Changeset 28106 in webkit for trunk/JavaScriptCore

Timestamp:

Nov 28, 2007, 2:08:09 AM (18 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

Reviewed by Darin and Geoff.

• Fixed "Stack overflow crash in JavaScript garbage collector mark pass" ​http://bugs.webkit.org/show_bug.cgi?id=12216

Implement mark stack. This version is not suitable for prime time because it makes a
huge allocation on every collect, and potentially makes marking of detached subtrees
slow. But it is an 0.4% SunSpider speedup even without much tweaking.

The basic approach is to replace mark() methods with
markChildren(MarkStack&) methods. Reachable references are pushed
onto a mark stack (which encapsulates ignoring already-marked
references).

Objects are no longer responsible for actually setting their own
mark bits, the collector does that. This means that for objects on
the number heap we don't have to call markChildren() at all since
we know there aren't any.

The mark phase of collect pushes roots onto the mark stack
and drains it as often as possible.

To make this approach viable requires a constant-size mark stack
and a slow fallback approach for when the stack size is exceeded,
plus optimizations to make the required stack small in common
cases. This should be doable.

• JavaScriptCore.exp: Export new symbols.
• JavaScriptCore.xcodeproj/project.pbxproj: Add new file.
• kjs/collector.cpp: (KJS::Collector::heapAllocate): (KJS::drainMarkStack): Helper for all of the below. (KJS::Collector::markStackObjectsConservatively): Use mark stack. (KJS::Collector::markCurrentThreadConservatively): ditto (KJS::Collector::markOtherThreadConservatively): ditto (KJS::Collector::markProtectedObjects): ditto (KJS::Collector::markMainThreadOnlyObjects): ditto (KJS::Collector::collect): ditto
• kjs/collector.h: (KJS::Collector::cellMayHaveRefs): Helper for MarkStack.

• kjs/MarkStack.h: Added. The actual mark stack implementation. (KJS::MarkStack::push): (KJS::MarkStack::pushAtom): (KJS::MarkStack::pop): (KJS::MarkStack::isEmpty): (KJS::MarkStack::reserveCapacity):

Changed mark() methods to markChildren() methods:

• kjs/ExecState.cpp: (KJS::ExecState::markChildren):
• kjs/ExecState.h:
• kjs/JSWrapperObject.cpp: (KJS::JSWrapperObject::markChildren):
• kjs/JSWrapperObject.h:
• kjs/array_instance.cpp: (KJS::ArrayInstance::markChildren):
• kjs/array_instance.h:
• kjs/bool_object.cpp: (BooleanInstance::markChildren):
• kjs/bool_object.h:
• kjs/error_object.cpp:
• kjs/error_object.h:
• kjs/function.cpp: (KJS::FunctionImp::markChildren): (KJS::Arguments::Arguments): (KJS::Arguments::markChildren): (KJS::ActivationImp::markChildren):
• kjs/function.h:
• kjs/internal.cpp: (KJS::GetterSetterImp::markChildren):
• kjs/interpreter.cpp: (KJS::Interpreter::markRoots):
• kjs/interpreter.h:
• kjs/list.cpp: (KJS::List::markProtectedListsSlowCase):
• kjs/list.h: (KJS::List::markProtectedLists):
• kjs/object.cpp: (KJS::JSObject::markChildren):
• kjs/object.h: (KJS::ScopeChain::markChildren):
• kjs/property_map.cpp: (KJS::PropertyMap::markChildren):
• kjs/property_map.h:
• kjs/scope_chain.h:
• kjs/string_object.cpp: (KJS::StringInstance::markChildren):
• kjs/string_object.h:

JavaScriptGlue:

Reviewed by Darin and Geoff.

Fixups for JavaScriptCore mark stack.

• JSObject.cpp: (JSUserObject::Mark):
• JSObject.h:
• JSValueWrapper.cpp: (JSValueWrapper::JSObjectMark):
• JSValueWrapper.h:
• UserObjectImp.cpp:
• UserObjectImp.h:

WebCore:

Reviewed by Darin and Geoff.

Implement mark stack. This version is not suitable for prime time because it makes a
huge allocation on every collect, and potentially makes marking of detached subtrees
slow. But it is a .2% - .4% speedup even without much tweaking.

I replaced mark() methods with markChildren() as usual. One
optimization that is lost is avoiding walking detached DOM
subtrees more than once to mark them; since marking is not
recursive there's no obvious way to bracket operation on the tree
any more.

• bindings/js/JSDocumentCustom.cpp: (WebCore::JSDocument::markChildren):
• bindings/js/JSNodeCustom.cpp: (WebCore::JSNode::markChildren):
• bindings/js/JSNodeFilterCondition.cpp:
• bindings/js/JSNodeFilterCondition.h:
• bindings/js/JSNodeFilterCustom.cpp: (WebCore::JSNodeFilter::markChildren):
• bindings/js/JSNodeIteratorCustom.cpp: (WebCore::JSNodeIterator::markChildren):
• bindings/js/JSTreeWalkerCustom.cpp: (WebCore::JSTreeWalker::markChildren):
• bindings/js/JSXMLHttpRequest.cpp: (KJS::JSXMLHttpRequest::markChildren):
• bindings/js/JSXMLHttpRequest.h:
• bindings/js/kjs_binding.cpp: (KJS::ScriptInterpreter::markDOMNodesForDocument):
• bindings/js/kjs_binding.h:
• bindings/js/kjs_events.cpp: (WebCore::JSUnprotectedEventListener::markChildren):
• bindings/js/kjs_events.h:
• bindings/js/kjs_window.cpp: (KJS::Window::markChildren):
• bindings/js/kjs_window.h:
• bindings/scripts/CodeGeneratorJS.pm:
• dom/Node.cpp: (WebCore::Node::Node):
• dom/Node.h:
• dom/NodeFilter.h:
• dom/NodeFilterCondition.h:

LayoutTests:

Not reviewed.

• Test cases for "Stack overflow crash in JavaScript garbage collector mark pass" ​http://bugs.webkit.org/show_bug.cgi?id=12216

I have fixed this with the mark stack work.

• fast/js/gc-breadth-2-expected.txt: Added.
• fast/js/gc-breadth-2.html: Added.
• fast/js/gc-breadth-expected.txt: Added.
• fast/js/gc-breadth.html: Added.
• fast/js/gc-depth-expected.txt: Added.
• fast/js/gc-depth.html: Added.
• fast/js/resources/gc-breadth-2.js: Added.
• fast/js/resources/gc-breadth.js: Added.
• fast/js/resources/gc-depth.js: Added.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.exp (modified) (5 diffs)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• kjs/ExecState.cpp (modified) (1 diff)
• kjs/ExecState.h (modified) (1 diff)
• kjs/JSWrapperObject.cpp (modified) (1 diff)
• kjs/JSWrapperObject.h (modified) (2 diffs)
• kjs/array_instance.cpp (modified) (2 diffs)
• kjs/array_instance.h (modified) (1 diff)
• kjs/bool_object.cpp (modified) (1 diff)
• kjs/bool_object.h (modified) (1 diff)
• kjs/collector.cpp (modified) (14 diffs)
• kjs/collector.h (modified) (7 diffs)
• kjs/error_object.cpp (modified) (1 diff)
• kjs/error_object.h (modified) (1 diff)
• kjs/function.cpp (modified) (4 diffs)
• kjs/function.h (modified) (3 diffs)
• kjs/internal.cpp (modified) (1 diff)
• kjs/interpreter.cpp (modified) (1 diff)
• kjs/interpreter.h (modified) (1 diff)
• kjs/list.cpp (modified) (2 diffs)
• kjs/list.h (modified) (2 diffs)
• kjs/object.cpp (modified) (2 diffs)
• kjs/object.h (modified) (4 diffs)
• kjs/property_map.cpp (modified) (2 diffs)
• kjs/property_map.h (modified) (2 diffs)
• kjs/scope_chain.h (modified) (1 diff)
• kjs/string_object.cpp (modified) (1 diff)
• kjs/string_object.h (modified) (1 diff)
• kjs/value.h (modified) (6 diffs)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2007-11-28  Maciej Stachowiak  <[email protected]>
+
+        Reviewed by Darin and Geoff.
+
+        - Fixed "Stack overflow crash in JavaScript garbage collector mark pass"
+        http://bugs.webkit.org/show_bug.cgi?id=12216
+        
+        Implement mark stack. This version is not suitable for prime time because it makes a
+        huge allocation on every collect, and potentially makes marking of detached subtrees
+        slow. But it is an 0.4% SunSpider speedup even without much tweaking.
+        
+        The basic approach is to replace mark() methods with
+        markChildren(MarkStack&) methods. Reachable references are pushed
+        onto a mark stack (which encapsulates ignoring already-marked
+        references). 
+        
+        Objects are no longer responsible for actually setting their own
+        mark bits, the collector does that. This means that for objects on
+        the number heap we don't have to call markChildren() at all since
+        we know there aren't any.
+        
+        The mark phase of collect pushes roots onto the mark stack
+        and drains it as often as possible.
+        
+        To make this approach viable requires a constant-size mark stack
+        and a slow fallback approach for when the stack size is exceeded,
+        plus optimizations to make the required stack small in common
+        cases. This should be doable.
+
+        * JavaScriptCore.exp: Export new symbols.
+        * JavaScriptCore.xcodeproj/project.pbxproj: Add new file.
+        * kjs/collector.cpp:
+        (KJS::Collector::heapAllocate):
+        (KJS::drainMarkStack): Helper for all of the below.
+        (KJS::Collector::markStackObjectsConservatively): Use mark stack.
+        (KJS::Collector::markCurrentThreadConservatively): ditto
+        (KJS::Collector::markOtherThreadConservatively): ditto
+        (KJS::Collector::markProtectedObjects): ditto
+        (KJS::Collector::markMainThreadOnlyObjects): ditto
+        (KJS::Collector::collect): ditto
+        * kjs/collector.h:
+        (KJS::Collector::cellMayHaveRefs): Helper for MarkStack.
+
+        * kjs/MarkStack.h: Added. The actual mark stack implementation.
+        (KJS::MarkStack::push):
+        (KJS::MarkStack::pushAtom):
+        (KJS::MarkStack::pop):
+        (KJS::MarkStack::isEmpty):
+        (KJS::MarkStack::reserveCapacity):
+
+        Changed mark() methods to markChildren() methods:
+        
+        * kjs/ExecState.cpp:
+        (KJS::ExecState::markChildren):
+        * kjs/ExecState.h:
+        * kjs/JSWrapperObject.cpp:
+        (KJS::JSWrapperObject::markChildren):
+        * kjs/JSWrapperObject.h:
+        * kjs/array_instance.cpp:
+        (KJS::ArrayInstance::markChildren):
+        * kjs/array_instance.h:
+        * kjs/bool_object.cpp:
+        (BooleanInstance::markChildren):
+        * kjs/bool_object.h:
+        * kjs/error_object.cpp:
+        * kjs/error_object.h:
+        * kjs/function.cpp:
+        (KJS::FunctionImp::markChildren):
+        (KJS::Arguments::Arguments):
+        (KJS::Arguments::markChildren):
+        (KJS::ActivationImp::markChildren):
+        * kjs/function.h:
+        * kjs/internal.cpp:
+        (KJS::GetterSetterImp::markChildren):
+        * kjs/interpreter.cpp:
+        (KJS::Interpreter::markRoots):
+        * kjs/interpreter.h:
+        * kjs/list.cpp:
+        (KJS::List::markProtectedListsSlowCase):
+        * kjs/list.h:
+        (KJS::List::markProtectedLists):
+        * kjs/object.cpp:
+        (KJS::JSObject::markChildren):
+        * kjs/object.h:
+        (KJS::ScopeChain::markChildren):
+        * kjs/property_map.cpp:
+        (KJS::PropertyMap::markChildren):
+        * kjs/property_map.h:
+        * kjs/scope_chain.h:
+        * kjs/string_object.cpp:
+        (KJS::StringInstance::markChildren):
+        * kjs/string_object.h:
+
 2007-11-27  Alp Toker  <[email protected]>
 

trunk/JavaScriptCore/JavaScriptCore.exp

@@ -123 +123 @@
 __ZN3KJS11Interpreter24setShouldPrintExceptionsEb
 __ZN3KJS11Interpreter27resetGlobalObjectPropertiesEv
-__ZN3KJS11Interpreter4markEv
 __ZN3KJS11Interpreter6s_hookE
 __ZN3KJS11Interpreter8evaluateERKNS_7UStringEiPKNS_5UCharEiPNS_7JSValueE
 __ZN3KJS11Interpreter8evaluateERKNS_7UStringEiS3_PNS_7JSValueE
+__ZN3KJS11Interpreter9markRootsERNS_9MarkStackE
 __ZN3KJS11InterpreterC1Ev
 __ZN3KJS11InterpreterC2Ev
@@ -145 +145 @@
 __ZN3KJS13SavedBuiltinsD1Ev
 __ZN3KJS13jsOwnedStringERKNS_7UStringE
+__ZN3KJS14StringInstance12markChildrenERNS_9MarkStackE
 __ZN3KJS14StringInstance14deletePropertyEPNS_9ExecStateERKNS_10IdentifierE
 __ZN3KJS14StringInstance16getPropertyNamesEPNS_9ExecStateERNS_17PropertyNameArrayE
@@ -153 +154 @@
 __ZN3KJS14StringInstanceC1EPNS_8JSObjectERKNS_7UStringE
 __ZN3KJS14StringInstanceC2EPNS_8JSObjectERKNS_7UStringE
-__ZN3KJS15JSWrapperObject4markEv
 __ZN3KJS15SavedPropertiesC1Ev
 __ZN3KJS15SavedPropertiesD1Ev
@@ -202 +202 @@
 __ZN3KJS8DebuggerD2Ev
 __ZN3KJS8JSObject11hasInstanceEPNS_9ExecStateEPNS_7JSValueE
+__ZN3KJS8JSObject12markChildrenERNS_9MarkStackE
 __ZN3KJS8JSObject12removeDirectERKNS_10IdentifierE
 __ZN3KJS8JSObject14callAsFunctionEPNS_9ExecStateEPS0_RKNS_4ListE
@@ -213 +214 @@
 __ZN3KJS8JSObject3putEPNS_9ExecStateEjPNS_7JSValueEi
 __ZN3KJS8JSObject4callEPNS_9ExecStateEPS0_RKNS_4ListE
-__ZN3KJS8JSObject4markEv
 __ZN3KJS8JSObject9constructEPNS_9ExecStateERKNS_4ListE
 __ZN3KJS8JSObject9constructEPNS_9ExecStateERKNS_4ListERKNS_10IdentifierERKNS_7UStringEi

trunk/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -100 +100 @@
                 6592C319098B7DE10003D4F6 /* VectorTraits.h in Headers */ = {isa = PBXBuildFile; fileRef = 6592C317098B7DE10003D4F6 /* VectorTraits.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 65A7A5E00CD1D50E00061F8E /* LabelStack.h in Headers */ = {isa = PBXBuildFile; fileRef = 65B813A80CD1D01900DF59D6 /* LabelStack.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                65A8B8DB0CF408F400DC7C27 /* MarkStack.h in Headers */ = {isa = PBXBuildFile; fileRef = 65A8B8D80CF408E900DC7C27 /* MarkStack.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 65B1749A09D0FEB700820339 /* array_object.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = 65B1749909D0FEB700820339 /* array_object.lut.h */; };
                 65B174F509D100FA00820339 /* math_object.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = 65B174F109D100FA00820339 /* math_object.lut.h */; };
@@ -511 +512 @@
                 6592C316098B7DE10003D4F6 /* Vector.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Vector.h; sourceTree = "<group>"; };
                 6592C317098B7DE10003D4F6 /* VectorTraits.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = VectorTraits.h; sourceTree = "<group>"; };
+                65A8B8D80CF408E900DC7C27 /* MarkStack.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MarkStack.h; sourceTree = "<group>"; };
                 65B1749909D0FEB700820339 /* array_object.lut.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = file; name = array_object.lut.h; path = ../../../../../symroots/Debug/DerivedSources/JavaScriptCore/array_object.lut.h; sourceTree = "<group>"; };
                 65B174BE09D1000200820339 /* chartables.c */ = {isa = PBXFileReference; explicitFileType = sourcecode.c.c; fileEncoding = 30; path = chartables.c; sourceTree = "<group>"; };
@@ -1009 +1011 @@
                                 F692A8690255597D01FF60F7 /* lookup.h */,
                                 F692A86A0255597D01FF60F7 /* math_object.cpp */,
+                                65A8B8D80CF408E900DC7C27 /* MarkStack.h */,
                                 F692A86B0255597D01FF60F7 /* math_object.h */,
                                 F692A86D0255597D01FF60F7 /* nodes.cpp */,
@@ -1171 +1174 @@
                                 65F340940CD6C1C000C0CA8B /* LocalStorage.h in Headers */,
                                 5DBD18B00C5401A700C15EAE /* MallocZoneSupport.h in Headers */,
+                                65A8B8DB0CF408F400DC7C27 /* MarkStack.h in Headers */,
                                 BCF655590A2049710038A194 /* MathExtras.h in Headers */,
                                 932F5B840822A1C700736975 /* NP_jsobject.h in Headers */,

trunk/JavaScriptCore/kjs/ExecState.cpp

@@ -89 +89 @@
 }
 
-void ExecState::mark()
+void ExecState::markChildren(MarkStack& stack)
 {
     for (ExecState* exec = this; exec; exec = exec->m_callingExecState)
-        exec->m_scopeChain.mark();
+        exec->m_scopeChain.markChildren(stack);
 }
 

trunk/JavaScriptCore/kjs/ExecState.h

@@ -101 +101 @@
         void setGlobalObject(JSGlobalObject*);
         
-        void mark();
+        void markChildren(MarkStack&);
         
         // This is a workaround to avoid accessing the global variables for these identifiers in

trunk/JavaScriptCore/kjs/JSWrapperObject.cpp

@@ -25 +25 @@
 namespace KJS {
 
-void JSWrapperObject::mark() 
+void JSWrapperObject::markChildren(MarkStack& stack) 
 {
-    JSObject::mark();
-    if (m_internalValue && !m_internalValue->marked())
-        m_internalValue->mark();
+    JSObject::markChildren(stack);
+    stack.pushAtom(m_internalValue);
 }
 

trunk/JavaScriptCore/kjs/JSWrapperObject.h

@@ -57 +57 @@
         void setInternalValue(JSValue* v);
         
-        virtual void mark();
+        virtual void markChildren(MarkStack& stack);
         
     private:
@@ -65 +65 @@
     inline JSWrapperObject::JSWrapperObject(JSValue* proto)
         : JSObject(proto)
-        , m_internalValue(0)
+        , m_internalValue(jsNull())
     {
     }

trunk/JavaScriptCore/kjs/array_instance.cpp

@@ -403 +403 @@
 }
 
-void ArrayInstance::mark()
-{
-    JSObject::mark();
+void ArrayInstance::markChildren(MarkStack& stack)
+{
+    JSObject::markChildren(stack);
 
     ArrayStorage* storage = m_storage;
@@ -412 +412 @@
     for (unsigned i = 0; i < usedVectorLength; ++i) {
         JSValue* value = storage->m_vector[i];
-        if (value && !value->marked())
-            value->mark();
+        if (value)
+            stack.push(value);
     }
 
     if (SparseArrayValueMap* map = storage->m_sparseValueMap) {
         SparseArrayValueMap::iterator end = map->end();
-        for (SparseArrayValueMap::iterator it = map->begin(); it != end; ++it) {
-            JSValue* value = it->second;
-            if (!value->marked())
-                value->mark();
-        }
+        for (SparseArrayValueMap::iterator it = map->begin(); it != end; ++it)
+            stack.push(it->second);
     }
 }

trunk/JavaScriptCore/kjs/array_instance.h

@@ -43 +43 @@
     virtual void getPropertyNames(ExecState*, PropertyNameArray&);
 
-    virtual void mark();
+    virtual void markChildren(MarkStack&);
 
     virtual const ClassInfo* classInfo() const { return &info; }

trunk/JavaScriptCore/kjs/bool_object.cpp

@@ -37 +37 @@
   : JSWrapperObject(proto)
 {
+}
+
+void BooleanInstance::markChildren(MarkStack& stack)
+{
+    JSObject::markChildren(stack);
+    ASSERT(JSImmediate::isImmediate(internalValue()));
 }
 

trunk/JavaScriptCore/kjs/bool_object.h

@@ -33 +33 @@
 
     virtual const ClassInfo *classInfo() const { return &info; }
+    virtual void markChildren(MarkStack& stack);
     static const ClassInfo info;
   };

trunk/JavaScriptCore/kjs/collector.cpp

@@ -27 +27 @@
 #include "internal.h"
 #include "list.h"
+#include "MarkStack.h"
 #include "value.h"
 #include <algorithm>
@@ -278 +279 @@
     targetBlock = (Block*)allocateBlock();
     targetBlock->freeList = targetBlock->cells;
+    if (heapType == PrimaryHeap)
+        targetBlock->mayHaveRefs = 1;
     targetBlockUsedCells = 0;
     heap.blocks[usedBlocks] = (CollectorBlock*)targetBlock;
@@ -480 +483 @@
 #define IS_HALF_CELL_ALIGNED(p) (((intptr_t)(p) & (CELL_MASK >> 1)) == 0)
 
-void Collector::markStackObjectsConservatively(void *start, void *end)
+static inline void drainMarkStack(MarkStack& stack)
+{
+    while (!stack.isEmpty())
+        stack.pop()->markChildren(stack);
+}
+
+
+void Collector::markStackObjectsConservatively(MarkStack& stack, void *start, void *end)
 {
   if (start > end) {
@@ -522 +532 @@
                   if (((CollectorCell*)xAsBits)->u.freeCell.zeroIfFree != 0) {
                       JSCell* imp = reinterpret_cast<JSCell*>(xAsBits);
-                      if (!imp->marked())
-                          imp->mark();
+                      stack.push(imp);
+                      drainMarkStack(stack);
                   }
                   break;
@@ -534 +544 @@
 }
 
-void Collector::markCurrentThreadConservatively()
+void Collector::markCurrentThreadConservatively(MarkStack& stack)
 {
     // setjmp forces volatile registers onto the stack
@@ -551 +561 @@
     void* stackBase = currentThreadStackBase();
 
-    markStackObjectsConservatively(stackPointer, stackBase);
+    markStackObjectsConservatively(stack, stackPointer, stackBase);
 }
 
@@ -694 +704 @@
 }
 
-void Collector::markOtherThreadConservatively(Thread* thread)
+void Collector::markOtherThreadConservatively(MarkStack& stack, Thread* thread)
 {
   suspendThread(thread->platformThread);
@@ -702 +712 @@
 
   // mark the thread's registers
-  markStackObjectsConservatively((void*)&regs, (void*)((char*)&regs + regSize));
+  markStackObjectsConservatively(stack, (void*)&regs, (void*)((char*)&regs + regSize));
  
   void* stackPointer = otherThreadStackPointer(regs);
   void* stackBase = otherThreadStackBase(regs, thread);
-  markStackObjectsConservatively(stackPointer, stackBase);
+  markStackObjectsConservatively(stack, stackPointer, stackBase);
 
   resumeThread(thread->platformThread);
@@ -713 +723 @@
 #endif
 
-void Collector::markStackObjectsConservatively()
-{
-  markCurrentThreadConservatively();
+void Collector::markStackObjectsConservatively(MarkStack& stack)
+{
+  markCurrentThreadConservatively(stack);
 
 #if USE(MULTIPLE_THREADS)
   for (Thread *thread = registeredThreads; thread != NULL; thread = thread->next) {
     if (!pthread_equal(thread->posixThread, pthread_self())) {
-      markOtherThreadConservatively(thread);
+        markOtherThreadConservatively(stack, thread);
     }
   }
@@ -772 +782 @@
 }
 
-void Collector::markProtectedObjects()
+void Collector::markProtectedObjects(MarkStack& stack)
 {
   ProtectCountSet& protectedValues = KJS::protectedValues();
   ProtectCountSet::iterator end = protectedValues.end();
   for (ProtectCountSet::iterator it = protectedValues.begin(); it != end; ++it) {
-    JSCell *val = it->first;
-    if (!val->marked())
-      val->mark();
-  }
-}
-
-void Collector::markMainThreadOnlyObjects()
+    stack.push(it->first);
+    drainMarkStack(stack);
+  }
+}
+
+void Collector::markMainThreadOnlyObjects(MarkStack& stack)
 {
 #if USE(MULTIPLE_THREADS)
@@ -815 +824 @@
                     if (!curBlock->marked.get(i)) {
                         JSCell* imp = reinterpret_cast<JSCell*>(cell);
-                        imp->mark();
+                        stack.push(imp);
+                        drainMarkStack(stack);
                     }
                     if (++count == mainThreadOnlyObjectCount)
@@ -951 +961 @@
   // MARK: first mark all referenced objects recursively starting out from the set of root objects
 
+  size_t originalLiveObjects = primaryHeap.numLiveObjects + numberHeap.numLiveObjects;
+
+  MarkStack stack;
+  stack.reserveCapacity(primaryHeap.numLiveObjects);
+
 #ifndef NDEBUG
   // Forbid malloc during the mark phase. Marking a thread suspends it, so 
-  // a malloc inside mark() would risk a deadlock with a thread that had been 
+  // a malloc inside markChildren() would risk a deadlock with a thread that had been 
   // suspended while holding the malloc lock.
   fastMallocForbid();
@@ -961 +976 @@
     Interpreter* scr = Interpreter::s_hook;
     do {
-      scr->mark();
+      scr->markRoots(stack);
+      drainMarkStack(stack);
       scr = scr->next;
     } while (scr != Interpreter::s_hook);
   }
 
-  markStackObjectsConservatively();
-  markProtectedObjects();
-  List::markProtectedLists();
+  markStackObjectsConservatively(stack);
+  markProtectedObjects(stack);
+  List::markProtectedLists(stack);
+  drainMarkStack(stack);
 #if USE(MULTIPLE_THREADS)
   if (!currentThreadIsMainThread)
-    markMainThreadOnlyObjects();
+    markMainThreadOnlyObjects(stack);
 #endif
 
@@ -978 +995 @@
 #endif
     
-  size_t originalLiveObjects = primaryHeap.numLiveObjects + numberHeap.numLiveObjects;
   size_t numLiveObjects = sweep<PrimaryHeap>(currentThreadIsMainThread);
   numLiveObjects += sweep<NumberHeap>(currentThreadIsMainThread);

trunk/JavaScriptCore/kjs/collector.h

@@ -32 +32 @@
 namespace KJS {
 
+  class CollectorBlock;
   class JSCell;
   class JSValue;
-  class CollectorBlock;
+  class MarkStack;
 
   class Collector {
@@ -66 +67 @@
     static bool isCellMarked(const JSCell*);
     static void markCell(JSCell*);
+    static bool cellMayHaveRefs(const JSCell*);
 
     enum HeapType { PrimaryHeap, NumberHeap };
@@ -79 +81 @@
 
     static void recordExtraCost(size_t);
-    static void markProtectedObjects();
-    static void markMainThreadOnlyObjects();
-    static void markCurrentThreadConservatively();
-    static void markOtherThreadConservatively(Thread*);
-    static void markStackObjectsConservatively();
-    static void markStackObjectsConservatively(void* start, void* end);
+    static void markProtectedObjects(MarkStack&);
+    static void markMainThreadOnlyObjects(MarkStack&);
+    static void markCurrentThreadConservatively(MarkStack&);
+    static void markOtherThreadConservatively(MarkStack&, Thread*);
+    static void markStackObjectsConservatively(MarkStack&);
+    static void markStackObjectsConservatively(MarkStack&, void* start, void* end);
 
     static size_t mainThreadOnlyObjectCount;
@@ -108 +110 @@
   const size_t CELL_MASK = CELL_SIZE - 1;
   const size_t CELL_ALIGN_MASK = ~CELL_MASK;
-  const size_t CELLS_PER_BLOCK = (BLOCK_SIZE * 8 - sizeof(uint32_t) * 8 - sizeof(void *) * 8 - 2 * (7 + 3 * 8)) / (CELL_SIZE * 8 + 2);
+  const size_t CELLS_PER_BLOCK = (BLOCK_SIZE * 8 - sizeof(uint32_t) * 8 - sizeof(uint32_t) * 8 - sizeof(void *) * 8 - 2 * (7 + 3 * 8)) / (CELL_SIZE * 8 + 2);
   const size_t SMALL_CELLS_PER_BLOCK = 2 * CELLS_PER_BLOCK;
   const size_t BITMAP_SIZE = (CELLS_PER_BLOCK + 7) / 8;
@@ -146 +148 @@
     uint32_t usedCells;
     CollectorCell* freeList;
+    uint32_t mayHaveRefs;
     CollectorBitmap marked;
     CollectorBitmap collectOnMainThreadOnly;
@@ -155 +158 @@
     uint32_t usedCells;
     SmallCollectorCell* freeList;
+    uint32_t mayHaveRefs;
     CollectorBitmap marked;
     CollectorBitmap collectOnMainThreadOnly;
@@ -182 +186 @@
   {
     cellBlock(cell)->marked.set(cellOffset(cell));
+  }
+
+  inline bool Collector::cellMayHaveRefs(const JSCell* cell)
+  {
+    return cellBlock(cell)->mayHaveRefs;
   }
 

trunk/JavaScriptCore/kjs/error_object.cpp

@@ -157 +157 @@
 }
 
-void NativeErrorImp::mark()
-{
-  JSObject::mark();
-  if (proto && !proto->marked())
-    proto->mark();
-}

trunk/JavaScriptCore/kjs/error_object.h

@@ -76 +76 @@
     virtual JSValue *callAsFunction(ExecState *exec, JSObject *thisObj, const List &args);
 
-    virtual void mark();
-
     virtual const ClassInfo *classInfo() const { return &info; }
     static const ClassInfo info;

trunk/JavaScriptCore/kjs/function.cpp

@@ -62 +62 @@
 }
 
-void FunctionImp::mark()
-{
-    InternalFunctionImp::mark();
-    _scope.mark();
+void FunctionImp::markChildren(MarkStack& stack)
+{
+    InternalFunctionImp::markChildren(stack);
+    _scope.markChildren(stack);
 }
 
@@ -332 +332 @@
 // ECMA 10.1.8
 Arguments::Arguments(ExecState* exec, FunctionImp* func, const List& args, ActivationImp* act)
-: JSObject(exec->lexicalInterpreter()->builtinObjectPrototype()), 
-_activationObject(act),
-indexToNameMap(func, args)
+  : JSObject(exec->lexicalInterpreter()->builtinObjectPrototype()) 
+  , _activationObject(act)
+  , indexToNameMap(func, args)
 {
   putDirect(exec->propertyNames().callee, func, DontEnum);
@@ -348 +348 @@
 }
 
-void Arguments::mark() 
-{
-  JSObject::mark();
-  if (_activationObject && !_activationObject->marked())
-    _activationObject->mark();
+void Arguments::markChildren(MarkStack& stack) 
+{
+  JSObject::markChildren(stack);
+  stack.push(_activationObject);
 }
 
@@ -485 +484 @@
 }
 
-void ActivationImp::mark()
-{
-    JSObject::mark();
+void ActivationImp::markChildren(MarkStack& stack)
+{
+    JSObject::markChildren(stack);
 
     size_t size = d->localStorage.size();
-    for (size_t i = 0; i < size; ++i) {
-        JSValue* value = d->localStorage[i].value;
-        if (!value->marked())
-            value->mark();
-    }
+    for (size_t i = 0; i < size; ++i)
+        stack.push(d->localStorage[i].value);
     
-    ASSERT(d->function);
-    if (!d->function->marked())
-        d->function->mark();
-
-    if (d->argumentsObject && !d->argumentsObject->marked())
-        d->argumentsObject->mark();
+    stack.push(d->function);
+    if (d->argumentsObject)
+      stack.push(d->argumentsObject);
 }
 

trunk/JavaScriptCore/kjs/function.h

@@ -96 +96 @@
     const ScopeChain& scope() const { return _scope; }
 
-    virtual void mark();
+    virtual void markChildren(MarkStack&);
 
   private:
@@ -125 +125 @@
   public:
     Arguments(ExecState*, FunctionImp* func, const List& args, ActivationImp* act);
-    virtual void mark();
+    virtual void markChildren(MarkStack&);
     virtual bool getOwnPropertySlot(ExecState*, const Identifier&, PropertySlot&);
     virtual void put(ExecState*, const Identifier& propertyName, JSValue* value, int attr = None);
@@ -165 +165 @@
     static const ClassInfo info;
 
-    virtual void mark();
+    virtual void markChildren(MarkStack&);
 
     bool isActivation() { return true; }

trunk/JavaScriptCore/kjs/internal.cpp

@@ -145 +145 @@
 
 // --------------------------- GetterSetterImp ---------------------------------
-void GetterSetterImp::mark()
-{
-    JSCell::mark();
-    
-    if (getter && !getter->marked())
-        getter->mark();
-    if (setter && !setter->marked())
-        setter->mark();
+void GetterSetterImp::markChildren(MarkStack& stack)
+{
+    if (getter)
+        stack.push(getter);
+    if (setter)
+        stack.push(setter);
 }
 

trunk/JavaScriptCore/kjs/interpreter.cpp

@@ -545 +545 @@
 }
 
-void Interpreter::mark()
+void Interpreter::markRoots(MarkStack& stack)
 {
     if (m_currentExec)
-        m_currentExec->mark();
-
-    if (m_globalExec.exception() && !m_globalExec.exception()->marked())
-        m_globalExec.exception()->mark();
-
-    if (m_globalObject && !m_globalObject->marked())
-        m_globalObject->mark();
-
-    if (m_Object && !m_Object->marked())
-        m_Object->mark();
-    if (m_Function && !m_Function->marked())
-        m_Function->mark();
-    if (m_Array && !m_Array->marked())
-        m_Array->mark();
-    if (m_Boolean && !m_Boolean->marked())
-        m_Boolean->mark();
-    if (m_String && !m_String->marked())
-        m_String->mark();
-    if (m_Number && !m_Number->marked())
-        m_Number->mark();
-    if (m_Date && !m_Date->marked())
-        m_Date->mark();
-    if (m_RegExp && !m_RegExp->marked())
-        m_RegExp->mark();
-    if (m_Error && !m_Error->marked())
-        m_Error->mark();
-    
-    if (m_ObjectPrototype && !m_ObjectPrototype->marked())
-        m_ObjectPrototype->mark();
-    if (m_FunctionPrototype && !m_FunctionPrototype->marked())
-        m_FunctionPrototype->mark();
-    if (m_ArrayPrototype && !m_ArrayPrototype->marked())
-        m_ArrayPrototype->mark();
-    if (m_BooleanPrototype && !m_BooleanPrototype->marked())
-        m_BooleanPrototype->mark();
-    if (m_StringPrototype && !m_StringPrototype->marked())
-        m_StringPrototype->mark();
-    if (m_NumberPrototype && !m_NumberPrototype->marked())
-        m_NumberPrototype->mark();
-    if (m_DatePrototype && !m_DatePrototype->marked())
-        m_DatePrototype->mark();
-    if (m_RegExpPrototype && !m_RegExpPrototype->marked())
-        m_RegExpPrototype->mark();
-    if (m_ErrorPrototype && !m_ErrorPrototype->marked())
-        m_ErrorPrototype->mark();
-    
-    if (m_EvalError && !m_EvalError->marked())
-        m_EvalError->mark();
-    if (m_RangeError && !m_RangeError->marked())
-        m_RangeError->mark();
-    if (m_ReferenceError && !m_ReferenceError->marked())
-        m_ReferenceError->mark();
-    if (m_SyntaxError && !m_SyntaxError->marked())
-        m_SyntaxError->mark();
-    if (m_TypeError && !m_TypeError->marked())
-        m_TypeError->mark();
-    if (m_UriError && !m_UriError->marked())
-        m_UriError->mark();
-    
-    if (m_EvalErrorPrototype && !m_EvalErrorPrototype->marked())
-        m_EvalErrorPrototype->mark();
-    if (m_RangeErrorPrototype && !m_RangeErrorPrototype->marked())
-        m_RangeErrorPrototype->mark();
-    if (m_ReferenceErrorPrototype && !m_ReferenceErrorPrototype->marked())
-        m_ReferenceErrorPrototype->mark();
-    if (m_SyntaxErrorPrototype && !m_SyntaxErrorPrototype->marked())
-        m_SyntaxErrorPrototype->mark();
-    if (m_TypeErrorPrototype && !m_TypeErrorPrototype->marked())
-        m_TypeErrorPrototype->mark();
-    if (m_UriErrorPrototype && !m_UriErrorPrototype->marked())
-        m_UriErrorPrototype->mark();
+        m_currentExec->markChildren(stack);
+
+    if (m_globalExec.exception())
+        stack.push(m_globalExec.exception());
+
+    if (m_globalObject)
+        stack.push(m_globalObject);
+
+    if (m_Object)
+       stack.push(m_Object);
+    if (m_Function)
+        stack.push(m_Function);
+    if (m_Array)
+        stack.push(m_Array);
+    if (m_Boolean)
+        stack.push(m_Boolean);
+    if (m_String)
+        stack.push(m_String);
+    if (m_Number)
+        stack.push(m_Number);
+    if (m_Date)
+        stack.push(m_Date);
+    if (m_RegExp)
+        stack.push(m_RegExp);
+    if (m_Error)
+        stack.push(m_Error);
+    
+    if (m_ObjectPrototype)
+        stack.push(m_ObjectPrototype);
+    if (m_FunctionPrototype)
+        stack.push(m_FunctionPrototype);
+    if (m_ArrayPrototype)
+        stack.push(m_ArrayPrototype);
+    if (m_BooleanPrototype)
+        stack.push(m_BooleanPrototype);
+    if (m_StringPrototype)
+        stack.push(m_StringPrototype);
+    if (m_NumberPrototype)
+        stack.push(m_NumberPrototype);
+    if (m_DatePrototype)
+        stack.push(m_DatePrototype);
+    if (m_RegExpPrototype)
+        stack.push(m_RegExpPrototype);
+    if (m_ErrorPrototype)
+        stack.push(m_ErrorPrototype);
+    
+    if (m_EvalError)
+        stack.push(m_EvalError);
+    if (m_RangeError)
+        stack.push(m_RangeError);
+    if (m_ReferenceError)
+        stack.push(m_ReferenceError);
+    if (m_SyntaxError)
+        stack.push(m_SyntaxError);
+    if (m_TypeError)
+        stack.push(m_TypeError);
+    if (m_UriError)
+        stack.push(m_UriError);
+    
+    if (m_EvalErrorPrototype)
+        stack.push(m_EvalErrorPrototype);
+    if (m_RangeErrorPrototype)
+        stack.push(m_RangeErrorPrototype);
+    if (m_ReferenceErrorPrototype)
+        stack.push(m_ReferenceErrorPrototype);
+    if (m_SyntaxErrorPrototype)
+        stack.push(m_SyntaxErrorPrototype);
+    if (m_TypeErrorPrototype)
+        stack.push(m_TypeErrorPrototype);
+    if (m_UriErrorPrototype)
+        stack.push(m_UriErrorPrototype);
 }
 

trunk/JavaScriptCore/kjs/interpreter.h

@@ -291 +291 @@
      * implementing custom mark methods must make sure to chain to this one.
      */
-    virtual void mark();
+    virtual void markRoots(MarkStack&);
 
     static bool shouldPrintExceptions();

trunk/JavaScriptCore/kjs/list.cpp

@@ -44 +44 @@
 }
 
-void List::markProtectedListsSlowCase()
+void List::markProtectedListsSlowCase(MarkStack& stack)
 {
     ListSet::iterator end = markSet().end();
@@ -51 +51 @@
 
         iterator end2 = list->end();
-        for (iterator it2 = list->begin(); it2 != end2; ++it2) {
-            JSValue* v = *it2;
-            if (!v->marked())
-                v->mark();
-        }
+        for (iterator it2 = list->begin(); it2 != end2; ++it2)
+            stack.push(*it2);
     }
 }

trunk/JavaScriptCore/kjs/list.h

@@ -86 +86 @@
         const_iterator end() const { return m_vector.end(); }
 
-        static void markProtectedLists()
+        static void markProtectedLists(MarkStack& stack)
         {
             if (!markSet().size())
                 return;
-            markProtectedListsSlowCase();
+            markProtectedListsSlowCase(stack);
         }
 
@@ -97 +97 @@
     private:
         static ListSet& markSet();
-        static void markProtectedListsSlowCase();
+        static void markProtectedListsSlowCase(MarkStack&);
 
         void expandAndAppend(JSValue*);

trunk/JavaScriptCore/kjs/object.cpp

@@ -114 +114 @@
 // ------------------------------ JSObject ------------------------------------
 
-void JSObject::mark()
-{
-  JSCell::mark();
-
+void JSObject::markChildren(MarkStack& stack)
+{
 #if JAVASCRIPT_MARK_TRACING
   static int markStackDepth = 0;
@@ -127 +125 @@
 #endif
   
-  JSValue *proto = _proto;
-  if (!proto->marked())
-    proto->mark();
-
-  _prop.mark();
+  stack.push(_proto);
+  _prop.markChildren(stack);
   
 #if JAVASCRIPT_MARK_TRACING

trunk/JavaScriptCore/kjs/object.h

@@ -28 +28 @@
 #include "JSType.h"
 #include "CommonIdentifiers.h"
+#include "MarkStack.h"
 #include "interpreter.h"
 #include "property_map.h"
@@ -85 +86 @@
     virtual JSObject *toObject(ExecState *exec) const;
       
-    virtual void mark();
+    virtual void markChildren(MarkStack&);
       
     JSObject *getGetter() { return getter; }
@@ -112 +113 @@
     JSObject();
 
-    virtual void mark();
+    virtual void markChildren(MarkStack&);
     virtual JSType type() const;
 
@@ -587 +588 @@
 // FIXME: Put this function in a separate file named something like scope_chain_mark.h -- can't put it in scope_chain.h since it depends on JSObject.
 
-inline void ScopeChain::mark()
-{
-    for (ScopeChainNode *n = _node; n; n = n->next) {
-        JSObject *o = n->object;
-        if (!o->marked())
-            o->mark();
+inline void ScopeChain::markChildren(MarkStack& stack)
+{
+    for (ScopeChainNode* n = _node; n; n = n->next) {
+        JSObject* o = n->object;
+        stack.push(o);
     }
 }

trunk/JavaScriptCore/kjs/property_map.cpp

@@ -623 +623 @@
 }
 
-void PropertyMap::mark() const
-{
-    if (!m_usingTable) {
-#if USE_SINGLE_ENTRY
-        if (m_singleEntryKey) {
-            JSValue* v = m_u.singleEntryValue;
-            if (!v->marked())
-                v->mark();
-        }
+void PropertyMap::markChildren(MarkStack& stack) const
+{
+    if (!m_usingTable) {
+#if USE_SINGLE_ENTRY
+        if (m_singleEntryKey)
+            stack.push(m_u.singleEntryValue);
 #endif
         return;
@@ -637 +634 @@
 
     unsigned entryCount = m_u.table->keyCount + m_u.table->deletedSentinelCount;
-    for (unsigned i = 1; i <= entryCount; i++) {
-        JSValue* v = m_u.table->entries()[i].value;
-        if (!v->marked())
-            v->mark();
-    }
+    for (unsigned i = 1; i <= entryCount; i++)
+        stack.push(m_u.table->entries()[i].value);
 }
 

trunk/JavaScriptCore/kjs/property_map.h

@@ -30 +30 @@
     class JSObject;
     class JSValue;
+    class MarkStack;
     class PropertyNameArray;
     
@@ -60 +61 @@
         JSValue** getLocation(const Identifier& name);
 
-        void mark() const;
+        void markChildren(MarkStack&) const;
         void getEnumerablePropertyNames(PropertyNameArray&) const;
 

trunk/JavaScriptCore/kjs/scope_chain.h

@@ -83 +83 @@
         void pop();
         
-        void mark();
+        void markChildren(MarkStack&);
 
 #ifndef NDEBUG        

trunk/JavaScriptCore/kjs/string_object.cpp

@@ -128 +128 @@
     propertyNames.add(Identifier(UString::from(i)));
   return JSObject::getPropertyNames(exec, propertyNames);
+}
+
+void StringInstance::markChildren(MarkStack& stack) 
+{
+    JSObject::markChildren(stack);
+    stack.pushAtom(internalValue());
 }
 

trunk/JavaScriptCore/kjs/string_object.h

@@ -47 +47 @@
 
     StringImp* internalValue() const { return static_cast<StringImp*>(JSWrapperObject::internalValue());}
+    virtual void markChildren(MarkStack& stack);
 
   private:

trunk/JavaScriptCore/kjs/value.h

@@ -34 +34 @@
 class JSObject;
 class JSCell;
+class MarkStack;
 
 struct ClassInfo;
@@ -48 +49 @@
     friend class JSCell; // so it can derive from this class
     friend class Collector; // so it can call asCell()
+    friend class MarkStack; // so it can call asCell()
 
 private:
@@ -106 +108 @@
 
     // Garbage collection.
-    void mark();
+    void markChildren(MarkStack&);
     bool marked() const;
 
@@ -165 +167 @@
     // Garbage collection.
     void *operator new(size_t);
-    virtual void mark();
+    virtual void markChildren(MarkStack&);
     bool marked() const;
 };
@@ -291 +293 @@
 }
 
-inline void JSCell::mark()
-{
-    return Collector::markCell(this);
+inline void JSCell::markChildren(MarkStack&)
+{
 }
 
@@ -407 +408 @@
 }
 
-inline void JSValue::mark()
-{
-    ASSERT(!JSImmediate::isImmediate(this)); // callers should check !marked() before calling mark()
-    asCell()->mark();
+inline void JSValue::markChildren(MarkStack& stack)
+{
+    ASSERT(!JSImmediate::isImmediate(this)); // callers should check !marked() before calling markChildren()
+    asCell()->markChildren(stack);
 }