NEW 228892
[JSC] Custom getter / setter functions can be collected 
https://bugs.webkit.org/show_bug.cgi?id=228892
Summary [JSC] Custom getter / setter functions can be collected
Yusuke Suzuki
Reported 2021-08-06 22:15:57 PDT
It is weakly held. This means that they can be collected if nobody references it. So, { var getter = Object.getOwnPropertyDescriptor(RegExp, "rightContext").get; getter.mark = true; } // Make GC happens. { var getter = Object.getOwnPropertyDescriptor(RegExp, "rightContext").get; print(getter.mark); // => undefined } We need to keep these accessors strongly in the holder.
Attachments
Add attachment proposed patch, testcase, etc.
Alexey Shvayka
Comment 1 2021-08-06 22:36:08 PDT
Wow, this is a great catch! Since there could be a lot of `Object.getOwnPropertyDescriptors(%WebIDLInterface%.prototype)` out there in the web, my first approach would be creating separate HashSet on JSGlobalObject that is strong, and leverage Structure::didTransitionFromThisStructure() (m_transitionWatchpointSet) to copy JSCustom{Getter,Setter}Function objects there, so we can avoid overriding MethodTable::destroy() for performance reasons.
Alexey Shvayka
Comment 2 2021-08-06 22:37:21 PDT
So the idea is to keep them weak unless they transition from initial structure.
Alexey Shvayka
Comment 3 2021-08-06 23:01:44 PDT
Hmm, a watchpoint won't help preserve the first marked getter / setter correctly as we have no place to check it except JSObject::getOwnPropertyDescriptor(). Instead, we should subclass WeakHandleOwner, check for modified structure in its finalize(), and tweak WeakGCSet to accept it.
Radar WebKit Bug Importer
Comment 4 2021-08-13 22:16:17 PDT
<rdar://problem/81928455>
Note You need to log in before you can comment on or make changes to this bug.