Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 07a7233fd471f281b1e097ca3fd2e504e01ab9b2
https://github.com/WebKit/WebKit/commit/07a7233fd471f281b1e097ca3fd2e504e01ab9b2
Author: Daniel Liu <[email protected]>
Date: 2025-07-07 (Mon, 07 Jul 2025)
Changed paths:
A JSTests/stress/taintedness-tracking-bind.js
A JSTests/stress/taintedness-tracking-wasm-proxying.js
A JSTests/stress/taintedness-tracking-wasm.js
M JSTests/stress/taintedness-tracking.js
M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/interpreter/Interpreter.cpp
M Source/JavaScriptCore/interpreter/StackVisitor.h
M Source/JavaScriptCore/parser/SourceTaintedOrigin.cpp
M Source/JavaScriptCore/runtime/FunctionPrototype.cpp
M Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
M Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
M Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
M Source/JavaScriptCore/runtime/JSBoundFunction.cpp
M Source/JavaScriptCore/runtime/JSBoundFunction.h
M Source/JavaScriptCore/runtime/JSModuleLoader.cpp
M Source/JavaScriptCore/runtime/VM.cpp
M Source/JavaScriptCore/runtime/VM.h
M Source/JavaScriptCore/tools/JSDollarVM.cpp
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/WasmStreamingCompiler.cpp
M Source/JavaScriptCore/wasm/WasmStreamingCompiler.h
M Source/JavaScriptCore/wasm/js/JSWebAssembly.cpp
M Source/JavaScriptCore/wasm/js/JSWebAssembly.h
M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h
M Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp
M Source/WebCore/bindings/js/JSDOMAsyncIterator.h
M Source/WebCore/bindings/js/JSDOMGlobalObject.cpp
Log Message:
-----------
Add source taintedness support for Wasm
https://bugs.webkit.org/show_bug.cgi?id=294860
rdar://148934299
Reviewed by Keith Miller and Yusuke Suzuki.
Previously, some source taintedness propagation would not work properly
through WebAssembly function calls. This patch adds support for tainted
Wasm stack frames, and fixes an issue with `bind` where bound functions
would incorrectly use the target function's taintedness, instead of the
current stack's taintedness.
* JSTests/stress/taintedness-tracking-bind.js: Added.
(check):
(checkNot):
(shouldBeUntainted):
(shouldBeTainted):
(vm.runTaintedString):
* JSTests/stress/taintedness-tracking-wasm-proxying.js: Added.
(log):
(check):
(checkNot):
(shouldBeUntainted):
(shouldBeTainted):
(let.startupModule.new.WebAssembly.Module):
(let.startupInstance.new.WebAssembly.Instance):
* JSTests/stress/taintedness-tracking-wasm.js: Added.
(check):
(getTaintedState):
(vm.runTaintedString.async taintedMain):
* JSTests/stress/taintedness-tracking.js:
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::Interpreter::executeCall):
* Source/JavaScriptCore/interpreter/StackVisitor.h:
(JSC::StackVisitor::Frame::isWasmFrame const):
* Source/JavaScriptCore/parser/SourceTaintedOrigin.cpp:
(JSC::sourceTaintedOriginFromStack):
(JSC::computeNewSourceTaintedOriginFromStack):
* Source/JavaScriptCore/runtime/FunctionPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* Source/JavaScriptCore/runtime/JSBoundFunction.cpp:
(JSC::JSBoundFunction::create):
(JSC::JSBoundFunction::createRaw):
(JSC::JSBoundFunction::JSBoundFunction):
* Source/JavaScriptCore/runtime/JSBoundFunction.h:
* Source/JavaScriptCore/runtime/JSModuleLoader.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::getBoundFunction):
* Source/JavaScriptCore/runtime/VM.h:
* Source/JavaScriptCore/tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmStreamingCompiler.cpp:
(JSC::Wasm::StreamingCompiler::StreamingCompiler):
(JSC::Wasm::StreamingCompiler::create):
(JSC::Wasm::StreamingCompiler::didComplete):
* Source/JavaScriptCore/wasm/WasmStreamingCompiler.h:
* Source/JavaScriptCore/wasm/js/JSWebAssembly.cpp:
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::JSWebAssembly::instantiate):
(JSC::JSWebAssembly::instantiateForStreaming):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/js/JSWebAssembly.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::tryCreate):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::m_source):
(JSC::m_frameSize): Deleted.
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/WebCore/bindings/js/JSDOMAsyncIterator.h:
(WebCore::IteratorTraits>::createOnSettledFunction):
(WebCore::IteratorTraits>::createOnFulfilledFunction):
(WebCore::IteratorTraits>::createOnRejectedFunction):
* Source/WebCore/bindings/js/JSDOMGlobalObject.cpp:
(WebCore::handleResponseOnStreamingAction):
Canonical link: https://commits.webkit.org/297060@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes