Title: [263283] trunk
Revision
263283
Author
mark....@apple.com
Date
2020-06-19 14:00:21 -0700 (Fri, 19 Jun 2020)

Log Message

Make $vm properties non-configurable, non-enumerable, and non-writable.
https://bugs.webkit.org/show_bug.cgi?id=213395

Reviewed by Saam Barati and Yusuke Suzuki.

JSTests:

* stress/dollarVM-properties-should-not-be-enumerable.js: Added.

Source/_javascript_Core:

$vm provides functions for test development and VM debugging.  There's no reason
for them to be configurable, enumerable, and writable.

We particularly don't want them to be enumerable, as that can trip up some fuzzers.
Fuzzers should not be fuzzing the $vm object, which does not exist in real-world
uses of JavaScriptCore.

* tools/JSDollarVM.cpp:
(JSC::JSDollarVM::finishCreation):
(JSC::JSDollarVM::addFunction):
(JSC::JSDollarVM::addConstructibleFunction):

Diff

Modified: trunk/JSTests/ChangeLog (263282 => 263283)


--- trunk/JSTests/ChangeLog	2020-06-19 20:13:14 UTC (rev 263282)
+++ trunk/JSTests/ChangeLog	2020-06-19 21:00:21 UTC (rev 263283)
@@ -1,3 +1,12 @@
+2020-06-19  Mark Lam  <mark....@apple.com>
+
+        Make $vm properties non-configurable, non-enumerable, and non-writable.
+        https://bugs.webkit.org/show_bug.cgi?id=213395
+
+        Reviewed by Saam Barati and Yusuke Suzuki.
+
+        * stress/dollarVM-properties-should-not-be-enumerable.js: Added.
+
 2020-06-18  Saam Barati  <sbar...@apple.com>
 
         sampling-profiler-wasm-name-section should run for more iterations

Added: trunk/JSTests/stress/dollarVM-properties-should-not-be-enumerable.js (0 => 263283)


--- trunk/JSTests/stress/dollarVM-properties-should-not-be-enumerable.js	                        (rev 0)
+++ trunk/JSTests/stress/dollarVM-properties-should-not-be-enumerable.js	2020-06-19 21:00:21 UTC (rev 263283)
@@ -0,0 +1,28 @@
+//@ runDefault
+
+const descriptors = Object.getOwnPropertyDescriptors($vm);
+
+var success = true;
+
+for (prop in descriptors) {
+    let descriptor = descriptors[prop];
+    var expected = !descriptor.configurable && !descriptor.enumerable && !descriptor.writable;
+    if (!expected) {
+        print(" --- " + prop + " --- ", descriptors[prop]);
+        if (descriptor.configurable)
+            print("    $vm." + prop + " should not be configurable.");
+        if (descriptor.enumerable)
+            print("    $vm." + prop + " should not be enumerable.");
+        if (descriptor.writable)
+            print("    $vm." + prop + " should not be writable.");
+    }
+    success = success && !descriptor.configurable && !descriptor.enumerable && !descriptor.writable;
+}
+
+for (prop in $vm) {
+    print("$vm." + prop + " should not be enumerable.");
+    success = false;
+}
+    
+if (!success)
+    throw "FAILED";
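Review bot: `prop` is never declared, so both `for (prop in descriptors)` and `for (prop in $vm)` create an implicit global; declare it per loop as `for (const prop in descriptors) {` and `for (const prop in $vm) {`. The `expected` flag already holds the three-way check, so the update line can be reduced to `success = success && expected;` rather than re-evaluating the descriptor fields. Note that the second loop walks enumerable properties on the prototype chain as well, so an enumerable property inherited by $vm would also be reported as `$vm.<prop>` — presumably acceptable here, but worth a one-line comment. The line before `if (!success)` is whitespace-only and should be trimmed.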

Modified: trunk/Source/_javascript_Core/ChangeLog (263282 => 263283)


--- trunk/Source/_javascript_Core/ChangeLog	2020-06-19 20:13:14 UTC (rev 263282)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-06-19 21:00:21 UTC (rev 263283)
@@ -1,3 +1,22 @@
+2020-06-19  Mark Lam  <mark....@apple.com>
+
+        Make $vm properties non-configurable, non-enumerable, and non-writable.
+        https://bugs.webkit.org/show_bug.cgi?id=213395
+
+        Reviewed by Saam Barati and Yusuke Suzuki.
+
+        $vm provides functions for test development and VM debugging.  There's no reason
+        for them to be configurable, enumerable, and writable.
+
+        We particularly don't want them to be enumerable as this can trip up some fuzzers.
+        Fuzzers should not be fuzzing the $vm object which doesn't exist in real world
+        uses of _javascript_Core.
+
+        * tools/JSDollarVM.cpp:
+        (JSC::JSDollarVM::finishCreation):
+        (JSC::JSDollarVM::addFunction):
+        (JSC::JSDollarVM::addConstructibleFunction):
+
 2020-06-19  Tuomas Karkkainen  <tuomas.web...@apple.com>
 
         functionCpuClflush checks that the second argument is Int32 but it actually expects it to be UInt32

Modified: trunk/Source/_javascript_Core/tools/JSDollarVM.cpp (263282 => 263283)


--- trunk/Source/_javascript_Core/tools/JSDollarVM.cpp	2020-06-19 20:13:14 UTC (rev 263282)
+++ trunk/Source/_javascript_Core/tools/JSDollarVM.cpp	2020-06-19 21:00:21 UTC (rev 263283)
@@ -3094,6 +3094,8 @@
 #endif
 }
 
+constexpr unsigned jsDollarVMPropertyAttributes = PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum | PropertyAttribute::DontDelete;
+
 void JSDollarVM::finishCreation(VM& vm)
 {
     DollarVMAssertScope assertScope;
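Review bot: The new file-scope constant `jsDollarVMPropertyAttributes` carries no comment, so the reasoning given in the change description is lost at the point of use; add `// $vm is a test/debug-only surface: keep its properties hidden from enumeration (fuzzers) and immutable.` above it. Since the old code spelled `static_cast<unsigned>(PropertyAttribute::DontEnum)`, the `constexpr unsigned` initializer presumably relies on an `operator|` for `PropertyAttribute` that yields `unsigned` — fine if so, but a reader would benefit from the comment naming that. `finishCreation` continues past the end of this hunk.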
@@ -3114,13 +3116,13 @@
     addFunction(vm, "crash", functionCrash, 0);
     addFunction(vm, "breakpoint", functionBreakpoint, 0);
 
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "dfgTrue"), 0, functionDFGTrue, DFGTrueIntrinsic, static_cast<unsigned>(PropertyAttribute::DontEnum));
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "ftlTrue"), 0, functionFTLTrue, FTLTrueIntrinsic, static_cast<unsigned>(PropertyAttribute::DontEnum));
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "dfgTrue"), 0, functionDFGTrue, DFGTrueIntrinsic, jsDollarVMPropertyAttributes);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "ftlTrue"), 0, functionFTLTrue, FTLTrueIntrinsic, jsDollarVMPropertyAttributes);
 
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuMfence"), 0, functionCpuMfence, CPUMfenceIntrinsic, 0);
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuRdtsc"), 0, functionCpuRdtsc, CPURdtscIntrinsic, 0);
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuCpuid"), 0, functionCpuCpuid, CPUCpuidIntrinsic, 0);
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuPause"), 0, functionCpuPause, CPUPauseIntrinsic, 0);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuMfence"), 0, functionCpuMfence, CPUMfenceIntrinsic, jsDollarVMPropertyAttributes);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuRdtsc"), 0, functionCpuRdtsc, CPURdtscIntrinsic, jsDollarVMPropertyAttributes);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuCpuid"), 0, functionCpuCpuid, CPUCpuidIntrinsic, jsDollarVMPropertyAttributes);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuPause"), 0, functionCpuPause, CPUPauseIntrinsic, jsDollarVMPropertyAttributes);
     addFunction(vm, "cpuClflush", functionCpuClflush, 2);
 
     addFunction(vm, "llintTrue", functionLLintTrue, 0);
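Review bot: The direct `putDirectNativeFunction` calls here bypass `addFunction`, so the attribute constant has to be repeated by hand at every such call site and a future addition that passes `0` or `DontEnum` alone would silently regress the intent; a comment before the first call such as `// Every $vm property must use jsDollarVMPropertyAttributes; stress/dollarVM-properties-should-not-be-enumerable.js enforces this.` would make the invariant visible. The rest of `finishCreation` is outside this hunk, so whether any other call sites there were updated cannot be confirmed from the diff, though the added test should catch any that were missed.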
@@ -3243,7 +3245,7 @@
 {
     DollarVMAssertScope assertScope;
     Identifier identifier = Identifier::fromString(vm, name);
-    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function));
+    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function), jsDollarVMPropertyAttributes);
 }
 
 void JSDollarVM::addConstructibleFunction(VM& vm, JSGlobalObject* globalObject, const char* name, NativeFunction function, unsigned arguments)
@@ -3250,7 +3252,7 @@
 {
     DollarVMAssertScope assertScope;
     Identifier identifier = Identifier::fromString(vm, name);
-    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function, NoIntrinsic, function));
+    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function, NoIntrinsic, function), jsDollarVMPropertyAttributes);
 }
 
 void JSDollarVM::visitChildren(JSCell* cell, SlotVisitor& visitor)