There are many places in the code for JSObject and JSArray where they are manipulating their Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks like it will make this dance even more intricate. To make everybody's lives easier we should use the DeferGC mechanism in these functions to make these GC critical sections both obvious in the code and trivially safe. Deferring collections will usually only last marginally longer, thus we should not incur any additional overhead.
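The scoping idea in the report above, as an added toy model in C++ that is not JavaScriptCore code and not part of the original thread: a guard object defers collection while an object's structure and backing storage are out of step. All names (`ToyHeap`, `ToyObject`, `DeferGuard`, `growSeesTornObject`) are hypothetical, and the "collector" only checks the invariant it would rely on.

```cpp
#include <cstddef>
#include <memory>

// Toy model, not JavaScriptCore code: every name below is hypothetical.
struct ToyObject;

struct ToyHeap {
    unsigned deferDepth = 0;      // >0 while some DeferGuard is alive
    bool pending = false;         // a collection was requested while deferred
    bool sawTornObject = false;   // collector visited an inconsistent object
    ToyObject* root = nullptr;
    void collect();
    // Any allocation may trigger a collection, unless collection is deferred.
    std::unique_ptr<int[]> allocate(std::size_t n) {
        if (deferDepth) pending = true; else collect();
        return std::make_unique<int[]>(n);
    }
};

struct ToyObject {
    std::size_t structureCount = 0;   // slots the "structure" claims exist
    std::size_t storageCapacity = 0;  // slots the backing storage really has
    std::unique_ptr<int[]> storage;
};

void ToyHeap::collect() {
    pending = false;
    // The collector trusts the structure when scanning storage.
    if (root && root->structureCount > root->storageCapacity) sawTornObject = true;
}

// RAII scope that marks a GC critical section and makes it safe.
struct DeferGuard {
    ToyHeap& heap;
    explicit DeferGuard(ToyHeap& h) : heap(h) { ++heap.deferDepth; }
    ~DeferGuard() { if (--heap.deferDepth == 0 && heap.pending) heap.collect(); }
};

// Grows storage with the structure updated first, so a collection inside allocate() sees a torn object.
bool growSeesTornObject(bool defer) {
    ToyHeap heap; ToyObject obj; heap.root = &obj;
    {
        std::unique_ptr<DeferGuard> guard;
        if (defer) guard = std::make_unique<DeferGuard>(heap);
        obj.structureCount = 8;              // critical section begins
        obj.storage = heap.allocate(8);      // may collect here
        obj.storageCapacity = 8;             // critical section ends
    }                                        // deferred collection runs here
    return heap.sawTornObject;
}
```

With the guard in place the requested collection still happens, only at the end of the scope, once the object is consistent again.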
Created attachment 209405: Patch
Still running benchmarks.
Comment on attachment 209405: Patch
If we used DeferGC when creating JS objects, we could remove the whole "finishConstruction" dance and switch back to normal C++ constructors.
Comment on attachment 209405: Patch
Clearing flags on attachment: 209405
Committed r154471: <http://trac.webkit.org/changeset/154471>
All reviewed patches have been landed. Closing bug.