Diff
Modified: trunk/Source/_javascript_Core/API/JSCallbackObject.h (225436 => 225437)
--- trunk/Source/_javascript_Core/API/JSCallbackObject.h 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/API/JSCallbackObject.h 2017-12-02 01:12:48 UTC (rev 225437)
@@ -27,6 +27,7 @@
#ifndef JSCallbackObject_h
#define JSCallbackObject_h
+#include "JSCScrambledPtr.h"
#include "JSObjectRef.h"
#include "JSValueRef.h"
#include "JSObject.h"
@@ -233,7 +234,7 @@
static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
- const ClassInfo* m_classInfo;
+ ClassInfoScrambledPtr m_classInfo;
};
} // namespace JSC
Modified: trunk/Source/_javascript_Core/API/JSObjectRef.cpp (225436 => 225437)
--- trunk/Source/_javascript_Core/API/JSObjectRef.cpp 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/API/JSObjectRef.cpp 2017-12-02 01:12:48 UTC (rev 225437)
@@ -431,7 +431,7 @@
if (vm.currentlyDestructingCallbackObject != jsObject)
return jsObject->classInfo(vm);
- return vm.currentlyDestructingCallbackObjectClassInfo;
+ return vm.currentlyDestructingCallbackObjectClassInfo.descrambled();
}
void* JSObjectGetPrivate(JSObjectRef object)
Modified: trunk/Source/_javascript_Core/ChangeLog (225436 => 225437)
--- trunk/Source/_javascript_Core/ChangeLog 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-12-02 01:12:48 UTC (rev 225437)
@@ -1,3 +1,44 @@
+2017-12-01 Mark Lam <[email protected]>
+
+ Let's scramble ClassInfo pointers in cells.
+ https://bugs.webkit.org/show_bug.cgi?id=180291
+ <rdar://problem/35807620>
+
+ Reviewed by JF Bastien.
+
+ * API/JSCallbackObject.h:
+ * API/JSObjectRef.cpp:
+ (classInfoPrivate):
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * assembler/MacroAssemblerCodeRef.cpp:
+ (JSC::MacroAssemblerCodePtr::initialize): Deleted.
+ * assembler/MacroAssemblerCodeRef.h:
+ (JSC::MacroAssemblerCodePtr:: const):
+ (JSC::MacroAssemblerCodePtr::hash const):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+ (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * runtime/JSCScrambledPtr.cpp: Added.
+ (JSC::initializeScrambledPtrKeys):
+ * runtime/JSCScrambledPtr.h: Added.
+ * runtime/JSDestructibleObject.h:
+ (JSC::JSDestructibleObject::classInfo const):
+ * runtime/JSSegmentedVariableObject.h:
+ (JSC::JSSegmentedVariableObject::classInfo const):
+ * runtime/Structure.h:
+ * runtime/VM.h:
+
2017-12-01 Brian Burg <[email protected]>
Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (225436 => 225437)
--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2017-12-02 01:12:48 UTC (rev 225437)
@@ -1715,6 +1715,7 @@
FE1C0FFD1B193E9800B53FCA /* Exception.h in Headers */ = {isa = PBXBuildFile; fileRef = FE1C0FFC1B193E9800B53FCA /* Exception.h */; settings = {ATTRIBUTES = (Private, ); }; };
FE20CE9E15F04A9500DF3430 /* LLIntCLoop.h in Headers */ = {isa = PBXBuildFile; fileRef = FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */; settings = {ATTRIBUTES = (Private, ); }; };
FE2A87601F02381600EB31B2 /* MinimumReservedZoneSize.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */; };
+ FE2B0B691FD227E00075DA5F /* JSCScrambledPtr.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2B0B671FD0D2960075DA5F /* JSCScrambledPtr.h */; settings = {ATTRIBUTES = (Private, ); }; };
FE3022D31E3D73A500BAC493 /* SigillCrashAnalyzer.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D11E3D739600BAC493 /* SigillCrashAnalyzer.h */; settings = {ATTRIBUTES = (Private, ); }; };
FE3022D71E42857300BAC493 /* VMInspector.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D51E42856700BAC493 /* VMInspector.h */; };
FE318FE01CAC982F00DFCC54 /* ECMAScriptSpecInternalFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = FE318FDE1CAC8C5300DFCC54 /* ECMAScriptSpecInternalFunctions.h */; };
@@ -4584,6 +4585,8 @@
FE20CE9B15F04A9500DF3430 /* LLIntCLoop.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = LLIntCLoop.cpp; path = llint/LLIntCLoop.cpp; sourceTree = "<group>"; };
FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntCLoop.h; path = llint/LLIntCLoop.h; sourceTree = "<group>"; };
FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MinimumReservedZoneSize.h; sourceTree = "<group>"; };
+ FE2B0B671FD0D2960075DA5F /* JSCScrambledPtr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCScrambledPtr.h; sourceTree = "<group>"; };
+ FE2B0B681FD0D2970075DA5F /* JSCScrambledPtr.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSCScrambledPtr.cpp; sourceTree = "<group>"; };
FE2E6A7A1D6EA5FE0060F896 /* ThrowScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ThrowScope.cpp; sourceTree = "<group>"; };
FE3022D01E3D739600BAC493 /* SigillCrashAnalyzer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SigillCrashAnalyzer.cpp; sourceTree = "<group>"; };
FE3022D11E3D739600BAC493 /* SigillCrashAnalyzer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SigillCrashAnalyzer.h; sourceTree = "<group>"; };
@@ -6519,6 +6522,8 @@
F692A8870255597D01FF60F7 /* JSCJSValue.cpp */,
14ABB36E099C076400E2A24F /* JSCJSValue.h */,
865A30F0135007E100CDB49E /* JSCJSValueInlines.h */,
+ FE2B0B681FD0D2970075DA5F /* JSCScrambledPtr.cpp */,
+ FE2B0B671FD0D2960075DA5F /* JSCScrambledPtr.h */,
72AAF7CB1D0D318B005E60BE /* JSCustomGetterSetterFunction.cpp */,
72AAF7CC1D0D318B005E60BE /* JSCustomGetterSetterFunction.h */,
0F2B66BD17B6B5AB00A7AE3F /* JSDataView.cpp */,
@@ -8128,6 +8133,7 @@
0FEC852A1BDACDAC0080FF74 /* B3PhaseScope.h in Headers */,
0F37308D1C0BD29100052BFA /* B3PhiChildren.h in Headers */,
0FEC852C1BDACDAC0080FF74 /* B3Procedure.h in Headers */,
+ FE2B0B691FD227E00075DA5F /* JSCScrambledPtr.h in Headers */,
0FEC852D1BDACDAC0080FF74 /* B3ProcedureInlines.h in Headers */,
0F725CAA1C503DED00AD943A /* B3PureCSE.h in Headers */,
43422A671C16267800E2EB98 /* B3ReduceDoubleToFloat.h in Headers */,
Modified: trunk/Source/_javascript_Core/Sources.txt (225436 => 225437)
--- trunk/Source/_javascript_Core/Sources.txt 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/Sources.txt 2017-12-02 01:12:48 UTC (rev 225437)
@@ -769,6 +769,7 @@
runtime/JSAsyncGeneratorFunction.cpp
runtime/JSBoundFunction.cpp
runtime/JSCJSValue.cpp
+runtime/JSCScrambledPtr.cpp
runtime/JSCallee.cpp
runtime/JSCell.cpp
runtime/JSCustomGetterSetterFunction.cpp
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.cpp (225436 => 225437)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.cpp 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.cpp 2017-12-02 01:12:48 UTC (rev 225437)
@@ -33,16 +33,6 @@
namespace JSC {
-uintptr_t g_masmScrambledPtrKey;
-
-void MacroAssemblerCodePtr::initialize()
-{
- static std::once_flag initializeOnceFlag;
- std::call_once(initializeOnceFlag, [] {
- g_masmScrambledPtrKey = makeScrambledPtrKey();
- });
-}
-
MacroAssemblerCodePtr MacroAssemblerCodePtr::createLLIntCodePtr(OpcodeID codeId)
{
return createFromExecutableAddress(LLInt::getCodePtr(codeId));
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h (225436 => 225437)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2017-12-02 01:12:48 UTC (rev 225437)
@@ -26,10 +26,10 @@
#pragma once
#include "ExecutableAllocator.h"
+#include "JSCScrambledPtr.h"
#include <wtf/DataLog.h>
#include <wtf/PrintStream.h>
#include <wtf/RefPtr.h>
-#include <wtf/ScrambledPtr.h>
#include <wtf/text/CString.h>
// ASSERT_VALID_CODE_POINTER checks that ptr is a non-null pointer, and that it is a valid
@@ -51,10 +51,6 @@
namespace JSC {
-extern "C" JS_EXPORTDATA uintptr_t g_masmScrambledPtrKey;
-
-using MasmScrambledPtr = ScrambledPtr<g_masmScrambledPtrKey>;
-
class MacroAssemblerCodePtr;
enum OpcodeID : unsigned;
@@ -323,7 +319,7 @@
T executableAddress() const
{
m_value.assertIsScrambled();
- return m_value ? m_value.descramble<T>() : static_cast<T>(0);
+ return m_value ? m_value.descrambled<T>() : static_cast<T>(0);
}
#if CPU(ARM_THUMB2)
// To use this pointer as a data address remove the decoration.
@@ -332,7 +328,7 @@
{
m_value.assertIsScrambled();
ASSERT_VALID_CODE_POINTER(m_value);
- return bitwise_cast<T>(m_value ? m_value.descramble<char*>() - 1 : nullptr);
+ return bitwise_cast<T>(m_value ? m_value.descrambled<char*>() - 1 : nullptr);
}
#else
template<typename T = void*>
@@ -340,7 +336,7 @@
{
m_value.assertIsScrambled();
ASSERT_VALID_CODE_POINTER(m_value);
- return m_value ? m_value.descramble<T>() : static_cast<T>(0);
+ return m_value ? m_value.descrambled<T>() : static_cast<T>(0);
}
#endif
@@ -388,7 +384,7 @@
bool isEmptyValue() const { return m_value == emptyValue(); }
bool isDeletedValue() const { return m_value == deletedValue(); }
- unsigned hash() const { return IntHash<uintptr_t>::hash(m_value.scrambledBits()); }
+ unsigned hash() const { return IntHash<uintptr_t>::hash(m_value.bits()); }
static void initialize();
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (225436 => 225437)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-12-02 01:12:48 UTC (rev 225437)
@@ -868,8 +868,8 @@
m_jit.branchPtr(
MacroAssembler::NotEqual,
MacroAssembler::Address(temp.gpr(), Structure::classInfoOffset()),
- TrustedImmPtr(expectedClassInfo)));
-
+ TrustedImmPtr(ClassInfoScrambledPtr(expectedClassInfo).bits())));
+
noResult(m_currentNode);
}
@@ -8705,6 +8705,10 @@
m_jit.emitLoadStructure(*m_jit.vm(), baseGPR, otherGPR, specifiedGPR);
m_jit.loadPtr(CCallHelpers::Address(otherGPR, Structure::classInfoOffset()), otherGPR);
+#if USE(JSVALUE64)
+ m_jit.move(CCallHelpers::TrustedImm64(g_classInfoScrambledPtrKey), specifiedGPR);
+ m_jit.xor64(specifiedGPR, otherGPR);
+#endif
m_jit.move(CCallHelpers::TrustedImmPtr(node->classInfo()), specifiedGPR);
CCallHelpers::Label loop = m_jit.label();
@@ -8999,7 +9003,7 @@
slowPath);
m_jit.storePtr(
- TrustedImmPtr(StringObject::info()),
+ TrustedImmPtr(ClassInfoScrambledPtr(StringObject::info()).bits()),
JITCompiler::Address(resultGPR, JSDestructibleObject::classInfoOffset()));
#if USE(JSVALUE64)
m_jit.store64(
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (225436 => 225437)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-12-02 01:12:48 UTC (rev 225437)
@@ -5010,7 +5010,7 @@
LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowCase);
LValue fastResultValue = allocateObject<StringObject>(structure, m_out.intPtrZero, slowCase);
- m_out.storePtr(m_out.constIntPtr(StringObject::info()), fastResultValue, m_heaps.JSDestructibleObject_classInfo);
+ m_out.storePtr(m_out.constIntPtr(ClassInfoScrambledPtr(StringObject::info()).bits()), fastResultValue, m_heaps.JSDestructibleObject_classInfo);
m_out.store64(string, fastResultValue, m_heaps.JSWrapperObject_internalValue);
mutatorFence();
ValueFromBlock fastResult = m_out.anchor(fastResultValue);
@@ -11160,7 +11160,9 @@
LBasicBlock continuation = m_out.newBlock();
LValue structure = loadStructure(cell);
- ValueFromBlock otherAtStart = m_out.anchor(m_out.loadPtr(structure, m_heaps.Structure_classInfo));
+ LValue scrambledClassInfo = m_out.loadPtr(structure, m_heaps.Structure_classInfo);
+ LValue classInfo = m_out.bitXor(scrambledClassInfo, m_out.constInt64(g_classInfoScrambledPtrKey));
+ ValueFromBlock otherAtStart = m_out.anchor(classInfo);
m_out.jump(loop);
LBasicBlock lastNext = m_out.appendTo(loop, parentClass);
Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (225436 => 225437)
--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2017-12-02 01:12:48 UTC (rev 225437)
@@ -1625,7 +1625,7 @@
void emitAllocateDestructibleObject(VM& vm, GPRReg resultGPR, Structure* structure, GPRReg scratchGPR1, GPRReg scratchGPR2, JumpList& slowPath)
{
emitAllocateJSObject<ClassType>(vm, resultGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR1, scratchGPR2, slowPath);
- storePtr(TrustedImmPtr(structure->classInfo()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));
+ storePtr(TrustedImmPtr(ClassInfoScrambledPtr(structure->classInfo()).bits()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));
}
void emitInitializeInlineStorage(GPRReg baseGPR, unsigned inlineCapacity)
Modified: trunk/Source/_javascript_Core/jit/SpecializedThunkJIT.h (225436 => 225437)
--- trunk/Source/_javascript_Core/jit/SpecializedThunkJIT.h 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/jit/SpecializedThunkJIT.h 2017-12-02 01:12:48 UTC (rev 225437)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -77,7 +77,7 @@
{
loadCellArgument(argument, dst);
emitLoadStructure(*vm(), dst, scratch, dst);
- appendFailure(branchPtr(NotEqual, Address(scratch, Structure::classInfoOffset()), TrustedImmPtr(classInfo)));
+ appendFailure(branchPtr(NotEqual, Address(scratch, Structure::classInfoOffset()), TrustedImmPtr(ClassInfoScrambledPtr(classInfo).bits())));
// We have to reload the argument since emitLoadStructure clobbered it.
loadCellArgument(argument, dst);
}
Modified: trunk/Source/_javascript_Core/runtime/InitializeThreading.cpp (225436 => 225437)
--- trunk/Source/_javascript_Core/runtime/InitializeThreading.cpp 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/runtime/InitializeThreading.cpp 2017-12-02 01:12:48 UTC (rev 225437)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008, 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -59,7 +59,7 @@
std::call_once(initializeThreadingOnceFlag, []{
WTF::initializeThreading();
- MacroAssemblerCodePtr::initialize();
+ initializeScrambledPtrKeys();
Options::initialize();
#if ENABLE(WRITE_BARRIER_PROFILING)
WriteBarrierCounters::initialize();
Added: trunk/Source/_javascript_Core/runtime/JSCScrambledPtr.cpp (0 => 225437)
--- trunk/Source/_javascript_Core/runtime/JSCScrambledPtr.cpp (rev 0)
+++ trunk/Source/_javascript_Core/runtime/JSCScrambledPtr.cpp 2017-12-02 01:12:48 UTC (rev 225437)
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JSCScrambledPtr.h"
+
+namespace JSC {
+
+uintptr_t g_classInfoScrambledPtrKey;
+uintptr_t g_masmScrambledPtrKey;
+
+void initializeScrambledPtrKeys()
+{
+ static std::once_flag initializeOnceFlag;
+ std::call_once(initializeOnceFlag, [] {
+ g_classInfoScrambledPtrKey = makeScrambledPtrKey();
+ g_masmScrambledPtrKey = makeScrambledPtrKey();
+ });
+}
+
+} // namespace JSC
+
Added: trunk/Source/_javascript_Core/runtime/JSCScrambledPtr.h (0 => 225437)
--- trunk/Source/_javascript_Core/runtime/JSCScrambledPtr.h (rev 0)
+++ trunk/Source/_javascript_Core/runtime/JSCScrambledPtr.h 2017-12-02 01:12:48 UTC (rev 225437)
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include <wtf/ScrambledPtr.h>
+
+namespace JSC {
+
+extern "C" JS_EXPORTDATA uintptr_t g_classInfoScrambledPtrKey;
+extern "C" JS_EXPORTDATA uintptr_t g_masmScrambledPtrKey;
+
+struct ClassInfo;
+
+using ClassInfoScrambledPtr = ScrambledPtr<const ClassInfo*, g_classInfoScrambledPtrKey>;
+using MasmScrambledPtr = ScrambledPtr<void*, g_masmScrambledPtrKey>;
+
+void initializeScrambledPtrKeys();
+
+} // namespace JSC
+
Modified: trunk/Source/_javascript_Core/runtime/JSDestructibleObject.h (225436 => 225437)
--- trunk/Source/_javascript_Core/runtime/JSDestructibleObject.h 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/runtime/JSDestructibleObject.h 2017-12-02 01:12:48 UTC (rev 225437)
@@ -43,7 +43,7 @@
return &vm.destructibleObjectSpace;
}
- const ClassInfo* classInfo() const { return m_classInfo; }
+ const ClassInfo* classInfo() const { return m_classInfo.descrambled(); }
static ptrdiff_t classInfoOffset() { return OBJECT_OFFSETOF(JSDestructibleObject, m_classInfo); }
@@ -56,7 +56,7 @@
}
private:
- const ClassInfo* m_classInfo;
+ ClassInfoScrambledPtr m_classInfo;
};
} // namespace JSC
Modified: trunk/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h (225436 => 225437)
--- trunk/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/runtime/JSSegmentedVariableObject.h 2017-12-02 01:12:48 UTC (rev 225437)
@@ -94,7 +94,7 @@
return &vm.segmentedVariableObjectSpace;
}
- const ClassInfo* classInfo() const { return m_classInfo; }
+ const ClassInfo* classInfo() const { return m_classInfo.descrambled(); }
protected:
JSSegmentedVariableObject(VM&, Structure*, JSScope*);
@@ -107,7 +107,7 @@
SegmentedVector<WriteBarrier<Unknown>, 16> m_variables;
ConcurrentJSLock m_lock;
bool m_alreadyDestroyed { false }; // We use these assertions to check that we aren't doing ancient hacks that result in this being destroyed more than once.
- const ClassInfo* m_classInfo;
+ ClassInfoScrambledPtr m_classInfo;
};
} // namespace JSC
Modified: trunk/Source/_javascript_Core/runtime/Structure.h (225436 => 225437)
--- trunk/Source/_javascript_Core/runtime/Structure.h 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/runtime/Structure.h 2017-12-02 01:12:48 UTC (rev 225437)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008, 2009, 2012-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -468,7 +468,7 @@
void setObjectToStringValue(ExecState*, VM&, JSString* value, PropertySlot toStringTagSymbolSlot);
- const ClassInfo* classInfo() const { return m_classInfo; }
+ const ClassInfo* classInfo() const { return m_classInfo.descrambled(); }
static ptrdiff_t structureIDOffset()
{
@@ -798,7 +798,7 @@
RefPtr<UniquedStringImpl> m_nameInPrevious;
- const ClassInfo* m_classInfo;
+ ClassInfoScrambledPtr m_classInfo;
StructureTransitionTable m_transitionTable;
Modified: trunk/Source/_javascript_Core/runtime/VM.h (225436 => 225437)
--- trunk/Source/_javascript_Core/runtime/VM.h 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/_javascript_Core/runtime/VM.h 2017-12-02 01:12:48 UTC (rev 225437)
@@ -414,7 +414,7 @@
std::unique_ptr<PromiseDeferredTimer> promiseDeferredTimer;
JSCell* currentlyDestructingCallbackObject;
- const ClassInfo* currentlyDestructingCallbackObjectClassInfo;
+ ClassInfoScrambledPtr currentlyDestructingCallbackObjectClassInfo;
AtomicStringTable* m_atomicStringTable;
WTF::SymbolRegistry m_symbolRegistry;
Modified: trunk/Source/WTF/ChangeLog (225436 => 225437)
--- trunk/Source/WTF/ChangeLog 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/WTF/ChangeLog 2017-12-02 01:12:48 UTC (rev 225437)
@@ -1,3 +1,21 @@
+2017-12-01 Mark Lam <[email protected]>
+
+ Let's scramble ClassInfo pointers in cells.
+ https://bugs.webkit.org/show_bug.cgi?id=180291
+ <rdar://problem/35807620>
+
+ Reviewed by JF Bastien.
+
+ * wtf/ScrambledPtr.h:
+ (WTF::ScrambledPtr::descrambled const):
+ (WTF::ScrambledPtr::bits const):
+ (WTF::ScrambledPtr::operator==):
+ (WTF::ScrambledPtr::operator=):
+ (WTF::ScrambledPtr::scramble):
+ (WTF::ScrambledPtr::descramble):
+ (WTF::ScrambledPtr:: const): Deleted.
+ (WTF::ScrambledPtr::scrambledBits const): Deleted.
+
2017-12-01 Christopher Reid <[email protected]>
Move DateComponents into WTF
Modified: trunk/Source/WTF/wtf/ScrambledPtr.h (225436 => 225437)
--- trunk/Source/WTF/wtf/ScrambledPtr.h 2017-12-02 01:04:52 UTC (rev 225436)
+++ trunk/Source/WTF/wtf/ScrambledPtr.h 2017-12-02 01:12:48 UTC (rev 225437)
@@ -40,12 +40,11 @@
using ScrambledPtrBits = uintptr_t;
-template<uintptr_t& key>
+template<typename T, uintptr_t& key, typename = std::enable_if_t<std::is_pointer<T>::value>>
class ScrambledPtr {
public:
ScrambledPtr() { }
- template<typename T, typename = typename std::enable_if<std::is_pointer<T>::value>::type>
explicit ScrambledPtr(T ptr)
: m_scrambledBits(scramble(ptr))
{
@@ -61,26 +60,26 @@
}
#if ENABLE(SCRAMBLED_PTR_ASSERTS)
- template<typename T = void*>
- static bool isScrambled(T value) { return !value || (reinterpret_cast<uintptr_t>(value) & 0xffff000000000000); }
- template<typename T = void*>
- static void assertIsScrambled(T value) { RELEASE_ASSERT(isScrambled(value)); }
- template<typename T = void*>
- static void assertIsNotScrambled(T value) { RELEASE_ASSERT(!isScrambled(value)); }
+ template<typename U = void*>
+ static bool isScrambled(U value) { return !value || (reinterpret_cast<uintptr_t>(value) & 0xffff000000000000); }
+ template<typename U = void*>
+ static void assertIsScrambled(U value) { RELEASE_ASSERT(isScrambled(value)); }
+ template<typename U = void*>
+ static void assertIsNotScrambled(U value) { RELEASE_ASSERT(!isScrambled(value)); }
#else
- template<typename T = void*> static void assertIsScrambled(T) { }
- template<typename T = void*> static void assertIsNotScrambled(T) { }
+ template<typename U = void*> static void assertIsScrambled(U) { }
+ template<typename U = void*> static void assertIsNotScrambled(U) { }
#endif
void assertIsScrambled() const { assertIsScrambled(m_scrambledBits); }
void assertIsNotScrambled() const { assertIsNotScrambled(m_scrambledBits); }
- template<typename T = void*>
- T descramble() const { return descramble<T>(m_scrambledBits); }
+ template<typename U = T>
+ U descrambled() const { return descramble<U>(m_scrambledBits); }
- template<typename T, typename = typename std::enable_if<std::is_pointer<T>::value>::type>
ALWAYS_INLINE T operator->() const { return descramble<T>(m_scrambledBits); }
- ScrambledPtrBits scrambledBits() const { return m_scrambledBits; }
+ template<typename U = ScrambledPtrBits>
+ U bits() const { return bitwise_cast<U>(m_scrambledBits); }
bool operator!() const { return !m_scrambledBits; }
explicit operator bool() const { return !!m_scrambledBits; }
@@ -93,20 +92,27 @@
template<typename PtrType = void*, typename = typename std::enable_if<std::is_pointer<PtrType>::value>::type>
bool operator==(const PtrType b)
{
- return descramble<PtrType>() == b;
+ return descrambled<PtrType>() == b;
}
+ ScrambledPtr& operator=(T ptr)
+ {
+ m_scrambledBits = ptr ? scramble(ptr) : 0;
+ return *this;
+ }
+ ScrambledPtr& operator=(const ScrambledPtr&) = default;
+
private:
#if USE(JSVALUE64)
- template<typename T>
- ALWAYS_INLINE static ScrambledPtrBits scramble(T ptr) { return bitwise_cast<ScrambledPtrBits>(ptr) ^ key; }
- template<typename T>
- ALWAYS_INLINE static T descramble(ScrambledPtrBits scrambledBits) { return bitwise_cast<T>(scrambledBits ^ key); }
+ template<typename U>
+ ALWAYS_INLINE static ScrambledPtrBits scramble(U ptr) { return bitwise_cast<ScrambledPtrBits>(ptr) ^ key; }
+ template<typename U>
+ ALWAYS_INLINE static U descramble(ScrambledPtrBits scrambledBits) { return bitwise_cast<U>(scrambledBits ^ key); }
#else
- template<typename T>
- ALWAYS_INLINE static ScrambledPtrBits scramble(T ptr) { return bitwise_cast<ScrambledPtrBits>(ptr); }
- template<typename T>
- ALWAYS_INLINE static T descramble(ScrambledPtrBits scrambledBits) { return bitwise_cast<T>(scrambledBits); }
+ template<typename U>
+ ALWAYS_INLINE static ScrambledPtrBits scramble(U ptr) { return bitwise_cast<ScrambledPtrBits>(ptr); }
+ template<typename U>
+ ALWAYS_INLINE static U descramble(ScrambledPtrBits scrambledBits) { return bitwise_cast<U>(scrambledBits); }
#endif
ScrambledPtrBits m_scrambledBits { 0 };
