Diff
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-02-14 06:57:32 UTC (rev 228460)
@@ -1,5 +1,69 @@
2018-02-13 Jason Marcell <jmarc...@apple.com>
+ Cherry-pick r228420. rdar://problem/37521084
+
+ 2018-02-10 Filip Pizlo <fpi...@apple.com>
+
+ Lock down JSFunction
+ https://bugs.webkit.org/show_bug.cgi?id=182652
+
+ Reviewed by Saam Barati.
+
+ This poisons pointers in JSFunction and puts all of the types in the JSFunction hierarchy in
+ isospaces.
+
+ This is so neutral on JetStream: 0.01% slower with p = 0.969211.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+ (JSC::DFG::SpeculativeJIT::compileNewFunction):
+ (JSC::DFG::SpeculativeJIT::compileCreateThis):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
+ (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
+ (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+ (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
+ (JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer):
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::weakPointer):
+ (JSC::FTL::Output::weakPoisonedPointer):
+ * heap/MarkedSpace.cpp:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_create_this):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+ (JSC::nativeForGenerator):
+ (JSC::boundThisNoArgsFunctionCallGenerator):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSAsyncFunction.h:
+ (JSC::JSAsyncFunction::subspaceFor):
+ * runtime/JSAsyncGeneratorFunction.h:
+ (JSC::JSAsyncGeneratorFunction::subspaceFor):
+ * runtime/JSBoundFunction.h:
+ (JSC::JSBoundFunction::subspaceFor):
+ * runtime/JSCPoison.h:
+ * runtime/JSCustomGetterSetterFunction.h:
+ (JSC::JSCustomGetterSetterFunction::subspaceFor):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::subspaceFor):
+ * runtime/JSGeneratorFunction.h:
+ (JSC::JSGeneratorFunction::subspaceFor):
+ * runtime/JSNativeStdFunction.h:
+ (JSC::JSNativeStdFunction::subspaceFor):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/js/WebAssemblyFunction.h:
+ * wasm/js/WebAssemblyWrapperFunction.h:
+
+2018-02-13 Jason Marcell <jmarc...@apple.com>
+
Cherry-pick r228438. rdar://problem/37521089
2018-02-13 Saam Barati <sbar...@apple.com>
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-02-14 06:57:32 UTC (rev 228460)
@@ -6718,15 +6718,15 @@
}
template <typename ClassType>
-void SpeculativeJIT::compileNewFunctionCommon(GPRReg resultGPR, RegisteredStructure structure, GPRReg scratch1GPR, GPRReg scratch2GPR, GPRReg scopeGPR, MacroAssembler::JumpList& slowPath, size_t size, FunctionExecutable* executable, ptrdiff_t offsetOfScopeChain, ptrdiff_t offsetOfExecutable, ptrdiff_t offsetOfRareData)
+void SpeculativeJIT::compileNewFunctionCommon(GPRReg resultGPR, RegisteredStructure structure, GPRReg scratch1GPR, GPRReg scratch2GPR, GPRReg scopeGPR, MacroAssembler::JumpList& slowPath, size_t size, FunctionExecutable* executable)
{
auto butterfly = TrustedImmPtr(nullptr);
auto mask = TrustedImm32(0);
emitAllocateJSObjectWithKnownSize<ClassType>(resultGPR, TrustedImmPtr(structure), butterfly, mask, scratch1GPR, scratch2GPR, slowPath, size);
- m_jit.storePtr(scopeGPR, JITCompiler::Address(resultGPR, offsetOfScopeChain));
- m_jit.storePtr(TrustedImmPtr::weakPointer(m_jit.graph(), executable), JITCompiler::Address(resultGPR, offsetOfExecutable));
- m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(resultGPR, offsetOfRareData));
+ m_jit.storePtr(scopeGPR, JITCompiler::Address(resultGPR, JSFunction::offsetOfScopeChain()));
+ m_jit.storePtr(TrustedImmPtr::weakPoisonedPointer<JSFunctionPoison>(m_jit.graph(), executable), JITCompiler::Address(resultGPR, JSFunction::offsetOfExecutable()));
+ m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(resultGPR, JSFunction::offsetOfRareData()));
m_jit.mutatorFence(*m_jit.vm());
}
@@ -6788,25 +6788,25 @@
JITCompiler::JumpList slowPath;
if (nodeType == NewFunction) {
- compileNewFunctionCommon<JSFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSFunction::allocationSize(0), executable, JSFunction::offsetOfScopeChain(), JSFunction::offsetOfExecutable(), JSFunction::offsetOfRareData());
+ compileNewFunctionCommon<JSFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSFunction::allocationSize(0), executable);
addSlowPathGenerator(slowPathCall(slowPath, this, operationNewFunctionWithInvalidatedReallocationWatchpoint, resultGPR, scopeGPR, executable));
}
if (nodeType == NewGeneratorFunction) {
- compileNewFunctionCommon<JSGeneratorFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSGeneratorFunction::allocationSize(0), executable, JSGeneratorFunction::offsetOfScopeChain(), JSGeneratorFunction::offsetOfExecutable(), JSGeneratorFunction::offsetOfRareData());
+ compileNewFunctionCommon<JSGeneratorFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSGeneratorFunction::allocationSize(0), executable);
addSlowPathGenerator(slowPathCall(slowPath, this, operationNewGeneratorFunctionWithInvalidatedReallocationWatchpoint, resultGPR, scopeGPR, executable));
}
if (nodeType == NewAsyncFunction) {
- compileNewFunctionCommon<JSAsyncFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSAsyncFunction::allocationSize(0), executable, JSAsyncFunction::offsetOfScopeChain(), JSAsyncFunction::offsetOfExecutable(), JSAsyncFunction::offsetOfRareData());
+ compileNewFunctionCommon<JSAsyncFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSAsyncFunction::allocationSize(0), executable);
addSlowPathGenerator(slowPathCall(slowPath, this, operationNewAsyncFunctionWithInvalidatedReallocationWatchpoint, resultGPR, scopeGPR, executable));
}
if (nodeType == NewAsyncGeneratorFunction) {
- compileNewFunctionCommon<JSAsyncGeneratorFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSAsyncGeneratorFunction::allocationSize(0), executable, JSAsyncGeneratorFunction::offsetOfScopeChain(), JSAsyncGeneratorFunction::offsetOfExecutable(), JSAsyncGeneratorFunction::offsetOfRareData());
+ compileNewFunctionCommon<JSAsyncGeneratorFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSAsyncGeneratorFunction::allocationSize(0), executable);
addSlowPathGenerator(slowPathCall(slowPath, this, operationNewAsyncGeneratorFunctionWithInvalidatedReallocationWatchpoint, resultGPR, scopeGPR, executable));
}
@@ -11436,6 +11436,7 @@
JITCompiler::Address(calleeGPR, JSCell::typeInfoTypeOffset()), TrustedImm32(JSFunctionType)));
m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
+ m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), rareDataGPR);
m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
@@ -11446,6 +11447,7 @@
emitAllocateJSObject(resultGPR, JITAllocator::variable(), allocatorGPR, structureGPR, butterfly, mask, scratchGPR, slowPath);
m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
+ m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), rareDataGPR);
m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), inlineCapacityGPR);
m_jit.emitInitializeInlineStorage(resultGPR, inlineCapacityGPR);
m_jit.mutatorFence(*m_jit.vm());
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -121,7 +121,7 @@
explicit TrustedImmPtr(T* value)
: m_value(value)
{
- static_assert(!std::is_base_of<HeapCell, T>::value, "To use a GC pointer, the graph must be aware of it. Use SpeculativeJIT::TrustedImmPtr::weakPointer instead.");
+ static_assert(!std::is_base_of<JSCell, T>::value, "To use a GC pointer, the graph must be aware of it. Use SpeculativeJIT::TrustedImmPtr::weakPointer instead.");
}
explicit TrustedImmPtr(RegisteredStructure structure)
@@ -153,16 +153,17 @@
static TrustedImmPtr weakPointer(Graph& graph, JSCell* cell)
{
- // There are weird relationships in how optimized CodeBlocks
- // point to other CodeBlocks. We don't want to have them be
- // part of the weak pointer set. For example, an optimized CodeBlock
- // having a weak pointer to itself will cause it to get collected.
- ASSERT(!jsDynamicCast<CodeBlock*>(graph.m_vm, cell));
-
graph.m_plan.weakReferences.addLazily(cell);
return TrustedImmPtr(bitwise_cast<size_t>(cell));
}
+ template<typename Key>
+ static TrustedImmPtr weakPoisonedPointer(Graph& graph, JSCell* cell)
+ {
+ graph.m_plan.weakReferences.addLazily(cell);
+ return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());
+ }
+
operator MacroAssembler::TrustedImmPtr() const { return m_value; }
intptr_t asIntptr()
@@ -3044,7 +3045,7 @@
Edge valueUse, JITCompiler::JumpList& slowPathCases, bool isClamped = false);
void loadFromIntTypedArray(GPRReg baseReg, GPRReg storageReg, GPRReg propertyReg, GPRReg resultReg, TypedArrayType);
void setIntTypedArrayLoadResult(Node*, GPRReg resultReg, TypedArrayType, bool canSpeculate = false);
- template <typename ClassType> void compileNewFunctionCommon(GPRReg, RegisteredStructure, GPRReg, GPRReg, GPRReg, MacroAssembler::JumpList&, size_t, FunctionExecutable*, ptrdiff_t, ptrdiff_t, ptrdiff_t);
+ template <typename ClassType> void compileNewFunctionCommon(GPRReg, RegisteredStructure, GPRReg, GPRReg, GPRReg, MacroAssembler::JumpList&, size_t, FunctionExecutable*);
void compileNewFunction(Node*);
void compileSetFunctionName(Node*);
void compileNewRegexp(Node*);
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-02-14 06:57:32 UTC (rev 228460)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -4242,6 +4242,7 @@
GPRReg resultGPR = result.gpr();
speculateCellType(node->child1(), functionGPR, SpecFunction, JSFunctionType);
m_jit.loadPtr(JITCompiler::Address(functionGPR, JSFunction::offsetOfExecutable()), resultGPR);
+ m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), resultGPR);
cellResult(resultGPR, node);
break;
}
Modified: branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-02-14 06:57:32 UTC (rev 228460)
@@ -2931,7 +2931,10 @@
{
LValue cell = lowCell(m_node->child1());
speculateFunction(m_node->child1(), cell);
- setJSValue(m_out.loadPtr(cell, m_heaps.JSFunction_executable));
+ setJSValue(
+ m_out.bitXor(
+ m_out.loadPtr(cell, m_heaps.JSFunction_executable),
+ m_out.constIntPtr(JSFunctionPoison::key())));
}
void compileArrayify()
@@ -4856,7 +4859,7 @@
// We don't need memory barriers since we just fast-created the function, so it
// must be young.
m_out.storePtr(scope, fastObject, m_heaps.JSFunction_scope);
- m_out.storePtr(weakPointer(executable), fastObject, m_heaps.JSFunction_executable);
+ m_out.storePtr(weakPoisonedPointer<JSFunctionPoison>(executable), fastObject, m_heaps.JSFunction_executable);
m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.JSFunction_rareData);
mutatorFence();
@@ -15667,15 +15670,16 @@
LValue weakPointer(JSCell* pointer)
{
- // There are weird relationships in how optimized CodeBlocks
- // point to other CodeBlocks. We don't want to have them be
- // part of the weak pointer set. For example, an optimized CodeBlock
- // having a weak pointer to itself will cause it to get collected.
- RELEASE_ASSERT(!jsDynamicCast<CodeBlock*>(vm(), pointer));
-
addWeakReference(pointer);
return m_out.weakPointer(m_graph, pointer);
}
+
+ template<typename Key>
+ LValue weakPoisonedPointer(JSCell* pointer)
+ {
+ addWeakReference(pointer);
+ return m_out.weakPoisonedPointer<Key>(m_graph, pointer);
+ }
LValue frozenPointer(FrozenValue* value)
{
Modified: branches/safari-605-branch/Source/_javascript_Core/ftl/FTLOutput.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/ftl/FTLOutput.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/ftl/FTLOutput.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -111,18 +111,22 @@
{
ASSERT(graph.m_plan.weakReferences.contains(cell));
- if (sizeof(void*) == 8)
- return constInt64(bitwise_cast<intptr_t>(cell));
- return constInt32(bitwise_cast<intptr_t>(cell));
+ return constIntPtr(bitwise_cast<intptr_t>(cell));
}
+ template<typename Key>
+ LValue weakPoisonedPointer(DFG::Graph& graph, JSCell* cell)
+ {
+ ASSERT(graph.m_plan.weakReferences.contains(cell));
+
+ return constIntPtr(bitwise_cast<intptr_t>(cell) ^ Key::key());
+ }
+
LValue weakPointer(DFG::FrozenValue* value)
{
RELEASE_ASSERT(value->value().isCell());
- if (sizeof(void*) == 8)
- return constInt64(bitwise_cast<intptr_t>(value->cell()));
- return constInt32(bitwise_cast<intptr_t>(value->cell()));
+ return constIntPtr(bitwise_cast<intptr_t>(value->cell()));
}
template<typename T>
Modified: branches/safari-605-branch/Source/_javascript_Core/heap/MarkedSpace.cpp (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/heap/MarkedSpace.cpp 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/heap/MarkedSpace.cpp 2018-02-14 06:57:32 UTC (rev 228460)
@@ -141,7 +141,6 @@
// https://bugs.webkit.org/show_bug.cgi?id=179876
add(sizeof(UnlinkedFunctionCodeBlock));
add(sizeof(JSString));
- add(sizeof(JSFunction));
{
// Sort and deduplicate.
Modified: branches/safari-605-branch/Source/_javascript_Core/jit/JITOpcodes.cpp (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/jit/JITOpcodes.cpp 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/jit/JITOpcodes.cpp 2018-02-14 06:57:32 UTC (rev 228460)
@@ -767,6 +767,7 @@
addSlowCase(branch8(NotEqual, Address(calleeReg, JSCell::typeInfoTypeOffset()), TrustedImm32(JSFunctionType)));
loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
addSlowCase(branchTestPtr(Zero, rareDataReg));
+ xorPtr(TrustedImmPtr(JSFunctionPoison::key()), rareDataReg);
load32(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
addSlowCase(branch32(Equal, allocatorReg, TrustedImm32(Allocator().offset())));
@@ -782,6 +783,7 @@
emitAllocateJSObject(resultReg, JITAllocator::variable(), allocatorReg, structureReg, butterfly, mask, scratchReg, slowCases);
emitGetVirtualRegister(callee, scratchReg);
loadPtr(Address(scratchReg, JSFunction::offsetOfRareData()), scratchReg);
+ xorPtr(TrustedImmPtr(JSFunctionPoison::key()), scratchReg);
load32(Address(scratchReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), scratchReg);
emitInitializeInlineStorage(resultReg, scratchReg);
addSlowCase(slowCases);
Modified: branches/safari-605-branch/Source/_javascript_Core/jit/Repatch.cpp (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/jit/Repatch.cpp 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/jit/Repatch.cpp 2018-02-14 06:57:32 UTC (rev 228460)
@@ -936,6 +936,7 @@
stubJit.loadPtr(
CCallHelpers::Address(calleeGPR, JSFunction::offsetOfExecutable()),
scratchGPR);
+ stubJit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), scratchGPR);
comparisonValueGPR = scratchGPR;
} else
Modified: branches/safari-605-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp 2018-02-14 06:57:32 UTC (rev 228460)
@@ -204,6 +204,7 @@
jit.loadPtr(
CCallHelpers::Address(GPRInfo::regT0, JSFunction::offsetOfExecutable()),
GPRInfo::regT4);
+ jit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), GPRInfo::regT4);
jit.loadPtr(
CCallHelpers::Address(
GPRInfo::regT4, ExecutableBase::offsetOfJITCodeWithArityCheckFor(
@@ -292,6 +293,7 @@
jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, JSInterfaceJIT::regT1);
if (thunkFunctionType == ThunkFunctionType::JSFunction) {
jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSFunction::offsetOfExecutable()), JSInterfaceJIT::regT1);
+ jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), JSInterfaceJIT::regT1);
jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, executableOffsetToFunction));
} else
jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, InternalFunction::offsetOfNativeFunctionFor(kind)));
@@ -307,6 +309,7 @@
jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, X86Registers::esi);
if (thunkFunctionType == ThunkFunctionType::JSFunction) {
jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, JSFunction::offsetOfExecutable()), X86Registers::r9);
+ jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), X86Registers::r9);
jit.loadPtr(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction), X86Registers::r9);
} else
jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, InternalFunction::offsetOfNativeFunctionFor(kind)), X86Registers::r9);
@@ -326,6 +329,7 @@
jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, X86Registers::edx);
if (thunkFunctionType == ThunkFunctionType::JSFunction) {
jit.loadPtr(JSInterfaceJIT::Address(X86Registers::edx, JSFunction::offsetOfExecutable()), X86Registers::r9);
+ jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), X86Registers::r9);
jit.call(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction));
} else
jit.call(JSInterfaceJIT::Address(X86Registers::edx, InternalFunction::offsetOfNativeFunctionFor(kind)));
@@ -344,6 +348,7 @@
jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, ARM64Registers::x1);
if (thunkFunctionType == ThunkFunctionType::JSFunction) {
jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, JSFunction::offsetOfExecutable()), ARM64Registers::x2);
+ jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), ARM64Registers::x2);
jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction), ARM64Registers::x2);
} else
jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, InternalFunction::offsetOfNativeFunctionFor(kind)), ARM64Registers::x2);
@@ -364,6 +369,7 @@
jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, JSInterfaceJIT::argumentGPR1);
if (thunkFunctionType == ThunkFunctionType::JSFunction) {
jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::argumentGPR1, JSFunction::offsetOfExecutable()), JSInterfaceJIT::regT2);
+ jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), JSInterfaceJIT::regT2);
jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT2, executableOffsetToFunction));
} else
jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::argumentGPR1, InternalFunction::offsetOfNativeFunctionFor(kind)));
@@ -1164,6 +1170,7 @@
jit.loadPtr(
CCallHelpers::Address(GPRInfo::regT3, JSFunction::offsetOfExecutable()),
GPRInfo::regT0);
+ jit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), GPRInfo::regT0);
jit.loadPtr(
CCallHelpers::Address(
GPRInfo::regT0, ExecutableBase::offsetOfJITCodeWithArityCheckFor(CodeForCall)),
Modified: branches/safari-605-branch/Source/_javascript_Core/llint/LowLevelInterpreter.asm (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2018-02-14 06:57:32 UTC (rev 228460)
@@ -940,7 +940,7 @@
assert(macro (ok) bilt index, FirstConstantRegisterIndex, ok end)
end
-macro functionForCallCodeBlockGetter(targetRegister)
+macro functionForCallCodeBlockGetter(targetRegister, scratch)
if JSVALUE64
loadp Callee[cfr], targetRegister
else
@@ -947,11 +947,12 @@
loadp Callee + PayloadOffset[cfr], targetRegister
end
loadp JSFunction::m_executable[targetRegister], targetRegister
+ unpoison(_g_JSFunctionPoison, targetRegister, scratch)
loadp FunctionExecutable::m_codeBlockForCall[targetRegister], targetRegister
loadp ExecutableToCodeBlockEdge::m_codeBlock[targetRegister], targetRegister
end
-macro functionForConstructCodeBlockGetter(targetRegister)
+macro functionForConstructCodeBlockGetter(targetRegister, scratch)
if JSVALUE64
loadp Callee[cfr], targetRegister
else
@@ -958,11 +959,12 @@
loadp Callee + PayloadOffset[cfr], targetRegister
end
loadp JSFunction::m_executable[targetRegister], targetRegister
+ unpoison(_g_JSFunctionPoison, targetRegister, scratch)
loadp FunctionExecutable::m_codeBlockForConstruct[targetRegister], targetRegister
loadp ExecutableToCodeBlockEdge::m_codeBlock[targetRegister], targetRegister
end
-macro notFunctionCodeBlockGetter(targetRegister)
+macro notFunctionCodeBlockGetter(targetRegister, ignored)
loadp CodeBlock[cfr], targetRegister
end
@@ -985,7 +987,7 @@
callSlowPath(traceSlowPath)
addp maxFrameExtentForSlowPathCall, sp
end
- codeBlockGetter(t1)
+ codeBlockGetter(t1, t2)
if not C_LOOP
baddis 5, CodeBlock::m_llintExecuteCounter + BaselineExecutionCounter::m_counter[t1], .continue
if JSVALUE64
@@ -1014,7 +1016,7 @@
end
jmp r0
.recover:
- codeBlockGetter(t1)
+ codeBlockGetter(t1, t2)
.continue:
end
@@ -1055,7 +1057,7 @@
.stackHeightOKGetCodeBlock:
# Stack check slow path returned that the stack was ok.
# Since they were clobbered, need to get CodeBlock and new sp
- codeBlockGetter(t1)
+ codeBlockGetter(t1, t2)
getFrameRegisterSizeForCodeBlock(t1, t0)
subp cfr, t0, t0
Modified: branches/safari-605-branch/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2018-02-14 06:57:32 UTC (rev 228460)
@@ -2102,6 +2102,7 @@
move cfr, a0
loadp Callee[cfr], t1
loadp JSFunction::m_executable[t1], t1
+ unpoison(_g_JSFunctionPoison, t1, t2)
checkStackPointerAlignment(t3, 0xdead0001)
if C_LOOP
loadp _g_NativeCodePoison, t2
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSAsyncFunction.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSAsyncFunction.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSAsyncFunction.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2016 Caitlin Potter <ca...@igalia.com>.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -37,6 +38,12 @@
const static unsigned StructureFlags = Base::StructureFlags;
+ template<typename CellType>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return &vm.asyncFunctionSpace;
+ }
+
DECLARE_EXPORT_INFO;
static JSAsyncFunction* create(VM&, FunctionExecutable*, JSScope*);
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSAsyncGeneratorFunction.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSAsyncGeneratorFunction.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSAsyncGeneratorFunction.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2017 Oleksandr Skachkov <gskach...@gmail.com>.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -37,6 +38,12 @@
const static unsigned StructureFlags = Base::StructureFlags;
+ template<typename CellType>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return &vm.asyncGeneratorFunctionSpace;
+ }
+
DECLARE_EXPORT_INFO;
static JSAsyncGeneratorFunction* create(VM&, FunctionExecutable*, JSScope*);
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSBoundFunction.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSBoundFunction.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSBoundFunction.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -41,6 +41,12 @@
typedef JSFunction Base;
const static unsigned StructureFlags = ~ImplementsDefaultHasInstance & Base::StructureFlags;
+ template<typename CellType>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return &vm.boundFunctionSpace;
+ }
+
static JSBoundFunction* create(VM&, ExecState*, JSGlobalObject*, JSObject* targetFunction, JSValue boundThis, JSArray* boundArgs, int, const String& name);
static bool customHasInstance(JSObject*, ExecState*, JSValue);
@@ -69,6 +75,8 @@
void finishCreation(VM&, NativeExecutable*, int length);
+ // FIXME: Consider poisoning these pointers.
+ // https://bugs.webkit.org/show_bug.cgi?id=182713
WriteBarrier<JSObject> m_targetFunction;
WriteBarrier<Unknown> m_boundThis;
WriteBarrier<JSArray> m_boundArgs;
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSCPoison.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSCPoison.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSCPoison.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -39,6 +39,7 @@
v(JSAPIWrapperObject) \
v(JSArrayBuffer) \
v(JSCallbackObject) \
+ v(JSFunction) \
v(JSGlobalObject) \
v(JSScriptFetchParameters) \
v(JSScriptFetcher) \
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSCustomGetterSetterFunction.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSCustomGetterSetterFunction.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSCustomGetterSetterFunction.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -40,6 +40,12 @@
static const unsigned StructureFlags = Base::StructureFlags;
+ template<typename CellType>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return &vm.customGetterSetterFunctionSpace;
+ }
+
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
ASSERT(globalObject);
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSFunction.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSFunction.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSFunction.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2000 Harri Porten (por...@kde.org)
- * Copyright (C) 2003, 2006-2009, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2018 Apple Inc. All rights reserved.
* Copyright (C) 2007 Cameron Zwarich (cwzwar...@uwaterloo.ca)
* Copyright (C) 2007 Maks Orlovich
*
@@ -61,6 +61,13 @@
friend class InternalFunction;
public:
+
+ template<typename CellType>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return &vm.functionSpace;
+ }
+
typedef JSCallee Base;
const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
@@ -212,8 +219,11 @@
static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName);
static EncodedJSValue nameGetter(ExecState*, EncodedJSValue, PropertyName);
- WriteBarrier<ExecutableBase> m_executable;
- WriteBarrier<FunctionRareData> m_rareData;
+ template<typename T>
+ using PoisonedBarrier = PoisonedWriteBarrier<JSFunctionPoison, T>;
+
+ PoisonedBarrier<ExecutableBase> m_executable;
+ PoisonedBarrier<FunctionRareData> m_rareData;
};
} // namespace JSC
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSGeneratorFunction.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSGeneratorFunction.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSGeneratorFunction.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2015 Yusuke Suzuki <utatane....@gmail.com>.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -66,6 +67,12 @@
const static unsigned StructureFlags = Base::StructureFlags;
+ template<typename CellType>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return &vm.generatorFunctionSpace;
+ }
+
DECLARE_EXPORT_INFO;
static JSGeneratorFunction* create(VM&, FunctionExecutable*, JSScope*);
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSNativeStdFunction.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSNativeStdFunction.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSNativeStdFunction.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -40,6 +40,12 @@
const static unsigned StructureFlags = Base::StructureFlags;
+ template<typename CellType>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return &vm.nativeStdFunctionSpace;
+ }
+
DECLARE_EXPORT_INFO;
JS_EXPORT_PRIVATE static JSNativeStdFunction* create(VM&, JSGlobalObject*, int length, const String& name, NativeStdFunction&&, Intrinsic = NoIntrinsic, NativeFunction nativeConstructor = callHostFunctionAsConstructor);
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/VM.cpp (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/VM.cpp 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/VM.cpp 2018-02-14 06:57:32 UTC (rev 228460)
@@ -68,8 +68,11 @@
#include "JITWorklist.h"
#include "JSAPIValueWrapper.h"
#include "JSArray.h"
+#include "JSAsyncFunction.h"
#include "JSBigInt.h"
+#include "JSBoundFunction.h"
#include "JSCInlines.h"
+#include "JSCustomGetterSetterFunction.h"
#include "JSDestructibleObjectHeapCellType.h"
#include "JSFixedArray.h"
#include "JSFunction.h"
@@ -131,6 +134,8 @@
#include "WasmWorklist.h"
#include "Watchdog.h"
#include "WeakGCMapInlines.h"
+#include "WebAssemblyFunction.h"
+#include "WebAssemblyWrapperFunction.h"
#include <wtf/CurrentTime.h>
#include <wtf/ProcessID.h>
#include <wtf/ReadWriteLock.h>
@@ -250,14 +255,21 @@
#if ENABLE(WEBASSEMBLY)
, webAssemblyCodeBlockSpace("JSWebAssemblyCodeBlockSpace", heap, webAssemblyCodeBlockHeapCellType.get(), fastMallocAllocator.get())
#endif
+ , asyncFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSAsyncFunction)
+ , asyncGeneratorFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSAsyncGeneratorFunction)
+ , boundFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSBoundFunction)
+ , customGetterSetterFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSCustomGetterSetterFunction)
, directEvalExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), DirectEvalExecutable)
, executableToCodeBlockEdgeSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), ExecutableToCodeBlockEdge)
, functionExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), FunctionExecutable)
+ , functionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSFunction)
+ , generatorFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSGeneratorFunction)
, indirectEvalExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), IndirectEvalExecutable)
, inferredTypeSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), InferredType)
, inferredValueSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), InferredValue)
, moduleProgramExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), ModuleProgramExecutable)
, nativeExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), NativeExecutable)
+ , nativeStdFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSNativeStdFunction)
, programExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), ProgramExecutable)
, propertyTableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), PropertyTable)
, structureRareDataSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), StructureRareData)
@@ -264,6 +276,10 @@
, structureSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), Structure)
, weakSetSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), JSWeakSet)
, weakMapSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), JSWeakMap)
+#if ENABLE(WEBASSEMBLY)
+ , webAssemblyFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), WebAssemblyFunction)
+ , webAssemblyWrapperFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), WebAssemblyWrapperFunction)
+#endif
, executableToCodeBlockEdgesWithConstraints(executableToCodeBlockEdgeSpace)
, executableToCodeBlockEdgesWithFinalizers(executableToCodeBlockEdgeSpace)
, inferredTypesWithFinalizers(inferredTypeSpace)
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/VM.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/VM.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/VM.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -339,14 +339,21 @@
CompleteSubspace webAssemblyCodeBlockSpace;
#endif
+ IsoSubspace asyncFunctionSpace;
+ IsoSubspace asyncGeneratorFunctionSpace;
+ IsoSubspace boundFunctionSpace;
+ IsoSubspace customGetterSetterFunctionSpace;
IsoSubspace directEvalExecutableSpace;
IsoSubspace executableToCodeBlockEdgeSpace;
IsoSubspace functionExecutableSpace;
+ IsoSubspace functionSpace;
+ IsoSubspace generatorFunctionSpace;
IsoSubspace indirectEvalExecutableSpace;
IsoSubspace inferredTypeSpace;
IsoSubspace inferredValueSpace;
IsoSubspace moduleProgramExecutableSpace;
IsoSubspace nativeExecutableSpace;
+ IsoSubspace nativeStdFunctionSpace;
IsoSubspace programExecutableSpace;
IsoSubspace propertyTableSpace;
IsoSubspace structureRareDataSpace;
@@ -353,6 +360,10 @@
IsoSubspace structureSpace;
IsoSubspace weakSetSpace;
IsoSubspace weakMapSpace;
+#if ENABLE(WEBASSEMBLY)
+ IsoSubspace webAssemblyFunctionSpace;
+ IsoSubspace webAssemblyWrapperFunctionSpace;
+#endif
IsoCellSet executableToCodeBlockEdgesWithConstraints;
IsoCellSet executableToCodeBlockEdgesWithFinalizers;
Modified: branches/safari-605-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -48,6 +48,12 @@
const static unsigned StructureFlags = Base::StructureFlags | TypeOfShouldCallGetCallData;
+ template<typename CellType>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return &vm.webAssemblyFunctionSpace;
+ }
+
DECLARE_EXPORT_INFO;
JS_EXPORT_PRIVATE static WebAssemblyFunction* create(VM&, JSGlobalObject*, unsigned, const String&, JSWebAssemblyInstance*, Wasm::Callee& jsEntrypoint, Wasm::WasmEntrypointLoadLocation, Wasm::SignatureIndex);
Modified: branches/safari-605-branch/Source/_javascript_Core/wasm/js/WebAssemblyWrapperFunction.h (228459 => 228460)
--- branches/safari-605-branch/Source/_javascript_Core/wasm/js/WebAssemblyWrapperFunction.h 2018-02-14 06:05:38 UTC (rev 228459)
+++ branches/safari-605-branch/Source/_javascript_Core/wasm/js/WebAssemblyWrapperFunction.h 2018-02-14 06:57:32 UTC (rev 228460)
@@ -38,6 +38,12 @@
const static unsigned StructureFlags = Base::StructureFlags;
+ template<typename CellType>
+ static IsoSubspace* subspaceFor(VM& vm)
+ {
+ return &vm.webAssemblyWrapperFunctionSpace;
+ }
+
DECLARE_INFO;
static WebAssemblyWrapperFunction* create(VM&, JSGlobalObject*, JSObject*, unsigned importIndex, JSWebAssemblyInstance*, Wasm::SignatureIndex);
