From 322d66569c8cf8d52f96887d0ab454f0d0c9f23f Mon Sep 17 00:00:00 2001
From: "msaboff@apple.com"
Date: Tue, 9 Jan 2018 21:47:22 +0000
Subject: [PATCH] Unreviewed, rolling out r226600 and r226603 https://bugs.webkit.org/show_bug.cgi?id=181351

Add a DOM gadget for Spectre testing
* runtime/Options.h:
* dom/Comment.cpp:
(WebCore::Comment::Comment):
(WebCore::Comment::setReadLength): Deleted.
(WebCore::Comment::charCodeAt): Deleted.
(WebCore::Comment::clflushReadLength): Deleted.
* dom/Comment.h:
* dom/Comment.idl:
* page/RuntimeEnabledFeatures.cpp:
(WebCore::RuntimeEnabledFeatures::spectreGadgetsEnabled const): Deleted.
* page/RuntimeEnabledFeatures.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226658 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/JavaScriptCore/ChangeLog | 9 ++++++
 Source/JavaScriptCore/runtime/Options.h | 2 --
 Source/WebCore/ChangeLog | 18 ++++++++++++
 Source/WebCore/dom/Comment.cpp | 40 --------------------------
 Source/WebCore/dom/Comment.h | 8 ------
 Source/WebCore/dom/Comment.idl | 3 --
 Source/WebCore/page/RuntimeEnabledFeatures.cpp | 6 ----
 Source/WebCore/page/RuntimeEnabledFeatures.h | 2 --
 8 files changed, 27 insertions(+), 61 deletions(-)

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 98b61be..6aebe1a 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,12 @@
+2018-01-09 Michael Saboff
+
+ Unreviewed, rolling out r226600 and r226603
+ https://bugs.webkit.org/show_bug.cgi?id=181351
+
+ Add a DOM gadget for Spectre testing
+
+ * runtime/Options.h:
+
 2018-01-09 Saam Barati
 Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
index e5300ba..65c3de8 100644
--- a/Source/JavaScriptCore/runtime/Options.h
+++ b/Source/JavaScriptCore/runtime/Options.h
@@ -460,8 +460,6 @@ constexpr bool enableAsyncIteration = false;
 \
 v(bool, enableSpectreMitigations, true, Restricted, "Enable Spectre mitigations.") \
 \
- v(bool, enableSpectreGadgets, false, Restricted, "enable gadgets to test Spectre mitigations.") \
- \
 v(bool, useAsyncIterator, enableAsyncIteration, Normal, "Allow to use Async Iterator in JS.") \
 \
 v(bool, failToCompileWebAssemblyCode, false, Normal, "If true, no Wasm::Plan will sucessfully compile a function.") \
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 4fd1da7..72f5d25 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2018-01-09 Michael Saboff
+
+ Unreviewed, rolling out r226600 and r226603
+ https://bugs.webkit.org/show_bug.cgi?id=181351
+
+ Add a DOM gadget for Spectre testing
+
+ * dom/Comment.cpp:
+ (WebCore::Comment::Comment):
+ (WebCore::Comment::setReadLength): Deleted.
+ (WebCore::Comment::charCodeAt): Deleted.
+ (WebCore::Comment::clflushReadLength): Deleted.
+ * dom/Comment.h:
+ * dom/Comment.idl:
+ * page/RuntimeEnabledFeatures.cpp:
+ (WebCore::RuntimeEnabledFeatures::spectreGadgetsEnabled const): Deleted.
+ * page/RuntimeEnabledFeatures.h:
+
 2018-01-09 Don Olmstead
 Add additional WEBCORE_EXPORTs
diff --git a/Source/WebCore/dom/Comment.cpp b/Source/WebCore/dom/Comment.cpp
index 1bda78a..7314368 100644
--- a/Source/WebCore/dom/Comment.cpp
+++ b/Source/WebCore/dom/Comment.cpp
@@ -23,27 +23,12 @@
 #include "Comment.h"
 #include "Document.h"
-#include "RuntimeEnabledFeatures.h"
 namespace WebCore {
-static constexpr unsigned s_maxDataLength = 100u;
-
 inline Comment::Comment(Document& document, const String& text)
 : CharacterData(document, text, CreateOther)
 {
- if (RuntimeEnabledFeatures::sharedFeatures().spectreGadgetsEnabled()) {
- setReadLength(text.length());
- m_data.resize(s_maxDataLength);
- m_data.fill(0);
- m_dataPtr = m_data.data();
-
- for (size_t i = 0; i < m_readLength; i++)
- m_data[i] = text.characterAt(i);
- } else {
- setReadLength(0);
- m_dataPtr = nullptr;
- }
 }
 Ref Comment::create(Document& document, const String& text)
@@ -71,29 +56,4 @@ bool Comment::childTypeAllowed(NodeType) const
 return false;
 }
-void Comment::setReadLength(unsigned readLength)
-{
- m_readLength = std::min(readLength, s_maxDataLength);
-}
-
-unsigned Comment::charCodeAt(unsigned index)
-{
- if (index < m_readLength)
- return m_dataPtr[index];
-
- return 0;
-}
-
-void Comment::clflushReadLength()
-{
-#if CPU(X86_64) && !OS(WINDOWS)
- auto clflush = [] (void* ptr) {
- char* ptrToFlush = static_cast(ptr);
- asm volatile ("clflush %0" :: "m"(*ptrToFlush) : "memory");
- };
-
- clflush(&m_readLength);
-#endif
-}
-
 } // namespace WebCore
diff --git a/Source/WebCore/dom/Comment.h b/Source/WebCore/dom/Comment.h
index bd51195..fe7d348 100644
--- a/Source/WebCore/dom/Comment.h
+++ b/Source/WebCore/dom/Comment.h
@@ -30,10 +30,6 @@ class Comment final : public CharacterData {
 public:
 static Ref create(Document&, const String&);
- void setReadLength(unsigned);
- unsigned charCodeAt(unsigned);
- void clflushReadLength();
-
 private:
 Comment(Document&, const String&);
@@ -41,10 +37,6 @@ private:
 NodeType nodeType() const override;
 Ref cloneNodeInternal(Document&, CloningOperation) override;
 bool childTypeAllowed(NodeType) const override;
-
- Vector m_data;
- size_t m_readLength;
- int32_t* m_dataPtr;
 };
 } // namespace WebCore
diff --git a/Source/WebCore/dom/Comment.idl b/Source/WebCore/dom/Comment.idl
index 2c32a34..fd45912 100644
--- a/Source/WebCore/dom/Comment.idl
+++ b/Source/WebCore/dom/Comment.idl
@@ -22,8 +22,5 @@
 ConstructorCallWith=Document,
 JSGenerateToJSObject
 ] interface Comment : CharacterData {
- [EnabledAtRuntime=SpectreGadgets] void setReadLength(unsigned long readLength);
- [EnabledAtRuntime=SpectreGadgets] unsigned long charCodeAt(unsigned long index);
- [EnabledAtRuntime=SpectreGadgets] void clflushReadLength();
 };
diff --git a/Source/WebCore/page/RuntimeEnabledFeatures.cpp b/Source/WebCore/page/RuntimeEnabledFeatures.cpp
index 8d52c44..def1188 100644
--- a/Source/WebCore/page/RuntimeEnabledFeatures.cpp
+++ b/Source/WebCore/page/RuntimeEnabledFeatures.cpp
@@ -33,7 +33,6 @@
 #include "RuntimeEnabledFeatures.h"
 #include "MediaPlayer.h"
-#include
 #include
 namespace WebCore {
@@ -52,11 +51,6 @@ RuntimeEnabledFeatures& RuntimeEnabledFeatures::sharedFeatures()
 return runtimeEnabledFeatures;
 }
-bool RuntimeEnabledFeatures::spectreGadgetsEnabled() const
-{
- return JSC::Options::enableSpectreGadgets();
-}
-
 #if ENABLE(VIDEO)
 bool RuntimeEnabledFeatures::audioEnabled() const
 {
diff --git a/Source/WebCore/page/RuntimeEnabledFeatures.h b/Source/WebCore/page/RuntimeEnabledFeatures.h
index ad8f3c6..f4e283f 100644
--- a/Source/WebCore/page/RuntimeEnabledFeatures.h
+++ b/Source/WebCore/page/RuntimeEnabledFeatures.h
@@ -220,8 +220,6 @@ public:
 void setServiceWorkerEnabled(bool isEnabled) { m_serviceWorkerEnabled = isEnabled; }
 #endif
- bool spectreGadgetsEnabled() const;
-
 #if ENABLE(VIDEO)
 bool audioEnabled() const;
 #endif
--
1.8.3.1