Title: [226485] trunk
Revision
226485
Author
jfbast...@apple.com
Date
2018-01-05 23:01:21 -0800 (Fri, 05 Jan 2018)

Log Message

WebAssembly: poison JS object's secrets
https://bugs.webkit.org/show_bug.cgi?id=181339
<rdar://problem/36325001>

Reviewed by Mark Lam.

Source/_javascript_Core:

Separating WebAssembly's JS objects from their non-JS
implementation means that all interesting information lives
outside of the JS object itself. This patch poisons each JS
object's pointer to non-JS implementation using the poisoning
mechanism and a unique key per JS object type origin.

* runtime/JSCPoison.h:
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
object in a stack slot when fast TLS is disabled. This requires
that we unpoison the Wasm::Instance.
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
be explicit that the pointer is poisoned.
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:

Source/WTF:

Swapping a poisoned pointer with a non-poisoned one (as is done in
JSWebAssemblyMemory::adopt) was missing.

* wtf/Poisoned.h:
(WTF::PoisonedImpl::swap):
(WTF::ConstExprPoisonedPtrTraits::swap):

Tools:

Update tests for swap(Poisoned<k, T>, T*)

* TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WTF/Poisoned.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WTF/PoisonedRef.cpp:
(TestWebKitAPI::TEST):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (226484 => 226485)


--- trunk/Source/_javascript_Core/ChangeLog	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,3 +1,30 @@
+2018-01-05  JF Bastien  <jfbast...@apple.com>
+
+        WebAssembly: poison JS object's secrets
+        https://bugs.webkit.org/show_bug.cgi?id=181339
+        <rdar://problem/36325001>
+
+        Reviewed by Mark Lam.
+
+        Separating WebAssembly's JS objects from their non-JS
+        implementation means that all interesting information lives
+        outside of the JS object itself. This patch poisons each JS
+        object's pointer to non-JS implementation using the poisoning
+        mechanism and a unique key per JS object type origin.
+
+        * runtime/JSCPoison.h:
+        * wasm/js/JSToWasm.cpp:
+        (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
+        object in a stack slot when fast TLS is disabled. This requires
+        that we unpoison the Wasm::Instance.
+        * wasm/js/JSWebAssemblyCodeBlock.h:
+        * wasm/js/JSWebAssemblyInstance.h:
+        (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
+        be explicit that the pointer is poisoned.
+        * wasm/js/JSWebAssemblyMemory.h:
+        * wasm/js/JSWebAssemblyModule.h:
+        * wasm/js/JSWebAssemblyTable.h:
+
 2018-01-05  Michael Saboff  <msab...@apple.com>
 
         Add ability to disable indexed property masking for testing

Modified: trunk/Source/_javascript_Core/runtime/JSCPoison.h (226484 => 226485)


--- trunk/Source/_javascript_Core/runtime/JSCPoison.h	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/runtime/JSCPoison.h	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -31,6 +31,11 @@
 
 enum Poison {
     NotPoisoned = 0,
+    JSWebAssemblyCodeBlockPoison,
+    JSWebAssemblyInstancePoison,
+    JSWebAssemblyMemoryPoison,
+    JSWebAssemblyModulePoison,
+    JSWebAssemblyTablePoison,
     TransitionMapPoison,
     WeakImplPoison,
 };
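Review bot: The `Poison` enum has no comment saying what its enumerators are used for, and the five new entries are inserted in the middle, which shifts the numeric values of `TransitionMapPoison` and `WeakImplPoison`. Elsewhere in this commit an enumerator is passed to `makeConstExprPoison(key)` and the result is emitted as a `TrustedImm64`, so the poison looks like a per-build constant rather than a per-process secret. A header comment would make both facts explicit, e.g. `// Keys for makeConstExprPoison(); values are build-local and must never be persisted or compared across builds.` It would also help to state the threat this defends against (presumably mis-typed or speculative loads of the field, not an attacker who can read the binary) so later users do not over-trust it.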

Modified: trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp (226484 => 226485)


--- trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -117,7 +117,9 @@
         // Wasm::Context*'s instance.
         if (!Context::useFastTLS()) {
             jit.loadPtr(CCallHelpers::Address(GPRInfo::callFrameRegister, jsOffset), wasmContextInstanceGPR);
-            jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfInstance()), wasmContextInstanceGPR);
+            jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfPoisonedInstance()), wasmContextInstanceGPR);
+            jit.move(CCallHelpers::TrustedImm64(makeConstExprPoison(JSWebAssemblyInstancePoison)), scratchReg);
+            jit.xor64(scratchReg, wasmContextInstanceGPR);
             jsOffset += sizeof(EncodedJSValue);
         }
 
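Review bot: The unpoison sequence added after the `offsetOfPoisonedInstance()` load hard-codes both the key (`JSWebAssemblyInstancePoison`) and the operation (`xor64`), and nothing ties them to the declaration `PoisonedRef<JSWebAssemblyInstancePoison, Wasm::Instance> m_instance` in JSWebAssemblyInstance.h. If either side changes alone, `wasmContextInstanceGPR` ends up holding a garbage pointer that is then used as the Wasm::Instance. I would add a comment at the xor such as `// Unpoison m_instance: key and XOR must match PoisonedRef<JSWebAssemblyInstancePoison, ...> in JSWebAssemblyInstance.h.`, or expose the key next to `offsetOfPoisonedInstance()` so the JIT reads it from one place. `scratchReg` is defined outside this hunk, so I cannot confirm from here that it is free and distinct from `wasmContextInstanceGPR` at this point.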

Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h (226484 => 226485)


--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,6 +28,7 @@
 #if ENABLE(WEBASSEMBLY)
 
 #include "CallLinkInfo.h"
+#include "JSCPoison.h"
 #include "JSCell.h"
 #include "PromiseDeferredTimer.h"
 #include "Structure.h"
@@ -36,6 +37,7 @@
 #include "WasmFormat.h"
 #include "WasmModule.h"
 #include <wtf/Bag.h>
+#include <wtf/Ref.h>
 #include <wtf/Vector.h>
 
 namespace JSC {
@@ -90,7 +92,7 @@
         void finalizeUnconditionally() override;
     };
 
-    Ref<Wasm::CodeBlock> m_codeBlock;
+    PoisonedRef<JSWebAssemblyCodeBlockPoison, Wasm::CodeBlock> m_codeBlock;
     Vector<MacroAssemblerCodeRef> m_wasmToJSExitStubs;
     UnconditionalFinalizer m_unconditionalFinalizer;
     Bag<CallLinkInfo> m_callLinkInfos;

Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyInstance.h (226484 => 226485)


--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyInstance.h	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyInstance.h	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,6 +27,7 @@
 
 #if ENABLE(WEBASSEMBLY)
 
+#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "JSWebAssemblyCodeBlock.h"
@@ -33,6 +34,7 @@
 #include "JSWebAssemblyMemory.h"
 #include "JSWebAssemblyTable.h"
 #include "WasmInstance.h"
+#include <wtf/Ref.h>
 
 namespace JSC {
 
@@ -74,7 +76,7 @@
         instance().setTable(makeRef(*table()->table()));
     }
 
-    static size_t offsetOfInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
+    static size_t offsetOfPoisonedInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
     static size_t offsetOfCallee() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_callee); }
 
 protected:
@@ -86,7 +88,7 @@
 private:
     JSWebAssemblyModule* module() const { return m_module.get(); }
 
-    Ref<Wasm::Instance> m_instance;
+    PoisonedRef<JSWebAssemblyInstancePoison, Wasm::Instance> m_instance;
 
     WriteBarrier<JSWebAssemblyModule> m_module;
     WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlock;

Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.h (226484 => 226485)


--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.h	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.h	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,9 +27,11 @@
 
 #if ENABLE(WEBASSEMBLY)
 
+#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "WasmMemory.h"
+#include <wtf/Ref.h>
 #include <wtf/RefPtr.h>
 
 namespace JSC {
@@ -65,9 +67,9 @@
     static void destroy(JSCell*);
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    Ref<Wasm::Memory> m_memory;
+    PoisonedRef<JSWebAssemblyMemoryPoison, Wasm::Memory> m_memory;
     WriteBarrier<JSArrayBuffer> m_bufferWrapper;
-    RefPtr<ArrayBuffer> m_buffer;
+    PoisonedRefPtr<JSWebAssemblyMemoryPoison, ArrayBuffer> m_buffer;
 };
 
 } // namespace JSC
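Review bot: `m_memory` and `m_buffer` are both poisoned with `JSWebAssemblyMemoryPoison` although they point at different types (`Wasm::Memory` and `ArrayBuffer`), so the stored bits of one field unpoison to a usable pointer when read through the other. That matches the commit message's "unique key per JS object type", but the header does not say the sharing is deliberate. A short comment above the two members would settle it, e.g. `// Both fields use the per-class key: poisoning separates JSWebAssemblyMemory from other cell types, not these two fields from each other.` If field-level separation is wanted, a second enumerator for the buffer would be the change.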

Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyModule.h (226484 => 226485)


--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyModule.h	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyModule.h	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,6 +27,7 @@
 
 #if ENABLE(WEBASSEMBLY)
 
+#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "UnconditionalFinalizer.h"
@@ -34,6 +35,7 @@
 #include <wtf/Bag.h>
 #include <wtf/Expected.h>
 #include <wtf/Forward.h>
+#include <wtf/Ref.h>
 #include <wtf/text/WTFString.h>
 
 namespace JSC {
@@ -79,7 +81,7 @@
     static void destroy(JSCell*);
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    Ref<Wasm::Module> m_module;
+    PoisonedRef<JSWebAssemblyModulePoison, Wasm::Module> m_module;
     WriteBarrier<SymbolTable> m_exportSymbolTable;
     WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlocks[Wasm::NumberOfMemoryModes];
     WriteBarrier<WebAssemblyToJSCallee> m_callee;

Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyTable.h (226484 => 226485)


--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyTable.h	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyTable.h	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,6 +27,7 @@
 
 #if ENABLE(WEBASSEMBLY)
 
+#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "WasmLimits.h"
@@ -34,6 +35,7 @@
 #include "WebAssemblyWrapperFunction.h"
 #include "WebAssemblyFunction.h"
 #include <wtf/MallocPtr.h>
+#include <wtf/Ref.h>
 
 namespace JSC {
 
@@ -63,7 +65,7 @@
     static void destroy(JSCell*);
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    Ref<Wasm::Table> m_table;
+    PoisonedRef<JSWebAssemblyTablePoison, Wasm::Table> m_table;
     MallocPtr<WriteBarrier<JSObject>> m_jsFunctions;
 };
 

Modified: trunk/Source/WTF/ChangeLog (226484 => 226485)


--- trunk/Source/WTF/ChangeLog	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/WTF/ChangeLog	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,3 +1,18 @@
+2018-01-05  JF Bastien  <jfbast...@apple.com>
+
+        WebAssembly: poison JS object's secrets
+        https://bugs.webkit.org/show_bug.cgi?id=181339
+        <rdar://problem/36325001>
+
+        Reviewed by Mark Lam.
+
+        swapping a poisoned pointer with a non-poisoned one (as is done in
+        JSWebAssembyMemory::adopt) was missing.
+
+        * wtf/Poisoned.h:
+        (WTF::PoisonedImpl::swap):
+        (WTF::ConstExprPoisonedPtrTraits::swap):
+
 2018-01-05  David Kilzer  <ddkil...@apple.com>
 
         Re-enable -Wcast-qual in WebCore for Apple ports

Modified: trunk/Source/WTF/wtf/Poisoned.h (226484 => 226485)


--- trunk/Source/WTF/wtf/Poisoned.h	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/WTF/wtf/Poisoned.h	2018-01-06 07:01:21 UTC (rev 226485)
@@ -182,6 +182,13 @@
         o = t2;
     }
 
+    void swap(T& t2)
+    {
+        T t1 = this->unpoisoned();
+        std::swap(t1, t2);
+        m_poisonedBits = poison(t1);
+    }
+
     template<class U>
     T exchange(U&& newValue)
     {
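Review bot: The new `swap(T& t2)` member hands the previously poisoned value back to the caller in plain form through `t2`, and nothing at the declaration says so. Since this is one of the few places where an unpoisoned pointer leaves the wrapper, a one-line comment would help callers keep that value short-lived, e.g. `// Swaps with an unpoisoned T: on return t2 holds the raw value this object used to protect.` The enclosing class begins outside this hunk, so I cannot see whether `poison()` treats a null `t1` specially.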
@@ -212,6 +219,12 @@
     a.swap(b);
 }
 
+template<typename K1, K1 k1, typename T1>
+inline void swap(PoisonedImpl<K1, k1, T1>& a, T1& b)
+{
+    a.swap(b);
+}
+
 WTF_EXPORT_PRIVATE uintptr_t makePoison();
 
 inline constexpr uintptr_t makeConstExprPoison(uint32_t key)
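Review bot: The added free function only accepts the poisoned operand first, so `swap(poisoned, raw)` compiles but `swap(raw, poisoned)` does not find this overload. Generic code that calls unqualified `swap` with the arguments in the other order will either fail to compile or pick a different overload. A mirrored overload keeps the two orders equivalent: `template<typename K1, K1 k1, typename T1> inline void swap(T1& a, PoisonedImpl<K1, k1, T1>& b) { b.swap(a); }`. The same applies to the `ConstExprPoisonedPtrTraits::swap` added in the next hunk if traits users can pass the operands in either order.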
@@ -241,6 +254,9 @@
 
     template<class U> static ALWAYS_INLINE T* exchange(StorageType& ptr, U&& newValue) { return ptr.exchange(newValue); }
 
+    template<typename K1, K1 k1, typename T1>
+    static ALWAYS_INLINE void swap(PoisonedImpl<K1, k1, T1>& a, T1& b) { a.swap(b); }
+
     template<typename K1, K1 k1, typename T1, typename K2, K2 k2, typename T2>
     static ALWAYS_INLINE void swap(PoisonedImpl<K1, k1, T1>& a, PoisonedImpl<K2, k2, T2>& b) { a.swap(b); }
 
@@ -252,5 +268,5 @@
 using WTF::ConstExprPoisoned;
 using WTF::Poisoned;
 using WTF::PoisonedBits;
+using WTF::makeConstExprPoison;
 using WTF::makePoison;
-

Modified: trunk/Tools/ChangeLog (226484 => 226485)


--- trunk/Tools/ChangeLog	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Tools/ChangeLog	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,3 +1,20 @@
+2018-01-05  JF Bastien  <jfbast...@apple.com>
+
+        WebAssembly: poison JS object's secrets
+        https://bugs.webkit.org/show_bug.cgi?id=181339
+        <rdar://problem/36325001>
+
+        Reviewed by Mark Lam.
+
+        Update tests for swap(Poisoned<k, T>, T*)
+
+        * TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp:
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/Tests/WTF/Poisoned.cpp:
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/Tests/WTF/PoisonedRef.cpp:
+        (TestWebKitAPI::TEST):
+
 2018-01-05  Wenson Hsieh  <wenson_hs...@apple.com>
 
         REGRESSION(r226396) DataInteractionTests: ContentEditableToContentEditable and ContentEditableToTextarea are failing

Modified: trunk/Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp (226484 => 226485)


--- trunk/Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -337,6 +337,30 @@
         ASSERT_TRUE(p1.bits() == p3.bits());
         ASSERT_TRUE(p2.bits() != p4.bits());
     }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+        RefLogger* p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2);
+        swap(p1, p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2);
+
+        ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+        RefLogger* p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2);
+        p1.swap(p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2);
+
+        ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+    }
 }
 
 static ConstExprPoisoned<PoisonA, RefLogger*> poisonedPtrFoo(RefLogger& logger)
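Review bot: The closing assertion in both new blocks, `ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));`, does not check that `p1` is stored poisoned after the swap. At that point `p1` holds `&b` and `p2` is `&a`, so the comparison is between two different objects and would pass even if `swap(T&)` wrote the raw pointer into `m_poisonedBits`. Comparing against the pointer `p1` actually holds pins the property: `ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(&b));`. The two blocks added to Tests/WTF/Poisoned.cpp in this commit use the same assertion and need the same change.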

Modified: trunk/Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp (226484 => 226485)


--- trunk/Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -376,6 +376,32 @@
         ASSERT_TRUE(p2.bits() != p4.bits());
 #endif
     }
+
+#if ENABLE(MIXED_POISON)
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+        RefLogger* p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2);
+        swap(p1, p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2);
+
+        ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+        RefLogger* p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2);
+        p1.swap(p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2);
+
+        ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+    }
+#endif
 }
 
 static Poisoned<g_testPoisonA, RefLogger*> poisonedPtrFoo(RefLogger& logger)

Modified: trunk/Tools/TestWebKitAPI/Tests/WTF/PoisonedRef.cpp (226484 => 226485)


--- trunk/Tools/TestWebKitAPI/Tests/WTF/PoisonedRef.cpp	2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Tools/TestWebKitAPI/Tests/WTF/PoisonedRef.cpp	2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -194,6 +194,32 @@
         log() << "| ";
     }
     EXPECT_STREQ("ref(a) ref(b) | | deref(a) deref(b) ", takeLogStr().c_str());
+
+    {
+        PoisonedRef<PoisonF, RefLogger> p1(a);
+        Ref<RefLogger> p2(b);
+        log() << "| ";
+        EXPECT_EQ(&a, p1.ptr());
+        EXPECT_EQ(&b, p2.ptr());
+        swap(p1, p2);
+        EXPECT_EQ(&b, p1.ptr());
+        EXPECT_EQ(&a, p2.ptr());
+        log() << "| ";
+    }
+    EXPECT_STREQ("ref(a) ref(b) | | deref(a) deref(b) ", takeLogStr().c_str());
+
+    {
+        PoisonedRef<PoisonF, RefLogger> p1(a);
+        Ref<RefLogger> p2(b);
+        log() << "| ";
+        EXPECT_EQ(&a, p1.ptr());
+        EXPECT_EQ(&b, p2.ptr());
+        p1.swap(p2);
+        EXPECT_EQ(&b, p1.ptr());
+        EXPECT_EQ(&a, p2.ptr());
+        log() << "| ";
+    }
+    EXPECT_STREQ("ref(a) ref(b) | | deref(a) deref(b) ", takeLogStr().c_str());
 }
 
 struct PoisonedRefCheckingRefLogger : RefLogger {