Modified: trunk/Source/_javascript_Core/ChangeLog (226484 => 226485)
--- trunk/Source/_javascript_Core/ChangeLog 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,3 +1,30 @@
+2018-01-05 JF Bastien <[email protected]>
+
+ WebAssembly: poison JS object's secrets
+ https://bugs.webkit.org/show_bug.cgi?id=181339
+ <rdar://problem/36325001>
+
+ Reviewed by Mark Lam.
+
+ Separating WebAssembly's JS objects from their non-JS
+ implementation means that all interesting information lives
+ outside of the JS object itself. This patch poisons each JS
+ object's pointer to non-JS implementation using the poisoning
+ mechanism and a unique key per JS object type origin.
+
+ * runtime/JSCPoison.h:
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
+ object in a stack slot when fast TLS is disabled. This requires
+ that we unpoison the Wasm::Instance.
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ * wasm/js/JSWebAssemblyInstance.h:
+ (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
+ be explicit that the pointer is poisoned.
+ * wasm/js/JSWebAssemblyMemory.h:
+ * wasm/js/JSWebAssemblyModule.h:
+ * wasm/js/JSWebAssemblyTable.h:
+
2018-01-05 Michael Saboff <[email protected]>
Add ability to disable indexed property masking for testing
Modified: trunk/Source/_javascript_Core/runtime/JSCPoison.h (226484 => 226485)
--- trunk/Source/_javascript_Core/runtime/JSCPoison.h 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/runtime/JSCPoison.h 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -31,6 +31,11 @@
enum Poison {
NotPoisoned = 0,
+ JSWebAssemblyCodeBlockPoison,
+ JSWebAssemblyInstancePoison,
+ JSWebAssemblyMemoryPoison,
+ JSWebAssemblyModulePoison,
+ JSWebAssemblyTablePoison,
TransitionMapPoison,
WeakImplPoison,
};
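Review bot: The five new enumerators are inserted into `enum Poison` without any comment saying what the enumerators are for, even though each one is now used as the `key` argument of `makeConstExprPoison(uint32_t key)` (Poisoned.h) and as the non-type template argument of `PoisonedRef`/`PoisonedRefPtr` in the wasm headers. If the poison constant is derived from the enumerator's numeric value, inserting new entries ahead of `TransitionMapPoison` also changes the constants of the existing keys — harmless for compile-time-only values, but worth stating so nobody later assumes they are stable. A header comment such as `// Keys for makeConstExprPoison(): one distinct enumerator per poisoned pointer type. Values are compile-time only and may change when entries are added; NotPoisoned must stay 0.` would make the contract explicit.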
Modified: trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp (226484 => 226485)
--- trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -117,7 +117,9 @@
// Wasm::Context*'s instance.
if (!Context::useFastTLS()) {
jit.loadPtr(CCallHelpers::Address(GPRInfo::callFrameRegister, jsOffset), wasmContextInstanceGPR);
- jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfInstance()), wasmContextInstanceGPR);
+ jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfPoisonedInstance()), wasmContextInstanceGPR);
+ jit.move(CCallHelpers::TrustedImm64(makeConstExprPoison(JSWebAssemblyInstancePoison)), scratchReg);
+ jit.xor64(scratchReg, wasmContextInstanceGPR);
jsOffset += sizeof(EncodedJSValue);
}
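Review bot: The unpoisoning on the three new lines re-implements the `PoisonedRef` decoding by hand in emitted code (load the poisoned bits, materialize `makeConstExprPoison(JSWebAssemblyInstancePoison)` in `scratchReg`, `xor64`), so this site and `PoisonedImpl::unpoisoned()` in Poisoned.h can silently drift apart if the encoding ever changes — the compiler will not catch it, only a wasm crash or a test will. A comment tying the two together is the minimum, e.g. `// m_instance is a PoisonedRef: unpoison exactly as PoisonedImpl::unpoisoned() does (bits ^ makeConstExprPoison(JSWebAssemblyInstancePoison)).` `scratchReg` and `wasmContextInstanceGPR` are defined outside the hunk, and `createJSToWasmWrapper` starts and ends outside it, so I cannot confirm from here that `scratchReg` is free at this point; presumably it is, since the surrounding code already uses it. Note also that the value in `wasmContextInstanceGPR` after `xor64` is the raw `Wasm::Instance*`, so any later spill of that register to the stack slot would store it unpoisoned — fine if the register is consumed directly, as the commit message suggests.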
Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h (226484 => 226485)
--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyCodeBlock.h 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -28,6 +28,7 @@
#if ENABLE(WEBASSEMBLY)
#include "CallLinkInfo.h"
+#include "JSCPoison.h"
#include "JSCell.h"
#include "PromiseDeferredTimer.h"
#include "Structure.h"
@@ -36,6 +37,7 @@
#include "WasmFormat.h"
#include "WasmModule.h"
#include <wtf/Bag.h>
+#include <wtf/Ref.h>
#include <wtf/Vector.h>
namespace JSC {
@@ -90,7 +92,7 @@
void finalizeUnconditionally() override;
};
- Ref<Wasm::CodeBlock> m_codeBlock;
+ PoisonedRef<JSWebAssemblyCodeBlockPoison, Wasm::CodeBlock> m_codeBlock;
Vector<MacroAssemblerCodeRef> m_wasmToJSExitStubs;
UnconditionalFinalizer m_unconditionalFinalizer;
Bag<CallLinkInfo> m_callLinkInfos;
Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyInstance.h (226484 => 226485)
--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyInstance.h 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyInstance.h 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -27,6 +27,7 @@
#if ENABLE(WEBASSEMBLY)
+#include "JSCPoison.h"
#include "JSDestructibleObject.h"
#include "JSObject.h"
#include "JSWebAssemblyCodeBlock.h"
@@ -33,6 +34,7 @@
#include "JSWebAssemblyMemory.h"
#include "JSWebAssemblyTable.h"
#include "WasmInstance.h"
+#include <wtf/Ref.h>
namespace JSC {
@@ -74,7 +76,7 @@
instance().setTable(makeRef(*table()->table()));
}
- static size_t offsetOfInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
+ static size_t offsetOfPoisonedInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
static size_t offsetOfCallee() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_callee); }
protected:
@@ -86,7 +88,7 @@
private:
JSWebAssemblyModule* module() const { return m_module.get(); }
- Ref<Wasm::Instance> m_instance;
+ PoisonedRef<JSWebAssemblyInstancePoison, Wasm::Instance> m_instance;
WriteBarrier<JSWebAssemblyModule> m_module;
WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlock;
Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.h (226484 => 226485)
--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.h 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.h 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -27,9 +27,11 @@
#if ENABLE(WEBASSEMBLY)
+#include "JSCPoison.h"
#include "JSDestructibleObject.h"
#include "JSObject.h"
#include "WasmMemory.h"
+#include <wtf/Ref.h>
#include <wtf/RefPtr.h>
namespace JSC {
@@ -65,9 +67,9 @@
static void destroy(JSCell*);
static void visitChildren(JSCell*, SlotVisitor&);
- Ref<Wasm::Memory> m_memory;
+ PoisonedRef<JSWebAssemblyMemoryPoison, Wasm::Memory> m_memory;
WriteBarrier<JSArrayBuffer> m_bufferWrapper;
- RefPtr<ArrayBuffer> m_buffer;
+ PoisonedRefPtr<JSWebAssemblyMemoryPoison, ArrayBuffer> m_buffer;
};
} // namespace JSC
Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyModule.h (226484 => 226485)
--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyModule.h 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyModule.h 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -27,6 +27,7 @@
#if ENABLE(WEBASSEMBLY)
+#include "JSCPoison.h"
#include "JSDestructibleObject.h"
#include "JSObject.h"
#include "UnconditionalFinalizer.h"
@@ -34,6 +35,7 @@
#include <wtf/Bag.h>
#include <wtf/Expected.h>
#include <wtf/Forward.h>
+#include <wtf/Ref.h>
#include <wtf/text/WTFString.h>
namespace JSC {
@@ -79,7 +81,7 @@
static void destroy(JSCell*);
static void visitChildren(JSCell*, SlotVisitor&);
- Ref<Wasm::Module> m_module;
+ PoisonedRef<JSWebAssemblyModulePoison, Wasm::Module> m_module;
WriteBarrier<SymbolTable> m_exportSymbolTable;
WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlocks[Wasm::NumberOfMemoryModes];
WriteBarrier<WebAssemblyToJSCallee> m_callee;
Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyTable.h (226484 => 226485)
--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyTable.h 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyTable.h 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -27,6 +27,7 @@
#if ENABLE(WEBASSEMBLY)
+#include "JSCPoison.h"
#include "JSDestructibleObject.h"
#include "JSObject.h"
#include "WasmLimits.h"
@@ -34,6 +35,7 @@
#include "WebAssemblyWrapperFunction.h"
#include "WebAssemblyFunction.h"
#include <wtf/MallocPtr.h>
+#include <wtf/Ref.h>
namespace JSC {
@@ -63,7 +65,7 @@
static void destroy(JSCell*);
static void visitChildren(JSCell*, SlotVisitor&);
- Ref<Wasm::Table> m_table;
+ PoisonedRef<JSWebAssemblyTablePoison, Wasm::Table> m_table;
MallocPtr<WriteBarrier<JSObject>> m_jsFunctions;
};
Modified: trunk/Source/WTF/ChangeLog (226484 => 226485)
--- trunk/Source/WTF/ChangeLog 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/WTF/ChangeLog 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,3 +1,18 @@
+2018-01-05 JF Bastien <[email protected]>
+
+ WebAssembly: poison JS object's secrets
+ https://bugs.webkit.org/show_bug.cgi?id=181339
+ <rdar://problem/36325001>
+
+ Reviewed by Mark Lam.
+
+ swapping a poisoned pointer with a non-poisoned one (as is done in
+ JSWebAssembyMemory::adopt) was missing.
+
+ * wtf/Poisoned.h:
+ (WTF::PoisonedImpl::swap):
+ (WTF::ConstExprPoisonedPtrTraits::swap):
+
2018-01-05 David Kilzer <[email protected]>
Re-enable -Wcast-qual in WebCore for Apple ports
Modified: trunk/Source/WTF/wtf/Poisoned.h (226484 => 226485)
--- trunk/Source/WTF/wtf/Poisoned.h 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Source/WTF/wtf/Poisoned.h 2018-01-06 07:01:21 UTC (rev 226485)
@@ -182,6 +182,13 @@
o = t2;
}
+ void swap(T& t2)
+ {
+ T t1 = this->unpoisoned();
+ std::swap(t1, t2);
+ m_poisonedBits = poison(t1);
+ }
+
template<class U>
T exchange(U&& newValue)
{
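Review bot: The new `swap(T& t2)` overload sits directly under the `PoisonedImpl`-to-`PoisonedImpl` swap and nothing says how the two differ, namely that `t2` is a plain, never-poisoned value that receives the decoded pointer while the poisoned form of its old value is stored here. A one-line comment above the declaration would do: `// Swap with an unpoisoned value: t2 receives our unpoisoned value; we store the poisoned form of t2's old value.` As a point of style, the three statements can be one expression without the named temporary holding the unpoisoned value, `m_poisonedBits = poison(std::exchange(t2, this->unpoisoned()));`, provided `<utility>` is already included (it is where `std::swap` normally comes from, but the includes are outside this hunk).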
@@ -212,6 +219,12 @@
a.swap(b);
}
+template<typename K1, K1 k1, typename T1>
+inline void swap(PoisonedImpl<K1, k1, T1>& a, T1& b)
+{
+ a.swap(b);
+}
+
WTF_EXPORT_PRIVATE uintptr_t makePoison();
inline constexpr uintptr_t makeConstExprPoison(uint32_t key)
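Review bot: The new free `swap(PoisonedImpl<K1, k1, T1>&, T1&)` is one-sided: `swap(raw, poisoned)` has no matching overload, and `std::swap` cannot take two different types, so a caller that writes the arguments the other way round gets a compile error rather than a swap. Since `std::swap`-style functions are expected to be symmetric, add the mirror: `template<typename K1, K1 k1, typename T1>` / `inline void swap(T1& a, PoisonedImpl<K1, k1, T1>& b)` / `{ b.swap(a); }`. The `ConstExprPoisonedPtrTraits::swap` overload added in the next hunk has the same one-sided signature, and the three new test blocks (ConstExprPoisoned.cpp, Poisoned.cpp, PoisonedRef.cpp) only exercise the poisoned-first order, so a reversed-argument case in each would pin the mirror overload.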
@@ -241,6 +254,9 @@
template<class U> static ALWAYS_INLINE T* exchange(StorageType& ptr, U&& newValue) { return ptr.exchange(newValue); }
+ template<typename K1, K1 k1, typename T1>
+ static ALWAYS_INLINE void swap(PoisonedImpl<K1, k1, T1>& a, T1& b) { a.swap(b); }
+
template<typename K1, K1 k1, typename T1, typename K2, K2 k2, typename T2>
static ALWAYS_INLINE void swap(PoisonedImpl<K1, k1, T1>& a, PoisonedImpl<K2, k2, T2>& b) { a.swap(b); }
@@ -252,5 +268,5 @@
using WTF::ConstExprPoisoned;
using WTF::Poisoned;
using WTF::PoisonedBits;
+using WTF::makeConstExprPoison;
using WTF::makePoison;
-
Modified: trunk/Tools/ChangeLog (226484 => 226485)
--- trunk/Tools/ChangeLog 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Tools/ChangeLog 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,3 +1,20 @@
+2018-01-05 JF Bastien <[email protected]>
+
+ WebAssembly: poison JS object's secrets
+ https://bugs.webkit.org/show_bug.cgi?id=181339
+ <rdar://problem/36325001>
+
+ Reviewed by Mark Lam.
+
+ Update tests for swap(Poisoned<k, T>, T*)
+
+ * TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp:
+ (TestWebKitAPI::TEST):
+ * TestWebKitAPI/Tests/WTF/Poisoned.cpp:
+ (TestWebKitAPI::TEST):
+ * TestWebKitAPI/Tests/WTF/PoisonedRef.cpp:
+ (TestWebKitAPI::TEST):
+
2018-01-05 Wenson Hsieh <[email protected]>
REGRESSION(r226396) DataInteractionTests: ContentEditableToContentEditable and ContentEditableToTextarea are failing
Modified: trunk/Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp (226484 => 226485)
--- trunk/Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -337,6 +337,30 @@
ASSERT_TRUE(p1.bits() == p3.bits());
ASSERT_TRUE(p2.bits() != p4.bits());
}
+
+ {
+ ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+ RefLogger* p2(&b);
+ ASSERT_EQ(&a, p1.unpoisoned());
+ ASSERT_EQ(&b, p2);
+ swap(p1, p2);
+ ASSERT_EQ(&b, p1.unpoisoned());
+ ASSERT_EQ(&a, p2);
+
+ ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+ }
+
+ {
+ ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+ RefLogger* p2(&b);
+ ASSERT_EQ(&a, p1.unpoisoned());
+ ASSERT_EQ(&b, p2);
+ p1.swap(p2);
+ ASSERT_EQ(&b, p1.unpoisoned());
+ ASSERT_EQ(&a, p2);
+
+ ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+ }
}
static ConstExprPoisoned<PoisonA, RefLogger*> poisonedPtrFoo(RefLogger& logger)
Modified: trunk/Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp (226484 => 226485)
--- trunk/Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -376,6 +376,32 @@
ASSERT_TRUE(p2.bits() != p4.bits());
#endif
}
+
+#if ENABLE(MIXED_POISON)
+ {
+ Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+ RefLogger* p2(&b);
+ ASSERT_EQ(&a, p1.unpoisoned());
+ ASSERT_EQ(&b, p2);
+ swap(p1, p2);
+ ASSERT_EQ(&b, p1.unpoisoned());
+ ASSERT_EQ(&a, p2);
+
+ ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+ }
+
+ {
+ Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+ RefLogger* p2(&b);
+ ASSERT_EQ(&a, p1.unpoisoned());
+ ASSERT_EQ(&b, p2);
+ p1.swap(p2);
+ ASSERT_EQ(&b, p1.unpoisoned());
+ ASSERT_EQ(&a, p2);
+
+ ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+ }
+#endif
}
static Poisoned<g_testPoisonA, RefLogger*> poisonedPtrFoo(RefLogger& logger)
Modified: trunk/Tools/TestWebKitAPI/Tests/WTF/PoisonedRef.cpp (226484 => 226485)
--- trunk/Tools/TestWebKitAPI/Tests/WTF/PoisonedRef.cpp 2018-01-06 03:48:05 UTC (rev 226484)
+++ trunk/Tools/TestWebKitAPI/Tests/WTF/PoisonedRef.cpp 2018-01-06 07:01:21 UTC (rev 226485)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -194,6 +194,32 @@
log() << "| ";
}
EXPECT_STREQ("ref(a) ref(b) | | deref(a) deref(b) ", takeLogStr().c_str());
+
+ {
+ PoisonedRef<PoisonF, RefLogger> p1(a);
+ Ref<RefLogger> p2(b);
+ log() << "| ";
+ EXPECT_EQ(&a, p1.ptr());
+ EXPECT_EQ(&b, p2.ptr());
+ swap(p1, p2);
+ EXPECT_EQ(&b, p1.ptr());
+ EXPECT_EQ(&a, p2.ptr());
+ log() << "| ";
+ }
+ EXPECT_STREQ("ref(a) ref(b) | | deref(a) deref(b) ", takeLogStr().c_str());
+
+ {
+ PoisonedRef<PoisonF, RefLogger> p1(a);
+ Ref<RefLogger> p2(b);
+ log() << "| ";
+ EXPECT_EQ(&a, p1.ptr());
+ EXPECT_EQ(&b, p2.ptr());
+ p1.swap(p2);
+ EXPECT_EQ(&b, p1.ptr());
+ EXPECT_EQ(&a, p2.ptr());
+ log() << "| ";
+ }
+ EXPECT_STREQ("ref(a) ref(b) | | deref(a) deref(b) ", takeLogStr().c_str());
}
struct PoisonedRefCheckingRefLogger : RefLogger {