Bug 228892
| Summary: | [JSC] Custom getter / setter functions can be collected | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Yusuke Suzuki <ysuzuki> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | ashvayka, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |

Yusuke Suzuki
They are weakly held. This means that they can be collected if nobody references them.
So,

```js
{
    var getter = Object.getOwnPropertyDescriptor(RegExp, "rightContext").get;
    getter.mark = true; // expando stored on the getter function object
}
// Make GC happen.
{
    var getter = Object.getOwnPropertyDescriptor(RegExp, "rightContext").get;
    print(getter.mark); // => undefined
}
```

We need to keep these accessors strongly in the holder.
Alexey Shvayka
Wow, this is a great catch!
Since there could be a lot of `Object.getOwnPropertyDescriptors(%WebIDLInterface%.prototype)` out there on the web, my first approach would be creating a separate HashSet on JSGlobalObject that is strong, and leveraging Structure::didTransitionFromThisStructure() (m_transitionWatchpointSet) to copy JSCustom{Getter,Setter}Function objects there, so we can avoid overriding MethodTable::destroy() for performance reasons.
Alexey Shvayka
So the idea is to keep them weak unless they transition from the initial structure.
Alexey Shvayka
Hmm, a watchpoint won't help preserve the first marked getter / setter correctly as we have no place to check it except JSObject::getOwnPropertyDescriptor().
Instead, we should subclass WeakHandleOwner, check for a modified structure in its finalize(), and tweak WeakGCSet to accept it.
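
The retention policies discussed in this thread, as an added plain-JavaScript model (not part of the bug report and not JavaScriptCore code): it compares a purely weak wrapper cache with one whose finalizer keeps wrappers that script has modified. The class name, the policy names, the explicit `sweep()` standing in for a GC cycle, and the use of own-key lists as a stand-in for a structure check are all assumptions made for illustration.

```javascript
// Model only: a stand-in for the engine's weak set of accessor wrapper functions.
// sweep() plays the role of a GC cycle in which no script value references the wrappers.
class AccessorWrapperCache {
  constructor(policy) {
    this.policy = policy;      // "weak" or "keep-if-modified" (hypothetical names)
    this.entries = new Map();  // "Holder.property" -> { fn, initialShape }
  }

  // Models getOwnPropertyDescriptor(holder, name).get:
  // reuse the cached wrapper if it is still alive, otherwise create a fresh one.
  getter(holderName, propertyName) {
    const key = `${holderName}.${propertyName}`;
    let entry = this.entries.get(key);
    if (!entry) {
      const fn = function () { return undefined; };
      entry = { fn, initialShape: shapeOf(fn) };
      this.entries.set(key, entry);
    }
    return entry.fn;
  }

  // Models the finalizer decision; returns how many wrappers were dropped.
  sweep() {
    let dropped = 0;
    for (const [key, entry] of this.entries) {
      const modified = shapeOf(entry.fn) !== entry.initialShape;
      if (this.policy === "keep-if-modified" && modified) continue; // retain
      this.entries.delete(key);
      dropped++;
    }
    return dropped;
  }
}

// Own-key list as a rough proxy for "has left its initial structure".
function shapeOf(fn) {
  return Reflect.ownKeys(fn).map(String).join(",");
}

// Replays the report's scenario: mark one getter, leave another untouched, then sweep.
function markSurvivesSweep(policy) {
  const cache = new AccessorWrapperCache(policy);
  cache.getter("RegExp", "rightContext").mark = true;
  cache.getter("RegExp", "leftContext"); // constructed second entry, never modified
  const dropped = cache.sweep();
  return { mark: cache.getter("RegExp", "rightContext").mark, dropped };
}
```

Under the "weak" policy the marked wrapper is replaced by a fresh object, so script can observe the collection; under "keep-if-modified" only the untouched wrapper is dropped.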
Radar WebKit Bug Importer
<rdar://problem/81928455>