Changeset 43432 in webkit for trunk/JavaScriptCore

Timestamp:

May 9, 2009, 1:35:57 AM (16 years ago)

Author:

[email protected]

Message:

2009-05-09 Maciej Stachowiak <​[email protected]>

Reviewed by Gavin Barraclough.

Original patch by John McCall. Updated by Cameron Zwarich. Further refined by me.

• Assorted speedups to property access

~.3%-1% speedup on SunSpider

1) When we know from the structure ID that an object is using inline storage, plant direct
loads and stores against it; no need to indirect through storage pointer.

2) Also because of the above, union the property storage pointer with the first inline property
slot and add an extra inline property slot.

• assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::CodeLocationInstruction::CodeLocationInstruction): (JSC::AbstractMacroAssembler::CodeLocationInstruction::patchLoadToLEA): (JSC::::CodeLocationCommon::instructionAtOffset):
• assembler/MacroAssembler.h: (JSC::MacroAssembler::storePtr):
• assembler/MacroAssemblerX86.h: (JSC::MacroAssemblerX86::store32):
• assembler/MacroAssemblerX86_64.h: (JSC::MacroAssemblerX86_64::storePtr):
• assembler/X86Assembler.h: (JSC::X86Assembler::movq_EAXm): (JSC::X86Assembler::movl_rm): (JSC::X86Assembler::patchLoadToLEA):
• jit/JIT.cpp: (JSC::JIT::privateCompileMainPass):
• jit/JIT.h:
• jit/JITPropertyAccess.cpp: (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::compilePutByIdHotPath): (JSC::JIT::compilePutDirectOffset): (JSC::JIT::compileGetDirectOffset): (JSC::JIT::privateCompilePutByIdTransition): (JSC::JIT::patchGetByIdSelf): (JSC::JIT::patchPutByIdReplace): (JSC::JIT::privateCompileGetByIdSelf): (JSC::JIT::privateCompileGetByIdProto): (JSC::JIT::privateCompileGetByIdSelfList): (JSC::JIT::privateCompileGetByIdProtoList): (JSC::JIT::privateCompileGetByIdChainList): (JSC::JIT::privateCompileGetByIdChain): (JSC::JIT::privateCompilePutByIdReplace):
• runtime/JSObject.cpp: (JSC::JSObject::mark): (JSC::JSObject::removeDirect):
• runtime/JSObject.h: (JSC::JSObject::propertyStorage): (JSC::JSObject::getDirect): (JSC::JSObject::getOffset): (JSC::JSObject::offsetForLocation): (JSC::JSObject::locationForOffset): (JSC::JSObject::getDirectOffset): (JSC::JSObject::putDirectOffset): (JSC::JSObject::isUsingInlineStorage): (JSC::JSObject::): (JSC::JSObject::JSObject): (JSC::JSObject::~JSObject): (JSC::Structure::isUsingInlineStorage): (JSC::JSObject::putDirect): (JSC::JSObject::putDirectWithoutTransition): (JSC::JSObject::allocatePropertyStorageInline):
• runtime/Structure.h:

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• assembler/AbstractMacroAssembler.h (modified) (4 diffs)
• assembler/MacroAssembler.h (modified) (1 diff)
• assembler/MacroAssemblerX86.h (modified) (1 diff)
• assembler/MacroAssemblerX86_64.h (modified) (1 diff)
• assembler/X86Assembler.h (modified) (3 diffs)
• jit/JIT.cpp (modified) (1 diff)
• jit/JIT.h (modified) (3 diffs)
• jit/JITPropertyAccess.cpp (modified) (15 diffs)
• runtime/JSObject.cpp (modified) (2 diffs)
• runtime/JSObject.h (modified) (17 diffs)
• runtime/Structure.h (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2009-05-09  Maciej Stachowiak  <[email protected]>
+
+        Reviewed by Gavin Barraclough.
+        
+        Original patch by John McCall. Updated by Cameron Zwarich. Further refined by me.
+        
+        - Assorted speedups to property access
+        
+        ~.3%-1% speedup on SunSpider
+        
+        1) When we know from the structure ID that an object is using inline storage, plant direct
+        loads and stores against it; no need to indirect through storage pointer.
+        
+        2) Also because of the above, union the property storage pointer with the first inline property
+        slot and add an extra inline property slot.
+
+        * assembler/AbstractMacroAssembler.h:
+        (JSC::AbstractMacroAssembler::CodeLocationInstruction::CodeLocationInstruction):
+        (JSC::AbstractMacroAssembler::CodeLocationInstruction::patchLoadToLEA):
+        (JSC::::CodeLocationCommon::instructionAtOffset):
+        * assembler/MacroAssembler.h:
+        (JSC::MacroAssembler::storePtr):
+        * assembler/MacroAssemblerX86.h:
+        (JSC::MacroAssemblerX86::store32):
+        * assembler/MacroAssemblerX86_64.h:
+        (JSC::MacroAssemblerX86_64::storePtr):
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::movq_EAXm):
+        (JSC::X86Assembler::movl_rm):
+        (JSC::X86Assembler::patchLoadToLEA):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        * jit/JIT.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::compileGetByIdHotPath):
+        (JSC::JIT::compilePutByIdHotPath):
+        (JSC::JIT::compilePutDirectOffset):
+        (JSC::JIT::compileGetDirectOffset):
+        (JSC::JIT::privateCompilePutByIdTransition):
+        (JSC::JIT::patchGetByIdSelf):
+        (JSC::JIT::patchPutByIdReplace):
+        (JSC::JIT::privateCompileGetByIdSelf):
+        (JSC::JIT::privateCompileGetByIdProto):
+        (JSC::JIT::privateCompileGetByIdSelfList):
+        (JSC::JIT::privateCompileGetByIdProtoList):
+        (JSC::JIT::privateCompileGetByIdChainList):
+        (JSC::JIT::privateCompileGetByIdChain):
+        (JSC::JIT::privateCompilePutByIdReplace):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::mark):
+        (JSC::JSObject::removeDirect):
+        * runtime/JSObject.h:
+        (JSC::JSObject::propertyStorage):
+        (JSC::JSObject::getDirect):
+        (JSC::JSObject::getOffset):
+        (JSC::JSObject::offsetForLocation):
+        (JSC::JSObject::locationForOffset):
+        (JSC::JSObject::getDirectOffset):
+        (JSC::JSObject::putDirectOffset):
+        (JSC::JSObject::isUsingInlineStorage):
+        (JSC::JSObject::):
+        (JSC::JSObject::JSObject):
+        (JSC::JSObject::~JSObject):
+        (JSC::Structure::isUsingInlineStorage):
+        (JSC::JSObject::putDirect):
+        (JSC::JSObject::putDirectWithoutTransition):
+        (JSC::JSObject::allocatePropertyStorageInline):
+        * runtime/Structure.h:
+
 2009-05-09  Geoffrey Garen  <[email protected]>
 

trunk/JavaScriptCore/assembler/AbstractMacroAssembler.h

@@ -38 +38 @@
     class Jump;
     class PatchBuffer;
+    class CodeLocationInstruction;
     class CodeLocationLabel;
     class CodeLocationJump;
@@ -407 +408 @@
         // methods may be used to recover a handle that has nopw been
         // retained, based on a known fixed relative offset from one that has.
+        CodeLocationInstruction instructionAtOffset(int offset);
         CodeLocationLabel labelAtOffset(int offset);
         CodeLocationJump jumpAtOffset(int offset);
@@ -423 +425 @@
 
         void* m_location;
+    };
+
+    // CodeLocationInstruction:
+    //
+    // An arbitrary instruction in the JIT code.
+    class CodeLocationInstruction : public CodeLocationCommon {
+        friend class CodeLocationCommon;
+    public:
+        CodeLocationInstruction()
+        {
+        }
+
+        void patchLoadToLEA() {
+            AssemblerType::patchLoadToLEA(reinterpret_cast<intptr_t>(this->m_location));
+        }
+
+    private:
+        explicit CodeLocationInstruction(void* location)
+            : CodeLocationCommon(location)
+        {
+        }
     };
 
@@ -805 +828 @@
 
 template <class AssemblerType>
+typename AbstractMacroAssembler<AssemblerType>::CodeLocationInstruction AbstractMacroAssembler<AssemblerType>::CodeLocationCommon::instructionAtOffset(int offset)
+{
+    return typename AbstractMacroAssembler::CodeLocationInstruction(reinterpret_cast<char*>(m_location) + offset);
+}
+
+template <class AssemblerType>
 typename AbstractMacroAssembler<AssemblerType>::CodeLocationLabel AbstractMacroAssembler<AssemblerType>::CodeLocationCommon::labelAtOffset(int offset)
 {

trunk/JavaScriptCore/assembler/MacroAssembler.h

@@ -243 +243 @@
     }
 
+    void storePtr(RegisterID src, void* address)
+    {
+        store32(src, address);
+    }
+
     void storePtr(ImmPtr imm, ImplicitAddress address)
     {

trunk/JavaScriptCore/assembler/MacroAssemblerX86.h

@@ -71 +71 @@
     }
 
+    void store32(RegisterID src, void* address)
+    {
+        m_assembler.movl_rm(src, address);
+    }
+
     Jump branch32(Condition cond, AbsoluteAddress left, RegisterID right)
     {

trunk/JavaScriptCore/assembler/MacroAssemblerX86_64.h

@@ -242 +242 @@
         m_assembler.movq_rm(src, address.offset, address.base, address.index, address.scale);
     }
+    
+    void storePtr(RegisterID src, void* address)
+    {
+        if (src == X86::eax)
+            m_assembler.movq_EAXm(address);
+        else {
+            swap(X86::eax, src);
+            m_assembler.movq_EAXm(address);
+            swap(X86::eax, src);
+        }
+    }
 
     void storePtr(ImmPtr imm, ImplicitAddress address)

trunk/JavaScriptCore/assembler/X86Assembler.h

@@ -938 +938 @@
     }
 
+    void movq_EAXm(void* addr)
+    {
+        m_formatter.oneByteOp64(OP_MOV_OvEAX);
+        m_formatter.immediate64(reinterpret_cast<int64_t>(addr));
+    }
+
     void movq_mr(int offset, RegisterID base, RegisterID dst)
     {
@@ -972 +978 @@
     
 #else
+    void movl_rm(RegisterID src, void* addr)
+    {
+        if (src == X86::eax)
+            movl_EAXm(addr);
+        else 
+            m_formatter.oneByteOp(OP_MOV_EvGv, src, addr);
+    }
+    
     void movl_mr(void* addr, RegisterID dst)
     {
@@ -1287 +1301 @@
         ASSERT(linkOffset == static_cast<int>(linkOffset));
         reinterpret_cast<int*>(reinterpret_cast<ptrdiff_t>(code) + from.m_offset)[-1] = linkOffset;
+    }
+
+    static void patchLoadToLEA(intptr_t where)
+    {
+        char* ptr = reinterpret_cast<char*>(where);
+        ptr[0] = OP_LEA;
     }
     

trunk/JavaScriptCore/jit/JIT.cpp

@@ -595 +595 @@
 
             // Load cached property
-            loadPtr(Address(regT0, FIELD_OFFSET(JSGlobalObject, m_propertyStorage)), regT0);
+            // Assume that the global object always uses external storage.
+            loadPtr(Address(regT0, FIELD_OFFSET(JSGlobalObject, m_externalStorage)), regT0);
             load32(offsetAddr, regT1);
             loadPtr(BaseIndex(regT0, regT1, ScalePtr), regT0);

trunk/JavaScriptCore/jit/JIT.h

@@ -227 +227 @@
         // These architecture specific value are used to enable patching - see comment on op_put_by_id.
         static const int patchOffsetPutByIdStructure = 10;
+        static const int patchOffsetPutByIdExternalLoad = 20;
+        static const int patchLengthPutByIdExternalLoad = 4;
         static const int patchOffsetPutByIdPropertyMapOffset = 31;
         // These architecture specific value are used to enable patching - see comment on op_get_by_id.
         static const int patchOffsetGetByIdStructure = 10;
         static const int patchOffsetGetByIdBranchToSlowCase = 20;
+        static const int patchOffsetGetByIdExternalLoad = 20;
+        static const int patchLengthGetByIdExternalLoad = 4;
         static const int patchOffsetGetByIdPropertyMapOffset = 31;
         static const int patchOffsetGetByIdPutResult = 31;
@@ -242 +246 @@
         // These architecture specific value are used to enable patching - see comment on op_put_by_id.
         static const int patchOffsetPutByIdStructure = 7;
+        static const int patchOffsetPutByIdExternalLoad = 13;
+        static const int patchLengthPutByIdExternalLoad = 3;
         static const int patchOffsetPutByIdPropertyMapOffset = 22;
         // These architecture specific value are used to enable patching - see comment on op_get_by_id.
         static const int patchOffsetGetByIdStructure = 7;
         static const int patchOffsetGetByIdBranchToSlowCase = 13;
+        static const int patchOffsetGetByIdExternalLoad = 13;
+        static const int patchLengthGetByIdExternalLoad = 3;
         static const int patchOffsetGetByIdPropertyMapOffset = 22;
         static const int patchOffsetGetByIdPutResult = 22;
@@ -380 +388 @@
         enum CompileOpStrictEqType { OpStrictEq, OpNStrictEq };
         void compileOpStrictEq(Instruction* instruction, CompileOpStrictEqType type);
+
+        void compileGetDirectOffset(RegisterID base, RegisterID result, Structure* structure, size_t cachedOffset);
+        void compileGetDirectOffset(JSObject* base, RegisterID temp, RegisterID result, size_t cachedOffset);
+        void compilePutDirectOffset(RegisterID base, RegisterID value, Structure* structure, size_t cachedOffset);
 
         void compileFastArith_op_add(Instruction*);

trunk/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -109 +109 @@
     ASSERT(differenceBetween(hotPathBegin, structureCheck) == patchOffsetGetByIdBranchToSlowCase);
 
-    loadPtr(Address(regT0, FIELD_OFFSET(JSObject, m_propertyStorage)), regT0);
+    Label externalLoad(this);
+    loadPtr(Address(regT0, FIELD_OFFSET(JSObject, m_externalStorage)), regT0);
+    Label externalLoadComplete(this);
+    ASSERT(differenceBetween(hotPathBegin, externalLoad) == patchOffsetGetByIdExternalLoad);
+    ASSERT(differenceBetween(externalLoad, externalLoadComplete) == patchLengthGetByIdExternalLoad);
+
     DataLabel32 displacementLabel = loadPtrWithAddressOffsetPatch(Address(regT0, patchGetByIdDefaultOffset), regT0);
     ASSERT(differenceBetween(hotPathBegin, displacementLabel) == patchOffsetGetByIdPropertyMapOffset);
@@ -164 +169 @@
 
     // Plant a load from a bogus ofset in the object's property map; we will patch this later, if it is to be used.
-    loadPtr(Address(regT0, FIELD_OFFSET(JSObject, m_propertyStorage)), regT0);
+    Label externalLoad(this);
+    loadPtr(Address(regT0, FIELD_OFFSET(JSObject, m_externalStorage)), regT0);
+    Label externalLoadComplete(this);
+    ASSERT(differenceBetween(hotPathBegin, externalLoad) == patchOffsetPutByIdExternalLoad);
+    ASSERT(differenceBetween(externalLoad, externalLoadComplete) == patchLengthPutByIdExternalLoad);
+
     DataLabel32 displacementLabel = storePtrWithAddressOffsetPatch(regT1, Address(regT0, patchGetByIdDefaultOffset));
     ASSERT(differenceBetween(hotPathBegin, displacementLabel) == patchOffsetPutByIdPropertyMapOffset);
@@ -182 +192 @@
     // Track the location of the call; this will be used to recover patch information.
     m_propertyAccessCompilationInfo[propertyAccessInstructionIndex].callReturnLocation = call;
+}
+
+// Compile a store into an object's property storage.  May overwrite the
+// value in objectReg.
+void JIT::compilePutDirectOffset(RegisterID base, RegisterID value, Structure* structure, size_t cachedOffset)
+{
+    int offset = cachedOffset * sizeof(JSValue);
+    if (structure->isUsingInlineStorage())
+        offset += FIELD_OFFSET(JSObject, m_inlineStorage);
+    else
+        loadPtr(Address(base, FIELD_OFFSET(JSObject, m_externalStorage)), base);
+    storePtr(value, Address(base, offset));
+}
+
+// Compile a load from an object's property storage.  May overwrite base.
+void JIT::compileGetDirectOffset(RegisterID base, RegisterID result, Structure* structure, size_t cachedOffset)
+{
+    int offset = cachedOffset * sizeof(JSValue);
+    if (structure->isUsingInlineStorage())
+        offset += FIELD_OFFSET(JSObject, m_inlineStorage);
+    else
+        loadPtr(Address(base, FIELD_OFFSET(JSObject, m_externalStorage)), base);
+    loadPtr(Address(base, offset), result);
+}
+
+void JIT::compileGetDirectOffset(JSObject* base, RegisterID temp, RegisterID result, size_t cachedOffset)
+{
+    if (base->isUsingInlineStorage())
+        loadPtr(static_cast<void*>(&base->m_inlineStorage[cachedOffset]), result);
+    else {
+        PropertyStorage* protoPropertyStorage = &base->m_externalStorage;
+        loadPtr(static_cast<void*>(protoPropertyStorage), temp);
+        loadPtr(Address(temp, cachedOffset * sizeof(JSValue)), result);
+    } 
 }
 
@@ -254 +298 @@
 
     // write the value
-    loadPtr(Address(regT0, FIELD_OFFSET(JSObject, m_propertyStorage)), regT0);
-    storePtr(regT1, Address(regT0, cachedOffset * sizeof(JSValue)));
+    compilePutDirectOffset(regT0, regT1, newStructure, cachedOffset);
 
     ret();
@@ -283 +326 @@
     returnAddress.relinkCallerToFunction(JITStubs::cti_op_get_by_id_self_fail);
 
+    int offset = sizeof(JSValue) * cachedOffset;
+
+    // If we're patching to use inline storage, convert the initial load to a lea; this avoids the extra load
+    // and makes the subsequent load's offset automatically correct
+    if (structure->isUsingInlineStorage())
+        stubInfo->hotPathBegin.instructionAtOffset(patchOffsetGetByIdExternalLoad).patchLoadToLEA();
+
     // Patch the offset into the propoerty map to load from, then patch the Structure to look for.
     stubInfo->hotPathBegin.dataLabelPtrAtOffset(patchOffsetGetByIdStructure).repatch(structure);
-    stubInfo->hotPathBegin.dataLabel32AtOffset(patchOffsetGetByIdPropertyMapOffset).repatch(cachedOffset * sizeof(JSValue));
+    stubInfo->hotPathBegin.dataLabel32AtOffset(patchOffsetGetByIdPropertyMapOffset).repatch(offset);
 }
 
@@ -294 +344 @@
     returnAddress.relinkCallerToFunction(JITStubs::cti_op_put_by_id_generic);
 
+    int offset = sizeof(JSValue) * cachedOffset;
+
+    // If we're patching to use inline storage, convert the initial load to a lea; this avoids the extra load
+    // and makes the subsequent load's offset automatically correct
+    if (structure->isUsingInlineStorage())
+        stubInfo->hotPathBegin.instructionAtOffset(patchOffsetGetByIdExternalLoad).patchLoadToLEA();
+
     // Patch the offset into the propoerty map to load from, then patch the Structure to look for.
     stubInfo->hotPathBegin.dataLabelPtrAtOffset(patchOffsetPutByIdStructure).repatch(structure);
-    stubInfo->hotPathBegin.dataLabel32AtOffset(patchOffsetPutByIdPropertyMapOffset).repatch(cachedOffset * sizeof(JSValue));
+    stubInfo->hotPathBegin.dataLabel32AtOffset(patchOffsetPutByIdPropertyMapOffset).repatch(offset);
 }
 
@@ -345 +402 @@
 
     // Checks out okay! - getDirectOffset
-    loadPtr(Address(regT0, FIELD_OFFSET(JSObject, m_propertyStorage)), regT0);
-    loadPtr(Address(regT0, cachedOffset * sizeof(JSValue)), regT0);
+    compileGetDirectOffset(regT0, regT0, structure, cachedOffset);
     ret();
 
@@ -386 +442 @@
 
     // Checks out okay! - getDirectOffset
-    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
-    loadPtr(static_cast<void*>(protoPropertyStorage), regT1);
-    loadPtr(Address(regT1, cachedOffset * sizeof(JSValue)), regT0);
+    compileGetDirectOffset(protoObject, regT1, regT0, cachedOffset);
 
     Jump success = jump();
@@ -424 +478 @@
 
     // Checks out okay! - getDirectOffset
-    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
-    loadPtr(protoPropertyStorage, regT1);
-    loadPtr(Address(regT1, cachedOffset * sizeof(JSValue)), regT0);
+    compileGetDirectOffset(protoObject, regT1, regT0, cachedOffset);
 
     ret();
@@ -447 +499 @@
 {
     Jump failureCase = checkStructure(regT0, structure);
-    loadPtr(Address(regT0, FIELD_OFFSET(JSObject, m_propertyStorage)), regT0);
-    loadPtr(Address(regT0, cachedOffset * sizeof(JSValue)), regT0);
+    compileGetDirectOffset(regT0, regT0, structure, cachedOffset);
     Jump success = jump();
 
@@ -494 +545 @@
 
     // Checks out okay! - getDirectOffset
-    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
-    loadPtr(protoPropertyStorage, regT1);
-    loadPtr(Address(regT1, cachedOffset * sizeof(JSValue)), regT0);
+    compileGetDirectOffset(protoObject, regT1, regT0, cachedOffset);
 
     Jump success = jump();
@@ -550 +599 @@
     ASSERT(protoObject);
 
-    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
-    loadPtr(protoPropertyStorage, regT1);
-    loadPtr(Address(regT1, cachedOffset * sizeof(JSValue)), regT0);
+    compileGetDirectOffset(protoObject, regT1, regT0, cachedOffset);
     Jump success = jump();
 
@@ -610 +657 @@
     ASSERT(protoObject);
 
-    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
-    loadPtr(protoPropertyStorage, regT1);
-    loadPtr(Address(regT1, cachedOffset * sizeof(JSValue)), regT0);
+    compileGetDirectOffset(protoObject, regT1, regT0, cachedOffset);
     Jump success = jump();
 
@@ -658 +703 @@
     ASSERT(protoObject);
 
-    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
-    loadPtr(protoPropertyStorage, regT1);
-    loadPtr(Address(regT1, cachedOffset * sizeof(JSValue)), regT0);
+    compileGetDirectOffset(protoObject, regT1, regT0, cachedOffset);
+    compilePutDirectOffset(regT0, regT1, structure, cachedOffset);
     ret();
 
@@ -680 +724 @@
 
     // checks out okay! - putDirectOffset
-    loadPtr(Address(regT0, FIELD_OFFSET(JSObject, m_propertyStorage)), regT0);
-    storePtr(regT1, Address(regT0, cachedOffset * sizeof(JSValue)));
+    compilePutDirectOffset(regT0, regT1, structure, cachedOffset);
     ret();
 

trunk/JavaScriptCore/runtime/JSObject.cpp

@@ -70 +70 @@
     m_structure->mark();
 
+    PropertyStorage storage = propertyStorage();
+
     size_t storageSize = m_structure->propertyStorageSize();
     for (size_t i = 0; i < storageSize; ++i) {
-        JSValue v = m_propertyStorage[i];
+        JSValue v = JSValue::decode(storage[i]);
         if (!v.marked())
             v.mark();
@@ -472 +474 @@
         offset = m_structure->removePropertyWithoutTransition(propertyName);
         if (offset != WTF::notFound)
-            m_propertyStorage[offset] = jsUndefined();
+            putDirectOffset(offset, jsUndefined());
         return;
     }
 
     RefPtr<Structure> structure = Structure::removePropertyTransition(m_structure, propertyName, offset);
+    setStructure(structure.release());
     if (offset != WTF::notFound)
-        m_propertyStorage[offset] = jsUndefined();
-    setStructure(structure.release());
+        putDirectOffset(offset, jsUndefined());
 }
 

trunk/JavaScriptCore/runtime/JSObject.h

@@ -52 +52 @@
     };
 
-    typedef JSValue* PropertyStorage;
+    typedef EncodedJSValue* PropertyStorage;
+    typedef EncodedJSValue const * ConstPropertyStorage;
 
     class JSObject : public JSCell {
@@ -76 +77 @@
         Structure* inheritorID();
 
-        PropertyStorage& propertyStorage() { return m_propertyStorage; }
+        ConstPropertyStorage propertyStorage() const { return (isUsingInlineStorage() ? m_inlineStorage : m_externalStorage); }
+        PropertyStorage propertyStorage() { return (isUsingInlineStorage() ? m_inlineStorage : m_externalStorage); }
 
         virtual UString className() const;
@@ -126 +128 @@
         {
             size_t offset = m_structure->get(propertyName);
-            return offset != WTF::notFound ? m_propertyStorage[offset] : JSValue();
+            return offset != WTF::notFound ? getDirectOffset(offset) : JSValue();
+        }
+
+        size_t getOffset(const Identifier& propertyName)
+        {
+            return m_structure->get(propertyName);
         }
 
@@ -141 +148 @@
         }
 
-        size_t offsetForLocation(JSValue* location)
-        {
-            return location - m_propertyStorage;
+        size_t offsetForLocation(JSValue* location) const
+        {
+            return location - reinterpret_cast<JSValue const *>(propertyStorage());
+        }
+
+        JSValue const * locationForOffset(size_t offset) const
+        {
+            return reinterpret_cast<JSValue const *>(&propertyStorage()[offset]);
         }
 
         JSValue* locationForOffset(size_t offset)
         {
-            return &m_propertyStorage[offset];
+            return reinterpret_cast<JSValue*>(&propertyStorage()[offset]);
         }
 
@@ -164 +176 @@
 
         // Fast access to known property offsets.
-        JSValue getDirectOffset(size_t offset) { return m_propertyStorage[offset]; }
-        void putDirectOffset(size_t offset, JSValue value) { m_propertyStorage[offset] = value; }
+        JSValue getDirectOffset(size_t offset) const { return JSValue::decode(propertyStorage()[offset]); }
+        void putDirectOffset(size_t offset, JSValue value) { propertyStorage()[offset] = JSValue::encode(value); }
 
         void fillGetterPropertySlot(PropertySlot&, JSValue* location);
@@ -182 +194 @@
         void allocatePropertyStorage(size_t oldSize, size_t newSize);
         void allocatePropertyStorageInline(size_t oldSize, size_t newSize);
-        bool usingInlineStorage() const { return m_propertyStorage == m_inlineStorage; }
-
-        static const size_t inlineStorageCapacity = 2;
+        bool isUsingInlineStorage() const { return m_structure->isUsingInlineStorage(); }
+
+        static const size_t inlineStorageCapacity = 3;
         static const size_t nonInlineBaseStorageCapacity = 16;
 
@@ -203 +215 @@
         RefPtr<Structure> m_inheritorID;
 
-        PropertyStorage m_propertyStorage;        
-        JSValue m_inlineStorage[inlineStorageCapacity];
+        union {
+            PropertyStorage m_externalStorage;
+            EncodedJSValue m_inlineStorage[inlineStorageCapacity];
+        };
     };
 
@@ -219 +233 @@
 inline JSObject::JSObject(PassRefPtr<Structure> structure)
     : JSCell(structure.releaseRef()) // ~JSObject balances this ref()
-    , m_propertyStorage(m_inlineStorage)
 {
     ASSERT(m_structure);
@@ -230 +243 @@
 {
     ASSERT(m_structure);
-    if (m_propertyStorage != m_inlineStorage)
-        delete [] m_propertyStorage;
+    if (!isUsingInlineStorage())
+        delete [] m_externalStorage;
     m_structure->deref();
 }
@@ -258 +271 @@
         return m_inheritorID.get();
     return createInheritorID();
+}
+
+inline bool Structure::isUsingInlineStorage() const
+{
+    return (propertyStorageCapacity() == JSObject::inlineStorageCapacity);
 }
 
@@ -395 +413 @@
             if (checkReadOnly && currentAttributes & ReadOnly)
                 return;
-            m_propertyStorage[offset] = value;
+            putDirectOffset(offset, value);
             slot.setExistingProperty(this, offset);
             return;
@@ -406 +424 @@
 
         ASSERT(offset < m_structure->propertyStorageCapacity());
-        m_propertyStorage[offset] = value;
+        putDirectOffset(offset, value);
         slot.setNewProperty(this, offset);
         return;
@@ -418 +436 @@
 
         ASSERT(offset < structure->propertyStorageCapacity());
-        m_propertyStorage[offset] = value;
+        setStructure(structure.release());
+        putDirectOffset(offset, value);
         slot.setNewProperty(this, offset);
         slot.setWasTransition(true);
-        setStructure(structure.release());
         return;
     }
@@ -430 +448 @@
         if (checkReadOnly && currentAttributes & ReadOnly)
             return;
-        m_propertyStorage[offset] = value;
+        putDirectOffset(offset, value);
         slot.setExistingProperty(this, offset);
         return;
@@ -440 +458 @@
 
     ASSERT(offset < structure->propertyStorageCapacity());
-    m_propertyStorage[offset] = value;
+    setStructure(structure.release());
+    putDirectOffset(offset, value);
     slot.setNewProperty(this, offset);
     slot.setWasTransition(true);
-    setStructure(structure.release());
 }
 
@@ -452 +470 @@
     if (currentCapacity != m_structure->propertyStorageCapacity())
         allocatePropertyStorage(currentCapacity, m_structure->propertyStorageCapacity());
-    m_propertyStorage[offset] = value;
+    putDirectOffset(offset, value);
 }
 
@@ -541 +559 @@
     ASSERT(newSize > oldSize);
 
-    JSValue* oldPropertyStorage = m_propertyStorage;
-    m_propertyStorage = new JSValue[newSize];
+    // It's important that this function not rely on m_structure, since
+    // we might be in the middle of a transition.
+    bool wasInline = (oldSize == JSObject::inlineStorageCapacity);
+
+    PropertyStorage oldPropertyStorage = (wasInline ? m_inlineStorage : m_externalStorage);
+    PropertyStorage newPropertyStorage = new EncodedJSValue[newSize];
 
     for (unsigned i = 0; i < oldSize; ++i)
-        m_propertyStorage[i] = oldPropertyStorage[i];
-
-    if (oldPropertyStorage != m_inlineStorage)
+       newPropertyStorage[i] = oldPropertyStorage[i];
+
+    if (!wasInline)
         delete [] oldPropertyStorage;
+
+    m_externalStorage = newPropertyStorage;
 }
 

trunk/JavaScriptCore/runtime/Structure.h

@@ -96 +96 @@
         size_t propertyStorageCapacity() const { return m_propertyStorageCapacity; }
         size_t propertyStorageSize() const { return m_propertyTable ? m_propertyTable->keyCount + (m_propertyTable->deletedOffsets ? m_propertyTable->deletedOffsets->size() : 0) : m_offset + 1; }
+        bool isUsingInlineStorage() const;
 
         size_t get(const Identifier& propertyName);