Is this working as intended?

The initial repro prints 'foo' forever in both Firefox and Safari, even after explicitly collecting garbage.

I think this is a V8 bug. mlippautz@ can you please take a look?

Note: For the second repro, it just follows from the first repro that the entry is dropped. You don't actually set the key in the map using this indirection. `rules` can be GC'ed as there are no references to it, which then makes this the same as the first repro.

Thanks for having a look gsathya@

> `rules` can be GC'ed as there are no references to it, which then makes this the same as the first repro.

I'm surprised V8 is smart enough to do this. I would expect `rules` to be in the scope record for the anonymous function and V8 not to GC since presumably the anonymous function could just call `eval` to access `rules`. Obviously this isn't happening here, but I didn't think V8 would be able to do this.

Regardless, the second example isn't important if you believe the first one really is a bug.

Looks like the wrapper for document.styleSheets[0].cssRules[0] is dropped and consequently 'foo' is also dropped from the WeakMap.

This should not happen. Will take a loop.

Minimal repro that requires
  --js-flags="--expose-natives-syntax --expose-gc"

<html>
 <head>
  <style>
   .doesntexit { display: none }
  </style>
  <script>
    document.styleSheets[0].cssRules[0].prop = 'asdf';
    function log_it() {
      %DebugPrint('start');
      console.log(document.styleSheets[0].cssRules[0].prop);
      %DebugPrint('end');
    }
    log_it();
    gc();
    log_it();
  </script>
 <body>
 </body>
</html>

We drop the JS object and get a new one on the second invocation of 'log_it()'.

It looks to me like blink::CSSStyleSheet [1] lacks the wrapper tracing annotations. 

The reason this is also observable through WeakMap is that WeakMap adds an internal property for hashing and that one is gone (different) when we do the access after GC.

[1] https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/css/css_style_sheet.h?l=49

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/44d897b0a752f08649e686fc6106e6130a6beca2

commit 44d897b0a752f08649e686fc6106e6130a6beca2
Author: Michael Lippautz <mlippautz@chromium.org>
Date: Tue May 15 16:38:11 2018

[wrapper-tracing] Properly trace rule lists of StyleSheet

Otherwise the JS wrappers will get lost.

Bug:  chromium:830910 
Change-Id: I7f746698b6ce05d9b2e3ce26f778a2e08d0c3cd6
Reviewed-on: https://chromium-review.googlesource.com/1059251
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558742}
[modify] https://crrev.com/44d897b0a752f08649e686fc6106e6130a6beca2/third_party/WebKit/LayoutTests/fast/dom/StyleSheet/gc-rule-children-wrappers-expected.txt
[modify] https://crrev.com/44d897b0a752f08649e686fc6106e6130a6beca2/third_party/WebKit/LayoutTests/fast/dom/gc-9-expected.txt
[add] https://crrev.com/44d897b0a752f08649e686fc6106e6130a6beca2/third_party/WebKit/LayoutTests/fast/dom/gc-stylesheet-rule-property.html
[modify] https://crrev.com/44d897b0a752f08649e686fc6106e6130a6beca2/third_party/blink/renderer/core/css/css_style_sheet.cc
[modify] https://crrev.com/44d897b0a752f08649e686fc6106e6130a6beca2/third_party/blink/renderer/core/css/css_style_sheet.h

We actually did have layout test coverage for the DOM path used in the repro and it was known that properties were dropped on GC. 

All such issues will be fixed with the unfified heap that's under development. 

For now, the specific issue here and quite a few related ones are fixed.

Thanks mlippautz@. Is there a bug I can follow for the unified heap?

We are traversing the whole window object and storing all values we encounter in a WeakMap. So any leftover issue will still likely be a problem for us (this results in hard-to-debug failures in our project).

For now we're simply using a regular Map. It's not memory efficient, but it's an acceptable workaround. We would like to remove the workaround once it's no longer needed though.

> Thanks mlippautz@. Is there a bug I can follow for the unified heap?

We are landing individual pieces right now. I created issue 843903 to track the overall progress; still need to block on the sub projects. Expect something in the range of months. 

> We are traversing the whole window object and storing all values we encounter in a WeakMap. So any leftover issue will still likely be a problem for us (this results in hard-to-debug failures in our project).

This is one of the reasons we are unifying this. Keeping code correct across components using separate garbage collections is otherwise error prone.

That said, while we know of corner cases (or stuff that was just never cleaned up like this one which was hard to get right in the old architecture), in general it should work and it would be awesome if you could report back on things that are broken.