<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[202588] trunk/Source</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/202588">202588</a></dd>
<dt>Author</dt> <dd>sbarati@apple.com</dd>
<dt>Date</dt> <dd>2016-06-28 14:30:20 -0700 (Tue, 28 Jun 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct
https://bugs.webkit.org/show_bug.cgi?id=159198
<rdar://problem/26302360>
Reviewed by Filip Pizlo.
Source/JavaScriptCore:
Firing a watchpoint may cause a GC to happen. This GC could destroy various
Watchpoints themselves while they're in the process of firing. It's not safe
for most Watchpoints to be destructed while they're in the middle of firing.
This GC could also destroy the WatchpointSet itself, and it's not in a safe
state to be destroyed. WatchpointSet::fireAllWatchpoints now defers gc for a
while. This prevents a GC from destructing any Watchpoints while they're
in the process of firing. This bug was being hit by the stress GC bots
because we would destruct a particular Watchpoint while it was firing,
and then we would access its field after it had already been destroyed.
This was causing all kinds of weird symptoms. Also, this was easier to
catch when running with guard malloc because the first access after
destruction would lead to a crash.
* bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
(JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/VariableWriteFireDetail.cpp:
(JSC::VariableWriteFireDetail::dump):
(JSC::VariableWriteFireDetail::touch):
* bytecode/VariableWriteFireDetail.h:
* bytecode/Watchpoint.cpp:
(JSC::WatchpointSet::add):
(JSC::WatchpointSet::fireAllSlow):
(JSC::WatchpointSet::fireAllWatchpoints):
(JSC::InlineWatchpointSet::add):
(JSC::InlineWatchpointSet::fireAll):
(JSC::InlineWatchpointSet::inflateSlow):
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::startWatching):
(JSC::WatchpointSet::fireAll):
(JSC::WatchpointSet::touch):
(JSC::WatchpointSet::invalidate):
(JSC::WatchpointSet::isBeingWatched):
(JSC::WatchpointSet::offsetOfState):
(JSC::WatchpointSet::addressOfSetIsNotEmpty):
(JSC::InlineWatchpointSet::startWatching):
(JSC::InlineWatchpointSet::fireAll):
(JSC::InlineWatchpointSet::invalidate):
(JSC::InlineWatchpointSet::touch):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGOperations.cpp:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jit/JITOperations.cpp:
* jsc.cpp:
(WTF::Masquerader::create):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ArrayBufferNeuteringWatchpoint.cpp:
(JSC::ArrayBufferNeuteringWatchpoint::fireAll):
* runtime/FunctionRareData.cpp:
(JSC::FunctionRareData::clear):
* runtime/InferredType.cpp:
(JSC::InferredType::willStoreValueSlow):
(JSC::InferredType::makeTopSlow):
(JSC::InferredType::set):
(JSC::InferredType::removeStructure):
(JSC::InferredType::InferredStructureWatchpoint::fireInternal):
* runtime/InferredValue.cpp:
(JSC::InferredValue::notifyWriteSlow):
(JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
* runtime/InferredValue.h:
(JSC::InferredValue::notifyWrite):
(JSC::InferredValue::invalidate):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::haveABadTime):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePutTouchWatchpointSet):
(JSC::symbolTablePutInvalidateWatchpointSet):
* runtime/Structure.cpp:
(JSC::Structure::didCachePropertyReplacement):
(JSC::Structure::startWatchingInternalProperties):
(JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
(JSC::DeferredStructureTransitionWatchpointFire::add):
(JSC::Structure::didTransitionFromThisStructure):
(JSC::Structure::prototypeForLookup):
* runtime/StructureInlines.h:
(JSC::Structure::didReplaceProperty):
(JSC::Structure::propertyReplacementWatchpointSet):
* runtime/SymbolTable.h:
(JSC::SymbolTableEntry::isDontEnum):
(JSC::SymbolTableEntry::disableWatching):
* runtime/VM.cpp:
(JSC::VM::addImpureProperty):
(JSC::enableProfilerWithRespectToCount):
Source/WebCore:
* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::fireFrameClearedWatchpointsForWindow):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
* bindings/scripts/test/JS/JSTestEventTarget.h:
(WebCore::JSTestEventTarget::create):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeAdaptiveInferredPropertyValueWatchpointBasecpp">trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeVariableWriteFireDetailcpp">trunk/Source/JavaScriptCore/bytecode/VariableWriteFireDetail.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeVariableWriteFireDetailh">trunk/Source/JavaScriptCore/bytecode/VariableWriteFireDetail.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeWatchpointcpp">trunk/Source/JavaScriptCore/bytecode/Watchpoint.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeWatchpointh">trunk/Source/JavaScriptCore/bytecode/Watchpoint.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCopyBarrierh">trunk/Source/JavaScriptCore/heap/CopyBarrier.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterInterpretercpp">trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejsccpp">trunk/Source/JavaScriptCore/jsc.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntSlowPathscpp">trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointcpp">trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionRareDatacpp">trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeInferredTypecpp">trunk/Source/JavaScriptCore/runtime/InferredType.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeInferredValuecpp">trunk/Source/JavaScriptCore/runtime/InferredValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeInferredValueh">trunk/Source/JavaScriptCore/runtime/InferredValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSymbolTableObjecth">trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructurecpp">trunk/Source/JavaScriptCore/runtime/Structure.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureInlinesh">trunk/Source/JavaScriptCore/runtime/StructureInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSymbolTableh">trunk/Source/JavaScriptCore/runtime/SymbolTable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMcpp">trunk/Source/JavaScriptCore/runtime/VM.cpp</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMWindowBasecpp">trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm">trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptstestJSJSTestEventTargeth">trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -1,3 +1,99 @@
</span><ins>+2016-06-28 Saam Barati <sbarati@apple.com>
+
+ some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct
+ https://bugs.webkit.org/show_bug.cgi?id=159198
+ <rdar://problem/26302360>
+
+ Reviewed by Filip Pizlo.
+
+ Firing a watchpoint may cause a GC to happen. This GC could destroy various
+ Watchpoints themselves while they're in the process of firing. It's not safe
+ for most Watchpoints to be destructed while they're in the middle of firing.
+ This GC could also destroy the WatchpointSet itself, and it's not in a safe
+ state to be destroyed. WatchpointSet::fireAllWatchpoints now defers gc for a
+ while. This prevents a GC from destructing any Watchpoints while they're
+ in the process of firing. This bug was being hit by the stress GC bots
+ because we would destruct a particular Watchpoint while it was firing,
+ and then we would access its field after it had already been destroyed.
+ This was causing all kinds of weird symptoms. Also, this was easier to
+ catch when running with guard malloc because the first access after
+ destruction would lead to a crash.
+
+ * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
+ (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ * bytecode/VariableWriteFireDetail.cpp:
+ (JSC::VariableWriteFireDetail::dump):
+ (JSC::VariableWriteFireDetail::touch):
+ * bytecode/VariableWriteFireDetail.h:
+ * bytecode/Watchpoint.cpp:
+ (JSC::WatchpointSet::add):
+ (JSC::WatchpointSet::fireAllSlow):
+ (JSC::WatchpointSet::fireAllWatchpoints):
+ (JSC::InlineWatchpointSet::add):
+ (JSC::InlineWatchpointSet::fireAll):
+ (JSC::InlineWatchpointSet::inflateSlow):
+ * bytecode/Watchpoint.h:
+ (JSC::WatchpointSet::startWatching):
+ (JSC::WatchpointSet::fireAll):
+ (JSC::WatchpointSet::touch):
+ (JSC::WatchpointSet::invalidate):
+ (JSC::WatchpointSet::isBeingWatched):
+ (JSC::WatchpointSet::offsetOfState):
+ (JSC::WatchpointSet::addressOfSetIsNotEmpty):
+ (JSC::InlineWatchpointSet::startWatching):
+ (JSC::InlineWatchpointSet::fireAll):
+ (JSC::InlineWatchpointSet::invalidate):
+ (JSC::InlineWatchpointSet::touch):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * dfg/DFGOperations.cpp:
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ * jit/JITOperations.cpp:
+ * jsc.cpp:
+ (WTF::Masquerader::create):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/ArrayBufferNeuteringWatchpoint.cpp:
+ (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
+ * runtime/FunctionRareData.cpp:
+ (JSC::FunctionRareData::clear):
+ * runtime/InferredType.cpp:
+ (JSC::InferredType::willStoreValueSlow):
+ (JSC::InferredType::makeTopSlow):
+ (JSC::InferredType::set):
+ (JSC::InferredType::removeStructure):
+ (JSC::InferredType::InferredStructureWatchpoint::fireInternal):
+ * runtime/InferredValue.cpp:
+ (JSC::InferredValue::notifyWriteSlow):
+ (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
+ * runtime/InferredValue.h:
+ (JSC::InferredValue::notifyWrite):
+ (JSC::InferredValue::invalidate):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::haveABadTime):
+ * runtime/JSSymbolTableObject.h:
+ (JSC::symbolTablePutTouchWatchpointSet):
+ (JSC::symbolTablePutInvalidateWatchpointSet):
+ * runtime/Structure.cpp:
+ (JSC::Structure::didCachePropertyReplacement):
+ (JSC::Structure::startWatchingInternalProperties):
+ (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
+ (JSC::DeferredStructureTransitionWatchpointFire::add):
+ (JSC::Structure::didTransitionFromThisStructure):
+ (JSC::Structure::prototypeForLookup):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::didReplaceProperty):
+ (JSC::Structure::propertyReplacementWatchpointSet):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTableEntry::isDontEnum):
+ (JSC::SymbolTableEntry::disableWatching):
+ * runtime/VM.cpp:
+ (JSC::VM::addImpureProperty):
+ (JSC::enableProfilerWithRespectToCount):
+
</ins><span class="cx"> 2016-06-28 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> JSRopeString should use release asserts, not debug asserts, about substring bounds
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeAdaptiveInferredPropertyValueWatchpointBasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -50,10 +50,6 @@
</span><span class="cx">
</span><span class="cx"> void AdaptiveInferredPropertyValueWatchpointBase::fire(const FireDetail& detail)
</span><span class="cx"> {
</span><del>- // We need to defer GC here otherwise we might trigger a GC that could destroy the owner
- // CodeBlock. In particular, this can happen when we add rare data to a structure when
- // we EnsureWatchability.
- DeferGCForAWhile defer(*Heap::heap(m_key.object()));
</del><span class="cx"> // One of the watchpoints fired, but the other one didn't. Make sure that neither of them are
</span><span class="cx"> // in any set anymore. This simplifies things by allowing us to reinstall the watchpoints
</span><span class="cx"> // wherever from scratch.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -2240,7 +2240,7 @@
</span><span class="cx"> instructions[i + 5].u.watchpointSet = op.watchpointSet;
</span><span class="cx"> else if (op.type == ClosureVar || op.type == ClosureVarWithVarInjectionChecks) {
</span><span class="cx"> if (op.watchpointSet)
</span><del>- op.watchpointSet->invalidate(PutToScopeFireDetail(this, ident));
</del><ins>+ op.watchpointSet->invalidate(vm, PutToScopeFireDetail(this, ident));
</ins><span class="cx"> } else if (op.structure)
</span><span class="cx"> instructions[i + 5].u.structure.set(vm, this, op.structure);
</span><span class="cx"> instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeVariableWriteFireDetailcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/VariableWriteFireDetail.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/VariableWriteFireDetail.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/bytecode/VariableWriteFireDetail.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -35,9 +35,9 @@
</span><span class="cx"> out.print("Write to ", m_name, " in ", JSValue(m_object));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void VariableWriteFireDetail::touch(WatchpointSet* set, JSObject* object, const PropertyName& name)
</del><ins>+void VariableWriteFireDetail::touch(VM& vm, WatchpointSet* set, JSObject* object, const PropertyName& name)
</ins><span class="cx"> {
</span><del>- set->touch(VariableWriteFireDetail(object, name));
</del><ins>+ set->touch(vm, VariableWriteFireDetail(object, name));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeVariableWriteFireDetailh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/VariableWriteFireDetail.h (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/VariableWriteFireDetail.h 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/bytecode/VariableWriteFireDetail.h 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -43,7 +43,7 @@
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE void dump(PrintStream&) const override;
</span><span class="cx">
</span><del>- JS_EXPORT_PRIVATE static void touch(WatchpointSet*, JSObject*, const PropertyName&);
</del><ins>+ JS_EXPORT_PRIVATE static void touch(VM&, WatchpointSet*, JSObject*, const PropertyName&);
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> JSObject* m_object;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeWatchpointcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/Watchpoint.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/Watchpoint.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/bytecode/Watchpoint.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -26,6 +26,8 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "Watchpoint.h"
</span><span class="cx">
</span><ins>+#include "HeapInlines.h"
+#include "VM.h"
</ins><span class="cx"> #include <wtf/CompilationThread.h>
</span><span class="cx"> #include <wtf/PassRefPtr.h>
</span><span class="cx">
</span><span class="lines">@@ -81,26 +83,33 @@
</span><span class="cx"> m_state = IsWatched;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void WatchpointSet::fireAllSlow(const FireDetail& detail)
</del><ins>+void WatchpointSet::fireAllSlow(VM& vm, const FireDetail& detail)
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(state() == IsWatched);
</span><span class="cx">
</span><span class="cx"> WTF::storeStoreFence();
</span><span class="cx"> m_state = IsInvalidated; // Do this first. Needed for adaptive watchpoints.
</span><del>- fireAllWatchpoints(detail);
</del><ins>+ fireAllWatchpoints(vm, detail);
</ins><span class="cx"> WTF::storeStoreFence();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void WatchpointSet::fireAllSlow(const char* reason)
</del><ins>+void WatchpointSet::fireAllSlow(VM& vm, const char* reason)
</ins><span class="cx"> {
</span><del>- fireAllSlow(StringFireDetail(reason));
</del><ins>+ fireAllSlow(vm, StringFireDetail(reason));
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-void WatchpointSet::fireAllWatchpoints(const FireDetail& detail)
</del><ins>+void WatchpointSet::fireAllWatchpoints(VM& vm, const FireDetail& detail)
</ins><span class="cx"> {
</span><span class="cx"> // In case there are any adaptive watchpoints, we need to make sure that they see that this
</span><span class="cx"> // watchpoint has been already invalidated.
</span><span class="cx"> RELEASE_ASSERT(hasBeenInvalidated());
</span><ins>+
+ // Firing a watchpoint may cause a GC to happen. This GC could destroy various
+ // Watchpoints themselves while they're in the process of firing. It's not safe
+ // for most Watchpoints to be destructed while they're in the middle of firing.
+ // This GC could also destroy us, and we're not in a safe state to be destroyed.
+ // The safest thing to do is to DeferGCForAWhile to prevent this GC from happening.
+ DeferGCForAWhile deferGC(vm.heap);
</ins><span class="cx">
</span><span class="cx"> while (!m_set.isEmpty()) {
</span><span class="cx"> Watchpoint* watchpoint = m_set.begin();
</span><span class="lines">@@ -130,9 +139,9 @@
</span><span class="cx"> inflate()->add(watchpoint);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void InlineWatchpointSet::fireAll(const char* reason)
</del><ins>+void InlineWatchpointSet::fireAll(VM& vm, const char* reason)
</ins><span class="cx"> {
</span><del>- fireAll(StringFireDetail(reason));
</del><ins>+ fireAll(vm, StringFireDetail(reason));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> WatchpointSet* InlineWatchpointSet::inflateSlow()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeWatchpointh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/Watchpoint.h (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/Watchpoint.h 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/bytecode/Watchpoint.h 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -90,6 +90,7 @@
</span><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> class InlineWatchpointSet;
</span><ins>+class VM;
</ins><span class="cx">
</span><span class="cx"> class WatchpointSet : public ThreadSafeRefCounted<WatchpointSet> {
</span><span class="cx"> friend class LLIntOffsetsExtractor;
</span><span class="lines">@@ -152,43 +153,43 @@
</span><span class="cx"> WTF::storeStoreFence();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void fireAll(const FireDetail& detail)
</del><ins>+ void fireAll(VM& vm, const FireDetail& detail)
</ins><span class="cx"> {
</span><span class="cx"> if (LIKELY(m_state != IsWatched))
</span><span class="cx"> return;
</span><del>- fireAllSlow(detail);
</del><ins>+ fireAllSlow(vm, detail);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- void fireAll(const char* reason)
</del><ins>+ void fireAll(VM& vm, const char* reason)
</ins><span class="cx"> {
</span><span class="cx"> if (LIKELY(m_state != IsWatched))
</span><span class="cx"> return;
</span><del>- fireAllSlow(reason);
</del><ins>+ fireAllSlow(vm, reason);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- void touch(const FireDetail& detail)
</del><ins>+ void touch(VM& vm, const FireDetail& detail)
</ins><span class="cx"> {
</span><span class="cx"> if (state() == ClearWatchpoint)
</span><span class="cx"> startWatching();
</span><span class="cx"> else
</span><del>- fireAll(detail);
</del><ins>+ fireAll(vm, detail);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- void touch(const char* reason)
</del><ins>+ void touch(VM& vm, const char* reason)
</ins><span class="cx"> {
</span><del>- touch(StringFireDetail(reason));
</del><ins>+ touch(vm, StringFireDetail(reason));
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- void invalidate(const FireDetail& detail)
</del><ins>+ void invalidate(VM& vm, const FireDetail& detail)
</ins><span class="cx"> {
</span><span class="cx"> if (state() == IsWatched)
</span><del>- fireAll(detail);
</del><ins>+ fireAll(vm, detail);
</ins><span class="cx"> m_state = IsInvalidated;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void invalidate(const char* reason)
</del><ins>+ void invalidate(VM& vm, const char* reason)
</ins><span class="cx"> {
</span><del>- invalidate(StringFireDetail(reason));
</del><ins>+ invalidate(vm, StringFireDetail(reason));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool isBeingWatched() const
</span><span class="lines">@@ -200,11 +201,11 @@
</span><span class="cx"> static ptrdiff_t offsetOfState() { return OBJECT_OFFSETOF(WatchpointSet, m_state); }
</span><span class="cx"> int8_t* addressOfSetIsNotEmpty() { return &m_setIsNotEmpty; }
</span><span class="cx">
</span><del>- JS_EXPORT_PRIVATE void fireAllSlow(const FireDetail&); // Call only if you've checked isWatched.
- JS_EXPORT_PRIVATE void fireAllSlow(const char* reason); // Ditto.
</del><ins>+ JS_EXPORT_PRIVATE void fireAllSlow(VM&, const FireDetail&); // Call only if you've checked isWatched.
+ JS_EXPORT_PRIVATE void fireAllSlow(VM&, const char* reason); // Ditto.
</ins><span class="cx">
</span><span class="cx"> private:
</span><del>- void fireAllWatchpoints(const FireDetail&);
</del><ins>+ void fireAllWatchpoints(VM&, const FireDetail&);
</ins><span class="cx">
</span><span class="cx"> friend class InlineWatchpointSet;
</span><span class="cx">
</span><span class="lines">@@ -296,10 +297,10 @@
</span><span class="cx"> m_data = encodeState(IsWatched);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void fireAll(const FireDetail& detail)
</del><ins>+ void fireAll(VM& vm, const FireDetail& detail)
</ins><span class="cx"> {
</span><span class="cx"> if (isFat()) {
</span><del>- fat()->fireAll(detail);
</del><ins>+ fat()->fireAll(vm, detail);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx"> if (decodeState(m_data) == ClearWatchpoint)
</span><span class="lines">@@ -308,20 +309,20 @@
</span><span class="cx"> WTF::storeStoreFence();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void invalidate(const FireDetail& detail)
</del><ins>+ void invalidate(VM& vm, const FireDetail& detail)
</ins><span class="cx"> {
</span><span class="cx"> if (isFat())
</span><del>- fat()->invalidate(detail);
</del><ins>+ fat()->invalidate(vm, detail);
</ins><span class="cx"> else
</span><span class="cx"> m_data = encodeState(IsInvalidated);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JS_EXPORT_PRIVATE void fireAll(const char* reason);
</del><ins>+ JS_EXPORT_PRIVATE void fireAll(VM&, const char* reason);
</ins><span class="cx">
</span><del>- void touch(const FireDetail& detail)
</del><ins>+ void touch(VM& vm, const FireDetail& detail)
</ins><span class="cx"> {
</span><span class="cx"> if (isFat()) {
</span><del>- fat()->touch(detail);
</del><ins>+ fat()->touch(vm, detail);
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx"> uintptr_t data = m_data;
</span><span class="lines">@@ -335,9 +336,9 @@
</span><span class="cx"> WTF::storeStoreFence();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void touch(const char* reason)
</del><ins>+ void touch(VM& vm, const char* reason)
</ins><span class="cx"> {
</span><del>- touch(StringFireDetail(reason));
</del><ins>+ touch(vm, StringFireDetail(reason));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Note that for any watchpoint that is visible from the DFG, it would be incorrect to write code like:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -385,7 +385,7 @@
</span><span class="cx"> // notifyWrite(), since that would be cumbersome. Also, watching formal
</span><span class="cx"> // parameters when "arguments" is in play is unlikely to be super profitable.
</span><span class="cx"> // So, we just disable it.
</span><del>- entry.disableWatching();
</del><ins>+ entry.disableWatching(*m_vm);
</ins><span class="cx"> functionSymbolTable->set(NoLockingNecessary, name, entry);
</span><span class="cx"> }
</span><span class="cx"> emitOpcode(op_put_to_scope);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -1445,7 +1445,7 @@
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx">
</span><del>- set->touch("Executed NotifyWrite");
</del><ins>+ set->touch(vm, "Executed NotifyWrite");
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT_OPERATION operationThrowStackOverflowForVarargs(ExecState* exec)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCopyBarrierh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/CopyBarrier.h (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CopyBarrier.h 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/heap/CopyBarrier.h 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> #define CopyBarrier_h
</span><span class="cx">
</span><span class="cx"> #include "Heap.h"
</span><ins>+#include "VM.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterInterpretercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -1206,7 +1206,7 @@
</span><span class="cx"> if (numVariables || numFunctions) {
</span><span class="cx"> BatchedTransitionOptimizer optimizer(vm, variableObject);
</span><span class="cx"> if (variableObject->next())
</span><del>- variableObject->globalObject()->varInjectionWatchpoint()->fireAll("Executed eval, fired VarInjection watchpoint");
</del><ins>+ variableObject->globalObject()->varInjectionWatchpoint()->fireAll(vm, "Executed eval, fired VarInjection watchpoint");
</ins><span class="cx">
</span><span class="cx"> for (unsigned i = 0; i < numVariables; ++i) {
</span><span class="cx"> const Identifier& ident = codeBlock->variable(i);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -2078,7 +2078,7 @@
</span><span class="cx"> JSLexicalEnvironment* environment = jsCast<JSLexicalEnvironment*>(scope);
</span><span class="cx"> environment->variableAt(ScopeOffset(pc[6].u.operand)).set(vm, environment, value);
</span><span class="cx"> if (WatchpointSet* set = pc[5].u.watchpointSet)
</span><del>- set->touch("Executed op_put_scope<LocalClosureVar>");
</del><ins>+ set->touch(vm, "Executed op_put_scope<LocalClosureVar>");
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejsccpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jsc.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jsc.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/jsc.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -209,7 +209,7 @@
</span><span class="cx">
</span><span class="cx"> static Masquerader* create(VM& vm, JSGlobalObject* globalObject)
</span><span class="cx"> {
</span><del>- globalObject->masqueradesAsUndefinedWatchpoint()->fireAll("Masquerading object allocated");
</del><ins>+ globalObject->masqueradesAsUndefinedWatchpoint()->fireAll(vm, "Masquerading object allocated");
</ins><span class="cx"> Structure* structure = createStructure(vm, globalObject, jsNull());
</span><span class="cx"> Masquerader* result = new (NotNull, allocateCell<Masquerader>(vm.heap, sizeof(Masquerader))) Masquerader(vm, structure);
</span><span class="cx"> result->finishCreation(vm);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -1554,7 +1554,7 @@
</span><span class="cx"> // to have already changed the value of the variable. Otherwise we might watch and constant-fold
</span><span class="cx"> // to the Undefined value from before the assignment.
</span><span class="cx"> if (WatchpointSet* set = pc[5].u.watchpointSet)
</span><del>- set->touch("Executed op_put_scope<LocalClosureVar>");
</del><ins>+ set->touch(vm, "Executed op_put_scope<LocalClosureVar>");
</ins><span class="cx"> LLINT_END();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -62,7 +62,7 @@
</span><span class="cx">
</span><span class="cx"> void ArrayBufferNeuteringWatchpoint::fireAll()
</span><span class="cx"> {
</span><del>- set()->fireAll("Array buffer was neutered");
</del><ins>+ set()->fireAll(*vm(), "Array buffer was neutered");
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionRareDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -88,7 +88,7 @@
</span><span class="cx"> {
</span><span class="cx"> m_objectAllocationProfile.clear();
</span><span class="cx"> m_internalFunctionAllocationProfile.clear();
</span><del>- m_objectAllocationProfileWatchpoint.fireAll(reason);
</del><ins>+ m_objectAllocationProfileWatchpoint.fireAll(*vm(), reason);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeInferredTypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/InferredType.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/InferredType.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/InferredType.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -419,7 +419,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> InferredTypeFireDetail detail(this, propertyName.uid(), oldType, myType, value);
</span><del>- m_watchpointSet.fireAll(detail);
</del><ins>+ m_watchpointSet.fireAll(vm, detail);
</ins><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -434,7 +434,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> InferredTypeFireDetail detail(this, propertyName.uid(), oldType, Top, JSValue());
</span><del>- m_watchpointSet.fireAll(detail);
</del><ins>+ m_watchpointSet.fireAll(vm, detail);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool InferredType::set(const ConcurrentJITLocker& locker, VM& vm, Descriptor newDescriptor)
</span><span class="lines">@@ -516,7 +516,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> InferredTypeFireDetail detail(this, nullptr, oldDescriptor, newDescriptor, JSValue());
</span><del>- m_watchpointSet.fireAll(detail);
</del><ins>+ m_watchpointSet.fireAll(vm, detail);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void InferredType::InferredStructureWatchpoint::fireInternal(const FireDetail&)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeInferredValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/InferredValue.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/InferredValue.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/InferredValue.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -92,7 +92,7 @@
</span><span class="cx"> ASSERT(!!m_value);
</span><span class="cx"> if (m_value.get() == value)
</span><span class="cx"> return;
</span><del>- invalidate(detail);
</del><ins>+ invalidate(vm, detail);
</ins><span class="cx"> return;
</span><span class="cx">
</span><span class="cx"> case IsInvalidated:
</span><span class="lines">@@ -125,7 +125,7 @@
</span><span class="cx"> if (Heap::isMarked(m_owner->m_value.get().asCell()))
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- m_owner->invalidate(StringFireDetail("InferredValue clean-up during GC"));
</del><ins>+ m_owner->invalidate(*m_owner->vm(), StringFireDetail("InferredValue clean-up during GC"));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeInferredValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/InferredValue.h (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/InferredValue.h 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/InferredValue.h 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -88,10 +88,10 @@
</span><span class="cx"> notifyWriteSlow(vm, value, reason);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void invalidate(const FireDetail& detail)
</del><ins>+ void invalidate(VM& vm, const FireDetail& detail)
</ins><span class="cx"> {
</span><span class="cx"> m_value.clear();
</span><del>- m_set.invalidate(detail);
</del><ins>+ m_set.invalidate(vm, detail);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static const unsigned StructureFlags = StructureIsImmortal | Base::StructureFlags;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -943,7 +943,7 @@
</span><span class="cx"> // Make sure that all allocations or indexed storage transitions that are inlining
</span><span class="cx"> // the assumption that it's safe to transition to a non-SlowPut array storage don't
</span><span class="cx"> // do so anymore.
</span><del>- m_havingABadTimeWatchpoint->fireAll("Having a bad time");
</del><ins>+ m_havingABadTimeWatchpoint->fireAll(vm, "Having a bad time");
</ins><span class="cx"> ASSERT(isHavingABadTime()); // The watchpoint is what tells us that we're having a bad time.
</span><span class="cx">
</span><span class="cx"> // Make sure that all JSArray allocations that load the appropriate structure from
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSymbolTableObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -146,7 +146,7 @@
</span><span class="cx"> {
</span><span class="cx"> reg->set(vm, object, value);
</span><span class="cx"> if (set)
</span><del>- VariableWriteFireDetail::touch(set, object, propertyName);
</del><ins>+ VariableWriteFireDetail::touch(vm, set, object, propertyName);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template<typename SymbolTableObjectType>
</span><span class="lines">@@ -154,7 +154,7 @@
</span><span class="cx"> {
</span><span class="cx"> reg->set(vm, object, value);
</span><span class="cx"> if (set)
</span><del>- set->invalidate(VariableWriteFireDetail(object, propertyName)); // Don't mess around - if we had found this statically, we would have invalidated it.
</del><ins>+ set->invalidate(vm, VariableWriteFireDetail(object, propertyName)); // Don't mess around - if we had found this statically, we would have invalidated it.
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> enum class SymbolTablePutMode {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructurecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Structure.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Structure.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/Structure.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -858,7 +858,7 @@
</span><span class="cx">
</span><span class="cx"> void Structure::didCachePropertyReplacement(VM& vm, PropertyOffset offset)
</span><span class="cx"> {
</span><del>- ensurePropertyReplacementWatchpointSet(vm, offset)->fireAll("Did cache property replacement");
</del><ins>+ ensurePropertyReplacementWatchpointSet(vm, offset)->fireAll(vm, "Did cache property replacement");
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void Structure::startWatchingInternalProperties(VM& vm)
</span><span class="lines">@@ -1075,7 +1075,7 @@
</span><span class="cx"> DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire()
</span><span class="cx"> {
</span><span class="cx"> if (m_structure)
</span><del>- m_structure->transitionWatchpointSet().fireAll(StructureFireDetail(m_structure));
</del><ins>+ m_structure->transitionWatchpointSet().fireAll(*m_structure->vm(), StructureFireDetail(m_structure));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void DeferredStructureTransitionWatchpointFire::add(const Structure* structure)
</span><span class="lines">@@ -1096,7 +1096,7 @@
</span><span class="cx"> if (deferred)
</span><span class="cx"> deferred->add(this);
</span><span class="cx"> else
</span><del>- m_transitionWatchpointSet.fireAll(StructureFireDetail(this));
</del><ins>+ m_transitionWatchpointSet.fireAll(*vm(), StructureFireDetail(this));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSValue Structure::prototypeForLookup(CodeBlock* codeBlock) const
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructureInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StructureInlines.h (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureInlines.h 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/StructureInlines.h 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -256,7 +256,7 @@
</span><span class="cx"> WatchpointSet* set = map->get(offset);
</span><span class="cx"> if (LIKELY(!set))
</span><span class="cx"> return;
</span><del>- set->fireAll("Property did get replaced");
</del><ins>+ set->fireAll(*vm(), "Property did get replaced");
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> inline WatchpointSet* Structure::propertyReplacementWatchpointSet(PropertyOffset offset)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSymbolTableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SymbolTable.h (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SymbolTable.h 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/SymbolTable.h 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -280,10 +280,10 @@
</span><span class="cx"> return bits() & DontEnumFlag;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void disableWatching()
</del><ins>+ void disableWatching(VM& vm)
</ins><span class="cx"> {
</span><span class="cx"> if (WatchpointSet* set = watchpointSet())
</span><del>- set->invalidate("Disabling watching in symbol table");
</del><ins>+ set->invalidate(vm, "Disabling watching in symbol table");
</ins><span class="cx"> if (varOffset().isScope())
</span><span class="cx"> pack(varOffset(), false, isReadOnly(), isDontEnum());
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/JavaScriptCore/runtime/VM.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -748,7 +748,7 @@
</span><span class="cx"> void VM::addImpureProperty(const String& propertyName)
</span><span class="cx"> {
</span><span class="cx"> if (RefPtr<WatchpointSet> watchpointSet = m_impurePropertyWatchpointSets.take(propertyName))
</span><del>- watchpointSet->fireAll("Impure property added");
</del><ins>+ watchpointSet->fireAll(*this, "Impure property added");
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static bool enableProfilerWithRespectToCount(unsigned& counter, std::function<void()> doEnableWork)
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/WebCore/ChangeLog 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -1,3 +1,18 @@
</span><ins>+2016-06-28 Saam Barati <sbarati@apple.com>
+
+ some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct
+ https://bugs.webkit.org/show_bug.cgi?id=159198
+ <rdar://problem/26302360>
+
+ Reviewed by Filip Pizlo.
+
+ * bindings/js/JSDOMWindowBase.cpp:
+ (WebCore::JSDOMWindowBase::fireFrameClearedWatchpointsForWindow):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateHeader):
+ * bindings/scripts/test/JS/JSTestEventTarget.h:
+ (WebCore::JSTestEventTarget::create):
+
</ins><span class="cx"> 2016-06-28 Anders Carlsson <andersca@apple.com>
</span><span class="cx">
</span><span class="cx"> Move the user gesture requirement to the ApplePaySession constructor
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMWindowBasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -318,7 +318,7 @@
</span><span class="cx"> if (!wrapper)
</span><span class="cx"> continue;
</span><span class="cx"> JSDOMWindowBase* jsWindow = JSC::jsCast<JSDOMWindowBase*>(wrapper);
</span><del>- jsWindow->m_windowCloseWatchpoints.fireAll("Frame cleared");
</del><ins>+ jsWindow->m_windowCloseWatchpoints.fireAll(vm, "Frame cleared");
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -1126,7 +1126,7 @@
</span><span class="cx"> AddIncludesForTypeInHeader($implType) unless $svgPropertyOrListPropertyType;
</span><span class="cx"> push(@headerContent, " static $className* create(JSC::Structure* structure, JSDOMGlobalObject* globalObject, Ref<$implType>&& impl)\n");
</span><span class="cx"> push(@headerContent, " {\n");
</span><del>- push(@headerContent, " globalObject->masqueradesAsUndefinedWatchpoint()->fireAll(\"Allocated masquerading object\");\n");
</del><ins>+ push(@headerContent, " globalObject->masqueradesAsUndefinedWatchpoint()->fireAll(globalObject->vm(), \"Allocated masquerading object\");\n");
</ins><span class="cx"> push(@headerContent, " $className* ptr = new (NotNull, JSC::allocateCell<$className>(globalObject->vm().heap)) $className(structure, *globalObject, WTFMove(impl));\n");
</span><span class="cx"> push(@headerContent, " ptr->finishCreation(globalObject->vm());\n");
</span><span class="cx"> push(@headerContent, " return ptr;\n");
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptstestJSJSTestEventTargeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.h (202587 => 202588)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.h 2016-06-28 21:27:21 UTC (rev 202587)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.h 2016-06-28 21:30:20 UTC (rev 202588)
</span><span class="lines">@@ -31,7 +31,7 @@
</span><span class="cx"> typedef TestEventTarget DOMWrapped;
</span><span class="cx"> static JSTestEventTarget* create(JSC::Structure* structure, JSDOMGlobalObject* globalObject, Ref<TestEventTarget>&& impl)
</span><span class="cx"> {
</span><del>- globalObject->masqueradesAsUndefinedWatchpoint()->fireAll("Allocated masquerading object");
</del><ins>+ globalObject->masqueradesAsUndefinedWatchpoint()->fireAll(globalObject->vm(), "Allocated masquerading object");
</ins><span class="cx"> JSTestEventTarget* ptr = new (NotNull, JSC::allocateCell<JSTestEventTarget>(globalObject->vm().heap)) JSTestEventTarget(structure, *globalObject, WTFMove(impl));
</span><span class="cx"> ptr->finishCreation(globalObject->vm());
</span><span class="cx"> return ptr;
</span></span></pre>
</div>
</div>
</body>
</html>