Changeset 130303 in webkit for trunk/Source/JavaScriptCore/heap

Timestamp:

Oct 3, 2012, 10:51:28 AM (13 years ago)

Author:

[email protected]

Message:

Delayed structure sweep can leak structures without bound
​https://bugs.webkit.org/show_bug.cgi?id=96546

Reviewed by Geoffrey Garen.

This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
those objects with destructors and with immortal structures, and those objects with destructors that don't have
immortal structures. All of the objects of the third type (destructors without immortal structures) now
inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores
the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.

Source/JavaScriptCore:

• API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.

(JSC):
(JSC::JSCallbackConstructor::JSCallbackConstructor):

• API/JSCallbackConstructor.h:

(JSCallbackConstructor):

• API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for

JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer.
(JSC):
(JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add
the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides
to subclass this. We use this same technique for many other subclasses of JSGlobalObject.
(JSC::::createStructure):

• API/JSCallbackObject.h:

(JSCallbackObject):
(JSC):

• API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead.

(OpaqueJSClass::prototype):

• API/JSObjectRef.cpp: Ditto.

(JSObjectMake):
(JSObjectGetPrivate):
(JSObjectSetPrivate):
(JSObjectGetPrivateProperty):
(JSObjectSetPrivateProperty):
(JSObjectDeletePrivateProperty):

• API/JSValueRef.cpp: Ditto.

(JSValueIsObjectOfClass):

• API/JSWeakObjectMapRefPrivate.cpp: Ditto.
• JSCTypedArrayStubs.h:

(JSC):

• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG.

(JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
(JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):

• heap/Heap.cpp:

(JSC):

• heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function

since it's always safe to sweep Structures now.
(JSC::Heap::allocatorForObjectWithNormalDestructor):
(JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
(Heap):
(JSC::Heap::allocateWithNormalDestructor):
(JSC):
(JSC::Heap::allocateWithImmortalStructureDestructor):

• heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the

IncrementalSweeper since it's always safe to sweep Structures now.
(JSC::IncrementalSweeper::IncrementalSweeper):
(JSC::IncrementalSweeper::sweepNextBlock):
(JSC::IncrementalSweeper::startSweeping):
(JSC::IncrementalSweeper::willFinishSweeping):
(JSC):

• heap/IncrementalSweeper.h:

(IncrementalSweeper):

• heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add

tracking of the specific destructor type of allocator.
(JSC::MarkedAllocator::tryAllocateHelper):
(JSC::MarkedAllocator::allocateBlock):

• heap/MarkedAllocator.h:

(JSC::MarkedAllocator::destructorType):
(MarkedAllocator):
(JSC::MarkedAllocator::MarkedAllocator):
(JSC::MarkedAllocator::init):

• heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping.

We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls.
(JSC::MarkedBlock::create):
(JSC::MarkedBlock::MarkedBlock):
(JSC):
(JSC::MarkedBlock::specializedSweep):
(JSC::MarkedBlock::sweep):
(JSC::MarkedBlock::sweepHelper):

• heap/MarkedBlock.h:

(JSC):
(JSC::MarkedBlock::allocator):
(JSC::MarkedBlock::destructorType):

• heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace.

(JSC::MarkedSpace::MarkedSpace):
(JSC::MarkedSpace::resetAllocators):
(JSC::MarkedSpace::canonicalizeCellLivenessData):
(JSC::MarkedSpace::isPagedOut):
(JSC::MarkedSpace::freeBlock):

• heap/MarkedSpace.h:

(MarkedSpace):
(JSC::MarkedSpace::immortalStructureDestructorAllocatorFor):
(JSC::MarkedSpace::normalDestructorAllocatorFor):
(JSC::MarkedSpace::allocateWithImmortalStructureDestructor):
(JSC::MarkedSpace::allocateWithNormalDestructor):
(JSC::MarkedSpace::forEachBlock):

• heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function.
• jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT.
• jit/JITInlineMethods.h:

(JSC::JIT::emitAllocateBasicJSObject):
(JSC::JIT::emitAllocateJSFinalObject):
(JSC::JIT::emitAllocateJSArray):

• jsc.cpp:

(GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from
JSDestructibleObject.

• runtime/Arguments.cpp: Inherit from JSDestructibleObject.

(JSC):

• runtime/Arguments.h:

(Arguments):
(JSC::Arguments::Arguments):

• runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor.

(JSC):

• runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures.

(JSC):

• runtime/InternalFunction.cpp: Inherit from JSDestructibleObject.

(JSC):
(JSC::InternalFunction::InternalFunction):

• runtime/InternalFunction.h:

(InternalFunction):

• runtime/JSCell.h: Added two static bools, needsDestruction and hasImmortalStructure, that classes can override

to indicate at compile time which part of the heap they should be allocated in.
(JSC::allocateCell): Use the appropriate allocator depending on the destructor type.

• runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be

accessed safely when the object is being destroyed.
(JSC):
(JSDestructibleObject):
(JSC::JSDestructibleObject::classInfo):
(JSC::JSDestructibleObject::JSDestructibleObject):
(JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe.

• runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all

of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well.
(JSC::JSGlobalObject::reset):

• runtime/JSGlobalObject.h:

(JSGlobalObject):
(JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one
for the m_rareData field when it's created.
(JSC::JSGlobalObject::create):
(JSC):

• runtime/JSGlobalThis.h: Inherit from JSDestructibleObject.

(JSGlobalThis):
(JSC::JSGlobalThis::JSGlobalThis):

• runtime/JSPropertyNameIterator.h: Has an immortal Structure.

(JSC):

• runtime/JSScope.cpp:

(JSC):

• runtime/JSString.h: Has an immortal Structure.

(JSC):

• runtime/JSWrapperObject.h: Inherit from JSDestructibleObject.

(JSWrapperObject):
(JSC::JSWrapperObject::JSWrapperObject):

• runtime/MathObject.cpp: Cleaning up some of the inheritance stuff.

(JSC):

• runtime/NameInstance.h: Inherit from JSDestructibleObject.

(NameInstance):

• runtime/RegExp.h: Has immortal Structure.

(JSC):

• runtime/RegExpObject.cpp: Inheritance cleanup.

(JSC):

• runtime/SparseArrayValueMap.h: Has immortal Structure.

(JSC):

• runtime/Structure.h: Has immortal Structure.

(JSC):

• runtime/StructureChain.h: Ditto.

(JSC):

• runtime/SymbolTable.h: Ditto.

(SharedSymbolTable):
(JSC):

Source/WebCore:

No new tests.

• ForwardingHeaders/runtime/JSDestructableObject.h: Added.
• bindings/js/JSDOMWrapper.h: Inherits from JSDestructibleObject.

(JSDOMWrapper):
(WebCore::JSDOMWrapper::JSDOMWrapper):

• bindings/scripts/CodeGeneratorJS.pm: Add finalizers to anything that inherits from JSGlobalObject,

e.g. JSDOMWindow and JSWorkerContexts. For those classes we also need to define needsDestruction as true.
(GenerateHeader):

• bridge/objc/objc_runtime.h: Inherit from JSDestructibleObject.

(ObjcFallbackObjectImp):

• bridge/objc/objc_runtime.mm:

(Bindings):
(JSC::Bindings::ObjcFallbackObjectImp::ObjcFallbackObjectImp):

• bridge/runtime_array.cpp: Use a finalizer so that JSArray isn't forced to inherit from JSDestructibleObject.

(JSC):
(JSC::RuntimeArray::destroy):

• bridge/runtime_array.h:

(JSC::RuntimeArray::create):
(JSC):

• bridge/runtime_object.cpp: Inherit from JSDestructibleObject.

(Bindings):
(JSC::Bindings::RuntimeObject::RuntimeObject):

• bridge/runtime_object.h:

(RuntimeObject):

Location:

trunk/Source/JavaScriptCore/heap

Files:

• Heap.cpp (modified) (1 diff)
• Heap.h (modified) (5 diffs)
• IncrementalSweeper.cpp (modified) (8 diffs)
• IncrementalSweeper.h (modified) (2 diffs)
• MarkedAllocator.cpp (modified) (3 diffs)
• MarkedAllocator.h (modified) (5 diffs)
• MarkedBlock.cpp (modified) (6 diffs)
• MarkedBlock.h (modified) (8 diffs)
• MarkedSpace.cpp (modified) (5 diffs)
• MarkedSpace.h (modified) (5 diffs)
• SlotVisitor.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -943 +943 @@
 }
 
-bool Heap::isSafeToSweepStructures()
-{
-    return !m_sweeper || m_sweeper->structuresCanBeSwept();
-}
-
 void Heap::didStartVMShutdown()
 {

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -113 +113 @@
         MarkedAllocator& firstAllocatorWithoutDestructors() { return m_objectSpace.firstAllocator(); }
         MarkedAllocator& allocatorForObjectWithoutDestructor(size_t bytes) { return m_objectSpace.allocatorFor(bytes); }
-        MarkedAllocator& allocatorForObjectWithDestructor(size_t bytes) { return m_objectSpace.destructorAllocatorFor(bytes); }
+        MarkedAllocator& allocatorForObjectWithNormalDestructor(size_t bytes) { return m_objectSpace.normalDestructorAllocatorFor(bytes); }
+        MarkedAllocator& allocatorForObjectWithImmortalStructureDestructor(size_t bytes) { return m_objectSpace.immortalStructureDestructorAllocatorFor(bytes); }
         CopiedAllocator& storageAllocator() { return m_storageSpace.allocator(); }
         CheckedBoolean tryAllocateStorage(size_t, void**);
@@ -170 +171 @@
 
         bool isPagedOut(double deadline);
-        bool isSafeToSweepStructures();
         void didStartVMShutdown();
 
@@ -186 +186 @@
         template<typename T> friend void* allocateCell(Heap&, size_t);
 
-        void* allocateWithDestructor(size_t);
-        void* allocateWithoutDestructor(size_t);
-        void* allocateStructure(size_t);
+        void* allocateWithImmortalStructureDestructor(size_t); // For use with special objects whose Structures never die.
+        void* allocateWithNormalDestructor(size_t); // For use with objects that inherit directly or indirectly from JSDestructibleObject.
+        void* allocateWithoutDestructor(size_t); // For use with objects without destructors.
 
         static const size_t minExtraCost = 256;
@@ -364 +364 @@
     }
 
-    inline void* Heap::allocateWithDestructor(size_t bytes)
+    inline void* Heap::allocateWithNormalDestructor(size_t bytes)
     {
         ASSERT(isValidAllocation(bytes));
-        return m_objectSpace.allocateWithDestructor(bytes);
+        return m_objectSpace.allocateWithNormalDestructor(bytes);
+    }
+    
+    inline void* Heap::allocateWithImmortalStructureDestructor(size_t bytes)
+    {
+        ASSERT(isValidAllocation(bytes));
+        return m_objectSpace.allocateWithImmortalStructureDestructor(bytes);
     }
     
@@ -376 +382 @@
     }
    
-    inline void* Heap::allocateStructure(size_t bytes)
-    {
-        return m_objectSpace.allocateStructure(bytes);
-    }
- 
     inline CheckedBoolean Heap::tryAllocateStorage(size_t bytes, void** outPtr)
     {

trunk/Source/JavaScriptCore/heap/IncrementalSweeper.cpp

@@ -49 +49 @@
     : HeapTimer(heap->globalData(), runLoop)
     , m_currentBlockToSweepIndex(0)
-    , m_structuresCanBeSwept(false)
 {
 }
@@ -73 +72 @@
     : HeapTimer(heap->globalData())
     , m_currentBlockToSweepIndex(0)
-    , m_structuresCanBeSwept(false)
 {
 }
@@ -120 +118 @@
     while (m_currentBlockToSweepIndex < m_blocksToSweep.size()) {
         MarkedBlock* block = m_blocksToSweep[m_currentBlockToSweepIndex++];
-        if (block->onlyContainsStructures())
-            m_structuresCanBeSwept = true;
-        else
-            ASSERT(!m_structuresCanBeSwept);
 
         if (!block->needsSweeping())
@@ -140 +134 @@
     m_globalData->heap.objectSpace().forEachBlock(functor);
     m_currentBlockToSweepIndex = 0;
-    m_structuresCanBeSwept = false;
     scheduleTimer();
 }
@@ -147 +140 @@
 {
     m_currentBlockToSweepIndex = 0;
-    m_structuresCanBeSwept = true;
     m_blocksToSweep.clear();
     if (m_globalData)
@@ -157 +149 @@
 IncrementalSweeper::IncrementalSweeper(JSGlobalData* globalData)
     : HeapTimer(globalData)
-    , m_structuresCanBeSwept(false)
 {
 }
@@ -172 +163 @@
 void IncrementalSweeper::startSweeping(const HashSet<MarkedBlock*>&)
 {
-    m_structuresCanBeSwept = false;
 }
 
 void IncrementalSweeper::willFinishSweeping()
 {
-    m_structuresCanBeSwept = true;
 }
 
@@ -186 +175 @@
 #endif
 
-bool IncrementalSweeper::structuresCanBeSwept()
-{
-    return m_structuresCanBeSwept;
-}
-
 } // namespace JSC

trunk/Source/JavaScriptCore/heap/IncrementalSweeper.h

@@ -57 +57 @@
     virtual void doWork();
     void sweepNextBlock();
-    bool structuresCanBeSwept();
     void willFinishSweeping();
 
@@ -79 +78 @@
     
 #endif
-    bool m_structuresCanBeSwept;
 };
 

trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp

@@ -31 +31 @@
 {
     if (!m_freeList.head) {
-        if (m_onlyContainsStructures && !m_heap->isSafeToSweepStructures()) {
-            if (m_currentBlock) {
-                m_currentBlock->didConsumeFreeList();
-                m_currentBlock = 0;
-            }
-            // We sweep another random block here so that we can make progress
-            // toward being able to sweep Structures.
-            m_heap->sweeper()->sweepNextBlock();
-            return 0;
-        }
-
         for (MarkedBlock*& block = m_blocksToSweep; block; block = block->next()) {
             MarkedBlock::FreeList freeList = block->sweep(MarkedBlock::SweepToFreeList);
@@ -125 +114 @@
     if (blockSize == MarkedBlock::blockSize) {
         PageAllocationAligned allocation = m_heap->blockAllocator().allocate();
-        return MarkedBlock::create(allocation, m_heap, cellSize, m_cellsNeedDestruction, m_onlyContainsStructures);
+        return MarkedBlock::create(allocation, this, cellSize, m_destructorType);
     }
 
@@ -131 +120 @@
     if (!static_cast<bool>(allocation))
         CRASH();
-    return MarkedBlock::create(allocation, m_heap, cellSize, m_cellsNeedDestruction, m_onlyContainsStructures);
+    return MarkedBlock::create(allocation, this, cellSize, m_destructorType);
 }
 

trunk/Source/JavaScriptCore/heap/MarkedAllocator.h

@@ -24 +24 @@
     void canonicalizeCellLivenessData();
     size_t cellSize() { return m_cellSize; }
-    bool cellsNeedDestruction() { return m_cellsNeedDestruction; }
-    bool onlyContainsStructures() { return m_onlyContainsStructures; }
+    MarkedBlock::DestructorType destructorType() { return m_destructorType; }
     void* allocate(size_t);
     Heap* heap() { return m_heap; }
@@ -33 +32 @@
     void addBlock(MarkedBlock*);
     void removeBlock(MarkedBlock*);
-    void init(Heap*, MarkedSpace*, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures);
+    void init(Heap*, MarkedSpace*, size_t cellSize, MarkedBlock::DestructorType);
 
     bool isPagedOut(double deadline);
@@ -50 +49 @@
     DoublyLinkedList<MarkedBlock> m_blockList;
     size_t m_cellSize;
-    bool m_cellsNeedDestruction;
-    bool m_onlyContainsStructures;
+    MarkedBlock::DestructorType m_destructorType;
     Heap* m_heap;
     MarkedSpace* m_markedSpace;
@@ -60 +58 @@
     , m_blocksToSweep(0)
     , m_cellSize(0)
-    , m_cellsNeedDestruction(true)
-    , m_onlyContainsStructures(false)
+    , m_destructorType(MarkedBlock::None)
     , m_heap(0)
     , m_markedSpace(0)
@@ -67 +64 @@
 }
 
-inline void MarkedAllocator::init(Heap* heap, MarkedSpace* markedSpace, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures)
+inline void MarkedAllocator::init(Heap* heap, MarkedSpace* markedSpace, size_t cellSize, MarkedBlock::DestructorType destructorType)
 {
     m_heap = heap;
     m_markedSpace = markedSpace;
     m_cellSize = cellSize;
-    m_cellsNeedDestruction = cellsNeedDestruction;
-    m_onlyContainsStructures = onlyContainsStructures;
+    m_destructorType = destructorType;
 }
 

trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -29 +29 @@
 #include "IncrementalSweeper.h"
 #include "JSCell.h"
-#include "JSObject.h"
+#include "JSDestructibleObject.h"
 
 
 namespace JSC {
 
-MarkedBlock* MarkedBlock::create(const PageAllocationAligned& allocation, Heap* heap, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures)
+MarkedBlock* MarkedBlock::create(const PageAllocationAligned& allocation, MarkedAllocator* allocator, size_t cellSize, DestructorType destructorType)
 {
-    return new (NotNull, allocation.base()) MarkedBlock(allocation, heap, cellSize, cellsNeedDestruction, onlyContainsStructures);
+    return new (NotNull, allocation.base()) MarkedBlock(allocation, allocator, cellSize, destructorType);
 }
 
-MarkedBlock::MarkedBlock(const PageAllocationAligned& allocation, Heap* heap, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures)
+MarkedBlock::MarkedBlock(const PageAllocationAligned& allocation, MarkedAllocator* allocator, size_t cellSize, DestructorType destructorType)
     : HeapBlock<MarkedBlock>(allocation)
     , m_atomsPerCell((cellSize + atomSize - 1) / atomSize)
     , m_endAtom(atomsPerBlock - m_atomsPerCell + 1)
-    , m_cellsNeedDestruction(cellsNeedDestruction)
-    , m_onlyContainsStructures(onlyContainsStructures)
+    , m_destructorType(destructorType)
+    , m_allocator(allocator)
     , m_state(New) // All cells start out unmarked.
-    , m_weakSet(heap->globalData())
+    , m_weakSet(allocator->heap()->globalData())
 {
-    ASSERT(heap);
+    ASSERT(allocator);
     HEAP_LOG_BLOCK_STATE_TRANSITION(this);
 }
@@ -66 +66 @@
 }
 
-template<MarkedBlock::BlockState blockState, MarkedBlock::SweepMode sweepMode, bool destructorCallNeeded>
+template<MarkedBlock::BlockState blockState, MarkedBlock::SweepMode sweepMode, MarkedBlock::DestructorType dtorType>
 MarkedBlock::FreeList MarkedBlock::specializedSweep()
 {
     ASSERT(blockState != Allocated && blockState != FreeListed);
-    ASSERT(destructorCallNeeded || sweepMode != SweepOnly);
+    ASSERT(!(dtorType == MarkedBlock::None && sweepMode == SweepOnly));
 
     // This produces a free list that is ordered in reverse through the block.
@@ -83 +83 @@
         JSCell* cell = reinterpret_cast_ptr<JSCell*>(&atoms()[i]);
 
-        if (destructorCallNeeded && blockState != New)
+        if (dtorType != MarkedBlock::None && blockState != New)
             callDestructor(cell);
 
@@ -104 +104 @@
     m_weakSet.sweep();
 
-    if (sweepMode == SweepOnly && !m_cellsNeedDestruction)
+    if (sweepMode == SweepOnly && m_destructorType == MarkedBlock::None)
         return FreeList();
 
-    if (m_cellsNeedDestruction)
-        return sweepHelper<true>(sweepMode);
-    return sweepHelper<false>(sweepMode);
+    if (m_destructorType == MarkedBlock::ImmortalStructure)
+        return sweepHelper<MarkedBlock::ImmortalStructure>(sweepMode);
+    if (m_destructorType == MarkedBlock::Normal)
+        return sweepHelper<MarkedBlock::Normal>(sweepMode);
+    return sweepHelper<MarkedBlock::None>(sweepMode);
 }
 
-template<bool destructorCallNeeded>
+template<MarkedBlock::DestructorType dtorType>
 MarkedBlock::FreeList MarkedBlock::sweepHelper(SweepMode sweepMode)
 {
@@ -118 +120 @@
     case New:
         ASSERT(sweepMode == SweepToFreeList);
-        return specializedSweep<New, SweepToFreeList, destructorCallNeeded>();
+        return specializedSweep<New, SweepToFreeList, dtorType>();
     case FreeListed:
         // Happens when a block transitions to fully allocated.
@@ -127 +129 @@
         return FreeList();
     case Marked:
-        ASSERT(!m_onlyContainsStructures || heap()->isSafeToSweepStructures());
         return sweepMode == SweepToFreeList
-            ? specializedSweep<Marked, SweepToFreeList, destructorCallNeeded>()
-            : specializedSweep<Marked, SweepOnly, destructorCallNeeded>();
+            ? specializedSweep<Marked, SweepToFreeList, dtorType>()
+            : specializedSweep<Marked, SweepOnly, dtorType>();
     }
 

trunk/Source/JavaScriptCore/heap/MarkedBlock.h

@@ -53 +53 @@
     class Heap;
     class JSCell;
+    class MarkedAllocator;
 
     typedef uintptr_t Bits;
@@ -113 +114 @@
         };
 
-        static MarkedBlock* create(const PageAllocationAligned&, Heap*, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures);
+        enum DestructorType { None, ImmortalStructure, Normal };
+        static MarkedBlock* create(const PageAllocationAligned&, MarkedAllocator*, size_t cellSize, DestructorType);
 
         static bool isAtomAligned(const void*);
@@ -121 +123 @@
         void lastChanceToFinalize();
 
+        MarkedAllocator* allocator() const;
         Heap* heap() const;
         JSGlobalData* globalData() const;
@@ -144 +147 @@
 
         size_t cellSize();
-        bool cellsNeedDestruction();
-        bool onlyContainsStructures();
+        DestructorType destructorType();
 
         size_t size();
@@ -195 +197 @@
 
         enum BlockState { New, FreeListed, Allocated, Marked };
-        template<bool destructorCallNeeded> FreeList sweepHelper(SweepMode = SweepOnly);
+        template<DestructorType> FreeList sweepHelper(SweepMode = SweepOnly);
 
         typedef char Atom[atomSize];
 
-        MarkedBlock(const PageAllocationAligned&, Heap*, size_t cellSize, bool cellsNeedDestruction, bool onlyContainsStructures);
+        MarkedBlock(const PageAllocationAligned&, MarkedAllocator*, size_t cellSize, DestructorType);
         Atom* atoms();
         size_t atomNumber(const void*);
         void callDestructor(JSCell*);
-        template<BlockState, SweepMode, bool destructorCallNeeded> FreeList specializedSweep();
+        template<BlockState, SweepMode, DestructorType> FreeList specializedSweep();
         
 #if ENABLE(GGC)
@@ -216 +218 @@
         WTF::Bitmap<atomsPerBlock, WTF::BitmapNotAtomic> m_marks;
 #endif
-        bool m_cellsNeedDestruction;
-        bool m_onlyContainsStructures;
+        DestructorType m_destructorType;
+        MarkedAllocator* m_allocator;
         BlockState m_state;
         WeakSet m_weakSet;
@@ -262 +264 @@
     }
 
+    inline MarkedAllocator* MarkedBlock::allocator() const
+    {
+        return m_allocator;
+    }
+
     inline Heap* MarkedBlock::heap() const
     {
@@ -327 +334 @@
     }
 
-    inline bool MarkedBlock::cellsNeedDestruction()
-    {
-        return m_cellsNeedDestruction; 
-    }
-
-    inline bool MarkedBlock::onlyContainsStructures()
-    {
-        return m_onlyContainsStructures;
+    inline MarkedBlock::DestructorType MarkedBlock::destructorType()
+    {
+        return m_destructorType; 
     }
 

trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp

@@ -82 +82 @@
 {
     for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
-        allocatorFor(cellSize).init(heap, this, cellSize, false, false);
-        destructorAllocatorFor(cellSize).init(heap, this, cellSize, true, false);
-    }
-
-    for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
-        allocatorFor(cellSize).init(heap, this, cellSize, false, false);
-        destructorAllocatorFor(cellSize).init(heap, this, cellSize, true, false);
-    }
-
-    m_largeAllocator.init(heap, this, 0, true, false);
-    m_structureAllocator.init(heap, this, WTF::roundUpToMultipleOf(32, sizeof(Structure)), true, true);
+        allocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::None);
+        normalDestructorAllocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::Normal);
+        immortalStructureDestructorAllocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::ImmortalStructure);
+    }
+
+    for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
+        allocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::None);
+        normalDestructorAllocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::Normal);
+        immortalStructureDestructorAllocatorFor(cellSize).init(heap, this, cellSize, MarkedBlock::ImmortalStructure);
+    }
+
+    m_normalSpace.largeAllocator.init(heap, this, 0, MarkedBlock::None);
+    m_normalDestructorSpace.largeAllocator.init(heap, this, 0, MarkedBlock::Normal);
+    m_immortalStructureDestructorSpace.largeAllocator.init(heap, this, 0, MarkedBlock::ImmortalStructure);
 }
 
@@ -121 +124 @@
     for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
         allocatorFor(cellSize).reset();
-        destructorAllocatorFor(cellSize).reset();
+        normalDestructorAllocatorFor(cellSize).reset();
+        immortalStructureDestructorAllocatorFor(cellSize).reset();
     }
 
     for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
         allocatorFor(cellSize).reset();
-        destructorAllocatorFor(cellSize).reset();
-    }
-
-    m_largeAllocator.reset();
-    m_structureAllocator.reset();
+        normalDestructorAllocatorFor(cellSize).reset();
+        immortalStructureDestructorAllocatorFor(cellSize).reset();
+    }
+
+    m_normalSpace.largeAllocator.reset();
+    m_normalDestructorSpace.largeAllocator.reset();
+    m_immortalStructureDestructorSpace.largeAllocator.reset();
 }
 
@@ -148 +154 @@
     for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
         allocatorFor(cellSize).canonicalizeCellLivenessData();
-        destructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
+        normalDestructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
+        immortalStructureDestructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
     }
 
     for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
         allocatorFor(cellSize).canonicalizeCellLivenessData();
-        destructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
-    }
-
-    m_largeAllocator.canonicalizeCellLivenessData();
-    m_structureAllocator.canonicalizeCellLivenessData();
+        normalDestructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
+        immortalStructureDestructorAllocatorFor(cellSize).canonicalizeCellLivenessData();
+    }
+
+    m_normalSpace.largeAllocator.canonicalizeCellLivenessData();
+    m_normalDestructorSpace.largeAllocator.canonicalizeCellLivenessData();
+    m_immortalStructureDestructorSpace.largeAllocator.canonicalizeCellLivenessData();
 }
 
@@ -163 +172 @@
 {
     for (size_t cellSize = preciseStep; cellSize <= preciseCutoff; cellSize += preciseStep) {
-        if (allocatorFor(cellSize).isPagedOut(deadline) || destructorAllocatorFor(cellSize).isPagedOut(deadline))
+        if (allocatorFor(cellSize).isPagedOut(deadline) 
+            || normalDestructorAllocatorFor(cellSize).isPagedOut(deadline) 
+            || immortalStructureDestructorAllocatorFor(cellSize).isPagedOut(deadline))
             return true;
     }
 
     for (size_t cellSize = impreciseStep; cellSize <= impreciseCutoff; cellSize += impreciseStep) {
-        if (allocatorFor(cellSize).isPagedOut(deadline) || destructorAllocatorFor(cellSize).isPagedOut(deadline))
+        if (allocatorFor(cellSize).isPagedOut(deadline) 
+            || normalDestructorAllocatorFor(cellSize).isPagedOut(deadline) 
+            || immortalStructureDestructorAllocatorFor(cellSize).isPagedOut(deadline))
             return true;
     }
 
-    if (m_largeAllocator.isPagedOut(deadline))
+    if (m_normalSpace.largeAllocator.isPagedOut(deadline)
+        || m_normalDestructorSpace.largeAllocator.isPagedOut(deadline)
+        || m_immortalStructureDestructorSpace.largeAllocator.isPagedOut(deadline))
         return true;
 
-    if (m_structureAllocator.isPagedOut(deadline))
-        return true;
-
     return false;
 }
@@ -183 +195 @@
 void MarkedSpace::freeBlock(MarkedBlock* block)
 {
-    allocatorFor(block).removeBlock(block);
+    block->allocator()->removeBlock(block);
     m_blocks.remove(block);
     if (block->capacity() == MarkedBlock::blockSize) {

trunk/Source/JavaScriptCore/heap/MarkedSpace.h

@@ -77 +77 @@
     MarkedAllocator& firstAllocator();
     MarkedAllocator& allocatorFor(size_t);
-    MarkedAllocator& allocatorFor(MarkedBlock*);
-    MarkedAllocator& destructorAllocatorFor(size_t);
-    void* allocateWithDestructor(size_t);
+    MarkedAllocator& immortalStructureDestructorAllocatorFor(size_t);
+    MarkedAllocator& normalDestructorAllocatorFor(size_t);
+    void* allocateWithNormalDestructor(size_t);
+    void* allocateWithImmortalStructureDestructor(size_t);
     void* allocateWithoutDestructor(size_t);
-    void* allocateStructure(size_t);
  
     void resetAllocators();
@@ -132 +132 @@
         FixedArray<MarkedAllocator, preciseCount> preciseAllocators;
         FixedArray<MarkedAllocator, impreciseCount> impreciseAllocators;
+        MarkedAllocator largeAllocator;
     };
 
-    Subspace m_destructorSpace;
+    Subspace m_normalDestructorSpace;
+    Subspace m_immortalStructureDestructorSpace;
     Subspace m_normalSpace;
-    MarkedAllocator m_largeAllocator;
-    MarkedAllocator m_structureAllocator;
 
     Heap* m_heap;
@@ -187 +187 @@
     if (bytes <= impreciseCutoff)
         return m_normalSpace.impreciseAllocators[(bytes - 1) / impreciseStep];
-    return m_largeAllocator;
-}
-
-inline MarkedAllocator& MarkedSpace::allocatorFor(MarkedBlock* block)
-{
-    if (block->onlyContainsStructures())
-        return m_structureAllocator;
-
-    if (block->cellsNeedDestruction())
-        return destructorAllocatorFor(block->cellSize());
-
-    return allocatorFor(block->cellSize());
-}
-
-inline MarkedAllocator& MarkedSpace::destructorAllocatorFor(size_t bytes)
+    return m_normalSpace.largeAllocator;
+}
+
+inline MarkedAllocator& MarkedSpace::immortalStructureDestructorAllocatorFor(size_t bytes)
 {
     ASSERT(bytes);
     if (bytes <= preciseCutoff)
-        return m_destructorSpace.preciseAllocators[(bytes - 1) / preciseStep];
+        return m_immortalStructureDestructorSpace.preciseAllocators[(bytes - 1) / preciseStep];
     if (bytes <= impreciseCutoff)
-        return m_normalSpace.impreciseAllocators[(bytes - 1) / impreciseStep];
-    return m_largeAllocator;
+        return m_immortalStructureDestructorSpace.impreciseAllocators[(bytes - 1) / impreciseStep];
+    return m_immortalStructureDestructorSpace.largeAllocator;
+}
+
+inline MarkedAllocator& MarkedSpace::normalDestructorAllocatorFor(size_t bytes)
+{
+    ASSERT(bytes);
+    if (bytes <= preciseCutoff)
+        return m_normalDestructorSpace.preciseAllocators[(bytes - 1) / preciseStep];
+    if (bytes <= impreciseCutoff)
+        return m_normalDestructorSpace.impreciseAllocators[(bytes - 1) / impreciseStep];
+    return m_normalDestructorSpace.largeAllocator;
 }
 
@@ -216 +215 @@
 }
 
-inline void* MarkedSpace::allocateWithDestructor(size_t bytes)
-{
-    return destructorAllocatorFor(bytes).allocate(bytes);
-}
-
-inline void* MarkedSpace::allocateStructure(size_t bytes)
-{
-    return m_structureAllocator.allocate(bytes);
+inline void* MarkedSpace::allocateWithImmortalStructureDestructor(size_t bytes)
+{
+    return immortalStructureDestructorAllocatorFor(bytes).allocate(bytes);
+}
+
+inline void* MarkedSpace::allocateWithNormalDestructor(size_t bytes)
+{
+    return normalDestructorAllocatorFor(bytes).allocate(bytes);
 }
 
@@ -230 +229 @@
     for (size_t i = 0; i < preciseCount; ++i) {
         m_normalSpace.preciseAllocators[i].forEachBlock(functor);
-        m_destructorSpace.preciseAllocators[i].forEachBlock(functor);
+        m_normalDestructorSpace.preciseAllocators[i].forEachBlock(functor);
+        m_immortalStructureDestructorSpace.preciseAllocators[i].forEachBlock(functor);
     }
 
     for (size_t i = 0; i < impreciseCount; ++i) {
         m_normalSpace.impreciseAllocators[i].forEachBlock(functor);
-        m_destructorSpace.impreciseAllocators[i].forEachBlock(functor);
+        m_normalDestructorSpace.impreciseAllocators[i].forEachBlock(functor);
+        m_immortalStructureDestructorSpace.impreciseAllocators[i].forEachBlock(functor);
     }
 
-    m_largeAllocator.forEachBlock(functor);
-    m_structureAllocator.forEachBlock(functor);
+    m_normalSpace.largeAllocator.forEachBlock(functor);
+    m_normalDestructorSpace.largeAllocator.forEachBlock(functor);
+    m_immortalStructureDestructorSpace.largeAllocator.forEachBlock(functor);
 
     return functor.returnValue();

trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp

@@ -6 +6 @@
 #include "CopiedSpaceInlineMethods.h"
 #include "JSArray.h"
+#include "JSDestructibleObject.h"
 #include "JSGlobalData.h"
 #include "JSObject.h"