<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[226133] branches/safari-604-branch</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/226133">226133</a></dd>
<dt>Author</dt> <dd>jmarcell@apple.com</dd>
<dt>Date</dt> <dd>2017-12-19 11:34:17 -0800 (Tue, 19 Dec 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>Apply patch. rdar://problem/36111993

    Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/225363">r225363</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225437">r225437</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225632">r225632</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225659">r225659</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225697">r225697</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225857">r225857</a>. rdar://problem/36085975

        Also merged offlineasm parts of <a href="http://trac.webkit.org/projects/webkit/changeset/220184">r220184</a> and <a href="http://trac.webkit.org/projects/webkit/changeset/222549">r222549</a>.  These changes are required
        to support the code in cherry-picked revisions above.

    2017-11-30  Mark Lam  <mark.lam@apple.com>

            Let's scramble MacroAssemblerCodePtr values.
            https://bugs.webkit.org/show_bug.cgi?id=180169
            <rdar://problem/35758340>

            Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.

            1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.

            2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
               template argument type that will be used to cast the result.  This makes the
               client code that uses these functions a little less verbose.

            3. Change the code base in general to minimize passing void* code pointers around.
               We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
               at the last moment when we need the underlying code pointer.

            4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
               default.  I'm leaving them in because they are instrumental in finding bugs
               where not all MacroAssemblerCodePtr values were scrambled as expected.
               I expect them to be useful in the near future as we add more scrambling.

            5. Also disable the casting operator on MacroAssemblerCodePtr (except for
               explicit casts to a boolean).  This ensures that clients will always explicitly
               use scrambledBits() or executableAddress() to get a value based on which value
               they actually need.

            5. Added currentThread() id to the logging in LLIntSlowPath trace functions.
               This was helpful when debugging tests that ran multiple VMs concurrently on
               different threads.

            MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
            CLoop).  It is not yet supported in 32-bit and Windows because we don't
            currently have a way to read a global variable from their LLInt code.

            * assembler/AbstractMacroAssembler.h:
            (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
            (JSC::AbstractMacroAssembler::linkPointer):
            * assembler/CodeLocation.h:
            (JSC::CodeLocationCommon::instructionAtOffset):
            (JSC::CodeLocationCommon::labelAtOffset):
            (JSC::CodeLocationCommon::jumpAtOffset):
            (JSC::CodeLocationCommon::callAtOffset):
            (JSC::CodeLocationCommon::nearCallAtOffset):
            (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
            (JSC::CodeLocationCommon::dataLabel32AtOffset):
            (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
            (JSC::CodeLocationCommon::convertibleLoadAtOffset):
            * assembler/LinkBuffer.cpp:
            (JSC::LinkBuffer::finalizeCodeWithDisassembly):
            * assembler/LinkBuffer.h:
            (JSC::LinkBuffer::link):
            (JSC::LinkBuffer::patch):
            * assembler/MacroAssemblerCodeRef.cpp:
            (JSC::MacroAssemblerCodePtr::initialize):
            * assembler/MacroAssemblerCodeRef.h:
            (JSC::FunctionPtr::FunctionPtr):
            (JSC::FunctionPtr::value const):
            (JSC::FunctionPtr::executableAddress const):
            (JSC::ReturnAddressPtr::ReturnAddressPtr):
            (JSC::ReturnAddressPtr::value const):
            (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
            (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
            (JSC::MacroAssemblerCodePtr::scrambledPtr const):
            (JSC::MacroAssemblerCodePtr:: const):
            (JSC::MacroAssemblerCodePtr::operator! const):
            (JSC::MacroAssemblerCodePtr::operator bool const):
            (JSC::MacroAssemblerCodePtr::operator== const):
            (JSC::MacroAssemblerCodePtr::hash const):
            (JSC::MacroAssemblerCodePtr::emptyValue):
            (JSC::MacroAssemblerCodePtr::deletedValue):
            (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
            (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
            * b3/B3LowerMacros.cpp:
            * b3/testb3.cpp:
            (JSC::B3::testInterpreter):
            * dfg/DFGDisassembler.cpp:
            (JSC::DFG::Disassembler::dumpDisassembly):
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::link):
            (JSC::DFG::JITCompiler::compileFunction):
            * dfg/DFGOperations.cpp:
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
            (JSC::DFG::SpeculativeJIT::emitSwitchImm):
            (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
            (JSC::DFG::SpeculativeJIT::emitSwitchChar):
            * dfg/DFGSpeculativeJIT.h:
            * disassembler/Disassembler.cpp:
            (JSC::disassemble):
            * disassembler/UDis86Disassembler.cpp:
            (JSC::tryToDisassembleWithUDis86):
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile):
            * ftl/FTLJITCode.cpp:
            (JSC::FTL::JITCode::executableAddressAtOffset):
            * ftl/FTLLink.cpp:
            (JSC::FTL::link):
            * ftl/FTLLowerDFGToB3.cpp:
            (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
            (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
            * interpreter/InterpreterInlines.h:
            (JSC::Interpreter::getOpcodeID):
            * jit/JITArithmetic.cpp:
            (JSC::JIT::emitMathICFast):
            (JSC::JIT::emitMathICSlow):
            * jit/JITCode.cpp:
            (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
            (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
            (JSC::JITCodeWithCodeRef::offsetOf):
            * jit/JITDisassembler.cpp:
            (JSC::JITDisassembler::dumpDisassembly):
            * jit/PCToCodeOriginMap.cpp:
            (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
            * jit/Repatch.cpp:
            (JSC::ftlThunkAwareRepatchCall):
            * jit/ThunkGenerators.cpp:
            (JSC::virtualThunkFor):
            (JSC::boundThisNoArgsFunctionCallGenerator):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::llint_trace_operand):
            (JSC::LLInt::llint_trace_value):
            (JSC::LLInt::handleHostCall):
            (JSC::LLInt::setUpCall):
            * llint/LowLevelInterpreter64.asm:
            * offlineasm/cloop.rb:
            * runtime/InitializeThreading.cpp:
            (JSC::initializeThreading):
            * wasm/WasmBBQPlan.cpp:
            (JSC::Wasm::BBQPlan::complete):
            * wasm/WasmCallee.h:
            (JSC::Wasm::Callee::entrypoint const):
            * wasm/WasmCodeBlock.cpp:
            (JSC::Wasm::CodeBlock::CodeBlock):
            * wasm/WasmOMGPlan.cpp:
            (JSC::Wasm::OMGPlan::work):
            * wasm/js/WasmToJS.cpp:
            (JSC::Wasm::wasmToJS):
            * wasm/js/WebAssemblyFunction.cpp:
            (JSC::callWebAssemblyFunction):
            * wasm/js/WebAssemblyFunction.h:
            * wasm/js/WebAssemblyWrapperFunction.cpp:
            (JSC::WebAssemblyWrapperFunction::create):

    2017-12-01  Mark Lam  <mark.lam@apple.com>

            Let's scramble ClassInfo pointers in cells.
            https://bugs.webkit.org/show_bug.cgi?id=180291
            <rdar://problem/35807620>

            Reviewed by JF Bastien.

            * API/JSCallbackObject.h:
            * API/JSObjectRef.cpp:
            (classInfoPrivate):
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * Sources.txt:
            * assembler/MacroAssemblerCodeRef.cpp:
            (JSC::MacroAssemblerCodePtr::initialize): Deleted.
            * assembler/MacroAssemblerCodeRef.h:
            (JSC::MacroAssemblerCodePtr:: const):
            (JSC::MacroAssemblerCodePtr::hash const):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::checkArray):
            (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
            (JSC::DFG::SpeculativeJIT::compileNewStringObject):
            * ftl/FTLLowerDFGToB3.cpp:
            (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
            (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
            * jit/AssemblyHelpers.h:
            (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
            * jit/SpecializedThunkJIT.h:
            (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
            * runtime/InitializeThreading.cpp:
            (JSC::initializeThreading):
            * runtime/JSCScrambledPtr.cpp: Added.
            (JSC::initializeScrambledPtrKeys):
            * runtime/JSCScrambledPtr.h: Added.
            * runtime/JSDestructibleObject.h:
            (JSC::JSDestructibleObject::classInfo const):
            * runtime/JSSegmentedVariableObject.h:
            (JSC::JSSegmentedVariableObject::classInfo const):
            * runtime/Structure.h:
            * runtime/VM.h:

    2017-12-07  Mark Lam  <mark.lam@apple.com>

            [Re-landing <a href="http://trac.webkit.org/projects/webkit/changeset/225620">r225620</a>] Refactoring: Rename ScrambledPtr to Poisoned.
            https://bugs.webkit.org/show_bug.cgi?id=180514

            Reviewed by Saam Barati and JF Bastien.

            Re-landing <a href="http://trac.webkit.org/projects/webkit/changeset/225620">r225620</a> with speculative build fix for GCC 7.

            * API/JSCallbackObject.h:
            * API/JSObjectRef.cpp:
            (classInfoPrivate):
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * Sources.txt:
            * assembler/MacroAssemblerCodeRef.h:
            (JSC::FunctionPtr::FunctionPtr):
            (JSC::FunctionPtr::value const):
            (JSC::FunctionPtr::executableAddress const):
            (JSC::ReturnAddressPtr::ReturnAddressPtr):
            (JSC::ReturnAddressPtr::value const):
            (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
            (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
            (JSC::MacroAssemblerCodePtr::poisonedPtr const):
            (JSC::MacroAssemblerCodePtr:: const):
            (JSC::MacroAssemblerCodePtr::operator! const):
            (JSC::MacroAssemblerCodePtr::operator== const):
            (JSC::MacroAssemblerCodePtr::emptyValue):
            (JSC::MacroAssemblerCodePtr::deletedValue):
            (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
            * b3/B3LowerMacros.cpp:
            * b3/testb3.cpp:
            (JSC::B3::testInterpreter):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::checkArray):
            (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
            (JSC::DFG::SpeculativeJIT::compileNewStringObject):
            (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
            * ftl/FTLLowerDFGToB3.cpp:
            (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
            (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
            * jit/AssemblyHelpers.h:
            (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
            * jit/SpecializedThunkJIT.h:
            (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
            * jit/ThunkGenerators.cpp:
            (JSC::virtualThunkFor):
            (JSC::boundThisNoArgsFunctionCallGenerator):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::handleHostCall):
            (JSC::LLInt::setUpCall):
            * llint/LowLevelInterpreter64.asm:
            * runtime/InitializeThreading.cpp:
            (JSC::initializeThreading):
            * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
            (JSC::initializePoison):
            (JSC::initializeScrambledPtrKeys): Deleted.
            * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
            * runtime/JSCScrambledPtr.cpp: Removed.
            * runtime/JSCScrambledPtr.h: Removed.
            * runtime/JSDestructibleObject.h:
            (JSC::JSDestructibleObject::classInfo const):
            * runtime/JSSegmentedVariableObject.h:
            (JSC::JSSegmentedVariableObject::classInfo const):
            * runtime/Structure.h:
            * runtime/VM.h:

    2017-12-07  Mark Lam  <mark.lam@apple.com>

            Apply poisoning to some native code pointers.
            https://bugs.webkit.org/show_bug.cgi?id=180541
            <rdar://problem/35916875>

            Reviewed by Filip Pizlo.

            Renamed g_classInfoPoison to g_globalDataPoison.
            Renamed g_masmPoison to g_jitCodePoison.
            Introduced g_nativeCodePoison.
            Applied g_nativeCodePoison to poisoning some native code pointers.

            Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
            to malloc allocated data structures (where needed).

            * API/JSCallbackFunction.h:
            (JSC::JSCallbackFunction::functionCallback):
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * jit/ThunkGenerators.cpp:
            (JSC::nativeForGenerator):
            * llint/LowLevelInterpreter64.asm:
            * runtime/CustomGetterSetter.h:
            (JSC::CustomGetterSetter::getter const):
            (JSC::CustomGetterSetter::setter const):
            * runtime/InternalFunction.cpp:
            (JSC::InternalFunction::getCallData):
            (JSC::InternalFunction::getConstructData):
            * runtime/InternalFunction.h:
            (JSC::InternalFunction::nativeFunctionFor):
            * runtime/JSCPoison.h: Added.
            * runtime/JSCPoisonedPtr.cpp:
            (JSC::initializePoison):
            * runtime/JSCPoisonedPtr.h:
            * runtime/Lookup.h:
            * runtime/NativeExecutable.cpp:
            (JSC::NativeExecutable::hashFor const):
            * runtime/NativeExecutable.h:
            * runtime/Structure.cpp:
            (JSC::StructureTransitionTable::setSingleTransition):
            * runtime/StructureTransitionTable.h:
            (JSC::StructureTransitionTable::StructureTransitionTable):
            (JSC::StructureTransitionTable::isUsingSingleSlot const):
            (JSC::StructureTransitionTable::map const):
            (JSC::StructureTransitionTable::weakImpl const):
            (JSC::StructureTransitionTable::setMap):

    2017-12-08  Mark Lam  <mark.lam@apple.com>

            Need to unpoison native function pointers for CLoop.
            https://bugs.webkit.org/show_bug.cgi?id=180601
            <rdar://problem/35942028>

            Reviewed by JF Bastien.

            * llint/LowLevelInterpreter64.asm:

    2017-12-13  Mark Lam  <mark.lam@apple.com>

            Fill out some Poisoned APIs, fix some bugs, and add some tests.
            https://bugs.webkit.org/show_bug.cgi?id=180724
            <rdar://problem/36006884>

            Reviewed by JF Bastien.

            * runtime/StructureTransitionTable.h:

    2017-12-18  Jason Marcell  <jmarcell@apple.com>

        Apply patch. rdar://problem/36113365

        Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/225363">r225363</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225437">r225437</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225632">r225632</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225659">r225659</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225697">r225697</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225857">r225857</a>. rdar://problem/36085975

    2017-11-30  Mark Lam  <mark.lam@apple.com>

            Let's scramble MacroAssemblerCodePtr values.
            https://bugs.webkit.org/show_bug.cgi?id=180169
            <rdar://problem/35758340>

            Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.

            Introduce a ScrambledPtr class to facilitate scrambling.

            * WTF.xcodeproj/project.pbxproj:
            * wtf/CMakeLists.txt:
            * wtf/ScrambledPtr.cpp: Added.
            (WTF::makeScrambledPtrKey):
            * wtf/ScrambledPtr.h: Added.
            (WTF::ScrambledPtr::ScrambledPtr):
            (WTF::ScrambledPtr::paranoidAssertIsScrambled const):
            (WTF::ScrambledPtr::paranoidAssertIsNotScrambled const):
            (WTF::ScrambledPtr:: const):
            (WTF::ScrambledPtr::operator-> const):
            (WTF::ScrambledPtr::scrambledBits const):
            (WTF::ScrambledPtr::operator! const):
            (WTF::ScrambledPtr::operator bool const):
            (WTF::ScrambledPtr::operator== const):
            (WTF::ScrambledPtr::operator==):
            (WTF::ScrambledPtr::scramble):
            (WTF::ScrambledPtr::descramble):

    2017-12-01  Mark Lam  <mark.lam@apple.com>

            Let's scramble ClassInfo pointers in cells.
            https://bugs.webkit.org/show_bug.cgi?id=180291
            <rdar://problem/35807620>

            Reviewed by JF Bastien.

            * wtf/ScrambledPtr.h:
            (WTF::ScrambledPtr::descrambled const):
            (WTF::ScrambledPtr::bits const):
            (WTF::ScrambledPtr::operator==):
            (WTF::ScrambledPtr::operator=):
            (WTF::ScrambledPtr::scramble):
            (WTF::ScrambledPtr::descramble):
            (WTF::ScrambledPtr:: const): Deleted.
            (WTF::ScrambledPtr::scrambledBits const): Deleted.

    2017-12-07  Mark Lam  <mark.lam@apple.com>

            [Re-landing <a href="http://trac.webkit.org/projects/webkit/changeset/225620">r225620</a>] Refactoring: Rename ScrambledPtr to Poisoned.
            https://bugs.webkit.org/show_bug.cgi?id=180514

            Reviewed by Saam Barati and JF Bastien.

            Re-landing <a href="http://trac.webkit.org/projects/webkit/changeset/225620">r225620</a> with speculative build fix for GCC 7.

            * WTF.xcodeproj/project.pbxproj:
            * wtf/CMakeLists.txt:
            * wtf/Poisoned.cpp: Copied from Source/WTF/wtf/ScrambledPtr.cpp.
            (WTF::makePoison):
            (WTF::makeScrambledPtrKey): Deleted.
            * wtf/Poisoned.h: Copied from Source/WTF/wtf/ScrambledPtr.h.
            (WTF::PoisonedImpl::PoisonedImpl):
            (WTF::PoisonedImpl::assertIsPoisoned const):
            (WTF::PoisonedImpl::assertIsNotPoisoned const):
            (WTF::PoisonedImpl::unpoisoned const):
            (WTF::PoisonedImpl::operator-> const):
            (WTF::PoisonedImpl::bits const):
            (WTF::PoisonedImpl::operator! const):
            (WTF::PoisonedImpl::operator bool const):
            (WTF::PoisonedImpl::operator== const):
            (WTF::PoisonedImpl::operator==):
            (WTF::PoisonedImpl::operator=):
            (WTF::PoisonedImpl::poison):
            (WTF::PoisonedImpl::unpoison):
            (WTF::ScrambledPtr::ScrambledPtr): Deleted.
            (WTF::ScrambledPtr::assertIsScrambled const): Deleted.
            (WTF::ScrambledPtr::assertIsNotScrambled const): Deleted.
            (WTF::ScrambledPtr::descrambled const): Deleted.
            (WTF::ScrambledPtr::operator-> const): Deleted.
            (WTF::ScrambledPtr::bits const): Deleted.
            (WTF::ScrambledPtr::operator! const): Deleted.
            (WTF::ScrambledPtr::operator bool const): Deleted.
            (WTF::ScrambledPtr::operator== const): Deleted.
            (WTF::ScrambledPtr::operator==): Deleted.
            (WTF::ScrambledPtr::operator=): Deleted.
            (WTF::ScrambledPtr::scramble): Deleted.
            (WTF::ScrambledPtr::descramble): Deleted.
            * wtf/ScrambledPtr.cpp: Removed.
            * wtf/ScrambledPtr.h: Removed.

    2017-12-07  Mark Lam  <mark.lam@apple.com>

            Apply poisoning to some native code pointers.
            https://bugs.webkit.org/show_bug.cgi?id=180541
            <rdar://problem/35916875>

            Reviewed by Filip Pizlo.

            Ensure that the resultant poisoned bits still looks like a pointer in that its
            bottom bits are 0, just like the alignment bits of a pointer.  This allows the
            client to use the bottom bits of the poisoned bits as flag bits just like the
            client was previously able to do with pointer values.

            Note: we only ensure that the bottom alignment bits of the generated poison
            value is 0.  We're not masking out the poisoned bits.  This means that the bottom
            bits of the poisoned bits will only be null if the original pointer is aligned.
            Hence, if the client applies the poison to an unaligned pointer, we do not lose
            any information on the low bits.

            Also removed 2 wrong assertions in PoisonedImpl's constructors.  We were
            asserting that Poisoned will never be used with a null value, but that's invalid.
            We do want to allow a null value so that we don't have to constantly do null
            checks in the clients.  This was uncovered by some layout tests.

            * wtf/Poisoned.cpp:
            (WTF::makePoison):
            * wtf/Poisoned.h:
            (WTF::PoisonedImpl::PoisonedImpl):

    2017-12-13  Mark Lam  <mark.lam@apple.com>

            Fill out some Poisoned APIs, fix some bugs, and add some tests.
            https://bugs.webkit.org/show_bug.cgi?id=180724
            <rdar://problem/36006884>

            Reviewed by JF Bastien.

            Also rename Int32Poisoned to ConstExprPoisoned.  The key it takes is actually a
            uint32_t.  So, Int32 is really a misnomer.  In addition, the key needs to be a
            constexpr.  So, ConstExprPoisoned is a better name for it.

            * wtf/Poisoned.cpp:
            (WTF::makePoison):
            * wtf/Poisoned.h:
            (WTF::PoisonedImplHelper::asReference):
            (WTF::PoisonedImpl::PoisonedImpl):
            (WTF::PoisonedImpl::clear):
            (WTF::PoisonedImpl::operator* const):
            (WTF::PoisonedImpl::operator-> const):
            (WTF::PoisonedImpl::operator== const):
            (WTF::PoisonedImpl::operator!= const):
            (WTF::PoisonedImpl::operator< const):
            (WTF::PoisonedImpl::operator<= const):
            (WTF::PoisonedImpl::operator> const):
            (WTF::PoisonedImpl::operator>= const):
            (WTF::PoisonedImpl::operator=):
            (WTF::PoisonedImpl::swap):
            (WTF::PoisonedImpl::exchange):
            (WTF::swap):
            (WTF::makePoison):
            (WTF::PoisonedImpl::operator==): Deleted.

    2017-12-18  Mark Lam  <mark.lam@apple.com>

            Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/225363">r225363</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225437">r225437</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225632">r225632</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225659">r225659</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225697">r225697</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/225857">r225857</a>. rdar://problem/36085975

            Also merged offlineasm parts of <a href="http://trac.webkit.org/projects/webkit/changeset/220184">r220184</a> and <a href="http://trac.webkit.org/projects/webkit/changeset/222549">r222549</a>.  These changes are required
            to support the code in cherry-picked revisions above.

        2017-11-30  Mark Lam  <mark.lam@apple.com>

                Let's scramble MacroAssemblerCodePtr values.
                https://bugs.webkit.org/show_bug.cgi?id=180169
                <rdar://problem/35758340>

                Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.

                1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.

                2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
                   template argument type that will be used to cast the result.  This makes the
                   client code that uses these functions a little less verbose.

                3. Change the code base in general to minimize passing void* code pointers around.
                   We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
                   at the last moment when we need the underlying code pointer.

                4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
                   default.  I'm leaving them in because they are instrumental in finding bugs
                   where not all MacroAssemblerCodePtr values were not scrambled as expected.
                   I expect them to be useful in the near future as we add more scrambling.

                5. Also disable the casting operator on MacroAssemblerCodePtr (except for
                   explicit casts to a boolean).  This ensures that clients will always explicitly
                   use scrambledBits() or executableAddress() to get a value based on which value
                   they actually need.

                5. Added currentThread() id to the logging in LLIntSlowPath trace functions.
                   This was helpful when debugging tests that ran multiple VMs concurrently on
                   different threads.

                MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
                CLoop).  It is not yet supported in 32-bit and Windows because we don't
                currently have a way to read a global variable from their LLInt code.

                * assembler/AbstractMacroAssembler.h:
                (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
                (JSC::AbstractMacroAssembler::linkPointer):
                * assembler/CodeLocation.h:
                (JSC::CodeLocationCommon::instructionAtOffset):
                (JSC::CodeLocationCommon::labelAtOffset):
                (JSC::CodeLocationCommon::jumpAtOffset):
                (JSC::CodeLocationCommon::callAtOffset):
                (JSC::CodeLocationCommon::nearCallAtOffset):
                (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
                (JSC::CodeLocationCommon::dataLabel32AtOffset):
                (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
                (JSC::CodeLocationCommon::convertibleLoadAtOffset):
                * assembler/LinkBuffer.cpp:
                (JSC::LinkBuffer::finalizeCodeWithDisassembly):
                * assembler/LinkBuffer.h:
                (JSC::LinkBuffer::link):
                (JSC::LinkBuffer::patch):
                * assembler/MacroAssemblerCodeRef.cpp:
                (JSC::MacroAssemblerCodePtr::initialize):
                * assembler/MacroAssemblerCodeRef.h:
                (JSC::FunctionPtr::FunctionPtr):
                (JSC::FunctionPtr::value const):
                (JSC::FunctionPtr::executableAddress const):
                (JSC::ReturnAddressPtr::ReturnAddressPtr):
                (JSC::ReturnAddressPtr::value const):
                (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
                (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
                (JSC::MacroAssemblerCodePtr::scrambledPtr const):
                (JSC::MacroAssemblerCodePtr:: const):
                (JSC::MacroAssemblerCodePtr::operator! const):
                (JSC::MacroAssemblerCodePtr::operator bool const):
                (JSC::MacroAssemblerCodePtr::operator== const):
                (JSC::MacroAssemblerCodePtr::hash const):
                (JSC::MacroAssemblerCodePtr::emptyValue):
                (JSC::MacroAssemblerCodePtr::deletedValue):
                (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
                (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
                * b3/B3LowerMacros.cpp:
                * b3/testb3.cpp:
                (JSC::B3::testInterpreter):
                * dfg/DFGDisassembler.cpp:
                (JSC::DFG::Disassembler::dumpDisassembly):
                * dfg/DFGJITCompiler.cpp:
                (JSC::DFG::JITCompiler::link):
                (JSC::DFG::JITCompiler::compileFunction):
                * dfg/DFGOperations.cpp:
                * dfg/DFGSpeculativeJIT.cpp:
                (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
                (JSC::DFG::SpeculativeJIT::emitSwitchImm):
                (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
                (JSC::DFG::SpeculativeJIT::emitSwitchChar):
                * dfg/DFGSpeculativeJIT.h:
                * disassembler/Disassembler.cpp:
                (JSC::disassemble):
                * disassembler/UDis86Disassembler.cpp:
                (JSC::tryToDisassembleWithUDis86):
                * ftl/FTLCompile.cpp:
                (JSC::FTL::compile):
                * ftl/FTLJITCode.cpp:
                (JSC::FTL::JITCode::executableAddressAtOffset):
                * ftl/FTLLink.cpp:
                (JSC::FTL::link):
                * ftl/FTLLowerDFGToB3.cpp:
                (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
                (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
                (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
                (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
                (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
                * interpreter/InterpreterInlines.h:
                (JSC::Interpreter::getOpcodeID):
                * jit/JITArithmetic.cpp:
                (JSC::JIT::emitMathICFast):
                (JSC::JIT::emitMathICSlow):
                * jit/JITCode.cpp:
                (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
                (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
                (JSC::JITCodeWithCodeRef::offsetOf):
                * jit/JITDisassembler.cpp:
                (JSC::JITDisassembler::dumpDisassembly):
                * jit/PCToCodeOriginMap.cpp:
                (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
                * jit/Repatch.cpp:
                (JSC::ftlThunkAwareRepatchCall):
                * jit/ThunkGenerators.cpp:
                (JSC::virtualThunkFor):
                (JSC::boundThisNoArgsFunctionCallGenerator):
                * llint/LLIntSlowPaths.cpp:
                (JSC::LLInt::llint_trace_operand):
                (JSC::LLInt::llint_trace_value):
                (JSC::LLInt::handleHostCall):
                (JSC::LLInt::setUpCall):
                * llint/LowLevelInterpreter64.asm:
                * offlineasm/cloop.rb:
                * runtime/InitializeThreading.cpp:
                (JSC::initializeThreading):
                * wasm/WasmBBQPlan.cpp:
                (JSC::Wasm::BBQPlan::complete):
                * wasm/WasmCallee.h:
                (JSC::Wasm::Callee::entrypoint const):
                * wasm/WasmCodeBlock.cpp:
                (JSC::Wasm::CodeBlock::CodeBlock):
                * wasm/WasmOMGPlan.cpp:
                (JSC::Wasm::OMGPlan::work):
                * wasm/js/WasmToJS.cpp:
                (JSC::Wasm::wasmToJS):
                * wasm/js/WebAssemblyFunction.cpp:
                (JSC::callWebAssemblyFunction):
                * wasm/js/WebAssemblyFunction.h:
                * wasm/js/WebAssemblyWrapperFunction.cpp:
                (JSC::WebAssemblyWrapperFunction::create):

        2017-12-01  Mark Lam  <mark.lam@apple.com>

                Let's scramble ClassInfo pointers in cells.
                https://bugs.webkit.org/show_bug.cgi?id=180291
                <rdar://problem/35807620>

                Reviewed by JF Bastien.

                * API/JSCallbackObject.h:
                * API/JSObjectRef.cpp:
                (classInfoPrivate):
                * JavaScriptCore.xcodeproj/project.pbxproj:
                * Sources.txt:
                * assembler/MacroAssemblerCodeRef.cpp:
                (JSC::MacroAssemblerCodePtr::initialize): Deleted.
                * assembler/MacroAssemblerCodeRef.h:
                (JSC::MacroAssemblerCodePtr:: const):
                (JSC::MacroAssemblerCodePtr::hash const):
                * dfg/DFGSpeculativeJIT.cpp:
                (JSC::DFG::SpeculativeJIT::checkArray):
                (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
                (JSC::DFG::SpeculativeJIT::compileNewStringObject):
                * ftl/FTLLowerDFGToB3.cpp:
                (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
                (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
                * jit/AssemblyHelpers.h:
                (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
                * jit/SpecializedThunkJIT.h:
                (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
                * runtime/InitializeThreading.cpp:
                (JSC::initializeThreading):
                * runtime/JSCScrambledPtr.cpp: Added.
                (JSC::initializeScrambledPtrKeys):
                * runtime/JSCScrambledPtr.h: Added.
                * runtime/JSDestructibleObject.h:
                (JSC::JSDestructibleObject::classInfo const):
                * runtime/JSSegmentedVariableObject.h:
                (JSC::JSSegmentedVariableObject::classInfo const):
                * runtime/Structure.h:
                * runtime/VM.h:

        2017-12-07  Mark Lam  <mark.lam@apple.com>

                [Re-landing <a href="http://trac.webkit.org/projects/webkit/changeset/225620">r225620</a>] Refactoring: Rename ScrambledPtr to Poisoned.
                https://bugs.webkit.org/show_bug.cgi?id=180514

                Reviewed by Saam Barati and JF Bastien.

                Re-landing <a href="http://trac.webkit.org/projects/webkit/changeset/225620">r225620</a> with speculative build fix for GCC 7.

                * API/JSCallbackObject.h:
                * API/JSObjectRef.cpp:
                (classInfoPrivate):
                * JavaScriptCore.xcodeproj/project.pbxproj:
                * Sources.txt:
                * assembler/MacroAssemblerCodeRef.h:
                (JSC::FunctionPtr::FunctionPtr):
                (JSC::FunctionPtr::value const):
                (JSC::FunctionPtr::executableAddress const):
                (JSC::ReturnAddressPtr::ReturnAddressPtr):
                (JSC::ReturnAddressPtr::value const):
                (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
                (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
                (JSC::MacroAssemblerCodePtr::poisonedPtr const):
                (JSC::MacroAssemblerCodePtr:: const):
                (JSC::MacroAssemblerCodePtr::operator! const):
                (JSC::MacroAssemblerCodePtr::operator== const):
                (JSC::MacroAssemblerCodePtr::emptyValue):
                (JSC::MacroAssemblerCodePtr::deletedValue):
                (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
                * b3/B3LowerMacros.cpp:
                * b3/testb3.cpp:
                (JSC::B3::testInterpreter):
                * dfg/DFGSpeculativeJIT.cpp:
                (JSC::DFG::SpeculativeJIT::checkArray):
                (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
                (JSC::DFG::SpeculativeJIT::compileNewStringObject):
                (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
                * ftl/FTLLowerDFGToB3.cpp:
                (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
                (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
                * jit/AssemblyHelpers.h:
                (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
                * jit/SpecializedThunkJIT.h:
                (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
                * jit/ThunkGenerators.cpp:
                (JSC::virtualThunkFor):
                (JSC::boundThisNoArgsFunctionCallGenerator):
                * llint/LLIntSlowPaths.cpp:
                (JSC::LLInt::handleHostCall):
                (JSC::LLInt::setUpCall):
                * llint/LowLevelInterpreter64.asm:
                * runtime/InitializeThreading.cpp:
                (JSC::initializeThreading):
                * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
                (JSC::initializePoison):
                (JSC::initializeScrambledPtrKeys): Deleted.
                * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
                * runtime/JSCScrambledPtr.cpp: Removed.
                * runtime/JSCScrambledPtr.h: Removed.
                * runtime/JSDestructibleObject.h:
                (JSC::JSDestructibleObject::classInfo const):
                * runtime/JSSegmentedVariableObject.h:
                (JSC::JSSegmentedVariableObject::classInfo const):
                * runtime/Structure.h:
                * runtime/VM.h:

        2017-12-07  Mark Lam  <mark.lam@apple.com>

                Apply poisoning to some native code pointers.
                https://bugs.webkit.org/show_bug.cgi?id=180541
                <rdar://problem/35916875>

                Reviewed by Filip Pizlo.

                Renamed g_classInfoPoison to g_globalDataPoison.
                Renamed g_masmPoison to g_jitCodePoison.
                Introduced g_nativeCodePoison.
                Applied g_nativeCodePoison to poison some native code pointers.

                Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
                to malloc allocated data structures (where needed).

                * API/JSCallbackFunction.h:
                (JSC::JSCallbackFunction::functionCallback):
                * JavaScriptCore.xcodeproj/project.pbxproj:
                * jit/ThunkGenerators.cpp:
                (JSC::nativeForGenerator):
                * llint/LowLevelInterpreter64.asm:
                * runtime/CustomGetterSetter.h:
                (JSC::CustomGetterSetter::getter const):
                (JSC::CustomGetterSetter::setter const):
                * runtime/InternalFunction.cpp:
                (JSC::InternalFunction::getCallData):
                (JSC::InternalFunction::getConstructData):
                * runtime/InternalFunction.h:
                (JSC::InternalFunction::nativeFunctionFor):
                * runtime/JSCPoison.h: Added.
                * runtime/JSCPoisonedPtr.cpp:
                (JSC::initializePoison):
                * runtime/JSCPoisonedPtr.h:
                * runtime/Lookup.h:
                * runtime/NativeExecutable.cpp:
                (JSC::NativeExecutable::hashFor const):
                * runtime/NativeExecutable.h:
                * runtime/Structure.cpp:
                (JSC::StructureTransitionTable::setSingleTransition):
                * runtime/StructureTransitionTable.h:
                (JSC::StructureTransitionTable::StructureTransitionTable):
                (JSC::StructureTransitionTable::isUsingSingleSlot const):
                (JSC::StructureTransitionTable::map const):
                (JSC::StructureTransitionTable::weakImpl const):
                (JSC::StructureTransitionTable::setMap):

        2017-12-08  Mark Lam  <mark.lam@apple.com>

                Need to unpoison native function pointers for CLoop.
                https://bugs.webkit.org/show_bug.cgi?id=180601
                <rdar://problem/35942028>

                Reviewed by JF Bastien.

                * llint/LowLevelInterpreter64.asm:

        2017-12-13  Mark Lam  <mark.lam@apple.com>

                Fill out some Poisoned APIs, fix some bugs, and add some tests.
                https://bugs.webkit.org/show_bug.cgi?id=180724
                <rdar://problem/36006884>

                Reviewed by JF Bastien.

                * runtime/StructureTransitionTable.h:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari604branchSourceJavaScriptCoreAPIJSCallbackFunctionh">branches/safari-604-branch/Source/JavaScriptCore/API/JSCallbackFunction.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreAPIJSCallbackObjecth">branches/safari-604-branch/Source/JavaScriptCore/API/JSCallbackObject.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreAPIJSObjectRefcpp">branches/safari-604-branch/Source/JavaScriptCore/API/JSObjectRef.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreChangeLog">branches/safari-604-branch/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">branches/safari-604-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreassemblerAbstractMacroAssemblerh">branches/safari-604-branch/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreassemblerCodeLocationh">branches/safari-604-branch/Source/JavaScriptCore/assembler/CodeLocation.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreassemblerLinkBuffercpp">branches/safari-604-branch/Source/JavaScriptCore/assembler/LinkBuffer.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreassemblerLinkBufferh">branches/safari-604-branch/Source/JavaScriptCore/assembler/LinkBuffer.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreassemblerMacroAssemblerCodeRefcpp">branches/safari-604-branch/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreassemblerMacroAssemblerCodeRefh">branches/safari-604-branch/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreb3B3LowerMacroscpp">branches/safari-604-branch/Source/JavaScriptCore/b3/B3LowerMacros.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreb3testb3cpp">branches/safari-604-branch/Source/JavaScriptCore/b3/testb3.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoredfgDFGDisassemblercpp">branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGDisassembler.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoredfgDFGJITCompilercpp">branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoredfgDFGOperationscpp">branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoredfgDFGSpeculativeJITcpp">branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoredfgDFGSpeculativeJITh">branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoredisassemblerDisassemblercpp">branches/safari-604-branch/Source/JavaScriptCore/disassembler/Disassembler.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoredisassemblerUDis86Disassemblercpp">branches/safari-604-branch/Source/JavaScriptCore/disassembler/UDis86Disassembler.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreftlFTLCompilecpp">branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLCompile.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreftlFTLJITCodecpp">branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLJITCode.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreftlFTLLinkcpp">branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLLink.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreinterpreterInterpreterInlinesh">branches/safari-604-branch/Source/JavaScriptCore/interpreter/InterpreterInlines.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorejitAssemblyHelpersh">branches/safari-604-branch/Source/JavaScriptCore/jit/AssemblyHelpers.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorejitJITArithmeticcpp">branches/safari-604-branch/Source/JavaScriptCore/jit/JITArithmetic.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorejitJITCodecpp">branches/safari-604-branch/Source/JavaScriptCore/jit/JITCode.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorejitJITDisassemblercpp">branches/safari-604-branch/Source/JavaScriptCore/jit/JITDisassembler.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorejitPCToCodeOriginMapcpp">branches/safari-604-branch/Source/JavaScriptCore/jit/PCToCodeOriginMap.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorejitRepatchcpp">branches/safari-604-branch/Source/JavaScriptCore/jit/Repatch.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorejitSpecializedThunkJITh">branches/safari-604-branch/Source/JavaScriptCore/jit/SpecializedThunkJIT.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorejitThunkGeneratorscpp">branches/safari-604-branch/Source/JavaScriptCore/jit/ThunkGenerators.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorellintLLIntSlowPathscpp">branches/safari-604-branch/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorellintLowLevelInterpreter64asm">branches/safari-604-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreofflineasmastrb">branches/safari-604-branch/Source/JavaScriptCore/offlineasm/ast.rb</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreofflineasmclooprb">branches/safari-604-branch/Source/JavaScriptCore/offlineasm/cloop.rb</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreofflineasmparserrb">branches/safari-604-branch/Source/JavaScriptCore/offlineasm/parser.rb</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreofflineasmtransformrb">branches/safari-604-branch/Source/JavaScriptCore/offlineasm/transform.rb</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreofflineasmx86rb">branches/safari-604-branch/Source/JavaScriptCore/offlineasm/x86.rb</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeCustomGetterSetterh">branches/safari-604-branch/Source/JavaScriptCore/runtime/CustomGetterSetter.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeInitializeThreadingcpp">branches/safari-604-branch/Source/JavaScriptCore/runtime/InitializeThreading.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeJSDestructibleObjecth">branches/safari-604-branch/Source/JavaScriptCore/runtime/JSDestructibleObject.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeJSSegmentedVariableObjecth">branches/safari-604-branch/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeNativeExecutablecpp">branches/safari-604-branch/Source/JavaScriptCore/runtime/NativeExecutable.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeNativeExecutableh">branches/safari-604-branch/Source/JavaScriptCore/runtime/NativeExecutable.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeStructurecpp">branches/safari-604-branch/Source/JavaScriptCore/runtime/Structure.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeStructureh">branches/safari-604-branch/Source/JavaScriptCore/runtime/Structure.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeStructureTransitionTableh">branches/safari-604-branch/Source/JavaScriptCore/runtime/StructureTransitionTable.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeVMh">branches/safari-604-branch/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorewasmWasmBBQPlancpp">branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorewasmWasmCalleeh">branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmCallee.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorewasmWasmCodeBlockcpp">branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmCodeBlock.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorewasmWasmOMGPlancpp">branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmOMGPlan.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorewasmjsWebAssemblyFunctioncpp">branches/safari-604-branch/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCorewasmjsWebAssemblyFunctionh">branches/safari-604-branch/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h</a></li>
<li><a href="#branchessafari604branchSourceWTFChangeLog">branches/safari-604-branch/Source/WTF/ChangeLog</a></li>
<li><a href="#branchessafari604branchSourceWTFWTFxcodeprojprojectpbxproj">branches/safari-604-branch/Source/WTF/WTF.xcodeproj/project.pbxproj</a></li>
<li><a href="#branchessafari604branchSourceWTFwtfCMakeListstxt">branches/safari-604-branch/Source/WTF/wtf/CMakeLists.txt</a></li>
<li><a href="#branchessafari604branchToolsChangeLog">branches/safari-604-branch/Tools/ChangeLog</a></li>
<li><a href="#branchessafari604branchToolsTestWebKitAPICMakeListstxt">branches/safari-604-branch/Tools/TestWebKitAPI/CMakeLists.txt</a></li>
<li><a href="#branchessafari604branchToolsTestWebKitAPITestWebKitAPIxcodeprojprojectpbxproj">branches/safari-604-branch/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeJSCPoisonh">branches/safari-604-branch/Source/JavaScriptCore/runtime/JSCPoison.h</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeJSCPoisonedPtrcpp">branches/safari-604-branch/Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp</a></li>
<li><a href="#branchessafari604branchSourceJavaScriptCoreruntimeJSCPoisonedPtrh">branches/safari-604-branch/Source/JavaScriptCore/runtime/JSCPoisonedPtr.h</a></li>
<li><a href="#branchessafari604branchSourceWTFwtfPoisonedcpp">branches/safari-604-branch/Source/WTF/wtf/Poisoned.cpp</a></li>
<li><a href="#branchessafari604branchSourceWTFwtfPoisonedh">branches/safari-604-branch/Source/WTF/wtf/Poisoned.h</a></li>
<li><a href="#branchessafari604branchToolsTestWebKitAPITestsWTFConstExprPoisonedcpp">branches/safari-604-branch/Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp</a></li>
<li><a href="#branchessafari604branchToolsTestWebKitAPITestsWTFPoisonedcpp">branches/safari-604-branch/Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari604branchSourceJavaScriptCoreAPIJSCallbackFunctionh"></a>
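--- a/branches/safari-604-branch/Source/JavaScriptCore/API/JSCallbackFunction.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/API/JSCallbackFunction.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -53,9 +53,9 @@
 
     static CallType getCallData(JSCell*, CallData&);
 
-    JSObjectCallAsFunctionCallback functionCallback() { return m_callback; }
+    JSObjectCallAsFunctionCallback functionCallback() { return m_callback.unpoisoned(); }
 
-    JSObjectCallAsFunctionCallback m_callback;
+    Poisoned<g_nativeCodePoison, JSObjectCallAsFunctionCallback> m_callback;
 };
 
 } // namespace JSC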
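Review bot: `Poisoned<g_nativeCodePoison, JSObjectCallAsFunctionCallback> m_callback;` in the second hunk introduces the names `Poisoned` and `g_nativeCodePoison` into this header without an accompanying include, whereas the JSCallbackObject.h section of this commit does add `#include "JSCPoisonedPtr.h"`. If this header only receives those names transitively (for example through a base-class header changed elsewhere in the commit), an explicit `#include "JSCPoisonedPtr.h"` in the include list, which lies outside this hunk, would keep the header self-contained. The member also deserves a one-line comment so readers know it is no longer a raw function pointer, e.g. `// Stored poisoned with g_nativeCodePoison; obtain the callable pointer only via functionCallback().`. The enclosing class JSCallbackFunction starts outside the hunk.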
<a id="branchessafari604branchSourceJavaScriptCoreAPIJSCallbackObjecth"></a>
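--- a/branches/safari-604-branch/Source/JavaScriptCore/API/JSCallbackObject.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/API/JSCallbackObject.h
@@ -27,6 +27,7 @@
 #ifndef JSCallbackObject_h
 #define JSCallbackObject_h
 
+#include "JSCPoisonedPtr.h"
 #include "JSObjectRef.h"
 #include "JSValueRef.h"
 #include "JSObject.h"
@@ -232,7 +233,7 @@
     static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
 
     std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
-    const ClassInfo* m_classInfo;
+    PoisonedClassInfoPtr m_classInfo;
 };
 
 } // namespace JSC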
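Review bot: `PoisonedClassInfoPtr m_classInfo;` in the second hunk changes the member's type, but no code that reads the member is visible in this section, so every consumer (the class's own classInfo accessor and anything that compared or copied the raw `const ClassInfo*`) must now go through `.unpoisoned()` or compare poisoned values; the JSObjectRef.cpp section shows that pattern for the VM's copy, and the accessors in this class should be confirmed to match. A short comment on the member would make the new contract explicit, e.g. `// Poisoned (see JSCPoisonedPtr.h); never reinterpret as const ClassInfo*, read through unpoisoned().`. The enclosing class JSCallbackObject starts outside the hunk.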
<a id="branchessafari604branchSourceJavaScriptCoreAPIJSObjectRefcpp"></a>
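--- a/branches/safari-604-branch/Source/JavaScriptCore/API/JSObjectRef.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/API/JSObjectRef.cpp
@@ -392,7 +392,7 @@
     if (vm.currentlyDestructingCallbackObject != jsObject)
         return jsObject->classInfo(vm);
 
-    return vm.currentlyDestructingCallbackObjectClassInfo;
+    return vm.currentlyDestructingCallbackObjectClassInfo.unpoisoned();
 }
 
 void* JSObjectGetPrivate(JSObjectRef object)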
<a id="branchessafari604branchSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-604-branch/Source/JavaScriptCore/ChangeLog (226132 => 226133)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-604-branch/Source/JavaScriptCore/ChangeLog       2017-12-19 19:34:02 UTC (rev 226132)
+++ branches/safari-604-branch/Source/JavaScriptCore/ChangeLog  2017-12-19 19:34:17 UTC (rev 226133)
</span><span class="lines">@@ -1,3 +1,821 @@
</span><ins>+2017-12-19  Jason Marcell  <jmarcell@apple.com>
+
+        Apply patch. rdar://problem/36111993
+
+    Cherry-pick r225363, r225437, r225632, r225659, r225697, r225857. rdar://problem/36085975
+    
+        Also merged offlineasm parts of r220184 and r222549.  These changes are required
+        to support the code in cherry-picked revisions above.
+    
+    2017-11-30  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble MacroAssemblerCodePtr values.
+            https://bugs.webkit.org/show_bug.cgi?id=180169
+            <rdar://problem/35758340>
+    
+            Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
+    
+            1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
+    
+            2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
+               template argument type that will be used to cast the result.  This makes the
+               client code that uses these functions a little less verbose.
+    
+            3. Change the code base in general to minimize passing void* code pointers around.
+               We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
+               at the last moment when we need the underlying code pointer.
+    
+            4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
+               default.  I'm leaving them in because they are instrumental in finding bugs
+               where not all MacroAssemblerCodePtr values were not scrambled as expected.
+               I expect them to be useful in the near future as we add more scrambling.
+    
+            5. Also disable the casting operator on MacroAssemblerCodePtr (except for
+               explicit casts to a boolean).  This ensures that clients will always explicitly
+               use scrambledBits() or executableAddress() to get a value based on which value
+               they actually need.
+    
+            5. Added currentThread() id to the logging in LLIntSlowPath trace functions.
+               This was helpful when debugging tests that ran multiple VMs concurrently on
+               different threads.
+    
+            MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
+            CLoop).  It is not yet supported in 32-bit and Windows because we don't
+            currently have a way to read a global variable from their LLInt code.
+    
+            * assembler/AbstractMacroAssembler.h:
+            (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
+            (JSC::AbstractMacroAssembler::linkPointer):
+            * assembler/CodeLocation.h:
+            (JSC::CodeLocationCommon::instructionAtOffset):
+            (JSC::CodeLocationCommon::labelAtOffset):
+            (JSC::CodeLocationCommon::jumpAtOffset):
+            (JSC::CodeLocationCommon::callAtOffset):
+            (JSC::CodeLocationCommon::nearCallAtOffset):
+            (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
+            (JSC::CodeLocationCommon::dataLabel32AtOffset):
+            (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
+            (JSC::CodeLocationCommon::convertibleLoadAtOffset):
+            * assembler/LinkBuffer.cpp:
+            (JSC::LinkBuffer::finalizeCodeWithDisassembly):
+            * assembler/LinkBuffer.h:
+            (JSC::LinkBuffer::link):
+            (JSC::LinkBuffer::patch):
+            * assembler/MacroAssemblerCodeRef.cpp:
+            (JSC::MacroAssemblerCodePtr::initialize):
+            * assembler/MacroAssemblerCodeRef.h:
+            (JSC::FunctionPtr::FunctionPtr):
+            (JSC::FunctionPtr::value const):
+            (JSC::FunctionPtr::executableAddress const):
+            (JSC::ReturnAddressPtr::ReturnAddressPtr):
+            (JSC::ReturnAddressPtr::value const):
+            (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+            (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+            (JSC::MacroAssemblerCodePtr::scrambledPtr const):
+            (JSC::MacroAssemblerCodePtr:: const):
+            (JSC::MacroAssemblerCodePtr::operator! const):
+            (JSC::MacroAssemblerCodePtr::operator bool const):
+            (JSC::MacroAssemblerCodePtr::operator== const):
+            (JSC::MacroAssemblerCodePtr::hash const):
+            (JSC::MacroAssemblerCodePtr::emptyValue):
+            (JSC::MacroAssemblerCodePtr::deletedValue):
+            (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
+            (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
+            * b3/B3LowerMacros.cpp:
+            * b3/testb3.cpp:
+            (JSC::B3::testInterpreter):
+            * dfg/DFGDisassembler.cpp:
+            (JSC::DFG::Disassembler::dumpDisassembly):
+            * dfg/DFGJITCompiler.cpp:
+            (JSC::DFG::JITCompiler::link):
+            (JSC::DFG::JITCompiler::compileFunction):
+            * dfg/DFGOperations.cpp:
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+            (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+            (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
+            (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+            * dfg/DFGSpeculativeJIT.h:
+            * disassembler/Disassembler.cpp:
+            (JSC::disassemble):
+            * disassembler/UDis86Disassembler.cpp:
+            (JSC::tryToDisassembleWithUDis86):
+            * ftl/FTLCompile.cpp:
+            (JSC::FTL::compile):
+            * ftl/FTLJITCode.cpp:
+            (JSC::FTL::JITCode::executableAddressAtOffset):
+            * ftl/FTLLink.cpp:
+            (JSC::FTL::link):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
+            (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+            * interpreter/InterpreterInlines.h:
+            (JSC::Interpreter::getOpcodeID):
+            * jit/JITArithmetic.cpp:
+            (JSC::JIT::emitMathICFast):
+            (JSC::JIT::emitMathICSlow):
+            * jit/JITCode.cpp:
+            (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
+            (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
+            (JSC::JITCodeWithCodeRef::offsetOf):
+            * jit/JITDisassembler.cpp:
+            (JSC::JITDisassembler::dumpDisassembly):
+            * jit/PCToCodeOriginMap.cpp:
+            (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
+            * jit/Repatch.cpp:
+            (JSC::ftlThunkAwareRepatchCall):
+            * jit/ThunkGenerators.cpp:
+            (JSC::virtualThunkFor):
+            (JSC::boundThisNoArgsFunctionCallGenerator):
+            * llint/LLIntSlowPaths.cpp:
+            (JSC::LLInt::llint_trace_operand):
+            (JSC::LLInt::llint_trace_value):
+            (JSC::LLInt::handleHostCall):
+            (JSC::LLInt::setUpCall):
+            * llint/LowLevelInterpreter64.asm:
+            * offlineasm/cloop.rb:
+            * runtime/InitializeThreading.cpp:
+            (JSC::initializeThreading):
+            * wasm/WasmBBQPlan.cpp:
+            (JSC::Wasm::BBQPlan::complete):
+            * wasm/WasmCallee.h:
+            (JSC::Wasm::Callee::entrypoint const):
+            * wasm/WasmCodeBlock.cpp:
+            (JSC::Wasm::CodeBlock::CodeBlock):
+            * wasm/WasmOMGPlan.cpp:
+            (JSC::Wasm::OMGPlan::work):
+            * wasm/js/WasmToJS.cpp:
+            (JSC::Wasm::wasmToJS):
+            * wasm/js/WebAssemblyFunction.cpp:
+            (JSC::callWebAssemblyFunction):
+            * wasm/js/WebAssemblyFunction.h:
+            * wasm/js/WebAssemblyWrapperFunction.cpp:
+            (JSC::WebAssemblyWrapperFunction::create):
+    
+    2017-12-01  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble ClassInfo pointers in cells.
+            https://bugs.webkit.org/show_bug.cgi?id=180291
+            <rdar://problem/35807620>
+    
+            Reviewed by JF Bastien.
+    
+            * API/JSCallbackObject.h:
+            * API/JSObjectRef.cpp:
+            (classInfoPrivate):
+            * JavaScriptCore.xcodeproj/project.pbxproj:
+            * Sources.txt:
+            * assembler/MacroAssemblerCodeRef.cpp:
+            (JSC::MacroAssemblerCodePtr::initialize): Deleted.
+            * assembler/MacroAssemblerCodeRef.h:
+            (JSC::MacroAssemblerCodePtr:: const):
+            (JSC::MacroAssemblerCodePtr::hash const):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::checkArray):
+            (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+            (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+            * jit/AssemblyHelpers.h:
+            (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+            * jit/SpecializedThunkJIT.h:
+            (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+            * runtime/InitializeThreading.cpp:
+            (JSC::initializeThreading):
+            * runtime/JSCScrambledPtr.cpp: Added.
+            (JSC::initializeScrambledPtrKeys):
+            * runtime/JSCScrambledPtr.h: Added.
+            * runtime/JSDestructibleObject.h:
+            (JSC::JSDestructibleObject::classInfo const):
+            * runtime/JSSegmentedVariableObject.h:
+            (JSC::JSSegmentedVariableObject::classInfo const):
+            * runtime/Structure.h:
+            * runtime/VM.h:
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
+            https://bugs.webkit.org/show_bug.cgi?id=180514
+    
+            Reviewed by Saam Barati and JF Bastien.
+    
+            Re-landing r225620 with speculative build fix for GCC 7.
+    
+            * API/JSCallbackObject.h:
+            * API/JSObjectRef.cpp:
+            (classInfoPrivate):
+            * JavaScriptCore.xcodeproj/project.pbxproj:
+            * Sources.txt:
+            * assembler/MacroAssemblerCodeRef.h:
+            (JSC::FunctionPtr::FunctionPtr):
+            (JSC::FunctionPtr::value const):
+            (JSC::FunctionPtr::executableAddress const):
+            (JSC::ReturnAddressPtr::ReturnAddressPtr):
+            (JSC::ReturnAddressPtr::value const):
+            (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+            (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+            (JSC::MacroAssemblerCodePtr::poisonedPtr const):
+            (JSC::MacroAssemblerCodePtr:: const):
+            (JSC::MacroAssemblerCodePtr::operator! const):
+            (JSC::MacroAssemblerCodePtr::operator== const):
+            (JSC::MacroAssemblerCodePtr::emptyValue):
+            (JSC::MacroAssemblerCodePtr::deletedValue):
+            (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
+            * b3/B3LowerMacros.cpp:
+            * b3/testb3.cpp:
+            (JSC::B3::testInterpreter):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::checkArray):
+            (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+            (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+            (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+            * jit/AssemblyHelpers.h:
+            (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+            * jit/SpecializedThunkJIT.h:
+            (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+            * jit/ThunkGenerators.cpp:
+            (JSC::virtualThunkFor):
+            (JSC::boundThisNoArgsFunctionCallGenerator):
+            * llint/LLIntSlowPaths.cpp:
+            (JSC::LLInt::handleHostCall):
+            (JSC::LLInt::setUpCall):
+            * llint/LowLevelInterpreter64.asm:
+            * runtime/InitializeThreading.cpp:
+            (JSC::initializeThreading):
+            * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
+            (JSC::initializePoison):
+            (JSC::initializeScrambledPtrKeys): Deleted.
+            * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
+            * runtime/JSCScrambledPtr.cpp: Removed.
+            * runtime/JSCScrambledPtr.h: Removed.
+            * runtime/JSDestructibleObject.h:
+            (JSC::JSDestructibleObject::classInfo const):
+            * runtime/JSSegmentedVariableObject.h:
+            (JSC::JSSegmentedVariableObject::classInfo const):
+            * runtime/Structure.h:
+            * runtime/VM.h:
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            Apply poisoning to some native code pointers.
+            https://bugs.webkit.org/show_bug.cgi?id=180541
+            <rdar://problem/35916875>
+    
+            Reviewed by Filip Pizlo.
+    
+            Renamed g_classInfoPoison to g_globalDataPoison.
+            Renamed g_masmPoison to g_jitCodePoison.
+            Introduced g_nativeCodePoison.
+            Applied g_nativeCodePoison to poisoning some native code pointers.
+    
+            Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
+            to malloc allocated data structures (where needed).
+    
+            * API/JSCallbackFunction.h:
+            (JSC::JSCallbackFunction::functionCallback):
+            * JavaScriptCore.xcodeproj/project.pbxproj:
+            * jit/ThunkGenerators.cpp:
+            (JSC::nativeForGenerator):
+            * llint/LowLevelInterpreter64.asm:
+            * runtime/CustomGetterSetter.h:
+            (JSC::CustomGetterSetter::getter const):
+            (JSC::CustomGetterSetter::setter const):
+            * runtime/InternalFunction.cpp:
+            (JSC::InternalFunction::getCallData):
+            (JSC::InternalFunction::getConstructData):
+            * runtime/InternalFunction.h:
+            (JSC::InternalFunction::nativeFunctionFor):
+            * runtime/JSCPoison.h: Added.
+            * runtime/JSCPoisonedPtr.cpp:
+            (JSC::initializePoison):
+            * runtime/JSCPoisonedPtr.h:
+            * runtime/Lookup.h:
+            * runtime/NativeExecutable.cpp:
+            (JSC::NativeExecutable::hashFor const):
+            * runtime/NativeExecutable.h:
+            * runtime/Structure.cpp:
+            (JSC::StructureTransitionTable::setSingleTransition):
+            * runtime/StructureTransitionTable.h:
+            (JSC::StructureTransitionTable::StructureTransitionTable):
+            (JSC::StructureTransitionTable::isUsingSingleSlot const):
+            (JSC::StructureTransitionTable::map const):
+            (JSC::StructureTransitionTable::weakImpl const):
+            (JSC::StructureTransitionTable::setMap):
+    
+    2017-12-08  Mark Lam  <mark.lam@apple.com>
+    
+            Need to unpoison native function pointers for CLoop.
+            https://bugs.webkit.org/show_bug.cgi?id=180601
+            <rdar://problem/35942028>
+    
+            Reviewed by JF Bastien.
+    
+            * llint/LowLevelInterpreter64.asm:
+    
+    2017-12-13  Mark Lam  <mark.lam@apple.com>
+    
+            Fill out some Poisoned APIs, fix some bugs, and add some tests.
+            https://bugs.webkit.org/show_bug.cgi?id=180724
+            <rdar://problem/36006884>
+    
+            Reviewed by JF Bastien.
+    
+            * runtime/StructureTransitionTable.h:
+    
+    2017-12-18  Jason Marcell  <jmarcell@apple.com>
+    
+        Apply patch. rdar://problem/36113365
+    
+        Cherry-pick r225363, r225437, r225632, r225659, r225697, r225857. rdar://problem/36085975
+    
+    2017-11-30  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble MacroAssemblerCodePtr values.
+            https://bugs.webkit.org/show_bug.cgi?id=180169
+            <rdar://problem/35758340>
+    
+            Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
+    
+            Introduce a ScrambledPtr class to facilitate scrambling.
+    
+            * WTF.xcodeproj/project.pbxproj:
+            * wtf/CMakeLists.txt:
+            * wtf/ScrambledPtr.cpp: Added.
+            (WTF::makeScrambledPtrKey):
+            * wtf/ScrambledPtr.h: Added.
+            (WTF::ScrambledPtr::ScrambledPtr):
+            (WTF::ScrambledPtr::paranoidAssertIsScrambled const):
+            (WTF::ScrambledPtr::paranoidAssertIsNotScrambled const):
+            (WTF::ScrambledPtr:: const):
+            (WTF::ScrambledPtr::operator-> const):
+            (WTF::ScrambledPtr::scrambledBits const):
+            (WTF::ScrambledPtr::operator! const):
+            (WTF::ScrambledPtr::operator bool const):
+            (WTF::ScrambledPtr::operator== const):
+            (WTF::ScrambledPtr::operator==):
+            (WTF::ScrambledPtr::scramble):
+            (WTF::ScrambledPtr::descramble):
+    
+    2017-12-01  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble ClassInfo pointers in cells.
+            https://bugs.webkit.org/show_bug.cgi?id=180291
+            <rdar://problem/35807620>
+    
+            Reviewed by JF Bastien.
+    
+            * wtf/ScrambledPtr.h:
+            (WTF::ScrambledPtr::descrambled const):
+            (WTF::ScrambledPtr::bits const):
+            (WTF::ScrambledPtr::operator==):
+            (WTF::ScrambledPtr::operator=):
+            (WTF::ScrambledPtr::scramble):
+            (WTF::ScrambledPtr::descramble):
+            (WTF::ScrambledPtr:: const): Deleted.
+            (WTF::ScrambledPtr::scrambledBits const): Deleted.
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
+            https://bugs.webkit.org/show_bug.cgi?id=180514
+    
+            Reviewed by Saam Barati and JF Bastien.
+    
+            Re-landing r225620 with speculative build fix for GCC 7.
+    
+            * WTF.xcodeproj/project.pbxproj:
+            * wtf/CMakeLists.txt:
+            * wtf/Poisoned.cpp: Copied from Source/WTF/wtf/ScrambledPtr.cpp.
+            (WTF::makePoison):
+            (WTF::makeScrambledPtrKey): Deleted.
+            * wtf/Poisoned.h: Copied from Source/WTF/wtf/ScrambledPtr.h.
+            (WTF::PoisonedImpl::PoisonedImpl):
+            (WTF::PoisonedImpl::assertIsPoisoned const):
+            (WTF::PoisonedImpl::assertIsNotPoisoned const):
+            (WTF::PoisonedImpl::unpoisoned const):
+            (WTF::PoisonedImpl::operator-> const):
+            (WTF::PoisonedImpl::bits const):
+            (WTF::PoisonedImpl::operator! const):
+            (WTF::PoisonedImpl::operator bool const):
+            (WTF::PoisonedImpl::operator== const):
+            (WTF::PoisonedImpl::operator==):
+            (WTF::PoisonedImpl::operator=):
+            (WTF::PoisonedImpl::poison):
+            (WTF::PoisonedImpl::unpoison):
+            (WTF::ScrambledPtr::ScrambledPtr): Deleted.
+            (WTF::ScrambledPtr::assertIsScrambled const): Deleted.
+            (WTF::ScrambledPtr::assertIsNotScrambled const): Deleted.
+            (WTF::ScrambledPtr::descrambled const): Deleted.
+            (WTF::ScrambledPtr::operator-> const): Deleted.
+            (WTF::ScrambledPtr::bits const): Deleted.
+            (WTF::ScrambledPtr::operator! const): Deleted.
+            (WTF::ScrambledPtr::operator bool const): Deleted.
+            (WTF::ScrambledPtr::operator== const): Deleted.
+            (WTF::ScrambledPtr::operator==): Deleted.
+            (WTF::ScrambledPtr::operator=): Deleted.
+            (WTF::ScrambledPtr::scramble): Deleted.
+            (WTF::ScrambledPtr::descramble): Deleted.
+            * wtf/ScrambledPtr.cpp: Removed.
+            * wtf/ScrambledPtr.h: Removed.
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            Apply poisoning to some native code pointers.
+            https://bugs.webkit.org/show_bug.cgi?id=180541
+            <rdar://problem/35916875>
+    
+            Reviewed by Filip Pizlo.
+    
+            Ensure that the resultant poisoned bits still looks like a pointer in that its
+            bottom bits are 0, just like the alignment bits of a pointer.  This allows the
+            client to use the bottom bits of the poisoned bits as flag bits just like the
+            client was previously able to do with pointer values.
+    
+            Note: we only ensure that the bottom alignment bits of the generated poison
+            value is 0.  We're not masking out the poisoned bits.  This means that the bottom
+            bits of the poisoned bits will only be null if the original pointer is aligned.
+            Hence, if the client applies the poison to an unaligned pointer, we do not lose
+            any information on the low bits.
+    
+            Also removed 2 wrong assertions in PoisonedImpl's constructors.  We were
+            asserting that Poisoned will never be used with a null value, but that's invalid.
+            We do want to allow a null value so that we don't have to constantly do null
+            checks in the clients.  This was uncovered by some layout tests.
+    
+            * wtf/Poisoned.cpp:
+            (WTF::makePoison):
+            * wtf/Poisoned.h:
+            (WTF::PoisonedImpl::PoisonedImpl):
+    
+    2017-12-13  Mark Lam  <mark.lam@apple.com>
+    
+            Fill out some Poisoned APIs, fix some bugs, and add some tests.
+            https://bugs.webkit.org/show_bug.cgi?id=180724
+            <rdar://problem/36006884>
+    
+            Reviewed by JF Bastien.
+    
+            Also rename Int32Poisoned to ConstExprPoisoned.  The key it takes is actually a
+            uint32_t.  So, Int32 is really a misnomer.  In addition, the key needs to be a
+            constexpr.  So, ConstExprPoisoned is a better name for it.
+    
+            * wtf/Poisoned.cpp:
+            (WTF::makePoison):
+            * wtf/Poisoned.h:
+            (WTF::PoisonedImplHelper::asReference):
+            (WTF::PoisonedImpl::PoisonedImpl):
+            (WTF::PoisonedImpl::clear):
+            (WTF::PoisonedImpl::operator* const):
+            (WTF::PoisonedImpl::operator-> const):
+            (WTF::PoisonedImpl::operator== const):
+            (WTF::PoisonedImpl::operator!= const):
+            (WTF::PoisonedImpl::operator< const):
+            (WTF::PoisonedImpl::operator<= const):
+            (WTF::PoisonedImpl::operator> const):
+            (WTF::PoisonedImpl::operator>= const):
+            (WTF::PoisonedImpl::operator=):
+            (WTF::PoisonedImpl::swap):
+            (WTF::PoisonedImpl::exchange):
+            (WTF::swap):
+            (WTF::makePoison):
+            (WTF::PoisonedImpl::operator==): Deleted.
+
+    2017-12-18  Mark Lam  <mark.lam@apple.com>
+
+            Cherry-pick r225363, r225437, r225632, r225659, r225697, r225857. rdar://problem/36085975
+
+            Also merged offlineasm parts of r220184 and r222549.  These changes are required
+            to support the code in cherry-picked revisions above.
+
+        2017-11-30  Mark Lam  <mark.lam@apple.com>
+
+                Let's scramble MacroAssemblerCodePtr values.
+                https://bugs.webkit.org/show_bug.cgi?id=180169
+                <rdar://problem/35758340>
+
+                Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
+
+                1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
+
+                2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
+                   template argument type that will be used to cast the result.  This makes the
+                   client code that uses these functions a little less verbose.
+
+                3. Change the code base in general to minimize passing void* code pointers around.
+                   We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
+                   at the last moment when we need the underlying code pointer.
+
+                4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
+                   default.  I'm leaving them in because they are instrumental in finding bugs
+                   where not all MacroAssemblerCodePtr values were not scrambled as expected.
+                   I expect them to be useful in the near future as we add more scrambling.
+
+                5. Also disable the casting operator on MacroAssemblerCodePtr (except for
+                   explicit casts to a boolean).  This ensures that clients will always explicitly
+                   use scrambledBits() or executableAddress() to get a value based on which value
+                   they actually need.
+
+                5. Added currentThread() id to the logging in LLIntSlowPath trace functions.
+                   This was helpful when debugging tests that ran multiple VMs concurrently on
+                   different threads.
+
+                MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
+                CLoop).  It is not yet supported in 32-bit and Windows because we don't
+                currently have a way to read a global variable from their LLInt code.
+
+                * assembler/AbstractMacroAssembler.h:
+                (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
+                (JSC::AbstractMacroAssembler::linkPointer):
+                * assembler/CodeLocation.h:
+                (JSC::CodeLocationCommon::instructionAtOffset):
+                (JSC::CodeLocationCommon::labelAtOffset):
+                (JSC::CodeLocationCommon::jumpAtOffset):
+                (JSC::CodeLocationCommon::callAtOffset):
+                (JSC::CodeLocationCommon::nearCallAtOffset):
+                (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
+                (JSC::CodeLocationCommon::dataLabel32AtOffset):
+                (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
+                (JSC::CodeLocationCommon::convertibleLoadAtOffset):
+                * assembler/LinkBuffer.cpp:
+                (JSC::LinkBuffer::finalizeCodeWithDisassembly):
+                * assembler/LinkBuffer.h:
+                (JSC::LinkBuffer::link):
+                (JSC::LinkBuffer::patch):
+                * assembler/MacroAssemblerCodeRef.cpp:
+                (JSC::MacroAssemblerCodePtr::initialize):
+                * assembler/MacroAssemblerCodeRef.h:
+                (JSC::FunctionPtr::FunctionPtr):
+                (JSC::FunctionPtr::value const):
+                (JSC::FunctionPtr::executableAddress const):
+                (JSC::ReturnAddressPtr::ReturnAddressPtr):
+                (JSC::ReturnAddressPtr::value const):
+                (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+                (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+                (JSC::MacroAssemblerCodePtr::scrambledPtr const):
+                (JSC::MacroAssemblerCodePtr:: const):
+                (JSC::MacroAssemblerCodePtr::operator! const):
+                (JSC::MacroAssemblerCodePtr::operator bool const):
+                (JSC::MacroAssemblerCodePtr::operator== const):
+                (JSC::MacroAssemblerCodePtr::hash const):
+                (JSC::MacroAssemblerCodePtr::emptyValue):
+                (JSC::MacroAssemblerCodePtr::deletedValue):
+                (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
+                (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
+                * b3/B3LowerMacros.cpp:
+                * b3/testb3.cpp:
+                (JSC::B3::testInterpreter):
+                * dfg/DFGDisassembler.cpp:
+                (JSC::DFG::Disassembler::dumpDisassembly):
+                * dfg/DFGJITCompiler.cpp:
+                (JSC::DFG::JITCompiler::link):
+                (JSC::DFG::JITCompiler::compileFunction):
+                * dfg/DFGOperations.cpp:
+                * dfg/DFGSpeculativeJIT.cpp:
+                (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+                (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+                (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
+                (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+                * dfg/DFGSpeculativeJIT.h:
+                * disassembler/Disassembler.cpp:
+                (JSC::disassemble):
+                * disassembler/UDis86Disassembler.cpp:
+                (JSC::tryToDisassembleWithUDis86):
+                * ftl/FTLCompile.cpp:
+                (JSC::FTL::compile):
+                * ftl/FTLJITCode.cpp:
+                (JSC::FTL::JITCode::executableAddressAtOffset):
+                * ftl/FTLLink.cpp:
+                (JSC::FTL::link):
+                * ftl/FTLLowerDFGToB3.cpp:
+                (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
+                (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
+                (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+                (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+                (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+                * interpreter/InterpreterInlines.h:
+                (JSC::Interpreter::getOpcodeID):
+                * jit/JITArithmetic.cpp:
+                (JSC::JIT::emitMathICFast):
+                (JSC::JIT::emitMathICSlow):
+                * jit/JITCode.cpp:
+                (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
+                (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
+                (JSC::JITCodeWithCodeRef::offsetOf):
+                * jit/JITDisassembler.cpp:
+                (JSC::JITDisassembler::dumpDisassembly):
+                * jit/PCToCodeOriginMap.cpp:
+                (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
+                * jit/Repatch.cpp:
+                (JSC::ftlThunkAwareRepatchCall):
+                * jit/ThunkGenerators.cpp:
+                (JSC::virtualThunkFor):
+                (JSC::boundThisNoArgsFunctionCallGenerator):
+                * llint/LLIntSlowPaths.cpp:
+                (JSC::LLInt::llint_trace_operand):
+                (JSC::LLInt::llint_trace_value):
+                (JSC::LLInt::handleHostCall):
+                (JSC::LLInt::setUpCall):
+                * llint/LowLevelInterpreter64.asm:
+                * offlineasm/cloop.rb:
+                * runtime/InitializeThreading.cpp:
+                (JSC::initializeThreading):
+                * wasm/WasmBBQPlan.cpp:
+                (JSC::Wasm::BBQPlan::complete):
+                * wasm/WasmCallee.h:
+                (JSC::Wasm::Callee::entrypoint const):
+                * wasm/WasmCodeBlock.cpp:
+                (JSC::Wasm::CodeBlock::CodeBlock):
+                * wasm/WasmOMGPlan.cpp:
+                (JSC::Wasm::OMGPlan::work):
+                * wasm/js/WasmToJS.cpp:
+                (JSC::Wasm::wasmToJS):
+                * wasm/js/WebAssemblyFunction.cpp:
+                (JSC::callWebAssemblyFunction):
+                * wasm/js/WebAssemblyFunction.h:
+                * wasm/js/WebAssemblyWrapperFunction.cpp:
+                (JSC::WebAssemblyWrapperFunction::create):
+
+        2017-12-01  Mark Lam  <mark.lam@apple.com>
+
+                Let's scramble ClassInfo pointers in cells.
+                https://bugs.webkit.org/show_bug.cgi?id=180291
+                <rdar://problem/35807620>
+
+                Reviewed by JF Bastien.
+
+                * API/JSCallbackObject.h:
+                * API/JSObjectRef.cpp:
+                (classInfoPrivate):
+                * JavaScriptCore.xcodeproj/project.pbxproj:
+                * Sources.txt:
+                * assembler/MacroAssemblerCodeRef.cpp:
+                (JSC::MacroAssemblerCodePtr::initialize): Deleted.
+                * assembler/MacroAssemblerCodeRef.h:
+                (JSC::MacroAssemblerCodePtr:: const):
+                (JSC::MacroAssemblerCodePtr::hash const):
+                * dfg/DFGSpeculativeJIT.cpp:
+                (JSC::DFG::SpeculativeJIT::checkArray):
+                (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+                (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+                * ftl/FTLLowerDFGToB3.cpp:
+                (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+                (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+                * jit/AssemblyHelpers.h:
+                (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+                * jit/SpecializedThunkJIT.h:
+                (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+                * runtime/InitializeThreading.cpp:
+                (JSC::initializeThreading):
+                * runtime/JSCScrambledPtr.cpp: Added.
+                (JSC::initializeScrambledPtrKeys):
+                * runtime/JSCScrambledPtr.h: Added.
+                * runtime/JSDestructibleObject.h:
+                (JSC::JSDestructibleObject::classInfo const):
+                * runtime/JSSegmentedVariableObject.h:
+                (JSC::JSSegmentedVariableObject::classInfo const):
+                * runtime/Structure.h:
+                * runtime/VM.h:
+
+        2017-12-07  Mark Lam  <mark.lam@apple.com>
+
+                [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
+                https://bugs.webkit.org/show_bug.cgi?id=180514
+
+                Reviewed by Saam Barati and JF Bastien.
+
+                Re-landing r225620 with speculative build fix for GCC 7.
+
+                * API/JSCallbackObject.h:
+                * API/JSObjectRef.cpp:
+                (classInfoPrivate):
+                * JavaScriptCore.xcodeproj/project.pbxproj:
+                * Sources.txt:
+                * assembler/MacroAssemblerCodeRef.h:
+                (JSC::FunctionPtr::FunctionPtr):
+                (JSC::FunctionPtr::value const):
+                (JSC::FunctionPtr::executableAddress const):
+                (JSC::ReturnAddressPtr::ReturnAddressPtr):
+                (JSC::ReturnAddressPtr::value const):
+                (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+                (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+                (JSC::MacroAssemblerCodePtr::poisonedPtr const):
+                (JSC::MacroAssemblerCodePtr:: const):
+                (JSC::MacroAssemblerCodePtr::operator! const):
+                (JSC::MacroAssemblerCodePtr::operator== const):
+                (JSC::MacroAssemblerCodePtr::emptyValue):
+                (JSC::MacroAssemblerCodePtr::deletedValue):
+                (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
+                * b3/B3LowerMacros.cpp:
+                * b3/testb3.cpp:
+                (JSC::B3::testInterpreter):
+                * dfg/DFGSpeculativeJIT.cpp:
+                (JSC::DFG::SpeculativeJIT::checkArray):
+                (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+                (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+                (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+                * ftl/FTLLowerDFGToB3.cpp:
+                (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+                (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+                * jit/AssemblyHelpers.h:
+                (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+                * jit/SpecializedThunkJIT.h:
+                (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+                * jit/ThunkGenerators.cpp:
+                (JSC::virtualThunkFor):
+                (JSC::boundThisNoArgsFunctionCallGenerator):
+                * llint/LLIntSlowPaths.cpp:
+                (JSC::LLInt::handleHostCall):
+                (JSC::LLInt::setUpCall):
+                * llint/LowLevelInterpreter64.asm:
+                * runtime/InitializeThreading.cpp:
+                (JSC::initializeThreading):
+                * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
+                (JSC::initializePoison):
+                (JSC::initializeScrambledPtrKeys): Deleted.
+                * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
+                * runtime/JSCScrambledPtr.cpp: Removed.
+                * runtime/JSCScrambledPtr.h: Removed.
+                * runtime/JSDestructibleObject.h:
+                (JSC::JSDestructibleObject::classInfo const):
+                * runtime/JSSegmentedVariableObject.h:
+                (JSC::JSSegmentedVariableObject::classInfo const):
+                * runtime/Structure.h:
+                * runtime/VM.h:
+
+        2017-12-07  Mark Lam  <mark.lam@apple.com>
+
+                Apply poisoning to some native code pointers.
+                https://bugs.webkit.org/show_bug.cgi?id=180541
+                <rdar://problem/35916875>
+
+                Reviewed by Filip Pizlo.
+
+                Renamed g_classInfoPoison to g_globalDataPoison.
+                Renamed g_masmPoison to g_jitCodePoison.
+                Introduced g_nativeCodePoison.
+                Applied g_nativeCodePoison to poisoning some native code pointers.
+
+                Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
+                to malloc allocated data structures (where needed).
+
+                * API/JSCallbackFunction.h:
+                (JSC::JSCallbackFunction::functionCallback):
+                * JavaScriptCore.xcodeproj/project.pbxproj:
+                * jit/ThunkGenerators.cpp:
+                (JSC::nativeForGenerator):
+                * llint/LowLevelInterpreter64.asm:
+                * runtime/CustomGetterSetter.h:
+                (JSC::CustomGetterSetter::getter const):
+                (JSC::CustomGetterSetter::setter const):
+                * runtime/InternalFunction.cpp:
+                (JSC::InternalFunction::getCallData):
+                (JSC::InternalFunction::getConstructData):
+                * runtime/InternalFunction.h:
+                (JSC::InternalFunction::nativeFunctionFor):
+                * runtime/JSCPoison.h: Added.
+                * runtime/JSCPoisonedPtr.cpp:
+                (JSC::initializePoison):
+                * runtime/JSCPoisonedPtr.h:
+                * runtime/Lookup.h:
+                * runtime/NativeExecutable.cpp:
+                (JSC::NativeExecutable::hashFor const):
+                * runtime/NativeExecutable.h:
+                * runtime/Structure.cpp:
+                (JSC::StructureTransitionTable::setSingleTransition):
+                * runtime/StructureTransitionTable.h:
+                (JSC::StructureTransitionTable::StructureTransitionTable):
+                (JSC::StructureTransitionTable::isUsingSingleSlot const):
+                (JSC::StructureTransitionTable::map const):
+                (JSC::StructureTransitionTable::weakImpl const):
+                (JSC::StructureTransitionTable::setMap):
+
+        2017-12-08  Mark Lam  <mark.lam@apple.com>
+
+                Need to unpoison native function pointers for CLoop.
+                https://bugs.webkit.org/show_bug.cgi?id=180601
+                <rdar://problem/35942028>
+
+                Reviewed by JF Bastien.
+
+                * llint/LowLevelInterpreter64.asm:
+
+        2017-12-13  Mark Lam  <mark.lam@apple.com>
+
+                Fill out some Poisoned APIs, fix some bugs, and add some tests.
+                https://bugs.webkit.org/show_bug.cgi?id=180724
+                <rdar://problem/36006884>
+
+                Reviewed by JF Bastien.
+
+                * runtime/StructureTransitionTable.h:
+
</ins><span class="cx"> 2017-12-18  Jason Marcell  <jmarcell@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Apply patch. rdar://problem/36112002
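--- a/branches/safari-604-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
+++ b/branches/safari-604-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
@@ -2411,6 +2411,7 @@
          E49DC16C12EF294E00184A1F /* SourceProviderCache.h in Headers */ = {isa = PBXBuildFile; fileRef = E49DC15112EF272200184A1F /* SourceProviderCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
          E49DC16D12EF295300184A1F /* SourceProviderCacheItem.h in Headers */ = {isa = PBXBuildFile; fileRef = E49DC14912EF261A00184A1F /* SourceProviderCacheItem.h */; settings = {ATTRIBUTES = (Private, ); }; };
          FA3AB211C8494524AB390267 /* JSSourceCode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = F73926918DC64330AFCDF0D7 /* JSSourceCode.cpp */; };
+               FE05FB0A1FE8EF5800093230 /* JSCPoisonedPtr.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE2B0B681FD0D2970075DA5F /* JSCPoisonedPtr.cpp */; };
           FE0D4A061AB8DD0A002F54BF /* ExecutionTimeLimitTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE0D4A041AB8DD0A002F54BF /* ExecutionTimeLimitTest.cpp */; };
          FE0D4A091ABA2437002F54BF /* GlobalContextWithFinalizerTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE0D4A071ABA2437002F54BF /* GlobalContextWithFinalizerTest.cpp */; };
          FE1220271BE7F58C0039E6F2 /* JITAddGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = FE1220261BE7F5640039E6F2 /* JITAddGenerator.h */; };
@@ -2430,6 +2431,8 @@
          FE20CE9D15F04A9500DF3430 /* LLIntCLoop.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE20CE9B15F04A9500DF3430 /* LLIntCLoop.cpp */; };
          FE20CE9E15F04A9500DF3430 /* LLIntCLoop.h in Headers */ = {isa = PBXBuildFile; fileRef = FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */; settings = {ATTRIBUTES = (Private, ); }; };
          FE2A87601F02381600EB31B2 /* MinimumReservedZoneSize.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */; };
+               FE2B0B691FD227E00075DA5F /* JSCPoisonedPtr.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2B0B671FD0D2960075DA5F /* JSCPoisonedPtr.h */; settings = {ATTRIBUTES = (Private, ); }; };
+               FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */ = {isa = PBXBuildFile; fileRef = FE2B0B701FD8C4630075DA5F /* JSCPoison.h */; settings = {ATTRIBUTES = (Private, ); }; };
           FE2E6A7B1D6EA62C0060F896 /* ThrowScope.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE2E6A7A1D6EA5FE0060F896 /* ThrowScope.cpp */; };
          FE3022D21E3D73A500BAC493 /* SigillCrashAnalyzer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE3022D01E3D739600BAC493 /* SigillCrashAnalyzer.cpp */; };
          FE3022D31E3D73A500BAC493 /* SigillCrashAnalyzer.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3022D11E3D739600BAC493 /* SigillCrashAnalyzer.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -5081,6 +5084,9 @@
          FE20CE9B15F04A9500DF3430 /* LLIntCLoop.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = LLIntCLoop.cpp; path = llint/LLIntCLoop.cpp; sourceTree = "<group>"; };
          FE20CE9C15F04A9500DF3430 /* LLIntCLoop.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntCLoop.h; path = llint/LLIntCLoop.h; sourceTree = "<group>"; };
          FE2A875F1F02381600EB31B2 /* MinimumReservedZoneSize.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MinimumReservedZoneSize.h; sourceTree = "<group>"; };
+               FE2B0B671FD0D2960075DA5F /* JSCPoisonedPtr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCPoisonedPtr.h; sourceTree = "<group>"; };
+               FE2B0B681FD0D2970075DA5F /* JSCPoisonedPtr.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSCPoisonedPtr.cpp; sourceTree = "<group>"; };
+               FE2B0B701FD8C4630075DA5F /* JSCPoison.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCPoison.h; sourceTree = "<group>"; };
           FE2E6A7A1D6EA5FE0060F896 /* ThrowScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ThrowScope.cpp; sourceTree = "<group>"; };
          FE3022D01E3D739600BAC493 /* SigillCrashAnalyzer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SigillCrashAnalyzer.cpp; sourceTree = "<group>"; };
          FE3022D11E3D739600BAC493 /* SigillCrashAnalyzer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SigillCrashAnalyzer.h; sourceTree = "<group>"; };
@@ -6756,6 +6762,9 @@
                          F692A8870255597D01FF60F7 /* JSCJSValue.cpp */,
                          14ABB36E099C076400E2A24F /* JSCJSValue.h */,
                          865A30F0135007E100CDB49E /* JSCJSValueInlines.h */,
+                               FE2B0B701FD8C4630075DA5F /* JSCPoison.h */,
+                               FE2B0B681FD0D2970075DA5F /* JSCPoisonedPtr.cpp */,
+                               FE2B0B671FD0D2960075DA5F /* JSCPoisonedPtr.h */,
                           72AAF7CB1D0D318B005E60BE /* JSCustomGetterSetterFunction.cpp */,
                          72AAF7CC1D0D318B005E60BE /* JSCustomGetterSetterFunction.h */,
                          0F2B66BD17B6B5AB00A7AE3F /* JSDataView.cpp */,
@@ -8279,6 +8288,7 @@
                          0F338DFA1BE96AA80013C88F /* B3CCallValue.h in Headers */,
                          0F33FCFB1C1625BE00323F67 /* B3CFG.h in Headers */,
                          0FEC85061BDACDAC0080FF74 /* B3CheckSpecial.h in Headers */,
+                               FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */,
                           0FEC85081BDACDAC0080FF74 /* B3CheckValue.h in Headers */,
                          0FEC850A1BDACDAC0080FF74 /* B3Common.h in Headers */,
                          0FEC850C1BDACDAC0080FF74 /* B3Commutativity.h in Headers */,
@@ -8329,6 +8339,7 @@
                          0FEC852A1BDACDAC0080FF74 /* B3PhaseScope.h in Headers */,
                          0F37308D1C0BD29100052BFA /* B3PhiChildren.h in Headers */,
                          0FEC852C1BDACDAC0080FF74 /* B3Procedure.h in Headers */,
+                               FE2B0B691FD227E00075DA5F /* JSCPoisonedPtr.h in Headers */,
                           0FEC852D1BDACDAC0080FF74 /* B3ProcedureInlines.h in Headers */,
                          0F725CAA1C503DED00AD943A /* B3PureCSE.h in Headers */,
                          43422A671C16267800E2EB98 /* B3ReduceDoubleToFloat.h in Headers */,
@@ -10267,6 +10278,7 @@
                          A5FD0079189B051000633231 /* ConsoleMessage.cpp in Sources */,
                          A55714BF1CD804A40004D2C6 /* ConsoleObject.cpp in Sources */,
                          0F978B3B1AAEA71D007C7369 /* ConstantMode.cpp in Sources */,
+                               FE05FB0A1FE8EF5800093230 /* JSCPoisonedPtr.cpp in Sources */,
                           1428082E107EC0570013E7B2 /* ConstructData.cpp in Sources */,
                          A57D23F11891B5B40031C7FA /* ContentSearchUtilities.cpp in Sources */,
                          52B717B51A0597E1007AF4F3 /* ControlFlowProfiler.cpp in Sources */,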
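--- a/branches/safari-604-branch/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h
@@ -825,7 +825,7 @@
 
     static ptrdiff_t differenceBetweenCodePtr(const MacroAssemblerCodePtr& a, const MacroAssemblerCodePtr& b)
     {
-        return reinterpret_cast<ptrdiff_t>(b.executableAddress()) - reinterpret_cast<ptrdiff_t>(a.executableAddress());
+        return b.executableAddress<ptrdiff_t>() - a.executableAddress<ptrdiff_t>();
     }
 
     unsigned debugOffset() { return m_assembler.debugOffset(); }
@@ -847,6 +847,11 @@
         AssemblerType::linkPointer(code, label, value);
     }
 
+    static void linkPointer(void* code, AssemblerLabel label, MacroAssemblerCodePtr value)
+    {
+        AssemblerType::linkPointer(code, label, value.executableAddress());
+    }
+
     static void* getLinkerAddress(void* code, AssemblerLabel label)
     {
         return AssemblerType::getRelocatedAddress(code, label);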
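Review bot: The new `linkPointer` overload in the second hunk takes `MacroAssemblerCodePtr value` by value, while `differenceBetweenCodePtr` in the first hunk takes the same type as `const MacroAssemblerCodePtr&`; for consistency within the class I would write `static void linkPointer(void* code, AssemblerLabel label, const MacroAssemblerCodePtr& value)`. The overload also carries no comment explaining why it sits next to the existing `void*` one; it appears to be the single point where the poisoned code pointer is unpoisoned for the assembler, so a comment such as `// Unpoison the target only here, where the assembler needs the raw address.` would make that intent explicit, if that reading is right. The enclosing class starts and ends outside the hunk.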
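--- a/branches/safari-604-branch/Source/JavaScriptCore/assembler/CodeLocation.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/assembler/CodeLocation.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -164,55 +164,55 @@
 inline CodeLocationInstruction CodeLocationCommon::instructionAtOffset(int offset)
 {
     ASSERT_VALID_CODE_OFFSET(offset);
-    return CodeLocationInstruction(reinterpret_cast<char*>(dataLocation()) + offset);
+    return CodeLocationInstruction(dataLocation<char*>() + offset);
 }
 
 inline CodeLocationLabel CodeLocationCommon::labelAtOffset(int offset)
 {
     ASSERT_VALID_CODE_OFFSET(offset);
-    return CodeLocationLabel(reinterpret_cast<char*>(dataLocation()) + offset);
+    return CodeLocationLabel(dataLocation<char*>() + offset);
 }
 
 inline CodeLocationJump CodeLocationCommon::jumpAtOffset(int offset)
 {
     ASSERT_VALID_CODE_OFFSET(offset);
-    return CodeLocationJump(reinterpret_cast<char*>(dataLocation()) + offset);
+    return CodeLocationJump(dataLocation<char*>() + offset);
 }
 
 inline CodeLocationCall CodeLocationCommon::callAtOffset(int offset)
 {
     ASSERT_VALID_CODE_OFFSET(offset);
-    return CodeLocationCall(reinterpret_cast<char*>(dataLocation()) + offset);
+    return CodeLocationCall(dataLocation<char*>() + offset);
 }
 
 inline CodeLocationNearCall CodeLocationCommon::nearCallAtOffset(int offset, NearCallMode callMode)
 {
     ASSERT_VALID_CODE_OFFSET(offset);
-    return CodeLocationNearCall(reinterpret_cast<char*>(dataLocation()) + offset, callMode);
+    return CodeLocationNearCall(dataLocation<char*>() + offset, callMode);
 }
 
 inline CodeLocationDataLabelPtr CodeLocationCommon::dataLabelPtrAtOffset(int offset)
 {
     ASSERT_VALID_CODE_OFFSET(offset);
-    return CodeLocationDataLabelPtr(reinterpret_cast<char*>(dataLocation()) + offset);
+    return CodeLocationDataLabelPtr(dataLocation<char*>() + offset);
 }
 
 inline CodeLocationDataLabel32 CodeLocationCommon::dataLabel32AtOffset(int offset)
 {
     ASSERT_VALID_CODE_OFFSET(offset);
-    return CodeLocationDataLabel32(reinterpret_cast<char*>(dataLocation()) + offset);
+    return CodeLocationDataLabel32(dataLocation<char*>() + offset);
 }
 
 inline CodeLocationDataLabelCompact CodeLocationCommon::dataLabelCompactAtOffset(int offset)
 {
     ASSERT_VALID_CODE_OFFSET(offset);
-    return CodeLocationDataLabelCompact(reinterpret_cast<char*>(dataLocation()) + offset);
+    return CodeLocationDataLabelCompact(dataLocation<char*>() + offset);
 }
 
 inline CodeLocationConvertibleLoad CodeLocationCommon::convertibleLoadAtOffset(int offset)
 {
     ASSERT_VALID_CODE_OFFSET(offset);
-    return CodeLocationConvertibleLoad(reinterpret_cast<char*>(dataLocation()) + offset);
+    return CodeLocationConvertibleLoad(dataLocation<char*>() + offset);
 }
 
 } // namespace JSC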
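Review bot: After this change eight of the nine `*AtOffset` helpers in the second hunk have bodies that differ only in the type constructed from `dataLocation<char*>() + offset`, so the repetition is now purely mechanical; a private template member on `CodeLocationCommon` such as `template<typename T> T atOffset(int offset) { ASSERT_VALID_CODE_OFFSET(offset); return T(dataLocation<char*>() + offset); }` would let each become a one-line `return atOffset<CodeLocationLabel>(offset);`, with `nearCallAtOffset` keeping its extra `callMode` argument. This is a style point only; the hunk's behaviour is unchanged, and it keeps the offset check ahead of the pointer arithmetic in every helper. The declaration of `CodeLocationCommon` is outside the hunk, so the helper would have to be declared there.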
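--- a/branches/safari-604-branch/Source/JavaScriptCore/assembler/LinkBuffer.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/assembler/LinkBuffer.cpp
@@ -70,7 +70,7 @@
     va_end(argList);
     out.printf(":\n");
 
-    out.printf("    Code at [%p, %p):\n", result.code().executableAddress(), static_cast<char*>(result.code().executableAddress()) + result.size());
+    out.printf("    Code at [%p, %p):\n", result.code().executableAddress(), result.code().executableAddress<char*>() + result.size());
     
     CString header = out.toCString();
     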
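--- a/branches/safari-604-branch/Source/JavaScriptCore/assembler/LinkBuffer.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/assembler/LinkBuffer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2010, 2012-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -130,7 +130,7 @@
     
     void link(Call call, CodeLocationLabel label)
     {
-        link(call, FunctionPtr(label.executableAddress()));
+        link(call, FunctionPtr(label));
     }
     
     void link(Jump jump, CodeLocationLabel label)
@@ -154,7 +154,7 @@
     void patch(DataLabelPtr label, CodeLocationLabel value)
     {
         AssemblerLabel target = applyOffset(label.m_label);
-        MacroAssembler::linkPointer(code(), target, value.executableAddress());
+        MacroAssembler::linkPointer(code(), target, value);
     }
 
     // These methods are used to obtain handles to allow the code to be relinked / repatched later.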
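Review bot: `link(call, FunctionPtr(label))` in the second hunk now relies on a `FunctionPtr` constructor that accepts a `CodeLocationLabel`, which is not in this view (the ChangeLog lists `JSC::FunctionPtr::FunctionPtr` among the changed functions); the function-pointer constructors visible in MacroAssemblerCodeRef.h each run `PoisonedMasmPtr::assertIsNotPoisoned` and `ASSERT_VALID_CODE_POINTER`, so it is worth confirming that the label-taking constructor performs an equivalent check rather than accepting whatever the label holds unchecked. Likewise `MacroAssembler::linkPointer(code(), target, value)` in the third hunk resolves to the new `MacroAssemblerCodePtr` overload added in AbstractMacroAssembler.h; a short comment on either call, e.g. `// Hand the poisoned pointer through; it is unpoisoned where the raw address is consumed.`, would record why the explicit `executableAddress()` calls were dropped, if that is the intent. Both `link` and `patch` are complete within their hunks, but the enclosing LinkBuffer class is not.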
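--- a/branches/safari-604-branch/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -29,6 +29,7 @@
 #include "Disassembler.h"
 #include "JSCInlines.h"
 #include "LLIntData.h"
+#include <mutex>
 
 namespace JSC {
 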
<div class="modfile"><h4>Modified: branches/safari-604-branch/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h (226132 => 226133)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-604-branch/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h       2017-12-19 19:34:02 UTC (rev 226132)
+++ branches/safari-604-branch/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h  2017-12-19 19:34:17 UTC (rev 226133)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2009, 2012, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><span class="cx"> #include "ExecutableAllocator.h"
</span><ins>+#include "JSCPoisonedPtr.h"
</ins><span class="cx"> #include <wtf/DataLog.h>
</span><span class="cx"> #include <wtf/PrintStream.h>
</span><span class="cx"> #include <wtf/RefPtr.h>
</span><span class="lines">@@ -50,6 +51,8 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><ins>+class MacroAssemblerCodePtr;
+
</ins><span class="cx"> enum OpcodeID : unsigned;
</span><span class="cx"> 
</span><span class="cx"> // FunctionPtr:
</span><span class="lines">@@ -58,15 +61,13 @@
</span><span class="cx"> // (particularly, the stub functions).
</span><span class="cx"> class FunctionPtr {
</span><span class="cx"> public:
</span><del>-    FunctionPtr()
-        : m_value(0)
-    {
-    }
</del><ins>+    FunctionPtr() { }
</ins><span class="cx"> 
</span><span class="cx">     template<typename returnType>
</span><span class="cx">     FunctionPtr(returnType(*value)())
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -74,6 +75,7 @@
</span><span class="cx">     FunctionPtr(returnType(*value)(argType1))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -81,6 +83,7 @@
</span><span class="cx">     FunctionPtr(returnType(*value)(argType1, argType2))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -88,6 +91,7 @@
</span><span class="cx">     FunctionPtr(returnType(*value)(argType1, argType2, argType3))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -95,6 +99,7 @@
</span><span class="cx">     FunctionPtr(returnType(*value)(argType1, argType2, argType3, argType4))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -102,6 +107,7 @@
</span><span class="cx">     FunctionPtr(returnType(*value)(argType1, argType2, argType3, argType4, argType5))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -109,6 +115,7 @@
</span><span class="cx">     FunctionPtr(returnType(*value)(argType1, argType2, argType3, argType4, argType5, argType6))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> // MSVC doesn't seem to treat functions with different calling conventions as
</span><span class="lines">@@ -119,6 +126,7 @@
</span><span class="cx">     FunctionPtr(returnType (CDECL *value)())
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -126,6 +134,7 @@
</span><span class="cx">     FunctionPtr(returnType (CDECL *value)(argType1))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -133,6 +142,7 @@
</span><span class="cx">     FunctionPtr(returnType (CDECL *value)(argType1, argType2))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -140,6 +150,7 @@
</span><span class="cx">     FunctionPtr(returnType (CDECL *value)(argType1, argType2, argType3))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -147,6 +158,7 @@
</span><span class="cx">     FunctionPtr(returnType (CDECL *value)(argType1, argType2, argType3, argType4))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> #endif
</span><span class="lines">@@ -157,6 +169,7 @@
</span><span class="cx">     FunctionPtr(returnType (FASTCALL *value)())
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -164,6 +177,7 @@
</span><span class="cx">     FunctionPtr(returnType (FASTCALL *value)(argType1))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -171,6 +185,7 @@
</span><span class="cx">     FunctionPtr(returnType (FASTCALL *value)(argType1, argType2))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -178,6 +193,7 @@
</span><span class="cx">     FunctionPtr(returnType (FASTCALL *value)(argType1, argType2, argType3))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -185,6 +201,7 @@
</span><span class="cx">     FunctionPtr(returnType (FASTCALL *value)(argType1, argType2, argType3, argType4))
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> #endif
</span><span class="lines">@@ -196,15 +213,25 @@
</span><span class="cx">         // (I guess on RVTC function pointers have a different constness to GCC/MSVC?)
</span><span class="cx">         : m_value((void*)value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    void* value() const { return m_value; }
-    void* executableAddress() const { return m_value; }
</del><ins>+    explicit FunctionPtr(MacroAssemblerCodePtr);
</ins><span class="cx"> 
</span><ins>+    void* value() const
+    {
+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
+        return m_value;
+    }
+    void* executableAddress() const
+    {
+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
+        return m_value;
+    }
</ins><span class="cx"> 
</span><span class="cx"> private:
</span><del>-    void* m_value;
</del><ins>+    void* m_value { nullptr };
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> // ReturnAddressPtr:
</span><span class="lines">@@ -215,14 +242,12 @@
</span><span class="cx"> // that is the source of the return address.
</span><span class="cx"> class ReturnAddressPtr {
</span><span class="cx"> public:
</span><del>-    ReturnAddressPtr()
-        : m_value(0)
-    {
-    }
</del><ins>+    ReturnAddressPtr() { }
</ins><span class="cx"> 
</span><span class="cx">     explicit ReturnAddressPtr(void* value)
</span><span class="cx">         : m_value(value)
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -229,10 +254,15 @@
</span><span class="cx">     explicit ReturnAddressPtr(FunctionPtr function)
</span><span class="cx">         : m_value(function.value())
</span><span class="cx">     {
</span><ins>+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    void* value() const { return m_value; }
</del><ins>+    void* value() const
+    {
+        PoisonedMasmPtr::assertIsNotPoisoned(m_value);
+        return m_value;
+    }
</ins><span class="cx">     
</span><span class="cx">     void dump(PrintStream& out) const
</span><span class="cx">     {
</span><span class="lines">@@ -240,7 +270,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx"> private:
</span><del>-    void* m_value;
</del><ins>+    void* m_value { nullptr };
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> // MacroAssemblerCodePtr:
</span><span class="lines">@@ -248,10 +278,7 @@
</span><span class="cx"> // MacroAssemblerCodePtr should be used to wrap pointers to JIT generated code.
</span><span class="cx"> class MacroAssemblerCodePtr {
</span><span class="cx"> public:
</span><del>-    MacroAssemblerCodePtr()
-        : m_value(0)
-    {
-    }
</del><ins>+    MacroAssemblerCodePtr() { }
</ins><span class="cx"> 
</span><span class="cx">     explicit MacroAssemblerCodePtr(void* value)
</span><span class="cx"> #if CPU(ARM_THUMB2)
</span><span class="lines">@@ -261,14 +288,18 @@
</span><span class="cx">         : m_value(value)
</span><span class="cx"> #endif
</span><span class="cx">     {
</span><ins>+        m_value.assertIsPoisoned();
+        ASSERT(value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     static MacroAssemblerCodePtr createFromExecutableAddress(void* value)
</span><span class="cx">     {
</span><ins>+        ASSERT(value);
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(value);
</span><span class="cx">         MacroAssemblerCodePtr result;
</span><del>-        result.m_value = value;
</del><ins>+        result.m_value = PoisonedMasmPtr(value);
+        result.m_value.assertIsPoisoned();
</ins><span class="cx">         return result;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -277,24 +308,64 @@
</span><span class="cx">     explicit MacroAssemblerCodePtr(ReturnAddressPtr ra)
</span><span class="cx">         : m_value(ra.value())
</span><span class="cx">     {
</span><ins>+        ASSERT(ra.value());
+        m_value.assertIsPoisoned();
</ins><span class="cx">         ASSERT_VALID_CODE_POINTER(m_value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    void* executableAddress() const { return m_value; }
</del><ins>+    PoisonedMasmPtr poisonedPtr() const { return m_value; }
+
+    template<typename T = void*>
+    T executableAddress() const
+    {
+        m_value.assertIsPoisoned();
+        return m_value.unpoisoned<T>();
+    }
</ins><span class="cx"> #if CPU(ARM_THUMB2)
</span><span class="cx">     // To use this pointer as a data address remove the decoration.
</span><del>-    void* dataLocation() const { ASSERT_VALID_CODE_POINTER(m_value); return reinterpret_cast<char*>(m_value) - 1; }
</del><ins>+    template<typename T = void*>
+    T dataLocation() const
+    {
+        m_value.assertIsPoisoned();
+        ASSERT_VALID_CODE_POINTER(m_value);
+        return bitwise_cast<T>(m_value ? m_value.unpoisoned<char*>() - 1 : nullptr);
+    }
</ins><span class="cx"> #else
</span><del>-    void* dataLocation() const { ASSERT_VALID_CODE_POINTER(m_value); return m_value; }
</del><ins>+    template<typename T = void*>
+    T dataLocation() const
+    {
+        m_value.assertIsPoisoned();
+        ASSERT_VALID_CODE_POINTER(m_value);
+        return m_value.unpoisoned<T>();
+    }
</ins><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-    explicit operator bool() const { return m_value; }
</del><ins>+    bool operator!() const
+    {
+#if ENABLE(POISON_ASSERTS)
+        if (!isEmptyValue() && !isDeletedValue())
+            m_value.assertIsPoisoned();
+#endif
+        return !m_value;
+    }
+    explicit operator bool() const { return !(!*this); }
</ins><span class="cx">     
</span><span class="cx">     bool operator==(const MacroAssemblerCodePtr& other) const
</span><span class="cx">     {
</span><ins>+#if ENABLE(POISON_ASSERTS)
+        if (!isEmptyValue() && !isDeletedValue())
+            m_value.assertIsPoisoned();
+        if (!other.isEmptyValue() && !other.isDeletedValue())
+            other.m_value.assertIsPoisoned();
+#endif
</ins><span class="cx">         return m_value == other.m_value;
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    // Disallow any casting operations (except for booleans). Instead, the client
+    // should be asking for poisonedPtr() or executableAddress() explicitly.
+    template<typename T, typename = std::enable_if_t<!std::is_same<T, bool>::value>>
+    operator T() = delete;
+
</ins><span class="cx">     void dumpWithName(const char* name, PrintStream& out) const;
</span><span class="cx">     
</span><span class="cx">     void dump(PrintStream& out) const;
</span><span class="lines">@@ -304,24 +375,24 @@
</span><span class="cx">     
</span><span class="cx">     MacroAssemblerCodePtr(EmptyValueTag)
</span><span class="cx">         : m_value(emptyValue())
</span><del>-    {
-    }
</del><ins>+    { }
</ins><span class="cx">     
</span><span class="cx">     MacroAssemblerCodePtr(DeletedValueTag)
</span><span class="cx">         : m_value(deletedValue())
</span><del>-    {
-    }
</del><ins>+    { }
</ins><span class="cx">     
</span><span class="cx">     bool isEmptyValue() const { return m_value == emptyValue(); }
</span><span class="cx">     bool isDeletedValue() const { return m_value == deletedValue(); }
</span><del>-    
-    unsigned hash() const { return PtrHash<void*>::hash(m_value); }
</del><span class="cx"> 
</span><ins>+    unsigned hash() const { return IntHash<uintptr_t>::hash(m_value.bits()); }
+
+    static void initialize();
+
</ins><span class="cx"> private:
</span><del>-    static void* emptyValue() { return bitwise_cast<void*>(static_cast<intptr_t>(1)); }
-    static void* deletedValue() { return bitwise_cast<void*>(static_cast<intptr_t>(2)); }
-    
-    void* m_value;
</del><ins>+    static PoisonedMasmPtr emptyValue() { return PoisonedMasmPtr(1); }
+    static PoisonedMasmPtr deletedValue() { return PoisonedMasmPtr(2); }
+
+    PoisonedMasmPtr m_value;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> struct MacroAssemblerCodePtrHash {
</span><span class="lines">@@ -405,6 +476,13 @@
</span><span class="cx">     RefPtr<ExecutableMemoryHandle> m_executableMemory;
</span><span class="cx"> };
</span><span class="cx"> 
</span><ins>+inline FunctionPtr::FunctionPtr(MacroAssemblerCodePtr ptr)
+    : m_value(ptr.executableAddress())
+{
+    PoisonedMasmPtr::assertIsNotPoisoned(m_value);
+    ASSERT_VALID_CODE_POINTER(m_value);
+}
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> namespace WTF {
</span></span></pre></div>
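--- a/branches/safari-604-branch/Source/JavaScriptCore/b3/B3LowerMacros.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/b3/B3LowerMacros.cpp
@@ -470,7 +470,7 @@
                 patchpoint->effects.terminal = true;
                 
                 patchpoint->appendSomeRegister(index);
-                patchpoint->numGPScratchRegisters++;
+                patchpoint->numGPScratchRegisters = 2;
                 // Technically, we don't have to clobber macro registers on X86_64. This is probably
                 // OK though.
                 patchpoint->clobber(RegisterSet::macroScratchRegisters());
@@ -505,10 +505,14 @@
                         
                         GPRReg index = params[0].gpr();
                         GPRReg scratch = params.gpScratch(0);
-                        
+                        GPRReg poisonScratch = params.gpScratch(1);
+
+                        jit.move(CCallHelpers::TrustedImm64(g_jitCodePoison), poisonScratch);
                         jit.move(CCallHelpers::TrustedImmPtr(jumpTable), scratch);
-                        jit.jump(CCallHelpers::BaseIndex(scratch, index, CCallHelpers::timesPtr()));
-                        
+                        jit.load64(CCallHelpers::BaseIndex(scratch, index, CCallHelpers::timesPtr()), scratch);
+                        jit.xor64(poisonScratch, scratch);
+                        jit.jump(scratch);
+
                         // These labels are guaranteed to be populated before either late paths or
                         // link tasks run.
                         Vector<Box<CCallHelpers::Label>> labels = params.successorLabels();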
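Review bot: The new indirect-jump sequence in the second hunk (`load64` / `xor64` / `jump`) rests on two facts a reader cannot confirm from here: that every `jumpTable` slot is written as a `MacroAssemblerCodePtr` whose bits are XOR-poisoned with `g_jitCodePoison`, and that the 64-bit instructions are always available because B3 is only built for 64-bit targets. The DFG counterpart in DFGSpeculativeJIT.cpp guards the same xor with `#if USE(JSVALUE64)`, so a short comment above the `jit.move(CCallHelpers::TrustedImm64(g_jitCodePoison), poisonScratch);` line would help, e.g. `// jumpTable holds poisoned MacroAssemblerCodePtrs; unpoison the entry before jumping.` Switching `numGPScratchRegisters++` to `numGPScratchRegisters = 2` in the first hunk turns a relative request into an absolute one, which is fine only if nothing earlier in the patchpoint setup has already asked for scratch registers; worth confirming. The same sequence and the same `= 2` change appear in testb3.cpp below, and the enclosing lambda continues outside the hunk.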
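--- a/branches/safari-604-branch/Source/JavaScriptCore/b3/testb3.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/b3/testb3.cpp
@@ -13007,7 +13007,7 @@
     polyJump->effects.terminal = true;
     polyJump->appendSomeRegister(opcode);
     polyJump->clobber(RegisterSet::macroScratchRegisters());
-    polyJump->numGPScratchRegisters++;
+    polyJump->numGPScratchRegisters = 2;
     dispatch->appendSuccessor(FrequentedBlock(addToDataPointer));
     dispatch->appendSuccessor(FrequentedBlock(addToCodePointer));
     dispatch->appendSuccessor(FrequentedBlock(addToData));
@@ -13029,9 +13029,15 @@
             MacroAssemblerCodePtr* jumpTable = bitwise_cast<MacroAssemblerCodePtr*>(
                 params.proc().addDataSection(sizeof(MacroAssemblerCodePtr) * labels.size()));
 
-            jit.move(CCallHelpers::TrustedImmPtr(jumpTable), params.gpScratch(0));
-            jit.jump(CCallHelpers::BaseIndex(params.gpScratch(0), params[0].gpr(), CCallHelpers::timesPtr()));
-            
+            GPRReg scratch = params.gpScratch(0);
+            GPRReg poisonScratch = params.gpScratch(1);
+
+            jit.move(CCallHelpers::TrustedImmPtr(jumpTable), scratch);
+            jit.move(CCallHelpers::TrustedImm64(g_jitCodePoison), poisonScratch);
+            jit.load64(CCallHelpers::BaseIndex(scratch, params[0].gpr(), CCallHelpers::timesPtr()), scratch);
+            jit.xor64(poisonScratch, scratch);
+            jit.jump(scratch);
+
             jit.addLinkTask(
                 [&, jumpTable, labels] (LinkBuffer& linkBuffer) {
                     for (unsigned i = labels.size(); i--;)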
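--- a/branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGDisassembler.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGDisassembler.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -168,8 +168,8 @@
     CodeLocationLabel start = linkBuffer.locationOf(previousLabel);
     CodeLocationLabel end = linkBuffer.locationOf(currentLabel);
     previousLabel = currentLabel;
-    ASSERT(bitwise_cast<uintptr_t>(end.executableAddress()) >= bitwise_cast<uintptr_t>(start.executableAddress()));
-    disassemble(start, bitwise_cast<uintptr_t>(end.executableAddress()) - bitwise_cast<uintptr_t>(start.executableAddress()), prefixBuffer.get(), out);
+    ASSERT(end.executableAddress<uintptr_t>() >= start.executableAddress<uintptr_t>());
+    disassemble(start, end.executableAddress<uintptr_t>() - start.executableAddress<uintptr_t>(), prefixBuffer.get(), out);
 }
 
 } } // namespace JSC::DFG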
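--- a/branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
@@ -279,7 +279,7 @@
     
     for (auto& record : m_jsCalls) {
         CallLinkInfo& info = *record.info;
-        linkBuffer.link(record.slowCall, FunctionPtr(vm()->getCTIStub(linkCallThunkGenerator).code().executableAddress()));
+        linkBuffer.link(record.slowCall, FunctionPtr(vm()->getCTIStub(linkCallThunkGenerator).code()));
         info.setCallLocations(
             CodeLocationLabel(linkBuffer.locationOfNearCall(record.slowCall)),
             CodeLocationLabel(linkBuffer.locationOf(record.targetToCheck)),
@@ -510,9 +510,9 @@
     
     m_jitCode->shrinkToFit();
     codeBlock()->shrinkToFit(CodeBlock::LateShrink);
-    
-    linkBuffer->link(m_callArityFixup, FunctionPtr((vm()->getCTIStub(arityFixupGenerator)).code().executableAddress()));
-    
+
+    linkBuffer->link(m_callArityFixup, FunctionPtr(vm()->getCTIStub(arityFixupGenerator).code()));
+
     disassemble(*linkBuffer);
 
     MacroAssemblerCodePtr withArityCheck = linkBuffer->locationOf(m_arityCheck);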
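--- a/branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -1789,8 +1789,8 @@
     double asDouble = value.asDouble();
     int32_t asInt32 = static_cast<int32_t>(asDouble);
     if (asDouble == asInt32)
-        return static_cast<char*>(table.ctiForValue(asInt32).executableAddress());
-    return static_cast<char*>(table.ctiDefault.executableAddress());
+        return table.ctiForValue(asInt32).executableAddress<char*>();
+    return table.ctiDefault.executableAddress<char*>();
 }
 
 char* JIT_OPERATION operationSwitchString(ExecState* exec, size_t tableIndex, JSString* string)
@@ -1798,7 +1798,7 @@
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
 
-    return static_cast<char*>(exec->codeBlock()->stringSwitchJumpTable(tableIndex).ctiForValue(string->value(exec).impl()).executableAddress());
+    return exec->codeBlock()->stringSwitchJumpTable(tableIndex).ctiForValue(string->value(exec).impl()).executableAddress<char*>();
 }
 
 int32_t JIT_OPERATION operationSwitchStringAndGetBranchOffset(ExecState* exec, size_t tableIndex, JSString* string)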
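--- a/branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -867,8 +867,8 @@
         m_jit.branchPtr(
             MacroAssembler::NotEqual,
             MacroAssembler::Address(temp.gpr(), Structure::classInfoOffset()),
-            TrustedImmPtr(expectedClassInfo)));
-    
+            TrustedImmPtr(PoisonedClassInfoPtr(expectedClassInfo).bits())));
+
     noResult(m_currentNode);
 }
 
@@ -8140,6 +8140,10 @@
 
         m_jit.emitLoadStructure(*m_jit.vm(), baseGPR, otherGPR, specifiedGPR);
         m_jit.loadPtr(CCallHelpers::Address(otherGPR, Structure::classInfoOffset()), otherGPR);
+#if USE(JSVALUE64)
+        m_jit.move(CCallHelpers::TrustedImm64(g_globalDataPoison), specifiedGPR);
+        m_jit.xor64(specifiedGPR, otherGPR);
+#endif
         m_jit.move(CCallHelpers::TrustedImmPtr(node->classInfo()), specifiedGPR);
 
         CCallHelpers::Label loop = m_jit.label();
@@ -8429,7 +8433,7 @@
         slowPath);
     
     m_jit.storePtr(
-        TrustedImmPtr(StringObject::info()),
+        TrustedImmPtr(PoisonedClassInfoPtr(StringObject::info()).bits()),
         JITCompiler::Address(resultGPR, JSDestructibleObject::classInfoOffset()));
 #if USE(JSVALUE64)
     m_jit.store64(
@@ -9135,7 +9139,7 @@
 }
 
 void SpeculativeJIT::emitSwitchIntJump(
-    SwitchData* data, GPRReg value, GPRReg scratch)
+    SwitchData* data, GPRReg value, GPRReg scratch, GPRReg poisonScratch)
 {
     SimpleJumpTable& table = m_jit.codeBlock()->switchJumpTable(data->switchTableIndex);
     table.ensureCTITable();
@@ -9143,8 +9147,16 @@
     addBranch(
         m_jit.branch32(JITCompiler::AboveOrEqual, value, Imm32(table.ctiOffsets.size())),
         data->fallThrough.block);
+    UNUSED_PARAM(poisonScratch); // Placate the 32-bit build.
+#if USE(JSVALUE64)
+    m_jit.move(TrustedImm64(g_jitCodePoison), poisonScratch);
+#endif
     m_jit.move(TrustedImmPtr(table.ctiOffsets.begin()), scratch);
     m_jit.loadPtr(JITCompiler::BaseIndex(scratch, value, JITCompiler::timesPtr()), scratch);
+    
+#if USE(JSVALUE64)
+    m_jit.xor64(poisonScratch, scratch);
+#endif
     m_jit.jump(scratch);
     data->didUseJumpTable = true;
 }
@@ -9155,7 +9167,8 @@
     case Int32Use: {
         SpeculateInt32Operand value(this, node->child1());
         GPRTemporary temp(this);
-        emitSwitchIntJump(data, value.gpr(), temp.gpr());
+        GPRTemporary temp2(this);
+        emitSwitchIntJump(data, value.gpr(), temp.gpr(), temp2.gpr());
         noResult(node);
         break;
     }
@@ -9163,15 +9176,17 @@
     case UntypedUse: {
         JSValueOperand value(this, node->child1());
         GPRTemporary temp(this);
+        GPRTemporary temp2(this);
         JSValueRegs valueRegs = value.jsValueRegs();
         GPRReg scratch = temp.gpr();
-        
+        GPRReg scratch2 = temp2.gpr();
+
         value.use();
         
 #if USE(JSVALUE64)
         JITCompiler::Jump notInt = m_jit.branch64(
             JITCompiler::Below, valueRegs.gpr(), GPRInfo::tagTypeNumberRegister);
-        emitSwitchIntJump(data, valueRegs.gpr(), scratch);
+        emitSwitchIntJump(data, valueRegs.gpr(), scratch, scratch2);
         notInt.link(&m_jit);
         addBranch(
             m_jit.branchTest64(
@@ -9184,7 +9199,7 @@
 #else
         JITCompiler::Jump notInt = m_jit.branch32(
             JITCompiler::NotEqual, valueRegs.tagGPR(), TrustedImm32(JSValue::Int32Tag));
-        emitSwitchIntJump(data, valueRegs.payloadGPR(), scratch);
+        emitSwitchIntJump(data, valueRegs.payloadGPR(), scratch, scratch2);
         notInt.link(&m_jit);
         addBranch(
             m_jit.branch32(
@@ -9208,7 +9223,7 @@
 }
 
 void SpeculativeJIT::emitSwitchCharStringJump(
-    SwitchData* data, GPRReg value, GPRReg scratch)
+    SwitchData* data, GPRReg value, GPRReg scratch, GPRReg scratch2)
 {
     addBranch(
         m_jit.branch32(
@@ -9239,7 +9254,7 @@
     m_jit.load8(MacroAssembler::Address(value), scratch);
     
     ready.link(&m_jit);
-    emitSwitchIntJump(data, scratch, value);
+    emitSwitchIntJump(data, scratch, value, scratch2);
 }
 
 void SpeculativeJIT::emitSwitchChar(Node* node, SwitchData* data)
@@ -9248,14 +9263,16 @@
     case StringUse: {
         SpeculateCellOperand op1(this, node->child1());
         GPRTemporary temp(this);
-        
+        GPRTemporary temp2(this);
+
         GPRReg op1GPR = op1.gpr();
         GPRReg tempGPR = temp.gpr();
-        
+        GPRReg temp2GPR = temp2.gpr();
+
         op1.use();
 
         speculateString(node->child1(), op1GPR);
-        emitSwitchCharStringJump(data, op1GPR, tempGPR);
+        emitSwitchCharStringJump(data, op1GPR, tempGPR, temp2GPR);
         noResult(node, UseChildrenCalledExplicitly);
         break;
     }
@@ -9263,10 +9280,12 @@
     case UntypedUse: {
         JSValueOperand op1(this, node->child1());
         GPRTemporary temp(this);
-        
+        GPRTemporary temp2(this);
+
         JSValueRegs op1Regs = op1.jsValueRegs();
         GPRReg tempGPR = temp.gpr();
-        
+        GPRReg temp2GPR = temp2.gpr();
+
         op1.use();
         
         addBranch(m_jit.branchIfNotCell(op1Regs), data->fallThrough.block);
@@ -9273,7 +9292,7 @@
         
         addBranch(m_jit.branchIfNotString(op1Regs.payloadGPR()), data->fallThrough.block);
         
-        emitSwitchCharStringJump(data, op1Regs.payloadGPR(), tempGPR);
+        emitSwitchCharStringJump(data, op1Regs.payloadGPR(), tempGPR, temp2GPR);
         noResult(node, UseChildrenCalledExplicitly);
         break;
     }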
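Review bot: `emitSwitchIntJump` (hunk at 9143) now writes `poisonScratch` before `scratch` and `value` are consumed, so it must be distinct from both; the callers pass fresh `GPRTemporary`s and `emitSwitchCharStringJump` reuses `value` as the table scratch, but nothing in the function checks the three registers, so a guard such as `ASSERT(poisonScratch != value && poisonScratch != scratch);` inside the `#if USE(JSVALUE64)` block would make the contract explicit. In the hunk at 8140 the unpoison of the loaded ClassInfo pointer deserves a comment, e.g. `// Structure's class-info pointer is stored poisoned with g_globalDataPoison; unpoison before comparing.`, and if the loop that follows (outside the hunk) reloads `otherGPR` from a parent-class field, confirm that field is stored unpoisoned or it needs the same xor. The `UNUSED_PARAM(poisonScratch); // Placate the 32-bit build.` line sits above the `#if` that uses the parameter, which reads oddly; an `#else` branch would state the reason more directly.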
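--- a/branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -2702,9 +2702,9 @@
         BasicBlock* target;
     };
     
-    void emitSwitchIntJump(SwitchData*, GPRReg value, GPRReg scratch);
+    void emitSwitchIntJump(SwitchData*, GPRReg value, GPRReg scratch, GPRReg scratch2);
     void emitSwitchImm(Node*, SwitchData*);
-    void emitSwitchCharStringJump(SwitchData*, GPRReg value, GPRReg scratch);
+    void emitSwitchCharStringJump(SwitchData*, GPRReg value, GPRReg scratch, GPRReg scratch2);
     void emitSwitchChar(Node*, SwitchData*);
     void emitBinarySwitchStringRecurse(
         SwitchData*, const Vector<StringSwitchCase>&, unsigned numChecked,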
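Review bot: The declarations name the new parameter `scratch2` while the definition of `emitSwitchIntJump` in DFGSpeculativeJIT.cpp names it `poisonScratch` and uses it only under `USE(JSVALUE64)`; since the header is what callers read, the descriptive name belongs here: `void emitSwitchIntJump(SwitchData*, GPRReg value, GPRReg scratch, GPRReg poisonScratch);`. `emitSwitchCharStringJump` only forwards its fourth register to `emitSwitchIntJump`, so the same name fits that declaration as well.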
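--- a/branches/safari-604-branch/Source/JavaScriptCore/disassembler/Disassembler.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/disassembler/Disassembler.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012, 2013, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -42,7 +42,7 @@
     if (tryToDisassemble(codePtr, size, prefix, out))
         return;
     
-    out.printf("%sdisassembly not available for range %p...%p\n", prefix, codePtr.executableAddress(), static_cast<char*>(codePtr.executableAddress()) + size);
+    out.printf("%sdisassembly not available for range %p...%p\n", prefix, codePtr.executableAddress(), codePtr.executableAddress<char*>() + size);
 }
 
 namespace {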
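--- a/branches/safari-604-branch/Source/JavaScriptCore/disassembler/UDis86Disassembler.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/disassembler/UDis86Disassembler.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012, 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -37,13 +37,13 @@
 {
     ud_t disassembler;
     ud_init(&disassembler);
-    ud_set_input_buffer(&disassembler, static_cast<unsigned char*>(codePtr.executableAddress()), size);
+    ud_set_input_buffer(&disassembler, codePtr.executableAddress<unsigned char*>(), size);
 #if CPU(X86_64)
     ud_set_mode(&disassembler, 64);
 #else
     ud_set_mode(&disassembler, 32);
 #endif
-    ud_set_pc(&disassembler, bitwise_cast<uintptr_t>(codePtr.executableAddress()));
+    ud_set_pc(&disassembler, codePtr.executableAddress<uintptr_t>());
     ud_set_syntax(&disassembler, UD_SYN_ATT);
     
     uint64_t currentPC = disassembler.pc;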
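--- a/branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLCompile.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLCompile.cpp
@@ -151,8 +151,8 @@
     if (vm.shouldBuilderPCToCodeOriginMapping())
         codeBlock->setPCToCodeOriginMap(std::make_unique<PCToCodeOriginMap>(PCToCodeOriginMapBuilder(vm, WTFMove(originMap)), *state.finalizer->b3CodeLinkBuffer));
 
-    state.generatedFunction = bitwise_cast<GeneratedFunction>(
-        state.finalizer->b3CodeLinkBuffer->entrypoint().executableAddress());
+    CodeLocationLabel label = state.finalizer->b3CodeLinkBuffer->entrypoint();
+    state.generatedFunction = label.executableAddress<GeneratedFunction>();
     state.jitCode->initializeB3Byproducts(state.proc->releaseByproducts());
 
     if (B3::Air::Disassembler* disassembler = state.proc->code().disassembler()) {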
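--- a/branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLJITCode.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLJITCode.cpp
@@ -84,7 +84,7 @@
 
 void* JITCode::executableAddressAtOffset(size_t offset)
 {
-    return reinterpret_cast<char*>(m_addressForCall.executableAddress()) + offset;
+    return m_addressForCall.executableAddress<char*>() + offset;
 }
 
 void* JITCode::dataAddressAtOffset(size_t)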
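--- a/branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLLink.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLLink.cpp
@@ -170,7 +170,7 @@
             }
             linkBuffer->link(callArityCheck, codeBlock->m_isConstructor ? operationConstructArityCheck : operationCallArityCheck);
             linkBuffer->link(callLookupExceptionHandlerFromCallerFrame, lookupExceptionHandlerFromCallerFrame);
-            linkBuffer->link(callArityFixup, FunctionPtr((vm.getCTIStub(arityFixupGenerator)).code().executableAddress()));
+            linkBuffer->link(callArityFixup, FunctionPtr((vm.getCTIStub(arityFixupGenerator)).code()));
             linkBuffer->link(mainPathJumps, CodeLocationLabel(bitwise_cast<void*>(state.generatedFunction)));
         }
         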
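--- a/branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -1708,7 +1708,7 @@
 #if ENABLE(MATH_IC_STATS)
                         auto slowPathEnd = jit.label();
                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
-                            size_t size = static_cast<char*>(linkBuffer.locationOf(slowPathEnd).executableAddress()) - static_cast<char*>(linkBuffer.locationOf(slowPathStart).executableAddress());
+                            size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
                             mathIC->m_generatedCodeSize += size;
                         });
 #endif
@@ -1722,7 +1722,7 @@
 #if ENABLE(MATH_IC_STATS)
                 auto inlineEnd = jit.label();
                 jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
-                    size_t size = static_cast<char*>(linkBuffer.locationOf(inlineEnd).executableAddress()) - static_cast<char*>(linkBuffer.locationOf(inlineStart).executableAddress());
+                    size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
                     mathIC->m_generatedCodeSize += size;
                 });
 #endif
@@ -1801,7 +1801,7 @@
 #if ENABLE(MATH_IC_STATS)
                         auto slowPathEnd = jit.label();
                         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
-                            size_t size = static_cast<char*>(linkBuffer.locationOf(slowPathEnd).executableAddress()) - static_cast<char*>(linkBuffer.locationOf(slowPathStart).executableAddress());
+                            size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
                             mathIC->m_generatedCodeSize += size;
                         });
 #endif
@@ -1815,7 +1815,7 @@
 #if ENABLE(MATH_IC_STATS)
                 auto inlineEnd = jit.label();
                 jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
-                    size_t size = static_cast<char*>(linkBuffer.locationOf(inlineEnd).executableAddress()) - static_cast<char*>(linkBuffer.locationOf(inlineStart).executableAddress());
+                    size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
                     mathIC->m_generatedCodeSize += size;
                 });
 #endif
@@ -6304,7 +6304,7 @@
                     [=] (LinkBuffer& linkBuffer) {
                         MacroAssemblerCodePtr linkCall =
                             vm->getCTIStub(linkCallThunkGenerator).code();
-                        linkBuffer.link(slowCall, FunctionPtr(linkCall.executableAddress()));
+                        linkBuffer.link(slowCall, FunctionPtr(linkCall));
 
                         callLinkInfo->setCallLocations(
                             CodeLocationLabel(linkBuffer.locationOfNearCall(slowCall)),
@@ -6615,7 +6615,7 @@
                     [=] (LinkBuffer& linkBuffer) {
                         MacroAssemblerCodePtr linkCall =
                             vm->getCTIStub(linkCallThunkGenerator).code();
-                        linkBuffer.link(slowCall, FunctionPtr(linkCall.executableAddress()));
+                        linkBuffer.link(slowCall, FunctionPtr(linkCall));
 
                         callLinkInfo->setCallLocations(
                             CodeLocationLabel(linkBuffer.locationOfNearCall(slowCall)),
@@ -6886,7 +6886,7 @@
                     [=] (LinkBuffer& linkBuffer) {
                         MacroAssemblerCodePtr linkCall =
                             vm->getCTIStub(linkCallThunkGenerator).code();
-                        linkBuffer.link(slowCall, FunctionPtr(linkCall.executableAddress()));
+                        linkBuffer.link(slowCall, FunctionPtr(linkCall));
                         
                         callLinkInfo->setCallLocations(
                             CodeLocationLabel(linkBuffer.locationOfNearCall(slowCall)),
@@ -7169,7 +7169,7 @@
                     [=] (LinkBuffer& linkBuffer) {
                         MacroAssemblerCodePtr linkCall =
                             vm->getCTIStub(linkCallThunkGenerator).code();
-                        linkBuffer.link(slowCall, FunctionPtr(linkCall.executableAddress()));
+                        linkBuffer.link(slowCall, FunctionPtr(linkCall));
                         
                         callLinkInfo->setCallLocations(
                             CodeLocationLabel(linkBuffer.locationOfNearCall(slowCall)),
@@ -10422,7 +10422,9 @@
             LBasicBlock continuation = m_out.newBlock();
 
             LValue structure = loadStructure(cell);
-            ValueFromBlock otherAtStart = m_out.anchor(m_out.loadPtr(structure, m_heaps.Structure_classInfo));
+            LValue poisonedClassInfo = m_out.loadPtr(structure, m_heaps.Structure_classInfo);
+            LValue classInfo = m_out.bitXor(poisonedClassInfo, m_out.constInt64(g_globalDataPoison));
+            ValueFromBlock otherAtStart = m_out.anchor(classInfo);
             m_out.jump(loop);
 
             LBasicBlock lastNext = m_out.appendTo(loop, parentClass);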
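Review bot: The hunk at 10422 unpoisons the loaded `Structure_classInfo` by XORing with `g_globalDataPoison` spelled out directly, whereas the other class-info sites in this commit (`AssemblyHelpers.h`, `SpecializedThunkJIT.h`) go through `PoisonedClassInfoPtr(...).bits()`; if the key behind `PoisonedClassInfoPtr` is ever changed, this lowering silently diverges and `classInfo` feeds the parent-class walk below as a garbage pointer. Tying the constant to the same source as the writers, or at least a comment on the `bitXor` line such as `// Must match the key used by PoisonedClassInfoPtr on the store side.`, would keep the two in step. The enclosing lowering function begins and ends outside this hunk, so I cannot see whether the other loads in the loop body are unpoisoned the same way.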
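--- a/branches/safari-604-branch/Source/JavaScriptCore/interpreter/InterpreterInlines.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/interpreter/InterpreterInlines.h
@@ -47,7 +47,7 @@
     // the LLInt code for the opcode (see the EMBED_OPCODE_ID_IF_NEEDED macro
     // in LowLevelInterpreter.cpp).
     MacroAssemblerCodePtr codePtr(reinterpret_cast<void*>(opcode));
-    int32_t* opcodeIDAddress = reinterpret_cast<int32_t*>(codePtr.dataLocation()) - 1;
+    int32_t* opcodeIDAddress = codePtr.dataLocation<int32_t*>() - 1;
     OpcodeID opcodeID = static_cast<OpcodeID>(*opcodeIDAddress);
     ASSERT(opcodeID < NUMBER_OF_BYTECODE_IDS);
     return opcodeID;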
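--- a/branches/safari-604-branch/Source/JavaScriptCore/jit/AssemblyHelpers.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/jit/AssemblyHelpers.h
@@ -1587,7 +1587,7 @@
     void emitAllocateDestructibleObject(VM& vm, GPRReg resultGPR, Structure* structure, GPRReg scratchGPR1, GPRReg scratchGPR2, JumpList& slowPath)
     {
         emitAllocateJSObject<ClassType>(vm, resultGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR1, scratchGPR2, slowPath);
-        storePtr(TrustedImmPtr(PoisonedClassInfoPtr(structure->classInfo()).bits()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));
+        storePtr(TrustedImmPtr(PoisonedClassInfoPtr(structure->classInfo()).bits()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));
     }
     
     void emitInitializeInlineStorage(GPRReg baseGPR, unsigned inlineCapacity)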
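Review bot: The `storePtr` line now writes the poisoned form of the class-info pointer into `JSDestructibleObject`, but nothing at the call site says so, and the same silent change of representation appears in the `branchPtr` comparison in `SpecializedThunkJIT.h`; a reader of either line has no cue that every load of this field must go through `PoisonedClassInfoPtr` (or the matching XOR) before being dereferenced. A short comment above the store, `// Stored poisoned; readers must unpoison via PoisonedClassInfoPtr before use.`, and the mirror comment on the comparison in `SpecializedThunkJIT.h` would make the invariant visible where it is most likely to be broken by a future direct load. Note also that the poisoned bits are baked into generated code as a `TrustedImmPtr`, so the value cannot change for the lifetime of that JIT code; that looks intended but is worth stating.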
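--- a/branches/safari-604-branch/Source/JavaScriptCore/jit/JITArithmetic.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/jit/JITArithmetic.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -720,7 +720,7 @@
 #if ENABLE(MATH_IC_STATS)
     auto inlineEnd = label();
     addLinkTask([=] (LinkBuffer& linkBuffer) {
-        size_t size = static_cast<char*>(linkBuffer.locationOf(inlineEnd).executableAddress()) - static_cast<char*>(linkBuffer.locationOf(inlineStart).executableAddress());
+        size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
         mathIC->m_generatedCodeSize += size;
     });
 #endif
@@ -793,7 +793,7 @@
 #if ENABLE(MATH_IC_STATS)
     auto inlineEnd = label();
     addLinkTask([=] (LinkBuffer& linkBuffer) {
-        size_t size = static_cast<char*>(linkBuffer.locationOf(inlineEnd).executableAddress()) - static_cast<char*>(linkBuffer.locationOf(inlineStart).executableAddress());
+        size_t size = linkBuffer.locationOf(inlineEnd).executableAddress<char*>() - linkBuffer.locationOf(inlineStart).executableAddress<char*>();
         mathIC->m_generatedCodeSize += size;
     });
 #endif
@@ -833,7 +833,7 @@
 #if ENABLE(MATH_IC_STATS)
     auto slowPathEnd = label();
     addLinkTask([=] (LinkBuffer& linkBuffer) {
-        size_t size = static_cast<char*>(linkBuffer.locationOf(slowPathEnd).executableAddress()) - static_cast<char*>(linkBuffer.locationOf(slowPathStart).executableAddress());
+        size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
         mathIC->m_generatedCodeSize += size;
     });
 #endif
@@ -899,7 +899,7 @@
 #if ENABLE(MATH_IC_STATS)
     auto slowPathEnd = label();
     addLinkTask([=] (LinkBuffer& linkBuffer) {
-        size_t size = static_cast<char*>(linkBuffer.locationOf(slowPathEnd).executableAddress()) - static_cast<char*>(linkBuffer.locationOf(slowPathStart).executableAddress());
+        size_t size = linkBuffer.locationOf(slowPathEnd).executableAddress<char*>() - linkBuffer.locationOf(slowPathStart).executableAddress<char*>();
         mathIC->m_generatedCodeSize += size;
     });
 #endif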
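--- a/branches/safari-604-branch/Source/JavaScriptCore/jit/JITCode.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/jit/JITCode.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2012, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -127,7 +127,7 @@
 void* JITCodeWithCodeRef::executableAddressAtOffset(size_t offset)
 {
     RELEASE_ASSERT(m_ref);
-    return reinterpret_cast<char*>(m_ref.code().executableAddress()) + offset;
+    return m_ref.code().executableAddress<char*>() + offset;
 }
 
 void* JITCodeWithCodeRef::dataAddressAtOffset(size_t offset)
@@ -134,13 +134,13 @@
 {
     RELEASE_ASSERT(m_ref);
     ASSERT(offset <= size()); // use <= instead of < because it is valid to ask for an address at the exclusive end of the code.
-    return reinterpret_cast<char*>(m_ref.code().dataLocation()) + offset;
+    return m_ref.code().dataLocation<char*>() + offset;
 }
 
 unsigned JITCodeWithCodeRef::offsetOf(void* pointerIntoCode)
 {
     RELEASE_ASSERT(m_ref);
-    intptr_t result = reinterpret_cast<intptr_t>(pointerIntoCode) - reinterpret_cast<intptr_t>(m_ref.code().executableAddress());
+    intptr_t result = reinterpret_cast<intptr_t>(pointerIntoCode) - m_ref.code().executableAddress<intptr_t>();
     ASSERT(static_cast<intptr_t>(static_cast<unsigned>(result)) == result);
     return static_cast<unsigned>(result);
 }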
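--- a/branches/safari-604-branch/Source/JavaScriptCore/jit/JITDisassembler.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/jit/JITDisassembler.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -163,7 +163,7 @@
 {
     CodeLocationLabel fromLocation = linkBuffer.locationOf(from);
     CodeLocationLabel toLocation = linkBuffer.locationOf(to);
-    disassemble(fromLocation, bitwise_cast<uintptr_t>(toLocation.executableAddress()) - bitwise_cast<uintptr_t>(fromLocation.executableAddress()), "        ", out);
+    disassemble(fromLocation, toLocation.executableAddress<uintptr_t>() - fromLocation.executableAddress<uintptr_t>(), "        ", out);
 }
 
 } // namespace JSC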
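--- a/branches/safari-604-branch/Source/JavaScriptCore/jit/PCToCodeOriginMap.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/jit/PCToCodeOriginMap.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -204,8 +204,8 @@
             codeOriginCompressor.write<uintptr_t>(bitwise_cast<uintptr_t>(codeOrigin.inlineCallFrame));
     };
 
-    m_pcRangeStart = bitwise_cast<uintptr_t>(linkBuffer.locationOf(builder.m_codeRanges.first().start).dataLocation());
-    m_pcRangeEnd = bitwise_cast<uintptr_t>(linkBuffer.locationOf(builder.m_codeRanges.last().end).dataLocation());
+    m_pcRangeStart = linkBuffer.locationOf(builder.m_codeRanges.first().start).dataLocation<uintptr_t>();
+    m_pcRangeEnd = linkBuffer.locationOf(builder.m_codeRanges.last().end).dataLocation<uintptr_t>();
     m_pcRangeEnd -= 1;
 
     for (unsigned i = 0; i < builder.m_codeRanges.size(); i++) {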
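--- a/branches/safari-604-branch/Source/JavaScriptCore/jit/Repatch.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/jit/Repatch.cpp
@@ -90,8 +90,7 @@
             MacroAssemblerCodePtr::createFromExecutableAddress(
                 MacroAssembler::readCallTarget(call).executableAddress()));
         key = key.withCallTarget(newCalleeFunction.executableAddress());
-        newCalleeFunction = FunctionPtr(
-            thunks.getSlowPathCallThunk(key).code().executableAddress());
+        newCalleeFunction = FunctionPtr(thunks.getSlowPathCallThunk(key).code());
     }
 #else // ENABLE(FTL_JIT)
     UNUSED_PARAM(codeBlock);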
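--- a/branches/safari-604-branch/Source/JavaScriptCore/jit/SpecializedThunkJIT.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/jit/SpecializedThunkJIT.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -77,7 +77,7 @@
         {
             loadCellArgument(argument, dst);
             emitLoadStructure(*vm(), dst, scratch, dst);
-            appendFailure(branchPtr(NotEqual, Address(scratch, Structure::classInfoOffset()), TrustedImmPtr(classInfo)));
+            appendFailure(branchPtr(NotEqual, Address(scratch, Structure::classInfoOffset()), TrustedImmPtr(PoisonedClassInfoPtr(classInfo).bits())));
             // We have to reload the argument since emitLoadStructure clobbered it.
             loadCellArgument(argument, dst);
         }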
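--- a/branches/safari-604-branch/Source/JavaScriptCore/jit/ThunkGenerators.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/jit/ThunkGenerators.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010, 2012-2014, 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -212,7 +212,11 @@
     
     // Now we know that we have a CodeBlock, and we're committed to making a fast
     // call.
-    
+#if USE(JSVALUE64)
+    jit.move(CCallHelpers::TrustedImm64(g_jitCodePoison), GPRInfo::regT1);
+    jit.xor64(GPRInfo::regT1, GPRInfo::regT4);
+#endif
+
     // Make a tail call. This will return back to JIT code.
     emitPointerValidation(jit, GPRInfo::regT4);
     if (callLinkInfo.isTailCall()) {
@@ -291,7 +295,10 @@
 
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, X86Registers::esi);
     jit.loadPtr(JSInterfaceJIT::Address(X86Registers::esi, JSFunction::offsetOfExecutable()), X86Registers::r9);
-    jit.call(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction));
+    jit.loadPtr(JSInterfaceJIT::Address(X86Registers::r9, executableOffsetToFunction), X86Registers::r9);
+    jit.move(JSInterfaceJIT::TrustedImm64(g_nativeCodePoison), X86Registers::esi);
+    jit.xor64(X86Registers::esi, X86Registers::r9);
+    jit.call(X86Registers::r9);
 
 #else
     // Calling convention:      f(ecx, edx, r8, r9, ...);
@@ -319,7 +326,10 @@
 
     jit.emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, ARM64Registers::x1);
     jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, JSFunction::offsetOfExecutable()), ARM64Registers::x2);
-    jit.call(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction));
+    jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction), ARM64Registers::x2);
+    jit.move(JSInterfaceJIT::TrustedImm64(g_nativeCodePoison), ARM64Registers::x1);
+    jit.xor64(ARM64Registers::x1, ARM64Registers::x2);
+    jit.call(ARM64Registers::x2);
 #elif CPU(ARM) || CPU(MIPS)
 #if CPU(MIPS)
     // Allocate stack space for (unused) 16 bytes (8-byte aligned) for 4 arguments.
@@ -1126,6 +1136,10 @@
         GPRInfo::regT0);
     CCallHelpers::Jump noCode = jit.branchTestPtr(CCallHelpers::Zero, GPRInfo::regT0);
     
+#if USE(JSVALUE64)
+    jit.move(CCallHelpers::TrustedImm64(g_jitCodePoison), GPRInfo::regT1);
+    jit.xor64(GPRInfo::regT1, GPRInfo::regT0);
+#endif
     emitPointerValidation(jit, GPRInfo::regT0);
     jit.call(GPRInfo::regT0);
     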
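--- a/branches/safari-604-branch/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
@@ -189,7 +189,8 @@
 extern "C" SlowPathReturnType llint_trace_operand(ExecState* exec, Instruction* pc, int fromWhere, int operand)
 {
     LLINT_BEGIN();
-    dataLogF("%p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d\n",
+    dataLogF("<%d> %p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d\n",
+            currentThread(),
             exec->codeBlock(),
             exec,
             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
@@ -212,7 +213,8 @@
     } u;
     u.asValue = JSValue::encode(value);
     dataLogF(
-        "%p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d: %08x:%08x: %s\n",
+        "<%d> %p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d: %08x:%08x: %s\n",
+        currentThread(),
         exec->codeBlock(),
         exec,
         static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
@@ -228,7 +230,7 @@
 
 LLINT_SLOW_PATH_DECL(trace_prologue)
 {
-    dataLogF("%p / %p: in prologue of ", exec->codeBlock(), exec);
+    dataLogF("<%d> %p / %p: in prologue of ", currentThread(), exec->codeBlock(), exec);
     dataLog(*exec->codeBlock(), "\n");
     LLINT_END_IMPL();
 }
@@ -238,7 +240,7 @@
     JSFunction* callee = jsCast<JSFunction*>(exec->jsCallee());
     FunctionExecutable* executable = callee->jsExecutable();
     CodeBlock* codeBlock = executable->codeBlockFor(kind);
-    dataLogF("%p / %p: in %s of ", codeBlock, exec, comment);
+    dataLogF("<%d> %p / %p: in %s of ", currentThread(), codeBlock, exec, comment);
     dataLog(*codeBlock);
     dataLogF(" function %p, executable %p; numVars = %u, numParameters = %u, numCalleeLocals = %u, caller = %p.\n",
         callee, executable, codeBlock->m_numVars, codeBlock->numParameters(), codeBlock->m_numCalleeLocals, exec->callerFrame());
@@ -271,7 +273,8 @@
 LLINT_SLOW_PATH_DECL(trace)
 {
     OpcodeID opcodeID = Interpreter::getOpcodeID(pc[0].u.opcode);
-    dataLogF("%p / %p: executing bc#%zu, %s, pc = %p\n",
+    dataLogF("<%d> %p / %p: executing bc#%zu, %s, pc = %p\n",
+            currentThread(),
             exec->codeBlock(),
             exec,
             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
@@ -289,7 +292,8 @@
 
 LLINT_SLOW_PATH_DECL(special_trace)
 {
-    dataLogF("%p / %p: executing special case bc#%zu, op#%u, return PC is %p\n",
+    dataLogF("<%d> %p / %p: executing special case bc#%zu, op#%u, return PC is %p\n",
+            currentThread(),
             exec->codeBlock(),
             exec,
             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
@@ -1243,6 +1247,7 @@
             execCallee->setCallee(asObject(callee));
             vm.hostCallReturnValue = JSValue::decode(callData.native.function(execCallee));
             
+            PoisonedMasmPtr::assertIsNotPoisoned(LLInt::getCodePtr(getHostCallReturnValue));
             LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
         }
         
@@ -1266,6 +1271,7 @@
         execCallee->setCallee(asObject(callee));
         vm.hostCallReturnValue = JSValue::decode(constructData.native.function(execCallee));
 
+        PoisonedMasmPtr::assertIsNotPoisoned(LLInt::getCodePtr(getHostCallReturnValue));
         LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
     }
     
@@ -1337,6 +1343,7 @@
             codeBlock->linkIncomingCall(exec, callLinkInfo);
     }
 
+    PoisonedMasmPtr::assertIsNotPoisoned(codePtr.executableAddress());
     LLINT_CALL_RETURN(exec, execCallee, codePtr.executableAddress());
 }
 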
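Review bot: The new `<%d>` conversion in llint_trace_operand, the operand-trace helper, trace_prologue, the prologue helper, trace and special_trace is paired with `currentThread()`, whose return type is not visible here; if it is WTF's unsigned 32-bit ThreadIdentifier, `%d` is a signed/unsigned mismatch that -Wformat reports and that prints large ids as negative numbers. Passing `static_cast<unsigned>(currentThread())` with `%u` pins the conversion regardless of the typedef. The three `PoisonedMasmPtr::assertIsNotPoisoned` calls before `LLINT_CALL_RETURN` only check the contract in assertion builds; a one-line comment above each, e.g. `// The LLInt call path presumably jumps to this pointer without unpoisoning it; it must be a raw code pointer.`, keeps the expectation visible in release builds. The functions enclosing the last three hunks start outside the hunks.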
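--- a/branches/safari-604-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+++ b/branches/safari-604-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
@@ -1893,8 +1893,15 @@
     storei PC, ArgumentCount + TagOffset[cfr]
     storei t2, ArgumentCount + PayloadOffset[t3]
     move t3, sp
-    prepareCall(LLIntCallLinkInfo::machineCodeTarget[t1], t2, t3, t4)
-    callTargetFunction(LLIntCallLinkInfo::machineCodeTarget[t1])
+    if X86_64_WIN
+        prepareCall(LLIntCallLinkInfo::machineCodeTarget[t1], t2, t3, t4)
+        callTargetFunction(LLIntCallLinkInfo::machineCodeTarget[t1])
+    else
+        loadp _g_jitCodePoison, t2
+        xorp LLIntCallLinkInfo::machineCodeTarget[t1], t2
+        prepareCall(t2, t1, t3, t4)
+        callTargetFunction(t2)
+    end
 
 .opCallSlow:
     slowPathForCall(slowPath, prepareCall)
@@ -2013,14 +2020,18 @@
     loadp JSFunction::m_executable[t1], t1
     checkStackPointerAlignment(t3, 0xdead0001)
     if C_LOOP
-        cloopCallNative executableOffsetToFunction[t1]
+        loadp _g_nativeCodePoison, t2
+        xorp executableOffsetToFunction[t1], t2
+        cloopCallNative t2
     else
         if X86_64_WIN
             subp 32, sp
-        end
-        call executableOffsetToFunction[t1]
-        if X86_64_WIN
+            call executableOffsetToFunction[t1]
             addp 32, sp
+        else
+            loadp _g_nativeCodePoison, t2
+            xorp executableOffsetToFunction[t1], t2
+            call t2
         end
     end
 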
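Review bot: The `X86_64_WIN` arms in both hunks still jump to `LLIntCallLinkInfo::machineCodeTarget[t1]` and `executableOffsetToFunction[t1]` without XOR-ing in the poison, while every other 64-bit path now does and the ThunkGenerators hunk at the top of this page unpoisons under `USE(JSVALUE64)`, which includes Win64. That is only correct if the C++ side stores those two pointers unpoisoned on Windows; the writer side is outside this diff, so a comment on each `if X86_64_WIN` line, e.g. `# The x86 backend cannot load _g_jitCodePoison on non-Mach-O targets yet (see x86LoadOperand FIXME); on Win64 these targets must therefore be stored unpoisoned.`, would record the dependency. In the first hunk `t2` is clobbered by the poison load after its value was already stored to `ArgumentCount`, and `t1` becomes the scratch register for `prepareCall` once the XOR has consumed it, which looks sound from the visible lines; the enclosing macro bodies start outside both hunks.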
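--- a/branches/safari-604-branch/Source/JavaScriptCore/offlineasm/ast.rb
+++ b/branches/safari-604-branch/Source/JavaScriptCore/offlineasm/ast.rb
@@ -928,7 +928,7 @@
         when "globalAnnotation"
             $asm.putGlobalAnnotation
         when "emit"
-          $asm.puts "#{operands[0].dump}"
+            $asm.puts "#{operands[0].dump}"
         else
             raise "Unhandled opcode #{opcode} at #{codeOriginString}"
         end
@@ -1080,12 +1080,20 @@
 
 class LabelReference < Node
     attr_reader :label
+    attr_accessor :offset
     
     def initialize(codeOrigin, label)
         super(codeOrigin)
         @label = label
+        @offset = 0
     end
     
+    def plusOffset(additionalOffset)
+        result = LabelReference.new(codeOrigin, label)
+        result.offset = @offset + additionalOffset
+        result
+    end
+    
     def children
         [@label]
     end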
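Review bot: `plusOffset` returns a fresh `LabelReference` and leaves the receiver untouched, but nothing says so, and `children` still reports only `[@label]`, so a label carrying a non-zero offset is indistinguishable from the bare label to any pass that walks or compares children; `dump` is outside the hunk and may have the same gap. A comment on the method, e.g. `# Returns a new LabelReference displaced by additionalOffset bytes; self is not mutated. Backends must apply @offset when emitting the operand (see x86LoadOperand).`, would make the contract explicit. `attr_accessor :offset` also exposes a public writer that only `plusOffset` needs; `attr_reader :offset` with a `protected` writer would keep offsets fixed after construction.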
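--- a/branches/safari-604-branch/Source/JavaScriptCore/offlineasm/cloop.rb
+++ b/branches/safari-604-branch/Source/JavaScriptCore/offlineasm/cloop.rb
@@ -302,7 +302,13 @@
     end
 end
 
+class LabelReference
+    def intMemRef
+        "*CAST<intptr_t*>(&#{cLabel})"
+    end
+end
 
+
 #
 # Lea support.
 #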
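Review bot: `intMemRef` emits `*CAST<intptr_t*>(&#{cLabel})` and silently drops the `offset` that `LabelReference` now carries (added in the ast.rb hunk of this commit), so a `loadp _label + 8, t2` would compile in the C loop but read from the wrong address. The method should either apply the displacement, `"*CAST<intptr_t*>(CAST<char*>(&#{cLabel}) + #{offset})"`, or reject it, `raise "C loop cannot load from a label with an offset" unless offset == 0`. The only uses this commit introduces (`loadp _g_nativeCodePoison, t2` under `C_LOOP` in LowLevelInterpreter64.asm) have offset 0, so the gap is latent today.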
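--- a/branches/safari-604-branch/Source/JavaScriptCore/offlineasm/parser.rb
+++ b/branches/safari-604-branch/Source/JavaScriptCore/offlineasm/parser.rb
@@ -481,7 +481,7 @@
     end
     
     def couldBeExpression
-        @tokens[@idx] == "-" or @tokens[@idx] == "~" or @tokens[@idx] == "sizeof" or isInteger(@tokens[@idx]) or isString(@tokens[@idx]) or isVariable(@tokens[@idx]) or @tokens[@idx] == "("
+        @tokens[@idx] == "-" or @tokens[@idx] == "~" or @tokens[@idx] == "sizeof" or isInteger(@tokens[@idx]) or isString(@tokens[@idx]) or isVariable(@tokens[@idx]) or isLabel(@tokens[@idx]) or @tokens[@idx] == "("
     end
     
     def parseExpressionAdd
@@ -539,10 +539,6 @@
             end
         elsif @tokens[@idx] == "["
             parseAddress(Immediate.new(@tokens[@idx].codeOrigin, 0))
-        elsif isLabel @tokens[@idx]
-            result = LabelReference.new(@tokens[@idx].codeOrigin, Label.forName(@tokens[@idx].codeOrigin, @tokens[@idx].string))
-            @idx += 1
-            result
         elsif isLocalLabel @tokens[@idx]
             result = LocalLabelReference.new(@tokens[@idx].codeOrigin, LocalLabel.forName(@tokens[@idx].codeOrigin, @tokens[@idx].string))
             @idx += 1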
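Review bot: The second hunk removes the only construction of `LabelReference` visible in the operand parser and the first hunk instead lets `couldBeExpression` accept labels, so label operands now go through the expression parser; that parser is outside the hunk, and nothing here shows where `LabelReference.new` moved to. A comment on the `couldBeExpression` change, e.g. `# Labels are expressions so that "label + imm" parses and folds to a LabelReference with an offset (see transform.rb).`, would tell the next reader why the explicit branch is gone. The method enclosing the second hunk starts outside it.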
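--- a/branches/safari-604-branch/Source/JavaScriptCore/offlineasm/transform.rb
+++ b/branches/safari-604-branch/Source/JavaScriptCore/offlineasm/transform.rb
@@ -298,6 +298,10 @@
     def fold
         @left = @left.fold
         @right = @right.fold
+        
+        return right.plusOffset(@left.value) if @left.is_a? Immediate and @right.is_a? LabelReference
+        return left.plusOffset(@right.value) if @left.is_a? LabelReference and @right.is_a? Immediate
+        
         return self unless @left.is_a? Immediate
         return self unless @right.is_a? Immediate
         Immediate.new(codeOrigin, @left.value + @right.value)
@@ -308,6 +312,9 @@
     def fold
         @left = @left.fold
         @right = @right.fold
+        
+        return left.plusOffset(-@right.value) if @left.is_a? LabelReference and @right.is_a? Immediate
+        
         return self unless @left.is_a? Immediate
         return self unless @right.is_a? Immediate
         Immediate.new(codeOrigin, @left.value - @right.value)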
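Review bot: The new lines in both `fold` methods call the `left`/`right` readers (`right.plusOffset`, `left.plusOffset`) while the same lines and the surrounding code use the `@left`/`@right` instance variables; `@right.plusOffset(@left.value)`, `@left.plusOffset(@right.value)` and `@left.plusOffset(-@right.value)` keep the style uniform and do not depend on readers that are declared outside the hunk. `Immediate - LabelReference` is deliberately not folded and falls through to `return self`, which is the right outcome, but a one-line comment saying so would stop a reader from expecting symmetry with the add case. The classes owning these `fold` methods start outside the hunks.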
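--- a/branches/safari-604-branch/Source/JavaScriptCore/offlineasm/x86.rb
+++ b/branches/safari-604-branch/Source/JavaScriptCore/offlineasm/x86.rb
@@ -247,6 +247,12 @@
     end
 end
 
+class Node
+    def x86LoadOperand(type, dst)
+        x86Operand(type)
+    end
+end
+
 class RegisterID
     def supports8BitOnX86
         case x86GPR
@@ -456,6 +462,12 @@
     def x86CallOperand(kind)
         asmLabel
     end
+    def x86LoadOperand(kind, dst)
+        # FIXME: Implement this on platforms that aren't Mach-O.
+        # https://bugs.webkit.org/show_bug.cgi?id=175104
+        $asm.puts "movq #{asmLabel}@GOTPCREL(%rip), #{dst.x86Operand(:ptr)}"
+        "#{offset}(#{dst.x86Operand(kind)})"
+    end
 end
 
 class LocalLabelReference
@@ -523,6 +535,10 @@
         }
         result.join(", ")
     end
+    
+    def x86LoadOperands(srcKind, dstKind)
+        orderOperands(operands[0].x86LoadOperand(srcKind, operands[1]), operands[1].x86Operand(dstKind))
+    end
 
     def x86Suffix(kind)
         if isIntelSyntax
@@ -927,45 +943,51 @@
             handleX86Op("xor#{x86Suffix(:ptr)}", :ptr)
         when "xorq"
             handleX86Op("xor#{x86Suffix(:quad)}", :quad)
-        when "loadi", "storei"
+        when "loadi"
+            $asm.puts "mov#{x86Suffix(:int)} #{x86LoadOperands(:int, :int)}"
+        when "storei"
             $asm.puts "mov#{x86Suffix(:int)} #{x86Operands(:int, :int)}"
         when "loadis"
             if isX64
                 if !isIntelSyntax
-                    $asm.puts "movslq #{x86Operands(:int, :quad)}"
+                    $asm.puts "movslq #{x86LoadOperands(:int, :quad)}"
                 else
-                    $asm.puts "movsxd #{x86Operands(:int, :quad)}"
+                    $asm.puts "movsxd #{x86LoadOperands(:int, :quad)}"
                 end
             else
-                $asm.puts "mov#{x86Suffix(:int)} #{x86Operands(:int, :int)}"
+                $asm.puts "mov#{x86Suffix(:int)} #{x86LoadOperands(:int, :int)}"
             end
-        when "loadp", "storep"
+        when "loadp"
+            $asm.puts "mov#{x86Suffix(:ptr)} #{x86LoadOperands(:ptr, :ptr)}"
+        when "storep"
             $asm.puts "mov#{x86Suffix(:ptr)} #{x86Operands(:ptr, :ptr)}"
-        when "loadq", "storeq"
+        when "loadq"
+            $asm.puts "mov#{x86Suffix(:quad)} #{x86LoadOperands(:quad, :quad)}"
+        when "storeq"
             $asm.puts "mov#{x86Suffix(:quad)} #{x86Operands(:quad, :quad)}"
         when "loadb"
             if !isIntelSyntax
-                $asm.puts "movzbl #{orderOperands(operands[0].x86Operand(:byte), operands[1].x86Operand(:int))}"
+                $asm.puts "movzbl #{x86LoadOperands(:byte, :int)}"
             else
-                $asm.puts "movzx #{orderOperands(operands[0].x86Operand(:byte), operands[1].x86Operand(:int))}"
+                $asm.puts "movzx #{x86LoadOperands(:byte, :int)}"
             end
         when "loadbs"
             if !isIntelSyntax
-                $asm.puts "movsbl #{orderOperands(operands[0].x86Operand(:byte), operands[1].x86Operand(:int))}"
+                $asm.puts "movsbl #{x86LoadOperands(:byte, :int)}"
             else
-                $asm.puts "movsx #{orderOperands(operands[0].x86Operand(:byte), operands[1].x86Operand(:int))}"
+                $asm.puts "movsx #{x86LoadOperands(:byte, :int)}"
             end
         when "loadh"
             if !isIntelSyntax
-                $asm.puts "movzwl #{orderOperands(operands[0].x86Operand(:half), operands[1].x86Operand(:int))}"
+                $asm.puts "movzwl #{x86LoadOperands(:half, :int)}"
             else
-                $asm.puts "movzx #{orderOperands(operands[0].x86Operand(:half), operands[1].x86Operand(:int))}"
+                $asm.puts "movzx #{x86LoadOperands(:half, :int)}"
             end
         when "loadhs"
             if !isIntelSyntax
-                $asm.puts "movswl #{orderOperands(operands[0].x86Operand(:half), operands[1].x86Operand(:int))}"
+                $asm.puts "movswl #{x86LoadOperands(:half, :int)}"
             else
-                $asm.puts "movsx #{orderOperands(operands[0].x86Operand(:half), operands[1].x86Operand(:int))}"
+                $asm.puts "movsx #{x86LoadOperands(:half, :int)}"
             end
         when "storeb"
             $asm.puts "mov#{x86Suffix(:byte)} #{x86Operands(:byte, :byte)}"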
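Review bot: In `LabelReference#x86LoadOperand` the returned memory operand uses `dst.x86Operand(kind)` as its base register, so for any kind narrower than a pointer (`loadi label, t0`, or the `loadb`/`loadh` cases that now route through `x86LoadOperands(:byte, :int)`) the base is emitted as a 32-, 16- or 8-bit register name, giving `0(%eax)`-style addressing that is a 32-bit address override at best and invalid at worst on x86-64. The base should always be the pointer-width register that the preceding `movq` just loaded: `"#{offset}(#{dst.x86Operand(:ptr)})"`. The `movq ...@GOTPCREL(%rip)` line is also AT&T-only while the surrounding `when` branches test `isIntelSyntax`; the existing FIXME should mention that, or the method should `raise` under Intel syntax. All uses this commit introduces are `loadp`, so the kind problem is latent rather than triggered here.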
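--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/CustomGetterSetter.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/CustomGetterSetter.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -25,6 +25,7 @@
 
 #pragma once
 
+#include "JSCPoisonedPtr.h"
 #include "JSCell.h"
 #include "PropertySlot.h"
 #include "PutPropertySlot.h"
@@ -50,8 +51,8 @@
         return customGetterSetter;
     }
 
-    CustomGetterSetter::CustomGetter getter() const { return m_getter; }
-    CustomGetterSetter::CustomSetter setter() const { return m_setter; }
+    CustomGetterSetter::CustomGetter getter() const { return m_getter.unpoisoned(); }
+    CustomGetterSetter::CustomSetter setter() const { return m_setter.unpoisoned(); }
     DOMJIT::GetterSetter* domJIT() const { return m_domJIT; }
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
@@ -70,8 +71,11 @@
     {
     }
 
-    CustomGetter m_getter;
-    CustomSetter m_setter;
+    template<typename T>
+    using PoisonedAccessor = Poisoned<g_nativeCodePoison, T>;
+
+    PoisonedAccessor<CustomGetter> m_getter;
+    PoisonedAccessor<CustomSetter> m_setter;
     DOMJIT::GetterSetter* m_domJIT;
 };
 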
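Review bot: `m_getter` and `m_setter` become `Poisoned<g_nativeCodePoison, T>` while `m_domJIT` stays a raw `DOMJIT::GetterSetter*` beside them, and nothing records why that pointer is exempt; a comment on the member, e.g. `// m_domJIT is left unpoisoned intentionally — see <reason> (TODO: confirm it is a descriptor rather than a callable pointer).`, or poisoning it as well if the split is accidental, would stop the next edit from guessing. The `PoisonedAccessor` alias is declared in the data-member region after the constructor; placing it with the class's other private type declarations near the top reads better. The constructor that initialises these members ends in this hunk but begins outside it, so whether it still accepts raw `CustomGetter`/`CustomSetter` values cannot be checked here.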
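--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/InitializeThreading.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/InitializeThreading.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -37,6 +37,7 @@
 #include "JSGlobalObject.h"
 #include "JSLock.h"
 #include "LLIntData.h"
+#include "MacroAssemblerCodeRef.h"
 #include "Options.h"
 #include "StructureIDTable.h"
 #include "SuperSampler.h"
@@ -59,6 +60,7 @@
 
     std::call_once(initializeThreadingOnceFlag, []{
         WTF::initializeThreading();
+        initializePoison();
         Options::initialize();
 #if ENABLE(WEBASSEMBLY)
         Wasm::Memory::initializePreallocations();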
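Review bot: `initializePoison()` is reached through the newly added `#include "MacroAssemblerCodeRef.h"`, but this commit defines it in JSCPoisonedPtr.cpp, whose own header is JSCPoisonedPtr.h; including that header directly, `#include "JSCPoisonedPtr.h"`, states the real dependency and survives a later reshuffle of MacroAssemblerCodeRef.h (assuming the declaration lives there, which this page does not show). The call sits before `Options::initialize()`, which looks like the right place, but a one-line comment, `// Poison keys must exist before any Poisoned<> member or JIT immediate is created.`, would discourage reordering. The `std::call_once` body starts in this hunk but the enclosing function begins outside it.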
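--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/JSCPoison.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/JSCPoison.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include <wtf/Poisoned.h>
+
+namespace JSC {
+
+enum Poison {
+    NotPoisoned = 0,
+    TransitionMapPoison,
+    WeakImplPoison,
+};
+
+} // namespace JSC
+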
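--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JSCPoisonedPtr.h"
+
+#include <mutex>
+
+namespace JSC {
+
+uintptr_t g_globalDataPoison;
+uintptr_t g_jitCodePoison;
+uintptr_t g_nativeCodePoison;
+
+void initializePoison()
+{
+    static std::once_flag initializeOnceFlag;
+    std::call_once(initializeOnceFlag, [] {
+        g_globalDataPoison = makePoison();
+        g_jitCodePoison = makePoison();
+        g_nativeCodePoison = makePoison();
+    });
+}
+
+} // namespace JSC
+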
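--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/JSCPoisonedPtr.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/JSCPoisonedPtr.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "JSExportMacros.h"
+#include <wtf/Poisoned.h>
+
+namespace JSC {
+
+extern "C" JS_EXPORTDATA uintptr_t g_globalDataPoison;
+extern "C" JS_EXPORTDATA uintptr_t g_jitCodePoison;
+extern "C" JS_EXPORTDATA uintptr_t g_nativeCodePoison;
+
+struct ClassInfo;
+
+using PoisonedClassInfoPtr = Poisoned<g_globalDataPoison, const ClassInfo*>;
+using PoisonedMasmPtr = Poisoned<g_jitCodePoison, void*>;
+
+void initializePoison();
+
+} // namespace JSC
+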
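Review bot: Nothing in this header says when `g_globalDataPoison`, `g_jitCodePoison` and `g_nativeCodePoison` become valid; they are plain globals, so they hold zero until `initializePoison()` runs, and a `Poisoned<>` value built before that point would presumably be stored unmasked. A comment on the three declarations, e.g. `// Zero until initializePoison() has run; it must be called before any Poisoned<> keyed on these is created.`, would make that ordering requirement visible to callers. It would also help to state here why three separate keys exist, since the accompanying .cpp simply calls `makePoison()` three times and the header gives no hint which data each key is meant to cover.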
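--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/JSDestructibleObject.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/JSDestructibleObject.h
@@ -43,7 +43,7 @@
         return &vm.destructibleObjectSpace;
     }
 
-    const ClassInfo* classInfo() const { return m_classInfo; }
+    const ClassInfo* classInfo() const { return m_classInfo.unpoisoned(); }
     
     static ptrdiff_t classInfoOffset() { return OBJECT_OFFSETOF(JSDestructibleObject, m_classInfo); }
 
@@ -56,7 +56,7 @@
     }
 
 private:
-    const ClassInfo* m_classInfo;
+    PoisonedClassInfoPtr m_classInfo;
 };
 
 } // namespace JSC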
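Review bot: `classInfoOffset()` still hands out the offset of `m_classInfo`, but the field is now a `PoisonedClassInfoPtr`, so any JIT or LLInt code that loads through that offset must now also unpoison the value with `g_globalDataPoison`; that consumer is not part of this hunk, so the contract is invisible here. A comment on the accessor, e.g. `// The field at this offset holds a poisoned pointer; readers must unpoison it with g_globalDataPoison.`, would record it. Separately, unlike NativeExecutable.h, neither this header nor JSSegmentedVariableObject.h, Structure.h or VM.h gains an include for JSCPoisonedPtr.h in this commit, so `PoisonedClassInfoPtr` is presumably reached transitively; an explicit include in each would be more robust.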
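--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h
@@ -94,7 +94,7 @@
         return &vm.segmentedVariableObjectSpace;
     }
     
-    const ClassInfo* classInfo() const { return m_classInfo; }
+    const ClassInfo* classInfo() const { return m_classInfo.unpoisoned(); }
     
 protected:
     JSSegmentedVariableObject(VM&, Structure*, JSScope*);
@@ -107,7 +107,7 @@
     SegmentedVector<WriteBarrier<Unknown>, 16> m_variables;
     ConcurrentJSLock m_lock;
     bool m_alreadyDestroyed { false }; // We use these assertions to check that we aren't doing ancient hacks that result in this being destroyed more than once.
-    const ClassInfo* m_classInfo;
+    PoisonedClassInfoPtr m_classInfo;
 };
 
 } // namespace JSC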
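--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/NativeExecutable.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/NativeExecutable.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2010, 2013, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -79,10 +79,10 @@
 CodeBlockHash NativeExecutable::hashFor(CodeSpecializationKind kind) const
 {
     if (kind == CodeForCall)
-        return CodeBlockHash(static_cast<unsigned>(bitwise_cast<size_t>(m_function)));
-    
+        return CodeBlockHash(m_function.bits());
+
     RELEASE_ASSERT(kind == CodeForConstruct);
-    return CodeBlockHash(static_cast<unsigned>(bitwise_cast<size_t>(m_constructor)));
+    return CodeBlockHash(m_constructor.bits());
 }
 
 } // namespace JSC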
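Review bot: The explicit `static_cast<unsigned>` was dropped from both returns in `hashFor`, so `CodeBlockHash` is now constructed directly from `m_function.bits()`, which is presumably a `uintptr_t`; if `CodeBlockHash` takes an `unsigned`, this is an implicit 64-to-32 narrowing that the old code made deliberate and that a shorten-64-to-32 warning would flag. Suggest `return CodeBlockHash(static_cast<unsigned>(m_function.bits()));` and likewise for `m_constructor`. Note also that the hash now derives from the poisoned bits rather than the function address, so it varies with the per-process poison value; acceptable if it is only a debugging identifier, but a one-line comment saying so would prevent someone later relying on it being stable.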
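--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/NativeExecutable.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/NativeExecutable.h
@@ -26,6 +26,7 @@
 #pragma once
 
 #include "ExecutableBase.h"
+#include "JSCPoisonedPtr.h"
 
 namespace JSC {
 namespace DOMJIT {
@@ -45,8 +46,8 @@
 
     CodeBlockHash hashFor(CodeSpecializationKind) const;
 
-    NativeFunction function() { return m_function; }
-    NativeFunction constructor() { return m_constructor; }
+    NativeFunction function() { return m_function.unpoisoned(); }
+    NativeFunction constructor() { return m_constructor.unpoisoned(); }
         
     NativeFunction nativeFunctionFor(CodeSpecializationKind kind)
     {
@@ -83,11 +84,12 @@
 
 private:
     friend class ExecutableBase;
+    using PoisonedNativeFunction = Poisoned<g_nativeCodePoison, NativeFunction>;
 
     NativeExecutable(VM&, NativeFunction function, NativeFunction constructor, Intrinsic, const DOMJIT::Signature*);
 
-    NativeFunction m_function;
-    NativeFunction m_constructor;
+    PoisonedNativeFunction m_function;
+    PoisonedNativeFunction m_constructor;
     const DOMJIT::Signature* m_signature;
 
     String m_name;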
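--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/Structure.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/Structure.cpp
@@ -86,7 +86,7 @@
     if (WeakImpl* impl = this->weakImpl())
         WeakSet::deallocate(impl);
     WeakImpl* impl = WeakSet::allocate(structure, &singleSlotTransitionWeakOwner(), this);
-    m_data = reinterpret_cast<intptr_t>(impl) | UsingSingleSlotFlag;
+    m_data = PoisonedWeakImplPtr(impl).bits() | UsingSingleSlotFlag;
 }
 
 bool StructureTransitionTable::contains(UniquedStringImpl* rep, unsigned attributes) const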
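Review bot: `PoisonedWeakImplPtr(impl).bits() | UsingSingleSlotFlag` is only sound if the poisoned bits of a pointer never already have the flag bit set, and the companion `setMap()` in StructureTransitionTable.h, which stores `PoisonedTransitionMapPtr(map).bits()` with no flag and then asserts `!isUsingSingleSlot()`, depends on the same property; neither site states that invariant. Nothing visible in this commit shows that the `TransitionMapPoison` and `WeakImplPoison` keys leave bit 0 clear, so a `static_assert` on the keys (if they are integral constants) or at least a comment such as `// The poison keys must leave UsingSingleSlotFlag's bit clear, or isUsingSingleSlot() misreads a poisoned TransitionMap*.` would pin it down. The enclosing function starts outside the hunk.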
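--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/Structure.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/Structure.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009, 2012-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -428,7 +428,7 @@
 
     void setObjectToStringValue(ExecState*, VM&, JSString* value, PropertySlot toStringTagSymbolSlot);
 
-    const ClassInfo* classInfo() const { return m_classInfo; }
+    const ClassInfo* classInfo() const { return m_classInfo.unpoisoned(); }
 
     static ptrdiff_t structureIDOffset()
     {
@@ -771,7 +771,7 @@
 
     RefPtr<UniquedStringImpl> m_nameInPrevious;
 
-    const ClassInfo* m_classInfo;
+    PoisonedClassInfoPtr m_classInfo;
 
     StructureTransitionTable m_transitionTable;
 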
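--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/StructureTransitionTable.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/StructureTransitionTable.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,6 +26,7 @@
 #pragma once
 
 #include "IndexingType.h"
+#include "JSCPoison.h"
 #include "WeakGCMap.h"
 #include <wtf/HashFunctions.h>
 #include <wtf/text/UniquedStringImpl.h>
@@ -186,6 +187,8 @@
 
 private:
     friend class SingleSlotTransitionWeakOwner;
+    using PoisonedTransitionMapPtr = ConstExprPoisoned<TransitionMapPoison, TransitionMap*>;
+    using PoisonedWeakImplPtr = ConstExprPoisoned<WeakImplPoison, WeakImpl*>;
 
     bool isUsingSingleSlot() const
     {
@@ -195,13 +198,13 @@
     TransitionMap* map() const
     {
         ASSERT(!isUsingSingleSlot());
-        return reinterpret_cast<TransitionMap*>(m_data);
+        return PoisonedTransitionMapPtr(m_data).unpoisoned();
     }
 
     WeakImpl* weakImpl() const
     {
         ASSERT(isUsingSingleSlot());
-        return reinterpret_cast<WeakImpl*>(m_data & ~UsingSingleSlotFlag);
+        return PoisonedWeakImplPtr(m_data & ~UsingSingleSlotFlag).unpoisoned();
     }
 
     void setMap(TransitionMap* map)
@@ -212,7 +215,7 @@
             WeakSet::deallocate(impl);
 
         // This implicitly clears the flag that indicates we're using a single transition
-        m_data = reinterpret_cast<intptr_t>(map);
+        m_data = PoisonedTransitionMapPtr(map).bits();
 
         ASSERT(!isUsingSingleSlot());
     }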
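Review bot: The include added here names `JSCPoison.h`, while the header this commit actually introduces is `JSCPoisonedPtr.h` (the one NativeExecutable.h includes), and `ConstExprPoisoned`, `TransitionMapPoison` and `WeakImplPoison` used by the two new aliases are not defined in any visible hunk. If `JSCPoison.h` is not brought in by another part of this cherry-pick, this file will not compile; if it is, a short comment explaining how the two poison headers divide responsibilities would help the next reader. Please confirm where those three names come from before landing.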
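--- a/branches/safari-604-branch/Source/JavaScriptCore/runtime/VM.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/runtime/VM.h
@@ -361,7 +361,7 @@
     std::unique_ptr<PromiseDeferredTimer> promiseDeferredTimer;
     
     JSCell* currentlyDestructingCallbackObject;
-    const ClassInfo* currentlyDestructingCallbackObjectClassInfo;
+    PoisonedClassInfoPtr currentlyDestructingCallbackObjectClassInfo;
 
     AtomicStringTable* m_atomicStringTable;
     WTF::SymbolRegistry m_symbolRegistry;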
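--- a/branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
@@ -327,12 +327,12 @@
 
         for (auto& unlinked : m_unlinkedWasmToWasmCalls) {
             for (auto& call : unlinked) {
-                void* executableAddress;
+                MacroAssemblerCodePtr executableAddress;
                 if (m_moduleInformation->isImportedFunctionFromFunctionIndexSpace(call.functionIndexSpace)) {
                     // FIXME imports could have been linked in B3, instead of generating a patchpoint. This condition should be replaced by a RELEASE_ASSERT. https://bugs.webkit.org/show_bug.cgi?id=166462
-                    executableAddress = m_wasmToWasmExitStubs.at(call.functionIndexSpace).code().executableAddress();
+                    executableAddress = m_wasmToWasmExitStubs.at(call.functionIndexSpace).code();
                 } else
-                    executableAddress = m_wasmInternalFunctions.at(call.functionIndexSpace - m_moduleInformation->importFunctionCount())->entrypoint.compilation->code().executableAddress();
+                    executableAddress = m_wasmInternalFunctions.at(call.functionIndexSpace - m_moduleInformation->importFunctionCount())->entrypoint.compilation->code();
                 MacroAssembler::repatchNearCall(call.callLocation, CodeLocationLabel(executableAddress));
             }
         }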
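Review bot: The local is still named `executableAddress` although it now holds a `MacroAssemblerCodePtr` and is never reduced to an address in this loop, so the name now describes the value it deliberately no longer is; the equivalent loop in WasmOMGPlan.cpp calls it `entrypoint`. Suggest `MacroAssemblerCodePtr entrypoint;`, the two assignments renamed to match, and `CodeLocationLabel(entrypoint)` at the repatch. The enclosing method starts and ends outside the hunk.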
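--- a/branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmCallee.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmCallee.h
@@ -50,7 +50,7 @@
         return adoptRef(*callee);
     }
 
-    void* entrypoint() const { return m_entrypoint.compilation->code().executableAddress(); }
+    MacroAssemblerCodePtr entrypoint() const { return m_entrypoint.compilation->code(); }
 
     RegisterAtOffsetList* calleeSaveRegisters() { return &m_entrypoint.calleeSaveRegisters; }
     IndexOrName indexOrName() const { return m_indexOrName; }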
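--- a/branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmCodeBlock.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmCodeBlock.cpp
@@ -59,7 +59,7 @@
                 ASSERT_UNUSED(result, result.isNewEntry);
             }
             m_callees[calleeIndex] = WTFMove(wasmEntrypointCallee);
-            m_wasmIndirectCallEntryPoints[calleeIndex] = m_callees[calleeIndex]->entrypoint();
+            m_wasmIndirectCallEntryPoints[calleeIndex] = m_callees[calleeIndex]->entrypoint().executableAddress();
         });
 
         m_wasmToWasmExitStubs = m_plan->takeWasmToWasmExitStubs();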
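Review bot: `m_wasmIndirectCallEntryPoints[calleeIndex]` now receives `.executableAddress()`, so the indirect-call table keeps raw, unscrambled code pointers in heap memory; the same happens at `m_codeBlock->m_wasmIndirectCallEntryPoints[m_functionIndex]` in WasmOMGPlan.cpp. That is exactly the kind of value the scrambling in this series is meant to cover, so if the code that reads this table can apply the descrambling, storing the `MacroAssemblerCodePtr` itself would keep the protection end to end. If the reader genuinely needs the raw form, a comment on the table's declaration saying why would make the exception deliberate rather than accidental. The enclosing lambda starts outside the hunk.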
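--- a/branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
@@ -99,7 +99,7 @@
 
     omgEntrypoint.calleeSaveRegisters = WTFMove(parseAndCompileResult.value()->entrypoint.calleeSaveRegisters);
 
-    void* entrypoint;
+    MacroAssemblerCodePtr entrypoint;
     {
         ASSERT(m_codeBlock.ptr() == m_module->codeBlockFor(mode()));
         Ref<Callee> callee = Callee::create(WTFMove(omgEntrypoint), functionIndexSpace, m_moduleInformation->nameSection.get(functionIndexSpace));
@@ -115,9 +115,9 @@
         m_codeBlock->m_optimizedCallees[m_functionIndex] = WTFMove(callee);
 
         for (auto& call : unlinkedCalls) {
-            void* entrypoint;
+            MacroAssemblerCodePtr entrypoint;
             if (call.functionIndexSpace < m_module->moduleInformation().importFunctionCount())
-                entrypoint = m_codeBlock->m_wasmToWasmExitStubs[call.functionIndexSpace].code().executableAddress();
+                entrypoint = m_codeBlock->m_wasmToWasmExitStubs[call.functionIndexSpace].code();
             else
                 entrypoint = m_codeBlock->wasmEntrypointCalleeFromFunctionIndexSpace(call.functionIndexSpace).entrypoint();
 
@@ -132,7 +132,7 @@
     resetInstructionCacheOnAllThreads();
     WTF::storeStoreFence(); // This probably isn't necessary but it's good to be paranoid.
 
-    m_codeBlock->m_wasmIndirectCallEntryPoints[m_functionIndex] = entrypoint;
+    m_codeBlock->m_wasmIndirectCallEntryPoints[m_functionIndex] = entrypoint.executableAddress();
     {
         LockHolder holder(m_codeBlock->m_lock);
 
@@ -140,7 +140,7 @@
             for (auto& call : callsites) {
                 dataLogLnIf(verbose, "Considering repatching call at: ", RawPointer(call.callLocation.dataLocation()), " that targets ", call.functionIndexSpace);
                 if (call.functionIndexSpace == functionIndexSpace) {
-                    dataLogLnIf(verbose, "Repatching call at: ", RawPointer(call.callLocation.dataLocation()), " to ", RawPointer(entrypoint));
+                    dataLogLnIf(verbose, "Repatching call at: ", RawPointer(call.callLocation.dataLocation()), " to ", RawPointer(entrypoint.executableAddress()));
                     MacroAssembler::repatchNearCall(call.callLocation, CodeLocationLabel(entrypoint));
                 }
             }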
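Review bot: The inner `MacroAssemblerCodePtr entrypoint;` declared inside `for (auto& call : unlinkedCalls)` shadows the outer `entrypoint` declared a few lines earlier in the same function; both declarations were retyped in this change, which makes it the natural moment to give the inner one its own name, e.g. `MacroAssemblerCodePtr calleeEntrypoint;` with its two assignments updated. Shadowing here is easy to misread because the outer `entrypoint` is used again after the block closes, at the `m_wasmIndirectCallEntryPoints` store. The function begins and ends outside these hunks.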
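--- a/branches/safari-604-branch/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
+++ b/branches/safari-604-branch/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
@@ -140,7 +140,7 @@
     Wasm::storeContext(vm, wasmContext);
     ASSERT(wasmFunction->instance());
     ASSERT(wasmFunction->instance() == Wasm::loadContext(vm));
-    EncodedJSValue rawResult = vmEntryToWasm(wasmFunction->jsEntrypoint(), &vm, &protoCallFrame);
+    EncodedJSValue rawResult = vmEntryToWasm(wasmFunction->jsEntrypoint().executableAddress(), &vm, &protoCallFrame);
     // We need to make sure this is in a register or on the stack since it's stored in Vector<JSValue>.
     // This probably isn't strictly necessary, since the WebAssemblyFunction* should keep the instance
     // alive. But it's good hygiene.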
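--- a/branches/safari-604-branch/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h
+++ b/branches/safari-604-branch/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h
@@ -27,6 +27,7 @@
 
 #if ENABLE(WEBASSEMBLY)
 
+#include "MacroAssemblerCodeRef.h"
 #include "WasmCallee.h"
 #include "WebAssemblyFunctionBase.h"
 #include <wtf/Noncopyable.h>
@@ -56,7 +57,7 @@
     Wasm::WasmEntrypointLoadLocation wasmEntrypointLoadLocation() const { return m_wasmFunction.code; }
     Wasm::CallableFunction callableFunction() const { return m_wasmFunction; }
 
-    void* jsEntrypoint() { return m_jsEntrypoint; }
+    MacroAssemblerCodePtr jsEntrypoint() { return m_jsEntrypoint; }
 
     static ptrdiff_t offsetOfWasmEntrypointLoadLocation() { return OBJECT_OFFSETOF(WebAssemblyFunction, m_wasmFunction) + Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation(); }
 
@@ -66,7 +67,7 @@
     // It's safe to just hold the raw CallableFunction/jsEntrypoint because we have a reference
     // to our Instance, which points to the Module that exported us, which
     // ensures that the actual Signature/code doesn't get deallocated.
-    void* m_jsEntrypoint;
+    MacroAssemblerCodePtr m_jsEntrypoint;
     Wasm::CallableFunction m_wasmFunction;
 };
 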
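Review bot: The comment above `m_jsEntrypoint` still describes it as holding the "raw CallableFunction/jsEntrypoint", but the member is now a `MacroAssemblerCodePtr`, which according to this commit's ChangeLog stores a scrambled pointer rather than a `void*`; the comment should say the value is scrambled and that callers obtain the address through `executableAddress()`, as WebAssemblyFunction.cpp now does. Separately, `jsEntrypoint()` returns a copy and reads no mutable state, so it can be `MacroAssemblerCodePtr jsEntrypoint() const { return m_jsEntrypoint; }`, matching the `const` accessors around it.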
<div class="modfile"><h4>Modified: branches/safari-604-branch/Source/WTF/ChangeLog (226132 => 226133)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-604-branch/Source/WTF/ChangeLog  2017-12-19 19:34:02 UTC (rev 226132)
+++ branches/safari-604-branch/Source/WTF/ChangeLog     2017-12-19 19:34:17 UTC (rev 226133)
</span><span class="lines">@@ -1,3 +1,648 @@
</span><ins>+2017-12-19  Jason Marcell  <jmarcell@apple.com>
+
+        Apply patch. rdar://problem/36111993
+
+    Cherry-pick r225363, r225437, r225632, r225659, r225697, r225857. rdar://problem/36085975
+    
+        Also merged offlineasm parts of r220184 and r222549.  These changes are required
+        to support the code in cherry-picked revisions above.
+    
+    2017-11-30  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble MacroAssemblerCodePtr values.
+            https://bugs.webkit.org/show_bug.cgi?id=180169
+            <rdar://problem/35758340>
+    
+            Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
+    
+            1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
+    
+            2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
+               template argument type that will be used to cast the result.  This makes the
+               client code that uses these functions a little less verbose.
+    
+            3. Change the code base in general to minimize passing void* code pointers around.
+               We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
+               at the last moment when we need the underlying code pointer.
+    
+            4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
+               default.  I'm leaving them in because they are instrumental in finding bugs
+               where not all MacroAssemblerCodePtr values were not scrambled as expected.
+               I expect them to be useful in the near future as we add more scrambling.
+    
+            5. Also disable the casting operator on MacroAssemblerCodePtr (except for
+               explicit casts to a boolean).  This ensures that clients will always explicitly
+               use scrambledBits() or executableAddress() to get a value based on which value
+               they actually need.
+    
+            5. Added currentThread() id to the logging in LLIntSlowPath trace functions.
+               This was helpful when debugging tests that ran multiple VMs concurrently on
+               different threads.
+    
+            MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
+            CLoop).  It is not yet supported in 32-bit and Windows because we don't
+            currently have a way to read a global variable from their LLInt code.
+    
+            * assembler/AbstractMacroAssembler.h:
+            (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
+            (JSC::AbstractMacroAssembler::linkPointer):
+            * assembler/CodeLocation.h:
+            (JSC::CodeLocationCommon::instructionAtOffset):
+            (JSC::CodeLocationCommon::labelAtOffset):
+            (JSC::CodeLocationCommon::jumpAtOffset):
+            (JSC::CodeLocationCommon::callAtOffset):
+            (JSC::CodeLocationCommon::nearCallAtOffset):
+            (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
+            (JSC::CodeLocationCommon::dataLabel32AtOffset):
+            (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
+            (JSC::CodeLocationCommon::convertibleLoadAtOffset):
+            * assembler/LinkBuffer.cpp:
+            (JSC::LinkBuffer::finalizeCodeWithDisassembly):
+            * assembler/LinkBuffer.h:
+            (JSC::LinkBuffer::link):
+            (JSC::LinkBuffer::patch):
+            * assembler/MacroAssemblerCodeRef.cpp:
+            (JSC::MacroAssemblerCodePtr::initialize):
+            * assembler/MacroAssemblerCodeRef.h:
+            (JSC::FunctionPtr::FunctionPtr):
+            (JSC::FunctionPtr::value const):
+            (JSC::FunctionPtr::executableAddress const):
+            (JSC::ReturnAddressPtr::ReturnAddressPtr):
+            (JSC::ReturnAddressPtr::value const):
+            (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+            (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+            (JSC::MacroAssemblerCodePtr::scrambledPtr const):
+            (JSC::MacroAssemblerCodePtr:: const):
+            (JSC::MacroAssemblerCodePtr::operator! const):
+            (JSC::MacroAssemblerCodePtr::operator bool const):
+            (JSC::MacroAssemblerCodePtr::operator== const):
+            (JSC::MacroAssemblerCodePtr::hash const):
+            (JSC::MacroAssemblerCodePtr::emptyValue):
+            (JSC::MacroAssemblerCodePtr::deletedValue):
+            (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
+            (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
+            * b3/B3LowerMacros.cpp:
+            * b3/testb3.cpp:
+            (JSC::B3::testInterpreter):
+            * dfg/DFGDisassembler.cpp:
+            (JSC::DFG::Disassembler::dumpDisassembly):
+            * dfg/DFGJITCompiler.cpp:
+            (JSC::DFG::JITCompiler::link):
+            (JSC::DFG::JITCompiler::compileFunction):
+            * dfg/DFGOperations.cpp:
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+            (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+            (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
+            (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+            * dfg/DFGSpeculativeJIT.h:
+            * disassembler/Disassembler.cpp:
+            (JSC::disassemble):
+            * disassembler/UDis86Disassembler.cpp:
+            (JSC::tryToDisassembleWithUDis86):
+            * ftl/FTLCompile.cpp:
+            (JSC::FTL::compile):
+            * ftl/FTLJITCode.cpp:
+            (JSC::FTL::JITCode::executableAddressAtOffset):
+            * ftl/FTLLink.cpp:
+            (JSC::FTL::link):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
+            (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+            * interpreter/InterpreterInlines.h:
+            (JSC::Interpreter::getOpcodeID):
+            * jit/JITArithmetic.cpp:
+            (JSC::JIT::emitMathICFast):
+            (JSC::JIT::emitMathICSlow):
+            * jit/JITCode.cpp:
+            (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
+            (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
+            (JSC::JITCodeWithCodeRef::offsetOf):
+            * jit/JITDisassembler.cpp:
+            (JSC::JITDisassembler::dumpDisassembly):
+            * jit/PCToCodeOriginMap.cpp:
+            (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
+            * jit/Repatch.cpp:
+            (JSC::ftlThunkAwareRepatchCall):
+            * jit/ThunkGenerators.cpp:
+            (JSC::virtualThunkFor):
+            (JSC::boundThisNoArgsFunctionCallGenerator):
+            * llint/LLIntSlowPaths.cpp:
+            (JSC::LLInt::llint_trace_operand):
+            (JSC::LLInt::llint_trace_value):
+            (JSC::LLInt::handleHostCall):
+            (JSC::LLInt::setUpCall):
+            * llint/LowLevelInterpreter64.asm:
+            * offlineasm/cloop.rb:
+            * runtime/InitializeThreading.cpp:
+            (JSC::initializeThreading):
+            * wasm/WasmBBQPlan.cpp:
+            (JSC::Wasm::BBQPlan::complete):
+            * wasm/WasmCallee.h:
+            (JSC::Wasm::Callee::entrypoint const):
+            * wasm/WasmCodeBlock.cpp:
+            (JSC::Wasm::CodeBlock::CodeBlock):
+            * wasm/WasmOMGPlan.cpp:
+            (JSC::Wasm::OMGPlan::work):
+            * wasm/js/WasmToJS.cpp:
+            (JSC::Wasm::wasmToJS):
+            * wasm/js/WebAssemblyFunction.cpp:
+            (JSC::callWebAssemblyFunction):
+            * wasm/js/WebAssemblyFunction.h:
+            * wasm/js/WebAssemblyWrapperFunction.cpp:
+            (JSC::WebAssemblyWrapperFunction::create):
+    
+    2017-12-01  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble ClassInfo pointers in cells.
+            https://bugs.webkit.org/show_bug.cgi?id=180291
+            <rdar://problem/35807620>
+    
+            Reviewed by JF Bastien.
+    
+            * API/JSCallbackObject.h:
+            * API/JSObjectRef.cpp:
+            (classInfoPrivate):
+            * JavaScriptCore.xcodeproj/project.pbxproj:
+            * Sources.txt:
+            * assembler/MacroAssemblerCodeRef.cpp:
+            (JSC::MacroAssemblerCodePtr::initialize): Deleted.
+            * assembler/MacroAssemblerCodeRef.h:
+            (JSC::MacroAssemblerCodePtr:: const):
+            (JSC::MacroAssemblerCodePtr::hash const):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::checkArray):
+            (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+            (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+            * jit/AssemblyHelpers.h:
+            (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+            * jit/SpecializedThunkJIT.h:
+            (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+            * runtime/InitializeThreading.cpp:
+            (JSC::initializeThreading):
+            * runtime/JSCScrambledPtr.cpp: Added.
+            (JSC::initializeScrambledPtrKeys):
+            * runtime/JSCScrambledPtr.h: Added.
+            * runtime/JSDestructibleObject.h:
+            (JSC::JSDestructibleObject::classInfo const):
+            * runtime/JSSegmentedVariableObject.h:
+            (JSC::JSSegmentedVariableObject::classInfo const):
+            * runtime/Structure.h:
+            * runtime/VM.h:
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
+            https://bugs.webkit.org/show_bug.cgi?id=180514
+    
+            Reviewed by Saam Barati and JF Bastien.
+    
+            Re-landing r225620 with speculative build fix for GCC 7.
+    
+            * API/JSCallbackObject.h:
+            * API/JSObjectRef.cpp:
+            (classInfoPrivate):
+            * JavaScriptCore.xcodeproj/project.pbxproj:
+            * Sources.txt:
+            * assembler/MacroAssemblerCodeRef.h:
+            (JSC::FunctionPtr::FunctionPtr):
+            (JSC::FunctionPtr::value const):
+            (JSC::FunctionPtr::executableAddress const):
+            (JSC::ReturnAddressPtr::ReturnAddressPtr):
+            (JSC::ReturnAddressPtr::value const):
+            (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+            (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+            (JSC::MacroAssemblerCodePtr::poisonedPtr const):
+            (JSC::MacroAssemblerCodePtr:: const):
+            (JSC::MacroAssemblerCodePtr::operator! const):
+            (JSC::MacroAssemblerCodePtr::operator== const):
+            (JSC::MacroAssemblerCodePtr::emptyValue):
+            (JSC::MacroAssemblerCodePtr::deletedValue):
+            (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
+            * b3/B3LowerMacros.cpp:
+            * b3/testb3.cpp:
+            (JSC::B3::testInterpreter):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::checkArray):
+            (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+            (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+            (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+            * jit/AssemblyHelpers.h:
+            (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+            * jit/SpecializedThunkJIT.h:
+            (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+            * jit/ThunkGenerators.cpp:
+            (JSC::virtualThunkFor):
+            (JSC::boundThisNoArgsFunctionCallGenerator):
+            * llint/LLIntSlowPaths.cpp:
+            (JSC::LLInt::handleHostCall):
+            (JSC::LLInt::setUpCall):
+            * llint/LowLevelInterpreter64.asm:
+            * runtime/InitializeThreading.cpp:
+            (JSC::initializeThreading):
+            * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
+            (JSC::initializePoison):
+            (JSC::initializeScrambledPtrKeys): Deleted.
+            * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
+            * runtime/JSCScrambledPtr.cpp: Removed.
+            * runtime/JSCScrambledPtr.h: Removed.
+            * runtime/JSDestructibleObject.h:
+            (JSC::JSDestructibleObject::classInfo const):
+            * runtime/JSSegmentedVariableObject.h:
+            (JSC::JSSegmentedVariableObject::classInfo const):
+            * runtime/Structure.h:
+            * runtime/VM.h:
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            Apply poisoning to some native code pointers.
+            https://bugs.webkit.org/show_bug.cgi?id=180541
+            <rdar://problem/35916875>
+    
+            Reviewed by Filip Pizlo.
+    
+            Renamed g_classInfoPoison to g_globalDataPoison.
+            Renamed g_masmPoison to g_jitCodePoison.
+            Introduced g_nativeCodePoison.
+            Applied g_nativeCodePoison to poisoning some native code pointers.
+    
+            Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
+            to malloc allocated data structures (where needed).
+    
+            * API/JSCallbackFunction.h:
+            (JSC::JSCallbackFunction::functionCallback):
+            * JavaScriptCore.xcodeproj/project.pbxproj:
+            * jit/ThunkGenerators.cpp:
+            (JSC::nativeForGenerator):
+            * llint/LowLevelInterpreter64.asm:
+            * runtime/CustomGetterSetter.h:
+            (JSC::CustomGetterSetter::getter const):
+            (JSC::CustomGetterSetter::setter const):
+            * runtime/InternalFunction.cpp:
+            (JSC::InternalFunction::getCallData):
+            (JSC::InternalFunction::getConstructData):
+            * runtime/InternalFunction.h:
+            (JSC::InternalFunction::nativeFunctionFor):
+            * runtime/JSCPoison.h: Added.
+            * runtime/JSCPoisonedPtr.cpp:
+            (JSC::initializePoison):
+            * runtime/JSCPoisonedPtr.h:
+            * runtime/Lookup.h:
+            * runtime/NativeExecutable.cpp:
+            (JSC::NativeExecutable::hashFor const):
+            * runtime/NativeExecutable.h:
+            * runtime/Structure.cpp:
+            (JSC::StructureTransitionTable::setSingleTransition):
+            * runtime/StructureTransitionTable.h:
+            (JSC::StructureTransitionTable::StructureTransitionTable):
+            (JSC::StructureTransitionTable::isUsingSingleSlot const):
+            (JSC::StructureTransitionTable::map const):
+            (JSC::StructureTransitionTable::weakImpl const):
+            (JSC::StructureTransitionTable::setMap):
+    
+    2017-12-08  Mark Lam  <mark.lam@apple.com>
+    
+            Need to unpoison native function pointers for CLoop.
+            https://bugs.webkit.org/show_bug.cgi?id=180601
+            <rdar://problem/35942028>
+    
+            Reviewed by JF Bastien.
+    
+            * llint/LowLevelInterpreter64.asm:
+    
+    2017-12-13  Mark Lam  <mark.lam@apple.com>
+    
+            Fill out some Poisoned APIs, fix some bugs, and add some tests.
+            https://bugs.webkit.org/show_bug.cgi?id=180724
+            <rdar://problem/36006884>
+    
+            Reviewed by JF Bastien.
+    
+            * runtime/StructureTransitionTable.h:
+    
+    2017-12-18  Jason Marcell  <jmarcell@apple.com>
+    
+        Apply patch. rdar://problem/36113365
+    
+        Cherry-pick r225363, r225437, r225632, r225659, r225697, r225857. rdar://problem/36085975
+    
+    2017-11-30  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble MacroAssemblerCodePtr values.
+            https://bugs.webkit.org/show_bug.cgi?id=180169
+            <rdar://problem/35758340>
+    
+            Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
+    
+            Introduce a ScrambledPtr class to facilitate scrambling.
+    
+            * WTF.xcodeproj/project.pbxproj:
+            * wtf/CMakeLists.txt:
+            * wtf/ScrambledPtr.cpp: Added.
+            (WTF::makeScrambledPtrKey):
+            * wtf/ScrambledPtr.h: Added.
+            (WTF::ScrambledPtr::ScrambledPtr):
+            (WTF::ScrambledPtr::paranoidAssertIsScrambled const):
+            (WTF::ScrambledPtr::paranoidAssertIsNotScrambled const):
+            (WTF::ScrambledPtr:: const):
+            (WTF::ScrambledPtr::operator-> const):
+            (WTF::ScrambledPtr::scrambledBits const):
+            (WTF::ScrambledPtr::operator! const):
+            (WTF::ScrambledPtr::operator bool const):
+            (WTF::ScrambledPtr::operator== const):
+            (WTF::ScrambledPtr::operator==):
+            (WTF::ScrambledPtr::scramble):
+            (WTF::ScrambledPtr::descramble):
+    
+    2017-12-01  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble ClassInfo pointers in cells.
+            https://bugs.webkit.org/show_bug.cgi?id=180291
+            <rdar://problem/35807620>
+    
+            Reviewed by JF Bastien.
+    
+            * wtf/ScrambledPtr.h:
+            (WTF::ScrambledPtr::descrambled const):
+            (WTF::ScrambledPtr::bits const):
+            (WTF::ScrambledPtr::operator==):
+            (WTF::ScrambledPtr::operator=):
+            (WTF::ScrambledPtr::scramble):
+            (WTF::ScrambledPtr::descramble):
+            (WTF::ScrambledPtr:: const): Deleted.
+            (WTF::ScrambledPtr::scrambledBits const): Deleted.
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
+            https://bugs.webkit.org/show_bug.cgi?id=180514
+    
+            Reviewed by Saam Barati and JF Bastien.
+    
+            Re-landing r225620 with speculative build fix for GCC 7.
+    
+            * WTF.xcodeproj/project.pbxproj:
+            * wtf/CMakeLists.txt:
+            * wtf/Poisoned.cpp: Copied from Source/WTF/wtf/ScrambledPtr.cpp.
+            (WTF::makePoison):
+            (WTF::makeScrambledPtrKey): Deleted.
+            * wtf/Poisoned.h: Copied from Source/WTF/wtf/ScrambledPtr.h.
+            (WTF::PoisonedImpl::PoisonedImpl):
+            (WTF::PoisonedImpl::assertIsPoisoned const):
+            (WTF::PoisonedImpl::assertIsNotPoisoned const):
+            (WTF::PoisonedImpl::unpoisoned const):
+            (WTF::PoisonedImpl::operator-> const):
+            (WTF::PoisonedImpl::bits const):
+            (WTF::PoisonedImpl::operator! const):
+            (WTF::PoisonedImpl::operator bool const):
+            (WTF::PoisonedImpl::operator== const):
+            (WTF::PoisonedImpl::operator==):
+            (WTF::PoisonedImpl::operator=):
+            (WTF::PoisonedImpl::poison):
+            (WTF::PoisonedImpl::unpoison):
+            (WTF::ScrambledPtr::ScrambledPtr): Deleted.
+            (WTF::ScrambledPtr::assertIsScrambled const): Deleted.
+            (WTF::ScrambledPtr::assertIsNotScrambled const): Deleted.
+            (WTF::ScrambledPtr::descrambled const): Deleted.
+            (WTF::ScrambledPtr::operator-> const): Deleted.
+            (WTF::ScrambledPtr::bits const): Deleted.
+            (WTF::ScrambledPtr::operator! const): Deleted.
+            (WTF::ScrambledPtr::operator bool const): Deleted.
+            (WTF::ScrambledPtr::operator== const): Deleted.
+            (WTF::ScrambledPtr::operator==): Deleted.
+            (WTF::ScrambledPtr::operator=): Deleted.
+            (WTF::ScrambledPtr::scramble): Deleted.
+            (WTF::ScrambledPtr::descramble): Deleted.
+            * wtf/ScrambledPtr.cpp: Removed.
+            * wtf/ScrambledPtr.h: Removed.
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            Apply poisoning to some native code pointers.
+            https://bugs.webkit.org/show_bug.cgi?id=180541
+            <rdar://problem/35916875>
+    
+            Reviewed by Filip Pizlo.
+    
+            Ensure that the resultant poisoned bits still looks like a pointer in that its
+            bottom bits are 0, just like the alignment bits of a pointer.  This allows the
+            client to use the bottom bits of the poisoned bits as flag bits just like the
+            client was previously able to do with pointer values.
+    
+            Note: we only ensure that the bottom alignment bits of the generated poison
+            value is 0.  We're not masking out the poisoned bits.  This means that the bottom
+            bits of the poisoned bits will only be null if the original pointer is aligned.
+            Hence, if the client applies the poison to an unaligned pointer, we do not lose
+            any information on the low bits.
+    
+            Also removed 2 wrong assertions in PoisonedImpl's constructors.  We were
+            asserting that Poisoned will never be used with a null value, but that's invalid.
+            We do want to allow a null value so that we don't have to constantly do null
+            checks in the clients.  This was uncovered by some layout tests.
+    
+            * wtf/Poisoned.cpp:
+            (WTF::makePoison):
+            * wtf/Poisoned.h:
+            (WTF::PoisonedImpl::PoisonedImpl):
+    
+    2017-12-13  Mark Lam  <mark.lam@apple.com>
+    
+            Fill out some Poisoned APIs, fix some bugs, and add some tests.
+            https://bugs.webkit.org/show_bug.cgi?id=180724
+            <rdar://problem/36006884>
+    
+            Reviewed by JF Bastien.
+    
+            Also rename Int32Poisoned to ConstExprPoisoned.  The key it takes is actually a
+            uint32_t.  So, Int32 is really a misnomer.  In addition, the key needs to be a
+            constexpr.  So, ConstExprPoisoned is a better name for it.
+    
+            * wtf/Poisoned.cpp:
+            (WTF::makePoison):
+            * wtf/Poisoned.h:
+            (WTF::PoisonedImplHelper::asReference):
+            (WTF::PoisonedImpl::PoisonedImpl):
+            (WTF::PoisonedImpl::clear):
+            (WTF::PoisonedImpl::operator* const):
+            (WTF::PoisonedImpl::operator-> const):
+            (WTF::PoisonedImpl::operator== const):
+            (WTF::PoisonedImpl::operator!= const):
+            (WTF::PoisonedImpl::operator< const):
+            (WTF::PoisonedImpl::operator<= const):
+            (WTF::PoisonedImpl::operator> const):
+            (WTF::PoisonedImpl::operator>= const):
+            (WTF::PoisonedImpl::operator=):
+            (WTF::PoisonedImpl::swap):
+            (WTF::PoisonedImpl::exchange):
+            (WTF::swap):
+            (WTF::makePoison):
+            (WTF::PoisonedImpl::operator==): Deleted.
+
+    2017-12-18  Mark Lam  <mark.lam@apple.com>
+
+            Cherry-pick r225363, r225437, r225632, r225659, r225697, r225857. rdar://problem/36085975
+
+        2017-11-30  Mark Lam  <mark.lam@apple.com>
+
+                Let's scramble MacroAssemblerCodePtr values.
+                https://bugs.webkit.org/show_bug.cgi?id=180169
+                <rdar://problem/35758340>
+
+                Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
+
+                Introduce a ScrambledPtr class to facilitate scrambling.
+
+                * WTF.xcodeproj/project.pbxproj:
+                * wtf/CMakeLists.txt:
+                * wtf/ScrambledPtr.cpp: Added.
+                (WTF::makeScrambledPtrKey):
+                * wtf/ScrambledPtr.h: Added.
+                (WTF::ScrambledPtr::ScrambledPtr):
+                (WTF::ScrambledPtr::paranoidAssertIsScrambled const):
+                (WTF::ScrambledPtr::paranoidAssertIsNotScrambled const):
+                (WTF::ScrambledPtr:: const):
+                (WTF::ScrambledPtr::operator-> const):
+                (WTF::ScrambledPtr::scrambledBits const):
+                (WTF::ScrambledPtr::operator! const):
+                (WTF::ScrambledPtr::operator bool const):
+                (WTF::ScrambledPtr::operator== const):
+                (WTF::ScrambledPtr::operator==):
+                (WTF::ScrambledPtr::scramble):
+                (WTF::ScrambledPtr::descramble):
+
+        2017-12-01  Mark Lam  <mark.lam@apple.com>
+
+                Let's scramble ClassInfo pointers in cells.
+                https://bugs.webkit.org/show_bug.cgi?id=180291
+                <rdar://problem/35807620>
+
+                Reviewed by JF Bastien.
+
+                * wtf/ScrambledPtr.h:
+                (WTF::ScrambledPtr::descrambled const):
+                (WTF::ScrambledPtr::bits const):
+                (WTF::ScrambledPtr::operator==):
+                (WTF::ScrambledPtr::operator=):
+                (WTF::ScrambledPtr::scramble):
+                (WTF::ScrambledPtr::descramble):
+                (WTF::ScrambledPtr:: const): Deleted.
+                (WTF::ScrambledPtr::scrambledBits const): Deleted.
+
+        2017-12-07  Mark Lam  <mark.lam@apple.com>
+
+                [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
+                https://bugs.webkit.org/show_bug.cgi?id=180514
+
+                Reviewed by Saam Barati and JF Bastien.
+
+                Re-landing r225620 with speculative build fix for GCC 7.
+
+                * WTF.xcodeproj/project.pbxproj:
+                * wtf/CMakeLists.txt:
+                * wtf/Poisoned.cpp: Copied from Source/WTF/wtf/ScrambledPtr.cpp.
+                (WTF::makePoison):
+                (WTF::makeScrambledPtrKey): Deleted.
+                * wtf/Poisoned.h: Copied from Source/WTF/wtf/ScrambledPtr.h.
+                (WTF::PoisonedImpl::PoisonedImpl):
+                (WTF::PoisonedImpl::assertIsPoisoned const):
+                (WTF::PoisonedImpl::assertIsNotPoisoned const):
+                (WTF::PoisonedImpl::unpoisoned const):
+                (WTF::PoisonedImpl::operator-> const):
+                (WTF::PoisonedImpl::bits const):
+                (WTF::PoisonedImpl::operator! const):
+                (WTF::PoisonedImpl::operator bool const):
+                (WTF::PoisonedImpl::operator== const):
+                (WTF::PoisonedImpl::operator==):
+                (WTF::PoisonedImpl::operator=):
+                (WTF::PoisonedImpl::poison):
+                (WTF::PoisonedImpl::unpoison):
+                (WTF::ScrambledPtr::ScrambledPtr): Deleted.
+                (WTF::ScrambledPtr::assertIsScrambled const): Deleted.
+                (WTF::ScrambledPtr::assertIsNotScrambled const): Deleted.
+                (WTF::ScrambledPtr::descrambled const): Deleted.
+                (WTF::ScrambledPtr::operator-> const): Deleted.
+                (WTF::ScrambledPtr::bits const): Deleted.
+                (WTF::ScrambledPtr::operator! const): Deleted.
+                (WTF::ScrambledPtr::operator bool const): Deleted.
+                (WTF::ScrambledPtr::operator== const): Deleted.
+                (WTF::ScrambledPtr::operator==): Deleted.
+                (WTF::ScrambledPtr::operator=): Deleted.
+                (WTF::ScrambledPtr::scramble): Deleted.
+                (WTF::ScrambledPtr::descramble): Deleted.
+                * wtf/ScrambledPtr.cpp: Removed.
+                * wtf/ScrambledPtr.h: Removed.
+
+        2017-12-07  Mark Lam  <mark.lam@apple.com>
+
+                Apply poisoning to some native code pointers.
+                https://bugs.webkit.org/show_bug.cgi?id=180541
+                <rdar://problem/35916875>
+
+                Reviewed by Filip Pizlo.
+
+                Ensure that the resultant poisoned bits still looks like a pointer in that its
+                bottom bits are 0, just like the alignment bits of a pointer.  This allows the
+                client to use the bottom bits of the poisoned bits as flag bits just like the
+                client was previously able to do with pointer values.
+
+                Note: we only ensure that the bottom alignment bits of the generated poison
+                value is 0.  We're not masking out the poisoned bits.  This means that the bottom
+                bits of the poisoned bits will only be null if the original pointer is aligned.
+                Hence, if the client applies the poison to an unaligned pointer, we do not lose
+                any information on the low bits.
+
+                Also removed 2 wrong assertions in PoisonedImpl's constructors.  We were
+                asserting that Poisoned will never be used with a null value, but that's invalid.
+                We do want to allow a null value so that we don't have to constantly do null
+                checks in the clients.  This was uncovered by some layout tests.
+
+                * wtf/Poisoned.cpp:
+                (WTF::makePoison):
+                * wtf/Poisoned.h:
+                (WTF::PoisonedImpl::PoisonedImpl):
+
+        2017-12-13  Mark Lam  <mark.lam@apple.com>
+
+                Fill out some Poisoned APIs, fix some bugs, and add some tests.
+                https://bugs.webkit.org/show_bug.cgi?id=180724
+                <rdar://problem/36006884>
+
+                Reviewed by JF Bastien.
+
+                Also rename Int32Poisoned to ConstExprPoisoned.  The key it takes is actually a
+                uint32_t.  So, Int32 is really a misnomer.  In addition, the key needs to be a
+                constexpr.  So, ConstExprPoisoned is a better name for it.
+
+                * wtf/Poisoned.cpp:
+                (WTF::makePoison):
+                * wtf/Poisoned.h:
+                (WTF::PoisonedImplHelper::asReference):
+                (WTF::PoisonedImpl::PoisonedImpl):
+                (WTF::PoisonedImpl::clear):
+                (WTF::PoisonedImpl::operator* const):
+                (WTF::PoisonedImpl::operator-> const):
+                (WTF::PoisonedImpl::operator== const):
+                (WTF::PoisonedImpl::operator!= const):
+                (WTF::PoisonedImpl::operator< const):
+                (WTF::PoisonedImpl::operator<= const):
+                (WTF::PoisonedImpl::operator> const):
+                (WTF::PoisonedImpl::operator>= const):
+                (WTF::PoisonedImpl::operator=):
+                (WTF::PoisonedImpl::swap):
+                (WTF::PoisonedImpl::exchange):
+                (WTF::swap):
+                (WTF::makePoison):
+                (WTF::PoisonedImpl::operator==): Deleted.
+
</ins><span class="cx"> 2017-12-18  Jason Marcell  <jmarcell@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Apply patch. rdar://problem/36112002
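--- a/branches/safari-604-branch/Source/WTF/WTF.xcodeproj/project.pbxproj
+++ b/branches/safari-604-branch/Source/WTF/WTF.xcodeproj/project.pbxproj
@@ -139,6 +139,7 @@
          E43A469D1E228FD500276B05 /* Coders.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E43A469C1E228FD500276B05 /* Coders.cpp */; };
          E4A0AD391A96245500536DF6 /* WorkQueue.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E4A0AD371A96245500536DF6 /* WorkQueue.cpp */; };
          E4A0AD3D1A96253C00536DF6 /* WorkQueueCocoa.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E4A0AD3C1A96253C00536DF6 /* WorkQueueCocoa.cpp */; };
+               FE85416E1FBE285D008DA5DA /* Poisoned.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE85416C1FBE285B008DA5DA /* Poisoned.cpp */; };
           FEDACD3D1630F83F00C69634 /* StackStats.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FEDACD3B1630F83F00C69634 /* StackStats.cpp */; };
 /* End PBXBuildFile section */
 
@@ -561,6 +562,8 @@
          EF7D6CD59D8642A8A0DA86AD /* StackTrace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StackTrace.h; sourceTree = "<group>"; };
          F72BBDB107FA424886178B9E /* SymbolImpl.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SymbolImpl.cpp; sourceTree = "<group>"; };
          FE8225301B2A1E5B00BA68FD /* NakedPtr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NakedPtr.h; sourceTree = "<group>"; };
+               FE85416C1FBE285B008DA5DA /* Poisoned.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Poisoned.cpp; sourceTree = "<group>"; };
+               FE85416D1FBE285C008DA5DA /* Poisoned.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Poisoned.h; sourceTree = "<group>"; };
           FE86A8741E59440200111BBF /* ForbidHeapAllocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ForbidHeapAllocation.h; sourceTree = "<group>"; };
          FE8925AF1D00DAEC0046907E /* Indenter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Indenter.h; sourceTree = "<group>"; };
          FEDACD3B1630F83F00C69634 /* StackStats.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StackStats.cpp; sourceTree = "<group>"; };
@@ -889,6 +892,8 @@
                          DCEE21FE1CEA7551000C2396 /* PlatformUserPreferredLanguages.h */,
                          DCEE21FF1CEA7551000C2396 /* PlatformUserPreferredLanguagesMac.mm */,
                          0FF860941BCCBD740045127F /* PointerComparison.h */,
+                               FE85416C1FBE285B008DA5DA /* Poisoned.cpp */,
+                               FE85416D1FBE285C008DA5DA /* Poisoned.h */,
                           0F9D335D165DBA73005AD387 /* PrintStream.cpp */,
                          0F9D335E165DBA73005AD387 /* PrintStream.h */,
                          53EC253C1E95AD30000831B9 /* PriorityQueue.h */,
@@ -1363,6 +1368,7 @@
                          1469419316EAAF6D0024E146 /* RunLoopTimerCF.cpp in Sources */,
                          1469419916EAB0410024E146 /* SchedulePairCF.cpp in Sources */,
                          1469419716EAAFF80024E146 /* SchedulePairMac.mm in Sources */,
+                               FE85416E1FBE285D008DA5DA /* Poisoned.cpp in Sources */,
                           0F66B28E1DC97BAB004A1D3F /* Seconds.cpp in Sources */,
                          A8A47421151A825B004123FF /* SHA1.cpp in Sources */,
                          5311BD531EA71CAD00525281 /* Signals.cpp in Sources */,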
<a id="branchessafari604branchSourceWTFwtfCMakeListstxt"></a>
<div class="modfile"><h4>Modified: branches/safari-604-branch/Source/WTF/wtf/CMakeLists.txt (226132 => 226133)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-604-branch/Source/WTF/wtf/CMakeLists.txt 2017-12-19 19:34:02 UTC (rev 226132)
+++ branches/safari-604-branch/Source/WTF/wtf/CMakeLists.txt    2017-12-19 19:34:17 UTC (rev 226133)
</span><span class="lines">@@ -97,6 +97,7 @@
</span><span class="cx">     ParkingLot.h
</span><span class="cx">     Platform.h
</span><span class="cx">     PlatformRegisters.h
</span><ins>+    Poisoned.h
</ins><span class="cx">     PrintStream.h
</span><span class="cx">     ProcessID.h
</span><span class="cx">     RAMSize.h
</span><span class="lines">@@ -233,6 +234,7 @@
</span><span class="cx">     ParallelHelperPool.cpp
</span><span class="cx">     ParallelJobsGeneric.cpp
</span><span class="cx">     ParkingLot.cpp
</span><ins>+    Poisoned.cpp
</ins><span class="cx">     PrintStream.cpp
</span><span class="cx">     RAMSize.cpp
</span><span class="cx">     RandomDevice.cpp
</span></span></pre></div>
<a id="branchessafari604branchSourceWTFwtfPoisonedcppfromrev226132branchessafari604branchSourceJavaScriptCoredisassemblerUDis86Disassemblercpp"></a>
<div class="copfile"><h4>Copied: branches/safari-604-branch/Source/WTF/wtf/Poisoned.cpp (from rev 226132, branches/safari-604-branch/Source/JavaScriptCore/disassembler/UDis86Disassembler.cpp) (0 => 226133)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-604-branch/Source/WTF/wtf/Poisoned.cpp                           (rev 0)
+++ branches/safari-604-branch/Source/WTF/wtf/Poisoned.cpp      2017-12-19 19:34:17 UTC (rev 226133)
</span><span class="lines">@@ -0,0 +1,53 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "Poisoned.h"
+
+#include <wtf/CryptographicallyRandomNumber.h>
+
+namespace WTF {
+
+uintptr_t makePoison()
+{
+    uintptr_t key = cryptographicallyRandomNumber();
+#if ENABLE(POISON)
+    key = (key << 32) ^ (static_cast<uintptr_t>(cryptographicallyRandomNumber()) << 3);
+    // Ensure that the poisoned bits (pointer ^ key) do not make a valid pointer and
+    // cannot be 0. We ensure that it is zero so that the poisoned bits can also be
+    // used for a notmal zero check without needing to decoded first.
+    key |= (static_cast<uintptr_t>(0x1) << 63);
+    // Ensure that the bottom alignment bits are still 0 so that the poisoned bits will
+    // still preserve the properties of a pointer where these bits are expected to be 0.
+    // This allows the poisoned bits to be used in place of the pointer by clients that
+    // rely on this property of pointers and sets flags in the low bits.
+    key &= ~static_cast<uintptr_t>(0x7);
+#else
+    key = 0; // Poisoning is not supported on 32-bit or non-darwin platforms yet.
+#endif
+    return key;
+}
+
+} // namespace WTF
</ins></span></pre></div>
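Review bot: The comment above `key |= (static_cast<uintptr_t>(0x1) << 63);` contradicts the code — it says "We ensure that it is zero" where the intent is that `pointer ^ key` can never be zero, and it carries typos ("notmal", "needing to decoded"); I would replace those three comment lines with `// Ensure that the poisoned bits (pointer ^ key) cannot form a valid pointer and cannot be 0.` / `// Guaranteeing a non-zero result lets the poisoned bits be used for an ordinary null check` / `// without being decoded first.` Setting bit 63 also hard-codes a 64-bit `uintptr_t`, so a `static_assert(sizeof(uintptr_t) == 8, "poisoning requires 64-bit pointers");` inside the `#if ENABLE(POISON)` branch would make that assumption fail loudly on a future port instead of silently truncating the key. The `#else` comment refers to "non-darwin platforms", but the companion header appears to disable POISON only for 32-bit and Windows builds, so that wording looks stale.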
<a id="branchessafari604branchSourceWTFwtfPoisonedh"></a>
<div class="addfile"><h4>Added: branches/safari-604-branch/Source/WTF/wtf/Poisoned.h (0 => 226133)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-604-branch/Source/WTF/wtf/Poisoned.h                             (rev 0)
+++ branches/safari-604-branch/Source/WTF/wtf/Poisoned.h        2017-12-19 19:34:17 UTC (rev 226133)
</span><span class="lines">@@ -0,0 +1,237 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include <wtf/Assertions.h>
+
+#define ENABLE_POISON 1
+#define ENABLE_POISON_ASSERTS 0
+
+// Older versions of gcc and clang have a bug which results in build failures
+// when using template methods that take an argument of PoisonedImpl<K2, k2, T2>
+// when the KeyType is a uintptr_t (i.e. when we're using the Poisoned variant
+// of PoisonedImpl). This bug does not manifest for the ConstExprPoisoned variant.
+// In practice, we will likely only use these methods for instantiations of the
+// ConstExprPoisoned variant. Hence. this bug is not a show stopper.
+// That said, we'll define ENABLE_MIXED_POISON accordingly so that we can use
+// it to disable the affected tests when building with old compilers.
+
+#if OS(DARWIN)
+#define ENABLE_MIXED_POISON (__clang_major__ >= 9)
+#elif defined(__clang_major__)
+#define ENABLE_MIXED_POISON (__clang_major__ >= 4)
+#elif defined(__GNUC__)
+#include <features.h>
+#define ENABLE_MIXED_POISON (__GNUC_PREREQ(7, 2))
+#endif // !defined(__GNUC__)
+
+#ifndef ENABLE_MIXED_POISON
+#define ENABLE_MIXED_POISON 0 // Disable for everything else.
+#endif
+
+// Not currently supported for 32-bit or OS(WINDOWS) builds (because of missing llint support).
+// Make sure it's disabled.
+#if USE(JSVALUE32_64) || OS(WINDOWS)
+#undef ENABLE_POISON
+#define ENABLE_POISON 0
+#undef ENABLE_POISON_ASSERTS
+#define ENABLE_POISON_ASSERTS 0
+#endif
+
+namespace WTF {
+
+using PoisonedBits = uintptr_t;
+
+namespace PoisonedImplHelper {
+
+template<typename T>
+struct isFunctionPointer : std::integral_constant<bool, std::is_function<typename std::remove_pointer<T>::type>::value> { };
+
+template<typename T>
+struct isVoidPointer : std::integral_constant<bool, std::is_void<typename std::remove_pointer<T>::type>::value> { };
+
+template<typename T>
+struct isConvertibleToReference : std::integral_constant<bool, !isFunctionPointer<T>::value && !isVoidPointer<T>::value> { };
+
+template<typename T>
+typename std::enable_if_t<!isConvertibleToReference<T>::value, int>&
+asReference(T) { RELEASE_ASSERT_NOT_REACHED(); }
+
+template<typename T>
+typename std::enable_if_t<isConvertibleToReference<T>::value, typename std::remove_pointer<T>::type>&
+asReference(T ptr) { return *ptr; }
+
+} // namespace PoisonedImplHelper
+
+template<typename KeyType, KeyType key, typename T, typename = std::enable_if_t<std::is_pointer<T>::value>>
+class PoisonedImpl {
+public:
+    PoisonedImpl() { }
+
+    PoisonedImpl(T ptr)
+        : m_poisonedBits(poison(ptr))
+    { }
+
+    PoisonedImpl(const PoisonedImpl&) = default;
+
+    template<typename K2, K2 k2, typename T2>
+    PoisonedImpl(const PoisonedImpl<K2, k2, T2>& other)
+        : m_poisonedBits(poison<T>(other.unpoisoned()))
+    { }
+
+    PoisonedImpl(PoisonedImpl&& other)
+        : m_poisonedBits(WTFMove(other.m_poisonedBits))
+    { }
+
+    explicit PoisonedImpl(PoisonedBits poisonedBits)
+        : m_poisonedBits(poisonedBits)
+    { }
+
+#if ENABLE(POISON_ASSERTS)
+    template<typename U = void*>
+    static bool isPoisoned(U value) { return !value || (reinterpret_cast<uintptr_t>(value) & 0xffff000000000000); }
+    template<typename U = void*>
+    static void assertIsPoisoned(U value) { RELEASE_ASSERT(isPoisoned(value)); }
+    template<typename U = void*>
+    static void assertIsNotPoisoned(U value) { RELEASE_ASSERT(!isPoisoned(value)); }
+#else
+    template<typename U = void*> static void assertIsPoisoned(U) { }
+    template<typename U = void*> static void assertIsNotPoisoned(U) { }
+#endif
+    void assertIsPoisoned() const { assertIsPoisoned(m_poisonedBits); }
+    void assertIsNotPoisoned() const { assertIsNotPoisoned(m_poisonedBits); }
+
+    template<typename U = T>
+    U unpoisoned() const { return unpoison<U>(m_poisonedBits); }
+
+    void clear() { m_poisonedBits = 0; }
+
+    auto& operator*() const { ASSERT(m_poisonedBits); return PoisonedImplHelper::asReference(unpoison(m_poisonedBits)); }
+    ALWAYS_INLINE T operator->() const { return unpoison(m_poisonedBits); }
+
+    template<typename U = PoisonedBits>
+    U bits() const { return bitwise_cast<U>(m_poisonedBits); }
+
+    bool operator!() const { return !m_poisonedBits; }
+    explicit operator bool() const { return !!m_poisonedBits; }
+
+    bool operator==(const PoisonedImpl& b) const { return m_poisonedBits == b.m_poisonedBits; }
+    bool operator!=(const PoisonedImpl& b) const { return m_poisonedBits != b.m_poisonedBits; }
+    bool operator<(const PoisonedImpl& b) const { return m_poisonedBits < b.m_poisonedBits; }
+    bool operator<=(const PoisonedImpl& b) const { return m_poisonedBits <= b.m_poisonedBits; }
+    bool operator>(const PoisonedImpl& b) const { return m_poisonedBits > b.m_poisonedBits; }
+    bool operator>=(const PoisonedImpl& b) const { return m_poisonedBits >= b.m_poisonedBits; }
+
+    template<typename U> bool operator==(U b) const { return unpoisoned<U>() == b; }
+    template<typename U> bool operator!=(U b) const { return unpoisoned<U>() != b; }
+    template<typename U> bool operator<(U b) const { return unpoisoned<U>() < b; }
+    template<typename U> bool operator<=(U b) const { return unpoisoned<U>() <= b; }
+    template<typename U> bool operator>(U b) const { return unpoisoned<U>() > b; }
+    template<typename U> bool operator>=(U b) const { return unpoisoned<U>() >= b; }
+
+    PoisonedImpl& operator=(T ptr)
+    {
+        m_poisonedBits = poison(ptr);
+        return *this;
+    }
+    PoisonedImpl& operator=(const PoisonedImpl&) = default;
+
+    template<typename K2, K2 k2, typename T2>
+    PoisonedImpl& operator=(const PoisonedImpl<K2, k2, T2>& other)
+    {
+        m_poisonedBits = poison<T>(other.unpoisoned());
+        return *this;
+    }
+
+    void swap(PoisonedImpl& o)
+    {
+        std::swap(m_poisonedBits, o.m_poisonedBits);
+    }
+
+    template<typename K2, K2 k2, typename T2>
+    void swap(PoisonedImpl<K2, k2, T2>& o)
+    {
+        T t1 = this->unpoisoned();
+        T2 t2 = o.unpoisoned();
+        std::swap(t1, t2);
+        m_poisonedBits = poison(t1);
+        o = t2;
+    }
+
+    template<class U>
+    T exchange(U&& newValue)
+    {
+        T oldValue = unpoisoned();
+        m_poisonedBits = poison(std::forward<U>(newValue));
+        return oldValue;
+    }
+
+private:
+#if ENABLE(POISON)
+    template<typename U>
+    ALWAYS_INLINE static PoisonedBits poison(U ptr) { return ptr ? bitwise_cast<PoisonedBits>(ptr) ^ key : 0; }
+    template<typename U = T>
+    ALWAYS_INLINE static U unpoison(PoisonedBits poisonedBits) { return poisonedBits ? bitwise_cast<U>(poisonedBits ^ key) : bitwise_cast<U>(0ll); }
+#else
+    template<typename U>
+    ALWAYS_INLINE static PoisonedBits poison(U ptr) { return bitwise_cast<PoisonedBits>(ptr); }
+    template<typename U = T>
+    ALWAYS_INLINE static U unpoison(PoisonedBits poisonedBits) { return bitwise_cast<U>(poisonedBits); }
+#endif
+
+    PoisonedBits m_poisonedBits { 0 };
+};
+
+template<typename K1, K1 k1, typename T1, typename K2, K2 k2, typename T2>
+inline void swap(PoisonedImpl<K1, k1, T1>& a, PoisonedImpl<K2, k2, T2>& b)
+{
+    a.swap(b);
+}
+
+WTF_EXPORT_PRIVATE uintptr_t makePoison();
+
+inline constexpr uintptr_t makePoison(uint32_t key)
+{
+#if ENABLE(POISON)
+    return static_cast<uintptr_t>(0x80000000 | key) << 32;
+#else
+    return (void)key, 0;
+#endif
+}
+
+template<uintptr_t& key, typename T>
+using Poisoned = PoisonedImpl<uintptr_t&, key, T>;
+
+template<uint32_t key, typename T>
+using ConstExprPoisoned = PoisonedImpl<uintptr_t, makePoison(key), T>;
+
+} // namespace WTF
+
+using WTF::ConstExprPoisoned;
+using WTF::Poisoned;
+using WTF::PoisonedBits;
+using WTF::makePoison;
+
</ins></span></pre></div>
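Review bot: The GCC branch of the `ENABLE_MIXED_POISON` detection (`#elif defined(__GNUC__)`) includes `<features.h>` and uses `__GNUC_PREREQ`, both glibc-specific, so a GCC build against another libc (musl, the BSDs) would presumably fail on the missing header rather than fall through to the `0` default; the version test needs no header at all: `#define ENABLE_MIXED_POISON ((__GNUC__ > 7) || (__GNUC__ == 7 && __GNUC_MINOR__ >= 2))`. The trailing `#endif // !defined(__GNUC__)` comment on that ladder is also mislabeled, since it closes the `#if OS(DARWIN)` chain. Separately, the header uses `std::integral_constant`, `std::is_function`, `std::enable_if_t`, `std::swap` and `std::forward` but includes only `<wtf/Assertions.h>`, relying on transitive includes for `<type_traits>` and `<utility>`; adding them explicitly keeps the header self-contained. It would also help to document on the same-type `operator<`/`operator>` overloads that they order by the poisoned representation rather than by the underlying pointer value, since the two orders differ and a caller sorting by address would be surprised.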
<a id="branchessafari604branchToolsChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-604-branch/Tools/ChangeLog (226132 => 226133)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-604-branch/Tools/ChangeLog       2017-12-19 19:34:02 UTC (rev 226132)
+++ branches/safari-604-branch/Tools/ChangeLog  2017-12-19 19:34:17 UTC (rev 226133)
</span><span class="lines">@@ -1,3 +1,512 @@
</span><ins>+2017-12-19  Jason Marcell  <jmarcell@apple.com>
+
+        Apply patch. rdar://problem/36111993
+
+    Cherry-pick r225363, r225437, r225632, r225659, r225697, r225857. rdar://problem/36085975
+    
+        Also merged offlineasm parts of r220184 and r222549.  These changes are required
+        to support the code in cherry-picked revisions above.
+    
+    2017-11-30  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble MacroAssemblerCodePtr values.
+            https://bugs.webkit.org/show_bug.cgi?id=180169
+            <rdar://problem/35758340>
+    
+            Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
+    
+            1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
+    
+            2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
+               template argument type that will be used to cast the result.  This makes the
+               client code that uses these functions a little less verbose.
+    
+            3. Change the code base in general to minimize passing void* code pointers around.
+               We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
+               at the last moment when we need the underlying code pointer.
+    
+            4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
+               default.  I'm leaving them in because they are instrumental in finding bugs
+               where not all MacroAssemblerCodePtr values were not scrambled as expected.
+               I expect them to be useful in the near future as we add more scrambling.
+    
+            5. Also disable the casting operator on MacroAssemblerCodePtr (except for
+               explicit casts to a boolean).  This ensures that clients will always explicitly
+               use scrambledBits() or executableAddress() to get a value based on which value
+               they actually need.
+    
+            5. Added currentThread() id to the logging in LLIntSlowPath trace functions.
+               This was helpful when debugging tests that ran multiple VMs concurrently on
+               different threads.
+    
+            MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
+            CLoop).  It is not yet supported in 32-bit and Windows because we don't
+            currently have a way to read a global variable from their LLInt code.
+    
+            * assembler/AbstractMacroAssembler.h:
+            (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
+            (JSC::AbstractMacroAssembler::linkPointer):
+            * assembler/CodeLocation.h:
+            (JSC::CodeLocationCommon::instructionAtOffset):
+            (JSC::CodeLocationCommon::labelAtOffset):
+            (JSC::CodeLocationCommon::jumpAtOffset):
+            (JSC::CodeLocationCommon::callAtOffset):
+            (JSC::CodeLocationCommon::nearCallAtOffset):
+            (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
+            (JSC::CodeLocationCommon::dataLabel32AtOffset):
+            (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
+            (JSC::CodeLocationCommon::convertibleLoadAtOffset):
+            * assembler/LinkBuffer.cpp:
+            (JSC::LinkBuffer::finalizeCodeWithDisassembly):
+            * assembler/LinkBuffer.h:
+            (JSC::LinkBuffer::link):
+            (JSC::LinkBuffer::patch):
+            * assembler/MacroAssemblerCodeRef.cpp:
+            (JSC::MacroAssemblerCodePtr::initialize):
+            * assembler/MacroAssemblerCodeRef.h:
+            (JSC::FunctionPtr::FunctionPtr):
+            (JSC::FunctionPtr::value const):
+            (JSC::FunctionPtr::executableAddress const):
+            (JSC::ReturnAddressPtr::ReturnAddressPtr):
+            (JSC::ReturnAddressPtr::value const):
+            (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+            (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+            (JSC::MacroAssemblerCodePtr::scrambledPtr const):
+            (JSC::MacroAssemblerCodePtr:: const):
+            (JSC::MacroAssemblerCodePtr::operator! const):
+            (JSC::MacroAssemblerCodePtr::operator bool const):
+            (JSC::MacroAssemblerCodePtr::operator== const):
+            (JSC::MacroAssemblerCodePtr::hash const):
+            (JSC::MacroAssemblerCodePtr::emptyValue):
+            (JSC::MacroAssemblerCodePtr::deletedValue):
+            (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
+            (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
+            * b3/B3LowerMacros.cpp:
+            * b3/testb3.cpp:
+            (JSC::B3::testInterpreter):
+            * dfg/DFGDisassembler.cpp:
+            (JSC::DFG::Disassembler::dumpDisassembly):
+            * dfg/DFGJITCompiler.cpp:
+            (JSC::DFG::JITCompiler::link):
+            (JSC::DFG::JITCompiler::compileFunction):
+            * dfg/DFGOperations.cpp:
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+            (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+            (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
+            (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+            * dfg/DFGSpeculativeJIT.h:
+            * disassembler/Disassembler.cpp:
+            (JSC::disassemble):
+            * disassembler/UDis86Disassembler.cpp:
+            (JSC::tryToDisassembleWithUDis86):
+            * ftl/FTLCompile.cpp:
+            (JSC::FTL::compile):
+            * ftl/FTLJITCode.cpp:
+            (JSC::FTL::JITCode::executableAddressAtOffset):
+            * ftl/FTLLink.cpp:
+            (JSC::FTL::link):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
+            (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+            * interpreter/InterpreterInlines.h:
+            (JSC::Interpreter::getOpcodeID):
+            * jit/JITArithmetic.cpp:
+            (JSC::JIT::emitMathICFast):
+            (JSC::JIT::emitMathICSlow):
+            * jit/JITCode.cpp:
+            (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
+            (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
+            (JSC::JITCodeWithCodeRef::offsetOf):
+            * jit/JITDisassembler.cpp:
+            (JSC::JITDisassembler::dumpDisassembly):
+            * jit/PCToCodeOriginMap.cpp:
+            (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
+            * jit/Repatch.cpp:
+            (JSC::ftlThunkAwareRepatchCall):
+            * jit/ThunkGenerators.cpp:
+            (JSC::virtualThunkFor):
+            (JSC::boundThisNoArgsFunctionCallGenerator):
+            * llint/LLIntSlowPaths.cpp:
+            (JSC::LLInt::llint_trace_operand):
+            (JSC::LLInt::llint_trace_value):
+            (JSC::LLInt::handleHostCall):
+            (JSC::LLInt::setUpCall):
+            * llint/LowLevelInterpreter64.asm:
+            * offlineasm/cloop.rb:
+            * runtime/InitializeThreading.cpp:
+            (JSC::initializeThreading):
+            * wasm/WasmBBQPlan.cpp:
+            (JSC::Wasm::BBQPlan::complete):
+            * wasm/WasmCallee.h:
+            (JSC::Wasm::Callee::entrypoint const):
+            * wasm/WasmCodeBlock.cpp:
+            (JSC::Wasm::CodeBlock::CodeBlock):
+            * wasm/WasmOMGPlan.cpp:
+            (JSC::Wasm::OMGPlan::work):
+            * wasm/js/WasmToJS.cpp:
+            (JSC::Wasm::wasmToJS):
+            * wasm/js/WebAssemblyFunction.cpp:
+            (JSC::callWebAssemblyFunction):
+            * wasm/js/WebAssemblyFunction.h:
+            * wasm/js/WebAssemblyWrapperFunction.cpp:
+            (JSC::WebAssemblyWrapperFunction::create):
+    
+    2017-12-01  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble ClassInfo pointers in cells.
+            https://bugs.webkit.org/show_bug.cgi?id=180291
+            <rdar://problem/35807620>
+    
+            Reviewed by JF Bastien.
+    
+            * API/JSCallbackObject.h:
+            * API/JSObjectRef.cpp:
+            (classInfoPrivate):
+            * JavaScriptCore.xcodeproj/project.pbxproj:
+            * Sources.txt:
+            * assembler/MacroAssemblerCodeRef.cpp:
+            (JSC::MacroAssemblerCodePtr::initialize): Deleted.
+            * assembler/MacroAssemblerCodeRef.h:
+            (JSC::MacroAssemblerCodePtr:: const):
+            (JSC::MacroAssemblerCodePtr::hash const):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::checkArray):
+            (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+            (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+            * jit/AssemblyHelpers.h:
+            (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+            * jit/SpecializedThunkJIT.h:
+            (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+            * runtime/InitializeThreading.cpp:
+            (JSC::initializeThreading):
+            * runtime/JSCScrambledPtr.cpp: Added.
+            (JSC::initializeScrambledPtrKeys):
+            * runtime/JSCScrambledPtr.h: Added.
+            * runtime/JSDestructibleObject.h:
+            (JSC::JSDestructibleObject::classInfo const):
+            * runtime/JSSegmentedVariableObject.h:
+            (JSC::JSSegmentedVariableObject::classInfo const):
+            * runtime/Structure.h:
+            * runtime/VM.h:
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
+            https://bugs.webkit.org/show_bug.cgi?id=180514
+    
+            Reviewed by Saam Barati and JF Bastien.
+    
+            Re-landing r225620 with speculative build fix for GCC 7.
+    
+            * API/JSCallbackObject.h:
+            * API/JSObjectRef.cpp:
+            (classInfoPrivate):
+            * JavaScriptCore.xcodeproj/project.pbxproj:
+            * Sources.txt:
+            * assembler/MacroAssemblerCodeRef.h:
+            (JSC::FunctionPtr::FunctionPtr):
+            (JSC::FunctionPtr::value const):
+            (JSC::FunctionPtr::executableAddress const):
+            (JSC::ReturnAddressPtr::ReturnAddressPtr):
+            (JSC::ReturnAddressPtr::value const):
+            (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+            (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+            (JSC::MacroAssemblerCodePtr::poisonedPtr const):
+            (JSC::MacroAssemblerCodePtr:: const):
+            (JSC::MacroAssemblerCodePtr::operator! const):
+            (JSC::MacroAssemblerCodePtr::operator== const):
+            (JSC::MacroAssemblerCodePtr::emptyValue):
+            (JSC::MacroAssemblerCodePtr::deletedValue):
+            (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
+            * b3/B3LowerMacros.cpp:
+            * b3/testb3.cpp:
+            (JSC::B3::testInterpreter):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::checkArray):
+            (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+            (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+            (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+            * jit/AssemblyHelpers.h:
+            (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+            * jit/SpecializedThunkJIT.h:
+            (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+            * jit/ThunkGenerators.cpp:
+            (JSC::virtualThunkFor):
+            (JSC::boundThisNoArgsFunctionCallGenerator):
+            * llint/LLIntSlowPaths.cpp:
+            (JSC::LLInt::handleHostCall):
+            (JSC::LLInt::setUpCall):
+            * llint/LowLevelInterpreter64.asm:
+            * runtime/InitializeThreading.cpp:
+            (JSC::initializeThreading):
+            * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
+            (JSC::initializePoison):
+            (JSC::initializeScrambledPtrKeys): Deleted.
+            * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
+            * runtime/JSCScrambledPtr.cpp: Removed.
+            * runtime/JSCScrambledPtr.h: Removed.
+            * runtime/JSDestructibleObject.h:
+            (JSC::JSDestructibleObject::classInfo const):
+            * runtime/JSSegmentedVariableObject.h:
+            (JSC::JSSegmentedVariableObject::classInfo const):
+            * runtime/Structure.h:
+            * runtime/VM.h:
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            Apply poisoning to some native code pointers.
+            https://bugs.webkit.org/show_bug.cgi?id=180541
+            <rdar://problem/35916875>
+    
+            Reviewed by Filip Pizlo.
+    
+            Renamed g_classInfoPoison to g_globalDataPoison.
+            Renamed g_masmPoison to g_jitCodePoison.
+            Introduced g_nativeCodePoison.
+            Applied g_nativeCodePoison to poisoning some native code pointers.
+    
+            Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
+            to malloc allocated data structures (where needed).
+    
+            * API/JSCallbackFunction.h:
+            (JSC::JSCallbackFunction::functionCallback):
+            * JavaScriptCore.xcodeproj/project.pbxproj:
+            * jit/ThunkGenerators.cpp:
+            (JSC::nativeForGenerator):
+            * llint/LowLevelInterpreter64.asm:
+            * runtime/CustomGetterSetter.h:
+            (JSC::CustomGetterSetter::getter const):
+            (JSC::CustomGetterSetter::setter const):
+            * runtime/InternalFunction.cpp:
+            (JSC::InternalFunction::getCallData):
+            (JSC::InternalFunction::getConstructData):
+            * runtime/InternalFunction.h:
+            (JSC::InternalFunction::nativeFunctionFor):
+            * runtime/JSCPoison.h: Added.
+            * runtime/JSCPoisonedPtr.cpp:
+            (JSC::initializePoison):
+            * runtime/JSCPoisonedPtr.h:
+            * runtime/Lookup.h:
+            * runtime/NativeExecutable.cpp:
+            (JSC::NativeExecutable::hashFor const):
+            * runtime/NativeExecutable.h:
+            * runtime/Structure.cpp:
+            (JSC::StructureTransitionTable::setSingleTransition):
+            * runtime/StructureTransitionTable.h:
+            (JSC::StructureTransitionTable::StructureTransitionTable):
+            (JSC::StructureTransitionTable::isUsingSingleSlot const):
+            (JSC::StructureTransitionTable::map const):
+            (JSC::StructureTransitionTable::weakImpl const):
+            (JSC::StructureTransitionTable::setMap):
+    
+    2017-12-08  Mark Lam  <mark.lam@apple.com>
+    
+            Need to unpoison native function pointers for CLoop.
+            https://bugs.webkit.org/show_bug.cgi?id=180601
+            <rdar://problem/35942028>
+    
+            Reviewed by JF Bastien.
+    
+            * llint/LowLevelInterpreter64.asm:
+    
+    2017-12-13  Mark Lam  <mark.lam@apple.com>
+    
+            Fill out some Poisoned APIs, fix some bugs, and add some tests.
+            https://bugs.webkit.org/show_bug.cgi?id=180724
+            <rdar://problem/36006884>
+    
+            Reviewed by JF Bastien.
+    
+            * runtime/StructureTransitionTable.h:
+    
+    2017-12-18  Jason Marcell  <jmarcell@apple.com>
+    
+        Apply patch. rdar://problem/36113365
+    
+        Cherry-pick r225363, r225437, r225632, r225659, r225697, r225857. rdar://problem/36085975
+    
+    2017-11-30  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble MacroAssemblerCodePtr values.
+            https://bugs.webkit.org/show_bug.cgi?id=180169
+            <rdar://problem/35758340>
+    
+            Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
+    
+            Introduce a ScrambledPtr class to facilitate scrambling.
+    
+            * WTF.xcodeproj/project.pbxproj:
+            * wtf/CMakeLists.txt:
+            * wtf/ScrambledPtr.cpp: Added.
+            (WTF::makeScrambledPtrKey):
+            * wtf/ScrambledPtr.h: Added.
+            (WTF::ScrambledPtr::ScrambledPtr):
+            (WTF::ScrambledPtr::paranoidAssertIsScrambled const):
+            (WTF::ScrambledPtr::paranoidAssertIsNotScrambled const):
+            (WTF::ScrambledPtr:: const):
+            (WTF::ScrambledPtr::operator-> const):
+            (WTF::ScrambledPtr::scrambledBits const):
+            (WTF::ScrambledPtr::operator! const):
+            (WTF::ScrambledPtr::operator bool const):
+            (WTF::ScrambledPtr::operator== const):
+            (WTF::ScrambledPtr::operator==):
+            (WTF::ScrambledPtr::scramble):
+            (WTF::ScrambledPtr::descramble):
+    
+    2017-12-01  Mark Lam  <mark.lam@apple.com>
+    
+            Let's scramble ClassInfo pointers in cells.
+            https://bugs.webkit.org/show_bug.cgi?id=180291
+            <rdar://problem/35807620>
+    
+            Reviewed by JF Bastien.
+    
+            * wtf/ScrambledPtr.h:
+            (WTF::ScrambledPtr::descrambled const):
+            (WTF::ScrambledPtr::bits const):
+            (WTF::ScrambledPtr::operator==):
+            (WTF::ScrambledPtr::operator=):
+            (WTF::ScrambledPtr::scramble):
+            (WTF::ScrambledPtr::descramble):
+            (WTF::ScrambledPtr:: const): Deleted.
+            (WTF::ScrambledPtr::scrambledBits const): Deleted.
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
+            https://bugs.webkit.org/show_bug.cgi?id=180514
+    
+            Reviewed by Saam Barati and JF Bastien.
+    
+            Re-landing r225620 with speculative build fix for GCC 7.
+    
+            * WTF.xcodeproj/project.pbxproj:
+            * wtf/CMakeLists.txt:
+            * wtf/Poisoned.cpp: Copied from Source/WTF/wtf/ScrambledPtr.cpp.
+            (WTF::makePoison):
+            (WTF::makeScrambledPtrKey): Deleted.
+            * wtf/Poisoned.h: Copied from Source/WTF/wtf/ScrambledPtr.h.
+            (WTF::PoisonedImpl::PoisonedImpl):
+            (WTF::PoisonedImpl::assertIsPoisoned const):
+            (WTF::PoisonedImpl::assertIsNotPoisoned const):
+            (WTF::PoisonedImpl::unpoisoned const):
+            (WTF::PoisonedImpl::operator-> const):
+            (WTF::PoisonedImpl::bits const):
+            (WTF::PoisonedImpl::operator! const):
+            (WTF::PoisonedImpl::operator bool const):
+            (WTF::PoisonedImpl::operator== const):
+            (WTF::PoisonedImpl::operator==):
+            (WTF::PoisonedImpl::operator=):
+            (WTF::PoisonedImpl::poison):
+            (WTF::PoisonedImpl::unpoison):
+            (WTF::ScrambledPtr::ScrambledPtr): Deleted.
+            (WTF::ScrambledPtr::assertIsScrambled const): Deleted.
+            (WTF::ScrambledPtr::assertIsNotScrambled const): Deleted.
+            (WTF::ScrambledPtr::descrambled const): Deleted.
+            (WTF::ScrambledPtr::operator-> const): Deleted.
+            (WTF::ScrambledPtr::bits const): Deleted.
+            (WTF::ScrambledPtr::operator! const): Deleted.
+            (WTF::ScrambledPtr::operator bool const): Deleted.
+            (WTF::ScrambledPtr::operator== const): Deleted.
+            (WTF::ScrambledPtr::operator==): Deleted.
+            (WTF::ScrambledPtr::operator=): Deleted.
+            (WTF::ScrambledPtr::scramble): Deleted.
+            (WTF::ScrambledPtr::descramble): Deleted.
+            * wtf/ScrambledPtr.cpp: Removed.
+            * wtf/ScrambledPtr.h: Removed.
+    
+    2017-12-07  Mark Lam  <mark.lam@apple.com>
+    
+            Apply poisoning to some native code pointers.
+            https://bugs.webkit.org/show_bug.cgi?id=180541
+            <rdar://problem/35916875>
+    
+            Reviewed by Filip Pizlo.
+    
+            Ensure that the resultant poisoned bits still looks like a pointer in that its
+            bottom bits are 0, just like the alignment bits of a pointer.  This allows the
+            client to use the bottom bits of the poisoned bits as flag bits just like the
+            client was previously able to do with pointer values.
+    
+            Note: we only ensure that the bottom alignment bits of the generated poison
+            value is 0.  We're not masking out the poisoned bits.  This means that the bottom
+            bits of the poisoned bits will only be null if the original pointer is aligned.
+            Hence, if the client applies the poison to an unaligned pointer, we do not lose
+            any information on the low bits.
+    
+            Also removed 2 wrong assertions in PoisonedImpl's constructors.  We were
+            asserting that Poisoned will never be used with a null value, but that's invalid.
+            We do want to allow a null value so that we don't have to constantly do null
+            checks in the clients.  This was uncovered by some layout tests.
+    
+            * wtf/Poisoned.cpp:
+            (WTF::makePoison):
+            * wtf/Poisoned.h:
+            (WTF::PoisonedImpl::PoisonedImpl):
+    
+    2017-12-13  Mark Lam  <mark.lam@apple.com>
+    
+            Fill out some Poisoned APIs, fix some bugs, and add some tests.
+            https://bugs.webkit.org/show_bug.cgi?id=180724
+            <rdar://problem/36006884>
+    
+            Reviewed by JF Bastien.
+    
+            Also rename Int32Poisoned to ConstExprPoisoned.  The key it takes is actually a
+            uint32_t.  So, Int32 is really a misnomer.  In addition, the key needs to be a
+            constexpr.  So, ConstExprPoisoned is a better name for it.
+    
+            * wtf/Poisoned.cpp:
+            (WTF::makePoison):
+            * wtf/Poisoned.h:
+            (WTF::PoisonedImplHelper::asReference):
+            (WTF::PoisonedImpl::PoisonedImpl):
+            (WTF::PoisonedImpl::clear):
+            (WTF::PoisonedImpl::operator* const):
+            (WTF::PoisonedImpl::operator-> const):
+            (WTF::PoisonedImpl::operator== const):
+            (WTF::PoisonedImpl::operator!= const):
+            (WTF::PoisonedImpl::operator< const):
+            (WTF::PoisonedImpl::operator<= const):
+            (WTF::PoisonedImpl::operator> const):
+            (WTF::PoisonedImpl::operator>= const):
+            (WTF::PoisonedImpl::operator=):
+            (WTF::PoisonedImpl::swap):
+            (WTF::PoisonedImpl::exchange):
+            (WTF::swap):
+            (WTF::makePoison):
+            (WTF::PoisonedImpl::operator==): Deleted.
+
+    2017-12-18  Mark Lam  <mark.lam@apple.com>
+
+            Cherry-pick r225363, r225437, r225632, r225659, r225697, r225857. rdar://problem/36085975
+
+        2017-12-13  Mark Lam  <mark.lam@apple.com>
+
+                Fill out some Poisoned APIs, fix some bugs, and add some tests.
+                https://bugs.webkit.org/show_bug.cgi?id=180724
+                <rdar://problem/36006884>
+
+                Reviewed by JF Bastien.
+
+                * TestWebKitAPI/CMakeLists.txt:
+                * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+                * TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp: Added.
+                (TestWebKitAPI::TEST):
+                * TestWebKitAPI/Tests/WTF/Poisoned.cpp: Added.
+                (TestWebKitAPI::initializeTestPoison):
+                (TestWebKitAPI::TEST):
+
</ins><span class="cx"> 2017-10-27  Jason Marcell  <jmarcell@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Cherry-pick r221233. rdar://problem/35228663
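--- a/branches/safari-604-branch/Tools/TestWebKitAPI/CMakeLists.txt
+++ b/branches/safari-604-branch/Tools/TestWebKitAPI/CMakeLists.txt
@@ -46,6 +46,7 @@
     ${TESTWEBKITAPI_DIR}/Tests/WTF/CString.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/CheckedArithmeticOperations.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/Condition.cpp
+    ${TESTWEBKITAPI_DIR}/Tests/WTF/ConstExprPoisoned.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/DateMath.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/Deque.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/EnumTraits.cpp
@@ -65,6 +66,7 @@
     ${TESTWEBKITAPI_DIR}/Tests/WTF/Optional.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/OptionSet.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/ParkingLot.cpp
+    ${TESTWEBKITAPI_DIR}/Tests/WTF/Poisoned.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/RedBlackTree.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/Ref.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/RefCounter.cpp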
<div class="modfile"><h4>Modified: branches/safari-604-branch/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (226132 => 226133)</h4>
<span class="info">--- branches/safari-604-branch/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj   2017-12-19 19:34:02 UTC (rev 226132)
+++ branches/safari-604-branch/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj      2017-12-19 19:34:17 UTC (rev 226133)
</span><span class="lines">@@ -687,6 +687,8 @@
</span><span class="cx">          F6B7BE9717469B96008A3445 /* associate-form-controls.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = F6B7BE9617469B7E008A3445 /* associate-form-controls.html */; };
</span><span class="cx">          F6F49C6B15545CA70007F39D /* DOMWindowExtensionNoCache_Bundle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = F6F49C6615545C8D0007F39D /* DOMWindowExtensionNoCache_Bundle.cpp */; };
</span><span class="cx">          F6FDDDD614241C6F004F1729 /* push-state.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = F6FDDDD514241C48004F1729 /* push-state.html */; };
</span><ins>+               FE05FAEF1FE0645B00093230 /* Poisoned.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE05FAEE1FE0643D00093230 /* Poisoned.cpp */; };
+               FE05FAF11FE08CD400093230 /* ConstExprPoisoned.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE05FAF01FE08CCD00093230 /* ConstExprPoisoned.cpp */; };
</ins><span class="cx"> /* End PBXBuildFile section */
</span><span class="cx"> 
</span><span class="cx"> /* Begin PBXContainerItemProxy section */
</span><span class="lines">@@ -1692,6 +1694,8 @@
</span><span class="cx">          F6F49C6715545C8D0007F39D /* DOMWindowExtensionNoCache.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMWindowExtensionNoCache.cpp; sourceTree = "<group>"; };
</span><span class="cx">          F6FDDDD214241AD4004F1729 /* PrivateBrowsingPushStateNoHistoryCallback.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PrivateBrowsingPushStateNoHistoryCallback.cpp; sourceTree = "<group>"; };
</span><span class="cx">          F6FDDDD514241C48004F1729 /* push-state.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "push-state.html"; sourceTree = "<group>"; };
</span><ins>+               FE05FAEE1FE0643D00093230 /* Poisoned.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Poisoned.cpp; sourceTree = "<group>"; };
+               FE05FAF01FE08CCD00093230 /* ConstExprPoisoned.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ConstExprPoisoned.cpp; sourceTree = "<group>"; };
</ins><span class="cx">           FEB6F74E1B2BA44E009E4922 /* NakedPtr.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NakedPtr.cpp; sourceTree = "<group>"; };
</span><span class="cx"> /* End PBXFileReference section */
</span><span class="cx"> 
</span><span class="lines">@@ -2388,6 +2392,7 @@
</span><span class="cx">                          E40019301ACE9B5C001B0A2A /* BloomFilter.cpp */,
</span><span class="cx">                          A7A966DA140ECCC8005EF9B4 /* CheckedArithmeticOperations.cpp */,
</span><span class="cx">                          0FEAE3671B7D19CB00CE17F2 /* Condition.cpp */,
</span><ins>+                               FE05FAF01FE08CCD00093230 /* ConstExprPoisoned.cpp */,
</ins><span class="cx">                           51714EB91D087416004723C4 /* CrossThreadTask.cpp */,
</span><span class="cx">                          26A2C72E15E2E73C005B1A14 /* CString.cpp */,
</span><span class="cx">                          7AA021BA1AB09EA70052953F /* DateMath.cpp */,
</span><span class="lines">@@ -2412,6 +2417,7 @@
</span><span class="cx">                          1AFDE6541953B2C000C48FFA /* Optional.cpp */,
</span><span class="cx">                          CE50D8C81C8665CE0072EA5A /* OptionSet.cpp */,
</span><span class="cx">                          0FE447971B76F1E3009498EB /* ParkingLot.cpp */,
</span><ins>+                               FE05FAEE1FE0643D00093230 /* Poisoned.cpp */,
</ins><span class="cx">                           53EC253F1E96BC80000831B9 /* PriorityQueue.cpp */,
</span><span class="cx">                          0FC6C4CB141027E0005B7F0C /* RedBlackTree.cpp */,
</span><span class="cx">                          93A427AA180DA26400CD24D7 /* Ref.cpp */,
</span><span class="lines">@@ -2954,6 +2960,7 @@
</span><span class="cx">                          5311BD5E1EA9490E00525281 /* ThreadMessages.cpp in Sources */,
</span><span class="cx">                          7C83DF1D1D0A590C00FEBCF3 /* Lock.cpp in Sources */,
</span><span class="cx">                          7C83DEED1D0A590C00FEBCF3 /* MathExtras.cpp in Sources */,
</span><ins>+                               FE05FAF11FE08CD400093230 /* ConstExprPoisoned.cpp in Sources */,
</ins><span class="cx">                           7C83DEEF1D0A590C00FEBCF3 /* MD5.cpp in Sources */,
</span><span class="cx">                          7C83DEF11D0A590C00FEBCF3 /* MediaTime.cpp in Sources */,
</span><span class="cx">                          7C83DEF61D0A590C00FEBCF3 /* MetaAllocator.cpp in Sources */,
</span><span class="lines">@@ -2972,6 +2979,7 @@
</span><span class="cx">                          7C83DF051D0A590C00FEBCF3 /* RunLoop.cpp in Sources */,
</span><span class="cx">                          7C83DF261D0A590C00FEBCF3 /* SaturatedArithmeticOperations.cpp in Sources */,
</span><span class="cx">                          1A3524AE1D63A4FB0031729B /* Scope.cpp in Sources */,
</span><ins>+                               FE05FAEF1FE0645B00093230 /* Poisoned.cpp in Sources */,
</ins><span class="cx">                           7C83DF121D0A590C00FEBCF3 /* ScopedLambda.cpp in Sources */,
</span><span class="cx">                          7C83DF3D1D0A590C00FEBCF3 /* SetForScope.cpp in Sources */,
</span><span class="cx">                          37C7CC2D1EA4146B007BD956 /* WeakLinking.cpp in Sources */,
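--- a/branches/safari-604-branch/Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp
+++ b/branches/safari-604-branch/Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp
@@ -0,0 +1,352 @@
+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "RefLogger.h"
+#include <mutex>
+#include <wtf/Poisoned.h>
+
+namespace TestWebKitAPI {
+
+static const uint32_t PoisonA = 0xaaaa;
+static const uint32_t PoisonB = 0xbbbb;
+
+// For these tests, we need a base class and a derived class. For this purpose,
+// we reuse the RefLogger and DerivedRefLogger classes.
+
+TEST(WTF_ConstExprPoisoned, Basic)
+{
+    DerivedRefLogger a("a");
+
+    ConstExprPoisoned<PoisonA, RefLogger*> empty;
+    ASSERT_EQ(nullptr, empty.unpoisoned());
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ASSERT_EQ(&a, &*ptr);
+        ASSERT_EQ(&a.name, &ptr->name);
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> ptr = &a;
+        ASSERT_EQ(&a, ptr.unpoisoned());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1 = &a;
+        ConstExprPoisoned<PoisonA, RefLogger*> p2(p1);
+        ConstExprPoisoned<PoisonB, RefLogger*> p3(p1);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+        ASSERT_EQ(&a, p3.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() == p2.bits());
+        ASSERT_TRUE(p1.bits() != p3.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1 = &a;
+        ConstExprPoisoned<PoisonA, RefLogger*> p2 = p1;
+        ConstExprPoisoned<PoisonB, RefLogger*> p3 = p1;
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+        ASSERT_EQ(&a, p3.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() == p2.bits());
+        ASSERT_TRUE(p1.bits() != p3.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1 = &a;
+        ConstExprPoisoned<PoisonA, RefLogger*> p2 = WTFMove(p1);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+
+        ConstExprPoisoned<PoisonA, RefLogger*> p3 = &a;
+        ConstExprPoisoned<PoisonB, RefLogger*> p4 = WTFMove(p3);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&a, p4.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() == p2.bits());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1 = &a;
+        ConstExprPoisoned<PoisonA, RefLogger*> p2(WTFMove(p1));
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+
+        ConstExprPoisoned<PoisonA, RefLogger*> p3 = &a;
+        ConstExprPoisoned<PoisonB, RefLogger*> p4(WTFMove(p3));
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&a, p4.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() == p2.bits());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, DerivedRefLogger*> p1 = &a;
+        ConstExprPoisoned<PoisonA, RefLogger*> p2 = p1;
+        ConstExprPoisoned<PoisonB, RefLogger*> p3 = p1;
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+        ASSERT_EQ(&a, p3.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() == p2.bits());
+        ASSERT_TRUE(p1.bits() != p3.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, DerivedRefLogger*> p1 = &a;
+        ConstExprPoisoned<PoisonA, RefLogger*> p2 = WTFMove(p1);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+
+        ConstExprPoisoned<PoisonA, DerivedRefLogger*> p3 = &a;
+        ConstExprPoisoned<PoisonB, RefLogger*> p4 = WTFMove(p3);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&a, p4.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() == p2.bits());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ptr.clear();
+        ASSERT_EQ(nullptr, ptr.unpoisoned());
+    }
+}
+
+TEST(WTF_ConstExprPoisoned, Assignment)
+{
+    DerivedRefLogger a("a");
+    RefLogger b("b");
+    DerivedRefLogger c("c");
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+        ConstExprPoisoned<PoisonA, RefLogger*> p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+        p1 = p2;
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+
+        ConstExprPoisoned<PoisonA, RefLogger*> p3(&a);
+        ConstExprPoisoned<PoisonB, RefLogger*> p4(&b);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+        p3 = p4;
+        ASSERT_EQ(&b, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() == p2.bits());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ptr = &b;
+        ASSERT_EQ(&b, ptr.unpoisoned());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ptr = nullptr;
+        ASSERT_EQ(nullptr, ptr.unpoisoned());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+        ConstExprPoisoned<PoisonA, RefLogger*> p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+        p1 = WTFMove(p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+
+        ConstExprPoisoned<PoisonA, RefLogger*> p3(&a);
+        ConstExprPoisoned<PoisonB, RefLogger*> p4(&b);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+        p3 = WTFMove(p4);
+        ASSERT_EQ(&b, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() == p2.bits());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+        ConstExprPoisoned<PoisonA, DerivedRefLogger*> p2(&c);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&c, p2.unpoisoned());
+        p1 = p2;
+        ASSERT_EQ(&c, p1.unpoisoned());
+        ASSERT_EQ(&c, p2.unpoisoned());
+
+        ConstExprPoisoned<PoisonA, RefLogger*> p3(&a);
+        ConstExprPoisoned<PoisonB, DerivedRefLogger*> p4(&c);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&c, p4.unpoisoned());
+        p3 = p4;
+        ASSERT_EQ(&c, p3.unpoisoned());
+        ASSERT_EQ(&c, p4.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() == p2.bits());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ptr = &c;
+        ASSERT_EQ(&c, ptr.unpoisoned());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+        ConstExprPoisoned<PoisonA, DerivedRefLogger*> p2(&c);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&c, p2.unpoisoned());
+        p1 = WTFMove(p2);
+        ASSERT_EQ(&c, p1.unpoisoned());
+        ASSERT_EQ(&c, p2.unpoisoned());
+
+        ConstExprPoisoned<PoisonA, RefLogger*> p3(&a);
+        ConstExprPoisoned<PoisonB, DerivedRefLogger*> p4(&c);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&c, p4.unpoisoned());
+        p3 = WTFMove(p4);
+        ASSERT_EQ(&c, p3.unpoisoned());
+        ASSERT_EQ(&c, p4.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() == p2.bits());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ptr = ptr;
+        ASSERT_EQ(&a, ptr.unpoisoned());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+#if COMPILER(CLANG)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunknown-pragmas"
+#pragma clang diagnostic ignored "-Wself-move"
+#endif
+        ptr = WTFMove(ptr);
+#if COMPILER(CLANG)
+#pragma clang diagnostic pop
+#endif
+        ASSERT_EQ(&a, ptr.unpoisoned());
+    }
+}
+
+TEST(WTF_ConstExprPoisoned, Swap)
+{
+    RefLogger a("a");
+    RefLogger b("b");
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+        ConstExprPoisoned<PoisonA, RefLogger*> p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+        p1.swap(p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+
+        ConstExprPoisoned<PoisonA, RefLogger*> p3(&a);
+        ConstExprPoisoned<PoisonB, RefLogger*> p4(&b);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+        p3.swap(p4);
+        ASSERT_EQ(&b, p3.unpoisoned());
+        ASSERT_EQ(&a, p4.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() != p2.bits());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+        ASSERT_TRUE(p1.bits() == p3.bits());
+        ASSERT_TRUE(p2.bits() != p4.bits());
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+        ConstExprPoisoned<PoisonA, RefLogger*> p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+        swap(p1, p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+
+        ConstExprPoisoned<PoisonA, RefLogger*> p3(&a);
+        ConstExprPoisoned<PoisonB, RefLogger*> p4(&b);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+        swap(p3, p4);
+        ASSERT_EQ(&b, p3.unpoisoned());
+        ASSERT_EQ(&a, p4.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() != p2.bits());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+        ASSERT_TRUE(p1.bits() == p3.bits());
+        ASSERT_TRUE(p2.bits() != p4.bits());
+    }
+}
+
+static ConstExprPoisoned<PoisonA, RefLogger*> poisonedPtrFoo(RefLogger& logger)
+{
+    return ConstExprPoisoned<PoisonA, RefLogger*>(&logger);
+}
+
+TEST(WTF_ConstExprPoisoned, ReturnValue)
+{
+    DerivedRefLogger a("a");
+
+    {
+        auto ptr = poisonedPtrFoo(a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ASSERT_EQ(&a, &*ptr);
+        ASSERT_EQ(&a.name, &ptr->name);
+    }
+}
+
+} // namespace TestWebKitAPI
+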
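Review bot: Nothing in this file checks that poisoning actually transforms the stored value: every assertion compares `unpoisoned()` against the raw pointer or `bits()` between two ConstExprPoisoned instances, so an implementation whose poison step is a no-op would still pass Basic, Assignment and Swap. Since the stated purpose of this class family is to scramble pointer values, add one assertion in Basic such as `ASSERT_TRUE(ptr.bits() != reinterpret_cast<uintptr_t>(&a));` (assuming `bits()` returns the raw representation as an integer, which the existing `==`/`!=` comparisons on it suggest). Several APIs the ChangeLog lists for this change — `exchange`, `operator!=`, `operator<`/`<=`/`>`/`>=`, `operator!` and `operator bool` — have no test here either. The `#include <mutex>` near the top is unused in this file (there is no `std::call_once` here, unlike Poisoned.cpp) and can be dropped. Also, `ptr = ptr;` in Assignment has no diagnostic guard while the self-move a few lines below does; newer clang versions warn on overloaded self-assignment too, so the same push/pop may be needed around it.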
<div class="addfile"><h4>Added: branches/safari-604-branch/Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp (0 => 226133)</h4>
<span class="info">--- branches/safari-604-branch/Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp                            (rev 0)
+++ branches/safari-604-branch/Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp       2017-12-19 19:34:17 UTC (rev 226133)
</span><span class="lines">@@ -0,0 +1,391 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "RefLogger.h"
+#include <mutex>
+#include <wtf/Poisoned.h>
+
+namespace TestWebKitAPI {
+
+uintptr_t g_testPoisonA;
+uintptr_t g_testPoisonB;
+
+static void initializeTestPoison()
+{
+    static std::once_flag initializeOnceFlag;
+    std::call_once(initializeOnceFlag, [] {
+        // Make sure we get 2 different poison values.
+        g_testPoisonA = makePoison();
+        while (!g_testPoisonB || g_testPoisonB == g_testPoisonA)
+            g_testPoisonB = makePoison();
+    });
+}
+
+// For these tests, we need a base class and a derived class. For this purpose,
+// we reuse the RefLogger and DerivedRefLogger classes.
+
+TEST(WTF_Poisoned, Basic)
+{
+    initializeTestPoison();
+    DerivedRefLogger a("a");
+
+    Poisoned<g_testPoisonA, RefLogger*> empty;
+    ASSERT_EQ(nullptr, empty.unpoisoned());
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ASSERT_EQ(&a, &*ptr);
+        ASSERT_EQ(&a.name, &ptr->name);
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> ptr = &a;
+        ASSERT_EQ(&a, ptr.unpoisoned());
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1 = &a;
+        Poisoned<g_testPoisonA, RefLogger*> p2(p1);
+
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+        ASSERT_TRUE(p1.bits() == p2.bits());
+
+#if ENABLE(MIXED_POISON)
+        Poisoned<g_testPoisonB, RefLogger*> p3(p1);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_TRUE(p1.bits() != p3.bits());
+#endif
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1 = &a;
+        Poisoned<g_testPoisonA, RefLogger*> p2 = p1;
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+        ASSERT_TRUE(p1.bits() == p2.bits());
+
+#if ENABLE(MIXED_POISON)
+        Poisoned<g_testPoisonB, RefLogger*> p3 = p1;
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_TRUE(p1.bits() != p3.bits());
+#endif
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1 = &a;
+        Poisoned<g_testPoisonA, RefLogger*> p2 = WTFMove(p1);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+        ASSERT_TRUE(p1.bits() == p2.bits());
+
+#if ENABLE(MIXED_POISON)
+        Poisoned<g_testPoisonA, RefLogger*> p3 = &a;
+        Poisoned<g_testPoisonB, RefLogger*> p4 = WTFMove(p3);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&a, p4.unpoisoned());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+#endif
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1 = &a;
+        Poisoned<g_testPoisonA, RefLogger*> p2(WTFMove(p1));
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+        ASSERT_TRUE(p1.bits() == p2.bits());
+
+#if ENABLE(MIXED_POISON)
+        Poisoned<g_testPoisonA, RefLogger*> p3 = &a;
+        Poisoned<g_testPoisonB, RefLogger*> p4(WTFMove(p3));
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&a, p4.unpoisoned());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+#endif
+    }
+
+#if ENABLE(MIXED_POISON)
+    {
+        Poisoned<g_testPoisonA, DerivedRefLogger*> p1 = &a;
+        Poisoned<g_testPoisonA, RefLogger*> p2 = p1;
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+        ASSERT_TRUE(p1.bits() == p2.bits());
+
+        Poisoned<g_testPoisonB, RefLogger*> p3 = p1;
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_TRUE(p1.bits() != p3.bits());
+    }
+#endif
+
+#if ENABLE(MIXED_POISON)
+    {
+        Poisoned<g_testPoisonA, DerivedRefLogger*> p1 = &a;
+        Poisoned<g_testPoisonA, RefLogger*> p2 = WTFMove(p1);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+        ASSERT_TRUE(p1.bits() == p2.bits());
+
+        Poisoned<g_testPoisonA, DerivedRefLogger*> p3 = &a;
+        Poisoned<g_testPoisonB, RefLogger*> p4 = WTFMove(p3);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&a, p4.unpoisoned());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+    }
+#endif
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ptr.clear();
+        ASSERT_EQ(nullptr, ptr.unpoisoned());
+    }
+}
+
+TEST(WTF_Poisoned, Assignment)
+{
+    initializeTestPoison();
+    DerivedRefLogger a("a");
+    RefLogger b("b");
+    DerivedRefLogger c("c");
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+        Poisoned<g_testPoisonA, RefLogger*> p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+        p1 = p2;
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+        ASSERT_TRUE(p1.bits() == p2.bits());
+
+#if ENABLE(MIXED_POISON)
+        Poisoned<g_testPoisonA, RefLogger*> p3(&a);
+        Poisoned<g_testPoisonB, RefLogger*> p4(&b);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+        p3 = p4;
+        ASSERT_EQ(&b, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+#endif
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ptr = &b;
+        ASSERT_EQ(&b, ptr.unpoisoned());
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ptr = nullptr;
+        ASSERT_EQ(nullptr, ptr.unpoisoned());
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+        Poisoned<g_testPoisonA, RefLogger*> p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+        p1 = WTFMove(p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+        ASSERT_TRUE(p1.bits() == p2.bits());
+
+#if ENABLE(MIXED_POISON)
+        Poisoned<g_testPoisonA, RefLogger*> p3(&a);
+        Poisoned<g_testPoisonB, RefLogger*> p4(&b);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+        p3 = WTFMove(p4);
+        ASSERT_EQ(&b, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+#endif
+    }
+
+#if ENABLE(MIXED_POISON)
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+        Poisoned<g_testPoisonA, DerivedRefLogger*> p2(&c);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&c, p2.unpoisoned());
+        p1 = p2;
+        ASSERT_EQ(&c, p1.unpoisoned());
+        ASSERT_EQ(&c, p2.unpoisoned());
+        ASSERT_TRUE(p1.bits() == p2.bits());
+
+        Poisoned<g_testPoisonA, RefLogger*> p3(&a);
+        Poisoned<g_testPoisonB, DerivedRefLogger*> p4(&c);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&c, p4.unpoisoned());
+        p3 = p4;
+        ASSERT_EQ(&c, p3.unpoisoned());
+        ASSERT_EQ(&c, p4.unpoisoned());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+    }
+#endif
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ptr = &c;
+        ASSERT_EQ(&c, ptr.unpoisoned());
+    }
+
+#if ENABLE(MIXED_POISON)
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+        Poisoned<g_testPoisonA, DerivedRefLogger*> p2(&c);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&c, p2.unpoisoned());
+        p1 = WTFMove(p2);
+        ASSERT_EQ(&c, p1.unpoisoned());
+        ASSERT_EQ(&c, p2.unpoisoned());
+        ASSERT_TRUE(p1.bits() == p2.bits());
+
+        Poisoned<g_testPoisonA, RefLogger*> p3(&a);
+        Poisoned<g_testPoisonB, DerivedRefLogger*> p4(&c);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&c, p4.unpoisoned());
+        p3 = WTFMove(p4);
+        ASSERT_EQ(&c, p3.unpoisoned());
+        ASSERT_EQ(&c, p4.unpoisoned());
+        ASSERT_TRUE(p3.bits() != p4.bits());
+    }
+#endif
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ptr = ptr;
+        ASSERT_EQ(&a, ptr.unpoisoned());
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> ptr(&a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+#if COMPILER(CLANG)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunknown-pragmas"
+#pragma clang diagnostic ignored "-Wself-move"
+#endif
+        ptr = WTFMove(ptr);
+#if COMPILER(CLANG)
+#pragma clang diagnostic pop
+#endif
+        ASSERT_EQ(&a, ptr.unpoisoned());
+    }
+}
+
+TEST(WTF_Poisoned, Swap)
+{
+    initializeTestPoison();
+    RefLogger a("a");
+    RefLogger b("b");
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+        Poisoned<g_testPoisonA, RefLogger*> p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+        p1.swap(p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() != p2.bits());
+
+#if ENABLE(MIXED_POISON)
+        Poisoned<g_testPoisonA, RefLogger*> p3(&a);
+        Poisoned<g_testPoisonB, RefLogger*> p4(&b);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+        p3.swap(p4);
+        ASSERT_EQ(&b, p3.unpoisoned());
+        ASSERT_EQ(&a, p4.unpoisoned());
+
+        ASSERT_TRUE(p3.bits() != p4.bits());
+        ASSERT_TRUE(p1.bits() == p3.bits());
+        ASSERT_TRUE(p2.bits() != p4.bits());
+#endif
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+        Poisoned<g_testPoisonA, RefLogger*> p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2.unpoisoned());
+#if ENABLE(MIXED_POISON)
+        swap(p1, p2);
+#else
+        std::swap(p1, p2);
+#endif
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2.unpoisoned());
+
+        ASSERT_TRUE(p1.bits() != p2.bits());
+
+#if ENABLE(MIXED_POISON)
+        Poisoned<g_testPoisonA, RefLogger*> p3(&a);
+        Poisoned<g_testPoisonB, RefLogger*> p4(&b);
+        ASSERT_EQ(&a, p3.unpoisoned());
+        ASSERT_EQ(&b, p4.unpoisoned());
+        swap(p3, p4);
+        ASSERT_EQ(&b, p3.unpoisoned());
+        ASSERT_EQ(&a, p4.unpoisoned());
+
+        ASSERT_TRUE(p3.bits() != p4.bits());
+        ASSERT_TRUE(p1.bits() == p3.bits());
+        ASSERT_TRUE(p2.bits() != p4.bits());
+#endif
+    }
+}
+
+static Poisoned<g_testPoisonA, RefLogger*> poisonedPtrFoo(RefLogger& logger)
+{
+    return Poisoned<g_testPoisonA, RefLogger*>(&logger);
+}
+
+TEST(WTF_Poisoned, ReturnValue)
+{
+    initializeTestPoison();
+    DerivedRefLogger a("a");
+
+    {
+        auto ptr = poisonedPtrFoo(a);
+        ASSERT_EQ(&a, ptr.unpoisoned());
+        ASSERT_EQ(&a, &*ptr);
+        ASSERT_EQ(&a.name, &ptr->name);
+    }
+}
+
+} // namespace TestWebKitAPI
+
</ins></span></pre>
</div>
</div>

</body>
</html>