Changeset 242123 in webkit


Ignore:
Timestamp:
Feb 26, 2019 9:43:34 PM (5 years ago)
Author:
mark.lam@apple.com
Message:

Remove poisons in JSCPoison and uses of them.
https://bugs.webkit.org/show_bug.cgi?id=195082

Reviewed by Yusuke Suzuki.

Also removed unused poisoning code in WriteBarrier, AssemblyHelpers,
DFG::SpeculativeJIT, FTLLowerDFGToB3, and FTL::Output.

  • API/JSAPIWrapperObject.h:

(JSC::JSAPIWrapperObject::wrappedObject):

  • API/JSCallbackFunction.h:
  • API/JSCallbackObject.h:
  • API/glib/JSAPIWrapperGlobalObject.h:
  • CMakeLists.txt:
  • JavaScriptCore.xcodeproj/project.pbxproj:
  • Sources.txt:
  • bytecode/AccessCase.cpp:

(JSC::AccessCase::generateWithGuard):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileGetExecutable):
(JSC::DFG::SpeculativeJIT::compileCreateThis):

  • dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer): Deleted.

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::weakPointer):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer): Deleted.

  • ftl/FTLOutput.h:

(JSC::FTL::Output::weakPoisonedPointer): Deleted.

  • jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::emitDynamicPoison): Deleted.
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType): Deleted.
(JSC::AssemblyHelpers::emitDynamicPoisonOnType): Deleted.

  • jit/AssemblyHelpers.h:
  • jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_create_this):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitScopedArgumentsGetByVal):

  • jit/Repatch.cpp:

(JSC::linkPolymorphicCall):

  • jit/ThunkGenerators.cpp:

(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):

  • parser/UnlinkedSourceCode.h:
  • runtime/ArrayPrototype.h:
  • runtime/CustomGetterSetter.h:

(JSC::CustomGetterSetter::getter const):
(JSC::CustomGetterSetter::setter const):

  • runtime/InitializeThreading.cpp:

(JSC::initializeThreading):

  • runtime/InternalFunction.cpp:

(JSC::InternalFunction::getCallData):
(JSC::InternalFunction::getConstructData):

  • runtime/InternalFunction.h:

(JSC::InternalFunction::nativeFunctionFor):

  • runtime/JSArrayBuffer.h:
  • runtime/JSBoundFunction.h:
  • runtime/JSCPoison.cpp: Removed.
  • runtime/JSCPoison.h: Removed.
  • runtime/JSFunction.h:
  • runtime/JSGlobalObject.h:
  • runtime/JSScriptFetchParameters.h:
  • runtime/JSScriptFetcher.h:
  • runtime/JSString.h:
  • runtime/NativeExecutable.cpp:

(JSC::NativeExecutable::hashFor const):

  • runtime/NativeExecutable.h:
  • runtime/Options.h:
  • runtime/ScopedArguments.h:
  • runtime/Structure.cpp:

(JSC::StructureTransitionTable::setSingleTransition):

  • runtime/StructureTransitionTable.h:

(JSC::StructureTransitionTable::map const):
(JSC::StructureTransitionTable::weakImpl const):
(JSC::StructureTransitionTable::setMap):

  • runtime/WriteBarrier.h:
  • wasm/WasmB3IRGenerator.cpp:
  • wasm/WasmInstance.h:
  • wasm/js/JSToWasm.cpp:

(JSC::Wasm::createJSToWasmWrapper):

  • wasm/js/JSWebAssemblyCodeBlock.h:
  • wasm/js/JSWebAssemblyInstance.cpp:

(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::visitChildren):

  • wasm/js/JSWebAssemblyInstance.h:
  • wasm/js/JSWebAssemblyMemory.h:
  • wasm/js/JSWebAssemblyModule.h:
  • wasm/js/JSWebAssemblyTable.cpp:

(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::clearFunction):

  • wasm/js/JSWebAssemblyTable.h:
  • wasm/js/WasmToJS.cpp:

(JSC::Wasm::materializeImportJSCell):
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):

  • wasm/js/WebAssemblyFunctionBase.h:
  • wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):

  • wasm/js/WebAssemblyModuleRecord.h:
  • wasm/js/WebAssemblyToJSCallee.h:
  • wasm/js/WebAssemblyWrapperFunction.h:
Location:
trunk/Source/JavaScriptCore
Files:
2 deleted
55 edited

Legend:

Unmodified
Added
Removed
  • trunk/Source/JavaScriptCore/API/JSAPIWrapperObject.h

    r232443 r242123  
    11/*
    2  * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2828
    2929#include "JSBase.h"
    30 #include "JSCPoison.h"
    3130#include "JSDestructibleObject.h"
    32 #include <wtf/Poisoned.h>
    3331
    3432#if JSC_OBJC_API_ENABLED || defined(JSC_GLIB_API_ENABLED)
     
    4341    static void visitChildren(JSCell*, JSC::SlotVisitor&);
    4442   
    45     void* wrappedObject() { return m_wrappedObject.unpoisoned(); }
     43    void* wrappedObject() { return m_wrappedObject; }
    4644    void setWrappedObject(void*);
    4745
     
    5048
    5149private:
    52     Poisoned<JSAPIWrapperObjectPoison, void*> m_wrappedObject;
     50    void* m_wrappedObject { nullptr };
    5351};
    5452
  • trunk/Source/JavaScriptCore/API/JSCallbackFunction.h

    r240965 r242123  
    11/*
    2  * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2828
    2929#include "InternalFunction.h"
    30 #include "JSCPoison.h"
    3130#include "JSObjectRef.h"
    3231
     
    5958    void finishCreation(VM&, const String& name);
    6059
    61     JSObjectCallAsFunctionCallback functionCallback() { return m_callback.unpoisoned(); }
     60    JSObjectCallAsFunctionCallback functionCallback() { return m_callback; }
    6261
    63     Poisoned<NativeCodePoison, JSObjectCallAsFunctionCallback> m_callback;
     62    JSObjectCallAsFunctionCallback m_callback { nullptr };
    6463};
    6564
  • trunk/Source/JavaScriptCore/API/JSCallbackObject.h

    r242100 r242123  
    2828#define JSCallbackObject_h
    2929
    30 #include "JSCPoison.h"
    3130#include "JSObjectRef.h"
    3231#include "JSValueRef.h"
    3332#include "JSObject.h"
    34 #include <wtf/PoisonedUniquePtr.h>
    3533
    3634namespace JSC {
     
    228226    static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
    229227
    230     WTF::PoisonedUniquePtr<JSCallbackObjectPoison, JSCallbackObjectData> m_callbackObjectData;
     228    std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
    231229    const ClassInfo* m_classInfo { nullptr };
    232230};
  • trunk/Source/JavaScriptCore/API/glib/JSAPIWrapperGlobalObject.h

    r234025 r242123  
    2828#include "JSBase.h"
    2929#include "JSCGLibWrapperObject.h"
    30 #include "JSCPoison.h"
    3130#include "JSGlobalObject.h"
    3231
  • trunk/Source/JavaScriptCore/CMakeLists.txt

    r242047 r242123  
    831831    runtime/JSCJSValue.h
    832832    runtime/JSCJSValueInlines.h
    833     runtime/JSCPoison.h
    834833    runtime/JSCPtrTag.h
    835834    runtime/JSCallee.h
  • trunk/Source/JavaScriptCore/ChangeLog

    r242114 r242123  
     12019-02-26  Mark Lam  <mark.lam@apple.com>
     2
     3        Remove poisons in JSCPoison and uses of them.
     4        https://bugs.webkit.org/show_bug.cgi?id=195082
     5
     6        Reviewed by Yusuke Suzuki.
     7
     8        Also removed unused poisoning code in WriteBarrier, AssemblyHelpers,
     9        DFG::SpeculativeJIT, FTLLowerDFGToB3, and FTL::Output.
     10
     11        * API/JSAPIWrapperObject.h:
     12        (JSC::JSAPIWrapperObject::wrappedObject):
     13        * API/JSCallbackFunction.h:
     14        * API/JSCallbackObject.h:
     15        * API/glib/JSAPIWrapperGlobalObject.h:
     16        * CMakeLists.txt:
     17        * JavaScriptCore.xcodeproj/project.pbxproj:
     18        * Sources.txt:
     19        * bytecode/AccessCase.cpp:
     20        (JSC::AccessCase::generateWithGuard):
     21        * dfg/DFGSpeculativeJIT.cpp:
     22        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
     23        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
     24        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
     25        (JSC::DFG::SpeculativeJIT::compileGetExecutable):
     26        (JSC::DFG::SpeculativeJIT::compileCreateThis):
     27        * dfg/DFGSpeculativeJIT.h:
     28        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer): Deleted.
     29        * ftl/FTLLowerDFGToB3.cpp:
     30        (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
     31        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
     32        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
     33        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
     34        (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
     35        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
     36        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
     37        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
     38        (JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer): Deleted.
     39        * ftl/FTLOutput.h:
     40        (JSC::FTL::Output::weakPoisonedPointer): Deleted.
     41        * jit/AssemblyHelpers.cpp:
     42        (JSC::AssemblyHelpers::emitDynamicPoison): Deleted.
     43        (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType): Deleted.
     44        (JSC::AssemblyHelpers::emitDynamicPoisonOnType): Deleted.
     45        * jit/AssemblyHelpers.h:
     46        * jit/JITOpcodes.cpp:
     47        (JSC::JIT::emit_op_create_this):
     48        * jit/JITPropertyAccess.cpp:
     49        (JSC::JIT::emitScopedArgumentsGetByVal):
     50        * jit/Repatch.cpp:
     51        (JSC::linkPolymorphicCall):
     52        * jit/ThunkGenerators.cpp:
     53        (JSC::virtualThunkFor):
     54        (JSC::nativeForGenerator):
     55        (JSC::boundThisNoArgsFunctionCallGenerator):
     56        * parser/UnlinkedSourceCode.h:
     57        * runtime/ArrayPrototype.h:
     58        * runtime/CustomGetterSetter.h:
     59        (JSC::CustomGetterSetter::getter const):
     60        (JSC::CustomGetterSetter::setter const):
     61        * runtime/InitializeThreading.cpp:
     62        (JSC::initializeThreading):
     63        * runtime/InternalFunction.cpp:
     64        (JSC::InternalFunction::getCallData):
     65        (JSC::InternalFunction::getConstructData):
     66        * runtime/InternalFunction.h:
     67        (JSC::InternalFunction::nativeFunctionFor):
     68        * runtime/JSArrayBuffer.h:
     69        * runtime/JSBoundFunction.h:
     70        * runtime/JSCPoison.cpp: Removed.
     71        * runtime/JSCPoison.h: Removed.
     72        * runtime/JSFunction.h:
     73        * runtime/JSGlobalObject.h:
     74        * runtime/JSScriptFetchParameters.h:
     75        * runtime/JSScriptFetcher.h:
     76        * runtime/JSString.h:
     77        * runtime/NativeExecutable.cpp:
     78        (JSC::NativeExecutable::hashFor const):
     79        * runtime/NativeExecutable.h:
     80        * runtime/Options.h:
     81        * runtime/ScopedArguments.h:
     82        * runtime/Structure.cpp:
     83        (JSC::StructureTransitionTable::setSingleTransition):
     84        * runtime/StructureTransitionTable.h:
     85        (JSC::StructureTransitionTable::map const):
     86        (JSC::StructureTransitionTable::weakImpl const):
     87        (JSC::StructureTransitionTable::setMap):
     88        * runtime/WriteBarrier.h:
     89        * wasm/WasmB3IRGenerator.cpp:
     90        * wasm/WasmInstance.h:
     91        * wasm/js/JSToWasm.cpp:
     92        (JSC::Wasm::createJSToWasmWrapper):
     93        * wasm/js/JSWebAssemblyCodeBlock.h:
     94        * wasm/js/JSWebAssemblyInstance.cpp:
     95        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
     96        (JSC::JSWebAssemblyInstance::visitChildren):
     97        * wasm/js/JSWebAssemblyInstance.h:
     98        * wasm/js/JSWebAssemblyMemory.h:
     99        * wasm/js/JSWebAssemblyModule.h:
     100        * wasm/js/JSWebAssemblyTable.cpp:
     101        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
     102        (JSC::JSWebAssemblyTable::grow):
     103        (JSC::JSWebAssemblyTable::clearFunction):
     104        * wasm/js/JSWebAssemblyTable.h:
     105        * wasm/js/WasmToJS.cpp:
     106        (JSC::Wasm::materializeImportJSCell):
     107        (JSC::Wasm::handleBadI64Use):
     108        (JSC::Wasm::wasmToJS):
     109        * wasm/js/WebAssemblyFunctionBase.h:
     110        * wasm/js/WebAssemblyModuleRecord.cpp:
     111        (JSC::WebAssemblyModuleRecord::link):
     112        (JSC::WebAssemblyModuleRecord::evaluate):
     113        * wasm/js/WebAssemblyModuleRecord.h:
     114        * wasm/js/WebAssemblyToJSCallee.h:
     115        * wasm/js/WebAssemblyWrapperFunction.h:
     116
    11172019-02-26  Mark Lam  <mark.lam@apple.com>
    2118
  • trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

    r242047 r242123  
    18111811                FE20CE9E15F04A9500DF3430 /* LLIntCLoop.h in Headers */ = {isa = PBXBuildFile; fileRef = FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */; settings = {ATTRIBUTES = (Private, ); }; };
    18121812                FE2A87601F02381600EB31B2 /* MinimumReservedZoneSize.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */; };
    1813                 FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2B0B701FD8C4630075DA5F /* JSCPoison.h */; settings = {ATTRIBUTES = (Private, ); }; };
    18141813                FE3022D31E3D73A500BAC493 /* SigillCrashAnalyzer.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D11E3D739600BAC493 /* SigillCrashAnalyzer.h */; settings = {ATTRIBUTES = (Private, ); }; };
    18151814                FE3022D71E42857300BAC493 /* VMInspector.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D51E42856700BAC493 /* VMInspector.h */; };
     
    48204819                FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntCLoop.h; path = llint/LLIntCLoop.h; sourceTree = "<group>"; };
    48214820                FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MinimumReservedZoneSize.h; sourceTree = "<group>"; };
    4822                 FE2B0B681FD0D2970075DA5F /* JSCPoison.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSCPoison.cpp; sourceTree = "<group>"; };
    4823                 FE2B0B701FD8C4630075DA5F /* JSCPoison.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCPoison.h; sourceTree = "<group>"; };
    48244821                FE2E6A7A1D6EA5FE0060F896 /* ThrowScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ThrowScope.cpp; sourceTree = "<group>"; };
    48254822                FE3022D01E3D739600BAC493 /* SigillCrashAnalyzer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SigillCrashAnalyzer.cpp; sourceTree = "<group>"; };
     
    68726869                                14ABB36E099C076400E2A24F /* JSCJSValue.h */,
    68736870                                865A30F0135007E100CDB49E /* JSCJSValueInlines.h */,
    6874                                 FE2B0B681FD0D2970075DA5F /* JSCPoison.cpp */,
    6875                                 FE2B0B701FD8C4630075DA5F /* JSCPoison.h */,
    68766871                                FE7497E5209001B00003565B /* JSCPtrTag.h */,
    68776872                                72AAF7CB1D0D318B005E60BE /* JSCustomGetterSetterFunction.cpp */,
     
    92839278                                A5D2E665195E174000A518E7 /* JSContextRefInternal.h in Headers */,
    92849279                                148CD1D8108CF902008163C6 /* JSContextRefPrivate.h in Headers */,
    9285                                 FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */,
    92869280                                FE7497E6209001B10003565B /* JSCPtrTag.h in Headers */,
    92879281                                A72028B81797601E0098028C /* JSCTestRunnerUtils.h in Headers */,
  • trunk/Source/JavaScriptCore/Sources.txt

    r241769 r242123  
    803803runtime/JSBoundFunction.cpp
    804804runtime/JSCJSValue.cpp
    805 runtime/JSCPoison.cpp
    806805runtime/JSCallee.cpp
    807806runtime/JSCell.cpp
  • trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

    r240023 r242123  
    11/*
    2  * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    512512            CCallHelpers::Address(baseGPR, ScopedArguments::offsetOfStorage()),
    513513            scratchGPR);
    514         jit.xorPtr(CCallHelpers::TrustedImmPtr(ScopedArgumentsPoison::key()), scratchGPR);
    515514        fallThrough.append(
    516515            jit.branchTest8(
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r242100 r242123  
    68706870    m_jit.loadPtr(
    68716871        MacroAssembler::Address(baseReg, ScopedArguments::offsetOfStorage()), resultRegs.payloadGPR());
    6872     m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), resultRegs.payloadGPR());
    6873    
    68746872    m_jit.load32(
    68756873        MacroAssembler::Address(resultRegs.payloadGPR(), ScopedArguments::offsetOfTotalLengthInStorage()),
     
    68836881   
    68846882    m_jit.loadPtr(MacroAssembler::Address(baseReg, ScopedArguments::offsetOfTable()), scratchReg);
    6885     m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratchReg);
    68866883    m_jit.load32(
    68876884        MacroAssembler::Address(scratchReg, ScopedArgumentsTable::offsetOfLength()), scratch2Reg);
     
    68916888   
    68926889    m_jit.loadPtr(MacroAssembler::Address(baseReg, ScopedArguments::offsetOfScope()), scratch2Reg);
    6893     m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch2Reg);
    68946890
    68956891    m_jit.loadPtr(
     
    70417037        m_jit.loadPtr(
    70427038            MacroAssembler::Address(baseReg, ScopedArguments::offsetOfStorage()), resultReg);
    7043         m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), resultReg);
    7044        
     7039
    70457040        speculationCheck(
    70467041            ExoticObjectMode, JSValueSource(), 0,
     
    70927087   
    70937088    m_jit.storePtr(scopeGPR, JITCompiler::Address(resultGPR, JSFunction::offsetOfScopeChain()));
    7094     m_jit.storePtr(TrustedImmPtr::weakPoisonedPointer<JSFunctionPoison>(m_jit.graph(), executable), JITCompiler::Address(resultGPR, JSFunction::offsetOfExecutable()));
     7089    m_jit.storePtr(TrustedImmPtr::weakPointer(m_jit.graph(), executable), JITCompiler::Address(resultGPR, JSFunction::offsetOfExecutable()));
    70957090    m_jit.storePtr(TrustedImmPtr(nullptr), JITCompiler::Address(resultGPR, JSFunction::offsetOfRareData()));
    70967091   
     
    1211712112    speculateCellType(node->child1(), functionGPR, SpecFunction, JSFunctionType);
    1211812113    m_jit.loadPtr(JITCompiler::Address(functionGPR, JSFunction::offsetOfExecutable()), resultGPR);
    12119 #if USE(JSVALUE64)
    12120     m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), resultGPR);
    12121 #endif
    1212212114    cellResult(resultGPR, node);
    1212312115}
     
    1249112483    m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
    1249212484    slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
    12493     m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), rareDataGPR);
    1249412485    m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
    1249512486    m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
     
    1249912490
    1250012491    m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
    12501     m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), rareDataGPR);
    1250212492    m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), inlineCapacityGPR);
    1250312493    m_jit.emitInitializeInlineStorage(resultGPR, inlineCapacityGPR);
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

    r242100 r242123  
    148148            graph.m_plan.weakReferences().addLazily(cell);
    149149            return TrustedImmPtr(bitwise_cast<size_t>(cell));
    150         }
    151 
    152         template<typename Key>
    153         static TrustedImmPtr weakPoisonedPointer(Graph& graph, JSCell* cell)
    154         {     
    155             graph.m_plan.weakReferences().addLazily(cell);
    156             return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());
    157150        }
    158151
  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r242100 r242123  
    31423142        LValue cell = lowCell(m_node->child1());
    31433143        speculateFunction(m_node->child1(), cell);
    3144         setJSValue(
    3145             m_out.bitXor(
    3146                 m_out.loadPtr(cell, m_heaps.JSFunction_executable),
    3147                 m_out.constIntPtr(JSFunctionPoison::key())));
     3144        setJSValue(m_out.loadPtr(cell, m_heaps.JSFunction_executable));
    31483145    }
    31493146   
     
    38443841        case Array::ScopedArguments: {
    38453842            LValue arguments = lowCell(m_node->child1());
    3846             LValue storage = m_out.bitXor(
    3847                 m_out.loadPtr(arguments, m_heaps.ScopedArguments_storage),
    3848                 m_out.constIntPtr(ScopedArgumentsPoison::key()));
     3843            LValue storage = m_out.loadPtr(arguments, m_heaps.ScopedArguments_storage);
    38493844            speculate(
    38503845                ExoticObjectMode, noValue(), nullptr,
     
    40484043           
    40494044            LValue storage = m_out.loadPtr(base, m_heaps.ScopedArguments_storage);
    4050             storage = m_out.bitXor(storage, m_out.constIntPtr(ScopedArgumentsPoison::key()));
    4051            
    40524045            LValue totalLength = m_out.load32NonNegative(
    40534046                storage, m_heaps.ScopedArguments_Storage_totalLength);
     
    40574050           
    40584051            LValue table = m_out.loadPtr(base, m_heaps.ScopedArguments_table);
    4059             table = m_out.bitXor(table, m_out.constIntPtr(ScopedArgumentsPoison::key()));
    4060            
    40614052            LValue namedLength = m_out.load32(table, m_heaps.ScopedArgumentsTable_length);
    40624053           
     
    40714062           
    40724063            LValue scope = m_out.loadPtr(base, m_heaps.ScopedArguments_scope);
    4073             scope = m_out.bitXor(scope, m_out.constIntPtr(ScopedArgumentsPoison::key()));
    4074            
    40754064            LValue arguments = m_out.loadPtr(table, m_heaps.ScopedArgumentsTable_arguments);
    40764065           
     
    53245313        // must be young.
    53255314        m_out.storePtr(scope, fastObject, m_heaps.JSFunction_scope);
    5326         m_out.storePtr(weakPoisonedPointer<JSFunctionPoison>(executable), fastObject, m_heaps.JSFunction_executable);
     5315        m_out.storePtr(weakPointer(executable), fastObject, m_heaps.JSFunction_executable);
    53275316        m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.JSFunction_rareData);
    53285317       
     
    1638616375    }
    1638716376   
    16388     LValue dynamicPoison(LValue value, LValue poison)
    16389     {
    16390         return m_out.add(
    16391             value,
    16392             m_out.shl(
    16393                 m_out.zeroExt(poison, pointerType()),
    16394                 m_out.constInt32(40)));
    16395     }
    16396    
    16397     LValue dynamicPoisonOnLoadedType(LValue value, LValue actualType, JSType expectedType)
    16398     {
    16399         return dynamicPoison(
    16400             value,
    16401             m_out.bitXor(
    16402                 m_out.opaque(actualType),
    16403                 m_out.constInt32(expectedType)));
    16404     }
    16405    
    16406     LValue dynamicPoisonOnType(LValue value, JSType expectedType)
    16407     {
    16408         return dynamicPoisonOnLoadedType(
    16409             value,
    16410             m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoType),
    16411             expectedType);
    16412     }
    16413 
    1641416377    template<typename... Args>
    1641516378    LValue vmCall(LType type, LValue function, Args&&... args)
     
    1695716920        addWeakReference(pointer);
    1695816921        return m_out.weakPointer(m_graph, pointer);
    16959     }
    16960    
    16961     template<typename Key>
    16962     LValue weakPoisonedPointer(JSCell* pointer)
    16963     {
    16964         addWeakReference(pointer);
    16965         return m_out.weakPoisonedPointer<Key>(m_graph, pointer);
    1696616922    }
    1696716923
  • trunk/Source/JavaScriptCore/ftl/FTLOutput.h

    r235935 r242123  
    11/*
    2  * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    112112    }
    113113
    114     template<typename Key>
    115     LValue weakPoisonedPointer(DFG::Graph& graph, JSCell* cell)
    116     {
    117         ASSERT(graph.m_plan.weakReferences().contains(cell));
    118 
    119         return constIntPtr(bitwise_cast<intptr_t>(cell) ^ Key::key());
    120     }
    121 
    122114    LValue weakPointer(DFG::FrozenValue* value)
    123115    {
  • trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

    r242101 r242123  
    10031003}
    10041004
    1005 void AssemblyHelpers::emitDynamicPoison(GPRReg base, GPRReg poisonValue)
    1006 {
    1007 #if CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__))
    1008     lshiftPtr(TrustedImm32(40), poisonValue);
    1009     addPtr(poisonValue, base);
    1010 #else
    1011     UNUSED_PARAM(base);
    1012     UNUSED_PARAM(poisonValue);
    1013 #endif
    1014 }
    1015 
    1016 void AssemblyHelpers::emitDynamicPoisonOnLoadedType(GPRReg base, GPRReg actualType, JSType expectedType)
    1017 {
    1018 #if CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__))
    1019     xor32(TrustedImm32(expectedType), actualType);
    1020     emitDynamicPoison(base, actualType);
    1021 #else
    1022     UNUSED_PARAM(base);
    1023     UNUSED_PARAM(actualType);
    1024     UNUSED_PARAM(expectedType);
    1025 #endif
    1026 }
    1027 
    1028 void AssemblyHelpers::emitDynamicPoisonOnType(GPRReg base, GPRReg scratch, JSType expectedType)
    1029 {
    1030 #if CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__))
    1031     load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
    1032     emitDynamicPoisonOnLoadedType(base, scratch, expectedType);
    1033 #else
    1034     UNUSED_PARAM(base);
    1035     UNUSED_PARAM(scratch);
    1036     UNUSED_PARAM(expectedType);
    1037 #endif
    1038 }
    1039 
    10401005} // namespace JSC
    10411006
  • trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

    r242100 r242123  
    18321832    // permits length and result to be in the same register.
    18331833    void emitPreparePreciseIndexMask32(GPRReg index, GPRReg length, GPRReg result);
    1834    
    1835     void emitDynamicPoison(GPRReg base, GPRReg poisonValue);
    1836     void emitDynamicPoisonOnLoadedType(GPRReg base, GPRReg actualType, JSType expectedType);
    1837     void emitDynamicPoisonOnType(GPRReg base, GPRReg scratch, JSType expectedType);
    18381834
    18391835#if ENABLE(WEBASSEMBLY)
  • trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

    r240965 r242123  
    909909    loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
    910910    addSlowCase(branchTestPtr(Zero, rareDataReg));
    911     xorPtr(TrustedImmPtr(JSFunctionPoison::key()), rareDataReg);
    912911    loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
    913912    loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
     
    923922    emitGetVirtualRegister(callee, scratchReg);
    924923    loadPtr(Address(scratchReg, JSFunction::offsetOfRareData()), scratchReg);
    925     xorPtr(TrustedImmPtr(JSFunctionPoison::key()), scratchReg);
    926924    load32(Address(scratchReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), scratchReg);
    927925    emitInitializeInlineStorage(resultReg, scratchReg);
  • trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

    r240893 r242123  
    16101610    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(ScopedArgumentsType));
    16111611    loadPtr(Address(base, ScopedArguments::offsetOfStorage()), scratch3);
    1612     xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch3);
    16131612    slowCases.append(branch32(AboveOrEqual, property, Address(scratch3, ScopedArguments::offsetOfTotalLengthInStorage())));
    16141613   
    16151614    loadPtr(Address(base, ScopedArguments::offsetOfTable()), scratch);
    1616     xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch);
    16171615    load32(Address(scratch, ScopedArgumentsTable::offsetOfLength()), scratch2);
    16181616    Jump overflowCase = branch32(AboveOrEqual, property, scratch2);
    16191617    loadPtr(Address(base, ScopedArguments::offsetOfScope()), scratch2);
    1620     xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch2);
    16211618    loadPtr(Address(scratch, ScopedArgumentsTable::offsetOfArguments()), scratch);
    16221619    load32(BaseIndex(scratch, property, TimesFour), scratch);
  • trunk/Source/JavaScriptCore/jit/Repatch.cpp

    r241037 r242123  
    11/*
    2  * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    10651065            CCallHelpers::Address(calleeGPR, JSFunction::offsetOfExecutable()),
    10661066            scratchGPR);
    1067         stubJit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), scratchGPR);
    10681067       
    10691068        comparisonValueGPR = scratchGPR;
  • trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

    r242100 r242123  
    204204        CCallHelpers::Address(GPRInfo::regT0, JSFunction::offsetOfExecutable()),
    205205        GPRInfo::regT4);
    206     jit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), GPRInfo::regT4);
    207206    jit.loadPtr(
    208207        CCallHelpers::Address(
     
    284283    if (thunkFunctionType == ThunkFunctionType::JSFunction) {
    285284        jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSFunction::offsetOfExecutable()), JSInterfaceJIT::regT1);
    286         jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), JSInterfaceJIT::regT1);
    287285        jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, executableOffsetToFunction), JSEntryPtrTag);
    288286    } else
     
    300298    if (thunkFunctionType == ThunkFunctionType::JSFunction) {
    301299        jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, JSFunction::offsetOfExecutable()), X86Registers::r9);
    302         jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), X86Registers::r9);
    303300        jit.loadPtr(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction), X86Registers::r9);
    304301    } else
    305302        jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, InternalFunction::offsetOfNativeFunctionFor(kind)), X86Registers::r9);
    306     jit.move(JSInterfaceJIT::TrustedImm64(NativeCodePoison::key()), X86Registers::esi);
    307     jit.xor64(X86Registers::esi, X86Registers::r9);
    308303    jit.call(X86Registers::r9, JSEntryPtrTag);
    309304
     
    320315    if (thunkFunctionType == ThunkFunctionType::JSFunction) {
    321316        jit.loadPtr(JSInterfaceJIT::Address(X86Registers::edx, JSFunction::offsetOfExecutable()), X86Registers::r9);
    322         jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), X86Registers::r9);
    323317        jit.call(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction), JSEntryPtrTag);
    324318    } else
     
    339333    if (thunkFunctionType == ThunkFunctionType::JSFunction) {
    340334        jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, JSFunction::offsetOfExecutable()), ARM64Registers::x2);
    341         jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), ARM64Registers::x2);
    342335        jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction), ARM64Registers::x2);
    343336    } else
    344337        jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, InternalFunction::offsetOfNativeFunctionFor(kind)), ARM64Registers::x2);
    345     jit.move(JSInterfaceJIT::TrustedImm64(NativeCodePoison::key()), ARM64Registers::x1);
    346     jit.xor64(ARM64Registers::x1, ARM64Registers::x2);
    347338    jit.call(ARM64Registers::x2, JSEntryPtrTag);
    348339
     
    360351    if (thunkFunctionType == ThunkFunctionType::JSFunction) {
    361352        jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::argumentGPR1, JSFunction::offsetOfExecutable()), JSInterfaceJIT::regT2);
    362         jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), JSInterfaceJIT::regT2);
    363353        jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT2, executableOffsetToFunction), JSEntryPtrTag);
    364354    } else
     
    12381228        CCallHelpers::Address(GPRInfo::regT3, JSFunction::offsetOfExecutable()),
    12391229        GPRInfo::regT0);
    1240     jit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), GPRInfo::regT0);
    12411230    jit.loadPtr(
    12421231        CCallHelpers::Address(
  • trunk/Source/JavaScriptCore/parser/UnlinkedSourceCode.h

    r240511 r242123  
    11/*
    2  * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2929#pragma once
    3030
    31 #include "JSCPoison.h"
    3231#include "SourceProvider.h"
    3332#include <wtf/RefPtr.h>
     
    108107
    109108    protected:
    110         // FIXME: Make it PoisonedRef<SourceProvidier>.
     109        // FIXME: Make it Ref<SourceProvidier>.
    111110        // https://bugs.webkit.org/show_bug.cgi?id=168325
    112         PoisonedRefPtr<UnlinkedSourceCodePoison, SourceProvider> m_provider;
     111        RefPtr<SourceProvider> m_provider;
    113112        int m_startOffset;
    114113        int m_endOffset;
  • trunk/Source/JavaScriptCore/runtime/ArrayPrototype.h

    r229413 r242123  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2007-2018 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2007-2019 Apple Inc. All rights reserved.
    44 *
    55 *  This library is free software; you can redistribute it and/or
     
    2222
    2323#include "JSArray.h"
    24 #include "JSCPoison.h"
    25 #include <wtf/PoisonedUniquePtr.h>
    2624
    2725namespace JSC {
     
    6361    // This bit is set if any user modifies the constructor property Array.prototype. This is used to optimize species creation for JSArrays.
    6462    friend ArrayPrototypeAdaptiveInferredPropertyWatchpoint;
    65     PoisonedUniquePtr<ArrayPrototypePoison, ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
    66     PoisonedUniquePtr<ArrayPrototypePoison, ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorSpeciesWatchpoint;
     63    std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
     64    std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorSpeciesWatchpoint;
    6765};
    6866
  • trunk/Source/JavaScriptCore/runtime/CustomGetterSetter.h

    r228500 r242123  
    11/*
    2  * Copyright (C) 2014-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2014-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2626#pragma once
    2727
    28 #include "JSCPoison.h"
    2928#include "JSCast.h"
    3029#include "PropertySlot.h"
     
    4948    }
    5049
    51     CustomGetterSetter::CustomGetter getter() const { return m_getter.unpoisoned(); }
    52     CustomGetterSetter::CustomSetter setter() const { return m_setter.unpoisoned(); }
     50    CustomGetterSetter::CustomGetter getter() const { return m_getter; }
     51    CustomGetterSetter::CustomSetter setter() const { return m_setter; }
    5352
    5453    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     
    6867
    6968private:
    70     template<typename T>
    71     using PoisonedAccessor = Poisoned<NativeCodePoison, T>;
    72 
    73     PoisonedAccessor<CustomGetter> m_getter;
    74     PoisonedAccessor<CustomSetter> m_setter;
     69    CustomGetter m_getter;
     70    CustomSetter m_setter;
    7571};
    7672
  • trunk/Source/JavaScriptCore/runtime/InitializeThreading.cpp

    r241630 r242123  
    11/*
    2  * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
     2 * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    6161        WTF::initializeThreading();
    6262        Options::initialize();
    63         initializePoison();
    6463
    6564#if ENABLE(WRITE_BARRIER_PROFILING)
  • trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

    r233245 r242123  
    22 *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
    33 *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
    4  *  Copyright (C) 2004, 2007-2008, 2016-2017 Apple Inc. All rights reserved.
     4 *  Copyright (C) 2004-2019 Apple Inc. All rights reserved.
    55 *
    66 *  This library is free software; you can redistribute it and/or
     
    8989    auto* function = jsCast<InternalFunction*>(cell);
    9090    ASSERT(function->m_functionForCall);
    91     callData.native.function = function->m_functionForCall.unpoisoned();
     91    callData.native.function = function->m_functionForCall;
    9292    return CallType::Host;
    9393}
     
    9898    if (function->m_functionForConstruct == callHostFunctionAsConstructor)
    9999        return ConstructType::None;
    100     constructData.native.function = function->m_functionForConstruct.unpoisoned();
     100    constructData.native.function = function->m_functionForConstruct;
    101101    return ConstructType::Host;
    102102}
  • trunk/Source/JavaScriptCore/runtime/InternalFunction.h

    r240965 r242123  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
    44 *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
    55 *  Copyright (C) 2007 Maks Orlovich
     
    2525
    2626#include "CodeSpecializationKind.h"
    27 #include "JSCPoison.h"
    2827#include "JSDestructibleObject.h"
    2928
     
    6463    {
    6564        if (kind == CodeForCall)
    66             return m_functionForCall.unpoisoned();
     65            return m_functionForCall;
    6766        ASSERT(kind == CodeForConstruct);
    68         return m_functionForConstruct.unpoisoned();
     67        return m_functionForConstruct;
    6968    }
    7069
     
    7877
    7978protected:
    80     using PoisonedTaggedNativeFunction = Poisoned<NativeCodePoison, TaggedNativeFunction>;
    81 
    8279    JS_EXPORT_PRIVATE InternalFunction(VM&, Structure*, NativeFunction functionForCall, NativeFunction functionForConstruct);
    8380
     
    9087    JS_EXPORT_PRIVATE static CallType getCallData(JSCell*, CallData&);
    9188
    92     PoisonedTaggedNativeFunction m_functionForCall;
    93     PoisonedTaggedNativeFunction m_functionForConstruct;
     89    TaggedNativeFunction m_functionForCall;
     90    TaggedNativeFunction m_functionForConstruct;
    9491    WriteBarrier<JSString> m_originalName;
    9592};
  • trunk/Source/JavaScriptCore/runtime/JSArrayBuffer.h

    r233765 r242123  
    11/*
    2  * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2727
    2828#include "ArrayBuffer.h"
    29 #include "JSCPoison.h"
    3029#include "JSObject.h"
    31 #include <wtf/Poisoned.h>
    3230
    3331namespace JSC {
     
    4644    JS_EXPORT_PRIVATE static JSArrayBuffer* create(VM&, Structure*, RefPtr<ArrayBuffer>&&);
    4745
    48     ArrayBuffer* impl() const { return m_impl.unpoisoned(); }
     46    ArrayBuffer* impl() const { return m_impl; }
    4947   
    5048    static Structure* createStructure(VM&, JSGlobalObject*, JSValue prototype);
     
    6260
    6361private:
    64     Poisoned<JSArrayBufferPoison, ArrayBuffer*> m_impl;
     62    ArrayBuffer* m_impl;
    6563};
    6664
  • trunk/Source/JavaScriptCore/runtime/JSBoundFunction.h

    r240965 r242123  
    7777    void finishCreation(VM&, NativeExecutable*, int length);
    7878
    79     // FIXME: Consider poisoning these pointers.
    80     // https://bugs.webkit.org/show_bug.cgi?id=182713
    8179    WriteBarrier<JSObject> m_targetFunction;
    8280    WriteBarrier<Unknown> m_boundThis;
  • trunk/Source/JavaScriptCore/runtime/JSFunction.h

    r241110 r242123  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
    44 *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
    55 *  Copyright (C) 2007 Maks Orlovich
     
    221221    static EncodedJSValue nameGetter(ExecState*, EncodedJSValue, PropertyName);
    222222
    223     template<typename T>
    224     using PoisonedBarrier = PoisonedWriteBarrier<JSFunctionPoison, T>;
    225    
    226     PoisonedBarrier<ExecutableBase> m_executable;
    227     PoisonedBarrier<FunctionRareData> m_rareData;
     223    WriteBarrier<ExecutableBase> m_executable;
     224    WriteBarrier<FunctionRareData> m_rareData;
    228225};
    229226
  • trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

    r242064 r242123  
    11/*
    22 *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
    3  *  Copyright (C) 2007-2018 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2007-2019 Apple Inc. All rights reserved.
    44 *
    55 *  This library is free software; you can redistribute it and/or
     
    3131#include "JSArray.h"
    3232#include "JSArrayBufferPrototype.h"
    33 #include "JSCPoison.h"
    3433#include "JSClassRef.h"
    3534#include "JSGlobalLexicalEnvironment.h"
     
    5049#include <array>
    5150#include <wtf/HashSet.h>
    52 #include <wtf/PoisonedUniquePtr.h>
    5351#include <wtf/RetainPtr.h>
    5452
     
    431429    VM& m_vm;
    432430
    433     template<typename T> using PoisonedUniquePtr = WTF::PoisonedUniquePtr<JSGlobalObjectPoison, T>;
    434 
    435431#if ENABLE(REMOTE_INSPECTOR)
    436     PoisonedUniquePtr<Inspector::JSGlobalObjectInspectorController> m_inspectorController;
    437     PoisonedUniquePtr<JSGlobalObjectDebuggable> m_inspectorDebuggable;
     432    std::unique_ptr<Inspector::JSGlobalObjectInspectorController> m_inspectorController;
     433    std::unique_ptr<JSGlobalObjectDebuggable> m_inspectorDebuggable;
    438434#endif
    439435
     
    478474    InlineWatchpointSet m_arraySpeciesWatchpoint;
    479475    InlineWatchpointSet m_numberToStringWatchpoint;
    480     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayPrototypeSymbolIteratorWatchpoint;
    481     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayIteratorPrototypeNext;
    482     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSymbolIteratorWatchpoint;
    483     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapIteratorPrototypeNextWatchpoint;
    484     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeSymbolIteratorWatchpoint;
    485     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setIteratorPrototypeNextWatchpoint;
    486     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringPrototypeSymbolIteratorWatchpoint;
    487     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringIteratorPrototypeNextWatchpoint;
    488     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSetWatchpoint;
    489     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeAddWatchpoint;
    490     PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_numberPrototypeToStringWatchpoint;
     476    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayPrototypeSymbolIteratorWatchpoint;
     477    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayIteratorPrototypeNext;
     478    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSymbolIteratorWatchpoint;
     479    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapIteratorPrototypeNextWatchpoint;
     480    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeSymbolIteratorWatchpoint;
     481    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setIteratorPrototypeNextWatchpoint;
     482    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringPrototypeSymbolIteratorWatchpoint;
     483    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringIteratorPrototypeNextWatchpoint;
     484    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSetWatchpoint;
     485    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeAddWatchpoint;
     486    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_numberPrototypeToStringWatchpoint;
    491487
    492488    bool isArrayPrototypeIteratorProtocolFastAndNonObservable();
  • trunk/Source/JavaScriptCore/runtime/JSScriptFetchParameters.h

    r229413 r242123  
    11/*
    22 * Copyright (C) 2017 Yusuke Suzuki <utatane.tea@gmail.com>
    3  * Copyright (C) 2018 Apple Inc. All rights reserved.
     3 * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
    44 *
    55 * Redistribution and use in source and binary forms, with or without
     
    2727#pragma once
    2828
    29 #include "JSCPoison.h"
    3029#include "JSGlobalObject.h"
    3130#include "JSObject.h"
     
    7574    }
    7675
    77     PoisonedRef<JSScriptFetchParametersPoison, ScriptFetchParameters> m_parameters;
     76    Ref<ScriptFetchParameters> m_parameters;
    7877};
    7978
  • trunk/Source/JavaScriptCore/runtime/JSScriptFetcher.h

    r229413 r242123  
    11/*
    22 * Copyright (C) 2017 Yusuke Suzuki <utatane.tea@gmail.com>
    3  * Copyright (C) 2018 Apple Inc. All rights reserved.
     3 * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
    44 *
    55 * Redistribution and use in source and binary forms, with or without
     
    2727#pragma once
    2828
    29 #include "JSCPoison.h"
    3029#include "JSGlobalObject.h"
    3130#include "JSObject.h"
     
    7574    }
    7675
    77     PoisonedRefPtr<JSScriptFetcherPoison, ScriptFetcher> m_fetcher;
     76    RefPtr<ScriptFetcher> m_fetcher;
    7877};
    7978
  • trunk/Source/JavaScriptCore/runtime/JSString.h

    r241849 r242123  
    223223    unsigned m_length { 0 };
    224224    mutable uint16_t m_flags { 0 };
    225     // The poison is strategically placed and holds a value such that the first
    226     // 64 bits of JSString look like a double JSValue.
    227225    mutable String m_value;
    228226
  • trunk/Source/JavaScriptCore/runtime/NativeExecutable.cpp

    r241037 r242123  
    11/*
    2  * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    9595{
    9696    if (kind == CodeForCall)
    97         return CodeBlockHash(m_function.bits());
     97        return CodeBlockHash(bitwise_cast<uintptr_t>(m_function));
    9898
    9999    RELEASE_ASSERT(kind == CodeForConstruct);
    100     return CodeBlockHash(m_constructor.bits());
     100    return CodeBlockHash(bitwise_cast<uintptr_t>(m_constructor));
    101101}
    102102
  • trunk/Source/JavaScriptCore/runtime/NativeExecutable.h

    r241037 r242123  
    11/*
    2  * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2727
    2828#include "ExecutableBase.h"
    29 #include "JSCPoison.h"
    3029
    3130namespace JSC {
     
    5049    CodeBlockHash hashFor(CodeSpecializationKind) const;
    5150
    52     TaggedNativeFunction function() { return m_function.unpoisoned(); }
    53     TaggedNativeFunction constructor() { return m_constructor.unpoisoned(); }
     51    TaggedNativeFunction function() { return m_function; }
     52    TaggedNativeFunction constructor() { return m_constructor; }
    5453       
    5554    TaggedNativeFunction nativeFunctionFor(CodeSpecializationKind kind)
     
    8281
    8382private:
    84     friend class ExecutableBase;
    85     using PoisonedTaggedNativeFunction = Poisoned<NativeCodePoison, TaggedNativeFunction>;
    86 
    8783    NativeExecutable(VM&, TaggedNativeFunction, TaggedNativeFunction constructor);
    8884
    89     PoisonedTaggedNativeFunction m_function;
    90     PoisonedTaggedNativeFunction m_constructor;
     85    TaggedNativeFunction m_function;
     86    TaggedNativeFunction m_constructor;
    9187
    9288    String m_name;
  • trunk/Source/JavaScriptCore/runtime/Options.h

    r241579 r242123  
    476476    v(bool, enableSpectreMitigations, true, Restricted, "Enable Spectre mitigations.") \
    477477    v(bool, enableSpectreGadgets, false, Restricted, "enable gadgets to test Spectre mitigations.") \
    478     v(bool, usePoisoning, true, Normal, "Poison is randomized at load time when true, and initialized to 0 if false which defeats some Spectre and type confusion mitigations, but allows tools such as leak detectors to function better.") \
    479478    v(bool, zeroStackFrame, false, Normal, "Zero stack frame on entry to a function.") \
    480479    \
  • trunk/Source/JavaScriptCore/runtime/ScopedArguments.h

    r240965 r242123  
    11/*
    2  * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    181181    WriteBarrier<Unknown>* overflowStorage() const
    182182    {
    183         return m_storage.get().unpoisoned();
     183        return m_storage.get();
    184184    }
    185185   
     
    195195    }
    196196   
    197     template<typename T>
    198     using PoisonedBarrier = PoisonedWriteBarrier<ScopedArgumentsPoison, T>;
    199    
    200     PoisonedBarrier<JSFunction> m_callee;
    201     PoisonedBarrier<ScopedArgumentsTable> m_table;
    202     PoisonedBarrier<JSLexicalEnvironment> m_scope;
    203    
    204     AuxiliaryBarrier<Poisoned<ScopedArgumentsPoison, WriteBarrier<Unknown>*>> m_storage;
     197    WriteBarrier<JSFunction> m_callee;
     198    WriteBarrier<ScopedArgumentsTable> m_table;
     199    WriteBarrier<JSLexicalEnvironment> m_scope;
     200   
     201    AuxiliaryBarrier<WriteBarrier<Unknown>*> m_storage;
    205202};
    206203
  • trunk/Source/JavaScriptCore/runtime/Structure.cpp

    r241655 r242123  
    8585        WeakSet::deallocate(impl);
    8686    WeakImpl* impl = WeakSet::allocate(structure, &singleSlotTransitionWeakOwner(), this);
    87     m_data = PoisonedWeakImplPtr(impl).bits() | UsingSingleSlotFlag;
     87    m_data = bitwise_cast<intptr_t>(impl) | UsingSingleSlotFlag;
    8888}
    8989
  • trunk/Source/JavaScriptCore/runtime/StructureTransitionTable.h

    r232070 r242123  
    11/*
    2  * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2727
    2828#include "IndexingType.h"
    29 #include "JSCPoison.h"
    3029#include "WeakGCMap.h"
    3130#include <wtf/HashFunctions.h>
     
    188187private:
    189188    friend class SingleSlotTransitionWeakOwner;
    190     using PoisonedTransitionMapPtr = Poisoned<StructureTransitionTablePoison, TransitionMap*>;
    191     using PoisonedWeakImplPtr = Poisoned<StructureTransitionTablePoison, WeakImpl*>;
    192189
    193190    bool isUsingSingleSlot() const
     
    199196    {
    200197        ASSERT(!isUsingSingleSlot());
    201         return PoisonedTransitionMapPtr(AlreadyPoisoned, m_data).unpoisoned();
     198        return bitwise_cast<TransitionMap*>(m_data);
    202199    }
    203200
     
    205202    {
    206203        ASSERT(isUsingSingleSlot());
    207         return PoisonedWeakImplPtr(AlreadyPoisoned, m_data & ~UsingSingleSlotFlag).unpoisoned();
     204        return bitwise_cast<WeakImpl*>(m_data & ~UsingSingleSlotFlag);
    208205    }
    209206
     
    216213
    217214        // This implicitly clears the flag that indicates we're using a single transition
    218         m_data = PoisonedTransitionMapPtr(map).bits();
     215        m_data = bitwise_cast<intptr_t>(map);
    219216
    220217        ASSERT(!isUsingSingleSlot());
  • trunk/Source/JavaScriptCore/runtime/WriteBarrier.h

    r227527 r242123  
    2828#include "GCAssertions.h"
    2929#include "HandleTypes.h"
    30 #include "JSCPoison.h"
    3130#include <type_traits>
    3231#include <wtf/DumbPtrTraits.h>
    3332#include <wtf/DumbValueTraits.h>
    34 #include <wtf/Poisoned.h>
    3533
    3634namespace JSC {
     
    251249}
    252250
    253 template<typename Poison, class T>
    254 using PoisonedWriteBarrierTraitsSelect = typename std::conditional<std::is_same<T, Unknown>::value,
    255     WTF::PoisonedValueTraits<Poison, T>, WTF::PoisonedPtrTraits<Poison, T>
    256 >::type;
    257 
    258 template <typename Poison, typename T>
    259 using PoisonedWriteBarrier = WriteBarrier<T, PoisonedWriteBarrierTraitsSelect<Poison, T>>;
    260 
    261251} // namespace JSC
  • trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

    r242100 r242123  
    4949#include "B3WasmBoundsCheckValue.h"
    5050#include "JSCInlines.h"
    51 #include "JSCPoison.h"
    5251#include "ScratchRegisterAllocator.h"
    5352#include "VirtualRegister.h"
  • trunk/Source/JavaScriptCore/wasm/WasmInstance.h

    r232613 r242123  
    118118        WasmToWasmImportableFunction::LoadLocation wasmEntrypointLoadLocation { nullptr };
    119119        MacroAssemblerCodePtr<WasmEntryPtrTag> wasmToEmbedderStub;
    120         void* importFunction { nullptr }; // In a JS embedding, this is a PoisonedBarrier<JSObject>.
     120        void* importFunction { nullptr }; // In a JS embedding, this is a WriteBarrier<JSObject>.
    121121    };
    122122    unsigned numImportFunctions() const { return m_numImportFunctions; }
  • trunk/Source/JavaScriptCore/wasm/js/JSToWasm.cpp

    r238376 r242123  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    117117            // Wasm::Context*'s instance.
    118118            jit.loadPtr(CCallHelpers::Address(GPRInfo::callFrameRegister, CallFrameSlot::thisArgument * sizeof(EncodedJSValue)), GPRInfo::argumentGPR2);
    119             jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR2, JSWebAssemblyInstance::offsetOfPoisonedInstance()), GPRInfo::argumentGPR2);
    120             jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), GPRInfo::argumentGPR0);
    121             jit.xor64(GPRInfo::argumentGPR0, GPRInfo::argumentGPR2);
     119            jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR2, JSWebAssemblyInstance::offsetOfInstance()), GPRInfo::argumentGPR2);
    122120        }
    123121
     
    156154        if (!Context::useFastTLS()) {
    157155            jit.loadPtr(CCallHelpers::Address(GPRInfo::callFrameRegister, jsOffset), wasmContextInstanceGPR);
    158             jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfPoisonedInstance()), wasmContextInstanceGPR);
    159             jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), scratchReg);
    160             jit.xor64(scratchReg, wasmContextInstanceGPR);
     156            jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfInstance()), wasmContextInstanceGPR);
    161157            jsOffset += sizeof(EncodedJSValue);
    162158        }
  • trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h

    r240965 r242123  
    11/*
    2  * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2929
    3030#include "CallLinkInfo.h"
    31 #include "JSCPoison.h"
    3231#include "JSCast.h"
    3332#include "PromiseDeferredTimer.h"
     
    3736#include "WasmModule.h"
    3837#include <wtf/Bag.h>
    39 #include <wtf/PoisonedUniquePtr.h>
    4038#include <wtf/Ref.h>
    4139#include <wtf/Vector.h>
     
    9189    static void visitChildren(JSCell*, SlotVisitor&);
    9290
    93     PoisonedRef<JSWebAssemblyCodeBlockPoison, Wasm::CodeBlock> m_codeBlock;
     91    Ref<Wasm::CodeBlock> m_codeBlock;
    9492    Vector<MacroAssemblerCodeRef<WasmEntryPtrTag>> m_wasmToJSExitStubs;
    9593    Bag<CallLinkInfo> m_callLinkInfos;
  • trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp

    r237009 r242123  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    5555{
    5656    for (unsigned i = 0; i < this->instance().numImportFunctions(); ++i)
    57         new (this->instance().importFunction<PoisonedBarrier<JSObject>>(i)) PoisonedBarrier<JSObject>();
     57        new (this->instance().importFunction<WriteBarrier<JSObject>>(i)) WriteBarrier<JSObject>();
    5858}
    5959
     
    8989    visitor.reportExtraMemoryVisited(thisObject->m_instance->extraMemoryAllocated());
    9090    for (unsigned i = 0; i < thisObject->instance().numImportFunctions(); ++i)
    91         visitor.append(*thisObject->instance().importFunction<PoisonedBarrier<JSObject>>(i)); // This also keeps the functions' JSWebAssemblyInstance alive.
     91        visitor.append(*thisObject->instance().importFunction<WriteBarrier<JSObject>>(i)); // This also keeps the functions' JSWebAssemblyInstance alive.
    9292}
    9393
  • trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h

    r230759 r242123  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2828#if ENABLE(WEBASSEMBLY)
    2929
    30 #include "JSCPoison.h"
    3130#include "JSDestructibleObject.h"
    3231#include "JSObject.h"
     
    8281    JSWebAssemblyModule* module() const { return m_module.get(); }
    8382
    84     static size_t offsetOfPoisonedInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
    85     static size_t offsetOfPoisonedCallee() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_callee); }
    86 
    87     template<typename T>
    88     using PoisonedBarrier = PoisonedWriteBarrier<JSWebAssemblyInstancePoison, T>;
     83    static size_t offsetOfInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
     84    static size_t offsetOfCallee() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_callee); }
    8985
    9086protected:
     
    9591
    9692private:
    97     PoisonedRef<JSWebAssemblyInstancePoison, Wasm::Instance> m_instance;
     93    Ref<Wasm::Instance> m_instance;
    9894
    99     PoisonedBarrier<JSWebAssemblyModule> m_module;
    100     PoisonedBarrier<JSWebAssemblyCodeBlock> m_codeBlock;
    101     PoisonedBarrier<JSModuleNamespaceObject> m_moduleNamespaceObject;
    102     PoisonedBarrier<JSWebAssemblyMemory> m_memory;
    103     PoisonedBarrier<JSWebAssemblyTable> m_table;
    104     PoisonedBarrier<WebAssemblyToJSCallee> m_callee;
     95    WriteBarrier<JSWebAssemblyModule> m_module;
     96    WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlock;
     97    WriteBarrier<JSModuleNamespaceObject> m_moduleNamespaceObject;
     98    WriteBarrier<JSWebAssemblyMemory> m_memory;
     99    WriteBarrier<JSWebAssemblyTable> m_table;
     100    WriteBarrier<WebAssemblyToJSCallee> m_callee;
    105101};
    106102
  • trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h

    r240965 r242123  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2828#if ENABLE(WEBASSEMBLY)
    2929
    30 #include "JSCPoison.h"
    3130#include "JSDestructibleObject.h"
    3231#include "JSObject.h"
     
    6867    static void visitChildren(JSCell*, SlotVisitor&);
    6968
    70     PoisonedRef<JSWebAssemblyMemoryPoison, Wasm::Memory> m_memory;
    71     PoisonedWriteBarrier<JSWebAssemblyMemoryPoison, JSArrayBuffer> m_bufferWrapper;
    72     PoisonedRefPtr<JSWebAssemblyMemoryPoison, ArrayBuffer> m_buffer;
     69    Ref<Wasm::Memory> m_memory;
     70    WriteBarrier<JSArrayBuffer> m_bufferWrapper;
     71    RefPtr<ArrayBuffer> m_buffer;
    7372};
    7473
  • trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h

    r235786 r242123  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2828#if ENABLE(WEBASSEMBLY)
    2929
    30 #include "JSCPoison.h"
    3130#include "JSDestructibleObject.h"
    3231#include "JSObject.h"
     
    7978    static void visitChildren(JSCell*, SlotVisitor&);
    8079
    81     PoisonedRef<JSWebAssemblyModulePoison, Wasm::Module> m_module;
    82 
    83     template<typename T>
    84     using PoisonedBarrier = PoisonedWriteBarrier<JSWebAssemblyModulePoison, T>;
    85 
    86     PoisonedBarrier<SymbolTable> m_exportSymbolTable;
    87     PoisonedBarrier<JSWebAssemblyCodeBlock> m_codeBlocks[Wasm::NumberOfMemoryModes];
    88     PoisonedBarrier<WebAssemblyToJSCallee> m_callee;
     80    Ref<Wasm::Module> m_module;
     81    WriteBarrier<SymbolTable> m_exportSymbolTable;
     82    WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlocks[Wasm::NumberOfMemoryModes];
     83    WriteBarrier<WebAssemblyToJSCallee> m_callee;
    8984};
    9085
  • trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp

    r230096 r242123  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    6464    // But for now, we're not doing that.
    6565    // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
    66     m_jsFunctions = MallocPtr<PoisonedBarrier<JSObject>>::malloc((sizeof(PoisonedBarrier<JSObject>) * Checked<size_t>(allocatedLength())).unsafeGet());
     66    m_jsFunctions = MallocPtr<WriteBarrier<JSObject>>::malloc((sizeof(WriteBarrier<JSObject>) * Checked<size_t>(allocatedLength())).unsafeGet());
    6767    for (uint32_t i = 0; i < allocatedLength(); ++i)
    68         new(&m_jsFunctions.get()[i]) PoisonedBarrier<JSObject>();
     68        new(&m_jsFunctions.get()[i]) WriteBarrier<JSObject>();
    6969}
    7070
     
    105105    if (newLength > m_table->allocatedLength(oldLength))
    106106        // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
    107         m_jsFunctions.realloc((sizeof(PoisonedBarrier<JSObject>) * Checked<size_t>(m_table->allocatedLength(newLength))).unsafeGet());
     107        m_jsFunctions.realloc((sizeof(WriteBarrier<JSObject>) * Checked<size_t>(m_table->allocatedLength(newLength))).unsafeGet());
    108108
    109109    for (size_t i = oldLength; i < m_table->allocatedLength(newLength); ++i)
    110         new (&m_jsFunctions.get()[i]) PoisonedBarrier<JSObject>();
     110        new (&m_jsFunctions.get()[i]) WriteBarrier<JSObject>();
    111111
    112112    return true;
     
    122122{
    123123    m_table->clearFunction(index);
    124     m_jsFunctions.get()[index & m_table->mask()] = PoisonedBarrier<JSObject>();
     124    m_jsFunctions.get()[index & m_table->mask()] = WriteBarrier<JSObject>();
    125125}
    126126
  • trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h

    r239427 r242123  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2828#if ENABLE(WEBASSEMBLY)
    2929
    30 #include "JSCPoison.h"
    3130#include "JSDestructibleObject.h"
    3231#include "JSObject.h"
     
    6766    static void visitChildren(JSCell*, SlotVisitor&);
    6867
    69     PoisonedRef<JSWebAssemblyTablePoison, Wasm::Table> m_table;
    70 
    71     template<typename T>
    72     using PoisonedBarrier = PoisonedWriteBarrier<JSWebAssemblyTablePoison, T>;
    73 
    74     MallocPtr<PoisonedBarrier<JSObject>> m_jsFunctions;
     68    Ref<Wasm::Table> m_table;
     69    MallocPtr<WriteBarrier<JSObject>> m_jsFunctions;
    7570};
    7671
  • trunk/Source/JavaScriptCore/wasm/js/WasmToJS.cpp

    r242114 r242123  
    4848using JIT = CCallHelpers;
    4949
    50 static void materializeImportJSCell(JIT& jit, unsigned importIndex, GPRReg poison, GPRReg result)
     50static void materializeImportJSCell(JIT& jit, unsigned importIndex, GPRReg result)
    5151{
    5252    // We're calling out of the current WebAssembly.Instance. That Instance has a list of all its import functions.
    5353    jit.loadWasmContextInstance(result);
    5454    jit.loadPtr(JIT::Address(result, Instance::offsetOfImportFunction(importIndex)), result);
    55     jit.xor64(poison, result);
    5655}
    5756
     
    8786        // Store Callee.
    8887        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR1, Instance::offsetOfOwner()), GPRInfo::argumentGPR1);
    89         jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR1, JSWebAssemblyInstance::offsetOfPoisonedCallee()), GPRInfo::argumentGPR2);
    90         jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), GPRInfo::argumentGPR3);
    91         jit.xor64(GPRInfo::argumentGPR3, GPRInfo::argumentGPR2);
     88        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR1, JSWebAssemblyInstance::offsetOfCallee()), GPRInfo::argumentGPR2);
    9289        jit.storePtr(GPRInfo::argumentGPR2, JIT::Address(GPRInfo::callFrameRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
    93 
    94         // Let's be paranoid on the exception path and zero out the poison instead of leaving it in an argument GPR.
    95         jit.move(CCallHelpers::TrustedImm32(0), GPRInfo::argumentGPR3);
    9690
    9791        auto call = jit.call(OperationPtrTag);
     
    292286        jit.loadWasmContextInstance(GPRInfo::argumentGPR0);
    293287        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, Instance::offsetOfOwner()), GPRInfo::argumentGPR0);
    294         jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfPoisonedCallee()), GPRInfo::argumentGPR0);
    295         jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), GPRInfo::argumentGPR3);
    296         jit.xor64(GPRInfo::argumentGPR3, GPRInfo::argumentGPR0);
     288        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfCallee()), GPRInfo::argumentGPR0);
    297289        jit.storePtr(GPRInfo::argumentGPR0, JIT::Address(GPRInfo::callFrameRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
    298290       
    299         materializeImportJSCell(jit, importIndex, GPRInfo::argumentGPR3, GPRInfo::argumentGPR1);
     291        materializeImportJSCell(jit, importIndex, GPRInfo::argumentGPR1);
    300292       
    301         // Let's be paranoid before the call and zero out the poison instead of leaving it in an argument GPR.
    302         jit.move(CCallHelpers::TrustedImm32(0), GPRInfo::argumentGPR3);
    303 
    304293        static_assert(GPRInfo::numberOfArgumentRegisters >= 4, "We rely on this with the call below.");
    305294        static_assert(sizeof(SignatureIndex) == sizeof(uint64_t), "Following code assumes SignatureIndex is 64bit.");
     
    480469    }
    481470
    482     GPRReg poison = GPRInfo::argumentGPR1;
    483     ASSERT(poison != GPRInfo::argumentGPR0); // Both are used at the same time below.
    484 
    485471    jit.loadWasmContextInstance(GPRInfo::argumentGPR0);
    486472    jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, Instance::offsetOfOwner()), GPRInfo::argumentGPR0);
    487     jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfPoisonedCallee()), GPRInfo::argumentGPR0);
    488     jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), poison);
    489     jit.xor64(poison, GPRInfo::argumentGPR0);
     473    jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfCallee()), GPRInfo::argumentGPR0);
    490474    jit.storePtr(GPRInfo::argumentGPR0, JIT::Address(GPRInfo::callFrameRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
    491475
    492476    GPRReg importJSCellGPRReg = GPRInfo::regT0; // Callee needs to be in regT0 for slow path below.
    493     ASSERT(poison != importJSCellGPRReg);
    494477
    495478    ASSERT(!wasmCC.m_calleeSaveRegisters.get(importJSCellGPRReg));
    496     materializeImportJSCell(jit, importIndex, poison, importJSCellGPRReg);
    497 
    498     // Let's be paranoid zero out the poison instead of leaving it in an argument GPR.
    499     jit.move(CCallHelpers::TrustedImm32(0), poison);
     479    materializeImportJSCell(jit, importIndex, importJSCellGPRReg);
    500480
    501481    jit.store64(importJSCellGPRReg, calleeFrame.withOffset(CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
  • trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h

    r227527 r242123  
    5151    WebAssemblyFunctionBase(VM&, JSGlobalObject*, Structure*);
    5252
    53     PoisonedWriteBarrier<WebAssemblyFunctionBasePoison, JSWebAssemblyInstance> m_instance;
     53    WriteBarrier<JSWebAssemblyInstance> m_instance;
    5454};
    5555
  • trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

    r239461 r242123  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    225225            info->targetInstance = calleeInstance;
    226226            info->wasmEntrypointLoadLocation = entrypointLoadLocation;
    227             m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(import.kindIndex)->set(vm, m_instance.get(), function);
     227            m_instance->instance().importFunction<WriteBarrier<JSObject>>(import.kindIndex)->set(vm, m_instance.get(), function);
    228228            break;
    229229        }
     
    339339            if (exp.kindIndex < functionImportCount) {
    340340                unsigned functionIndex = exp.kindIndex;
    341                 JSObject* functionImport = m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(functionIndex)->get();
     341                JSObject* functionImport = m_instance->instance().importFunction<WriteBarrier<JSObject>>(functionIndex)->get();
    342342                if (isWebAssemblyHostFunction(vm, functionImport))
    343343                    exportedValue = functionImport;
     
    420420        ASSERT(signature.returnType() == Wasm::Void);
    421421        if (startFunctionIndexSpace < codeBlock->functionImportCount()) {
    422             JSObject* startFunction = m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(startFunctionIndexSpace)->get();
     422            JSObject* startFunction = m_instance->instance().importFunction<WriteBarrier<JSObject>>(startFunctionIndexSpace)->get();
    423423            m_startFunction.set(vm, this, startFunction);
    424424        } else {
     
    521521            Wasm::SignatureIndex signatureIndex = module.signatureIndexFromFunctionIndexSpace(functionIndex);
    522522            if (functionIndex < codeBlock->functionImportCount()) {
    523                 JSObject* functionImport = m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(functionIndex)->get();
     523                JSObject* functionImport = m_instance->instance().importFunction<WriteBarrier<JSObject>>(functionIndex)->get();
    524524                if (isWebAssemblyHostFunction(vm, functionImport)) {
    525525                    WebAssemblyFunction* wasmFunction = jsDynamicCast<WebAssemblyFunction*>(vm, functionImport);
  • trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.h

    r230759 r242123  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    6262    static void visitChildren(JSCell*, SlotVisitor&);
    6363
    64     template<typename T>
    65     using PoisonedBarrier = PoisonedWriteBarrier<WebAssemblyModuleRecordPoison, T>;
    66 
    67     PoisonedBarrier<JSWebAssemblyInstance> m_instance;
    68     PoisonedBarrier<JSObject> m_startFunction;
     64    WriteBarrier<JSWebAssemblyInstance> m_instance;
     65    WriteBarrier<JSObject> m_startFunction;
    6966};
    7067
  • trunk/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.h

    r227527 r242123  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    5252    WebAssemblyToJSCallee(VM&, Structure*);
    5353
    54     PoisonedWriteBarrier<WebAssemblyToJSCalleePoison, JSWebAssemblyModule> m_module;
     54    WriteBarrier<JSWebAssemblyModule> m_module;
    5555};
    5656
  • trunk/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h

    r240965 r242123  
    11/*
    2  * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    6565    WebAssemblyWrapperFunction(VM&, JSGlobalObject*, Structure*, WasmToWasmImportableFunction);
    6666
    67     PoisonedWriteBarrier<WebAssemblyWrapperFunctionPoison, JSObject> m_function;
     67    WriteBarrier<JSObject> m_function;
    6868    // It's safe to just hold the raw WasmToWasmImportableFunction because we have a reference
    6969    // to our Instance, which points to the CodeBlock, which points to the Module
Note: See TracChangeset for help on using the changeset viewer.