Changeset 226940 in webkit for trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

Timestamp:

Jan 13, 2018, 10:11:55 PM (7 years ago)

Author:

[email protected]

Message:

Replace all use of ConstExprPoisoned with Poisoned.
​https://bugs.webkit.org/show_bug.cgi?id=181542
<rdar://problem/36442138>

Reviewed by JF Bastien.

Source/JavaScriptCore:

1. All JSC poisons are now defined in JSCPoison.h.

2. Change all clients to use the new poison values via the POISON() macro.

3. The LLInt code has been updated to handle CodeBlock poison. Some of this code uses the t5 temp register, which is not available on the Windows port. Fortunately, we don't currently do poisoning on the Windows port yet. So, it will just work for now.

When poisoning is enabled for the Windows port, this LLInt code will need a
Windows specific implementation to workaround its lack of a t5 register.

• API/JSAPIWrapperObject.h:
• API/JSCallbackFunction.h:
• API/JSCallbackObject.h:
• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• assembler/MacroAssemblerCodeRef.h:

(JSC::MacroAssemblerCodePtr::emptyValue):
(JSC::MacroAssemblerCodePtr::deletedValue):

• b3/B3LowerMacros.cpp:
• b3/testb3.cpp:

(JSC::B3::testInterpreter):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::instructions):
(JSC::CodeBlock::instructions const):
(JSC::CodeBlock::makePoisonedUnique):

• dfg/DFGOSRExitCompilerCommon.h:

(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):

• jit/JIT.h:
• jit/ThunkGenerators.cpp:

(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• parser/UnlinkedSourceCode.h:
• runtime/ArrayPrototype.h:
• runtime/CustomGetterSetter.h:
• runtime/DateInstance.h:
• runtime/InternalFunction.h:
• runtime/JSArrayBuffer.h:
• runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.

(JSC::initializePoison):

• runtime/JSCPoison.h:

(): Deleted.

• runtime/JSCPoisonedPtr.cpp: Removed.
• runtime/JSCPoisonedPtr.h: Removed.
• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::makePoisonedUnique):

• runtime/JSScriptFetchParameters.h:
• runtime/JSScriptFetcher.h:
• runtime/NativeExecutable.h:
• runtime/StructureTransitionTable.h:

(JSC::StructureTransitionTable::map const):
(JSC::StructureTransitionTable::weakImpl const):

• runtime/WriteBarrier.h:

(JSC::WriteBarrier::poison):

• wasm/js/JSToWasm.cpp:

(JSC::Wasm::createJSToWasmWrapper):

• wasm/js/JSWebAssemblyCodeBlock.cpp:

(JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):

• wasm/js/JSWebAssemblyCodeBlock.h:
• wasm/js/JSWebAssemblyInstance.h:
• wasm/js/JSWebAssemblyMemory.h:
• wasm/js/JSWebAssemblyModule.h:
• wasm/js/JSWebAssemblyTable.h:
• wasm/js/WasmToJS.cpp:

(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):

• wasm/js/WebAssemblyFunctionBase.h:
• wasm/js/WebAssemblyModuleRecord.h:
• wasm/js/WebAssemblyToJSCallee.h:
• wasm/js/WebAssemblyWrapperFunction.h:

Source/WTF:

1. Removed ConstExprPoisoned and its artifacts.

2. Consolidated Poisoned into PoisonedImpl. PoisonedImpl is not more.

3. Changed all clients of ConstExprPoisoned to use Poisoned instead.

4. Worked around the GCC and Clang compiler bug that confuses an intptr_t& template arg with intptr_t. See use of std::enable_if_t<Other::isPoisoned> in Poisoned.h.

5. Removed ENABLE(MIXED_POISON) since we now have a workaround (3) that makes it possible to use the mixed poison code.

6. Also fixed broken implementation of comparison operators in Poisoned.

• wtf/Bag.h:
• wtf/DumbPtrTraits.h:

(WTF::DumbPtrTraits::poison):

• wtf/DumbValueTraits.h:

(WTF::DumbValueTraits::poison):

• wtf/Poisoned.h:

(WTF::Poisoned::Poisoned):
(WTF::Poisoned::operator== const):
(WTF::Poisoned::operator!= const):
(WTF::Poisoned::operator< const):
(WTF::Poisoned::operator<= const):
(WTF::Poisoned::operator> const):
(WTF::Poisoned::operator>= const):
(WTF::Poisoned::operator=):
(WTF::Poisoned::swap):
(WTF::swap):
(WTF::PoisonedPtrTraits::poison):
(WTF::PoisonedPtrTraits::swap):
(WTF::PoisonedValueTraits::poison):
(WTF::PoisonedValueTraits::swap):
(WTF::PoisonedImpl::PoisonedImpl): Deleted.
(WTF::PoisonedImpl::assertIsPoisoned const): Deleted.
(WTF::PoisonedImpl::assertIsNotPoisoned const): Deleted.
(WTF::PoisonedImpl::unpoisoned const): Deleted.
(WTF::PoisonedImpl::clear): Deleted.
(WTF::PoisonedImpl::operator* const): Deleted.
(WTF::PoisonedImpl::operator-> const): Deleted.
(WTF::PoisonedImpl::bits const): Deleted.
(WTF::PoisonedImpl::operator! const): Deleted.
(WTF::PoisonedImpl::operator bool const): Deleted.
(WTF::PoisonedImpl::operator== const): Deleted.
(WTF::PoisonedImpl::operator!= const): Deleted.
(WTF::PoisonedImpl::operator< const): Deleted.
(WTF::PoisonedImpl::operator<= const): Deleted.
(WTF::PoisonedImpl::operator> const): Deleted.
(WTF::PoisonedImpl::operator>= const): Deleted.
(WTF::PoisonedImpl::operator=): Deleted.
(WTF::PoisonedImpl::swap): Deleted.
(WTF::PoisonedImpl::exchange): Deleted.
(WTF::PoisonedImpl::poison): Deleted.
(WTF::PoisonedImpl::unpoison): Deleted.
(WTF::constExprPoisonRandom): Deleted.
(WTF::makeConstExprPoison): Deleted.
(WTF::ConstExprPoisonedPtrTraits::exchange): Deleted.
(WTF::ConstExprPoisonedPtrTraits::swap): Deleted.
(WTF::ConstExprPoisonedPtrTraits::unwrap): Deleted.
(WTF::ConstExprPoisonedValueTraits::exchange): Deleted.
(WTF::ConstExprPoisonedValueTraits::swap): Deleted.
(WTF::ConstExprPoisonedValueTraits::unwrap): Deleted.

• wtf/PoisonedUniquePtr.h:

(WTF::PoisonedUniquePtr::PoisonedUniquePtr):
(WTF::PoisonedUniquePtr::operator=):

• wtf/Ref.h:
• wtf/RefCountedArray.h:

(WTF::RefCountedArray::RefCountedArray):

• wtf/RefPtr.h:
• wtf/WTFAssertions.cpp:

Tools:

1. Converted tests to using new uintptr_t& poison type.
2. Added tests for Poisoned comparison operators.

• TestWebKitAPI/CMakeLists.txt:
• TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
• TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp: Removed.
• TestWebKitAPI/Tests/WTF/Poisoned.cpp:

(TestWebKitAPI::TEST):
(TestWebKitAPI::initializeTestPoison): Deleted.

• TestWebKitAPI/Tests/WTF/PoisonedRef.cpp:

(TestWebKitAPI::TEST):
(TestWebKitAPI::passWithRef):

• TestWebKitAPI/Tests/WTF/PoisonedRefPtr.cpp:

(TestWebKitAPI::TEST):
(TestWebKitAPI::f1):

• TestWebKitAPI/Tests/WTF/PoisonedUniquePtr.cpp:

(TestWebKitAPI::TEST):
(TestWebKitAPI::poisonedPtrFoo):

• TestWebKitAPI/Tests/WTF/PoisonedUniquePtrForNonTriviallyDestructibleArrays.cpp:

(TestWebKitAPI::TEST):

• TestWebKitAPI/Tests/WTF/PoisonedUniquePtrForTriviallyDestructibleArrays.cpp:

(TestWebKitAPI::TEST):

File:

• trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (16 diffs)

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -46 +46 @@
     loadp CodeBlock[cfr], PB
     loadp CodeBlock::m_instructions[PB], PB
-    unpoison(CodeBlockPoison, PB)
+    unpoison(_g_CodeBlockPoison, PB, t1)
     loadisFromInstruction(1, t1)
     storeq r0, [cfr, t1, 8]
@@ -481 +481 @@
 end
 
-macro structureIDToStructureWithScratch(structureIDThenStructure, scratch)
+macro structureIDToStructureWithScratch(structureIDThenStructure, scratch, scratch2)
     loadp CodeBlock[cfr], scratch
     loadp CodeBlock::m_poisonedVM[scratch], scratch
-    unpoison(CodeBlockPoison, scratch)
+    unpoison(_g_CodeBlockPoison, scratch, scratch2)
     loadp VM::heap + Heap::m_structureIDTable + StructureIDTable::m_table[scratch], scratch
     loadp [scratch, structureIDThenStructure, 8], structureIDThenStructure
 end
 
-macro loadStructureWithScratch(cell, structure, scratch)
+macro loadStructureWithScratch(cell, structure, scratch, scratch2)
     loadi JSCell::m_structureID[cell], structure
-    structureIDToStructureWithScratch(structure, scratch)
-end
-
-macro loadStructureAndClobberFirstArg(cell, structure)
-    loadi JSCell::m_structureID[cell], structure
-    loadp CodeBlock[cfr], cell
-    loadp CodeBlock::m_poisonedVM[cell], cell
-    unpoison(CodeBlockPoison, cell)
-    loadp VM::heap + Heap::m_structureIDTable + StructureIDTable::m_table[cell], cell
-    loadp [cell, structure, 8], structure
+    structureIDToStructureWithScratch(structure, scratch, scratch2)
 end
 
@@ -563 +554 @@
     loadp CodeBlock[cfr], t1
     loadp CodeBlock::m_instructions[t1], PB
-    unpoison(CodeBlockPoison, PB)
+    unpoison(_g_CodeBlockPoison, PB, t2)
     move 0, PC
     jmp doneLabel
@@ -642 +633 @@
     btqnz t0, tagMask, .opToThisSlow
     bbneq JSCell::m_type[t0], FinalObjectType, .opToThisSlow
-    loadStructureWithScratch(t0, t1, t2)
+    loadStructureWithScratch(t0, t1, t2, t3)
     loadpFromInstruction(2, t2)
     bpneq t1, t2, .opToThisSlow
@@ -725 +716 @@
     jmp .done
 .masqueradesAsUndefined:
-    loadStructureWithScratch(t0, t2, t1)
+    loadStructureWithScratch(t0, t2, t1, t3)
     loadp CodeBlock[cfr], t0
     loadp CodeBlock::m_globalObject[t0], t0
@@ -1164 +1155 @@
     dispatch(constexpr op_is_undefined_length)
 .masqueradesAsUndefined:
-    loadStructureWithScratch(t0, t3, t1)
+    loadStructureWithScratch(t0, t3, t1, t5)
     loadp CodeBlock[cfr], t1
     loadp CodeBlock::m_globalObject[t1], t1
@@ -1434 +1425 @@
     assert(macro (ok) btpnz t3, ok end)
 
-    structureIDToStructureWithScratch(t2, t1)
+    structureIDToStructureWithScratch(t2, t1, t5)
     loadq Structure::m_prototype[t2], t2
     bqeq t2, ValueNull, .opPutByIdTransitionChainDone
@@ -1741 +1732 @@
     loadq [cfr, t0, 8], t0
     btqnz t0, tagMask, .immediate
-    loadStructureWithScratch(t0, t2, t1)
+    loadStructureWithScratch(t0, t2, t1, t3)
     cellHandler(t2, JSCell::m_flags[t0], .target)
     dispatch(3)
@@ -1955 +1946 @@
     move t3, sp
     if POISON
-        loadp _g_jitCodePoison, t2
+        loadp _g_JITCodePoison, t2
         xorp LLIntCallLinkInfo::machineCodeTarget[t1], t2
         prepareCall(t2, t1, t3, t4)
@@ -2008 +1999 @@
     loadp CodeBlock[cfr], PB
     loadp CodeBlock::m_instructions[PB], PB
-    unpoison(CodeBlockPoison, PB)
+    unpoison(_g_CodeBlockPoison, PB, t2)
     loadp VM::targetInterpreterPCForThrow[t3], PC
     subp PB, PC
@@ -2085 +2076 @@
     checkStackPointerAlignment(t3, 0xdead0001)
     if C_LOOP
-        loadp _g_nativeCodePoison, t2
+        loadp _g_NativeCodePoison, t2
         xorp executableOffsetToFunction[t1], t2
         cloopCallNative t2
@@ -2094 +2085 @@
             addp 32, sp
         else
-            loadp _g_nativeCodePoison, t2
+            loadp _g_NativeCodePoison, t2
             xorp executableOffsetToFunction[t1], t2
             call t2
@@ -2128 +2119 @@
     checkStackPointerAlignment(t3, 0xdead0001)
     if C_LOOP
-        loadp _g_nativeCodePoison, t2
+        loadp _g_NativeCodePoison, t2
         xorp offsetOfFunction[t1], t2
         cloopCallNative t2
@@ -2137 +2128 @@
             addp 32, sp
         else
-            loadp _g_nativeCodePoison, t2
+            loadp _g_NativeCodePoison, t2
             xorp offsetOfFunction[t1], t2
             call t2
@@ -2248 +2239 @@
     loadisFromInstruction(operand, t0)
     loadq [cfr, t0, 8], t0
-    loadStructureWithScratch(t0, t2, t1)
+    loadStructureWithScratch(t0, t2, t1, t3)
     loadpFromInstruction(5, t1)
     bpneq t2, t1, slowPath
@@ -2501 +2492 @@
     loadp CodeBlock[cfr], t1
     loadp CodeBlock::m_poisonedVM[t1], t1
-    unpoison(CodeBlockPoison, t1)
+    unpoison(_g_CodeBlockPoison, t1, t3)
     # t1 is holding the pointer to the typeProfilerLog.
     loadp VM::m_typeProfilerLog[t1], t1