Apply poisoning to some native code pointers.
https://bugs.webkit.org/show_bug.cgi?id=180541
<rdar://problem/35916875>
Reviewed by Filip Pizlo.
Source/JavaScriptCore:
Renamed g_classInfoPoison to g_globalDataPoison.
Renamed g_masmPoison to g_jitCodePoison.
Introduced g_nativeCodePoison.
Applied g_nativeCodePoison to poisoning some native code pointers.
Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
to malloc allocated data structures (where needed).
- API/JSCallbackFunction.h:
(JSC::JSCallbackFunction::functionCallback):
(JSC::nativeForGenerator):
- llint/LowLevelInterpreter64.asm:
- runtime/CustomGetterSetter.h:
(JSC::CustomGetterSetter::getter const):
(JSC::CustomGetterSetter::setter const):
- runtime/InternalFunction.cpp:
(JSC::InternalFunction::getCallData):
(JSC::InternalFunction::getConstructData):
- runtime/InternalFunction.h:
(JSC::InternalFunction::nativeFunctionFor):
- runtime/JSCPoison.h: Added.
- runtime/JSCPoisonedPtr.cpp:
(JSC::initializePoison):
- runtime/JSCPoisonedPtr.h:
- runtime/Lookup.h:
- runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::hashFor const):
- runtime/NativeExecutable.h:
- runtime/Structure.cpp:
(JSC::StructureTransitionTable::setSingleTransition):
- runtime/StructureTransitionTable.h:
(JSC::StructureTransitionTable::StructureTransitionTable):
(JSC::StructureTransitionTable::isUsingSingleSlot const):
(JSC::StructureTransitionTable::map const):
(JSC::StructureTransitionTable::weakImpl const):
(JSC::StructureTransitionTable::setMap):
Source/WTF:
Ensure that the resultant poisoned bits still look like a pointer in that their
bottom bits are 0, just like the alignment bits of a pointer. This allows the
client to use the bottom bits of the poisoned bits as flag bits, just like the
client was previously able to do with pointer values.
Note: we only ensure that the bottom alignment bits of the generated poison
value are 0. We're not masking out the poisoned bits. This means that the bottom
bits of the poisoned bits will only be null if the original pointer is aligned.
Hence, if the client applies the poison to an unaligned pointer, we do not lose
any information on the low bits.
Also removed 2 wrong assertions in PoisonedImpl's constructors. We were
asserting that Poisoned will never be used with a null value, but that's invalid.
We do want to allow a null value so that we don't have to constantly do null
checks in the clients. This was uncovered by some layout tests.
(WTF::makePoison):
(WTF::PoisonedImpl::PoisonedImpl):
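The following is an added, self-contained illustration of the two WTF points above (a poison whose alignment bits are 0, so client flag bits in the low bits of a pointer survive XOR poisoning, and a wrapper that accepts null without asserting). It is not WebKit's WTF::makePoison or WTF::PoisonedImpl; the 8-byte alignment, the mt19937_64 seed-based entropy source, the global name g_nativeCodePoison being populated by a seeded initializePoison(), the Poisoned<T> class shape, and the sample target object are all assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Added illustration of XOR pointer poisoning with alignment-preserving poison
// values. NOT WebKit's WTF::makePoison / WTF::PoisonedImpl: the names below,
// the 8-byte alignment assumption and the seeded mt19937_64 are assumptions.

constexpr unsigned kAlignmentBits = 3;                                    // assume 8-byte aligned pointers
constexpr uintptr_t kLowBitsMask = (uintptr_t(1) << kAlignmentBits) - 1;  // 0b111

// Generate a poison whose low alignment bits are 0. Only the poison is masked,
// never the poisoned result, so a client-tagged (unaligned) pointer keeps its
// low flag bits after XOR. A zero poison would leave pointers in the clear, so
// reject it and draw again.
uintptr_t makePoison(std::mt19937_64& rng)
{
    uintptr_t poison;
    do {
        poison = static_cast<uintptr_t>(rng()) & ~kLowBitsMask;
    } while (!poison);
    return poison;
}

uintptr_t g_nativeCodePoison = 0; // assumed process-wide poison, set once at startup

void initializePoison(uint64_t seed)
{
    std::mt19937_64 rng(seed); // assumption: a real implementation would use a CSPRNG
    g_nativeCodePoison = makePoison(rng);
}

// Poisoned pointer wrapper. Null is stored as 0 and is allowed, so callers do
// not need a null check before wrapping; unpoisoned() maps 0 back to nullptr.
template<typename T>
class Poisoned {
public:
    Poisoned() = default;
    explicit Poisoned(T* ptr) : m_bits(poison(reinterpret_cast<uintptr_t>(ptr))) { }

    T* unpoisoned() const { return reinterpret_cast<T*>(m_bits ? m_bits ^ g_nativeCodePoison : 0); }
    uintptr_t bits() const { return m_bits; }
    // The poison's low bits are 0, so these are exactly the low bits of the
    // original pointer: clients can keep flags there just as with a raw pointer.
    uintptr_t lowBits() const { return m_bits & kLowBitsMask; }

private:
    static uintptr_t poison(uintptr_t raw) { return raw ? raw ^ g_nativeCodePoison : 0; }
    uintptr_t m_bits { 0 };
};

alignas(8) static int g_sampleTarget = 0; // constructed sample pointee for the checks below

bool poisonLowBitsAreZero()
{
    initializePoison(0x5eed);
    return g_nativeCodePoison != 0 && (g_nativeCodePoison & kLowBitsMask) == 0;
}

bool alignedPointerRoundTrips()
{
    initializePoison(0x5eed);
    Poisoned<int> p(&g_sampleTarget);
    // Stored bits differ from the raw pointer, stay "pointer-shaped" (low bits
    // 0) and decode back to the original.
    return p.bits() != reinterpret_cast<uintptr_t>(&g_sampleTarget)
        && p.lowBits() == 0
        && p.unpoisoned() == &g_sampleTarget;
}

bool taggedPointerKeepsFlagBits()
{
    initializePoison(0x5eed);
    // Client keeps a flag in bit 0 (assumed usage), making the pointer unaligned.
    uintptr_t tagged = reinterpret_cast<uintptr_t>(&g_sampleTarget) | 1;
    Poisoned<int> p(reinterpret_cast<int*>(tagged));
    return p.lowBits() == 1 && reinterpret_cast<uintptr_t>(p.unpoisoned()) == tagged;
}

bool nullNeedsNoCheck()
{
    initializePoison(0x5eed);
    Poisoned<int> empty;
    Poisoned<int> fromNull(nullptr);
    return !empty.unpoisoned() && !fromNull.unpoisoned() && fromNull.bits() == 0;
}

int main()
{
    std::printf("poison low bits zero:   %d\n", poisonLowBitsAreZero());
    std::printf("aligned round trip:     %d\n", alignedPointerRoundTrips());
    std::printf("tag bit survives:       %d\n", taggedPointerKeepsFlagBits());
    std::printf("null without assert:    %d\n", nullNeedsNoCheck());
    return 0;
}
```

The poison is only ever masked on generation, never on the XOR result, so an unaligned input produces an unaligned output and no information in the low bits is lost; an aligned input produces a result whose low bits are 0, which is what lets a client treat those bits as flags on the stored word.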