Changeset 95865 in webkit

Timestamp:

Sep 23, 2011 3:05:24 PM (13 years ago)

Author:

oliver@apple.com

Message:

Make write barriers actually do something when enabled
​https://bugs.webkit.org/show_bug.cgi?id=68717

Reviewed by Geoffrey Garen.

../../../../Volumes/Data/git/WebKit/OpenSource/Source/JavaScriptCore:

Add a basic card marking style write barrier to JSC (currently
turned off). This requires two scratch registers in the JIT
so there was some register re-arranging to satisfy that requirement.
Happily this produced a minor perf bump in sunspider (~0.5%).

Turning the barriers on causes an overall regression of around 1.5%

• JavaScriptCore.exp:
• JavaScriptCore.xcodeproj/project.pbxproj:
• assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::store8):

• assembler/X86Assembler.h:

(JSC::X86Assembler::movb_i8m):

• dfg/DFGJITCodeGenerator.cpp:

(JSC::DFG::JITCodeGenerator::isKnownNotCell):
(JSC::DFG::JITCodeGenerator::writeBarrier):
(JSC::DFG::JITCodeGenerator::markCellCard):
(JSC::DFG::JITCodeGenerator::cachedPutById):

• dfg/DFGJITCodeGenerator.h:
• dfg/DFGRepatch.cpp:

(JSC::DFG::tryCachePutByID):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• heap/CardSet.h: Added.

(JSC::CardSet::CardSet):
(JSC::::cardForAtom):
(JSC::::cardMarkedForAtom):
(JSC::::markCardForAtom):

• heap/Heap.cpp:
• heap/Heap.h:

(JSC::Heap::addressOfCardFor):
(JSC::Heap::writeBarrierFastCase):

• heap/MarkedBlock.h:

(JSC::MarkedBlock::setDirtyObject):
(JSC::MarkedBlock::addressOfCardFor):
(JSC::MarkedBlock::offsetOfCards):

• jit/JIT.h:
• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::privateCompilePutByIdTransition):
(JSC::JIT::emit_op_put_scoped_var):
(JSC::JIT::emit_op_put_global_var):
(JSC::JIT::emitWriteBarrier):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::privateCompilePutByIdTransition):
(JSC::JIT::emit_op_put_scoped_var):
(JSC::JIT::emit_op_put_global_var):

../../../../Volumes/Data/git/WebKit/OpenSource/Source/WebCore:

Add a forwarding header, and fix an evaluation ordering
issue that shows up if you try to use write barriers.

• ForwardingHeaders/heap/CardSet.h: Added.
• bindings/js/JSEventListener.h:

(WebCore::JSEventListener::jsFunction):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.exp (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (5 diffs)
• JavaScriptCore/assembler/MacroAssemblerX86Common.h (modified) (1 diff)
• JavaScriptCore/assembler/X86Assembler.h (modified) (2 diffs)
• JavaScriptCore/dfg/DFGJITCodeGenerator.cpp (modified) (4 diffs)
• JavaScriptCore/dfg/DFGJITCodeGenerator.h (modified) (5 diffs)
• JavaScriptCore/dfg/DFGRepatch.cpp (modified) (1 diff)
• JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (7 diffs)
• JavaScriptCore/heap/CardSet.h (added)
• JavaScriptCore/heap/Heap.cpp (modified) (1 diff)
• JavaScriptCore/heap/Heap.h (modified) (4 diffs)
• JavaScriptCore/heap/MarkedBlock.h (modified) (5 diffs)
• JavaScriptCore/jit/JIT.h (modified) (1 diff)
• JavaScriptCore/jit/JITPropertyAccess.cpp (modified) (7 diffs)
• JavaScriptCore/jit/JITPropertyAccess32_64.cpp (modified) (8 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/ForwardingHeaders/heap/CardSet.h (added)
• WebCore/bindings/js/JSEventListener.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-09-23  Oliver Hunt  <oliver@apple.com>
+
+        Make write barriers actually do something when enabled
+        https://bugs.webkit.org/show_bug.cgi?id=68717
+
+        Reviewed by Geoffrey Garen.
+
+        Add a basic card marking style write barrier to JSC (currently
+        turned off).  This requires two scratch registers in the JIT
+        so there was some register re-arranging to satisfy that requirement.
+        Happily this produced a minor perf bump in sunspider (~0.5%).
+
+        Turning the barriers on causes an overall regression of around 1.5%
+
+        * JavaScriptCore.exp:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86Common::store8):
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::movb_i8m):
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::isKnownNotCell):
+        (JSC::DFG::JITCodeGenerator::writeBarrier):
+        (JSC::DFG::JITCodeGenerator::markCellCard):
+        (JSC::DFG::JITCodeGenerator::cachedPutById):
+        * dfg/DFGJITCodeGenerator.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::tryCachePutByID):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * heap/CardSet.h: Added.
+        (JSC::CardSet::CardSet):
+        (JSC::::cardForAtom):
+        (JSC::::cardMarkedForAtom):
+        (JSC::::markCardForAtom):
+        * heap/Heap.cpp:
+        * heap/Heap.h:
+        (JSC::Heap::addressOfCardFor):
+        (JSC::Heap::writeBarrierFastCase):
+        * heap/MarkedBlock.h:
+        (JSC::MarkedBlock::setDirtyObject):
+        (JSC::MarkedBlock::addressOfCardFor):
+        (JSC::MarkedBlock::offsetOfCards):
+        * jit/JIT.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::emit_op_put_by_id):
+        (JSC::JIT::privateCompilePutByIdTransition):
+        (JSC::JIT::emit_op_put_scoped_var):
+        (JSC::JIT::emit_op_put_global_var):
+        (JSC::JIT::emitWriteBarrier):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::emit_op_put_by_id):
+        (JSC::JIT::emitSlow_op_put_by_id):
+        (JSC::JIT::privateCompilePutByIdTransition):
+        (JSC::JIT::emit_op_put_scoped_var):
+        (JSC::JIT::emit_op_put_global_var):
+
 2011-09-23  Thouraya ANDOLSI  <thouraya.andolsi@st.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.exp

@@ -241 +241 @@
 __ZN3JSC4Heap19setActivityCallbackEN3WTF10PassOwnPtrINS_18GCActivityCallbackEEE
 __ZN3JSC4Heap20protectedObjectCountEv
-__ZN3JSC4Heap20writeBarrierSlowCaseEPKNS_6JSCellEPS1_
 __ZN3JSC4Heap25protectedObjectTypeCountsEv
 __ZN3JSC4Heap26protectedGlobalObjectCountEv

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -430 +430 @@
                 A7482E93116A7CAD003B0712 /* JSWeakObjectMapRefInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = A7482E37116A697B003B0712 /* JSWeakObjectMapRefInternal.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A74DE1D0120B875600D40D5B /* ARMv7Assembler.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A74DE1CB120B86D600D40D5B /* ARMv7Assembler.cpp */; };
+                A7521E131429169A003C8D0C /* CardSet.h in Headers */ = {isa = PBXBuildFile; fileRef = A7521E121429169A003C8D0C /* CardSet.h */; settings = {ATTRIBUTES = (); }; };
                 A75706DE118A2BCF0057F88F /* JITArithmetic32_64.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A75706DD118A2BCF0057F88F /* JITArithmetic32_64.cpp */; };
                 A766B44F0EE8DCD1009518CA /* ExecutableAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = A7B48DB50EE74CFC00DCBDB6 /* ExecutableAllocator.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -1214 +1215 @@
                 A7482E37116A697B003B0712 /* JSWeakObjectMapRefInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSWeakObjectMapRefInternal.h; sourceTree = "<group>"; };
                 A74DE1CB120B86D600D40D5B /* ARMv7Assembler.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ARMv7Assembler.cpp; sourceTree = "<group>"; };
+                A7521E121429169A003C8D0C /* CardSet.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CardSet.h; sourceTree = "<group>"; };
                 A75706DD118A2BCF0057F88F /* JITArithmetic32_64.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITArithmetic32_64.cpp; sourceTree = "<group>"; };
                 A76C51741182748D00715B05 /* JSInterfaceJIT.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSInterfaceJIT.h; sourceTree = "<group>"; };
@@ -1634 +1636 @@
                                 0FD82F281426CA5A00179C94 /* JettisonedCodeBlocks.cpp */,
                                 0FD82F291426CA5A00179C94 /* JettisonedCodeBlocks.h */,
+                                A70456AE1427FB030037DA68 /* AllocationSpace.cpp */,
                                 A70456AF1427FB150037DA68 /* AllocationSpace.h */,
-                                A70456AE1427FB030037DA68 /* AllocationSpace.cpp */,
-                                0F242DA513F3B1BB007ADD4C /* WeakReferenceHarvester.h */,
-                                0FC815141405118D00CFA603 /* VTableSpectrum.h */,
-                                0FC815121405118600CFA603 /* VTableSpectrum.cpp */,
-                                0FC8150914043BD200CFA603 /* WriteBarrierSupport.h */,
-                                0FC8150814043BCA00CFA603 /* WriteBarrierSupport.cpp */,
+                                A7521E121429169A003C8D0C /* CardSet.h */,
                                 146B14DB12EB5B12001BEC1B /* ConservativeRoots.cpp */,
                                 149DAAF212EB559D0083B12B /* ConservativeRoots.h */,
@@ -1666 +1664 @@
                                 142E3132134FF0A600AFADB5 /* Strong.h */,
                                 141448CC13A1783700F5BA1A /* TinyBloomFilter.h */,
+                                0FC815121405118600CFA603 /* VTableSpectrum.cpp */,
+                                0FC815141405118D00CFA603 /* VTableSpectrum.h */,
                                 142E3133134FF0A600AFADB5 /* Weak.h */,
+                                0F242DA513F3B1BB007ADD4C /* WeakReferenceHarvester.h */,
+                                0FC8150814043BCA00CFA603 /* WriteBarrierSupport.cpp */,
+                                0FC8150914043BD200CFA603 /* WriteBarrierSupport.h */,
                         );
                         path = heap;
@@ -2819 +2822 @@
                                 A70456B01427FB910037DA68 /* AllocationSpace.h in Headers */,
                                 86FA9E92142BBB2E001773B7 /* JSBoundFunction.h in Headers */,
+                                A7521E131429169A003C8D0C /* CardSet.h in Headers */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

@@ -510 +510 @@
     {
         m_assembler.movl_i32m(imm.m_value, address.offset, address.base);
+    }
+    
+    void store8(TrustedImm32 imm, Address address)
+    {
+        ASSERT(-128 <= imm.m_value && imm.m_value < 128);
+        m_assembler.movb_i8m(imm.m_value, address.offset, address.base);
+    }
+
+    void store8(TrustedImm32 imm, BaseIndex address)
+    {
+        ASSERT(-128 <= imm.m_value && imm.m_value < 128);
+        m_assembler.movb_i8m(imm.m_value, address.offset, address.base, address.index, address.scale);
     }
 

trunk/Source/JavaScriptCore/assembler/X86Assembler.h

@@ -146 +146 @@
         OP_GROUP2_EvIb                  = 0xC1,
         OP_RET                          = 0xC3,
+        OP_GROUP11_EvIb                 = 0xC6,
         OP_GROUP11_EvIz                 = 0xC7,
         OP_INT3                         = 0xCC,
@@ -1056 +1057 @@
         m_formatter.oneByteOp(OP_GROUP11_EvIz, GROUP11_MOV, base, offset);
         m_formatter.immediate32(imm);
+    }
+    
+    void movb_i8m(int imm, int offset, RegisterID base)
+    {
+        ASSERT(-128 <= imm && imm < 128);
+        m_formatter.oneByteOp(OP_GROUP11_EvIb, GROUP11_MOV, base, offset);
+        m_formatter.immediate8(imm);
+    }
+
+    void movb_i8m(int imm, int offset, RegisterID base, RegisterID index, int scale)
+    {
+        ASSERT(-128 <= imm && imm < 128);
+        m_formatter.oneByteOp(OP_GROUP11_EvIb, GROUP11_MOV, base, index, scale, offset);
+        m_formatter.immediate8(imm);
     }
 

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp

@@ -430 +430 @@
 }
 
+bool JITCodeGenerator::isKnownNotCell(NodeIndex nodeIndex)
+{
+    Node& node = m_jit.graph()[nodeIndex];
+    VirtualRegister virtualRegister = node.virtualRegister();
+    GenerationInfo& info = m_generationInfo[virtualRegister];
+    if (node.hasConstant() && !valueOfJSConstant(nodeIndex).isCell())
+        return true;
+    return !(info.isJSCell() || info.isUnknownJS());
+}
+
 bool JITCodeGenerator::isKnownNotInteger(NodeIndex nodeIndex)
 {
@@ -1167 +1177 @@
 }
 
-void JITCodeGenerator::writeBarrier(MacroAssembler& jit, GPRReg owner, GPRReg scratch, WriteBarrierUseKind useKind)
+void JITCodeGenerator::writeBarrier(MacroAssembler& jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2, WriteBarrierUseKind useKind)
 {
     UNUSED_PARAM(jit);
     UNUSED_PARAM(owner);
-    UNUSED_PARAM(scratch);
+    UNUSED_PARAM(scratch1);
+    UNUSED_PARAM(scratch2);
     UNUSED_PARAM(useKind);
-    ASSERT(owner != scratch);
+    ASSERT(owner != scratch1);
+    ASSERT(owner != scratch2);
+    ASSERT(scratch1 != scratch2);
 
 #if ENABLE(WRITE_BARRIER_PROFILING)
     JITCompiler::emitCount(jit, WriteBarrierCounters::jitCounterFor(useKind));
 #endif
-}
-
-void JITCodeGenerator::cachedPutById(GPRReg baseGPR, GPRReg valueGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget)
-{
+    markCellCard(jit, owner, scratch1, scratch2);
+}
+
+void JITCodeGenerator::markCellCard(MacroAssembler& jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2)
+{
+    UNUSED_PARAM(jit);
+    UNUSED_PARAM(owner);
+    UNUSED_PARAM(scratch1);
+    UNUSED_PARAM(scratch2);
+    
+#if ENABLE(GGC)
+    jit.move(owner, scratch1);
+    jit.andPtr(TrustedImm32(static_cast<int32_t>(MarkedBlock::blockMask)), scratch1);
+    jit.move(owner, scratch2);
+    jit.andPtr(TrustedImm32(static_cast<int32_t>(~MarkedBlock::blockMask)), scratch2);
+    jit.rshift32(TrustedImm32(MarkedBlock::log2CardSize), scratch2);
+    jit.store8(TrustedImm32(1), MacroAssembler::BaseIndex(scratch1, scratch2, MacroAssembler::TimesOne, MarkedBlock::offsetOfCards()));
+#endif
+}
+
+void JITCodeGenerator::writeBarrier(GPRReg ownerGPR, GPRReg valueGPR, NodeIndex valueIndex, WriteBarrierUseKind useKind, GPRReg scratch1, GPRReg scratch2)
+{
+    UNUSED_PARAM(ownerGPR);
+    UNUSED_PARAM(valueGPR);
+    UNUSED_PARAM(scratch1);
+    UNUSED_PARAM(scratch2);
+    UNUSED_PARAM(useKind);
+
+    if (isKnownNotCell(valueIndex))
+        return;
+
+#if ENABLE(WRITE_BARRIER_PROFILING)
+    JITCompiler::emitCount(jit, WriteBarrierCounters::jitCounterFor(useKind));
+#endif
+
+#if ENABLE(GGC)
+    JITCompiler::Jump rhsNotCell;
+    bool hadCellCheck = false;
+    if (!isKnownCell(valueIndex) && !isCellPrediction(m_jit.graph().getPrediction(m_jit.graph()[valueIndex]))) {
+        hadCellCheck = true;
+        rhsNotCell = m_jit.branchTestPtr(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
+    }
+
+    GPRTemporary temp1;
+    GPRTemporary temp2;
+    if (scratch1 == InvalidGPRReg) {
+        GPRTemporary scratchGPR(this);
+        temp1.adopt(scratchGPR);
+        scratch1 = temp1.gpr();
+    }
+    if (scratch2 == InvalidGPRReg) {
+        GPRTemporary scratchGPR(this);
+        temp2.adopt(scratchGPR);
+        scratch2 = temp2.gpr();
+    }
+
+    markCellCard(m_jit, ownerGPR, scratch1, scratch2);
+    if (hadCellCheck)
+        rhsNotCell.link(&m_jit);
+#endif
+}
+
+void JITCodeGenerator::writeBarrier(JSCell* owner, GPRReg valueGPR, NodeIndex valueIndex, WriteBarrierUseKind useKind, GPRReg scratch)
+{
+    UNUSED_PARAM(owner);
+    UNUSED_PARAM(valueGPR);
+    UNUSED_PARAM(scratch);
+    UNUSED_PARAM(useKind);
+
+    if (isKnownNotCell(valueIndex))
+        return;
+
+#if ENABLE(WRITE_BARRIER_PROFILING)
+    JITCompiler::emitCount(jit, WriteBarrierCounters::jitCounterFor(useKind));
+#endif
+
+#if ENABLE(GGC)
+    JITCompiler::Jump rhsNotCell;
+    bool hadCellCheck = false;
+    if (!isKnownCell(valueIndex) && !isCellPrediction(m_jit.graph().getPrediction(m_jit.graph()[valueIndex]))) {
+        hadCellCheck = true;
+        rhsNotCell = m_jit.branchTestPtr(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
+    }
+    
+    GPRTemporary temp;
+    if (scratch == InvalidGPRReg) {
+        GPRTemporary scratchGPR(this);
+        temp.adopt(scratchGPR);
+        scratch = temp.gpr();
+    }
+
+    uint8_t* cardAddress = Heap::addressOfCardFor(owner);
+    m_jit.move(JITCompiler::TrustedImmPtr(cardAddress), scratch);
+    m_jit.store8(JITCompiler::TrustedImm32(1), JITCompiler::Address(scratch));
+
+    if (hadCellCheck)
+        rhsNotCell.link(&m_jit);
+#endif
+}
+
+void JITCodeGenerator::cachedPutById(GPRReg baseGPR, GPRReg valueGPR, NodeIndex valueIndex, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget)
+{
+    
     JITCompiler::DataLabelPtr structureToCompare;
     JITCompiler::Jump structureCheck = m_jit.branchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), structureToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(-1)));
-    
-    writeBarrier(m_jit, baseGPR, scratchGPR, WriteBarrierForPropertyAccess);
+
+    writeBarrier(baseGPR, valueGPR, valueIndex, WriteBarrierForPropertyAccess, scratchGPR);
 
     m_jit.loadPtr(JITCompiler::Address(baseGPR, JSObject::offsetOfPropertyStorage()), scratchGPR);
@@ -1978 +2090 @@
 #endif
 
+GPRTemporary::GPRTemporary()
+    : m_jit(0)
+    , m_gpr(InvalidGPRReg)
+{
+}
+
 GPRTemporary::GPRTemporary(JITCodeGenerator* jit)
     : m_jit(jit)
@@ -2086 +2204 @@
 }
 
+void GPRTemporary::adopt(GPRTemporary& other)
+{
+    ASSERT(!m_jit);
+    ASSERT(m_gpr == InvalidGPRReg);
+    ASSERT(other.m_jit);
+    ASSERT(other.m_gpr != InvalidGPRReg);
+    m_jit = other.m_jit;
+    m_gpr = other.m_gpr;
+    other.m_jit = 0;
+    other.m_gpr = InvalidGPRReg;
+}
+
 FPRTemporary::FPRTemporary(JITCodeGenerator* jit)
     : m_jit(jit)

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h

@@ -182 +182 @@
     }
 
-    static void writeBarrier(MacroAssembler&, GPRReg ownerGPR, GPRReg scratchGPR, WriteBarrierUseKind);
+    static void markCellCard(MacroAssembler&, GPRReg ownerGPR, GPRReg scratchGPR1, GPRReg scratchGPR2);
+    static void writeBarrier(MacroAssembler&, GPRReg ownerGPR, GPRReg scratchGPR1, GPRReg scratchGPR2, WriteBarrierUseKind);
+
+    void writeBarrier(GPRReg ownerGPR, GPRReg valueGPR, NodeIndex valueIndex, WriteBarrierUseKind, GPRReg scratchGPR1 = InvalidGPRReg, GPRReg scratchGPR2 = InvalidGPRReg);
+    void writeBarrier(JSCell* owner, GPRReg valueGPR, NodeIndex valueIndex, WriteBarrierUseKind, GPRReg scratchGPR1 = InvalidGPRReg);
 
     static GPRReg selectScratchGPR(GPRReg preserve1 = InvalidGPRReg, GPRReg preserve2 = InvalidGPRReg, GPRReg preserve3 = InvalidGPRReg)
@@ -434 +438 @@
 
     bool isKnownBoolean(NodeIndex);
+
+    bool isKnownNotCell(NodeIndex);
     
     // Checks/accessors for constant values.
@@ -619 +625 @@
 
     JITCompiler::Call cachedGetById(GPRReg baseGPR, GPRReg resultGPR, GPRReg scratchGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget = JITCompiler::Jump(), NodeType = GetById);
-    void cachedPutById(GPRReg baseGPR, GPRReg valueGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
+    void cachedPutById(GPRReg base, GPRReg value, NodeIndex valueIndex, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
     void cachedGetMethod(GPRReg baseGPR, GPRReg resultGPR, GPRReg scratchGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
     
@@ -1248 +1254 @@
 class GPRTemporary {
 public:
+    GPRTemporary();
     GPRTemporary(JITCodeGenerator*);
     GPRTemporary(JITCodeGenerator*, GPRReg specific);
@@ -1260 +1267 @@
     GPRTemporary(JITCodeGenerator*, StorageOperand&);
 
+    void adopt(GPRTemporary&);
+
     ~GPRTemporary()
     {
-        m_jit->unlock(gpr());
+        if (m_jit)
+            m_jit->unlock(gpr());
     }
 

trunk/Source/JavaScriptCore/dfg/DFGRepatch.cpp

@@ -518 +518 @@
                     testPrototype(stubJit, scratchGPR, (*it)->storedPrototype(), failureCases);
             }
-            
-            JITCodeGenerator::writeBarrier(stubJit, baseGPR, scratchGPR, WriteBarrierForPropertyAccess);
-            
+
+#if ENABLE(GGC) || ENABLE(WRITE_BARRIER_PROFILING)
+            // Must always emit this write barrier as the structure transition itself requires it
+            GPRReg scratch2 = JITCodeGenerator::selectScratchGPR(baseGPR, valueGPR, scratchGPR);
+            stubJit.push(scratch2);
+            JITCodeGenerator::writeBarrier(stubJit, baseGPR, scratchGPR, scratch2, WriteBarrierForPropertyAccess);
+            stubJit.pop(scratch2);
+#endif
+
             stubJit.storePtr(MacroAssembler::TrustedImmPtr(structure), MacroAssembler::Address(baseGPR, JSCell::structureOffset()));
             if (structure->isUsingInlineStorage())

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -25 +25 @@
 
 #include "config.h"
+
 #include "DFGSpeculativeJIT.h"
 
@@ -1405 +1406 @@
         if (!m_compileOkay)
             return;
-        
-        writeBarrier(m_jit, baseReg, scratchReg, WriteBarrierForPropertyAccess);
+
+        writeBarrier(baseReg, value.gpr(), node.child3(), WriteBarrierForPropertyAccess, scratchReg);
 
         // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
@@ -1465 +1466 @@
         GPRReg scratchReg = scratch.gpr();
 
-        writeBarrier(m_jit, baseReg, scratchReg, WriteBarrierForPropertyAccess);
+        writeBarrier(base.gpr(), value.gpr(), node.child3(), WriteBarrierForPropertyAccess, scratchReg);
 
         // Get the array storage.
@@ -1796 +1797 @@
         JSValueOperand value(this, node.child2());
         m_jit.storePtr(value.gpr(), JITCompiler::Address(scratchGPR, node.varNumber() * sizeof(Register)));
-        writeBarrier(m_jit, scopeChain.gpr(), scratchGPR, WriteBarrierForVariableAccess);
+        writeBarrier(scopeChain.gpr(), value.gpr(), node.child2(), WriteBarrierForVariableAccess, scratchGPR);
         break;
     }
@@ -1902 +1903 @@
         value.use();
 
-        cachedPutById(baseGPR, valueGPR, scratchGPR, node.identifierNumber(), NotDirect);
+        cachedPutById(baseGPR, valueGPR, node.child2(), scratchGPR, node.identifierNumber(), NotDirect);
         
         noResult(m_compileIndex, UseChildrenCalledExplicitly);
@@ -1920 +1921 @@
         value.use();
 
-        cachedPutById(baseGPR, valueGPR, scratchGPR, node.identifierNumber(), Direct);
+        cachedPutById(baseGPR, valueGPR, node.child2(), scratchGPR, node.identifierNumber(), Direct);
 
         noResult(m_compileIndex, UseChildrenCalledExplicitly);
@@ -1947 +1948 @@
         m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), globalObjectReg);
 
-        writeBarrier(m_jit, globalObjectReg, scratchReg, WriteBarrierForVariableAccess);
+        writeBarrier(m_jit.codeBlock()->globalObject(), value.gpr(), node.child1(), WriteBarrierForVariableAccess, scratchReg);
 
         m_jit.loadPtr(MacroAssembler::Address(globalObjectReg, JSVariableObject::offsetOfRegisters()), scratchReg);

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -683 +683 @@
 }
 
-#if ENABLE(GGC)
-void Heap::writeBarrierSlowCase(const JSCell* owner, JSCell* cell)
-{
-}
-
-#else
-
-void Heap::writeBarrierSlowCase(const JSCell*, JSCell*)
-{
-}
-#endif
-
 } // namespace JSC

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -75 +75 @@
         static void writeBarrier(const JSCell*, JSValue);
         static void writeBarrier(const JSCell*, JSCell*);
+        static uint8_t* addressOfCardFor(JSCell*);
 
         Heap(JSGlobalData*, HeapSize);
@@ -132 +133 @@
         static const size_t minExtraCost = 256;
         static const size_t maxExtraCost = 1024 * 1024;
-        
-#if ENABLE(GGC)
-        static void writeBarrierFastCase(const JSCell* owner, JSCell*);
-#endif
 
         bool isValidAllocation(size_t);
@@ -158 +155 @@
         RegisterFile& registerFile();
 
-        static void writeBarrierSlowCase(const JSCell*, JSCell*);
-
         void waitForRelativeTimeWhileHoldingLock(double relative);
         void waitForRelativeTime(double relative);
@@ -240 +235 @@
 
 #if ENABLE(GGC)
-    inline void Heap::writeBarrierFastCase(const JSCell* owner, JSCell* cell)
-    {
-        if (MarkedBlock::blockFor(owner)->inNewSpace())
-            return;
-        writeBarrierSlowCase(owner, cell);
-    }
-
-    inline void Heap::writeBarrier(const JSCell* owner, JSCell* cell)
+    inline uint8_t* Heap::addressOfCardFor(JSCell* cell)
+    {
+        return MarkedBlock::blockFor(cell)->addressOfCardFor(cell);
+    }
+
+    inline void Heap::writeBarrier(const JSCell* owner, JSCell*)
     {
         WriteBarrierCounters::countWriteBarrier();
-        writeBarrierFastCase(owner, cell);
+        MarkedBlock::blockFor(owner)->setDirtyObject(owner);
     }
 
     inline void Heap::writeBarrier(const JSCell* owner, JSValue value)
     {
-        WriteBarrierCounters::countWriteBarrier();
         if (!value)
             return;
         if (!value.isCell())
             return;
-        writeBarrierFastCase(owner, value.asCell());
+        writeBarrier(owner, value.asCell());
     }
 #else

trunk/Source/JavaScriptCore/heap/MarkedBlock.h

@@ -23 +23 @@
 #define MarkedBlock_h
 
+#include "CardSet.h"
+
 #include <wtf/Bitmap.h>
 #include <wtf/DoublyLinkedList.h>
@@ -66 +68 @@
         static const size_t atomSize = 4 * sizeof(void*);
         static const size_t blockSize = 16 * KB;
-        static const size_t atomsPerBlock = blockSize / atomSize; // ~0.4% overhead for mark bits.
+        static const size_t blockMask = ~(blockSize - 1); // blockSize must be a power of two.
+
+        static const size_t atomsPerBlock = blockSize / atomSize; // ~0.4% overhead
+        static const size_t bytesPerCard = 512; // 1.6% overhead
+        static const int log2CardSize = 9;
 
         struct FreeCell {
@@ -133 +139 @@
         bool testAndClearMarked(const void*);
         void setMarked(const void*);
+        
+#if ENABLE(GGC)
+        void setDirtyObject(const void* atom)
+        {
+            m_cards.markCardForAtom(atom);
+        }
+
+        uint8_t* addressOfCardFor(const void* atom)
+        {
+            return &m_cards.cardForAtom(atom);
+        }
+
+        static inline size_t offsetOfCards()
+        {
+            return OBJECT_OFFSETOF(MarkedBlock, m_cards);
+        }
+#endif
 
         template <typename Functor> void forEachCell(Functor&);
 
     private:
-        static const size_t blockMask = ~(blockSize - 1); // blockSize must be a power of two.
         static const size_t atomMask = ~(atomSize - 1); // atomSize must be a power of two.
         
@@ -170 +192 @@
             return static_cast<DestructorState>(m_destructorState);
         }
-        
+
+#if ENABLE(GGC)
+        CardSet<bytesPerCard, blockSize> m_cards;
+#endif
+
         size_t m_endAtom; // This is a fuzzy end. Always test for < m_endAtom.
         size_t m_atomsPerCell;
@@ -301 +327 @@
         }
     }
-    
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -317 +317 @@
         void testPrototype(JSValue, JumpList& failureCases);
 
-        void emitWriteBarrier(RegisterID owner, RegisterID scratch, WriteBarrierUseKind);
+        enum WriteBarrierMode { UnconditionalWriteBarrier, ShouldFilterImmediates };
+        // value register in write barrier is used before any scratch registers
+        // so may safely be the same as either of the scratch registers.
+        void emitWriteBarrier(RegisterID owner, RegisterID valueTag, RegisterID scratch, RegisterID scratch2, WriteBarrierMode, WriteBarrierUseKind);
+        void emitWriteBarrier(JSCell* owner, RegisterID value, RegisterID scratch, WriteBarrierMode, WriteBarrierUseKind);
 
         template<typename ClassType, typename StructureType> void emitAllocateBasicJSObject(StructureType, void* vtable, RegisterID result, RegisterID storagePtr);

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -208 +208 @@
 
     Label storeResult(this);
-    emitGetVirtualRegister(value, regT0);
-    storePtr(regT0, BaseIndex(regT2, regT1, ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
+    emitGetVirtualRegister(value, regT3);
+    storePtr(regT3, BaseIndex(regT2, regT1, ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
     Jump end = jump();
     
@@ -216 +216 @@
     branch32(Below, regT1, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length))).linkTo(storeResult, this);
 
-    move(regT1, regT0);
-    add32(TrustedImm32(1), regT0);
-    store32(regT0, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)));
+    add32(TrustedImm32(1), Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)));
     jump().linkTo(storeResult, this);
 
     end.link(this);
+
+    emitWriteBarrier(regT0, regT3, regT1, regT3, ShouldFilterImmediates, WriteBarrierForPropertyAccess);
 }
 
@@ -440 +440 @@
     emitJumpSlowCaseIfNotJSCell(regT0, baseVReg);
 
-    emitWriteBarrier(regT0, regT2, WriteBarrierForPropertyAccess);
-
     BEGIN_UNINTERRUPTED_SEQUENCE(sequencePutById);
 
@@ -454 +452 @@
     ASSERT_JIT_OFFSET(differenceBetween(hotPathBegin, structureToCompare), patchOffsetPutByIdStructure);
 
-    loadPtr(Address(regT0, JSObject::offsetOfPropertyStorage()), regT0);
-    DataLabel32 displacementLabel = storePtrWithAddressOffsetPatch(regT1, Address(regT0, patchPutByIdDefaultOffset));
+    loadPtr(Address(regT0, JSObject::offsetOfPropertyStorage()), regT2);
+    DataLabel32 displacementLabel = storePtrWithAddressOffsetPatch(regT1, Address(regT2, patchPutByIdDefaultOffset));
 
     END_UNINTERRUPTED_SEQUENCE(sequencePutById);
+
+    emitWriteBarrier(regT0, regT1, regT2, regT3, ShouldFilterImmediates, WriteBarrierForPropertyAccess);
 
     ASSERT_JIT_OFFSET_UNUSED(displacementLabel, differenceBetween(hotPathBegin, displacementLabel), patchOffsetPutByIdPropertyMapOffset);
@@ -538 +538 @@
         restoreReturnAddressBeforeReturn(regT3);
     }
-    
-    emitWriteBarrier(regT0, regT2, WriteBarrierForPropertyAccess);
+
+    // Planting the new structure triggers the write barrier so we need
+    // an unconditional barrier here.
+    emitWriteBarrier(regT0, regT1, regT2, regT3, UnconditionalWriteBarrier, WriteBarrierForPropertyAccess);
 
     storePtr(TrustedImmPtr(newStructure), Address(regT0, JSCell::structureOffset()));
@@ -990 +992 @@
     loadPtr(Address(regT1, OBJECT_OFFSETOF(ScopeChainNode, object)), regT1);
 
-    emitWriteBarrier(regT1, regT2, WriteBarrierForVariableAccess);
+    emitWriteBarrier(regT1, regT0, regT2, regT3, ShouldFilterImmediates, WriteBarrierForVariableAccess);
 
     loadPtr(Address(regT1, JSVariableObject::offsetOfRegisters()), regT1);
@@ -1010 +1012 @@
 
     emitGetVirtualRegister(currentInstruction[2].u.operand, regT0);
+
     move(TrustedImmPtr(globalObject), regT1);
-    
-    emitWriteBarrier(regT1, regT2, WriteBarrierForVariableAccess);
-
     loadPtr(Address(regT1, JSVariableObject::offsetOfRegisters()), regT1);
     storePtr(regT0, Address(regT1, currentInstruction[1].u.operand * sizeof(Register)));
-}
-
-void JIT::emitWriteBarrier(RegisterID owner, RegisterID scratch, WriteBarrierUseKind useKind)
+    emitWriteBarrier(globalObject, regT0, regT2, ShouldFilterImmediates, WriteBarrierForVariableAccess);
+}
+
+#endif // USE(JSVALUE64)
+
+void JIT::emitWriteBarrier(RegisterID owner, RegisterID value, RegisterID scratch, RegisterID scratch2, WriteBarrierMode mode, WriteBarrierUseKind useKind)
+{
+    UNUSED_PARAM(owner);
+    UNUSED_PARAM(scratch);
+    UNUSED_PARAM(scratch2);
+    UNUSED_PARAM(useKind);
+    UNUSED_PARAM(value);
+    UNUSED_PARAM(mode);
+    ASSERT(owner != scratch);
+    ASSERT(owner != scratch2);
+    
+#if ENABLE(WRITE_BARRIER_PROFILING)
+    emitCount(WriteBarrierCounters::jitCounterFor(useKind));
+#endif
+    
+#if ENABLE(GGC)
+    Jump filterCells;
+    if (mode == ShouldFilterImmediates)
+        filterCells = emitJumpIfNotJSCell(value);
+    move(owner, scratch);
+    andPtr(TrustedImm32(static_cast<int32_t>(MarkedBlock::blockMask)), scratch);
+    move(owner, scratch2);
+    andPtr(TrustedImm32(static_cast<int32_t>(~MarkedBlock::blockMask)), scratch2);
+    rshift32(TrustedImm32(MarkedBlock::log2CardSize), scratch2);
+    store8(TrustedImm32(1), BaseIndex(scratch, scratch2, TimesOne, MarkedBlock::offsetOfCards()));
+    if (mode == ShouldFilterImmediates)
+        filterCells.link(this);
+#endif
+}
+
+void JIT::emitWriteBarrier(JSCell* owner, RegisterID value, RegisterID scratch, WriteBarrierMode mode, WriteBarrierUseKind useKind)
 {
     UNUSED_PARAM(owner);
     UNUSED_PARAM(scratch);
     UNUSED_PARAM(useKind);
-    ASSERT(owner != scratch);
+    UNUSED_PARAM(value);
+    UNUSED_PARAM(mode);
     
 #if ENABLE(WRITE_BARRIER_PROFILING)
     emitCount(WriteBarrierCounters::jitCounterFor(useKind));
 #endif
-}
-
-#endif // USE(JSVALUE64)
+    
+#if ENABLE(GGC)
+    Jump filterCells;
+    if (mode == ShouldFilterImmediates)
+        filterCells = emitJumpIfNotJSCell(value);
+    uint8_t* cardAddress = Heap::addressOfCardFor(owner);
+    move(TrustedImmPtr(cardAddress), scratch);
+    store8(TrustedImm32(1), Address(scratch));
+    if (mode == ShouldFilterImmediates)
+        filterCells.link(this);
+#endif
+}
 
 void JIT::testPrototype(JSValue prototype, JumpList& failureCases)

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -259 +259 @@
     
     addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::Int32Tag)));
-    emitJumpSlowCaseIfNotJSCell(base, regT1);
-    emitWriteBarrier(regT0, regT1, WriteBarrierForPropertyAccess);
     addSlowCase(branchPtr(NotEqual, Address(regT0), TrustedImmPtr(m_globalData->jsArrayVPtr)));
     addSlowCase(branch32(AboveOrEqual, regT2, Address(regT0, JSArray::vectorLengthOffset())));
     
+    emitJumpSlowCaseIfNotJSCell(base, regT1);
+    emitWriteBarrier(regT0, regT1, regT1, regT3, UnconditionalWriteBarrier, WriteBarrierForPropertyAccess);
+
     loadPtr(Address(regT0, JSArray::storageOffset()), regT3);
     
@@ -397 +398 @@
     emitJumpSlowCaseIfNotJSCell(base, regT1);
     
-    emitWriteBarrier(regT0, regT1, WriteBarrierForPropertyAccess);
-    
     BEGIN_UNINTERRUPTED_SEQUENCE(sequencePutById);
     
@@ -411 +410 @@
     ASSERT_JIT_OFFSET(differenceBetween(hotPathBegin, structureToCompare), patchOffsetPutByIdStructure);
     
-    loadPtr(Address(regT0, JSObject::offsetOfPropertyStorage()), regT0);
-    DataLabel32 displacementLabel1 = storePtrWithAddressOffsetPatch(regT2, Address(regT0, patchPutByIdDefaultOffset)); // payload
-    DataLabel32 displacementLabel2 = storePtrWithAddressOffsetPatch(regT3, Address(regT0, patchPutByIdDefaultOffset)); // tag
+    loadPtr(Address(regT0, JSObject::offsetOfPropertyStorage()), regT1);
+    DataLabel32 displacementLabel1 = storePtrWithAddressOffsetPatch(regT2, Address(regT1, patchPutByIdDefaultOffset)); // payload
+    DataLabel32 displacementLabel2 = storePtrWithAddressOffsetPatch(regT3, Address(regT1, patchPutByIdDefaultOffset)); // tag
     
     END_UNINTERRUPTED_SEQUENCE(sequencePutById);
+
+    emitWriteBarrier(regT0, regT2, regT1, regT2, ShouldFilterImmediates, WriteBarrierForPropertyAccess);
     
     ASSERT_JIT_OFFSET_UNUSED(displacementLabel1, differenceBetween(hotPathBegin, displacementLabel1), patchOffsetPutByIdPropertyMapOffset1);
@@ -431 +432 @@
     
     JITStubCall stubCall(this, direct ? cti_op_put_by_id_direct : cti_op_put_by_id);
-    stubCall.addArgument(regT1, regT0);
+    stubCall.addArgument(base);
     stubCall.addArgument(TrustedImmPtr(&(m_codeBlock->identifier(ident))));
     stubCall.addArgument(regT3, regT2); 
@@ -517 +518 @@
     }
 
-    emitWriteBarrier(regT0, regT1, WriteBarrierForPropertyAccess);
+    emitWriteBarrier(regT0, regT1, regT1, regT3, UnconditionalWriteBarrier, WriteBarrierForPropertyAccess);
 
     storePtr(TrustedImmPtr(newStructure), Address(regT0, JSCell::structureOffset()));
@@ -1044 +1045 @@
     loadPtr(Address(regT2, OBJECT_OFFSETOF(ScopeChainNode, object)), regT2);
 
-    emitWriteBarrier(regT2, regT3, WriteBarrierForVariableAccess);
-
-    loadPtr(Address(regT2, JSVariableObject::offsetOfRegisters()), regT2);
-    emitStore(index, regT1, regT0, regT2);
-    map(m_bytecodeOffset + OPCODE_LENGTH(op_put_scoped_var), value, regT1, regT0);
+    loadPtr(Address(regT2, JSVariableObject::offsetOfRegisters()), regT3);
+    emitStore(index, regT1, regT0, regT3);
+    emitWriteBarrier(regT2, regT1, regT0, regT1, ShouldFilterImmediates, WriteBarrierForVariableAccess);
 }
 
@@ -1075 +1074 @@
     move(TrustedImmPtr(globalObject), regT2);
 
-    emitWriteBarrier(regT2, regT3, WriteBarrierForVariableAccess);
+    emitWriteBarrier(globalObject, regT1, regT3, ShouldFilterImmediates, WriteBarrierForVariableAccess);
 
     loadPtr(Address(regT2, JSVariableObject::offsetOfRegisters()), regT2);
@@ -1082 +1081 @@
 }
 
-void JIT::emitWriteBarrier(RegisterID owner, RegisterID scratch, WriteBarrierUseKind useKind)
-{
-    UNUSED_PARAM(owner);
-    UNUSED_PARAM(scratch);
-    UNUSED_PARAM(useKind);
-    ASSERT(owner != scratch);
-    
-#if ENABLE(WRITE_BARRIER_PROFILING)
-    emitCount(WriteBarrierCounters::jitCounterFor(useKind));
-#endif
-}
-
 } // namespace JSC
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-09-23  Oliver Hunt  <oliver@apple.com>
+
+        Make write barriers actually do something when enabled
+        https://bugs.webkit.org/show_bug.cgi?id=68717
+
+        Reviewed by Geoffrey Garen.
+
+        Add a forwarding header, and fix an evaluation ordering
+        issue that shows up if you try to use write barriers.
+
+        * ForwardingHeaders/heap/CardSet.h: Added.
+        * bindings/js/JSEventListener.h:
+        (WebCore::JSEventListener::jsFunction):
+
 2011-09-23  James Robinson  <jamesr@chromium.org>
 

trunk/Source/WebCore/bindings/js/JSEventListener.h

@@ -75 +75 @@
     inline JSC::JSObject* JSEventListener::jsFunction(ScriptExecutionContext* scriptExecutionContext) const
     {
-        if (!m_jsFunction)
-            m_jsFunction.setMayBeNull(*scriptExecutionContext->globalData(), m_wrapper.get(), initializeJSFunction(scriptExecutionContext));
+        if (!m_jsFunction) {
+            JSC::JSObject* function = initializeJSFunction(scriptExecutionContext);
+            m_jsFunction.setMayBeNull(*scriptExecutionContext->globalData(), m_wrapper.get(), function);
+        }
 
         // Verify that we have a valid wrapper protecting our function from