Changeset 228620 in webkit

Timestamp:

Feb 19, 2018 1:12:12 AM (6 years ago)

Author:

Carlos Garcia Campos

Message:

Merge r228108 - Gigacage: enable only for WebContent process and token executables
​https://bugs.webkit.org/show_bug.cgi?id=182457
<rdar://problem/35875011>

Reviewed by Keith Miller.

Gigacage is a solid security improvement, but it's probably best
to roll it out incrementally to the most valuable targets first
and progressively try out more and more over time rather than
outright enabling it everywhere. We've gotten some reports that it
has some side-effects that weren't expected, so for now let's
enable it for the WebContent process, JSC, and other executables
we know, and then later we'll enable more gigacage uses.

For now I've chosen the following bundles:

• com.apple.WebKit.WebContent.Development
• com.apple.WebKit.WebContent
• com.apple.WebProcess

And the following processes:

• jsc
• wasm
• anything starting with "test", to match the JSC tests

I tried a different approach first, where I add a function to turn
gigacage on or off and crash if gigacage is initialized without
having been told what to do. Doing this in ChildProcess and a
bunch of the process initialization methods isn't sufficient. I
got MiniBrowser working, but some other builds use static globals
which themselves use hash and string which are allocate with
bmalloc and therefore which initialize gigacage before main is
called and before the process gets a chance to opt in our out. It
gets tricky with API calls too, because we have to do the right
thing in any entry an API user could plausibly use, even the
private ones, so I endend up having to initialize gigacage in e.g.
WebPreferencesExperimentalFeatures.cpp.erb.

Another approach could be to create a free-for-all gigacage
entitlement, and opt-in the processes we want..

As a follow-up we can also check that gigacage allocation always
succeeds if it was allowed for that process. With my change I
expect it to always succeed.

• CMakeLists.txt:
• bmalloc.xcodeproj/project.pbxproj:
• bmalloc/BPlatform.h:
• bmalloc/Gigacage.cpp:

(Gigacage::shouldBeEnabled):

• bmalloc/ProcessCheck.h: Added.

(bmalloc::gigacageEnabledForProcess):

• bmalloc/ProcessCheck.mm: Added.

(bmalloc::gigacageEnabledForProcess):

Location:

releases/WebKitGTK/webkit-2.20/Source/bmalloc

Files:

• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (1 diff)
• bmalloc.xcodeproj/project.pbxproj (modified) (5 diffs)
• bmalloc/BPlatform.h (modified) (2 diffs)
• bmalloc/Gigacage.cpp (modified) (3 diffs)
• bmalloc/ProcessCheck.h (added)
• bmalloc/ProcessCheck.mm (added)

releases/WebKitGTK/webkit-2.20/Source/bmalloc/CMakeLists.txt

@@ -35 +35 @@
 if (CMAKE_SYSTEM_NAME MATCHES "Darwin")
     list(APPEND bmalloc_SOURCES
+        bmalloc/ProcessCheck.mm
         bmalloc/Zone.cpp
     )

releases/WebKitGTK/webkit-2.20/Source/bmalloc/ChangeLog

@@ +1 @@
+2018-02-05  JF Bastien  <jfbastien@apple.com>
+
+        Gigacage: enable only for WebContent process and token executables
+        https://bugs.webkit.org/show_bug.cgi?id=182457
+        <rdar://problem/35875011>
+
+        Reviewed by Keith Miller.
+
+        Gigacage is a solid security improvement, but it's probably best
+        to roll it out incrementally to the most valuable targets first
+        and progressively try out more and more over time rather than
+        outright enabling it everywhere. We've gotten some reports that it
+        has some side-effects that weren't expected, so for now let's
+        enable it for the WebContent process, JSC, and other executables
+        we know, and then later we'll enable more gigacage uses.
+
+        For now I've chosen the following bundles:
+
+          - com.apple.WebKit.WebContent.Development
+          - com.apple.WebKit.WebContent
+          - com.apple.WebProcess
+
+        And the following processes:
+
+          - jsc
+          - wasm
+          - anything starting with "test", to match the JSC tests
+
+        I tried a different approach first, where I add a function to turn
+        gigacage on or off and crash if gigacage is initialized without
+        having been told what to do. Doing this in ChildProcess and a
+        bunch of the process initialization methods isn't sufficient. I
+        got MiniBrowser working, but some other builds use static globals
+        which themselves use hash and string which are allocate with
+        bmalloc and therefore which initialize gigacage before main is
+        called and before the process gets a chance to opt in our out. It
+        gets tricky with API calls too, because we have to do the right
+        thing in any entry an API user could plausibly use, even the
+        private ones, so I endend up having to initialize gigacage in e.g.
+        WebPreferencesExperimentalFeatures.cpp.erb.
+
+        Another approach could be to create a free-for-all gigacage
+        entitlement, and opt-in the processes we want..
+
+        As a follow-up we can also check that gigacage allocation always
+        succeeds if it was allowed for that process. With my change I
+        expect it to always succeed.
+
+        * CMakeLists.txt:
+        * bmalloc.xcodeproj/project.pbxproj:
+        * bmalloc/BPlatform.h:
+        * bmalloc/Gigacage.cpp:
+        (Gigacage::shouldBeEnabled):
+        * bmalloc/ProcessCheck.h: Added.
+        (bmalloc::gigacageEnabledForProcess):
+        * bmalloc/ProcessCheck.mm: Added.
+        (bmalloc::gigacageEnabledForProcess):
+
 2018-02-05  Joseph Pecoraro  <pecoraro@apple.com>
 

releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc.xcodeproj/project.pbxproj

@@ -134 +134 @@
                 6599C5CD1EC3F15900A2F7BB /* AvailableMemory.h in Headers */ = {isa = PBXBuildFile; fileRef = 6599C5CB1EC3F15900A2F7BB /* AvailableMemory.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 AD0934331FCF406D00E85EB5 /* BCompiler.h in Headers */ = {isa = PBXBuildFile; fileRef = AD0934321FCF405000E85EB5 /* BCompiler.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                AD14AD29202529C400890E3B /* ProcessCheck.h in Headers */ = {isa = PBXBuildFile; fileRef = AD14AD27202529A600890E3B /* ProcessCheck.h */; };
+                AD14AD2A202529C700890E3B /* ProcessCheck.mm in Sources */ = {isa = PBXBuildFile; fileRef = AD14AD28202529B000890E3B /* ProcessCheck.mm */; };
 /* End PBXBuildFile section */
 
@@ -290 +292 @@
                 6599C5CB1EC3F15900A2F7BB /* AvailableMemory.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AvailableMemory.h; path = bmalloc/AvailableMemory.h; sourceTree = "<group>"; };
                 AD0934321FCF405000E85EB5 /* BCompiler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = BCompiler.h; path = bmalloc/BCompiler.h; sourceTree = "<group>"; };
+                AD14AD27202529A600890E3B /* ProcessCheck.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ProcessCheck.h; path = bmalloc/ProcessCheck.h; sourceTree = "<group>"; };
+                AD14AD28202529B000890E3B /* ProcessCheck.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = ProcessCheck.mm; path = bmalloc/ProcessCheck.mm; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
@@ -481 +485 @@
                                 14105E8318E14374003A106E /* ObjectType.cpp */,
                                 1485656018A43DBA00ED6942 /* ObjectType.h */,
+                                AD14AD27202529A600890E3B /* ProcessCheck.h */,
+                                AD14AD28202529B000890E3B /* ProcessCheck.mm */,
                                 0F5BF1501F22E1570029D91D /* Scavenger.cpp */,
                                 0F5BF1511F22E1570029D91D /* Scavenger.h */,
@@ -633 +639 @@
                                 14DD78D018F48D7500950702 /* VMAllocate.h in Headers */,
                                 0F7EB83A1F9541B000F1ABCB /* IsoDeallocatorInlines.h in Headers */,
+                                AD14AD29202529C400890E3B /* ProcessCheck.h in Headers */,
                                 1400274A18F89C2300115C97 /* VMHeap.h in Headers */,
                                 1440AFCB1A95261100837FAA /* Zone.h in Headers */,
@@ -766 +773 @@
                                 14895D911A3A319C0006235D /* Environment.cpp in Sources */,
                                 0F7EB83F1F9541B000F1ABCB /* IsoTLSLayout.cpp in Sources */,
+                                AD14AD2A202529C700890E3B /* ProcessCheck.mm in Sources */,
                                 14F271C718EA3990008C152F /* Heap.cpp in Sources */,
                                 0F7EB8321F9541B000F1ABCB /* IsoTLSEntry.cpp in Sources */,

releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/BPlatform.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -64 +64 @@
 #endif
 
+#if BPLATFORM(MAC) || BPLATFORM(IOS)
+#define BPLATFORM_COCOA 1
+#endif
+
+#if defined(TARGET_OS_WATCH) && TARGET_OS_WATCH
+#define BPLATFORM_WATCHOS 1
+#endif
+
 /* ==== Policy decision macros: these define policy choices for a particular port. ==== */
 

releases/WebKitGTK/webkit-2.20/Source/bmalloc/bmalloc/Gigacage.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29 +29 @@
 #include "Environment.h"
 #include "PerProcess.h"
+#include "ProcessCheck.h"
 #include "VMAllocate.h"
 #include "Vector.h"
@@ -251 +252 @@
         onceFlag,
         [] {
+            if (!gigacageEnabledForProcess())
+                return;
+
             bool result = !PerProcess<Environment>::get()->isDebugHeapEnabled();
             if (!result)