Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/API/JSCallbackObject.h (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/API/JSCallbackObject.h 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/API/JSCallbackObject.h 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
* Copyright (C) 2007 Eric Seidel <e...@webkit.org>
*
* Redistribution and use in source and binary forms, with or without
@@ -228,7 +228,7 @@
static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
WTF::PoisonedUniquePtr<JSCallbackObjectPoison, JSCallbackObjectData> m_callbackObjectData;
- PoisonedClassInfoPtr m_classInfo;
+ const ClassInfo* m_classInfo { nullptr };
};
} // namespace JSC
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/API/JSObjectRef.cpp (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/API/JSObjectRef.cpp 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/API/JSObjectRef.cpp 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
* Copyright (C) 2008 Kelvin W Sherlock (ksherl...@gmail.com)
*
* Redistribution and use in source and binary forms, with or without
@@ -551,7 +551,7 @@
if (vm.currentlyDestructingCallbackObject != jsObject)
return jsObject->classInfo(vm);
- return vm.currentlyDestructingCallbackObjectClassInfo.unpoisoned();
+ return vm.currentlyDestructingCallbackObjectClassInfo;
}
void* JSObjectGetPrivate(JSObjectRef object)
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,70 @@
2019-02-26 Mark Lam <mark....@apple.com>
+ Unpoison MacroAssemblerCodePtr, ClassInfo pointers, and a few other things.
+ https://bugs.webkit.org/show_bug.cgi?id=195039
+
+ Reviewed by Saam Barati.
+
+ 1. Unpoison MacroAssemblerCodePtrs, ReturnAddressPtr.
+ 2. Replace PoisonedClassInfoPtr with ClassInfo*.
+ 3. Replace PoisonedMasmPtr with const void*.
+ 4. Remove all references to CodeBlockPoison, JITCodePoison, and GlobalDataPoison.
+
+ * API/JSCallbackObject.h:
+ * API/JSObjectRef.cpp:
+ (classInfoPrivate):
+ * assembler/MacroAssemblerCodeRef.h:
+ (JSC::FunctionPtr::FunctionPtr):
+ (JSC::FunctionPtr::executableAddress const):
+ (JSC::FunctionPtr::retaggedExecutableAddress const):
+ (JSC::ReturnAddressPtr::ReturnAddressPtr):
+ (JSC::ReturnAddressPtr::value const):
+ (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+ (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+ (JSC::MacroAssemblerCodePtr:: const):
+ (JSC::MacroAssemblerCodePtr::operator! const):
+ (JSC::MacroAssemblerCodePtr::operator== const):
+ (JSC::MacroAssemblerCodePtr::hash const):
+ (JSC::MacroAssemblerCodePtr::emptyValue):
+ (JSC::MacroAssemblerCodePtr::deletedValue):
+ (JSC::FunctionPtr<tag>::FunctionPtr):
+ (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
+ * b3/B3LowerMacros.cpp:
+ * b3/testb3.cpp:
+ (JSC::B3::testInterpreter):
+ * dfg/DFGOSRExitCompilerCommon.h:
+ (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+ (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+ (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+ (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+ (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
+ (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+ * dfg/DFGSpeculativeJIT.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+ (JSC::boundThisNoArgsFunctionCallGenerator):
+ * runtime/JSCPoison.h:
+ * runtime/JSDestructibleObject.h:
+ (JSC::JSDestructibleObject::classInfo const):
+ * runtime/JSSegmentedVariableObject.h:
+ (JSC::JSSegmentedVariableObject::classInfo const):
+ * runtime/Structure.h:
+ * runtime/VM.h:
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::addCall):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+
+2019-02-26 Mark Lam <mark....@apple.com>
+
Misc cleanup in StructureIDTable after r242096.
https://bugs.webkit.org/show_bug.cgi?id=195063
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -26,7 +26,6 @@
#pragma once
#include "ExecutableAllocator.h"
-#include "JSCPoison.h"
#include "JSCPtrTag.h"
#include <wtf/DataLog.h>
#include <wtf/PrintStream.h>
@@ -74,7 +73,6 @@
: m_value(tagCFunctionPtr<void*, tag>(value))
{
assertIsNullOrCFunctionPtr(value);
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
}
@@ -87,7 +85,6 @@
: m_value(tagCFunctionPtr<void*, tag>(value))
{
assertIsNullOrCFunctionPtr(value);
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
}
@@ -100,7 +97,6 @@
: m_value(tagCFunctionPtr<void*, tag>(value))
{
assertIsNullOrCFunctionPtr(value);
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
}
@@ -114,7 +110,6 @@
: m_value(tagCFunctionPtr<void*, tag>(value))
{
assertIsNullOrCFunctionPtr(value);
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
}
@@ -130,7 +125,6 @@
void* executableAddress() const
{
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
return m_value;
}
@@ -137,7 +131,6 @@
template<PtrTag newTag>
void* retaggedExecutableAddress() const
{
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
return retagCodePtr<tag, newTag>(m_value);
}
@@ -152,7 +145,6 @@
explicit FunctionPtr(const FunctionPtr<otherTag>& other)
: m_value(retagCodePtr<otherTag, tag>(other.executableAddress()))
{
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
}
@@ -179,7 +171,6 @@
explicit ReturnAddressPtr(const void* value)
: m_value(value)
{
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
ASSERT_VALID_CODE_POINTER(m_value);
}
@@ -187,13 +178,11 @@
explicit ReturnAddressPtr(FunctionPtr<tag> function)
: m_value(untagCodePtr<tag>(function.executableAddress()))
{
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
ASSERT_VALID_CODE_POINTER(m_value);
}
const void* value() const
{
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
return m_value;
}
@@ -231,12 +220,11 @@
#endif
{
assertIsTaggedWith(value, tag);
- m_value.assertIsPoisoned();
ASSERT(value);
#if CPU(ARM_THUMB2)
ASSERT(!(reinterpret_cast<uintptr_t>(value) & 1));
#endif
- ASSERT_VALID_CODE_POINTER(m_value.unpoisoned());
+ ASSERT_VALID_CODE_POINTER(m_value);
}
static MacroAssemblerCodePtr createFromExecutableAddress(const void* value)
@@ -245,8 +233,7 @@
ASSERT_VALID_CODE_POINTER(value);
assertIsTaggedWith(value, tag);
MacroAssemblerCodePtr result;
- result.m_value = PoisonedMasmPtr(value);
- result.m_value.assertIsPoisoned();
+ result.m_value = value;
return result;
}
@@ -255,12 +242,9 @@
{
assertIsNotTagged(ra.value());
ASSERT(ra.value());
- m_value.assertIsPoisoned();
- ASSERT_VALID_CODE_POINTER(m_value.unpoisoned());
+ ASSERT_VALID_CODE_POINTER(m_value);
}
- PoisonedMasmPtr poisonedPtr() const { return m_value; }
-
template<PtrTag newTag>
MacroAssemblerCodePtr<newTag> retagged() const
{
@@ -272,22 +256,19 @@
template<typename T = void*>
T executableAddress() const
{
- m_value.assertIsPoisoned();
- return m_value.unpoisoned<T>();
+ return bitwise_cast<T>(m_value);
}
template<typename T = void*>
T untaggedExecutableAddress() const
{
- m_value.assertIsPoisoned();
- return untagCodePtr<T, tag>(m_value.unpoisoned());
+ return untagCodePtr<T, tag>(m_value);
}
template<PtrTag newTag, typename T = void*>
T retaggedExecutableAddress() const
{
- m_value.assertIsPoisoned();
- return retagCodePtr<T, tag, newTag>(m_value.unpoisoned());
+ return retagCodePtr<T, tag, newTag>(m_value);
}
#if CPU(ARM_THUMB2)
@@ -295,26 +276,20 @@
template<typename T = void*>
T dataLocation() const
{
- m_value.assertIsPoisoned();
- ASSERT_VALID_CODE_POINTER(m_value.unpoisoned());
- return bitwise_cast<T>(m_value ? m_value.unpoisoned<char*>() - 1 : nullptr);
+ ASSERT_VALID_CODE_POINTER(m_value);
+ return bitwise_cast<T>(m_value ? bitwise_cast<char*>(m_value) - 1 : nullptr);
}
#else
template<typename T = void*>
T dataLocation() const
{
- m_value.assertIsPoisoned();
ASSERT_VALID_CODE_POINTER(m_value);
- return untagCodePtr<T, tag>(m_value.unpoisoned());
+ return untagCodePtr<T, tag>(m_value);
}
#endif
bool operator!() const
{
-#if ENABLE(POISON_ASSERTS)
- if (!isEmptyValue() && !isDeletedValue())
- m_value.assertIsPoisoned();
-#endif
return !m_value;
}
explicit operator bool() const { return !(!*this); }
@@ -321,17 +296,11 @@
bool operator==(const MacroAssemblerCodePtr& other) const
{
-#if ENABLE(POISON_ASSERTS)
- if (!isEmptyValue() && !isDeletedValue())
- m_value.assertIsPoisoned();
- if (!other.isEmptyValue() && !other.isDeletedValue())
- other.m_value.assertIsPoisoned();
-#endif
return m_value == other.m_value;
}
// Disallow any casting operations (except for booleans). Instead, the client
- // should be asking for poisonedPtr() or executableAddress() explicitly.
+ // should be asking executableAddress() explicitly.
template<typename T, typename = std::enable_if_t<!std::is_same<T, bool>::value>>
operator T() = delete;
@@ -356,15 +325,15 @@
bool isEmptyValue() const { return m_value == emptyValue(); }
bool isDeletedValue() const { return m_value == deletedValue(); }
- unsigned hash() const { return IntHash<uintptr_t>::hash(m_value.bits()); }
+ unsigned hash() const { return PtrHash<const void*>::hash(m_value); }
static void initialize();
private:
- static PoisonedMasmPtr emptyValue() { return PoisonedMasmPtr(AlreadyPoisoned, 1); }
- static PoisonedMasmPtr deletedValue() { return PoisonedMasmPtr(AlreadyPoisoned, 2); }
+ static const void* emptyValue() { return bitwise_cast<void*>(static_cast<intptr_t>(1)); }
+ static const void* deletedValue() { return bitwise_cast<void*>(static_cast<intptr_t>(2)); }
- PoisonedMasmPtr m_value;
+ const void* m_value { nullptr };
};
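Review bot: The new `const void* m_value { nullptr };` at the end of this hunk carries no comment saying what now protects a stored code pointer, after every `assertIsPoisoned`/`unpoisoned()` pair in the earlier hunks of this file was dropped. The constructors still run `assertIsTaggedWith(value, tag)` and `ASSERT_VALID_CODE_POINTER(m_value)`, so pointer tagging is the remaining check, but a reader only learns that by reading the constructors; a one-line comment would make it explicit: `const void* m_value { nullptr }; // tagged code pointer (PtrTag); poisoning removed in r242472`. The sentinel helpers `emptyValue()`/`deletedValue()` now produce raw addresses 1 and 2 while `operator!` no longer special-cases them; presumably that matches the previous `AlreadyPoisoned` bits, but a short comment on those two lines would confirm the intent.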
template<PtrTag tag>
@@ -488,7 +457,6 @@
inline FunctionPtr<tag>::FunctionPtr(MacroAssemblerCodePtr<tag> ptr)
: m_value(ptr.executableAddress())
{
- PoisonedMasmPtr::assertIsNotPoisoned(m_value);
}
} // namespace JSC
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/b3/B3LowerMacros.cpp (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/b3/B3LowerMacros.cpp 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/b3/B3LowerMacros.cpp 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -507,12 +507,9 @@
GPRReg index = params[0].gpr();
GPRReg scratch = params.gpScratch(0);
- GPRReg poisonScratch = params.gpScratch(1);
- jit.move(CCallHelpers::TrustedImm64(JITCodePoison::key()), poisonScratch);
jit.move(CCallHelpers::TrustedImmPtr(jumpTable), scratch);
jit.load64(CCallHelpers::BaseIndex(scratch, index, CCallHelpers::timesPtr()), scratch);
- jit.xor64(poisonScratch, scratch);
jit.jump(scratch, JSSwitchPtrTag);
// These labels are guaranteed to be populated before either late paths or
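Review bot: `params.gpScratch(1)` is no longer used here, but nothing in the hunk lowers the number of GP scratch registers the enclosing patchpoint requests; if that count (set outside this hunk) is still 2, a register is now reserved for nothing on this switch lowering. The testb3.cpp hunk in `testInterpreter` removes its `poisonScratch` the same way and has the same question. Worth checking both patchpoints' `numGPScratchRegisters` and reducing to 1 where only `scratch` remains. The enclosing generator lambda starts and ends outside this hunk.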
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/b3/testb3.cpp (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/b3/testb3.cpp 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/b3/testb3.cpp 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -13369,12 +13369,9 @@
params.proc().addDataSection(sizeof(MacroAssemblerCodePtr<B3CompilationPtrTag>) * labels.size()));
GPRReg scratch = params.gpScratch(0);
- GPRReg poisonScratch = params.gpScratch(1);
jit.move(CCallHelpers::TrustedImmPtr(jumpTable), scratch);
- jit.move(CCallHelpers::TrustedImm64(JITCodePoison::key()), poisonScratch);
jit.load64(CCallHelpers::BaseIndex(scratch, params[0].gpr(), CCallHelpers::timesPtr()), scratch);
- jit.xor64(poisonScratch, scratch);
jit.jump(scratch, B3CompilationPtrTag);
jit.addLinkTask(
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.h (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.h 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.h 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -87,7 +87,6 @@
// We need to make sure SP is correct in case of an exception.
jit.loadPtr(MacroAssembler::Address(GPRInfo::callFrameRegister, CallFrameSlot::codeBlock * static_cast<int>(sizeof(Register))), GPRInfo::regT0);
jit.loadPtr(MacroAssembler::Address(GPRInfo::regT0, CodeBlock::jitCodeOffset()), GPRInfo::regT0);
- jit.xorPtr(MacroAssembler::TrustedImmPtr(CodeBlockPoison::key()), GPRInfo::regT0);
jit.addPtr(MacroAssembler::TrustedImm32(JITCodeType::commonDataOffset()), GPRInfo::regT0);
jit.load32(MacroAssembler::Address(GPRInfo::regT0, CommonData::frameRegisterCountOffset()), GPRInfo::regT0);
// This does virtualRegisterForLocal(frameRegisterCount - 1)*sizeof(Register) where:
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-03-05 17:21:03 UTC (rev 242472)
@@ -9341,10 +9341,6 @@
m_jit.emitLoadStructure(*m_jit.vm(), baseGPR, otherGPR, specifiedGPR);
m_jit.loadPtr(CCallHelpers::Address(otherGPR, Structure::classInfoOffset()), otherGPR);
-#if USE(JSVALUE64)
- m_jit.move(CCallHelpers::TrustedImm64(GlobalDataPoison::key()), specifiedGPR);
- m_jit.xor64(specifiedGPR, otherGPR);
-#endif
m_jit.move(CCallHelpers::TrustedImmPtr(node->classInfo()), specifiedGPR);
CCallHelpers::Label loop = m_jit.label();
@@ -9638,7 +9634,7 @@
slowPath);
m_jit.storePtr(
- TrustedImmPtr(PoisonedClassInfoPtr(StringObject::info()).bits()),
+ TrustedImmPtr(StringObject::info()),
JITCompiler::Address(resultGPR, JSDestructibleObject::classInfoOffset()));
#if USE(JSVALUE64)
m_jit.store64(
@@ -10481,7 +10477,7 @@
}
void SpeculativeJIT::emitSwitchIntJump(
- SwitchData* data, GPRReg value, GPRReg scratch, GPRReg poisonScratch)
+ SwitchData* data, GPRReg value, GPRReg scratch)
{
SimpleJumpTable& table = m_jit.codeBlock()->switchJumpTable(data->switchTableIndex);
table.ensureCTITable();
@@ -10489,16 +10485,9 @@
addBranch(
m_jit.branch32(JITCompiler::AboveOrEqual, value, Imm32(table.ctiOffsets.size())),
data->fallThrough.block);
- UNUSED_PARAM(poisonScratch); // Placate the 32-bit build.
-#if USE(JSVALUE64)
- m_jit.move(TrustedImm64(JITCodePoison::key()), poisonScratch);
-#endif
m_jit.move(TrustedImmPtr(table.ctiOffsets.begin()), scratch);
m_jit.loadPtr(JITCompiler::BaseIndex(scratch, value, JITCompiler::timesPtr()), scratch);
-#if USE(JSVALUE64)
- m_jit.xor64(poisonScratch, scratch);
-#endif
m_jit.jump(scratch, JSSwitchPtrTag);
data->didUseJumpTable = true;
}
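Review bot: `emitSwitchIntJump` now jumps straight to the pointer loaded from `table.ctiOffsets`, and nothing in the hunk records what guards that table entry now that the XOR with `JITCodePoison::key()` is gone; the remaining check is the `JSSwitchPtrTag` passed to `m_jit.jump`, which as far as I know is only enforced on pointer-authentication hardware. A short comment above the load would make the trade-off explicit for the next maintainer: `// Table entries are tagged with JSSwitchPtrTag; the poison XOR was removed in r242472.` The same applies to the B3 jump-table loads in the B3LowerMacros.cpp and testb3.cpp hunks.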
@@ -10509,8 +10498,7 @@
case Int32Use: {
SpeculateInt32Operand value(this, node->child1());
GPRTemporary temp(this);
- GPRTemporary temp2(this);
- emitSwitchIntJump(data, value.gpr(), temp.gpr(), temp2.gpr());
+ emitSwitchIntJump(data, value.gpr(), temp.gpr());
noResult(node);
break;
}
@@ -10518,15 +10506,13 @@
case UntypedUse: {
JSValueOperand value(this, node->child1());
GPRTemporary temp(this);
- GPRTemporary temp2(this);
JSValueRegs valueRegs = value.jsValueRegs();
GPRReg scratch = temp.gpr();
- GPRReg scratch2 = temp2.gpr();
value.use();
auto notInt32 = m_jit.branchIfNotInt32(valueRegs);
- emitSwitchIntJump(data, valueRegs.payloadGPR(), scratch, scratch2);
+ emitSwitchIntJump(data, valueRegs.payloadGPR(), scratch);
notInt32.link(&m_jit);
addBranch(m_jit.branchIfNotNumber(valueRegs, scratch), data->fallThrough.block);
silentSpillAllRegisters(scratch);
@@ -10545,7 +10531,7 @@
}
void SpeculativeJIT::emitSwitchCharStringJump(
- SwitchData* data, GPRReg value, GPRReg scratch, GPRReg scratch2)
+ SwitchData* data, GPRReg value, GPRReg scratch)
{
addBranch(
m_jit.branch32(
@@ -10576,7 +10562,7 @@
m_jit.load8(MacroAssembler::Address(value), scratch);
ready.link(&m_jit);
- emitSwitchIntJump(data, scratch, value, scratch2);
+ emitSwitchIntJump(data, scratch, value);
}
void SpeculativeJIT::emitSwitchChar(Node* node, SwitchData* data)
@@ -10585,16 +10571,14 @@
case StringUse: {
SpeculateCellOperand op1(this, node->child1());
GPRTemporary temp(this);
- GPRTemporary temp2(this);
GPRReg op1GPR = op1.gpr();
GPRReg tempGPR = temp.gpr();
- GPRReg temp2GPR = temp2.gpr();
op1.use();
speculateString(node->child1(), op1GPR);
- emitSwitchCharStringJump(data, op1GPR, tempGPR, temp2GPR);
+ emitSwitchCharStringJump(data, op1GPR, tempGPR);
noResult(node, UseChildrenCalledExplicitly);
break;
}
@@ -10602,11 +10586,9 @@
case UntypedUse: {
JSValueOperand op1(this, node->child1());
GPRTemporary temp(this);
- GPRTemporary temp2(this);
JSValueRegs op1Regs = op1.jsValueRegs();
GPRReg tempGPR = temp.gpr();
- GPRReg temp2GPR = temp2.gpr();
op1.use();
@@ -10614,7 +10596,7 @@
addBranch(m_jit.branchIfNotString(op1Regs.payloadGPR()), data->fallThrough.block);
- emitSwitchCharStringJump(data, op1Regs.payloadGPR(), tempGPR, temp2GPR);
+ emitSwitchCharStringJump(data, op1Regs.payloadGPR(), tempGPR);
noResult(node, UseChildrenCalledExplicitly);
break;
}
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1236,9 +1236,9 @@
BasicBlock* target;
};
- void emitSwitchIntJump(SwitchData*, GPRReg value, GPRReg scratch, GPRReg scratch2);
+ void emitSwitchIntJump(SwitchData*, GPRReg value, GPRReg scratch);
void emitSwitchImm(Node*, SwitchData*);
- void emitSwitchCharStringJump(SwitchData*, GPRReg value, GPRReg scratch, GPRReg scratch2);
+ void emitSwitchCharStringJump(SwitchData*, GPRReg value, GPRReg scratch);
void emitSwitchChar(Node*, SwitchData*);
void emitBinarySwitchStringRecurse(
SwitchData*, const Vector<StringSwitchCase>&, unsigned numChecked,
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-03-05 17:21:03 UTC (rev 242472)
@@ -5645,7 +5645,7 @@
LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowCase);
LValue fastResultValue = allocateObject<StringObject>(structure, m_out.intPtrZero, slowCase);
- m_out.storePtr(m_out.constIntPtr(PoisonedClassInfoPtr(StringObject::info()).bits()), fastResultValue, m_heaps.JSDestructibleObject_classInfo);
+ m_out.storePtr(m_out.constIntPtr(StringObject::info()), fastResultValue, m_heaps.JSDestructibleObject_classInfo);
m_out.store64(string, fastResultValue, m_heaps.JSWrapperObject_internalValue);
mutatorFence();
ValueFromBlock fastResult = m_out.anchor(fastResultValue);
@@ -12153,8 +12153,7 @@
LBasicBlock continuation = m_out.newBlock();
LValue structure = loadStructure(cell);
- LValue poisonedClassInfo = m_out.loadPtr(structure, m_heaps.Structure_classInfo);
- LValue classInfo = m_out.bitXor(poisonedClassInfo, m_out.constInt64(GlobalDataPoison::key()));
+ LValue classInfo = m_out.loadPtr(structure, m_heaps.Structure_classInfo);
ValueFromBlock otherAtStart = m_out.anchor(classInfo);
m_out.jump(loop);
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/jit/AssemblyHelpers.h (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/jit/AssemblyHelpers.h 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/jit/AssemblyHelpers.h 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1798,7 +1798,7 @@
{
auto butterfly = TrustedImmPtr(nullptr);
emitAllocateJSObject<ClassType>(vm, resultGPR, TrustedImmPtr(structure), butterfly, scratchGPR1, scratchGPR2, slowPath);
- storePtr(TrustedImmPtr(PoisonedClassInfoPtr(structure->classInfo()).bits()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));
+ storePtr(TrustedImmPtr(structure->classInfo()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));
}
void emitInitializeInlineStorage(GPRReg baseGPR, unsigned inlineCapacity)
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/jit/ThunkGenerators.cpp (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/jit/ThunkGenerators.cpp 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/jit/ThunkGenerators.cpp 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -213,10 +213,6 @@
// Now we know that we have a CodeBlock, and we're committed to making a fast
// call.
-#if USE(JSVALUE64)
- jit.move(CCallHelpers::TrustedImm64(JITCodePoison::key()), GPRInfo::regT1);
- jit.xor64(GPRInfo::regT1, GPRInfo::regT4);
-#endif
// Make a tail call. This will return back to JIT code.
JSInterfaceJIT::Label callCode(jit.label());
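Review bot: With the poison XOR removed, the fast-call path in this hunk hands `GPRInfo::regT4` to the tail call with no integrity check visible in the hunk, whereas the later hunk in `boundThisNoArgsFunctionCallGenerator` still runs `emitPointerValidation(jit, GPRInfo::regT0, JSEntryPtrTag)` before its `jit.call`. If `virtualThunkFor` does not validate regT4 elsewhere (the function starts and ends outside this hunk), an `emitPointerValidation` call on regT4 with the tag the tail call uses, placed before the `callCode` label, would keep the two thunks consistent. If it already does, a comment pointing at where would save the next reader the search.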
@@ -1248,10 +1244,6 @@
GPRInfo::regT0);
CCallHelpers::Jump noCode = jit.branchTestPtr(CCallHelpers::Zero, GPRInfo::regT0);
-#if USE(JSVALUE64)
- jit.move(CCallHelpers::TrustedImm64(JITCodePoison::key()), GPRInfo::regT1);
- jit.xor64(GPRInfo::regT1, GPRInfo::regT0);
-#endif
emitPointerValidation(jit, GPRInfo::regT0, JSEntryPtrTag);
jit.call(GPRInfo::regT0, JSEntryPtrTag);
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSCPoison.h (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSCPoison.h 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSCPoison.h 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -32,9 +32,6 @@
// Let's keep the following list of poisons in alphabetical order just so it's easier to read.
#define FOR_EACH_JSC_POISON(v) \
v(ArrayPrototype) \
- v(CodeBlock) \
- v(GlobalData) \
- v(JITCode) \
v(JSAPIWrapperObject) \
v(JSArrayBuffer) \
v(JSCallbackObject) \
@@ -65,11 +62,6 @@
FOR_EACH_JSC_POISON(DECLARE_POISON)
#undef DECLARE_POISON
-struct ClassInfo;
-
-using PoisonedClassInfoPtr = Poisoned<GlobalDataPoison, const ClassInfo*>;
-using PoisonedMasmPtr = Poisoned<JITCodePoison, const void*>;
-
void initializePoison();
} // namespace JSC
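Review bot: Removing `struct ClassInfo;` from this header takes away a forward declaration that other files in this commit still rely on: JSCallbackObject.h, VM.h, JSDestructibleObject.h, JSSegmentedVariableObject.h and Structure.h now spell `const ClassInfo*` directly. Each of them needs its own forward declaration or include of the header defining `ClassInfo`; any of them that obtained the name only through JSCPoison.h will fail to compile. Their include lists are outside the visible hunks, so this is a check to run rather than a confirmed defect.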
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSDestructibleObject.h (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSDestructibleObject.h 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSDestructibleObject.h 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -43,7 +43,7 @@
return &vm.destructibleObjectSpace;
}
- const ClassInfo* classInfo() const { return m_classInfo.unpoisoned(); }
+ const ClassInfo* classInfo() const { return m_classInfo; }
static ptrdiff_t classInfoOffset() { return OBJECT_OFFSETOF(JSDestructibleObject, m_classInfo); }
@@ -56,7 +56,7 @@
}
private:
- PoisonedClassInfoPtr m_classInfo;
+ const ClassInfo* m_classInfo;
};
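Review bot: `const ClassInfo* m_classInfo;` is declared here without an initializer, while the equivalent members in the JSCallbackObject.h and VM.h hunks are written `const ClassInfo* m_classInfo { nullptr };`; the JSSegmentedVariableObject.h and Structure.h hunks have the same bare declaration. The replaced `PoisonedClassInfoPtr` presumably default-constructed to a null value, so this turns an initialized field into an indeterminate one on any construction path that does not assign it (the constructors are outside these hunks). Writing `const ClassInfo* m_classInfo { nullptr };` in all three keeps the class-info members uniform and rules out reading an uninitialized pointer.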
} // namespace JSC
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -96,7 +96,7 @@
return &vm.segmentedVariableObjectSpace;
}
- const ClassInfo* classInfo() const { return m_classInfo.unpoisoned(); }
+ const ClassInfo* classInfo() const { return m_classInfo; }
protected:
JSSegmentedVariableObject(VM&, Structure*, JSScope*);
@@ -107,7 +107,7 @@
private:
SegmentedVector<WriteBarrier<Unknown>, 16> m_variables;
- PoisonedClassInfoPtr m_classInfo;
+ const ClassInfo* m_classInfo;
ConcurrentJSLock m_lock;
bool m_alreadyDestroyed { false }; // We use these assertions to check that we aren't doing ancient hacks that result in this being destroyed more than once.
};
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/Structure.h (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/Structure.h 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/Structure.h 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -490,7 +490,7 @@
void setObjectToStringValue(ExecState*, VM&, JSString* value, PropertySlot toStringTagSymbolSlot);
- const ClassInfo* classInfo() const { return m_classInfo.unpoisoned(); }
+ const ClassInfo* classInfo() const { return m_classInfo; }
static ptrdiff_t structureIDOffset()
{
@@ -768,7 +768,7 @@
RefPtr<UniquedStringImpl> m_nameInPrevious;
- PoisonedClassInfoPtr m_classInfo;
+ const ClassInfo* m_classInfo;
StructureTransitionTable m_transitionTable;
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/VM.h (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/VM.h 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/runtime/VM.h 2019-03-05 17:21:03 UTC (rev 242472)
@@ -546,7 +546,7 @@
std::unique_ptr<PromiseDeferredTimer> promiseDeferredTimer;
JSCell* currentlyDestructingCallbackObject;
- PoisonedClassInfoPtr currentlyDestructingCallbackObjectClassInfo;
+ const ClassInfo* currentlyDestructingCallbackObjectClassInfo { nullptr };
AtomicStringTable* m_atomicStringTable;
WTF::SymbolRegistry m_symbolRegistry;
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1128,8 +1128,6 @@
// https://bugs.webkit.org/show_bug.cgi?id=170375
Value* jumpDestination = isEmbedderBlock->appendNew<MemoryValue>(m_proc,
Load, pointerType(), origin(), instanceValue(), safeCast<int32_t>(Instance::offsetOfWasmToEmbedderStub(functionIndex)));
- if (Options::usePoisoning())
- jumpDestination = isEmbedderBlock->appendNew<Value>(m_proc, BitXor, origin(), jumpDestination, isEmbedderBlock->appendNew<Const64Value>(m_proc, origin(), g_JITCodePoison));
Value* embedderCallResult = wasmCallingConvention().setupCall(m_proc, isEmbedderBlock, origin(), args, toB3Type(returnType),
[=] (PatchpointValue* patchpoint) {
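Review bot: The `Options::usePoisoning()` guard is dropped here, in the `addCallIndirect` hunk below and in the WasmBinding.cpp hunk, but the option itself is not touched by this commit. If `usePoisoning` remains a settable option it now silently has no effect on wasm-to-embedder, wasm-to-wasm and binding jumps, which can mislead anyone turning it on for hardening; either its description should say it no longer covers JIT code pointers, or it should be retired together with `g_JITCodePoison`. The enclosing `addCall` starts before this hunk.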
@@ -1308,8 +1306,6 @@
ExpressionType calleeCode = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(),
m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(), callableFunction,
safeCast<int32_t>(WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation())));
- if (Options::usePoisoning())
- calleeCode = m_currentBlock->appendNew<Value>(m_proc, BitXor, origin(), calleeCode, m_currentBlock->appendNew<Const64Value>(m_proc, origin(), g_JITCodePoison));
Type returnType = signature.returnType();
result = wasmCallingConvention().setupCall(m_proc, m_currentBlock, origin(), args, toB3Type(returnType),
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/wasm/WasmBinding.cpp (242471 => 242472)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/wasm/WasmBinding.cpp 2019-03-05 17:20:55 UTC (rev 242471)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/wasm/WasmBinding.cpp 2019-03-05 17:21:03 UTC (rev 242472)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -78,8 +78,6 @@
// Tail call into the callee WebAssembly function.
jit.loadPtr(scratch, scratch);
- if (Options::usePoisoning())
- jit.xorPtr(JIT::TrustedImmPtr(g_JITCodePoison), scratch);
jit.jump(scratch, WasmEntryPtrTag);
LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID, JITCompilationCanFail);