<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[225891] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/225891">225891</a></dd>
<dt>Author</dt> <dd>sbarati@apple.com</dd>
<dt>Date</dt> <dd>2017-12-13 20:10:02 -0800 (Wed, 13 Dec 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>Arrow functions need their own structure because they have different properties than sloppy functions
https://bugs.webkit.org/show_bug.cgi?id=180779
<rdar://problem/35814591>

Reviewed by Mark Lam.

JSTests:

* stress/arrow-function-needs-its-own-structure.js: Added.
(assert):
(readPrototype):
(noInline.let.f1):
(noInline):

Source/JavaScriptCore:

We were using the same structure for sloppy functions and
arrow functions. This broke our IC caching machinery because
these two types of functions actually have different properties.
This patch gives them different structures.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewFunction):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
* runtime/FunctionConstructor.cpp:
(JSC::constructFunctionSkippingEvalEnabledCheck):
* runtime/JSFunction.cpp:
(JSC::JSFunction::selectStructureForNewFuncExp):
(JSC::JSFunction::create):
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrowFunctionStructure const):</pre>
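The failure mode the log message describes, shown as an added example that is not part of the commit or of JavaScriptCore: a toy inline cache keyed on a structure is warmed on an arrow function and then used on a sloppy function. The names Structure, makeFunction, slowGet, InlineCache and readAfterWarmup are hypothetical, and caching a "property absent" outcome per structure is a simplifying assumption of this model.

```javascript
// Toy model, constructed for illustration; not JavaScriptCore code.
// A Structure stands for the "shape" that an inline cache (IC) keys on.
class Structure {
  constructor(name) { this.name = name; }
}

// Hypothetical function object: sloppy functions own a "prototype" property,
// arrow functions do not (this is what the commit's stress test asserts).
function makeFunction(kind, structure) {
  const own = new Map();
  if (kind === "sloppy") own.set("prototype", { kind: "prototypeObject" });
  return { kind, structure, own };
}

// Slow path: a full property lookup that always gives the right answer.
function slowGet(fn, name) {
  return fn.own.has(name) ? fn.own.get(name) : undefined;
}

// Monomorphic IC for one access site. It remembers the Structure it last saw
// and whether the property was absent, then trusts that outcome for every
// object that carries the same Structure.
class InlineCache {
  constructor() { this.structure = null; this.absent = false; this.hits = 0; }
  get(fn, name) {
    if (this.structure === fn.structure && this.absent) {
      this.hits++;
      return undefined; // fast path: "objects of this shape lack the property"
    }
    const value = slowGet(fn, name);
    this.structure = fn.structure;
    this.absent = !fn.own.has(name);
    return value;
  }
}

// Warm one access site on an arrow function, then read a sloppy function
// through the same site, mirroring the order used by the stress test.
function readAfterWarmup(arrowStructure, sloppyStructure) {
  const arrow = makeFunction("arrow", arrowStructure);
  const sloppy = makeFunction("sloppy", sloppyStructure);
  const ic = new InlineCache();
  for (let i = 0; i !== 100; ++i) ic.get(arrow, "prototype");
  return {
    value: ic.get(sloppy, "prototype"),
    expected: slowGet(sloppy, "prototype"),
    hits: ic.hits,
  };
}

// Before the fix: both kinds share one structure, so the cached "absent"
// answer is replayed for the sloppy function.
const shared = new Structure("function");
const before = readAfterWarmup(shared, shared);

// After the fix: distinct structures make the cache check fail, so the
// sloppy function takes the slow path and gets its real prototype.
const after = readAfterWarmup(new Structure("arrow"), new Structure("sloppy"));

console.log("shared structure correct:", before.value === before.expected);
console.log("separate structures correct:", after.value === after.expected);
```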

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJSTestsChangeLog">trunk/JSTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionConstructorcpp">trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctioncpp">trunk/Source/JavaScriptCore/runtime/JSFunction.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctionh">trunk/Source/JavaScriptCore/runtime/JSFunction.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctionInlinesh">trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjecth">trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkJSTestsstressarrowfunctionneedsitsownstructurejs">trunk/JSTests/stress/arrow-function-needs-its-own-structure.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/ChangeLog (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/ChangeLog  2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/JSTests/ChangeLog     2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -1,5 +1,19 @@
</span><span class="cx"> 2017-12-13  Saam Barati  <sbarati@apple.com>
</span><span class="cx"> 
</span><ins>+        Arrow functions need their own structure because they have different properties than sloppy functions
+        https://bugs.webkit.org/show_bug.cgi?id=180779
+        <rdar://problem/35814591>
+
+        Reviewed by Mark Lam.
+
+        * stress/arrow-function-needs-its-own-structure.js: Added.
+        (assert):
+        (readPrototype):
+        (noInline.let.f1):
+        (noInline):
+
+2017-12-13  Saam Barati  <sbarati@apple.com>
+
</ins><span class="cx">         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=163579
</span><span class="cx">         <rdar://problem/35455798>
</span></span></pre></div>
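Review bot: The function list in the new entry carries script-generated names that do not match the test: "(noInline.let.f1):" and "(noInline):" are not functions the test defines, since noInline is only called and f1 is a let binding inside a block. Trim the list to "(assert):" and "(readPrototype):", and consider adding a sentence saying what the test checks.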
<a id="trunkJSTestsstressarrowfunctionneedsitsownstructurejs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/arrow-function-needs-its-own-structure.js (0 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/arrow-function-needs-its-own-structure.js                           (rev 0)
+++ trunk/JSTests/stress/arrow-function-needs-its-own-structure.js      2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+function assert(b) {
+    if (!b)
+        throw new Error;
+}
+
+function readPrototype(f) {
+    return f.prototype;
+}
+noInline(readPrototype);
+
+{
+    let f1 = function () { };
+    let f2 = () => undefined;
+    for (let i = 0; i < 100; ++i) {
+        assert(!f2.hasOwnProperty("prototype"));
+        assert(f1.hasOwnProperty("prototype"));
+    }
+
+    for (let i = 0; i < 100; ++i)
+        assert(readPrototype(f2) === undefined);
+    assert(readPrototype(f1) !== undefined);
+    assert(readPrototype(f1) === f1.prototype);
+}
</ins></span></pre></div>
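Review bot: The readPrototype checks only warm the access on the arrow function f2 and then read the sloppy function f1; the reverse order (warm on f1, then read f2) is never exercised, and neither is a strict-mode pair, even though the code removed in JSFunction.cpp handed strict-mode arrow functions strictFunctionStructure. Consider adding both variants. In addition, f1 and f2 are each created once at the top level, so allocating them inside a hot helper marked with noInline would make it more likely that the changed NewFunction paths in DFGSpeculativeJIT.cpp and FTLLowerDFGToB3.cpp actually run. A message on the thrown Error would also make failures easier to triage.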
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog    2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/Source/JavaScriptCore/ChangeLog       2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -1,3 +1,36 @@
</span><ins>+2017-12-13  Saam Barati  <sbarati@apple.com>
+
+        Arrow functions need their own structure because they have different properties than sloppy functions
+        https://bugs.webkit.org/show_bug.cgi?id=180779
+        <rdar://problem/35814591>
+
+        Reviewed by Mark Lam.
+
+        We were using the same structure for sloppy functions and
+        arrow functions. This broke our IC caching machinery because
+        these two types of functions actually have different properties.
+        This patch gives them different structures.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileNewFunction):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+        * runtime/FunctionConstructor.cpp:
+        (JSC::constructFunctionSkippingEvalEnabledCheck):
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::selectStructureForNewFuncExp):
+        (JSC::JSFunction::create):
+        * runtime/JSFunction.h:
+        * runtime/JSFunctionInlines.h:
+        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::visitChildren):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::arrowFunctionStructure const):
+
</ins><span class="cx"> 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
</span><span class="cx"> 
</span><span class="cx">         InferredValue should use IsoSubspace
</span></span></pre></div>
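Review bot: The description paragraph does not say which property differs or which case besides sloppy functions was affected. The stress test shows it is the own "prototype" property, and the lines removed in JSFunction.cpp show that strict-mode arrow functions were sharing strictFunctionStructure in the same way. Naming both in the entry would help anyone auditing inline-cache assumptions later.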
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h  2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h     2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -2298,15 +2298,12 @@
</span><span class="cx">             m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->asyncFunctionStructure());
</span><span class="cx">         break;
</span><span class="cx"> 
</span><del>-    case NewFunction:
-        if (node->castOperand<FunctionExecutable*>()->isStrictMode()) {
-            forNode(node).set(
-                m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->strictFunctionStructure());
-        } else {
-            forNode(node).set(
-                m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->sloppyFunctionStructure());
-        }
</del><ins>+    case NewFunction: {
+        JSGlobalObject* globalObject = m_codeBlock->globalObjectFor(node->origin.semantic);
+        Structure* structure = JSFunction::selectStructureForNewFuncExp(globalObject, node->castOperand<FunctionExecutable*>());
+        forNode(node).set(m_graph, structure);
</ins><span class="cx">         break;
</span><ins>+    }
</ins><span class="cx">         
</span><span class="cx">     case GetCallee:
</span><span class="cx">         if (FunctionExecutable* executable = jsDynamicCast<FunctionExecutable*>(m_vm, m_codeBlock->ownerExecutable())) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp    2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp       2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -6782,17 +6782,16 @@
</span><span class="cx"> 
</span><span class="cx">     RegisteredStructure structure = m_jit.graph().registerStructure(
</span><span class="cx">         [&] () {
</span><ins>+            JSGlobalObject* globalObject = m_jit.graph().globalObjectFor(node->origin.semantic);
</ins><span class="cx">             switch (nodeType) {
</span><span class="cx">             case NewGeneratorFunction:
</span><del>-                return m_jit.graph().globalObjectFor(node->origin.semantic)->generatorFunctionStructure();
</del><ins>+                return globalObject->generatorFunctionStructure();
</ins><span class="cx">             case NewAsyncFunction:
</span><del>-                return m_jit.graph().globalObjectFor(node->origin.semantic)->asyncFunctionStructure();
</del><ins>+                return globalObject->asyncFunctionStructure();
</ins><span class="cx">             case NewAsyncGeneratorFunction:
</span><del>-                return m_jit.graph().globalObjectFor(node->origin.semantic)->asyncGeneratorFunctionStructure();
</del><ins>+                return globalObject->asyncGeneratorFunctionStructure();
</ins><span class="cx">             case NewFunction:
</span><del>-                if (node->castOperand<FunctionExecutable*>()->isStrictMode())
-                    return m_jit.graph().globalObjectFor(node->origin.semantic)->strictFunctionStructure();
-                return m_jit.graph().globalObjectFor(node->origin.semantic)->sloppyFunctionStructure();
</del><ins>+                return JSFunction::selectStructureForNewFuncExp(globalObject, node->castOperand<FunctionExecutable*>());
</ins><span class="cx">             default:
</span><span class="cx">                 RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">             }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp      2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -4736,22 +4736,19 @@
</span><span class="cx">             setJSValue(callResult);
</span><span class="cx">             return;
</span><span class="cx">         }
</span><del>-        
</del><span class="cx"> 
</span><span class="cx">         RegisteredStructure structure = m_graph.registerStructure(
</span><span class="cx">             [&] () {
</span><ins>+                JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
</ins><span class="cx">                 switch (m_node->op()) {
</span><span class="cx">                 case NewGeneratorFunction:
</span><del>-                    return m_graph.globalObjectFor(m_node->origin.semantic)->generatorFunctionStructure();
</del><ins>+                    return globalObject->generatorFunctionStructure();
</ins><span class="cx">                 case NewAsyncFunction:
</span><del>-                    return m_graph.globalObjectFor(m_node->origin.semantic)->asyncFunctionStructure();
</del><ins>+                    return globalObject->asyncFunctionStructure();
</ins><span class="cx">                 case NewAsyncGeneratorFunction:
</span><del>-                    return m_graph.globalObjectFor(m_node->origin.semantic)->asyncGeneratorFunctionStructure();
</del><ins>+                    return globalObject->asyncGeneratorFunctionStructure();
</ins><span class="cx">                 case NewFunction:
</span><del>-                    if (m_node->castOperand<FunctionExecutable*>()->isStrictMode())
-                        return m_graph.globalObjectFor(m_node->origin.semantic)->strictFunctionStructure();
-                    return m_graph.globalObjectFor(m_node->origin.semantic)->sloppyFunctionStructure();
-                    break;
</del><ins>+                    return JSFunction::selectStructureForNewFuncExp(globalObject, m_node->castOperand<FunctionExecutable*>());
</ins><span class="cx">                 default:
</span><span class="cx">                     RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">                 }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp      2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp 2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -175,10 +175,7 @@
</span><span class="cx">     Structure* structure = nullptr;
</span><span class="cx">     switch (functionConstructionMode) {
</span><span class="cx">     case FunctionConstructionMode::Function:
</span><del>-        if (function->isStrictMode())
-            structure = globalObject->strictFunctionStructure();
-        else
-            structure = globalObject->sloppyFunctionStructure();
</del><ins>+        structure = JSFunction::selectStructureForNewFuncExp(globalObject, function);
</ins><span class="cx">         break;
</span><span class="cx">     case FunctionConstructionMode::Generator:
</span><span class="cx">         structure = globalObject->generatorFunctionStructure();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSFunctioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.cpp (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.cpp       2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.cpp  2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -65,10 +65,18 @@
</span><span class="cx">     return isHostFunction();
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+Structure* JSFunction::selectStructureForNewFuncExp(JSGlobalObject* globalObject, FunctionExecutable* executable)
+{
+    if (executable->isArrowFunction())
+        return globalObject->arrowFunctionStructure();
+    if (executable->isStrictMode())
+        return globalObject->strictFunctionStructure();
+    return globalObject->sloppyFunctionStructure();
+}
+
</ins><span class="cx"> JSFunction* JSFunction::create(VM& vm, FunctionExecutable* executable, JSScope* scope)
</span><span class="cx"> {
</span><del>-    Structure* structure = executable->isStrictMode() ? scope->globalObject(vm)->strictFunctionStructure() : scope->globalObject(vm)->sloppyFunctionStructure();
-    return create(vm, executable, scope, structure);
</del><ins>+    return create(vm, executable, scope, selectStructureForNewFuncExp(scope->globalObject(vm), executable));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> JSFunction* JSFunction::create(VM& vm, FunctionExecutable* executable, JSScope* scope, Structure* structure)
</span></span></pre></div>
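Review bot: In selectStructureForNewFuncExp the isArrowFunction check runs before the isStrictMode check, so a strict-mode arrow function gets arrowFunctionStructure rather than strictFunctionStructure. That ordering is what makes the fix cover strict code, but nothing in the function says so. Add a one-line comment stating that the arrow check must come first, so a later reordering does not silently reintroduce the shared structure.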
<a id="trunkSourceJavaScriptCoreruntimeJSFunctionh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.h (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.h 2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.h    2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -70,6 +70,8 @@
</span><span class="cx">         return sizeof(JSFunction);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    static Structure* selectStructureForNewFuncExp(JSGlobalObject*, FunctionExecutable*);
+
</ins><span class="cx">     JS_EXPORT_PRIVATE static JSFunction* create(VM&, JSGlobalObject*, int length, const String& name, NativeFunction, Intrinsic = NoIntrinsic, NativeFunction nativeConstructor = callHostFunctionAsConstructor, const DOMJIT::Signature* = nullptr);
</span><span class="cx">     
</span><span class="cx">     static JSFunction* createWithInvalidatedReallocationWatchpoint(VM&, FunctionExecutable*, JSScope*);
</span></span></pre></div>
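Review bot: The new declaration has no comment, and the name selectStructureForNewFuncExp is narrower than its use: the other hunks call it from JSFunction::create, createWithInvalidatedReallocationWatchpoint and the FunctionConstructionMode::Function case of the Function constructor, not only for function expressions. Either give it a more general name or document that it covers plain and arrow functions, while generator, async and async generator structures are chosen by the callers.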
<a id="trunkSourceJavaScriptCoreruntimeJSFunctionInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h  2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h     2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -35,8 +35,7 @@
</span><span class="cx">     VM& vm, FunctionExecutable* executable, JSScope* scope)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(executable->singletonFunction()->hasBeenInvalidated());
</span><del>-    Structure* structure = executable->isStrictMode() ? scope->globalObject(vm)->strictFunctionStructure() : scope->globalObject(vm)->sloppyFunctionStructure();
-    return createImpl(vm, executable, scope, structure);
</del><ins>+    return createImpl(vm, executable, scope, selectStructureForNewFuncExp(scope->globalObject(vm), executable));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline JSFunction::JSFunction(VM& vm, FunctionExecutable* executable, JSScope* scope, Structure* structure)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp   2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp      2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -388,6 +388,7 @@
</span><span class="cx"> 
</span><span class="cx">     m_strictFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
</span><span class="cx">     m_sloppyFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
</span><ins>+    m_arrowFunctionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
</ins><span class="cx">     m_customGetterSetterFunctionStructure.initLater(
</span><span class="cx">         [] (const Initializer<Structure>& init) {
</span><span class="cx">             init.set(JSCustomGetterSetterFunction::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get()));
</span><span class="lines">@@ -1314,6 +1315,7 @@
</span><span class="cx">     visitor.append(thisObject->m_calleeStructure);
</span><span class="cx">     visitor.append(thisObject->m_strictFunctionStructure);
</span><span class="cx">     visitor.append(thisObject->m_sloppyFunctionStructure);
</span><ins>+    visitor.append(thisObject->m_arrowFunctionStructure);
</ins><span class="cx">     thisObject->m_customGetterSetterFunctionStructure.visit(visitor);
</span><span class="cx">     thisObject->m_boundFunctionStructure.visit(visitor);
</span><span class="cx">     visitor.append(thisObject->m_getterSetterStructure);
</span></span></pre></div>
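Review bot: In the init hunk, m_arrowFunctionStructure is created with exactly the same createStructure arguments as m_strictFunctionStructure and m_sloppyFunctionStructure, so the three differ only by being separate Structure instances. Add a comment above these lines explaining that the separate instances are intentional, because the function kinds have different properties, so that nobody later merges the apparently duplicate calls.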
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h (225890 => 225891)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h     2017-12-14 03:05:39 UTC (rev 225890)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h        2017-12-14 04:10:02 UTC (rev 225891)
</span><span class="lines">@@ -322,6 +322,7 @@
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_nullPrototypeObjectStructure;
</span><span class="cx">     WriteBarrier<Structure> m_calleeStructure;
</span><span class="cx">     WriteBarrier<Structure> m_strictFunctionStructure;
</span><ins>+    WriteBarrier<Structure> m_arrowFunctionStructure;
</ins><span class="cx">     WriteBarrier<Structure> m_sloppyFunctionStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_boundFunctionStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_customGetterSetterFunctionStructure;
</span><span class="lines">@@ -631,6 +632,7 @@
</span><span class="cx">     Structure* calleeStructure() const { return m_calleeStructure.get(); }
</span><span class="cx">     Structure* strictFunctionStructure() const { return m_strictFunctionStructure.get(); }
</span><span class="cx">     Structure* sloppyFunctionStructure() const { return m_sloppyFunctionStructure.get(); }
</span><ins>+    Structure* arrowFunctionStructure() const { return m_arrowFunctionStructure.get(); }
</ins><span class="cx">     Structure* boundFunctionStructure() const { return m_boundFunctionStructure.get(this); }
</span><span class="cx">     Structure* customGetterSetterFunctionStructure() const { return m_customGetterSetterFunctionStructure.get(this); }
</span><span class="cx">     Structure* getterSetterStructure() const { return m_getterSetterStructure.get(); }
</span></span></pre>
</div>
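Review bot: In the first hunk the new member m_arrowFunctionStructure is placed between m_strictFunctionStructure and m_sloppyFunctionStructure, while the accessor in the second hunk and the init and visitChildren lines in JSGlobalObject.cpp all put the arrow structure after the sloppy one. Move the member below m_sloppyFunctionStructure so declaration, initialization and visiting use the same order.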
</div>

</body>
</html>