Changeset 242100 in webkit

Timestamp:

Feb 26, 2019, 12:49:50 PM (6 years ago)

Author:

mark.lam@apple.com

Message:

Unpoison MacroAssemblerCodePtr, ClassInfo pointers, and a few other things.
​https://bugs.webkit.org/show_bug.cgi?id=195039

Reviewed by Saam Barati.

1. Unpoison MacroAssemblerCodePtrs, ReturnAddressPtr.
2. Replace PoisonedClassInfoPtr with ClassInfo*.
3. Replace PoisonedMasmPtr with const void*.
4. Remove all references to CodeBlockPoison, JITCodePoison, and GlobalDataPoison.

• API/JSCallbackObject.h:
• API/JSObjectRef.cpp:

(classInfoPrivate):

• assembler/MacroAssemblerCodeRef.h:

(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::executableAddress const):
(JSC::FunctionPtr::retaggedExecutableAddress const):
(JSC::ReturnAddressPtr::ReturnAddressPtr):
(JSC::ReturnAddressPtr::value const):
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
(JSC::MacroAssemblerCodePtr:: const):
(JSC::MacroAssemblerCodePtr::operator! const):
(JSC::MacroAssemblerCodePtr::operator== const):
(JSC::MacroAssemblerCodePtr::hash const):
(JSC::MacroAssemblerCodePtr::emptyValue):
(JSC::MacroAssemblerCodePtr::deletedValue):
(JSC::FunctionPtr<tag>::FunctionPtr):
(JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.

• b3/B3LowerMacros.cpp:
• b3/testb3.cpp:

(JSC::B3::testInterpreter):

• dfg/DFGOSRExitCompilerCommon.h:

(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
(JSC::DFG::SpeculativeJIT::emitSwitchChar):

• dfg/DFGSpeculativeJIT.h:
• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::emitAllocateDestructibleObject):

• jit/ThunkGenerators.cpp:

(JSC::virtualThunkFor):
(JSC::boundThisNoArgsFunctionCallGenerator):

• runtime/JSCPoison.h:
• runtime/JSDestructibleObject.h:

(JSC::JSDestructibleObject::classInfo const):

• runtime/JSSegmentedVariableObject.h:

(JSC::JSSegmentedVariableObject::classInfo const):

• runtime/Structure.h:
• runtime/VM.h:
• wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):

• wasm/WasmBinding.cpp:

(JSC::Wasm::wasmToWasm):

Location:

trunk/Source/JavaScriptCore

Files:

• API/JSCallbackObject.h (modified) (2 diffs)
• API/JSObjectRef.cpp (modified) (2 diffs)
• ChangeLog (modified) (1 diff)
• assembler/MacroAssemblerCodeRef.h (modified) (24 diffs)
• b3/B3LowerMacros.cpp (modified) (2 diffs)
• b3/testb3.cpp (modified) (2 diffs)
• dfg/DFGOSRExitCompilerCommon.h (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (11 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (2 diffs)
• ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• jit/AssemblyHelpers.h (modified) (1 diff)
• jit/ThunkGenerators.cpp (modified) (3 diffs)
• runtime/JSCPoison.h (modified) (3 diffs)
• runtime/JSDestructibleObject.h (modified) (3 diffs)
• runtime/JSSegmentedVariableObject.h (modified) (3 diffs)
• runtime/Structure.h (modified) (3 diffs)
• runtime/VM.h (modified) (1 diff)
• wasm/WasmB3IRGenerator.cpp (modified) (3 diffs)
• wasm/WasmBinding.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/API/JSCallbackObject.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
  * Copyright (C) 2007 Eric Seidel <eric@webkit.org>
  *
@@ -229 +229 @@
 
     WTF::PoisonedUniquePtr<JSCallbackObjectPoison, JSCallbackObjectData> m_callbackObjectData;
-    PoisonedClassInfoPtr m_classInfo;
+    const ClassInfo* m_classInfo { nullptr };
 };
 

trunk/Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Kelvin W Sherlock (ksherlock@gmail.com)
  *
@@ -552 +552 @@
         return jsObject->classInfo(vm);
 
-    return vm.currentlyDestructingCallbackObjectClassInfo.unpoisoned();
+    return vm.currentlyDestructingCallbackObjectClassInfo;
 }
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-02-26  Mark Lam  <mark.lam@apple.com>
+
+        Unpoison MacroAssemblerCodePtr, ClassInfo pointers, and a few other things.
+        https://bugs.webkit.org/show_bug.cgi?id=195039
+
+        Reviewed by Saam Barati.
+
+        1. Unpoison MacroAssemblerCodePtrs, ReturnAddressPtr.
+        2. Replace PoisonedClassInfoPtr with ClassInfo*.
+        3. Replace PoisonedMasmPtr with const void*.
+        4. Remove all references to CodeBlockPoison, JITCodePoison, and GlobalDataPoison.
+
+        * API/JSCallbackObject.h:
+        * API/JSObjectRef.cpp:
+        (classInfoPrivate):
+        * assembler/MacroAssemblerCodeRef.h:
+        (JSC::FunctionPtr::FunctionPtr):
+        (JSC::FunctionPtr::executableAddress const):
+        (JSC::FunctionPtr::retaggedExecutableAddress const):
+        (JSC::ReturnAddressPtr::ReturnAddressPtr):
+        (JSC::ReturnAddressPtr::value const):
+        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+        (JSC::MacroAssemblerCodePtr:: const):
+        (JSC::MacroAssemblerCodePtr::operator! const):
+        (JSC::MacroAssemblerCodePtr::operator== const):
+        (JSC::MacroAssemblerCodePtr::hash const):
+        (JSC::MacroAssemblerCodePtr::emptyValue):
+        (JSC::MacroAssemblerCodePtr::deletedValue):
+        (JSC::FunctionPtr<tag>::FunctionPtr):
+        (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
+        * b3/B3LowerMacros.cpp:
+        * b3/testb3.cpp:
+        (JSC::B3::testInterpreter):
+        * dfg/DFGOSRExitCompilerCommon.h:
+        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
+        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+        * dfg/DFGSpeculativeJIT.h:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+        * jit/ThunkGenerators.cpp:
+        (JSC::virtualThunkFor):
+        (JSC::boundThisNoArgsFunctionCallGenerator):
+        * runtime/JSCPoison.h:
+        * runtime/JSDestructibleObject.h:
+        (JSC::JSDestructibleObject::classInfo const):
+        * runtime/JSSegmentedVariableObject.h:
+        (JSC::JSSegmentedVariableObject::classInfo const):
+        * runtime/Structure.h:
+        * runtime/VM.h:
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::addCall):
+        (JSC::Wasm::B3IRGenerator::addCallIndirect):
+        * wasm/WasmBinding.cpp:
+        (JSC::Wasm::wasmToWasm):
+
 2019-02-26  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 
 #include "ExecutableAllocator.h"
-#include "JSCPoison.h"
 #include "JSCPtrTag.h"
 #include <wtf/DataLog.h>
@@ -75 +74 @@
     {
         assertIsNullOrCFunctionPtr(value);
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
     }
@@ -88 +86 @@
     {
         assertIsNullOrCFunctionPtr(value);
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
     }
@@ -101 +98 @@
     {
         assertIsNullOrCFunctionPtr(value);
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
     }
@@ -115 +111 @@
     {
         assertIsNullOrCFunctionPtr(value);
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
     }
@@ -131 +126 @@
     void* executableAddress() const
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         return m_value;
     }
@@ -138 +132 @@
     void* retaggedExecutableAddress() const
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         return retagCodePtr<tag, newTag>(m_value);
     }
@@ -153 +146 @@
         : m_value(retagCodePtr<otherTag, tag>(other.executableAddress()))
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
     }
@@ -180 +172 @@
         : m_value(value)
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_VALID_CODE_POINTER(m_value);
     }
@@ -188 +179 @@
         : m_value(untagCodePtr<tag>(function.executableAddress()))
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_VALID_CODE_POINTER(m_value);
     }
@@ -194 +184 @@
     const void* value() const
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         return m_value;
     }
@@ -232 +221 @@
     {
         assertIsTaggedWith(value, tag);
-        m_value.assertIsPoisoned();
         ASSERT(value);
 #if CPU(ARM_THUMB2)
         ASSERT(!(reinterpret_cast<uintptr_t>(value) & 1));
 #endif
-        ASSERT_VALID_CODE_POINTER(m_value.unpoisoned());
+        ASSERT_VALID_CODE_POINTER(m_value);
     }
 
@@ -246 +234 @@
         assertIsTaggedWith(value, tag);
         MacroAssemblerCodePtr result;
-        result.m_value = PoisonedMasmPtr(value);
-        result.m_value.assertIsPoisoned();
+        result.m_value = value;
         return result;
     }
@@ -256 +243 @@
         assertIsNotTagged(ra.value());
         ASSERT(ra.value());
-        m_value.assertIsPoisoned();
-        ASSERT_VALID_CODE_POINTER(m_value.unpoisoned());
-    }
-
-    PoisonedMasmPtr poisonedPtr() const { return m_value; }
+        ASSERT_VALID_CODE_POINTER(m_value);
+    }
 
     template<PtrTag newTag>
@@ -273 +257 @@
     T executableAddress() const
     {
-        m_value.assertIsPoisoned();
-        return m_value.unpoisoned<T>();
+        return bitwise_cast<T>(m_value);
     }
 
@@ -280 +263 @@
     T untaggedExecutableAddress() const
     {
-        m_value.assertIsPoisoned();
-        return untagCodePtr<T, tag>(m_value.unpoisoned());
+        return untagCodePtr<T, tag>(m_value);
     }
 
@@ -287 +269 @@
     T retaggedExecutableAddress() const
     {
-        m_value.assertIsPoisoned();
-        return retagCodePtr<T, tag, newTag>(m_value.unpoisoned());
+        return retagCodePtr<T, tag, newTag>(m_value);
     }
 
@@ -296 +277 @@
     T dataLocation() const
     {
-        m_value.assertIsPoisoned();
-        ASSERT_VALID_CODE_POINTER(m_value.unpoisoned());
-        return bitwise_cast<T>(m_value ? m_value.unpoisoned<char*>() - 1 : nullptr);
+        ASSERT_VALID_CODE_POINTER(m_value);
+        return bitwise_cast<T>(m_value ? bitwise_cast<char*>(m_value) - 1 : nullptr);
     }
 #else
@@ -304 +284 @@
     T dataLocation() const
     {
-        m_value.assertIsPoisoned();
-        ASSERT_VALID_CODE_POINTER(m_value);
-        return untagCodePtr<T, tag>(m_value.unpoisoned());
+        ASSERT_VALID_CODE_POINTER(m_value);
+        return untagCodePtr<T, tag>(m_value);
     }
 #endif
@@ -312 +291 @@
     bool operator!() const
     {
-#if ENABLE(POISON_ASSERTS)
-        if (!isEmptyValue() && !isDeletedValue())
-            m_value.assertIsPoisoned();
-#endif
         return !m_value;
     }
@@ -322 +297 @@
     bool operator==(const MacroAssemblerCodePtr& other) const
     {
-#if ENABLE(POISON_ASSERTS)
-        if (!isEmptyValue() && !isDeletedValue())
-            m_value.assertIsPoisoned();
-        if (!other.isEmptyValue() && !other.isDeletedValue())
-            other.m_value.assertIsPoisoned();
-#endif
         return m_value == other.m_value;
     }
 
     // Disallow any casting operations (except for booleans). Instead, the client
-    // should be asking for poisonedPtr() or executableAddress() explicitly.
+    // should be asking executableAddress() explicitly.
     template<typename T, typename = std::enable_if_t<!std::is_same<T, bool>::value>>
     operator T() = delete;
@@ -357 +326 @@
     bool isDeletedValue() const { return m_value == deletedValue(); }
 
-    unsigned hash() const { return IntHash<uintptr_t>::hash(m_value.bits()); }
+    unsigned hash() const { return PtrHash<const void*>::hash(m_value); }
 
     static void initialize();
 
 private:
-    static PoisonedMasmPtr emptyValue() { return PoisonedMasmPtr(AlreadyPoisoned, 1); }
-    static PoisonedMasmPtr deletedValue() { return PoisonedMasmPtr(AlreadyPoisoned, 2); }
-
-    PoisonedMasmPtr m_value;
+    static const void* emptyValue() { return bitwise_cast<void*>(static_cast<intptr_t>(1)); }
+    static const void* deletedValue() { return bitwise_cast<void*>(static_cast<intptr_t>(2)); }
+
+    const void* m_value { nullptr };
 };
 
@@ -489 +458 @@
     : m_value(ptr.executableAddress())
 {
-    PoisonedMasmPtr::assertIsNotPoisoned(m_value);
 }
 

trunk/Source/JavaScriptCore/b3/B3LowerMacros.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -508 +508 @@
                         GPRReg index = params[0].gpr();
                         GPRReg scratch = params.gpScratch(0);
-                        GPRReg poisonScratch = params.gpScratch(1);
-
-                        jit.move(CCallHelpers::TrustedImm64(JITCodePoison::key()), poisonScratch);
+
                         jit.move(CCallHelpers::TrustedImmPtr(jumpTable), scratch);
                         jit.load64(CCallHelpers::BaseIndex(scratch, index, CCallHelpers::timesPtr()), scratch);
-                        jit.xor64(poisonScratch, scratch);
                         jit.jump(scratch, JSSwitchPtrTag);
 

trunk/Source/JavaScriptCore/b3/testb3.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -13463 +13463 @@
 
             GPRReg scratch = params.gpScratch(0);
-            GPRReg poisonScratch = params.gpScratch(1);
 
             jit.move(CCallHelpers::TrustedImmPtr(jumpTable), scratch);
-            jit.move(CCallHelpers::TrustedImm64(JITCodePoison::key()), poisonScratch);
             jit.load64(CCallHelpers::BaseIndex(scratch, params[0].gpr(), CCallHelpers::timesPtr()), scratch);
-            jit.xor64(poisonScratch, scratch);
             jit.jump(scratch, B3CompilationPtrTag);
 

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -88 +88 @@
     jit.loadPtr(MacroAssembler::Address(GPRInfo::callFrameRegister, CallFrameSlot::codeBlock * static_cast<int>(sizeof(Register))), GPRInfo::regT0);
     jit.loadPtr(MacroAssembler::Address(GPRInfo::regT0, CodeBlock::jitCodeOffset()), GPRInfo::regT0);
-    jit.xorPtr(MacroAssembler::TrustedImmPtr(CodeBlockPoison::key()), GPRInfo::regT0);
     jit.addPtr(MacroAssembler::TrustedImm32(JITCodeType::commonDataOffset()), GPRInfo::regT0);
     jit.load32(MacroAssembler::Address(GPRInfo::regT0, CommonData::frameRegisterCountOffset()), GPRInfo::regT0);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -9342 +9342 @@
         m_jit.emitLoadStructure(*m_jit.vm(), baseGPR, otherGPR, specifiedGPR);
         m_jit.loadPtr(CCallHelpers::Address(otherGPR, Structure::classInfoOffset()), otherGPR);
-#if USE(JSVALUE64)
-        m_jit.move(CCallHelpers::TrustedImm64(GlobalDataPoison::key()), specifiedGPR);
-        m_jit.xor64(specifiedGPR, otherGPR);
-#endif
         m_jit.move(CCallHelpers::TrustedImmPtr(node->classInfo()), specifiedGPR);
 
@@ -9639 +9635 @@
     
     m_jit.storePtr(
-        TrustedImmPtr(PoisonedClassInfoPtr(StringObject::info()).bits()),
+        TrustedImmPtr(StringObject::info()),
         JITCompiler::Address(resultGPR, JSDestructibleObject::classInfoOffset()));
 #if USE(JSVALUE64)
@@ -10482 +10478 @@
 
 void SpeculativeJIT::emitSwitchIntJump(
-    SwitchData* data, GPRReg value, GPRReg scratch, GPRReg poisonScratch)
+    SwitchData* data, GPRReg value, GPRReg scratch)
 {
     SimpleJumpTable& table = m_jit.codeBlock()->switchJumpTable(data->switchTableIndex);
@@ -10490 +10486 @@
         m_jit.branch32(JITCompiler::AboveOrEqual, value, Imm32(table.ctiOffsets.size())),
         data->fallThrough.block);
-    UNUSED_PARAM(poisonScratch); // Placate the 32-bit build.
-#if USE(JSVALUE64)
-    m_jit.move(TrustedImm64(JITCodePoison::key()), poisonScratch);
-#endif
     m_jit.move(TrustedImmPtr(table.ctiOffsets.begin()), scratch);
     m_jit.loadPtr(JITCompiler::BaseIndex(scratch, value, JITCompiler::timesPtr()), scratch);
     
-#if USE(JSVALUE64)
-    m_jit.xor64(poisonScratch, scratch);
-#endif
     m_jit.jump(scratch, JSSwitchPtrTag);
     data->didUseJumpTable = true;
@@ -10510 +10499 @@
         SpeculateInt32Operand value(this, node->child1());
         GPRTemporary temp(this);
-        GPRTemporary temp2(this);
-        emitSwitchIntJump(data, value.gpr(), temp.gpr(), temp2.gpr());
+        emitSwitchIntJump(data, value.gpr(), temp.gpr());
         noResult(node);
         break;
@@ -10519 +10507 @@
         JSValueOperand value(this, node->child1());
         GPRTemporary temp(this);
-        GPRTemporary temp2(this);
         JSValueRegs valueRegs = value.jsValueRegs();
         GPRReg scratch = temp.gpr();
-        GPRReg scratch2 = temp2.gpr();
 
         value.use();
 
         auto notInt32 = m_jit.branchIfNotInt32(valueRegs);
-        emitSwitchIntJump(data, valueRegs.payloadGPR(), scratch, scratch2);
+        emitSwitchIntJump(data, valueRegs.payloadGPR(), scratch);
         notInt32.link(&m_jit);
         addBranch(m_jit.branchIfNotNumber(valueRegs, scratch), data->fallThrough.block);
@@ -10546 +10532 @@
 
 void SpeculativeJIT::emitSwitchCharStringJump(
-    SwitchData* data, GPRReg value, GPRReg scratch, GPRReg scratch2)
+    SwitchData* data, GPRReg value, GPRReg scratch)
 {
     addBranch(
@@ -10577 +10563 @@
     
     ready.link(&m_jit);
-    emitSwitchIntJump(data, scratch, value, scratch2);
+    emitSwitchIntJump(data, scratch, value);
 }
 
@@ -10586 +10572 @@
         SpeculateCellOperand op1(this, node->child1());
         GPRTemporary temp(this);
-        GPRTemporary temp2(this);
 
         GPRReg op1GPR = op1.gpr();
         GPRReg tempGPR = temp.gpr();
-        GPRReg temp2GPR = temp2.gpr();
 
         op1.use();
 
         speculateString(node->child1(), op1GPR);
-        emitSwitchCharStringJump(data, op1GPR, tempGPR, temp2GPR);
+        emitSwitchCharStringJump(data, op1GPR, tempGPR);
         noResult(node, UseChildrenCalledExplicitly);
         break;
@@ -10603 +10587 @@
         JSValueOperand op1(this, node->child1());
         GPRTemporary temp(this);
-        GPRTemporary temp2(this);
 
         JSValueRegs op1Regs = op1.jsValueRegs();
         GPRReg tempGPR = temp.gpr();
-        GPRReg temp2GPR = temp2.gpr();
 
         op1.use();
@@ -10615 +10597 @@
         addBranch(m_jit.branchIfNotString(op1Regs.payloadGPR()), data->fallThrough.block);
         
-        emitSwitchCharStringJump(data, op1Regs.payloadGPR(), tempGPR, temp2GPR);
+        emitSwitchCharStringJump(data, op1Regs.payloadGPR(), tempGPR);
         noResult(node, UseChildrenCalledExplicitly);
         break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1237 +1237 @@
     };
     
-    void emitSwitchIntJump(SwitchData*, GPRReg value, GPRReg scratch, GPRReg scratch2);
+    void emitSwitchIntJump(SwitchData*, GPRReg value, GPRReg scratch);
     void emitSwitchImm(Node*, SwitchData*);
-    void emitSwitchCharStringJump(SwitchData*, GPRReg value, GPRReg scratch, GPRReg scratch2);
+    void emitSwitchCharStringJump(SwitchData*, GPRReg value, GPRReg scratch);
     void emitSwitchChar(Node*, SwitchData*);
     void emitBinarySwitchStringRecurse(

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -5646 +5646 @@
 
         LValue fastResultValue = allocateObject<StringObject>(structure, m_out.intPtrZero, slowCase);
-        m_out.storePtr(m_out.constIntPtr(PoisonedClassInfoPtr(StringObject::info()).bits()), fastResultValue, m_heaps.JSDestructibleObject_classInfo);
+        m_out.storePtr(m_out.constIntPtr(StringObject::info()), fastResultValue, m_heaps.JSDestructibleObject_classInfo);
         m_out.store64(string, fastResultValue, m_heaps.JSWrapperObject_internalValue);
         mutatorFence();
@@ -12154 +12154 @@
 
             LValue structure = loadStructure(cell);
-            LValue poisonedClassInfo = m_out.loadPtr(structure, m_heaps.Structure_classInfo);
-            LValue classInfo = m_out.bitXor(poisonedClassInfo, m_out.constInt64(GlobalDataPoison::key()));
+            LValue classInfo = m_out.loadPtr(structure, m_heaps.Structure_classInfo);
             ValueFromBlock otherAtStart = m_out.anchor(classInfo);
             m_out.jump(loop);

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1799 +1799 @@
         auto butterfly = TrustedImmPtr(nullptr);
         emitAllocateJSObject<ClassType>(vm, resultGPR, TrustedImmPtr(structure), butterfly, scratchGPR1, scratchGPR2, slowPath);
-        storePtr(TrustedImmPtr(PoisonedClassInfoPtr(structure->classInfo()).bits()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));
+        storePtr(TrustedImmPtr(structure->classInfo()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));
     }
     

trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2010-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -214 +214 @@
     // Now we know that we have a CodeBlock, and we're committed to making a fast
     // call.
-#if USE(JSVALUE64)
-    jit.move(CCallHelpers::TrustedImm64(JITCodePoison::key()), GPRInfo::regT1);
-    jit.xor64(GPRInfo::regT1, GPRInfo::regT4);
-#endif
 
     // Make a tail call. This will return back to JIT code.
@@ -1249 +1245 @@
     CCallHelpers::Jump noCode = jit.branchTestPtr(CCallHelpers::Zero, GPRInfo::regT0);
     
-#if USE(JSVALUE64)
-    jit.move(CCallHelpers::TrustedImm64(JITCodePoison::key()), GPRInfo::regT1);
-    jit.xor64(GPRInfo::regT1, GPRInfo::regT0);
-#endif
     emitPointerValidation(jit, GPRInfo::regT0, JSEntryPtrTag);
     jit.call(GPRInfo::regT0, JSEntryPtrTag);

trunk/Source/JavaScriptCore/runtime/JSCPoison.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33 +33 @@
 #define FOR_EACH_JSC_POISON(v) \
     v(ArrayPrototype) \
-    v(CodeBlock) \
-    v(GlobalData) \
-    v(JITCode) \
     v(JSAPIWrapperObject) \
     v(JSArrayBuffer) \
@@ -66 +63 @@
 #undef DECLARE_POISON
 
-struct ClassInfo;
-
-using PoisonedClassInfoPtr = Poisoned<GlobalDataPoison, const ClassInfo*>;
-using PoisonedMasmPtr = Poisoned<JITCodePoison, const void*>;
-
 void initializePoison();
 

trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -44 +44 @@
     }
 
-    const ClassInfo* classInfo() const { return m_classInfo.unpoisoned(); }
+    const ClassInfo* classInfo() const { return m_classInfo; }
     
     static ptrdiff_t classInfoOffset() { return OBJECT_OFFSETOF(JSDestructibleObject, m_classInfo); }
@@ -57 +57 @@
 
 private:
-    PoisonedClassInfoPtr m_classInfo;
+    const ClassInfo* m_classInfo;
 };
 

trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -97 +97 @@
     }
     
-    const ClassInfo* classInfo() const { return m_classInfo.unpoisoned(); }
+    const ClassInfo* classInfo() const { return m_classInfo; }
     
 protected:
@@ -108 +108 @@
 private:
     SegmentedVector<WriteBarrier<Unknown>, 16> m_variables;
-    PoisonedClassInfoPtr m_classInfo;
+    const ClassInfo* m_classInfo;
     ConcurrentJSLock m_lock;
     bool m_alreadyDestroyed { false }; // We use these assertions to check that we aren't doing ancient hacks that result in this being destroyed more than once.

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -491 +491 @@
     void setObjectToStringValue(ExecState*, VM&, JSString* value, PropertySlot toStringTagSymbolSlot);
 
-    const ClassInfo* classInfo() const { return m_classInfo.unpoisoned(); }
+    const ClassInfo* classInfo() const { return m_classInfo; }
 
     static ptrdiff_t structureIDOffset()
@@ -769 +769 @@
     RefPtr<UniquedStringImpl> m_nameInPrevious;
 
-    PoisonedClassInfoPtr m_classInfo;
+    const ClassInfo* m_classInfo;
 
     StructureTransitionTable m_transitionTable;

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -547 +547 @@
     
     JSCell* currentlyDestructingCallbackObject;
-    PoisonedClassInfoPtr currentlyDestructingCallbackObjectClassInfo;
+    const ClassInfo* currentlyDestructingCallbackObjectClassInfo { nullptr };
 
     AtomicStringTable* m_atomicStringTable;

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1129 +1129 @@
         Value* jumpDestination = isEmbedderBlock->appendNew<MemoryValue>(m_proc,
             Load, pointerType(), origin(), instanceValue(), safeCast<int32_t>(Instance::offsetOfWasmToEmbedderStub(functionIndex)));
-        if (Options::usePoisoning())
-            jumpDestination = isEmbedderBlock->appendNew<Value>(m_proc, BitXor, origin(), jumpDestination, isEmbedderBlock->appendNew<Const64Value>(m_proc, origin(), g_JITCodePoison));
 
         Value* embedderCallResult = wasmCallingConvention().setupCall(m_proc, isEmbedderBlock, origin(), args, toB3Type(returnType),
@@ -1309 +1307 @@
         m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(), callableFunction,
             safeCast<int32_t>(WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation())));
-    if (Options::usePoisoning())
-        calleeCode = m_currentBlock->appendNew<Value>(m_proc, BitXor, origin(), calleeCode, m_currentBlock->appendNew<Const64Value>(m_proc, origin(), g_JITCodePoison));
 
     Type returnType = signature.returnType();

trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -79 +79 @@
     // Tail call into the callee WebAssembly function.
     jit.loadPtr(scratch, scratch);
-    if (Options::usePoisoning())
-        jit.xorPtr(JIT::TrustedImmPtr(g_JITCodePoison), scratch);
     jit.jump(scratch, WasmEntryPtrTag);