WebKit Bugzilla
Attachment 340393 Details for Bug 185601: [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function
Patch: bug-185601-20180515124914.patch (text/plain), 64.68 KB, created by Yusuke Suzuki on 2018-05-14 20:49:15 PDT
>Subversion Revision: 231785 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 088cc11dd416ca1f6e0f389885c8603b2d612757..2c787df8b89b5c1e76c42fad1ffca61b09d1546b 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog 
>@@ -1,3 +1,102 @@ >+2018-05-14 Yusuke Suzuki <utatane.tea@gmail.com> >+ >+ [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function >+ https://bugs.webkit.org/show_bug.cgi?id=185601 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check TypeOfShouldCallGetCallData >+ before calling getCallData when we would like to check whether a given object is callable >+ since getCallData is a virtual call. When we call the object anyway, directly calling getCallData >+ is fine. But if we would like to check whether the object is callable, we can have non >+ callable objects frequently. In that case, we should not call getCallData if we can avoid it. >+ >+ To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable} >+ and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform >+ OverridesGetCallData checking before calling getCallData. >+ >+ We found that this virtual call exists in JSON.stringify's critial path. Checking >+ OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%. >+ >+ baseline patched >+ >+ json-stringify-tinderbox 38.807+-0.350 ^ 37.216+-0.337 ^ definitely 1.0427x faster >+ >+ In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path >+ since major cases are covered by this fast JSFunctionType checking. 
>+ >+ * API/JSCallbackObject.h: >+ * dfg/DFGAbstractInterpreterInlines.h: >+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): >+ * dfg/DFGOperations.cpp: >+ * dfg/DFGSpeculativeJIT.cpp: >+ (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull): >+ (JSC::DFG::SpeculativeJIT::compileIsFunction): >+ * ftl/FTLLowerDFGToB3.cpp: >+ (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof): >+ * jit/AssemblyHelpers.h: >+ (JSC::AssemblyHelpers::emitTypeOf): >+ * runtime/ExceptionHelpers.cpp: >+ (JSC::createError): >+ (JSC::createInvalidFunctionApplyParameterError): >+ * runtime/FunctionPrototype.cpp: >+ (JSC::functionProtoFuncToString): >+ * runtime/InternalFunction.h: >+ * runtime/JSCJSValue.h: >+ * runtime/JSCJSValueInlines.h: >+ (JSC::JSValue::isFunction const): >+ (JSC::JSValue::isCallable const): >+ * runtime/JSCell.h: >+ * runtime/JSCellInlines.h: >+ (JSC::JSCell::isFunction): >+ ALWAYS_INLINE works well for my environment. >+ (JSC::JSCell::isCallable): >+ * runtime/JSFunction.h: >+ * runtime/JSONObject.cpp: >+ (JSC::Stringifier::toJSON): >+ (JSC::Stringifier::toJSONImpl): >+ (JSC::Stringifier::appendStringifiedValue): >+ * runtime/JSObjectInlines.h: >+ (JSC::createListFromArrayLike): >+ * runtime/JSTypeInfo.h: >+ (JSC::TypeInfo::overridesGetCallData const): >+ (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted. 
>+ * runtime/Operations.cpp: >+ (JSC::jsTypeStringForValue): >+ (JSC::jsIsObjectTypeOrNull): >+ * runtime/ProxyObject.h: >+ * runtime/RuntimeType.cpp: >+ (JSC::runtimeTypeForValue): >+ * runtime/RuntimeType.h: >+ * runtime/Structure.cpp: >+ (JSC::Structure::Structure): >+ * runtime/TypeProfilerLog.cpp: >+ (JSC::TypeProfilerLog::TypeProfilerLog): >+ (JSC::TypeProfilerLog::processLogEntries): >+ * runtime/TypeProfilerLog.h: >+ * runtime/VM.cpp: >+ (JSC::VM::enableTypeProfiler): >+ * tools/JSDollarVM.cpp: >+ (JSC::functionFindTypeForExpression): >+ (JSC::functionReturnTypeFor): >+ (JSC::functionHasBasicBlockExecuted): >+ (JSC::functionBasicBlockExecutionCount): >+ * wasm/js/JSWebAssemblyHelpers.h: >+ (JSC::getWasmBufferFromValue): >+ * wasm/js/JSWebAssemblyInstance.cpp: >+ (JSC::JSWebAssemblyInstance::create): >+ * wasm/js/WebAssemblyFunction.cpp: >+ (JSC::callWebAssemblyFunction): >+ * wasm/js/WebAssemblyInstanceConstructor.cpp: >+ (JSC::constructJSWebAssemblyInstance): >+ * wasm/js/WebAssemblyModuleRecord.cpp: >+ (JSC::WebAssemblyModuleRecord::link): >+ * wasm/js/WebAssemblyPrototype.cpp: >+ (JSC::webAssemblyInstantiateFunc): >+ (JSC::webAssemblyInstantiateStreamingInternal): >+ * wasm/js/WebAssemblyWrapperFunction.cpp: >+ (JSC::WebAssemblyWrapperFunction::finishCreation): >+ > 2018-05-14 Andy VanWagoner <andy@vanwagoner.family> > > [INTL] Handle error in defineProperty for supported locales length >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 81d9fdac01a4a201adcbc985efa1e7dda3f6ba5d..22971fa8a21e7325a013f50c168aa19438998e4d 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog 
>@@ -1,3 +1,40 @@ >+2018-05-14 Yusuke Suzuki <utatane.tea@gmail.com> >+ >+ [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function >+ https://bugs.webkit.org/show_bug.cgi?id=185601 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ No behavior change. >+ >+ * Modules/plugins/QuickTimePluginReplacement.mm: >+ (WebCore::QuickTimePluginReplacement::ensureReplacementScriptInjected): >+ * bindings/js/JSCustomElementRegistryCustom.cpp: >+ (WebCore::getCustomElementCallback): >+ * bindings/js/JSDOMConstructorBase.h: >+ * bindings/js/JSDOMConvertCallbacks.h: >+ (WebCore::Converter<IDLCallbackFunction<T>>::convert): >+ * bindings/js/JSDOMPromise.cpp: >+ (WebCore::DOMPromise::whenSettled): >+ * bindings/js/ReadableStream.cpp: >+ (WebCore::ReadableStream::pipeTo): >+ (WebCore::ReadableStream::tee): >+ * bindings/js/ReadableStreamDefaultController.cpp: >+ (WebCore::ReadableStreamDefaultController::invoke): >+ * bindings/scripts/CodeGeneratorJS.pm: >+ (GenerateHeader): >+ (GenerateOverloadDispatcher): >+ * bindings/scripts/test/JS/JSTestObj.h: >+ * bindings/scripts/test/JS/JSTestPluginInterface.h: >+ * bridge/objc/objc_runtime.h: >+ * bridge/runtime_method.h: >+ * bridge/runtime_object.h: >+ * html/HTMLMediaElement.cpp: >+ (WebCore::HTMLMediaElement::ensureMediaControlsInjectedScript): >+ * testing/Internals.cpp: >+ (WebCore::Internals::parserMetaData): >+ (WebCore::Internals::cloneArrayBuffer): >+ > 2018-05-14 Wenson Hsieh <wenson_hsieh@apple.com> > > Unreviewed, fix the iOS build after r231779 >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 65eb7171747e50fede6199f1ed75722c849fbd3e..6085c2f624ff4b6801f894ceec85d53226b5d6e8 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog 
>@@ -1,3 +1,12 @@ >+2018-05-14 Yusuke Suzuki <utatane.tea@gmail.com> >+ >+ [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function >+ https://bugs.webkit.org/show_bug.cgi?id=185601 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * WebProcess/Plugins/Netscape/JSNPObject.h: >+ > 2018-05-14 Brady Eidson <beidson@apple.com> > > Add an API test to guard against regressions while re-entering setDefersLoading:. >diff --git a/Source/JavaScriptCore/API/JSCallbackObject.h b/Source/JavaScriptCore/API/JSCallbackObject.h >index d4020b10e5b581ce3143bea6b0d3c3770a6f1526..9c478ce3a20a91dfe0eb17a5ec000e3c99cf5945 100644 >--- a/Source/JavaScriptCore/API/JSCallbackObject.h >+++ b/Source/JavaScriptCore/API/JSCallbackObject.h >@@ -134,7 +134,7 @@ class JSCallbackObject final : public Parent { > > public: > typedef Parent Base; >- static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesGetPropertyNames | TypeOfShouldCallGetCallData; >+ static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesGetPropertyNames | OverridesGetCallData; > > ~JSCallbackObject(); > >diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h >index 84844e4191026a6573dc8e82e0b5199d692c4dc7..5c1c5f2833859b1a51806ca2b7cc319659840fbb 100644 >--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h >+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 
>@@ -1260,7 +1260,7 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi > JSObject* object = asObject(child.value()); > if (object->type() == JSFunctionType) > setConstant(node, jsBoolean(false)); >- else if (!(object->inlineTypeFlags() & TypeOfShouldCallGetCallData)) >+ else if (!(object->inlineTypeFlags() & OverridesGetCallData)) > setConstant(node, jsBoolean(!child.value().asCell()->structure()->masqueradesAsUndefined(m_codeBlock->globalObjectFor(node->origin.semantic)))); > else { > // FIXME: This could just call getCallData. >@@ -1275,7 +1275,7 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi > JSObject* object = asObject(child.value()); > if (object->type() == JSFunctionType) > setConstant(node, jsBoolean(true)); >- else if (!(object->inlineTypeFlags() & TypeOfShouldCallGetCallData)) >+ else if (!(object->inlineTypeFlags() & OverridesGetCallData)) > setConstant(node, jsBoolean(false)); > else { > // FIXME: This could just call getCallData. >diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp >index 9c2f44b7869a0e92602ec148cb02a5e28b3842c2..5b0947e3d5f5bd8e6250bd9ec549e8b966eb80fc 100644 >--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp >+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp >@@ -1741,14 +1741,8 @@ size_t JIT_OPERATION operationObjectIsObject(ExecState* exec, JSGlobalObject* gl > > if (object->structure(vm)->masqueradesAsUndefined(globalObject)) > return false; >- if (object->type() == JSFunctionType) >+ if (object->isFunction(vm)) > return false; >- if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) { >- CallData callData; >- if (object->methodTable(vm)->getCallData(object, callData) != CallType::None) >- return false; >- } >- > return true; > } 
> >@@ -1761,14 +1755,8 @@ size_t JIT_OPERATION operationObjectIsFunction(ExecState* exec, JSGlobalObject* > > if (object->structure(vm)->masqueradesAsUndefined(globalObject)) > return false; >- if (object->type() == JSFunctionType) >+ if (object->isFunction(vm)) > return true; >- if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) { >- CallData callData; >- if (object->methodTable(vm)->getCallData(object, callData) != CallType::None) >- return true; >- } >- > return false; > } > >@@ -1781,14 +1769,8 @@ JSCell* JIT_OPERATION operationTypeOfObject(ExecState* exec, JSGlobalObject* glo > > if (object->structure(vm)->masqueradesAsUndefined(globalObject)) > return vm.smallStrings.undefinedString(); >- if (object->type() == JSFunctionType) >+ if (object->isFunction(vm)) > return vm.smallStrings.functionString(); >- if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) { >- CallData callData; >- if (object->methodTable(vm)->getCallData(object, callData) != CallType::None) >- return vm.smallStrings.functionString(); >- } >- > return vm.smallStrings.objectString(); > } > >@@ -1801,14 +1783,8 @@ int32_t JIT_OPERATION operationTypeOfObjectAsTypeofType(ExecState* exec, JSGloba > > if (object->structure(vm)->masqueradesAsUndefined(globalObject)) > return static_cast<int32_t>(TypeofType::Undefined); >- if (object->type() == JSFunctionType) >+ if (object->isFunction(vm)) > return static_cast<int32_t>(TypeofType::Function); >- if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) { >- CallData callData; >- if (object->methodTable(vm)->getCallData(object, callData) != CallType::None) >- return static_cast<int32_t>(TypeofType::Function); >- } >- > return static_cast<int32_t>(TypeofType::Object); > } > >diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >index 6653642951eeb3bbd2aa0ee8e21b8df36f6c5494..dbcfccfa2feaa03d95c483c95632c5b56f531b94 100644 >--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 
>+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >@@ -8756,7 +8756,7 @@ void SpeculativeJIT::compileIsObjectOrNull(Node* node) > JITCompiler::Jump slowPath = m_jit.branchTest8( > JITCompiler::NonZero, > JITCompiler::Address(valueRegs.payloadGPR(), JSCell::typeInfoFlagsOffset()), >- TrustedImm32(MasqueradesAsUndefined | TypeOfShouldCallGetCallData)); >+ TrustedImm32(MasqueradesAsUndefined | OverridesGetCallData)); > > isNull.link(&m_jit); > m_jit.move(TrustedImm32(1), resultGPR); >@@ -8794,7 +8794,7 @@ void SpeculativeJIT::compileIsFunction(Node* node) > JITCompiler::Jump slowPath = m_jit.branchTest8( > JITCompiler::NonZero, > JITCompiler::Address(valueRegs.payloadGPR(), JSCell::typeInfoFlagsOffset()), >- TrustedImm32(MasqueradesAsUndefined | TypeOfShouldCallGetCallData)); >+ TrustedImm32(MasqueradesAsUndefined | OverridesGetCallData)); > > notCell.link(&m_jit); > notObject.link(&m_jit); >diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >index 1a92f0604cb34516e65a67eb46f64309ca24f738..21f30abe0060fed2be3c9579eaa668d969392027 100644 >--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >@@ -15100,7 +15100,7 @@ class LowerDFGToB3 { > return m_out.booleanFalse; > return m_out.testNonZero32( > m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoFlags), >- m_out.constInt32(MasqueradesAsUndefined | TypeOfShouldCallGetCallData)); >+ m_out.constInt32(MasqueradesAsUndefined | OverridesGetCallData)); > } > > LValue isType(LValue cell, JSType type) >diff --git a/Source/JavaScriptCore/jit/AssemblyHelpers.h b/Source/JavaScriptCore/jit/AssemblyHelpers.h >index 20998e349ef11337b95b9cca703a4339bc3db50d..ecd1885d1cc770d9fd2faa00dd50fde8da21a710 100644 >--- a/Source/JavaScriptCore/jit/AssemblyHelpers.h >+++ b/Source/JavaScriptCore/jit/AssemblyHelpers.h 
>@@ -1528,7 +1528,7 @@ class AssemblyHelpers : public MacroAssembler { > branchTest8( > NonZero, > Address(cellGPR, JSCell::typeInfoFlagsOffset()), >- TrustedImm32(MasqueradesAsUndefined | TypeOfShouldCallGetCallData))); >+ TrustedImm32(MasqueradesAsUndefined | OverridesGetCallData))); > functor(TypeofType::Object, false); > > notObject.link(this); >diff --git a/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp b/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp >index 699144b4a7ed372d9a937b64a49c279f9d3e7faf..63653b3f8b2d7da4b5c74ce34c8c0c7e2342ad8d 100644 >--- a/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp >+++ b/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp >@@ -270,7 +270,7 @@ JSObject* createError(ExecState* exec, JSValue value, const String& message, Err > > String errorMessage = makeString(errorDescriptionForValue(exec, value)->value(exec), ' ', message); > scope.assertNoException(); >- JSObject* exception = createTypeError(exec, errorMessage, appender, runtimeTypeForValue(value)); >+ JSObject* exception = createTypeError(exec, errorMessage, appender, runtimeTypeForValue(vm, value)); > ASSERT(exception->isErrorInstance()); > > return exception; >@@ -278,7 +278,8 @@ JSObject* createError(ExecState* exec, JSValue value, const String& message, Err > > JSObject* createInvalidFunctionApplyParameterError(ExecState* exec, JSValue value) > { >- JSObject* exception = createTypeError(exec, makeString("second argument to Function.prototype.apply must be an Array-like object"), defaultSourceAppender, runtimeTypeForValue(value)); >+ VM& vm = exec->vm(); >+ JSObject* exception = createTypeError(exec, makeString("second argument to Function.prototype.apply must be an Array-like object"), defaultSourceAppender, runtimeTypeForValue(vm, value)); > ASSERT(exception->isErrorInstance()); > return exception; > } 
>diff --git a/Source/JavaScriptCore/runtime/FunctionPrototype.cpp b/Source/JavaScriptCore/runtime/FunctionPrototype.cpp >index a39539bd0146e397c51164763b574aeb02d4c2fb..162f46b179056cb817203cf0b66972d799e31646 100644 >--- a/Source/JavaScriptCore/runtime/FunctionPrototype.cpp >+++ b/Source/JavaScriptCore/runtime/FunctionPrototype.cpp >@@ -125,13 +125,10 @@ EncodedJSValue JSC_HOST_CALL functionProtoFuncToString(ExecState* exec) > > if (thisValue.isObject()) { > JSObject* object = asObject(thisValue); >- if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) { >- CallData callData; >- if (object->methodTable(vm)->getCallData(object, callData) != CallType::None) { >- if (auto* classInfo = object->classInfo(vm)) { >- scope.release(); >- return JSValue::encode(jsMakeNontrivialString(exec, "function ", classInfo->className, "() {\n [native code]\n}")); >- } >+ if (object->isFunction(vm)) { >+ if (auto* classInfo = object->classInfo(vm)) { >+ scope.release(); >+ return JSValue::encode(jsMakeNontrivialString(exec, "function ", classInfo->className, "() {\n [native code]\n}")); > } > } > } >diff --git a/Source/JavaScriptCore/runtime/InternalFunction.h b/Source/JavaScriptCore/runtime/InternalFunction.h >index ff56706bf6527bcf0829c5581385da09e74cbada..2dc5f2589c6ad09fdd1acfc2c919a098b02b4de2 100644 >--- a/Source/JavaScriptCore/runtime/InternalFunction.h >+++ b/Source/JavaScriptCore/runtime/InternalFunction.h >@@ -36,7 +36,7 @@ class InternalFunction : public JSDestructibleObject { > friend class LLIntOffsetsExtractor; > public: > typedef JSDestructibleObject Base; >- static const unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance | ImplementsDefaultHasInstance | TypeOfShouldCallGetCallData; >+ static const unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance | ImplementsDefaultHasInstance | OverridesGetCallData; > > template<typename CellType> > static IsoSubspace* subspaceFor(VM& vm) 
>diff --git a/Source/JavaScriptCore/runtime/JSCJSValue.h b/Source/JavaScriptCore/runtime/JSCJSValue.h >index 91dc1a40f14e37672f4101604c0690e6097e18fc..94d5a515e96c9f21aed82bb0bec9e6da69662af3 100644 >--- a/Source/JavaScriptCore/runtime/JSCJSValue.h >+++ b/Source/JavaScriptCore/runtime/JSCJSValue.h >@@ -218,9 +218,8 @@ class JSValue { > > // Querying the type. > bool isEmpty() const; >- bool isFunction() const; >- bool isFunction(CallType&, CallData&) const; >- bool isCallable(CallType&, CallData&) const; >+ bool isFunction(VM&) const; >+ bool isCallable(VM&, CallType&, CallData&) const; > bool isConstructor() const; > bool isConstructor(ConstructType&, ConstructData&) const; > bool isUndefined() const; >diff --git a/Source/JavaScriptCore/runtime/JSCJSValueInlines.h b/Source/JavaScriptCore/runtime/JSCJSValueInlines.h >index 3aee0c47e6334168cd02309b646a24357814f1f5..55b1218eaf3a7a99df13873a913feac81d17fc8a 100644 >--- a/Source/JavaScriptCore/runtime/JSCJSValueInlines.h >+++ b/Source/JavaScriptCore/runtime/JSCJSValueInlines.h 
>@@ -759,27 +759,18 @@ inline JSObject* JSValue::toObject(ExecState* exec, JSGlobalObject* globalObject > return isCell() ? asCell()->toObject(exec, globalObject) : toObjectSlowCase(exec, globalObject); > } > >-inline bool JSValue::isFunction() const >+inline bool JSValue::isFunction(VM& vm) const > { > if (!isCell()) > return false; >- JSCell* cell = asCell(); >- CallData ignored; >- return cell->methodTable()->getCallData(cell, ignored) != CallType::None; >+ return asCell()->isFunction(vm); > } > >-inline bool JSValue::isFunction(CallType& callType, CallData& callData) const >-{ >- return isCallable(callType, callData); >-} >- >-inline bool JSValue::isCallable(CallType& callType, CallData& callData) const >+inline bool JSValue::isCallable(VM& vm, CallType& callType, CallData& callData) const > { > if (!isCell()) > return false; >- JSCell* cell = asCell(); >- callType = cell->methodTable()->getCallData(cell, callData); >- return callType != CallType::None; >+ return asCell()->isCallable(vm, callType, callData); > } > > inline bool JSValue::isConstructor() const >diff --git a/Source/JavaScriptCore/runtime/JSCell.h b/Source/JavaScriptCore/runtime/JSCell.h >index f8d5ac955f1b65ea2897ea88471bd106ae016741..f509373e31c5d0cf9a236eb83b3e37583d153373 100644 >--- a/Source/JavaScriptCore/runtime/JSCell.h >+++ b/Source/JavaScriptCore/runtime/JSCell.h >@@ -115,6 +115,8 @@ class JSCell : public HeapCell { > bool isGetterSetter() const; > bool isCustomGetterSetter() const; > bool isProxy() const; >+ bool isFunction(VM&); >+ bool isCallable(VM&, CallType&, CallData&); > bool inherits(VM&, const ClassInfo*) const; > template<typename Target> bool inherits(VM&) const; > bool isAPIValueWrapper() const; 
>@@ -153,7 +155,7 @@ class JSCell : public HeapCell { > > // Returns information about how to call/construct this cell as a function/constructor. May tell > // you that the cell is not callable or constructor (default is that it's not either). If it >- // says that the function is callable, and the TypeOfShouldCallGetCallData type flag is set, and >+ // says that the function is callable, and the OverridesGetCallData type flag is set, and > // this is an object, then typeof will return "function" instead of "object". These methods > // cannot change their minds and must be thread-safe. They are sometimes called from compiler > // threads. >diff --git a/Source/JavaScriptCore/runtime/JSCellInlines.h b/Source/JavaScriptCore/runtime/JSCellInlines.h >index 8028b89fa0fef8b80db5ba6b5f94ba8bb597a429..fee1a8429c5fd9c44008078f3ea3a52bb8ebb7c3 100644 >--- a/Source/JavaScriptCore/runtime/JSCellInlines.h >+++ b/Source/JavaScriptCore/runtime/JSCellInlines.h >@@ -218,6 +218,25 @@ inline bool JSCell::isProxy() const > return m_type == ImpureProxyType || m_type == PureForwardingProxyType; > } > >+ALWAYS_INLINE bool JSCell::isFunction(VM& vm) >+{ >+ if (type() == JSFunctionType) >+ return true; >+ if (inlineTypeFlags() & OverridesGetCallData) { >+ CallData ignoredCallData; >+ return methodTable(vm)->getCallData(this, ignoredCallData) != CallType::None; >+ } >+ return false; >+} >+ >+inline bool JSCell::isCallable(VM& vm, CallType& callType, CallData& callData) >+{ >+ if (type() != JSFunctionType && !(inlineTypeFlags() & OverridesGetCallData)) >+ return false; >+ callType = methodTable(vm)->getCallData(this, callData); >+ return callType != CallType::None; >+} >+ > inline bool JSCell::isAPIValueWrapper() const > { > return m_type == APIValueWrapperType; >diff --git a/Source/JavaScriptCore/runtime/JSFunction.h b/Source/JavaScriptCore/runtime/JSFunction.h >index 0350d8cd46eccb5b8301ae2239c86b32fcb9c76e..c3fb0c39d2546fb5463c733cb42e06ced563301f 100644 
>--- a/Source/JavaScriptCore/runtime/JSFunction.h >+++ b/Source/JavaScriptCore/runtime/JSFunction.h >@@ -69,7 +69,7 @@ class JSFunction : public JSCallee { > } > > typedef JSCallee Base; >- const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames; >+ const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | OverridesGetCallData; > > static size_t allocationSize(Checked<size_t> inlineCapacity) > { >diff --git a/Source/JavaScriptCore/runtime/JSONObject.cpp b/Source/JavaScriptCore/runtime/JSONObject.cpp >index b3a7808b64fe36a86a28134fe79ab1ddcdfd3a01..7d8439417eec863bb497975ebf54d2f0b9abf006 100644 >--- a/Source/JavaScriptCore/runtime/JSONObject.cpp >+++ b/Source/JavaScriptCore/runtime/JSONObject.cpp >@@ -111,7 +111,7 @@ class Stringifier { > friend class Holder; > > JSValue toJSON(JSValue, const PropertyNameForFunctionCall&); >- JSValue toJSONImpl(JSValue value, JSValue toJSONFunction, const PropertyNameForFunctionCall&); >+ JSValue toJSONImpl(VM&, JSValue, JSValue toJSONFunction, const PropertyNameForFunctionCall&); > > enum StringifyResult { StringifyFailed, StringifySucceeded, StringifyFailedDueToUndefinedOrSymbolValue }; > StringifyResult appendStringifiedValue(StringBuilder&, JSValue, const Holder&, const PropertyNameForFunctionCall&); 
>@@ -299,14 +299,14 @@ ALWAYS_INLINE JSValue Stringifier::toJSON(JSValue value, const PropertyNameForFu > JSValue toJSONFunction = slot.getValue(m_exec, vm.propertyNames->toJSON); > RETURN_IF_EXCEPTION(scope, { }); > scope.release(); >- return toJSONImpl(value, toJSONFunction, propertyName); >+ return toJSONImpl(vm, value, toJSONFunction, propertyName); > } > >-JSValue Stringifier::toJSONImpl(JSValue value, JSValue toJSONFunction, const PropertyNameForFunctionCall& propertyName) >+JSValue Stringifier::toJSONImpl(VM& vm, JSValue value, JSValue toJSONFunction, const PropertyNameForFunctionCall& propertyName) > { > CallType callType; > CallData callData; >- if (!toJSONFunction.isCallable(callType, callData)) >+ if (!toJSONFunction.isCallable(vm, callType, callData)) > return value; > > MarkedArgumentBuffer args; >@@ -380,9 +380,7 @@ Stringifier::StringifyResult Stringifier::appendStringifiedValue(StringBuilder& > return StringifyFailed; > > JSObject* object = asObject(value); >- >- CallData callData; >- if (object->methodTable(vm)->getCallData(object, callData) != CallType::None) { >+ if (object->isFunction(vm)) { > if (holder.isArray()) { > builder.appendLiteral("null"); > return StringifySucceeded; >diff --git a/Source/JavaScriptCore/runtime/JSObjectInlines.h b/Source/JavaScriptCore/runtime/JSObjectInlines.h >index 9fc266c3a2f9e87533b086ae99d12a8fd6f6ff5c..7209c3a0ad677c97f2f5600cc73e737c82814b91 100644 >--- a/Source/JavaScriptCore/runtime/JSObjectInlines.h >+++ b/Source/JavaScriptCore/runtime/JSObjectInlines.h >@@ -48,7 +48,7 @@ void createListFromArrayLike(ExecState* exec, JSValue arrayLikeValue, RuntimeTyp > JSValue next = arrayLikeValue.get(exec, index); > RETURN_IF_EXCEPTION(scope, void()); > >- RuntimeType type = runtimeTypeForValue(next); >+ RuntimeType type = runtimeTypeForValue(vm, next); > if (!(type & legalTypesFilter)) { > throwTypeError(exec, scope, errorMessage); > return; 
>diff --git a/Source/JavaScriptCore/runtime/JSTypeInfo.h b/Source/JavaScriptCore/runtime/JSTypeInfo.h >index fc4bb445f616dcfbe5731c78552e53702197bd56..fa44ab3c63a40fa4bbed2803c78a2515187aebe0 100644 >--- a/Source/JavaScriptCore/runtime/JSTypeInfo.h >+++ b/Source/JavaScriptCore/runtime/JSTypeInfo.h >@@ -39,7 +39,7 @@ class LLIntOffsetsExtractor; > > static const unsigned MasqueradesAsUndefined = 1; // WebCore uses MasqueradesAsUndefined to make document.all undetectable. > static const unsigned ImplementsDefaultHasInstance = 1 << 1; >-static const unsigned TypeOfShouldCallGetCallData = 1 << 2; // Need this flag if you override getCallData() and you want typeof to use this to determine if it should say "function". Currently we always set this flag when we override getCallData(). >+static const unsigned OverridesGetCallData = 1 << 2; // Need this flag if you implement [[Callable]] interface, which means overriding getCallData. The object may not be callable since getCallData can say it is not callable. > static const unsigned OverridesGetOwnPropertySlot = 1 << 3; > static const unsigned OverridesToThis = 1 << 4; // If this is false then this returns something other than 'this'. Non-object cells that are visible to JS have this set as do some exotic objects. > static const unsigned HasStaticPropertyTable = 1 << 5; 
>@@ -85,7 +85,7 @@ class TypeInfo { > bool masqueradesAsUndefined() const { return isSetOnFlags1(MasqueradesAsUndefined); } > bool implementsHasInstance() const { return isSetOnFlags2(ImplementsHasInstance); } > bool implementsDefaultHasInstance() const { return isSetOnFlags1(ImplementsDefaultHasInstance); } >- bool typeOfShouldCallGetCallData() const { return isSetOnFlags1(TypeOfShouldCallGetCallData); } >+ bool overridesGetCallData() const { return isSetOnFlags1(OverridesGetCallData); } > bool overridesGetOwnPropertySlot() const { return overridesGetOwnPropertySlot(inlineTypeFlags()); } > static bool overridesGetOwnPropertySlot(InlineTypeFlags flags) { return flags & OverridesGetOwnPropertySlot; } > static bool hasStaticPropertyTable(InlineTypeFlags flags) { return flags & HasStaticPropertyTable; } >diff --git a/Source/JavaScriptCore/runtime/Operations.cpp b/Source/JavaScriptCore/runtime/Operations.cpp >index 97cfa07a9694022256c9c38a66c76433517cd65e..57aec03367afcf45f51e584fe36855955a8c17ae 100644 >--- a/Source/JavaScriptCore/runtime/Operations.cpp >+++ b/Source/JavaScriptCore/runtime/Operations.cpp >@@ -90,14 +90,8 @@ JSValue jsTypeStringForValue(VM& vm, JSGlobalObject* globalObject, JSValue v) > // as null when doing comparisons. > if (object->structure(vm)->masqueradesAsUndefined(globalObject)) > return vm.smallStrings.undefinedString(); >- if (object->type() == JSFunctionType) >+ if (object->isFunction(vm)) > return vm.smallStrings.functionString(); >- if (object->inlineTypeFlags() & TypeOfShouldCallGetCallData) { >- CallData callData; >- JSObject* object = asObject(v); >- if (object->methodTable(vm)->getCallData(object, callData) != CallType::None) >- return vm.smallStrings.functionString(); >- } > } > return vm.smallStrings.objectString(); > } 
>@@ -119,9 +113,8 @@ bool jsIsObjectTypeOrNull(CallFrame* callFrame, JSValue v) > if (type >= ObjectType) { > if (asObject(v)->structure(vm)->masqueradesAsUndefined(callFrame->lexicalGlobalObject())) > return false; >- CallData callData; > JSObject* object = asObject(v); >- if (object->methodTable(vm)->getCallData(object, callData) != CallType::None) >+ if (object->isFunction(vm)) > return false; > } > return true; >diff --git a/Source/JavaScriptCore/runtime/ProxyObject.h b/Source/JavaScriptCore/runtime/ProxyObject.h >index ebb1fa23cc4a738fc4ad84dc04050c33a2f4063a..d204a9d49cbb5a5d1a9f5b65254aaae568b83375 100644 >--- a/Source/JavaScriptCore/runtime/ProxyObject.h >+++ b/Source/JavaScriptCore/runtime/ProxyObject.h >@@ -34,7 +34,7 @@ class ProxyObject final : public JSNonFinalObject { > public: > typedef JSNonFinalObject Base; > >- const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | TypeOfShouldCallGetCallData | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames | ProhibitsPropertyCaching; >+ const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames | ProhibitsPropertyCaching; > > static ProxyObject* create(ExecState* exec, JSGlobalObject* globalObject, JSValue target, JSValue handler) > { >diff --git a/Source/JavaScriptCore/runtime/RuntimeType.cpp b/Source/JavaScriptCore/runtime/RuntimeType.cpp >index dfd8cc96a7d6a5685ca1f501be23712d93961e2d..2f94f10f529e5613506b8f5b203e4aac753370ff 100644 >--- a/Source/JavaScriptCore/runtime/RuntimeType.cpp >+++ b/Source/JavaScriptCore/runtime/RuntimeType.cpp >@@ -32,7 +32,7 @@ > > namespace JSC { > >-RuntimeType runtimeTypeForValue(JSValue value) >+RuntimeType runtimeTypeForValue(VM& vm, JSValue value) > { > if (UNLIKELY(!value)) > return TypeNothing; 
>@@ -51,7 +51,7 @@ RuntimeType runtimeTypeForValue(JSValue value) > return TypeBoolean; > if (value.isObject()) > return TypeObject; >- if (value.isFunction()) >+ if (value.isFunction(vm)) > return TypeFunction; > if (value.isSymbol()) > return TypeSymbol; >diff --git a/Source/JavaScriptCore/runtime/RuntimeType.h b/Source/JavaScriptCore/runtime/RuntimeType.h >index 82f395f4b4e0da0448f15009c64b99008d820272..82388eb0a47391c76facf1b5071b3efbb87769a4 100644 >--- a/Source/JavaScriptCore/runtime/RuntimeType.h >+++ b/Source/JavaScriptCore/runtime/RuntimeType.h >@@ -48,7 +48,7 @@ typedef uint16_t RuntimeTypeMask; > static const RuntimeTypeMask RuntimeTypeMaskAllTypes = TypeFunction | TypeUndefined | TypeNull | TypeBoolean | TypeAnyInt | TypeNumber | TypeString | TypeObject | TypeSymbol; > > class JSValue; >-RuntimeType runtimeTypeForValue(JSValue); >+RuntimeType runtimeTypeForValue(VM&, JSValue); > String runtimeTypeAsString(RuntimeType); > > ALWAYS_INLINE bool runtimeTypeIsPrimitive(RuntimeTypeMask type) >diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp >index ee3f65f7ba3d027f038186b94adddf4eca7cddd7..00f87b0a6fa3104be6ab3fde026b9c9924f1237e 100644 >--- a/Source/JavaScriptCore/runtime/Structure.cpp >+++ b/Source/JavaScriptCore/runtime/Structure.cpp >@@ -208,6 +208,7 @@ Structure::Structure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, co > ASSERT(!hasRareData()); > ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); > ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); >+ ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData); > } > > const ClassInfo Structure::s_info = { "Structure", nullptr, nullptr, nullptr, CREATE_METHOD_TABLE(Structure) }; 
>@@ -243,6 +244,7 @@ Structure::Structure(VM& vm) > > ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); > ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); >+ ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData); > } > > Structure::Structure(VM& vm, Structure* previous, DeferredStructureTransitionWatchpointFire* deferred) >@@ -286,6 +288,7 @@ Structure::Structure(VM& vm, Structure* previous, DeferredStructureTransitionWat > m_globalObject.set(vm, this, previous->m_globalObject.get()); > ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); > ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties()); >+ ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData); > } > > Structure::~Structure() >diff --git a/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp b/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp >index 2ce3f38759d86c9c72fbdb89786362b94d7db4c1..79c842edd7d6fc0a9cab5cfb796fdceb1fbfcbf2 100644 >--- a/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp >+++ b/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp >@@ -40,8 +40,9 @@ namespace TypeProfilerLogInternal { > static const bool verbose = false; > } > >-TypeProfilerLog::TypeProfilerLog() >- : m_logSize(50000) >+TypeProfilerLog::TypeProfilerLog(VM& vm) >+ : m_vm(vm) >+ , m_logSize(50000) > , m_logStartPtr(new LogEntry[m_logSize]) > , m_currentLogEntryPtr(m_logStartPtr) > , m_logEndPtr(m_logStartPtr + m_logSize) 
>@@ -95,7 +96,7 @@ void TypeProfilerLog::processLogEntries(const String& reason) > shape = iter->value; > } > >- RuntimeType type = runtimeTypeForValue(value); >+ RuntimeType type = runtimeTypeForValue(m_vm, value); > TypeLocation* location = entry->location; > location->m_lastSeenType = type; > if (location->m_globalTypeSet) >diff --git a/Source/JavaScriptCore/runtime/TypeProfilerLog.h b/Source/JavaScriptCore/runtime/TypeProfilerLog.h >index 394193348c6e94044039ccec678a330bb8843ed5..93870438f3700f2243e8c5a5a10d802e7cd08d08 100644 >--- a/Source/JavaScriptCore/runtime/TypeProfilerLog.h >+++ b/Source/JavaScriptCore/runtime/TypeProfilerLog.h >@@ -53,7 +53,7 @@ class TypeProfilerLog { > }; > > >- TypeProfilerLog(); >+ TypeProfilerLog(VM&); > ~TypeProfilerLog(); > > JS_EXPORT_PRIVATE void processLogEntries(const String&); >@@ -67,6 +67,7 @@ class TypeProfilerLog { > private: > friend class LLIntOffsetsExtractor; > >+ VM& m_vm; > unsigned m_logSize; > LogEntry* m_logStartPtr; > LogEntry* m_currentLogEntryPtr; >diff --git a/Source/JavaScriptCore/runtime/VM.cpp b/Source/JavaScriptCore/runtime/VM.cpp >index fb00478ec54b021af6ad194806a2631796c03f41..8c90631ed40b5f7e633330707b8b4f68962a1cc0 100644 >--- a/Source/JavaScriptCore/runtime/VM.cpp >+++ b/Source/JavaScriptCore/runtime/VM.cpp >@@ -1043,7 +1043,7 @@ bool VM::enableTypeProfiler() > { > auto enableTypeProfiler = [this] () { > this->m_typeProfiler = std::make_unique<TypeProfiler>(); >- this->m_typeProfilerLog = std::make_unique<TypeProfilerLog>(); >+ this->m_typeProfilerLog = std::make_unique<TypeProfilerLog>(*this); > }; > > return enableProfilerWithRespectToCount(m_typeProfilerEnabledCount, enableTypeProfiler); >diff --git a/Source/JavaScriptCore/tools/JSDollarVM.cpp b/Source/JavaScriptCore/tools/JSDollarVM.cpp >index 5ae0b0825374a41119d6103f4a51dbab8b1d7338..de17afb412f0e0ab72b78d772891caf2a35fa23f 100644 >--- a/Source/JavaScriptCore/tools/JSDollarVM.cpp >+++ b/Source/JavaScriptCore/tools/JSDollarVM.cpp 
>@@ -1614,7 +1614,7 @@ static EncodedJSValue JSC_HOST_CALL functionFindTypeForExpression(ExecState* exe > vm.typeProfilerLog()->processLogEntries(ASCIILiteral("jsc Testing API: functionFindTypeForExpression")); > > JSValue functionValue = exec->argument(0); >- RELEASE_ASSERT(functionValue.isFunction()); >+ RELEASE_ASSERT(functionValue.isFunction(vm)); > FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable(); > > RELEASE_ASSERT(exec->argument(1).isString()); >@@ -1633,7 +1633,7 @@ static EncodedJSValue JSC_HOST_CALL functionReturnTypeFor(ExecState* exec) > vm.typeProfilerLog()->processLogEntries(ASCIILiteral("jsc Testing API: functionReturnTypeFor")); > > JSValue functionValue = exec->argument(0); >- RELEASE_ASSERT(functionValue.isFunction()); >+ RELEASE_ASSERT(functionValue.isFunction(vm)); > FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable(); > > unsigned offset = executable->typeProfilingStartOffset(); >@@ -1655,7 +1655,7 @@ static EncodedJSValue JSC_HOST_CALL functionHasBasicBlockExecuted(ExecState* exe > RELEASE_ASSERT(vm.controlFlowProfiler()); > > JSValue functionValue = exec->argument(0); >- RELEASE_ASSERT(functionValue.isFunction()); >+ RELEASE_ASSERT(functionValue.isFunction(vm)); > FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable(); > > RELEASE_ASSERT(exec->argument(1).isString()); >@@ -1674,7 +1674,7 @@ static EncodedJSValue JSC_HOST_CALL functionBasicBlockExecutionCount(ExecState* > RELEASE_ASSERT(vm.controlFlowProfiler()); > > JSValue functionValue = exec->argument(0); >- RELEASE_ASSERT(functionValue.isFunction()); >+ RELEASE_ASSERT(functionValue.isFunction(vm)); > FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable(); > > RELEASE_ASSERT(exec->argument(1).isString()); 
>diff --git a/Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h b/Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h >index c51286b7da960c73eaae1f2877fe62939347e4fe..e6514b007dc665a828932d812e94b1efa563aed9 100644 >--- a/Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h >+++ b/Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h >@@ -65,13 +65,13 @@ ALWAYS_INLINE std::pair<const uint8_t*, size_t> getWasmBufferFromValue(ExecState > JSArrayBufferView* arrayBufferView = value.getObject() ? jsDynamicCast<JSArrayBufferView*>(vm, value.getObject()) : nullptr; > if (!(arrayBuffer || arrayBufferView)) { > throwException(exec, throwScope, createTypeError(exec, >- ASCIILiteral("first argument must be an ArrayBufferView or an ArrayBuffer"), defaultSourceAppender, runtimeTypeForValue(value))); >+ ASCIILiteral("first argument must be an ArrayBufferView or an ArrayBuffer"), defaultSourceAppender, runtimeTypeForValue(vm, value))); > return { nullptr, 0 }; > } > > if (arrayBufferView ? arrayBufferView->isNeutered() : arrayBuffer->impl()->isNeutered()) { > throwException(exec, throwScope, createTypeError(exec, >- ASCIILiteral("underlying TypedArray has been detatched from the ArrayBuffer"), defaultSourceAppender, runtimeTypeForValue(value))); >+ ASCIILiteral("underlying TypedArray has been detatched from the ArrayBuffer"), defaultSourceAppender, runtimeTypeForValue(vm, value))); > return { nullptr, 0 }; > } > >diff --git a/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp b/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp >index 8cf0504a8182af521a369279957163c3d93d0a10..6bd056bf310ee7ab09debe6ea3436b1950a08969 100644 >--- a/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp >+++ b/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp 
>@@ -218,7 +218,7 @@ JSWebAssemblyInstance* JSWebAssemblyInstance::create(VM& vm, ExecState* exec, co > RETURN_IF_EXCEPTION(throwScope, nullptr); > // 2. If Type(o) is not Object, throw a TypeError. > if (!importModuleValue.isObject()) >- return exception(createTypeError(exec, importFailMessage(import, "import", "must be an object"), defaultSourceAppender, runtimeTypeForValue(importModuleValue))); >+ return exception(createTypeError(exec, importFailMessage(import, "import", "must be an object"), defaultSourceAppender, runtimeTypeForValue(vm, importModuleValue))); > > // 3. Let v be the value of performing Get(o, i.item_name) > JSObject* object = jsCast<JSObject*>(importModuleValue); >diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >index bb674889e24c6dae09251f00a5b8becdb7f46f41..888bdb91a4482824a05c351cbf29effc2e092c8a 100644 >--- a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >@@ -55,7 +55,7 @@ static EncodedJSValue JSC_HOST_CALL callWebAssemblyFunction(ExecState* exec) > auto scope = DECLARE_THROW_SCOPE(vm); > WebAssemblyFunction* wasmFunction = jsDynamicCast<WebAssemblyFunction*>(vm, exec->jsCallee()); > if (!wasmFunction) >- return JSValue::encode(throwException(exec, scope, createTypeError(exec, "expected a WebAssembly function", defaultSourceAppender, runtimeTypeForValue(exec->jsCallee())))); >+ return JSValue::encode(throwException(exec, scope, createTypeError(exec, "expected a WebAssembly function", defaultSourceAppender, runtimeTypeForValue(vm, exec->jsCallee())))); > Wasm::SignatureIndex signatureIndex = wasmFunction->signatureIndex(); > const Wasm::Signature& signature = Wasm::SignatureInformation::get(signatureIndex); 
> >diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp >index 2089e4f7153b2690fa78a3eba72651479fcd5e86..e206c7e8bf4a23beef0c04b686a5eadb723e8f34 100644 >--- a/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp >+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp 
>@@ -66,13 +66,13 @@ static EncodedJSValue JSC_HOST_CALL constructJSWebAssemblyInstance(ExecState* ex > // If moduleObject is not a WebAssembly.Module instance, a TypeError is thrown. > JSWebAssemblyModule* module = jsDynamicCast<JSWebAssemblyModule*>(vm, exec->argument(0)); > if (!module) >- return JSValue::encode(throwException(exec, scope, createTypeError(exec, ASCIILiteral("first argument to WebAssembly.Instance must be a WebAssembly.Module"), defaultSourceAppender, runtimeTypeForValue(exec->argument(0))))); >+ return JSValue::encode(throwException(exec, scope, createTypeError(exec, ASCIILiteral("first argument to WebAssembly.Instance must be a WebAssembly.Module"), defaultSourceAppender, runtimeTypeForValue(vm, exec->argument(0))))); > > // If the importObject parameter is not undefined and Type(importObject) is not Object, a TypeError is thrown. > JSValue importArgument = exec->argument(1); > JSObject* importObject = importArgument.getObject(); > if (!importArgument.isUndefined() && !importObject) >- return JSValue::encode(throwException(exec, scope, createTypeError(exec, ASCIILiteral("second argument to WebAssembly.Instance must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue(importArgument)))); >+ return JSValue::encode(throwException(exec, scope, createTypeError(exec, ASCIILiteral("second argument to WebAssembly.Instance must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue(vm, importArgument)))); > > Structure* instanceStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), exec->lexicalGlobalObject()->WebAssemblyInstanceStructure()); > RETURN_IF_EXCEPTION(scope, { }); >diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp >index be1b42b227b8d53d78cdafca43c09220528c5dc2..4c00a84fdd4c1074e9d8695a19a2a1160624188e 100644 >--- a/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp 
>+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp >@@ -136,7 +136,7 @@ void WebAssemblyModuleRecord::link(ExecState* exec, JSValue, JSObject* importObj > RETURN_IF_EXCEPTION(scope, void()); > // 2. If Type(o) is not Object, throw a TypeError. > if (!importModuleValue.isObject()) >- return exception(createTypeError(exec, importFailMessage(import, "import", "must be an object"), defaultSourceAppender, runtimeTypeForValue(importModuleValue))); >+ return exception(createTypeError(exec, importFailMessage(import, "import", "must be an object"), defaultSourceAppender, runtimeTypeForValue(vm, importModuleValue))); > > // 3. Let v be the value of performing Get(o, i.item_name) > JSObject* object = jsCast<JSObject*>(importModuleValue); >@@ -189,7 +189,7 @@ void WebAssemblyModuleRecord::link(ExecState* exec, JSValue, JSObject* importObj > case Wasm::ExternalKind::Function: { > // 4. If i is a function import: > // i. If IsCallable(v) is false, throw a WebAssembly.LinkError. >- if (!value.isFunction()) >+ if (!value.isFunction(vm)) > return exception(createJSWebAssemblyLinkError(exec, vm, importFailMessage(import, "import function", "must be callable"))); > > Wasm::Instance* calleeInstance = nullptr; >diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp >index 6b8be61ea43c7a5e05b56a9822c617b39a40a705..be55f052ed30435598b552813d9795f20491e70a 100644 >--- a/Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp >+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp 
>@@ -271,7 +271,7 @@ static EncodedJSValue JSC_HOST_CALL webAssemblyInstantiateFunc(ExecState* exec) > JSObject* importObject = importArgument.getObject(); > if (UNLIKELY(!importArgument.isUndefined() && !importObject)) { > promise->reject(exec, createTypeError(exec, >- ASCIILiteral("second argument to WebAssembly.instantiate must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue(importArgument))); >+ ASCIILiteral("second argument to WebAssembly.instantiate must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue(vm, importArgument))); > CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, JSValue::encode(promise->promise())); > } else { > JSValue firstArgument = exec->argument(0); >@@ -340,7 +340,7 @@ EncodedJSValue JSC_HOST_CALL webAssemblyInstantiateStreamingInternal(ExecState* > JSObject* importObject = importArgument.getObject(); > if (UNLIKELY(!importArgument.isUndefined() && !importObject)) { > promise->reject(exec, createTypeError(exec, >- ASCIILiteral("second argument to WebAssembly.instantiateStreaming must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue(importArgument))); >+ ASCIILiteral("second argument to WebAssembly.instantiateStreaming must be undefined or an Object"), defaultSourceAppender, runtimeTypeForValue(vm, importArgument))); > CLEAR_AND_RETURN_IF_EXCEPTION(catchScope, JSValue::encode(promise->promise())); > } else { > if (globalObject->globalObjectMethodTable()->instantiateStreaming) { >diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.cpp >index 918d579dd198d9c72b32b65e6047ca73fbeff398..36f378306be727c029531db492a8d00927291a6e 100644 >--- a/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.cpp >+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.cpp 
>@@ -72,7 +72,7 @@ WebAssemblyWrapperFunction* WebAssemblyWrapperFunction::create(VM& vm, JSGlobalO > void WebAssemblyWrapperFunction::finishCreation(VM& vm, NativeExecutable* executable, unsigned length, const String& name, JSObject* function, JSWebAssemblyInstance* instance) > { > Base::finishCreation(vm, executable, length, name, instance); >- RELEASE_ASSERT(JSValue(function).isFunction()); >+ RELEASE_ASSERT(JSValue(function).isFunction(vm)); > m_function.set(vm, this, function); > } > >diff --git a/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm b/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm >index fca6002fb5cfe109d389cc7c7fd6dd2ea2e9a7a7..7206cdcddbdb0da9e9b5466f319513b45fee3ae3 100644 >--- a/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm >+++ b/Source/WebCore/Modules/plugins/QuickTimePluginReplacement.mm >@@ -159,7 +159,7 @@ bool QuickTimePluginReplacement::ensureReplacementScriptInjected() > JSC::ExecState* exec = globalObject->globalExec(); > > JSC::JSValue replacementFunction = globalObject->get(exec, JSC::Identifier::fromString(exec, "createPluginReplacement")); >- if (replacementFunction.isFunction()) >+ if (replacementFunction.isFunction(vm)) > return true; > > scriptController.evaluateInWorld(ScriptSourceCode(quickTimePluginReplacementScript()), world); >diff --git a/Source/WebCore/bindings/js/JSCustomElementRegistryCustom.cpp b/Source/WebCore/bindings/js/JSCustomElementRegistryCustom.cpp >index d87c6e50545af12facdfee989d518f0993c0deed..103d4768e9bf6f9a26328e38dd1c6ea877006304 100644 >--- a/Source/WebCore/bindings/js/JSCustomElementRegistryCustom.cpp >+++ b/Source/WebCore/bindings/js/JSCustomElementRegistryCustom.cpp 
>@@ -49,7 +49,7 @@ static JSObject* getCustomElementCallback(ExecState& state, JSObject& prototype, > RETURN_IF_EXCEPTION(scope, nullptr); > if (callback.isUndefined()) > return nullptr; >- if (!callback.isFunction()) { >+ if (!callback.isFunction(vm)) { > throwTypeError(&state, scope, ASCIILiteral("A custom element callback must be a function")); > return nullptr; > } >diff --git a/Source/WebCore/bindings/js/JSDOMConstructorBase.h b/Source/WebCore/bindings/js/JSDOMConstructorBase.h >index a142e5ad63eb42ed26ebc696ced47aedff24ed7a..d75e885c9d5380a27ae1b5ca93673fbe2194e317 100644 >--- a/Source/WebCore/bindings/js/JSDOMConstructorBase.h >+++ b/Source/WebCore/bindings/js/JSDOMConstructorBase.h >@@ -28,7 +28,7 @@ class JSDOMConstructorBase : public JSDOMObject { > public: > using Base = JSDOMObject; > >- static const unsigned StructureFlags = Base::StructureFlags | JSC::ImplementsHasInstance | JSC::ImplementsDefaultHasInstance | JSC::TypeOfShouldCallGetCallData; >+ static const unsigned StructureFlags = Base::StructureFlags | JSC::ImplementsHasInstance | JSC::ImplementsDefaultHasInstance | JSC::OverridesGetCallData; > static JSC::Structure* createStructure(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue); > > protected: >diff --git a/Source/WebCore/bindings/js/JSDOMConvertCallbacks.h b/Source/WebCore/bindings/js/JSDOMConvertCallbacks.h >index 570e84ca66f7443a4eedc091fcb16645f33c4724..6cdc79399dbbf693ee43850dd0e69b9ad3ba2053 100644 >--- a/Source/WebCore/bindings/js/JSDOMConvertCallbacks.h >+++ b/Source/WebCore/bindings/js/JSDOMConvertCallbacks.h >@@ -40,7 +40,7 @@ template<typename T> struct Converter<IDLCallbackFunction<T>> : DefaultConverter > JSC::VM& vm = state.vm(); > auto scope = DECLARE_THROW_SCOPE(vm); > >- if (!value.isFunction()) { >+ if (!value.isFunction(vm)) { > exceptionThrower(state, scope); > return nullptr; > } 
>diff --git a/Source/WebCore/bindings/js/JSDOMPromise.cpp b/Source/WebCore/bindings/js/JSDOMPromise.cpp >index 928b3e1500a85992b29d742a67004bdb73f07f0b..979fa5c720f18687166d86e852c3b48da29e79c7 100644 >--- a/Source/WebCore/bindings/js/JSDOMPromise.cpp >+++ b/Source/WebCore/bindings/js/JSDOMPromise.cpp >@@ -64,7 +64,7 @@ void DOMPromise::whenSettled(std::function<void()>&& callback) > const JSC::Identifier& privateName = vm.propertyNames->builtinNames().thenPrivateName(); > auto* promise = this->promise(); > auto thenFunction = promise->get(&state, privateName); >- ASSERT(thenFunction.isFunction()); >+ ASSERT(thenFunction.isFunction(vm)); > > JSC::MarkedArgumentBuffer arguments; > arguments.append(handler); >diff --git a/Source/WebCore/bindings/js/ReadableStream.cpp b/Source/WebCore/bindings/js/ReadableStream.cpp >index 446aab5496805012503f0ba4c1009c6b2e148670..5d6186b6a9fbc88c51a528a8d57477512c1c9193 100644 >--- a/Source/WebCore/bindings/js/ReadableStream.cpp >+++ b/Source/WebCore/bindings/js/ReadableStream.cpp >@@ -79,7 +79,7 @@ void ReadableStream::pipeTo(ReadableStreamSink& sink) > const Identifier& privateName = clientData->builtinFunctions().readableStreamInternalsBuiltins().readableStreamPipeToPrivateName(); > > auto readableStreamPipeTo = m_globalObject->get(&state, privateName); >- ASSERT(readableStreamPipeTo.isFunction()); >+ ASSERT(readableStreamPipeTo.isFunction(state.vm())); > > MarkedArgumentBuffer arguments; > arguments.append(readableStream()); >@@ -95,7 +95,7 @@ std::pair<Ref<ReadableStream>, Ref<ReadableStream>> ReadableStream::tee() > const Identifier& privateName = clientData->builtinFunctions().readableStreamInternalsBuiltins().readableStreamTeePrivateName(); > > auto readableStreamTee = m_globalObject->get(&state, privateName); >- ASSERT(readableStreamTee.isFunction()); >+ ASSERT(readableStreamTee.isFunction(state.vm())); > > MarkedArgumentBuffer arguments; > arguments.append(readableStream()); 
>diff --git a/Source/WebCore/bindings/js/ReadableStreamDefaultController.cpp b/Source/WebCore/bindings/js/ReadableStreamDefaultController.cpp >index ca968015d8f8a4ad2308ee04629dec09f1baf55c..572ef567011912148531e508277c64e1922845e9 100644 >--- a/Source/WebCore/bindings/js/ReadableStreamDefaultController.cpp >+++ b/Source/WebCore/bindings/js/ReadableStreamDefaultController.cpp >@@ -57,7 +57,7 @@ JSC::JSValue ReadableStreamDefaultController::invoke(JSC::ExecState& state, JSC: > auto function = object.get(&state, JSC::Identifier::fromString(&state, propertyName)); > RETURN_IF_EXCEPTION(scope, JSC::JSValue()); > >- if (!function.isFunction()) { >+ if (!function.isFunction(vm)) { > if (!function.isUndefined()) > throwTypeError(&state, scope, ASCIILiteral("ReadableStream trying to call a property that is not callable")); > return JSC::jsUndefined(); >diff --git a/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm b/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm >index b69c6dc9cbc8a5eb5cc9b2c7a2e8559ff1e216c5..910369d20744685dcebaa1364aacca6aee8270c9 100644 >--- a/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm >+++ b/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm >@@ -2634,7 +2634,7 @@ sub GenerateHeader > if (InstanceOverridesGetCallData($interface)) { > push(@headerContent, " static JSC::CallType getCallData(JSC::JSCell*, JSC::CallData&);\n\n"); > $headerIncludes{"<JavaScriptCore/CallData.h>"} = 1; >- $structureFlags{"JSC::TypeOfShouldCallGetCallData"} = 1; >+ $structureFlags{"JSC::OverridesGetCallData"} = 1; > } > > if ($interface->extendedAttributes->{CustomGetPrototype}) { 
>@@ -3419,7 +3419,7 @@ sub GenerateOverloadDispatcher > &$generateOverloadCallIfNecessary($overload, "distinguishingArg.isObject() && asObject(distinguishingArg)->type() == ErrorInstanceType"); > > $overload = GetOverloadThatMatches($S, $d, \&$isObjectOrCallbackFunctionParameter); >- &$generateOverloadCallIfNecessary($overload, "distinguishingArg.isFunction()"); >+ &$generateOverloadCallIfNecessary($overload, "distinguishingArg.isFunction(vm)"); > > # FIXME: Avoid invoking GetMethod(object, Symbol.iterator) again in convert<IDLSequence<T>>(...). > $overload = GetOverloadThatMatches($S, $d, \&$isSequenceOrFrozenArrayParameter); >diff --git a/Source/WebCore/bindings/scripts/test/JS/JSTestObj.h b/Source/WebCore/bindings/scripts/test/JS/JSTestObj.h >index f8ba535e57cf28d6430693d5857732d57faa8ac1..85424433f82e4febd75f635507b0e7af9d58f954 100644 >--- a/Source/WebCore/bindings/scripts/test/JS/JSTestObj.h >+++ b/Source/WebCore/bindings/scripts/test/JS/JSTestObj.h >@@ -75,7 +75,7 @@ class JSTestObj : public JSDOMWrapper<TestObj> { > static JSC::JSValue testStaticCustomPromiseFunction(JSC::ExecState&, Ref<DeferredPromise>&&); > JSC::JSValue testCustomReturnsOwnPromiseFunction(JSC::ExecState&); > public: >- static const unsigned StructureFlags = JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::TypeOfShouldCallGetCallData | Base::StructureFlags; >+ static const unsigned StructureFlags = JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetCallData | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | Base::StructureFlags; > protected: > JSTestObj(JSC::Structure*, JSDOMGlobalObject&, Ref<TestObj>&&); 
> >diff --git a/Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.h b/Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.h >index 5156a1c08def1e370a2d4c2ea8783a3c0629001d..37a30ec9bf25254d26d23bcb328b681d24d46f10 100644 >--- a/Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.h >+++ b/Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.h >@@ -57,7 +57,7 @@ class JSTestPluginInterface : public JSDOMWrapper<TestPluginInterface> { > > static JSC::JSValue getConstructor(JSC::VM&, const JSC::JSGlobalObject*); > public: >- static const unsigned StructureFlags = JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::TypeOfShouldCallGetCallData | Base::StructureFlags; >+ static const unsigned StructureFlags = JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetCallData | JSC::OverridesGetOwnPropertySlot | Base::StructureFlags; > protected: > JSTestPluginInterface(JSC::Structure*, JSDOMGlobalObject&, Ref<TestPluginInterface>&&); > >diff --git a/Source/WebCore/bridge/objc/objc_runtime.h b/Source/WebCore/bridge/objc/objc_runtime.h >index eee19a62c498ca802a606780fcfa23c52009662b..22d880550f470b6ad1f8cce74ff2cd443580b4b9 100644 >--- a/Source/WebCore/bridge/objc/objc_runtime.h >+++ b/Source/WebCore/bridge/objc/objc_runtime.h >@@ -93,7 +93,7 @@ class ObjcArray : public Array { > class ObjcFallbackObjectImp : public JSDestructibleObject { > public: > typedef JSDestructibleObject Base; >- static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | TypeOfShouldCallGetCallData; >+ static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData; > > static ObjcFallbackObjectImp* create(ExecState* exec, JSGlobalObject* globalObject, ObjcInstance* instance, const String& propertyName) > { 
>diff --git a/Source/WebCore/bridge/runtime_method.h b/Source/WebCore/bridge/runtime_method.h >index 5a8597333a4a38b867afc36515d70a3868927126..2eefd8e4a23a7894e15f7055594d5a329b0d6e84 100644 >--- a/Source/WebCore/bridge/runtime_method.h >+++ b/Source/WebCore/bridge/runtime_method.h >@@ -35,7 +35,7 @@ namespace JSC { > class WEBCORE_EXPORT RuntimeMethod : public InternalFunction { > public: > typedef InternalFunction Base; >- static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | TypeOfShouldCallGetCallData; >+ static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData; > > template<typename CellType> > static IsoSubspace* subspaceFor(VM& vm) >diff --git a/Source/WebCore/bridge/runtime_object.h b/Source/WebCore/bridge/runtime_object.h >index 72f03cfd0299b8386609a5b0dd3357a98b6e16cd..92d04fa192b733b78ab8a15a5ce50ac4e3aad782 100644 >--- a/Source/WebCore/bridge/runtime_object.h >+++ b/Source/WebCore/bridge/runtime_object.h >@@ -35,7 +35,7 @@ namespace Bindings { > class WEBCORE_EXPORT RuntimeObject : public JSDestructibleObject { > public: > typedef JSDestructibleObject Base; >- static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | TypeOfShouldCallGetCallData; >+ static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | OverridesGetCallData; > > static RuntimeObject* create(VM& vm, Structure* structure, RefPtr<Instance>&& instance) > { >diff --git a/Source/WebCore/html/HTMLMediaElement.cpp b/Source/WebCore/html/HTMLMediaElement.cpp >index 96cf8b9b14a0e91fb480e2ce303d3682c03efa2b..237cec79930f4ff4675b9870dd2079e8b3770fb3 100644 >--- a/Source/WebCore/html/HTMLMediaElement.cpp >+++ b/Source/WebCore/html/HTMLMediaElement.cpp 
>@@ -7083,7 +7083,7 @@ bool HTMLMediaElement::ensureMediaControlsInjectedScript() > JSC::ExecState* exec = globalObject->globalExec(); > > JSC::JSValue functionValue = globalObject->get(exec, JSC::Identifier::fromString(exec, "createControls")); >- if (functionValue.isFunction()) >+ if (functionValue.isFunction(vm)) > return true; > > #ifndef NDEBUG >diff --git a/Source/WebCore/testing/Internals.cpp b/Source/WebCore/testing/Internals.cpp >index 21c39761e259bf7e3f73a138ca504afc6d6706c4..0d19795898bbe3190ed2fa419055f41306a3e044 100644 >--- a/Source/WebCore/testing/Internals.cpp >+++ b/Source/WebCore/testing/Internals.cpp >@@ -2050,7 +2050,7 @@ String Internals::parserMetaData(JSC::JSValue code) > exec->iterate(iter); > CodeBlock* codeBlock = iter.codeBlock(); > executable = codeBlock->ownerScriptExecutable(); >- } else if (code.isFunction()) { >+ } else if (code.isFunction(vm)) { > JSFunction* funcObj = JSC::jsCast<JSFunction*>(code.toObject(exec)); > executable = funcObj->jsExecutable(); > } else >@@ -4021,7 +4021,7 @@ JSValue Internals::cloneArrayBuffer(JSC::ExecState& state, JSValue buffer, JSVal > PropertySlot propertySlot(value, PropertySlot::InternalMethodType::Get); > globalObject->methodTable(vm)->getOwnPropertySlot(globalObject, &state, privateName, propertySlot); > value = propertySlot.getValue(&state, privateName); >- ASSERT(value.isFunction()); >+ ASSERT(value.isFunction(vm)); > > JSObject* function = value.getObject(); > CallData callData; >diff --git a/Source/WebKit/WebProcess/Plugins/Netscape/JSNPObject.h b/Source/WebKit/WebProcess/Plugins/Netscape/JSNPObject.h >index 3f89de8ba9088dbe569ffdd623c1d246c9f5cc6a..63db339c4913713390456884a6213eb379fa79d2 100644 >--- a/Source/WebKit/WebProcess/Plugins/Netscape/JSNPObject.h >+++ b/Source/WebKit/WebProcess/Plugins/Netscape/JSNPObject.h 
>@@ -44,7 +44,7 @@ class NPRuntimeObjectMap; > class JSNPObject final : public JSC::JSDestructibleObject { > public: > typedef JSC::JSDestructibleObject Base; >- static const unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::TypeOfShouldCallGetCallData; >+ static const unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::OverridesGetCallData; > > template<typename CellType> > static JSC::IsoSubspace* subspaceFor(JSC::VM& vm)
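Review bot: The ASSERT added to the three Structure constructors in Structure.cpp checks only one direction: a structure with overridesGetCallData() set must have a non-default methodTable.getCallData. The reverse case is the one that can silently change behaviour. The ChangeLog says isFunction consults the flag before calling getCallData, so a class that overrides getCallData without setting OverridesGetCallData would now be reported as not a function by callers such as jsIsObjectTypeOrNull, which switched from getCallData(object, callData) != CallType::None to object->isFunction(vm). Consider asserting the converse as well (override present implies flag set, with whatever exemption the JSFunctionType fast path needs), and factoring the check into one helper instead of repeating the same line in each constructor.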
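Review bot: In TypeProfilerLog.h the new constructor TypeProfilerLog(VM&) takes a single argument and is not marked explicit, so a VM& can convert implicitly to a TypeProfilerLog. Please declare it explicit. The class also now holds a VM& m_vm reference member; the only construction site shown (std::make_unique<TypeProfilerLog>(*this) in VM::enableTypeProfiler) keeps the log owned by the VM it references, which is worth stating in a comment next to the member so a later caller does not construct one with a shorter-lived VM.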
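Review bot: In JSDollarVM.cpp the four RELEASE_ASSERT(functionValue.isFunction(vm)) lines are each followed by jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject())->jsExecutable() with no null check on the cast result. isFunction answers "is this callable" (it replaces a getCallData != CallType::None test elsewhere in this patch), which is wider than "is a JSFunction", so a callable non-JSFunction passes the assert and the next line dereferences nullptr. Internals::parserMetaData has the same shape with an unchecked jsCast<JSFunction*>(code.toObject(exec)) after code.isFunction(vm). Since these lines are being touched anyway, assert on the cast result (or test the JSFunction type directly) rather than on isFunction.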
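Review bot: Several WebCore call sites now pass vm to isFunction where the visible context does not declare it: QuickTimePluginReplacement::ensureReplacementScriptInjected and HTMLMediaElement::ensureMediaControlsInjectedScript show only JSC::ExecState* exec = globalObject->globalExec(); before the call, and Internals::parserMetaData shows no VM local either. Please confirm a JSC::VM& vm is in scope earlier in each function. ReadableStream.cpp instead calls state.vm() inline inside the ASSERT twice; using the same form everywhere (a local vm, as in ReadableStreamDefaultController::invoke) would keep the call sites consistent.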
Flags: saam: review+
Attachments on bug 185601: 340290 | 340291 | 340292 | 340294 | 340295 | 340323 | 340329 | 340331 | 340333 | 340393