- Revision
- 192536
- Author
- akl...@apple.com
- Date
- 2015-11-17 14:13:41 -0800 (Tue, 17 Nov 2015)
Log Message
[JSC] JSPropertyNameEnumerator could be destructorless.
<https://webkit.org/b/151242>
Reviewed by Mark Lam.
Make JSPropertyNameEnumerator destructorless and have it store the property names
cache in CopiedSpace. This was the most popular occupant of 64-byte destructor cells
in MarkedSpace, so making it destructorless gets rid of some ill-filled MarkedBlocks.
This patch had two issues on 32-bit platforms when first landed:
- Copied space allocations are required to be 8-byte divisible in size.
- WriteBarrier<Unknown> and WriteBarrier<JSString> are not the same size on 32-bit;
the former is a 64-bit EncodedJSValue internally, and the latter is a 32-bit JSCell*.
My patch was reinterpret_cast'ing a WriteBarrier<JSString> to a WriteBarrier<Unknown>
when passing to SlotVisitor::appendValues(), which led to invalid addresses getting
marked and strings getting GC'd prematurely.
* heap/CopyToken.h:
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::finishCreation):
(JSC::JSPropertyNameEnumerator::visitChildren):
(JSC::JSPropertyNameEnumerator::copyBackingStore):
(JSC::JSPropertyNameEnumerator::destroy): Deleted.
* runtime/JSPropertyNameEnumerator.h:
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (192535 => 192536)
--- trunk/Source/_javascript_Core/ChangeLog 2015-11-17 22:09:07 UTC (rev 192535)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-11-17 22:13:41 UTC (rev 192536)
@@ -1,3 +1,32 @@
+2015-11-17 Andreas Kling <akl...@apple.com>
+
+ [JSC] JSPropertyNameEnumerator could be destructorless.
+ <https://webkit.org/b/151242>
+
+ Reviewed by Mark Lam.
+
+ Make JSPropertyNameEnumerator destructorless and have it store the property names
+ cache in CopiedSpace. This was the most popular occupant of 64-byte destructor cells
+ in MarkedSpace, so making it destructorless gets rid of some ill-filled MarkedBlocks.
+
+ This patch had two issues on 32-bit platforms when first landed:
+
+ - Copied space allocations are required to be 8-byte divisible in size.
+
+ - WriteBarrier<Unknown> and WriteBarrier<JSString> are not the same size on 32-bit;
+ the former is a 64-bit EncodedJSValue internally, and the latter is a 32-bit JSCell*.
+ My patch was reinterpret_cast'ing a WriteBarrier<JSString> to a WriteBarrier<Unknown>
+ when passing to SlotVisitor::appendValues(), which led to invalid addresses getting
+ marked and strings getting GC'd prematurely.
+
+ * heap/CopyToken.h:
+ * runtime/JSPropertyNameEnumerator.cpp:
+ (JSC::JSPropertyNameEnumerator::finishCreation):
+ (JSC::JSPropertyNameEnumerator::visitChildren):
+ (JSC::JSPropertyNameEnumerator::copyBackingStore):
+ (JSC::JSPropertyNameEnumerator::destroy): Deleted.
+ * runtime/JSPropertyNameEnumerator.h:
+
2015-11-17 Mark Lam <mark....@apple.com>
Refactoring: move branchMul32's imm arg to the 3rd argument to be consistent.
Modified: trunk/Source/_javascript_Core/heap/CopyToken.h (192535 => 192536)
--- trunk/Source/_javascript_Core/heap/CopyToken.h 2015-11-17 22:09:07 UTC (rev 192535)
+++ trunk/Source/_javascript_Core/heap/CopyToken.h 2015-11-17 22:13:41 UTC (rev 192536)
@@ -32,7 +32,8 @@
ButterflyCopyToken,
TypedArrayVectorCopyToken,
MapBackingStoreCopyToken,
- DirectArgumentsOverridesCopyToken
+ DirectArgumentsOverridesCopyToken,
+ JSPropertyNameEnumeratorCopyToken,
};
} // namespace JSC
Modified: trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp (192535 => 192536)
--- trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp 2015-11-17 22:09:07 UTC (rev 192535)
+++ trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp 2015-11-17 22:13:41 UTC (rev 192536)
@@ -26,6 +26,8 @@
#include "config.h"
#include "JSPropertyNameEnumerator.h"
+#include "CopiedBlockInlines.h"
+#include "CopyVisitorInlines.h"
#include "JSCInlines.h"
#include "StrongInlines.h"
@@ -70,25 +72,46 @@
m_endStructurePropertyIndex = endStructurePropertyIndex;
m_endGenericPropertyIndex = vector.size();
- m_propertyNames.resizeToFit(vector.size());
- for (unsigned i = 0; i < vector.size(); ++i) {
- const Identifier& identifier = vector[i];
- m_propertyNames[i].set(vm, this, jsString(&vm, identifier.string()));
+ if (!vector.isEmpty()) {
+ void* backingStore;
+ RELEASE_ASSERT(vm.heap.tryAllocateStorage(this, propertyNameCacheSize(), &backingStore));
+ WriteBarrier<JSString>* propertyNames = reinterpret_cast<WriteBarrier<JSString>*>(backingStore);
+ m_propertyNames.set(vm, this, propertyNames);
+
+ for (unsigned i = 0; i < vector.size(); ++i)
+ propertyNames[i].set(vm, this, jsString(&vm, vector[i].string()));
}
}
-void JSPropertyNameEnumerator::destroy(JSCell* cell)
-{
- jsCast<JSPropertyNameEnumerator*>(cell)->JSPropertyNameEnumerator::~JSPropertyNameEnumerator();
-}
-
void JSPropertyNameEnumerator::visitChildren(JSCell* cell, SlotVisitor& visitor)
{
Base::visitChildren(cell, visitor);
JSPropertyNameEnumerator* thisObject = jsCast<JSPropertyNameEnumerator*>(cell);
- for (unsigned i = 0; i < thisObject->m_propertyNames.size(); ++i)
- visitor.append(&thisObject->m_propertyNames[i]);
visitor.append(&thisObject->m_prototypeChain);
+
+ if (thisObject->cachedPropertyNameCount()) {
+ for (unsigned i = 0; i < thisObject->cachedPropertyNameCount(); ++i)
+ visitor.append(&thisObject->m_propertyNames.getWithoutBarrier()[i]);
+ visitor.copyLater(
+ thisObject, JSPropertyNameEnumeratorCopyToken,
+ thisObject->m_propertyNames.getWithoutBarrier(), thisObject->propertyNameCacheSize());
+ }
}
+void JSPropertyNameEnumerator::copyBackingStore(JSCell* cell, CopyVisitor& visitor, CopyToken token)
+{
+ JSPropertyNameEnumerator* thisObject = jsCast<JSPropertyNameEnumerator*>(cell);
+ ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+
+ RELEASE_ASSERT(token == JSPropertyNameEnumeratorCopyToken);
+
+ void* oldPropertyNames = thisObject->m_propertyNames.getWithoutBarrier();
+ if (visitor.checkIfShouldCopy(oldPropertyNames)) {
+ WriteBarrier<JSString>* newPropertyNames = static_cast<WriteBarrier<JSString>*>(visitor.allocateNewSpace(thisObject->propertyNameCacheSize()));
+ memcpy(newPropertyNames, oldPropertyNames, thisObject->propertyNameCacheSize());
+ thisObject->m_propertyNames.setWithoutBarrier(newPropertyNames);
+ visitor.didCopy(oldPropertyNames, thisObject->propertyNameCacheSize());
+ }
+}
+
} // namespace JSC
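Review bot: In finishCreation, `m_endGenericPropertyIndex = vector.size()` is assigned before the backing store exists, and the new visitChildren trusts that count when it indexes `m_propertyNames.getWithoutBarrier()[i]`. If a collection can run during `tryAllocateStorage()` or during any `jsString()` call in the fill loop (both allocate from the heap, though whether they can trigger a visit of this cell is not visible here), the visitor would walk a null pointer or slots that have not been written yet. The old code appears not to have had this window, since `resizeToFit()` left default-constructed entries. Consider clearing the storage before publishing it, `memset(backingStore, 0, propertyNameCacheSize());`, and guarding the visit on the pointer as well as the count, `if (auto* names = thisObject->m_propertyNames.getWithoutBarrier())`. finishCreation starts above this hunk, so the earlier part of its body is not reviewed here.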
Modified: trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h (192535 => 192536)
--- trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h 2015-11-17 22:09:07 UTC (rev 192535)
+++ trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h 2015-11-17 22:13:41 UTC (rev 192536)
@@ -43,9 +43,6 @@
static JSPropertyNameEnumerator* create(VM&);
static JSPropertyNameEnumerator* create(VM&, Structure*, uint32_t, uint32_t, PropertyNameArray&);
- static const bool needsDestruction = true;
- static void destroy(JSCell*);
-
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
@@ -55,9 +52,9 @@
JSString* propertyNameAtIndex(uint32_t index) const
{
- if (index >= m_propertyNames.size())
+ if (index >= cachedPropertyNameCount())
return nullptr;
- return m_propertyNames[index].get();
+ return m_propertyNames.get(this)[index].get();
}
StructureChain* cachedPrototypeChain() const { return m_prototypeChain.get(); }
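Review bot: The bounds check in propertyNameAtIndex now compares against `cachedPropertyNameCount()`, which a later hunk in this header defines as plain `m_endGenericPropertyIndex`, so the limit is no longer tied to the allocation the way `m_propertyNames.size()` was. Any path that leaves the count non-zero while `m_propertyNames` is still null, or points at a shorter array, would turn this accessor into an out-of-bounds read of CopiedSpace. A debug assertion in the accessor would make the invariant checkable, for example `ASSERT(!cachedPropertyNameCount() || m_propertyNames.get(this));`. The `m_endGenericPropertyIndex` member declaration also deserves a comment saying that the field doubles as the array length and must only change together with the backing store.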
@@ -81,18 +78,30 @@
static ptrdiff_t cachedInlineCapacityOffset() { return OBJECT_OFFSETOF(JSPropertyNameEnumerator, m_cachedInlineCapacity); }
static ptrdiff_t cachedPropertyNamesVectorOffset()
{
- return OBJECT_OFFSETOF(JSPropertyNameEnumerator, m_propertyNames) + Vector<WriteBarrier<JSString>>::dataMemoryOffset();
+ return OBJECT_OFFSETOF(JSPropertyNameEnumerator, m_propertyNames);
}
static void visitChildren(JSCell*, SlotVisitor&);
+ static void copyBackingStore(JSCell*, CopyVisitor&, CopyToken);
+ uint32_t cachedPropertyNameCount() const
+ {
+ // Note that this depends on m_endGenericPropertyIndex being the number of entries in m_propertyNames.
+ return m_endGenericPropertyIndex;
+ }
+
+ size_t propertyNameCacheSize() const
+ {
+ return WTF::roundUpToMultipleOf<8>(cachedPropertyNameCount() * sizeof(WriteBarrier<JSString>));
+ }
+
private:
JSPropertyNameEnumerator(VM&, StructureID, uint32_t);
void finishCreation(VM&, uint32_t, uint32_t, PassRefPtr<PropertyNameArrayData>);
- Vector<WriteBarrier<JSString>> m_propertyNames;
+ CopyBarrier<WriteBarrier<JSString>> m_propertyNames;
+ WriteBarrier<StructureChain> m_prototypeChain;
StructureID m_cachedStructureID;
- WriteBarrier<StructureChain> m_prototypeChain;
uint32_t m_indexedLength;
uint32_t m_endStructurePropertyIndex;
uint32_t m_endGenericPropertyIndex;