Context Navigation

← Previous Changeset
Next Changeset →

Changeset 189616 in webkit

Timestamp:

Sep 11, 2015, 2:16:37 AM (10 years ago)

Author:

[email protected]

Message:

[JSC] Weak should only accept cell pointees.
<https://webkit.org/b/148955>

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Since WeakImpls only support pointing to JSCell derived objects,
enforce that at compile time by having the API use JSCell* instead of JSValue.

WeakHandleOwner callbacks now get JSCell& and JSCell*& respectively instead
of wrapping the cell pointer in a Handle<Unknown>.

Also added a static_assert so Weak<T> can't be instantiated with a T that's
not convertible to JSCell.

API/JSAPIWrapperObject.mm:

(JSAPIWrapperObjectHandleOwner::finalize):
(JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
(JSC::JSAPIWrapperObject::finishCreation):

API/JSManagedValue.mm:

(JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
(JSManagedValueHandleOwner::finalize):

builtins/BuiltinExecutables.cpp:

(JSC::BuiltinExecutables::finalize):

builtins/BuiltinExecutables.h:
heap/Heap.cpp:

(JSC::Heap::addFinalizer):
(JSC::Heap::FinalizerOwner::finalize):

heap/Heap.h:
heap/WeakBlock.cpp:

(JSC::WeakBlock::visit):
(JSC::WeakBlock::reap):

heap/WeakHandleOwner.cpp:

(JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
(JSC::WeakHandleOwner::finalize):

heap/WeakHandleOwner.h:
heap/WeakImpl.h:

(JSC::WeakImpl::WeakImpl):
(JSC::WeakImpl::state):
(JSC::WeakImpl::cell):
(JSC::WeakImpl::asWeakImpl):
(JSC::WeakImpl::jsValue): Deleted.

heap/WeakInlines.h:

(JSC::Weak<T>::Weak):
(JSC::>):
(JSC::Weak<T>::operator):
(JSC::Weak<T>::get):
(JSC::Weak<T>::was):

heap/WeakSet.h:
heap/WeakSetInlines.h:

(JSC::WeakSet::allocate):
(JSC::WeakBlock::finalize):

jit/JITThunks.cpp:

(JSC::JITThunks::finalize):

jit/JITThunks.h:
jsc.cpp:

(WTF::ElementHandleOwner::isReachableFromOpaqueRoots): Deleted.

runtime/JSCell.h:

(JSC::jsCast):

runtime/RegExpCache.cpp:

(JSC::RegExpCache::finalize):

runtime/RegExpCache.h:
runtime/Structure.cpp:

(JSC::StructureTransitionTable::singleTransition):
(JSC::StructureTransitionTable::setSingleTransition):

Source/WebCore:

Update WebCore bindings for the new Weak and Weak-related signatures.

bindings/js/JSCSSRuleListCustom.cpp:

(WebCore::JSCSSRuleListOwner::isReachableFromOpaqueRoots):

bindings/js/JSCSSValueCustom.cpp:

(WebCore::JSCSSValueOwner::isReachableFromOpaqueRoots):
(WebCore::JSCSSValueOwner::finalize):

bindings/js/JSCallbackData.cpp:

(WebCore::JSCallbackDataWeak::WeakOwner::isReachableFromOpaqueRoots):

bindings/js/JSCallbackData.h:
bindings/js/JSMutationObserverCustom.cpp:

(WebCore::JSMutationObserverOwner::isReachableFromOpaqueRoots):

bindings/js/JSNodeCustom.cpp:

(WebCore::isReachableFromDOM):
(WebCore::JSNodeOwner::isReachableFromOpaqueRoots):

bindings/js/JSNodeListCustom.cpp:

(WebCore::JSNodeListOwner::isReachableFromOpaqueRoots):

bindings/js/JSTextTrackCueCustom.cpp:

(WebCore::JSTextTrackCueOwner::isReachableFromOpaqueRoots):

bindings/js/WebCoreTypedArrayController.cpp:

(WebCore::WebCoreTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
(WebCore::WebCoreTypedArrayController::JSArrayBufferOwner::finalize):

bindings/js/WebCoreTypedArrayController.h:
bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):
(GenerateImplementation):

bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:

(WebCore::JSTestActiveDOMObjectOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestActiveDOMObjectOwner::finalize):

bindings/scripts/test/JS/JSTestActiveDOMObject.h:
bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp:

(WebCore::JSTestCustomConstructorWithNoInterfaceObjectOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestCustomConstructorWithNoInterfaceObjectOwner::finalize):

bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.h:
bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:

(WebCore::JSTestCustomNamedGetterOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestCustomNamedGetterOwner::finalize):

bindings/scripts/test/JS/JSTestCustomNamedGetter.h:
bindings/scripts/test/JS/JSTestEventConstructor.cpp:

(WebCore::JSTestEventConstructorOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestEventConstructorOwner::finalize):

bindings/scripts/test/JS/JSTestEventConstructor.h:
bindings/scripts/test/JS/JSTestEventTarget.cpp:

(WebCore::JSTestEventTargetOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestEventTargetOwner::finalize):

bindings/scripts/test/JS/JSTestEventTarget.h:
bindings/scripts/test/JS/JSTestException.cpp:

(WebCore::JSTestExceptionOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestExceptionOwner::finalize):

bindings/scripts/test/JS/JSTestException.h:
bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp:

(WebCore::JSTestGenerateIsReachableOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestGenerateIsReachableOwner::finalize):

bindings/scripts/test/JS/JSTestGenerateIsReachable.h:
bindings/scripts/test/JS/JSTestInterface.cpp:

(WebCore::JSTestInterfaceOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestInterfaceOwner::finalize):

bindings/scripts/test/JS/JSTestInterface.h:
bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:

(WebCore::JSTestMediaQueryListListenerOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestMediaQueryListListenerOwner::finalize):

bindings/scripts/test/JS/JSTestMediaQueryListListener.h:
bindings/scripts/test/JS/JSTestNamedConstructor.cpp:

(WebCore::JSTestNamedConstructorOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestNamedConstructorOwner::finalize):

bindings/scripts/test/JS/JSTestNamedConstructor.h:
bindings/scripts/test/JS/JSTestNondeterministic.cpp:

(WebCore::JSTestNondeterministicOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestNondeterministicOwner::finalize):

bindings/scripts/test/JS/JSTestNondeterministic.h:
bindings/scripts/test/JS/JSTestObj.cpp:

(WebCore::JSTestObjOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestObjOwner::finalize):

bindings/scripts/test/JS/JSTestObj.h:
bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:

(WebCore::JSTestOverloadedConstructorsOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestOverloadedConstructorsOwner::finalize):

bindings/scripts/test/JS/JSTestOverloadedConstructors.h:
bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp:

(WebCore::JSTestOverrideBuiltinsOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestOverrideBuiltinsOwner::finalize):

bindings/scripts/test/JS/JSTestOverrideBuiltins.h:
bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:

(WebCore::JSTestSerializedScriptValueInterfaceOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestSerializedScriptValueInterfaceOwner::finalize):

bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.h:
bindings/scripts/test/JS/JSTestTypedefs.cpp:

(WebCore::JSTestTypedefsOwner::isReachableFromOpaqueRoots):
(WebCore::JSTestTypedefsOwner::finalize):

bindings/scripts/test/JS/JSTestTypedefs.h:
bindings/scripts/test/JS/JSattribute.cpp:

(WebCore::JSattributeOwner::isReachableFromOpaqueRoots):
(WebCore::JSattributeOwner::finalize):

bindings/scripts/test/JS/JSattribute.h:
bindings/scripts/test/JS/JSreadonly.cpp:

(WebCore::JSreadonlyOwner::isReachableFromOpaqueRoots):
(WebCore::JSreadonlyOwner::finalize):

bindings/scripts/test/JS/JSreadonly.h:
bridge/runtime_root.cpp:

(JSC::Bindings::RootObject::finalize):

bridge/runtime_root.h:

Source/WebKit2:

WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:

(WebKit::NPRuntimeObjectMap::finalize):

WebProcess/Plugins/Netscape/NPRuntimeObjectMap.h:

Location:

trunk/Source

Files:

: 74 edited

JavaScriptCore/API/JSAPIWrapperObject.mm (modified) (3 diffs)
JavaScriptCore/API/JSManagedValue.mm (modified) (3 diffs)
JavaScriptCore/ChangeLog (modified) (1 diff)
JavaScriptCore/builtins/BuiltinExecutables.cpp (modified) (1 diff)
JavaScriptCore/builtins/BuiltinExecutables.h (modified) (1 diff)
JavaScriptCore/heap/Heap.cpp (modified) (1 diff)
JavaScriptCore/heap/Heap.h (modified) (1 diff)
JavaScriptCore/heap/WeakBlock.cpp (modified) (3 diffs)
JavaScriptCore/heap/WeakHandleOwner.cpp (modified) (1 diff)
JavaScriptCore/heap/WeakHandleOwner.h (modified) (1 diff)
JavaScriptCore/heap/WeakImpl.h (modified) (4 diffs)
JavaScriptCore/heap/WeakInlines.h (modified) (4 diffs)
JavaScriptCore/heap/WeakSet.h (modified) (1 diff)
JavaScriptCore/heap/WeakSetInlines.h (modified) (3 diffs)
JavaScriptCore/jit/JITThunks.cpp (modified) (1 diff)
JavaScriptCore/jit/JITThunks.h (modified) (1 diff)
JavaScriptCore/jsc.cpp (modified) (1 diff)
JavaScriptCore/runtime/JSCell.h (modified) (1 diff)
JavaScriptCore/runtime/RegExpCache.cpp (modified) (1 diff)
JavaScriptCore/runtime/RegExpCache.h (modified) (1 diff)
JavaScriptCore/runtime/Structure.cpp (modified) (3 diffs)
WebCore/ChangeLog (modified) (1 diff)
WebCore/bindings/js/JSCSSRuleListCustom.cpp (modified) (1 diff)
WebCore/bindings/js/JSCSSValueCustom.cpp (modified) (2 diffs)
WebCore/bindings/js/JSCallbackData.cpp (modified) (1 diff)
WebCore/bindings/js/JSCallbackData.h (modified) (1 diff)
WebCore/bindings/js/JSMutationObserverCustom.cpp (modified) (1 diff)
WebCore/bindings/js/JSNodeCustom.cpp (modified) (2 diffs)
WebCore/bindings/js/JSNodeListCustom.cpp (modified) (1 diff)
WebCore/bindings/js/JSTextTrackCueCustom.cpp (modified) (2 diffs)
WebCore/bindings/js/WebCoreTypedArrayController.cpp (modified) (2 diffs)
WebCore/bindings/js/WebCoreTypedArrayController.h (modified) (2 diffs)
WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (8 diffs)
WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestEventConstructor.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp (modified) (2 diffs)
WebCore/bindings/scripts/test/JS/JSTestEventTarget.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestException.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestException.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestInterface.cpp (modified) (2 diffs)
WebCore/bindings/scripts/test/JS/JSTestInterface.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp (modified) (2 diffs)
WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestNondeterministic.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestNondeterministic.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestObj.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestObj.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSTestTypedefs.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSattribute.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSattribute.h (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSreadonly.cpp (modified) (1 diff)
WebCore/bindings/scripts/test/JS/JSreadonly.h (modified) (1 diff)
WebCore/bridge/runtime_root.cpp (modified) (1 diff)
WebCore/bridge/runtime_root.h (modified) (1 diff)
WebKit2/ChangeLog (modified) (1 diff)
WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp (modified) (1 diff)
WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.h (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/API/JSAPIWrapperObject.mm

-              r179728
+              r189616
 #if JSC_OBJC_API_ENABLED
 class JSAPIWrapperObjectHandleOwner : public JSC::WeakHandleOwner {
+class JSAPIWrapperObjectHandleOwner final : public JSC::WeakHandleOwner {
 public:
     virtual void finalize(JSC::Handle<JSC::Unknown>, void*) override;
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void*) override;
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
 };
 …
+}
 void JSAPIWrapperObjectHandleOwner::finalize(JSC::Handle<JSC::Unknown> handle, void*)
+void JSAPIWrapperObjectHandleOwner::finalize(JSC::JSCell*& cell, void*)
+{
     JSC::JSAPIWrapperObject* wrapperObject = JSC::jsCast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
     if (!wrapperObject->wrappedObject())
+    auto& wrapperObject = JSC::jsCast<JSC::JSAPIWrapperObject&>(*cell);
+    if (!wrapperObject.wrappedObject())
         return;
     JSC::Heap::heap(wrapperObject)->releaseSoon(adoptNS(static_cast<id>(wrapperObject->wrappedObject())));
     JSC::WeakSet::deallocate(JSC::WeakImpl::asWeakImpl(handle.slot()));
+    JSC::Heap::heap(&wrapperObject)->releaseSoon(adoptNS(static_cast<id>(wrapperObject.wrappedObject())));
+    JSC::WeakSet::deallocate(JSC::WeakImpl::asWeakImpl(&cell));
+}
 bool JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, JSC::SlotVisitor& visitor)
+bool JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, JSC::SlotVisitor& visitor)
+{
     JSC::JSAPIWrapperObject* wrapperObject = JSC::jsCast<JSC::JSAPIWrapperObject*>(handle.get().asCell());
+    JSC::JSAPIWrapperObject& wrapperObject = JSC::jsCast<JSC::JSAPIWrapperObject&>(cell);
     // We use the JSGlobalObject when processing weak handles to prevent the situation where using
     // the same Objective-C object in multiple global objects keeps all of the global objects alive.
     if (!wrapperObject->wrappedObject())
+    if (!wrapperObject.wrappedObject())
         return false;
     return JSC::Heap::isMarked(wrapperObject->structure()->globalObject()) && visitor.containsOpaqueRoot(wrapperObject->wrappedObject());
+    return JSC::Heap::isMarked(wrapperObject.globalObject()) && visitor.containsOpaqueRoot(wrapperObject.wrappedObject());
+}
 …
+{
     Base::finishCreation(vm);
     WeakSet::allocate(this, jsAPIWrapperObjectHandleOwner(), 0); // Balanced in JSAPIWrapperObjectHandleOwner::finalize.
+    WeakSet::allocate(*this, jsAPIWrapperObjectHandleOwner(), 0); // Balanced in JSAPIWrapperObjectHandleOwner::finalize.
+}

trunk/Source/JavaScriptCore/API/JSManagedValue.mm

-              r174110
+              r189616
 #import <wtf/spi/cocoa/NSMapTableSPI.h>
 class JSManagedValueHandleOwner : public JSC::WeakHandleOwner {
+class JSManagedValueHandleOwner final : public JSC::WeakHandleOwner {
 public:
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context) override;
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
 };
 …
 @end
 bool JSManagedValueHandleOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor& visitor)
+bool JSManagedValueHandleOwner::isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor& visitor)
+{
     JSManagedValue *managedValue = static_cast<JSManagedValue *>(context);
 …
+}
 void JSManagedValueHandleOwner::finalize(JSC::Handle<JSC::Unknown>, void* context)
+void JSManagedValueHandleOwner::finalize(JSC::JSCell*&, void* context)
+{
     JSManagedValue *managedValue = static_cast<JSManagedValue *>(context);

trunk/Source/JavaScriptCore/ChangeLog

-              r189599
+              r189616
+-09-11  Andreas Kling  <[email protected]>
+        [JSC] Weak should only accept cell pointees.
+        <https://webkit.org/b/148955>
+        Reviewed by Geoffrey Garen.
+        Since WeakImpls only support pointing to JSCell derived objects,
+        enforce that at compile time by having the API use JSCell* instead of JSValue.
+        WeakHandleOwner callbacks now get JSCell& and JSCell*& respectively instead
+        of wrapping the cell pointer in a Handle<Unknown>.
+        Also added a static_assert so Weak<T> can't be instantiated with a T that's
+        not convertible to JSCell.
+        * API/JSAPIWrapperObject.mm:
+        (JSAPIWrapperObjectHandleOwner::finalize):
+        (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
+        (JSC::JSAPIWrapperObject::finishCreation):
+        * API/JSManagedValue.mm:
+        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
+        (JSManagedValueHandleOwner::finalize):
+        * builtins/BuiltinExecutables.cpp:
+        (JSC::BuiltinExecutables::finalize):
+        * builtins/BuiltinExecutables.h:
+        * heap/Heap.cpp:
+        (JSC::Heap::addFinalizer):
+        (JSC::Heap::FinalizerOwner::finalize):
+        * heap/Heap.h:
+        * heap/WeakBlock.cpp:
+        (JSC::WeakBlock::visit):
+        (JSC::WeakBlock::reap):
+        * heap/WeakHandleOwner.cpp:
+        (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
+        (JSC::WeakHandleOwner::finalize):
+        * heap/WeakHandleOwner.h:
+        * heap/WeakImpl.h:
+        (JSC::WeakImpl::WeakImpl):
+        (JSC::WeakImpl::state):
+        (JSC::WeakImpl::cell):
+        (JSC::WeakImpl::asWeakImpl):
+        (JSC::WeakImpl::jsValue): Deleted.
+        * heap/WeakInlines.h:
+        (JSC::Weak<T>::Weak):
+        (JSC::>):
+        (JSC::Weak<T>::operator):
+        (JSC::Weak<T>::get):
+        (JSC::Weak<T>::was):
+        * heap/WeakSet.h:
+        * heap/WeakSetInlines.h:
+        (JSC::WeakSet::allocate):
+        (JSC::WeakBlock::finalize):
+        * jit/JITThunks.cpp:
+        (JSC::JITThunks::finalize):
+        * jit/JITThunks.h:
+        * jsc.cpp:
+        (WTF::ElementHandleOwner::isReachableFromOpaqueRoots): Deleted.
+        * runtime/JSCell.h:
+        (JSC::jsCast):
+        * runtime/RegExpCache.cpp:
+        (JSC::RegExpCache::finalize):
+        * runtime/RegExpCache.h:
+        * runtime/Structure.cpp:
+        (JSC::StructureTransitionTable::singleTransition):
+        (JSC::StructureTransitionTable::setSingleTransition):
 -09-10  Sukolsak Sakshuwong  <[email protected]>

trunk/Source/JavaScriptCore/builtins/BuiltinExecutables.cpp

r188417	r189616
109	109	}
110	110
111		void BuiltinExecutables::finalize(~~Handle<Unknown>~~, void* context)
	111	void BuiltinExecutables::finalize(JSCell&, void context)
112	112	{
113	113	static_cast<Weak<UnlinkedFunctionExecutable>*>(context)->clear();

trunk/Source/JavaScriptCore/builtins/BuiltinExecutables.h

r187205	r189616
54	54
55	55	private:
56		void finalize(~~Handle<Unknown>~~, void* context) override;
	56	void finalize(JSCell&, void context) override;
57	57
58	58	VM& m_vm;

trunk/Source/JavaScriptCore/heap/Heap.cpp

-              r189553
+              r189616
 void Heap::addFinalizer(JSCell* cell, Finalizer finalizer)
+{
+    WeakSet::allocate(cell, &m_finalizerOwner, reinterpret_cast<void*>(finalizer)); // Balanced by FinalizerOwner::finalize().
+}
+void Heap::FinalizerOwner::finalize(Handle<Unknown> handle, void* context)
+{
+    HandleSlot slot = handle.slot();
+    WeakSet::allocate(*cell, &m_finalizerOwner, reinterpret_cast<void*>(finalizer)); // Balanced by FinalizerOwner::finalize().
+}
+void Heap::FinalizerOwner::finalize(JSCell*& cell, void* context)
+{
     Finalizer finalizer = reinterpret_cast<Finalizer>(context);
     finalizer(slot->asCell());
     WeakSet::deallocate(WeakImpl::asWeakImpl(slot));
+    finalizer(cell);
+    WeakSet::deallocate(WeakImpl::asWeakImpl(&cell));
+}

trunk/Source/JavaScriptCore/heap/Heap.h

-              r189515
+              r189616
     static const size_t minExtraMemory = 256;
     class FinalizerOwner : public WeakHandleOwner {
         virtual void finalize(Handle<Unknown>, void* context) override;
+    class FinalizerOwner final : public WeakHandleOwner {
+        void finalize(JSCell*&, void* context) override;
     };

trunk/Source/JavaScriptCore/heap/WeakBlock.cpp

-              r183769
+              r189616
             continue;
+        const JSValue& jsValue = weakImpl->jsValue();
+        if (m_markedBlock->isMarkedOrNewlyAllocated(jsValue.asCell()))
+        if (m_markedBlock->isMarkedOrNewlyAllocated(weakImpl->m_cell))
             continue;
 …
             continue;
         if (!weakHandleOwner->isReachableFromOpaqueRoots(Handle<Unknown>::wrapSlot(&const_cast<JSValue&>(jsValue)), weakImpl->context(), visitor))
+        if (!weakHandleOwner->isReachableFromOpaqueRoots(*weakImpl->m_cell, weakImpl->context(), visitor))
             continue;
         heapRootVisitor.visit(&const_cast<JSValue&>(jsValue));
+        heapRootVisitor.visit(&weakImpl->m_cell);
+    }
+}
 …
             continue;
         if (m_markedBlock->isMarkedOrNewlyAllocated(weakImpl->jsValue().asCell())) {
+        if (m_markedBlock->isMarkedOrNewlyAllocated(weakImpl->cell())) {
             ASSERT(weakImpl->state() == WeakImpl::Live);
             continue;

trunk/Source/JavaScriptCore/heap/WeakHandleOwner.cpp

r163844	r189616
38	38	}
39	39
40		bool WeakHandleOwner::isReachableFromOpaqueRoots(~~Handle<Unknown>~~, void*, SlotVisitor&)
	40	bool WeakHandleOwner::isReachableFromOpaqueRoots(JSCell&, void*, SlotVisitor&)
41	41	{
42	42	return false;
43	43	}
44	44
45		void WeakHandleOwner::finalize(~~Handle<Unknown>~~, void*)
	45	void WeakHandleOwner::finalize(JSCell&, void)
46	46	{
47	47	}

trunk/Source/JavaScriptCore/heap/WeakHandleOwner.h

-              r113141
+              r189616
 public:
     virtual ~WeakHandleOwner();
     virtual bool isReachableFromOpaqueRoots(Handle<Unknown>, void* context, SlotVisitor&);
     virtual void finalize(Handle<Unknown>, void* context);
+    virtual bool isReachableFromOpaqueRoots(JSCell&, void* context, SlotVisitor&);
+    virtual void finalize(JSCell*&, void* context);
 };

trunk/Source/JavaScriptCore/heap/WeakImpl.h

-              r143909
+              r189616
 /*
  * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2015 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
     WeakImpl();
     WeakImpl(JSValue, WeakHandleOwner*, void* context);
+    WeakImpl(JSCell&, WeakHandleOwner*, void* context);
     State state();
+    State state() const;
     void setState(State);
     const JSValue& jsValue();
+    JSCell* cell();
     WeakHandleOwner* weakHandleOwner();
     void* context();
     static WeakImpl* asWeakImpl(JSValue*);
+    static WeakImpl* asWeakImpl(JSCell**);
 private:
+    const JSValue m_jsValue;
+    WeakHandleOwner* m_weakHandleOwner;
+    void* m_context;
+    friend class WeakBlock;
+    JSCell* m_cell { nullptr };
+    WeakHandleOwner* m_weakHandleOwner { nullptr };
+    void* m_context { nullptr };
 };
 inline WeakImpl::WeakImpl()
-    : m_weakHandleOwner(0)
-    , m_context(0)
+{
     setState(Deallocated);
+}
 inline WeakImpl::WeakImpl(JSValue jsValue, WeakHandleOwner* weakHandleOwner, void* context)
     : m_jsValue(jsValue)
+inline WeakImpl::WeakImpl(JSCell& cell, WeakHandleOwner* weakHandleOwner, void* context)
+    : m_cell(&cell)
     , m_weakHandleOwner(weakHandleOwner)
     , m_context(context)
+{
     ASSERT(state() == Live);
-    ASSERT(m_jsValue && m_jsValue.isCell());
+}
 inline WeakImpl::State WeakImpl::state()
+inline WeakImpl::State WeakImpl::state() const
+{
     return static_cast<State>(reinterpret_cast<uintptr_t>(m_weakHandleOwner) & StateMask);
 …
+}
 inline const JSValue& WeakImpl::jsValue()
+inline JSCell* WeakImpl::cell()
+{
     return m_jsValue;
+    return m_cell;
+}
 …
+}
 inline WeakImpl* WeakImpl::asWeakImpl(JSValue* slot)
+inline WeakImpl* WeakImpl::asWeakImpl(JSCell** slot)
+{
     return reinterpret_cast_ptr<WeakImpl*>(reinterpret_cast_ptr<char*>(slot) + OBJECT_OFFSETOF(WeakImpl, m_jsValue));
+    return reinterpret_cast_ptr<WeakImpl*>(reinterpret_cast_ptr<char*>(slot));
+}

trunk/Source/JavaScriptCore/heap/WeakInlines.h

r188040	r189616
35	35
36	36	template<typename T> inline Weak<T>::Weak(T* cell, WeakHandleOwner* weakOwner, void* context)
37		: m_impl(cell ? WeakSet::allocate(cell, weakOwner, context) : 0)
	37	: m_impl(cell ? WeakSet::allocate(*cell, weakOwner, context) : 0)
38	38	{
	39	static_assert((std::is_convertible<T, JSCell>::value), "JSC::Weak can only be used with cell types.");
39	40	}
40	41
…	…
74	75	{
75	76	ASSERT(m_impl && m_impl->state() == WeakImpl::Live);
76		return jsCast<T*>(m_impl->~~jsValue().asC~~ell());
	77	return jsCast<T*>(m_impl->cell());
77	78	}
78	79
…	…
80	81	{
81	82	ASSERT(m_impl && m_impl->state() == WeakImpl::Live);
82		return jsCast<T>(m_impl->~~jsValue().asC~~ell());
	83	return jsCast<T>(m_impl->cell());
83	84	}
84	85
…	…
87	88	if (!m_impl \|\| m_impl->state() != WeakImpl::Live)
88	89	return 0;
89		return jsCast<T*>(m_impl->~~jsValue().asC~~ell());
	90	return jsCast<T*>(m_impl->cell());
90	91	}
91	92
92	93	template<typename T> inline bool Weak<T>::was(T* other) const
93	94	{
94		return static_cast<T*>(m_impl->~~jsValue().asC~~ell()) == other;
	95	return static_cast<T*>(m_impl->cell()) == other;
95	96	}
96	97
97	98	template<typename T> inline bool Weak<T>::operator!() const
98	99	{
99		return !m_impl \|\| !m_impl->~~jsValue~~() \|\| m_impl->state() != WeakImpl::Live;
	100	return !m_impl \|\| !m_impl->cell() \|\| m_impl->state() != WeakImpl::Live;
100	101	}
101	102

trunk/Source/JavaScriptCore/heap/WeakSet.h

r183769	r189616
39	39
40	40	public:
41		static WeakImpl* allocate(JS~~Value~~, WeakHandleOwner* = 0, void* context = 0);
	41	static WeakImpl* allocate(JSCell&, WeakHandleOwner* = 0, void* context = 0);
42	42	static void deallocate(WeakImpl*);
43	43

trunk/Source/JavaScriptCore/heap/WeakSetInlines.h

-              r148479
+              r189616
 namespace JSC {
 inline WeakImpl* WeakSet::allocate(JSValue jsValue, WeakHandleOwner* weakHandleOwner, void* context)
+inline WeakImpl* WeakSet::allocate(JSCell& cell, WeakHandleOwner* weakHandleOwner, void* context)
+{
     WeakSet& weakSet = MarkedBlock::blockFor(jsValue.asCell())->weakSet();
+    WeakSet& weakSet = MarkedBlock::blockFor(&cell)->weakSet();
     WeakBlock::FreeCell* allocator = weakSet.m_allocator;
     if (UNLIKELY(!allocator))
 …
     WeakImpl* weakImpl = WeakBlock::asWeakImpl(allocator);
     return new (NotNull, weakImpl) WeakImpl(jsValue, weakHandleOwner, context);
+    return new (NotNull, weakImpl) WeakImpl(cell, weakHandleOwner, context);
+}
 …
     if (!weakHandleOwner)
         return;
     weakHandleOwner->finalize(Handle<Unknown>::wrapSlot(&const_cast<JSValue&>(weakImpl->jsValue())), weakImpl->context());
+    weakHandleOwner->finalize(weakImpl->m_cell, weakImpl->context());
+}

trunk/Source/JavaScriptCore/jit/JITThunks.cpp

r188499	r189616
77	77	}
78	78
79		void JITThunks::finalize(~~Handle<Unknown> handle~~, void*)
	79	void JITThunks::finalize(JSCell& cell, void)
80	80	{
81		auto* nativeExecutable = jsCast<NativeExecutable*>(~~handle.get().asCell()~~);
	81	auto* nativeExecutable = jsCast<NativeExecutable*>(cell);
82	82	weakRemove(*m_hostFunctionStubMap, std::make_pair(nativeExecutable->function(), nativeExecutable->constructor()), nativeExecutable);
83	83	}

trunk/Source/JavaScriptCore/jit/JITThunks.h

r188499	r189616
64	64
65	65	private:
66		void finalize(~~Handle<Unknown>~~, void* context) override;
	66	void finalize(JSCell&, void context) override;
67	67
68	68	typedef HashMap<ThunkGenerator, MacroAssemblerCodeRef> CTIStubMap;

trunk/Source/JavaScriptCore/jsc.cpp

-              r189591
+              r189616
 };
 class ElementHandleOwner : public WeakHandleOwner {
+class ElementHandleOwner final : public WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+    {
         Element* element = jsCast<Element*>(handle.slot()->asCell());
         return visitor.containsOpaqueRoot(element->root());
+    virtual bool isReachableFromOpaqueRoots(JSCell& cell, void*, SlotVisitor& visitor)
+    {
+        auto& element = jsCast<Element&>(cell);
+        return visitor.containsOpaqueRoot(element.root());
+    }
 };

trunk/Source/JavaScriptCore/runtime/JSCell.h

-              r184328
+              r189616
 template<typename To, typename From>
+inline To& jsCast(From& from)
+{
+    ASSERT_WITH_SECURITY_IMPLICATION(from.JSCell::inherits(std::remove_reference<To>::type::info()));
+    return static_cast<To&>(from);
+}
+template<typename To, typename From>
 inline To jsCast(From* from)
+{

trunk/Source/JavaScriptCore/runtime/RegExpCache.cpp

r188397	r189616
57	57	}
58	58
59		void RegExpCache::finalize(~~Handle<Unknown> handle~~, void*)
	59	void RegExpCache::finalize(JSCell& cell, void)
60	60	{
61		RegExp* regExp = ~~static_cast<RegExp*>(handle.get().asCell()~~);
	61	RegExp* regExp = jsCast<RegExp*>(cell);
62	62	weakRemove(m_weakCache, regExp->key(), regExp);
63	63	}

trunk/Source/JavaScriptCore/runtime/RegExpCache.h

r188394	r189616
55	55	static const int maxStrongCacheableEntries = 32;
56	56
57		v~~irtual void finalize(Handle<Unknown>~~, void* context) override;
	57	void finalize(JSCell&, void context) override;
58	58
59	59	RegExp* lookupOrCreate(const WTF::String& patternString, RegExpFlags);

trunk/Source/JavaScriptCore/runtime/Structure.cpp

-              r189596
+              r189616
 class SingleSlotTransitionWeakOwner final : public WeakHandleOwner {
     void finalize(Handle<Unknown>, void* context) override
+    void finalize(JSCell*&, void* context) override
+    {
         StructureTransitionTable* table = reinterpret_cast<StructureTransitionTable*>(context);
 …
     if (WeakImpl* impl = this->weakImpl()) {
         if (impl->state() == WeakImpl::Live)
             return jsCast<Structure*>(impl->jsValue().asCell());
+            return jsCast<Structure*>(impl->cell());
+    }
     return nullptr;
 …
     if (WeakImpl* impl = this->weakImpl())
         WeakSet::deallocate(impl);
     WeakImpl* impl = WeakSet::allocate(structure, &singleSlotTransitionWeakOwner(), this);
+    WeakImpl* impl = WeakSet::allocate(*structure, &singleSlotTransitionWeakOwner(), this);
     m_data = reinterpret_cast<intptr_t>(impl) | UsingSingleSlotFlag;
+}

trunk/Source/WebCore/ChangeLog

-              r189598
+              r189616
+-09-11  Andreas Kling  <[email protected]>
+        [JSC] Weak should only accept cell pointees.
+        <https://webkit.org/b/148955>
+        Reviewed by Geoffrey Garen.
+        Update WebCore bindings for the new Weak and Weak-related signatures.
+        * bindings/js/JSCSSRuleListCustom.cpp:
+        (WebCore::JSCSSRuleListOwner::isReachableFromOpaqueRoots):
+        * bindings/js/JSCSSValueCustom.cpp:
+        (WebCore::JSCSSValueOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSCSSValueOwner::finalize):
+        * bindings/js/JSCallbackData.cpp:
+        (WebCore::JSCallbackDataWeak::WeakOwner::isReachableFromOpaqueRoots):
+        * bindings/js/JSCallbackData.h:
+        * bindings/js/JSMutationObserverCustom.cpp:
+        (WebCore::JSMutationObserverOwner::isReachableFromOpaqueRoots):
+        * bindings/js/JSNodeCustom.cpp:
+        (WebCore::isReachableFromDOM):
+        (WebCore::JSNodeOwner::isReachableFromOpaqueRoots):
+        * bindings/js/JSNodeListCustom.cpp:
+        (WebCore::JSNodeListOwner::isReachableFromOpaqueRoots):
+        * bindings/js/JSTextTrackCueCustom.cpp:
+        (WebCore::JSTextTrackCueOwner::isReachableFromOpaqueRoots):
+        * bindings/js/WebCoreTypedArrayController.cpp:
+        (WebCore::WebCoreTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
+        (WebCore::WebCoreTypedArrayController::JSArrayBufferOwner::finalize):
+        * bindings/js/WebCoreTypedArrayController.h:
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateHeader):
+        (GenerateImplementation):
+        * bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
+        (WebCore::JSTestActiveDOMObjectOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestActiveDOMObjectOwner::finalize):
+        * bindings/scripts/test/JS/JSTestActiveDOMObject.h:
+        * bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp:
+        (WebCore::JSTestCustomConstructorWithNoInterfaceObjectOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestCustomConstructorWithNoInterfaceObjectOwner::finalize):
+        * bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.h:
+        * bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
+        (WebCore::JSTestCustomNamedGetterOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestCustomNamedGetterOwner::finalize):
+        * bindings/scripts/test/JS/JSTestCustomNamedGetter.h:
+        * bindings/scripts/test/JS/JSTestEventConstructor.cpp:
+        (WebCore::JSTestEventConstructorOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestEventConstructorOwner::finalize):
+        * bindings/scripts/test/JS/JSTestEventConstructor.h:
+        * bindings/scripts/test/JS/JSTestEventTarget.cpp:
+        (WebCore::JSTestEventTargetOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestEventTargetOwner::finalize):
+        * bindings/scripts/test/JS/JSTestEventTarget.h:
+        * bindings/scripts/test/JS/JSTestException.cpp:
+        (WebCore::JSTestExceptionOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestExceptionOwner::finalize):
+        * bindings/scripts/test/JS/JSTestException.h:
+        * bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp:
+        (WebCore::JSTestGenerateIsReachableOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestGenerateIsReachableOwner::finalize):
+        * bindings/scripts/test/JS/JSTestGenerateIsReachable.h:
+        * bindings/scripts/test/JS/JSTestInterface.cpp:
+        (WebCore::JSTestInterfaceOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestInterfaceOwner::finalize):
+        * bindings/scripts/test/JS/JSTestInterface.h:
+        * bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:
+        (WebCore::JSTestMediaQueryListListenerOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestMediaQueryListListenerOwner::finalize):
+        * bindings/scripts/test/JS/JSTestMediaQueryListListener.h:
+        * bindings/scripts/test/JS/JSTestNamedConstructor.cpp:
+        (WebCore::JSTestNamedConstructorOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestNamedConstructorOwner::finalize):
+        * bindings/scripts/test/JS/JSTestNamedConstructor.h:
+        * bindings/scripts/test/JS/JSTestNondeterministic.cpp:
+        (WebCore::JSTestNondeterministicOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestNondeterministicOwner::finalize):
+        * bindings/scripts/test/JS/JSTestNondeterministic.h:
+        * bindings/scripts/test/JS/JSTestObj.cpp:
+        (WebCore::JSTestObjOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestObjOwner::finalize):
+        * bindings/scripts/test/JS/JSTestObj.h:
+        * bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:
+        (WebCore::JSTestOverloadedConstructorsOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestOverloadedConstructorsOwner::finalize):
+        * bindings/scripts/test/JS/JSTestOverloadedConstructors.h:
+        * bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp:
+        (WebCore::JSTestOverrideBuiltinsOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestOverrideBuiltinsOwner::finalize):
+        * bindings/scripts/test/JS/JSTestOverrideBuiltins.h:
+        * bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:
+        (WebCore::JSTestSerializedScriptValueInterfaceOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestSerializedScriptValueInterfaceOwner::finalize):
+        * bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.h:
+        * bindings/scripts/test/JS/JSTestTypedefs.cpp:
+        (WebCore::JSTestTypedefsOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSTestTypedefsOwner::finalize):
+        * bindings/scripts/test/JS/JSTestTypedefs.h:
+        * bindings/scripts/test/JS/JSattribute.cpp:
+        (WebCore::JSattributeOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSattributeOwner::finalize):
+        * bindings/scripts/test/JS/JSattribute.h:
+        * bindings/scripts/test/JS/JSreadonly.cpp:
+        (WebCore::JSreadonlyOwner::isReachableFromOpaqueRoots):
+        (WebCore::JSreadonlyOwner::finalize):
+        * bindings/scripts/test/JS/JSreadonly.h:
+        * bridge/runtime_root.cpp:
+        (JSC::Bindings::RootObject::finalize):
+        * bridge/runtime_root.h:
 -09-10  Chris Fleizach  <[email protected]>

trunk/Source/WebCore/bindings/js/JSCSSRuleListCustom.cpp

-              r165757
+              r189616
 namespace WebCore {
 bool JSCSSRuleListOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+bool JSCSSRuleListOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
     JSCSSRuleList* jsCSSRuleList = jsCast<JSCSSRuleList*>(handle.slot()->asCell());
     if (!jsCSSRuleList->hasCustomProperties())
+    auto& jsCSSRuleList = jsCast<JSCSSRuleList&>(cell);
+    if (!jsCSSRuleList.hasCustomProperties())
         return false;
     if (CSSStyleSheet* styleSheet = jsCSSRuleList->impl().styleSheet())
+    if (CSSStyleSheet* styleSheet = jsCSSRuleList.impl().styleSheet())
         return visitor.containsOpaqueRoot(root(styleSheet));
     if (CSSRule* cssRule = jsCSSRuleList->impl().item(0))
+    if (CSSRule* cssRule = jsCSSRuleList.impl().item(0))
         return visitor.containsOpaqueRoot(root(cssRule));
     return false;

trunk/Source/WebCore/bindings/js/JSCSSValueCustom.cpp

-              r183523
+              r189616
 namespace WebCore {
 bool JSCSSValueOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void* context, SlotVisitor& visitor)
+bool JSCSSValueOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void* context, SlotVisitor& visitor)
+{
     JSCSSValue* jsCSSValue = jsCast<JSCSSValue*>(handle.slot()->asCell());
     if (!jsCSSValue->hasCustomProperties())
+    auto& jsCSSValue = jsCast<JSCSSValue&>(cell);
+    if (!jsCSSValue.hasCustomProperties())
         return false;
     DOMWrapperWorld* world = static_cast<DOMWrapperWorld*>(context);
     void* root = world->m_cssValueRoots.get(&jsCSSValue->impl());
+    DOMWrapperWorld& world = *static_cast<DOMWrapperWorld*>(context);
+    void* root = world.m_cssValueRoots.get(&jsCSSValue.impl());
     if (!root)
         return false;
 …
+}
 void JSCSSValueOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+void JSCSSValueOwner::finalize(JSC::JSCell*& cell, void* context)
+{
     JSCSSValue* jsCSSValue = jsCast<JSCSSValue*>(handle.slot()->asCell());
+    auto& jsCSSValue = jsCast<JSCSSValue&>(*cell);
     DOMWrapperWorld& world = *static_cast<DOMWrapperWorld*>(context);
     world.m_cssValueRoots.remove(&jsCSSValue->impl());
     uncacheWrapper(world, &jsCSSValue->impl(), jsCSSValue);
+    world.m_cssValueRoots.remove(&jsCSSValue.impl());
+    uncacheWrapper(world, &jsCSSValue.impl(), &jsCSSValue);
+}

trunk/Source/WebCore/bindings/js/JSCallbackData.cpp

r189230	r189616
91	91	}
92	92
93		bool JSCallbackDataWeak::WeakOwner::isReachableFromOpaqueRoots(JSC::~~Handle<JSC::Unknown>~~, void* context, SlotVisitor& visitor)
	93	bool JSCallbackDataWeak::WeakOwner::isReachableFromOpaqueRoots(JSC::JSCell&, void* context, SlotVisitor& visitor)
94	94	{
95	95	return visitor.containsOpaqueRoot(context);

trunk/Source/WebCore/bindings/js/JSCallbackData.h

-              r189230
+              r189616
 private:
     class WeakOwner : public JSC::WeakHandleOwner {
         virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
+    class WeakOwner final : public JSC::WeakHandleOwner {
+        bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
     };
     WeakOwner m_weakOwner;

trunk/Source/WebCore/bindings/js/JSMutationObserverCustom.cpp

r170167	r189616
62	62	}
63	63
64		bool JSMutationObserverOwner::isReachableFromOpaqueRoots(JSC::~~Handle<JSC::Unknown> handle~~, void*, SlotVisitor& visitor)
	64	bool JSMutationObserverOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
65	65	{
66		MutationObserver& observer = jsCast<JSMutationObserver*>(handle.slot()->asCell())->impl();
	66	MutationObserver& observer = jsCast<JSMutationObserver&>(cell).impl();
67	67	auto observedNodes = observer.getObservedNodes();
68	68	for (auto it = observedNodes.begin(), end = observedNodes.end(); it != end; ++it) {

trunk/Source/WebCore/bindings/js/JSNodeCustom.cpp

-              r188187
+              r189616
 using namespace HTMLNames;
 static inline bool isReachableFromDOM(Node* node, SlotVisitor& visitor)
+{
     if (!node->inDocument()) {
         if (is<Element>(*node)) {
             auto& element = downcast<Element>(*node);
+static inline bool isReachableFromDOM(Node& node, SlotVisitor& visitor)
+{
+    if (!node.inDocument()) {
+        if (is<Element>(node)) {
+            auto& element = downcast<Element>(node);
             // If a wrapper is the last reference to an image element
 …
         // If a node is firing event listeners, its wrapper is observable because
         // its wrapper is responsible for marking those event listeners.
         if (node->isFiringEventListeners())
+        if (node.isFiringEventListeners())
             return true;
+    }
     return visitor.containsOpaqueRoot(root(node));
+}
 bool JSNodeOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     JSNode* jsNode = jsCast<JSNode*>(handle.slot()->asCell());
     return isReachableFromDOM(&jsNode->impl(), visitor);
+    return visitor.containsOpaqueRoot(root(&node));
+}
+bool JSNodeOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    auto& jsNode = jsCast<JSNode&>(cell);
+    return isReachableFromDOM(jsNode.impl(), visitor);
+}

trunk/Source/WebCore/bindings/js/JSNodeListCustom.cpp

-              r188829
+              r189616
 namespace WebCore {
 bool JSNodeListOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+bool JSNodeListOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
     JSNodeList* jsNodeList = jsCast<JSNodeList*>(handle.slot()->asCell());
     if (!jsNodeList->hasCustomProperties())
+    auto& jsNodeList = jsCast<JSNodeList&>(cell);
+    if (!jsNodeList.hasCustomProperties())
         return false;
     if (jsNodeList->impl().isLiveNodeList())
         return visitor.containsOpaqueRoot(root(static_cast<LiveNodeList&>(jsNodeList->impl()).ownerNode()));
     if (jsNodeList->impl().isChildNodeList())
         return visitor.containsOpaqueRoot(root(static_cast<ChildNodeList&>(jsNodeList->impl()).ownerNode()));
     if (jsNodeList->impl().isEmptyNodeList())
         return visitor.containsOpaqueRoot(root(static_cast<EmptyNodeList&>(jsNodeList->impl()).ownerNode()));
+    if (jsNodeList.impl().isLiveNodeList())
+        return visitor.containsOpaqueRoot(root(static_cast<LiveNodeList&>(jsNodeList.impl()).ownerNode()));
+    if (jsNodeList.impl().isChildNodeList())
+        return visitor.containsOpaqueRoot(root(static_cast<ChildNodeList&>(jsNodeList.impl()).ownerNode()));
+    if (jsNodeList.impl().isEmptyNodeList())
+        return visitor.containsOpaqueRoot(root(static_cast<EmptyNodeList&>(jsNodeList.impl()).ownerNode()));
     return false;
+}

trunk/Source/WebCore/bindings/js/JSTextTrackCueCustom.cpp

-              r167794
+              r189616
 namespace WebCore {
 bool JSTextTrackCueOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+bool JSTextTrackCueOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
     JSTextTrackCue* jsTextTrackCue = jsCast<JSTextTrackCue*>(handle.slot()->asCell());
     TextTrackCue& textTrackCue = jsTextTrackCue->impl();
+    auto& jsTextTrackCue = jsCast<JSTextTrackCue&>(cell);
+    TextTrackCue& textTrackCue = jsTextTrackCue.impl();
     // If the cue is firing event listeners, its wrapper is reachable because
 …
     // If the cue has no event listeners and has no custom properties, it is not reachable.
     if (!textTrackCue.hasEventListeners() && !jsTextTrackCue->hasCustomProperties())
+    if (!textTrackCue.hasEventListeners() && !jsTextTrackCue.hasCustomProperties())
         return false;

trunk/Source/WebCore/bindings/js/WebCoreTypedArrayController.cpp

r165757	r189616
48	48	}
49	49
50		bool WebCoreTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots(JSC::~~Handle<JSC::Unknown> handle~~, void*, JSC::SlotVisitor& visitor)
	50	bool WebCoreTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, JSC::SlotVisitor& visitor)
51	51	{
52		auto& wrapper = JSC::jsCast<JSC::JSArrayBuffer>(handle.slot()->asCell());
	52	auto& wrapper = JSC::jsCast<JSC::JSArrayBuffer&>(cell);
53	53	if (!wrapper.hasCustomProperties())
54	54	return false;
…	…
56	56	}
57	57
58		void WebCoreTypedArrayController::JSArrayBufferOwner::finalize(JSC::~~Handle<JSC::Unknown> handle~~, void* context)
	58	void WebCoreTypedArrayController::JSArrayBufferOwner::finalize(JSC::JSCell& cell, void context)
59	59	{
60		auto& wrapper = static_cast<JSC::JSArrayBuffer>(handle.slot()->asCell());
	60	auto& wrapper = static_cast<JSC::JSArrayBuffer&>(*cell);
61	61	auto& buffer = *wrapper.impl();
62	62	uncacheWrapper(static_cast<DOMWrapperWorld>(context), &buffer, &wrapper);

trunk/Source/WebCore/bindings/js/WebCoreTypedArrayController.h

-              r166124
+              r189616
 namespace WebCore {
 class WebCoreTypedArrayController : public JSC::TypedArrayController {
+class WebCoreTypedArrayController final : public JSC::TypedArrayController {
 public:
     WebCoreTypedArrayController();
 …
 private:
     class JSArrayBufferOwner : public JSC::WeakHandleOwner {
+    class JSArrayBufferOwner final : public JSC::WeakHandleOwner {
     public:
         virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&) override;
         virtual void finalize(JSC::Handle<JSC::Unknown>, void* context) override;
+        bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+        void finalize(JSC::JSCell*&, void* context) override;
     };

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

-              r189507
+              r189616
         $headerIncludes{"<wtf/NeverDestroyed.h>"} = 1;
         push(@headerContent, "public:\n");
         push(@headerContent, "    virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);\n");
         push(@headerContent, "    virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);\n");
+        push(@headerContent, "    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;\n");
+        push(@headerContent, "    void finalize(JSC::JSCell*&, void* context) override;\n");
         push(@headerContent, "};\n");
         push(@headerContent, "\n");
 …
     if ((!$hasParent && !GetCustomIsReachable($interface)) || GetGenerateIsReachable($interface) || $codeGenerator->InheritsExtendedAttribute($interface, "ActiveDOMObject")) {
         push(@implContent, "bool JS${interfaceName}Owner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)\n");
+        push(@implContent, "bool JS${interfaceName}Owner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)\n");
         push(@implContent, "{\n");
         # All ActiveDOMObjects implement hasPendingActivity(), but not all of them
 …
         my $emittedJSCast = 0;
         if ($codeGenerator->InheritsExtendedAttribute($interface, "ActiveDOMObject")) {
             push(@implContent, "    auto* js${interfaceName} = jsCast<JS${interfaceName}*>(handle.slot()->asCell());\n");
+            push(@implContent, "    auto& js${interfaceName} = jsCast<JS${interfaceName}&>(cell);\n");
             $emittedJSCast = 1;
             push(@implContent, "    if (js${interfaceName}->impl().hasPendingActivity())\n");
+            push(@implContent, "    if (js${interfaceName}.impl().hasPendingActivity())\n");
             push(@implContent, "        return true;\n");
+        }
         if ($codeGenerator->InheritsExtendedAttribute($interface, "EventTarget")) {
             if (!$emittedJSCast) {
                 push(@implContent, "    auto* js${interfaceName} = jsCast<JS${interfaceName}*>(handle.slot()->asCell());\n");
+                push(@implContent, "    auto& js${interfaceName} = jsCast<JS${interfaceName}&>(cell);\n");
                 $emittedJSCast = 1;
+            }
             push(@implContent, "    if (js${interfaceName}->impl().isFiringEventListeners())\n");
+            push(@implContent, "    if (js${interfaceName}.impl().isFiringEventListeners())\n");
             push(@implContent, "        return true;\n");
+        }
         if ($codeGenerator->InheritsInterface($interface, "Node")) {
             if (!$emittedJSCast) {
                 push(@implContent, "    auto* js${interfaceName} = jsCast<JS${interfaceName}*>(handle.slot()->asCell());\n");
+                push(@implContent, "    auto& js${interfaceName} = jsCast<JS${interfaceName}&>(cell);\n");
                 $emittedJSCast = 1;
+            }
             push(@implContent, "    if (JSNodeOwner::isReachableFromOpaqueRoots(handle, 0, visitor))\n");
+            push(@implContent, "    if (JSNodeOwner::isReachableFromOpaqueRoots(cell, 0, visitor))\n");
             push(@implContent, "        return true;\n");
+        }
         if (GetGenerateIsReachable($interface)) {
             if (!$emittedJSCast) {
                 push(@implContent, "    auto* js${interfaceName} = jsCast<JS${interfaceName}*>(handle.slot()->asCell());\n");
+                push(@implContent, "    auto& js${interfaceName} = jsCast<JS${interfaceName}&>(cell);\n");
                 $emittedJSCast = 1;
+            }
 …
             my $rootString;
             if (GetGenerateIsReachable($interface) eq "Impl") {
                 $rootString  = "    ${implType}* root = &js${interfaceName}->impl();\n";
+                $rootString  = "    ${implType}* root = &js${interfaceName}.impl();\n";
             } elsif (GetGenerateIsReachable($interface) eq "ImplWebGLRenderingContext") {
                 $rootString  = "    WebGLRenderingContextBase* root = WTF::getPtr(js${interfaceName}->impl().context());\n";
+                $rootString  = "    WebGLRenderingContextBase* root = WTF::getPtr(js${interfaceName}.impl().context());\n";
             } elsif (GetGenerateIsReachable($interface) eq "ImplFrame") {
                 $rootString  = "    Frame* root = WTF::getPtr(js${interfaceName}->impl().frame());\n";
+                $rootString  = "    Frame* root = WTF::getPtr(js${interfaceName}.impl().frame());\n";
                 $rootString .= "    if (!root)\n";
                 $rootString .= "        return false;\n";
             } elsif (GetGenerateIsReachable($interface) eq "ImplDocument") {
                 $rootString  = "    Document* root = WTF::getPtr(js${interfaceName}->impl().document());\n";
+                $rootString  = "    Document* root = WTF::getPtr(js${interfaceName}.impl().document());\n";
                 $rootString .= "    if (!root)\n";
                 $rootString .= "        return false;\n";
 …
                 $implIncludes{"Element.h"} = 1;
                 $implIncludes{"JSNodeCustom.h"} = 1;
                 $rootString  = "    Element* element = WTF::getPtr(js${interfaceName}->impl().element());\n";
+                $rootString  = "    Element* element = WTF::getPtr(js${interfaceName}.impl().element());\n";
                 $rootString .= "    if (!element)\n";
                 $rootString .= "        return false;\n";
 …
                 $implIncludes{"Element.h"} = 1;
                 $implIncludes{"JSNodeCustom.h"} = 1;
                 $rootString  = "    void* root = WebCore::root(js${interfaceName}->impl().canvas());\n";
+                $rootString  = "    void* root = WebCore::root(js${interfaceName}.impl().canvas());\n";
             } elsif (GetGenerateIsReachable($interface) eq "ImplOwnerNodeRoot") {
                 $implIncludes{"Element.h"} = 1;
                 $implIncludes{"JSNodeCustom.h"} = 1;
                 $rootString  = "    void* root = WebCore::root(js${interfaceName}->impl().ownerNode());\n";
+                $rootString  = "    void* root = WebCore::root(js${interfaceName}.impl().ownerNode());\n";
             } else {
                 $rootString  = "    void* root = WebCore::root(&js${interfaceName}->impl());\n";
+                $rootString  = "    void* root = WebCore::root(&js${interfaceName}.impl());\n";
+            }
 …
         } else {
             if (!$emittedJSCast) {
                 push(@implContent, "    UNUSED_PARAM(handle);\n");
+                push(@implContent, "    UNUSED_PARAM(cell);\n");
+            }
             push(@implContent, "    UNUSED_PARAM(visitor);\n");
 …
          GetCustomIsReachable($interface) ||
          $codeGenerator->InheritsExtendedAttribute($interface, "ActiveDOMObject"))) {
         push(@implContent, "void JS${interfaceName}Owner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)\n");
+        push(@implContent, "void JS${interfaceName}Owner::finalize(JSC::JSCell*& cell, void* context)\n");
         push(@implContent, "{\n");
         push(@implContent, "    auto* js${interfaceName} = jsCast<JS${interfaceName}*>(handle.slot()->asCell());\n");
+        push(@implContent, "    auto& wrapper = jsCast<JS${interfaceName}&>(*cell);\n");
         push(@implContent, "    auto& world = *static_cast<DOMWrapperWorld*>(context);\n");
         push(@implContent, "    uncacheWrapper(world, &js${interfaceName}->impl(), js${interfaceName});\n");
+        push(@implContent, "    uncacheWrapper(world, &wrapper.impl(), &wrapper);\n");
         push(@implContent, "}\n\n");
+    }

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp

-              r189188
+              r189616
+}
 bool JSTestActiveDOMObjectOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestActiveDOMObjectOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestActiveDOMObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestActiveDOMObject = jsCast<JSTestActiveDOMObject*>(handle.slot()->asCell());
+void JSTestActiveDOMObjectOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestActiveDOMObject&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestActiveDOMObject->impl(), jsTestActiveDOMObject);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.h

-              r184228
+              r189616
 class JSTestActiveDOMObjectOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp

-              r189188
+              r189616
+}
 bool JSTestCustomConstructorWithNoInterfaceObjectOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestCustomConstructorWithNoInterfaceObjectOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestCustomConstructorWithNoInterfaceObjectOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestCustomConstructorWithNoInterfaceObject = jsCast<JSTestCustomConstructorWithNoInterfaceObject*>(handle.slot()->asCell());
+void JSTestCustomConstructorWithNoInterfaceObjectOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestCustomConstructorWithNoInterfaceObject&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestCustomConstructorWithNoInterfaceObject->impl(), jsTestCustomConstructorWithNoInterfaceObject);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.h

-              r184953
+              r189616
 class JSTestCustomConstructorWithNoInterfaceObjectOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp

-              r189188
+              r189616
+}
 bool JSTestCustomNamedGetterOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestCustomNamedGetterOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestCustomNamedGetterOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestCustomNamedGetter = jsCast<JSTestCustomNamedGetter*>(handle.slot()->asCell());
+void JSTestCustomNamedGetterOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestCustomNamedGetter&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestCustomNamedGetter->impl(), jsTestCustomNamedGetter);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.h

-              r188663
+              r189616
 class JSTestCustomNamedGetterOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp

-              r189188
+              r189616
+}
 bool JSTestEventConstructorOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestEventConstructorOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestEventConstructorOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestEventConstructor = jsCast<JSTestEventConstructor*>(handle.slot()->asCell());
+void JSTestEventConstructorOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestEventConstructor&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestEventConstructor->impl(), jsTestEventConstructor);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.h

-              r184228
+              r189616
 class JSTestEventConstructorOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp

-              r189188
+              r189616
+}
 bool JSTestEventTargetOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     auto* jsTestEventTarget = jsCast<JSTestEventTarget*>(handle.slot()->asCell());
     if (jsTestEventTarget->impl().isFiringEventListeners())
+bool JSTestEventTargetOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    auto& jsTestEventTarget = jsCast<JSTestEventTarget&>(cell);
+    if (jsTestEventTarget.impl().isFiringEventListeners())
         return true;
     UNUSED_PARAM(visitor);
 …
+}
 void JSTestEventTargetOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestEventTarget = jsCast<JSTestEventTarget*>(handle.slot()->asCell());
+void JSTestEventTargetOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestEventTarget&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestEventTarget->impl(), jsTestEventTarget);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.h

-              r188663
+              r189616
 class JSTestEventTargetOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp

-              r189188
+              r189616
+}
 bool JSTestExceptionOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestExceptionOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestExceptionOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestException = jsCast<JSTestException*>(handle.slot()->asCell());
+void JSTestExceptionOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestException&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestException->impl(), jsTestException);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestException.h

-              r184228
+              r189616
 class JSTestExceptionOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp

-              r189188
+              r189616
+}
 bool JSTestGenerateIsReachableOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     auto* jsTestGenerateIsReachable = jsCast<JSTestGenerateIsReachable*>(handle.slot()->asCell());
     TestGenerateIsReachable* root = &jsTestGenerateIsReachable->impl();
+bool JSTestGenerateIsReachableOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    auto& jsTestGenerateIsReachable = jsCast<JSTestGenerateIsReachable&>(cell);
+    TestGenerateIsReachable* root = &jsTestGenerateIsReachable.impl();
     return visitor.containsOpaqueRoot(root);
+}
 void JSTestGenerateIsReachableOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestGenerateIsReachable = jsCast<JSTestGenerateIsReachable*>(handle.slot()->asCell());
+void JSTestGenerateIsReachableOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestGenerateIsReachable&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestGenerateIsReachable->impl(), jsTestGenerateIsReachable);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.h

-              r184228
+              r189616
 class JSTestGenerateIsReachableOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp

-              r189188
+              r189616
 #endif
 bool JSTestInterfaceOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     auto* jsTestInterface = jsCast<JSTestInterface*>(handle.slot()->asCell());
     if (jsTestInterface->impl().hasPendingActivity())
+bool JSTestInterfaceOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    auto& jsTestInterface = jsCast<JSTestInterface&>(cell);
+    if (jsTestInterface.impl().hasPendingActivity())
         return true;
     UNUSED_PARAM(visitor);
 …
+}
 void JSTestInterfaceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestInterface = jsCast<JSTestInterface*>(handle.slot()->asCell());
+void JSTestInterfaceOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestInterface&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestInterface->impl(), jsTestInterface);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.h

-              r183523
+              r189616
 class JSTestInterfaceOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp

-              r189188
+              r189616
+}
 bool JSTestMediaQueryListListenerOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestMediaQueryListListenerOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestMediaQueryListListenerOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestMediaQueryListListener = jsCast<JSTestMediaQueryListListener*>(handle.slot()->asCell());
+void JSTestMediaQueryListListenerOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestMediaQueryListListener&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestMediaQueryListListener->impl(), jsTestMediaQueryListListener);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.h

-              r184228
+              r189616
 class JSTestMediaQueryListListenerOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp

-              r189507
+              r189616
+}
 bool JSTestNamedConstructorOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     auto* jsTestNamedConstructor = jsCast<JSTestNamedConstructor*>(handle.slot()->asCell());
     if (jsTestNamedConstructor->impl().hasPendingActivity())
+bool JSTestNamedConstructorOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    auto& jsTestNamedConstructor = jsCast<JSTestNamedConstructor&>(cell);
+    if (jsTestNamedConstructor.impl().hasPendingActivity())
         return true;
     UNUSED_PARAM(visitor);
 …
+}
 void JSTestNamedConstructorOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestNamedConstructor = jsCast<JSTestNamedConstructor*>(handle.slot()->asCell());
+void JSTestNamedConstructorOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestNamedConstructor&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestNamedConstructor->impl(), jsTestNamedConstructor);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.h

-              r184228
+              r189616
 class JSTestNamedConstructorOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNondeterministic.cpp

-              r189188
+              r189616
+}
 bool JSTestNondeterministicOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestNondeterministicOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestNondeterministicOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestNondeterministic = jsCast<JSTestNondeterministic*>(handle.slot()->asCell());
+void JSTestNondeterministicOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestNondeterministic&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestNondeterministic->impl(), jsTestNondeterministic);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNondeterministic.h

-              r184228
+              r189616
 class JSTestNondeterministicOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp

-              r189507
+              r189616
+}
 bool JSTestObjOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestObjOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestObjOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestObj = jsCast<JSTestObj*>(handle.slot()->asCell());
+void JSTestObjOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestObj&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestObj->impl(), jsTestObj);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.h

-              r188334
+              r189616
 class JSTestObjOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp

-              r189188
+              r189616
+}
 bool JSTestOverloadedConstructorsOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestOverloadedConstructorsOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestOverloadedConstructorsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestOverloadedConstructors = jsCast<JSTestOverloadedConstructors*>(handle.slot()->asCell());
+void JSTestOverloadedConstructorsOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestOverloadedConstructors&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestOverloadedConstructors->impl(), jsTestOverloadedConstructors);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.h

-              r184228
+              r189616
 class JSTestOverloadedConstructorsOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp

-              r189188
+              r189616
+}
 bool JSTestOverrideBuiltinsOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestOverrideBuiltinsOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestOverrideBuiltinsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestOverrideBuiltins = jsCast<JSTestOverrideBuiltins*>(handle.slot()->asCell());
+void JSTestOverrideBuiltinsOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestOverrideBuiltins&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestOverrideBuiltins->impl(), jsTestOverrideBuiltins);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.h

-              r188663
+              r189616
 class JSTestOverrideBuiltinsOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp

-              r189188
+              r189616
+}
 bool JSTestSerializedScriptValueInterfaceOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestSerializedScriptValueInterfaceOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestSerializedScriptValueInterfaceOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestSerializedScriptValueInterface = jsCast<JSTestSerializedScriptValueInterface*>(handle.slot()->asCell());
+void JSTestSerializedScriptValueInterfaceOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestSerializedScriptValueInterface&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestSerializedScriptValueInterface->impl(), jsTestSerializedScriptValueInterface);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.h

-              r184228
+              r189616
 class JSTestSerializedScriptValueInterfaceOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp

-              r189188
+              r189616
+}
 bool JSTestTypedefsOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSTestTypedefsOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSTestTypedefsOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsTestTypedefs = jsCast<JSTestTypedefs*>(handle.slot()->asCell());
+void JSTestTypedefsOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSTestTypedefs&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsTestTypedefs->impl(), jsTestTypedefs);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.h

-              r184228
+              r189616
 class JSTestTypedefsOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSattribute.cpp

-              r189188
+              r189616
+}
 bool JSattributeOwner::isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor)
+{
     UNUSED_PARAM(handle);
+bool JSattributeOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
+{
+    UNUSED_PARAM(cell);
     UNUSED_PARAM(visitor);
     return false;
+}
 void JSattributeOwner::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     auto* jsattribute = jsCast<JSattribute*>(handle.slot()->asCell());
+void JSattributeOwner::finalize(JSC::JSCell*& cell, void* context)
+{
+    auto& wrapper = jsCast<JSattribute&>(*cell);
     auto& world = *static_cast<DOMWrapperWorld*>(context);
     uncacheWrapper(world, &jsattribute->impl(), jsattribute);
+    uncacheWrapper(world, &wrapper.impl(), &wrapper);
+}

trunk/Source/WebCore/bindings/scripts/test/JS/JSattribute.h

-              r184228
+              r189616
 class JSattributeOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bindings/scripts/test/JS/JSreadonly.cpp

r189188	r189616
153	153	}
154	154
155		bool JSreadonlyOwner::isReachableFromOpaqueRoots(JSC::~~Handle<JSC::Unknown> handle~~, void*, SlotVisitor& visitor)
	155	bool JSreadonlyOwner::isReachableFromOpaqueRoots(JSC::JSCell& cell, void*, SlotVisitor& visitor)
156	156	{
157		UNUSED_PARAM(~~handle~~);
	157	UNUSED_PARAM(cell);
158	158	UNUSED_PARAM(visitor);
159	159	return false;
160	160	}
161	161
162		void JSreadonlyOwner::finalize(JSC::~~Handle<JSC::Unknown> handle~~, void* context)
	162	void JSreadonlyOwner::finalize(JSC::JSCell& cell, void context)
163	163	{
164		auto* jsreadonly = jsCast<JSreadonly*>(handle.slot()->asCell());
	164	auto& wrapper = jsCast<JSreadonly&>(*cell);
165	165	auto& world = static_cast<DOMWrapperWorld>(context);
166		uncacheWrapper(world, &~~jsreadonly->impl(), jsreadonly~~);
	166	uncacheWrapper(world, &wrapper.impl(), &wrapper);
167	167	}
168	168

trunk/Source/WebCore/bindings/scripts/test/JS/JSreadonly.h

-              r184228
+              r189616
 class JSreadonlyOwner : public JSC::WeakHandleOwner {
 public:
     virtual bool isReachableFromOpaqueRoots(JSC::Handle<JSC::Unknown>, void* context, JSC::SlotVisitor&);
     virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    bool isReachableFromOpaqueRoots(JSC::JSCell&, void* context, JSC::SlotVisitor&) override;
+    void finalize(JSC::JSCell*&, void* context) override;
 };

trunk/Source/WebCore/bridge/runtime_root.cpp

-              r171371
+              r189616
+}
 void RootObject::finalize(JSC::Handle<JSC::Unknown> handle, void*)
+{
     RuntimeObject* object = static_cast<RuntimeObject*>(handle.slot()->asCell());
+void RootObject::finalize(JSC::JSCell*& cell, void*)
+{
+    RuntimeObject* object = jsCast<RuntimeObject*>(cell);
     Ref<RootObject> protect(*this);

trunk/Source/WebCore/bridge/runtime_root.h

r172814	r189616
84	84
85	85	// WeakHandleOwner
86		v~~irtual void finalize(JSC::Handle<JSC::Unknown>~~, void* context) override;
	86	void finalize(JSC::JSCell&, void context) override;
87	87
88	88	bool m_isValid;

trunk/Source/WebKit2/ChangeLog

-              r189602
+              r189616
+-09-11  Andreas Kling  <[email protected]>
+        [JSC] Weak should only accept cell pointees.
+        <https://webkit.org/b/148955>
+        Reviewed by Geoffrey Garen.
+        * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
+        (WebKit::NPRuntimeObjectMap::finalize):
+        * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.h:
 -09-10  Joseph Pecoraro  <[email protected]>

trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp

-              r173696
+              r189616
+}
 void NPRuntimeObjectMap::finalize(JSC::Handle<JSC::Unknown> handle, void* context)
+{
     JSNPObject* object = jsCast<JSNPObject*>(handle.get().asCell());
     weakRemove(m_jsNPObjects, static_cast<NPObject*>(context), object);
     addToInvalidationQueue(object->leakNPObject());
+void NPRuntimeObjectMap::finalize(JSC::JSCell*& cell, void* context)
+{
+    JSNPObject& object = jsCast<JSNPObject&>(*cell);
+    weakRemove(m_jsNPObjects, static_cast<NPObject*>(context), &object);
+    addToInvalidationQueue(object.leakNPObject());
+}

trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.h

-              r159001
+              r189616
 // A per plug-in map of NPObjects that wrap JavaScript objects.
 class NPRuntimeObjectMap : private JSC::WeakHandleOwner {
+class NPRuntimeObjectMap final : private JSC::WeakHandleOwner {
 public:
     explicit NPRuntimeObjectMap(PluginView*);
 …
 private:
     // WeakHandleOwner
+    virtual void finalize(JSC::Handle<JSC::Unknown>, void* context);
+    void finalize(JSC::JSCell*&, void* context) override;
     void addToInvalidationQueue(NPObject*);
     void invalidateQueuedObjects();

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 189616 in webkit

Legend:

Download in other formats: