Changeset 225659 in webkit

Timestamp:

Dec 7, 2017 5:22:06 PM (6 years ago)

Author:

mark.lam@apple.com

Message:

Apply poisoning to some native code pointers.
​https://bugs.webkit.org/show_bug.cgi?id=180541
<rdar://problem/35916875>

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

Renamed g_classInfoPoison to g_globalDataPoison.
Renamed g_masmPoison to g_jitCodePoison.
Introduced g_nativeCodePoison.
Applied g_nativeCodePoison to poisoning some native code pointers.

Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
to malloc allocated data structures (where needed).

• API/JSCallbackFunction.h:

(JSC::JSCallbackFunction::functionCallback):

• JavaScriptCore.xcodeproj/project.pbxproj:
• jit/ThunkGenerators.cpp:

(JSC::nativeForGenerator):

• llint/LowLevelInterpreter64.asm:
• runtime/CustomGetterSetter.h:

(JSC::CustomGetterSetter::getter const):
(JSC::CustomGetterSetter::setter const):

• runtime/InternalFunction.cpp:

(JSC::InternalFunction::getCallData):
(JSC::InternalFunction::getConstructData):

• runtime/InternalFunction.h:

(JSC::InternalFunction::nativeFunctionFor):

• runtime/JSCPoison.h: Added.
• runtime/JSCPoisonedPtr.cpp:

(JSC::initializePoison):

• runtime/JSCPoisonedPtr.h:
• runtime/Lookup.h:
• runtime/NativeExecutable.cpp:

(JSC::NativeExecutable::hashFor const):

• runtime/NativeExecutable.h:
• runtime/Structure.cpp:

(JSC::StructureTransitionTable::setSingleTransition):

• runtime/StructureTransitionTable.h:

(JSC::StructureTransitionTable::StructureTransitionTable):
(JSC::StructureTransitionTable::isUsingSingleSlot const):
(JSC::StructureTransitionTable::map const):
(JSC::StructureTransitionTable::weakImpl const):
(JSC::StructureTransitionTable::setMap):

Source/WTF:

Ensure that the resultant poisoned bits still looks like a pointer in that its
bottom bits are 0, just like the alignment bits of a pointer. This allows the
client to use the bottom bits of the poisoned bits as flag bits just like the
client was previously able to do with pointer values.

Note: we only ensure that the bottom alignment bits of the generated poison
value is 0. We're not masking out the poisoned bits. This means that the bottom
bits of the poisoned bits will only be null if the original pointer is aligned.
Hence, if the client applies the poison to an unaligned pointer, we do not lose
any information on the low bits.

Also removed 2 wrong assertions in PoisonedImpl's constructors. We were
asserting that Poisoned will never be used with a null value, but that's invalid.
We do want to allow a null value so that we don't have to constantly do null
checks in the clients. This was uncovered by some layout tests.

• wtf/Poisoned.cpp:

(WTF::makePoison):

• wtf/Poisoned.h:

(WTF::PoisonedImpl::PoisonedImpl):

Location:

trunk/Source

Files:

• JavaScriptCore/API/JSCallbackFunction.h (modified) (2 diffs)
• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• JavaScriptCore/b3/B3LowerMacros.cpp (modified) (1 diff)
• JavaScriptCore/b3/testb3.cpp (modified) (1 diff)
• JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• JavaScriptCore/jit/ThunkGenerators.cpp (modified) (4 diffs)
• JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (3 diffs)
• JavaScriptCore/runtime/CustomGetterSetter.h (modified) (4 diffs)
• JavaScriptCore/runtime/InternalFunction.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/InternalFunction.h (modified) (5 diffs)
• JavaScriptCore/runtime/JSCPoison.h (added)
• JavaScriptCore/runtime/JSCPoisonedPtr.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSCPoisonedPtr.h (modified) (1 diff)
• JavaScriptCore/runtime/NativeExecutable.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/NativeExecutable.h (modified) (3 diffs)
• JavaScriptCore/runtime/Structure.cpp (modified) (1 diff)
• JavaScriptCore/runtime/StructureTransitionTable.h (modified) (5 diffs)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/Poisoned.cpp (modified) (1 diff)
• WTF/wtf/Poisoned.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/API/JSCallbackFunction.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -52 +52 @@
     void finishCreation(VM&, const String& name);
 
-    JSObjectCallAsFunctionCallback functionCallback() { return m_callback; }
+    JSObjectCallAsFunctionCallback functionCallback() { return m_callback.unpoisoned(); }
 
-    JSObjectCallAsFunctionCallback m_callback;
+    Poisoned<g_nativeCodePoison, JSObjectCallAsFunctionCallback> m_callback;
 };
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-12-07  Mark Lam  <mark.lam@apple.com>
+
+        Apply poisoning to some native code pointers.
+        https://bugs.webkit.org/show_bug.cgi?id=180541
+        <rdar://problem/35916875>
+
+        Reviewed by Filip Pizlo.
+
+        Renamed g_classInfoPoison to g_globalDataPoison.
+        Renamed g_masmPoison to g_jitCodePoison.
+        Introduced g_nativeCodePoison.
+        Applied g_nativeCodePoison to poisoning some native code pointers.
+
+        Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
+        to malloc allocated data structures (where needed).
+
+        * API/JSCallbackFunction.h:
+        (JSC::JSCallbackFunction::functionCallback):
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * jit/ThunkGenerators.cpp:
+        (JSC::nativeForGenerator):
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/CustomGetterSetter.h:
+        (JSC::CustomGetterSetter::getter const):
+        (JSC::CustomGetterSetter::setter const):
+        * runtime/InternalFunction.cpp:
+        (JSC::InternalFunction::getCallData):
+        (JSC::InternalFunction::getConstructData):
+        * runtime/InternalFunction.h:
+        (JSC::InternalFunction::nativeFunctionFor):
+        * runtime/JSCPoison.h: Added.
+        * runtime/JSCPoisonedPtr.cpp:
+        (JSC::initializePoison):
+        * runtime/JSCPoisonedPtr.h:
+        * runtime/Lookup.h:
+        * runtime/NativeExecutable.cpp:
+        (JSC::NativeExecutable::hashFor const):
+        * runtime/NativeExecutable.h:
+        * runtime/Structure.cpp:
+        (JSC::StructureTransitionTable::setSingleTransition):
+        * runtime/StructureTransitionTable.h:
+        (JSC::StructureTransitionTable::StructureTransitionTable):
+        (JSC::StructureTransitionTable::isUsingSingleSlot const):
+        (JSC::StructureTransitionTable::map const):
+        (JSC::StructureTransitionTable::weakImpl const):
+        (JSC::StructureTransitionTable::setMap):
+
 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1722 +1722 @@
                 FE2A87601F02381600EB31B2 /* MinimumReservedZoneSize.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */; };
                 FE2B0B691FD227E00075DA5F /* JSCPoisonedPtr.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2B0B671FD0D2960075DA5F /* JSCPoisonedPtr.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2B0B701FD8C4630075DA5F /* JSCPoison.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FE3022D31E3D73A500BAC493 /* SigillCrashAnalyzer.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D11E3D739600BAC493 /* SigillCrashAnalyzer.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FE3022D71E42857300BAC493 /* VMInspector.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D51E42856700BAC493 /* VMInspector.h */; };
@@ -4601 +4602 @@
                 FE2B0B671FD0D2960075DA5F /* JSCPoisonedPtr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCPoisonedPtr.h; sourceTree = "<group>"; };
                 FE2B0B681FD0D2970075DA5F /* JSCPoisonedPtr.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSCPoisonedPtr.cpp; sourceTree = "<group>"; };
+                FE2B0B701FD8C4630075DA5F /* JSCPoison.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCPoison.h; sourceTree = "<group>"; };
                 FE2E6A7A1D6EA5FE0060F896 /* ThrowScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ThrowScope.cpp; sourceTree = "<group>"; };
                 FE3022D01E3D739600BAC493 /* SigillCrashAnalyzer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SigillCrashAnalyzer.cpp; sourceTree = "<group>"; };
@@ -6544 +6546 @@
                                 14ABB36E099C076400E2A24F /* JSCJSValue.h */,
                                 865A30F0135007E100CDB49E /* JSCJSValueInlines.h */,
+                                FE2B0B701FD8C4630075DA5F /* JSCPoison.h */,
                                 FE2B0B681FD0D2970075DA5F /* JSCPoisonedPtr.cpp */,
                                 FE2B0B671FD0D2960075DA5F /* JSCPoisonedPtr.h */,
@@ -8102 +8105 @@
                                 0F33FCFB1C1625BE00323F67 /* B3CFG.h in Headers */,
                                 0FEC85061BDACDAC0080FF74 /* B3CheckSpecial.h in Headers */,
+                                FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */,
                                 0FEC85081BDACDAC0080FF74 /* B3CheckValue.h in Headers */,
                                 0FEC850A1BDACDAC0080FF74 /* B3Common.h in Headers */,

trunk/Source/JavaScriptCore/b3/B3LowerMacros.cpp

@@ -508 +508 @@
                         GPRReg poisonScratch = params.gpScratch(1);
 
-                        jit.move(CCallHelpers::TrustedImm64(g_masmPoison), poisonScratch);
+                        jit.move(CCallHelpers::TrustedImm64(g_jitCodePoison), poisonScratch);
                         jit.move(CCallHelpers::TrustedImmPtr(jumpTable), scratch);
                         jit.load64(CCallHelpers::BaseIndex(scratch, index, CCallHelpers::timesPtr()), scratch);

trunk/Source/JavaScriptCore/b3/testb3.cpp

@@ -13034 +13034 @@
 
             jit.move(CCallHelpers::TrustedImmPtr(jumpTable), scratch);
-            jit.move(CCallHelpers::TrustedImm64(g_masmPoison), poisonScratch);
+            jit.move(CCallHelpers::TrustedImm64(g_jitCodePoison), poisonScratch);
             jit.load64(CCallHelpers::BaseIndex(scratch, params[0].gpr(), CCallHelpers::timesPtr()), scratch);
             jit.xor64(poisonScratch, scratch);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -8707 +8707 @@
         m_jit.loadPtr(CCallHelpers::Address(otherGPR, Structure::classInfoOffset()), otherGPR);
 #if USE(JSVALUE64)
-        m_jit.move(CCallHelpers::TrustedImm64(g_classInfoPoison), specifiedGPR);
+        m_jit.move(CCallHelpers::TrustedImm64(g_globalDataPoison), specifiedGPR);
         m_jit.xor64(specifiedGPR, otherGPR);
 #endif
@@ -9785 +9785 @@
     UNUSED_PARAM(poisonScratch); // Placate the 32-bit build.
 #if USE(JSVALUE64)
-    m_jit.move(TrustedImm64(g_masmPoison), poisonScratch);
+    m_jit.move(TrustedImm64(g_jitCodePoison), poisonScratch);
 #endif
     m_jit.move(TrustedImmPtr(table.ctiOffsets.begin()), scratch);

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -11172 +11172 @@
             LValue structure = loadStructure(cell);
             LValue poisonedClassInfo = m_out.loadPtr(structure, m_heaps.Structure_classInfo);
-            LValue classInfo = m_out.bitXor(poisonedClassInfo, m_out.constInt64(g_classInfoPoison));
+            LValue classInfo = m_out.bitXor(poisonedClassInfo, m_out.constInt64(g_globalDataPoison));
             ValueFromBlock otherAtStart = m_out.anchor(classInfo);
             m_out.jump(loop);

trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

@@ -215 +215 @@
     // call.
 #if USE(JSVALUE64)
-    jit.move(CCallHelpers::TrustedImm64(g_masmPoison), GPRInfo::regT1);
+    jit.move(CCallHelpers::TrustedImm64(g_jitCodePoison), GPRInfo::regT1);
     jit.xor64(GPRInfo::regT1, GPRInfo::regT4);
 #endif
@@ -308 +308 @@
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, JSFunction::offsetOfExecutable()), X86Registers::r9);
-        jit.call(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction));
+        jit.loadPtr(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction), X86Registers::r9);
     } else
-        jit.call(JSInterfaceJIT::Address(X86Registers::esi, InternalFunction::offsetOfNativeFunctionFor(kind)));
+        jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, InternalFunction::offsetOfNativeFunctionFor(kind)), X86Registers::r9);
+    jit.move(JSInterfaceJIT::TrustedImm64(g_nativeCodePoison), X86Registers::esi);
+    jit.xor64(X86Registers::esi, X86Registers::r9);
+    jit.call(X86Registers::r9);
 
 #else
@@ -342 +345 @@
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, JSFunction::offsetOfExecutable()), ARM64Registers::x2);
-        jit.call(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction));
+        jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction), ARM64Registers::x2);
     } else
-        jit.call(JSInterfaceJIT::Address(ARM64Registers::x1, InternalFunction::offsetOfNativeFunctionFor(kind)));
+        jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, InternalFunction::offsetOfNativeFunctionFor(kind)), ARM64Registers::x2);
+    jit.move(JSInterfaceJIT::TrustedImm64(g_nativeCodePoison), ARM64Registers::x1);
+    jit.xor64(ARM64Registers::x1, ARM64Registers::x2);
+    jit.call(ARM64Registers::x2);
+
 #elif CPU(ARM) || CPU(MIPS)
 #if CPU(MIPS)
@@ -1164 +1171 @@
     
 #if USE(JSVALUE64)
-    jit.move(CCallHelpers::TrustedImm64(g_masmPoison), GPRInfo::regT1);
+    jit.move(CCallHelpers::TrustedImm64(g_jitCodePoison), GPRInfo::regT1);
     jit.xor64(GPRInfo::regT1, GPRInfo::regT0);
 #endif

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1951 +1951 @@
         callTargetFunction(LLIntCallLinkInfo::machineCodeTarget[t1])
     else
-        loadp _g_masmPoison, t2
+        loadp _g_jitCodePoison, t2
         xorp LLIntCallLinkInfo::machineCodeTarget[t1], t2
         prepareCall(t2, t1, t3, t4)
@@ -2081 +2081 @@
         if X86_64_WIN
             subp 32, sp
-        end
-        call executableOffsetToFunction[t1]
-        if X86_64_WIN
+            call executableOffsetToFunction[t1]
             addp 32, sp
+        else
+            loadp _g_nativeCodePoison, t2
+            xorp executableOffsetToFunction[t1], t2
+            call t2
         end
     end
@@ -2120 +2122 @@
         if X86_64_WIN
             subp 32, sp
-        end
-        call offsetOfFunction[t1]
-        if X86_64_WIN
+            call offsetOfFunction[t1]
             addp 32, sp
+        else
+            loadp _g_nativeCodePoison, t2
+            xorp offsetOfFunction[t1], t2
+            call t2
         end
     end

trunk/Source/JavaScriptCore/runtime/CustomGetterSetter.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #pragma once
 
+#include "JSCPoisonedPtr.h"
 #include "JSCell.h"
 #include "PropertySlot.h"
@@ -48 +49 @@
     }
 
-    CustomGetterSetter::CustomGetter getter() const { return m_getter; }
-    CustomGetterSetter::CustomSetter setter() const { return m_setter; }
+    CustomGetterSetter::CustomGetter getter() const { return m_getter.unpoisoned(); }
+    CustomGetterSetter::CustomSetter setter() const { return m_setter.unpoisoned(); }
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
@@ -67 +68 @@
 
 private:
-    CustomGetter m_getter;
-    CustomSetter m_setter;
+    template<typename T>
+    using PoisonedAccessor = Poisoned<g_nativeCodePoison, T>;
+
+    PoisonedAccessor<CustomGetter> m_getter;
+    PoisonedAccessor<CustomSetter> m_setter;
 };
 

trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

@@ -89 +89 @@
     auto* function = jsCast<InternalFunction*>(cell);
     ASSERT(function->m_functionForCall);
-    callData.native.function = function->m_functionForCall;
+    callData.native.function = function->m_functionForCall.unpoisoned();
     return CallType::Host;
 }
@@ -98 +98 @@
     if (function->m_functionForConstruct == callHostFunctionAsConstructor)
         return ConstructType::None;
-    constructData.native.function = function->m_functionForConstruct;
+    constructData.native.function = function->m_functionForConstruct.unpoisoned();
     return ConstructType::Host;
 }

trunk/Source/JavaScriptCore/runtime/InternalFunction.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003, 2006, 2007, 2008, 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2017 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
@@ -25 +25 @@
 
 #include "CodeSpecializationKind.h"
+#include "JSCPoisonedPtr.h"
 #include "JSDestructibleObject.h"
 
@@ -56 +57 @@
     {
         if (kind == CodeForCall)
-            return m_functionForCall;
+            return m_functionForCall.unpoisoned();
         ASSERT(kind == CodeForConstruct);
-        return m_functionForConstruct;
+        return m_functionForConstruct.unpoisoned();
     }
 
@@ -70 +71 @@
 
 protected:
+    using PoisonedNativeFunction = Poisoned<g_nativeCodePoison, NativeFunction>;
+
     JS_EXPORT_PRIVATE InternalFunction(VM&, Structure*, NativeFunction functionForCall, NativeFunction functionForConstruct);
 
@@ -80 +83 @@
     JS_EXPORT_PRIVATE static CallType getCallData(JSCell*, CallData&);
 
-    NativeFunction m_functionForCall;
-    NativeFunction m_functionForConstruct;
+    PoisonedNativeFunction m_functionForCall;
+    PoisonedNativeFunction m_functionForConstruct;
     WriteBarrier<JSString> m_originalName;
 };

trunk/Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp

@@ -29 +29 @@
 namespace JSC {
 
-uintptr_t g_classInfoPoison;
-uintptr_t g_masmPoison;
+uintptr_t g_globalDataPoison;
+uintptr_t g_jitCodePoison;
+uintptr_t g_nativeCodePoison;
 
 void initializePoison()
@@ -36 +37 @@
     static std::once_flag initializeOnceFlag;
     std::call_once(initializeOnceFlag, [] {
-        g_classInfoPoison = makePoison();
-        g_masmPoison = makePoison();
+        g_globalDataPoison = makePoison();
+        g_jitCodePoison = makePoison();
+        g_nativeCodePoison = makePoison();
     });
 }

trunk/Source/JavaScriptCore/runtime/JSCPoisonedPtr.h

@@ -30 +30 @@
 namespace JSC {
 
-extern "C" JS_EXPORTDATA uintptr_t g_classInfoPoison;
-extern "C" JS_EXPORTDATA uintptr_t g_masmPoison;
+extern "C" JS_EXPORTDATA uintptr_t g_globalDataPoison;
+extern "C" JS_EXPORTDATA uintptr_t g_jitCodePoison;
+extern "C" JS_EXPORTDATA uintptr_t g_nativeCodePoison;
 
 struct ClassInfo;
 
-using PoisonedClassInfoPtr = Poisoned<g_classInfoPoison, const ClassInfo*>;
-using PoisonedMasmPtr = Poisoned<g_masmPoison, void*>;
+using PoisonedClassInfoPtr = Poisoned<g_globalDataPoison, const ClassInfo*>;
+using PoisonedMasmPtr = Poisoned<g_jitCodePoison, void*>;
 
 void initializePoison();

trunk/Source/JavaScriptCore/runtime/NativeExecutable.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2009, 2010, 2013, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -80 +80 @@
 {
     if (kind == CodeForCall)
-        return CodeBlockHash(static_cast<unsigned>(bitwise_cast<size_t>(m_function)));
-    
+        return CodeBlockHash(m_function.bits());
+
     RELEASE_ASSERT(kind == CodeForConstruct);
-    return CodeBlockHash(static_cast<unsigned>(bitwise_cast<size_t>(m_constructor)));
+    return CodeBlockHash(m_constructor.bits());
 }
 

trunk/Source/JavaScriptCore/runtime/NativeExecutable.h

@@ -27 +27 @@
 
 #include "ExecutableBase.h"
+#include "JSCPoisonedPtr.h"
 
 namespace JSC {
@@ -52 +53 @@
     CodeBlockHash hashFor(CodeSpecializationKind) const;
 
-    NativeFunction function() { return m_function; }
-    NativeFunction constructor() { return m_constructor; }
+    NativeFunction function() { return m_function.unpoisoned(); }
+    NativeFunction constructor() { return m_constructor.unpoisoned(); }
         
     NativeFunction nativeFunctionFor(CodeSpecializationKind kind)
@@ -90 +91 @@
 private:
     friend class ExecutableBase;
+    using PoisonedNativeFunction = Poisoned<g_nativeCodePoison, NativeFunction>;
 
     NativeExecutable(VM&, NativeFunction function, NativeFunction constructor, Intrinsic, const DOMJIT::Signature*);
 
-    NativeFunction m_function;
-    NativeFunction m_constructor;
+    PoisonedNativeFunction m_function;
+    PoisonedNativeFunction m_constructor;
     const DOMJIT::Signature* m_signature;
 

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -87 +87 @@
         WeakSet::deallocate(impl);
     WeakImpl* impl = WeakSet::allocate(structure, &singleSlotTransitionWeakOwner(), this);
-    m_data = reinterpret_cast<intptr_t>(impl) | UsingSingleSlotFlag;
+    m_data = PoisonedWeakImplPtr(impl).bits() | UsingSingleSlotFlag;
 }
 

trunk/Source/JavaScriptCore/runtime/StructureTransitionTable.h

@@ -27 +27 @@
 
 #include "IndexingType.h"
+#include "JSCPoison.h"
 #include "WeakGCMap.h"
 #include <wtf/HashFunctions.h>
@@ -187 +188 @@
 private:
     friend class SingleSlotTransitionWeakOwner;
+    using PoisonedTransitionMapPtr = Int32Poisoned<TransitionMapPoison, TransitionMap*>;
+    using PoisonedWeakImplPtr = Int32Poisoned<WeakImplPoison, WeakImpl*>;
 
     bool isUsingSingleSlot() const
@@ -196 +199 @@
     {
         ASSERT(!isUsingSingleSlot());
-        return reinterpret_cast<TransitionMap*>(m_data);
+        return PoisonedTransitionMapPtr(m_data).unpoisoned();
     }
 
@@ -202 +205 @@
     {
         ASSERT(isUsingSingleSlot());
-        return reinterpret_cast<WeakImpl*>(m_data & ~UsingSingleSlotFlag);
+        return PoisonedWeakImplPtr(m_data & ~UsingSingleSlotFlag).unpoisoned();
     }
 
@@ -213 +216 @@
 
         // This implicitly clears the flag that indicates we're using a single transition
-        m_data = reinterpret_cast<intptr_t>(map);
+        m_data = PoisonedTransitionMapPtr(map).bits();
 
         ASSERT(!isUsingSingleSlot());

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2017-12-07  Mark Lam  <mark.lam@apple.com>
+
+        Apply poisoning to some native code pointers.
+        https://bugs.webkit.org/show_bug.cgi?id=180541
+        <rdar://problem/35916875>
+
+        Reviewed by Filip Pizlo.
+
+        Ensure that the resultant poisoned bits still looks like a pointer in that its
+        bottom bits are 0, just like the alignment bits of a pointer.  This allows the
+        client to use the bottom bits of the poisoned bits as flag bits just like the
+        client was previously able to do with pointer values.
+
+        Note: we only ensure that the bottom alignment bits of the generated poison
+        value is 0.  We're not masking out the poisoned bits.  This means that the bottom
+        bits of the poisoned bits will only be null if the original pointer is aligned.
+        Hence, if the client applies the poison to an unaligned pointer, we do not lose
+        any information on the low bits.
+
+        Also removed 2 wrong assertions in PoisonedImpl's constructors.  We were
+        asserting that Poisoned will never be used with a null value, but that's invalid.
+        We do want to allow a null value so that we don't have to constantly do null
+        checks in the clients.  This was uncovered by some layout tests.
+
+        * wtf/Poisoned.cpp:
+        (WTF::makePoison):
+        * wtf/Poisoned.h:
+        (WTF::PoisonedImpl::PoisonedImpl):
+
 2017-12-07  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/WTF/wtf/Poisoned.cpp

@@ -40 +40 @@
     // used for a notmal zero check without needing to decoded first.
     key |= (static_cast<uintptr_t>(0x1) << 63);
+    // Ensure that the bottom alignment bits are still 0 so that the poisoned bits will
+    // still preserve the properties of a pointer where these bits are expected to be 0.
+    // This allows the poisoned bits to be used in place of the pointer by clients that
+    // rely on this property of pointers and sets flags in the low bits.
+    key &= ~static_cast<uintptr_t>(0x7);
 #else
     key = 0; // Poisoning is not supported on 32-bit or non-darwin platforms yet.

trunk/Source/WTF/wtf/Poisoned.h

@@ -48 +48 @@
     explicit PoisonedImpl(T ptr)
         : m_poisonedBits(poison(ptr))
-    {
-        ASSERT(ptr && m_poisonedBits);
-    }
+    { }
 
     PoisonedImpl(const PoisonedImpl&) = default;
@@ -56 +54 @@
     explicit PoisonedImpl(PoisonedBits poisonedBits)
         : m_poisonedBits(poisonedBits)
-    {
-        ASSERT(m_poisonedBits);
-    }
+    { }
 
 #if ENABLE(POISON_ASSERTS)