Changeset 228632 in webkit

Timestamp:

Feb 19, 2018 1:59:43 AM (6 years ago)

Author:

Carlos Garcia Campos

Message:

Merge r228149 - Global objects should be able to use TLCs to allocate from different blocks from each other
​https://bugs.webkit.org/show_bug.cgi?id=182227

Source/JavaScriptCore:

Reviewed by JF Bastien.

This uses TLCs to create at least minimumDistanceBetweenCellsFromDifferenOrigins bytes of
distance between objects from different origins, using the following combination of things. For
short lets refer to that constant as K.

• Since r227721, LargeAllocation puts K bytes padding at the end of each allocation.

• Since r227718, MarkedBlock puts at least K bytes in its footer.

• Since r227617, global objects can have their own TLCs, which make them allocate from a different set of blocks than other global objects. The TLC of a global object comes into effect when you enter the VM via that global object.

• With this change, TLCs and blocks both have security origins. A TLC will only use blocks that share the same security origin or empty blocks (in which case we zero the block and change its security origin).

WebCore determines the TLC-GlobalObject mapping. By default, global objects would simply use
the VM's default TLC. WebCore makes it so that DOM windows (but not worker global objects) get
a TLC based on their document's SecurityOrigin.

• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• heap/BlockDirectory.cpp:

(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::prepareForAllocation):

• heap/BlockDirectory.h:
• heap/LocalAllocator.cpp:

(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):

• heap/LocalAllocator.h:

(JSC::LocalAllocator::tlc const):

• heap/MarkStackMergingConstraint.cpp:
• heap/MarkStackMergingConstraint.h:
• heap/MarkedBlock.cpp:

(JSC::MarkedBlock::Handle::associateWithOrigin):

• heap/MarkedBlock.h:

(JSC::MarkedBlock::Handle::securityOriginToken const):

• heap/SecurityOriginToken.cpp: Added.

(JSC::uniqueSecurityOriginToken):

• heap/SecurityOriginToken.h: Added.
• heap/ThreadLocalCache.cpp:

(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::installSlow):

• heap/ThreadLocalCache.h:

(JSC::ThreadLocalCache::securityOriginToken const):

• heap/ThreadLocalCacheInlines.h:

(JSC::ThreadLocalCache::install):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::createThreadLocalCache):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::threadLocalCache):
(JSC::JSGlobalObject::threadLocalCache const): Deleted.

• runtime/VMEntryScope.cpp:

(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::~VMEntryScope):

• runtime/VMEntryScope.h:

Source/WebCore:

Reviewed by Daniel Bates and Chris Dumez.

No new tests because no change in behavior.

Adopt JSC TLC API to put distance between objects from different security origins. WebCore has
a subclass of ThreadLocalCache that supports hash-consing based on the relevant origin data
using the existing SecurityOriginHash. It's Document's job to initiate this, but all of the
logic is in WebCore::OriginThreadLocalCache.

Workers don't opt into this. They just get the VM's default TLC all the time.

• ForwardingHeaders/heap/ThreadLocalCache.h: Added.
• Sources.txt:
• WebCore.xcodeproj/project.pbxproj:
• bindings/js/JSDOMGlobalObject.cpp:

(WebCore::JSDOMGlobalObject::JSDOMGlobalObject):

• bindings/js/JSDOMGlobalObject.h:
• bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::JSDOMWindowBase):

• dom/Document.cpp:

(WebCore::Document::initSecurityContext):
(WebCore::Document::threadLocalCache):

• dom/Document.h:
• page/OriginThreadLocalCache.cpp: Added.

(WebCore::threadLocalCacheMap):
(WebCore::OriginThreadLocalCache::create):
(WebCore::OriginThreadLocalCache::~OriginThreadLocalCache):
(WebCore::OriginThreadLocalCache::OriginThreadLocalCache):

• page/OriginThreadLocalCache.h: Added.
• page/SecurityOrigin.cpp:

(WebCore::SecurityOrigin::passesFileCheck const):
(WebCore::SecurityOrigin::setEnforcesFilePathSeparation):
(WebCore::SecurityOrigin::toString const):
(WebCore::SecurityOrigin::enforceFilePathSeparation): Deleted.

• page/SecurityOrigin.h:

(WebCore::SecurityOrigin::enforcesFilePathSeparation const):

Location:

releases/WebKitGTK/webkit-2.20/Source

Files:

• JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (7 diffs)
• JavaScriptCore/Sources.txt (modified) (2 diffs)
• JavaScriptCore/heap/BlockDirectory.cpp (modified) (3 diffs)
• JavaScriptCore/heap/BlockDirectory.h (modified) (3 diffs)
• JavaScriptCore/heap/LocalAllocator.cpp (modified) (7 diffs)
• JavaScriptCore/heap/LocalAllocator.h (modified) (5 diffs)
• JavaScriptCore/heap/MarkStackMergingConstraint.cpp (modified) (1 diff)
• JavaScriptCore/heap/MarkStackMergingConstraint.h (modified) (1 diff)
• JavaScriptCore/heap/MarkedBlock.cpp (modified) (1 diff)
• JavaScriptCore/heap/MarkedBlock.h (modified) (3 diffs)
• JavaScriptCore/heap/SecurityOriginToken.cpp (copied) (copied from releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/runtime/VMEntryScope.h) (2 diffs)
• JavaScriptCore/heap/SecurityOriginToken.h (copied) (copied from releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/runtime/VMEntryScope.h) (2 diffs)
• JavaScriptCore/heap/ThreadLocalCache.cpp (modified) (4 diffs)
• JavaScriptCore/heap/ThreadLocalCache.h (modified) (6 diffs)
• JavaScriptCore/heap/ThreadLocalCacheInlines.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSGlobalObject.h (modified) (1 diff)
• JavaScriptCore/runtime/VMEntryScope.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/VMEntryScope.h (modified) (2 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/ForwardingHeaders/heap/ThreadLocalCache.h (added)
• WebCore/Sources.txt (modified) (1 diff)
• WebCore/WebCore.xcodeproj/project.pbxproj (modified) (5 diffs)
• WebCore/bindings/js/JSDOMGlobalObject.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMGlobalObject.h (modified) (2 diffs)
• WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (1 diff)
• WebCore/dom/Document.cpp (modified) (5 diffs)
• WebCore/dom/Document.h (modified) (3 diffs)
• WebCore/page/OriginThreadLocalCache.cpp (copied) (copied from releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/runtime/VMEntryScope.h) (2 diffs)
• WebCore/page/OriginThreadLocalCache.h (copied) (copied from releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/runtime/VMEntryScope.h) (2 diffs)
• WebCore/page/SecurityOrigin.cpp (modified) (4 diffs)
• WebCore/page/SecurityOrigin.h (modified) (3 diffs)

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/CMakeLists.txt

@@ -514 +514 @@
     heap/RegisterState.h
     heap/RunningScope.h
+    heap/SecurityOriginToken.h
     heap/SimpleMarkingConstraint.h
     heap/SlotVisitor.h

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-01-28  Filip Pizlo  <fpizlo@apple.com>
+
+        Global objects should be able to use TLCs to allocate from different blocks from each other
+        https://bugs.webkit.org/show_bug.cgi?id=182227
+
+        Reviewed by JF Bastien.
+        
+        This uses TLCs to create at least `minimumDistanceBetweenCellsFromDifferenOrigins` bytes of
+        distance between objects from different origins, using the following combination of things. For
+        short lets refer to that constant as K.
+        
+        - Since r227721, LargeAllocation puts K bytes padding at the end of each allocation.
+        
+        - Since r227718, MarkedBlock puts at least K bytes in its footer.
+        
+        - Since r227617, global objects can have their own TLCs, which make them allocate from a
+          different set of blocks than other global objects. The TLC of a global object comes into
+          effect when you enter the VM via that global object.
+        
+        - With this change, TLCs and blocks both have security origins. A TLC will only use blocks that
+          share the same security origin or empty blocks (in which case we zero the block and change
+          its security origin).
+        
+        WebCore determines the TLC-GlobalObject mapping. By default, global objects would simply use
+        the VM's default TLC. WebCore makes it so that DOM windows (but not worker global objects) get
+        a TLC based on their document's SecurityOrigin.
+        
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * heap/BlockDirectory.cpp:
+        (JSC::BlockDirectory::findBlockForAllocation):
+        (JSC::BlockDirectory::prepareForAllocation):
+        * heap/BlockDirectory.h:
+        * heap/LocalAllocator.cpp:
+        (JSC::LocalAllocator::LocalAllocator):
+        (JSC::LocalAllocator::reset):
+        (JSC::LocalAllocator::~LocalAllocator):
+        (JSC::LocalAllocator::allocateSlowCase):
+        (JSC::LocalAllocator::tryAllocateWithoutCollecting):
+        * heap/LocalAllocator.h:
+        (JSC::LocalAllocator::tlc const):
+        * heap/MarkStackMergingConstraint.cpp:
+        * heap/MarkStackMergingConstraint.h:
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::Handle::associateWithOrigin):
+        * heap/MarkedBlock.h:
+        (JSC::MarkedBlock::Handle::securityOriginToken const):
+        * heap/SecurityOriginToken.cpp: Added.
+        (JSC::uniqueSecurityOriginToken):
+        * heap/SecurityOriginToken.h: Added.
+        * heap/ThreadLocalCache.cpp:
+        (JSC::ThreadLocalCache::create):
+        (JSC::ThreadLocalCache::ThreadLocalCache):
+        (JSC::ThreadLocalCache::allocateData):
+        (JSC::ThreadLocalCache::installSlow):
+        * heap/ThreadLocalCache.h:
+        (JSC::ThreadLocalCache::securityOriginToken const):
+        * heap/ThreadLocalCacheInlines.h:
+        (JSC::ThreadLocalCache::install):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::JSGlobalObject):
+        (JSC::JSGlobalObject::createThreadLocalCache):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::threadLocalCache):
+        (JSC::JSGlobalObject::threadLocalCache const): Deleted.
+        * runtime/VMEntryScope.cpp:
+        (JSC::VMEntryScope::VMEntryScope):
+        (JSC::VMEntryScope::~VMEntryScope):
+        * runtime/VMEntryScope.h:
+
 2018-02-05  Don Olmstead  <don.olmstead@sony.com>
 

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -295 +295 @@
                 0F426A491460CBB700131F8F /* VirtualRegister.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F426A461460CBAB00131F8F /* VirtualRegister.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F426A4B1460CD6E00131F8F /* DataFormat.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F426A4A1460CD6B00131F8F /* DataFormat.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F42B3C3201EC9FF00357031 /* SecurityOriginToken.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F42B3C2201EC9FD00357031 /* SecurityOriginToken.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F431738146BAC69007E3890 /* ListableHandler.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F431736146BAC65007E3890 /* ListableHandler.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F4570391BE44C910062A629 /* AirEliminateDeadCode.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4570371BE44C910062A629 /* AirEliminateDeadCode.h */; };
@@ -2263 +2264 @@
                 0F426A461460CBAB00131F8F /* VirtualRegister.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VirtualRegister.h; sourceTree = "<group>"; };
                 0F426A4A1460CD6B00131F8F /* DataFormat.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DataFormat.h; sourceTree = "<group>"; };
+                0F42B3C0201EB50900357031 /* Allocator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Allocator.cpp; sourceTree = "<group>"; };
+                0F42B3C2201EC9FD00357031 /* SecurityOriginToken.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecurityOriginToken.h; sourceTree = "<group>"; };
                 0F431736146BAC65007E3890 /* ListableHandler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ListableHandler.h; sourceTree = "<group>"; };
                 0F4570361BE44C910062A629 /* AirEliminateDeadCode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = AirEliminateDeadCode.cpp; path = b3/air/AirEliminateDeadCode.cpp; sourceTree = "<group>"; };
@@ -5560 +5563 @@
                         isa = PBXGroup;
                         children = (
-                                0F75A054200D25EF0038E2CF /* Allocator.h */,
-                                0F75A05D200D25F10038E2CF /* AllocatorInlines.h */,
-                                0F75A059200D25F00038E2CF /* LocalAllocator.cpp */,
-                                0F75A057200D25F00038E2CF /* LocalAllocator.h */,
-                                0F75A05A200D25F00038E2CF /* LocalAllocatorInlines.h */,
-                                0F75A058200D25F00038E2CF /* ThreadLocalCache.cpp */,
-                                0F75A055200D25EF0038E2CF /* ThreadLocalCache.h */,
-                                0F75A056200D25EF0038E2CF /* ThreadLocalCacheInlines.h */,
-                                0F75A05B200D25F10038E2CF /* ThreadLocalCacheLayout.cpp */,
-                                0F75A05C200D25F10038E2CF /* ThreadLocalCacheLayout.h */,
                                 0FEC3C501F33A41600F59B6C /* AlignedMemoryAllocator.cpp */,
                                 0FEC3C511F33A41600F59B6C /* AlignedMemoryAllocator.h */,
                                 0FA7620A1DB959F600B7A2FD /* AllocatingScope.h */,
                                 0FDCE11B1FAE61F4006F3901 /* AllocationFailureMode.h */,
+                                0F42B3C0201EB50900357031 /* Allocator.cpp */,
+                                0F75A054200D25EF0038E2CF /* Allocator.h */,
                                 0F30CB5D1FCE46B4004B5323 /* AllocatorForMode.h */,
+                                0F75A05D200D25F10038E2CF /* AllocatorInlines.h */,
                                 0FB4677E1FDDA6E5003FCB09 /* AtomIndices.h */,
                                 C2B916C414DA040C00CBAC86 /* BlockDirectory.cpp */,
@@ -5675 +5671 @@
                                 0F070A461D543A89006E7232 /* LargeAllocation.h */,
                                 0F431736146BAC65007E3890 /* ListableHandler.h */,
+                                0F75A059200D25F00038E2CF /* LocalAllocator.cpp */,
+                                0F75A057200D25F00038E2CF /* LocalAllocator.h */,
+                                0F75A05A200D25F00038E2CF /* LocalAllocatorInlines.h */,
                                 0F208AD61DF0925A007D3269 /* LockDuringMarking.h */,
                                 14B7233F12D7D0DA003BD5ED /* MachineStackMarker.cpp */,
@@ -5704 +5703 @@
                                 0F7CF94E1DBEEE860098CC12 /* ReleaseHeapAccessScope.h */,
                                 0F2C63A91E4FA42C00C13839 /* RunningScope.h */,
+                                0F42B3C2201EC9FD00357031 /* SecurityOriginToken.h */,
                                 0F4D8C761FCA3CF2001D32AC /* SimpleMarkingConstraint.cpp */,
                                 0F4D8C771FCA3CF3001D32AC /* SimpleMarkingConstraint.h */,
@@ -5725 +5725 @@
                                 0F1FB38A1E173A6200A9BE50 /* SynchronousStopTheWorldMutatorScheduler.cpp */,
                                 0F1FB38B1E173A6200A9BE50 /* SynchronousStopTheWorldMutatorScheduler.h */,
+                                0F75A058200D25F00038E2CF /* ThreadLocalCache.cpp */,
+                                0F75A055200D25EF0038E2CF /* ThreadLocalCache.h */,
+                                0F75A056200D25EF0038E2CF /* ThreadLocalCacheInlines.h */,
+                                0F75A05B200D25F10038E2CF /* ThreadLocalCacheLayout.cpp */,
+                                0F75A05C200D25F10038E2CF /* ThreadLocalCacheLayout.h */,
                                 141448CC13A1783700F5BA1A /* TinyBloomFilter.h */,
                                 0F5F08CE146C762F000472A9 /* UnconditionalFinalizer.h */,
@@ -8523 +8528 @@
                                 A7D89CFE17A0B8CC00773AD8 /* DFGOSRAvailabilityAnalysisPhase.h in Headers */,
                                 0FD82E57141DAF1000179C94 /* DFGOSREntry.h in Headers */,
+                                0F42B3C3201EC9FF00357031 /* SecurityOriginToken.h in Headers */,
                                 0FD8A32617D51F5700CA2C40 /* DFGOSREntrypointCreationPhase.h in Headers */,
                                 0FC0976A1468A6F700CF2442 /* DFGOSRExit.h in Headers */,

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/Sources.txt

@@ -1 @@
-// Copyright (C) 2017 Apple Inc. All rights reserved.
+// Copyright (C) 2017-2018 Apple Inc. All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
@@ -513 +513 @@
 heap/MutatorScheduler.cpp
 heap/MutatorState.cpp
+heap/SecurityOriginToken.cpp
 heap/SimpleMarkingConstraint.cpp
 heap/SlotVisitor.cpp

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/BlockDirectory.cpp

@@ -34 +34 @@
 #include "MarkedBlockInlines.h"
 #include "SuperSampler.h"
+#include "ThreadLocalCacheInlines.h"
 #include "VM.h"
 #include <wtf/CurrentTime.h>
@@ -81 +82 @@
 }
 
-MarkedBlock::Handle* BlockDirectory::findBlockForAllocation()
-{
-    m_allocationCursor = (m_canAllocateButNotEmpty | m_empty).findBit(m_allocationCursor, true);
-    if (m_allocationCursor >= m_blocks.size())
-        return nullptr;
-    
-    setIsCanAllocateButNotEmpty(NoLockingNecessary, m_allocationCursor, false);
-    return m_blocks[m_allocationCursor];
+MarkedBlock::Handle* BlockDirectory::findBlockForAllocation(LocalAllocator& allocator)
+{
+    for (;;) {
+        allocator.m_allocationCursor = (m_canAllocateButNotEmpty | m_empty).findBit(allocator.m_allocationCursor, true);
+        if (allocator.m_allocationCursor >= m_blocks.size())
+            return nullptr;
+        
+        size_t blockIndex = allocator.m_allocationCursor++;
+        MarkedBlock::Handle* result = m_blocks[blockIndex];
+        if (result->securityOriginToken() == allocator.tlc()->securityOriginToken()) {
+            setIsCanAllocateButNotEmpty(NoLockingNecessary, blockIndex, false);
+            return result;
+        }
+    }
 }
 
@@ -184 +191 @@
         });
     
-    m_allocationCursor = 0;
-    m_emptyCursor = 0;
     m_unsweptCursor = 0;
     

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/BlockDirectory.h

@@ -44 +44 @@
 class MarkedSpace;
 class LLIntOffsetsExtractor;
+class ThreadLocalCache;
 class ThreadLocalCacheLayout;
 
@@ -163 +164 @@
     
 private:
+    friend class IsoCellSet;
     friend class LocalAllocator;
-    friend class IsoCellSet;
+    friend class LocalSideAllocator;
     friend class MarkedBlock;
     friend class ThreadLocalCacheLayout;
     
-    MarkedBlock::Handle* findBlockForAllocation();
+    MarkedBlock::Handle* findBlockForAllocation(LocalAllocator&);
     
     MarkedBlock::Handle* tryAllocateBlock();
@@ -185 +187 @@
     // After you do something to a block based on one of these cursors, you clear the bit in the
     // corresponding bitvector and leave the cursor where it was.
-    size_t m_allocationCursor { 0 }; // Points to the next block that is a candidate for allocation.
-    size_t m_emptyCursor { 0 }; // Points to the next block that is a candidate for empty allocation (allocating in empty blocks).
+    size_t m_emptyCursor { 0 };
     size_t m_unsweptCursor { 0 }; // Points to the next block that is a candidate for incremental sweeping.
     

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/LocalAllocator.cpp

@@ -33 +33 @@
 namespace JSC {
 
-LocalAllocator::LocalAllocator(BlockDirectory* directory)
-    : m_directory(directory)
+LocalAllocator::LocalAllocator(ThreadLocalCache* tlc, BlockDirectory* directory)
+    : m_tlc(tlc)
+    , m_directory(directory)
     , m_cellSize(directory->m_cellSize)
     , m_freeList(m_cellSize)
@@ -43 +44 @@
 
 LocalAllocator::LocalAllocator(LocalAllocator&& other)
-    : m_directory(other.m_directory)
+    : m_tlc(other.m_tlc)
+    , m_directory(other.m_directory)
     , m_cellSize(other.m_cellSize)
     , m_freeList(WTFMove(other.m_freeList))
     , m_currentBlock(other.m_currentBlock)
     , m_lastActiveBlock(other.m_lastActiveBlock)
+    , m_allocationCursor(other.m_allocationCursor)
 {
     other.reset();
@@ -62 +65 @@
     m_currentBlock = nullptr;
     m_lastActiveBlock = nullptr;
+    m_allocationCursor = 0;
 }
 
@@ -81 +85 @@
     //   time of destruction because for it to get into any other state, someone must have allocated
     //   in it (which is impossible because it's supposedly unreachable).
+    //
+    // My biggest worry with these assertions is that there will be some TLC that gets set as the
+    // current one but then never reset, and in the meantime the global object that owns it gets
+    // destroyed.
+    //
+    // Note that if we did hold onto some memory and we wanted to return it then this could be weird.
+    // We would potentially have to stopAllocating(). That would mean having to return a block to the
+    // BlockDirectory. It's not clear that the BlockDirectory is prepared to handle that during
+    // sweeping another block, for example.
     bool ok = true;
     if (!m_freeList.allocationWillFail()) {
@@ -165 +178 @@
             return nullptr;
     }
+    block->associateWithOrigin(m_tlc->securityOriginToken());
     m_directory->addBlock(block);
     result = allocateIn(block);
@@ -202 +216 @@
     
     for (;;) {
-        MarkedBlock::Handle* block = m_directory->findBlockForAllocation();
+        MarkedBlock::Handle* block = m_directory->findBlockForAllocation(*this);
         if (!block)
             break;
@@ -221 +235 @@
             // and empty set at the same time.
             block->removeFromDirectory();
+            block->associateWithOrigin(m_tlc->securityOriginToken());
             m_directory->addBlock(block);
             return allocateIn(block);

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/LocalAllocator.h

@@ -34 +34 @@
 class BlockDirectory;
 class GCDeferralContext;
+class ThreadLocalCache;
 
 class LocalAllocator : public BasicRawSentinelNode<LocalAllocator> {
@@ -39 +40 @@
     
 public:
-    LocalAllocator(BlockDirectory*);
+    LocalAllocator(ThreadLocalCache*, BlockDirectory*);
     LocalAllocator(LocalAllocator&&);
     ~LocalAllocator();
@@ -54 +55 @@
     
     bool isFreeListedCell(const void*) const;
+    
+    ThreadLocalCache* tlc() const { return m_tlc; }
 
 private:
+    friend class BlockDirectory;
+    
     void reset();
     JS_EXPORT_PRIVATE void* allocateSlowCase(GCDeferralContext*, AllocationFailureMode failureMode);
@@ -64 +69 @@
     ALWAYS_INLINE void doTestCollectionsIfNeeded(GCDeferralContext*);
 
+    ThreadLocalCache* m_tlc;
     BlockDirectory* m_directory;
     unsigned m_cellSize;
@@ -69 +75 @@
     MarkedBlock::Handle* m_currentBlock { nullptr };
     MarkedBlock::Handle* m_lastActiveBlock { nullptr };
+    
+    // After you do something to a block based on one of these cursors, you clear the bit in the
+    // corresponding bitvector and leave the cursor where it was.
+    size_t m_allocationCursor { 0 }; // Points to the next block that is a candidate for allocation.
 };
 

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/MarkStackMergingConstraint.cpp

@@ -26 +26 @@
 #include "config.h"
 #include "MarkStackMergingConstraint.h"
+
+#include "GCSegmentedArrayInlines.h"
+#include "JSCInlines.h"
 
 namespace JSC {

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/MarkStackMergingConstraint.h

@@ -30 +30 @@
 namespace JSC {
 
+class Heap;
+class SlotVisitor;
+
 class MarkStackMergingConstraint : public MarkingConstraint {
 public:

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -489 +489 @@
 }
 
+void MarkedBlock::Handle::associateWithOrigin(SecurityOriginToken securityOriginToken)
+{
+    if (m_securityOriginToken == securityOriginToken)
+        return;
+    
+    memset(&block(), 0, endAtom * atomSize);
+    m_securityOriginToken = securityOriginToken;
+}
+
 } // namespace JSC
 

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/MarkedBlock.h

@@ -26 +26 @@
 #include "HeapCell.h"
 #include "IterationStatus.h"
+#include "SecurityOriginToken.h"
 #include "WeakSet.h"
 #include <wtf/Atomics.h>
@@ -195 +196 @@
         void dumpState(PrintStream&);
         
+        void associateWithOrigin(SecurityOriginToken);
+        SecurityOriginToken securityOriginToken() const { return m_securityOriginToken; }
+        
     private:
         Handle(Heap&, AlignedMemoryAllocator*, void*);
@@ -230 +234 @@
         
         MarkedBlock* m_block { nullptr };
+        
+        SecurityOriginToken m_securityOriginToken { 0 };
     };
 

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/SecurityOriginToken.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -24 +24 @@
  */
 
-#pragma once
+#include "config.h"
+#include "SecurityOriginToken.h"
 
-#include <functional>
-#include <wtf/Vector.h>
+#include <wtf/Atomics.h>
 
 namespace JSC {
 
-class JSGlobalObject;
-class VM;
-
-class VMEntryScope {
-public:
-    JS_EXPORT_PRIVATE VMEntryScope(VM&, JSGlobalObject*);
-    JS_EXPORT_PRIVATE ~VMEntryScope();
-
-    VM& vm() const { return m_vm; }
-    JSGlobalObject* globalObject() const { return m_globalObject; }
-
-    void addDidPopListener(std::function<void ()>);
-
-private:
-    VM& m_vm;
-    JSGlobalObject* m_globalObject;
-    Vector<std::function<void ()>> m_didPopListeners;
-};
+SecurityOriginToken uniqueSecurityOriginToken()
+{
+    static SecurityOriginToken counter;
+    return WTF::atomicExchangeAdd(&counter, 1) + 1;
+}
 
 } // namespace JSC
+

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/SecurityOriginToken.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #pragma once
 
-#include <functional>
-#include <wtf/Vector.h>
-
 namespace JSC {
 
-class JSGlobalObject;
-class VM;
+typedef uint64_t SecurityOriginToken;
 
-class VMEntryScope {
-public:
-    JS_EXPORT_PRIVATE VMEntryScope(VM&, JSGlobalObject*);
-    JS_EXPORT_PRIVATE ~VMEntryScope();
-
-    VM& vm() const { return m_vm; }
-    JSGlobalObject* globalObject() const { return m_globalObject; }
-
-    void addDidPopListener(std::function<void ()>);
-
-private:
-    VM& m_vm;
-    JSGlobalObject* m_globalObject;
-    Vector<std::function<void ()>> m_didPopListeners;
-};
+JS_EXPORT_PRIVATE SecurityOriginToken uniqueSecurityOriginToken();
 
 } // namespace JSC
+

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/ThreadLocalCache.cpp

@@ -33 +33 @@
 namespace JSC {
 
-RefPtr<ThreadLocalCache> ThreadLocalCache::create(Heap& heap)
+RefPtr<ThreadLocalCache> ThreadLocalCache::create(Heap& heap, SecurityOriginToken securityOriginToken)
 {
-    return adoptRef(new ThreadLocalCache(heap));
+    return adoptRef(new ThreadLocalCache(heap, securityOriginToken));
 }
 
-ThreadLocalCache::ThreadLocalCache(Heap& heap)
+ThreadLocalCache::ThreadLocalCache(Heap& heap, SecurityOriginToken securityOriginToken)
     : m_heap(heap)
+    , m_securityOriginToken(securityOriginToken)
 {
     m_data = allocateData();
@@ -60 +61 @@
         new (&allocator(*result, offset)) LocalAllocator(WTFMove(allocator(*m_data, offset)));
     for (size_t offset = oldSize; offset < layout.size; offset += sizeof(LocalAllocator))
-        new (&allocator(*result, offset)) LocalAllocator(layout.directories[offset / sizeof(LocalAllocator)]);
+        new (&allocator(*result, offset)) LocalAllocator(this, layout.directories[offset / sizeof(LocalAllocator)]);
     return result;
 }
@@ -71 +72 @@
 }
 
-void ThreadLocalCache::installSlow(VM& vm)
+void ThreadLocalCache::installSlow(VM& vm, RefPtr<ThreadLocalCache>* previous)
 {
 #if USE(FAST_TLS_FOR_TLC)
@@ -84 +85 @@
     ref();
     
-    if (RefPtr<ThreadLocalCache> oldCache = get(vm))
-        oldCache->deref();
+    if (ThreadLocalCache::Data* oldCacheData = getImpl(vm)) {
+        ThreadLocalCache* oldCache = oldCacheData->cache;
+        if (previous)
+            *previous = adoptRef(oldCache);
+        else
+            oldCache->deref();
+    }
     
     installData(vm, m_data);

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/ThreadLocalCache.h

@@ -26 +26 @@
 #pragma once
 
+#include "AllocationFailureMode.h"
+#include "LocalAllocator.h"
+#include "SecurityOriginToken.h"
 #include <wtf/FastMalloc.h>
 #include <wtf/FastTLS.h>
 #include <wtf/ThreadSafeRefCounted.h>
+#include <wtf/Vector.h>
 
 namespace JSC {
@@ -40 +44 @@
     
 public:
-    static RefPtr<ThreadLocalCache> create(Heap&);
+    JS_EXPORT_PRIVATE static RefPtr<ThreadLocalCache> create(Heap&, SecurityOriginToken = uniqueSecurityOriginToken());
     
-    JS_EXPORT_PRIVATE ~ThreadLocalCache();
+    JS_EXPORT_PRIVATE virtual ~ThreadLocalCache();
 
     static RefPtr<ThreadLocalCache> get(VM&);
@@ -50 +54 @@
     // assumes a relatively small number of caches or low chance of actual context switch combined
     // with possibly high rate of "I may have context switched" sites that call this out of paranoia.
-    void install(VM&);
+    void install(VM&, RefPtr<ThreadLocalCache>* = nullptr);
     
     static LocalAllocator& allocator(VM&, size_t offset);
@@ -60 +64 @@
     static ptrdiff_t offsetOfFirstAllocatorInData() { return OBJECT_OFFSETOF(Data, allocator); }
     
+    SecurityOriginToken securityOriginToken() const { return m_securityOriginToken; }
+
+protected:    
+    JS_EXPORT_PRIVATE ThreadLocalCache(Heap&, SecurityOriginToken);
+    
 private:
     friend class VM;
-    
-    ThreadLocalCache(Heap&);
     
     struct Data {
@@ -77 +84 @@
     static LocalAllocator& allocator(Data& data, size_t offset);
 
-    void installSlow(VM&);
+    void installSlow(VM&, RefPtr<ThreadLocalCache>*);
     static void installData(VM&, Data*);
     
@@ -92 +99 @@
     Heap& m_heap;
     Data* m_data { nullptr };
+    
+    SecurityOriginToken m_securityOriginToken;
 
 #if USE(FAST_TLS_FOR_TLC)

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/ThreadLocalCacheInlines.h

@@ -27 +27 @@
 
 #include "ThreadLocalCache.h"
+#include "VM.h"
 
 namespace JSC {
@@ -48 +49 @@
 }
 
-inline void ThreadLocalCache::install(VM& vm)
+inline void ThreadLocalCache::install(VM& vm, RefPtr<ThreadLocalCache>* previous)
 {
-    if (getImpl(vm) == m_data)
+    if (getImpl(vm) == m_data) {
+        if (previous)
+            *previous = nullptr;
         return;
-    installSlow(vm);
+    }
+    installSlow(vm, previous);
 }
 

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -492 +492 @@
 
 protected:
-    JS_EXPORT_PRIVATE explicit JSGlobalObject(VM&, Structure*, const GlobalObjectMethodTable* = 0, RefPtr<ThreadLocalCache> = nullptr);
+    JS_EXPORT_PRIVATE explicit JSGlobalObject(VM&, Structure*, const GlobalObjectMethodTable* = nullptr, RefPtr<ThreadLocalCache> = nullptr);
 
     JS_EXPORT_PRIVATE void finishCreation(VM&);

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/runtime/VMEntryScope.cpp

@@ -42 +42 @@
     , m_globalObject(globalObject)
 {
-    globalObject->threadLocalCache().install(vm);
+    globalObject->threadLocalCache().install(vm, &m_previousTLC);
     ASSERT(!DisallowVMReentry::isInEffectOnCurrentThread());
     ASSERT(Thread::current().stack().isGrowingDownward());
@@ -72 +72 @@
 VMEntryScope::~VMEntryScope()
 {
+    if (m_previousTLC)
+        m_previousTLC->install(m_vm);
+    
     if (m_vm.entryScope != this)
         return;
 
     TracePoint(VMEntryScopeEnd);
-
+    
     if (m_vm.watchdog())
         m_vm.watchdog()->exitedVM();

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/runtime/VMEntryScope.h

@@ -32 +32 @@
 
 class JSGlobalObject;
+class ThreadLocalCache;
 class VM;
 
@@ -48 +49 @@
     JSGlobalObject* m_globalObject;
     Vector<std::function<void ()>> m_didPopListeners;
+    RefPtr<ThreadLocalCache> m_previousTLC;
 };
 

releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog

@@ +1 @@
+2018-02-05  Filip Pizlo  <fpizlo@apple.com>
+
+        Global objects should be able to use TLCs to allocate from different blocks from each other
+        https://bugs.webkit.org/show_bug.cgi?id=182227
+
+        Reviewed by Daniel Bates and Chris Dumez.
+
+        No new tests because no change in behavior.
+        
+        Adopt JSC TLC API to put distance between objects from different security origins. WebCore has
+        a subclass of ThreadLocalCache that supports hash-consing based on the relevant origin data
+        using the existing SecurityOriginHash. It's Document's job to initiate this, but all of the
+        logic is in WebCore::OriginThreadLocalCache.
+        
+        Workers don't opt into this. They just get the VM's default TLC all the time.
+
+        * ForwardingHeaders/heap/ThreadLocalCache.h: Added.
+        * Sources.txt:
+        * WebCore.xcodeproj/project.pbxproj:
+        * bindings/js/JSDOMGlobalObject.cpp:
+        (WebCore::JSDOMGlobalObject::JSDOMGlobalObject):
+        * bindings/js/JSDOMGlobalObject.h:
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::JSDOMWindowBase::JSDOMWindowBase):
+        * dom/Document.cpp:
+        (WebCore::Document::initSecurityContext):
+        (WebCore::Document::threadLocalCache):
+        * dom/Document.h:
+        * page/OriginThreadLocalCache.cpp: Added.
+        (WebCore::threadLocalCacheMap):
+        (WebCore::OriginThreadLocalCache::create):
+        (WebCore::OriginThreadLocalCache::~OriginThreadLocalCache):
+        (WebCore::OriginThreadLocalCache::OriginThreadLocalCache):
+        * page/OriginThreadLocalCache.h: Added.
+        * page/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::passesFileCheck const):
+        (WebCore::SecurityOrigin::setEnforcesFilePathSeparation):
+        (WebCore::SecurityOrigin::toString const):
+        (WebCore::SecurityOrigin::enforceFilePathSeparation): Deleted.
+        * page/SecurityOrigin.h:
+        (WebCore::SecurityOrigin::enforcesFilePathSeparation const):
+
 2018-02-05  Don Olmstead  <don.olmstead@sony.com>
 

releases/WebKitGTK/webkit-2.20/Source/WebCore/Sources.txt

@@ -1335 +1335 @@
 page/NavigatorBase.cpp
 page/OriginAccessEntry.cpp
+page/OriginThreadLocalCache.cpp
 page/Page.cpp
 page/PageConfiguration.cpp

releases/WebKitGTK/webkit-2.20/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -343 +343 @@
                 0F580FA31496939100FB5BD8 /* WebTiledBackingLayer.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F580FA11496939100FB5BD8 /* WebTiledBackingLayer.h */; };
                 0F580FAF149800D400FB5BD8 /* AnimationUtilities.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F580FAE149800D400FB5BD8 /* AnimationUtilities.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F5B408A20212F770080F913 /* OriginThreadLocalCache.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5B408820212F730080F913 /* OriginThreadLocalCache.h */; };
                 0F5B7A5510F65D7A00376302 /* RenderEmbeddedObject.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5B7A5310F65D7A00376302 /* RenderEmbeddedObject.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F5E200618E771FC003EC3E5 /* PlatformCAAnimationCocoa.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5E200518E771FC003EC3E5 /* PlatformCAAnimationCocoa.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -5497 +5498 @@
                 0F580FA21496939100FB5BD8 /* WebTiledBackingLayer.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WebTiledBackingLayer.mm; sourceTree = "<group>"; };
                 0F580FAE149800D400FB5BD8 /* AnimationUtilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AnimationUtilities.h; sourceTree = "<group>"; };
+                0F5B408820212F730080F913 /* OriginThreadLocalCache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OriginThreadLocalCache.h; sourceTree = "<group>"; };
+                0F5B408920212F730080F913 /* OriginThreadLocalCache.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = OriginThreadLocalCache.cpp; sourceTree = "<group>"; };
                 0F5B7A5210F65D7A00376302 /* RenderEmbeddedObject.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = RenderEmbeddedObject.cpp; sourceTree = "<group>"; };
                 0F5B7A5310F65D7A00376302 /* RenderEmbeddedObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RenderEmbeddedObject.h; sourceTree = "<group>"; };
@@ -9937 +9940 @@
                 8AF4E55911DC5A63000ED3DE /* PerformanceTiming.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PerformanceTiming.h; sourceTree = "<group>"; };
                 8AF4E55A11DC5A63000ED3DE /* PerformanceTiming.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = PerformanceTiming.idl; sourceTree = "<group>"; };
+                8BD37A67201BB39C0011734A /* ReadableStreamChunk.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ReadableStreamChunk.h; sourceTree = "<group>"; };
                 8E33CD93201A29C100E39093 /* GapLength.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GapLength.cpp; sourceTree = "<group>"; };
-                8BD37A67201BB39C0011734A /* ReadableStreamChunk.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ReadableStreamChunk.h; sourceTree = "<group>"; };
                 8E4C96D81AD4483500365A50 /* JSFetchResponse.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSFetchResponse.cpp; sourceTree = "<group>"; };
                 8E4C96D91AD4483500365A50 /* JSFetchResponse.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSFetchResponse.h; sourceTree = "<group>"; };
@@ -18830 +18833 @@
                                 00146288103CD1DE000B20DB /* OriginAccessEntry.cpp */,
                                 00146289103CD1DE000B20DB /* OriginAccessEntry.h */,
+                                0F5B408920212F730080F913 /* OriginThreadLocalCache.cpp */,
+                                0F5B408820212F730080F913 /* OriginThreadLocalCache.h */,
                                 65FEA86809833ADE00BED4AB /* Page.cpp */,
                                 65A21467097A329100B9050A /* Page.h */,
@@ -28267 +28272 @@
                                 5E2C436C1BCF071E0001E2BC /* JSRTCTrackEvent.h in Headers */,
                                 BCEC01C30C274DDD009F4EC9 /* JSScreen.h in Headers */,
+                                0F5B408A20212F770080F913 /* OriginThreadLocalCache.h in Headers */,
                                 FDA15ECE12B03F61003A583A /* JSScriptProcessorNode.h in Headers */,
                                 834476EF1DA5BC5E002B6ED2 /* JSScrollToOptions.h in Headers */,

releases/WebKitGTK/webkit-2.20/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2017 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2008-2018 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -57 +57 @@
 const ClassInfo JSDOMGlobalObject::s_info = { "DOMGlobalObject", &JSGlobalObject::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSDOMGlobalObject) };
 
-JSDOMGlobalObject::JSDOMGlobalObject(VM& vm, Structure* structure, Ref<DOMWrapperWorld>&& world, const GlobalObjectMethodTable* globalObjectMethodTable)
-    : JSGlobalObject(vm, structure, globalObjectMethodTable)
+JSDOMGlobalObject::JSDOMGlobalObject(VM& vm, Structure* structure, Ref<DOMWrapperWorld>&& world, const GlobalObjectMethodTable* globalObjectMethodTable, RefPtr<JSC::ThreadLocalCache>&& threadLocalCache)
+    : JSGlobalObject(vm, structure, globalObjectMethodTable, WTFMove(threadLocalCache))
     , m_currentEvent(0)
     , m_world(WTFMove(world))

releases/WebKitGTK/webkit-2.20/Source/WebCore/bindings/js/JSDOMGlobalObject.h

@@ -31 +31 @@
 #include <heap/HeapInlines.h>
 #include <heap/LockDuringMarking.h>
+#include <heap/ThreadLocalCache.h>
 #include <runtime/JSGlobalObject.h>
 #include <runtime/StructureInlines.h>
@@ -51 +52 @@
     struct JSDOMGlobalObjectData;
 
-    JSDOMGlobalObject(JSC::VM&, JSC::Structure*, Ref<DOMWrapperWorld>&&, const JSC::GlobalObjectMethodTable* = 0);
+    JSDOMGlobalObject(JSC::VM&, JSC::Structure*, Ref<DOMWrapperWorld>&&, const JSC::GlobalObjectMethodTable* = nullptr, RefPtr<JSC::ThreadLocalCache>&& = nullptr);
     static void destroy(JSC::JSCell*);
     void finishCreation(JSC::VM&);

releases/WebKitGTK/webkit-2.20/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

@@ -80 +80 @@
 
 JSDOMWindowBase::JSDOMWindowBase(VM& vm, Structure* structure, RefPtr<DOMWindow>&& window, JSDOMWindowProxy* proxy)
-    : JSDOMGlobalObject(vm, structure, proxy->world(), &s_globalObjectMethodTable)
+    : JSDOMGlobalObject(vm, structure, proxy->world(), &s_globalObjectMethodTable, window ? &window->document()->threadLocalCache() : nullptr)
     , m_windowCloseWatchpoints((window && window->frame()) ? IsWatched : IsInvalidated)
     , m_wrapped(WTFMove(window))

releases/WebKitGTK/webkit-2.20/Source/WebCore/dom/Document.cpp

@@ -4 +4 @@
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
@@ -127 +127 @@
 #include "NavigationScheduler.h"
 #include "NestingLevelIncrementer.h"
-
 #include "NodeIterator.h"
 #include "NodeRareData.h"
 #include "NodeWithIndex.h"
 #include "OriginAccessEntry.h"
+#include "OriginThreadLocalCache.h"
 #include "OverflowEvent.h"
 #include "PageConsoleClient.h"
@@ -219 +219 @@
 #include <inspector/ConsoleMessage.h>
 #include <inspector/ScriptCallStack.h>
+#include <runtime/VM.h>
 #include <wtf/CurrentTime.h>
 #include <wtf/Language.h>
@@ -5549 +5550 @@
             // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files
             // still can have other privileges that can be remembered, thereby not making them unique origins.
-            securityOrigin().enforceFilePathSeparation();
+            securityOrigin().setEnforcesFilePathSeparation();
         }
     }
@@ -7741 +7742 @@
 #endif
 
+JSC::ThreadLocalCache& Document::threadLocalCache()
+{
+    if (!m_threadLocalCache) {
+        SecurityOrigin& origin = securityOrigin();
+        if (origin.isUnique() || (origin.isLocal() && origin.enforcesFilePathSeparation()))
+            m_threadLocalCache = JSC::ThreadLocalCache::create(commonVM().heap);
+        else
+            m_threadLocalCache = OriginThreadLocalCache::create(origin);
+    }
+    return *m_threadLocalCache;
+}
+
 } // namespace WebCore

releases/WebKitGTK/webkit-2.20/Source/WebCore/dom/Document.h

@@ -52 +52 @@
 #include "ViewportArguments.h"
 #include "VisibilityState.h"
+#include <heap/ThreadLocalCache.h>
 #include <pal/SessionID.h>
 #include <wtf/Deque.h>
@@ -1412 +1413 @@
 #endif
 
+    JSC::ThreadLocalCache& threadLocalCache();
+
 protected:
     enum ConstructionFlags { Synthesized = 1, NonRenderedPlaceholder = 1 << 1 };
@@ -1896 +1899 @@
 
     HashSet<ApplicationStateChangeListener*> m_applicationStateChangeListeners;
+    
+    RefPtr<JSC::ThreadLocalCache> m_threadLocalCache;
 };
 

releases/WebKitGTK/webkit-2.20/Source/WebCore/page/OriginThreadLocalCache.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -24 +24 @@
  */
 
-#pragma once
+#include "config.h"
+#include "OriginThreadLocalCache.h"
 
-#include <functional>
-#include <wtf/Vector.h>
+#include "CommonVM.h"
+#include "SecurityOriginHash.h"
+#include <wtf/HashMap.h>
+#include <wtf/NeverDestroyed.h>
 
-namespace JSC {
+namespace WebCore {
 
-class JSGlobalObject;
-class VM;
+typedef HashMap<RefPtr<SecurityOrigin>, OriginThreadLocalCache*> ThreadLocalCacheMap;
 
-class VMEntryScope {
-public:
-    JS_EXPORT_PRIVATE VMEntryScope(VM&, JSGlobalObject*);
-    JS_EXPORT_PRIVATE ~VMEntryScope();
+static ThreadLocalCacheMap& threadLocalCacheMap()
+{
+    static NeverDestroyed<ThreadLocalCacheMap> map;
+    return map;
+}
 
-    VM& vm() const { return m_vm; }
-    JSGlobalObject* globalObject() const { return m_globalObject; }
+Ref<OriginThreadLocalCache> OriginThreadLocalCache::create(SecurityOrigin& key)
+{
+    auto iter = threadLocalCacheMap().find(&key);
+    if (iter != threadLocalCacheMap().end())
+        return *iter->value;
+    
+    return adoptRef(*new OriginThreadLocalCache(key));
+}
 
-    void addDidPopListener(std::function<void ()>);
+OriginThreadLocalCache::~OriginThreadLocalCache()
+{
+    bool result = threadLocalCacheMap().remove(m_key);
+    RELEASE_ASSERT(result);
+}
 
-private:
-    VM& m_vm;
-    JSGlobalObject* m_globalObject;
-    Vector<std::function<void ()>> m_didPopListeners;
-};
+OriginThreadLocalCache::OriginThreadLocalCache(SecurityOrigin& key)
+    : ThreadLocalCache(commonVM().heap, JSC::uniqueSecurityOriginToken())
+    , m_key(&key)
+{
+    auto result = threadLocalCacheMap().add(&key, this);
+    RELEASE_ASSERT(result);
+}
 
-} // namespace JSC
+} // namespace WebCore
+

releases/WebKitGTK/webkit-2.20/Source/WebCore/page/OriginThreadLocalCache.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #pragma once
 
-#include <functional>
-#include <wtf/Vector.h>
+#include "SecurityOrigin.h"
+#include <heap/ThreadLocalCache.h>
 
-namespace JSC {
+namespace WebCore {
 
-class JSGlobalObject;
-class VM;
-
-class VMEntryScope {
+class OriginThreadLocalCache final : public JSC::ThreadLocalCache {
 public:
-    JS_EXPORT_PRIVATE VMEntryScope(VM&, JSGlobalObject*);
-    JS_EXPORT_PRIVATE ~VMEntryScope();
-
-    VM& vm() const { return m_vm; }
-    JSGlobalObject* globalObject() const { return m_globalObject; }
-
-    void addDidPopListener(std::function<void ()>);
+    static Ref<OriginThreadLocalCache> create(SecurityOrigin&);
+    
+    ~OriginThreadLocalCache() override;
 
 private:
-    VM& m_vm;
-    JSGlobalObject* m_globalObject;
-    Vector<std::function<void ()>> m_didPopListeners;
+    explicit OriginThreadLocalCache(SecurityOrigin&);
+    
+    RefPtr<SecurityOrigin> m_key;
 };
 
-} // namespace JSC
+} // namespace WebCore
+

releases/WebKitGTK/webkit-2.20/Source/WebCore/page/SecurityOrigin.cpp

@@ -181 +181 @@
     , m_canLoadLocalResources { other->m_canLoadLocalResources }
     , m_storageBlockingPolicy { other->m_storageBlockingPolicy }
-    , m_enforceFilePathSeparation { other->m_enforceFilePathSeparation }
+    , m_enforcesFilePathSeparation { other->m_enforcesFilePathSeparation }
     , m_needsStorageAccessFromFileURLsQuirk { other->m_needsStorageAccessFromFileURLsQuirk }
     , m_isPotentiallyTrustworthy { other->m_isPotentiallyTrustworthy }
@@ -284 +284 @@
     ASSERT(isLocal() && other.isLocal());
 
-    return !m_enforceFilePathSeparation && !other.m_enforceFilePathSeparation;
+    return !m_enforcesFilePathSeparation && !other.m_enforcesFilePathSeparation;
 }
 
@@ -454 +454 @@
 }
 
-void SecurityOrigin::enforceFilePathSeparation()
+void SecurityOrigin::setEnforcesFilePathSeparation()
 {
     ASSERT(isLocal());
-    m_enforceFilePathSeparation = true;
+    m_enforcesFilePathSeparation = true;
 }
 
@@ -469 +469 @@
     if (isUnique())
         return ASCIILiteral("null");
-    if (m_protocol == "file" && m_enforceFilePathSeparation)
+    if (m_protocol == "file" && m_enforcesFilePathSeparation)
         return ASCIILiteral("null");
     return toRawString();

releases/WebKitGTK/webkit-2.20/Source/WebCore/page/SecurityOrigin.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2007-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -166 +166 @@
     // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files
     // still can have other privileges that can be remembered, thereby not making them unique.
-    void enforceFilePathSeparation();
+    void setEnforcesFilePathSeparation();
+    bool enforcesFilePathSeparation() const { return m_enforcesFilePathSeparation; }
 
     // Convert this SecurityOrigin into a string. The string
@@ -230 +231 @@
     bool m_canLoadLocalResources { false };
     StorageBlockingPolicy m_storageBlockingPolicy { AllowAllStorage };
-    bool m_enforceFilePathSeparation { false };
+    bool m_enforcesFilePathSeparation { false };
     bool m_needsStorageAccessFromFileURLsQuirk { false };
     bool m_isPotentiallyTrustworthy { false };