jsarena.{cpp,h} are *awful*. Bad things I've discovered so far: - Bug 675150. - In multiple places we compare |nb| (the size of an allocation request) against |a->limit| (a pointer). WTF? - There's this optimization where larger-than-arena-size allocations get an extra pointer in their header so that if they are reallocated, we can avoid searching through the list of JSArenas. But it's hardly ever hit (once in all of SunSpider, a few dozen times in the browser when starting up and loading Gmail). But it complicates things massively. Seriously, I just started out wanting to fix bug 675150, but I'm having trouble seeing how to do incremental fixes, the whole thing is so busted. This code should be about half as long as it currently is.

Please do. Chris had a patch from a year ago that redid things in a template-y manner. Of historical interest, jsarena used to support inline function calls, invoke args, and a few other things before these were all redone. That may explain some of the hackage.

(In reply to comment #0) > > - In multiple places we compare |nb| (the size of an allocation request) > against |a->limit| (a pointer). WTF? Oh god, turns out this is necessary to avoid wrap-arounds in some cases. There's no comment explaining it, of course :(

(In reply to comment #1) > Please do. Chris had a patch from a year ago that redid things in a > template-y manner. Yeah, bug 559408. It landed and bounced, but got marked RESOLVE FIXED nonetheless.

Changes in this patch: - Each oversized block had an extra pointer in its header which allowed its arena to be found in O(1) time; this was used if it was realloc'd. This turned out to not help in practice, AFAICT, and was hugely complex, so I removed it. - It restricts the requested alignments to 1, 2, 4 or 8. This avoids a lot of mucking around with post-header alignment code, because the header is always 8-aligned. (Multiple assertions guarantee this.) - Adds some comments. Passes jstests and jit-tests; I'll do a full try server run before any landing.