Changeset 92233 in webkit

Timestamp:

Aug 2, 2011 2:22:34 PM (13 years ago)

Author:

fpizlo@apple.com

Message:

JSC GC uses dummy cells to avoid having to remember which cells
it has already destroyed
​https://bugs.webkit.org/show_bug.cgi?id=65556

Reviewed by Oliver Hunt.

This gets rid of dummy cells, and ensures that it's not necessary
to invoke a destructor on cells that have already been swept. In
the common case, a block knows that either all of its free cells
still need to have destructors called, or none of them do, which
minimizes the amount of branching that needs to happen per cell
when performing a sweep.

This is performance neutral on SunSpider and V8. It is meant as
a stepping stone to simplify the implementation of more
sophisticated sweeping algorithms.

• heap/Heap.cpp:

(JSC::CountFunctor::ClearMarks::operator()):

• heap/MarkedBlock.cpp:

(JSC::MarkedBlock::initForCellSize):
(JSC::MarkedBlock::callDestructor):
(JSC::MarkedBlock::specializedReset):
(JSC::MarkedBlock::reset):
(JSC::MarkedBlock::specializedSweep):
(JSC::MarkedBlock::sweep):
(JSC::MarkedBlock::produceFreeList):
(JSC::MarkedBlock::lazySweep):
(JSC::MarkedBlock::blessNewBlockForFastPath):
(JSC::MarkedBlock::blessNewBlockForSlowPath):
(JSC::MarkedBlock::canonicalizeBlock):

• heap/MarkedBlock.h:

(JSC::MarkedBlock::FreeCell::setNoObject):
(JSC::MarkedBlock::setDestructorState):
(JSC::MarkedBlock::destructorState):
(JSC::MarkedBlock::notifyMayHaveFreshFreeCells):

• runtime/JSCell.cpp:
• runtime/JSCell.h:

(JSC::JSCell::JSCell::JSCell):

• runtime/JSGlobalData.cpp:

(JSC::JSGlobalData::JSGlobalData):
(JSC::JSGlobalData::clearBuiltinStructures):

• runtime/JSGlobalData.h:
• runtime/Structure.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• heap/Heap.cpp (modified) (1 diff)
• heap/MarkedBlock.cpp (modified) (6 diffs)
• heap/MarkedBlock.h (modified) (7 diffs)
• runtime/JSCell.cpp (modified) (1 diff)
• runtime/JSCell.h (modified) (4 diffs)
• runtime/JSGlobalData.cpp (modified) (2 diffs)
• runtime/JSGlobalData.h (modified) (1 diff)
• runtime/Structure.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-08-02  Filip Pizlo  <fpizlo@apple.com>
+
+        JSC GC uses dummy cells to avoid having to remember which cells
+        it has already destroyed
+        https://bugs.webkit.org/show_bug.cgi?id=65556
+
+        Reviewed by Oliver Hunt.
+        
+        This gets rid of dummy cells, and ensures that it's not necessary
+        to invoke a destructor on cells that have already been swept.  In
+        the common case, a block knows that either all of its free cells
+        still need to have destructors called, or none of them do, which
+        minimizes the amount of branching that needs to happen per cell
+        when performing a sweep.
+        
+        This is performance neutral on SunSpider and V8.  It is meant as
+        a stepping stone to simplify the implementation of more
+        sophisticated sweeping algorithms.
+
+        * heap/Heap.cpp:
+        (JSC::CountFunctor::ClearMarks::operator()):
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::initForCellSize):
+        (JSC::MarkedBlock::callDestructor):
+        (JSC::MarkedBlock::specializedReset):
+        (JSC::MarkedBlock::reset):
+        (JSC::MarkedBlock::specializedSweep):
+        (JSC::MarkedBlock::sweep):
+        (JSC::MarkedBlock::produceFreeList):
+        (JSC::MarkedBlock::lazySweep):
+        (JSC::MarkedBlock::blessNewBlockForFastPath):
+        (JSC::MarkedBlock::blessNewBlockForSlowPath):
+        (JSC::MarkedBlock::canonicalizeBlock):
+        * heap/MarkedBlock.h:
+        (JSC::MarkedBlock::FreeCell::setNoObject):
+        (JSC::MarkedBlock::setDestructorState):
+        (JSC::MarkedBlock::destructorState):
+        (JSC::MarkedBlock::notifyMayHaveFreshFreeCells):
+        * runtime/JSCell.cpp:
+        * runtime/JSCell.h:
+        (JSC::JSCell::JSCell::JSCell):
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::JSGlobalData):
+        (JSC::JSGlobalData::clearBuiltinStructures):
+        * runtime/JSGlobalData.h:
+        * runtime/Structure.h:
+
 2011-08-01  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -109 +109 @@
 {
     block->clearMarks();
+    block->notifyMayHaveFreshFreeCells();
 }
 

trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -58 +58 @@
     m_atomsPerCell = (cellSize + atomSize - 1) / atomSize;
     m_endAtom = atomsPerBlock - m_atomsPerCell + 1;
+    setDestructorState(SomeFreeCellsStillHaveObjects);
+}
+
+template<MarkedBlock::DestructorState specializedDestructorState>
+void MarkedBlock::callDestructor(JSCell* cell, void* jsFinalObjectVPtr)
+{
+    if (specializedDestructorState == FreeCellsDontHaveObjects)
+        return;
+    void* vptr = cell->vptr();
+    if (specializedDestructorState == AllFreeCellsHaveObjects || vptr) {
+        if (vptr == jsFinalObjectVPtr) {
+            JSFinalObject* object = reinterpret_cast<JSFinalObject*>(cell);
+            object->JSFinalObject::~JSFinalObject();
+        } else
+            cell->~JSCell();
+    }
+}
+
+template<MarkedBlock::DestructorState specializedDestructorState>
+void MarkedBlock::specializedReset()
+{
+    void* jsFinalObjectVPtr = m_heap->globalData()->jsFinalObjectVPtr;
+
+    for (size_t i = firstAtom(); i < m_endAtom; i += m_atomsPerCell)
+        callDestructor<specializedDestructorState>(reinterpret_cast<JSCell*>(&atoms()[i]), jsFinalObjectVPtr);
 }
 
 void MarkedBlock::reset()
 {
-    for (size_t i = firstAtom(); i < m_endAtom; i += m_atomsPerCell)
-        reinterpret_cast<JSCell*>(&atoms()[i])->~JSCell();
+    switch (destructorState()) {
+    case FreeCellsDontHaveObjects:
+    case SomeFreeCellsStillHaveObjects:
+        specializedReset<SomeFreeCellsStillHaveObjects>();
+        break;
+    default:
+        ASSERT(destructorState() == AllFreeCellsHaveObjects);
+        specializedReset<AllFreeCellsHaveObjects>();
+        break;
+    }
+}
+
+template<MarkedBlock::DestructorState specializedDestructorState>
+void MarkedBlock::specializedSweep()
+{
+    if (specializedDestructorState != FreeCellsDontHaveObjects) {
+        void* jsFinalObjectVPtr = m_heap->globalData()->jsFinalObjectVPtr;
+        
+        for (size_t i = firstAtom(); i < m_endAtom; i += m_atomsPerCell) {
+            if (m_marks.get(i))
+                continue;
+            
+            JSCell* cell = reinterpret_cast<JSCell*>(&atoms()[i]);
+            callDestructor<specializedDestructorState>(cell, jsFinalObjectVPtr);
+            cell->setVPtr(0);
+        }
+        
+        setDestructorState(FreeCellsDontHaveObjects);
+    }
 }
 
 void MarkedBlock::sweep()
 {
-    Structure* dummyMarkableCellStructure = m_heap->globalData()->dummyMarkableCellStructure.get();
-
-    for (size_t i = firstAtom(); i < m_endAtom; i += m_atomsPerCell) {
-        if (m_marks.get(i))
-            continue;
-
-        JSCell* cell = reinterpret_cast<JSCell*>(&atoms()[i]);
-        cell->~JSCell();
-        new (cell) JSCell(*m_heap->globalData(), dummyMarkableCellStructure);
-    }
-}
-
-MarkedBlock::FreeCell* MarkedBlock::lazySweep()
+    HEAP_DEBUG_BLOCK(this);
+    
+    switch (destructorState()) {
+    case FreeCellsDontHaveObjects:
+        break;
+    case SomeFreeCellsStillHaveObjects:
+        specializedSweep<SomeFreeCellsStillHaveObjects>();
+        break;
+    default:
+        ASSERT(destructorState() == AllFreeCellsHaveObjects);
+        specializedSweep<AllFreeCellsHaveObjects>();
+        break;
+    }
+}
+
+template<MarkedBlock::DestructorState specializedDestructorState>
+ALWAYS_INLINE MarkedBlock::FreeCell* MarkedBlock::produceFreeList()
 {
     // This returns a free list that is ordered in reverse through the block.
@@ -93 +149 @@
         if (!m_marks.testAndSet(i)) {
             JSCell* cell = reinterpret_cast<JSCell*>(&atoms()[i]);
-            if (cell->vptr() == jsFinalObjectVPtr) {
-                JSFinalObject* object = reinterpret_cast<JSFinalObject*>(cell);
-                object->JSFinalObject::~JSFinalObject();
-            } else
-                cell->~JSCell();
+            if (specializedDestructorState != FreeCellsDontHaveObjects)
+                callDestructor<specializedDestructorState>(cell, jsFinalObjectVPtr);
             FreeCell* freeCell = reinterpret_cast<FreeCell*>(cell);
             freeCell->next = result;
@@ -104 +157 @@
     }
     
+    // This is sneaky: if we're producing a free list then we intend to
+    // fill up the free cells in the block with objects, which means that
+    // if we have a new GC then all of the free stuff in this block will
+    // comprise objects rather than empty cells.
+    setDestructorState(AllFreeCellsHaveObjects);
+
     return result;
+}
+
+MarkedBlock::FreeCell* MarkedBlock::lazySweep()
+{
+    // This returns a free list that is ordered in reverse through the block.
+    // This is fine, since the allocation code makes no assumptions about the
+    // order of the free list.
+    
+    HEAP_DEBUG_BLOCK(this);
+    
+    switch (destructorState()) {
+    case FreeCellsDontHaveObjects:
+        return produceFreeList<FreeCellsDontHaveObjects>();
+    case SomeFreeCellsStillHaveObjects:
+        return produceFreeList<SomeFreeCellsStillHaveObjects>();
+    default:
+        ASSERT(destructorState() == AllFreeCellsHaveObjects);
+        return produceFreeList<AllFreeCellsHaveObjects>();
+    }
 }
 
@@ -112 +190 @@
     // as in lazySweep() above.
     
+    HEAP_DEBUG_BLOCK(this);
+
     FreeCell* result = 0;
     for (size_t i = firstAtom(); i < m_endAtom; i += m_atomsPerCell) {
@@ -119 +199 @@
         result = freeCell;
     }
+    
+    // See produceFreeList(). If we're here then we intend to fill the
+    // block with objects, so once a GC happens, all free cells will be
+    // occupied by objects.
+    setDestructorState(AllFreeCellsHaveObjects);
+
     return result;
 }
@@ -124 +210 @@
 void MarkedBlock::blessNewBlockForSlowPath()
 {
-    Structure* dummyMarkableCellStructure = m_heap->globalData()->dummyMarkableCellStructure.get();
+    HEAP_DEBUG_BLOCK(this);
+
+    m_marks.clearAll();
     for (size_t i = firstAtom(); i < m_endAtom; i += m_atomsPerCell)
-        new (&atoms()[i]) JSCell(*m_heap->globalData(), dummyMarkableCellStructure, JSCell::CreatingEarlyCell);
+        reinterpret_cast<FreeCell*>(&atoms()[i])->setNoObject();
+    
+    setDestructorState(FreeCellsDontHaveObjects);
 }
 
 void MarkedBlock::canonicalizeBlock(FreeCell* firstFreeCell)
 {
-    Structure* dummyMarkableCellStructure = m_heap->globalData()->dummyMarkableCellStructure.get();
-    
-    for (FreeCell* current = firstFreeCell; current;) {
-        FreeCell* next = current->next;
-        size_t i = atomNumber(current);
+    HEAP_DEBUG_BLOCK(this);
+    
+    ASSERT(destructorState() == AllFreeCellsHaveObjects);
+    
+    if (firstFreeCell) {
+        for (FreeCell* current = firstFreeCell; current;) {
+            FreeCell* next = current->next;
+            size_t i = atomNumber(current);
+            
+            m_marks.clear(i);
+            
+            current->setNoObject();
+            
+            current = next;
+        }
         
-        m_marks.clear(i);
-        new (static_cast<void*>(current)) JSCell(*m_heap->globalData(), dummyMarkableCellStructure, JSCell::CreatingEarlyCell);
-
-        current = next;
+        setDestructorState(SomeFreeCellsStillHaveObjects);
     }
 }

trunk/Source/JavaScriptCore/heap/MarkedBlock.h

@@ -29 +29 @@
 #include <wtf/StdLibExtras.h>
 
+// Set to log state transitions of blocks.
+#define HEAP_LOG_BLOCK_STATE_TRANSITIONS 0
+
+#if HEAP_LOG_BLOCK_STATE_TRANSITIONS
+#define HEAP_DEBUG_BLOCK(block) do {                                    \
+        printf("%s:%d %s: block %s = %p\n",                             \
+               __FILE__, __LINE__, __FUNCTION__, #block, (block));      \
+    } while (false)
+#else
+#define HEAP_DEBUG_BLOCK(block) ((void)0)
+#endif
+
 namespace JSC {
-
+    
     class Heap;
     class JSCell;
@@ -38 +50 @@
     static const size_t KB = 1024;
     
-    void destructor(JSCell*); // Defined in JSCell.h.
+    // A marked block is a page-aligned container for heap-allocated objects.
+    // Objects are allocated within cells of the marked block. For a given
+    // marked block, all cells have the same size. Objects smaller than the
+    // cell size may be allocated in the marked block, in which case the
+    // allocation suffers from internal fragmentation: wasted space whose
+    // size is equal to the difference between the cell size and the object
+    // size.
 
     class MarkedBlock : public DoublyLinkedListNode<MarkedBlock> {
@@ -53 +71 @@
         struct FreeCell {
             FreeCell* next;
+            
+            void setNoObject()
+            {
+                // This relies on FreeCell not having a vtable, and the next field
+                // falling exactly where a vtable would have been.
+                next = 0;
+            }
         };
         
@@ -97 +122 @@
         FreeCell* lazySweep();
         
+        // Notify the block that destructors may have to be called again.
+        void notifyMayHaveFreshFreeCells();
+        
         void initForCellSize(size_t cellSize);
         
@@ -133 +161 @@
         static const size_t blockMask = ~(blockSize - 1); // blockSize must be a power of two.
         static const size_t atomMask = ~(atomSize - 1); // atomSize must be a power of two.
+        
+        enum DestructorState { FreeCellsDontHaveObjects, SomeFreeCellsStillHaveObjects, AllFreeCellsHaveObjects };
 
         typedef char Atom[atomSize];
@@ -141 +171 @@
         size_t atomNumber(const void*);
         size_t ownerSetNumber(const JSCell*);
-
+        
+        template<DestructorState destructorState>
+        static void callDestructor(JSCell*, void* jsFinalObjectVPtr);
+        
+        template<DestructorState destructorState>
+        void specializedReset();
+        
+        template<DestructorState destructorState>
+        void specializedSweep();
+        
+        template<DestructorState destructorState>
+        MarkedBlock::FreeCell* produceFreeList();
+        
+        void setDestructorState(DestructorState destructorState)
+        {
+            m_destructorState = static_cast<int8_t>(destructorState);
+        }
+        
+        DestructorState destructorState()
+        {
+            return static_cast<DestructorState>(m_destructorState);
+        }
+        
         size_t m_endAtom; // This is a fuzzy end. Always test for < m_endAtom.
         size_t m_atomsPerCell;
         WTF::Bitmap<blockSize / atomSize> m_marks;
         bool m_inNewSpace;
+        int8_t m_destructorState; // use getters/setters for this, particularly since we may want to compact this (effectively log(3)/log(2)-bit) field into other fields
         OwnerSet m_ownerSets[ownerSetsPerBlock];
         PageAllocationAligned m_allocation;
@@ -186 +239 @@
     {
         m_inNewSpace = inNewSpace;
+    }
+    
+    inline void MarkedBlock::notifyMayHaveFreshFreeCells()
+    {
+        HEAP_DEBUG_BLOCK(this);
+        
+        // This is called at the beginning of GC. If this block is
+        // AllFreeCellsHaveObjects, then it means that we filled up
+        // the block in this collection. If it's in any other state,
+        // then this collection will potentially produce new free
+        // cells; new free cells always have objects. Hence if the
+        // state currently claims that there are no objects in free
+        // cells then we need to bump it over. Otherwise leave it be.
+        // This all crucially relies on the collector canonicalizing
+        // blocks before doing anything else, as canonicalizeBlocks
+        // will correctly set SomeFreeCellsStillHaveObjects for
+        // blocks that were only partially filled during this
+        // mutation cycle.
+        
+        if (destructorState() == FreeCellsDontHaveObjects)
+            setDestructorState(SomeFreeCellsStillHaveObjects);
     }
 

trunk/Source/JavaScriptCore/runtime/JSCell.cpp

@@ -30 +30 @@
 
 namespace JSC {
-
-const ClassInfo JSCell::s_dummyCellInfo = { "DummyCell", 0, 0, 0 };
 
 bool JSCell::getUInt32(uint32_t&) const

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -72 +72 @@
         friend class StructureChain;
         friend class RegExp;
-        friend void destructor(JSCell*);
 
         enum CreatingEarlyCellTag { CreatingEarlyCell };
@@ -84 +83 @@
         JSCell(JSGlobalData&, Structure*, CreatingEarlyCellTag);
         virtual ~JSCell();
-        static const ClassInfo s_dummyCellInfo;
 
     public:
-        static Structure* createDummyStructure(JSGlobalData&);
-
         // Querying the type.
         bool isString() const;
@@ -181 +177 @@
             m_structure.setEarlyValue(globalData, this, structure);
         // Very first set of allocations won't have a real structure.
-        ASSERT(m_structure || !globalData.dummyMarkableCellStructure);
+        ASSERT(m_structure || !globalData.structureStructure);
     }
 
@@ -351 +347 @@
     }
 
-    inline void destructor(JSCell* cell)
-    {
-        cell->~JSCell();
-    }
-
     template <typename T> void* allocateCell(Heap& heap)
     {

trunk/Source/JavaScriptCore/runtime/JSGlobalData.cpp

@@ -228 +228 @@
     programExecutableStructure.set(*this, ProgramExecutable::createStructure(*this, jsNull()));
     functionExecutableStructure.set(*this, FunctionExecutable::createStructure(*this, jsNull()));
-    dummyMarkableCellStructure.set(*this, JSCell::createDummyStructure(*this));
     regExpStructure.set(*this, RegExp::createStructure(*this, jsNull()));
     structureChainStructure.set(*this, StructureChain::createStructure(*this, jsNull()));
@@ -287 +286 @@
     programExecutableStructure.clear();
     functionExecutableStructure.clear();
-    dummyMarkableCellStructure.clear();
     regExpStructure.clear();
     structureChainStructure.clear();

trunk/Source/JavaScriptCore/runtime/JSGlobalData.h

@@ -174 +174 @@
         Strong<Structure> programExecutableStructure;
         Strong<Structure> functionExecutableStructure;
-        Strong<Structure> dummyMarkableCellStructure;
         Strong<Structure> regExpStructure;
         Strong<Structure> structureChainStructure;

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -285 +285 @@
     }
 
-    inline Structure* JSCell::createDummyStructure(JSGlobalData& globalData)
-    {
-        return Structure::create(globalData, jsNull(), TypeInfo(UnspecifiedType), AnonymousSlotCount, &s_dummyCellInfo);
-    }
-
     ALWAYS_INLINE void MarkStack::internalAppend(JSCell* cell)
     {