Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (128145 => 128146)
--- trunk/Source/_javascript_Core/ChangeLog 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-09-11 05:05:53 UTC (rev 128146)
@@ -1,3 +1,43 @@
+2012-09-10 Mark Hahnenberg <[email protected]>
+
+ Remove m_classInfo from JSCell
+ https://bugs.webkit.org/show_bug.cgi?id=96311
+
+ Reviewed by Oliver Hunt.
+
+ Now that no one is using the ClassInfo in JSCell, we can remove it for the greater good. This is a 1.5% win on v8v7 and
+ a 1.7% win on kraken, and is an overall performance progression.
+
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): Had to rearrange the order of when we take things off the free list
+ and when we store the Structure in the object because we would clobber the free list otherwise. This made it not okay for
+ the structure argument and the scratch register to alias one another. Also removed the store of the ClassInfo pointer in the
+ object. Yay!
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp: Since it's no longer okay for for the scratch register and structure register to alias
+ one another as stated above, had to add an extra temporary for passing the Structure.
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp: Ditto.
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITInlineMethods.h:
+ (JSC::JIT::emitAllocateBasicJSObject): Similar changes to DFG's inline allocation except that it removed the object from
+ the free list first, so no changes were necessary there.
+ * llint/LowLevelInterpreter.asm: Change the constants for amount of inline storage to match PropertyOffset.h and remove
+ the store of the ClassInfo pointer during inline allocation.
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSCell.h: Remove the m_classInfo field and associated methods.
+ (JSCell):
+ * runtime/JSObject.h:
+ (JSObject):
+ * runtime/PropertyOffset.h: Expand the number of inline storage properties to take up the extra space that we're freeing
+ with the removal of the ClassInfo pointer.
+ (JSC):
+ * runtime/Structure.h:
+ (JSC):
+ (JSC::JSCell::JSCell):
+ (JSC::JSCell::finishCreation):
+
2012-09-10 Geoffrey Garen <[email protected]>
Added large allocation support to MarkedSpace
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (128145 => 128146)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2012-09-11 05:05:53 UTC (rev 128146)
@@ -2161,7 +2161,9 @@
void compileNewFunctionNoCheck(Node&);
void compileNewFunctionExpression(Node&);
bool compileRegExpExec(Node&);
-
+
+ // It is NOT okay for the structure and the scratch register to be the same thing because if they are then the Structure will
+ // get clobbered.
template <typename ClassType, bool destructor, typename StructureType>
void emitAllocateBasicJSObject(StructureType structure, GPRReg resultGPR, GPRReg scratchGPR, MacroAssembler::JumpList& slowPath)
{
@@ -2176,24 +2178,16 @@
// The object is half-allocated: we have what we know is a fresh object, but
// it's still on the GC's free list.
-
- // Ditch the structure by placing it into the structure slot, so that we can reuse
- // scratchGPR.
- m_jit.storePtr(structure, MacroAssembler::Address(resultGPR, JSObject::structureOffset()));
-
- // Now that we have scratchGPR back, remove the object from the free list
m_jit.loadPtr(MacroAssembler::Address(resultGPR), scratchGPR);
m_jit.storePtr(scratchGPR, &allocator->m_freeList.head);
+
+ // Initialize the object's Structure.
+ m_jit.storePtr(structure, MacroAssembler::Address(resultGPR, JSCell::structureOffset()));
- // Initialize the object's classInfo pointer
- m_jit.storePtr(MacroAssembler::TrustedImmPtr(&ClassType::s_info), MacroAssembler::Address(resultGPR, JSCell::classInfoOffset()));
-
// Initialize the object's property storage pointer.
m_jit.storePtr(MacroAssembler::TrustedImmPtr(0), MacroAssembler::Address(resultGPR, ClassType::offsetOfOutOfLineStorage()));
}
- // It is acceptable to have structure be equal to scratch, so long as you're fine
- // with the structure GPR being clobbered.
template<typename T>
void emitAllocateJSFinalObject(T structure, GPRReg resultGPR, GPRReg scratchGPR, MacroAssembler::JumpList& slowPath)
{
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (128145 => 128146)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2012-09-11 05:05:53 UTC (rev 128146)
@@ -3296,18 +3296,20 @@
SpeculateCellOperand callee(this, node.child1());
GPRTemporary result(this);
+ GPRTemporary structure(this);
GPRTemporary scratch(this);
GPRReg calleeGPR = callee.gpr();
GPRReg resultGPR = result.gpr();
+ GPRReg structureGPR = structure.gpr();
GPRReg scratchGPR = scratch.gpr();
// Load the inheritorID. If the inheritorID is not set, go to slow path.
- m_jit.loadPtr(MacroAssembler::Address(calleeGPR, JSFunction::offsetOfCachedInheritorID()), scratchGPR);
+ m_jit.loadPtr(MacroAssembler::Address(calleeGPR, JSFunction::offsetOfCachedInheritorID()), structureGPR);
MacroAssembler::JumpList slowPath;
- slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, scratchGPR));
+ slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, structureGPR));
- emitAllocateJSFinalObject(scratchGPR, resultGPR, scratchGPR, slowPath);
+ emitAllocateJSFinalObject(structureGPR, resultGPR, scratchGPR, slowPath);
addSlowPathGenerator(slowPathCall(slowPath, this, operationCreateThis, resultGPR, calleeGPR));
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (128145 => 128146)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2012-09-11 05:05:53 UTC (rev 128146)
@@ -3289,18 +3289,20 @@
SpeculateCellOperand callee(this, node.child1());
GPRTemporary result(this);
+ GPRTemporary structure(this);
GPRTemporary scratch(this);
GPRReg calleeGPR = callee.gpr();
GPRReg resultGPR = result.gpr();
+ GPRReg structureGPR = structure.gpr();
GPRReg scratchGPR = scratch.gpr();
// Load the inheritorID. If the inheritorID is not set, go to slow path.
- m_jit.loadPtr(MacroAssembler::Address(calleeGPR, JSFunction::offsetOfCachedInheritorID()), scratchGPR);
+ m_jit.loadPtr(MacroAssembler::Address(calleeGPR, JSFunction::offsetOfCachedInheritorID()), structureGPR);
MacroAssembler::JumpList slowPath;
- slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, scratchGPR));
+ slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, structureGPR));
- emitAllocateJSFinalObject(scratchGPR, resultGPR, scratchGPR, slowPath);
+ emitAllocateJSFinalObject(structureGPR, resultGPR, scratchGPR, slowPath);
addSlowPathGenerator(slowPathCall(slowPath, this, operationCreateThis, resultGPR, calleeGPR));
Modified: trunk/Source/_javascript_Core/jit/JITInlineMethods.h (128145 => 128146)
--- trunk/Source/_javascript_Core/jit/JITInlineMethods.h 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/jit/JITInlineMethods.h 2012-09-11 05:05:53 UTC (rev 128146)
@@ -422,9 +422,6 @@
// initialize the object's structure
storePtr(structure, Address(result, JSCell::structureOffset()));
- // initialize the object's classInfo pointer
- storePtr(TrustedImmPtr(&ClassType::s_info), Address(result, JSCell::classInfoOffset()));
-
// initialize the object's property storage pointer
storePtr(TrustedImmPtr(0), Address(result, ClassType::offsetOfOutOfLineStorage()));
}
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (128145 => 128146)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2012-09-11 05:05:53 UTC (rev 128146)
@@ -86,9 +86,9 @@
# Property storage constants
if JSVALUE64
- const InlineStorageCapacity = 5
-else
const InlineStorageCapacity = 6
+else
+ const InlineStorageCapacity = 7
end
# Allocation constants
@@ -310,7 +310,7 @@
.stackHeightOK:
end
-macro allocateBasicJSObject(sizeClassIndex, classInfoOffset, structure, result, scratch1, scratch2, slowCase)
+macro allocateBasicJSObject(sizeClassIndex, structure, result, scratch1, scratch2, slowCase)
if ALWAYS_ALLOCATE_SLOW
jmp slowCase
else
@@ -338,8 +338,6 @@
storep scratch2, offsetOfMySizeClass + offsetOfFirstFreeCell[scratch1]
# Initialize the object.
- loadp classInfoOffset[scratch1], scratch2
- storep scratch2, [result]
storep structure, JSCell::m_structure[result]
storep 0, JSObject::m_outOfLineStorage[result]
end
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (128145 => 128146)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2012-09-11 05:05:53 UTC (rev 128146)
@@ -352,7 +352,7 @@
loadp Callee[cfr], t0
loadp JSFunction::m_cachedInheritorID[t0], t2
btpz t2, .opCreateThisSlow
- allocateBasicJSObject(JSFinalObjectSizeClassIndex, JSGlobalData::jsFinalObjectClassInfo, t2, t0, t1, t3, .opCreateThisSlow)
+ allocateBasicJSObject(JSFinalObjectSizeClassIndex, t2, t0, t1, t3, .opCreateThisSlow)
loadi 4[PC], t1
storei CellTag, TagOffset[cfr, t1, 8]
storei t0, PayloadOffset[cfr, t1, 8]
@@ -384,7 +384,7 @@
loadp CodeBlock[cfr], t0
loadp CodeBlock::m_globalObject[t0], t0
loadp JSGlobalObject::m_emptyObjectStructure[t0], t1
- allocateBasicJSObject(JSFinalObjectSizeClassIndex, JSGlobalData::jsFinalObjectClassInfo, t1, t0, t2, t3, .opNewObjectSlow)
+ allocateBasicJSObject(JSFinalObjectSizeClassIndex, t1, t0, t2, t3, .opNewObjectSlow)
loadi 4[PC], t1
storei CellTag, TagOffset[cfr, t1, 8]
storei t0, PayloadOffset[cfr, t1, 8]
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (128145 => 128146)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2012-09-11 05:05:53 UTC (rev 128146)
@@ -236,7 +236,7 @@
loadp Callee[cfr], t0
loadp JSFunction::m_cachedInheritorID[t0], t2
btpz t2, .opCreateThisSlow
- allocateBasicJSObject(JSFinalObjectSizeClassIndex, JSGlobalData::jsFinalObjectClassInfo, t2, t0, t1, t3, .opCreateThisSlow)
+ allocateBasicJSObject(JSFinalObjectSizeClassIndex, t2, t0, t1, t3, .opCreateThisSlow)
loadis 8[PB, PC, 8], t1
storep t0, [cfr, t1, 8]
dispatch(2)
@@ -267,7 +267,7 @@
loadp CodeBlock[cfr], t0
loadp CodeBlock::m_globalObject[t0], t0
loadp JSGlobalObject::m_emptyObjectStructure[t0], t1
- allocateBasicJSObject(JSFinalObjectSizeClassIndex, JSGlobalData::jsFinalObjectClassInfo, t1, t0, t2, t3, .opNewObjectSlow)
+ allocateBasicJSObject(JSFinalObjectSizeClassIndex, t1, t0, t2, t3, .opNewObjectSlow)
loadis 8[PB, PC, 8], t1
storep t0, [cfr, t1, 8]
dispatch(2)
Modified: trunk/Source/_javascript_Core/runtime/JSCell.h (128145 => 128146)
--- trunk/Source/_javascript_Core/runtime/JSCell.h 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/runtime/JSCell.h 2012-09-11 05:05:53 UTC (rev 128146)
@@ -109,7 +109,6 @@
// Object operations, with the toObject operation included.
const ClassInfo* classInfo() const;
- const ClassInfo* validatedClassInfo() const;
const MethodTable* methodTable() const;
static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
@@ -134,11 +133,6 @@
return OBJECT_OFFSETOF(JSCell, m_structure);
}
- static ptrdiff_t classInfoOffset()
- {
- return OBJECT_OFFSETOF(JSCell, m_classInfo);
- }
-
void* structureAddress()
{
return &m_structure;
@@ -171,7 +165,6 @@
private:
friend class LLIntOffsetsExtractor;
- const ClassInfo* m_classInfo;
WriteBarrier<Structure> m_structure;
};
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (128145 => 128146)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2012-09-11 05:05:53 UTC (rev 128146)
@@ -346,9 +346,6 @@
Structure* createInheritorID(JSGlobalData&);
StorageBarrier m_outOfLineStorage;
-#if USE(JSVALUE32_64)
- void* m_padding;
-#endif
};
Modified: trunk/Source/_javascript_Core/runtime/PropertyOffset.h (128145 => 128146)
--- trunk/Source/_javascript_Core/runtime/PropertyOffset.h 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/runtime/PropertyOffset.h 2012-09-11 05:05:53 UTC (rev 128146)
@@ -34,9 +34,9 @@
namespace JSC {
#if USE(JSVALUE32_64)
+#define INLINE_STORAGE_CAPACITY 7
+#else
#define INLINE_STORAGE_CAPACITY 6
-#else
-#define INLINE_STORAGE_CAPACITY 5
#endif
typedef int PropertyOffset;
Modified: trunk/Source/_javascript_Core/runtime/Structure.h (128145 => 128146)
--- trunk/Source/_javascript_Core/runtime/Structure.h 2012-09-11 05:03:55 UTC (rev 128145)
+++ trunk/Source/_javascript_Core/runtime/Structure.h 2012-09-11 05:05:53 UTC (rev 128146)
@@ -554,16 +554,6 @@
m_structure.set(globalData, this, structure);
}
- inline const ClassInfo* JSCell::validatedClassInfo() const
- {
-#if ENABLE(GC_VALIDATION)
- ASSERT(m_structure.unvalidatedGet()->classInfo() == m_classInfo);
-#else
- ASSERT(m_structure->classInfo() == m_classInfo);
-#endif
- return m_classInfo;
- }
-
ALWAYS_INLINE void SlotVisitor::internalAppend(JSCell* cell)
{
ASSERT(!m_isCheckingForDefaultMarkViolation);
@@ -603,8 +593,7 @@
}
inline JSCell::JSCell(JSGlobalData& globalData, Structure* structure)
- : m_classInfo(structure->classInfo())
- , m_structure(globalData, this, structure)
+ : m_structure(globalData, this, structure)
{
}
@@ -616,7 +605,6 @@
if (structure)
#endif
m_structure.setEarlyValue(globalData, this, structure);
- m_classInfo = structure->classInfo();
// Very first set of allocations won't have a real structure.
ASSERT(m_structure || !globalData.structureStructure);
}
