Remove poisons in JSCPoison and uses of them.
https://bugs.webkit.org/show_bug.cgi?id=195082

Reviewed by Yusuke Suzuki.

Also removed unused poisoning code in WriteBarrier, AssemblyHelpers,
DFG::SpeculativeJIT, FTLLowerDFGToB3, and FTL::Output.

* API/JSAPIWrapperObject.h:
(JSC::JSAPIWrapperObject::wrappedObject):
* API/JSCallbackFunction.h:
* API/JSCallbackObject.h:
* API/glib/JSAPIWrapperGlobalObject.h:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileGetExecutable):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer): Deleted.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::weakPointer):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer): Deleted.
* ftl/FTLOutput.h:
(JSC::FTL::Output::weakPoisonedPointer): Deleted.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitDynamicPoison): Deleted.
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType): Deleted.
(JSC::AssemblyHelpers::emitDynamicPoisonOnType): Deleted.
* jit/AssemblyHelpers.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_this):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitScopedArgumentsGetByVal):
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* parser/UnlinkedSourceCode.h:
* runtime/ArrayPrototype.h:
* runtime/CustomGetterSetter.h:
(JSC::CustomGetterSetter::getter const):
(JSC::CustomGetterSetter::setter const):
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::getCallData):
(JSC::InternalFunction::getConstructData):
* runtime/InternalFunction.h:
(JSC::InternalFunction::nativeFunctionFor):
* runtime/JSArrayBuffer.h:
* runtime/JSBoundFunction.h:
* runtime/JSCPoison.cpp: Removed.
* runtime/JSCPoison.h: Removed.
* runtime/JSFunction.h:
* runtime/JSGlobalObject.h:
* runtime/JSScriptFetchParameters.h:
* runtime/JSScriptFetcher.h:
* runtime/JSString.h:
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::hashFor const):
* runtime/NativeExecutable.h:
* runtime/Options.h:
* runtime/ScopedArguments.h:
* runtime/Structure.cpp:
(JSC::StructureTransitionTable::setSingleTransition):
* runtime/StructureTransitionTable.h:
(JSC::StructureTransitionTable::map const):
(JSC::StructureTransitionTable::weakImpl const):
(JSC::StructureTransitionTable::setMap):
* runtime/WriteBarrier.h:
* wasm/WasmB3IRGenerator.cpp:
* wasm/WasmInstance.h:
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::visitChildren):
* wasm/js/JSWebAssemblyInstance.h:
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::clearFunction):
* wasm/js/JSWebAssemblyTable.h:
* wasm/js/WasmToJS.cpp:
(JSC::Wasm::materializeImportJSCell):
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
* wasm/js/WebAssemblyFunctionBase.h:
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):
* wasm/js/WebAssemblyModuleRecord.h:
* wasm/js/WebAssemblyToJSCallee.h:
* wasm/js/WebAssemblyWrapperFunction.h:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@242123 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/API/JSAPIWrapperObject.h b/Source/JavaScriptCore/API/JSAPIWrapperObject.h
index 305fca4..dd874dc 100644
--- a/Source/JavaScriptCore/API/JSAPIWrapperObject.h
+++ b/Source/JavaScriptCore/API/JSAPIWrapperObject.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,9 +27,7 @@
 #define JSAPIWrapperObject_h
 
 #include "JSBase.h"
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
-#include <wtf/Poisoned.h>
 
 #if JSC_OBJC_API_ENABLED || defined(JSC_GLIB_API_ENABLED)
 
@@ -42,14 +40,14 @@
     void finishCreation(VM&);
     static void visitChildren(JSCell*, JSC::SlotVisitor&);
     
-    void* wrappedObject() { return m_wrappedObject.unpoisoned(); }
+    void* wrappedObject() { return m_wrappedObject; }
     void setWrappedObject(void*);
 
 protected:
     JSAPIWrapperObject(VM&, Structure*);
 
 private:
-    Poisoned<JSAPIWrapperObjectPoison, void*> m_wrappedObject;
+    void* m_wrappedObject { nullptr };
 };
 
 } // namespace JSC
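Review bot: `m_wrappedObject` is now a plain `void*` member, and nothing on the field or in the commit description records why the `Poisoned<>` wrapper is no longer needed or which hardening, if any, is expected to cover this pointer from here on. A short comment on the field would keep that decision discoverable, for example `// Stored unpoisoned since bug 195082.` The same gap applies to `m_callbackObjectData` in JSCallbackObject.h. Since `wrappedObject()` is now a plain read, it could also be declared `const`. The class body starts outside this hunk.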
diff --git a/Source/JavaScriptCore/API/JSCallbackFunction.h b/Source/JavaScriptCore/API/JSCallbackFunction.h
index 7b2e559..f9e4f96 100644
--- a/Source/JavaScriptCore/API/JSCallbackFunction.h
+++ b/Source/JavaScriptCore/API/JSCallbackFunction.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,7 +27,6 @@
 #define JSCallbackFunction_h
 
 #include "InternalFunction.h"
-#include "JSCPoison.h"
 #include "JSObjectRef.h"
 
 namespace JSC {
@@ -58,9 +57,9 @@
     JSCallbackFunction(VM&, Structure*, JSObjectCallAsFunctionCallback);
     void finishCreation(VM&, const String& name);
 
-    JSObjectCallAsFunctionCallback functionCallback() { return m_callback.unpoisoned(); }
+    JSObjectCallAsFunctionCallback functionCallback() { return m_callback; }
 
-    Poisoned<NativeCodePoison, JSObjectCallAsFunctionCallback> m_callback;
+    JSObjectCallAsFunctionCallback m_callback { nullptr };
 };
 
 } // namespace JSC
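Review bot: `m_callback` is a native function pointer that `functionCallback()` returns, presumably to be called, and after this change the object stores its real address with no scrambling. The hunk does not show whether the value is signed or tagged elsewhere (the tree has `runtime/JSCPtrTag.h`), so the field should say what protects it, e.g. `// Not poisoned (bug 195082); pointer tagging, if any, is applied at <call site>.` If nothing covers it, that is a deliberate reduction in hardening for a code pointer kept in a heap object, and the commit description should state it. The class body starts outside this hunk.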
diff --git a/Source/JavaScriptCore/API/JSCallbackObject.h b/Source/JavaScriptCore/API/JSCallbackObject.h
index a2c4afa..07d709b 100644
--- a/Source/JavaScriptCore/API/JSCallbackObject.h
+++ b/Source/JavaScriptCore/API/JSCallbackObject.h
@@ -27,11 +27,9 @@
 #ifndef JSCallbackObject_h
 #define JSCallbackObject_h
 
-#include "JSCPoison.h"
 #include "JSObjectRef.h"
 #include "JSValueRef.h"
 #include "JSObject.h"
-#include <wtf/PoisonedUniquePtr.h>
 
 namespace JSC {
 
@@ -227,7 +225,7 @@
     static EncodedJSValue staticFunctionGetter(ExecState*, EncodedJSValue, PropertyName);
     static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
 
-    WTF::PoisonedUniquePtr<JSCallbackObjectPoison, JSCallbackObjectData> m_callbackObjectData;
+    std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
     const ClassInfo* m_classInfo { nullptr };
 };
 
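Review bot: `m_callbackObjectData` is now a `std::unique_ptr`, but the include hunk earlier in this file removes `<wtf/PoisonedUniquePtr.h>` without adding `<memory>`, so the header relies on one of its remaining includes to provide the type. Adding `#include <memory>` alongside the other includes would keep the header self-contained. The class body starts outside this hunk.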
diff --git a/Source/JavaScriptCore/API/glib/JSAPIWrapperGlobalObject.h b/Source/JavaScriptCore/API/glib/JSAPIWrapperGlobalObject.h
index 9a3f0c6..d54a9ec 100644
--- a/Source/JavaScriptCore/API/glib/JSAPIWrapperGlobalObject.h
+++ b/Source/JavaScriptCore/API/glib/JSAPIWrapperGlobalObject.h
@@ -27,7 +27,6 @@
 
 #include "JSBase.h"
 #include "JSCGLibWrapperObject.h"
-#include "JSCPoison.h"
 #include "JSGlobalObject.h"
 
 namespace JSC {
diff --git a/Source/JavaScriptCore/CMakeLists.txt b/Source/JavaScriptCore/CMakeLists.txt
index f94d85b..878eaf2 100644
--- a/Source/JavaScriptCore/CMakeLists.txt
+++ b/Source/JavaScriptCore/CMakeLists.txt
@@ -830,7 +830,6 @@
     runtime/JSCInlines.h
     runtime/JSCJSValue.h
     runtime/JSCJSValueInlines.h
-    runtime/JSCPoison.h
     runtime/JSCPtrTag.h
     runtime/JSCallee.h
     runtime/JSCast.h
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 4eb361c..d5381d1 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,5 +1,121 @@
 2019-02-26  Mark Lam  <mark.lam@apple.com>
 
+        Remove poisons in JSCPoison and uses of them.
+        https://bugs.webkit.org/show_bug.cgi?id=195082
+
+        Reviewed by Yusuke Suzuki.
+
+        Also removed unused poisoning code in WriteBarrier, AssemblyHelpers,
+        DFG::SpeculativeJIT, FTLLowerDFGToB3, and FTL::Output.
+
+        * API/JSAPIWrapperObject.h:
+        (JSC::JSAPIWrapperObject::wrappedObject):
+        * API/JSCallbackFunction.h:
+        * API/JSCallbackObject.h:
+        * API/glib/JSAPIWrapperGlobalObject.h:
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateWithGuard):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+        (JSC::DFG::SpeculativeJIT::compileGetExecutable):
+        (JSC::DFG::SpeculativeJIT::compileCreateThis):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer): Deleted.
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+        (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
+        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer): Deleted.
+        * ftl/FTLOutput.h:
+        (JSC::FTL::Output::weakPoisonedPointer): Deleted.
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::emitDynamicPoison): Deleted.
+        (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType): Deleted.
+        (JSC::AssemblyHelpers::emitDynamicPoisonOnType): Deleted.
+        * jit/AssemblyHelpers.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_create_this):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitScopedArgumentsGetByVal):
+        * jit/Repatch.cpp:
+        (JSC::linkPolymorphicCall):
+        * jit/ThunkGenerators.cpp:
+        (JSC::virtualThunkFor):
+        (JSC::nativeForGenerator):
+        (JSC::boundThisNoArgsFunctionCallGenerator):
+        * parser/UnlinkedSourceCode.h:
+        * runtime/ArrayPrototype.h:
+        * runtime/CustomGetterSetter.h:
+        (JSC::CustomGetterSetter::getter const):
+        (JSC::CustomGetterSetter::setter const):
+        * runtime/InitializeThreading.cpp:
+        (JSC::initializeThreading):
+        * runtime/InternalFunction.cpp:
+        (JSC::InternalFunction::getCallData):
+        (JSC::InternalFunction::getConstructData):
+        * runtime/InternalFunction.h:
+        (JSC::InternalFunction::nativeFunctionFor):
+        * runtime/JSArrayBuffer.h:
+        * runtime/JSBoundFunction.h:
+        * runtime/JSCPoison.cpp: Removed.
+        * runtime/JSCPoison.h: Removed.
+        * runtime/JSFunction.h:
+        * runtime/JSGlobalObject.h:
+        * runtime/JSScriptFetchParameters.h:
+        * runtime/JSScriptFetcher.h:
+        * runtime/JSString.h:
+        * runtime/NativeExecutable.cpp:
+        (JSC::NativeExecutable::hashFor const):
+        * runtime/NativeExecutable.h:
+        * runtime/Options.h:
+        * runtime/ScopedArguments.h:
+        * runtime/Structure.cpp:
+        (JSC::StructureTransitionTable::setSingleTransition):
+        * runtime/StructureTransitionTable.h:
+        (JSC::StructureTransitionTable::map const):
+        (JSC::StructureTransitionTable::weakImpl const):
+        (JSC::StructureTransitionTable::setMap):
+        * runtime/WriteBarrier.h:
+        * wasm/WasmB3IRGenerator.cpp:
+        * wasm/WasmInstance.h:
+        * wasm/js/JSToWasm.cpp:
+        (JSC::Wasm::createJSToWasmWrapper):
+        * wasm/js/JSWebAssemblyCodeBlock.h:
+        * wasm/js/JSWebAssemblyInstance.cpp:
+        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
+        (JSC::JSWebAssemblyInstance::visitChildren):
+        * wasm/js/JSWebAssemblyInstance.h:
+        * wasm/js/JSWebAssemblyMemory.h:
+        * wasm/js/JSWebAssemblyModule.h:
+        * wasm/js/JSWebAssemblyTable.cpp:
+        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
+        (JSC::JSWebAssemblyTable::grow):
+        (JSC::JSWebAssemblyTable::clearFunction):
+        * wasm/js/JSWebAssemblyTable.h:
+        * wasm/js/WasmToJS.cpp:
+        (JSC::Wasm::materializeImportJSCell):
+        (JSC::Wasm::handleBadI64Use):
+        (JSC::Wasm::wasmToJS):
+        * wasm/js/WebAssemblyFunctionBase.h:
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::link):
+        (JSC::WebAssemblyModuleRecord::evaluate):
+        * wasm/js/WebAssemblyModuleRecord.h:
+        * wasm/js/WebAssemblyToJSCallee.h:
+        * wasm/js/WebAssemblyWrapperFunction.h:
+
+2019-02-26  Mark Lam  <mark.lam@apple.com>
+
         wasmToJS() should purify incoming NaNs.
         https://bugs.webkit.org/show_bug.cgi?id=194807
         <rdar://problem/48189132>
diff --git a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
index 1084330..ffab99c 100644
--- a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
+++ b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
@@ -1810,7 +1810,6 @@
 		FE1C0FFD1B193E9800B53FCA /* Exception.h in Headers */ = {isa = PBXBuildFile; fileRef = FE1C0FFC1B193E9800B53FCA /* Exception.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		FE20CE9E15F04A9500DF3430 /* LLIntCLoop.h in Headers */ = {isa = PBXBuildFile; fileRef = FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		FE2A87601F02381600EB31B2 /* MinimumReservedZoneSize.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */; };
-		FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2B0B701FD8C4630075DA5F /* JSCPoison.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		FE3022D31E3D73A500BAC493 /* SigillCrashAnalyzer.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D11E3D739600BAC493 /* SigillCrashAnalyzer.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		FE3022D71E42857300BAC493 /* VMInspector.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D51E42856700BAC493 /* VMInspector.h */; };
 		FE318FE01CAC982F00DFCC54 /* ECMAScriptSpecInternalFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = FE318FDE1CAC8C5300DFCC54 /* ECMAScriptSpecInternalFunctions.h */; };
@@ -4819,8 +4818,6 @@
 		FE20CE9B15F04A9500DF3430 /* LLIntCLoop.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = LLIntCLoop.cpp; path = llint/LLIntCLoop.cpp; sourceTree = "<group>"; };
 		FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntCLoop.h; path = llint/LLIntCLoop.h; sourceTree = "<group>"; };
 		FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MinimumReservedZoneSize.h; sourceTree = "<group>"; };
-		FE2B0B681FD0D2970075DA5F /* JSCPoison.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSCPoison.cpp; sourceTree = "<group>"; };
-		FE2B0B701FD8C4630075DA5F /* JSCPoison.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCPoison.h; sourceTree = "<group>"; };
 		FE2E6A7A1D6EA5FE0060F896 /* ThrowScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ThrowScope.cpp; sourceTree = "<group>"; };
 		FE3022D01E3D739600BAC493 /* SigillCrashAnalyzer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SigillCrashAnalyzer.cpp; sourceTree = "<group>"; };
 		FE3022D11E3D739600BAC493 /* SigillCrashAnalyzer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SigillCrashAnalyzer.h; sourceTree = "<group>"; };
@@ -6871,8 +6868,6 @@
 				F692A8870255597D01FF60F7 /* JSCJSValue.cpp */,
 				14ABB36E099C076400E2A24F /* JSCJSValue.h */,
 				865A30F0135007E100CDB49E /* JSCJSValueInlines.h */,
-				FE2B0B681FD0D2970075DA5F /* JSCPoison.cpp */,
-				FE2B0B701FD8C4630075DA5F /* JSCPoison.h */,
 				FE7497E5209001B00003565B /* JSCPtrTag.h */,
 				72AAF7CB1D0D318B005E60BE /* JSCustomGetterSetterFunction.cpp */,
 				72AAF7CC1D0D318B005E60BE /* JSCustomGetterSetterFunction.h */,
@@ -9282,7 +9277,6 @@
 				A5EA70EE19F5B5C40098F5EC /* JSContextRefInspectorSupport.h in Headers */,
 				A5D2E665195E174000A518E7 /* JSContextRefInternal.h in Headers */,
 				148CD1D8108CF902008163C6 /* JSContextRefPrivate.h in Headers */,
-				FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */,
 				FE7497E6209001B10003565B /* JSCPtrTag.h in Headers */,
 				A72028B81797601E0098028C /* JSCTestRunnerUtils.h in Headers */,
 				72AAF7CE1D0D31B3005E60BE /* JSCustomGetterSetterFunction.h in Headers */,
diff --git a/Source/JavaScriptCore/Sources.txt b/Source/JavaScriptCore/Sources.txt
index ad71971..60fcff0 100644
--- a/Source/JavaScriptCore/Sources.txt
+++ b/Source/JavaScriptCore/Sources.txt
@@ -802,7 +802,6 @@
 runtime/JSBigInt.cpp
 runtime/JSBoundFunction.cpp
 runtime/JSCJSValue.cpp
-runtime/JSCPoison.cpp
 runtime/JSCallee.cpp
 runtime/JSCell.cpp
 runtime/JSCustomGetterSetterFunction.cpp
diff --git a/Source/JavaScriptCore/bytecode/AccessCase.cpp b/Source/JavaScriptCore/bytecode/AccessCase.cpp
index 9e6ec7b..b00f14d 100644
--- a/Source/JavaScriptCore/bytecode/AccessCase.cpp
+++ b/Source/JavaScriptCore/bytecode/AccessCase.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -511,7 +511,6 @@
         jit.loadPtr(
             CCallHelpers::Address(baseGPR, ScopedArguments::offsetOfStorage()),
             scratchGPR);
-        jit.xorPtr(CCallHelpers::TrustedImmPtr(ScopedArgumentsPoison::key()), scratchGPR);
         fallThrough.append(
             jit.branchTest8(
                 CCallHelpers::NonZero,
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index d08ea5b..a5117c1 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -6869,8 +6869,6 @@
     
     m_jit.loadPtr(
         MacroAssembler::Address(baseReg, ScopedArguments::offsetOfStorage()), resultRegs.payloadGPR());
-    m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), resultRegs.payloadGPR());
-    
     m_jit.load32(
         MacroAssembler::Address(resultRegs.payloadGPR(), ScopedArguments::offsetOfTotalLengthInStorage()),
         scratchReg);
@@ -6882,7 +6880,6 @@
     m_jit.emitPreparePreciseIndexMask32(propertyReg, scratchReg, indexMaskReg);
     
     m_jit.loadPtr(MacroAssembler::Address(baseReg, ScopedArguments::offsetOfTable()), scratchReg);
-    m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratchReg);
     m_jit.load32(
         MacroAssembler::Address(scratchReg, ScopedArgumentsTable::offsetOfLength()), scratch2Reg);
     
@@ -6890,7 +6887,6 @@
         MacroAssembler::AboveOrEqual, propertyReg, scratch2Reg);
     
     m_jit.loadPtr(MacroAssembler::Address(baseReg, ScopedArguments::offsetOfScope()), scratch2Reg);
-    m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch2Reg);
 
     m_jit.loadPtr(
         MacroAssembler::Address(scratchReg, ScopedArgumentsTable::offsetOfArguments()),
@@ -7040,8 +7036,7 @@
         
         m_jit.loadPtr(
             MacroAssembler::Address(baseReg, ScopedArguments::offsetOfStorage()), resultReg);
-        m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), resultReg);
-        
+
         speculationCheck(
             ExoticObjectMode, JSValueSource(), 0,
             m_jit.branchTest8(
@@ -7091,7 +7086,7 @@
     emitAllocateJSObjectWithKnownSize<ClassType>(resultGPR, TrustedImmPtr(structure), butterfly, scratch1GPR, scratch2GPR, slowPath, size);
     
     m_jit.storePtr(scopeGPR, JITCompiler::Address(resultGPR, JSFunction::offsetOfScopeChain()));
-    m_jit.storePtr(TrustedImmPtr::weakPoisonedPointer<JSFunctionPoison>(m_jit.graph(), executable), JITCompiler::Address(resultGPR, JSFunction::offsetOfExecutable()));
+    m_jit.storePtr(TrustedImmPtr::weakPointer(m_jit.graph(), executable), JITCompiler::Address(resultGPR, JSFunction::offsetOfExecutable()));
     m_jit.storePtr(TrustedImmPtr(nullptr), JITCompiler::Address(resultGPR, JSFunction::offsetOfRareData()));
     
     m_jit.mutatorFence(*m_jit.vm());
@@ -12116,9 +12111,6 @@
     GPRReg resultGPR = result.gpr();
     speculateCellType(node->child1(), functionGPR, SpecFunction, JSFunctionType);
     m_jit.loadPtr(JITCompiler::Address(functionGPR, JSFunction::offsetOfExecutable()), resultGPR);
-#if USE(JSVALUE64)
-    m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), resultGPR);
-#endif
     cellResult(resultGPR, node);
 }
 
@@ -12490,7 +12482,6 @@
     slowPath.append(m_jit.branchIfNotFunction(calleeGPR));
     m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
     slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
-    m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), rareDataGPR);
     m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
     m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
 
@@ -12498,7 +12489,6 @@
     emitAllocateJSObject(resultGPR, JITAllocator::variable(), allocatorGPR, structureGPR, butterfly, scratchGPR, slowPath);
 
     m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
-    m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), rareDataGPR);
     m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), inlineCapacityGPR);
     m_jit.emitInitializeInlineStorage(resultGPR, inlineCapacityGPR);
     m_jit.mutatorFence(*m_jit.vm());
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
index cf54628..fc5e683 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -149,13 +149,6 @@
             return TrustedImmPtr(bitwise_cast<size_t>(cell));
         }
 
-        template<typename Key>
-        static TrustedImmPtr weakPoisonedPointer(Graph& graph, JSCell* cell)
-        {     
-            graph.m_plan.weakReferences().addLazily(cell);
-            return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());
-        }
-
         operator MacroAssembler::TrustedImmPtr() const { return m_value; }
         operator MacroAssembler::TrustedImm() const { return m_value; }
 
diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
index 6c1f71f..a844b42 100644
--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -3141,10 +3141,7 @@
     {
         LValue cell = lowCell(m_node->child1());
         speculateFunction(m_node->child1(), cell);
-        setJSValue(
-            m_out.bitXor(
-                m_out.loadPtr(cell, m_heaps.JSFunction_executable),
-                m_out.constIntPtr(JSFunctionPoison::key())));
+        setJSValue(m_out.loadPtr(cell, m_heaps.JSFunction_executable));
     }
     
     void compileArrayify()
@@ -3843,9 +3840,7 @@
             
         case Array::ScopedArguments: {
             LValue arguments = lowCell(m_node->child1());
-            LValue storage = m_out.bitXor(
-                m_out.loadPtr(arguments, m_heaps.ScopedArguments_storage),
-                m_out.constIntPtr(ScopedArgumentsPoison::key()));
+            LValue storage = m_out.loadPtr(arguments, m_heaps.ScopedArguments_storage);
             speculate(
                 ExoticObjectMode, noValue(), nullptr,
                 m_out.notZero32(m_out.load8ZeroExt32(storage, m_heaps.ScopedArguments_Storage_overrodeThings)));
@@ -4047,8 +4042,6 @@
             LValue index = lowInt32(m_graph.varArgChild(m_node, 1));
             
             LValue storage = m_out.loadPtr(base, m_heaps.ScopedArguments_storage);
-            storage = m_out.bitXor(storage, m_out.constIntPtr(ScopedArgumentsPoison::key()));
-            
             LValue totalLength = m_out.load32NonNegative(
                 storage, m_heaps.ScopedArguments_Storage_totalLength);
             speculate(
@@ -4056,8 +4049,6 @@
                 m_out.aboveOrEqual(index, totalLength));
             
             LValue table = m_out.loadPtr(base, m_heaps.ScopedArguments_table);
-            table = m_out.bitXor(table, m_out.constIntPtr(ScopedArgumentsPoison::key()));
-            
             LValue namedLength = m_out.load32(table, m_heaps.ScopedArgumentsTable_length);
             
             LBasicBlock namedCase = m_out.newBlock();
@@ -4070,8 +4061,6 @@
             LBasicBlock lastNext = m_out.appendTo(namedCase, overflowCase);
             
             LValue scope = m_out.loadPtr(base, m_heaps.ScopedArguments_scope);
-            scope = m_out.bitXor(scope, m_out.constIntPtr(ScopedArgumentsPoison::key()));
-            
             LValue arguments = m_out.loadPtr(table, m_heaps.ScopedArgumentsTable_arguments);
             
             TypedPointer address = m_out.baseIndex(
@@ -5323,7 +5312,7 @@
         // We don't need memory barriers since we just fast-created the function, so it
         // must be young.
         m_out.storePtr(scope, fastObject, m_heaps.JSFunction_scope);
-        m_out.storePtr(weakPoisonedPointer<JSFunctionPoison>(executable), fastObject, m_heaps.JSFunction_executable);
+        m_out.storePtr(weakPointer(executable), fastObject, m_heaps.JSFunction_executable);
         m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.JSFunction_rareData);
         
         mutatorFence();
@@ -16385,32 +16374,6 @@
         return preciseIndexMask64(value, m_out.zeroExt(index, Int64), m_out.zeroExt(limit, Int64));
     }
     
-    LValue dynamicPoison(LValue value, LValue poison)
-    {
-        return m_out.add(
-            value,
-            m_out.shl(
-                m_out.zeroExt(poison, pointerType()),
-                m_out.constInt32(40)));
-    }
-    
-    LValue dynamicPoisonOnLoadedType(LValue value, LValue actualType, JSType expectedType)
-    {
-        return dynamicPoison(
-            value,
-            m_out.bitXor(
-                m_out.opaque(actualType),
-                m_out.constInt32(expectedType)));
-    }
-    
-    LValue dynamicPoisonOnType(LValue value, JSType expectedType)
-    {
-        return dynamicPoisonOnLoadedType(
-            value,
-            m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoType),
-            expectedType);
-    }
-
     template<typename... Args>
     LValue vmCall(LType type, LValue function, Args&&... args)
     {
@@ -16957,13 +16920,6 @@
         addWeakReference(pointer);
         return m_out.weakPointer(m_graph, pointer);
     }
-    
-    template<typename Key>
-    LValue weakPoisonedPointer(JSCell* pointer)
-    {
-        addWeakReference(pointer);
-        return m_out.weakPoisonedPointer<Key>(m_graph, pointer);
-    }
 
     LValue frozenPointer(FrozenValue* value)
     {
diff --git a/Source/JavaScriptCore/ftl/FTLOutput.h b/Source/JavaScriptCore/ftl/FTLOutput.h
index 6baeb9e..7a1faee 100644
--- a/Source/JavaScriptCore/ftl/FTLOutput.h
+++ b/Source/JavaScriptCore/ftl/FTLOutput.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -111,14 +111,6 @@
         return constIntPtr(bitwise_cast<intptr_t>(cell));
     }
 
-    template<typename Key>
-    LValue weakPoisonedPointer(DFG::Graph& graph, JSCell* cell)
-    {
-        ASSERT(graph.m_plan.weakReferences().contains(cell));
-
-        return constIntPtr(bitwise_cast<intptr_t>(cell) ^ Key::key());
-    }
-
     LValue weakPointer(DFG::FrozenValue* value)
     {
         RELEASE_ASSERT(value->value().isCell());
diff --git a/Source/JavaScriptCore/jit/AssemblyHelpers.cpp b/Source/JavaScriptCore/jit/AssemblyHelpers.cpp
index 0dc6cf9..45d80d7 100644
--- a/Source/JavaScriptCore/jit/AssemblyHelpers.cpp
+++ b/Source/JavaScriptCore/jit/AssemblyHelpers.cpp
@@ -1002,41 +1002,6 @@
     rshiftPtr(TrustedImm32(preciseIndexMaskShift<void*>()), result);
 }
 
-void AssemblyHelpers::emitDynamicPoison(GPRReg base, GPRReg poisonValue)
-{
-#if CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__))
-    lshiftPtr(TrustedImm32(40), poisonValue);
-    addPtr(poisonValue, base);
-#else
-    UNUSED_PARAM(base);
-    UNUSED_PARAM(poisonValue);
-#endif
-}
-
-void AssemblyHelpers::emitDynamicPoisonOnLoadedType(GPRReg base, GPRReg actualType, JSType expectedType)
-{
-#if CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__))
-    xor32(TrustedImm32(expectedType), actualType);
-    emitDynamicPoison(base, actualType);
-#else
-    UNUSED_PARAM(base);
-    UNUSED_PARAM(actualType);
-    UNUSED_PARAM(expectedType);
-#endif
-}
-
-void AssemblyHelpers::emitDynamicPoisonOnType(GPRReg base, GPRReg scratch, JSType expectedType)
-{
-#if CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__))
-    load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
-    emitDynamicPoisonOnLoadedType(base, scratch, expectedType);
-#else
-    UNUSED_PARAM(base);
-    UNUSED_PARAM(scratch);
-    UNUSED_PARAM(expectedType);
-#endif
-}
-
 } // namespace JSC
 
 #endif // ENABLE(JIT)
diff --git a/Source/JavaScriptCore/jit/AssemblyHelpers.h b/Source/JavaScriptCore/jit/AssemblyHelpers.h
index cf97150..addc63c 100644
--- a/Source/JavaScriptCore/jit/AssemblyHelpers.h
+++ b/Source/JavaScriptCore/jit/AssemblyHelpers.h
@@ -1831,10 +1831,6 @@
     // zero-extended. Also this does not clobber index, which is useful in the baseline JIT. This
     // permits length and result to be in the same register.
     void emitPreparePreciseIndexMask32(GPRReg index, GPRReg length, GPRReg result);
-    
-    void emitDynamicPoison(GPRReg base, GPRReg poisonValue);
-    void emitDynamicPoisonOnLoadedType(GPRReg base, GPRReg actualType, JSType expectedType);
-    void emitDynamicPoisonOnType(GPRReg base, GPRReg scratch, JSType expectedType);
 
 #if ENABLE(WEBASSEMBLY)
     void loadWasmContextInstance(GPRReg dst);
diff --git a/Source/JavaScriptCore/jit/JITOpcodes.cpp b/Source/JavaScriptCore/jit/JITOpcodes.cpp
index bd24958..e65851c 100644
--- a/Source/JavaScriptCore/jit/JITOpcodes.cpp
+++ b/Source/JavaScriptCore/jit/JITOpcodes.cpp
@@ -908,7 +908,6 @@
     addSlowCase(branchIfNotFunction(calleeReg));
     loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
     addSlowCase(branchTestPtr(Zero, rareDataReg));
-    xorPtr(TrustedImmPtr(JSFunctionPoison::key()), rareDataReg);
     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
 
@@ -922,7 +921,6 @@
     emitAllocateJSObject(resultReg, JITAllocator::variable(), allocatorReg, structureReg, butterfly, scratchReg, slowCases);
     emitGetVirtualRegister(callee, scratchReg);
     loadPtr(Address(scratchReg, JSFunction::offsetOfRareData()), scratchReg);
-    xorPtr(TrustedImmPtr(JSFunctionPoison::key()), scratchReg);
     load32(Address(scratchReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), scratchReg);
     emitInitializeInlineStorage(resultReg, scratchReg);
     addSlowCase(slowCases);
diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
index ea6fef0..8d8d5dbb 100644
--- a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
+++ b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
@@ -1609,15 +1609,12 @@
     load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(ScopedArgumentsType));
     loadPtr(Address(base, ScopedArguments::offsetOfStorage()), scratch3);
-    xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch3);
     slowCases.append(branch32(AboveOrEqual, property, Address(scratch3, ScopedArguments::offsetOfTotalLengthInStorage())));
     
     loadPtr(Address(base, ScopedArguments::offsetOfTable()), scratch);
-    xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch);
     load32(Address(scratch, ScopedArgumentsTable::offsetOfLength()), scratch2);
     Jump overflowCase = branch32(AboveOrEqual, property, scratch2);
     loadPtr(Address(base, ScopedArguments::offsetOfScope()), scratch2);
-    xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch2);
     loadPtr(Address(scratch, ScopedArgumentsTable::offsetOfArguments()), scratch);
     load32(BaseIndex(scratch, property, TimesFour), scratch);
     slowCases.append(branch32(Equal, scratch, TrustedImm32(ScopeOffset::invalidOffset)));
diff --git a/Source/JavaScriptCore/jit/Repatch.cpp b/Source/JavaScriptCore/jit/Repatch.cpp
index fba76da..e68e647 100644
--- a/Source/JavaScriptCore/jit/Repatch.cpp
+++ b/Source/JavaScriptCore/jit/Repatch.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1064,7 +1064,6 @@
         stubJit.loadPtr(
             CCallHelpers::Address(calleeGPR, JSFunction::offsetOfExecutable()),
             scratchGPR);
-        stubJit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), scratchGPR);
         
         comparisonValueGPR = scratchGPR;
     } else
diff --git a/Source/JavaScriptCore/jit/ThunkGenerators.cpp b/Source/JavaScriptCore/jit/ThunkGenerators.cpp
index 6450dfe..a986fe7 100644
--- a/Source/JavaScriptCore/jit/ThunkGenerators.cpp
+++ b/Source/JavaScriptCore/jit/ThunkGenerators.cpp
@@ -203,7 +203,6 @@
     jit.loadPtr(
         CCallHelpers::Address(GPRInfo::regT0, JSFunction::offsetOfExecutable()),
         GPRInfo::regT4);
-    jit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), GPRInfo::regT4);
     jit.loadPtr(
         CCallHelpers::Address(
             GPRInfo::regT4, ExecutableBase::offsetOfJITCodeWithArityCheckFor(
@@ -283,7 +282,6 @@
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, JSInterfaceJIT::regT1);
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSFunction::offsetOfExecutable()), JSInterfaceJIT::regT1);
-        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), JSInterfaceJIT::regT1);
         jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, executableOffsetToFunction), JSEntryPtrTag);
     } else
         jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, InternalFunction::offsetOfNativeFunctionFor(kind)), JSEntryPtrTag);
@@ -299,12 +297,9 @@
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, X86Registers::esi);
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, JSFunction::offsetOfExecutable()), X86Registers::r9);
-        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), X86Registers::r9);
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction), X86Registers::r9);
     } else
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, InternalFunction::offsetOfNativeFunctionFor(kind)), X86Registers::r9);
-    jit.move(JSInterfaceJIT::TrustedImm64(NativeCodePoison::key()), X86Registers::esi);
-    jit.xor64(X86Registers::esi, X86Registers::r9);
     jit.call(X86Registers::r9, JSEntryPtrTag);
 
 #else
@@ -319,7 +314,6 @@
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, X86Registers::edx);
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::edx, JSFunction::offsetOfExecutable()), X86Registers::r9);
-        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), X86Registers::r9);
         jit.call(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction), JSEntryPtrTag);
     } else
         jit.call(JSInterfaceJIT::Address(X86Registers::edx, InternalFunction::offsetOfNativeFunctionFor(kind)), JSEntryPtrTag);
@@ -338,12 +332,9 @@
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, ARM64Registers::x1);
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, JSFunction::offsetOfExecutable()), ARM64Registers::x2);
-        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), ARM64Registers::x2);
         jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction), ARM64Registers::x2);
     } else
         jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, InternalFunction::offsetOfNativeFunctionFor(kind)), ARM64Registers::x2);
-    jit.move(JSInterfaceJIT::TrustedImm64(NativeCodePoison::key()), ARM64Registers::x1);
-    jit.xor64(ARM64Registers::x1, ARM64Registers::x2);
     jit.call(ARM64Registers::x2, JSEntryPtrTag);
 
 #elif CPU(ARM_THUMB2) || CPU(MIPS)
@@ -359,7 +350,6 @@
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, JSInterfaceJIT::argumentGPR1);
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::argumentGPR1, JSFunction::offsetOfExecutable()), JSInterfaceJIT::regT2);
-        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), JSInterfaceJIT::regT2);
         jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT2, executableOffsetToFunction), JSEntryPtrTag);
     } else
         jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::argumentGPR1, InternalFunction::offsetOfNativeFunctionFor(kind)), JSEntryPtrTag);
@@ -1237,7 +1227,6 @@
     jit.loadPtr(
         CCallHelpers::Address(GPRInfo::regT3, JSFunction::offsetOfExecutable()),
         GPRInfo::regT0);
-    jit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), GPRInfo::regT0);
     jit.loadPtr(
         CCallHelpers::Address(
             GPRInfo::regT0, ExecutableBase::offsetOfJITCodeWithArityCheckFor(CodeForCall)),
diff --git a/Source/JavaScriptCore/parser/UnlinkedSourceCode.h b/Source/JavaScriptCore/parser/UnlinkedSourceCode.h
index fae0e35..eef0097 100644
--- a/Source/JavaScriptCore/parser/UnlinkedSourceCode.h
+++ b/Source/JavaScriptCore/parser/UnlinkedSourceCode.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,7 +28,6 @@
 
 #pragma once
 
-#include "JSCPoison.h"
 #include "SourceProvider.h"
 #include <wtf/RefPtr.h>
 
@@ -107,9 +106,9 @@
         int length() const { return m_endOffset - m_startOffset; }
 
     protected:
-        // FIXME: Make it PoisonedRef<SourceProvidier>.
+        // FIXME: Make it Ref<SourceProvidier>.
         // https://bugs.webkit.org/show_bug.cgi?id=168325
-        PoisonedRefPtr<UnlinkedSourceCodePoison, SourceProvider> m_provider;
+        RefPtr<SourceProvider> m_provider;
         int m_startOffset;
         int m_endOffset;
     };
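Review bot: The rewritten FIXME at the top of the `protected:` section still misspells the type name as `SourceProvidier`, so a search for `SourceProvider` will not find it. Since the line is being touched anyway, it should read `// FIXME: Make it Ref<SourceProvider>.`. The enclosing class starts outside the hunk.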
diff --git a/Source/JavaScriptCore/runtime/ArrayPrototype.h b/Source/JavaScriptCore/runtime/ArrayPrototype.h
index b0fd8a5..8def036 100644
--- a/Source/JavaScriptCore/runtime/ArrayPrototype.h
+++ b/Source/JavaScriptCore/runtime/ArrayPrototype.h
@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2007-2018 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007-2019 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -21,8 +21,6 @@
 #pragma once
 
 #include "JSArray.h"
-#include "JSCPoison.h"
-#include <wtf/PoisonedUniquePtr.h>
 
 namespace JSC {
 
@@ -62,8 +60,8 @@
 private:
     // This bit is set if any user modifies the constructor property Array.prototype. This is used to optimize species creation for JSArrays.
     friend ArrayPrototypeAdaptiveInferredPropertyWatchpoint;
-    PoisonedUniquePtr<ArrayPrototypePoison, ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
-    PoisonedUniquePtr<ArrayPrototypePoison, ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorSpeciesWatchpoint;
+    std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
+    std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorSpeciesWatchpoint;
 };
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncToString(ExecState*);
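Review bot: `m_constructorWatchpoint` and `m_constructorSpeciesWatchpoint` are now `std::unique_ptr`, but the include hunk above only removes `<wtf/PoisonedUniquePtr.h>` and adds nothing, so the header presumably gets `<memory>` transitively through `JSArray.h`. Adding `#include <memory>` next to `#include "JSArray.h"` would keep the header self-contained. The same applies to JSGlobalObject.h, where the watchpoint and inspector members switch to `std::unique_ptr` and `<wtf/PoisonedUniquePtr.h>` is dropped. The class body starts outside this hunk.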
diff --git a/Source/JavaScriptCore/runtime/CustomGetterSetter.h b/Source/JavaScriptCore/runtime/CustomGetterSetter.h
index bc09d36..e97a096 100644
--- a/Source/JavaScriptCore/runtime/CustomGetterSetter.h
+++ b/Source/JavaScriptCore/runtime/CustomGetterSetter.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -25,7 +25,6 @@
 
 #pragma once
 
-#include "JSCPoison.h"
 #include "JSCast.h"
 #include "PropertySlot.h"
 #include "PutPropertySlot.h"
@@ -48,8 +47,8 @@
         return customGetterSetter;
     }
 
-    CustomGetterSetter::CustomGetter getter() const { return m_getter.unpoisoned(); }
-    CustomGetterSetter::CustomSetter setter() const { return m_setter.unpoisoned(); }
+    CustomGetterSetter::CustomGetter getter() const { return m_getter; }
+    CustomGetterSetter::CustomSetter setter() const { return m_setter; }
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     {
@@ -67,11 +66,8 @@
     }
 
 private:
-    template<typename T>
-    using PoisonedAccessor = Poisoned<NativeCodePoison, T>;
-
-    PoisonedAccessor<CustomGetter> m_getter;
-    PoisonedAccessor<CustomSetter> m_setter;
+    CustomGetter m_getter;
+    CustomSetter m_setter;
 };
 
 JS_EXPORT_PRIVATE bool callCustomSetter(ExecState*, CustomGetterSetter::CustomSetter, bool isAccessor, JSValue thisValue, JSValue);
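Review bot: `m_getter` and `m_setter` become bare members with no default initializer, where the `Poisoned<>` wrapper presumably value-initialized its storage (its definition is not shown here). The constructor is outside this hunk, so confirm it sets both; otherwise declare them as `CustomGetter m_getter { nullptr };` and `CustomSetter m_setter { nullptr };`, assuming both are plain function-pointer types. The same check applies to `ArrayBuffer* m_impl;` in JSArrayBuffer.h.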
diff --git a/Source/JavaScriptCore/runtime/InitializeThreading.cpp b/Source/JavaScriptCore/runtime/InitializeThreading.cpp
index 2522ffd..d0a37f4 100644
--- a/Source/JavaScriptCore/runtime/InitializeThreading.cpp
+++ b/Source/JavaScriptCore/runtime/InitializeThreading.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -60,7 +60,6 @@
     std::call_once(initializeThreadingOnceFlag, []{
         WTF::initializeThreading();
         Options::initialize();
-        initializePoison();
 
 #if ENABLE(WRITE_BARRIER_PROFILING)
         WriteBarrierCounters::initialize();
diff --git a/Source/JavaScriptCore/runtime/InternalFunction.cpp b/Source/JavaScriptCore/runtime/InternalFunction.cpp
index 54dceba..a03b52b 100644
--- a/Source/JavaScriptCore/runtime/InternalFunction.cpp
+++ b/Source/JavaScriptCore/runtime/InternalFunction.cpp
@@ -1,7 +1,7 @@
 /*
  *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2004, 2007-2008, 2016-2017 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2019 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Library General Public
@@ -88,7 +88,7 @@
 {
     auto* function = jsCast<InternalFunction*>(cell);
     ASSERT(function->m_functionForCall);
-    callData.native.function = function->m_functionForCall.unpoisoned();
+    callData.native.function = function->m_functionForCall;
     return CallType::Host;
 }
 
@@ -97,7 +97,7 @@
     auto* function = jsCast<InternalFunction*>(cell);
     if (function->m_functionForConstruct == callHostFunctionAsConstructor)
         return ConstructType::None;
-    constructData.native.function = function->m_functionForConstruct.unpoisoned();
+    constructData.native.function = function->m_functionForConstruct;
     return ConstructType::Host;
 }
 
diff --git a/Source/JavaScriptCore/runtime/InternalFunction.h b/Source/JavaScriptCore/runtime/InternalFunction.h
index 634d9dd..89097d9 100644
--- a/Source/JavaScriptCore/runtime/InternalFunction.h
+++ b/Source/JavaScriptCore/runtime/InternalFunction.h
@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
  *
@@ -24,7 +24,6 @@
 #pragma once
 
 #include "CodeSpecializationKind.h"
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 
 namespace JSC {
@@ -63,9 +62,9 @@
     TaggedNativeFunction nativeFunctionFor(CodeSpecializationKind kind)
     {
         if (kind == CodeForCall)
-            return m_functionForCall.unpoisoned();
+            return m_functionForCall;
         ASSERT(kind == CodeForConstruct);
-        return m_functionForConstruct.unpoisoned();
+        return m_functionForConstruct;
     }
 
     static ptrdiff_t offsetOfNativeFunctionFor(CodeSpecializationKind kind)
@@ -77,8 +76,6 @@
     }
 
 protected:
-    using PoisonedTaggedNativeFunction = Poisoned<NativeCodePoison, TaggedNativeFunction>;
-
     JS_EXPORT_PRIVATE InternalFunction(VM&, Structure*, NativeFunction functionForCall, NativeFunction functionForConstruct);
 
     enum class NameVisibility { Visible, Anonymous };
@@ -89,8 +86,8 @@
     JS_EXPORT_PRIVATE static ConstructType getConstructData(JSCell*, ConstructData&);
     JS_EXPORT_PRIVATE static CallType getCallData(JSCell*, CallData&);
 
-    PoisonedTaggedNativeFunction m_functionForCall;
-    PoisonedTaggedNativeFunction m_functionForConstruct;
+    TaggedNativeFunction m_functionForCall;
+    TaggedNativeFunction m_functionForConstruct;
     WriteBarrier<JSString> m_originalName;
 };
 
diff --git a/Source/JavaScriptCore/runtime/JSArrayBuffer.h b/Source/JavaScriptCore/runtime/JSArrayBuffer.h
index 8fdfc53..5db9d82 100644
--- a/Source/JavaScriptCore/runtime/JSArrayBuffer.h
+++ b/Source/JavaScriptCore/runtime/JSArrayBuffer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,9 +26,7 @@
 #pragma once
 
 #include "ArrayBuffer.h"
-#include "JSCPoison.h"
 #include "JSObject.h"
-#include <wtf/Poisoned.h>
 
 namespace JSC {
 
@@ -45,7 +43,7 @@
     // This function will register the new wrapper with the vm's TypedArrayController.
     JS_EXPORT_PRIVATE static JSArrayBuffer* create(VM&, Structure*, RefPtr<ArrayBuffer>&&);
 
-    ArrayBuffer* impl() const { return m_impl.unpoisoned(); }
+    ArrayBuffer* impl() const { return m_impl; }
     
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue prototype);
 
@@ -61,7 +59,7 @@
     static size_t estimatedSize(JSCell*, VM&);
 
 private:
-    Poisoned<JSArrayBufferPoison, ArrayBuffer*> m_impl;
+    ArrayBuffer* m_impl;
 };
 
 inline ArrayBuffer* toPossiblySharedArrayBuffer(VM& vm, JSValue value)
diff --git a/Source/JavaScriptCore/runtime/JSBoundFunction.h b/Source/JavaScriptCore/runtime/JSBoundFunction.h
index 5814886..8bb4b77 100644
--- a/Source/JavaScriptCore/runtime/JSBoundFunction.h
+++ b/Source/JavaScriptCore/runtime/JSBoundFunction.h
@@ -76,8 +76,6 @@
     
     void finishCreation(VM&, NativeExecutable*, int length);
 
-    // FIXME: Consider poisoning these pointers.
-    // https://bugs.webkit.org/show_bug.cgi?id=182713
     WriteBarrier<JSObject> m_targetFunction;
     WriteBarrier<Unknown> m_boundThis;
     WriteBarrier<JSArray> m_boundArgs;
diff --git a/Source/JavaScriptCore/runtime/JSCPoison.cpp b/Source/JavaScriptCore/runtime/JSCPoison.cpp
deleted file mode 100644
index 7d85643..0000000
--- a/Source/JavaScriptCore/runtime/JSCPoison.cpp
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "JSCPoison.h"
-
-#include "Options.h"
-#include <mutex>
-#include <wtf/HashSet.h>
-
-namespace JSC {
-
-#define DEFINE_POISON(poisonID) \
-    uintptr_t POISON_KEY_NAME(poisonID);
-FOR_EACH_JSC_POISON(DEFINE_POISON)
-
-void initializePoison()
-{
-    static std::once_flag initializeOnceFlag;
-    std::call_once(initializeOnceFlag, [] {
-        if (!Options::usePoisoning())
-            return;
-
-#define INITIALIZE_POISON(poisonID) \
-    POISON_KEY_NAME(poisonID) = makePoison();
-
-        FOR_EACH_JSC_POISON(INITIALIZE_POISON)
-    });
-}
-
-} // namespace JSC
-
diff --git a/Source/JavaScriptCore/runtime/JSCPoison.h b/Source/JavaScriptCore/runtime/JSCPoison.h
deleted file mode 100644
index a324493..0000000
--- a/Source/JavaScriptCore/runtime/JSCPoison.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#pragma once
-
-#include <wtf/Poisoned.h>
-
-namespace JSC {
-
-// Let's keep the following list of poisons in alphabetical order just so it's easier to read.
-#define FOR_EACH_JSC_POISON(v) \
-    v(ArrayPrototype) \
-    v(JSAPIWrapperObject) \
-    v(JSArrayBuffer) \
-    v(JSCallbackObject) \
-    v(JSFunction) \
-    v(JSGlobalObject) \
-    v(JSScriptFetchParameters) \
-    v(JSScriptFetcher) \
-    v(JSWebAssemblyCodeBlock) \
-    v(JSWebAssemblyInstance) \
-    v(JSWebAssemblyMemory) \
-    v(JSWebAssemblyModule) \
-    v(JSWebAssemblyTable) \
-    v(NativeCode) \
-    v(ScopedArguments) \
-    v(StructureTransitionTable) \
-    v(UnlinkedSourceCode) \
-    v(WebAssemblyFunctionBase) \
-    v(WebAssemblyModuleRecord) \
-    v(WebAssemblyToJSCallee) \
-    v(WebAssemblyWrapperFunction) \
-
-#define POISON_KEY_NAME(_poisonID_) g_##_poisonID_##Poison
-
-#define DECLARE_POISON(_poisonID_) \
-    extern "C" JS_EXPORT_PRIVATE uintptr_t POISON_KEY_NAME(_poisonID_); \
-    using _poisonID_ ## Poison = Poison<POISON_KEY_NAME(_poisonID_)>;
-
-FOR_EACH_JSC_POISON(DECLARE_POISON)
-#undef DECLARE_POISON
-
-void initializePoison();
-
-} // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/JSFunction.h b/Source/JavaScriptCore/runtime/JSFunction.h
index 242c8d6..5e77017 100644
--- a/Source/JavaScriptCore/runtime/JSFunction.h
+++ b/Source/JavaScriptCore/runtime/JSFunction.h
@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
  *
@@ -220,11 +220,8 @@
     static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName);
     static EncodedJSValue nameGetter(ExecState*, EncodedJSValue, PropertyName);
 
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<JSFunctionPoison, T>;
-    
-    PoisonedBarrier<ExecutableBase> m_executable;
-    PoisonedBarrier<FunctionRareData> m_rareData;
+    WriteBarrier<ExecutableBase> m_executable;
+    WriteBarrier<FunctionRareData> m_rareData;
 };
 
 } // namespace JSC
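Review bot: `m_executable` and `m_rareData` are now plain `WriteBarrier` fields, and the declarations no longer hint that JIT-generated code loads them straight from the cell and dereferences the result, as the thunk and `op_create_this` hunks in this commit show. A short comment would keep that visible to whoever changes the layout next, for example `// Loaded directly by JIT code via offsetOfExecutable() / offsetOfRareData().`. The removed `usePoisoning` option text describes poisoning as a Spectre and type-confusion mitigation, and the reason for dropping it is not recorded on this page, so a pointer to the replacement mitigation (if any) in the same comment would help. The class starts outside this hunk.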
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.h b/Source/JavaScriptCore/runtime/JSGlobalObject.h
index 7dd2f82..fead79b3 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObject.h
+++ b/Source/JavaScriptCore/runtime/JSGlobalObject.h
@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
- *  Copyright (C) 2007-2018 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007-2019 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Library General Public
@@ -30,7 +30,6 @@
 #include "InternalFunction.h"
 #include "JSArray.h"
 #include "JSArrayBufferPrototype.h"
-#include "JSCPoison.h"
 #include "JSClassRef.h"
 #include "JSGlobalLexicalEnvironment.h"
 #include "JSPromiseDeferred.h"
@@ -49,7 +48,6 @@
 #include <JavaScriptCore/JSBase.h>
 #include <array>
 #include <wtf/HashSet.h>
-#include <wtf/PoisonedUniquePtr.h>
 #include <wtf/RetainPtr.h>
 
 struct OpaqueJSClass;
@@ -430,11 +428,9 @@
 
     VM& m_vm;
 
-    template<typename T> using PoisonedUniquePtr = WTF::PoisonedUniquePtr<JSGlobalObjectPoison, T>;
-
 #if ENABLE(REMOTE_INSPECTOR)
-    PoisonedUniquePtr<Inspector::JSGlobalObjectInspectorController> m_inspectorController;
-    PoisonedUniquePtr<JSGlobalObjectDebuggable> m_inspectorDebuggable;
+    std::unique_ptr<Inspector::JSGlobalObjectInspectorController> m_inspectorController;
+    std::unique_ptr<JSGlobalObjectDebuggable> m_inspectorDebuggable;
 #endif
 
 #if ENABLE(INTL)
@@ -477,17 +473,17 @@
     InlineWatchpointSet m_setAddWatchpoint;
     InlineWatchpointSet m_arraySpeciesWatchpoint;
     InlineWatchpointSet m_numberToStringWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayPrototypeSymbolIteratorWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayIteratorPrototypeNext;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSymbolIteratorWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapIteratorPrototypeNextWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeSymbolIteratorWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setIteratorPrototypeNextWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringPrototypeSymbolIteratorWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringIteratorPrototypeNextWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSetWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeAddWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_numberPrototypeToStringWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayPrototypeSymbolIteratorWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayIteratorPrototypeNext;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSymbolIteratorWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapIteratorPrototypeNextWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeSymbolIteratorWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setIteratorPrototypeNextWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringPrototypeSymbolIteratorWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringIteratorPrototypeNextWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSetWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeAddWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_numberPrototypeToStringWatchpoint;
 
     bool isArrayPrototypeIteratorProtocolFastAndNonObservable();
     bool isMapPrototypeIteratorProtocolFastAndNonObservable();
diff --git a/Source/JavaScriptCore/runtime/JSScriptFetchParameters.h b/Source/JavaScriptCore/runtime/JSScriptFetchParameters.h
index d3d8ca5..b877911 100644
--- a/Source/JavaScriptCore/runtime/JSScriptFetchParameters.h
+++ b/Source/JavaScriptCore/runtime/JSScriptFetchParameters.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2017 Yusuke Suzuki <utatane.tea@gmail.com>
- * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,7 +26,6 @@
 
 #pragma once
 
-#include "JSCPoison.h"
 #include "JSGlobalObject.h"
 #include "JSObject.h"
 #include "ScriptFetchParameters.h"
@@ -74,7 +73,7 @@
     {
     }
 
-    PoisonedRef<JSScriptFetchParametersPoison, ScriptFetchParameters> m_parameters;
+    Ref<ScriptFetchParameters> m_parameters;
 };
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/JSScriptFetcher.h b/Source/JavaScriptCore/runtime/JSScriptFetcher.h
index 910b7e3..f3c41c2 100644
--- a/Source/JavaScriptCore/runtime/JSScriptFetcher.h
+++ b/Source/JavaScriptCore/runtime/JSScriptFetcher.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2017 Yusuke Suzuki <utatane.tea@gmail.com>
- * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,7 +26,6 @@
 
 #pragma once
 
-#include "JSCPoison.h"
 #include "JSGlobalObject.h"
 #include "JSObject.h"
 #include "ScriptFetcher.h"
@@ -74,7 +73,7 @@
     {
     }
 
-    PoisonedRefPtr<JSScriptFetcherPoison, ScriptFetcher> m_fetcher;
+    RefPtr<ScriptFetcher> m_fetcher;
 };
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/JSString.h b/Source/JavaScriptCore/runtime/JSString.h
index a5a63f5..016d89e 100644
--- a/Source/JavaScriptCore/runtime/JSString.h
+++ b/Source/JavaScriptCore/runtime/JSString.h
@@ -222,8 +222,6 @@
     // A string is represented either by a String or a rope of fibers.
     unsigned m_length { 0 };
     mutable uint16_t m_flags { 0 };
-    // The poison is strategically placed and holds a value such that the first
-    // 64 bits of JSString look like a double JSValue.
     mutable String m_value;
 
     friend class LLIntOffsetsExtractor;
diff --git a/Source/JavaScriptCore/runtime/NativeExecutable.cpp b/Source/JavaScriptCore/runtime/NativeExecutable.cpp
index 63dd2ec..1a429b5 100644
--- a/Source/JavaScriptCore/runtime/NativeExecutable.cpp
+++ b/Source/JavaScriptCore/runtime/NativeExecutable.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -94,10 +94,10 @@
 CodeBlockHash NativeExecutable::hashFor(CodeSpecializationKind kind) const
 {
     if (kind == CodeForCall)
-        return CodeBlockHash(m_function.bits());
+        return CodeBlockHash(bitwise_cast<uintptr_t>(m_function));
 
     RELEASE_ASSERT(kind == CodeForConstruct);
-    return CodeBlockHash(m_constructor.bits());
+    return CodeBlockHash(bitwise_cast<uintptr_t>(m_constructor));
 }
 
 } // namespace JSC
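Review bot: `hashFor` now builds the `CodeBlockHash` from the raw bits of `m_function` / `m_constructor`, whereas `.bits()` on the old wrapper presumably returned the poisoned encoding. If a `CodeBlockHash` for a native executable is ever printed or logged, it would now carry bits of a real function address, so it is worth confirming that no such output reaches untrusted consumers. A comment at the top of the function such as `// Hash is derived from the raw (tagged) function pointer bits; keep it to internal diagnostics.` would record that. `bitwise_cast<uintptr_t>` also assumes `TaggedNativeFunction` is exactly pointer-sized, which is not visible in this hunk.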
diff --git a/Source/JavaScriptCore/runtime/NativeExecutable.h b/Source/JavaScriptCore/runtime/NativeExecutable.h
index b9ab65a..b8d1fb3 100644
--- a/Source/JavaScriptCore/runtime/NativeExecutable.h
+++ b/Source/JavaScriptCore/runtime/NativeExecutable.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,7 +26,6 @@
 #pragma once
 
 #include "ExecutableBase.h"
-#include "JSCPoison.h"
 
 namespace JSC {
 
@@ -49,8 +48,8 @@
 
     CodeBlockHash hashFor(CodeSpecializationKind) const;
 
-    TaggedNativeFunction function() { return m_function.unpoisoned(); }
-    TaggedNativeFunction constructor() { return m_constructor.unpoisoned(); }
+    TaggedNativeFunction function() { return m_function; }
+    TaggedNativeFunction constructor() { return m_constructor; }
         
     TaggedNativeFunction nativeFunctionFor(CodeSpecializationKind kind)
     {
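Review bot: `function()` and `constructor()` on the added lines are now plain member reads but are still non-const, while `hashFor` just above them is const. Declaring them `TaggedNativeFunction function() const { return m_function; }` and `TaggedNativeFunction constructor() const { return m_constructor; }` would let code holding a `const NativeExecutable&` call them. `nativeFunctionFor` continues past the end of this hunk, so whether it can be made const too is not visible here.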
@@ -81,13 +80,10 @@
     void finishCreation(VM&, Ref<JITCode>&& callThunk, Ref<JITCode>&& constructThunk, const String& name);
 
 private:
-    friend class ExecutableBase;
-    using PoisonedTaggedNativeFunction = Poisoned<NativeCodePoison, TaggedNativeFunction>;
-
     NativeExecutable(VM&, TaggedNativeFunction, TaggedNativeFunction constructor);
 
-    PoisonedTaggedNativeFunction m_function;
-    PoisonedTaggedNativeFunction m_constructor;
+    TaggedNativeFunction m_function;
+    TaggedNativeFunction m_constructor;
 
     String m_name;
 };
diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
index b89b289..35fd4bc 100644
--- a/Source/JavaScriptCore/runtime/Options.h
+++ b/Source/JavaScriptCore/runtime/Options.h
@@ -475,7 +475,6 @@
     \
     v(bool, enableSpectreMitigations, true, Restricted, "Enable Spectre mitigations.") \
     v(bool, enableSpectreGadgets, false, Restricted, "enable gadgets to test Spectre mitigations.") \
-    v(bool, usePoisoning, true, Normal, "Poison is randomized at load time when true, and initialized to 0 if false which defeats some Spectre and type confusion mitigations, but allows tools such as leak detectors to function better.") \
     v(bool, zeroStackFrame, false, Normal, "Zero stack frame on entry to a function.") \
     \
     v(bool, failToCompileWebAssemblyCode, false, Normal, "If true, no Wasm::Plan will sucessfully compile a function.") \
diff --git a/Source/JavaScriptCore/runtime/ScopedArguments.h b/Source/JavaScriptCore/runtime/ScopedArguments.h
index f36db86..378adf3 100644
--- a/Source/JavaScriptCore/runtime/ScopedArguments.h
+++ b/Source/JavaScriptCore/runtime/ScopedArguments.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -180,7 +180,7 @@
     
     WriteBarrier<Unknown>* overflowStorage() const
     {
-        return m_storage.get().unpoisoned();
+        return m_storage.get();
     }
     
     static StorageHeader& storageHeader(WriteBarrier<Unknown>* storage)
@@ -194,14 +194,11 @@
         return storageHeader(overflowStorage());
     }
     
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<ScopedArgumentsPoison, T>;
+    WriteBarrier<JSFunction> m_callee;
+    WriteBarrier<ScopedArgumentsTable> m_table;
+    WriteBarrier<JSLexicalEnvironment> m_scope;
     
-    PoisonedBarrier<JSFunction> m_callee;
-    PoisonedBarrier<ScopedArgumentsTable> m_table;
-    PoisonedBarrier<JSLexicalEnvironment> m_scope;
-    
-    AuxiliaryBarrier<Poisoned<ScopedArgumentsPoison, WriteBarrier<Unknown>*>> m_storage;
+    AuxiliaryBarrier<WriteBarrier<Unknown>*> m_storage;
 };
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
index 0921cb3..ddf6821 100644
--- a/Source/JavaScriptCore/runtime/Structure.cpp
+++ b/Source/JavaScriptCore/runtime/Structure.cpp
@@ -84,7 +84,7 @@
     if (WeakImpl* impl = this->weakImpl())
         WeakSet::deallocate(impl);
     WeakImpl* impl = WeakSet::allocate(structure, &singleSlotTransitionWeakOwner(), this);
-    m_data = PoisonedWeakImplPtr(impl).bits() | UsingSingleSlotFlag;
+    m_data = bitwise_cast<intptr_t>(impl) | UsingSingleSlotFlag;
 }
 
 bool StructureTransitionTable::contains(UniquedStringImpl* rep, unsigned attributes) const
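Review bot: The added assignment ORs `UsingSingleSlotFlag` into the raw `WeakImpl*` bits without checking that the flag bit is clear in the pointer. `weakImpl()` in StructureTransitionTable.h masks the flag off again, so a pointer with that bit already set would come back as a different address. `setMap` guards its store with `ASSERT(!isUsingSingleSlot())`; the equivalent here is `ASSERT(!(bitwise_cast<intptr_t>(impl) & UsingSingleSlotFlag));` just before the assignment. The enclosing function starts above this hunk.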
diff --git a/Source/JavaScriptCore/runtime/StructureTransitionTable.h b/Source/JavaScriptCore/runtime/StructureTransitionTable.h
index 437641e..2452617 100644
--- a/Source/JavaScriptCore/runtime/StructureTransitionTable.h
+++ b/Source/JavaScriptCore/runtime/StructureTransitionTable.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,7 +26,6 @@
 #pragma once
 
 #include "IndexingType.h"
-#include "JSCPoison.h"
 #include "WeakGCMap.h"
 #include <wtf/HashFunctions.h>
 #include <wtf/text/UniquedStringImpl.h>
@@ -187,8 +186,6 @@
 
 private:
     friend class SingleSlotTransitionWeakOwner;
-    using PoisonedTransitionMapPtr = Poisoned<StructureTransitionTablePoison, TransitionMap*>;
-    using PoisonedWeakImplPtr = Poisoned<StructureTransitionTablePoison, WeakImpl*>;
 
     bool isUsingSingleSlot() const
     {
@@ -198,13 +195,13 @@
     TransitionMap* map() const
     {
         ASSERT(!isUsingSingleSlot());
-        return PoisonedTransitionMapPtr(AlreadyPoisoned, m_data).unpoisoned();
+        return bitwise_cast<TransitionMap*>(m_data);
     }
 
     WeakImpl* weakImpl() const
     {
         ASSERT(isUsingSingleSlot());
-        return PoisonedWeakImplPtr(AlreadyPoisoned, m_data & ~UsingSingleSlotFlag).unpoisoned();
+        return bitwise_cast<WeakImpl*>(m_data & ~UsingSingleSlotFlag);
     }
 
     void setMap(TransitionMap* map)
@@ -215,7 +212,7 @@
             WeakSet::deallocate(impl);
 
         // This implicitly clears the flag that indicates we're using a single transition
-        m_data = PoisonedTransitionMapPtr(map).bits();
+        m_data = bitwise_cast<intptr_t>(map);
 
         ASSERT(!isUsingSingleSlot());
     }
diff --git a/Source/JavaScriptCore/runtime/WriteBarrier.h b/Source/JavaScriptCore/runtime/WriteBarrier.h
index e2bc7c5..707e20b 100644
--- a/Source/JavaScriptCore/runtime/WriteBarrier.h
+++ b/Source/JavaScriptCore/runtime/WriteBarrier.h
@@ -27,11 +27,9 @@
 
 #include "GCAssertions.h"
 #include "HandleTypes.h"
-#include "JSCPoison.h"
 #include <type_traits>
 #include <wtf/DumbPtrTraits.h>
 #include <wtf/DumbValueTraits.h>
-#include <wtf/Poisoned.h>
 
 namespace JSC {
 
@@ -250,12 +248,4 @@
     return lhs.get() == rhs.get();
 }
 
-template<typename Poison, class T>
-using PoisonedWriteBarrierTraitsSelect = typename std::conditional<std::is_same<T, Unknown>::value,
-    WTF::PoisonedValueTraits<Poison, T>, WTF::PoisonedPtrTraits<Poison, T>
->::type;
-
-template <typename Poison, typename T>
-using PoisonedWriteBarrier = WriteBarrier<T, PoisonedWriteBarrierTraitsSelect<Poison, T>>;
-
 } // namespace JSC
diff --git a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
index 5e2a39d..5f51e5a 100644
--- a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
+++ b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
@@ -48,7 +48,6 @@
 #include "B3WasmAddressValue.h"
 #include "B3WasmBoundsCheckValue.h"
 #include "JSCInlines.h"
-#include "JSCPoison.h"
 #include "ScratchRegisterAllocator.h"
 #include "VirtualRegister.h"
 #include "WasmCallingConvention.h"
diff --git a/Source/JavaScriptCore/wasm/WasmInstance.h b/Source/JavaScriptCore/wasm/WasmInstance.h
index a773878..8d337c8 100644
--- a/Source/JavaScriptCore/wasm/WasmInstance.h
+++ b/Source/JavaScriptCore/wasm/WasmInstance.h
@@ -117,7 +117,7 @@
         Instance* targetInstance { nullptr };
         WasmToWasmImportableFunction::LoadLocation wasmEntrypointLoadLocation { nullptr };
         MacroAssemblerCodePtr<WasmEntryPtrTag> wasmToEmbedderStub;
-        void* importFunction { nullptr }; // In a JS embedding, this is a PoisonedBarrier<JSObject>.
+        void* importFunction { nullptr }; // In a JS embedding, this is a WriteBarrier<JSObject>.
     };
     unsigned numImportFunctions() const { return m_numImportFunctions; }
     ImportFunctionInfo* importFunctionInfo(size_t importFunctionNum)
diff --git a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp
index 1df552c..ae30b22 100644
--- a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp
+++ b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -116,9 +116,7 @@
             // instance as the first JS argument when we're not using fast TLS to hold the
             // Wasm::Context*'s instance.
             jit.loadPtr(CCallHelpers::Address(GPRInfo::callFrameRegister, CallFrameSlot::thisArgument * sizeof(EncodedJSValue)), GPRInfo::argumentGPR2);
-            jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR2, JSWebAssemblyInstance::offsetOfPoisonedInstance()), GPRInfo::argumentGPR2);
-            jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), GPRInfo::argumentGPR0);
-            jit.xor64(GPRInfo::argumentGPR0, GPRInfo::argumentGPR2);
+            jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR2, JSWebAssemblyInstance::offsetOfInstance()), GPRInfo::argumentGPR2);
         }
 
         jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR2, Instance::offsetOfPointerToTopEntryFrame()), GPRInfo::argumentGPR0);
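Review bot: The new `loadPtr` at `JSWebAssemblyInstance::offsetOfInstance()` reads `m_instance`, which JSWebAssemblyInstance.h in this commit declares as `Ref<Wasm::Instance>`, and uses the loaded word as a `Wasm::Instance*`. That is correct only while `Ref` stores exactly one undecorated pointer, and nothing visible pins that layout. The same assumption is made by the second hunk in this file and, for `WriteBarrier<WebAssemblyToJSCallee> m_callee`, by the `offsetOfCallee()` loads in WasmToJS.cpp. I would add `static_assert(sizeof(Ref<Wasm::Instance>) == sizeof(Wasm::Instance*), "JIT code loads m_instance as a raw pointer");` next to the offset accessors, with a matching one for `m_callee`. The enclosing function starts and ends outside this hunk.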
@@ -155,9 +153,7 @@
         // Wasm::Context*'s instance.
         if (!Context::useFastTLS()) {
             jit.loadPtr(CCallHelpers::Address(GPRInfo::callFrameRegister, jsOffset), wasmContextInstanceGPR);
-            jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfPoisonedInstance()), wasmContextInstanceGPR);
-            jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), scratchReg);
-            jit.xor64(scratchReg, wasmContextInstanceGPR);
+            jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfInstance()), wasmContextInstanceGPR);
             jsOffset += sizeof(EncodedJSValue);
         }
 
diff --git a/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h b/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h
index bf1ccac..9950656 100644
--- a/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h
+++ b/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,7 +28,6 @@
 #if ENABLE(WEBASSEMBLY)
 
 #include "CallLinkInfo.h"
-#include "JSCPoison.h"
 #include "JSCast.h"
 #include "PromiseDeferredTimer.h"
 #include "Structure.h"
@@ -36,7 +35,6 @@
 #include "WasmFormat.h"
 #include "WasmModule.h"
 #include <wtf/Bag.h>
-#include <wtf/PoisonedUniquePtr.h>
 #include <wtf/Ref.h>
 #include <wtf/Vector.h>
 
@@ -90,7 +88,7 @@
     static void destroy(JSCell*);
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    PoisonedRef<JSWebAssemblyCodeBlockPoison, Wasm::CodeBlock> m_codeBlock;
+    Ref<Wasm::CodeBlock> m_codeBlock;
     Vector<MacroAssemblerCodeRef<WasmEntryPtrTag>> m_wasmToJSExitStubs;
     Bag<CallLinkInfo> m_callLinkInfos;
     String m_errorMessage;
diff --git a/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp b/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
index bd703fd..b9d7b89 100644
--- a/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
+++ b/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -54,7 +54,7 @@
     , m_instance(WTFMove(instance))
 {
     for (unsigned i = 0; i < this->instance().numImportFunctions(); ++i)
-        new (this->instance().importFunction<PoisonedBarrier<JSObject>>(i)) PoisonedBarrier<JSObject>();
+        new (this->instance().importFunction<WriteBarrier<JSObject>>(i)) WriteBarrier<JSObject>();
 }
 
 void JSWebAssemblyInstance::finishCreation(VM& vm, JSWebAssemblyModule* module, JSModuleNamespaceObject* moduleNamespaceObject)
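Review bot: The placement-new in the loop constructs a `WriteBarrier<JSObject>` in a slot that WasmInstance.h declares as `void* importFunction`, and the type passed to `importFunction<...>()` is now spelled out independently at each use. Those uses are here, in `visitChildren` (the next hunk) and at four call sites in WebAssemblyModuleRecord.cpp. The accessor's definition is not visible, but if it reinterprets the slot, a mismatch between any of these sites would compile without complaint. A single alias used at every site (name illustrative: `using ImportFunctionBarrier = WriteBarrier<JSObject>;`) plus `static_assert(sizeof(WriteBarrier<JSObject>) == sizeof(void*), "import slot is declared as void*");` would keep them in step. The constructor begins above this hunk.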
@@ -88,7 +88,7 @@
     visitor.append(thisObject->m_callee);
     visitor.reportExtraMemoryVisited(thisObject->m_instance->extraMemoryAllocated());
     for (unsigned i = 0; i < thisObject->instance().numImportFunctions(); ++i)
-        visitor.append(*thisObject->instance().importFunction<PoisonedBarrier<JSObject>>(i)); // This also keeps the functions' JSWebAssemblyInstance alive.
+        visitor.append(*thisObject->instance().importFunction<WriteBarrier<JSObject>>(i)); // This also keeps the functions' JSWebAssemblyInstance alive.
 }
 
 void JSWebAssemblyInstance::finalizeCreation(VM& vm, ExecState* exec, Ref<Wasm::CodeBlock>&& wasmCodeBlock, JSObject* importObject, Wasm::CreationMode creationMode)
diff --git a/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h b/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h
index 3ca46d6..faab936 100644
--- a/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h
+++ b/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,7 +27,6 @@
 
 #if ENABLE(WEBASSEMBLY)
 
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "JSWebAssemblyCodeBlock.h"
@@ -81,11 +80,8 @@
 
     JSWebAssemblyModule* module() const { return m_module.get(); }
 
-    static size_t offsetOfPoisonedInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
-    static size_t offsetOfPoisonedCallee() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_callee); }
-
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<JSWebAssemblyInstancePoison, T>;
+    static size_t offsetOfInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
+    static size_t offsetOfCallee() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_callee); }
 
 protected:
     JSWebAssemblyInstance(VM&, Structure*, Ref<Wasm::Instance>&&);
@@ -94,14 +90,14 @@
     static void visitChildren(JSCell*, SlotVisitor&);
 
 private:
-    PoisonedRef<JSWebAssemblyInstancePoison, Wasm::Instance> m_instance;
+    Ref<Wasm::Instance> m_instance;
 
-    PoisonedBarrier<JSWebAssemblyModule> m_module;
-    PoisonedBarrier<JSWebAssemblyCodeBlock> m_codeBlock;
-    PoisonedBarrier<JSModuleNamespaceObject> m_moduleNamespaceObject;
-    PoisonedBarrier<JSWebAssemblyMemory> m_memory;
-    PoisonedBarrier<JSWebAssemblyTable> m_table;
-    PoisonedBarrier<WebAssemblyToJSCallee> m_callee;
+    WriteBarrier<JSWebAssemblyModule> m_module;
+    WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlock;
+    WriteBarrier<JSModuleNamespaceObject> m_moduleNamespaceObject;
+    WriteBarrier<JSWebAssemblyMemory> m_memory;
+    WriteBarrier<JSWebAssemblyTable> m_table;
+    WriteBarrier<WebAssemblyToJSCallee> m_callee;
 };
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h b/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h
index a145945..82a0dcf 100644
--- a/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h
+++ b/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,7 +27,6 @@
 
 #if ENABLE(WEBASSEMBLY)
 
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "WasmMemory.h"
@@ -67,9 +66,9 @@
     static void destroy(JSCell*);
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    PoisonedRef<JSWebAssemblyMemoryPoison, Wasm::Memory> m_memory;
-    PoisonedWriteBarrier<JSWebAssemblyMemoryPoison, JSArrayBuffer> m_bufferWrapper;
-    PoisonedRefPtr<JSWebAssemblyMemoryPoison, ArrayBuffer> m_buffer;
+    Ref<Wasm::Memory> m_memory;
+    WriteBarrier<JSArrayBuffer> m_bufferWrapper;
+    RefPtr<ArrayBuffer> m_buffer;
 };
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h b/Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h
index 72a3063..4c211b7 100644
--- a/Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h
+++ b/Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,7 +27,6 @@
 
 #if ENABLE(WEBASSEMBLY)
 
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "WasmMemoryMode.h"
@@ -78,14 +77,10 @@
     static void destroy(JSCell*);
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    PoisonedRef<JSWebAssemblyModulePoison, Wasm::Module> m_module;
-
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<JSWebAssemblyModulePoison, T>;
-
-    PoisonedBarrier<SymbolTable> m_exportSymbolTable;
-    PoisonedBarrier<JSWebAssemblyCodeBlock> m_codeBlocks[Wasm::NumberOfMemoryModes];
-    PoisonedBarrier<WebAssemblyToJSCallee> m_callee;
+    Ref<Wasm::Module> m_module;
+    WriteBarrier<SymbolTable> m_exportSymbolTable;
+    WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlocks[Wasm::NumberOfMemoryModes];
+    WriteBarrier<WebAssemblyToJSCallee> m_callee;
 };
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp b/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp
index a5033d5..5be49dd 100644
--- a/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp
+++ b/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -63,9 +63,9 @@
     // FIXME: It might be worth trying to pre-allocate maximum here. The spec recommends doing so.
     // But for now, we're not doing that.
     // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
-    m_jsFunctions = MallocPtr<PoisonedBarrier<JSObject>>::malloc((sizeof(PoisonedBarrier<JSObject>) * Checked<size_t>(allocatedLength())).unsafeGet());
+    m_jsFunctions = MallocPtr<WriteBarrier<JSObject>>::malloc((sizeof(WriteBarrier<JSObject>) * Checked<size_t>(allocatedLength())).unsafeGet());
     for (uint32_t i = 0; i < allocatedLength(); ++i)
-        new(&m_jsFunctions.get()[i]) PoisonedBarrier<JSObject>();
+        new(&m_jsFunctions.get()[i]) WriteBarrier<JSObject>();
 }
 
 void JSWebAssemblyTable::finishCreation(VM& vm)
@@ -104,10 +104,10 @@
     size_t newLength = grew.value();
     if (newLength > m_table->allocatedLength(oldLength))
         // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
-        m_jsFunctions.realloc((sizeof(PoisonedBarrier<JSObject>) * Checked<size_t>(m_table->allocatedLength(newLength))).unsafeGet());
+        m_jsFunctions.realloc((sizeof(WriteBarrier<JSObject>) * Checked<size_t>(m_table->allocatedLength(newLength))).unsafeGet());
 
     for (size_t i = oldLength; i < m_table->allocatedLength(newLength); ++i)
-        new (&m_jsFunctions.get()[i]) PoisonedBarrier<JSObject>();
+        new (&m_jsFunctions.get()[i]) WriteBarrier<JSObject>();
 
     return true;
 }
@@ -121,7 +121,7 @@
 void JSWebAssemblyTable::clearFunction(uint32_t index)
 {
     m_table->clearFunction(index);
-    m_jsFunctions.get()[index & m_table->mask()] = PoisonedBarrier<JSObject>();
+    m_jsFunctions.get()[index & m_table->mask()] = WriteBarrier<JSObject>();
 }
 
 void JSWebAssemblyTable::setFunction(VM& vm, uint32_t index, WebAssemblyFunction* function)
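Review bot: `clearFunction` indexes `m_jsFunctions` with `index & m_table->mask()` and has no comment saying why the index is masked rather than used directly. Whether `m_table->clearFunction(index)` validates `index` first is not visible here. Since this commit removes pointer poisoning, the mask is the only hardening visible on this store, so it deserves a line such as `// Mask the index so the store stays inside the allocated buffer even for an out-of-range index.` if that is its purpose.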
diff --git a/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h b/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h
index 604119f..d2f3eac 100644
--- a/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h
+++ b/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,7 +27,6 @@
 
 #if ENABLE(WEBASSEMBLY)
 
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "WasmLimits.h"
@@ -66,12 +65,8 @@
     static void destroy(JSCell*);
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    PoisonedRef<JSWebAssemblyTablePoison, Wasm::Table> m_table;
-
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<JSWebAssemblyTablePoison, T>;
-
-    MallocPtr<PoisonedBarrier<JSObject>> m_jsFunctions;
+    Ref<Wasm::Table> m_table;
+    MallocPtr<WriteBarrier<JSObject>> m_jsFunctions;
 };
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/wasm/js/WasmToJS.cpp b/Source/JavaScriptCore/wasm/js/WasmToJS.cpp
index 9265aae..792f02d 100644
--- a/Source/JavaScriptCore/wasm/js/WasmToJS.cpp
+++ b/Source/JavaScriptCore/wasm/js/WasmToJS.cpp
@@ -47,12 +47,11 @@
 
 using JIT = CCallHelpers;
 
-static void materializeImportJSCell(JIT& jit, unsigned importIndex, GPRReg poison, GPRReg result)
+static void materializeImportJSCell(JIT& jit, unsigned importIndex, GPRReg result)
 {
     // We're calling out of the current WebAssembly.Instance. That Instance has a list of all its import functions.
     jit.loadWasmContextInstance(result);
     jit.loadPtr(JIT::Address(result, Instance::offsetOfImportFunction(importIndex)), result);
-    jit.xor64(poison, result);
 }
 
 static Expected<MacroAssemblerCodeRef<WasmEntryPtrTag>, BindingFailure> handleBadI64Use(VM* vm, JIT& jit, const Signature& signature, unsigned importIndex)
@@ -86,14 +85,9 @@
 
         // Store Callee.
         jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR1, Instance::offsetOfOwner()), GPRInfo::argumentGPR1);
-        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR1, JSWebAssemblyInstance::offsetOfPoisonedCallee()), GPRInfo::argumentGPR2);
-        jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), GPRInfo::argumentGPR3);
-        jit.xor64(GPRInfo::argumentGPR3, GPRInfo::argumentGPR2);
+        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR1, JSWebAssemblyInstance::offsetOfCallee()), GPRInfo::argumentGPR2);
         jit.storePtr(GPRInfo::argumentGPR2, JIT::Address(GPRInfo::callFrameRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
 
-        // Let's be paranoid on the exception path and zero out the poison instead of leaving it in an argument GPR.
-        jit.move(CCallHelpers::TrustedImm32(0), GPRInfo::argumentGPR3);
-
         auto call = jit.call(OperationPtrTag);
         jit.jumpToExceptionHandler(*vm);
 
@@ -291,16 +285,11 @@
         
         jit.loadWasmContextInstance(GPRInfo::argumentGPR0);
         jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, Instance::offsetOfOwner()), GPRInfo::argumentGPR0);
-        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfPoisonedCallee()), GPRInfo::argumentGPR0);
-        jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), GPRInfo::argumentGPR3);
-        jit.xor64(GPRInfo::argumentGPR3, GPRInfo::argumentGPR0);
+        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfCallee()), GPRInfo::argumentGPR0);
         jit.storePtr(GPRInfo::argumentGPR0, JIT::Address(GPRInfo::callFrameRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
         
-        materializeImportJSCell(jit, importIndex, GPRInfo::argumentGPR3, GPRInfo::argumentGPR1);
+        materializeImportJSCell(jit, importIndex, GPRInfo::argumentGPR1);
         
-        // Let's be paranoid before the call and zero out the poison instead of leaving it in an argument GPR.
-        jit.move(CCallHelpers::TrustedImm32(0), GPRInfo::argumentGPR3);
-
         static_assert(GPRInfo::numberOfArgumentRegisters >= 4, "We rely on this with the call below.");
         static_assert(sizeof(SignatureIndex) == sizeof(uint64_t), "Following code assumes SignatureIndex is 64bit.");
         jit.setupArguments<decltype(callFunc)>(GPRInfo::argumentGPR1, CCallHelpers::TrustedImm64(signatureIndex), CCallHelpers::TrustedImmPtr(buffer));
@@ -479,24 +468,15 @@
         }
     }
 
-    GPRReg poison = GPRInfo::argumentGPR1;
-    ASSERT(poison != GPRInfo::argumentGPR0); // Both are used at the same time below.
-
     jit.loadWasmContextInstance(GPRInfo::argumentGPR0);
     jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, Instance::offsetOfOwner()), GPRInfo::argumentGPR0);
-    jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfPoisonedCallee()), GPRInfo::argumentGPR0);
-    jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), poison);
-    jit.xor64(poison, GPRInfo::argumentGPR0);
+    jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfCallee()), GPRInfo::argumentGPR0);
     jit.storePtr(GPRInfo::argumentGPR0, JIT::Address(GPRInfo::callFrameRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
 
     GPRReg importJSCellGPRReg = GPRInfo::regT0; // Callee needs to be in regT0 for slow path below.
-    ASSERT(poison != importJSCellGPRReg);
 
     ASSERT(!wasmCC.m_calleeSaveRegisters.get(importJSCellGPRReg));
-    materializeImportJSCell(jit, importIndex, poison, importJSCellGPRReg);
-
-    // Let's be paranoid zero out the poison instead of leaving it in an argument GPR.
-    jit.move(CCallHelpers::TrustedImm32(0), poison);
+    materializeImportJSCell(jit, importIndex, importJSCellGPRReg);
 
     jit.store64(importJSCellGPRReg, calleeFrame.withOffset(CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
     jit.store32(JIT::TrustedImm32(numberOfParameters), calleeFrame.withOffset(CallFrameSlot::argumentCount * static_cast<int>(sizeof(Register)) + PayloadOffset));
diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h b/Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h
index d1719a0..a533b5d 100644
--- a/Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h
@@ -50,7 +50,7 @@
     void finishCreation(VM&, NativeExecutable*, unsigned length, const String& name, JSWebAssemblyInstance*);
     WebAssemblyFunctionBase(VM&, JSGlobalObject*, Structure*);
 
-    PoisonedWriteBarrier<WebAssemblyFunctionBasePoison, JSWebAssemblyInstance> m_instance;
+    WriteBarrier<JSWebAssemblyInstance> m_instance;
 };
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
index 2dc0ae7..b67c05e 100644
--- a/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -224,7 +224,7 @@
             auto* info = m_instance->instance().importFunctionInfo(import.kindIndex);
             info->targetInstance = calleeInstance;
             info->wasmEntrypointLoadLocation = entrypointLoadLocation;
-            m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(import.kindIndex)->set(vm, m_instance.get(), function);
+            m_instance->instance().importFunction<WriteBarrier<JSObject>>(import.kindIndex)->set(vm, m_instance.get(), function);
             break;
         }
 
@@ -338,7 +338,7 @@
             //   ii. (Note: At most one wrapper is created for any closure, so func is unique, even if there are multiple occurrances in the list. Moreover, if the item was an import that is already an Exported Function Exotic Object, then the original function object will be found. For imports that are regular JS functions, a new wrapper will be created.)
             if (exp.kindIndex < functionImportCount) {
                 unsigned functionIndex = exp.kindIndex;
-                JSObject* functionImport = m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(functionIndex)->get();
+                JSObject* functionImport = m_instance->instance().importFunction<WriteBarrier<JSObject>>(functionIndex)->get();
                 if (isWebAssemblyHostFunction(vm, functionImport))
                     exportedValue = functionImport;
                 else {
@@ -419,7 +419,7 @@
         ASSERT(!signature.argumentCount());
         ASSERT(signature.returnType() == Wasm::Void);
         if (startFunctionIndexSpace < codeBlock->functionImportCount()) {
-            JSObject* startFunction = m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(startFunctionIndexSpace)->get();
+            JSObject* startFunction = m_instance->instance().importFunction<WriteBarrier<JSObject>>(startFunctionIndexSpace)->get();
             m_startFunction.set(vm, this, startFunction);
         } else {
             Wasm::Callee& embedderEntrypointCallee = codeBlock->embedderEntrypointCalleeFromFunctionIndexSpace(startFunctionIndexSpace);
@@ -520,7 +520,7 @@
             uint32_t functionIndex = element.functionIndices[i];
             Wasm::SignatureIndex signatureIndex = module.signatureIndexFromFunctionIndexSpace(functionIndex);
             if (functionIndex < codeBlock->functionImportCount()) {
-                JSObject* functionImport = m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(functionIndex)->get();
+                JSObject* functionImport = m_instance->instance().importFunction<WriteBarrier<JSObject>>(functionIndex)->get();
                 if (isWebAssemblyHostFunction(vm, functionImport)) {
                     WebAssemblyFunction* wasmFunction = jsDynamicCast<WebAssemblyFunction*>(vm, functionImport);
                     // If we ever import a WebAssemblyWrapperFunction, we set the import as the unwrapped value.
diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.h b/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.h
index 316f337..18e3d43 100644
--- a/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.h
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -61,11 +61,8 @@
 
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<WebAssemblyModuleRecordPoison, T>;
-
-    PoisonedBarrier<JSWebAssemblyInstance> m_instance;
-    PoisonedBarrier<JSObject> m_startFunction;
+    WriteBarrier<JSWebAssemblyInstance> m_instance;
+    WriteBarrier<JSObject> m_startFunction;
 };
 
 } // namespace JSC
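Review bot: `m_instance` and `m_startFunction` become plain `WriteBarrier` fields, and nothing on the new side records that dropping the per-type poison was deliberate. Nor does it say what now covers the case the poison was there for, which I understand to be Spectre-class hardening of stored pointers. The same applies to `m_module` in WebAssemblyToJSCallee.h and `m_function` in WebAssemblyWrapperFunction.h. A one-line comment above the members would keep a later hardening audit from reading this as an accidental regression, for example `// Intentionally not poisoned; see https://bugs.webkit.org/show_bug.cgi?id=195082.` The class body starts outside the hunk.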
diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.h b/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.h
index c89a1af..a46baf9 100644
--- a/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.h
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -51,7 +51,7 @@
     void finishCreation(VM&, JSWebAssemblyModule*);
     WebAssemblyToJSCallee(VM&, Structure*);
 
-    PoisonedWriteBarrier<WebAssemblyToJSCalleePoison, JSWebAssemblyModule> m_module;
+    WriteBarrier<JSWebAssemblyModule> m_module;
 };
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h b/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h
index 12a55d6..d12e691 100644
--- a/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,7 +64,7 @@
 private:
     WebAssemblyWrapperFunction(VM&, JSGlobalObject*, Structure*, WasmToWasmImportableFunction);
 
-    PoisonedWriteBarrier<WebAssemblyWrapperFunctionPoison, JSObject> m_function;
+    WriteBarrier<JSObject> m_function;
     // It's safe to just hold the raw WasmToWasmImportableFunction because we have a reference
     // to our Instance, which points to the CodeBlock, which points to the Module
     // that exported us, which ensures that the actual Signature/code doesn't get deallocated.