Bug 981991 - Make most poisoning unconditional r=jandem

2019-01-10 13:21:46 +00:00 · 2019-01-10 13:21:46 +00:00 · d087597227
--- a/js/src/builtin/Array.cpp
+++ b/js/src/builtin/Array.cpp
@ -4424,7 +4424,7 @@ void js::ArraySpeciesLookup::initialize(JSContext* cx) {
 }

 void js::ArraySpeciesLookup::reset() {
-  Poison(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
+  AlwaysPoison(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
  state_ = State::Uninitialized;
 }

--- a/js/src/builtin/Promise.cpp
+++ b/js/src/builtin/Promise.cpp
@ -4695,7 +4695,7 @@ void js::PromiseLookup::initialize(JSContext* cx) {
 }

 void js::PromiseLookup::reset() {
-  Poison(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
+  AlwaysPoison(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
  state_ = State::Uninitialized;
 }

--- a/js/src/frontend/NameFunctions.cpp
+++ b/js/src/frontend/NameFunctions.cpp
@ -985,8 +985,8 @@ class NameResolver {
    MOZ_ASSERT(parents[initialParents] == cur,
               "pushed child shouldn't change underneath us");

-    Poison(&parents[initialParents], 0xFF, sizeof(parents[initialParents]),
-           MemCheckKind::MakeUndefined);
+    AlwaysPoison(&parents[initialParents], 0xFF, sizeof(parents[initialParents]),
+                 MemCheckKind::MakeUndefined);

    return true;
  }
--- a/js/src/gc/GC.cpp
+++ b/js/src/gc/GC.cpp
@ -590,7 +590,7 @@ inline size_t Arena::finalize(FreeOp* fop, AllocKind thingKind,
      nmarked++;
    } else {
      t->finalize(fop);
-      Poison(t, JS_SWEPT_TENURED_PATTERN, thingSize,
+      AlwaysPoison(t, JS_SWEPT_TENURED_PATTERN, thingSize,
             MemCheckKind::MakeUndefined);
      gcTracer.traceTenuredFinalize(t);
    }
@ -2952,11 +2952,9 @@ void GCRuntime::releaseRelocatedArenasWithoutUnlocking(Arena* arenaList,
    // Mark arena as empty
    arena->setAsFullyUnused();

-#if defined(JS_CRASH_DIAGNOSTICS) || defined(JS_GC_ZEAL)
-    Poison(reinterpret_cast<void*>(arena->thingsStart()),
-           JS_MOVED_TENURED_PATTERN, arena->getThingsSpan(),
-           MemCheckKind::MakeNoAccess);
-#endif
+    AlwaysPoison(reinterpret_cast<void*>(arena->thingsStart()),
+                 JS_MOVED_TENURED_PATTERN, arena->getThingsSpan(),
+                 MemCheckKind::MakeNoAccess);

    releaseArena(arena, lock);
    ++count;
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@ -2287,8 +2287,8 @@ inline void MarkStack::poisonUnused() {
                "The mark stack poison pattern must not look like a valid "
                "tagged pointer");

-  Poison(stack().begin() + topIndex_, JS_FRESH_MARK_STACK_PATTERN,
-         stack().capacity() - topIndex_, MemCheckKind::MakeUndefined);
+  AlwaysPoison(stack().begin() + topIndex_, JS_FRESH_MARK_STACK_PATTERN,
+               stack().capacity() - topIndex_, MemCheckKind::MakeUndefined);
 }

 size_t MarkStack::sizeOfExcludingThis(
--- a/js/src/vm/Iteration.cpp
+++ b/js/src/vm/Iteration.cpp
@ -674,8 +674,8 @@ static PropertyIteratorObject* CreatePropertyIterator(
 NativeIterator::NativeIterator() {
  // Do our best to enforce that nothing in |this| except the two fields set
  // below is ever observed.
-  Poison(static_cast<void*>(this), 0xCC, sizeof(*this),
-         MemCheckKind::MakeUndefined);
+  AlwaysPoison(static_cast<void*>(this), 0xCC, sizeof(*this),
+               MemCheckKind::MakeUndefined);

  // These are the only two fields in sentinel NativeIterators that are
  // examined, in ObjectRealm::sweepNativeIterators.  Everything else is
--- a/js/src/vm/JSScript.cpp
+++ b/js/src/vm/JSScript.cpp
@ -3565,7 +3565,7 @@ void JSScript::finalize(FreeOp* fop) {
 #endif

  if (data_) {
-    Poison(data_, 0xdb, computedSizeOfData(), MemCheckKind::MakeNoAccess);
+    AlwaysPoison(data_, 0xdb, computedSizeOfData(), MemCheckKind::MakeNoAccess);
    fop->free_(data_);
  }

--- a/js/src/vm/Scope.h
+++ b/js/src/vm/Scope.h
@ -176,8 +176,8 @@ class TrailingNamesArray {

  explicit TrailingNamesArray(size_t nameCount) {
    if (nameCount) {
-      Poison(&data_, 0xCC, sizeof(BindingName) * nameCount,
-             MemCheckKind::MakeUndefined);
+      AlwaysPoison(&data_, 0xCC, sizeof(BindingName) * nameCount,
+                   MemCheckKind::MakeUndefined);
    }
  }

--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@ -4469,9 +4469,9 @@ void ConstraintTypeSet::sweep(const AutoSweepBase& sweep, Zone* zone) {
    }
    setBaseObjectCount(objectCount);
    // Note: -1/+1 to also poison the capacity field.
-    Poison(oldArray - 1, JS_SWEPT_TI_PATTERN,
-           (oldCapacity + 1) * sizeof(oldArray[0]),
-           MemCheckKind::MakeUndefined);
+    AlwaysPoison(oldArray - 1, JS_SWEPT_TI_PATTERN,
+                 (oldCapacity + 1) * sizeof(oldArray[0]),
+                 MemCheckKind::MakeUndefined);
  } else if (objectCount == 1) {
    ObjectKey* key = (ObjectKey*)objectSet;
    if (!IsObjectKeyAboutToBeFinalized(&key)) {
@ -4507,8 +4507,8 @@ void ConstraintTypeSet::sweep(const AutoSweepBase& sweep, Zone* zone) {
      }
    }
    TypeConstraint* next = constraint->next();
-    Poison(constraint, JS_SWEPT_TI_PATTERN, sizeof(TypeConstraint),
-           MemCheckKind::MakeUndefined);
+    AlwaysPoison(constraint, JS_SWEPT_TI_PATTERN, sizeof(TypeConstraint),
+                 MemCheckKind::MakeUndefined);
    constraint = next;
  }
 }
@ -4585,8 +4585,8 @@ void ObjectGroup::sweep(const AutoSweepObjectGroup& sweep) {

    auto poisonArray = mozilla::MakeScopeExit([oldArray, oldCapacity] {
      size_t size = sizeof(Property*) * (oldCapacity + 1);
-      Poison(oldArray - 1, JS_SWEPT_TI_PATTERN, size,
-             MemCheckKind::MakeUndefined);
+      AlwaysPoison(oldArray - 1, JS_SWEPT_TI_PATTERN, size,
+                   MemCheckKind::MakeUndefined);
    });

    unsigned oldPropertyCount = propertyCount;
@ -4607,14 +4607,14 @@ void ObjectGroup::sweep(const AutoSweepObjectGroup& sweep) {
           * (i.e. for the definite properties analysis). The contents of
           * these type sets will be regenerated as necessary.
           */
-          Poison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
-                 MemCheckKind::MakeUndefined);
+          AlwaysPoison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
+                       MemCheckKind::MakeUndefined);
          continue;
        }

        Property* newProp = typeLifoAlloc.new_<Property>(*prop);
-        Poison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
-               MemCheckKind::MakeUndefined);
+        AlwaysPoison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
+                     MemCheckKind::MakeUndefined);
        if (newProp) {
          Property** pentry = TypeHashSet::Insert<jsid, Property, Property>(
              typeLifoAlloc, propertySet, propertyCount, newProp->id);
@ -4640,13 +4640,13 @@ void ObjectGroup::sweep(const AutoSweepObjectGroup& sweep) {
    if (singleton() && !prop->types.constraintList(sweep) &&
        !zone()->isPreservingCode()) {
      // Skip, as above.
-      Poison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
-             MemCheckKind::MakeUndefined);
+      AlwaysPoison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
+                   MemCheckKind::MakeUndefined);
      clearProperties(sweep);
    } else {
      Property* newProp = typeLifoAlloc.new_<Property>(*prop);
-      Poison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
-             MemCheckKind::MakeUndefined);
+      AlwaysPoison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
+                   MemCheckKind::MakeUndefined);
      if (newProp) {
        propertySet = (Property**)newProp;
        newProp->types.sweep(sweep, zone());