Apply poisoning to some native code pointers.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 8 Dec 2017 01:22:06 +0000 (01:22 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 8 Dec 2017 01:22:06 +0000 (01:22 +0000)
commitdd3193f908bd5cc07f297380acb60e9e49ae68ac
treead2a7b52cf9ccf822a64a529b578978c735412bc
parent691f0c1f692d0fb355a56e24ca5947e0e6eae933
Apply poisoning to some native code pointers.
https://bugs.webkit.org/show_bug.cgi?id=180541
<rdar://problem/35916875>

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

Renamed g_classInfoPoison to g_globalDataPoison.
Renamed g_masmPoison to g_jitCodePoison.
Introduced g_nativeCodePoison.
Applied g_nativeCodePoison to poisoning some native code pointers.

Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
to malloc allocated data structures (where needed).

* API/JSCallbackFunction.h:
(JSC::JSCallbackFunction::functionCallback):
* JavaScriptCore.xcodeproj/project.pbxproj:
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
* llint/LowLevelInterpreter64.asm:
* runtime/CustomGetterSetter.h:
(JSC::CustomGetterSetter::getter const):
(JSC::CustomGetterSetter::setter const):
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::getCallData):
(JSC::InternalFunction::getConstructData):
* runtime/InternalFunction.h:
(JSC::InternalFunction::nativeFunctionFor):
* runtime/JSCPoison.h: Added.
* runtime/JSCPoisonedPtr.cpp:
(JSC::initializePoison):
* runtime/JSCPoisonedPtr.h:
* runtime/Lookup.h:
* runtime/NativeExecutable.cpp:
(JSC::NativeExecutable::hashFor const):
* runtime/NativeExecutable.h:
* runtime/Structure.cpp:
(JSC::StructureTransitionTable::setSingleTransition):
* runtime/StructureTransitionTable.h:
(JSC::StructureTransitionTable::StructureTransitionTable):
(JSC::StructureTransitionTable::isUsingSingleSlot const):
(JSC::StructureTransitionTable::map const):
(JSC::StructureTransitionTable::weakImpl const):
(JSC::StructureTransitionTable::setMap):

Source/WTF:

Ensure that the resultant poisoned bits still looks like a pointer in that its
bottom bits are 0, just like the alignment bits of a pointer.  This allows the
client to use the bottom bits of the poisoned bits as flag bits just like the
client was previously able to do with pointer values.

Note: we only ensure that the bottom alignment bits of the generated poison
value is 0.  We're not masking out the poisoned bits.  This means that the bottom
bits of the poisoned bits will only be null if the original pointer is aligned.
Hence, if the client applies the poison to an unaligned pointer, we do not lose
any information on the low bits.

Also removed 2 wrong assertions in PoisonedImpl's constructors.  We were
asserting that Poisoned will never be used with a null value, but that's invalid.
We do want to allow a null value so that we don't have to constantly do null
checks in the clients.  This was uncovered by some layout tests.

* wtf/Poisoned.cpp:
(WTF::makePoison):
* wtf/Poisoned.h:
(WTF::PoisonedImpl::PoisonedImpl):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@225659 268f45cc-cd09-0410-ab3c-d52691b4dbfc
22 files changed:
Source/JavaScriptCore/API/JSCallbackFunction.h
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/b3/B3LowerMacros.cpp
Source/JavaScriptCore/b3/testb3.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/ThunkGenerators.cpp
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
Source/JavaScriptCore/runtime/CustomGetterSetter.h
Source/JavaScriptCore/runtime/InternalFunction.cpp
Source/JavaScriptCore/runtime/InternalFunction.h
Source/JavaScriptCore/runtime/JSCPoison.h [new file with mode: 0644]
Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp
Source/JavaScriptCore/runtime/JSCPoisonedPtr.h
Source/JavaScriptCore/runtime/NativeExecutable.cpp
Source/JavaScriptCore/runtime/NativeExecutable.h
Source/JavaScriptCore/runtime/Structure.cpp
Source/JavaScriptCore/runtime/StructureTransitionTable.h
Source/WTF/ChangeLog
Source/WTF/wtf/Poisoned.cpp
Source/WTF/wtf/Poisoned.h