Bug 981991 - Replace JS_*_POISON macros with inline functions r=jandem
authorJon Coppeard <jcoppeard@mozilla.com>
Thu, 10 Jan 2019 13:21:45 +0000
changeset 453250 77dfbff3744411eaec7b5d834e3c517dda9c22b6
parent 453249 3922da7f8c518a0dfe111458859e5dc45e477a62
child 453251 65174e3014705687e7ca1050d5d1ffbe81126ac0
push id35350
push userbtara@mozilla.com
push dateThu, 10 Jan 2019 17:21:43 +0000
treeherdermozilla-central@d0a6668cf2fe [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem
bugs981991
milestone66.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 981991 - Replace JS_*_POISON macros with inline functions r=jandem
js/src/builtin/Array.cpp
js/src/builtin/Promise.cpp
js/src/frontend/NameFunctions.cpp
js/src/gc/Allocator.cpp
js/src/gc/GC.cpp
js/src/gc/Heap.h
js/src/gc/Marking.cpp
js/src/gc/Nursery.cpp
js/src/jit/ExecutableAllocator.cpp
js/src/jsutil.h
js/src/vm/Iteration.cpp
js/src/vm/JSScript.cpp
js/src/vm/Scope.h
js/src/vm/TypeInference.cpp
--- a/js/src/builtin/Array.cpp
+++ b/js/src/builtin/Array.cpp
@@ -4419,17 +4419,17 @@ void js::ArraySpeciesLookup::initialize(
   arraySpeciesShape_ = speciesShape;
   canonicalSpeciesFunc_ = speciesFun;
 #endif
   arrayProtoShape_ = arrayProto->lastProperty();
   arrayProtoConstructorSlot_ = ctorShape->slot();
 }
 
 void js::ArraySpeciesLookup::reset() {
-  JS_POISON(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
+  Poison(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
   state_ = State::Uninitialized;
 }
 
 bool js::ArraySpeciesLookup::isArrayStateStillSane() {
   MOZ_ASSERT(state_ == State::Initialized);
 
   // Ensure that Array.prototype still has the expected shape.
   if (arrayProto_->lastProperty() != arrayProtoShape_) {
--- a/js/src/builtin/Promise.cpp
+++ b/js/src/builtin/Promise.cpp
@@ -4690,17 +4690,17 @@ void js::PromiseLookup::initialize(JSCon
 #endif
   promiseProtoShape_ = promiseProto->lastProperty();
   promiseResolveSlot_ = resolveShape->slot();
   promiseProtoConstructorSlot_ = ctorShape->slot();
   promiseProtoThenSlot_ = thenShape->slot();
 }
 
 void js::PromiseLookup::reset() {
-  JS_POISON(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
+  Poison(this, 0xBB, sizeof(*this), MemCheckKind::MakeUndefined);
   state_ = State::Uninitialized;
 }
 
 bool js::PromiseLookup::isPromiseStateStillSane(JSContext* cx) {
   MOZ_ASSERT(state_ == State::Initialized);
 
   NativeObject* promiseProto = getPromisePrototype(cx);
   MOZ_ASSERT(promiseProto);
--- a/js/src/frontend/NameFunctions.cpp
+++ b/js/src/frontend/NameFunctions.cpp
@@ -980,18 +980,18 @@ class NameResolver {
 
     // It would be nice to common up the repeated |parents[initialParents]|
     // in a single variable, but the #if condition required to prevent an
     // unused-variable warning across three separate conditionally-expanded
     // macros would be super-ugly.  :-(
     MOZ_ASSERT(parents[initialParents] == cur,
                "pushed child shouldn't change underneath us");
 
-    JS_POISON(&parents[initialParents], 0xFF, sizeof(parents[initialParents]),
-              MemCheckKind::MakeUndefined);
+    Poison(&parents[initialParents], 0xFF, sizeof(parents[initialParents]),
+           MemCheckKind::MakeUndefined);
 
     return true;
   }
 };
 
 } /* anonymous namespace */
 
 bool frontend::NameFunctions(JSContext* cx, ParseNode* pn) {
--- a/js/src/gc/Allocator.cpp
+++ b/js/src/gc/Allocator.cpp
@@ -729,18 +729,18 @@ void BackgroundAllocTask::run() {
 void Chunk::init(JSRuntime* rt) {
   /* The chunk may still have some regions marked as no-access. */
   MOZ_MAKE_MEM_UNDEFINED(this, ChunkSize);
 
   /*
    * Poison the chunk. Note that decommitAllArenas() below will mark the
    * arenas as inaccessible (for memory sanitizers).
    */
-  JS_POISON(this, JS_FRESH_TENURED_PATTERN, ChunkSize,
-            MemCheckKind::MakeUndefined);
+  Poison(this, JS_FRESH_TENURED_PATTERN, ChunkSize,
+         MemCheckKind::MakeUndefined);
 
   /*
    * We clear the bitmap to guard against JS::GCThingIsMarkedGray being called
    * on uninitialized data, which would happen before the first GC cycle.
    */
   bitmap.clear();
 
   /*
--- a/js/src/gc/GC.cpp
+++ b/js/src/gc/GC.cpp
@@ -585,26 +585,26 @@ inline size_t Arena::finalize(FreeOp* fo
         newListTail->initBounds(firstThingOrSuccessorOfLastMarkedThing,
                                 thing - thingSize, this);
         newListTail = newListTail->nextSpanUnchecked(this);
       }
       firstThingOrSuccessorOfLastMarkedThing = thing + thingSize;
       nmarked++;
     } else {
       t->finalize(fop);
-      JS_POISON(t, JS_SWEPT_TENURED_PATTERN, thingSize,
-                MemCheckKind::MakeUndefined);
+      Poison(t, JS_SWEPT_TENURED_PATTERN, thingSize,
+             MemCheckKind::MakeUndefined);
       gcTracer.traceTenuredFinalize(t);
     }
   }
 
   if (nmarked == 0) {
     // Do nothing. The caller will update the arena appropriately.
     MOZ_ASSERT(newListTail == &newListHead);
-    JS_EXTRA_POISON(data, JS_SWEPT_TENURED_PATTERN, sizeof(data),
+    DebugOnlyPoison(data, JS_SWEPT_TENURED_PATTERN, sizeof(data),
                     MemCheckKind::MakeUndefined);
     return nmarked;
   }
 
   MOZ_ASSERT(firstThingOrSuccessorOfLastMarkedThing != firstThing);
   uint_fast16_t lastMarkedThing =
       firstThingOrSuccessorOfLastMarkedThing - thingSize;
   if (lastThing == lastMarkedThing) {
@@ -2948,19 +2948,19 @@ void GCRuntime::releaseRelocatedArenasWi
 
     // Clear the mark bits
     arena->unmarkAll();
 
     // Mark arena as empty
     arena->setAsFullyUnused();
 
 #if defined(JS_CRASH_DIAGNOSTICS) || defined(JS_GC_ZEAL)
-    JS_POISON(reinterpret_cast<void*>(arena->thingsStart()),
-              JS_MOVED_TENURED_PATTERN, arena->getThingsSpan(),
-              MemCheckKind::MakeNoAccess);
+    Poison(reinterpret_cast<void*>(arena->thingsStart()),
+           JS_MOVED_TENURED_PATTERN, arena->getThingsSpan(),
+           MemCheckKind::MakeNoAccess);
 #endif
 
     releaseArena(arena, lock);
     ++count;
   }
 }
 
 // In debug mode we don't always release relocated arenas straight away.
--- a/js/src/gc/Heap.h
+++ b/js/src/gc/Heap.h
@@ -161,19 +161,18 @@ class FreeSpan {
       // The last space points to the next free span (which may be empty).
       const FreeSpan* next = nextSpan(arena);
       first = next->first;
       last = next->last;
     } else {
       return nullptr;  // The span is empty.
     }
     checkSpan(arena);
-    JS_EXTRA_POISON(reinterpret_cast<void*>(thing),
-                    JS_ALLOCATED_TENURED_PATTERN, thingSize,
-                    MemCheckKind::MakeUndefined);
+    DebugOnlyPoison(reinterpret_cast<void*>(thing), JS_ALLOCATED_TENURED_PATTERN,
+                    thingSize, MemCheckKind::MakeUndefined);
     return reinterpret_cast<TenuredCell*>(thing);
   }
 
   inline void checkSpan(const Arena* arena) const;
   inline void checkRange(uintptr_t first, uintptr_t last,
                          const Arena* arena) const;
 };
 
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@@ -2282,18 +2282,18 @@ bool MarkStack::resize(size_t newCapacit
   return true;
 }
 
 inline void MarkStack::poisonUnused() {
   static_assert((JS_FRESH_MARK_STACK_PATTERN & TagMask) > LastTag,
                 "The mark stack poison pattern must not look like a valid "
                 "tagged pointer");
 
-  JS_POISON(stack().begin() + topIndex_, JS_FRESH_MARK_STACK_PATTERN,
-            stack().capacity() - topIndex_, MemCheckKind::MakeUndefined);
+  Poison(stack().begin() + topIndex_, JS_FRESH_MARK_STACK_PATTERN,
+         stack().capacity() - topIndex_, MemCheckKind::MakeUndefined);
 }
 
 size_t MarkStack::sizeOfExcludingThis(
     mozilla::MallocSizeOf mallocSizeOf) const {
   return stack().sizeOfExcludingThis(mallocSizeOf);
 }
 
 MarkStackIter::MarkStackIter(MarkStack& stack)
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -67,29 +67,29 @@ static_assert(sizeof(js::NurseryChunk) =
               "Nursery chunk size must match gc::Chunk size.");
 
 } /* namespace js */
 
 inline void js::NurseryChunk::poisonAndInit(JSRuntime* rt, size_t extent) {
   MOZ_ASSERT(extent <= ChunkSize);
   MOZ_MAKE_MEM_UNDEFINED(this, extent);
 
-  JS_POISON(this, JS_FRESH_NURSERY_PATTERN, extent,
-            MemCheckKind::MakeUndefined);
+  Poison(this, JS_FRESH_NURSERY_PATTERN, extent,
+         MemCheckKind::MakeUndefined);
 
   new (&trailer) gc::ChunkTrailer(rt, &rt->gc.storeBuffer());
 }
 
 inline void js::NurseryChunk::poisonAfterSweep(size_t extent) {
   MOZ_ASSERT(extent <= ChunkSize);
   // We can poison the same chunk more than once, so first make sure memory
   // sanitizers will let us poison it.
   MOZ_MAKE_MEM_UNDEFINED(this, extent);
 
-  JS_POISON(this, JS_SWEPT_NURSERY_PATTERN, extent, MemCheckKind::MakeNoAccess);
+  Poison(this, JS_SWEPT_NURSERY_PATTERN, extent, MemCheckKind::MakeNoAccess);
 }
 
 /* static */ inline js::NurseryChunk* js::NurseryChunk::fromChunk(
     Chunk* chunk) {
   return reinterpret_cast<NurseryChunk*>(chunk);
 }
 
 inline Chunk* js::NurseryChunk::toChunk(JSRuntime* rt) {
@@ -369,17 +369,17 @@ void* js::Nursery::allocate(size_t size)
 
   void* thing = (void*)position();
   position_ = position() + size;
   // We count this regardless of the profiler's state, assuming that it costs
   // just as much to count it, as to check the profiler's state and decide not
   // to count it.
   stats().noteNurseryAlloc();
 
-  JS_EXTRA_POISON(thing, JS_ALLOCATED_NURSERY_PATTERN, size,
+  DebugOnlyPoison(thing, JS_ALLOCATED_NURSERY_PATTERN, size,
                   MemCheckKind::MakeUndefined);
 
 #ifdef JS_GC_ZEAL
   if (runtime()->gc.hasZealMode(ZealMode::CheckNursery)) {
     auto canary = reinterpret_cast<Canary*>(position() - CanarySize);
     canary->magicValue = CanaryMagicValue;
     canary->next = nullptr;
     if (lastCanary_) {
--- a/js/src/jit/ExecutableAllocator.cpp
+++ b/js/src/jit/ExecutableAllocator.cpp
@@ -288,19 +288,19 @@ void ExecutableAllocator::addSizeOfCode(
 
     // Use the pool's mark bit to indicate we made the pool writable.
     // This avoids reprotecting a pool multiple times.
     if (!pool->isMarked()) {
       reprotectPool(rt, pool, ProtectionSetting::Writable);
       pool->mark();
     }
 
-    // Note: we use memset instead of JS_POISON because we want to poison
+    // Note: we use memset instead of js::Poison because we want to poison
     // JIT code in release builds too. Furthermore, we don't want the
-    // invalid-ObjectValue poisoning JS_POISON does in debug builds.
+    // invalid-ObjectValue poisoning js::Poison does in debug builds.
     memset(ranges[i].start, JS_SWEPT_CODE_PATTERN, ranges[i].size);
     MOZ_MAKE_MEM_NOACCESS(ranges[i].start, ranges[i].size);
   }
 
   // Make the pools executable again and drop references.
   for (size_t i = 0; i < ranges.length(); i++) {
     ExecutablePool* pool = ranges[i].pool;
     if (pool->isMarked()) {
--- a/js/src/jsutil.h
+++ b/js/src/jsutil.h
@@ -18,16 +18,26 @@
 #include "mozilla/PodOperations.h"
 
 #include <limits.h>
 
 #include "js/Initialization.h"
 #include "js/Utility.h"
 #include "js/Value.h"
 
+/* Crash diagnostics by default in debug and on nightly channel. */
+#if defined(DEBUG) || defined(NIGHTLY_BUILD)
+#define JS_CRASH_DIAGNOSTICS 1
+#endif
+
+/* Enable poisoning in crash-diagnostics and zeal builds. */
+#if defined(JS_CRASH_DIAGNOSTICS) || defined(JS_GC_ZEAL)
+#define JS_GC_POISONING 1
+#endif
+
 #if defined(JS_DEBUG)
 #define JS_DIAGNOSTICS_ASSERT(expr) MOZ_ASSERT(expr)
 #elif defined(JS_CRASH_DIAGNOSTICS)
 #define JS_DIAGNOSTICS_ASSERT(expr)         \
   do {                                      \
     if (MOZ_UNLIKELY(!(expr))) MOZ_CRASH(); \
   } while (0)
 #else
@@ -282,16 +292,17 @@ static MOZ_ALWAYS_INLINE void SetMemChec
       MOZ_MAKE_MEM_NOACCESS(ptr, bytes);
       return;
   }
   MOZ_CRASH("Invalid kind");
 }
 
 namespace js {
 
+// Unconditionally poison a region on memory.
 static inline void AlwaysPoison(void* ptr, uint8_t value, size_t num,
                                 MemCheckKind kind) {
   // Without a valid Value tag, a poisoned Value may look like a valid
   // floating point number. To ensure that we crash more readily when
   // observing a poisoned Value, we make the poison an invalid ObjectValue.
   // Unfortunately, this adds about 2% more overhead, so we can only enable
   // it in debug.
 #if defined(DEBUG)
@@ -315,38 +326,32 @@ static inline void AlwaysPoison(void* pt
 #endif  // !DEBUG
 
   SetMemCheckKind(ptr, num, kind);
 }
 
 // JSGC_DISABLE_POISONING environment variable
 extern bool gDisablePoisoning;
 
+// Poison a region of memory in debug and nightly builds (plus builds where GC
+// zeal is configured). Can be disabled by setting the JSGC_DISABLE_POISONING
+// environment variable.
 static inline void Poison(void* ptr, uint8_t value, size_t num,
                           MemCheckKind kind) {
+#if defined(JS_CRASH_DIAGNOSTICS) || defined(JS_GC_ZEAL)
   if (!js::gDisablePoisoning) {
     AlwaysPoison(ptr, value, num, kind);
   }
+#endif
+}
+
+// Poison a region of memory in debug builds. Can be disabled by setting the
+// JSGC_DISABLE_POISONING environment variable.
+static inline void DebugOnlyPoison(void* ptr, uint8_t value, size_t num,
+                                   MemCheckKind kind) {
+#if defined(DEBUG)
+  Poison(ptr, value, num, kind);
+#endif
 }
 
 }  // namespace js
 
-/* Crash diagnostics by default in debug and on nightly channel. */
-#if defined(DEBUG) || defined(NIGHTLY_BUILD)
-#define JS_CRASH_DIAGNOSTICS 1
-#endif
-
-/* Enable poisoning in crash-diagnostics and zeal builds. */
-#if defined(JS_CRASH_DIAGNOSTICS) || defined(JS_GC_ZEAL)
-#define JS_POISON(p, val, size, kind) js::Poison(p, val, size, kind)
-#define JS_GC_POISONING 1
-#else
-#define JS_POISON(p, val, size, kind) ((void)0)
-#endif
-
-/* Enable even more poisoning in purely debug builds. */
-#if defined(DEBUG)
-#define JS_EXTRA_POISON(p, val, size, kind) js::Poison(p, val, size, kind)
-#else
-#define JS_EXTRA_POISON(p, val, size, kind) ((void)0)
-#endif
-
 #endif /* jsutil_h */
--- a/js/src/vm/Iteration.cpp
+++ b/js/src/vm/Iteration.cpp
@@ -669,18 +669,18 @@ static PropertyIteratorObject* CreatePro
 /**
  * Initialize a sentinel NativeIterator whose purpose is only to act as the
  * start/end of the circular linked list of NativeIterators in
  * ObjectRealm::enumerators.
  */
 NativeIterator::NativeIterator() {
   // Do our best to enforce that nothing in |this| except the two fields set
   // below is ever observed.
-  JS_POISON(static_cast<void*>(this), 0xCC, sizeof(*this),
-            MemCheckKind::MakeUndefined);
+  Poison(static_cast<void*>(this), 0xCC, sizeof(*this),
+         MemCheckKind::MakeUndefined);
 
   // These are the only two fields in sentinel NativeIterators that are
   // examined, in ObjectRealm::sweepNativeIterators.  Everything else is
   // only examined *if* it's a NativeIterator being traced by a
   // PropertyIteratorObject that owns it, and nothing owns this iterator.
   prev_ = next_ = this;
 }
 
--- a/js/src/vm/JSScript.cpp
+++ b/js/src/vm/JSScript.cpp
@@ -3560,17 +3560,17 @@ void JSScript::finalize(FreeOp* fop) {
 #ifdef MOZ_VTUNE
   if (realm()->scriptVTuneIdMap) {
     // Note: we should only get here if the VTune JIT profiler is running.
     realm()->scriptVTuneIdMap->remove(this);
   }
 #endif
 
   if (data_) {
-    JS_POISON(data_, 0xdb, computedSizeOfData(), MemCheckKind::MakeNoAccess);
+    Poison(data_, 0xdb, computedSizeOfData(), MemCheckKind::MakeNoAccess);
     fop->free_(data_);
   }
 
   if (scriptData_) {
     scriptData_->decRefCount();
   }
 
   // In most cases, our LazyScript's script pointer will reference this
--- a/js/src/vm/Scope.h
+++ b/js/src/vm/Scope.h
@@ -171,18 +171,18 @@ class TrailingNamesArray {
 
  public:
   // Explicitly ensure no one accidentally allocates scope data without
   // poisoning its trailing names.
   TrailingNamesArray() = delete;
 
   explicit TrailingNamesArray(size_t nameCount) {
     if (nameCount) {
-      JS_POISON(&data_, 0xCC, sizeof(BindingName) * nameCount,
-                MemCheckKind::MakeUndefined);
+      Poison(&data_, 0xCC, sizeof(BindingName) * nameCount,
+             MemCheckKind::MakeUndefined);
     }
   }
 
   BindingName* start() { return reinterpret_cast<BindingName*>(ptr()); }
 
   BindingName& get(size_t i) { return start()[i]; }
   BindingName& operator[](size_t i) { return get(i); }
 };
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -4464,19 +4464,19 @@ void ConstraintTypeSet::sweep(const Auto
         flags |= TYPE_FLAG_ANYOBJECT;
         clearObjects();
         objectCount = 0;
         break;
       }
     }
     setBaseObjectCount(objectCount);
     // Note: -1/+1 to also poison the capacity field.
-    JS_POISON(oldArray - 1, JS_SWEPT_TI_PATTERN,
-              (oldCapacity + 1) * sizeof(oldArray[0]),
-              MemCheckKind::MakeUndefined);
+    Poison(oldArray - 1, JS_SWEPT_TI_PATTERN,
+           (oldCapacity + 1) * sizeof(oldArray[0]),
+           MemCheckKind::MakeUndefined);
   } else if (objectCount == 1) {
     ObjectKey* key = (ObjectKey*)objectSet;
     if (!IsObjectKeyAboutToBeFinalized(&key)) {
       objectSet = reinterpret_cast<ObjectKey**>(key);
     } else {
       // As above, mark type sets containing objects with unknown
       // properties as unknown.
       if (key->isGroup() &&
@@ -4502,18 +4502,18 @@ void ConstraintTypeSet::sweep(const Auto
         MOZ_ASSERT(zone->types.typeLifoAlloc().contains(copy));
         copy->setNext(constraintList_);
         constraintList_ = copy;
       } else {
         zone->types.setOOMSweepingTypes();
       }
     }
     TypeConstraint* next = constraint->next();
-    JS_POISON(constraint, JS_SWEPT_TI_PATTERN, sizeof(TypeConstraint),
-              MemCheckKind::MakeUndefined);
+    Poison(constraint, JS_SWEPT_TI_PATTERN, sizeof(TypeConstraint),
+           MemCheckKind::MakeUndefined);
     constraint = next;
   }
 }
 
 inline void ObjectGroup::clearProperties(const AutoSweepObjectGroup& sweep) {
   // We're about to remove edges from the group to property ids. Incremental
   // GC should know about these edges.
   if (zone()->needsIncrementalBarrier()) {
@@ -4580,18 +4580,18 @@ void ObjectGroup::sweep(const AutoSweepO
   if (propertyCount >= 2) {
     unsigned oldCapacity = TypeHashSet::Capacity(propertyCount);
     Property** oldArray = propertySet;
 
     MOZ_RELEASE_ASSERT(uintptr_t(oldArray[-1]) == oldCapacity);
 
     auto poisonArray = mozilla::MakeScopeExit([oldArray, oldCapacity] {
       size_t size = sizeof(Property*) * (oldCapacity + 1);
-      JS_POISON(oldArray - 1, JS_SWEPT_TI_PATTERN, size,
-                MemCheckKind::MakeUndefined);
+      Poison(oldArray - 1, JS_SWEPT_TI_PATTERN, size,
+             MemCheckKind::MakeUndefined);
     });
 
     unsigned oldPropertyCount = propertyCount;
     unsigned oldPropertiesFound = 0;
 
     clearProperties(sweep);
     propertyCount = 0;
     for (unsigned i = 0; i < oldCapacity; i++) {
@@ -4602,24 +4602,24 @@ void ObjectGroup::sweep(const AutoSweepO
         if (singleton() && !prop->types.constraintList(sweep) &&
             !zone()->isPreservingCode()) {
           /*
            * Don't copy over properties of singleton objects when their
            * presence will not be required by jitcode or type constraints
            * (i.e. for the definite properties analysis). The contents of
            * these type sets will be regenerated as necessary.
            */
-          JS_POISON(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
-                    MemCheckKind::MakeUndefined);
+          Poison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
+                 MemCheckKind::MakeUndefined);
           continue;
         }
 
         Property* newProp = typeLifoAlloc.new_<Property>(*prop);
-        JS_POISON(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
-                  MemCheckKind::MakeUndefined);
+        Poison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
+               MemCheckKind::MakeUndefined);
         if (newProp) {
           Property** pentry = TypeHashSet::Insert<jsid, Property, Property>(
               typeLifoAlloc, propertySet, propertyCount, newProp->id);
           if (pentry) {
             *pentry = newProp;
             newProp->types.sweep(sweep, zone());
             continue;
           }
@@ -4635,23 +4635,23 @@ void ObjectGroup::sweep(const AutoSweepO
     MOZ_RELEASE_ASSERT(oldPropertyCount == oldPropertiesFound);
     setBasePropertyCount(sweep, propertyCount);
   } else if (propertyCount == 1) {
     Property* prop = (Property*)propertySet;
     prop->types.checkMagic();
     if (singleton() && !prop->types.constraintList(sweep) &&
         !zone()->isPreservingCode()) {
       // Skip, as above.
-      JS_POISON(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
-                MemCheckKind::MakeUndefined);
+      Poison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
+             MemCheckKind::MakeUndefined);
       clearProperties(sweep);
     } else {
       Property* newProp = typeLifoAlloc.new_<Property>(*prop);
-      JS_POISON(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
-                MemCheckKind::MakeUndefined);
+      Poison(prop, JS_SWEPT_TI_PATTERN, sizeof(Property),
+             MemCheckKind::MakeUndefined);
       if (newProp) {
         propertySet = (Property**)newProp;
         newProp->types.sweep(sweep, zone());
       } else {
         zone()->types.setOOMSweepingTypes();
         addFlags(sweep,
                  OBJECT_FLAG_DYNAMIC_MASK | OBJECT_FLAG_UNKNOWN_PROPERTIES);
         clearProperties(sweep);