Changeset 242123 in webkit

Timestamp:

Feb 26, 2019, 9:43:34 PM (6 years ago)

Author:

mark.lam@apple.com

Message:

Remove poisons in JSCPoison and uses of them.
​https://bugs.webkit.org/show_bug.cgi?id=195082

Reviewed by Yusuke Suzuki.

Also removed unused poisoning code in WriteBarrier, AssemblyHelpers,
DFG::SpeculativeJIT, FTLLowerDFGToB3, and FTL::Output.

• API/JSAPIWrapperObject.h:

(JSC::JSAPIWrapperObject::wrappedObject):

• API/JSCallbackFunction.h:
• API/JSCallbackObject.h:
• API/glib/JSAPIWrapperGlobalObject.h:
• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• bytecode/AccessCase.cpp:

(JSC::AccessCase::generateWithGuard):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
(JSC::DFG::SpeculativeJIT::compileGetExecutable):
(JSC::DFG::SpeculativeJIT::compileCreateThis):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer): Deleted.

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
(JSC::FTL::DFG::LowerDFGToB3::weakPointer):
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer): Deleted.

• ftl/FTLOutput.h:

(JSC::FTL::Output::weakPoisonedPointer): Deleted.

• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::emitDynamicPoison): Deleted.
(JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType): Deleted.
(JSC::AssemblyHelpers::emitDynamicPoisonOnType): Deleted.

• jit/AssemblyHelpers.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_create_this):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitScopedArgumentsGetByVal):

• jit/Repatch.cpp:

(JSC::linkPolymorphicCall):

• jit/ThunkGenerators.cpp:

(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):

• parser/UnlinkedSourceCode.h:
• runtime/ArrayPrototype.h:
• runtime/CustomGetterSetter.h:

(JSC::CustomGetterSetter::getter const):
(JSC::CustomGetterSetter::setter const):

• runtime/InitializeThreading.cpp:

(JSC::initializeThreading):

• runtime/InternalFunction.cpp:

(JSC::InternalFunction::getCallData):
(JSC::InternalFunction::getConstructData):

• runtime/InternalFunction.h:

(JSC::InternalFunction::nativeFunctionFor):

• runtime/JSArrayBuffer.h:
• runtime/JSBoundFunction.h:
• runtime/JSCPoison.cpp: Removed.
• runtime/JSCPoison.h: Removed.
• runtime/JSFunction.h:
• runtime/JSGlobalObject.h:
• runtime/JSScriptFetchParameters.h:
• runtime/JSScriptFetcher.h:
• runtime/JSString.h:
• runtime/NativeExecutable.cpp:

(JSC::NativeExecutable::hashFor const):

• runtime/NativeExecutable.h:
• runtime/Options.h:
• runtime/ScopedArguments.h:
• runtime/Structure.cpp:

(JSC::StructureTransitionTable::setSingleTransition):

• runtime/StructureTransitionTable.h:

(JSC::StructureTransitionTable::map const):
(JSC::StructureTransitionTable::weakImpl const):
(JSC::StructureTransitionTable::setMap):

• runtime/WriteBarrier.h:
• wasm/WasmB3IRGenerator.cpp:
• wasm/WasmInstance.h:
• wasm/js/JSToWasm.cpp:

(JSC::Wasm::createJSToWasmWrapper):

• wasm/js/JSWebAssemblyCodeBlock.h:
• wasm/js/JSWebAssemblyInstance.cpp:

(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::visitChildren):

• wasm/js/JSWebAssemblyInstance.h:
• wasm/js/JSWebAssemblyMemory.h:
• wasm/js/JSWebAssemblyModule.h:
• wasm/js/JSWebAssemblyTable.cpp:

(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::clearFunction):

• wasm/js/JSWebAssemblyTable.h:
• wasm/js/WasmToJS.cpp:

(JSC::Wasm::materializeImportJSCell):
(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):

• wasm/js/WebAssemblyFunctionBase.h:
• wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):

• wasm/js/WebAssemblyModuleRecord.h:
• wasm/js/WebAssemblyToJSCallee.h:
• wasm/js/WebAssemblyWrapperFunction.h:

Location:

trunk/Source/JavaScriptCore

Files:

• API/JSAPIWrapperObject.h (modified) (4 diffs)
• API/JSCallbackFunction.h (modified) (3 diffs)
• API/JSCallbackObject.h (modified) (2 diffs)
• API/glib/JSAPIWrapperGlobalObject.h (modified) (1 diff)
• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Sources.txt (modified) (1 diff)
• bytecode/AccessCase.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (8 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• ftl/FTLLowerDFGToB3.cpp (modified) (8 diffs)
• ftl/FTLOutput.h (modified) (2 diffs)
• jit/AssemblyHelpers.cpp (modified) (1 diff)
• jit/AssemblyHelpers.h (modified) (1 diff)
• jit/JITOpcodes.cpp (modified) (2 diffs)
• jit/JITPropertyAccess.cpp (modified) (1 diff)
• jit/Repatch.cpp (modified) (2 diffs)
• jit/ThunkGenerators.cpp (modified) (7 diffs)
• parser/UnlinkedSourceCode.h (modified) (3 diffs)
• runtime/ArrayPrototype.h (modified) (3 diffs)
• runtime/CustomGetterSetter.h (modified) (4 diffs)
• runtime/InitializeThreading.cpp (modified) (2 diffs)
• runtime/InternalFunction.cpp (modified) (3 diffs)
• runtime/InternalFunction.h (modified) (5 diffs)
• runtime/JSArrayBuffer.h (modified) (4 diffs)
• runtime/JSBoundFunction.h (modified) (1 diff)
• runtime/JSCPoison.cpp (deleted)
• runtime/JSCPoison.h (deleted)
• runtime/JSFunction.h (modified) (2 diffs)
• runtime/JSGlobalObject.h (modified) (5 diffs)
• runtime/JSScriptFetchParameters.h (modified) (3 diffs)
• runtime/JSScriptFetcher.h (modified) (3 diffs)
• runtime/JSString.h (modified) (1 diff)
• runtime/NativeExecutable.cpp (modified) (2 diffs)
• runtime/NativeExecutable.h (modified) (4 diffs)
• runtime/Options.h (modified) (1 diff)
• runtime/ScopedArguments.h (modified) (3 diffs)
• runtime/Structure.cpp (modified) (1 diff)
• runtime/StructureTransitionTable.h (modified) (6 diffs)
• runtime/WriteBarrier.h (modified) (2 diffs)
• wasm/WasmB3IRGenerator.cpp (modified) (1 diff)
• wasm/WasmInstance.h (modified) (1 diff)
• wasm/js/JSToWasm.cpp (modified) (3 diffs)
• wasm/js/JSWebAssemblyCodeBlock.h (modified) (4 diffs)
• wasm/js/JSWebAssemblyInstance.cpp (modified) (3 diffs)
• wasm/js/JSWebAssemblyInstance.h (modified) (4 diffs)
• wasm/js/JSWebAssemblyMemory.h (modified) (3 diffs)
• wasm/js/JSWebAssemblyModule.h (modified) (3 diffs)
• wasm/js/JSWebAssemblyTable.cpp (modified) (4 diffs)
• wasm/js/JSWebAssemblyTable.h (modified) (3 diffs)
• wasm/js/WasmToJS.cpp (modified) (4 diffs)
• wasm/js/WebAssemblyFunctionBase.h (modified) (1 diff)
• wasm/js/WebAssemblyModuleRecord.cpp (modified) (5 diffs)
• wasm/js/WebAssemblyModuleRecord.h (modified) (2 diffs)
• wasm/js/WebAssemblyToJSCallee.h (modified) (2 diffs)
• wasm/js/WebAssemblyWrapperFunction.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/API/JSAPIWrapperObject.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 
 #include "JSBase.h"
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
-#include <wtf/Poisoned.h>
 
 #if JSC_OBJC_API_ENABLED || defined(JSC_GLIB_API_ENABLED)
@@ -43 +41 @@
     static void visitChildren(JSCell*, JSC::SlotVisitor&);
     
-    void* wrappedObject() { return m_wrappedObject.unpoisoned(); }
+    void* wrappedObject() { return m_wrappedObject; }
     void setWrappedObject(void*);
 
@@ -50 +48 @@
 
 private:
-    Poisoned<JSAPIWrapperObjectPoison, void*> m_wrappedObject;
+    void* m_wrappedObject { nullptr };
 };
 

trunk/Source/JavaScriptCore/API/JSCallbackFunction.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 
 #include "InternalFunction.h"
-#include "JSCPoison.h"
 #include "JSObjectRef.h"
 
@@ -59 +58 @@
     void finishCreation(VM&, const String& name);
 
-    JSObjectCallAsFunctionCallback functionCallback() { return m_callback.unpoisoned(); }
+    JSObjectCallAsFunctionCallback functionCallback() { return m_callback; }
 
-    Poisoned<NativeCodePoison, JSObjectCallAsFunctionCallback> m_callback;
+    JSObjectCallAsFunctionCallback m_callback { nullptr };
 };
 

trunk/Source/JavaScriptCore/API/JSCallbackObject.h

@@ -28 +28 @@
 #define JSCallbackObject_h
 
-#include "JSCPoison.h"
 #include "JSObjectRef.h"
 #include "JSValueRef.h"
 #include "JSObject.h"
-#include <wtf/PoisonedUniquePtr.h>
 
 namespace JSC {
@@ -228 +226 @@
     static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
 
-    WTF::PoisonedUniquePtr<JSCallbackObjectPoison, JSCallbackObjectData> m_callbackObjectData;
+    std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
     const ClassInfo* m_classInfo { nullptr };
 };

trunk/Source/JavaScriptCore/API/glib/JSAPIWrapperGlobalObject.h

@@ -28 +28 @@
 #include "JSBase.h"
 #include "JSCGLibWrapperObject.h"
-#include "JSCPoison.h"
 #include "JSGlobalObject.h"
 

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -831 +831 @@
     runtime/JSCJSValue.h
     runtime/JSCJSValueInlines.h
-    runtime/JSCPoison.h
     runtime/JSCPtrTag.h
     runtime/JSCallee.h

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-02-26  Mark Lam  <mark.lam@apple.com>
+
+        Remove poisons in JSCPoison and uses of them.
+        https://bugs.webkit.org/show_bug.cgi?id=195082
+
+        Reviewed by Yusuke Suzuki.
+
+        Also removed unused poisoning code in WriteBarrier, AssemblyHelpers,
+        DFG::SpeculativeJIT, FTLLowerDFGToB3, and FTL::Output.
+
+        * API/JSAPIWrapperObject.h:
+        (JSC::JSAPIWrapperObject::wrappedObject):
+        * API/JSCallbackFunction.h:
+        * API/JSCallbackObject.h:
+        * API/glib/JSAPIWrapperGlobalObject.h:
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateWithGuard):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+        (JSC::DFG::SpeculativeJIT::compileGetExecutable):
+        (JSC::DFG::SpeculativeJIT::compileCreateThis):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer): Deleted.
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+        (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
+        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer): Deleted.
+        * ftl/FTLOutput.h:
+        (JSC::FTL::Output::weakPoisonedPointer): Deleted.
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::emitDynamicPoison): Deleted.
+        (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType): Deleted.
+        (JSC::AssemblyHelpers::emitDynamicPoisonOnType): Deleted.
+        * jit/AssemblyHelpers.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_create_this):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitScopedArgumentsGetByVal):
+        * jit/Repatch.cpp:
+        (JSC::linkPolymorphicCall):
+        * jit/ThunkGenerators.cpp:
+        (JSC::virtualThunkFor):
+        (JSC::nativeForGenerator):
+        (JSC::boundThisNoArgsFunctionCallGenerator):
+        * parser/UnlinkedSourceCode.h:
+        * runtime/ArrayPrototype.h:
+        * runtime/CustomGetterSetter.h:
+        (JSC::CustomGetterSetter::getter const):
+        (JSC::CustomGetterSetter::setter const):
+        * runtime/InitializeThreading.cpp:
+        (JSC::initializeThreading):
+        * runtime/InternalFunction.cpp:
+        (JSC::InternalFunction::getCallData):
+        (JSC::InternalFunction::getConstructData):
+        * runtime/InternalFunction.h:
+        (JSC::InternalFunction::nativeFunctionFor):
+        * runtime/JSArrayBuffer.h:
+        * runtime/JSBoundFunction.h:
+        * runtime/JSCPoison.cpp: Removed.
+        * runtime/JSCPoison.h: Removed.
+        * runtime/JSFunction.h:
+        * runtime/JSGlobalObject.h:
+        * runtime/JSScriptFetchParameters.h:
+        * runtime/JSScriptFetcher.h:
+        * runtime/JSString.h:
+        * runtime/NativeExecutable.cpp:
+        (JSC::NativeExecutable::hashFor const):
+        * runtime/NativeExecutable.h:
+        * runtime/Options.h:
+        * runtime/ScopedArguments.h:
+        * runtime/Structure.cpp:
+        (JSC::StructureTransitionTable::setSingleTransition):
+        * runtime/StructureTransitionTable.h:
+        (JSC::StructureTransitionTable::map const):
+        (JSC::StructureTransitionTable::weakImpl const):
+        (JSC::StructureTransitionTable::setMap):
+        * runtime/WriteBarrier.h:
+        * wasm/WasmB3IRGenerator.cpp:
+        * wasm/WasmInstance.h:
+        * wasm/js/JSToWasm.cpp:
+        (JSC::Wasm::createJSToWasmWrapper):
+        * wasm/js/JSWebAssemblyCodeBlock.h:
+        * wasm/js/JSWebAssemblyInstance.cpp:
+        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
+        (JSC::JSWebAssemblyInstance::visitChildren):
+        * wasm/js/JSWebAssemblyInstance.h:
+        * wasm/js/JSWebAssemblyMemory.h:
+        * wasm/js/JSWebAssemblyModule.h:
+        * wasm/js/JSWebAssemblyTable.cpp:
+        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
+        (JSC::JSWebAssemblyTable::grow):
+        (JSC::JSWebAssemblyTable::clearFunction):
+        * wasm/js/JSWebAssemblyTable.h:
+        * wasm/js/WasmToJS.cpp:
+        (JSC::Wasm::materializeImportJSCell):
+        (JSC::Wasm::handleBadI64Use):
+        (JSC::Wasm::wasmToJS):
+        * wasm/js/WebAssemblyFunctionBase.h:
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::link):
+        (JSC::WebAssemblyModuleRecord::evaluate):
+        * wasm/js/WebAssemblyModuleRecord.h:
+        * wasm/js/WebAssemblyToJSCallee.h:
+        * wasm/js/WebAssemblyWrapperFunction.h:
+
 2019-02-26  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1811 +1811 @@
                 FE20CE9E15F04A9500DF3430 /* LLIntCLoop.h in Headers */ = {isa = PBXBuildFile; fileRef = FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FE2A87601F02381600EB31B2 /* MinimumReservedZoneSize.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */; };
-                FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2B0B701FD8C4630075DA5F /* JSCPoison.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FE3022D31E3D73A500BAC493 /* SigillCrashAnalyzer.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D11E3D739600BAC493 /* SigillCrashAnalyzer.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 FE3022D71E42857300BAC493 /* VMInspector.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D51E42856700BAC493 /* VMInspector.h */; };
@@ -4820 +4819 @@
                 FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntCLoop.h; path = llint/LLIntCLoop.h; sourceTree = "<group>"; };
                 FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MinimumReservedZoneSize.h; sourceTree = "<group>"; };
-                FE2B0B681FD0D2970075DA5F /* JSCPoison.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSCPoison.cpp; sourceTree = "<group>"; };
-                FE2B0B701FD8C4630075DA5F /* JSCPoison.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCPoison.h; sourceTree = "<group>"; };
                 FE2E6A7A1D6EA5FE0060F896 /* ThrowScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ThrowScope.cpp; sourceTree = "<group>"; };
                 FE3022D01E3D739600BAC493 /* SigillCrashAnalyzer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SigillCrashAnalyzer.cpp; sourceTree = "<group>"; };
@@ -6872 +6869 @@
                                 14ABB36E099C076400E2A24F /* JSCJSValue.h */,
                                 865A30F0135007E100CDB49E /* JSCJSValueInlines.h */,
-                                FE2B0B681FD0D2970075DA5F /* JSCPoison.cpp */,
-                                FE2B0B701FD8C4630075DA5F /* JSCPoison.h */,
                                 FE7497E5209001B00003565B /* JSCPtrTag.h */,
                                 72AAF7CB1D0D318B005E60BE /* JSCustomGetterSetterFunction.cpp */,
@@ -9283 +9278 @@
                                 A5D2E665195E174000A518E7 /* JSContextRefInternal.h in Headers */,
                                 148CD1D8108CF902008163C6 /* JSContextRefPrivate.h in Headers */,
-                                FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */,
                                 FE7497E6209001B10003565B /* JSCPtrTag.h in Headers */,
                                 A72028B81797601E0098028C /* JSCTestRunnerUtils.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

@@ -803 +803 @@
 runtime/JSBoundFunction.cpp
 runtime/JSCJSValue.cpp
-runtime/JSCPoison.cpp
 runtime/JSCallee.cpp
 runtime/JSCell.cpp

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -512 +512 @@
             CCallHelpers::Address(baseGPR, ScopedArguments::offsetOfStorage()),
             scratchGPR);
-        jit.xorPtr(CCallHelpers::TrustedImmPtr(ScopedArgumentsPoison::key()), scratchGPR);
         fallThrough.append(
             jit.branchTest8(

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -6870 +6870 @@
     m_jit.loadPtr(
         MacroAssembler::Address(baseReg, ScopedArguments::offsetOfStorage()), resultRegs.payloadGPR());
-    m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), resultRegs.payloadGPR());
-    
     m_jit.load32(
         MacroAssembler::Address(resultRegs.payloadGPR(), ScopedArguments::offsetOfTotalLengthInStorage()),
@@ -6883 +6881 @@
     
     m_jit.loadPtr(MacroAssembler::Address(baseReg, ScopedArguments::offsetOfTable()), scratchReg);
-    m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratchReg);
     m_jit.load32(
         MacroAssembler::Address(scratchReg, ScopedArgumentsTable::offsetOfLength()), scratch2Reg);
@@ -6891 +6888 @@
     
     m_jit.loadPtr(MacroAssembler::Address(baseReg, ScopedArguments::offsetOfScope()), scratch2Reg);
-    m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch2Reg);
 
     m_jit.loadPtr(
@@ -7041 +7037 @@
         m_jit.loadPtr(
             MacroAssembler::Address(baseReg, ScopedArguments::offsetOfStorage()), resultReg);
-        m_jit.xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), resultReg);
-        
+
         speculationCheck(
             ExoticObjectMode, JSValueSource(), 0,
@@ -7092 +7087 @@
     
     m_jit.storePtr(scopeGPR, JITCompiler::Address(resultGPR, JSFunction::offsetOfScopeChain()));
-    m_jit.storePtr(TrustedImmPtr::weakPoisonedPointer<JSFunctionPoison>(m_jit.graph(), executable), JITCompiler::Address(resultGPR, JSFunction::offsetOfExecutable()));
+    m_jit.storePtr(TrustedImmPtr::weakPointer(m_jit.graph(), executable), JITCompiler::Address(resultGPR, JSFunction::offsetOfExecutable()));
     m_jit.storePtr(TrustedImmPtr(nullptr), JITCompiler::Address(resultGPR, JSFunction::offsetOfRareData()));
     
@@ -12117 +12112 @@
     speculateCellType(node->child1(), functionGPR, SpecFunction, JSFunctionType);
     m_jit.loadPtr(JITCompiler::Address(functionGPR, JSFunction::offsetOfExecutable()), resultGPR);
-#if USE(JSVALUE64)
-    m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), resultGPR);
-#endif
     cellResult(resultGPR, node);
 }
@@ -12491 +12483 @@
     m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
     slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
-    m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), rareDataGPR);
     m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
     m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
@@ -12499 +12490 @@
 
     m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
-    m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSFunctionPoison::key()), rareDataGPR);
     m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), inlineCapacityGPR);
     m_jit.emitInitializeInlineStorage(resultGPR, inlineCapacityGPR);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -148 +148 @@
             graph.m_plan.weakReferences().addLazily(cell);
             return TrustedImmPtr(bitwise_cast<size_t>(cell));
-        }
-
-        template<typename Key>
-        static TrustedImmPtr weakPoisonedPointer(Graph& graph, JSCell* cell)
-        {     
-            graph.m_plan.weakReferences().addLazily(cell);
-            return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());
         }
 

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -3142 +3142 @@
         LValue cell = lowCell(m_node->child1());
         speculateFunction(m_node->child1(), cell);
-        setJSValue(
-            m_out.bitXor(
-                m_out.loadPtr(cell, m_heaps.JSFunction_executable),
-                m_out.constIntPtr(JSFunctionPoison::key())));
+        setJSValue(m_out.loadPtr(cell, m_heaps.JSFunction_executable));
     }
     
@@ -3844 +3841 @@
         case Array::ScopedArguments: {
             LValue arguments = lowCell(m_node->child1());
-            LValue storage = m_out.bitXor(
-                m_out.loadPtr(arguments, m_heaps.ScopedArguments_storage),
-                m_out.constIntPtr(ScopedArgumentsPoison::key()));
+            LValue storage = m_out.loadPtr(arguments, m_heaps.ScopedArguments_storage);
             speculate(
                 ExoticObjectMode, noValue(), nullptr,
@@ -4048 +4043 @@
             
             LValue storage = m_out.loadPtr(base, m_heaps.ScopedArguments_storage);
-            storage = m_out.bitXor(storage, m_out.constIntPtr(ScopedArgumentsPoison::key()));
-            
             LValue totalLength = m_out.load32NonNegative(
                 storage, m_heaps.ScopedArguments_Storage_totalLength);
@@ -4057 +4050 @@
             
             LValue table = m_out.loadPtr(base, m_heaps.ScopedArguments_table);
-            table = m_out.bitXor(table, m_out.constIntPtr(ScopedArgumentsPoison::key()));
-            
             LValue namedLength = m_out.load32(table, m_heaps.ScopedArgumentsTable_length);
             
@@ -4071 +4062 @@
             
             LValue scope = m_out.loadPtr(base, m_heaps.ScopedArguments_scope);
-            scope = m_out.bitXor(scope, m_out.constIntPtr(ScopedArgumentsPoison::key()));
-            
             LValue arguments = m_out.loadPtr(table, m_heaps.ScopedArgumentsTable_arguments);
             
@@ -5324 +5313 @@
         // must be young.
         m_out.storePtr(scope, fastObject, m_heaps.JSFunction_scope);
-        m_out.storePtr(weakPoisonedPointer<JSFunctionPoison>(executable), fastObject, m_heaps.JSFunction_executable);
+        m_out.storePtr(weakPointer(executable), fastObject, m_heaps.JSFunction_executable);
         m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.JSFunction_rareData);
         
@@ -16386 +16375 @@
     }
     
-    LValue dynamicPoison(LValue value, LValue poison)
-    {
-        return m_out.add(
-            value,
-            m_out.shl(
-                m_out.zeroExt(poison, pointerType()),
-                m_out.constInt32(40)));
-    }
-    
-    LValue dynamicPoisonOnLoadedType(LValue value, LValue actualType, JSType expectedType)
-    {
-        return dynamicPoison(
-            value,
-            m_out.bitXor(
-                m_out.opaque(actualType),
-                m_out.constInt32(expectedType)));
-    }
-    
-    LValue dynamicPoisonOnType(LValue value, JSType expectedType)
-    {
-        return dynamicPoisonOnLoadedType(
-            value,
-            m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoType),
-            expectedType);
-    }
-
     template<typename... Args>
     LValue vmCall(LType type, LValue function, Args&&... args)
@@ -16957 +16920 @@
         addWeakReference(pointer);
         return m_out.weakPointer(m_graph, pointer);
-    }
-    
-    template<typename Key>
-    LValue weakPoisonedPointer(JSCell* pointer)
-    {
-        addWeakReference(pointer);
-        return m_out.weakPoisonedPointer<Key>(m_graph, pointer);
     }
 

trunk/Source/JavaScriptCore/ftl/FTLOutput.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -112 +112 @@
     }
 
-    template<typename Key>
-    LValue weakPoisonedPointer(DFG::Graph& graph, JSCell* cell)
-    {
-        ASSERT(graph.m_plan.weakReferences().contains(cell));
-
-        return constIntPtr(bitwise_cast<intptr_t>(cell) ^ Key::key());
-    }
-
     LValue weakPointer(DFG::FrozenValue* value)
     {

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -1003 +1003 @@
 }
 
-void AssemblyHelpers::emitDynamicPoison(GPRReg base, GPRReg poisonValue)
-{
-#if CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__))
-    lshiftPtr(TrustedImm32(40), poisonValue);
-    addPtr(poisonValue, base);
-#else
-    UNUSED_PARAM(base);
-    UNUSED_PARAM(poisonValue);
-#endif
-}
-
-void AssemblyHelpers::emitDynamicPoisonOnLoadedType(GPRReg base, GPRReg actualType, JSType expectedType)
-{
-#if CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__))
-    xor32(TrustedImm32(expectedType), actualType);
-    emitDynamicPoison(base, actualType);
-#else
-    UNUSED_PARAM(base);
-    UNUSED_PARAM(actualType);
-    UNUSED_PARAM(expectedType);
-#endif
-}
-
-void AssemblyHelpers::emitDynamicPoisonOnType(GPRReg base, GPRReg scratch, JSType expectedType)
-{
-#if CPU(X86_64) || (CPU(ARM64) && !defined(__ILP32__))
-    load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
-    emitDynamicPoisonOnLoadedType(base, scratch, expectedType);
-#else
-    UNUSED_PARAM(base);
-    UNUSED_PARAM(scratch);
-    UNUSED_PARAM(expectedType);
-#endif
-}
-
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1832 +1832 @@
     // permits length and result to be in the same register.
     void emitPreparePreciseIndexMask32(GPRReg index, GPRReg length, GPRReg result);
-    
-    void emitDynamicPoison(GPRReg base, GPRReg poisonValue);
-    void emitDynamicPoisonOnLoadedType(GPRReg base, GPRReg actualType, JSType expectedType);
-    void emitDynamicPoisonOnType(GPRReg base, GPRReg scratch, JSType expectedType);
 
 #if ENABLE(WEBASSEMBLY)

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -909 +909 @@
     loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
     addSlowCase(branchTestPtr(Zero, rareDataReg));
-    xorPtr(TrustedImmPtr(JSFunctionPoison::key()), rareDataReg);
     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
@@ -923 +922 @@
     emitGetVirtualRegister(callee, scratchReg);
     loadPtr(Address(scratchReg, JSFunction::offsetOfRareData()), scratchReg);
-    xorPtr(TrustedImmPtr(JSFunctionPoison::key()), scratchReg);
     load32(Address(scratchReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), scratchReg);
     emitInitializeInlineStorage(resultReg, scratchReg);

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -1610 +1610 @@
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(ScopedArgumentsType));
     loadPtr(Address(base, ScopedArguments::offsetOfStorage()), scratch3);
-    xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch3);
     slowCases.append(branch32(AboveOrEqual, property, Address(scratch3, ScopedArguments::offsetOfTotalLengthInStorage())));
     
     loadPtr(Address(base, ScopedArguments::offsetOfTable()), scratch);
-    xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch);
     load32(Address(scratch, ScopedArgumentsTable::offsetOfLength()), scratch2);
     Jump overflowCase = branch32(AboveOrEqual, property, scratch2);
     loadPtr(Address(base, ScopedArguments::offsetOfScope()), scratch2);
-    xorPtr(TrustedImmPtr(ScopedArgumentsPoison::key()), scratch2);
     loadPtr(Address(scratch, ScopedArgumentsTable::offsetOfArguments()), scratch);
     load32(BaseIndex(scratch, property, TimesFour), scratch);

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1065 +1065 @@
             CCallHelpers::Address(calleeGPR, JSFunction::offsetOfExecutable()),
             scratchGPR);
-        stubJit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), scratchGPR);
         
         comparisonValueGPR = scratchGPR;

trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

@@ -204 +204 @@
         CCallHelpers::Address(GPRInfo::regT0, JSFunction::offsetOfExecutable()),
         GPRInfo::regT4);
-    jit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), GPRInfo::regT4);
     jit.loadPtr(
         CCallHelpers::Address(
@@ -284 +283 @@
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSFunction::offsetOfExecutable()), JSInterfaceJIT::regT1);
-        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), JSInterfaceJIT::regT1);
         jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, executableOffsetToFunction), JSEntryPtrTag);
     } else
@@ -300 +298 @@
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, JSFunction::offsetOfExecutable()), X86Registers::r9);
-        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), X86Registers::r9);
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction), X86Registers::r9);
     } else
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, InternalFunction::offsetOfNativeFunctionFor(kind)), X86Registers::r9);
-    jit.move(JSInterfaceJIT::TrustedImm64(NativeCodePoison::key()), X86Registers::esi);
-    jit.xor64(X86Registers::esi, X86Registers::r9);
     jit.call(X86Registers::r9, JSEntryPtrTag);
 
@@ -320 +315 @@
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(X86Registers::edx, JSFunction::offsetOfExecutable()), X86Registers::r9);
-        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), X86Registers::r9);
         jit.call(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction), JSEntryPtrTag);
     } else
@@ -339 +333 @@
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, JSFunction::offsetOfExecutable()), ARM64Registers::x2);
-        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), ARM64Registers::x2);
         jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction), ARM64Registers::x2);
     } else
         jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, InternalFunction::offsetOfNativeFunctionFor(kind)), ARM64Registers::x2);
-    jit.move(JSInterfaceJIT::TrustedImm64(NativeCodePoison::key()), ARM64Registers::x1);
-    jit.xor64(ARM64Registers::x1, ARM64Registers::x2);
     jit.call(ARM64Registers::x2, JSEntryPtrTag);
 
@@ -360 +351 @@
     if (thunkFunctionType == ThunkFunctionType::JSFunction) {
         jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::argumentGPR1, JSFunction::offsetOfExecutable()), JSInterfaceJIT::regT2);
-        jit.xorPtr(JSInterfaceJIT::TrustedImmPtr(JSFunctionPoison::key()), JSInterfaceJIT::regT2);
         jit.call(JSInterfaceJIT::Address(JSInterfaceJIT::regT2, executableOffsetToFunction), JSEntryPtrTag);
     } else
@@ -1238 +1228 @@
         CCallHelpers::Address(GPRInfo::regT3, JSFunction::offsetOfExecutable()),
         GPRInfo::regT0);
-    jit.xorPtr(CCallHelpers::TrustedImmPtr(JSFunctionPoison::key()), GPRInfo::regT0);
     jit.loadPtr(
         CCallHelpers::Address(

trunk/Source/JavaScriptCore/parser/UnlinkedSourceCode.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29 +29 @@
 #pragma once
 
-#include "JSCPoison.h"
 #include "SourceProvider.h"
 #include <wtf/RefPtr.h>
@@ -108 +107 @@
 
     protected:
-        // FIXME: Make it PoisonedRef<SourceProvidier>.
+        // FIXME: Make it Ref<SourceProvidier>.
         // https://bugs.webkit.org/show_bug.cgi?id=168325
-        PoisonedRefPtr<UnlinkedSourceCodePoison, SourceProvider> m_provider;
+        RefPtr<SourceProvider> m_provider;
         int m_startOffset;
         int m_endOffset;

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2007-2018 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007-2019 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -22 +22 @@
 
 #include "JSArray.h"
-#include "JSCPoison.h"
-#include <wtf/PoisonedUniquePtr.h>
 
 namespace JSC {
@@ -63 +61 @@
     // This bit is set if any user modifies the constructor property Array.prototype. This is used to optimize species creation for JSArrays.
     friend ArrayPrototypeAdaptiveInferredPropertyWatchpoint;
-    PoisonedUniquePtr<ArrayPrototypePoison, ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
-    PoisonedUniquePtr<ArrayPrototypePoison, ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorSpeciesWatchpoint;
+    std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
+    std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorSpeciesWatchpoint;
 };
 

trunk/Source/JavaScriptCore/runtime/CustomGetterSetter.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2014-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #pragma once
 
-#include "JSCPoison.h"
 #include "JSCast.h"
 #include "PropertySlot.h"
@@ -49 +48 @@
     }
 
-    CustomGetterSetter::CustomGetter getter() const { return m_getter.unpoisoned(); }
-    CustomGetterSetter::CustomSetter setter() const { return m_setter.unpoisoned(); }
+    CustomGetterSetter::CustomGetter getter() const { return m_getter; }
+    CustomGetterSetter::CustomSetter setter() const { return m_setter; }
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
@@ -68 +67 @@
 
 private:
-    template<typename T>
-    using PoisonedAccessor = Poisoned<NativeCodePoison, T>;
-
-    PoisonedAccessor<CustomGetter> m_getter;
-    PoisonedAccessor<CustomSetter> m_setter;
+    CustomGetter m_getter;
+    CustomSetter m_setter;
 };
 

trunk/Source/JavaScriptCore/runtime/InitializeThreading.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -61 +61 @@
         WTF::initializeThreading();
         Options::initialize();
-        initializePoison();
 
 #if ENABLE(WRITE_BARRIER_PROFILING)

trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2004, 2007-2008, 2016-2017 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2019 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -89 +89 @@
     auto* function = jsCast<InternalFunction*>(cell);
     ASSERT(function->m_functionForCall);
-    callData.native.function = function->m_functionForCall.unpoisoned();
+    callData.native.function = function->m_functionForCall;
     return CallType::Host;
 }
@@ -98 +98 @@
     if (function->m_functionForConstruct == callHostFunctionAsConstructor)
         return ConstructType::None;
-    constructData.native.function = function->m_functionForConstruct.unpoisoned();
+    constructData.native.function = function->m_functionForConstruct;
     return ConstructType::Host;
 }

trunk/Source/JavaScriptCore/runtime/InternalFunction.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
@@ -25 +25 @@
 
 #include "CodeSpecializationKind.h"
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 
@@ -64 +63 @@
     {
         if (kind == CodeForCall)
-            return m_functionForCall.unpoisoned();
+            return m_functionForCall;
         ASSERT(kind == CodeForConstruct);
-        return m_functionForConstruct.unpoisoned();
+        return m_functionForConstruct;
     }
 
@@ -78 +77 @@
 
 protected:
-    using PoisonedTaggedNativeFunction = Poisoned<NativeCodePoison, TaggedNativeFunction>;
-
     JS_EXPORT_PRIVATE InternalFunction(VM&, Structure*, NativeFunction functionForCall, NativeFunction functionForConstruct);
 
@@ -90 +87 @@
     JS_EXPORT_PRIVATE static CallType getCallData(JSCell*, CallData&);
 
-    PoisonedTaggedNativeFunction m_functionForCall;
-    PoisonedTaggedNativeFunction m_functionForConstruct;
+    TaggedNativeFunction m_functionForCall;
+    TaggedNativeFunction m_functionForConstruct;
     WriteBarrier<JSString> m_originalName;
 };

trunk/Source/JavaScriptCore/runtime/JSArrayBuffer.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 
 #include "ArrayBuffer.h"
-#include "JSCPoison.h"
 #include "JSObject.h"
-#include <wtf/Poisoned.h>
 
 namespace JSC {
@@ -46 +44 @@
     JS_EXPORT_PRIVATE static JSArrayBuffer* create(VM&, Structure*, RefPtr<ArrayBuffer>&&);
 
-    ArrayBuffer* impl() const { return m_impl.unpoisoned(); }
+    ArrayBuffer* impl() const { return m_impl; }
     
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue prototype);
@@ -62 +60 @@
 
 private:
-    Poisoned<JSArrayBufferPoison, ArrayBuffer*> m_impl;
+    ArrayBuffer* m_impl;
 };
 

trunk/Source/JavaScriptCore/runtime/JSBoundFunction.h

@@ -77 +77 @@
     void finishCreation(VM&, NativeExecutable*, int length);
 
-    // FIXME: Consider poisoning these pointers.
-    // https://bugs.webkit.org/show_bug.cgi?id=182713
     WriteBarrier<JSObject> m_targetFunction;
     WriteBarrier<Unknown> m_boundThis;

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
@@ -221 +221 @@
     static EncodedJSValue nameGetter(ExecState*, EncodedJSValue, PropertyName);
 
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<JSFunctionPoison, T>;
-    
-    PoisonedBarrier<ExecutableBase> m_executable;
-    PoisonedBarrier<FunctionRareData> m_rareData;
+    WriteBarrier<ExecutableBase> m_executable;
+    WriteBarrier<FunctionRareData> m_rareData;
 };
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
- *  Copyright (C) 2007-2018 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007-2019 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -31 +31 @@
 #include "JSArray.h"
 #include "JSArrayBufferPrototype.h"
-#include "JSCPoison.h"
 #include "JSClassRef.h"
 #include "JSGlobalLexicalEnvironment.h"
@@ -50 +49 @@
 #include <array>
 #include <wtf/HashSet.h>
-#include <wtf/PoisonedUniquePtr.h>
 #include <wtf/RetainPtr.h>
 
@@ -431 +429 @@
     VM& m_vm;
 
-    template<typename T> using PoisonedUniquePtr = WTF::PoisonedUniquePtr<JSGlobalObjectPoison, T>;
-
 #if ENABLE(REMOTE_INSPECTOR)
-    PoisonedUniquePtr<Inspector::JSGlobalObjectInspectorController> m_inspectorController;
-    PoisonedUniquePtr<JSGlobalObjectDebuggable> m_inspectorDebuggable;
+    std::unique_ptr<Inspector::JSGlobalObjectInspectorController> m_inspectorController;
+    std::unique_ptr<JSGlobalObjectDebuggable> m_inspectorDebuggable;
 #endif
 
@@ -478 +474 @@
     InlineWatchpointSet m_arraySpeciesWatchpoint;
     InlineWatchpointSet m_numberToStringWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayPrototypeSymbolIteratorWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayIteratorPrototypeNext;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSymbolIteratorWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapIteratorPrototypeNextWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeSymbolIteratorWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setIteratorPrototypeNextWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringPrototypeSymbolIteratorWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringIteratorPrototypeNextWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSetWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeAddWatchpoint;
-    PoisonedUniquePtr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_numberPrototypeToStringWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayPrototypeSymbolIteratorWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_arrayIteratorPrototypeNext;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSymbolIteratorWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapIteratorPrototypeNextWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeSymbolIteratorWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setIteratorPrototypeNextWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringPrototypeSymbolIteratorWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringIteratorPrototypeNextWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSetWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeAddWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_numberPrototypeToStringWatchpoint;
 
     bool isArrayPrototypeIteratorProtocolFastAndNonObservable();

trunk/Source/JavaScriptCore/runtime/JSScriptFetchParameters.h

@@ -1 +1 @@
 /*
  * Copyright (C) 2017 Yusuke Suzuki <utatane.tea@gmail.com>
- * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #pragma once
 
-#include "JSCPoison.h"
 #include "JSGlobalObject.h"
 #include "JSObject.h"
@@ -75 +74 @@
     }
 
-    PoisonedRef<JSScriptFetchParametersPoison, ScriptFetchParameters> m_parameters;
+    Ref<ScriptFetchParameters> m_parameters;
 };
 

trunk/Source/JavaScriptCore/runtime/JSScriptFetcher.h

@@ -1 +1 @@
 /*
  * Copyright (C) 2017 Yusuke Suzuki <utatane.tea@gmail.com>
- * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #pragma once
 
-#include "JSCPoison.h"
 #include "JSGlobalObject.h"
 #include "JSObject.h"
@@ -75 +74 @@
     }
 
-    PoisonedRefPtr<JSScriptFetcherPoison, ScriptFetcher> m_fetcher;
+    RefPtr<ScriptFetcher> m_fetcher;
 };
 

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -223 +223 @@
     unsigned m_length { 0 };
     mutable uint16_t m_flags { 0 };
-    // The poison is strategically placed and holds a value such that the first
-    // 64 bits of JSString look like a double JSValue.
     mutable String m_value;
 

trunk/Source/JavaScriptCore/runtime/NativeExecutable.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -95 +95 @@
 {
     if (kind == CodeForCall)
-        return CodeBlockHash(m_function.bits());
+        return CodeBlockHash(bitwise_cast<uintptr_t>(m_function));
 
     RELEASE_ASSERT(kind == CodeForConstruct);
-    return CodeBlockHash(m_constructor.bits());
+    return CodeBlockHash(bitwise_cast<uintptr_t>(m_constructor));
 }
 

trunk/Source/JavaScriptCore/runtime/NativeExecutable.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 
 #include "ExecutableBase.h"
-#include "JSCPoison.h"
 
 namespace JSC {
@@ -50 +49 @@
     CodeBlockHash hashFor(CodeSpecializationKind) const;
 
-    TaggedNativeFunction function() { return m_function.unpoisoned(); }
-    TaggedNativeFunction constructor() { return m_constructor.unpoisoned(); }
+    TaggedNativeFunction function() { return m_function; }
+    TaggedNativeFunction constructor() { return m_constructor; }
         
     TaggedNativeFunction nativeFunctionFor(CodeSpecializationKind kind)
@@ -82 +81 @@
 
 private:
-    friend class ExecutableBase;
-    using PoisonedTaggedNativeFunction = Poisoned<NativeCodePoison, TaggedNativeFunction>;
-
     NativeExecutable(VM&, TaggedNativeFunction, TaggedNativeFunction constructor);
 
-    PoisonedTaggedNativeFunction m_function;
-    PoisonedTaggedNativeFunction m_constructor;
+    TaggedNativeFunction m_function;
+    TaggedNativeFunction m_constructor;
 
     String m_name;

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -476 +476 @@
     v(bool, enableSpectreMitigations, true, Restricted, "Enable Spectre mitigations.") \
     v(bool, enableSpectreGadgets, false, Restricted, "enable gadgets to test Spectre mitigations.") \
-    v(bool, usePoisoning, true, Normal, "Poison is randomized at load time when true, and initialized to 0 if false which defeats some Spectre and type confusion mitigations, but allows tools such as leak detectors to function better.") \
     v(bool, zeroStackFrame, false, Normal, "Zero stack frame on entry to a function.") \
     \

trunk/Source/JavaScriptCore/runtime/ScopedArguments.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -181 +181 @@
     WriteBarrier<Unknown>* overflowStorage() const
     {
-        return m_storage.get().unpoisoned();
+        return m_storage.get();
     }
     
@@ -195 +195 @@
     }
     
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<ScopedArgumentsPoison, T>;
-    
-    PoisonedBarrier<JSFunction> m_callee;
-    PoisonedBarrier<ScopedArgumentsTable> m_table;
-    PoisonedBarrier<JSLexicalEnvironment> m_scope;
-    
-    AuxiliaryBarrier<Poisoned<ScopedArgumentsPoison, WriteBarrier<Unknown>*>> m_storage;
+    WriteBarrier<JSFunction> m_callee;
+    WriteBarrier<ScopedArgumentsTable> m_table;
+    WriteBarrier<JSLexicalEnvironment> m_scope;
+    
+    AuxiliaryBarrier<WriteBarrier<Unknown>*> m_storage;
 };
 

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -85 +85 @@
         WeakSet::deallocate(impl);
     WeakImpl* impl = WeakSet::allocate(structure, &singleSlotTransitionWeakOwner(), this);
-    m_data = PoisonedWeakImplPtr(impl).bits() | UsingSingleSlotFlag;
+    m_data = bitwise_cast<intptr_t>(impl) | UsingSingleSlotFlag;
 }
 

trunk/Source/JavaScriptCore/runtime/StructureTransitionTable.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 
 #include "IndexingType.h"
-#include "JSCPoison.h"
 #include "WeakGCMap.h"
 #include <wtf/HashFunctions.h>
@@ -188 +187 @@
 private:
     friend class SingleSlotTransitionWeakOwner;
-    using PoisonedTransitionMapPtr = Poisoned<StructureTransitionTablePoison, TransitionMap*>;
-    using PoisonedWeakImplPtr = Poisoned<StructureTransitionTablePoison, WeakImpl*>;
 
     bool isUsingSingleSlot() const
@@ -199 +196 @@
     {
         ASSERT(!isUsingSingleSlot());
-        return PoisonedTransitionMapPtr(AlreadyPoisoned, m_data).unpoisoned();
+        return bitwise_cast<TransitionMap*>(m_data);
     }
 
@@ -205 +202 @@
     {
         ASSERT(isUsingSingleSlot());
-        return PoisonedWeakImplPtr(AlreadyPoisoned, m_data & ~UsingSingleSlotFlag).unpoisoned();
+        return bitwise_cast<WeakImpl*>(m_data & ~UsingSingleSlotFlag);
     }
 
@@ -216 +213 @@
 
         // This implicitly clears the flag that indicates we're using a single transition
-        m_data = PoisonedTransitionMapPtr(map).bits();
+        m_data = bitwise_cast<intptr_t>(map);
 
         ASSERT(!isUsingSingleSlot());

trunk/Source/JavaScriptCore/runtime/WriteBarrier.h

@@ -28 +28 @@
 #include "GCAssertions.h"
 #include "HandleTypes.h"
-#include "JSCPoison.h"
 #include <type_traits>
 #include <wtf/DumbPtrTraits.h>
 #include <wtf/DumbValueTraits.h>
-#include <wtf/Poisoned.h>
 
 namespace JSC {
@@ -251 +249 @@
 }
 
-template<typename Poison, class T>
-using PoisonedWriteBarrierTraitsSelect = typename std::conditional<std::is_same<T, Unknown>::value,
-    WTF::PoisonedValueTraits<Poison, T>, WTF::PoisonedPtrTraits<Poison, T>
->::type;
-
-template <typename Poison, typename T>
-using PoisonedWriteBarrier = WriteBarrier<T, PoisonedWriteBarrierTraitsSelect<Poison, T>>;
-
 } // namespace JSC

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -49 +49 @@
 #include "B3WasmBoundsCheckValue.h"
 #include "JSCInlines.h"
-#include "JSCPoison.h"
 #include "ScratchRegisterAllocator.h"
 #include "VirtualRegister.h"

trunk/Source/JavaScriptCore/wasm/WasmInstance.h

@@ -118 +118 @@
         WasmToWasmImportableFunction::LoadLocation wasmEntrypointLoadLocation { nullptr };
         MacroAssemblerCodePtr<WasmEntryPtrTag> wasmToEmbedderStub;
-        void* importFunction { nullptr }; // In a JS embedding, this is a PoisonedBarrier<JSObject>.
+        void* importFunction { nullptr }; // In a JS embedding, this is a WriteBarrier<JSObject>.
     };
     unsigned numImportFunctions() const { return m_numImportFunctions; }

trunk/Source/JavaScriptCore/wasm/js/JSToWasm.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -117 +117 @@
             // Wasm::Context*'s instance.
             jit.loadPtr(CCallHelpers::Address(GPRInfo::callFrameRegister, CallFrameSlot::thisArgument * sizeof(EncodedJSValue)), GPRInfo::argumentGPR2);
-            jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR2, JSWebAssemblyInstance::offsetOfPoisonedInstance()), GPRInfo::argumentGPR2);
-            jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), GPRInfo::argumentGPR0);
-            jit.xor64(GPRInfo::argumentGPR0, GPRInfo::argumentGPR2);
+            jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR2, JSWebAssemblyInstance::offsetOfInstance()), GPRInfo::argumentGPR2);
         }
 
@@ -156 +154 @@
         if (!Context::useFastTLS()) {
             jit.loadPtr(CCallHelpers::Address(GPRInfo::callFrameRegister, jsOffset), wasmContextInstanceGPR);
-            jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfPoisonedInstance()), wasmContextInstanceGPR);
-            jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), scratchReg);
-            jit.xor64(scratchReg, wasmContextInstanceGPR);
+            jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfInstance()), wasmContextInstanceGPR);
             jsOffset += sizeof(EncodedJSValue);
         }

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29 +29 @@
 
 #include "CallLinkInfo.h"
-#include "JSCPoison.h"
 #include "JSCast.h"
 #include "PromiseDeferredTimer.h"
@@ -37 +36 @@
 #include "WasmModule.h"
 #include <wtf/Bag.h>
-#include <wtf/PoisonedUniquePtr.h>
 #include <wtf/Ref.h>
 #include <wtf/Vector.h>
@@ -91 +89 @@
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    PoisonedRef<JSWebAssemblyCodeBlockPoison, Wasm::CodeBlock> m_codeBlock;
+    Ref<Wasm::CodeBlock> m_codeBlock;
     Vector<MacroAssemblerCodeRef<WasmEntryPtrTag>> m_wasmToJSExitStubs;
     Bag<CallLinkInfo> m_callLinkInfos;

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -55 +55 @@
 {
     for (unsigned i = 0; i < this->instance().numImportFunctions(); ++i)
-        new (this->instance().importFunction<PoisonedBarrier<JSObject>>(i)) PoisonedBarrier<JSObject>();
+        new (this->instance().importFunction<WriteBarrier<JSObject>>(i)) WriteBarrier<JSObject>();
 }
 
@@ -89 +89 @@
     visitor.reportExtraMemoryVisited(thisObject->m_instance->extraMemoryAllocated());
     for (unsigned i = 0; i < thisObject->instance().numImportFunctions(); ++i)
-        visitor.append(*thisObject->instance().importFunction<PoisonedBarrier<JSObject>>(i)); // This also keeps the functions' JSWebAssemblyInstance alive.
+        visitor.append(*thisObject->instance().importFunction<WriteBarrier<JSObject>>(i)); // This also keeps the functions' JSWebAssemblyInstance alive.
 }
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 #if ENABLE(WEBASSEMBLY)
 
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
@@ -82 +81 @@
     JSWebAssemblyModule* module() const { return m_module.get(); }
 
-    static size_t offsetOfPoisonedInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
-    static size_t offsetOfPoisonedCallee() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_callee); }
-
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<JSWebAssemblyInstancePoison, T>;
+    static size_t offsetOfInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
+    static size_t offsetOfCallee() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_callee); }
 
 protected:
@@ -95 +91 @@
 
 private:
-    PoisonedRef<JSWebAssemblyInstancePoison, Wasm::Instance> m_instance;
+    Ref<Wasm::Instance> m_instance;
 
-    PoisonedBarrier<JSWebAssemblyModule> m_module;
-    PoisonedBarrier<JSWebAssemblyCodeBlock> m_codeBlock;
-    PoisonedBarrier<JSModuleNamespaceObject> m_moduleNamespaceObject;
-    PoisonedBarrier<JSWebAssemblyMemory> m_memory;
-    PoisonedBarrier<JSWebAssemblyTable> m_table;
-    PoisonedBarrier<WebAssemblyToJSCallee> m_callee;
+    WriteBarrier<JSWebAssemblyModule> m_module;
+    WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlock;
+    WriteBarrier<JSModuleNamespaceObject> m_moduleNamespaceObject;
+    WriteBarrier<JSWebAssemblyMemory> m_memory;
+    WriteBarrier<JSWebAssemblyTable> m_table;
+    WriteBarrier<WebAssemblyToJSCallee> m_callee;
 };
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 #if ENABLE(WEBASSEMBLY)
 
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
@@ -68 +67 @@
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    PoisonedRef<JSWebAssemblyMemoryPoison, Wasm::Memory> m_memory;
-    PoisonedWriteBarrier<JSWebAssemblyMemoryPoison, JSArrayBuffer> m_bufferWrapper;
-    PoisonedRefPtr<JSWebAssemblyMemoryPoison, ArrayBuffer> m_buffer;
+    Ref<Wasm::Memory> m_memory;
+    WriteBarrier<JSArrayBuffer> m_bufferWrapper;
+    RefPtr<ArrayBuffer> m_buffer;
 };
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 #if ENABLE(WEBASSEMBLY)
 
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
@@ -79 +78 @@
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    PoisonedRef<JSWebAssemblyModulePoison, Wasm::Module> m_module;
-
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<JSWebAssemblyModulePoison, T>;
-
-    PoisonedBarrier<SymbolTable> m_exportSymbolTable;
-    PoisonedBarrier<JSWebAssemblyCodeBlock> m_codeBlocks[Wasm::NumberOfMemoryModes];
-    PoisonedBarrier<WebAssemblyToJSCallee> m_callee;
+    Ref<Wasm::Module> m_module;
+    WriteBarrier<SymbolTable> m_exportSymbolTable;
+    WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlocks[Wasm::NumberOfMemoryModes];
+    WriteBarrier<WebAssemblyToJSCallee> m_callee;
 };
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -64 +64 @@
     // But for now, we're not doing that.
     // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
-    m_jsFunctions = MallocPtr<PoisonedBarrier<JSObject>>::malloc((sizeof(PoisonedBarrier<JSObject>) * Checked<size_t>(allocatedLength())).unsafeGet());
+    m_jsFunctions = MallocPtr<WriteBarrier<JSObject>>::malloc((sizeof(WriteBarrier<JSObject>) * Checked<size_t>(allocatedLength())).unsafeGet());
     for (uint32_t i = 0; i < allocatedLength(); ++i)
-        new(&m_jsFunctions.get()[i]) PoisonedBarrier<JSObject>();
+        new(&m_jsFunctions.get()[i]) WriteBarrier<JSObject>();
 }
 
@@ -105 +105 @@
     if (newLength > m_table->allocatedLength(oldLength))
         // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
-        m_jsFunctions.realloc((sizeof(PoisonedBarrier<JSObject>) * Checked<size_t>(m_table->allocatedLength(newLength))).unsafeGet());
+        m_jsFunctions.realloc((sizeof(WriteBarrier<JSObject>) * Checked<size_t>(m_table->allocatedLength(newLength))).unsafeGet());
 
     for (size_t i = oldLength; i < m_table->allocatedLength(newLength); ++i)
-        new (&m_jsFunctions.get()[i]) PoisonedBarrier<JSObject>();
+        new (&m_jsFunctions.get()[i]) WriteBarrier<JSObject>();
 
     return true;
@@ -122 +122 @@
 {
     m_table->clearFunction(index);
-    m_jsFunctions.get()[index & m_table->mask()] = PoisonedBarrier<JSObject>();
+    m_jsFunctions.get()[index & m_table->mask()] = WriteBarrier<JSObject>();
 }
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 #if ENABLE(WEBASSEMBLY)
 
-#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
@@ -67 +66 @@
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    PoisonedRef<JSWebAssemblyTablePoison, Wasm::Table> m_table;
-
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<JSWebAssemblyTablePoison, T>;
-
-    MallocPtr<PoisonedBarrier<JSObject>> m_jsFunctions;
+    Ref<Wasm::Table> m_table;
+    MallocPtr<WriteBarrier<JSObject>> m_jsFunctions;
 };
 

trunk/Source/JavaScriptCore/wasm/js/WasmToJS.cpp

@@ -48 +48 @@
 using JIT = CCallHelpers;
 
-static void materializeImportJSCell(JIT& jit, unsigned importIndex, GPRReg poison, GPRReg result)
+static void materializeImportJSCell(JIT& jit, unsigned importIndex, GPRReg result)
 {
     // We're calling out of the current WebAssembly.Instance. That Instance has a list of all its import functions.
     jit.loadWasmContextInstance(result);
     jit.loadPtr(JIT::Address(result, Instance::offsetOfImportFunction(importIndex)), result);
-    jit.xor64(poison, result);
 }
 
@@ -87 +86 @@
         // Store Callee.
         jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR1, Instance::offsetOfOwner()), GPRInfo::argumentGPR1);
-        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR1, JSWebAssemblyInstance::offsetOfPoisonedCallee()), GPRInfo::argumentGPR2);
-        jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), GPRInfo::argumentGPR3);
-        jit.xor64(GPRInfo::argumentGPR3, GPRInfo::argumentGPR2);
+        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR1, JSWebAssemblyInstance::offsetOfCallee()), GPRInfo::argumentGPR2);
         jit.storePtr(GPRInfo::argumentGPR2, JIT::Address(GPRInfo::callFrameRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
-
-        // Let's be paranoid on the exception path and zero out the poison instead of leaving it in an argument GPR.
-        jit.move(CCallHelpers::TrustedImm32(0), GPRInfo::argumentGPR3);
 
         auto call = jit.call(OperationPtrTag);
@@ -292 +286 @@
         jit.loadWasmContextInstance(GPRInfo::argumentGPR0);
         jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, Instance::offsetOfOwner()), GPRInfo::argumentGPR0);
-        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfPoisonedCallee()), GPRInfo::argumentGPR0);
-        jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), GPRInfo::argumentGPR3);
-        jit.xor64(GPRInfo::argumentGPR3, GPRInfo::argumentGPR0);
+        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfCallee()), GPRInfo::argumentGPR0);
         jit.storePtr(GPRInfo::argumentGPR0, JIT::Address(GPRInfo::callFrameRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
         
-        materializeImportJSCell(jit, importIndex, GPRInfo::argumentGPR3, GPRInfo::argumentGPR1);
+        materializeImportJSCell(jit, importIndex, GPRInfo::argumentGPR1);
         
-        // Let's be paranoid before the call and zero out the poison instead of leaving it in an argument GPR.
-        jit.move(CCallHelpers::TrustedImm32(0), GPRInfo::argumentGPR3);
-
         static_assert(GPRInfo::numberOfArgumentRegisters >= 4, "We rely on this with the call below.");
         static_assert(sizeof(SignatureIndex) == sizeof(uint64_t), "Following code assumes SignatureIndex is 64bit.");
@@ -480 +469 @@
     }
 
-    GPRReg poison = GPRInfo::argumentGPR1;
-    ASSERT(poison != GPRInfo::argumentGPR0); // Both are used at the same time below.
-
     jit.loadWasmContextInstance(GPRInfo::argumentGPR0);
     jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, Instance::offsetOfOwner()), GPRInfo::argumentGPR0);
-    jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfPoisonedCallee()), GPRInfo::argumentGPR0);
-    jit.move(CCallHelpers::TrustedImm64(JSWebAssemblyInstancePoison::key()), poison);
-    jit.xor64(poison, GPRInfo::argumentGPR0);
+    jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0, JSWebAssemblyInstance::offsetOfCallee()), GPRInfo::argumentGPR0);
     jit.storePtr(GPRInfo::argumentGPR0, JIT::Address(GPRInfo::callFrameRegister, CallFrameSlot::callee * static_cast<int>(sizeof(Register))));
 
     GPRReg importJSCellGPRReg = GPRInfo::regT0; // Callee needs to be in regT0 for slow path below.
-    ASSERT(poison != importJSCellGPRReg);
 
     ASSERT(!wasmCC.m_calleeSaveRegisters.get(importJSCellGPRReg));
-    materializeImportJSCell(jit, importIndex, poison, importJSCellGPRReg);
-
-    // Let's be paranoid zero out the poison instead of leaving it in an argument GPR.
-    jit.move(CCallHelpers::TrustedImm32(0), poison);
+    materializeImportJSCell(jit, importIndex, importJSCellGPRReg);
 
     jit.store64(importJSCellGPRReg, calleeFrame.withOffset(CallFrameSlot::callee * static_cast<int>(sizeof(Register))));

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h

@@ -51 +51 @@
     WebAssemblyFunctionBase(VM&, JSGlobalObject*, Structure*);
 
-    PoisonedWriteBarrier<WebAssemblyFunctionBasePoison, JSWebAssemblyInstance> m_instance;
+    WriteBarrier<JSWebAssemblyInstance> m_instance;
 };
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -225 +225 @@
             info->targetInstance = calleeInstance;
             info->wasmEntrypointLoadLocation = entrypointLoadLocation;
-            m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(import.kindIndex)->set(vm, m_instance.get(), function);
+            m_instance->instance().importFunction<WriteBarrier<JSObject>>(import.kindIndex)->set(vm, m_instance.get(), function);
             break;
         }
@@ -339 +339 @@
             if (exp.kindIndex < functionImportCount) {
                 unsigned functionIndex = exp.kindIndex;
-                JSObject* functionImport = m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(functionIndex)->get();
+                JSObject* functionImport = m_instance->instance().importFunction<WriteBarrier<JSObject>>(functionIndex)->get();
                 if (isWebAssemblyHostFunction(vm, functionImport))
                     exportedValue = functionImport;
@@ -420 +420 @@
         ASSERT(signature.returnType() == Wasm::Void);
         if (startFunctionIndexSpace < codeBlock->functionImportCount()) {
-            JSObject* startFunction = m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(startFunctionIndexSpace)->get();
+            JSObject* startFunction = m_instance->instance().importFunction<WriteBarrier<JSObject>>(startFunctionIndexSpace)->get();
             m_startFunction.set(vm, this, startFunction);
         } else {
@@ -521 +521 @@
             Wasm::SignatureIndex signatureIndex = module.signatureIndexFromFunctionIndexSpace(functionIndex);
             if (functionIndex < codeBlock->functionImportCount()) {
-                JSObject* functionImport = m_instance->instance().importFunction<JSWebAssemblyInstance::PoisonedBarrier<JSObject>>(functionIndex)->get();
+                JSObject* functionImport = m_instance->instance().importFunction<WriteBarrier<JSObject>>(functionIndex)->get();
                 if (isWebAssemblyHostFunction(vm, functionImport)) {
                     WebAssemblyFunction* wasmFunction = jsDynamicCast<WebAssemblyFunction*>(vm, functionImport);

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -62 +62 @@
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    template<typename T>
-    using PoisonedBarrier = PoisonedWriteBarrier<WebAssemblyModuleRecordPoison, T>;
-
-    PoisonedBarrier<JSWebAssemblyInstance> m_instance;
-    PoisonedBarrier<JSObject> m_startFunction;
+    WriteBarrier<JSWebAssemblyInstance> m_instance;
+    WriteBarrier<JSObject> m_startFunction;
 };
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyToJSCallee.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -52 +52 @@
     WebAssemblyToJSCallee(VM&, Structure*);
 
-    PoisonedWriteBarrier<WebAssemblyToJSCalleePoison, JSWebAssemblyModule> m_module;
+    WriteBarrier<JSWebAssemblyModule> m_module;
 };
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -65 +65 @@
     WebAssemblyWrapperFunction(VM&, JSGlobalObject*, Structure*, WasmToWasmImportableFunction);
 
-    PoisonedWriteBarrier<WebAssemblyWrapperFunctionPoison, JSObject> m_function;
+    WriteBarrier<JSObject> m_function;
     // It's safe to just hold the raw WasmToWasmImportableFunction because we have a reference
     // to our Instance, which points to the CodeBlock, which points to the Module