Currently, when we're in the middle of JSObject::allocatePropertyStorage, our Structure has inconsistent information. The Structure has just had a property added to it and it thinks it is bigger in both size and capacity, but our actual property backing store is still the same size as before. This can lead the garbage collector to do bad things based on this inaccurate information. We should instead check to see if we need to allocate more space first and do so if necessary, and then add the new property to our structure.
Created attachment 137007 [details] Patch
Comment on attachment 137007 [details] Patch Attachment 137007 [details] did not pass win-ews (win): Output: http://queues.webkit.org/results/12391710
Created attachment 137023 [details] Patch
Comment on attachment 137023 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=137023&action=review I think you want an interface like this: // Add property with structure transition newStorage = reallocPropertyStorage(m_propertyStorage.get(), ...); // Returns new storage, does not assign. newStructure = Structure::addPropertyTransition(...); // Returns new structure, does not assign. setPropertyStorage(newStorage, newStructure); // Assigns structure and storage "atomically". // Add property without structure transition newStorage = reallocPropertyStorage(m_propertyStorage.get(), ...); // Returns new storage, does not assign. setPropertyStorage(newStorage, m_structure.get()); // Assigns structure and storage "atomically". Since storage and structure need to be in sync, we should never set one without setting the other. > Source/JavaScriptCore/runtime/JSObject.h:661 > + if (structure()->shouldResizePropertyStorage()) Let's call this "shouldGrowPropertyStorage". "Resize" is imprecise, because we don't shrink. > Source/JavaScriptCore/runtime/JSObject.h:662 > + allocatePropertyStorage(globalData, structure()->propertyStorageCapacity(), structure()->suggestedPropertyStorageResizeAmount()); Let's call this "growPropertyStorage" or "reallocPropertyStorage" to help clarify that we're allocating for a second time. > Source/JavaScriptCore/runtime/JSObject.h:727 > + Structure* structure = Structure::addPropertyTransition(globalData, this->structure(), propertyName, attributes, specificFunction, offset); This addPropertyTransition will allocate a new structure, which can cause a GC. During that GC, our Structure's information about our backing store will be out of date (specifically, it will underestimate the size / capacity of our backing store). I'm not sure if that will definitely cause a problem, but it seems not so good. We never want our information about our backing store to be out of date.
Created attachment 137104 [details] Patch
Comment on attachment 137104 [details] Patch Attachment 137104 [details] did not pass win-ews (win): Output: http://queues.webkit.org/results/12400123
Created attachment 137112 [details] Patch
Comment on attachment 137112 [details] Patch Attachment 137112 [details] did not pass win-ews (win): Output: http://queues.webkit.org/results/12403044
Created attachment 137121 [details] Patch
Comment on attachment 137121 [details] Patch r=me Did the test cases I mentioned pan out?
Comment on attachment 137121 [details] Patch Clearing flags on attachment: 137121 Committed r114255: <http://trac.webkit.org/changeset/114255>
All reviewed patches have been landed. Closing bug.
<rdar://problem/10884040>
Reverted in r116494, this causes many failures if COLLECT_ON_EVERY_ALLOCATION is enabled.
Rolling this change back in since the underlying bug that it revealed should have been fixed in http://trac.webkit.org/changeset/116565.
Created attachment 142313 [details] Patch
Resubmitting patch to make sure everything still builds.
Committed r117343: <http://trac.webkit.org/changeset/117343>