Bindings integrity logic depends on incorrect behavior of constexpr if

https://bugs.webkit.org/show_bug.cgi?id=274202 rdar://128006867 Reviewed by Chris Dumez. The existing code from generated for the bindings attempts to use `if constexpr (std::is_polymorphic_v<Type>)` to gate access to an object's vtable pointer if the object does not have a vtable. Due to a bug in clang this was historically allowed. However the actual spec behavior of `if constexpr` requires that all contained code that does not make use of a dependent type or value be semantically valid regardless of whether the condition is true or false. e.g. void *v = nullptr; if constexpr (false) { v++; } is invalid even though the body is never evaluated. To deal with this particular issue what this patch does is have codegen introduce a new `verifyVTable` function of the form template <typename T> void verifyVTable(const ImplType *) { if constexpr (std::is_polymorphic_v<T>) { ... } } That is then called from the toJS functions as verifyVTable<ImplType>(impl.get()); This code obviously appears silly as we will only ever be evaluating `void verifyVTable(const ImplType *)` with T==ImplType, but it satisfies the requirement that the constexpr evaluation involves a dependent type or value. In an ideal world there would be a mechanism to get the vtable for a type, which would allow us to have a single generic function, but alas there is not, so we cannot. * Source/WTF/wtf/PointerPreparations.h: (WTF::getVTablePointer): Add enable_if guards on the getVTablePointer functions so that the same ensuring the `if constexpr` path fails in existing compilers * Source/WebCore/bindings/scripts/CodeGeneratorJS.pm: (GenerateImplementation): Change the codegen to introduce and call the intermediate verifyVTable function. * Source/WebCore/bindings/scripts/test/JS/JSExposedStar.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSExposedToWorkerAndWindow.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestAsyncIterable.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestAsyncKeyValueIterable.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestCallTracer.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestConditionalIncludes.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestConditionallyReadWrite.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestDefaultToJSON.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestDefaultToJSONFilteredByExposed.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestDelegateToSharedSyntheticAttribute.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestDomainSecurity.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestEnabledBySetting.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestEnabledForContext.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestGenerateAddOpaqueRoot.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestLegacyFactoryFunction.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestLegacyNoInterfaceObject.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestLegacyOverrideBuiltIns.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestMapLike.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestMapLikeWithOverriddenOperations.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterNoIdentifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterThrowingException.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterWithIdentifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterWithIndexedGetter.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterCallWith.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterNoIdentifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterWithIdentifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyOverrideBuiltIns.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeableProperties.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeablePropertiesAndLegacyOverrideBuiltIns.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestNode.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestOperationConditional.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestPromiseRejectionEvent.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestReadOnlyMapLike.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestReadOnlySetLike.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestReportExtraMemoryCost.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestScheduledAction.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestSetLike.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestSetLikeWithOverriddenOperations.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestStringContext.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestStringifier.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestStringifierAnonymousOperation.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestStringifierNamedOperation.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestStringifierOperationImplementedAs.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestStringifierOperationNamedToString.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestStringifierReadOnlyAttribute.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestStringifierReadWriteAttribute.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestTaggedWrapper.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): * Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp: (WebCore::verifyVTable): (WebCore::toJSNewlyCreated): Canonical link: https://commits.webkit.org/278886@main
WebKit · May 16, 2024 · b40b23e · b40b23e
1 parent 0f65c8e
commit b40b23e
Show file tree

Hide file tree

Showing 76 changed files with 764 additions and 684 deletions.
diff --git a/Source/WTF/wtf/PointerPreparations.h b/Source/WTF/wtf/PointerPreparations.h
@@ -29,21 +29,23 @@
 #include <ptrauth.h>
 #endif
 
+#include <type_traits>
+
 namespace WTF {
 
 #if COMPILER_HAS_CLANG_BUILTIN(__builtin_get_vtable_pointer)
 
-template<typename T>
-ALWAYS_INLINE const void* getVTablePointer(T* o) { return __builtin_get_vtable_pointer(o); }
+template<typename T, typename = std::enable_if_t<std::is_polymorphic_v<T>>>
+ALWAYS_INLINE const void* getVTablePointer(const T* o) { return __builtin_get_vtable_pointer(o); }
 
 #else // not COMPILER_HAS_CLANG_BUILTIN(__builtin_get_vtable_pointer)
 
 #if CPU(ARM64E)
-template<typename T>
-ALWAYS_INLINE const void* getVTablePointer(T* o) { return __builtin_ptrauth_auth(*(reinterpret_cast<void**>(o)), ptrauth_key_cxx_vtable_pointer, 0); }
+template<typename T, typename = std::enable_if_t<std::is_polymorphic_v<T>>>
+ALWAYS_INLINE const void* getVTablePointer(const T* o) { return __builtin_ptrauth_auth(*(reinterpret_cast<const void* const*>(o)), ptrauth_key_cxx_vtable_pointer, 0); }
 #else // not CPU(ARM64E)
-template<typename T>
-ALWAYS_INLINE const void* getVTablePointer(T* o) { return (*(reinterpret_cast<void**>(o))); }
+template<typename T, typename = std::enable_if_t<std::is_polymorphic_v<T>>>
+ALWAYS_INLINE const void* getVTablePointer(const T* o) { return (*(reinterpret_cast<const void* const*>(o))); }
 #endif // not CPU(ARM64E)
 
 #endif // not COMPILER_HAS_CLANG_BUILTIN(__builtin_get_vtable_pointer)

diff --git a/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm b/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
@@ -5368,6 +5368,9 @@ sub GenerateImplementation
         my $vtableRefGnu = GetGnuVTableRefForInterface($interface);
         my $vtableRefWin = GetWinVTableRefForInterface($interface);
 
+        # We use a templated verifyVTable function here to force the type
+        # being checked to be a dependent type so we can rely on `if constexpr`
+        # not causing errors when evaluated.
         push(@implContent, <<END) if $vtableNameGnu;
 #if ENABLE(BINDING_INTEGRITY)
 #if PLATFORM(WIN)
@@ -5376,17 +5379,9 @@ extern "C" { extern void (*const ${vtableRefWin}[])(); }
 #else
 extern "C" { extern void* ${vtableNameGnu}[]; }
 #endif
-#endif
-
-END
-
-        push(@implContent, "JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<$implType>&& impl)\n");
-        push(@implContent, "{\n");
-        push(@implContent, <<END) if $vtableNameGnu;
-
-    if constexpr (std::is_polymorphic_v<${implType}>) {
-#if ENABLE(BINDING_INTEGRITY)
-        const void* actualVTablePointer = getVTablePointer(impl.ptr());
+template<typename T, typename = std::enable_if_t<std::is_same_v<T, ${implType}>, void>> static inline void verifyVTable(${implType}* ptr) {
+    if constexpr (std::is_polymorphic_v<T>) {
+        const void* actualVTablePointer = getVTablePointer<T>(ptr);
 #if PLATFORM(WIN)
         void* expectedVTablePointer = ${vtableRefWin};
 #else
@@ -5398,8 +5393,17 @@ END
         // to toJS() we currently require $interfaceName you to opt out of binding hardening
         // by adding the SkipVTableValidation attribute to the interface IDL definition
         RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
-#endif
     }
+}
+#endif
+END
+
+        push(@implContent, "JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<$implType>&& impl)\n");
+        push(@implContent, "{\n");
+        push(@implContent, <<END) if $vtableNameGnu;
+#if ENABLE(BINDING_INTEGRITY)
+    verifyVTable<$implType>(impl.ptr());
+#endif
 END
         push(@implContent, "    return createWrapper<${implType}>(globalObject, WTFMove(impl));\n");
         push(@implContent, "}\n\n");

diff --git a/Source/WebCore/bindings/scripts/test/JS/JSExposedStar.cpp b/Source/WebCore/bindings/scripts/test/JS/JSExposedStar.cpp
@@ -257,14 +257,9 @@ extern "C" { extern void (*const __identifier("??_7ExposedStar@WebCore@@6B@")[])
 #else
 extern "C" { extern void* _ZTVN7WebCore11ExposedStarE[]; }
 #endif
-#endif
-
-JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<ExposedStar>&& impl)
-{
-
-    if constexpr (std::is_polymorphic_v<ExposedStar>) {
-#if ENABLE(BINDING_INTEGRITY)
-        const void* actualVTablePointer = getVTablePointer(impl.ptr());
+template<typename T, typename = std::enable_if_t<std::is_same_v<T, ExposedStar>, void>> static inline void verifyVTable(ExposedStar* ptr) {
+    if constexpr (std::is_polymorphic_v<T>) {
+        const void* actualVTablePointer = getVTablePointer<T>(ptr);
 #if PLATFORM(WIN)
         void* expectedVTablePointer = __identifier("??_7ExposedStar@WebCore@@6B@");
 #else
@@ -276,8 +271,14 @@ JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObj
         // to toJS() we currently require ExposedStar you to opt out of binding hardening
         // by adding the SkipVTableValidation attribute to the interface IDL definition
         RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
-#endif
     }
+}
+#endif
+JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<ExposedStar>&& impl)
+{
+#if ENABLE(BINDING_INTEGRITY)
+    verifyVTable<ExposedStar>(impl.ptr());
+#endif
     return createWrapper<ExposedStar>(globalObject, WTFMove(impl));
 }
 

diff --git a/Source/WebCore/bindings/scripts/test/JS/JSExposedToWorkerAndWindow.cpp b/Source/WebCore/bindings/scripts/test/JS/JSExposedToWorkerAndWindow.cpp
@@ -283,14 +283,9 @@ extern "C" { extern void (*const __identifier("??_7ExposedToWorkerAndWindow@WebC
 #else
 extern "C" { extern void* _ZTVN7WebCore24ExposedToWorkerAndWindowE[]; }
 #endif
-#endif
-
-JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<ExposedToWorkerAndWindow>&& impl)
-{
-
-    if constexpr (std::is_polymorphic_v<ExposedToWorkerAndWindow>) {
-#if ENABLE(BINDING_INTEGRITY)
-        const void* actualVTablePointer = getVTablePointer(impl.ptr());
+template<typename T, typename = std::enable_if_t<std::is_same_v<T, ExposedToWorkerAndWindow>, void>> static inline void verifyVTable(ExposedToWorkerAndWindow* ptr) {
+    if constexpr (std::is_polymorphic_v<T>) {
+        const void* actualVTablePointer = getVTablePointer<T>(ptr);
 #if PLATFORM(WIN)
         void* expectedVTablePointer = __identifier("??_7ExposedToWorkerAndWindow@WebCore@@6B@");
 #else
@@ -302,8 +297,14 @@ JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObj
         // to toJS() we currently require ExposedToWorkerAndWindow you to opt out of binding hardening
         // by adding the SkipVTableValidation attribute to the interface IDL definition
         RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
-#endif
     }
+}
+#endif
+JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<ExposedToWorkerAndWindow>&& impl)
+{
+#if ENABLE(BINDING_INTEGRITY)
+    verifyVTable<ExposedToWorkerAndWindow>(impl.ptr());
+#endif
     return createWrapper<ExposedToWorkerAndWindow>(globalObject, WTFMove(impl));
 }
 

diff --git a/Source/WebCore/bindings/scripts/test/JS/JSTestAsyncIterable.cpp b/Source/WebCore/bindings/scripts/test/JS/JSTestAsyncIterable.cpp
@@ -303,14 +303,9 @@ extern "C" { extern void (*const __identifier("??_7TestAsyncIterable@WebCore@@6B
 #else
 extern "C" { extern void* _ZTVN7WebCore17TestAsyncIterableE[]; }
 #endif
-#endif
-
-JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestAsyncIterable>&& impl)
-{
-
-    if constexpr (std::is_polymorphic_v<TestAsyncIterable>) {
-#if ENABLE(BINDING_INTEGRITY)
-        const void* actualVTablePointer = getVTablePointer(impl.ptr());
+template<typename T, typename = std::enable_if_t<std::is_same_v<T, TestAsyncIterable>, void>> static inline void verifyVTable(TestAsyncIterable* ptr) {
+    if constexpr (std::is_polymorphic_v<T>) {
+        const void* actualVTablePointer = getVTablePointer<T>(ptr);
 #if PLATFORM(WIN)
         void* expectedVTablePointer = __identifier("??_7TestAsyncIterable@WebCore@@6B@");
 #else
@@ -322,8 +317,14 @@ JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObj
         // to toJS() we currently require TestAsyncIterable you to opt out of binding hardening
         // by adding the SkipVTableValidation attribute to the interface IDL definition
         RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
-#endif
     }
+}
+#endif
+JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestAsyncIterable>&& impl)
+{
+#if ENABLE(BINDING_INTEGRITY)
+    verifyVTable<TestAsyncIterable>(impl.ptr());
+#endif
     return createWrapper<TestAsyncIterable>(globalObject, WTFMove(impl));
 }
 

diff --git a/Source/WebCore/bindings/scripts/test/JS/JSTestAsyncKeyValueIterable.cpp b/Source/WebCore/bindings/scripts/test/JS/JSTestAsyncKeyValueIterable.cpp
@@ -304,14 +304,9 @@ extern "C" { extern void (*const __identifier("??_7TestAsyncKeyValueIterable@Web
 #else
 extern "C" { extern void* _ZTVN7WebCore25TestAsyncKeyValueIterableE[]; }
 #endif
-#endif
-
-JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestAsyncKeyValueIterable>&& impl)
-{
-
-    if constexpr (std::is_polymorphic_v<TestAsyncKeyValueIterable>) {
-#if ENABLE(BINDING_INTEGRITY)
-        const void* actualVTablePointer = getVTablePointer(impl.ptr());
+template<typename T, typename = std::enable_if_t<std::is_same_v<T, TestAsyncKeyValueIterable>, void>> static inline void verifyVTable(TestAsyncKeyValueIterable* ptr) {
+    if constexpr (std::is_polymorphic_v<T>) {
+        const void* actualVTablePointer = getVTablePointer<T>(ptr);
 #if PLATFORM(WIN)
         void* expectedVTablePointer = __identifier("??_7TestAsyncKeyValueIterable@WebCore@@6B@");
 #else
@@ -323,8 +318,14 @@ JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObj
         // to toJS() we currently require TestAsyncKeyValueIterable you to opt out of binding hardening
         // by adding the SkipVTableValidation attribute to the interface IDL definition
         RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
-#endif
     }
+}
+#endif
+JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestAsyncKeyValueIterable>&& impl)
+{
+#if ENABLE(BINDING_INTEGRITY)
+    verifyVTable<TestAsyncKeyValueIterable>(impl.ptr());
+#endif
     return createWrapper<TestAsyncKeyValueIterable>(globalObject, WTFMove(impl));
 }
 

diff --git a/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp b/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp
@@ -473,14 +473,9 @@ extern "C" { extern void (*const __identifier("??_7TestCEReactions@WebCore@@6B@"
 #else
 extern "C" { extern void* _ZTVN7WebCore15TestCEReactionsE[]; }
 #endif
-#endif
-
-JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestCEReactions>&& impl)
-{
-
-    if constexpr (std::is_polymorphic_v<TestCEReactions>) {
-#if ENABLE(BINDING_INTEGRITY)
-        const void* actualVTablePointer = getVTablePointer(impl.ptr());
+template<typename T, typename = std::enable_if_t<std::is_same_v<T, TestCEReactions>, void>> static inline void verifyVTable(TestCEReactions* ptr) {
+    if constexpr (std::is_polymorphic_v<T>) {
+        const void* actualVTablePointer = getVTablePointer<T>(ptr);
 #if PLATFORM(WIN)
         void* expectedVTablePointer = __identifier("??_7TestCEReactions@WebCore@@6B@");
 #else
@@ -492,8 +487,14 @@ JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObj
         // to toJS() we currently require TestCEReactions you to opt out of binding hardening
         // by adding the SkipVTableValidation attribute to the interface IDL definition
         RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
-#endif
     }
+}
+#endif
+JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestCEReactions>&& impl)
+{
+#if ENABLE(BINDING_INTEGRITY)
+    verifyVTable<TestCEReactions>(impl.ptr());
+#endif
     return createWrapper<TestCEReactions>(globalObject, WTFMove(impl));
 }
 

diff --git a/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp b/Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp
@@ -295,14 +295,9 @@ extern "C" { extern void (*const __identifier("??_7TestCEReactionsStringifier@We
 #else
 extern "C" { extern void* _ZTVN7WebCore26TestCEReactionsStringifierE[]; }
 #endif
-#endif
-
-JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestCEReactionsStringifier>&& impl)
-{
-
-    if constexpr (std::is_polymorphic_v<TestCEReactionsStringifier>) {
-#if ENABLE(BINDING_INTEGRITY)
-        const void* actualVTablePointer = getVTablePointer(impl.ptr());
+template<typename T, typename = std::enable_if_t<std::is_same_v<T, TestCEReactionsStringifier>, void>> static inline void verifyVTable(TestCEReactionsStringifier* ptr) {
+    if constexpr (std::is_polymorphic_v<T>) {
+        const void* actualVTablePointer = getVTablePointer<T>(ptr);
 #if PLATFORM(WIN)
         void* expectedVTablePointer = __identifier("??_7TestCEReactionsStringifier@WebCore@@6B@");
 #else
@@ -314,8 +309,14 @@ JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObj
         // to toJS() we currently require TestCEReactionsStringifier you to opt out of binding hardening
         // by adding the SkipVTableValidation attribute to the interface IDL definition
         RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
-#endif
     }
+}
+#endif
+JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestCEReactionsStringifier>&& impl)
+{
+#if ENABLE(BINDING_INTEGRITY)
+    verifyVTable<TestCEReactionsStringifier>(impl.ptr());
+#endif
     return createWrapper<TestCEReactionsStringifier>(globalObject, WTFMove(impl));
 }
 

diff --git a/Source/WebCore/bindings/scripts/test/JS/JSTestCallTracer.cpp b/Source/WebCore/bindings/scripts/test/JS/JSTestCallTracer.cpp
@@ -545,14 +545,9 @@ extern "C" { extern void (*const __identifier("??_7TestCallTracer@WebCore@@6B@")
 #else
 extern "C" { extern void* _ZTVN7WebCore14TestCallTracerE[]; }
 #endif
-#endif
-
-JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestCallTracer>&& impl)
-{
-
-    if constexpr (std::is_polymorphic_v<TestCallTracer>) {
-#if ENABLE(BINDING_INTEGRITY)
-        const void* actualVTablePointer = getVTablePointer(impl.ptr());
+template<typename T, typename = std::enable_if_t<std::is_same_v<T, TestCallTracer>, void>> static inline void verifyVTable(TestCallTracer* ptr) {
+    if constexpr (std::is_polymorphic_v<T>) {
+        const void* actualVTablePointer = getVTablePointer<T>(ptr);
 #if PLATFORM(WIN)
         void* expectedVTablePointer = __identifier("??_7TestCallTracer@WebCore@@6B@");
 #else
@@ -564,8 +559,14 @@ JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObj
         // to toJS() we currently require TestCallTracer you to opt out of binding hardening
         // by adding the SkipVTableValidation attribute to the interface IDL definition
         RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
-#endif
     }
+}
+#endif
+JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestCallTracer>&& impl)
+{
+#if ENABLE(BINDING_INTEGRITY)
+    verifyVTable<TestCallTracer>(impl.ptr());
+#endif
     return createWrapper<TestCallTracer>(globalObject, WTFMove(impl));
 }
 

diff --git a/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp b/Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp
@@ -205,14 +205,9 @@ extern "C" { extern void (*const __identifier("??_7TestClassWithJSBuiltinConstru
 #else
 extern "C" { extern void* _ZTVN7WebCore33TestClassWithJSBuiltinConstructorE[]; }
 #endif
-#endif
-
-JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestClassWithJSBuiltinConstructor>&& impl)
-{
-
-    if constexpr (std::is_polymorphic_v<TestClassWithJSBuiltinConstructor>) {
-#if ENABLE(BINDING_INTEGRITY)
-        const void* actualVTablePointer = getVTablePointer(impl.ptr());
+template<typename T, typename = std::enable_if_t<std::is_same_v<T, TestClassWithJSBuiltinConstructor>, void>> static inline void verifyVTable(TestClassWithJSBuiltinConstructor* ptr) {
+    if constexpr (std::is_polymorphic_v<T>) {
+        const void* actualVTablePointer = getVTablePointer<T>(ptr);
 #if PLATFORM(WIN)
         void* expectedVTablePointer = __identifier("??_7TestClassWithJSBuiltinConstructor@WebCore@@6B@");
 #else
@@ -224,8 +219,14 @@ JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObj
         // to toJS() we currently require TestClassWithJSBuiltinConstructor you to opt out of binding hardening
         // by adding the SkipVTableValidation attribute to the interface IDL definition
         RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
-#endif
     }
+}
+#endif
+JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestClassWithJSBuiltinConstructor>&& impl)
+{
+#if ENABLE(BINDING_INTEGRITY)
+    verifyVTable<TestClassWithJSBuiltinConstructor>(impl.ptr());
+#endif
     return createWrapper<TestClassWithJSBuiltinConstructor>(globalObject, WTFMove(impl));
 }
 

diff --git a/Source/WebCore/bindings/scripts/test/JS/JSTestConditionalIncludes.cpp b/Source/WebCore/bindings/scripts/test/JS/JSTestConditionalIncludes.cpp
@@ -822,14 +822,9 @@ extern "C" { extern void (*const __identifier("??_7TestConditionalIncludes@WebCo
 #else
 extern "C" { extern void* _ZTVN7WebCore23TestConditionalIncludesE[]; }
 #endif
-#endif
-
-JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestConditionalIncludes>&& impl)
-{
-
-    if constexpr (std::is_polymorphic_v<TestConditionalIncludes>) {
-#if ENABLE(BINDING_INTEGRITY)
-        const void* actualVTablePointer = getVTablePointer(impl.ptr());
+template<typename T, typename = std::enable_if_t<std::is_same_v<T, TestConditionalIncludes>, void>> static inline void verifyVTable(TestConditionalIncludes* ptr) {
+    if constexpr (std::is_polymorphic_v<T>) {
+        const void* actualVTablePointer = getVTablePointer<T>(ptr);
 #if PLATFORM(WIN)
         void* expectedVTablePointer = __identifier("??_7TestConditionalIncludes@WebCore@@6B@");
 #else
@@ -841,8 +836,14 @@ JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObj
         // to toJS() we currently require TestConditionalIncludes you to opt out of binding hardening
         // by adding the SkipVTableValidation attribute to the interface IDL definition
         RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
-#endif
     }
+}
+#endif
+JSC::JSValue toJSNewlyCreated(JSC::JSGlobalObject*, JSDOMGlobalObject* globalObject, Ref<TestConditionalIncludes>&& impl)
+{
+#if ENABLE(BINDING_INTEGRITY)
+    verifyVTable<TestConditionalIncludes>(impl.ptr());
+#endif
     return createWrapper<TestConditionalIncludes>(globalObject, WTFMove(impl));
 }