[objects] Fix torque definition of JSFunction

The code and prototype_or_initial_map fields are marked as weak in the torque definition of JSFunction. Given we don't have any annotations that generate BodyDescriptors or the C++ class specifying weak there didn't reflect in the actual C++ implementation. In the C++ implementation we were treating those as strong pointers and the rest of the code also expects them as strong pointers and doesn't actually deal with cleared weak references. Since JSFunction's header doesn't have any weak references we can just fallback to JSObject::BodyDescriptor that iterates through all header fields and the other JSObject fields as strong pointers. This is what was happening because JSFunction didn't have a body descriptor and we were falling back to JSObject::BodyDescriptor So this is a clean up CL to avoid confusion. There shouldn't be any change in behaviour. So this CL basically: 1. Drops weak from the torque definition to match with implementation 2. Changes JSFunction::BodyDescriptor to JSObject::BodyDescriptor when iterating over objects to be consistent with other JSObjects with strong pointers. Change-Id: I7c3e49f1759164a0f2517b3d5b8d0e5169b025ff Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2987827 Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#75387}
2021-06-25 10:44:20 +01:00 · 2021-06-25 10:44:20 +01:00 · 26ebc4f7aa
commit 26ebc4f7aa
parent f9aa571577
2 changed files with 11 additions and 12 deletions
--- a/src/objects/js-function.tq
+++ b/src/objects/js-function.tq
@ -24,10 +24,10 @@ extern class JSFunction extends JSFunctionOrBoundFunction {
  shared_function_info: SharedFunctionInfo;
  context: Context;
  feedback_cell: FeedbackCell;
-  @if(V8_EXTERNAL_CODE_SPACE) weak code: CodeDataContainer;
-  @ifnot(V8_EXTERNAL_CODE_SPACE) weak code: Code;
+  @if(V8_EXTERNAL_CODE_SPACE) code: CodeDataContainer;
+  @ifnot(V8_EXTERNAL_CODE_SPACE) code: Code;
  // Space for the following field may or may not be allocated.
-  @noVerifier weak prototype_or_initial_map: JSReceiver|Map;
+  @noVerifier prototype_or_initial_map: JSReceiver|Map;
 }

 type JSFunctionWithPrototypeSlot extends JSFunction;
--- a/src/objects/objects-body-descriptors-inl.h
+++ b/src/objects/objects-body-descriptors-inl.h
@ -1067,6 +1067,14 @@ ReturnType BodyDescriptorApply(InstanceType type, T1 p1, T2 p2, T3 p3, T4 p4) {
    case JS_STRING_ITERATOR_PROTOTYPE_TYPE:
    case JS_STRING_ITERATOR_TYPE:
    case JS_TYPED_ARRAY_PROTOTYPE_TYPE:
+    case JS_FUNCTION_TYPE:
+    case JS_PROMISE_CONSTRUCTOR_TYPE:
+    case JS_REG_EXP_CONSTRUCTOR_TYPE:
+    case JS_ARRAY_CONSTRUCTOR_TYPE:
+#define TYPED_ARRAY_CONSTRUCTORS_SWITCH(Type, type, TYPE, Ctype) \
+  case TYPE##_TYPED_ARRAY_CONSTRUCTOR_TYPE:
+      TYPED_ARRAYS(TYPED_ARRAY_CONSTRUCTORS_SWITCH)
+#undef TYPED_ARRAY_CONSTRUCTORS_SWITCH
 #ifdef V8_INTL_SUPPORT
    case JS_V8_BREAK_ITERATOR_TYPE:
    case JS_COLLATOR_TYPE:
@ -1105,15 +1113,6 @@ ReturnType BodyDescriptorApply(InstanceType type, T1 p1, T2 p2, T3 p3, T4 p4) {
      return Op::template apply<JSDataView::BodyDescriptor>(p1, p2, p3, p4);
    case JS_TYPED_ARRAY_TYPE:
      return Op::template apply<JSTypedArray::BodyDescriptor>(p1, p2, p3, p4);
-    case JS_FUNCTION_TYPE:
-    case JS_PROMISE_CONSTRUCTOR_TYPE:
-    case JS_REG_EXP_CONSTRUCTOR_TYPE:
-    case JS_ARRAY_CONSTRUCTOR_TYPE:
-#define TYPED_ARRAY_CONSTRUCTORS_SWITCH(Type, type, TYPE, Ctype) \
-  case TYPE##_TYPED_ARRAY_CONSTRUCTOR_TYPE:
-      TYPED_ARRAYS(TYPED_ARRAY_CONSTRUCTORS_SWITCH)
-#undef TYPED_ARRAY_CONSTRUCTORS_SWITCH
-      return Op::template apply<JSFunction::BodyDescriptor>(p1, p2, p3, p4);
    case WEAK_CELL_TYPE:
      return Op::template apply<WeakCell::BodyDescriptor>(p1, p2, p3, p4);
    case JS_WEAK_REF_TYPE: