https://bugs.webkit.org/show_bug.cgi?id=174948
<rdar://problem/33495680>
Reviewed by Filip Pizlo.
JSTests:
* stress/regress-174948.js: Added.
Source/JavaScriptCore:
ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData. If its
owner StructureRareData is already known to be dead (in terms of GC liveness) but
hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
requests to fire this watchpoint.
If the GC had the chance to sweep the StructureRareData, thereby destructing the
ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
itself from the WatchpointSet it was on. Hence, it would not have been fired.
But since the watchpoint hasn't been destructed yet, it still remains on the
WatchpointSet and needs to guard against being fired in this state. The fix is
to simply return early if its owner StructureRareData is not live. This has the
effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
not firing as we would expect.
This patch also removes some cargo cult copying of watchpoint code which
instantiates a StringFireDetail. In a few cases, that StringFireDetail is never
used. This patch removes these unnecessary instantiations.
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
* runtime/StructureRareData.cpp:
(JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
(JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220012 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2017-07-28 Mark Lam <mark.lam@apple.com>
+
+ ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
+ https://bugs.webkit.org/show_bug.cgi?id=174948
+ <rdar://problem/33495680>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/regress-174948.js: Added.
+
2017-07-28 Yusuke Suzuki <utatane.tea@gmail.com>
ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
--- /dev/null
++new function() {};
+new function() {};
+edenGC();
+(function() {}).prototype[0] = 0;
+
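Review bot: the new test file has no comment saying what state it depends on. The ordering of the two `new function() {};` allocations, then `edenGC();`, then `(function() {}).prototype[0] = 0;` is presumably what leaves the owner StructureRareData dead but unswept when the watchpoint fires, yet that is only stated in the ChangeLog. A short header comment with the bug number and that ordering would stop the test being reordered or trimmed later. The file also asserts nothing, so the comment should say that a clean exit with no crash is the pass condition.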
+2017-07-28 Mark Lam <mark.lam@apple.com>
+
+ ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
+ https://bugs.webkit.org/show_bug.cgi?id=174948
+ <rdar://problem/33495680>
+
+ Reviewed by Filip Pizlo.
+
+ ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData. If its
+ owner StructureRareData is already known to be dead (in terms of GC liveness) but
+ hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
+ requests to fire this watchpoint.
+
+ If the GC had the chance to sweep the StructureRareData, thereby destructing the
+ ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
+ itself from the WatchpointSet it was on. Hence, it would not have been fired.
+
+ But since the watchpoint hasn't been destructed yet, it still remains on the
+ WatchpointSet and needs to guard against being fired in this state. The fix is
+ to simply return early if its owner StructureRareData is not live. This has the
+ effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
+ not firing as we would expect.
+
+ This patch also removes some cargo cult copying of watchpoint code which
+ instantiates a StringFireDetail. In a few cases, that StringFireDetail is never
+ used. This patch removes these unnecessary instantiations.
+
+ * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
+ (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
+ * runtime/StructureRareData.cpp:
+ (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
+ (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
+
2017-07-28 Yusuke Suzuki <utatane.tea@gmail.com>
ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
m_key.object()->structure()->addTransitionWatchpoint(this);
}
-void LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal(const FireDetail& detail)
+void LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal(const FireDetail&)
{
if (m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
install();
return;
}
- StringPrintStream out;
- out.print("ObjectToStringValue Adaptation of ", m_key, " failed: ", detail);
-
- StringFireDetail stringDetail(out.toCString().data());
-
CodeBlock::clearLLIntGetByIdCache(m_getByIdInstruction);
}
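Review bot: possible missing check on the fall-through path of `LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal`. It still calls `CodeBlock::clearLLIntGetByIdCache(m_getByIdInstruction);` with no liveness test, while the sibling `ObjectToStringAdaptiveStructureWatchpoint::fireInternal` in this same patch gains `if (!m_structureRareData->isLive()) return;`. If whatever owns `m_getByIdInstruction` can also be dead but not yet swept when this watchpoint fires, the same early return belongs here; if it cannot, a one-line comment saying why would settle the question for the next reader.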
m_key.object()->structure()->addTransitionWatchpoint(this);
}
-void ObjectToStringAdaptiveStructureWatchpoint::fireInternal(const FireDetail& detail)
+void ObjectToStringAdaptiveStructureWatchpoint::fireInternal(const FireDetail&)
{
+ if (!m_structureRareData->isLive())
+ return;
+
if (m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
install();
return;
}
- StringPrintStream out;
- out.print("ObjectToStringValue Adaptation of ", m_key, " failed: ", detail);
-
- StringFireDetail stringDetail(out.toCString().data());
-
m_structureRareData->clearObjectToStringValue();
}
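Review bot: the new early return at the top of `ObjectToStringAdaptiveStructureWatchpoint::fireInternal` should carry a comment. `if (!m_structureRareData->isLive()) return;` reads like a routine guard, but the reason for it (the owner is dead in GC terms yet not swept, so this watchpoint is still on its WatchpointSet and `m_structureRareData` is still dereferenceable) lives only in the ChangeLog. Two lines above the check stating that would keep it from being removed as redundant, and would make clear it must stay ahead of both the `install()` path and `clearObjectToStringValue()`.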
return m_structureRareData->isLive();
}
-void ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire(const FireDetail& detail)
+void ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire(const FireDetail&)
{
- StringPrintStream out;
- out.print("Adaptation of ", key(), " failed: ", detail);
-
- StringFireDetail stringDetail(out.toCString().data());
-
m_structureRareData->clearObjectToStringValue();
}
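Review bot: `ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire` calls `m_structureRareData->clearObjectToStringValue();` with no liveness test of its own. The context line just above, `return m_structureRareData->isLive();`, suggests a validity hook on this class already covers the dead-owner case; please confirm that `handleFire` is only reached after that hook has returned true. If so, an assertion on `m_structureRareData->isLive()` at the top of `handleFire` would document the dependency; if not, this function needs the same early return that `fireInternal` received.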