Changeset 64938 in webkit

Timestamp:

Aug 7, 2010 11:04:59 PM (14 years ago)

Author:

eric@webkit.org

Message:

2010-08-07 Nathan Lawrence <​nlawrence@apple.com>

Reviewed by Geoffrey Garen.

The JIT code contains a number of direct references to GC'd objects.
When we have movable objects, these references will need to be
updated.

• Android.mk:
• CMakeLists.txt:
• GNUmakefile.am:
• JavaScriptCore.gypi:
• JavaScriptCore.pro:
• JavaScriptCore.xcodeproj/project.pbxproj:
• assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::int32AtLocation): (JSC::AbstractMacroAssembler::pointerAtLocation): (JSC::AbstractMacroAssembler::jumpTarget):
• assembler/MacroAssembler.h: (JSC::MacroAssembler::loadPtrWithPatch):

Normally, loadPtr will optimize when the register is eax. Since
the slightly smaller instruction changes the offsets, it messes up
our ability to repatch the code. We added this new instruction
that garuntees a constant size.

• assembler/MacroAssemblerX86.h: (JSC::MacroAssemblerX86::load32WithPatch):

Changed load32 in the same way described above.

(JSC::MacroAssemblerX86::load32):

Moved the logic to optimize laod32 from movl_mr to load32

(JSC::MacroAssemblerX86::store32):

Moved the logic to optimize store32 from movl_rm to store32

• assembler/X86Assembler.h: (JSC::X86Assembler::movl_rm): (JSC::X86Assembler::movl_mr): (JSC::X86Assembler::int32AtLocation): (JSC::X86Assembler::pointerAtLocation): (JSC::X86Assembler::jumpTarget):
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::markAggregate):
• bytecode/Instruction.h:

As described in StructureStubInfo.h, we needed to add additional
fields to both StructureStubInfo and
PolymorphicAccessStructureList so that we can determine the
structure of the JITed code at patch time.

(JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
(JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):

• bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::markAggregate):

Added this function to mark the JITed code that correosponds to
this structure stub info.

• bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::initGetByIdProto): (JSC::StructureStubInfo::initGetByIdChain): (JSC::StructureStubInfo::):
• jit/JIT.h:
• jit/JITMarkObjects.cpp: Added. (JSC::JIT::patchPrototypeStructureAddress): (JSC::JIT::patchGetDirectOffset): (JSC::JIT::markGetByIdProto): (JSC::JIT::markGetByIdChain): (JSC::JIT::markGetByIdProtoList): (JSC::JIT::markPutByIdTransition): (JSC::JIT::markGlobalObjectReference):
• jit/JITPropertyAccess.cpp:

Added asserts for the patch offsets.

(JSC::JIT::compileGetDirectOffset):
(JSC::JIT::testPrototype):
(JSC::JIT::privateCompilePutByIdTransition):
(JSC::JIT::privateCompileGetByIdProto):
(JSC::JIT::privateCompileGetByIdProtoList):
(JSC::JIT::privateCompileGetByIdChainList):
(JSC::JIT::privateCompileGetByIdChain):

• jit/JITPropertyAccess32_64.cpp: (JSC::JIT::compileGetDirectOffset): (JSC::JIT::testPrototype): (JSC::JIT::privateCompilePutByIdTransition): (JSC::JIT::privateCompileGetByIdProto): (JSC::JIT::privateCompileGetByIdProtoList): (JSC::JIT::privateCompileGetByIdChainList): (JSC::JIT::privateCompileGetByIdChain):
• jit/JITStubs.cpp: (JSC::setupPolymorphicProtoList):
• wtf/Platform.h:

Added ENABLE_MOVABLE_GC_OBJECTS flag

Location:

trunk/JavaScriptCore

Files:

• Android.mk (modified) (1 diff)
• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (1 diff)
• GNUmakefile.am (modified) (1 diff)
• JavaScriptCore.gypi (modified) (1 diff)
• JavaScriptCore.pro (modified) (1 diff)
• JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• assembler/AbstractMacroAssembler.h (modified) (1 diff)
• assembler/MacroAssembler.h (modified) (1 diff)
• assembler/MacroAssemblerX86.h (modified) (2 diffs)
• assembler/X86Assembler.h (modified) (2 diffs)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecode/Instruction.h (modified) (5 diffs)
• bytecode/StructureStubInfo.cpp (modified) (2 diffs)
• bytecode/StructureStubInfo.h (modified) (6 diffs)
• jit/JIT.h (modified) (4 diffs)
• jit/JITMarkObjects.cpp (added)
• jit/JITPropertyAccess.cpp (modified) (15 diffs)
• jit/JITPropertyAccess32_64.cpp (modified) (18 diffs)
• jit/JITStubs.cpp (modified) (1 diff)
• wtf/Platform.h (modified) (1 diff)

trunk/JavaScriptCore/Android.mk

@@ -53 +53 @@
         jit/JITCall.cpp \
         jit/JITCall32_64.cpp \
+        jit/JITMarkObjects.cpp \
         jit/JITOpcodes.cpp \
         jit/JITPropertyAccess.cpp \

trunk/JavaScriptCore/CMakeLists.txt

@@ -56 +56 @@
     jit/JITCall.cpp
     jit/JIT.cpp
+    jit/JITMarkObjects.cpp
     jit/JITOpcodes32_64.cpp
     jit/JITOpcodes.cpp

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2010-08-07  Nathan Lawrence  <nlawrence@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        The JIT code contains a number of direct references to GC'd objects.
+        When we have movable objects, these references will need to be
+        updated.
+
+        * Android.mk:
+        * CMakeLists.txt:
+        * GNUmakefile.am:
+        * JavaScriptCore.gypi:
+        * JavaScriptCore.pro:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * assembler/AbstractMacroAssembler.h:
+        (JSC::AbstractMacroAssembler::int32AtLocation):
+        (JSC::AbstractMacroAssembler::pointerAtLocation):
+        (JSC::AbstractMacroAssembler::jumpTarget):
+        * assembler/MacroAssembler.h:
+        (JSC::MacroAssembler::loadPtrWithPatch):
+            Normally, loadPtr will optimize when the register is eax.  Since
+            the slightly smaller instruction changes the offsets, it messes up
+            our ability to repatch the code.  We added this new instruction
+            that garuntees a constant size.
+        * assembler/MacroAssemblerX86.h:
+        (JSC::MacroAssemblerX86::load32WithPatch):
+            Changed load32 in the same way described above.
+        (JSC::MacroAssemblerX86::load32):
+            Moved the logic to optimize laod32 from movl_mr to load32
+        (JSC::MacroAssemblerX86::store32):
+            Moved the logic to optimize store32 from movl_rm to store32
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::movl_rm):
+        (JSC::X86Assembler::movl_mr):
+        (JSC::X86Assembler::int32AtLocation):
+        (JSC::X86Assembler::pointerAtLocation):
+        (JSC::X86Assembler::jumpTarget):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::markAggregate):
+        * bytecode/Instruction.h:
+            As described in StructureStubInfo.h, we needed to add additional
+            fields to both StructureStubInfo and
+            PolymorphicAccessStructureList so that we can determine the
+            structure of the JITed code at patch time.
+        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
+        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
+        * bytecode/StructureStubInfo.cpp:
+        (JSC::StructureStubInfo::markAggregate):
+            Added this function to mark the JITed code that correosponds to
+            this structure stub info.
+        * bytecode/StructureStubInfo.h:
+        (JSC::StructureStubInfo::initGetByIdProto):
+        (JSC::StructureStubInfo::initGetByIdChain):
+        (JSC::StructureStubInfo::):
+        * jit/JIT.h:
+        * jit/JITMarkObjects.cpp: Added.
+        (JSC::JIT::patchPrototypeStructureAddress):
+        (JSC::JIT::patchGetDirectOffset):
+        (JSC::JIT::markGetByIdProto):
+        (JSC::JIT::markGetByIdChain):
+        (JSC::JIT::markGetByIdProtoList):
+        (JSC::JIT::markPutByIdTransition):
+        (JSC::JIT::markGlobalObjectReference):
+        * jit/JITPropertyAccess.cpp:
+            Added asserts for the patch offsets.
+        (JSC::JIT::compileGetDirectOffset):
+        (JSC::JIT::testPrototype):
+        (JSC::JIT::privateCompilePutByIdTransition):
+        (JSC::JIT::privateCompileGetByIdProto):
+        (JSC::JIT::privateCompileGetByIdProtoList):
+        (JSC::JIT::privateCompileGetByIdChainList):
+        (JSC::JIT::privateCompileGetByIdChain):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::compileGetDirectOffset):
+        (JSC::JIT::testPrototype):
+        (JSC::JIT::privateCompilePutByIdTransition):
+        (JSC::JIT::privateCompileGetByIdProto):
+        (JSC::JIT::privateCompileGetByIdProtoList):
+        (JSC::JIT::privateCompileGetByIdChainList):
+        (JSC::JIT::privateCompileGetByIdChain):
+        * jit/JITStubs.cpp:
+        (JSC::setupPolymorphicProtoList):
+        * wtf/Platform.h:
+            Added ENABLE_MOVABLE_GC_OBJECTS flag
+
 2010-08-07  Michael Saboff  <msaboff@apple.com>
 

trunk/JavaScriptCore/GNUmakefile.am

@@ -166 +166 @@
         JavaScriptCore/jit/JIT.h \
         JavaScriptCore/jit/JITInlineMethods.h \
+        JavaScriptCore/jit/JITMarkObjects.cpp \
         JavaScriptCore/jit/JITOpcodes32_64.cpp \
         JavaScriptCore/jit/JITOpcodes.cpp \

trunk/JavaScriptCore/JavaScriptCore.gypi

@@ -119 +119 @@
             'jit/JITCode.h',
             'jit/JITInlineMethods.h',
+            'jit/JITMarkObjects.cpp',
             'jit/JITOpcodes.cpp',
             'jit/JITOpcodes32_64.cpp',

trunk/JavaScriptCore/JavaScriptCore.pro

@@ -101 +101 @@
     jit/JITCall32_64.cpp \
     jit/JIT.cpp \
+    jit/JITMarkObjects.cpp \
     jit/JITOpcodes.cpp \
     jit/JITOpcodes32_64.cpp \

trunk/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj

@@ -1690 +1690 @@
                         </File>
                         <File
+                                RelativePath="..\..\jit\JITMarkObjects.cpp"
+                                >
+                        <File
                                 RelativePath="..\..\jit\JITOpcodes.cpp"
                                 >

trunk/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -510 +510 @@
                 BCFD8C930EEB2EE700283848 /* JumpTable.h in Headers */ = {isa = PBXBuildFile; fileRef = BCFD8C910EEB2EE700283848 /* JumpTable.h */; };
                 C0A272630E50A06300E96E15 /* NotFound.h in Headers */ = {isa = PBXBuildFile; fileRef = C0A2723F0E509F1E00E96E15 /* NotFound.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                DD23669811DBB22D00AF47C8 /* JITMarkObjects.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DD23669711DBB22D00AF47C8 /* JITMarkObjects.cpp */; };
                 DD2724681208D1FF00F9ABE7 /* AlignedMemoryAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = DD2724671208D1FF00F9ABE7 /* AlignedMemoryAllocator.h */; };
                 DD2724691208D1FF00F9ABE7 /* AlignedMemoryAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = DD2724671208D1FF00F9ABE7 /* AlignedMemoryAllocator.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -1063 +1064 @@
                 D21202280AD4310C00ED79B6 /* DateConversion.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = DateConversion.cpp; sourceTree = "<group>"; };
                 D21202290AD4310C00ED79B6 /* DateConversion.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DateConversion.h; sourceTree = "<group>"; };
+                DD23669711DBB22D00AF47C8 /* JITMarkObjects.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITMarkObjects.cpp; sourceTree = "<group>"; };
                 DD2724671208D1FF00F9ABE7 /* AlignedMemoryAllocator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AlignedMemoryAllocator.h; sourceTree = "<group>"; };
                 DD377CBB12072C18006A2517 /* Bitmap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Bitmap.h; sourceTree = "<group>"; };
@@ -1273 +1275 @@
                         isa = PBXGroup;
                         children = (
+                                DD23669711DBB22D00AF47C8 /* JITMarkObjects.cpp */,
                                 A7B48DB60EE74CFC00DCBDB6 /* ExecutableAllocator.cpp */,
                                 A7B48DB50EE74CFC00DCBDB6 /* ExecutableAllocator.h */,
@@ -2676 +2679 @@
                                 DDF7ABD511F60ED200108E36 /* GCActivityCallbackCF.cpp in Sources */,
                                 8627E5EB11F1281900A313B5 /* PageAllocation.cpp in Sources */,
+                                DD23669811DBB22D00AF47C8 /* JITMarkObjects.cpp in Sources */,
                                 DDE82AD71209D955005C1756 /* GCHandle.cpp in Sources */,
                         );

trunk/JavaScriptCore/assembler/AbstractMacroAssembler.h

@@ -522 +522 @@
     }
 
+    static int32_t int32AtLocation(CodeLocationDataLabel32 dataLabel32)
+    {
+        return AssemblerType::int32AtLocation(dataLabel32.dataLocation());
+    }
+
+    static void* pointerAtLocation(CodeLocationDataLabelPtr dataLabelPtr)
+    {
+        return AssemblerType::pointerAtLocation(dataLabelPtr.dataLocation());
+    }
+
+    static void* jumpTarget(CodeLocationJump jump)
+    {
+        return AssemblerType::jumpTarget(jump.dataLocation());
+    }
+
     static void repatchInt32(CodeLocationDataLabel32 dataLabel32, int32_t value)
     {

trunk/JavaScriptCore/assembler/MacroAssembler.h

@@ -210 +210 @@
     }
 
+    void loadPtrWithPatch(void* address, RegisterID dest)
+    {
+        load32WithPatch(address, dest);
+    }
 
     void loadPtr(ImplicitAddress address, RegisterID dest)

trunk/JavaScriptCore/assembler/MacroAssemblerX86.h

@@ -83 +83 @@
     }
 
+    void load32WithPatch(void* address, RegisterID dest)
+    {
+        m_assembler.movl_mr(address, dest);
+    }
+
     void load32(void* address, RegisterID dest)
     {
-        m_assembler.movl_mr(address, dest);
+        if (dest == X86Registers::eax)
+            m_assembler.movl_mEAX(address);
+        else
+            m_assembler.movl_mr(address, dest);
     }
 
@@ -106 +114 @@
     void store32(RegisterID src, void* address)
     {
-        m_assembler.movl_rm(src, address);
+        if (src == X86Registers::eax)
+            m_assembler.movl_EAXm(address);
+        else
+            m_assembler.movl_rm(src, address);
     }
 

trunk/JavaScriptCore/assembler/X86Assembler.h

@@ -1155 +1155 @@
     void movl_rm(RegisterID src, void* addr)
     {
-        if (src == X86Registers::eax)
-            movl_EAXm(addr);
-        else 
-            m_formatter.oneByteOp(OP_MOV_EvGv, src, addr);
+        m_formatter.oneByteOp(OP_MOV_EvGv, src, addr);
     }
     
     void movl_mr(void* addr, RegisterID dst)
     {
-        if (dst == X86Registers::eax)
-            movl_mEAX(addr);
-        else
-            m_formatter.oneByteOp(OP_MOV_GvEv, dst, addr);
+        m_formatter.oneByteOp(OP_MOV_GvEv, dst, addr);
     }
 
@@ -1558 +1552 @@
 
         setPointer(reinterpret_cast<char*>(code) + where.m_offset, value);
+    }
+
+    static int32_t int32AtLocation(void* where)
+    {
+        return static_cast<int32_t*>(where)[-1];
+    }
+
+    static void* pointerAtLocation(void* where)
+    {
+        return static_cast<void**>(where)[-1];
+    }
+
+    static void* jumpTarget(void* jump)
+    {
+        intptr_t src = reinterpret_cast<intptr_t>(jump);
+        int32_t offset = static_cast<int32_t*>(jump)[-1];
+        return reinterpret_cast<void*>(src + offset);
     }
 

trunk/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1521 +1521 @@
         m_functionDecls[i]->markAggregate(markStack);
     markStack.append(m_globalObject);
+#if ENABLE(MOVABLE_GC_OBJECTS)
+    // This is the code that is responsible for marking the actual pointers
+    // to JSCell*s in the JIT'ed code.  Normally, these pointers are marked
+    // elsewhere, however when we have movable objects, we will need to update
+    // all of the references.
+    for (size_t i = 0; i < m_structureStubInfos.size(); ++i)
+        m_structureStubInfos[i].markAggregate(markStack, this);
+#endif
 }
 

trunk/JavaScriptCore/bytecode/Instruction.h

@@ -64 +64 @@
                 StructureChain* chain;
             } u;
+#if ENABLE(MOVABLE_GC_OBJECTS)
+            int count;
+            PropertySlot::CachedPropertyType propertyType;
+#endif
 
             void set(PolymorphicAccessStructureListStubRoutineType _stubRoutine, Structure* _base)
@@ -73 +77 @@
             }
             
+#if ENABLE(MOVABLE_GC_OBJECTS)
+            void set(PolymorphicAccessStructureListStubRoutineType _stubRoutine, Structure* _base, Structure* _proto, PropertySlot::CachedPropertyType _propertyType)
+#else
             void set(PolymorphicAccessStructureListStubRoutineType _stubRoutine, Structure* _base, Structure* _proto)
+#endif
             {
                 stubRoutine = _stubRoutine;
@@ -79 +87 @@
                 u.proto = _proto;
                 isChain = false;
+#if ENABLE(MOVABLE_GC_OBJECTS)
+                propertyType = _propertyType;
+#endif
             }
             
+#if ENABLE(MOVABLE_GC_OBJECTS)
+            void set(PolymorphicAccessStructureListStubRoutineType _stubRoutine, Structure* _base, StructureChain* _chain, int _count, PropertySlot::CachedPropertyType _propertyType)
+#else
             void set(PolymorphicAccessStructureListStubRoutineType _stubRoutine, Structure* _base, StructureChain* _chain)
+#endif
             {
                 stubRoutine = _stubRoutine;
@@ -87 +102 @@
                 u.chain = _chain;
                 isChain = true;
+#if ENABLE(MOVABLE_GC_OBJECTS)
+                count = _count;
+                propertyType = _propertyType;
+#endif
             }
         } list[POLYMORPHIC_LIST_CACHE_SIZE];
@@ -95 +114 @@
         }
 
+#if ENABLE(MOVABLE_GC_OBJECTS)
+        PolymorphicAccessStructureList(PolymorphicAccessStructureListStubRoutineType stubRoutine, Structure* firstBase, Structure* firstProto, PropertySlot::CachedPropertyType propertyType)
+        {
+            list[0].set(stubRoutine, firstBase, firstProto, propertyType);
+        }
+#else
         PolymorphicAccessStructureList(PolymorphicAccessStructureListStubRoutineType stubRoutine, Structure* firstBase, Structure* firstProto)
         {
             list[0].set(stubRoutine, firstBase, firstProto);
         }
-
+#endif
+
+#if ENABLE(MOVABLE_GC_OBJECTS)
+        PolymorphicAccessStructureList(PolymorphicAccessStructureListStubRoutineType stubRoutine, Structure* firstBase, StructureChain* firstChain, int count, PropertySlot::CachedPropertyType propertyType)
+        {
+            list[0].set(stubRoutine, firstBase, firstChain, count, propertyType);
+        }
+#else
         PolymorphicAccessStructureList(PolymorphicAccessStructureListStubRoutineType stubRoutine, Structure* firstBase, StructureChain* firstChain)
         {
             list[0].set(stubRoutine, firstBase, firstChain);
         }
+#endif
 
         void derefStructures(int count)

trunk/JavaScriptCore/bytecode/StructureStubInfo.cpp

@@ -26 +26 @@
 #include "config.h"
 #include "StructureStubInfo.h"
+
+#include "JIT.h"
 
 namespace JSC {
@@ -76 +78 @@
     }
 }
+
+#if ENABLE(MOVABLE_GC_OBJECTS)
+void StructureStubInfo::markAggregate(MarkStack& markStack, CodeBlock* codeBlock)
+{
+    switch (accessType) {
+    case access_get_by_id_proto:
+        JIT::markGetByIdProto(markStack, codeBlock, this);
+        return;
+    case access_get_by_id_chain:
+        JIT::markGetByIdChain(markStack, codeBlock, this);
+        return;
+    case access_get_by_id_proto_list:
+        JIT::markGetByIdProtoList(markStack, codeBlock, this);
+        return;
+    case access_put_by_id_transition:
+        JIT::markPutByIdTransition(markStack, codeBlock, this);
+        return;
+    case access_get_by_id_self:
+    case access_get_by_id_self_list:
+    case access_put_by_id_replace:
+    case access_get_by_id:
+    case access_put_by_id:
+    case access_get_by_id_generic:
+    case access_put_by_id_generic:
+    case access_get_array_length:
+    case access_get_string_length:
+        return;
+    default:
+        ASSERT_NOT_REACHED();
+    }
+}
+#endif
+
 #endif
 

trunk/JavaScriptCore/bytecode/StructureStubInfo.h

@@ -31 +31 @@
 #include "Instruction.h"
 #include "MacroAssembler.h"
+#include "PropertySlot.h"
 #include "Opcode.h"
 #include "Structure.h"
@@ -67 +68 @@
         }
 
+#if ENABLE(MOVABLE_GC_OBJECTS)
+        void initGetByIdProto(Structure* baseObjectStructure, Structure* prototypeStructure, CodeLocationLabel routine, PropertySlot::CachedPropertyType propertyType)
+#else
         void initGetByIdProto(Structure* baseObjectStructure, Structure* prototypeStructure, CodeLocationLabel routine)
+#endif
         {
             accessType = access_get_by_id_proto;
@@ -78 +83 @@
 
             stubRoutine = routine;
-        }
-
+
+#if ENABLE(MOVABLE_GC_OBJECTS)
+            u.getByIdProto.propertyType = propertyType;
+#endif
+        }
+
+#if ENABLE(MOVABLE_GC_OBJECTS)
+        void initGetByIdChain(Structure* baseObjectStructure, StructureChain* chain, CodeLocationLabel routine, int count, PropertySlot::CachedPropertyType propertyType)
+#else
         void initGetByIdChain(Structure* baseObjectStructure, StructureChain* chain, CodeLocationLabel routine)
+#endif
         {
             accessType = access_get_by_id_chain;
@@ -91 +104 @@
 
             stubRoutine = routine;
+
+#if ENABLE(MOVABLE_GC_OBJECTS)
+            u.getByIdChain.count = count;
+            u.getByIdChain.propertyType = propertyType;
+#endif
         }
 
@@ -140 +158 @@
 
         void deref();
+#if ENABLE(MOVABLE_GC_OBJECTS)
+        void markAggregate(MarkStack&, CodeBlock*);
+#endif
 
         bool seenOnce()
@@ -161 +182 @@
                 Structure* baseObjectStructure;
                 Structure* prototypeStructure;
+#if ENABLE(MOVABLE_GC_OBJECTS)
+                // The propertyType is required to properly determine the
+                // structure of the underlying code so that we may patch it
+                // correctly.  Different code is generated for different
+                // property types, and therefore, the offsets that we need to
+                // patch at will change.
+                PropertySlot::CachedPropertyType propertyType;
+#endif
             } getByIdProto;
             struct {
                 Structure* baseObjectStructure;
                 StructureChain* chain;
+#if ENABLE(MOVABLE_GC_OBJECTS)
+                // We need the count so that we can iterate over the prototype
+                // chain, marking all of the references to objects.
+                int count;
+                PropertySlot::CachedPropertyType propertyType;
+#endif
             } getByIdChain;
             struct {

trunk/JavaScriptCore/jit/JIT.h

@@ -238 +238 @@
         static void patchMethodCallProto(CodeBlock* codeblock, MethodCallLinkInfo&, JSFunction*, Structure*, JSObject*, ReturnAddressPtr);
 
+#if ENABLE(MOVABLE_GC_OBJECTS)
+        static void patchPrototypeStructureAddress(CodeLocationDataLabelPtr, MarkStack&, RepatchBuffer&);
+        static void patchGetDirectOffset(CodeLocationLabel, MarkStack&, RepatchBuffer&, PropertySlot::CachedPropertyType);
+        static void markGetByIdChainInternal(CodeLocationLabel, MarkStack&, RepatchBuffer&, PropertySlot::CachedPropertyType);
+
+        static void markGetByIdProto(MarkStack&, CodeBlock*, StructureStubInfo*);
+        static void markGetByIdChain(MarkStack&, CodeBlock*, StructureStubInfo*);
+        static void markGetByIdProtoList(MarkStack&, CodeBlock*, StructureStubInfo*);
+        static void markPutByIdTransition(MarkStack&, CodeBlock*, StructureStubInfo*);
+        static void markGlobalObjectReference(MarkStack&, CodeBlock*, CodeLocationDataLabelPtr);
+#endif
+
         static bool compilePatchGetArrayLength(JSGlobalData* globalData, CodeBlock* codeBlock, StructureStubInfo* stubInfo, ReturnAddressPtr returnAddress)
         {
@@ -296 +308 @@
         void emitLoadInt32ToDouble(unsigned index, FPRegisterID value);
 
-        void testPrototype(JSValue, JumpList& failureCases);
+        unsigned testPrototype(JSValue, JumpList& failureCases);
 
 #if USE(JSVALUE32_64)
@@ -367 +379 @@
         static const int patchOffsetMethodCheckProtoStruct = 18;
         static const int patchOffsetMethodCheckPutFunction = 29;
+
+        static const int patchOffsetGetByIdProtoStruct = 19;
+        static const int patchOffsetPutByIdProtoStruct = 12;
+        static const int patchLengthTestPrototype = 16;
+        static const int patchLengthBranchPtr = 10;
+        static const int patchLengthMove = 6;
+        static const int patchLengthStore = 10;
 #elif CPU(ARM_TRADITIONAL)
         // These architecture specific value are used to enable patching - see comment on op_put_by_id.
@@ -537 +556 @@
         static const int patchOffsetMethodCheckProtoStruct = 30;
         static const int patchOffsetMethodCheckPutFunction = 50;
+
+        static const int patchOffsetGetByIdProtoStruct = 40;
+        static const int patchOffsetPutByIdProtoStruct = 20;
+        static const int patchLengthTestPrototype = 29;
+        static const int patchLengthBranchPtr = 9;
+        static const int patchLengthMove = 10;
+        static const int patchLengthStore = 13;
 #elif CPU(X86)
         // These architecture specific value are used to enable patching - see comment on op_put_by_id.

trunk/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -574 +574 @@
 }
 
-void JIT::compileGetDirectOffset(JSObject* base, RegisterID temp, RegisterID result, size_t cachedOffset)
+void JIT::compileGetDirectOffset(JSObject* base, RegisterID, RegisterID result, size_t cachedOffset)
 {
     if (base->isUsingInlineStorage())
@@ -580 +580 @@
     else {
         PropertyStorage* protoPropertyStorage = &base->m_externalStorage;
-        loadPtr(static_cast<void*>(protoPropertyStorage), temp);
-        loadPtr(Address(temp, cachedOffset * sizeof(JSValue)), result);
+        loadPtr(static_cast<void*>(protoPropertyStorage), result);
+        loadPtr(Address(result, cachedOffset * sizeof(JSValue)), result);
     } 
 }
 
-void JIT::testPrototype(JSValue prototype, JumpList& failureCases)
+unsigned JIT::testPrototype(JSValue prototype, JumpList& failureCases)
 {
     if (prototype.isNull())
-        return;
-
+        return 0;
+
+    Label testPrototypeBegin(this);
     // We have a special case for X86_64 here because X86 instructions that take immediate values
     // only take 32 bit immediate values, wheras the pointer constants we are using here are 64 bit
@@ -600 +601 @@
     failureCases.append(branchPtr(NotEqual, AbsoluteAddress(&asCell(prototype)->m_structure), ImmPtr(asCell(prototype)->structure())));
 #endif
+    ASSERT_JIT_OFFSET(differenceBetween(testPrototypeBegin, Label(this)), patchLengthTestPrototype);
+
+    return patchLengthTestPrototype;
 }
 
 bool JIT::privateCompilePutByIdTransition(StructureStubInfo* stubInfo, Structure* oldStructure, Structure* newStructure, size_t cachedOffset, StructureChain* chain, ReturnAddressPtr returnAddress, bool direct)
 {
+    Label putByIdTransitionBegin(this);
     JumpList failureCases;
     // Check eax is an object of the right Structure.
     failureCases.append(emitJumpIfNotJSCell(regT0));
     failureCases.append(branchPtr(NotEqual, Address(regT0, OBJECT_OFFSETOF(JSCell, m_structure)), ImmPtr(oldStructure)));
-    testPrototype(oldStructure->storedPrototype(), failureCases);
+
+    unsigned offset = patchOffsetPutByIdProtoStruct + patchLengthBranchPtr;
+    ASSERT_JIT_OFFSET(differenceBetween(putByIdTransitionBegin, Label(this)), offset);
+
+    offset += testPrototype(oldStructure->storedPrototype(), failureCases);
+    ASSERT_JIT_OFFSET(differenceBetween(putByIdTransitionBegin, Label(this)), offset);
 
     // ecx = baseObject->m_structure
     if (!direct) {
-        for (RefPtr<Structure>* it = chain->head(); *it; ++it)
-            testPrototype((*it)->storedPrototype(), failureCases);
+        for (RefPtr<Structure>* it = chain->head(); *it; ++it) {
+            offset += testPrototype((*it)->storedPrototype(), failureCases);
+            ASSERT_JIT_OFFSET(differenceBetween(putByIdTransitionBegin, Label(this)), offset);
+        }
     }
 
@@ -772 +784 @@
 bool JIT::privateCompileGetByIdProto(StructureStubInfo* stubInfo, Structure* structure, Structure* prototypeStructure, const Identifier& ident, const PropertySlot& slot, size_t cachedOffset, ReturnAddressPtr returnAddress, CallFrame* callFrame)
 {
+    Label getByIdProtoBegin(this);
     // The prototype object definitely exists (if this stub exists the CodeBlock is referencing a Structure that is
     // referencing the prototype object - let's speculatively load it's table nice and early!)
@@ -788 +801 @@
 #endif
 
+    ASSERT_JIT_OFFSET(differenceBetween(getByIdProtoBegin, Label(this)), patchOffsetGetByIdProtoStruct + patchLengthBranchPtr);
     bool needsStubLink = false;
     
@@ -838 +852 @@
     // We don't want to patch more than once - in future go to cti_op_put_by_id_generic.
     repatchBuffer.relinkCallerToFunction(returnAddress, FunctionPtr(cti_op_get_by_id_proto_list));
+#if ENABLE(MOVABLE_GC_OBJECTS)
+    stubInfo->initGetByIdProto(structure, prototypeStructure, entryLabel, slot.cachedPropertyType());
+#else
     stubInfo->initGetByIdProto(structure, prototypeStructure, entryLabel);
+#endif
     return true;
 }
@@ -909 +927 @@
 bool JIT::privateCompileGetByIdProtoList(StructureStubInfo* stubInfo, Structure* structure, Structure* prototypeStructure, const Identifier& ident, const PropertySlot& slot, size_t cachedOffset, CallFrame* callFrame)
 {
+    Label getByIdProtoListBegin(this);
     PolymorphicAccessStructureList* prototypeStructures = stubInfo->u.getByIdProtoList.structureList;
     int currentIndex = stubInfo->u.getByIdProtoList.listSize;
@@ -927 +946 @@
     Jump failureCases2 = branchPtr(NotEqual, AbsoluteAddress(prototypeStructureAddress), ImmPtr(prototypeStructure));
 #endif
+
+    ASSERT_JIT_OFFSET(differenceBetween(getByIdProtoListBegin, Label(this)), patchOffsetGetByIdProtoStruct + patchLengthBranchPtr);
 
     // Checks out okay!
@@ -974 +995 @@
     structure->ref();
     prototypeStructure->ref();
+#if ENABLE(MOVABLE_GC_OBJECTS)
+    prototypeStructures->list[currentIndex].set(entryLabel, structure, prototypeStructure, slot.cachedPropertyType());
+#else
     prototypeStructures->list[currentIndex].set(entryLabel, structure, prototypeStructure);
+#endif
 
     // Finally patch the jump to slow case back in the hot path to jump here instead.
@@ -990 +1015 @@
 
     ASSERT(count);
+
+    Label getByIdChainListBegin(this);
     JumpList bucketsOfFail;
 
@@ -1003 +1030 @@
         currStructure = it->get();
         testPrototype(protoObject, bucketsOfFail);
+        ASSERT_JIT_OFFSET(differenceBetween(getByIdChainListBegin, Label(this)),
+            patchOffsetGetByIdProtoStruct + patchLengthBranchPtr + i * patchLengthTestPrototype);
     }
     ASSERT(protoObject);
@@ -1051 +1080 @@
     structure->ref();
     chain->ref();
+#if ENABLE(MOVABLE_GC_OBJECTS)
+    prototypeStructures->list[currentIndex].set(entryLabel, structure, chain, count, slot.cachedPropertyType());
+#else
     prototypeStructures->list[currentIndex].set(entryLabel, structure, chain);
+#endif
 
     // Finally patch the jump to slow case back in the hot path to jump here instead.
@@ -1065 +1098 @@
     ASSERT(count);
 
+    Label getByIdChainBegin(this);
     JumpList bucketsOfFail;
 
@@ -1077 +1111 @@
         currStructure = it->get();
         testPrototype(protoObject, bucketsOfFail);
+        ASSERT_JIT_OFFSET(differenceBetween(getByIdChainBegin, Label(this)),
+            patchOffsetGetByIdProtoStruct + patchLengthBranchPtr + i * patchLengthTestPrototype);
     }
     ASSERT(protoObject);
@@ -1128 +1164 @@
     // We don't want to patch more than once - in future go to cti_op_put_by_id_generic.
     repatchBuffer.relinkCallerToFunction(returnAddress, FunctionPtr(cti_op_get_by_id_proto_list));
+#if ENABLE(MOVABLE_GC_OBJECTS)
+    stubInfo->initGetByIdChain(structure, chain, entryLabel, count, slot.cachedPropertyType());
+#else
     stubInfo->initGetByIdChain(structure, chain, entryLabel);
+#endif
+
     return true;
 }

trunk/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -575 +575 @@
 void JIT::compileGetDirectOffset(JSObject* base, RegisterID temp, RegisterID resultTag, RegisterID resultPayload, size_t cachedOffset)
 {
+    Label directOffsetBegin(this);
     if (base->isUsingInlineStorage()) {
-        load32(reinterpret_cast<char*>(&base->m_inlineStorage[cachedOffset]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload), resultPayload);
+        // On X86, load32 will optimize for a slightly smaller instruction in the case that resultPayoad is regT0
+        // Since we want this instruction to always be the same length, we use load32WithPatch to avoid this problem
+        load32WithPatch(reinterpret_cast<char*>(&base->m_inlineStorage[cachedOffset]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload), resultPayload);
+        ASSERT_JIT_OFFSET(differenceBetween(directOffsetBegin, Label(this)), patchLengthMove);
         load32(reinterpret_cast<char*>(&base->m_inlineStorage[cachedOffset]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag), resultTag);
         return;
@@ -584 +588 @@
     
     PropertyStorage* protoPropertyStorage = &base->m_externalStorage;
-    loadPtr(static_cast<void*>(protoPropertyStorage), temp);
+    loadPtrWithPatch(static_cast<void*>(protoPropertyStorage), temp);
+    ASSERT_JIT_OFFSET(differenceBetween(directOffsetBegin, Label(this)), patchLengthMove);
     load32(Address(temp, offset + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), resultPayload);
     load32(Address(temp, offset + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTag);
 }
 
-void JIT::testPrototype(JSValue prototype, JumpList& failureCases)
+unsigned JIT::testPrototype(JSValue prototype, JumpList& failureCases)
 {
     if (prototype.isNull())
-        return;
-    
+        return 0;
+    
+    Label testPrototypeBegin(this);
     // We have a special case for X86_64 here because X86 instructions that take immediate values
     // only take 32 bit immediate values, wheras the pointer constants we are using here are 64 bit
@@ -604 +610 @@
     failureCases.append(branchPtr(NotEqual, AbsoluteAddress(&asCell(prototype)->m_structure), ImmPtr(asCell(prototype)->structure())));
 #endif
+    ASSERT_JIT_OFFSET(differenceBetween(testPrototypeBegin, Label(this)), patchLengthTestPrototype);
+
+    return patchLengthTestPrototype;
 }
 
@@ -610 +619 @@
     // It is assumed that regT0 contains the basePayload and regT1 contains the baseTag.  The value can be found on the stack.
     
+    Label putByIdTransitionBegin(this);
     JumpList failureCases;
     failureCases.append(branch32(NotEqual, regT1, Imm32(JSValue::CellTag)));
     failureCases.append(branchPtr(NotEqual, Address(regT0, OBJECT_OFFSETOF(JSCell, m_structure)), ImmPtr(oldStructure)));
-    testPrototype(oldStructure->storedPrototype(), failureCases);
+
+    int offset = patchOffsetPutByIdProtoStruct + patchLengthBranchPtr;
+    ASSERT_JIT_OFFSET(differenceBetween(putByIdTransitionBegin, Label(this)), offset);
+
+    offset += testPrototype(oldStructure->storedPrototype(), failureCases);
+    ASSERT_JIT_OFFSET(differenceBetween(putByIdTransitionBegin, Label(this)), offset);
     
     if (!direct) {
         // Verify that nothing in the prototype chain has a setter for this property. 
-        for (RefPtr<Structure>* it = chain->head(); *it; ++it)
-            testPrototype((*it)->storedPrototype(), failureCases);
+        for (RefPtr<Structure>* it = chain->head(); *it; ++it) {
+            offset += testPrototype((*it)->storedPrototype(), failureCases);
+            ASSERT_JIT_OFFSET(differenceBetween(putByIdTransitionBegin, Label(this)), offset);
+        }
     }
-
+    
     // Reallocate property storage if needed.
     Call callTarget;
@@ -783 +800 @@
     // regT0 holds a JSCell*
     
+    Label getByIdProtoBegin(this);
     // The prototype object definitely exists (if this stub exists the CodeBlock is referencing a Structure that is
     // referencing the prototype object - let's speculatively load it's table nice and early!)
@@ -797 +815 @@
     Jump failureCases2 = branchPtr(NotEqual, AbsoluteAddress(prototypeStructureAddress), ImmPtr(prototypeStructure));
 #endif
+    ASSERT_JIT_OFFSET(differenceBetween(getByIdProtoBegin, Label(this)), patchOffsetGetByIdProtoStruct + patchLengthBranchPtr);
+
     bool needsStubLink = false;
     // Checks out okay!
@@ -849 +869 @@
     // We don't want to patch more than once - in future go to cti_op_put_by_id_generic.
     repatchBuffer.relinkCallerToFunction(returnAddress, FunctionPtr(cti_op_get_by_id_proto_list));
+#if ENABLE(MOVABLE_GC_OBJECTS)
+    stubInfo->initGetByIdProto(structure, prototypeStructure, entryLabel, slot.cachedPropertyType());
+#else
     stubInfo->initGetByIdProto(structure, prototypeStructure, entryLabel);
+#endif
     return true;
 }
@@ -927 +951 @@
     // regT0 holds a JSCell*
     
+    Label getByIdProtoListBegin(this);
     // The prototype object definitely exists (if this stub exists the CodeBlock is referencing a Structure that is
     // referencing the prototype object - let's speculatively load it's table nice and early!)
@@ -942 +967 @@
     Jump failureCases2 = branchPtr(NotEqual, AbsoluteAddress(prototypeStructureAddress), ImmPtr(prototypeStructure));
 #endif
+    ASSERT_JIT_OFFSET(differenceBetween(getByIdProtoListBegin, Label(this)), patchOffsetGetByIdProtoStruct + patchLengthBranchPtr);
     
     bool needsStubLink = false;
@@ -962 +988 @@
     } else
         compileGetDirectOffset(protoObject, regT2, regT1, regT0, cachedOffset);
-    
+
     Jump success = jump();
     
@@ -987 +1013 @@
     structure->ref();
     prototypeStructure->ref();
+#if ENABLE(MOVABLE_GC_OBJECTS)
+    prototypeStructures->list[currentIndex].set(entryLabel, structure, prototypeStructure, slot.cachedPropertyType());
+#else
     prototypeStructures->list[currentIndex].set(entryLabel, structure, prototypeStructure);
-    
+#endif
+
     // Finally patch the jump to slow case back in the hot path to jump here instead.
     CodeLocationJump jumpLocation = stubInfo->hotPathBegin.jumpAtOffset(patchOffsetGetByIdBranchToSlowCase);
@@ -1005 +1035 @@
     ASSERT(count);
     
+    Label getByIdChainListBegin(this);
     JumpList bucketsOfFail;
     
@@ -1017 +1048 @@
         currStructure = it->get();
         testPrototype(protoObject, bucketsOfFail);
+
+        ASSERT_JIT_OFFSET(differenceBetween(getByIdChainListBegin, Label(this)),
+            patchOffsetGetByIdProtoStruct + patchLengthBranchPtr + static_cast<int>(i) * patchLengthTestPrototype);
     }
     ASSERT(protoObject);
@@ -1039 +1073 @@
     } else
         compileGetDirectOffset(protoObject, regT2, regT1, regT0, cachedOffset);
-
+    
     Jump success = jump();
     
@@ -1065 +1099 @@
     structure->ref();
     chain->ref();
+#if ENABLE(MOVABLE_GC_OBJECTS)
+    prototypeStructures->list[currentIndex].set(entryLabel, structure, chain, count, slot.cachedPropertyType());
+#else
     prototypeStructures->list[currentIndex].set(entryLabel, structure, chain);
-    
+#endif
+
     // Finally patch the jump to slow case back in the hot path to jump here instead.
     CodeLocationJump jumpLocation = stubInfo->hotPathBegin.jumpAtOffset(patchOffsetGetByIdBranchToSlowCase);
@@ -1080 +1118 @@
     ASSERT(count);
     
+    Label getByIdChainBegin(this);
     JumpList bucketsOfFail;
     
@@ -1092 +1131 @@
         currStructure = it->get();
         testPrototype(protoObject, bucketsOfFail);
+
+        ASSERT_JIT_OFFSET(differenceBetween(getByIdChainBegin, Label(this)),
+            patchOffsetGetByIdProtoStruct + patchLengthBranchPtr + static_cast<int>(i) * patchLengthTestPrototype);
     }
     ASSERT(protoObject);
@@ -1142 +1184 @@
     // We don't want to patch more than once - in future go to cti_op_put_by_id_generic.
     repatchBuffer.relinkCallerToFunction(returnAddress, FunctionPtr(cti_op_get_by_id_proto_list));
+#if ENABLE(MOVABLE_GC_OBJECTS)
+    stubInfo->initGetByIdChain(structure, chain, entryLabel, count, slot.cachedPropertyType());
+#else
     stubInfo->initGetByIdChain(structure, chain, entryLabel);
+#endif
     return true;
 }

trunk/JavaScriptCore/jit/JITStubs.cpp

@@ -1598 +1598 @@
 {
     if (stubInfo->accessType == access_get_by_id_proto)
+#if ENABLE(MOVABLE_GC_OBJECTS)
+        stubInfo->initGetByIdProtoList(new PolymorphicAccessStructureList(stubInfo->stubRoutine, stubInfo->u.getByIdProto.baseObjectStructure, stubInfo->u.getByIdProto.prototypeStructure, stubInfo->u.getByIdProto.propertyType));
+#else
         stubInfo->initGetByIdProtoList(new PolymorphicAccessStructureList(stubInfo->stubRoutine, stubInfo->u.getByIdProto.baseObjectStructure, stubInfo->u.getByIdProto.prototypeStructure));
+#endif
     else if (stubInfo->accessType == access_get_by_id_chain)
+#if ENABLE(MOVABLE_GC_OBJECTS)
+        stubInfo->initGetByIdProtoList(new PolymorphicAccessStructureList(stubInfo->stubRoutine, stubInfo->u.getByIdChain.baseObjectStructure, stubInfo->u.getByIdChain.chain, stubInfo->u.getByIdChain.count, stubInfo->u.getByIdChain.propertyType));
+#else
         stubInfo->initGetByIdProtoList(new PolymorphicAccessStructureList(stubInfo->stubRoutine, stubInfo->u.getByIdChain.baseObjectStructure, stubInfo->u.getByIdChain.chain));
+#endif
     ASSERT(stubInfo->accessType == access_get_by_id_proto_list);
 }

trunk/JavaScriptCore/wtf/Platform.h

@@ -1083 +1083 @@
 #define ENABLE_JSC_ZOMBIES 0
 
+#define ENABLE_MOVABLE_GC_OBJECTS 0
+
 /* FIXME: Eventually we should enable this for all platforms and get rid of the define. */
 #if PLATFORM(MAC) || PLATFORM(WIN)