AdaptiveInferredPropertyValueWatchpoint can trigger a GC that frees its CodeBlock and thus itself
https://bugs.webkit.org/show_bug.cgi?id=154146

Reviewed by Filip Pizlo.

Consider the following: there is some CodeBlock, C, that is watching some object, O, with a
structure, S, for replacements. Also, suppose that C has no references anymore and is due to
be GCed. Now, when some new property is added to O, S will create a new structure S' and
fire its transition watchpoints. Since C is watching S for replacements it will attempt to
have its AdaptiveInferredPropertyValueWatchpoint relocate itself to S'. To do so, it needs
to allocate RareData on S'. This allocation may cause a GC, which frees C while still
executing its watchpoint handler. The solution to this is to defer GC while running
AdaptiveInferredPropertyValueWatchpointBase handlers.

* bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
(JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@196497 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp b/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp
index 04d98f6..9f02e8c 100644
--- a/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp
+++ b/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp
@@ -50,6 +50,10 @@
 
 void AdaptiveInferredPropertyValueWatchpointBase::fire(const FireDetail& detail)
 {
+    // We need to defer GC here otherwise we might trigger a GC that could destroy the owner
+    // CodeBlock. In particular, this can happen when we add rare data to a structure when
+    // we EnsureWatchability.
+    DeferGCForAWhile defer(*Heap::heap(m_key.object()));
     // One of the watchpoints fired, but the other one didn't. Make sure that neither of them are
     // in any set anymore. This simplifies things by allowing us to reinstall the watchpoints
     // wherever from scratch.
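Review bot: the new comment block runs straight into the pre-existing "One of the watchpoints fired..." comment with no blank line after the `DeferGCForAWhile defer(...)` declaration, so the two comments read as a single paragraph about unrelated things; add a blank line after the `defer` declaration so the GC-deferral rationale stays visually attached to the statement it explains. In the same comment, "when we EnsureWatchability" reads like a half-formed function reference; either spell out the call it refers to (e.g. "when ensuring watchability adds rare data to the structure") or name the function explicitly so a reader can grep for it. Finally, the change log describes a use-after-free reachable only through a GC triggered inside the handler, but the patch adds no regression test; if a stress test that forces a collection during the structure transition is feasible, it would guard this ordering against future refactors that move allocation ahead of the deferral.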