Changeset 225437 in webkit
- Timestamp:
- Dec 1, 2017 5:12:48 PM (6 years ago)
- Location:
- trunk/Source
- Files:
-
- 2 added
- 18 edited
trunk/Source/JavaScriptCore/API/JSCallbackObject.h
r221822 r225437 28 28 #define JSCallbackObject_h 29 29 30 #include "JSCScrambledPtr.h" 30 31 #include "JSObjectRef.h" 31 32 #include "JSValueRef.h" … … 234 235 235 236 std::unique_ptr<JSCallbackObjectData> m_callbackObjectData; 236 const ClassInfo*m_classInfo;237 ClassInfoScrambledPtr m_classInfo; 237 238 }; 238 239 -
trunk/Source/JavaScriptCore/API/JSObjectRef.cpp
r224309 r225437 432 432 return jsObject->classInfo(vm); 433 433 434 return vm.currentlyDestructingCallbackObjectClassInfo ;434 return vm.currentlyDestructingCallbackObjectClassInfo.descrambled(); 435 435 } 436 436 -
trunk/Source/JavaScriptCore/ChangeLog
r225425 r225437 1 2017-12-01 Mark Lam <mark.lam@apple.com> 2 3 Let's scramble ClassInfo pointers in cells. 4 https://bugs.webkit.org/show_bug.cgi?id=180291 5 <rdar://problem/35807620> 6 7 Reviewed by JF Bastien. 8 9 * API/JSCallbackObject.h: 10 * API/JSObjectRef.cpp: 11 (classInfoPrivate): 12 * JavaScriptCore.xcodeproj/project.pbxproj: 13 * Sources.txt: 14 * assembler/MacroAssemblerCodeRef.cpp: 15 (JSC::MacroAssemblerCodePtr::initialize): Deleted. 16 * assembler/MacroAssemblerCodeRef.h: 17 (JSC::MacroAssemblerCodePtr:: const): 18 (JSC::MacroAssemblerCodePtr::hash const): 19 * dfg/DFGSpeculativeJIT.cpp: 20 (JSC::DFG::SpeculativeJIT::checkArray): 21 (JSC::DFG::SpeculativeJIT::compileCheckSubClass): 22 (JSC::DFG::SpeculativeJIT::compileNewStringObject): 23 * ftl/FTLLowerDFGToB3.cpp: 24 (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject): 25 (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): 26 * jit/AssemblyHelpers.h: 27 (JSC::AssemblyHelpers::emitAllocateDestructibleObject): 28 * jit/SpecializedThunkJIT.h: 29 (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass): 30 * runtime/InitializeThreading.cpp: 31 (JSC::initializeThreading): 32 * runtime/JSCScrambledPtr.cpp: Added. 33 (JSC::initializeScrambledPtrKeys): 34 * runtime/JSCScrambledPtr.h: Added. 35 * runtime/JSDestructibleObject.h: 36 (JSC::JSDestructibleObject::classInfo const): 37 * runtime/JSSegmentedVariableObject.h: 38 (JSC::JSSegmentedVariableObject::classInfo const): 39 * runtime/Structure.h: 40 * runtime/VM.h: 41 1 42 2017-12-01 Brian Burg <bburg@apple.com> 2 43 -
trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
r225314 r225437 1716 1716 FE20CE9E15F04A9500DF3430 /* LLIntCLoop.h in Headers */ = {isa = PBXBuildFile; fileRef = FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */; settings = {ATTRIBUTES = (Private, ); }; }; 1717 1717 FE2A87601F02381600EB31B2 /* MinimumReservedZoneSize.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */; }; 1718 FE2B0B691FD227E00075DA5F /* JSCScrambledPtr.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2B0B671FD0D2960075DA5F /* JSCScrambledPtr.h */; settings = {ATTRIBUTES = (Private, ); }; }; 1718 1719 FE3022D31E3D73A500BAC493 /* SigillCrashAnalyzer.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D11E3D739600BAC493 /* SigillCrashAnalyzer.h */; settings = {ATTRIBUTES = (Private, ); }; }; 1719 1720 FE3022D71E42857300BAC493 /* VMInspector.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D51E42856700BAC493 /* VMInspector.h */; }; … … 4585 4586 FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntCLoop.h; path = llint/LLIntCLoop.h; sourceTree = "<group>"; }; 4586 4587 FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MinimumReservedZoneSize.h; sourceTree = "<group>"; }; 4588 FE2B0B671FD0D2960075DA5F /* JSCScrambledPtr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCScrambledPtr.h; sourceTree = "<group>"; }; 4589 FE2B0B681FD0D2970075DA5F /* JSCScrambledPtr.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSCScrambledPtr.cpp; sourceTree = "<group>"; }; 4587 4590 FE2E6A7A1D6EA5FE0060F896 /* ThrowScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ThrowScope.cpp; sourceTree = "<group>"; }; 4588 4591 FE3022D01E3D739600BAC493 /* SigillCrashAnalyzer.cpp */ = {isa = PBXFileReference; 
fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SigillCrashAnalyzer.cpp; sourceTree = "<group>"; }; … … 6520 6523 14ABB36E099C076400E2A24F /* JSCJSValue.h */, 6521 6524 865A30F0135007E100CDB49E /* JSCJSValueInlines.h */, 6525 FE2B0B681FD0D2970075DA5F /* JSCScrambledPtr.cpp */, 6526 FE2B0B671FD0D2960075DA5F /* JSCScrambledPtr.h */, 6522 6527 72AAF7CB1D0D318B005E60BE /* JSCustomGetterSetterFunction.cpp */, 6523 6528 72AAF7CC1D0D318B005E60BE /* JSCustomGetterSetterFunction.h */, … … 8129 8134 0F37308D1C0BD29100052BFA /* B3PhiChildren.h in Headers */, 8130 8135 0FEC852C1BDACDAC0080FF74 /* B3Procedure.h in Headers */, 8136 FE2B0B691FD227E00075DA5F /* JSCScrambledPtr.h in Headers */, 8131 8137 0FEC852D1BDACDAC0080FF74 /* B3ProcedureInlines.h in Headers */, 8132 8138 0F725CAA1C503DED00AD943A /* B3PureCSE.h in Headers */, -
trunk/Source/JavaScriptCore/Sources.txt
r225314 r225437 770 770 runtime/JSBoundFunction.cpp 771 771 runtime/JSCJSValue.cpp 772 runtime/JSCScrambledPtr.cpp 772 773 runtime/JSCallee.cpp 773 774 runtime/JSCell.cpp -
trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.cpp
r225363 r225437 33 33 34 34 namespace JSC { 35 36 uintptr_t g_masmScrambledPtrKey;37 38 void MacroAssemblerCodePtr::initialize()39 {40 static std::once_flag initializeOnceFlag;41 std::call_once(initializeOnceFlag, [] {42 g_masmScrambledPtrKey = makeScrambledPtrKey();43 });44 }45 35 46 36 MacroAssemblerCodePtr MacroAssemblerCodePtr::createLLIntCodePtr(OpcodeID codeId) -
trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h
r225363 r225437 27 27 28 28 #include "ExecutableAllocator.h" 29 #include "JSCScrambledPtr.h" 29 30 #include <wtf/DataLog.h> 30 31 #include <wtf/PrintStream.h> 31 32 #include <wtf/RefPtr.h> 32 #include <wtf/ScrambledPtr.h>33 33 #include <wtf/text/CString.h> 34 34 … … 52 52 namespace JSC { 53 53 54 extern "C" JS_EXPORTDATA uintptr_t g_masmScrambledPtrKey;55 56 using MasmScrambledPtr = ScrambledPtr<g_masmScrambledPtrKey>;57 58 54 class MacroAssemblerCodePtr; 59 55 … … 324 320 { 325 321 m_value.assertIsScrambled(); 326 return m_value ? m_value.descramble <T>() : static_cast<T>(0);322 return m_value ? m_value.descrambled<T>() : static_cast<T>(0); 327 323 } 328 324 #if CPU(ARM_THUMB2) … … 333 329 m_value.assertIsScrambled(); 334 330 ASSERT_VALID_CODE_POINTER(m_value); 335 return bitwise_cast<T>(m_value ? m_value.descramble <char*>() - 1 : nullptr);331 return bitwise_cast<T>(m_value ? m_value.descrambled<char*>() - 1 : nullptr); 336 332 } 337 333 #else … … 341 337 m_value.assertIsScrambled(); 342 338 ASSERT_VALID_CODE_POINTER(m_value); 343 return m_value ? m_value.descramble <T>() : static_cast<T>(0);339 return m_value ? m_value.descrambled<T>() : static_cast<T>(0); 344 340 } 345 341 #endif … … 389 385 bool isDeletedValue() const { return m_value == deletedValue(); } 390 386 391 unsigned hash() const { return IntHash<uintptr_t>::hash(m_value. scrambledBits()); }387 unsigned hash() const { return IntHash<uintptr_t>::hash(m_value.bits()); } 392 388 393 389 static void initialize(); -
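Review bot: The declaration `static void initialize();` at line 389 of this header survives while MacroAssemblerCodeRef.cpp in this changeset deletes its only definition (`MacroAssemblerCodePtr::initialize()` together with `g_masmScrambledPtrKey`), and InitializeThreading.cpp switches the one visible caller to `initializeScrambledPtrKeys()`. The declaration is now dead, and any caller outside this changeset would compile but fail at link time; remove the line `static void initialize();` from MacroAssemblerCodePtr. The class continues past the hunk, so it is worth checking that no remaining member still refers to the `MasmScrambledPtr` alias removed at lines 54-56, which is presumably re-declared in the new JSCScrambledPtr.h that is not shown here.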
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r225363 r225437 869 869 MacroAssembler::NotEqual, 870 870 MacroAssembler::Address(temp.gpr(), Structure::classInfoOffset()), 871 TrustedImmPtr( expectedClassInfo)));872 871 TrustedImmPtr(ClassInfoScrambledPtr(expectedClassInfo).bits()))); 872 873 873 noResult(m_currentNode); 874 874 } … … 8706 8706 m_jit.emitLoadStructure(*m_jit.vm(), baseGPR, otherGPR, specifiedGPR); 8707 8707 m_jit.loadPtr(CCallHelpers::Address(otherGPR, Structure::classInfoOffset()), otherGPR); 8708 #if USE(JSVALUE64) 8709 m_jit.move(CCallHelpers::TrustedImm64(g_classInfoScrambledPtrKey), specifiedGPR); 8710 m_jit.xor64(specifiedGPR, otherGPR); 8711 #endif 8708 8712 m_jit.move(CCallHelpers::TrustedImmPtr(node->classInfo()), specifiedGPR); 8709 8713 … … 9000 9004 9001 9005 m_jit.storePtr( 9002 TrustedImmPtr( StringObject::info()),9006 TrustedImmPtr(ClassInfoScrambledPtr(StringObject::info()).bits()), 9003 9007 JITCompiler::Address(resultGPR, JSDestructibleObject::classInfoOffset())); 9004 9008 #if USE(JSVALUE64) -
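Review bot: The raw-to-scrambled conversion `TrustedImmPtr(ClassInfoScrambledPtr(x).bits())` is now spelled out by hand in checkArray and compileNewStringObject here, and again in FTLLowerDFGToB3.cpp, AssemblyHelpers.h and SpecializedThunkJIT.h; a small helper such as `static TrustedImmPtr scrambledClassInfoImm(const ClassInfo*)` would keep every emit site in step the next time the representation changes. The four-line `#if USE(JSVALUE64)` block added in compileCheckSubClass carries no comment saying that the loaded Structure slot holds scrambled bits, that `specifiedGPR` is borrowed as scratch for the key before being overwritten on the following `move`, and that the 32-bit build skips the xor because ScrambledPtr is an identity there. Suggest `// The classInfo slot holds scrambled bits; descramble with the process key (identity on 32-bit) before comparing.` above the block, and the same comment on the equivalent `m_out.bitXor(...)` in the FTL hunk. Since `g_classInfoScrambledPtrKey` is emitted as an immediate, the key also lives in the generated code; the comment should state that as an accepted property of the mitigation.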
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r225385 r225437 5011 5011 5012 5012 LValue fastResultValue = allocateObject<StringObject>(structure, m_out.intPtrZero, slowCase); 5013 m_out.storePtr(m_out.constIntPtr( StringObject::info()), fastResultValue, m_heaps.JSDestructibleObject_classInfo);5013 m_out.storePtr(m_out.constIntPtr(ClassInfoScrambledPtr(StringObject::info()).bits()), fastResultValue, m_heaps.JSDestructibleObject_classInfo); 5014 5014 m_out.store64(string, fastResultValue, m_heaps.JSWrapperObject_internalValue); 5015 5015 mutatorFence(); … … 11161 11161 11162 11162 LValue structure = loadStructure(cell); 11163 ValueFromBlock otherAtStart = m_out.anchor(m_out.loadPtr(structure, m_heaps.Structure_classInfo)); 11163 LValue scrambledClassInfo = m_out.loadPtr(structure, m_heaps.Structure_classInfo); 11164 LValue classInfo = m_out.bitXor(scrambledClassInfo, m_out.constInt64(g_classInfoScrambledPtrKey)); 11165 ValueFromBlock otherAtStart = m_out.anchor(classInfo); 11164 11166 m_out.jump(loop); 11165 11167 -
trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h
r225314 r225437 1626 1626 { 1627 1627 emitAllocateJSObject<ClassType>(vm, resultGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR1, scratchGPR2, slowPath); 1628 storePtr(TrustedImmPtr( structure->classInfo()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));1628 storePtr(TrustedImmPtr(ClassInfoScrambledPtr(structure->classInfo()).bits()), Address(resultGPR, JSDestructibleObject::classInfoOffset())); 1629 1629 } 1630 1630 -
trunk/Source/JavaScriptCore/jit/SpecializedThunkJIT.h
r214571 r225437 1 1 /* 2 * Copyright (C) 2010 , 2016Apple Inc. All rights reserved.2 * Copyright (C) 2010-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 78 78 loadCellArgument(argument, dst); 79 79 emitLoadStructure(*vm(), dst, scratch, dst); 80 appendFailure(branchPtr(NotEqual, Address(scratch, Structure::classInfoOffset()), TrustedImmPtr( classInfo)));80 appendFailure(branchPtr(NotEqual, Address(scratch, Structure::classInfoOffset()), TrustedImmPtr(ClassInfoScrambledPtr(classInfo).bits()))); 81 81 // We have to reload the argument since emitLoadStructure clobbered it. 82 82 loadCellArgument(argument, dst); -
trunk/Source/JavaScriptCore/runtime/InitializeThreading.cpp
r225363 r225437 1 1 /* 2 * Copyright (C) 2008 , 2015-2017 Apple Inc. All rights reserved.2 * Copyright (C) 2008-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 60 60 std::call_once(initializeThreadingOnceFlag, []{ 61 61 WTF::initializeThreading(); 62 MacroAssemblerCodePtr::initialize();62 initializeScrambledPtrKeys(); 63 63 Options::initialize(); 64 64 #if ENABLE(WRITE_BARRIER_PROFILING) -
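Review bot: `initializeScrambledPtrKeys()` replaces `MacroAssemblerCodePtr::initialize()`, which guarded itself with its own `std::once_flag` (see the lines deleted in MacroAssemblerCodeRef.cpp); the new function is defined in the added JSCScrambledPtr.cpp, which is not in this view, so whether it is idempotent cannot be confirmed here. If it is not, this `call_once` is the only thing preventing the keys from being regenerated after Structures or code pointers have already been scrambled, and the call site should say so, e.g. `// Must run exactly once and before any Structure or MacroAssemblerCodePtr is created; the keys are also baked into JIT-emitted immediates.`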
trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h
r225314 r225437 44 44 } 45 45 46 const ClassInfo* classInfo() const { return m_classInfo ; }46 const ClassInfo* classInfo() const { return m_classInfo.descrambled(); } 47 47 48 48 static ptrdiff_t classInfoOffset() { return OBJECT_OFFSETOF(JSDestructibleObject, m_classInfo); } … … 57 57 58 58 private: 59 const ClassInfo*m_classInfo;59 ClassInfoScrambledPtr m_classInfo; 60 60 }; 61 61 -
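Review bot: `classInfoOffset()` at line 48 still hands out the raw slot address, but after this change the value stored there is scrambled bits rather than a `const ClassInfo*`, and every JIT reader in this changeset (DFG and FTL compileCheckSubClass, emitAllocateDestructibleObject, loadArgumentWithSpecificClass) has to know to xor with `g_classInfoScrambledPtrKey` or compare against `.bits()`; nothing at the declaration says so. Suggest `// Slot holds ClassInfoScrambledPtr bits, not a raw pointer: JIT readers must descramble (see compileCheckSubClass).` on classInfoOffset(), and the same on `Structure::classInfoOffset()` in Structure.h and on the `ClassInfoScrambledPtr m_classInfo;` member in JSSegmentedVariableObject.h. C++ callers going through `classInfo()` are unaffected, since the getter now descrambles.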
trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h
r225314 r225437 95 95 } 96 96 97 const ClassInfo* classInfo() const { return m_classInfo ; }97 const ClassInfo* classInfo() const { return m_classInfo.descrambled(); } 98 98 99 99 protected: … … 108 108 ConcurrentJSLock m_lock; 109 109 bool m_alreadyDestroyed { false }; // We use these assertions to check that we aren't doing ancient hacks that result in this being destroyed more than once. 110 const ClassInfo*m_classInfo;110 ClassInfoScrambledPtr m_classInfo; 111 111 }; 112 112 -
trunk/Source/JavaScriptCore/runtime/Structure.h
r223715 r225437 1 1 /* 2 * Copyright (C) 2008 , 2009, 2012-2016Apple Inc. All rights reserved.2 * Copyright (C) 2008-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 469 469 void setObjectToStringValue(ExecState*, VM&, JSString* value, PropertySlot toStringTagSymbolSlot); 470 470 471 const ClassInfo* classInfo() const { return m_classInfo ; }471 const ClassInfo* classInfo() const { return m_classInfo.descrambled(); } 472 472 473 473 static ptrdiff_t structureIDOffset() … … 799 799 RefPtr<UniquedStringImpl> m_nameInPrevious; 800 800 801 const ClassInfo*m_classInfo;801 ClassInfoScrambledPtr m_classInfo; 802 802 803 803 StructureTransitionTable m_transitionTable; -
trunk/Source/JavaScriptCore/runtime/VM.h
r225314 r225437 415 415 416 416 JSCell* currentlyDestructingCallbackObject; 417 const ClassInfo*currentlyDestructingCallbackObjectClassInfo;417 ClassInfoScrambledPtr currentlyDestructingCallbackObjectClassInfo; 418 418 419 419 AtomicStringTable* m_atomicStringTable; -
trunk/Source/WTF/ChangeLog
r225430 r225437 1 2017-12-01 Mark Lam <mark.lam@apple.com> 2 3 Let's scramble ClassInfo pointers in cells. 4 https://bugs.webkit.org/show_bug.cgi?id=180291 5 <rdar://problem/35807620> 6 7 Reviewed by JF Bastien. 8 9 * wtf/ScrambledPtr.h: 10 (WTF::ScrambledPtr::descrambled const): 11 (WTF::ScrambledPtr::bits const): 12 (WTF::ScrambledPtr::operator==): 13 (WTF::ScrambledPtr::operator=): 14 (WTF::ScrambledPtr::scramble): 15 (WTF::ScrambledPtr::descramble): 16 (WTF::ScrambledPtr:: const): Deleted. 17 (WTF::ScrambledPtr::scrambledBits const): Deleted. 18 1 19 2017-12-01 Christopher Reid <chris.reid@sony.com> 2 20 -
trunk/Source/WTF/wtf/ScrambledPtr.h
r225363 r225437 41 41 using ScrambledPtrBits = uintptr_t; 42 42 43 template< uintptr_t& key>43 template<typename T, uintptr_t& key, typename = std::enable_if_t<std::is_pointer<T>::value>> 44 44 class ScrambledPtr { 45 45 public: 46 46 ScrambledPtr() { } 47 47 48 template<typename T, typename = typename std::enable_if<std::is_pointer<T>::value>::type>49 48 explicit ScrambledPtr(T ptr) 50 49 : m_scrambledBits(scramble(ptr)) … … 62 61 63 62 #if ENABLE(SCRAMBLED_PTR_ASSERTS) 64 template<typename T= void*>65 static bool isScrambled( Tvalue) { return !value || (reinterpret_cast<uintptr_t>(value) & 0xffff000000000000); }66 template<typename T= void*>67 static void assertIsScrambled( Tvalue) { RELEASE_ASSERT(isScrambled(value)); }68 template<typename T= void*>69 static void assertIsNotScrambled( Tvalue) { RELEASE_ASSERT(!isScrambled(value)); }63 template<typename U = void*> 64 static bool isScrambled(U value) { return !value || (reinterpret_cast<uintptr_t>(value) & 0xffff000000000000); } 65 template<typename U = void*> 66 static void assertIsScrambled(U value) { RELEASE_ASSERT(isScrambled(value)); } 67 template<typename U = void*> 68 static void assertIsNotScrambled(U value) { RELEASE_ASSERT(!isScrambled(value)); } 70 69 #else 71 template<typename T = void*> static void assertIsScrambled(T) { }72 template<typename T = void*> static void assertIsNotScrambled(T) { }70 template<typename U = void*> static void assertIsScrambled(U) { } 71 template<typename U = void*> static void assertIsNotScrambled(U) { } 73 72 #endif 74 73 void assertIsScrambled() const { assertIsScrambled(m_scrambledBits); } 75 74 void assertIsNotScrambled() const { assertIsNotScrambled(m_scrambledBits); } 76 75 77 template<typename T = void*>78 T descramble() const { return descramble<T>(m_scrambledBits); }76 template<typename U = T> 77 U descrambled() const { return descramble<U>(m_scrambledBits); } 79 78 80 template<typename T, typename = typename std::enable_if<std::is_pointer<T>::value>::type>81 79 
ALWAYS_INLINE T operator->() const { return descramble<T>(m_scrambledBits); } 82 80 83 ScrambledPtrBits scrambledBits() const { return m_scrambledBits; } 81 template<typename U = ScrambledPtrBits> 82 U bits() const { return bitwise_cast<U>(m_scrambledBits); } 84 83 85 84 bool operator!() const { return !m_scrambledBits; } … … 94 93 bool operator==(const PtrType b) 95 94 { 96 return descramble <PtrType>() == b;95 return descrambled<PtrType>() == b; 97 96 } 97 98 ScrambledPtr& operator=(T ptr) 99 { 100 m_scrambledBits = ptr ? scramble(ptr) : 0; 101 return *this; 102 } 103 ScrambledPtr& operator=(const ScrambledPtr&) = default; 98 104 99 105 private: 100 106 #if USE(JSVALUE64) 101 template<typename T>102 ALWAYS_INLINE static ScrambledPtrBits scramble( Tptr) { return bitwise_cast<ScrambledPtrBits>(ptr) ^ key; }103 template<typename T>104 ALWAYS_INLINE static T descramble(ScrambledPtrBits scrambledBits) { return bitwise_cast<T>(scrambledBits ^ key); }107 template<typename U> 108 ALWAYS_INLINE static ScrambledPtrBits scramble(U ptr) { return bitwise_cast<ScrambledPtrBits>(ptr) ^ key; } 109 template<typename U> 110 ALWAYS_INLINE static U descramble(ScrambledPtrBits scrambledBits) { return bitwise_cast<U>(scrambledBits ^ key); } 105 111 #else 106 template<typename T>107 ALWAYS_INLINE static ScrambledPtrBits scramble( Tptr) { return bitwise_cast<ScrambledPtrBits>(ptr); }108 template<typename T>109 ALWAYS_INLINE static T descramble(ScrambledPtrBits scrambledBits) { return bitwise_cast<T>(scrambledBits); }112 template<typename U> 113 ALWAYS_INLINE static ScrambledPtrBits scramble(U ptr) { return bitwise_cast<ScrambledPtrBits>(ptr); } 114 template<typename U> 115 ALWAYS_INLINE static U descramble(ScrambledPtrBits scrambledBits) { return bitwise_cast<U>(scrambledBits); } 110 116 #endif 111 117
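Review bot: The new `operator=(T ptr)` maps a null pointer to 0 (`m_scrambledBits = ptr ? scramble(ptr) : 0;`) while the explicit constructor a few lines above initialises with `scramble(ptr)` unconditionally, so on JSVALUE64 a ScrambledPtr constructed from nullptr would hold `key` and `operator!` would report it non-null, whereas an assigned nullptr reports null. The constructor body at lines 51-61 is outside the hunk and may reject null; if it does not, the two paths should agree, e.g. `: m_scrambledBits(ptr ? scramble(ptr) : 0)`. A one-line comment on the assignment operator would make the convention explicit: `// Null stays 0 so operator!, isScrambled() and a default-constructed value all agree.` While line 94 is being touched, `operator==(const PtrType b)` could also become a `const` member so comparisons work on const objects.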