maxSize);
-    JSValue* vector = m_vector;
+    JSValue* vector = m_storage->m_vector;
     unsigned vectorEnd = min(maxSize, m_vectorLength);
     unsigned i = 0;
@@ -1207 +1199 @@
     checkConsistency();
 
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
 
     unsigned usedVectorLength = min(storage->m_length, m_vectorLength);
@@ -1215 +1207 @@
 
     for (; numDefined < usedVectorLength; ++numDefined) {
-        JSValue v = m_vector[numDefined];
+        JSValue v = storage->m_vector[numDefined];
         if (!v || v.isUndefined())
             break;
     }
     for (unsigned i = numDefined; i < usedVectorLength; ++i) {
-        JSValue v = m_vector[i];
+        JSValue v = storage->m_vector[i];
         if (v) {
             if (v.isUndefined())
                 ++numUndefined;
             else
-                m_vector[numDefined++] = v;
+                storage->m_vector[numDefined++] = v;
         }
     }
@@ -1239 +1231 @@
                 return 0;
 
-            storage = arrayStorage();
+            storage = m_storage;
         }
 
         SparseArrayValueMap::iterator end = map->end();
         for (SparseArrayValueMap::iterator it = map->begin(); it != end; ++it)
-            m_vector[numDefined++] = it->second;
+            storage->m_vector[numDefined++] = it->second;
 
         delete map;
@@ -1251 +1243 @@
 
     for (unsigned i = numDefined; i < newUsedVectorLength; ++i)
-        m_vector[i] = jsUndefined();
+        storage->m_vector[i] = jsUndefined();
     for (unsigned i = newUsedVectorLength; i < usedVectorLength; ++i)
-        m_vector[i] = JSValue();
+        storage->m_vector[i] = JSValue();
 
     storage->m_numValuesInVector = newUsedVectorLength;
@@ -1264 +1256 @@
 void* JSArray::subclassData() const
 {
-    return arrayStorage()->subclassData;
+    return m_storage->subclassData;
 }
 
 void JSArray::setSubclassData(void* d)
 {
-    arrayStorage()->subclassData = d;
+    m_storage->subclassData = d;
 }
 
@@ -1276 +1268 @@
 void JSArray::checkConsistency(ConsistencyCheckType type)
 {
-    ArrayStorage* storage = arrayStorage();
+    ArrayStorage* storage = m_storage;
 
     ASSERT(storage);
@@ -1284 +1276 @@
     unsigned numValuesInVector = 0;
     for (unsigned i = 0; i < m_vectorLength; ++i) {
-        if (JSValue value = m_vector[i]) {
+        if (JSValue value = storage->m_vector[i]) {
             ASSERT(i < storage->m_length);
             if (type != DestructorConsistencyCheck)
@@ -1302 +1294 @@
             unsigned index = it->first;
             ASSERT(index < storage->m_length);
-            ASSERT(index >= m_vectorLength);
+            ASSERT(index >= storage->m_vectorLength);
             ASSERT(index <= MAX_ARRAY_INDEX);
             ASSERT(it->second);

trunk/JavaScriptCore/runtime/JSArray.h

@@ -78 +78 @@
         static JS_EXPORTDATA const ClassInfo info;
         
-        unsigned length() const { return arrayStorage()->m_length; }
+        unsigned length() const { return m_storage->m_length; }
         void setLength(unsigned); // OK to use on new arrays, but not if it might be a RegExpMatchArray.
 
@@ -91 +91 @@
         void unshiftCount(ExecState*, int count);
 
-        bool canGetIndex(unsigned i) { return i < m_vectorLength && m_vector[i]; }
+        bool canGetIndex(unsigned i) { return i < m_vectorLength && m_storage->m_vector[i]; }
         JSValue getIndex(unsigned i)
         {
             ASSERT(canGetIndex(i));
-            return m_vector[i];
+            return m_storage->m_vector[i];
         }
 
@@ -103 +103 @@
             ASSERT(canSetIndex(i));
             
-            JSValue& x = m_vector[i];
+            JSValue& x = m_storage->m_vector[i];
             if (!x) {
-                ArrayStorage *storage = arrayStorage();
+                ArrayStorage *storage = m_storage;
                 ++storage->m_numValuesInVector;
                 if (i >= storage->m_length)
@@ -116 +116 @@
         {
             ASSERT(canSetIndex(i));
-            ArrayStorage *storage = arrayStorage();
+            ArrayStorage *storage = m_storage;
 #if CHECK_ARRAY_CONSISTENCY
             ASSERT(storage->m_inCompactInitialization);
@@ -144 +144 @@
         void setSubclassData(void*);
         
-        inline ArrayStorage *arrayStorage() const
-        {
-            return reinterpret_cast<ArrayStorage*>(reinterpret_cast<char*>(m_vector) - (sizeof(ArrayStorage) - sizeof(JSValue)));
-        }
-
-        inline void setArrayStorage(ArrayStorage *storage)
-        {
-            m_vector = &storage->m_vector[0];
-        }
-
     private:
         virtual const ClassInfo* classInfo() const { return &info; }
@@ -171 +161 @@
         unsigned m_vectorLength; // The valid length of m_vector
         int m_indexBias; // The number of JSValue sized blocks before ArrayStorage.
-        JSValue* m_vector; // Copy of ArrayStorage.m_vector.  Used for quick vector access and to materialize ArrayStorage ptr.
+        ArrayStorage *m_storage;
     };
 
@@ -197 +187 @@
         JSObject::markChildrenDirect(markStack);
         
-        ArrayStorage* storage = arrayStorage();
+        ArrayStorage* storage = m_storage;
 
         unsigned usedVectorLength = std::min(storage->m_length, m_vectorLength);