Modified: trunk/Source/_javascript_Core/ChangeLog (230722 => 230723)
--- trunk/Source/_javascript_Core/ChangeLog 2018-04-17 18:33:36 UTC (rev 230722)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-04-17 18:59:00 UTC (rev 230723)
@@ -1,3 +1,20 @@
+2018-04-17 Filip Pizlo <fpi...@apple.com>
+
+ JSWebAssemblyCodeBlock should be in an IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=184704
+
+ Reviewed by Mark Lam.
+
+ Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful.
+ CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace
+ shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF
+ protection.
+
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+
2018-04-17 Jer Noble <jer.no...@apple.com>
Only enable useSeparatedWXHeap on ARM64.
Modified: trunk/Source/_javascript_Core/runtime/VM.cpp (230722 => 230723)
--- trunk/Source/_javascript_Core/runtime/VM.cpp 2018-04-17 18:33:36 UTC (rev 230722)
+++ trunk/Source/_javascript_Core/runtime/VM.cpp 2018-04-17 18:59:00 UTC (rev 230723)
@@ -94,6 +94,7 @@
#include "JSWeakMap.h"
#include "JSWeakSet.h"
#include "JSWebAssembly.h"
+#include "JSWebAssemblyCodeBlock.h"
#include "JSWebAssemblyCodeBlockHeapCellType.h"
#include "JSWithScope.h"
#include "LLIntData.h"
@@ -253,9 +254,6 @@
, destructibleObjectSpace("JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get())
, eagerlySweptDestructibleObjectSpace("Eagerly Swept JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get())
, segmentedVariableObjectSpace("JSSegmentedVariableObjectSpace", heap, segmentedVariableObjectHeapCellType.get(), fastMallocAllocator.get())
-#if ENABLE(WEBASSEMBLY)
- , webAssemblyCodeBlockSpace("JSWebAssemblyCodeBlockSpace", heap, webAssemblyCodeBlockHeapCellType.get(), fastMallocAllocator.get())
-#endif
, asyncFunctionSpace ISO_SUBSPACE_INIT(heap, cellJSValueOOBHeapCellType.get(), JSAsyncFunction)
, asyncGeneratorFunctionSpace ISO_SUBSPACE_INIT(heap, cellJSValueOOBHeapCellType.get(), JSAsyncGeneratorFunction)
, boundFunctionSpace ISO_SUBSPACE_INIT(heap, cellJSValueOOBHeapCellType.get(), JSBoundFunction)
@@ -278,6 +276,7 @@
, weakSetSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), JSWeakSet)
, weakMapSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), JSWeakMap)
#if ENABLE(WEBASSEMBLY)
+ , webAssemblyCodeBlockSpace ISO_SUBSPACE_INIT(heap, webAssemblyCodeBlockHeapCellType.get(), JSWebAssemblyCodeBlock)
, webAssemblyFunctionSpace ISO_SUBSPACE_INIT(heap, cellJSValueOOBHeapCellType.get(), WebAssemblyFunction)
, webAssemblyWrapperFunctionSpace ISO_SUBSPACE_INIT(heap, cellJSValueOOBHeapCellType.get(), WebAssemblyWrapperFunction)
#endif
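Review bot: The `webAssemblyCodeBlockSpace` initializer added after `weakMapSpace` is only correct because the declaration in VM.h's second hunk is moved to the same slot, since members are initialized in declaration order; nothing in either file records that the two lists must stay in lockstep, so a later re-sort of one of them would surface only as a -Wreorder warning. A comment on the VM.h declaration such as `// Order must match the initializer list in VM::VM() (VM.cpp).` would make the coupling explicit. The initializer also keeps `webAssemblyCodeBlockHeapCellType.get()` from the removed CompleteSubspace line while its neighbours use `cellJSValueOOBHeapCellType`, which is presumably deliberate but reads like a copy-paste slip next to them; a one-line comment naming why this space needs its own cell type would help. VM::VM() begins and ends outside the hunk.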
Modified: trunk/Source/_javascript_Core/runtime/VM.h (230722 => 230723)
--- trunk/Source/_javascript_Core/runtime/VM.h 2018-04-17 18:33:36 UTC (rev 230722)
+++ trunk/Source/_javascript_Core/runtime/VM.h 2018-04-17 18:59:00 UTC (rev 230723)
@@ -336,9 +336,6 @@
CompleteSubspace destructibleObjectSpace;
CompleteSubspace eagerlySweptDestructibleObjectSpace;
CompleteSubspace segmentedVariableObjectSpace;
-#if ENABLE(WEBASSEMBLY)
- CompleteSubspace webAssemblyCodeBlockSpace;
-#endif
IsoSubspace asyncFunctionSpace;
IsoSubspace asyncGeneratorFunctionSpace;
@@ -362,6 +359,7 @@
IsoSubspace weakSetSpace;
IsoSubspace weakMapSpace;
#if ENABLE(WEBASSEMBLY)
+ IsoSubspace webAssemblyCodeBlockSpace;
IsoSubspace webAssemblyFunctionSpace;
IsoSubspace webAssemblyWrapperFunctionSpace;
#endif
Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h (230722 => 230723)
--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h 2018-04-17 18:33:36 UTC (rev 230722)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h 2018-04-17 18:59:00 UTC (rev 230723)
@@ -61,7 +61,7 @@
}
template<typename CellType>
- static CompleteSubspace* subspaceFor(VM& vm)
+ static IsoSubspace* subspaceFor(VM& vm)
{
return &vm.webAssemblyCodeBlockSpace;
}
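Review bot: `subspaceFor` now returns an IsoSubspace but still ignores its `CellType` template parameter, so any caller instantiating it for a differently sized cell would be routed into a subspace that, judging by the `JSWebAssemblyCodeBlock` argument to `ISO_SUBSPACE_INIT` in VM.cpp, is sized for exactly one cell type. A compile-time guard before the `return` would make that single-type contract explicit: `static_assert(sizeof(CellType) == sizeof(JSWebAssemblyCodeBlock), "webAssemblyCodeBlockSpace is an IsoSubspace sized for JSWebAssemblyCodeBlock");`. Whether ISO_SUBSPACE_INIT derives its size from that third argument is not visible here, so confirm against its definition before relying on the assertion. The enclosing class begins outside the hunk.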