Changeset 82849 in webkit

Timestamp:

Apr 4, 2011 11:41:15 AM (13 years ago)

Author:

oliver@apple.com

Message:

2011-04-01 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

Make StructureChain GC allocated
​https://bugs.webkit.org/show_bug.cgi?id=56695

Make StructureChain GC allocated, and make the various owners
mark it correctly.

• JavaScriptCore.exp:
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::dump): (JSC::CodeBlock::derefStructures): (JSC::CodeBlock::refStructures): (JSC::CodeBlock::markAggregate):
• bytecode/Instruction.h: (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set): (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList): (JSC::PolymorphicAccessStructureList::derefStructures): (JSC::PolymorphicAccessStructureList::markAggregate): (JSC::Instruction::Instruction):
• bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::deref): (JSC::StructureStubInfo::markAggregate):
• bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::initGetByIdChain): (JSC::StructureStubInfo::initPutByIdTransition):
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall): (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
• collector/handles/Handle.h: (JSC::HandleConverter::operator->): (JSC::HandleConverter::operator*):
• interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute):
• jit/JITOpcodes.cpp: (JSC::JIT::emit_op_jneq_ptr):
• jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_jneq_ptr):
• jit/JITPropertyAccess.cpp: (JSC::JIT::privateCompileGetByIdChainList):
• jit/JITPropertyAccess32_64.cpp: (JSC::JIT::privateCompileGetByIdChainList):
• jit/JITStubs.cpp: (JSC::JITThunks::tryCachePutByID): (JSC::JITThunks::tryCacheGetByID): (JSC::getPolymorphicAccessStructureListSlot): (JSC::DEFINE_STUB_FUNCTION):
• runtime/JSCell.h:
• runtime/JSGlobalData.cpp: (JSC::JSGlobalData::JSGlobalData):
• runtime/JSGlobalData.h:
• runtime/JSGlobalObject.cpp: (JSC::markIfNeeded):
• runtime/JSGlobalObject.h: (JSC::Structure::prototypeChain):
• runtime/JSObject.h: (JSC::JSObject::putDirectInternal): (JSC::JSObject::markChildrenDirect):
• runtime/JSPropertyNameIterator.cpp: (JSC::JSPropertyNameIterator::create): (JSC::JSPropertyNameIterator::get): (JSC::JSPropertyNameIterator::markChildren):
• runtime/JSPropertyNameIterator.h: (JSC::JSPropertyNameIterator::setCachedPrototypeChain):
• runtime/JSZombie.cpp: (JSC::JSZombie::leakedZombieStructure):
• runtime/JSZombie.h:
• runtime/MarkStack.h: (JSC::MarkStack::append):
• runtime/MarkedBlock.cpp: (JSC::MarkedBlock::sweep):
• runtime/Structure.cpp: (JSC::Structure::addPropertyTransition):
• runtime/Structure.h: (JSC::Structure::markAggregate):
• runtime/StructureChain.cpp: (JSC::StructureChain::StructureChain): (JSC::StructureChain::~StructureChain): (JSC::StructureChain::markChildren):
• runtime/StructureChain.h: (JSC::StructureChain::create): (JSC::StructureChain::createStructure):
• runtime/WriteBarrier.h: (JSC::WriteBarrierBase::get): (JSC::WriteBarrierBase::operator*): (JSC::WriteBarrierBase::operator->):

2011-04-01 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

Make StructureChain GC allocated
​https://bugs.webkit.org/show_bug.cgi?id=56695

Update for new Structure marking function

• bindings/js/JSDOMGlobalObject.cpp: (WebCore::JSDOMGlobalObject::markChildren):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.exp (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def (modified) (1 diff)
• JavaScriptCore/bytecode/CodeBlock.cpp (modified) (6 diffs)
• JavaScriptCore/bytecode/Instruction.h (modified) (8 diffs)
• JavaScriptCore/bytecode/StructureStubInfo.cpp (modified) (3 diffs)
• JavaScriptCore/bytecode/StructureStubInfo.h (modified) (7 diffs)
• JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (2 diffs)
• JavaScriptCore/collector/handles/Handle.h (modified) (2 diffs)
• JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)
• JavaScriptCore/jit/JITOpcodes.cpp (modified) (1 diff)
• JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (1 diff)
• JavaScriptCore/jit/JITPropertyAccess.cpp (modified) (1 diff)
• JavaScriptCore/jit/JITPropertyAccess32_64.cpp (modified) (1 diff)
• JavaScriptCore/jit/JITStubs.cpp (modified) (6 diffs)
• JavaScriptCore/runtime/JSCell.h (modified) (1 diff)
• JavaScriptCore/runtime/JSGlobalData.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSGlobalData.h (modified) (1 diff)
• JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSGlobalObject.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSObject.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSPropertyNameIterator.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSPropertyNameIterator.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSZombie.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSZombie.h (modified) (1 diff)
• JavaScriptCore/runtime/MarkStack.h (modified) (1 diff)
• JavaScriptCore/runtime/MarkedBlock.cpp (modified) (1 diff)
• JavaScriptCore/runtime/Structure.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/Structure.h (modified) (5 diffs)
• JavaScriptCore/runtime/StructureChain.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/StructureChain.h (modified) (2 diffs)
• JavaScriptCore/runtime/WriteBarrier.h (modified) (2 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSDOMGlobalObject.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-04-01  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Make StructureChain GC allocated
+        https://bugs.webkit.org/show_bug.cgi?id=56695
+
+        Make StructureChain GC allocated, and make the various owners
+        mark it correctly.
+
+        * JavaScriptCore.exp:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dump):
+        (JSC::CodeBlock::derefStructures):
+        (JSC::CodeBlock::refStructures):
+        (JSC::CodeBlock::markAggregate):
+        * bytecode/Instruction.h:
+        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
+        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
+        (JSC::PolymorphicAccessStructureList::derefStructures):
+        (JSC::PolymorphicAccessStructureList::markAggregate):
+        (JSC::Instruction::Instruction):
+        * bytecode/StructureStubInfo.cpp:
+        (JSC::StructureStubInfo::deref):
+        (JSC::StructureStubInfo::markAggregate):
+        * bytecode/StructureStubInfo.h:
+        (JSC::StructureStubInfo::initGetByIdChain):
+        (JSC::StructureStubInfo::initPutByIdTransition):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
+        (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
+        * collector/handles/Handle.h:
+        (JSC::HandleConverter::operator->):
+        (JSC::HandleConverter::operator*):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_jneq_ptr):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_jneq_ptr):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::privateCompileGetByIdChainList):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::privateCompileGetByIdChainList):
+        * jit/JITStubs.cpp:
+        (JSC::JITThunks::tryCachePutByID):
+        (JSC::JITThunks::tryCacheGetByID):
+        (JSC::getPolymorphicAccessStructureListSlot):
+        (JSC::DEFINE_STUB_FUNCTION):
+        * runtime/JSCell.h:
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::JSGlobalData):
+        * runtime/JSGlobalData.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::markIfNeeded):
+        * runtime/JSGlobalObject.h:
+        (JSC::Structure::prototypeChain):
+        * runtime/JSObject.h:
+        (JSC::JSObject::putDirectInternal):
+        (JSC::JSObject::markChildrenDirect):
+        * runtime/JSPropertyNameIterator.cpp:
+        (JSC::JSPropertyNameIterator::create):
+        (JSC::JSPropertyNameIterator::get):
+        (JSC::JSPropertyNameIterator::markChildren):
+        * runtime/JSPropertyNameIterator.h:
+        (JSC::JSPropertyNameIterator::setCachedPrototypeChain):
+        * runtime/JSZombie.cpp:
+        (JSC::JSZombie::leakedZombieStructure):
+        * runtime/JSZombie.h:
+        * runtime/MarkStack.h:
+        (JSC::MarkStack::append):
+        * runtime/MarkedBlock.cpp:
+        (JSC::MarkedBlock::sweep):
+        * runtime/Structure.cpp:
+        (JSC::Structure::addPropertyTransition):
+        * runtime/Structure.h:
+        (JSC::Structure::markAggregate):
+        * runtime/StructureChain.cpp:
+        (JSC::StructureChain::StructureChain):
+        (JSC::StructureChain::~StructureChain):
+        (JSC::StructureChain::markChildren):
+        * runtime/StructureChain.h:
+        (JSC::StructureChain::create):
+        (JSC::StructureChain::createStructure):
+        * runtime/WriteBarrier.h:
+        (JSC::WriteBarrierBase::get):
+        (JSC::WriteBarrierBase::operator*):
+        (JSC::WriteBarrierBase::operator->):
+
 2011-04-01  Geoffrey Garen  <ggaren@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.exp

@@ -315 +315 @@
 __ZN3JSC9Structure17stopIgnoringLeaksEv
 __ZN3JSC9Structure18startIgnoringLeaksEv
-__ZN3JSC9Structure21addPropertyTransitionEPS0_RKNS_10IdentifierEjPNS_6JSCellERm
+__ZN3JSC9Structure21addPropertyTransitionERNS_12JSGlobalDataEPS0_RKNS_10IdentifierEjPNS_6JSCellERm
 __ZN3JSC9Structure22materializePropertyMapEv
 __ZN3JSC9Structure25changePrototypeTransitionEPS0_NS_7JSValueE

trunk/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def

@@ -52 +52 @@
     ?addBytes@SHA1@WTF@@QAEXPBEI@Z
     ?addCurrentThread@MachineThreads@JSC@@QAEXXZ
-    ?addPropertyTransition@Structure@JSC@@SA?AV?$PassRefPtr@VStructure@JSC@@@WTF@@PAV12@ABVIdentifier@2@IPAVJSCell@2@AAI@Z
+    ?addPropertyTransition@Structure@JSC@@SA?AV?$PassRefPtr@VStructure@JSC@@@WTF@@AAVJSGlobalData@2@PAV12@ABVIdentifier@2@IPAVJSCell@2@AAI@Z
     ?addPropertyTransitionToExistingStructure@Structure@JSC@@SA?AV?$PassRefPtr@VStructure@JSC@@@WTF@@PAV12@ABVIdentifier@2@IPAVJSCell@2@AAI@Z
     ?addPropertyWithoutTransition@Structure@JSC@@QAEIABVIdentifier@2@IPAVJSCell@2@@Z

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -732 +732 @@
             int r0 = (++it)->u.operand;
             int id0 = (++it)->u.operand;
-            JSValue scope = JSValue((++it)->u.jsCell);
+            JSValue scope = JSValue((++it)->u.jsCell.get());
             ++it;
             int depth = (++it)->u.operand;
@@ -1438 +1438 @@
     if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_chain)) {
         vPC[4].u.structure->deref();
-        vPC[5].u.structureChain->deref();
         return;
     }
@@ -1444 +1443 @@
         vPC[4].u.structure->deref();
         vPC[5].u.structure->deref();
-        vPC[6].u.structureChain->deref();
         return;
     }
@@ -1487 +1485 @@
     if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_chain)) {
         vPC[4].u.structure->ref();
-        vPC[5].u.structureChain->ref();
         return;
     }
@@ -1493 +1490 @@
         vPC[4].u.structure->ref();
         vPC[5].u.structure->ref();
-        vPC[6].u.structureChain->ref();
         return;
     }
@@ -1528 +1524 @@
             markStack.append(&callLinkInfo(i).callee);
 #endif
+#if ENABLE(INTERPRETER)
+    Interpreter* interpreter = m_globalData->interpreter;
+    for (size_t size = m_propertyAccessInstructions.size(), i = 0; i < size; ++i) {
+        Instruction* vPC = &m_instructions[m_propertyAccessInstructions[i]];
+        if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_chain))
+            markStack.append(&vPC[5].u.structureChain);
+        else if (vPC[0].u.opcode == interpreter->getOpcode(op_put_by_id_transition))
+            markStack.append(&vPC[6].u.structureChain);
+    }
+#endif
+#if ENABLE(JIT)
+    for (size_t size = m_globalResolveInfos.size(), i = 0; i < size; ++i) {
+        if (Structure* structure = m_globalResolveInfos[i].structure)
+            structure->markAggregate(markStack);
+    }
+
+    for (size_t size = m_structureStubInfos.size(), i = 0; i < size; ++i)
+        m_structureStubInfos[i].markAggregate(markStack);
+
+    for (size_t size = m_methodCallLinkInfos.size(), i = 0; i < size; ++i) {
+        if (Structure* structure = m_methodCallLinkInfos[i].cachedStructure) {
+            // Both members must be filled at the same time
+            structure->markAggregate(markStack);
+            ASSERT(!!m_methodCallLinkInfos[i].cachedPrototypeStructure);
+            m_methodCallLinkInfos[i].cachedPrototypeStructure->markAggregate(markStack);
+        }
+    }
+#endif
 }
 

trunk/Source/JavaScriptCore/bytecode/Instruction.h

@@ -34 +34 @@
 #include "PropertySlot.h"
 #include "Structure.h"
+#include "StructureChain.h"
 #include <wtf/VectorTraits.h>
 
@@ -64 +65 @@
             union {
                 Structure* proto;
-                StructureChain* chain;
+                WriteBarrierBase<StructureChain> chain;
             } u;
 
@@ -83 +84 @@
             }
             
-            void set(PolymorphicAccessStructureListStubRoutineType _stubRoutine, Structure* _base, StructureChain* _chain)
+            void set(JSGlobalData& globalData, JSCell* owner, PolymorphicAccessStructureListStubRoutineType _stubRoutine, Structure* _base, StructureChain* _chain)
             {
                 stubRoutine = _stubRoutine;
                 base = _base;
-                u.chain = _chain;
+                u.chain.set(globalData, owner, _chain);
                 isChain = true;
             }
@@ -102 +103 @@
         }
 
-        PolymorphicAccessStructureList(PolymorphicAccessStructureListStubRoutineType stubRoutine, Structure* firstBase, StructureChain* firstChain)
+        PolymorphicAccessStructureList(JSGlobalData& globalData, JSCell* owner, PolymorphicAccessStructureListStubRoutineType stubRoutine, Structure* firstBase, StructureChain* firstChain)
         {
-            list[0].set(stubRoutine, firstBase, firstChain);
+            list[0].set(globalData, owner, stubRoutine, firstBase, firstChain);
         }
 
@@ -116 +117 @@
 
                 if (info.u.proto) {
-                    if (info.isChain)
-                        info.u.chain->deref();
-                    else
+                    if (!info.isChain)
                         info.u.proto->deref();
                 }
+            }
+        }
+
+        void markAggregate(MarkStack& markStack, int count)
+        {
+            for (int i = 0; i < count; ++i) {
+                PolymorphicStubInfo& info = list[i];
+                ASSERT(info.base);
+                
+                if (info.u.chain && info.isChain)
+                    markStack.append(&info.u.chain);
             }
         }
@@ -131 +141 @@
             // We have to initialize one of the pointer members to ensure that
             // the entire struct is initialized, when opcode is not a pointer.
-            u.jsCell = 0;
+            u.jsCell.clear();
 #endif
             u.opcode = opcode;
@@ -140 +150 @@
             // We have to initialize one of the pointer members to ensure that
             // the entire struct is initialized in 64-bit.
-            u.jsCell = 0;
+            u.jsCell.clear();
             u.operand = operand;
         }
 
         Instruction(Structure* structure) { u.structure = structure; }
-        Instruction(StructureChain* structureChain) { u.structureChain = structureChain; }
-        Instruction(JSCell* jsCell) { u.jsCell = jsCell; }
+        Instruction(JSGlobalData& globalData, JSCell* owner, StructureChain* structureChain)
+        {
+            u.structureChain.clear();
+            u.structureChain.set(globalData, owner, structureChain);
+        }
+        Instruction(JSGlobalData& globalData, JSCell* owner, JSCell* jsCell)
+        {
+            u.jsCell.clear();
+            u.jsCell.set(globalData, owner, jsCell);
+        }
         Instruction(PolymorphicAccessStructureList* polymorphicStructures) { u.polymorphicStructures = polymorphicStructures; }
         Instruction(PropertySlot::GetValueFunc getterFunc) { u.getterFunc = getterFunc; }
@@ -154 +172 @@
             int operand;
             Structure* structure;
-            StructureChain* structureChain;
-            JSCell* jsCell;
+            WriteBarrierBase<StructureChain> structureChain;
+            WriteBarrierBase<JSCell> jsCell;
             PolymorphicAccessStructureList* polymorphicStructures;
             PropertySlot::GetValueFunc getterFunc;

trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp

@@ -45 +45 @@
     case access_get_by_id_chain:
         u.getByIdChain.baseObjectStructure->deref();
-        u.getByIdChain.chain->deref();
         return;
     case access_get_by_id_self_list: {
@@ -61 +60 @@
     case access_put_by_id_transition:
         u.putByIdTransition.previousStructure->deref();
-        u.putByIdTransition.structure->deref();
-        u.putByIdTransition.chain->deref();
         return;
     case access_put_by_id_replace:
@@ -79 +76 @@
     }
 }
+
+void StructureStubInfo::markAggregate(MarkStack& markStack)
+{
+    switch (accessType) {
+    case access_get_by_id_self:
+        u.getByIdSelf.baseObjectStructure->markAggregate(markStack);
+        return;
+    case access_get_by_id_proto:
+        u.getByIdProto.baseObjectStructure->markAggregate(markStack);
+        u.getByIdProto.prototypeStructure->markAggregate(markStack);
+        return;
+    case access_get_by_id_chain:
+        u.getByIdChain.baseObjectStructure->markAggregate(markStack);
+        markStack.append(&u.getByIdChain.chain);
+        return;
+    case access_get_by_id_self_list: {
+        PolymorphicAccessStructureList* polymorphicStructures = u.getByIdSelfList.structureList;
+        polymorphicStructures->markAggregate(markStack, u.getByIdSelfList.listSize);
+        return;
+    }
+    case access_get_by_id_proto_list: {
+        PolymorphicAccessStructureList* polymorphicStructures = u.getByIdProtoList.structureList;
+        polymorphicStructures->markAggregate(markStack, u.getByIdProtoList.listSize);
+        return;
+    }
+    case access_put_by_id_transition:
+        u.putByIdTransition.previousStructure->markAggregate(markStack);
+        u.putByIdTransition.structure->markAggregate(markStack);
+        markStack.append(&u.putByIdTransition.chain);
+        return;
+    case access_put_by_id_replace:
+        u.putByIdReplace.baseObjectStructure->markAggregate(markStack);
+        return;
+    case access_get_by_id:
+    case access_put_by_id:
+    case access_get_by_id_generic:
+    case access_put_by_id_generic:
+    case access_get_array_length:
+    case access_get_string_length:
+        // These instructions don't ref their Structures.
+        return;
+    default:
+        ASSERT_NOT_REACHED();
+    }
+}
 #endif
 

trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h

@@ -78 +78 @@
         }
 
-        void initGetByIdChain(Structure* baseObjectStructure, StructureChain* chain)
+        void initGetByIdChain(JSGlobalData& globalData, JSCell* owner, Structure* baseObjectStructure, StructureChain* chain)
         {
             accessType = access_get_by_id_chain;
@@ -85 +85 @@
             baseObjectStructure->ref();
 
-            u.getByIdChain.chain = chain;
-            chain->ref();
+            u.getByIdChain.chain.set(globalData, owner, chain);
         }
 
@@ -107 +106 @@
         // PutById*
 
-        void initPutByIdTransition(Structure* previousStructure, Structure* structure, StructureChain* chain)
+        void initPutByIdTransition(JSGlobalData& globalData, JSCell* owner, Structure* previousStructure, Structure* structure, StructureChain* chain)
         {
             accessType = access_put_by_id_transition;
@@ -117 +116 @@
             structure->ref();
 
-            u.putByIdTransition.chain = chain;
-            chain->ref();
+            u.putByIdTransition.chain.set(globalData, owner, chain);
         }
 
@@ -130 +128 @@
 
         void deref();
+        void markAggregate(MarkStack&);
 
         bool seenOnce()
@@ -154 +153 @@
             struct {
                 Structure* baseObjectStructure;
-                StructureChain* chain;
+                WriteBarrierBase<StructureChain> chain;
             } getByIdChain;
             struct {
@@ -167 +166 @@
                 Structure* previousStructure;
                 Structure* structure;
-                StructureChain* chain;
+                WriteBarrierBase<StructureChain> chain;
             } putByIdTransition;
             struct {

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -926 +926 @@
     emitOpcode(op_jneq_ptr);
     instructions().append(cond->index());
-    instructions().append(m_scopeChain->globalObject->callFunction());
+    instructions().append(Instruction(*m_globalData, m_codeBlock->ownerExecutable(), m_scopeChain->globalObject->callFunction()));
     instructions().append(target->bind(begin, instructions().size()));
     return target;
@@ -937 +937 @@
     emitOpcode(op_jneq_ptr);
     instructions().append(cond->index());
-    instructions().append(m_scopeChain->globalObject->applyFunction());
+    instructions().append(Instruction(*m_globalData, m_codeBlock->ownerExecutable(), m_scopeChain->globalObject->applyFunction()));
     instructions().append(target->bind(begin, instructions().size()));
     return target;

trunk/Source/JavaScriptCore/collector/handles/Handle.h

@@ -105 +105 @@
 
 template <typename Base, typename T> struct HandleConverter {
-    T* operator->() { return static_cast<Base*>(this)->get(); }
-    const T* operator->() const { return static_cast<const Base*>(this)->get(); }
-    T* operator*() { return static_cast<Base*>(this)->get(); }
-    const T* operator*() const { return static_cast<const Base*>(this)->get(); }
+    T* operator->()
+    {
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!static_cast<const Base*>(this)->get() || !static_cast<const Base*>(this)->get()->isZombie());
+#endif
+        return static_cast<Base*>(this)->get();
+    }
+    const T* operator->() const
+    {
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!static_cast<const Base*>(this)->get() || !static_cast<const Base*>(this)->get()->isZombie());
+#endif
+        return static_cast<const Base*>(this)->get();
+    }
+
+    T* operator*()
+    {
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!static_cast<const Base*>(this)->get() || !static_cast<const Base*>(this)->get()->isZombie());
+#endif
+        return static_cast<Base*>(this)->get();
+    }
+    const T* operator*() const
+    {
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!static_cast<const Base*>(this)->get() || !static_cast<const Base*>(this)->get()->isZombie());
+#endif
+        return static_cast<const Base*>(this)->get();
+    }
 };
 
@@ -119 +144 @@
 
 private:
-    JSValue jsValue() const { return static_cast<const Base*>(this)->get(); }
+    JSValue jsValue() const
+    {
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!static_cast<const Base*>(this)->get() || !static_cast<const Base*>(this)->get().isZombie());
+#endif
+        return static_cast<const Base*>(this)->get();
+    }
 };
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -3538 +3538 @@
          */
         int src = vPC[1].u.operand;
-        JSValue ptr = JSValue(vPC[2].u.jsCell);
         int target = vPC[3].u.operand;
         JSValue srcValue = callFrame->r(src).jsValue();
-        if (srcValue != ptr) {
+        if (srcValue != vPC[2].u.jsCell.get()) {
             vPC += target;
             NEXT_INSTRUCTION();

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -763 +763 @@
 {
     unsigned src = currentInstruction[1].u.operand;
-    JSCell* ptr = currentInstruction[2].u.jsCell;
+    JSCell* ptr = currentInstruction[2].u.jsCell.get();
     unsigned target = currentInstruction[3].u.operand;
     

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -980 +980 @@
 {
     unsigned src = currentInstruction[1].u.operand;
-    JSCell* ptr = currentInstruction[2].u.jsCell;
+    JSCell* ptr = currentInstruction[2].u.jsCell.get();
     unsigned target = currentInstruction[3].u.operand;
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -980 +980 @@
     // Track the stub we have created so that it will be deleted later.
     structure->ref();
-    chain->ref();
-    prototypeStructures->list[currentIndex].set(entryLabel, structure, chain);
+    prototypeStructures->list[currentIndex].set(callFrame->globalData(), m_codeBlock->ownerExecutable(), entryLabel, structure, chain);
 
     // Finally patch the jump to slow case back in the hot path to jump here instead.

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -1008 +1008 @@
     // Track the stub we have created so that it will be deleted later.
     structure->ref();
-    chain->ref();
-    prototypeStructures->list[currentIndex].set(entryLabel, structure, chain);
+    prototypeStructures->list[currentIndex].set(callFrame->globalData(), m_codeBlock->ownerExecutable(), entryLabel, structure, chain);
     
     // Finally patch the jump to slow case back in the hot path to jump here instead.

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -772 +772 @@
 
         StructureChain* prototypeChain = structure->prototypeChain(callFrame);
-        stubInfo->initPutByIdTransition(structure->previousID(), structure, prototypeChain);
+        stubInfo->initPutByIdTransition(callFrame->globalData(), codeBlock->ownerExecutable(), structure->previousID(), structure, prototypeChain);
         JIT::compilePutByIdTransition(callFrame->scopeChain()->globalData, codeBlock, stubInfo, structure->previousID(), structure, slot.cachedOffset(), prototypeChain, returnAddress, direct);
         return;
@@ -867 +867 @@
 
     StructureChain* prototypeChain = structure->prototypeChain(callFrame);
-    stubInfo->initGetByIdChain(structure, prototypeChain);
+    stubInfo->initGetByIdChain(callFrame->globalData(), codeBlock->ownerExecutable(), structure, prototypeChain);
     JIT::compileGetByIdChain(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, prototypeChain, count, propertyName, slot, offset, returnAddress);
 }
@@ -1554 +1554 @@
 }
 
-static PolymorphicAccessStructureList* getPolymorphicAccessStructureListSlot(StructureStubInfo* stubInfo, int& listIndex)
+static PolymorphicAccessStructureList* getPolymorphicAccessStructureListSlot(JSGlobalData& globalData, ScriptExecutable* owner, StructureStubInfo* stubInfo, int& listIndex)
 {
     PolymorphicAccessStructureList* prototypeStructureList = 0;
@@ -1566 +1566 @@
         break;
     case access_get_by_id_chain:
-        prototypeStructureList = new PolymorphicAccessStructureList(stubInfo->stubRoutine, stubInfo->u.getByIdChain.baseObjectStructure, stubInfo->u.getByIdChain.chain);
+        prototypeStructureList = new PolymorphicAccessStructureList(globalData, owner, stubInfo->stubRoutine, stubInfo->u.getByIdChain.baseObjectStructure, stubInfo->u.getByIdChain.chain.get());
         stubInfo->stubRoutine = CodeLocationLabel();
         stubInfo->initGetByIdProtoList(prototypeStructureList, 2);
@@ -1654 +1654 @@
 
         int listIndex;
-        PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(stubInfo, listIndex);
+        PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(callFrame->globalData(), codeBlock->ownerExecutable(), stubInfo, listIndex);
         if (listIndex < POLYMORPHIC_LIST_CACHE_SIZE) {
             JIT::compileGetByIdProtoList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, slotBaseObject->structure(), propertyName, slot, offset);
@@ -1664 +1664 @@
         ASSERT(!baseValue.asCell()->structure()->isDictionary());
         int listIndex;
-        PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(stubInfo, listIndex);
+        PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(callFrame->globalData(), codeBlock->ownerExecutable(), stubInfo, listIndex);
         
         if (listIndex < POLYMORPHIC_LIST_CACHE_SIZE) {

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -69 +69 @@
         friend class MarkedBlock;
         friend class ScopeChainNode;
+        friend class StructureChain;
 
     private:

trunk/Source/JavaScriptCore/runtime/JSGlobalData.cpp

@@ -185 +185 @@
     functionExecutableStructure = FunctionExecutable::createStructure(*this, jsNull());
     dummyMarkableCellStructure = JSCell::createDummyStructure(*this);
+    structureChainStructure = StructureChain::createStructure(*this, jsNull());
 
     interpreter = new Interpreter(*this);

trunk/Source/JavaScriptCore/runtime/JSGlobalData.h

@@ -162 +162 @@
         RefPtr<Structure> functionExecutableStructure;
         RefPtr<Structure> dummyMarkableCellStructure;
+        RefPtr<Structure> structureChainStructure;
 
         static void storeVPtrs();

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -87 +87 @@
 static inline void markIfNeeded(MarkStack& markStack, const RefPtr<Structure>& s)
 {
-    if (s && s->storedPrototype())
-        markStack.append(s->storedPrototypeSlot());
+    if (s)
+        s->markAggregate(markStack);
 }
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -29 +29 @@
 #include "NumberPrototype.h"
 #include "StringPrototype.h"
+#include "StructureChain.h"
 #include <wtf/HashSet.h>
 #include <wtf/OwnPtr.h>
@@ -363 +364 @@
         if (!isValid(exec, m_cachedPrototypeChain.get())) {
             JSValue prototype = prototypeForLookup(exec);
-            m_cachedPrototypeChain = StructureChain::create(prototype.isNull() ? 0 : asObject(prototype)->structure());
+            m_cachedPrototypeChain.set(exec->globalData(), StructureChain::create(exec->globalData(), prototype.isNull() ? 0 : asObject(prototype)->structure()), 0);
         }
         return m_cachedPrototypeChain.get();

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -646 +646 @@
         return false;
 
-    RefPtr<Structure> structure = Structure::addPropertyTransition(m_structure, propertyName, attributes, specificFunction, offset);
+    RefPtr<Structure> structure = Structure::addPropertyTransition(globalData, m_structure, propertyName, attributes, specificFunction, offset);
 
     if (currentCapacity != structure->propertyStorageCapacity())
@@ -816 +816 @@
     JSCell::markChildren(markStack);
 
-    markStack.append(m_structure->storedPrototypeSlot());
+    m_structure->markAggregate(markStack);
     PropertyStorage storage = propertyStorage();
     size_t storageSize = m_structure->propertyStorageSize();

trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp

@@ -78 +78 @@
     }
 
-    jsPropertyNameIterator->setCachedPrototypeChain(structureChain);
+    jsPropertyNameIterator->setCachedPrototypeChain(exec->globalData(), structureChain);
     jsPropertyNameIterator->setCachedStructure(o->structure());
     o->structure()->setEnumerationCache(exec->globalData(), jsPropertyNameIterator);
@@ -87 +87 @@
 {
     JSValue identifier = m_jsStrings[i].get();
-    if (m_cachedStructure == base->structure() && m_cachedPrototypeChain == base->structure()->prototypeChain(exec))
+    if (m_cachedStructure == base->structure() && m_cachedPrototypeChain.get() == base->structure()->prototypeChain(exec))
         return identifier;
 
@@ -98 +98 @@
 {
     markStack.appendValues(m_jsStrings.get(), m_jsStringsSize, MayContainNullValues);
+    if (m_cachedPrototypeChain)
+        markStack.append(&m_cachedPrototypeChain);
 }
 

trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h

@@ -74 +74 @@
         Structure* cachedStructure() { return m_cachedStructure.get(); }
 
-        void setCachedPrototypeChain(NonNullPassRefPtr<StructureChain> cachedPrototypeChain) { m_cachedPrototypeChain = cachedPrototypeChain; }
+        void setCachedPrototypeChain(JSGlobalData& globalData, StructureChain* cachedPrototypeChain) { m_cachedPrototypeChain.set(globalData, this, cachedPrototypeChain); }
         StructureChain* cachedPrototypeChain() { return m_cachedPrototypeChain.get(); }
 
@@ -85 +85 @@
 
         RefPtr<Structure> m_cachedStructure;
-        RefPtr<StructureChain> m_cachedPrototypeChain;
+        WriteBarrier<StructureChain> m_cachedPrototypeChain;
         uint32_t m_numCacheableSlots;
         uint32_t m_jsStringsSize;

trunk/Source/JavaScriptCore/runtime/JSZombie.cpp

@@ -36 +36 @@
 const ClassInfo JSZombie::s_info = { "Zombie", 0, 0, 0 };
 
-Structure* JSZombie::leakedZombieStructure() {
+Structure* JSZombie::leakedZombieStructure(JSGlobalData& globalData)
+{
     static Structure* structure = 0;
     if (!structure) {
         Structure::startIgnoringLeaks();
-        structure = Structure::create(jsNull(), TypeInfo(UnspecifiedType), 0, &s_info).leakRef();
+        structure = Structure::create(globalData, jsNull(), TypeInfo(UnspecifiedType), 0, &s_info).leakRef();
         Structure::stopIgnoringLeaks();
     }

trunk/Source/JavaScriptCore/runtime/JSZombie.h

@@ -42 +42 @@
 
     virtual bool isZombie() const { return true; }
-    static Structure* leakedZombieStructure();
+    static Structure* leakedZombieStructure(JSGlobalData&);
 
     virtual bool isGetterSetter() const { ASSERT_NOT_REACHED(); return false; }

trunk/Source/JavaScriptCore/runtime/MarkStack.h

@@ -216 +216 @@
     template <typename T> inline void MarkStack::append(DeprecatedPtr<T>* slot)
     {
-        internalAppend(slot->get());
+        internalAppend(*slot->slot());
     }
     
     template <typename T> inline void MarkStack::append(WriteBarrierBase<T>* slot)
     {
-        internalAppend(slot->get());
+        internalAppend(*slot->slot());
     }
 

trunk/Source/JavaScriptCore/runtime/MarkedBlock.cpp

@@ -79 +79 @@
             const ClassInfo* info = cell->classInfo();
             cell->~JSCell();
-            new (cell) JSZombie(info, JSZombie::leakedZombieStructure());
+            new (cell) JSZombie(info, JSZombie::leakedZombieStructure(*m_heap->globalData()));
             m_marks.set(i);
         }

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -368 +368 @@
 }
 
-PassRefPtr<Structure> Structure::addPropertyTransition(Structure* structure, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset)
+PassRefPtr<Structure> Structure::addPropertyTransition(JSGlobalData& globalData, Structure* structure, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset)
 {
     // If we have a specific function, we may have got to this point if there is
@@ -400 +400 @@
     RefPtr<Structure> transition = create(structure);
 
-    transition->m_cachedPrototypeChain = structure->m_cachedPrototypeChain;
+    transition->m_cachedPrototypeChain.set(globalData, structure->m_cachedPrototypeChain.get(), 0);
     transition->m_previous = structure;
     transition->m_nameInPrevious = propertyName.impl();

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -33 +33 @@
 #include "PropertyNameArray.h"
 #include "Protect.h"
-#include "StructureChain.h"
 #include "StructureTransitionTable.h"
 #include "JSTypeInfo.h"
@@ -47 +46 @@
     class PropertyNameArray;
     class PropertyNameArrayData;
+    class StructureChain;
 
     struct ClassInfo;
@@ -74 +74 @@
         static void dumpStatistics();
 
-        static PassRefPtr<Structure> addPropertyTransition(Structure*, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset);
+        static PassRefPtr<Structure> addPropertyTransition(JSGlobalData&, Structure*, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset);
         static PassRefPtr<Structure> addPropertyTransitionToExistingStructure(Structure*, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset);
         static PassRefPtr<Structure> removePropertyTransition(Structure*, const Identifier& propertyName, size_t& offset);
@@ -105 +105 @@
 
         JSValue storedPrototype() const { return m_prototype.get(); }
-        DeprecatedPtr<Unknown>* storedPrototypeSlot() { return &m_prototype; }
         JSValue prototypeForLookup(ExecState*) const;
         StructureChain* prototypeChain(ExecState*) const;
+        void markAggregate(MarkStack& markStack)
+        {
+            if (m_prototype)
+                markStack.append(&m_prototype);
+        }
 
         Structure* previousID() const { return m_previous.get(); }
@@ -211 +215 @@
 
         DeprecatedPtr<Unknown> m_prototype;
-        mutable RefPtr<StructureChain> m_cachedPrototypeChain;
+        mutable WeakGCPtr<StructureChain> m_cachedPrototypeChain;
 
         RefPtr<Structure> m_previous;

trunk/Source/JavaScriptCore/runtime/StructureChain.cpp

@@ -33 +33 @@
 namespace JSC {
 
-StructureChain::StructureChain(Structure* head)
+StructureChain::StructureChain(NonNullPassRefPtr<Structure> structure, Structure* head)
+    : JSCell(structure.releaseRef())
 {
     size_t size = 0;
@@ -47 +48 @@
 }
 
+StructureChain::~StructureChain()
+{
+}
+
+void StructureChain::markChildren(MarkStack& markStack)
+{
+    size_t i = 0;
+    while (m_vector[i])
+        m_vector[i++]->markAggregate(markStack);
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/StructureChain.h

@@ -27 +27 @@
 #define StructureChain_h
 
+#include "JSCell.h"
+
 #include <wtf/OwnArrayPtr.h>
 #include <wtf/PassRefPtr.h>
@@ -36 +38 @@
     class Structure;
 
-    class StructureChain : public RefCounted<StructureChain> {
+    class StructureChain : public JSCell {
         friend class JIT;
 
     public:
-        static PassRefPtr<StructureChain> create(Structure* head) { return adoptRef(new StructureChain(head)); }
+        static StructureChain* create(JSGlobalData& globalData, Structure* head) { return new (&globalData) StructureChain(globalData.structureChainStructure, head); }
         RefPtr<Structure>* head() { return m_vector.get(); }
+        void markChildren(MarkStack&);
+
+        static PassRefPtr<Structure> createStructure(JSGlobalData& globalData, JSValue prototype) { return Structure::create(globalData, prototype, TypeInfo(CompoundType, OverridesMarkChildren), 0, 0); }
 
     private:
-        StructureChain(Structure* head);
-
+        StructureChain(NonNullPassRefPtr<Structure>, Structure* head);
+        ~StructureChain();
         OwnArrayPtr<RefPtr<Structure> > m_vector;
     };

trunk/Source/JavaScriptCore/runtime/WriteBarrier.h

@@ -95 +95 @@
     void set(JSGlobalData&, const JSCell*, T* value) { this->m_cell = reinterpret_cast<JSCell*>(value); }
     
-    T* get() const { return reinterpret_cast<T*>(m_cell); }
-    T* operator*() const { return static_cast<T*>(m_cell); }
-    T* operator->() const { return static_cast<T*>(m_cell); }
+    T* get() const
+    {
+        return reinterpret_cast<T*>(m_cell);
+    }
+
+    T* operator*() const
+    {
+        return static_cast<T*>(m_cell);
+    }
+
+    T* operator->() const
+    {
+        return static_cast<T*>(m_cell);
+    }
+
     void clear() { m_cell = 0; }
     
@@ -117 +129 @@
     void set(JSGlobalData&, const JSCell*, JSValue value) { m_value = JSValue::encode(value); }
     void setWithoutWriteBarrier(JSValue value) { m_value = JSValue::encode(value); }
-    JSValue get() const { return JSValue::decode(m_value); }
+    JSValue get() const
+    {
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!JSValue::decode(m_value) || !JSValue::decode(m_value).isZombie());
+#endif
+        return JSValue::decode(m_value);
+    }
     void clear() { m_value = JSValue::encode(JSValue()); }
     void setUndefined() { m_value = JSValue::encode(jsUndefined()); }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-04-01  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Make StructureChain GC allocated
+        https://bugs.webkit.org/show_bug.cgi?id=56695
+
+        Update for new Structure marking function
+
+        * bindings/js/JSDOMGlobalObject.cpp:
+        (WebCore::JSDOMGlobalObject::markChildren):
+
 2011-04-04  Pavel Feldman  <pfeldman@google.com>
 

trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp

@@ -57 +57 @@
     JSDOMStructureMap::iterator end = structures().end();
     for (JSDOMStructureMap::iterator it = structures().begin(); it != end; ++it)
-        markStack.append(it->second->storedPrototypeSlot());
+        it->second->markAggregate(markStack);
 
     JSDOMConstructorMap::iterator end2 = constructors().end();