Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 61117dc2de25c1caca02cb1ae82437a45df3f232
https://github.com/WebKit/WebKit/commit/61117dc2de25c1caca02cb1ae82437a45df3f232
Author: Mark Lam <[email protected]>
Date: 2025-12-29 (Mon, 29 Dec 2025)
Changed paths:
M Source/JavaScriptCore/bytecode/ExecutionCounter.h
M Source/JavaScriptCore/dfg/DFGNode.h
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
M Source/JavaScriptCore/heap/MarkedBlock.h
M Source/JavaScriptCore/inspector/augmentable/AlternateDispatchableAgent.h
M Source/WTF/wtf/FastMalloc.h
M Source/WTF/wtf/ForbidHeapAllocation.h
M Source/WTF/wtf/MetaAllocator.cpp
M Source/WTF/wtf/MetaAllocatorHandle.h
M Source/WTF/wtf/SegmentedVector.h
M Source/WTF/wtf/TZoneMalloc.h
M Source/WebCore/Modules/WebGPU/Implementation/WebGPUXRProjectionLayerImpl.cpp
M Source/WebCore/Modules/WebGPU/Implementation/WebGPUXRProjectionLayerImpl.h
M Source/WebCore/Scripts/SettingsTemplates/Settings.cpp.erb
M Source/WebCore/Scripts/SettingsTemplates/Settings.h.erb
M Source/WebCore/css/CSSFontFaceSource.cpp
M Source/WebCore/css/CSSFontFaceSource.h
M Source/WebCore/css/CSSSelector.cpp
M Source/WebCore/css/CSSSelector.h
M Source/WebCore/fileapi/AsyncFileStream.cpp
M Source/WebCore/html/HTMLMediaElement.cpp
M Source/WebCore/loader/FontLoadRequest.h
M Source/WebCore/loader/LoaderMalloc.cpp
M Source/WebCore/loader/LocalFrameLoaderClient.h
M Source/WebCore/page/Page.cpp
M Source/WebCore/page/PrewarmInformation.h
M Source/WebCore/page/ProcessWarming.cpp
M Source/WebCore/platform/graphics/FontCache.cpp
M Source/WebCore/platform/graphics/LegacyCDMSession.h
M Source/WebCore/platform/graphics/angle/GraphicsContextGLANGLE.h
M Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.h
M Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm
M Source/WebCore/platform/graphics/cocoa/WebProcessGraphicsContextGLCocoa.mm
M Source/WebCore/platform/graphics/gbm/DRMDeviceManager.h
M Source/WebCore/platform/graphics/gbm/MemoryMappedGPUBuffer.h
M Source/WebCore/platform/graphics/texmap/BitmapTexturePool.h
M Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapperANGLE.cpp
M Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapperANGLE.h
M Source/WebCore/platform/graphics/texmap/TextureMapperLayer3DRenderingContext.h
M Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedPlatformLayerBuffer.h
M Source/WebCore/platform/graphics/win/MediaPlayerPrivateMediaFoundation.cpp
M Source/WebCore/platform/ios/PlaybackSessionInterfaceTVOS.cpp
M Source/WebCore/platform/ios/PlaybackSessionInterfaceTVOS.h
M Source/WebCore/platform/ios/VideoPresentationInterfaceTVOS.h
M Source/WebCore/platform/ios/VideoPresentationInterfaceTVOS.mm
M Source/WebCore/rendering/LegacyRootInlineBox.cpp
M Source/WebCore/style/StyleTreeResolver.h
M Source/WebCore/xml/XMLHttpRequestProgressEventThrottle.h
M Source/WebKit/GPUProcess/media/RemoteLegacyCDMSessionProxy.cpp
M Source/WebKit/GPUProcess/media/RemoteLegacyCDMSessionProxy.h
M Source/WebKit/NetworkProcess/Authentication/AuthenticationManager.cpp
M Source/WebKit/UIProcess/Cocoa/PageClientImplCocoa.h
M Source/WebKit/UIProcess/Cocoa/PageClientImplCocoa.mm
M Source/WebKit/UIProcess/Inspector/socket/RemoteInspectorProtocolHandler.cpp
M Source/WebKit/UIProcess/ios/PageClientImplIOS.h
M Source/WebKit/UIProcess/ios/PageClientImplIOS.mm
M Source/WebKit/UIProcess/mac/PageClientImplMac.h
M Source/WebKit/UIProcess/mac/PageClientImplMac.mm
M Source/WebKit/WebProcess/WebPage/WebHistoryItemClient.cpp
M Source/WebKit/WebProcess/WebPage/WebHistoryItemClient.h
M Source/bmalloc/bmalloc/TZoneHeap.h
M Source/bmalloc/bmalloc/TZoneHeapInlines.h
M Source/bmalloc/bmalloc/TZoneHeapManager.cpp
M Tools/TestWebKitAPI/Tests/WebCore/cocoa/TestGraphicsContextGLCocoa.mm
Log Message:
-----------
Add some TZONE_ALLOCATED enforcement.
https://bugs.webkit.org/show_bug.cgi?id=304684
rdar://167161285
Reviewed by Justin Michaud and Keith Miller.
This is an invariant of TZone allocation as a hardening mechanism: if a class / structure is TZONE_ALLOCATED, its subclasses should also be TZONE_ALLOCATED. This patch adds some verification in MAKE_FAST_ALLOCATED to ensure that the class does not inherit from an ancestor class that is TZONE_ALLOCATED. This verification can also be added in other non-TZone allocation macros, but we're starting with MAKE_FAST_ALLOCATED for now.

Also fix some classes that should be TZONE_ALLOCATED (found by this verification).

Also fix some incorrect uses of WTF_DEPRECATED_MAKE_FAST_ALLOCATED and WTF_DEPRECATED_MAKE_STRUCT_FAST_ALLOCATED_WITH_HEAP_IDENTIFIER, where the classname argument is wrong. These were copy-paste errors that had gone unnoticed until now. This issue was found by this verification.

Also introduce WTF_FORBID_HEAP_ALLOCATION_WITH_VALIDATION, which is equivalent to WTF_FORBID_HEAP_ALLOCATION with the !usesTZoneHeap() validation. Eventually, we will convert all uses of WTF_FORBID_HEAP_ALLOCATION to add the typename parameter, and replace WTF_FORBID_HEAP_ALLOCATION_WITH_VALIDATION with WTF_FORBID_HEAP_ALLOCATION.

Also introduce WTF_FORBID_HEAP_ALLOCATION_FOR_ABSTRACT_CLASS, which is the equivalent of WTF_FORBID_HEAP_ALLOCATION_WITH_VALIDATION. The only reason for this "duplicate" macro is that it documents the reason why we're forbidding the new and delete operators, i.e. the class is an abstract class.

Also introduce WTF_MAKE_INHERITED_TZONE_ALLOCATED, which can be used for subclasses that inherit from a TZONE_ALLOCATED class but do not add any fields. Hence, it is identical in shape and size to its parent. Therefore, there's not much added value in declaring its own s_heapRef and set of TZone support functions. Just use its parent's.

No new test. This patch adds verification that makes existing tests more effective for catching this class of issues as well.
* Source/JavaScriptCore/bytecode/ExecutionCounter.h:
* Source/JavaScriptCore/dfg/DFGNode.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/heap/MarkedBlock.h:
* Source/JavaScriptCore/inspector/augmentable/AlternateDispatchableAgent.h:
* Source/WTF/wtf/FastMalloc.h:
(WTF::usesTZoneHeap):
* Source/WTF/wtf/ForbidHeapAllocation.h:
* Source/WTF/wtf/MetaAllocator.cpp:
* Source/WTF/wtf/MetaAllocatorHandle.h:
* Source/WTF/wtf/SegmentedVector.h:
* Source/WTF/wtf/TZoneMalloc.h:
* Source/WebCore/Modules/WebGPU/Implementation/WebGPUXRProjectionLayerImpl.cpp:
* Source/WebCore/Modules/WebGPU/Implementation/WebGPUXRProjectionLayerImpl.h:
* Source/WebCore/Scripts/SettingsTemplates/Settings.cpp.erb:
* Source/WebCore/Scripts/SettingsTemplates/Settings.h.erb:
* Source/WebCore/css/CSSFontFaceSource.cpp:
* Source/WebCore/css/CSSFontFaceSource.h:
* Source/WebCore/css/CSSSelector.cpp:
* Source/WebCore/css/CSSSelector.h:
* Source/WebCore/fileapi/AsyncFileStream.cpp:
* Source/WebCore/html/HTMLMediaElement.cpp:
* Source/WebCore/loader/FontLoadRequest.h:
* Source/WebCore/loader/LoaderMalloc.cpp:
* Source/WebCore/loader/LocalFrameLoaderClient.h:
* Source/WebCore/page/Page.cpp:
* Source/WebCore/page/PrewarmInformation.h:
* Source/WebCore/page/ProcessWarming.cpp:
* Source/WebCore/platform/graphics/FontCache.cpp:
* Source/WebCore/platform/graphics/LegacyCDMSession.h:
* Source/WebCore/platform/graphics/angle/GraphicsContextGLANGLE.h:
* Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.h:
* Source/WebCore/platform/graphics/cocoa/GraphicsContextGLCocoa.mm:
* Source/WebCore/platform/graphics/cocoa/WebProcessGraphicsContextGLCocoa.mm:
* Source/WebCore/platform/graphics/gbm/DRMDeviceManager.h:
* Source/WebCore/platform/graphics/gbm/MemoryMappedGPUBuffer.h:
* Source/WebCore/platform/graphics/texmap/BitmapTexturePool.h:
* Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapperANGLE.cpp:
* Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapperANGLE.h:
* Source/WebCore/platform/graphics/texmap/TextureMapperLayer3DRenderingContext.h:
* Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedPlatformLayerBuffer.h:
* Source/WebCore/platform/graphics/win/MediaPlayerPrivateMediaFoundation.cpp:
(WebCore::MediaPlayerPrivateMediaFoundation::AsyncCallback::AsyncCallback):
* Source/WebCore/platform/ios/PlaybackSessionInterfaceTVOS.cpp:
* Source/WebCore/platform/ios/PlaybackSessionInterfaceTVOS.h:
* Source/WebCore/platform/ios/VideoPresentationInterfaceTVOS.h:
* Source/WebCore/platform/ios/VideoPresentationInterfaceTVOS.mm:
* Source/WebCore/rendering/LegacyRootInlineBox.cpp:
* Source/WebCore/style/StyleTreeResolver.h:
* Source/WebCore/xml/XMLHttpRequestProgressEventThrottle.h:
* Source/WebKit/GPUProcess/media/RemoteLegacyCDMSessionProxy.cpp:
* Source/WebKit/GPUProcess/media/RemoteLegacyCDMSessionProxy.h:
* Source/WebKit/NetworkProcess/Authentication/AuthenticationManager.cpp:
* Source/WebKit/UIProcess/Cocoa/PageClientImplCocoa.h:
* Source/WebKit/UIProcess/Cocoa/PageClientImplCocoa.mm:
* Source/WebKit/UIProcess/Inspector/socket/RemoteInspectorProtocolHandler.cpp:
* Source/WebKit/UIProcess/ios/PageClientImplIOS.h:
* Source/WebKit/UIProcess/ios/PageClientImplIOS.mm:
* Source/WebKit/UIProcess/mac/PageClientImplMac.h:
* Source/WebKit/UIProcess/mac/PageClientImplMac.mm:
* Source/WebKit/WebProcess/WebPage/WebHistoryItemClient.cpp:
* Source/WebKit/WebProcess/WebPage/WebHistoryItemClient.h:
* Source/bmalloc/bmalloc/TZoneHeap.h:
(bmalloc::TZone::sizeClassFor):
(bmalloc::TZone::sizeClass):
(bmalloc::TZone::alignment):
(bmalloc::TZone::inheritedSizeClass):
(bmalloc::TZone::inheritedAlignment):
(bmalloc::TZone::usesTZoneHeap):
(bmalloc::api::SizeAndAlignment::encode):
(bmalloc::api::sizeClassFor): Deleted.
* Source/bmalloc/bmalloc/TZoneHeapInlines.h:
* Source/bmalloc/bmalloc/TZoneHeapManager.cpp:
(bmalloc::api::TZoneHeapManager::TZoneHeapManager::heapRefForTZoneTypeDifferentSize):
* Tools/TestWebKitAPI/Tests/WebCore/cocoa/TestGraphicsContextGLCocoa.mm:
Canonical link: https://commits.webkit.org/304989@main
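The enforcement the commit message describes, as an added example that is not WebKit's code: a self-contained model of TZONE_ALLOCATED, MAKE_INHERITED_TZONE_ALLOCATED, MAKE_FAST_ALLOCATED and FORBID_HEAP_ALLOCATION_WITH_VALIDATION, showing why a subclass that forgets its own TZone macro is detectable from the ancestor's inherited `usesTZoneHeap()`. The namespace `demo`, the `DEMO_*` macros, `HeapRef`, the sample classes and the trait `fastAllocatedCheckWouldFail` are all assumptions; in particular, resolving an unqualified `usesTZoneHeap()` call at class scope against a namespace-level fallback is a reconstruction assumed here, not a detail the commit confirms.

```cpp
// Added example (not WebKit's code): a model of the invariant this commit
// enforces. Every macro, namespace and helper name is a hypothetical stand-in
// for the WTF/bmalloc ones named in the commit message.
#include <cstddef>
#include <cstdlib>
#include <type_traits>

namespace demo {
// Stand-in for the per-type heap reference a TZone-allocated class owns.
struct HeapRef { const char* typeName; };
// Namespace-scope fallback: a class with no TZone-allocated ancestor resolves
// an unqualified usesTZoneHeap() call to this, i.e. to false (assumption).
constexpr bool usesTZoneHeap() { return false; }
} // namespace demo

using demo::usesTZoneHeap;

// Model of TZONE_ALLOCATED: own heap ref plus a static usesTZoneHeap() that
// hides the namespace fallback. Subclasses inherit that member, so a subclass
// that forgets its own allocation macro still answers true; that inherited
// answer is what the checks in the other macros look at.
#define DEMO_TZONE_ALLOCATED(Type)                                             \
public:                                                                        \
    static constexpr bool usesTZoneHeap() { return true; }                     \
    static const ::demo::HeapRef& heapRef() { static ::demo::HeapRef r { #Type }; return r; } \
    void* operator new(std::size_t size) { return std::malloc(size); }         \
    void operator delete(void* p) { std::free(p); }

// Model of MAKE_INHERITED_TZONE_ALLOCATED: no new fields, so the parent's heap
// ref is reused. The size check sits in operator new because a member function
// body is a complete-class context, where sizeof(Type) is legal.
#define DEMO_MAKE_INHERITED_TZONE_ALLOCATED(Type, Parent)                      \
public:                                                                        \
    static constexpr bool usesTZoneHeap() { return true; }                     \
    static const ::demo::HeapRef& heapRef() { return Parent::heapRef(); }      \
    void* operator new(std::size_t size)                                       \
    {                                                                          \
        static_assert(sizeof(Type) == sizeof(Parent), #Type " must not add fields to " #Parent); \
        return std::malloc(size);                                              \
    }                                                                          \
    void operator delete(void* p) { std::free(p); }

// Model of MAKE_FAST_ALLOCATED with the new check: the unqualified call finds
// an inherited usesTZoneHeap() member when an ancestor is TZone-allocated
// (true, so the build fails) and the namespace fallback otherwise (false).
#define DEMO_MAKE_FAST_ALLOCATED(Type)                                         \
    static_assert(!usesTZoneHeap(), #Type " inherits from a TZONE_ALLOCATED class; use TZONE_ALLOCATED"); \
public:                                                                        \
    void* operator new(std::size_t size) { return std::malloc(size); }         \
    void operator delete(void* p) { std::free(p); }

// Model of FORBID_HEAP_ALLOCATION_WITH_VALIDATION: stack-only, same check.
#define DEMO_FORBID_HEAP_ALLOCATION_WITH_VALIDATION(Type)                      \
    static_assert(!usesTZoneHeap(), #Type " is stack-only but inherits from a TZONE_ALLOCATED class"); \
private:                                                                       \
    void* operator new(std::size_t) = delete;                                  \
    void operator delete(void*) = delete;

class TZoneBase {
    DEMO_TZONE_ALLOCATED(TZoneBase)
public:
    virtual ~TZoneBase() = default;
    int value { 1 };
};

// Correct: re-declares TZone allocation and shares the parent's heap ref.
class TZoneChild final : public TZoneBase {
    DEMO_MAKE_INHERITED_TZONE_ALLOCATED(TZoneChild, TZoneBase)
};

// Correct: unrelated class on the plain fast-malloc path.
class Standalone {
    DEMO_MAKE_FAST_ALLOCATED(Standalone)
public:
    int x { 2 };
};

// Correct: stack-only helper with validation.
struct Scope {
    DEMO_FORBID_HEAP_ALLOCATION_WITH_VALIDATION(Scope)
public:
    int depth { 0 };
};

// The mistake the check exists to catch: a TZONE_ALLOCATED subclass with no
// allocation macro of its own. Applying DEMO_MAKE_FAST_ALLOCATED here would
// not compile, so the class is left bare and inspected via the trait below.
class Leaky : public TZoneBase { };

// Reproduces what the class-scope static_assert sees for T: the inherited
// member when some ancestor is TZone-allocated, else the namespace fallback.
template<typename T, typename = void>
struct HasUsesTZoneHeapMember : std::false_type { };
template<typename T>
struct HasUsesTZoneHeapMember<T, std::void_t<decltype(T::usesTZoneHeap())>> : std::true_type { };

template<typename T>
constexpr bool fastAllocatedCheckWouldFail()
{
    if constexpr (HasUsesTZoneHeapMember<T>::value)
        return T::usesTZoneHeap();
    else
        return demo::usesTZoneHeap();
}

// An inherited TZone subclass uses the parent's heap ref rather than its own.
bool inheritedChildSharesParentHeap()
{
    return &TZoneChild::heapRef() == &TZoneBase::heapRef();
}
```

The model keeps the real-world ordering constraint visible: the static_assert in the fast-allocation macro must appear before the class declares anything of its own named `usesTZoneHeap`, otherwise the lookup would hit the class's own member instead of the ancestor's and the check would be blind.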