Bug 77488 - Replace JSArray destructor with finalizer
Summary: Replace JSArray destructor with finalizer
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Hahnenberg
Reported: 2012-01-31 16:03 PST by Mark Hahnenberg
Modified: 2012-02-01 14:15 PST

Attachments
Patch (3.59 KB, patch)
2012-01-31 17:02 PST, Mark Hahnenberg
no flags
Patch (9.81 KB, patch)
2012-02-01 13:17 PST, Mark Hahnenberg
ggaren: review+
webkit.review.bot: commit-queue-

Description Mark Hahnenberg 2012-01-31 16:03:37 PST
We want JSArray to be in the imminent no-destructor heap, and the only thing preventing us from doing so is the SparseArrayValueMap pointer in JSArray. We can instead add a finalizer whenever we allocate one of these maps, which is very rarely so the performance hit should be negligible. There is also a void* subclassData, but any classes that use this should have destructors anyways.
Comment 1 Mark Hahnenberg 2012-01-31 17:02:34 PST
Created attachment 124854
Patch
Comment 2 Geoffrey Garen 2012-01-31 17:36:35 PST
Comment on attachment 124854
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=124854&action=review

> Source/JavaScriptCore/runtime/JSArray.cpp:314
> +    if (!map) {
>          map = m_sparseValueMap = new SparseArrayValueMap;
> +        globalData.heap.addFinalizer(this, finalize);
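
Review bot: In the `if (!map)` branch, `globalData.heap.addFinalizer(this, finalize)` runs on every allocation of the map, and nothing in the visible lines records an earlier registration for the same cell. If one registration per object is intended, guard the call with a per-object flag; otherwise add a comment at this call stating that `finalize` may be queued several times for one cell and must be safe to run repeatedly.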

m_sparseValueMap can oscillate between null and non-null. In such a case, this code will register one finalizer for each oscillation, which will result in a double delete.

Please write a test case for this condition.

You can fix this by setting thisObject->m_sparseValueMap to 0 after deleting it, adding a comment that the finalizer can run more than once, or by never setting m_sparseValueMap to 0, even if it becomes empty.
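
The failure mode raised in Comment 2, as an added model that is not JavaScriptCore code or part of either patch: a pointer that oscillates between null and non-null registers one finalizer per allocation, and every finalizer after the first sees an already-freed pointer unless the pointer is cleared after deletion. `ToyHeap`, `ToyArray`, `SparseMap`, `Tracker` and `simulate` are hypothetical names, and the model assumes the map is freed whenever the pointer returns to null.

```cpp
#include <cstddef>
#include <functional>
#include <set>
#include <utility>
#include <vector>

struct SparseMap { };                     // stand-in for SparseArrayValueMap
struct ToyArray { SparseMap* map = nullptr; };

// Stands in for new/delete; counts a repeated free instead of performing it.
struct Tracker {
    std::set<SparseMap*> live;
    int doubleFrees = 0;
    SparseMap* allocate() { SparseMap* p = new SparseMap; live.insert(p); return p; }
    void release(SparseMap* p) {
        if (!p) return;                   // deleting null is a no-op
        if (live.erase(p)) delete p; else ++doubleFrees;
    }
};

// Minimal heap: runs every registered finalizer once at collection time.
struct ToyHeap {
    std::vector<std::function<void()>> finalizers;
    void addFinalizer(std::function<void()> f) { finalizers.push_back(std::move(f)); }
    void collect() { for (auto& f : finalizers) f(); finalizers.clear(); }
};

// Performs `cycles` null -> non-null transitions, registering a finalizer on each
// allocation as in the first patch, then collects. Returns the double frees seen.
int simulate(int cycles, bool clearAfterDelete) {
    Tracker t; ToyHeap heap; ToyArray a;
    for (int i = 0; i < cycles; ++i) {
        if (i) { t.release(a.map); a.map = nullptr; }   // map emptied, pointer back to null
        a.map = t.allocate();
        heap.addFinalizer([&] {
            t.release(a.map);
            if (clearAfterDelete) a.map = nullptr;      // makes repeated runs harmless
        });
    }
    heap.collect();
    return t.doubleFrees;
}
```

With three oscillations the uncleared variant reports two repeated frees of the same map, while the variant that nulls the pointer reports none.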
Comment 3 Mark Hahnenberg 2012-02-01 13:17:57 PST
Created attachment 125001
Patch
Comment 4 Geoffrey Garen 2012-02-01 13:45:50 PST
Comment on attachment 125001
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=125001&action=review

r=me

> Source/JavaScriptCore/runtime/JSArray.cpp:203
> +void JSArray::finalize(JSCell* cell)

Please add a comment here noting that this function can be called more than once, so a future developer doesn't add unsafe code.
Comment 5 WebKit Review Bot 2012-02-01 14:12:26 PST
Comment on attachment 125001
Patch

Attachment 125001 did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/11393541

New failing tests:
fast/js/sparse-array.html
Comment 6 Mark Hahnenberg 2012-02-01 14:15:58 PST
Committed r106496: <http://trac.webkit.org/changeset/106496>