Merge r242100 - Unpoison MacroAssemblerCodePtr, ClassInfo pointers, a…

…nd a few other things.

https://bugs.webkit.org/show_bug.cgi?id=195039

Reviewed by Saam Barati.

1. Unpoison MacroAssemblerCodePtrs, ReturnAddressPtr.
2. Replace PoisonedClassInfoPtr with ClassInfo*.
3. Replace PoisonedMasmPtr with const void*.
4. Remove all references to CodeBlockPoison, JITCodePoison, and GlobalDataPoison.

* API/JSCallbackObject.h:
* API/JSObjectRef.cpp:
(classInfoPrivate):
* assembler/MacroAssemblerCodeRef.h:
(JSC::FunctionPtr::FunctionPtr):
(JSC::FunctionPtr::executableAddress const):
(JSC::FunctionPtr::retaggedExecutableAddress const):
(JSC::ReturnAddressPtr::ReturnAddressPtr):
(JSC::ReturnAddressPtr::value const):
(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
(JSC::MacroAssemblerCodePtr:: const):
(JSC::MacroAssemblerCodePtr::operator! const):
(JSC::MacroAssemblerCodePtr::operator== const):
(JSC::MacroAssemblerCodePtr::hash const):
(JSC::MacroAssemblerCodePtr::emptyValue):
(JSC::MacroAssemblerCodePtr::deletedValue):
(JSC::FunctionPtr<tag>::FunctionPtr):
(JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
* b3/B3LowerMacros.cpp:
* b3/testb3.cpp:
(JSC::B3::testInterpreter):
* dfg/DFGOSRExitCompilerCommon.h:
(JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
(JSC::DFG::SpeculativeJIT::emitSwitchImm):
(JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
(JSC::DFG::SpeculativeJIT::emitSwitchChar):
* dfg/DFGSpeculativeJIT.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateDestructibleObject):
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::boundThisNoArgsFunctionCallGenerator):
* runtime/JSCPoison.h:
* runtime/JSDestructibleObject.h:
(JSC::JSDestructibleObject::classInfo const):
* runtime/JSSegmentedVariableObject.h:
(JSC::JSSegmentedVariableObject::classInfo const):
* runtime/Structure.h:
* runtime/VM.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):

Source/JavaScriptCore/API/JSCallbackObject.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
  * Copyright (C) 2007 Eric Seidel <eric@webkit.org>
  *
  * Redistribution and use in source and binary forms, with or without
@@ -228,7 +228,7 @@ class JSCallbackObject final : public Parent {
     static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
 
     WTF::PoisonedUniquePtr<JSCallbackObjectPoison, JSCallbackObjectData> m_callbackObjectData;
-    PoisonedClassInfoPtr m_classInfo;
+    const ClassInfo* m_classInfo { nullptr };
 };
 
 } // namespace JSC

Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Kelvin W Sherlock (ksherlock@gmail.com)
  *
  * Redistribution and use in source and binary forms, with or without
@@ -551,7 +551,7 @@ static const ClassInfo* classInfoPrivate(JSObject* jsObject)
     if (vm.currentlyDestructingCallbackObject != jsObject)
         return jsObject->classInfo(vm);
 
-    return vm.currentlyDestructingCallbackObjectClassInfo.unpoisoned();
+    return vm.currentlyDestructingCallbackObjectClassInfo;
 }
 
 void* JSObjectGetPrivate(JSObjectRef object)

Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,68 @@
+2019-02-26  Mark Lam  <mark.lam@apple.com>
+
+        Unpoison MacroAssemblerCodePtr, ClassInfo pointers, and a few other things.
+        https://bugs.webkit.org/show_bug.cgi?id=195039
+
+        Reviewed by Saam Barati.
+
+        1. Unpoison MacroAssemblerCodePtrs, ReturnAddressPtr.
+        2. Replace PoisonedClassInfoPtr with ClassInfo*.
+        3. Replace PoisonedMasmPtr with const void*.
+        4. Remove all references to CodeBlockPoison, JITCodePoison, and GlobalDataPoison.
+
+        * API/JSCallbackObject.h:
+        * API/JSObjectRef.cpp:
+        (classInfoPrivate):
+        * assembler/MacroAssemblerCodeRef.h:
+        (JSC::FunctionPtr::FunctionPtr):
+        (JSC::FunctionPtr::executableAddress const):
+        (JSC::FunctionPtr::retaggedExecutableAddress const):
+        (JSC::ReturnAddressPtr::ReturnAddressPtr):
+        (JSC::ReturnAddressPtr::value const):
+        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+        (JSC::MacroAssemblerCodePtr:: const):
+        (JSC::MacroAssemblerCodePtr::operator! const):
+        (JSC::MacroAssemblerCodePtr::operator== const):
+        (JSC::MacroAssemblerCodePtr::hash const):
+        (JSC::MacroAssemblerCodePtr::emptyValue):
+        (JSC::MacroAssemblerCodePtr::deletedValue):
+        (JSC::FunctionPtr<tag>::FunctionPtr):
+        (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
+        * b3/B3LowerMacros.cpp:
+        * b3/testb3.cpp:
+        (JSC::B3::testInterpreter):
+        * dfg/DFGOSRExitCompilerCommon.h:
+        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
+        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+        * dfg/DFGSpeculativeJIT.h:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+        * jit/ThunkGenerators.cpp:
+        (JSC::virtualThunkFor):
+        (JSC::boundThisNoArgsFunctionCallGenerator):
+        * runtime/JSCPoison.h:
+        * runtime/JSDestructibleObject.h:
+        (JSC::JSDestructibleObject::classInfo const):
+        * runtime/JSSegmentedVariableObject.h:
+        (JSC::JSSegmentedVariableObject::classInfo const):
+        * runtime/Structure.h:
+        * runtime/VM.h:
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::addCall):
+        (JSC::Wasm::B3IRGenerator::addCallIndirect):
+        * wasm/WasmBinding.cpp:
+        (JSC::Wasm::wasmToWasm):
+
 2019-02-26  Mark Lam  <mark.lam@apple.com>
 
         Misc cleanup in StructureIDTable after r242096.

Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,7 +26,6 @@
 #pragma once
 
 #include "ExecutableAllocator.h"
-#include "JSCPoison.h"
 #include "JSCPtrTag.h"
 #include <wtf/DataLog.h>
 #include <wtf/PrintStream.h>
@@ -74,7 +73,6 @@ class FunctionPtr {
         : m_value(tagCFunctionPtr<void*, tag>(value))
     {
         assertIsNullOrCFunctionPtr(value);
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
     }
 
@@ -87,7 +85,6 @@ class FunctionPtr {
         : m_value(tagCFunctionPtr<void*, tag>(value))
     {
         assertIsNullOrCFunctionPtr(value);
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
     }
 
@@ -100,7 +97,6 @@ class FunctionPtr {
         : m_value(tagCFunctionPtr<void*, tag>(value))
     {
         assertIsNullOrCFunctionPtr(value);
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
     }
 
@@ -114,7 +110,6 @@ class FunctionPtr {
         : m_value(tagCFunctionPtr<void*, tag>(value))
     {
         assertIsNullOrCFunctionPtr(value);
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
     }
 
@@ -130,14 +125,12 @@ class FunctionPtr {
 
     void* executableAddress() const
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         return m_value;
     }
 
     template<PtrTag newTag>
     void* retaggedExecutableAddress() const
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         return retagCodePtr<tag, newTag>(m_value);
     }
 
@@ -152,7 +145,6 @@ class FunctionPtr {
     explicit FunctionPtr(const FunctionPtr<otherTag>& other)
         : m_value(retagCodePtr<otherTag, tag>(other.executableAddress()))
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_NULL_OR_VALID_CODE_POINTER(m_value);
     }
 
@@ -179,21 +171,18 @@ class ReturnAddressPtr {
     explicit ReturnAddressPtr(const void* value)
         : m_value(value)
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_VALID_CODE_POINTER(m_value);
     }
 
     template<PtrTag tag>
     explicit ReturnAddressPtr(FunctionPtr<tag> function)
         : m_value(untagCodePtr<tag>(function.executableAddress()))
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         ASSERT_VALID_CODE_POINTER(m_value);
     }
 
     const void* value() const
     {
-        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
         return m_value;
     }
 
@@ -231,12 +220,11 @@ class MacroAssemblerCodePtr : private MacroAssemblerCodePtrBase {
 #endif
     {
         assertIsTaggedWith(value, tag);
-        m_value.assertIsPoisoned();
         ASSERT(value);
 #if CPU(ARM_THUMB2)
         ASSERT(!(reinterpret_cast<uintptr_t>(value) & 1));
 #endif
-        ASSERT_VALID_CODE_POINTER(m_value.unpoisoned());
+        ASSERT_VALID_CODE_POINTER(m_value);
     }
 
     static MacroAssemblerCodePtr createFromExecutableAddress(const void* value)
@@ -245,8 +233,7 @@ class MacroAssemblerCodePtr : private MacroAssemblerCodePtrBase {
         ASSERT_VALID_CODE_POINTER(value);
         assertIsTaggedWith(value, tag);
         MacroAssemblerCodePtr result;
-        result.m_value = PoisonedMasmPtr(value);
-        result.m_value.assertIsPoisoned();
+        result.m_value = value;
         return result;
     }
 
@@ -255,12 +242,9 @@ class MacroAssemblerCodePtr : private MacroAssemblerCodePtrBase {
     {
         assertIsNotTagged(ra.value());
         ASSERT(ra.value());
-        m_value.assertIsPoisoned();
-        ASSERT_VALID_CODE_POINTER(m_value.unpoisoned());
+        ASSERT_VALID_CODE_POINTER(m_value);
     }
 
-    PoisonedMasmPtr poisonedPtr() const { return m_value; }
-
     template<PtrTag newTag>
     MacroAssemblerCodePtr<newTag> retagged() const
     {
@@ -272,66 +256,51 @@ class MacroAssemblerCodePtr : private MacroAssemblerCodePtrBase {
     template<typename T = void*>
     T executableAddress() const
     {
-        m_value.assertIsPoisoned();
-        return m_value.unpoisoned<T>();
+        return bitwise_cast<T>(m_value);
     }
 
     template<typename T = void*>
     T untaggedExecutableAddress() const
     {
-        m_value.assertIsPoisoned();
-        return untagCodePtr<T, tag>(m_value.unpoisoned());
+        return untagCodePtr<T, tag>(m_value);
     }
 
     template<PtrTag newTag, typename T = void*>
     T retaggedExecutableAddress() const
     {
-        m_value.assertIsPoisoned();
-        return retagCodePtr<T, tag, newTag>(m_value.unpoisoned());
+        return retagCodePtr<T, tag, newTag>(m_value);
     }
 
 #if CPU(ARM_THUMB2)
     // To use this pointer as a data address remove the decoration.
     template<typename T = void*>
     T dataLocation() const
     {
-        m_value.assertIsPoisoned();
-        ASSERT_VALID_CODE_POINTER(m_value.unpoisoned());
-        return bitwise_cast<T>(m_value ? m_value.unpoisoned<char*>() - 1 : nullptr);
+        ASSERT_VALID_CODE_POINTER(m_value);
+        return bitwise_cast<T>(m_value ? bitwise_cast<char*>(m_value) - 1 : nullptr);
     }
 #else
     template<typename T = void*>
     T dataLocation() const
     {
-        m_value.assertIsPoisoned();
         ASSERT_VALID_CODE_POINTER(m_value);
-        return untagCodePtr<T, tag>(m_value.unpoisoned());
+        return untagCodePtr<T, tag>(m_value);
     }
 #endif
 
     bool operator!() const
     {
-#if ENABLE(POISON_ASSERTS)
-        if (!isEmptyValue() && !isDeletedValue())
-            m_value.assertIsPoisoned();
-#endif
         return !m_value;
     }
     explicit operator bool() const { return !(!*this); }
 
     bool operator==(const MacroAssemblerCodePtr& other) const
     {
-#if ENABLE(POISON_ASSERTS)
-        if (!isEmptyValue() && !isDeletedValue())
-            m_value.assertIsPoisoned();
-        if (!other.isEmptyValue() && !other.isDeletedValue())
-            other.m_value.assertIsPoisoned();
-#endif
         return m_value == other.m_value;
     }
 
     // Disallow any casting operations (except for booleans). Instead, the client
-    // should be asking for poisonedPtr() or executableAddress() explicitly.
+    // should be asking executableAddress() explicitly.
     template<typename T, typename = std::enable_if_t<!std::is_same<T, bool>::value>>
     operator T() = delete;
 
@@ -356,15 +325,15 @@ class MacroAssemblerCodePtr : private MacroAssemblerCodePtrBase {
     bool isEmptyValue() const { return m_value == emptyValue(); }
     bool isDeletedValue() const { return m_value == deletedValue(); }
 
-    unsigned hash() const { return IntHash<uintptr_t>::hash(m_value.bits()); }
+    unsigned hash() const { return PtrHash<const void*>::hash(m_value); }
 
     static void initialize();
 
 private:
-    static PoisonedMasmPtr emptyValue() { return PoisonedMasmPtr(AlreadyPoisoned, 1); }
-    static PoisonedMasmPtr deletedValue() { return PoisonedMasmPtr(AlreadyPoisoned, 2); }
+    static const void* emptyValue() { return bitwise_cast<void*>(static_cast<intptr_t>(1)); }
+    static const void* deletedValue() { return bitwise_cast<void*>(static_cast<intptr_t>(2)); }
 
-    PoisonedMasmPtr m_value;
+    const void* m_value { nullptr };
 };
 
 template<PtrTag tag>
@@ -488,7 +457,6 @@ template<PtrTag tag>
 inline FunctionPtr<tag>::FunctionPtr(MacroAssemblerCodePtr<tag> ptr)
     : m_value(ptr.executableAddress())
 {
-    PoisonedMasmPtr::assertIsNotPoisoned(m_value);
 }
 
 } // namespace JSC

Source/JavaScriptCore/b3/B3LowerMacros.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -507,12 +507,9 @@ class LowerMacros {
 
                         GPRReg index = params[0].gpr();
                         GPRReg scratch = params.gpScratch(0);
-                        GPRReg poisonScratch = params.gpScratch(1);
 
-                        jit.move(CCallHelpers::TrustedImm64(JITCodePoison::key()), poisonScratch);
                         jit.move(CCallHelpers::TrustedImmPtr(jumpTable), scratch);
                         jit.load64(CCallHelpers::BaseIndex(scratch, index, CCallHelpers::timesPtr()), scratch);
-                        jit.xor64(poisonScratch, scratch);
                         jit.jump(scratch, JSSwitchPtrTag);
 
                         // These labels are guaranteed to be populated before either late paths or

Source/JavaScriptCore/b3/testb3.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -13369,12 +13369,9 @@ void testInterpreter()
                 params.proc().addDataSection(sizeof(MacroAssemblerCodePtr<B3CompilationPtrTag>) * labels.size()));
 
             GPRReg scratch = params.gpScratch(0);
-            GPRReg poisonScratch = params.gpScratch(1);
 
             jit.move(CCallHelpers::TrustedImmPtr(jumpTable), scratch);
-            jit.move(CCallHelpers::TrustedImm64(JITCodePoison::key()), poisonScratch);
             jit.load64(CCallHelpers::BaseIndex(scratch, params[0].gpr(), CCallHelpers::timesPtr()), scratch);
-            jit.xor64(poisonScratch, scratch);
             jit.jump(scratch, B3CompilationPtrTag);
 
             jit.addLinkTask(

Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -87,7 +87,6 @@ void adjustFrameAndStackInOSRExitCompilerThunk(MacroAssembler& jit, VM* vm, JITC
     // We need to make sure SP is correct in case of an exception.
     jit.loadPtr(MacroAssembler::Address(GPRInfo::callFrameRegister, CallFrameSlot::codeBlock * static_cast<int>(sizeof(Register))), GPRInfo::regT0);
     jit.loadPtr(MacroAssembler::Address(GPRInfo::regT0, CodeBlock::jitCodeOffset()), GPRInfo::regT0);
-    jit.xorPtr(MacroAssembler::TrustedImmPtr(CodeBlockPoison::key()), GPRInfo::regT0);
     jit.addPtr(MacroAssembler::TrustedImm32(JITCodeType::commonDataOffset()), GPRInfo::regT0);
     jit.load32(MacroAssembler::Address(GPRInfo::regT0, CommonData::frameRegisterCountOffset()), GPRInfo::regT0);
     // This does virtualRegisterForLocal(frameRegisterCount - 1)*sizeof(Register) where: