Changeset 226530 in webkit for trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

Timestamp:

Jan 8, 2018, 1:05:17 PM (8 years ago)

Author:

[email protected]

Message:

Apply poisoning to more pointers in JSC.
​https://bugs.webkit.org/show_bug.cgi?id=181096
<rdar://problem/36182970>

Reviewed by JF Bastien.

Source/JavaScriptCore:

• assembler/MacroAssembler.h:

(JSC::MacroAssembler::xorPtr):

• assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::xor64):

• assembler/MacroAssemblerX86_64.h:

(JSC::MacroAssemblerX86_64::xor64):

• Add xorPtr implementation.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::inferredName const):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::visitWeakly):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
(JSC::CodeBlock::finalizeBaselineJITInlineCaches):
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::predictedMachineCodeSize):
(JSC::CodeBlock::findPC):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
(JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
(JSC::CodeBlock::stubInfoBegin):
(JSC::CodeBlock::stubInfoEnd):
(JSC::CodeBlock::callLinkInfosBegin):
(JSC::CodeBlock::callLinkInfosEnd):
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
(JSC::CodeBlock::vm const):

• dfg/DFGOSRExitCompilerCommon.h:

(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):

• jit/JIT.h:
• llint/LLIntOfflineAsmConfig.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter64.asm:
• parser/UnlinkedSourceCode.h:
• runtime/JSCPoison.h:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

• runtime/JSGlobalObject.h:
• runtime/JSScriptFetchParameters.h:
• runtime/JSScriptFetcher.h:
• runtime/StructureTransitionTable.h:
• wasm/js/JSWebAssemblyCodeBlock.cpp:

(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
(JSC::JSWebAssemblyCodeBlock::visitChildren):
(JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):

• wasm/js/JSWebAssemblyCodeBlock.h:

Source/WTF:

Added support for PoisonedBag and PoisonedRefCountedArray.

• wtf/Bag.h:

(WTF::Private::BagNode::BagNode):
(WTF::Bag::Bag):
(WTF::Bag::operator=):
(WTF::Bag::clear):
(WTF::Bag::add):
(WTF::Bag::begin):
(WTF::Bag::unwrappedHead):
(WTF::Bag::Node::Node): Deleted.

• wtf/BagToHashMap.h:

(WTF::toHashMap):

• wtf/Poisoned.h:

(WTF::constExprPoisonRandom):
(WTF::makeConstExprPoison):

• wtf/RefCountedArray.h:

(WTF::RefCountedArray::RefCountedArray):
(WTF::RefCountedArray::clone const):
(WTF::RefCountedArray::operator=):
(WTF::RefCountedArray::~RefCountedArray):
(WTF::RefCountedArray::refCount const):
(WTF::RefCountedArray::size const):
(WTF::RefCountedArray::data):
(WTF::RefCountedArray::begin):
(WTF::RefCountedArray::end):
(WTF::RefCountedArray::data const):
(WTF::RefCountedArray::begin const):
(WTF::RefCountedArray::operator== const):
(WTF::RefCountedArray::Header::fromPayload):

• wtf/WTFAssertions.cpp:

File:

• trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (31 diffs)

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Cameron Zwarich <[email protected]>
  *
@@ -308 +308 @@
     , m_isStrictMode(other.m_isStrictMode)
     , m_codeType(other.m_codeType)
-    , m_unlinkedCode(*other.m_vm, this, other.m_unlinkedCode.get())
+    , m_unlinkedCode(*other.vm(), this, other.m_unlinkedCode.get())
     , m_numberOfArgumentsToSkip(other.m_numberOfArgumentsToSkip)
     , m_hasDebuggerStatement(false)
     , m_steppingMode(SteppingModeDisabled)
     , m_numBreakpoints(0)
-    , m_ownerExecutable(*other.m_vm, this, other.m_ownerExecutable.get())
+    , m_ownerExecutable(*other.vm(), this, other.m_ownerExecutable.get())
     , m_vm(other.m_vm)
     , m_instructions(other.m_instructions)
@@ -330 +330 @@
     , m_reoptimizationRetryCounter(0)
     , m_creationTime(MonotonicTime::now())
+    , m_unconditionalFinalizer(makePoisonedUnique<UnconditionalFinalizer>(*this))
+    , m_weakReferenceHarvester(makePoisonedUnique<WeakReferenceHarvester>(*this))
 {
     m_visitWeaklyHasBeenCalled = false;
@@ -388 +390 @@
     , m_reoptimizationRetryCounter(0)
     , m_creationTime(MonotonicTime::now())
+    , m_unconditionalFinalizer(makePoisonedUnique<UnconditionalFinalizer>(*this))
+    , m_weakReferenceHarvester(makePoisonedUnique<WeakReferenceHarvester>(*this))
 {
     m_visitWeaklyHasBeenCalled = false;
@@ -423 +427 @@
 
     if (unlinkedCodeBlock->usesGlobalObject())
-        m_constantRegisters[unlinkedCodeBlock->globalObjectRegister().toConstantIndex()].set(*m_vm, this, m_globalObject.get());
+        m_constantRegisters[unlinkedCodeBlock->globalObjectRegister().toConstantIndex()].set(vm, this, m_globalObject.get());
 
     for (unsigned i = 0; i < LinkTimeConstantCount; i++) {
         LinkTimeConstant type = static_cast<LinkTimeConstant>(i);
         if (unsigned registerIndex = unlinkedCodeBlock->registerIndexForLinkTimeConstant(type))
-            m_constantRegisters[registerIndex].set(*m_vm, this, m_globalObject->jsCellForLinkTimeConstant(type));
+            m_constantRegisters[registerIndex].set(vm, this, m_globalObject->jsCellForLinkTimeConstant(type));
     }
 
@@ -435 +439 @@
     if (UnlinkedModuleProgramCodeBlock* unlinkedModuleProgramCodeBlock = jsDynamicCast<UnlinkedModuleProgramCodeBlock*>(vm, unlinkedCodeBlock)) {
         SymbolTable* clonedSymbolTable = jsCast<ModuleProgramExecutable*>(ownerExecutable)->moduleEnvironmentSymbolTable();
-        if (m_vm->typeProfiler()) {
+        if (vm.typeProfiler()) {
             ConcurrentJSLocker locker(clonedSymbolTable->m_lock);
             clonedSymbolTable->prepareForTypeProfiling(locker);
@@ -448 +452 @@
         if (shouldUpdateFunctionHasExecutedCache)
             vm.functionHasExecutedCache()->insertUnexecutedRange(ownerExecutable->sourceID(), unlinkedExecutable->typeProfilingStartOffset(), unlinkedExecutable->typeProfilingEndOffset());
-        m_functionDecls[i].set(*m_vm, this, unlinkedExecutable->link(*m_vm, ownerExecutable->source()));
+        m_functionDecls[i].set(vm, this, unlinkedExecutable->link(vm, ownerExecutable->source()));
     }
 
@@ -456 +460 @@
         if (shouldUpdateFunctionHasExecutedCache)
             vm.functionHasExecutedCache()->insertUnexecutedRange(ownerExecutable->sourceID(), unlinkedExecutable->typeProfilingStartOffset(), unlinkedExecutable->typeProfilingEndOffset());
-        m_functionExprs[i].set(*m_vm, this, unlinkedExecutable->link(*m_vm, ownerExecutable->source()));
+        m_functionExprs[i].set(vm, this, unlinkedExecutable->link(vm, ownerExecutable->source()));
     }
 
@@ -854 +858 @@
 CodeBlock::~CodeBlock()
 {
-    if (UNLIKELY(m_vm->m_perBytecodeProfiler))
-        m_vm->m_perBytecodeProfiler->notifyDestruction(this);
+    VM& vm = *m_vm;
+    if (UNLIKELY(vm.m_perBytecodeProfiler))
+        vm.m_perBytecodeProfiler->notifyDestruction(this);
 
     if (unlinkedCodeBlock()->didOptimize() == MixedTriState)
@@ -877 +882 @@
 
 #if ENABLE(JIT)
-    for (Bag<StructureStubInfo>::iterator iter = m_stubInfos.begin(); !!iter; ++iter) {
+    for (auto iter = m_stubInfos.begin(); !!iter; ++iter) {
         StructureStubInfo* stub = *iter;
         stub->aboutToDie();
@@ -910 +915 @@
 void CodeBlock::setConstantRegisters(const Vector<WriteBarrier<Unknown>>& constants, const Vector<SourceCodeRepresentation>& constantsSourceCodeRepresentation)
 {
-    auto scope = DECLARE_THROW_SCOPE(*m_vm);
+    VM& vm = *m_vm;
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSGlobalObject* globalObject = m_globalObject.get();
     ExecState* exec = globalObject->globalExec();
@@ -917 +923 @@
     size_t count = constants.size();
     m_constantRegisters.resizeToFit(count);
-    bool hasTypeProfiler = !!m_vm->typeProfiler();
+    bool hasTypeProfiler = !!vm.typeProfiler();
     for (size_t i = 0; i < count; i++) {
         JSValue constant = constants[i].get();
 
         if (!constant.isEmpty()) {
-            if (SymbolTable* symbolTable = jsDynamicCast<SymbolTable*>(*m_vm, constant)) {
+            if (SymbolTable* symbolTable = jsDynamicCast<SymbolTable*>(vm, constant)) {
                 if (hasTypeProfiler) {
                     ConcurrentJSLocker locker(symbolTable->m_lock);
@@ -928 +934 @@
                 }
 
-                SymbolTable* clone = symbolTable->cloneScopePart(*m_vm);
+                SymbolTable* clone = symbolTable->cloneScopePart(vm);
                 if (wasCompiledWithDebuggingOpcodes())
                     clone->setRareDataCodeBlock(this);
 
                 constant = clone;
-            } else if (isTemplateRegistryKey(*m_vm, constant)) {
+            } else if (isTemplateRegistryKey(vm, constant)) {
                 auto* templateObject = globalObject->templateRegistry().getTemplateObject(exec, jsCast<JSTemplateRegistryKey*>(constant));
                 RETURN_IF_EXCEPTION(scope, void());
@@ -940 +946 @@
         }
 
-        m_constantRegisters[i].set(*m_vm, this, constant);
+        m_constantRegisters[i].set(vm, this, constant);
     }
 
@@ -990 +996 @@
     // is probably quite close to 1. So we add one no matter what and when it runs, it
     // figures out whether it has any work to do.
-    visitor.addUnconditionalFinalizer(&m_unconditionalFinalizer);
+    visitor.addUnconditionalFinalizer(m_unconditionalFinalizer.get());
 
     if (!JITCode::isOptimizingJIT(jitType()))
@@ -1002 +1008 @@
     // jettisoning, and trying to find structures that would be live based on some
     // inline cache. So it makes sense to register them regardless.
-    visitor.addWeakReferenceHarvester(&m_weakReferenceHarvester);
+    visitor.addWeakReferenceHarvester(m_weakReferenceHarvester.get());
 
 #if ENABLE(DFG_JIT)
@@ -1046 +1052 @@
     // is probably quite close to 1. So we add one no matter what and when it runs, it
     // figures out whether it has any work to do.
-    visitor.addUnconditionalFinalizer(&m_unconditionalFinalizer);
+    visitor.addUnconditionalFinalizer(m_unconditionalFinalizer.get());
 
     if (CodeBlock* otherBlock = specialOSREntryBlockOrNull())
@@ -1162 +1168 @@
         return;
 
+    VM& vm = *m_vm;
     bool allAreMarkedSoFar = true;
         
@@ -1175 +1182 @@
                     break;
                 Structure* oldStructure =
-                    m_vm->heap.structureIDTable().get(oldStructureID);
+                    vm.heap.structureIDTable().get(oldStructureID);
                 Structure* newStructure =
-                    m_vm->heap.structureIDTable().get(newStructureID);
+                    vm.heap.structureIDTable().get(newStructureID);
                 if (Heap::isMarked(oldStructure))
                     visitor.appendUnbarriered(newStructure);
@@ -1192 +1199 @@
 #if ENABLE(JIT)
     if (JITCode::isJIT(jitType())) {
-        for (Bag<StructureStubInfo>::iterator iter = m_stubInfos.begin(); !!iter; ++iter)
+        for (auto iter = m_stubInfos.begin(); !!iter; ++iter)
             allAreMarkedSoFar &= (*iter)->propagateTransitions(visitor);
     }
@@ -1280 +1287 @@
 void CodeBlock::WeakReferenceHarvester::visitWeakReferences(SlotVisitor& visitor)
 {
-    CodeBlock* codeBlock =
-        bitwise_cast<CodeBlock*>(
-            bitwise_cast<char*>(this) - OBJECT_OFFSETOF(CodeBlock, m_weakReferenceHarvester));
-    
-    codeBlock->propagateTransitions(NoLockingNecessary, visitor);
-    codeBlock->determineLiveness(NoLockingNecessary, visitor);
+    codeBlock.propagateTransitions(NoLockingNecessary, visitor);
+    codeBlock.determineLiveness(NoLockingNecessary, visitor);
 }
 
@@ -1298 +1301 @@
 void CodeBlock::finalizeLLIntInlineCaches()
 {
+    VM& vm = *m_vm;
     const Vector<unsigned>& propertyAccessInstructions = m_unlinkedCode->propertyAccessInstructions();
     for (size_t size = propertyAccessInstructions.size(), i = 0; i < size; ++i) {
@@ -1306 +1310 @@
         case op_get_by_id_unset: {
             StructureID oldStructureID = curInstruction[4].u.structureID;
-            if (!oldStructureID || Heap::isMarked(m_vm->heap.structureIDTable().get(oldStructureID)))
+            if (!oldStructureID || Heap::isMarked(vm.heap.structureIDTable().get(oldStructureID)))
                 break;
             if (Options::verboseOSR())
@@ -1317 +1321 @@
             StructureID newStructureID = curInstruction[6].u.structureID;
             StructureChain* chain = curInstruction[7].u.structureChain.get();
-            if ((!oldStructureID || Heap::isMarked(m_vm->heap.structureIDTable().get(oldStructureID))) &&
-                (!newStructureID || Heap::isMarked(m_vm->heap.structureIDTable().get(newStructureID))) &&
-                (!chain || Heap::isMarked(chain)))
+            if ((!oldStructureID || Heap::isMarked(vm.heap.structureIDTable().get(oldStructureID)))
+                && (!newStructureID || Heap::isMarked(vm.heap.structureIDTable().get(newStructureID)))
+                && (!chain || Heap::isMarked(chain)))
                 break;
             if (Options::verboseOSR())
@@ -1411 +1415 @@
         (*iter)->visitWeak(*vm());
 
-    for (Bag<StructureStubInfo>::iterator iter = m_stubInfos.begin(); !!iter; ++iter) {
+    for (auto iter = m_stubInfos.begin(); !!iter; ++iter) {
         StructureStubInfo& stubInfo = **iter;
         stubInfo.visitWeakReferences(this);
@@ -1420 +1424 @@
 void CodeBlock::UnconditionalFinalizer::finalizeUnconditionally()
 {
-    CodeBlock* codeBlock = bitwise_cast<CodeBlock*>(
-        bitwise_cast<char*>(this) - OBJECT_OFFSETOF(CodeBlock, m_unconditionalFinalizer));
-    
-    codeBlock->updateAllPredictions();
-    
-    if (!Heap::isMarked(codeBlock)) {
-        if (codeBlock->shouldJettisonDueToWeakReference())
-            codeBlock->jettison(Profiler::JettisonDueToWeakReference);
+    codeBlock.updateAllPredictions();
+    
+    if (!Heap::isMarked(&codeBlock)) {
+        if (codeBlock.shouldJettisonDueToWeakReference())
+            codeBlock.jettison(Profiler::JettisonDueToWeakReference);
         else
-            codeBlock->jettison(Profiler::JettisonDueToOldAge);
+            codeBlock.jettison(Profiler::JettisonDueToOldAge);
         return;
     }
 
-    if (JITCode::couldBeInterpreted(codeBlock->jitType()))
-        codeBlock->finalizeLLIntInlineCaches();
+    if (JITCode::couldBeInterpreted(codeBlock.jitType()))
+        codeBlock.finalizeLLIntInlineCaches();
 
 #if ENABLE(JIT)
-    if (!!codeBlock->jitCode())
-        codeBlock->finalizeBaselineJITInlineCaches();
+    if (!!codeBlock.jitCode())
+        codeBlock.finalizeBaselineJITInlineCaches();
 #endif
 }
@@ -1960 +1961 @@
 #endif // ENABLE(DFG_JIT)
 
+    VM& vm = *m_vm;
     DeferGCForAWhile deferGC(*heap());
     
@@ -1976 +1978 @@
         if (!jitCode()->dfgCommon()->invalidate()) {
             // We've already been invalidated.
-            RELEASE_ASSERT(this != replacement() || (m_vm->heap.isCurrentThreadBusy() && !Heap::isMarked(ownerScriptExecutable())));
+            RELEASE_ASSERT(this != replacement() || (vm.heap.isCurrentThreadBusy() && !Heap::isMarked(ownerScriptExecutable())));
             return;
         }
@@ -2008 +2010 @@
     // Jettison can happen during GC. We don't want to install code to a dead executable
     // because that would add a dead object to the remembered set.
-    if (m_vm->heap.isCurrentThreadBusy() && !Heap::isMarked(ownerScriptExecutable()))
+    if (vm.heap.isCurrentThreadBusy() && !Heap::isMarked(ownerScriptExecutable()))
         return;
 
     // This accomplishes (2).
-    ownerScriptExecutable()->installCode(
-        *m_vm, alternative(), codeType(), specializationKind());
+    ownerScriptExecutable()->installCode(vm, alternative(), codeType(), specializationKind());
 
 #if ENABLE(DFG_JIT)
@@ -2768 +2769 @@
 size_t CodeBlock::predictedMachineCodeSize()
 {
+    VM* vm = m_vm.unpoisoned();
     // This will be called from CodeBlock::CodeBlock before either m_vm or the
     // instructions have been initialized. It's OK to return 0 because what will really
     // matter is the recomputation of this value when the slow path is triggered.
-    if (!m_vm)
+    if (!vm)
         return 0;
     
-    if (!*m_vm->machineCodeBytesPerBytecodeWordForBaselineJIT)
+    if (!*vm->machineCodeBytesPerBytecodeWordForBaselineJIT)
         return 0; // It's as good of a prediction as we'll get.
     
     // Be conservative: return a size that will be an overestimation 84% of the time.
-    double multiplier = m_vm->machineCodeBytesPerBytecodeWordForBaselineJIT->mean() +
-        m_vm->machineCodeBytesPerBytecodeWordForBaselineJIT->standardDeviation();
+    double multiplier = vm->machineCodeBytesPerBytecodeWordForBaselineJIT->mean() +
+        vm->machineCodeBytesPerBytecodeWordForBaselineJIT->standardDeviation();
     
     // Be paranoid: silently reject bogus multipiers. Silently doing the "wrong" thing
@@ -3067 +3069 @@
     }
 
-    for (Bag<StructureStubInfo>::iterator iter = m_stubInfos.begin(); !!iter; ++iter) {
+    for (auto iter = m_stubInfos.begin(); !!iter; ++iter) {
         StructureStubInfo* stub = *iter;
         if (stub->containsPC(pc))