ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 28 Jul 2017 20:29:09 +0000 (20:29 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 28 Jul 2017 20:29:09 +0000 (20:29 +0000)
commit 1068d1772698111fab64dfe29613f87be15e9e35
tree ac8736e00a0d304266fd9a96def4dbc0c34477d8
parent 32a122d39dfe65d0d88f2e47e41d5dff410e3b90
ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
https://bugs.webkit.org/show_bug.cgi?id=174948
<rdar://problem/33495680>

Reviewed by Filip Pizlo.

JSTests:

* stress/regress-174948.js: Added.

Source/JavaScriptCore:

ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
owner StructureRareData is already known to be dead (in terms of GC liveness) but
hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
requests to fire this watchpoint.

If the GC had the chance to sweep the StructureRareData, thereby destructing the
ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
itself from the WatchpointSet it was on.  Hence, it would not have been fired.

But since the watchpoint hasn't been destructed yet, it still remains on the
WatchpointSet and needs to guard against being fired in this state.  The fix is
to simply return early if its owner StructureRareData is not live.  This has the
effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
not firing as we would expect.

This patch also removes some cargo cult copying of watchpoint code which
instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
used.  This patch removes these unnecessary instantiations.

* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
* runtime/StructureRareData.cpp:
(JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
(JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220012 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regress-174948.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
Source/JavaScriptCore/runtime/StructureRareData.cpp
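The dead-but-not-yet-swept window the commit describes, as an added stand-alone model that is not WebKit code: `RareData`, `OwnedWatchpoint` and `WatchpointSet` are assumed stand-ins for StructureRareData, ObjectToStringAdaptiveStructureWatchpoint and the real WatchpointSet, and the `guardLiveness` flag switches the early return from the fix on and off.

```cpp
#include <algorithm>
#include <vector>

// Constructed model (not WebKit code) of the liveness guard described in the commit.
// RareData stands in for StructureRareData: the GC can find it dead before sweeping it.
struct RareData {
    bool isLive = true;  // false once the GC knows it is unreachable but has not swept it
    int firedCount = 0;  // how often a watchpoint acted on this owner
};

struct Watchpoint {
    virtual ~Watchpoint() = default;
    virtual void fireInternal() = 0;
};

// The set keeps raw pointers; a watchpoint leaves it only when its owner is destructed.
struct WatchpointSet {
    std::vector<Watchpoint*> members;
    void add(Watchpoint* w) { members.push_back(w); }
    void remove(Watchpoint* w) {
        members.erase(std::remove(members.begin(), members.end(), w), members.end());
    }
    void fireAll() {
        for (Watchpoint* w : std::vector<Watchpoint*>(members))
            w->fireInternal();
    }
};

// Stands in for ObjectToStringAdaptiveStructureWatchpoint.
struct OwnedWatchpoint : Watchpoint {
    RareData* owner;
    bool guardLiveness;
    OwnedWatchpoint(RareData* o, bool guard) : owner(o), guardLiveness(guard) {}
    void fireInternal() override {
        if (guardLiveness && !owner->isLive)
            return;            // the fix: owner is dead, so the fire is a no-op
        ++owner->firedCount;   // without the guard, the fire acts on a dead owner
    }
};

// Returns how many times the watchpoint acted on its owner after the owner died.
int firesAfterOwnerDeath(bool guardLiveness) {
    RareData rareData;
    OwnedWatchpoint watchpoint(&rareData, guardLiveness);
    WatchpointSet set;
    set.add(&watchpoint);
    rareData.isLive = false;   // GC marked the owner dead but has not swept it yet
    set.fireAll();             // the set is invalidated inside that window
    set.remove(&watchpoint);   // what the eventual destructor would have done
    return rareData.firedCount;
}
```

Without the guard the dead owner is touched once; with it the fire is ignored, which is the same outcome as if the sweep had already removed the watchpoint from the set.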