<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[243560] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/243560">243560</a></dd>
<dt>Author</dt> <dd>ysuzuki@apple.com</dd>
<dt>Date</dt> <dd>2019-03-27 13:29:29 -0700 (Wed, 27 Mar 2019)</dd>
</dl>

<h3>Log Message</h3>
<pre>[JSC] Owner of watchpoints should validate at GC finalizing phase
https://bugs.webkit.org/show_bug.cgi?id=195827

Reviewed by Filip Pizlo.

JSTests:

* stress/gc-should-reap-dead-watchpoints.js: Added.
(foo):
(A.prototype.y):
(A):

Source/JavaScriptCore:

This patch fixes JSC's watchpoint liveness issue by the following two policies.

1. Watchpoint should have owner cell, and "fire" operation should be guarded with owner cell's isLive check.

Watchpoints should hold their owner cell, and fire procedure should be guarded by `owner->isLive()`.
When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
be delayed due to incremental sweeper. So the following condition can happen.

When we have a watchpoint like the following.

    class XXXWatchpoint {
        ObjectPropertyCondition m_key;
        JSCell* m_owner;
    };

Both m_key's cell and m_owner are now unreachable from the root. So eventually, m_owner cell's destructor
is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
watchpoint's fire procedure can be called since m_owner's destructor is not called yet. In this situation,
we encounter the destroyed cell held in m_key. This problem can be avoided if we guard fire procedure with
`m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids "fire" procedure execution. And
once the destructor of m_owner is called, this watchpoint will be destroyed too.

2. Watchpoint liveness should be maintained by owner cell's unconditional finalizer

Watchpoints often hold weak references to the other cell (like, m_key in the above example). If we do not
delete watchpoints with dead cells when these weak cells become dead, these watchpoints continue holding dead cells,
and watchpoint's fire operation can use these dead cells accidentally. isLive / isStillLive check for these weak cells
in fire operation is not useful. Because these dead cells can be reused to the other live cells eventually, and this
isLive / isStillLive checks fail to see these cells are live if they are reused. Appropriate way is deleting watchpoints
with dead cells when finalizing GC. In this patch, we do this in unconditional finalizers in owner cells of watchpoints.
We already did this in CodeBlock etc. We add the same thing to StructureRareData which owns watchpoints for toString operations.

* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
(JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
(JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
* bytecode/CodeBlockJettisoningWatchpoint.h:
(JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
* bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureStubClearingWatchpoint::fireInternal):
(JSC::WatchpointsOnStructureStubInfo::isValid const):
* bytecode/StructureStubClearingWatchpoint.h:
(JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
* dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
* dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
* dfg/DFGAdaptiveStructureWatchpoint.cpp:
(JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
* dfg/DFGAdaptiveStructureWatchpoint.h:
(JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
* dfg/DFGDesiredWatchpoints.cpp:
(JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setupGetByIdPrototypeCache):
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
* runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
(JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
(JSC::ArrayBufferNeuteringWatchpointSet::destroy):
(JSC::ArrayBufferNeuteringWatchpointSet::create):
(JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
(JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
* runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
* runtime/FunctionRareData.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
* runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
(JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::finalizeUnconditionally):
* runtime/StructureRareData.h:
* runtime/VM.cpp:
(JSC::VM::VM):</pre>
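The two policies in the log message above, shown as an added toy model in C++. This is not WebKit code and not part of this changeset; `ToyHeap`, `Slot`, `Guard`, `FireResult` and the two scenario functions are hypothetical names, and slot indices stand in for `JSCell*`.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Toy model: slot indices stand in for JSCell pointers. Nothing here is JSC code.
struct Slot {
    bool live = false;      // outcome of the last marking phase, or a fresh allocation
    bool destroyed = true;  // destructor has run and the slot may be handed out again
    int identity = 0;       // bumped on every allocation so slot reuse can be detected
};

class ToyHeap {
public:
    explicit ToyHeap(std::size_t count) : m_slots(count) {}

    std::size_t allocate() {
        for (std::size_t i = 0; i < m_slots.size(); ++i) {
            if (!m_slots[i].destroyed) continue;
            m_slots[i].live = true;
            m_slots[i].destroyed = false;
            m_slots[i].identity = ++m_nextIdentity;
            return i;
        }
        return m_slots.size();  // heap full; the scenarios below never reach this
    }
    // Marking decides liveness but runs no destructors.
    void mark(const std::vector<std::size_t>& roots) {
        for (Slot& slot : m_slots) slot.live = false;
        for (std::size_t root : roots) m_slots[root].live = true;
    }
    // One step of the incremental sweeper: destroys a single dead cell.
    void sweepSlot(std::size_t i) { if (!m_slots[i].live) m_slots[i].destroyed = true; }
    bool isLive(std::size_t i) const { return m_slots[i].live; }
    const Slot& slot(std::size_t i) const { return m_slots[i]; }

private:
    std::vector<Slot> m_slots;
    int m_nextIdentity = 0;
};

struct Watchpoint {
    std::size_t owner;  // cell whose destructor frees this watchpoint
    std::size_t key;    // weakly referenced cell, like m_key in the log message
    int keyIdentity;    // identity of the key at install time (test oracle only)
};

enum class Guard { None, OwnerIsLive, KeyIsLive };
enum class FireResult { Skipped, Reaped, UsedIntendedKey, UsedDestroyedKey, UsedReusedKey };

// Models fireInternal(): what does the watchpoint end up touching?
FireResult fire(const ToyHeap& heap, const Watchpoint& wp, Guard guard) {
    if (guard == Guard::OwnerIsLive && !heap.isLive(wp.owner)) return FireResult::Skipped;
    if (guard == Guard::KeyIsLive && !heap.isLive(wp.key)) return FireResult::Skipped;
    const Slot& key = heap.slot(wp.key);
    if (key.destroyed) return FireResult::UsedDestroyedKey;
    if (key.identity != wp.keyIdentity) return FireResult::UsedReusedKey;
    return FireResult::UsedIntendedKey;
}

// Models the owner's unconditional finalizer: drop watchpoints whose key died.
std::size_t finalizeWatchpoints(const ToyHeap& heap, std::vector<Watchpoint>& wps) {
    std::size_t before = wps.size();
    wps.erase(std::remove_if(wps.begin(), wps.end(),
                  [&heap](const Watchpoint& wp) { return !heap.isLive(wp.key); }),
              wps.end());
    return before - wps.size();
}

// Policy 1: owner and key both die, and the sweeper reaches the key first.
FireResult delayedOwnerSweep(Guard guard) {
    ToyHeap heap(4);
    std::size_t owner = heap.allocate();
    std::size_t key = heap.allocate();
    Watchpoint wp{owner, key, heap.slot(key).identity};
    heap.mark({});        // neither cell is reachable from a root
    heap.sweepSlot(key);  // key destroyed; the owner's destructor has not run yet
    return fire(heap, wp, guard);
}

// Policy 2: owner survives, key dies, and the key's slot is reused by a new cell.
FireResult reusedKeySlot(Guard guard, bool runFinalizer) {
    ToyHeap heap(2);
    std::size_t owner = heap.allocate();
    std::size_t key = heap.allocate();
    std::vector<Watchpoint> wps;
    wps.push_back(Watchpoint{owner, key, heap.slot(key).identity});
    heap.mark({owner});
    if (runFinalizer) finalizeWatchpoints(heap, wps);  // GC finalizing phase
    heap.sweepSlot(key);
    heap.allocate();  // the only free slot is the old key's, so it is reused
    if (wps.empty()) return FireResult::Reaped;
    return fire(heap, wps[0], guard);
}

int main() {
    bool ok = delayedOwnerSweep(Guard::None) == FireResult::UsedDestroyedKey
        && delayedOwnerSweep(Guard::OwnerIsLive) == FireResult::Skipped
        && reusedKeySlot(Guard::KeyIsLive, false) == FireResult::UsedReusedKey
        && reusedKeySlot(Guard::KeyIsLive, true) == FireResult::Reaped;
    return ok ? 0 : 1;
}
```

In the model, a liveness check on the key passes once the slot is reused even though it now holds a different cell, which is why only removal in the finalizer helps in the second scenario.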

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJSTestsChangeLog">trunk/JSTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreSourcestxt">trunk/Source/JavaScriptCore/Sources.txt</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeAdaptiveInferredPropertyValueWatchpointBaseh">trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockJettisoningWatchpointh">trunk/Source/JavaScriptCore/bytecode/CodeBlockJettisoningWatchpoint.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeLLIntPrototypeLoadAdaptiveStructureWatchpointcpp">trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeLLIntPrototypeLoadAdaptiveStructureWatchpointh">trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeStructureStubClearingWatchpointcpp">trunk/Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeStructureStubClearingWatchpointh">trunk/Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAdaptiveInferredPropertyValueWatchpointcpp">trunk/Source/JavaScriptCore/dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAdaptiveInferredPropertyValueWatchpointh">trunk/Source/JavaScriptCore/dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAdaptiveStructureWatchpointcpp">trunk/Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAdaptiveStructureWatchpointh">trunk/Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDesiredWatchpointscpp">trunk/Source/JavaScriptCore/dfg/DFGDesiredWatchpoints.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapcpp">trunk/Source/JavaScriptCore/heap/Heap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntSlowPathscpp">trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayBuffercpp">trunk/Source/JavaScriptCore/runtime/ArrayBuffer.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionRareDatah">trunk/Source/JavaScriptCore/runtime/FunctionRareData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeObjectPropertyChangeAdaptiveWatchpointh">trunk/Source/JavaScriptCore/runtime/ObjectPropertyChangeAdaptiveWatchpoint.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureRareDatacpp">trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureRareDatah">trunk/Source/JavaScriptCore/runtime/StructureRareData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMcpp">trunk/Source/JavaScriptCore/runtime/VM.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkJSTestsstressgcshouldreapdeadwatchpointsjs">trunk/JSTests/stress/gc-should-reap-dead-watchpoints.js</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointSetcpp">trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpointSet.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointSeth">trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpointSet.h</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointcpp">trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointh">trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/ChangeLog (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/ChangeLog  2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/JSTests/ChangeLog     2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Owner of watchpoints should validate at GC finalizing phase
+        https://bugs.webkit.org/show_bug.cgi?id=195827
+
+        Reviewed by Filip Pizlo.
+
+        * stress/gc-should-reap-dead-watchpoints.js: Added.
+        (foo):
+        (A.prototype.y):
+        (A):
+
</ins><span class="cx"> 2019-03-26  Dominik Infuehr  <dinfuehr@igalia.com>
</span><span class="cx"> 
</span><span class="cx">         Skip WebAssembly test on 32-bit systems
</span></span></pre></div>
<a id="trunkJSTestsstressgcshouldreapdeadwatchpointsjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/gc-should-reap-dead-watchpoints.js (0 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/gc-should-reap-dead-watchpoints.js                          (rev 0)
+++ trunk/JSTests/stress/gc-should-reap-dead-watchpoints.js     2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+//@ requireOptions("--forceEagerCompilation=true")
+
+// This test should not crash.
+
+let a;
+
+function foo(s) {
+    try {
+        eval(s);
+    } catch (e) {
+        gc();
+        a / 1;
+        a = null;
+    }
+}
+
+foo('zz');
+foo('class A { y() {} }; a=new A; zz');
+foo('class C { y() {} }; gc();');
+
+class A {
+    y() {}
+}
+
+A.prototype.z = 0
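Review bot: the test body has no comment saying which statement installs the watchpoint and which one makes its key cell dead, so `a / 1` in the catch block and the final `A.prototype.z = 0` read as arbitrary. A two or three line comment above `foo` tying each step to the watchpoint lifetime described in the ChangeLog would let someone who later sees this test crash know what regressed; the last line is also missing its semicolon.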
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog    2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/ChangeLog       2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -1,3 +1,93 @@
</span><ins>+2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Owner of watchpoints should validate at GC finalizing phase
+        https://bugs.webkit.org/show_bug.cgi?id=195827
+
+        Reviewed by Filip Pizlo.
+
+        This patch fixes JSC's watchpoint liveness issue by the following two policies.
+
+        1. Watchpoint should have owner cell, and "fire" operation should be gaurded with owner cell's isLive check.
+
+        Watchpoints should hold its owner cell, and fire procedure should be guarded by `owner->isLive()`.
+        When the owner cell is destroyed, these watchpoints are destroyed too. But this destruction can
+        be delayed due to incremental sweeper. So the following condition can happen.
+
+        When we have a watchpoint like the following.
+
+            class XXXWatchpoint {
+                ObjectPropertyCondition m_key;
+                JSCell* m_owner;
+            };
+
+        Both m_key's cell and m_owner is now unreachable from the root. So eventually, m_owner cell's destructor
+        is called and this watchpoint will be destroyed. But before that, m_key's cell can be destroyed. And this
+        watchpoint's fire procedure can be called since m_owner's destructor is not called yet. In this situation,
+        we encounter the destroyed cell held in m_key. This problem can be avoided if we guard fire procedure with
+        `m_owner->isLive()`. Until the owner cell is destroyed, this guard avoids "fire" procedure execution. And
+        once the destructor of m_owner is called, this watchpoint will be destroyed too.
+
+        2. Watchpoint liveness should be maintained by owner cell's unconditional finalizer
+
+        Watchpoints often hold weak references to the other cell (like, m_key in the above example). If we do not
+        delete watchpoints with dead cells when these weak cells become dead, these watchpoints continue holding dead cells,
+        and watchpoint's fire operation can use these dead cells accidentally. isLive / isStillLive check for these weak cells
+        in fire operation is not useful. Because these dead cells can be reused to the other live cells eventually, and this
+        isLive / isStillLive checks fail to see these cells are live if they are reused. Appropriate way is deleting watchpoints
+        with dead cells when finalizing GC. In this patch, we do this in unconditional finalizers in owner cells of watchpoints.
+        We already did this in CodeBlock etc. We add the same thing to StructureRareData which owns watchpoints for toString operations.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
+        (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::StructureWatchpoint): Deleted.
+        (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::PropertyWatchpoint): Deleted.
+        * bytecode/CodeBlockJettisoningWatchpoint.h:
+        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint): Deleted.
+        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
+        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
+        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
+        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
+        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): Deleted.
+        * bytecode/StructureStubClearingWatchpoint.cpp:
+        (JSC::StructureStubClearingWatchpoint::fireInternal):
+        (JSC::WatchpointsOnStructureStubInfo::isValid const):
+        * bytecode/StructureStubClearingWatchpoint.h:
+        (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint): Deleted.
+        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
+        (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
+        * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
+        * dfg/DFGAdaptiveStructureWatchpoint.cpp:
+        (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
+        * dfg/DFGAdaptiveStructureWatchpoint.h:
+        (JSC::DFG::AdaptiveStructureWatchpoint::key const): Deleted.
+        * dfg/DFGDesiredWatchpoints.cpp:
+        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
+        * heap/Heap.cpp:
+        (JSC::Heap::finalizeUnconditionalFinalizers):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::setupGetByIdPrototypeCache):
+        * runtime/ArrayBuffer.cpp:
+        (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
+        * runtime/ArrayBufferNeuteringWatchpointSet.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp.
+        (JSC::ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet):
+        (JSC::ArrayBufferNeuteringWatchpointSet::destroy):
+        (JSC::ArrayBufferNeuteringWatchpointSet::create):
+        (JSC::ArrayBufferNeuteringWatchpointSet::createStructure):
+        (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
+        * runtime/ArrayBufferNeuteringWatchpointSet.h: Renamed from Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h.
+        * runtime/FunctionRareData.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
+        * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
+        (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): Deleted.
+        * runtime/StructureRareData.cpp:
+        (JSC::StructureRareData::finalizeUnconditionally):
+        * runtime/StructureRareData.h:
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+
</ins><span class="cx"> 2019-03-26  Saam Barati  <sbarati@apple.com>
</span><span class="cx"> 
</span><span class="cx">         FTL: Emit code to validate AI's state when running the compiled code
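Review bot: typo in the heading of policy 1, "gaurded" should be "guarded". In the same entry, "Both m_key's cell and m_owner is now unreachable" should read "are", and the sentence about isLive / isStillLive on weak cells would be easier to follow if it said outright that a reused cell passes the check while being a different object.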
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj     2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -744,7 +744,7 @@
</span><span class="cx">          0FFB922016D033B70055A5DB /* NodeConstructors.h in Headers */ = {isa = PBXBuildFile; fileRef = 930DAD030FB1EB1A0082D205 /* NodeConstructors.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          0FFC92161B94FB3E0071DD66 /* DFGPropertyTypeKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FFC92151B94FB3E0071DD66 /* DFGPropertyTypeKey.h */; };
</span><span class="cx">          0FFC99D1184EC8AD009C10AB /* ConstantMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FFC99D0184EC8AD009C10AB /* ConstantMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><del>-               0FFC99D5184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FFC99D3184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
</del><ins>+                0FFC99D5184EE318009C10AB /* ArrayBufferNeuteringWatchpointSet.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FFC99D3184EE318009C10AB /* ArrayBufferNeuteringWatchpointSet.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">           0FFFC95814EF90A200C72532 /* DFGCFAPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FFFC94C14EF909500C72532 /* DFGCFAPhase.h */; };
</span><span class="cx">          0FFFC95A14EF90A900C72532 /* DFGCSEPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FFFC94E14EF909500C72532 /* DFGCSEPhase.h */; };
</span><span class="cx">          0FFFC95C14EF90AF00C72532 /* DFGPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FFFC95014EF909500C72532 /* DFGPhase.h */; };
</span><span class="lines">@@ -3113,8 +3113,8 @@
</span><span class="cx">          0FFB80BB20A794700006AAF6 /* JITCodeInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITCodeInlines.h; sourceTree = "<group>"; };
</span><span class="cx">          0FFC92151B94FB3E0071DD66 /* DFGPropertyTypeKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGPropertyTypeKey.h; path = dfg/DFGPropertyTypeKey.h; sourceTree = "<group>"; };
</span><span class="cx">          0FFC99D0184EC8AD009C10AB /* ConstantMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ConstantMode.h; sourceTree = "<group>"; };
</span><del>-               0FFC99D2184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ArrayBufferNeuteringWatchpoint.cpp; sourceTree = "<group>"; };
-               0FFC99D3184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArrayBufferNeuteringWatchpoint.h; sourceTree = "<group>"; };
</del><ins>+                0FFC99D2184EE318009C10AB /* ArrayBufferNeuteringWatchpointSet.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ArrayBufferNeuteringWatchpointSet.cpp; sourceTree = "<group>"; };
+               0FFC99D3184EE318009C10AB /* ArrayBufferNeuteringWatchpointSet.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArrayBufferNeuteringWatchpointSet.h; sourceTree = "<group>"; };
</ins><span class="cx">           0FFFC94B14EF909500C72532 /* DFGCFAPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGCFAPhase.cpp; path = dfg/DFGCFAPhase.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0FFFC94C14EF909500C72532 /* DFGCFAPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGCFAPhase.h; path = dfg/DFGCFAPhase.h; sourceTree = "<group>"; };
</span><span class="cx">          0FFFC94D14EF909500C72532 /* DFGCSEPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGCSEPhase.cpp; path = dfg/DFGCSEPhase.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -6632,8 +6632,8 @@
</span><span class="cx">                          0F6B1CB71861244C00845D97 /* ArityCheckMode.h */,
</span><span class="cx">                          A7A8AF2517ADB5F2005AB174 /* ArrayBuffer.cpp */,
</span><span class="cx">                          A7A8AF2617ADB5F3005AB174 /* ArrayBuffer.h */,
</span><del>-                               0FFC99D2184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.cpp */,
-                               0FFC99D3184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.h */,
</del><ins>+                                0FFC99D2184EE318009C10AB /* ArrayBufferNeuteringWatchpointSet.cpp */,
+                               0FFC99D3184EE318009C10AB /* ArrayBufferNeuteringWatchpointSet.h */,
</ins><span class="cx">                           0F30FB601DC2DE96003124F2 /* ArrayBufferSharingMode.h */,
</span><span class="cx">                          A7A8AF2717ADB5F3005AB174 /* ArrayBufferView.cpp */,
</span><span class="cx">                          A7A8AF2817ADB5F3005AB174 /* ArrayBufferView.h */,
</span><span class="lines">@@ -8512,7 +8512,7 @@
</span><span class="cx">                          86ADD1450FDDEA980006EEC2 /* ARMv7Assembler.h in Headers */,
</span><span class="cx">                          0F8335B81639C1EA001443B5 /* ArrayAllocationProfile.h in Headers */,
</span><span class="cx">                          A7A8AF3517ADB5F3005AB174 /* ArrayBuffer.h in Headers */,
</span><del>-                               0FFC99D5184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.h in Headers */,
</del><ins>+                                0FFC99D5184EE318009C10AB /* ArrayBufferNeuteringWatchpointSet.h in Headers */,
</ins><span class="cx">                           0F30FB611DC2DE99003124F2 /* ArrayBufferSharingMode.h in Headers */,
</span><span class="cx">                          A7A8AF3717ADB5F3005AB174 /* ArrayBufferView.h in Headers */,
</span><span class="cx">                          BC18C3E60E16F5CD00B34460 /* ArrayConstructor.h in Headers */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreSourcestxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/Sources.txt (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/Sources.txt  2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/Sources.txt     2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -692,7 +692,7 @@
</span><span class="cx"> runtime/AbstractModuleRecord.cpp
</span><span class="cx"> runtime/ArgList.cpp
</span><span class="cx"> runtime/ArrayBuffer.cpp
</span><del>-runtime/ArrayBufferNeuteringWatchpoint.cpp
</del><ins>+runtime/ArrayBufferNeuteringWatchpointSet.cpp
</ins><span class="cx"> runtime/ArrayBufferView.cpp
</span><span class="cx"> runtime/ArrayConstructor.cpp
</span><span class="cx"> runtime/ArrayConventions.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeAdaptiveInferredPropertyValueWatchpointBaseh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.h (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.h       2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.h  2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -50,13 +50,13 @@
</span><span class="cx">     virtual void handleFire(VM&, const FireDetail&) = 0;
</span><span class="cx"> 
</span><span class="cx"> private:
</span><del>-    class StructureWatchpoint : public Watchpoint {
</del><ins>+    class StructureWatchpoint final : public Watchpoint {
</ins><span class="cx">     public:
</span><span class="cx">         StructureWatchpoint() { }
</span><span class="cx">     protected:
</span><span class="cx">         void fireInternal(VM&, const FireDetail&) override;
</span><span class="cx">     };
</span><del>-    class PropertyWatchpoint : public Watchpoint {
</del><ins>+    class PropertyWatchpoint final : public Watchpoint {
</ins><span class="cx">     public:
</span><span class="cx">         PropertyWatchpoint() { }
</span><span class="cx">     protected:
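Review bot: the ChangeLog lists `StructureWatchpoint::StructureWatchpoint` and `PropertyWatchpoint::PropertyWatchpoint` as Deleted, but both `StructureWatchpoint() { }` and `PropertyWatchpoint() { }` are still here as unchanged context and the only edit is the added `final`. Please correct the ChangeLog entry for this file so it does not suggest the constructors were removed.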
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockJettisoningWatchpointh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlockJettisoningWatchpoint.h (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlockJettisoningWatchpoint.h    2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlockJettisoningWatchpoint.h       2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -31,7 +31,7 @@
</span><span class="cx"> 
</span><span class="cx"> class CodeBlock;
</span><span class="cx"> 
</span><del>-class CodeBlockJettisoningWatchpoint : public Watchpoint {
</del><ins>+class CodeBlockJettisoningWatchpoint final : public Watchpoint {
</ins><span class="cx"> public:
</span><span class="cx">     CodeBlockJettisoningWatchpoint(CodeBlock* codeBlock)
</span><span class="cx">         : m_codeBlock(codeBlock)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeLLIntPrototypeLoadAdaptiveStructureWatchpointcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp   2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp      2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -32,8 +32,9 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint(const ObjectPropertyCondition& key, OpGetById::Metadata& getByIdMetadata)
-    : m_key(key)
</del><ins>+LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint(CodeBlock* owner, const ObjectPropertyCondition& key, OpGetById::Metadata& getByIdMetadata)
+    : m_owner(owner)
+    , m_key(key)
</ins><span class="cx">     , m_getByIdMetadata(getByIdMetadata)
</span><span class="cx"> {
</span><span class="cx">     RELEASE_ASSERT(key.watchingRequiresStructureTransitionWatchpoint());
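Review bot: The new owner argument is stored in m_owner as a raw CodeBlock* with no null check in the constructor, and fireInternal calls isLive() on it unconditionally. Consider an ASSERT(owner) next to the existing RELEASE_ASSERT on the key so a caller passing nullptr fails at construction instead of when the watchpoint fires.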
</span><span class="lines">@@ -49,6 +50,9 @@
</span><span class="cx"> 
</span><span class="cx"> void LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal(VM& vm, const FireDetail&)
</span><span class="cx"> {
</span><ins>+    if (!m_owner->isLive())
+        return;
+
</ins><span class="cx">     if (m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
</span><span class="cx">         install(vm);
</span><span class="cx">         return;
</span></span></pre></div>
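Review bot: The early return at the top of fireInternal carries no comment saying why a dead owner makes it safe to skip both the re-install branch and the code that follows it. A short comment on the guard, stating that the watchpoint can fire while its owning CodeBlock is already dead and that nothing reachable through m_getByIdMetadata may be touched in that state, would keep a later edit from moving work above the check.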
<a id="trunkSourceJavaScriptCorebytecodeLLIntPrototypeLoadAdaptiveStructureWatchpointh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h     2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h        2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -31,9 +31,9 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-class LLIntPrototypeLoadAdaptiveStructureWatchpoint : public Watchpoint {
</del><ins>+class LLIntPrototypeLoadAdaptiveStructureWatchpoint final : public Watchpoint {
</ins><span class="cx"> public:
</span><del>-    LLIntPrototypeLoadAdaptiveStructureWatchpoint(const ObjectPropertyCondition&, OpGetById::Metadata&);
</del><ins>+    LLIntPrototypeLoadAdaptiveStructureWatchpoint(CodeBlock*, const ObjectPropertyCondition&, OpGetById::Metadata&);
</ins><span class="cx"> 
</span><span class="cx">     void install(VM&);
</span><span class="cx"> 
</span><span class="lines">@@ -45,6 +45,7 @@
</span><span class="cx">     void fireInternal(VM&, const FireDetail&) override;
</span><span class="cx"> 
</span><span class="cx"> private:
</span><ins>+    CodeBlock* m_owner;
</ins><span class="cx">     ObjectPropertyCondition m_key;
</span><span class="cx">     OpGetById::Metadata& m_getByIdMetadata;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeStructureStubClearingWatchpointcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.cpp 2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.cpp    2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -36,6 +36,9 @@
</span><span class="cx"> 
</span><span class="cx"> void StructureStubClearingWatchpoint::fireInternal(VM& vm, const FireDetail&)
</span><span class="cx"> {
</span><ins>+    if (!m_holder.isValid())
+        return;
+
</ins><span class="cx">     if (!m_key || !m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
</span><span class="cx">         // This will implicitly cause my own demise: stub reset removes all watchpoints.
</span><span class="cx">         // That works, because deleting a watchpoint removes it from the set's list, and
</span><span class="lines">@@ -54,6 +57,11 @@
</span><span class="cx">     m_key.object()->structure(vm)->addTransitionWatchpoint(this);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline bool WatchpointsOnStructureStubInfo::isValid() const
+{
+    return m_codeBlock->isLive();
+}
+
</ins><span class="cx"> StructureStubClearingWatchpoint* WatchpointsOnStructureStubInfo::addWatchpoint(const ObjectPropertyCondition& key)
</span><span class="cx"> {
</span><span class="cx">     return m_watchpoints.add(key, *this);
</span></span></pre></div>
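Review bot: WatchpointsOnStructureStubInfo::isValid() is defined with the inline keyword in this .cpp file, while StructureStubClearingWatchpoint.h declares it as a public member with no body. An inline function needs its definition in every translation unit that calls it, so any caller outside this file is not guaranteed a definition to link against. Either drop inline here or move the one-line body into the header.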
<a id="trunkSourceJavaScriptCorebytecodeStructureStubClearingWatchpointh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h   2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h      2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -40,7 +40,7 @@
</span><span class="cx"> class StructureStubInfo;
</span><span class="cx"> class WatchpointsOnStructureStubInfo;
</span><span class="cx"> 
</span><del>-class StructureStubClearingWatchpoint : public Watchpoint {
</del><ins>+class StructureStubClearingWatchpoint final : public Watchpoint {
</ins><span class="cx">     WTF_MAKE_NONCOPYABLE(StructureStubClearingWatchpoint);
</span><span class="cx">     WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><span class="lines">@@ -78,6 +78,8 @@
</span><span class="cx">     
</span><span class="cx">     CodeBlock* codeBlock() const { return m_codeBlock; }
</span><span class="cx">     StructureStubInfo* stubInfo() const { return m_stubInfo; }
</span><ins>+
+    bool isValid() const;
</ins><span class="cx">     
</span><span class="cx"> private:
</span><span class="cx">     CodeBlock* m_codeBlock;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAdaptiveInferredPropertyValueWatchpointcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp   2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp      2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -51,6 +51,11 @@
</span><span class="cx">     m_codeBlock->jettison(Profiler::JettisonDueToUnprofiledWatchpoint, CountReoptimization, &lazyDetail);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+bool AdaptiveInferredPropertyValueWatchpoint::isValid() const
+{
+    return m_codeBlock->isLive();
+}
+
</ins><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx"> 
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAdaptiveInferredPropertyValueWatchpointh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h     2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h        2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -31,12 +31,14 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx"> 
</span><del>-class AdaptiveInferredPropertyValueWatchpoint : public AdaptiveInferredPropertyValueWatchpointBase {
</del><ins>+class AdaptiveInferredPropertyValueWatchpoint final : public AdaptiveInferredPropertyValueWatchpointBase {
</ins><span class="cx"> public:
</span><span class="cx">     typedef AdaptiveInferredPropertyValueWatchpointBase Base;
</span><span class="cx">     AdaptiveInferredPropertyValueWatchpoint(const ObjectPropertyCondition&, CodeBlock*);
</span><span class="cx"> 
</span><span class="cx"> private:
</span><ins>+    bool isValid() const override;
+
</ins><span class="cx">     void handleFire(VM&, const FireDetail&) override;
</span><span class="cx"> 
</span><span class="cx">     CodeBlock* m_codeBlock;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAdaptiveStructureWatchpointcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.cpp       2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.cpp  2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -52,6 +52,9 @@
</span><span class="cx"> 
</span><span class="cx"> void AdaptiveStructureWatchpoint::fireInternal(VM& vm, const FireDetail& detail)
</span><span class="cx"> {
</span><ins>+    if (!m_codeBlock->isLive())
+        return;
+
</ins><span class="cx">     if (m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
</span><span class="cx">         install(vm);
</span><span class="cx">         return;
</span></span></pre></div>
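Review bot: The liveness guard added at the top of fireInternal is open-coded here as a direct isLive() call on m_codeBlock, the same way as in LLIntPrototypeLoadAdaptiveStructureWatchpoint, while StructureStubClearingWatchpoint goes through m_holder.isValid() and DFG::AdaptiveInferredPropertyValueWatchpoint exposes the test as an isValid() override. Three spellings of one check make it easy for the next Watchpoint subclass to omit it, and the omission is silent. Consider settling on one form, ideally a single helper that every adaptive watchpoint calls before doing any work.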
<a id="trunkSourceJavaScriptCoredfgDFGAdaptiveStructureWatchpointh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.h (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.h 2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.h    2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -32,7 +32,7 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx"> 
</span><del>-class AdaptiveStructureWatchpoint : public Watchpoint {
</del><ins>+class AdaptiveStructureWatchpoint final : public Watchpoint {
</ins><span class="cx"> public:
</span><span class="cx">     AdaptiveStructureWatchpoint(const ObjectPropertyCondition&, CodeBlock*);
</span><span class="cx">     
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDesiredWatchpointscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDesiredWatchpoints.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDesiredWatchpoints.cpp        2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/dfg/DFGDesiredWatchpoints.cpp   2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -28,7 +28,7 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx"> 
</span><del>-#include "ArrayBufferNeuteringWatchpoint.h"
</del><ins>+#include "ArrayBufferNeuteringWatchpointSet.h"
</ins><span class="cx"> #include "CodeBlock.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> 
</span><span class="lines">@@ -39,8 +39,8 @@
</span><span class="cx"> {
</span><span class="cx">     VM& vm = *codeBlock->vm();
</span><span class="cx">     Watchpoint* watchpoint = common.watchpoints.add(codeBlock);
</span><del>-    ArrayBufferNeuteringWatchpoint* neuteringWatchpoint =
-        ArrayBufferNeuteringWatchpoint::create(vm);
</del><ins>+    ArrayBufferNeuteringWatchpointSet* neuteringWatchpoint =
+        ArrayBufferNeuteringWatchpointSet::create(vm);
</ins><span class="cx">     neuteringWatchpoint->set().add(watchpoint);
</span><span class="cx">     codeBlock->addConstant(neuteringWatchpoint);
</span><span class="cx">     // FIXME: We don't need to set this watchpoint at all for shared buffers.
</span></span></pre></div>
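Review bot: The local in this hunk is still named neuteringWatchpoint although its type is now ArrayBufferNeuteringWatchpointSet*, and it sits right beside a real Watchpoint* named watchpoint. Renaming it to neuteringWatchpointSet would keep the set and the watchpoint added to it distinguishable at the set().add(watchpoint) call.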
<a id="trunkSourceJavaScriptCoreheapHeapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.cpp        2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/heap/Heap.cpp   2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -595,6 +595,7 @@
</span><span class="cx">             this->finalizeMarkedUnconditionalFinalizers<CodeBlock>(space.set);
</span><span class="cx">         });
</span><span class="cx">     finalizeMarkedUnconditionalFinalizers<ExecutableToCodeBlockEdge>(vm()->executableToCodeBlockEdgesWithFinalizers);
</span><ins>+    finalizeMarkedUnconditionalFinalizers<StructureRareData>(vm()->structureRareDataSpace);
</ins><span class="cx">     if (vm()->m_weakSetSpace)
</span><span class="cx">         finalizeMarkedUnconditionalFinalizers<JSWeakSet>(*vm()->m_weakSetSpace);
</span><span class="cx">     if (vm()->m_weakMapSpace)
</span></span></pre></div>
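Review bot: The added finalizeMarkedUnconditionalFinalizers call for StructureRareData sits directly after the ExecutableToCodeBlockEdge one with no comment on why this cell type now needs an unconditional finalizer, or on whether it has to run after the CodeBlock finalizers above it. A one-line comment stating the ordering requirement, or that order does not matter, would protect this list against a later reshuffle.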
<a id="trunkSourceJavaScriptCorellintLLIntSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp     2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp        2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -727,7 +727,7 @@
</span><span class="cx">             return;
</span><span class="cx">         if (condition.condition().kind() == PropertyCondition::Presence)
</span><span class="cx">             offset = condition.condition().offset();
</span><del>-        watchpoints.add(condition, metadata)->install(vm);
</del><ins>+        watchpoints.add(codeBlock, condition, metadata)->install(vm);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     ASSERT((offset == invalidOffset) == slot.isUnset());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayBuffercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayBuffer.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayBuffer.cpp      2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/runtime/ArrayBuffer.cpp 2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -26,7 +26,7 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "ArrayBuffer.h"
</span><span class="cx"> 
</span><del>-#include "ArrayBufferNeuteringWatchpoint.h"
</del><ins>+#include "ArrayBufferNeuteringWatchpointSet.h"
</ins><span class="cx"> #include "JSArrayBufferView.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include <wtf/Gigacage.h>
</span><span class="lines">@@ -382,7 +382,7 @@
</span><span class="cx">         JSCell* cell = incomingReferenceAt(i);
</span><span class="cx">         if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(vm, cell))
</span><span class="cx">             view->neuter();
</span><del>-        else if (ArrayBufferNeuteringWatchpoint* watchpoint = jsDynamicCast<ArrayBufferNeuteringWatchpoint*>(vm, cell))
</del><ins>+        else if (ArrayBufferNeuteringWatchpointSet* watchpoint = jsDynamicCast<ArrayBufferNeuteringWatchpointSet*>(vm, cell))
</ins><span class="cx">             watchpoint->fireAll();
</span><span class="cx">     }
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointcpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp   2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp      2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -1,69 +0,0 @@
</span><del>-/*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include "config.h"
-#include "ArrayBufferNeuteringWatchpoint.h"
-
-#include "JSCInlines.h"
-
-namespace JSC {
-
-const ClassInfo ArrayBufferNeuteringWatchpoint::s_info = {
-    "ArrayBufferNeuteringWatchpoint", nullptr, nullptr, nullptr,
-    CREATE_METHOD_TABLE(ArrayBufferNeuteringWatchpoint)
-};
-
-ArrayBufferNeuteringWatchpoint::ArrayBufferNeuteringWatchpoint(VM& vm)
-    : Base(vm, vm.arrayBufferNeuteringWatchpointStructure.get())
-    , m_set(adoptRef(*new WatchpointSet(IsWatched)))
-{
-}
-
-void ArrayBufferNeuteringWatchpoint::destroy(JSCell* cell)
-{
-    static_cast<ArrayBufferNeuteringWatchpoint*>(cell)->ArrayBufferNeuteringWatchpoint::~ArrayBufferNeuteringWatchpoint();
-}
-
-ArrayBufferNeuteringWatchpoint* ArrayBufferNeuteringWatchpoint::create(VM& vm)
-{
-    ArrayBufferNeuteringWatchpoint* result = new
-        (NotNull, allocateCell<ArrayBufferNeuteringWatchpoint>(vm.heap))
-        ArrayBufferNeuteringWatchpoint(vm);
-    result->finishCreation(vm);
-    return result;
-}
-
-Structure* ArrayBufferNeuteringWatchpoint::createStructure(VM& vm)
-{
-    return Structure::create(vm, 0, jsNull(), TypeInfo(CellType, StructureFlags), info());
-}
-
-void ArrayBufferNeuteringWatchpoint::fireAll()
-{
-    m_set->fireAll(*vm(), "Array buffer was neutered");
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h     2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h        2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -1,57 +0,0 @@
</span><del>-/*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include "JSCast.h"
-#include "Watchpoint.h"
-
-namespace JSC {
-
-class ArrayBufferNeuteringWatchpoint final : public JSCell {
-public:
-    typedef JSCell Base;
-    static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
-
-    DECLARE_INFO;
-    
-    static ArrayBufferNeuteringWatchpoint* create(VM&);
-
-    static const bool needsDestruction = true;
-    static void destroy(JSCell*);
-    
-    static Structure* createStructure(VM&);
-    
-    WatchpointSet& set() { return m_set.get(); }
-    
-    void fireAll();
-
-private:
-    explicit ArrayBufferNeuteringWatchpoint(VM&);
-    
-    Ref<WatchpointSet> m_set;
-};
-
-} // namespace JSC
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointSetcppfromrev243558trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointcpp"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpointSet.cpp (from rev 243558, trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp) (0 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpointSet.cpp                                (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpointSet.cpp   2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -0,0 +1,69 @@
</span><ins>+/*
+ * Copyright (C) 2013 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "ArrayBufferNeuteringWatchpointSet.h"
+
+#include "JSCInlines.h"
+
+namespace JSC {
+
+const ClassInfo ArrayBufferNeuteringWatchpointSet::s_info = {
+    "ArrayBufferNeuteringWatchpointSet", nullptr, nullptr, nullptr,
+    CREATE_METHOD_TABLE(ArrayBufferNeuteringWatchpointSet)
+};
+
+ArrayBufferNeuteringWatchpointSet::ArrayBufferNeuteringWatchpointSet(VM& vm)
+    : Base(vm, vm.arrayBufferNeuteringWatchpointStructure.get())
+    , m_set(adoptRef(*new WatchpointSet(IsWatched)))
+{
+}
+
+void ArrayBufferNeuteringWatchpointSet::destroy(JSCell* cell)
+{
+    static_cast<ArrayBufferNeuteringWatchpointSet*>(cell)->ArrayBufferNeuteringWatchpointSet::~ArrayBufferNeuteringWatchpointSet();
+}
+
+ArrayBufferNeuteringWatchpointSet* ArrayBufferNeuteringWatchpointSet::create(VM& vm)
+{
+    ArrayBufferNeuteringWatchpointSet* result = new
+        (NotNull, allocateCell<ArrayBufferNeuteringWatchpointSet>(vm.heap))
+        ArrayBufferNeuteringWatchpointSet(vm);
+    result->finishCreation(vm);
+    return result;
+}
+
+Structure* ArrayBufferNeuteringWatchpointSet::createStructure(VM& vm)
+{
+    return Structure::create(vm, 0, jsNull(), TypeInfo(CellType, StructureFlags), info());
+}
+
+void ArrayBufferNeuteringWatchpointSet::fireAll()
+{
+    m_set->fireAll(*vm(), "Array buffer was neutered");
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
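Review bot: The renamed constructor still initializes its base from vm.arrayBufferNeuteringWatchpointStructure, so the VM member keeps the old class name while the class, the ClassInfo string and the file are now ArrayBufferNeuteringWatchpointSet. Rename the VM member in the same change, or say in the ChangeLog that it is deliberately left for a follow-up, so a search for the old name does not suggest a second class still exists.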
<a id="trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointSethfromrev243558trunkSourceJavaScriptCoreruntimeArrayBufferNeuteringWatchpointh"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpointSet.h (from rev 243558, trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h) (0 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpointSet.h                          (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpointSet.h     2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -0,0 +1,57 @@
</span><ins>+/*
+ * Copyright (C) 2013 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#include "JSCast.h"
+#include "Watchpoint.h"
+
+namespace JSC {
+
+class ArrayBufferNeuteringWatchpointSet final : public JSCell {
+public:
+    typedef JSCell Base;
+    static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
+
+    DECLARE_INFO;
+    
+    static ArrayBufferNeuteringWatchpointSet* create(VM&);
+
+    static const bool needsDestruction = true;
+    static void destroy(JSCell*);
+    
+    static Structure* createStructure(VM&);
+    
+    WatchpointSet& set() { return m_set.get(); }
+    
+    void fireAll();
+
+private:
+    explicit ArrayBufferNeuteringWatchpointSet(VM&);
+    
+    Ref<WatchpointSet> m_set;
+};
+
+} // namespace JSC
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionRareDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/FunctionRareData.h (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionRareData.h   2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/runtime/FunctionRareData.h      2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -116,7 +116,7 @@
</span><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx"> 
</span><del>-    class AllocationProfileClearingWatchpoint : public Watchpoint {
</del><ins>+    class AllocationProfileClearingWatchpoint final : public Watchpoint {
</ins><span class="cx">     public:
</span><span class="cx">         AllocationProfileClearingWatchpoint(FunctionRareData* rareData)
</span><span class="cx">             : m_rareData(rareData)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp   2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp      2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -1103,57 +1103,57 @@
</span><span class="cx"> 
</span><span class="cx">     {
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(arrayIteratorPrototype, m_vm.propertyNames->next);
</span><del>-        m_arrayIteratorPrototypeNext = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_arrayIteratorProtocolWatchpoint);
</del><ins>+        m_arrayIteratorPrototypeNext = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_arrayIteratorProtocolWatchpoint);
</ins><span class="cx">         m_arrayIteratorPrototypeNext->install(vm);
</span><span class="cx">     }
</span><span class="cx">     {
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(this->arrayPrototype(), m_vm.propertyNames->iteratorSymbol);
</span><del>-        m_arrayPrototypeSymbolIteratorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_arrayIteratorProtocolWatchpoint);
</del><ins>+        m_arrayPrototypeSymbolIteratorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_arrayIteratorProtocolWatchpoint);
</ins><span class="cx">         m_arrayPrototypeSymbolIteratorWatchpoint->install(vm);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     {
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(mapIteratorPrototype, m_vm.propertyNames->next);
</span><del>-        m_mapIteratorPrototypeNextWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_mapIteratorProtocolWatchpoint);
</del><ins>+        m_mapIteratorPrototypeNextWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_mapIteratorProtocolWatchpoint);
</ins><span class="cx">         m_mapIteratorPrototypeNextWatchpoint->install(vm);
</span><span class="cx">     }
</span><span class="cx">     {
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(m_mapPrototype.get(), m_vm.propertyNames->iteratorSymbol);
</span><del>-        m_mapPrototypeSymbolIteratorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_mapIteratorProtocolWatchpoint);
</del><ins>+        m_mapPrototypeSymbolIteratorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_mapIteratorProtocolWatchpoint);
</ins><span class="cx">         m_mapPrototypeSymbolIteratorWatchpoint->install(vm);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     {
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(setIteratorPrototype, m_vm.propertyNames->next);
</span><del>-        m_setIteratorPrototypeNextWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_setIteratorProtocolWatchpoint);
</del><ins>+        m_setIteratorPrototypeNextWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_setIteratorProtocolWatchpoint);
</ins><span class="cx">         m_setIteratorPrototypeNextWatchpoint->install(vm);
</span><span class="cx">     }
</span><span class="cx">     {
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(m_setPrototype.get(), m_vm.propertyNames->iteratorSymbol);
</span><del>-        m_setPrototypeSymbolIteratorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_setIteratorProtocolWatchpoint);
</del><ins>+        m_setPrototypeSymbolIteratorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_setIteratorProtocolWatchpoint);
</ins><span class="cx">         m_setPrototypeSymbolIteratorWatchpoint->install(vm);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     {
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(m_stringIteratorPrototype.get(), m_vm.propertyNames->next);
</span><del>-        m_stringIteratorPrototypeNextWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_stringIteratorProtocolWatchpoint);
</del><ins>+        m_stringIteratorPrototypeNextWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_stringIteratorProtocolWatchpoint);
</ins><span class="cx">         m_stringIteratorPrototypeNextWatchpoint->install(vm);
</span><span class="cx">     }
</span><span class="cx">     {
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(m_stringPrototype.get(), m_vm.propertyNames->iteratorSymbol);
</span><del>-        m_stringPrototypeSymbolIteratorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_stringIteratorProtocolWatchpoint);
</del><ins>+        m_stringPrototypeSymbolIteratorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_stringIteratorProtocolWatchpoint);
</ins><span class="cx">         m_stringPrototypeSymbolIteratorWatchpoint->install(vm);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     {
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(m_mapPrototype.get(), m_vm.propertyNames->set);
</span><del>-        m_mapPrototypeSetWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_mapSetWatchpoint);
</del><ins>+        m_mapPrototypeSetWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_mapSetWatchpoint);
</ins><span class="cx">         m_mapPrototypeSetWatchpoint->install(vm);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     {
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(m_setPrototype.get(), m_vm.propertyNames->add);
</span><del>-        m_setPrototypeAddWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_setAddWatchpoint);
</del><ins>+        m_setPrototypeAddWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_setAddWatchpoint);
</ins><span class="cx">         m_setPrototypeAddWatchpoint->install(vm);
</span><span class="cx">     }
</span><span class="cx"> 
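Review bot: every block in this hunk repeats the same three steps (setupAdaptiveWatchpoint, make_unique with this as the owner, install), so the new owner argument has to be typed correctly by hand at each call site. A small private helper that takes the prototype, the property name and the target watchpoint set, and always passes this, would remove the repetition and keep the owner from drifting if another site is added later.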
</span><span class="lines">@@ -1164,7 +1164,7 @@
</span><span class="cx">         this->symbolPrototype();
</span><span class="cx"> 
</span><span class="cx">         ObjectPropertyCondition condition = setupAdaptiveWatchpoint(numberPrototype, m_vm.propertyNames->toString);
</span><del>-        m_numberPrototypeToStringWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(condition, m_numberToStringWatchpoint);
</del><ins>+        m_numberPrototypeToStringWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, condition, m_numberToStringWatchpoint);
</ins><span class="cx">         m_numberPrototypeToStringWatchpoint->install(vm);
</span><span class="cx">         m_numberProtoToStringFunction.set(vm, this, jsCast<JSFunction*>(numberPrototype->getDirect(vm, vm.propertyNames->toString)));
</span><span class="cx">     }
</span><span class="lines">@@ -1892,10 +1892,10 @@
</span><span class="cx">     RELEASE_ASSERT(!m_arraySpeciesWatchpoint.isBeingWatched());
</span><span class="cx">     m_arraySpeciesWatchpoint.touch(vm, "Set up array species watchpoint.");
</span><span class="cx"> 
</span><del>-    m_arrayPrototypeConstructorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(constructorCondition, m_arraySpeciesWatchpoint);
</del><ins>+    m_arrayPrototypeConstructorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, constructorCondition, m_arraySpeciesWatchpoint);
</ins><span class="cx">     m_arrayPrototypeConstructorWatchpoint->install(vm);
</span><span class="cx"> 
</span><del>-    m_arrayConstructorSpeciesWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(speciesCondition, m_arraySpeciesWatchpoint);
</del><ins>+    m_arrayConstructorSpeciesWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(this, speciesCondition, m_arraySpeciesWatchpoint);
</ins><span class="cx">     m_arrayConstructorSpeciesWatchpoint->install(vm);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeObjectPropertyChangeAdaptiveWatchpointh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ObjectPropertyChangeAdaptiveWatchpoint.h (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ObjectPropertyChangeAdaptiveWatchpoint.h     2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/runtime/ObjectPropertyChangeAdaptiveWatchpoint.h        2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -30,11 +30,12 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="cx"> template<typename Watchpoint>
</span><del>-class ObjectPropertyChangeAdaptiveWatchpoint : public AdaptiveInferredPropertyValueWatchpointBase {
</del><ins>+class ObjectPropertyChangeAdaptiveWatchpoint final : public AdaptiveInferredPropertyValueWatchpointBase {
</ins><span class="cx"> public:
</span><span class="cx">     using Base = AdaptiveInferredPropertyValueWatchpointBase;
</span><del>-    ObjectPropertyChangeAdaptiveWatchpoint(const ObjectPropertyCondition& condition, Watchpoint& watchpoint)
</del><ins>+    ObjectPropertyChangeAdaptiveWatchpoint(JSCell* owner, const ObjectPropertyCondition& condition, Watchpoint& watchpoint)
</ins><span class="cx">         : Base(condition)
</span><ins>+        , m_owner(owner)
</ins><span class="cx">         , m_watchpoint(watchpoint)
</span><span class="cx">     {
</span><span class="cx">         RELEASE_ASSERT(watchpoint.stateOnJSThread() == IsWatched);
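Review bot: the constructor stores owner in m_owner without checking it, while the isValid() added further down dereferences m_owner unconditionally. Add ASSERT(owner) next to the existing RELEASE_ASSERT on watchpoint.stateOnJSThread() so a null owner fails at construction rather than at the first isValid() call.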
</span><span class="lines">@@ -41,11 +42,17 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx"> private:
</span><ins>+    bool isValid() const override
+    {
+        return m_owner->isLive();
+    }
+
</ins><span class="cx">     void handleFire(VM& vm, const FireDetail&) override
</span><span class="cx">     {
</span><span class="cx">         m_watchpoint.fireAll(vm, StringFireDetail("Object Property is changed."));
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    JSCell* m_owner;
</ins><span class="cx">     Watchpoint& m_watchpoint;
</span><span class="cx"> };
</span><span class="cx"> 
</span></span></pre></div>
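Review bot: m_owner is a raw JSCell* and isValid() calls m_owner->isLive() on it, but nothing here documents why the pointer is still safe to dereference when isValid() runs. A short comment above isValid() stating the assumption would help the next person who constructs one of these with a different owner: the call sites earlier in this patch all pass this and keep the watchpoint in a member of the same object.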
<a id="trunkSourceJavaScriptCoreruntimeStructureRareDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp        2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp   2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -78,7 +78,7 @@
</span><span class="cx"> 
</span><span class="cx"> // ----------- Object.prototype.toString() helper watchpoint classes -----------
</span><span class="cx"> 
</span><del>-class ObjectToStringAdaptiveInferredPropertyValueWatchpoint : public AdaptiveInferredPropertyValueWatchpointBase {
</del><ins>+class ObjectToStringAdaptiveInferredPropertyValueWatchpoint final : public AdaptiveInferredPropertyValueWatchpointBase {
</ins><span class="cx"> public:
</span><span class="cx">     typedef AdaptiveInferredPropertyValueWatchpointBase Base;
</span><span class="cx">     ObjectToStringAdaptiveInferredPropertyValueWatchpoint(const ObjectPropertyCondition&, StructureRareData*);
</span><span class="lines">@@ -90,12 +90,14 @@
</span><span class="cx">     StructureRareData* m_structureRareData;
</span><span class="cx"> };
</span><span class="cx"> 
</span><del>-class ObjectToStringAdaptiveStructureWatchpoint : public Watchpoint {
</del><ins>+class ObjectToStringAdaptiveStructureWatchpoint final : public Watchpoint {
</ins><span class="cx"> public:
</span><span class="cx">     ObjectToStringAdaptiveStructureWatchpoint(const ObjectPropertyCondition&, StructureRareData*);
</span><span class="cx"> 
</span><span class="cx">     void install(VM&);
</span><span class="cx"> 
</span><ins>+    const ObjectPropertyCondition& key() const { return m_key; }
+
</ins><span class="cx"> protected:
</span><span class="cx">     void fireInternal(VM&, const FireDetail&) override;
</span><span class="cx">     
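Review bot: ObjectToStringAdaptiveStructureWatchpoint is now final, so the protected: section that holds fireInternal() can no longer be reached from a subclass and should become private:. The new key() accessor returning a const reference to m_key looks fine.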
</span><span class="lines">@@ -169,6 +171,22 @@
</span><span class="cx">     m_objectToStringValue.clear();
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void StructureRareData::finalizeUnconditionally(VM& vm)
+{
+    if (m_objectToStringAdaptiveInferredValueWatchpoint) {
+        if (!m_objectToStringAdaptiveInferredValueWatchpoint->key().isStillLive(vm)) {
+            clearObjectToStringValue();
+            return;
+        }
+    }
+    for (auto* watchpoint : m_objectToStringAdaptiveWatchpointSet) {
+        if (!watchpoint->key().isStillLive(vm)) {
+            clearObjectToStringValue();
+            return;
+        }
+    }
+}
+
</ins><span class="cx"> // ------------- Methods for Object.prototype.toString() helper watchpoint classes --------------
</span><span class="cx"> 
</span><span class="cx"> ObjectToStringAdaptiveStructureWatchpoint::ObjectToStringAdaptiveStructureWatchpoint(const ObjectPropertyCondition& key, StructureRareData* structureRareData)
</span></span></pre></div>
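Review bot: finalizeUnconditionally() repeats the same clearObjectToStringValue(); return; body for the single inferred-value watchpoint and for each entry of m_objectToStringAdaptiveWatchpointSet, and carries no comment saying why a key that is no longer live has to drop the cached value. Consider folding the two checks into one predicate (for example a local lambda that tests key().isStillLive(vm)) and adding a line above the function that states the invariant it maintains.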
<a id="trunkSourceJavaScriptCoreruntimeStructureRareDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StructureRareData.h (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureRareData.h  2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/runtime/StructureRareData.h     2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -90,6 +90,8 @@
</span><span class="cx"> 
</span><span class="cx">     DECLARE_EXPORT_INFO;
</span><span class="cx"> 
</span><ins>+    void finalizeUnconditionally(VM&);
+
</ins><span class="cx"> private:
</span><span class="cx">     friend class Structure;
</span><span class="cx">     friend class ObjectToStringAdaptiveStructureWatchpoint;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.cpp (243559 => 243560)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.cpp       2019-03-27 20:25:15 UTC (rev 243559)
+++ trunk/Source/JavaScriptCore/runtime/VM.cpp  2019-03-27 20:29:29 UTC (rev 243560)
</span><span class="lines">@@ -30,7 +30,7 @@
</span><span class="cx"> #include "VM.h"
</span><span class="cx"> 
</span><span class="cx"> #include "ArgList.h"
</span><del>-#include "ArrayBufferNeuteringWatchpoint.h"
</del><ins>+#include "ArrayBufferNeuteringWatchpointSet.h"
</ins><span class="cx"> #include "BuiltinExecutables.h"
</span><span class="cx"> #include "BytecodeIntrinsicRegistry.h"
</span><span class="cx"> #include "CodeBlock.h"
</span><span class="lines">@@ -381,7 +381,7 @@
</span><span class="cx">     structureChainStructure.set(*this, StructureChain::createStructure(*this, 0, jsNull()));
</span><span class="cx">     sparseArrayValueMapStructure.set(*this, SparseArrayValueMap::createStructure(*this, 0, jsNull()));
</span><span class="cx">     templateObjectDescriptorStructure.set(*this, JSTemplateObjectDescriptor::createStructure(*this, 0, jsNull()));
</span><del>-    arrayBufferNeuteringWatchpointStructure.set(*this, ArrayBufferNeuteringWatchpoint::createStructure(*this));
</del><ins>+    arrayBufferNeuteringWatchpointStructure.set(*this, ArrayBufferNeuteringWatchpointSet::createStructure(*this));
</ins><span class="cx">     unlinkedFunctionExecutableStructure.set(*this, UnlinkedFunctionExecutable::createStructure(*this, 0, jsNull()));
</span><span class="cx">     unlinkedProgramCodeBlockStructure.set(*this, UnlinkedProgramCodeBlock::createStructure(*this, 0, jsNull()));
</span><span class="cx">     unlinkedEvalCodeBlockStructure.set(*this, UnlinkedEvalCodeBlock::createStructure(*this, 0, jsNull()));
</span></span></pre>
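Review bot: on the changed line in the second hunk the member is still named arrayBufferNeuteringWatchpointStructure while the class it holds the structure for is now ArrayBufferNeuteringWatchpointSet. Rename the member to arrayBufferNeuteringWatchpointSetStructure, or say why the old name is kept, so the name keeps matching the type the way structureChainStructure and sparseArrayValueMapStructure do in the context lines above.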
</div>
</div>

</body>
</html>