Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (275211 => 275212)
--- trunk/Source/_javascript_Core/ChangeLog 2021-03-30 17:13:57 UTC (rev 275211)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-03-30 17:21:18 UTC (rev 275212)
@@ -1,3 +1,29 @@
+2021-03-30 Mark Lam <[email protected]>
+
+ Ensure that GlobalPropertyInfo is allocated on the stack.
+ https://bugs.webkit.org/show_bug.cgi?id=223911
+ rdar://75865742
+
+ Reviewed by Yusuke Suzuki.
+
+ We rely on GlobalPropertyInfo being allocated on the stack to allow its JSValue
+ value to be scanned by the GC. Unfortunately, an ASAN compilation would choose
+ to allocate the GlobalPropertyInfo on a side buffer instead of directly on the
+ stack. This prevents the GC from doing the needed scan.
+
+ We'll fix this by suppressing ASAN on the functions that allocated GlobalPropertyInfo
+ arrays. Also added an ASSERT in the GlobalPropertyInfo constructor to assert that
+ it is allocated on the stack.
+
+ * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
+ (BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::initStaticGlobals):
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::exposeDollarVM):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo):
+
2021-03-29 Xan López <[email protected]>
[JSC] Use helper method when possible to store data in the callframe header
Modified: trunk/Source/_javascript_Core/Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py (275211 => 275212)
--- trunk/Source/_javascript_Core/Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py 2021-03-30 17:13:57 UTC (rev 275211)
+++ trunk/Source/_javascript_Core/Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py 2021-03-30 17:21:18 UTC (rev 275212)
@@ -143,7 +143,7 @@
return '\n'.join(lines)
def generate_initialize_method(self):
- lines = ["void JSBuiltinInternalFunctions::initialize(JSDOMGlobalObject& globalObject)",
+ lines = ["SUPPRESS_ASAN void JSBuiltinInternalFunctions::initialize(JSDOMGlobalObject& globalObject)",
"{",
" UNUSED_PARAM(globalObject);"]
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (275211 => 275212)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2021-03-30 17:13:57 UTC (rev 275211)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2021-03-30 17:21:18 UTC (rev 275212)
@@ -580,6 +580,19 @@
init.setConstructor(AggregateErrorConstructor::create(init.vm, AggregateErrorConstructor::createStructure(init.vm, this, m_errorStructure.constructor(this)), jsCast<AggregateErrorPrototype*>(init.prototype)));
}
+SUPPRESS_ASAN inline void JSGlobalObject::initStaticGlobals(VM& vm)
+{
+ GlobalPropertyInfo staticGlobals[] = {
+ GlobalPropertyInfo(vm.propertyNames->NaN, jsNaN(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->Infinity, jsNumber(std::numeric_limits<double>::infinity()), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->undefinedKeyword, jsUndefined(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+#if ASSERT_ENABLED
+ GlobalPropertyInfo(vm.propertyNames->builtinNames().assertPrivateName(), JSFunction::create(vm, this, 1, String(), assertCall), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+#endif
+ };
+ addStaticGlobals(staticGlobals, WTF_ARRAY_LENGTH(staticGlobals));
+}
+
void JSGlobalObject::init(VM& vm)
{
ASSERT(vm.currentThreadIsHoldingAPILock());
@@ -1357,15 +1370,7 @@
putDirectWithoutTransition(vm, Identifier::fromString(vm, "__disableSuperSampler"), JSFunction::create(vm, this, 1, String(), disableSuperSampler), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
}
- GlobalPropertyInfo staticGlobals[] = {
- GlobalPropertyInfo(vm.propertyNames->NaN, jsNaN(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
- GlobalPropertyInfo(vm.propertyNames->Infinity, jsNumber(std::numeric_limits<double>::infinity()), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
- GlobalPropertyInfo(vm.propertyNames->undefinedKeyword, jsUndefined(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
-#if ASSERT_ENABLED
- GlobalPropertyInfo(vm.propertyNames->builtinNames().assertPrivateName(), JSFunction::create(vm, this, 1, String(), assertCall), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
-#endif
- };
- addStaticGlobals(staticGlobals, WTF_ARRAY_LENGTH(staticGlobals));
+ initStaticGlobals(vm);
if (UNLIKELY(Options::useDollarVM()))
exposeDollarVM(vm);
@@ -2108,7 +2113,7 @@
return CallFrame::create(m_deprecatedCallFrameForDebugger);
}
-void JSGlobalObject::exposeDollarVM(VM& vm)
+SUPPRESS_ASAN void JSGlobalObject::exposeDollarVM(VM& vm)
{
RELEASE_ASSERT(g_jscConfig.restrictedOptionsEnabled && Options::useDollarVM());
if (hasOwnProperty(this, vm.propertyNames->builtinNames().dollarVMPrivateName()))
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (275211 => 275212)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2021-03-30 17:13:57 UTC (rev 275211)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2021-03-30 17:21:18 UTC (rev 275212)
@@ -1116,6 +1116,7 @@
, value(v)
, attributes(a)
{
+ ASSERT(Thread::current().stack().contains(this));
}
const Identifier identifier;
@@ -1138,6 +1139,7 @@
void initializeAggregateErrorConstructor(LazyClassStructure::Initializer&);
JS_EXPORT_PRIVATE void init(VM&);
+ void initStaticGlobals(VM&);
void fixupPrototypeChainWithObjectPrototype(VM&);
JS_EXPORT_PRIVATE static void clearRareData(JSCell*);
Modified: trunk/Source/WebCore/ChangeLog (275211 => 275212)
--- trunk/Source/WebCore/ChangeLog 2021-03-30 17:13:57 UTC (rev 275211)
+++ trunk/Source/WebCore/ChangeLog 2021-03-30 17:21:18 UTC (rev 275212)
@@ -1,3 +1,18 @@
+2021-03-30 Mark Lam <[email protected]>
+
+ Ensure that GlobalPropertyInfo is allocated on the stack.
+ https://bugs.webkit.org/show_bug.cgi?id=223911
+ rdar://75865742
+
+ Reviewed by Yusuke Suzuki.
+
+ * bindings/js/JSDOMGlobalObject.cpp:
+ (WebCore::JSDOMGlobalObject::addBuiltinGlobals):
+ * bindings/js/JSDOMWindowBase.cpp:
+ (WebCore::JSDOMWindowBase::finishCreation):
+ (WebCore::JSDOMWindowBase::initStaticGlobals):
+ * bindings/js/JSDOMWindowBase.h:
+
2021-03-30 Sam Weinig <[email protected]>
Generalize ColorComponents to support an arbritrary number of components (though really we will only ever want 3, 4, or 5)
Modified: trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp (275211 => 275212)
--- trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp 2021-03-30 17:13:57 UTC (rev 275211)
+++ trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp 2021-03-30 17:21:18 UTC (rev 275212)
@@ -173,7 +173,7 @@
return JSValue::encode(result ? JSValue(JSC::JSValue::JSTrue) : JSValue(JSC::JSValue::JSFalse));
}
-void JSDOMGlobalObject::addBuiltinGlobals(VM& vm)
+SUPPRESS_ASAN void JSDOMGlobalObject::addBuiltinGlobals(VM& vm)
{
m_builtinInternalFunctions.initialize(*this);
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp (275211 => 275212)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 2021-03-30 17:13:57 UTC (rev 275211)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 2021-03-30 17:21:18 UTC (rev 275212)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2000 Harri Porten ([email protected])
* Copyright (C) 2006 Jon Shier ([email protected])
- * Copyright (C) 2003-2020 Apple Inc. All rights reseved.
+ * Copyright (C) 2003-2021 Apple Inc. All rights reseved.
* Copyright (C) 2006 Alexey Proskuryakov ([email protected])
* Copyright (c) 2015 Canon Inc. All rights reserved.
*
@@ -100,11 +100,8 @@
m_proxy.set(vm, this, proxy);
}
-void JSDOMWindowBase::finishCreation(VM& vm, JSWindowProxy* proxy)
+SUPPRESS_ASAN inline void JSDOMWindowBase::initStaticGlobals(JSC::VM& vm)
{
- Base::finishCreation(vm, proxy);
- ASSERT(inherits(vm, info()));
-
auto& builtinNames = static_cast<JSVMClientData*>(vm.clientData)->builtinNames();
GlobalPropertyInfo staticGlobals[] = {
@@ -113,7 +110,15 @@
};
addStaticGlobals(staticGlobals, WTF_ARRAY_LENGTH(staticGlobals));
+}
+void JSDOMWindowBase::finishCreation(VM& vm, JSWindowProxy* proxy)
+{
+ Base::finishCreation(vm, proxy);
+ ASSERT(inherits(vm, info()));
+
+ initStaticGlobals(vm);
+
if (m_wrapped && m_wrapped->frame() && m_wrapped->frame()->settings().needsSiteSpecificQuirks())
setNeedsSiteSpecificQuirks(true);
}
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h (275211 => 275212)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h 2021-03-30 17:13:57 UTC (rev 275211)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h 2021-03-30 17:21:18 UTC (rev 275212)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2000 Harri Porten ([email protected])
- * Copyright (C) 2003-2017 Apple Inc. All rights reseved.
+ * Copyright (C) 2003-2021 Apple Inc. All rights reseved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -93,6 +93,7 @@
protected:
JSDOMWindowBase(JSC::VM&, JSC::Structure*, RefPtr<DOMWindow>&&, JSWindowProxy*);
void finishCreation(JSC::VM&, JSWindowProxy*);
+ void initStaticGlobals(JSC::VM&);
RefPtr<JSC::WatchpointSet> m_windowCloseWatchpoints;
