Title: [228420] trunk/Source/_javascript_Core
Revision
228420
Author
fpi...@apple.com
Date
2018-02-13 09:02:45 -0800 (Tue, 13 Feb 2018)

Log Message

Lock down JSFunction
https://bugs.webkit.org/show_bug.cgi?id=182652

Reviewed by Saam Barati.
        
This poisons pointers in JSFunction and puts all of the types in the JSFunction hierarchy in
isospaces.
        
This is so neutral on JetStream: 0.01% slower with p = 0.969211.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileNewFunction):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::weakPointer):
(JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer):
* ftl/FTLOutput.h:
(JSC::FTL::Output::weakPointer):
(JSC::FTL::Output::weakPoisonedPointer):
* heap/MarkedSpace.cpp:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_this):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSAsyncFunction.h:
(JSC::JSAsyncFunction::subspaceFor):
* runtime/JSAsyncGeneratorFunction.h:
(JSC::JSAsyncGeneratorFunction::subspaceFor):
* runtime/JSBoundFunction.h:
(JSC::JSBoundFunction::subspaceFor):
* runtime/JSCPoison.h:
* runtime/JSCustomGetterSetterFunction.h:
(JSC::JSCustomGetterSetterFunction::subspaceFor):
* runtime/JSFunction.h:
(JSC::JSFunction::subspaceFor):
* runtime/JSGeneratorFunction.h:
(JSC::JSGeneratorFunction::subspaceFor):
* runtime/JSNativeStdFunction.h:
(JSC::JSNativeStdFunction::subspaceFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/js/WebAssemblyFunction.h:
* wasm/js/WebAssemblyWrapperFunction.h:

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (228419 => 228420)


--- trunk/Source/_javascript_Core/ChangeLog	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-02-13 17:02:45 UTC (rev 228420)
@@ -1,3 +1,63 @@
+2018-02-10  Filip Pizlo  <fpi...@apple.com>
+
+        Lock down JSFunction
+        https://bugs.webkit.org/show_bug.cgi?id=182652
+
+        Reviewed by Saam Barati.
+        
+        This poisons pointers in JSFunction and puts all of the types in the JSFunction hierarchy in
+        isospaces.
+        
+        This is so neutral on JetStream: 0.01% slower with p = 0.969211.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+        (JSC::DFG::SpeculativeJIT::compileNewFunction):
+        (JSC::DFG::SpeculativeJIT::compileCreateThis):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
+        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
+        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+        (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
+        (JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer):
+        * ftl/FTLOutput.h:
+        (JSC::FTL::Output::weakPointer):
+        (JSC::FTL::Output::weakPoisonedPointer):
+        * heap/MarkedSpace.cpp:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_create_this):
+        * jit/ThunkGenerators.cpp:
+        (JSC::virtualThunkFor):
+        (JSC::nativeForGenerator):
+        (JSC::boundThisNoArgsFunctionCallGenerator):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/JSAsyncFunction.h:
+        (JSC::JSAsyncFunction::subspaceFor):
+        * runtime/JSAsyncGeneratorFunction.h:
+        (JSC::JSAsyncGeneratorFunction::subspaceFor):
+        * runtime/JSBoundFunction.h:
+        (JSC::JSBoundFunction::subspaceFor):
+        * runtime/JSCPoison.h:
+        * runtime/JSCustomGetterSetterFunction.h:
+        (JSC::JSCustomGetterSetterFunction::subspaceFor):
+        * runtime/JSFunction.h:
+        (JSC::JSFunction::subspaceFor):
+        * runtime/JSGeneratorFunction.h:
+        (JSC::JSGeneratorFunction::subspaceFor):
+        * runtime/JSNativeStdFunction.h:
+        (JSC::JSNativeStdFunction::subspaceFor):
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+        * wasm/js/WebAssemblyFunction.h:
+        * wasm/js/WebAssemblyWrapperFunction.h:
+
 2018-02-12  Saam Barati  <sbar...@apple.com>
 
         Add a GetIndexMask node and make it an input to GetByVal for array and typed array accesses in DFG SSA

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (228419 => 228420)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2018-02-13 17:02:45 UTC (rev 228420)
@@ -6718,15 +6718,15 @@
 }
 
 template <typename ClassType>
-void SpeculativeJIT::compileNewFunctionCommon(GPRReg resultGPR, RegisteredStructure structure, GPRReg scratch1GPR, GPRReg scratch2GPR, GPRReg scopeGPR, MacroAssembler::JumpList& slowPath, size_t size, FunctionExecutable* executable, ptrdiff_t offsetOfScopeChain, ptrdiff_t offsetOfExecutable, ptrdiff_t offsetOfRareData)
+void SpeculativeJIT::compileNewFunctionCommon(GPRReg resultGPR, RegisteredStructure structure, GPRReg scratch1GPR, GPRReg scratch2GPR, GPRReg scopeGPR, MacroAssembler::JumpList& slowPath, size_t size, FunctionExecutable* executable)
 {
     auto butterfly = TrustedImmPtr(nullptr);
     auto mask = TrustedImm32(0);
     emitAllocateJSObjectWithKnownSize<ClassType>(resultGPR, TrustedImmPtr(structure), butterfly, mask, scratch1GPR, scratch2GPR, slowPath, size);
     
-    m_jit.storePtr(scopeGPR, JITCompiler::Address(resultGPR, offsetOfScopeChain));
-    m_jit.storePtr(TrustedImmPtr::weakPointer(m_jit.graph(), executable), JITCompiler::Address(resultGPR, offsetOfExecutable));
-    m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(resultGPR, offsetOfRareData));
+    m_jit.storePtr(scopeGPR, JITCompiler::Address(resultGPR, JSFunction::offsetOfScopeChain()));
+    m_jit.storePtr(TrustedImmPtr::weakPoisonedPointer<JSFunctionPoison>(m_jit.graph(), executable), JITCompiler::Address(resultGPR, JSFunction::offsetOfExecutable()));
+    m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(resultGPR, JSFunction::offsetOfRareData()));
     
     m_jit.mutatorFence(*m_jit.vm());
 }
@@ -6788,25 +6788,25 @@
     JITCompiler::JumpList slowPath;
     
     if (nodeType == NewFunction) {
-        compileNewFunctionCommon<JSFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSFunction::allocationSize(0), executable, JSFunction::offsetOfScopeChain(), JSFunction::offsetOfExecutable(), JSFunction::offsetOfRareData());
+        compileNewFunctionCommon<JSFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSFunction::allocationSize(0), executable);
             
         addSlowPathGenerator(slowPathCall(slowPath, this, operationNewFunctionWithInvalidatedReallocationWatchpoint, resultGPR, scopeGPR, executable));
     }
 
     if (nodeType == NewGeneratorFunction) {
-        compileNewFunctionCommon<JSGeneratorFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSGeneratorFunction::allocationSize(0), executable, JSGeneratorFunction::offsetOfScopeChain(), JSGeneratorFunction::offsetOfExecutable(), JSGeneratorFunction::offsetOfRareData());
+        compileNewFunctionCommon<JSGeneratorFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSGeneratorFunction::allocationSize(0), executable);
 
         addSlowPathGenerator(slowPathCall(slowPath, this, operationNewGeneratorFunctionWithInvalidatedReallocationWatchpoint, resultGPR, scopeGPR, executable));
     }
 
     if (nodeType == NewAsyncFunction) {
-        compileNewFunctionCommon<JSAsyncFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSAsyncFunction::allocationSize(0), executable, JSAsyncFunction::offsetOfScopeChain(), JSAsyncFunction::offsetOfExecutable(), JSAsyncFunction::offsetOfRareData());
+        compileNewFunctionCommon<JSAsyncFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSAsyncFunction::allocationSize(0), executable);
 
         addSlowPathGenerator(slowPathCall(slowPath, this, operationNewAsyncFunctionWithInvalidatedReallocationWatchpoint, resultGPR, scopeGPR, executable));
     }
 
     if (nodeType == NewAsyncGeneratorFunction) {
-        compileNewFunctionCommon<JSAsyncGeneratorFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSAsyncGeneratorFunction::allocationSize(0), executable, JSAsyncGeneratorFunction::offsetOfScopeChain(), JSAsyncGeneratorFunction::offsetOfExecutable(), JSAsyncGeneratorFunction::offsetOfRareData());
+        compileNewFunctionCommon<JSAsyncGeneratorFunction>(resultGPR, structure, scratch1GPR, scratch2GPR, scopeGPR, slowPath, JSAsyncGeneratorFunction::allocationSize(0), executable);
         
         addSlowPathGenerator(slowPathCall(slowPath, this, operationNewAsyncGeneratorFunctionWithInvalidatedReallocationWatchpoint, resultGPR, scopeGPR, executable));
     }
@@ -11485,6 +11485,7 @@
         JITCompiler::Address(calleeGPR, JSCell::typeInfoTypeOffset()), TrustedImm32(JSFunctionType)));
     m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
     slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
+    m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), rareDataGPR);
     m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
     m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
 
@@ -11495,6 +11496,7 @@
     emitAllocateJSObject(resultGPR, JITAllocator::variable(), allocatorGPR, structureGPR, butterfly, mask, scratchGPR, slowPath);
 
     m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
+    m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), rareDataGPR);
     m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), inlineCapacityGPR);
     m_jit.emitInitializeInlineStorage(resultGPR, inlineCapacityGPR);
     m_jit.mutatorFence(*m_jit.vm());

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (228419 => 228420)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -121,7 +121,7 @@
         explicit TrustedImmPtr(T* value)
             : m_value(value)
         {
-            static_assert(!std::is_base_of<HeapCell, T>::value, "To use a GC pointer, the graph must be aware of it. Use SpeculativeJIT::TrustedImmPtr::weakPointer instead.");
+            static_assert(!std::is_base_of<JSCell, T>::value, "To use a GC pointer, the graph must be aware of it. Use SpeculativeJIT::TrustedImmPtr::weakPointer instead.");
         }
 
         explicit TrustedImmPtr(RegisteredStructure structure)
@@ -153,16 +153,17 @@
 
         static TrustedImmPtr weakPointer(Graph& graph, JSCell* cell)
         {     
-            // There are weird relationships in how optimized CodeBlocks
-            // point to other CodeBlocks. We don't want to have them be
-            // part of the weak pointer set. For example, an optimized CodeBlock
-            // having a weak pointer to itself will cause it to get collected.
-            ASSERT(!jsDynamicCast<CodeBlock*>(graph.m_vm, cell));
-
             graph.m_plan.weakReferences.addLazily(cell);
             return TrustedImmPtr(bitwise_cast<size_t>(cell));
         }
 
+        template<typename Key>
+        static TrustedImmPtr weakPoisonedPointer(Graph& graph, JSCell* cell)
+        {     
+            graph.m_plan.weakReferences.addLazily(cell);
+            return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());
+        }
+
         operator MacroAssembler::TrustedImmPtr() const { return m_value; }
 
         intptr_t asIntptr()
@@ -3081,7 +3082,7 @@
         Edge valueUse, JITCompiler::JumpList& slowPathCases, bool isClamped = false);
     void loadFromIntTypedArray(GPRReg baseReg, GPRReg storageReg, GPRReg propertyReg, GPRReg resultReg, TypedArrayType);
     void setIntTypedArrayLoadResult(Node*, GPRReg resultReg, TypedArrayType, bool canSpeculate = false);
-    template <typename ClassType> void compileNewFunctionCommon(GPRReg, RegisteredStructure, GPRReg, GPRReg, GPRReg, MacroAssembler::JumpList&, size_t, FunctionExecutable*, ptrdiff_t, ptrdiff_t, ptrdiff_t);
+    template <typename ClassType> void compileNewFunctionCommon(GPRReg, RegisteredStructure, GPRReg, GPRReg, GPRReg, MacroAssembler::JumpList&, size_t, FunctionExecutable*);
     void compileNewFunction(Node*);
     void compileSetFunctionName(Node*);
     void compileNewRegexp(Node*);

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (228419 => 228420)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2018-02-13 17:02:45 UTC (rev 228420)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -4252,6 +4252,7 @@
         GPRReg resultGPR = result.gpr();
         speculateCellType(node->child1(), functionGPR, SpecFunction, JSFunctionType);
         m_jit.loadPtr(JITCompiler::Address(functionGPR, JSFunction::offsetOfExecutable()), resultGPR);
+        m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), resultGPR);
         cellResult(resultGPR, node);
         break;
     }

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (228419 => 228420)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-02-13 17:02:45 UTC (rev 228420)
@@ -2944,7 +2944,10 @@
     {
         LValue cell = lowCell(m_node->child1());
         speculateFunction(m_node->child1(), cell);
-        setJSValue(m_out.loadPtr(cell, m_heaps.JSFunction_executable));
+        setJSValue(
+            m_out.bitXor(
+                m_out.loadPtr(cell, m_heaps.JSFunction_executable),
+                m_out.constIntPtr(JSFunctionPoison::key())));
     }
     
     void compileArrayify()
@@ -4869,7 +4872,7 @@
         // We don't need memory barriers since we just fast-created the function, so it
         // must be young.
         m_out.storePtr(scope, fastObject, m_heaps.JSFunction_scope);
-        m_out.storePtr(weakPointer(executable), fastObject, m_heaps.JSFunction_executable);
+        m_out.storePtr(weakPoisonedPointer<JSFunctionPoison>(executable), fastObject, m_heaps.JSFunction_executable);
         m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.JSFunction_rareData);
         
         mutatorFence();
@@ -15725,15 +15728,16 @@
 
     LValue weakPointer(JSCell* pointer)
     {
-        // There are weird relationships in how optimized CodeBlocks
-        // point to other CodeBlocks. We don't want to have them be
-        // part of the weak pointer set. For example, an optimized CodeBlock
-        // having a weak pointer to itself will cause it to get collected.
-        RELEASE_ASSERT(!jsDynamicCast<CodeBlock*>(vm(), pointer));
-
         addWeakReference(pointer);
         return m_out.weakPointer(m_graph, pointer);
     }
+    
+    template<typename Key>
+    LValue weakPoisonedPointer(JSCell* pointer)
+    {
+        addWeakReference(pointer);
+        return m_out.weakPoisonedPointer<Key>(m_graph, pointer);
+    }
 
     LValue frozenPointer(FrozenValue* value)
     {

Modified: trunk/Source/_javascript_Core/ftl/FTLOutput.h (228419 => 228420)


--- trunk/Source/_javascript_Core/ftl/FTLOutput.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/ftl/FTLOutput.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -111,18 +111,22 @@
     {
         ASSERT(graph.m_plan.weakReferences.contains(cell));
 
-        if (sizeof(void*) == 8)
-            return constInt64(bitwise_cast<intptr_t>(cell));
-        return constInt32(bitwise_cast<intptr_t>(cell));
+        return constIntPtr(bitwise_cast<intptr_t>(cell));
     }
 
+    template<typename Key>
+    LValue weakPoisonedPointer(DFG::Graph& graph, JSCell* cell)
+    {
+        ASSERT(graph.m_plan.weakReferences.contains(cell));
+
+        return constIntPtr(bitwise_cast<intptr_t>(cell) ^ Key::key());
+    }
+
     LValue weakPointer(DFG::FrozenValue* value)
     {
         RELEASE_ASSERT(value->value().isCell());
 
-        if (sizeof(void*) == 8)
-            return constInt64(bitwise_cast<intptr_t>(value->cell()));
-        return constInt32(bitwise_cast<intptr_t>(value->cell()));
+        return constIntPtr(bitwise_cast<intptr_t>(value->cell()));
     }
 
     template<typename T>

Modified: trunk/Source/_javascript_Core/heap/MarkedSpace.cpp (228419 => 228420)


--- trunk/Source/_javascript_Core/heap/MarkedSpace.cpp	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/heap/MarkedSpace.cpp	2018-02-13 17:02:45 UTC (rev 228420)
@@ -141,7 +141,6 @@
             // https://bugs.webkit.org/show_bug.cgi?id=179876
             add(sizeof(UnlinkedFunctionCodeBlock));
             add(sizeof(JSString));
-            add(sizeof(JSFunction));
 
             {
                 // Sort and deduplicate.

Modified: trunk/Source/_javascript_Core/jit/JITOpcodes.cpp (228419 => 228420)


--- trunk/Source/_javascript_Core/jit/JITOpcodes.cpp	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes.cpp	2018-02-13 17:02:45 UTC (rev 228420)
@@ -767,6 +767,7 @@
     addSlowCase(branch8(NotEqual, Address(calleeReg, JSCell::typeInfoTypeOffset()), TrustedImm32(JSFunctionType)));
     loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
     addSlowCase(branchTestPtr(Zero, rareDataReg));
+    xorPtr(TrustedImmPtr(JSFunctionPoison::key()), rareDataReg);
     load32(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
     addSlowCase(branch32(Equal, allocatorReg, TrustedImm32(Allocator().offset())));
@@ -782,6 +783,7 @@
     emitAllocateJSObject(resultReg, JITAllocator::variable(), allocatorReg, structureReg, butterfly, mask, scratchReg, slowCases);
     emitGetVirtualRegister(callee, scratchReg);
     loadPtr(Address(scratchReg, JSFunction::offsetOfRareData()), scratchReg);
+    xorPtr(TrustedImmPtr(JSFunctionPoison::key()), scratchReg);
     load32(Address(scratchReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), scratchReg);
     emitInitializeInlineStorage(resultReg, scratchReg);
     addSlowCase(slowCases);

Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (228419 => 228420)


--- trunk/Source/_javascript_Core/jit/Repatch.cpp	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp	2018-02-13 17:02:45 UTC (rev 228420)
@@ -936,6 +936,7 @@
         stubJit.loadPtr(
             CCallHelpers::Address(calleeGPR, JSFunction::offsetOfExecutable()),
             scratchGPR);
+        stubJit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), scratchGPR);
         
         comparisonValueGPR = scratchGPR;
     } else

Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (228419 => 228420)


--- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp	2018-02-13 17:02:45 UTC (rev 228420)
@@ -204,6 +204,7 @@
     jit.loadPtr(
         CCallHelpers::Address(GPRInfo::regT0, JSFunction::offsetOfExecutable()),
         GPRInfo::regT4);
+    jit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), GPRInfo::regT4);
     jit.loadPtr(
         CCallHelpers::Address(
             GPRInfo::regT4, ExecutableBase::offsetOfJITCodeWithArityCheckFor(
@@ -292,6 +293,7 @@
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, JSInterfaceJIT::regT1);
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSFunction::offsetOfExecutable()), JSInterfaceJIT::regT1);
+        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), JSInterfaceJIT::regT1);
         jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, executableOffsetToFunction));
     } else
         jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, InternalFunction::offsetOfNativeFunctionFor(kind)));
@@ -307,6 +309,7 @@
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, X86Registers::esi);
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, JSFunction::offsetOfExecutable()), X86Registers::r9);
+        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), X86Registers::r9);
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction), X86Registers::r9);
     } else
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, InternalFunction::offsetOfNativeFunctionFor(kind)), X86Registers::r9);
@@ -326,6 +329,7 @@
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, X86Registers::edx);
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::edx, JSFunction::offsetOfExecutable()), X86Registers::r9);
+        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), X86Registers::r9);
         jit.call(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction));
     } else
         jit.call(JSInterfaceJIT::Address(X86Registers::edx, InternalFunction::offsetOfNativeFunctionFor(kind)));
@@ -344,6 +348,7 @@
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, ARM64Registers::x1);
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, JSFunction::offsetOfExecutable()), ARM64Registers::x2);
+        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), ARM64Registers::x2);
         jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction), ARM64Registers::x2);
     } else
         jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, InternalFunction::offsetOfNativeFunctionFor(kind)), ARM64Registers::x2);
@@ -364,6 +369,7 @@
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, JSInterfaceJIT::argumentGPR1);
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::argumentGPR1, JSFunction::offsetOfExecutable()), JSInterfaceJIT::regT2);
+        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), JSInterfaceJIT::regT2);
         jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT2, executableOffsetToFunction));
     } else
         jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::argumentGPR1, InternalFunction::offsetOfNativeFunctionFor(kind)));
@@ -1164,6 +1170,7 @@
     jit.loadPtr(
         CCallHelpers::Address(GPRInfo::regT3, JSFunction::offsetOfExecutable()),
         GPRInfo::regT0);
+    jit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), GPRInfo::regT0);
     jit.loadPtr(
         CCallHelpers::Address(
             GPRInfo::regT0, ExecutableBase::offsetOfJITCodeWithArityCheckFor(CodeForCall)),

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (228419 => 228420)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm	2018-02-13 17:02:45 UTC (rev 228420)
@@ -940,7 +940,7 @@
     assert(macro (ok) bilt index, FirstConstantRegisterIndex, ok end)
 end
 
-macro functionForCallCodeBlockGetter(targetRegister)
+macro functionForCallCodeBlockGetter(targetRegister, scratch)
     if JSVALUE64
         loadp Callee[cfr], targetRegister
     else
@@ -947,11 +947,12 @@
         loadp Callee + PayloadOffset[cfr], targetRegister
     end
     loadp JSFunction::m_executable[targetRegister], targetRegister
+    unpoison(_g_JSFunctionPoison, targetRegister, scratch)
     loadp FunctionExecutable::m_codeBlockForCall[targetRegister], targetRegister
     loadp ExecutableToCodeBlockEdge::m_codeBlock[targetRegister], targetRegister
 end
 
-macro functionForConstructCodeBlockGetter(targetRegister)
+macro functionForConstructCodeBlockGetter(targetRegister, scratch)
     if JSVALUE64
         loadp Callee[cfr], targetRegister
     else
@@ -958,11 +959,12 @@
         loadp Callee + PayloadOffset[cfr], targetRegister
     end
     loadp JSFunction::m_executable[targetRegister], targetRegister
+    unpoison(_g_JSFunctionPoison, targetRegister, scratch)
     loadp FunctionExecutable::m_codeBlockForConstruct[targetRegister], targetRegister
     loadp ExecutableToCodeBlockEdge::m_codeBlock[targetRegister], targetRegister
 end
 
-macro notFunctionCodeBlockGetter(targetRegister)
+macro notFunctionCodeBlockGetter(targetRegister, ignored)
     loadp CodeBlock[cfr], targetRegister
 end
 
@@ -985,7 +987,7 @@
         callSlowPath(traceSlowPath)
         addp maxFrameExtentForSlowPathCall, sp
     end
-    codeBlockGetter(t1)
+    codeBlockGetter(t1, t2)
     if not C_LOOP
         baddis 5, CodeBlock::m_llintExecuteCounter + BaselineExecutionCounter::m_counter[t1], .continue
         if JSVALUE64
@@ -1014,7 +1016,7 @@
         end
         jmp r0
     .recover:
-        codeBlockGetter(t1)
+        codeBlockGetter(t1, t2)
     .continue:
     end
 
@@ -1055,7 +1057,7 @@
 .stackHeightOKGetCodeBlock:
     # Stack check slow path returned that the stack was ok.
     # Since they were clobbered, need to get CodeBlock and new sp
-    codeBlockGetter(t1)
+    codeBlockGetter(t1, t2)
     getFrameRegisterSizeForCodeBlock(t1, t0)
     subp cfr, t0, t0
 

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (228419 => 228420)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2018-02-13 17:02:45 UTC (rev 228420)
@@ -2102,6 +2102,7 @@
     move cfr, a0
     loadp Callee[cfr], t1
     loadp JSFunction::m_executable[t1], t1
+    unpoison(_g_JSFunctionPoison, t1, t2)
     checkStackPointerAlignment(t3, 0xdead0001)
     if C_LOOP
         loadp _g_NativeCodePoison, t2

Modified: trunk/Source/_javascript_Core/runtime/JSAsyncFunction.h (228419 => 228420)


--- trunk/Source/_javascript_Core/runtime/JSAsyncFunction.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/runtime/JSAsyncFunction.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2016 Caitlin Potter <ca...@igalia.com>.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -37,6 +38,12 @@
 
     const static unsigned StructureFlags = Base::StructureFlags;
 
+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.asyncFunctionSpace;
+    }
+
     DECLARE_EXPORT_INFO;
 
     static JSAsyncFunction* create(VM&, FunctionExecutable*, JSScope*);

Modified: trunk/Source/_javascript_Core/runtime/JSAsyncGeneratorFunction.h (228419 => 228420)


--- trunk/Source/_javascript_Core/runtime/JSAsyncGeneratorFunction.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/runtime/JSAsyncGeneratorFunction.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2017 Oleksandr Skachkov <gskach...@gmail.com>.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -37,6 +38,12 @@
 
     const static unsigned StructureFlags = Base::StructureFlags;
 
+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.asyncGeneratorFunctionSpace;
+    }
+
     DECLARE_EXPORT_INFO;
 
     static JSAsyncGeneratorFunction* create(VM&, FunctionExecutable*, JSScope*);

Modified: trunk/Source/_javascript_Core/runtime/JSBoundFunction.h (228419 => 228420)


--- trunk/Source/_javascript_Core/runtime/JSBoundFunction.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/runtime/JSBoundFunction.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -41,6 +41,12 @@
     typedef JSFunction Base;
     const static unsigned StructureFlags = ~ImplementsDefaultHasInstance & Base::StructureFlags;
 
+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.boundFunctionSpace;
+    }
+
     static JSBoundFunction* create(VM&, ExecState*, JSGlobalObject*, JSObject* targetFunction, JSValue boundThis, JSArray* boundArgs, int, const String& name);
     
     static bool customHasInstance(JSObject*, ExecState*, JSValue);
@@ -69,6 +75,8 @@
     
     void finishCreation(VM&, NativeExecutable*, int length);
 
+    // FIXME: Consider poisoning these pointers.
+    // https://bugs.webkit.org/show_bug.cgi?id=182713
     WriteBarrier<JSObject> m_targetFunction;
     WriteBarrier<Unknown> m_boundThis;
     WriteBarrier<JSArray> m_boundArgs;

Modified: trunk/Source/_javascript_Core/runtime/JSCPoison.h (228419 => 228420)


--- trunk/Source/_javascript_Core/runtime/JSCPoison.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/runtime/JSCPoison.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -39,6 +39,7 @@
     v(JSAPIWrapperObject) \
     v(JSArrayBuffer) \
     v(JSCallbackObject) \
+    v(JSFunction) \
     v(JSGlobalObject) \
     v(JSScriptFetchParameters) \
     v(JSScriptFetcher) \

Modified: trunk/Source/_javascript_Core/runtime/JSCustomGetterSetterFunction.h (228419 => 228420)


--- trunk/Source/_javascript_Core/runtime/JSCustomGetterSetterFunction.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/runtime/JSCustomGetterSetterFunction.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -40,6 +40,12 @@
 
     static const unsigned StructureFlags = Base::StructureFlags;
 
+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.customGetterSetterFunctionSpace;
+    }
+
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     {
         ASSERT(globalObject);

Modified: trunk/Source/_javascript_Core/runtime/JSFunction.h (228419 => 228420)


--- trunk/Source/_javascript_Core/runtime/JSFunction.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (por...@kde.org)
- *  Copyright (C) 2003, 2006-2009, 2015-2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwar...@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
  *
@@ -61,6 +61,13 @@
     friend class InternalFunction;
 
 public:
+    
+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.functionSpace;
+    }
+    
     typedef JSCallee Base;
     const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
 
@@ -212,8 +219,11 @@
     static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName);
     static EncodedJSValue nameGetter(ExecState*, EncodedJSValue, PropertyName);
 
-    WriteBarrier<ExecutableBase> m_executable;
-    WriteBarrier<FunctionRareData> m_rareData;
+    template<typename T>
+    using PoisonedBarrier = PoisonedWriteBarrier<JSFunctionPoison, T>;
+    
+    PoisonedBarrier<ExecutableBase> m_executable;
+    PoisonedBarrier<FunctionRareData> m_rareData;
 };
 
 } // namespace JSC

Modified: trunk/Source/_javascript_Core/runtime/JSGeneratorFunction.h (228419 => 228420)


--- trunk/Source/_javascript_Core/runtime/JSGeneratorFunction.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/runtime/JSGeneratorFunction.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2015 Yusuke Suzuki <utatane....@gmail.com>.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -66,6 +67,12 @@
 
     const static unsigned StructureFlags = Base::StructureFlags;
 
+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.generatorFunctionSpace;
+    }
+
     DECLARE_EXPORT_INFO;
 
     static JSGeneratorFunction* create(VM&, FunctionExecutable*, JSScope*);

Modified: trunk/Source/_javascript_Core/runtime/JSNativeStdFunction.h (228419 => 228420)


--- trunk/Source/_javascript_Core/runtime/JSNativeStdFunction.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/runtime/JSNativeStdFunction.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -40,6 +40,12 @@
 
     const static unsigned StructureFlags = Base::StructureFlags;
 
+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.nativeStdFunctionSpace;
+    }
+
     DECLARE_EXPORT_INFO;
 
     JS_EXPORT_PRIVATE static JSNativeStdFunction* create(VM&, JSGlobalObject*, int length, const String& name, NativeStdFunction&&, Intrinsic = NoIntrinsic, NativeFunction nativeConstructor = callHostFunctionAsConstructor);

Modified: trunk/Source/_javascript_Core/runtime/VM.cpp (228419 => 228420)


--- trunk/Source/_javascript_Core/runtime/VM.cpp	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/runtime/VM.cpp	2018-02-13 17:02:45 UTC (rev 228420)
@@ -68,8 +68,11 @@
 #include "JITWorklist.h"
 #include "JSAPIValueWrapper.h"
 #include "JSArray.h"
+#include "JSAsyncFunction.h"
 #include "JSBigInt.h"
+#include "JSBoundFunction.h"
 #include "JSCInlines.h"
+#include "JSCustomGetterSetterFunction.h"
 #include "JSDestructibleObjectHeapCellType.h"
 #include "JSFixedArray.h"
 #include "JSFunction.h"
@@ -131,6 +134,8 @@
 #include "WasmWorklist.h"
 #include "Watchdog.h"
 #include "WeakGCMapInlines.h"
+#include "WebAssemblyFunction.h"
+#include "WebAssemblyWrapperFunction.h"
 #include <wtf/CurrentTime.h>
 #include <wtf/ProcessID.h>
 #include <wtf/ReadWriteLock.h>
@@ -250,16 +255,23 @@
 #if ENABLE(WEBASSEMBLY)
     , webAssemblyCodeBlockSpace("JSWebAssemblyCodeBlockSpace", heap, webAssemblyCodeBlockHeapCellType.get(), fastMallocAllocator.get())
 #endif
+    , asyncFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSAsyncFunction)
+    , asyncGeneratorFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSAsyncGeneratorFunction)
+    , boundFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSBoundFunction)
+    , customGetterSetterFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSCustomGetterSetterFunction)
     , directEvalExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), DirectEvalExecutable)
     , errorInstanceSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), ErrorInstance)
     , exceptionSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), Exception)
     , executableToCodeBlockEdgeSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), ExecutableToCodeBlockEdge)
     , functionExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), FunctionExecutable)
+    , functionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSFunction)
+    , generatorFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSGeneratorFunction)
     , indirectEvalExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), IndirectEvalExecutable)
     , inferredTypeSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), InferredType)
     , inferredValueSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), InferredValue)
     , moduleProgramExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), ModuleProgramExecutable)
     , nativeExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), NativeExecutable)
+    , nativeStdFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSNativeStdFunction)
     , programExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), ProgramExecutable)
     , propertyTableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), PropertyTable)
     , structureRareDataSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), StructureRareData)
@@ -266,6 +278,10 @@
     , structureSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), Structure)
     , weakSetSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), JSWeakSet)
     , weakMapSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), JSWeakMap)
+#if ENABLE(WEBASSEMBLY)
+    , webAssemblyFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), WebAssemblyFunction)
+    , webAssemblyWrapperFunctionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), WebAssemblyWrapperFunction)
+#endif
     , errorInstancesWithFinalizers(errorInstanceSpace)
     , exceptionsWithFinalizers(exceptionSpace)
     , executableToCodeBlockEdgesWithConstraints(executableToCodeBlockEdgeSpace)

Modified: trunk/Source/_javascript_Core/runtime/VM.h (228419 => 228420)


--- trunk/Source/_javascript_Core/runtime/VM.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/runtime/VM.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -338,16 +338,23 @@
     CompleteSubspace webAssemblyCodeBlockSpace;
 #endif
     
+    IsoSubspace asyncFunctionSpace;
+    IsoSubspace asyncGeneratorFunctionSpace;
+    IsoSubspace boundFunctionSpace;
+    IsoSubspace customGetterSetterFunctionSpace;
     IsoSubspace directEvalExecutableSpace;
     IsoSubspace errorInstanceSpace;
     IsoSubspace exceptionSpace;
     IsoSubspace executableToCodeBlockEdgeSpace;
     IsoSubspace functionExecutableSpace;
+    IsoSubspace functionSpace;
+    IsoSubspace generatorFunctionSpace;
     IsoSubspace indirectEvalExecutableSpace;
     IsoSubspace inferredTypeSpace;
     IsoSubspace inferredValueSpace;
     IsoSubspace moduleProgramExecutableSpace;
     IsoSubspace nativeExecutableSpace;
+    IsoSubspace nativeStdFunctionSpace;
     IsoSubspace programExecutableSpace;
     IsoSubspace propertyTableSpace;
     IsoSubspace structureRareDataSpace;
@@ -354,6 +361,10 @@
     IsoSubspace structureSpace;
     IsoSubspace weakSetSpace;
     IsoSubspace weakMapSpace;
+#if ENABLE(WEBASSEMBLY)
+    IsoSubspace webAssemblyFunctionSpace;
+    IsoSubspace webAssemblyWrapperFunctionSpace;
+#endif
     
     IsoCellSet errorInstancesWithFinalizers;
     IsoCellSet exceptionsWithFinalizers;

Modified: trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.h (228419 => 228420)


--- trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -48,6 +48,12 @@
 
     const static unsigned StructureFlags = Base::StructureFlags | TypeOfShouldCallGetCallData;
 
+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.webAssemblyFunctionSpace;
+    }
+
     DECLARE_EXPORT_INFO;
 
     JS_EXPORT_PRIVATE static WebAssemblyFunction* create(VM&, JSGlobalObject*, unsigned, const String&, JSWebAssemblyInstance*, Wasm::Callee& jsEntrypoint, Wasm::WasmEntrypointLoadLocation, Wasm::SignatureIndex);

Modified: trunk/Source/_javascript_Core/wasm/js/WebAssemblyWrapperFunction.h (228419 => 228420)


--- trunk/Source/_javascript_Core/wasm/js/WebAssemblyWrapperFunction.h	2018-02-13 16:51:10 UTC (rev 228419)
+++ trunk/Source/_javascript_Core/wasm/js/WebAssemblyWrapperFunction.h	2018-02-13 17:02:45 UTC (rev 228420)
@@ -38,6 +38,12 @@
 
     const static unsigned StructureFlags = Base::StructureFlags;
 
+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.webAssemblyWrapperFunctionSpace;
+    }
+
     DECLARE_INFO;
 
     static WebAssemblyWrapperFunction* create(VM&, JSGlobalObject*, JSObject*, unsigned importIndex, JSWebAssemblyInstance*, Wasm::SignatureIndex);
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to