Changeset 226530 in webkit for trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

Timestamp:

Jan 8, 2018, 1:05:17 PM (7 years ago)

Author:

[email protected]

Message:

Apply poisoning to more pointers in JSC.
​https://bugs.webkit.org/show_bug.cgi?id=181096
<rdar://problem/36182970>

Reviewed by JF Bastien.

Source/JavaScriptCore:

• assembler/MacroAssembler.h:

(JSC::MacroAssembler::xorPtr):

• assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::xor64):

• assembler/MacroAssemblerX86_64.h:

(JSC::MacroAssemblerX86_64::xor64):

• Add xorPtr implementation.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::inferredName const):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::visitWeakly):
(JSC::CodeBlock::visitChildren):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
(JSC::CodeBlock::finalizeBaselineJITInlineCaches):
(JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
(JSC::CodeBlock::jettison):
(JSC::CodeBlock::predictedMachineCodeSize):
(JSC::CodeBlock::findPC):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer):
(JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester):
(JSC::CodeBlock::stubInfoBegin):
(JSC::CodeBlock::stubInfoEnd):
(JSC::CodeBlock::callLinkInfosBegin):
(JSC::CodeBlock::callLinkInfosEnd):
(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
(JSC::CodeBlock::vm const):

• dfg/DFGOSRExitCompilerCommon.h:

(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):

• jit/JIT.h:
• llint/LLIntOfflineAsmConfig.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter64.asm:
• parser/UnlinkedSourceCode.h:
• runtime/JSCPoison.h:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

• runtime/JSGlobalObject.h:
• runtime/JSScriptFetchParameters.h:
• runtime/JSScriptFetcher.h:
• runtime/StructureTransitionTable.h:
• wasm/js/JSWebAssemblyCodeBlock.cpp:

(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
(JSC::JSWebAssemblyCodeBlock::visitChildren):
(JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):

• wasm/js/JSWebAssemblyCodeBlock.h:

Source/WTF:

Added support for PoisonedBag and PoisonedRefCountedArray.

• wtf/Bag.h:

(WTF::Private::BagNode::BagNode):
(WTF::Bag::Bag):
(WTF::Bag::operator=):
(WTF::Bag::clear):
(WTF::Bag::add):
(WTF::Bag::begin):
(WTF::Bag::unwrappedHead):
(WTF::Bag::Node::Node): Deleted.

• wtf/BagToHashMap.h:

(WTF::toHashMap):

• wtf/Poisoned.h:

(WTF::constExprPoisonRandom):
(WTF::makeConstExprPoison):

• wtf/RefCountedArray.h:

(WTF::RefCountedArray::RefCountedArray):
(WTF::RefCountedArray::clone const):
(WTF::RefCountedArray::operator=):
(WTF::RefCountedArray::~RefCountedArray):
(WTF::RefCountedArray::refCount const):
(WTF::RefCountedArray::size const):
(WTF::RefCountedArray::data):
(WTF::RefCountedArray::begin):
(WTF::RefCountedArray::end):
(WTF::RefCountedArray::data const):
(WTF::RefCountedArray::begin const):
(WTF::RefCountedArray::operator== const):
(WTF::RefCountedArray::Header::fromPayload):

• wtf/WTFAssertions.cpp:

File:

• trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (8 diffs)

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1 @@
-# Copyright (C) 2011-2017 Apple Inc. All rights reserved.
+# Copyright (C) 2011-2018 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -46 +46 @@
     loadp CodeBlock[cfr], PB
     loadp CodeBlock::m_instructions[PB], PB
+    unpoison(CodeBlockPoison, PB)
     loadisFromInstruction(1, t1)
     storeq r0, [cfr, t1, 8]
@@ -483 +484 @@
     loadp CodeBlock[cfr], scratch
     loadp CodeBlock::m_vm[scratch], scratch
+    unpoison(CodeBlockPoison, scratch)
     loadp VM::heap + Heap::m_structureIDTable + StructureIDTable::m_table[scratch], scratch
     loadp [scratch, structureIDThenStructure, 8], structureIDThenStructure
@@ -496 +498 @@
     loadp CodeBlock[cfr], cell
     loadp CodeBlock::m_vm[cell], cell
+    unpoison(CodeBlockPoison, cell)
     loadp VM::heap + Heap::m_structureIDTable + StructureIDTable::m_table[cell], cell
     loadp [cell, structure, 8], structure
@@ -560 +563 @@
     loadp CodeBlock[cfr], t1
     loadp CodeBlock::m_instructions[t1], PB
+    unpoison(CodeBlockPoison, PB)
     move 0, PC
     jmp doneLabel
@@ -1950 +1954 @@
     storei t2, ArgumentCount + PayloadOffset[t3]
     move t3, sp
-    if X86_64_WIN
-        prepareCall(LLIntCallLinkInfo::machineCodeTarget[t1], t2, t3, t4)
-        callTargetFunction(LLIntCallLinkInfo::machineCodeTarget[t1])
-    else
+    if POISON
         loadp _g_jitCodePoison, t2
         xorp LLIntCallLinkInfo::machineCodeTarget[t1], t2
         prepareCall(t2, t1, t3, t4)
         callTargetFunction(t2)
+    else
+        prepareCall(LLIntCallLinkInfo::machineCodeTarget[t1], t2, t3, t4)
+        callTargetFunction(LLIntCallLinkInfo::machineCodeTarget[t1])
     end
 
@@ -2004 +2008 @@
     loadp CodeBlock[cfr], PB
     loadp CodeBlock::m_instructions[PB], PB
+    unpoison(CodeBlockPoison, PB)
     loadp VM::targetInterpreterPCForThrow[t3], PC
     subp PB, PC
@@ -2496 +2501 @@
     loadp CodeBlock[cfr], t1
     loadp CodeBlock::m_vm[t1], t1
+    unpoison(CodeBlockPoison, t1)
     # t1 is holding the pointer to the typeProfilerLog.
     loadp VM::m_typeProfilerLog[t1], t1