Bug 181655 - Replace isFreeListedCell with some machinery to determine if a cell is dead-but-not-destructed
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
Reported: 2018-01-15 12:11 PST by Filip Pizlo
Modified: 2018-01-15 12:11 PST
Description Filip Pizlo 2018-01-15 12:11:29 PST
Due to https://bugs.webkit.org/show_bug.cgi?id=172548, we now have a variety of watchpoints (and any event handler that deregisters during destruction) check if their owner object is still live if they are fired. This protects the case where the owner is dead-but-not-destructed.

This "is live" query requires sometimes dealing with free-listed blocks, since an object might ask "am I live" due to some watchpoint while the block that it was allocated out of is still in the free-listed state. That's annoying, since that means walking the free-lists of active blocks.

But notice that a block that is free-listed cannot have any dead-but-not-destructed objects in it. Therefore, we should simplify our solution to bug 172548 to use a HeapCell::isDeadButNotDestructed(), which can automatically return false if the owning block is free-listed.
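
Added example (not part of the original report and not JavaScriptCore code): a simplified model of one block, showing why a dead-but-not-destructed query can return false for a free-listed block without walking its free list, while a liveness query cannot. Every name except `isDeadButNotDestructed` is hypothetical, and the model assumes a block becomes free-listed only by being swept.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Simplified model for illustration; not JavaScriptCore code.
// Every name except isDeadButNotDestructed is hypothetical.
struct ToyBlock {
    struct Cell { bool constructed = false; bool marked = false; };
    std::vector<Cell> cells;
    std::vector<std::size_t> freeList; // cells available to the allocator
    bool freeListed = true;            // a fresh block starts fully free-listed

    explicit ToyBlock(std::size_t n) : cells(n) {
        for (std::size_t i = n; i-- > 0;) freeList.push_back(i);
    }
    std::size_t allocate() {           // precondition: freeListed && !freeList.empty()
        std::size_t i = freeList.back();
        freeList.pop_back();
        cells[i].constructed = true;   // constructor ran
        cells[i].marked = false;       // not yet seen by any collection
        return i;
    }
    // A collection finished: survivors are marked and the free list is retired,
    // but destructors of dead cells have not run yet (no sweep so far).
    void finishCollection(const std::vector<std::size_t>& survivors) {
        for (auto& c : cells) c.marked = false;
        for (std::size_t i : survivors) cells[i].marked = true;
        freeList.clear();
        freeListed = false;
    }
    // Sweep: destruct every dead cell, then rebuild the free list.
    void sweepToFreeList() {
        for (std::size_t i = cells.size(); i-- > 0;) {
            if (cells[i].marked) continue;
            cells[i].constructed = false; // destructor runs here
            freeList.push_back(i);
        }
        freeListed = true;
    }
    // Liveness in a free-listed block means walking the free list.
    bool isLiveSlow(std::size_t i) const {
        if (!freeListed) return cells[i].marked;
        return std::find(freeList.begin(), freeList.end(), i) == freeList.end();
    }
    // The proposed query: a free-listed block was just swept, so answer false
    // without touching the free list.
    bool isDeadButNotDestructed(std::size_t i) const {
        if (freeListed) return false;
        return cells[i].constructed && !cells[i].marked;
    }
};
```

In this model a cell allocated after the sweep is constructed and unmarked, so the mark-bit test alone would misreport it; the free-listed short-circuit is what keeps the answer correct.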