Changeset 259547 in webkit


Timestamp:
Apr 5, 2020, 1:34:43 AM (5 years ago)
Author:
mark.lam@apple.com
Message:

Add some structureID integrity checks to various runtime functions.
https://bugs.webkit.org/show_bug.cgi?id=210015
<rdar://problem/58116514>

Reviewed by Keith Miller.

Specifically, implementations of toString(), toValue(), and a few others.
I also moved the HeapCell version of ensureStillAliveHere() into the new
EnsureStillAliveHere.h/cpp since it's useful for any pointers, not just HeapCells.

This change is performance neutral on JetStream 2.0, Speedometer-2, and PLT5.

  • CMakeLists.txt:
  • JavaScriptCore.xcodeproj/project.pbxproj:
  • Sources.txt:
  • heap/HeapCell.cpp:

(JSC::ensureStillAliveHere): Deleted.

  • heap/HeapCell.h:

(JSC::ensureStillAliveHere): Deleted.

  • heap/SlotVisitor.cpp:

(JSC::SlotVisitor::appendJSCellOrAuxiliary):

  • runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncToString):

  • runtime/BigIntPrototype.cpp:

(JSC::bigIntProtoFuncToStringImpl):
(JSC::bigIntProtoFuncValueOf):

  • runtime/BooleanPrototype.cpp:

(JSC::booleanProtoFuncToString):
(JSC::booleanProtoFuncValueOf):

  • runtime/DatePrototype.cpp:

(JSC::formatLocaleDate):
(JSC::formateDateInstance):
(JSC::dateProtoFuncToISOString):
(JSC::dateProtoFuncToPrimitiveSymbol):

  • runtime/EnsureStillAliveHere.cpp: Added.

(JSC::ensureStillAliveHere):

  • runtime/EnsureStillAliveHere.h: Added.

(JSC::ensureStillAliveHere):

  • runtime/ErrorInstance.cpp:

(JSC::ErrorInstance::sanitizedToString):

  • runtime/ErrorPrototype.cpp:

(JSC::errorProtoFuncToString):

  • runtime/FunctionPrototype.cpp:

(JSC::functionProtoFuncToString):

  • runtime/JSCell.cpp:

(JSC::JSCell::toObjectSlow const):

  • runtime/NumberPrototype.cpp:

(JSC::toThisNumber):

  • runtime/ObjectPrototype.cpp:

(JSC::objectProtoFuncValueOf):
(JSC::objectProtoFuncToString):

  • runtime/RegExpPrototype.cpp:

(JSC::regExpProtoFuncToString):

  • runtime/StringPrototype.cpp:

(JSC::stringProtoFuncToString):

  • runtime/StructureIDTable.h:

(JSC::StructureIDTable::validate):
(JSC::StructureIDTable::isValid): Deleted.

  • runtime/SymbolPrototype.cpp:

(JSC::symbolProtoGetterDescription):
(JSC::symbolProtoFuncToString):
(JSC::symbolProtoFuncValueOf):

  • tools/Integrity.h:
  • tools/IntegrityInlines.h:

(JSC::Integrity::auditStructureID):

  • wasm/js/WebAssemblyGlobalPrototype.cpp:

(JSC::getGlobal):

Location:
trunk/Source/JavaScriptCore
Files:
2 added
24 edited

  • trunk/Source/JavaScriptCore/CMakeLists.txt

    r259436 r259547  
    821821    runtime/DisallowVMReentry.h
    822822    runtime/DumpContext.h
     823    runtime/EnsureStillAliveHere.h
    823824    runtime/EnumerationMode.h
    824825    runtime/Error.h
  • trunk/Source/JavaScriptCore/ChangeLog

    r259546 r259547  
     12020-04-05  Mark Lam  <mark.lam@apple.com>
     2
     3        Add some structureID integrity checks to various runtime functions.
     4        https://bugs.webkit.org/show_bug.cgi?id=210015
     5        <rdar://problem/58116514>
     6
     7        Reviewed by Keith Miller.
     8
     9        Specifically, implementations of toString(), toValue(), and a few others.
     10        I also moved the HeapCell version of ensureStillAliveHere() into the new
     11        EnsureStillAliveHere.h/cpp since it's useful for any pointers, not just HeapCells.
     12
     13        This change is performance neutral on JetStream 2.0, Speedometer-2, and PLT5.
     14
     15        * CMakeLists.txt:
     16        * JavaScriptCore.xcodeproj/project.pbxproj:
     17        * Sources.txt:
     18        * heap/HeapCell.cpp:
     19        (JSC::ensureStillAliveHere): Deleted.
     20        * heap/HeapCell.h:
     21        (JSC::ensureStillAliveHere): Deleted.
     22        * heap/SlotVisitor.cpp:
     23        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
     24        * runtime/ArrayPrototype.cpp:
     25        (JSC::arrayProtoFuncToString):
     26        * runtime/BigIntPrototype.cpp:
     27        (JSC::bigIntProtoFuncToStringImpl):
     28        (JSC::bigIntProtoFuncValueOf):
     29        * runtime/BooleanPrototype.cpp:
     30        (JSC::booleanProtoFuncToString):
     31        (JSC::booleanProtoFuncValueOf):
     32        * runtime/DatePrototype.cpp:
     33        (JSC::formatLocaleDate):
     34        (JSC::formateDateInstance):
     35        (JSC::dateProtoFuncToISOString):
     36        (JSC::dateProtoFuncToPrimitiveSymbol):
     37        * runtime/EnsureStillAliveHere.cpp: Added.
     38        (JSC::ensureStillAliveHere):
     39        * runtime/EnsureStillAliveHere.h: Added.
     40        (JSC::ensureStillAliveHere):
     41        * runtime/ErrorInstance.cpp:
     42        (JSC::ErrorInstance::sanitizedToString):
     43        * runtime/ErrorPrototype.cpp:
     44        (JSC::errorProtoFuncToString):
     45        * runtime/FunctionPrototype.cpp:
     46        (JSC::functionProtoFuncToString):
     47        * runtime/JSCell.cpp:
     48        (JSC::JSCell::toObjectSlow const):
     49        * runtime/NumberPrototype.cpp:
     50        (JSC::toThisNumber):
     51        * runtime/ObjectPrototype.cpp:
     52        (JSC::objectProtoFuncValueOf):
     53        (JSC::objectProtoFuncToString):
     54        * runtime/RegExpPrototype.cpp:
     55        (JSC::regExpProtoFuncToString):
     56        * runtime/StringPrototype.cpp:
     57        (JSC::stringProtoFuncToString):
     58        * runtime/StructureIDTable.h:
     59        (JSC::StructureIDTable::validate):
     60        (JSC::StructureIDTable::isValid): Deleted.
     61        * runtime/SymbolPrototype.cpp:
     62        (JSC::symbolProtoGetterDescription):
     63        (JSC::symbolProtoFuncToString):
     64        (JSC::symbolProtoFuncValueOf):
     65        * tools/Integrity.h:
     66        * tools/IntegrityInlines.h:
     67        (JSC::Integrity::auditStructureID):
     68        * wasm/js/WebAssemblyGlobalPrototype.cpp:
     69        (JSC::getGlobal):
     70
    1712020-04-05  Alexey Shvayka  <shvaikalesh@gmail.com>
    272
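Review bot: line 9 of the ChangeLog entry says "toValue()", but the functions it lists are bigIntProtoFuncValueOf, booleanProtoFuncValueOf, objectProtoFuncValueOf and symbolProtoFuncValueOf, so "valueOf()" is the name meant. "formateDateInstance" on line 34 also reads like a typo; if that is the actual function name in DatePrototype.cpp it should stay, since the ChangeLog has to match the symbol.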
  • trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

    r259545 r259547  
    18881888                FE318FE01CAC982F00DFCC54 /* ECMAScriptSpecInternalFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = FE318FDE1CAC8C5300DFCC54 /* ECMAScriptSpecInternalFunctions.h */; };
    18891889                FE3422121D6B81C30032BE88 /* ThrowScope.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3422111D6B818C0032BE88 /* ThrowScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
     1890                FE34EE2124398AAE00AA2E7C /* EnsureStillAliveHere.h in Headers */ = {isa = PBXBuildFile; fileRef = FE34EE2024398A9A00AA2E7C /* EnsureStillAliveHere.h */; settings = {ATTRIBUTES = (Private, ); }; };
    18901891                FE3842332324D51B009DD445 /* OptionsList.h in Headers */ = {isa = PBXBuildFile; fileRef = FE3842312324D51B009DD445 /* OptionsList.h */; settings = {ATTRIBUTES = (Private, ); }; };
    18911892                FE384EE61ADDB7AD0055DE2C /* JSDollarVM.h in Headers */ = {isa = PBXBuildFile; fileRef = FE384EE21ADDB7AD0055DE2C /* JSDollarVM.h */; settings = {ATTRIBUTES = (Private, ); }; };
     
    51225123                FE318FDE1CAC8C5300DFCC54 /* ECMAScriptSpecInternalFunctions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ECMAScriptSpecInternalFunctions.h; sourceTree = "<group>"; };
    51235124                FE3422111D6B818C0032BE88 /* ThrowScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ThrowScope.h; sourceTree = "<group>"; };
     5125                FE34EE2024398A9A00AA2E7C /* EnsureStillAliveHere.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = EnsureStillAliveHere.h; sourceTree = "<group>"; };
     5126                FE34EE2224398B8500AA2E7C /* EnsureStillAliveHere.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = EnsureStillAliveHere.cpp; sourceTree = "<group>"; };
    51245127                FE35C2F021B1E6C5000F4CA8 /* Template.rb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.ruby; path = Template.rb; sourceTree = "<group>"; };
    51255128                FE35C2F121B1E6C6000F4CA8 /* Fits.rb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.ruby; path = Fits.rb; sourceTree = "<group>"; };
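Review bot: style nit at line 5125: the EnsureStillAliveHere.h PBXFileReference omits `fileEncoding = 4;` while the neighbouring ThrowScope.h entry and the new EnsureStillAliveHere.cpp entry on line 5126 carry it; adding it keeps the project file consistent.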
     
    71117114                                FE318FDD1CAC8C5300DFCC54 /* ECMAScriptSpecInternalFunctions.cpp */,
    71127115                                FE318FDE1CAC8C5300DFCC54 /* ECMAScriptSpecInternalFunctions.h */,
     7116                                FE34EE2224398B8500AA2E7C /* EnsureStillAliveHere.cpp */,
     7117                                FE34EE2024398A9A00AA2E7C /* EnsureStillAliveHere.h */,
    71137118                                2AD2EDFA19799E38004D6478 /* EnumerationMode.h */,
    71147119                                BC337BEA0E1B00CB0076918A /* Error.cpp */,
     
    89278932                                79A228361D35D71F00D8E067 /* ArithProfile.h in Headers */,
    89288933                                0F6B1CB91861244C00845D97 /* ArityCheckMode.h in Headers */,
     8934                                FE34EE2124398AAE00AA2E7C /* EnsureStillAliveHere.h in Headers */,
    89298935                                A1A009C11831A26E00CF8711 /* ARM64Assembler.h in Headers */,
    89308936                                FE1E2C402240DD6200F6B729 /* ARM64EAssembler.h in Headers */,
  • trunk/Source/JavaScriptCore/Sources.txt

    r259436 r259547  
    765765runtime/DumpContext.cpp
    766766runtime/ECMAScriptSpecInternalFunctions.cpp
     767runtime/EnsureStillAliveHere.cpp
    767768runtime/Error.cpp
    768769runtime/ErrorConstructor.cpp
  • trunk/Source/JavaScriptCore/heap/HeapCell.cpp

    r258825 r259547  
    11/*
    2  * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    4343}
    4444
    45 #if !COMPILER(GCC_COMPATIBLE)
    46 // This makes the argument opaque from the compiler.
    47 NEVER_INLINE void ensureStillAliveHere(const void*)
    48 {
    49 }
    50 #endif
    51 
    5245} // namespace JSC
    5346
  • trunk/Source/JavaScriptCore/heap/HeapCell.h

    r258825 r259547  
    11/*
    2  * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2727
    2828#include "DestructionMode.h"
     29#include "EnsureStillAliveHere.h"
    2930
    3031namespace JSC {
     
    3738class VM;
    3839struct CellAttributes;
    39 
    40 #if COMPILER(GCC_COMPATIBLE)
    41 ALWAYS_INLINE void ensureStillAliveHere(const void* pointer)
    42 {
    43     asm volatile ("" : : "r"(pointer) : "memory");
    44 }
    45 #else
    46 JS_EXPORT_PRIVATE void ensureStillAliveHere(const void*);
    47 #endif
    4840
    4941class HeapCell {
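Review bot: with the definition removed at lines 40-47, HeapCell.h now depends on the EnsureStillAliveHere.h include added at line 29 to keep ensureStillAliveHere() visible to its existing users, which is fine. The two added files are not rendered in this changeset view, though, so this page cannot confirm that the `asm volatile ("" : : "r"(pointer) : "memory")` barrier for GCC-compatible compilers and the NEVER_INLINE fallback removed from HeapCell.cpp were carried over unchanged; worth checking the new header keeps the COMPILER(GCC_COMPATIBLE) split, since the Integrity checks added elsewhere in this changeset rely on the call not being optimised away.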
  • trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp

    r258386 r259547  
    11/*
    2  * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2012-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    201201            die("GC scan found object in bad state: structureID is nuked!\n");
    202202       
    203 #if USE(JSVALUE64)
    204203        // This detects the worst of the badness.
    205         if (!heap()->structureIDTable().isValid(structureID))
    206             die("GC scan found corrupt object: structureID is invalid!\n");
    207 #endif
     204        Integrity::auditStructureID(heap()->structureIDTable(), structureID);
    208205    };
    209206   
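Review bot: the replacement at line 204 loses the descriptive crash message: the removed branch called `die("GC scan found corrupt object: structureID is invalid!\n")` when isValid() failed, whereas Integrity::auditStructureID() ends in a bare RELEASE_ASSERT (see the StructureIDTable.h hunk in this changeset), so a corrupt structureID found during a GC scan no longer names the condition in the crash log. If that message matters for triage, keep the die() here and rely on validate() only for the checks. Dropping the USE(JSVALUE64) guard is fine, because the 32-bit StructureIDTable::validate() stub added in this changeset is empty, so behaviour on those builds is unchanged.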
  • trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

    r254252 r259547  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
    44 *  Copyright (C) 2003 Peter Kelly (pmk@post.com)
    55 *  Copyright (C) 2006 Alexey Proskuryakov (ap@nypop.com)
     
    3232#include "Error.h"
    3333#include "GetterSetter.h"
     34#include "IntegrityInlines.h"
    3435#include "Interpreter.h"
    3536#include "JIT.h"
     
    606607    RETURN_IF_EXCEPTION(scope, encodedJSValue());
    607608
     609    Integrity::auditStructureID(vm, thisObject->structureID());
    608610    if (!canUseDefaultArrayJoinForToString(vm, thisObject)) {
    609611        // 2. Let func be the result of calling the [[Get]] internal method of array with argument "join".
  • trunk/Source/JavaScriptCore/runtime/BigIntPrototype.cpp

    r253865 r259547  
    11/*
    22 * Copyright (C) 2017 Caio Lima <ticaiolima@gmail.com>.
    3  * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
     3 * Copyright (C) 2017-2020 Apple Inc. All rights reserved.
    44 *
    55 * Redistribution and use in source and binary forms, with or without
     
    3030#include "BigIntObject.h"
    3131#include "Error.h"
     32#include "IntegrityInlines.h"
    3233#include "JSBigInt.h"
    3334#include "JSCBuiltins.h"
     
    102103    ASSERT(value);
    103104
     105    Integrity::auditStructureID(vm, value->structureID());
    104106    int32_t radix = extractToStringRadixArgument(globalObject, callFrame->argument(0), scope);
    105107    RETURN_IF_EXCEPTION(scope, { });
     
    127129{
    128130    VM& vm = globalObject->vm();
    129     if (JSBigInt* value = toThisBigIntValue(vm, callFrame->thisValue()))
    130         return JSValue::encode(value);
    131    
    132131    auto scope = DECLARE_THROW_SCOPE(vm);
    133     return throwVMTypeError(globalObject, scope, "'this' value must be a BigInt or BigIntObject"_s);
     132
     133    JSBigInt* value = toThisBigIntValue(vm, callFrame->thisValue());
     134    if (!value)
     135        return throwVMTypeError(globalObject, scope, "'this' value must be a BigInt or BigIntObject"_s);
     136
     137    Integrity::auditStructureID(vm, value->structureID());
     138    return JSValue::encode(value);
    134139}
    135140
  • trunk/Source/JavaScriptCore/runtime/BooleanPrototype.cpp

    r251425 r259547  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2003, 2008, 2011, 2016 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
    44 *
    55 *  This library is free software; you can redistribute it and/or
     
    2424#include "Error.h"
    2525#include "ExceptionHelpers.h"
     26#include "IntegrityInlines.h"
    2627#include "JSFunction.h"
    2728#include "JSString.h"
     
    8182        return throwVMTypeError(globalObject, scope);
    8283
     84    Integrity::auditStructureID(vm, thisObject->structureID());
    8385    if (thisObject->internalValue() == jsBoolean(false))
    8486        return JSValue::encode(vm.smallStrings.falseString());
     
    100102        return throwVMTypeError(globalObject, scope);
    101103
     104    Integrity::auditStructureID(vm, thisObject->structureID());
    102105    return JSValue::encode(thisObject->internalValue());
    103106}
  • trunk/Source/JavaScriptCore/runtime/DatePrototype.cpp

    r251852 r259547  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2004-2019 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2004-2020 Apple Inc. All rights reserved.
    44 *  Copyright (C) 2008, 2009 Torch Mobile, Inc. All rights reserved.
    55 *  Copyright (C) 2010 Torch Mobile (Beijing) Co. Ltd. All rights reserved.
     
    2828#include "DateInstance.h"
    2929#include "Error.h"
     30#include "IntegrityInlines.h"
    3031#include "JSCBuiltins.h"
    3132#include "JSDateMath.h"
     
    141142}
    142143
    143 static JSCell* formatLocaleDate(JSGlobalObject* globalObject, CallFrame* callFrame, DateInstance*, double timeInMilliseconds, LocaleDateTimeFormat format)
    144 {
    145     VM& vm = globalObject->vm();
     144static JSCell* formatLocaleDate(JSGlobalObject* globalObject, CallFrame* callFrame, DateInstance* dateObject, double timeInMilliseconds, LocaleDateTimeFormat format)
     145{
     146    VM& vm = globalObject->vm();
     147    Integrity::auditStructureID(vm, dateObject->structureID());
     148
    146149    CFDateFormatterStyle dateStyle = (format != LocaleTime ? kCFDateFormatterLongStyle : kCFDateFormatterNoStyle);
    147150    CFDateFormatterStyle timeStyle = (format != LocaleDate ? kCFDateFormatterLongStyle : kCFDateFormatterNoStyle);
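Review bot: formatLocaleDate() now dereferences its DateInstance* parameter (newly named dateObject) at line 147, where the previous signature ignored it entirely; the call sites are not part of this diff, so confirm every caller passes a non-null DateInstance (the toISOString and toPrimitive hunks below do null-check thisDateObj before calling into helpers). The same applies to the !UCONFIG_NO_FORMATTING variant in the next hunk, which adds the identical dereference at line 180.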
     
    172175#elif !UCONFIG_NO_FORMATTING
    173176
    174 static JSCell* formatLocaleDate(JSGlobalObject* globalObject, CallFrame*, DateInstance*, double timeInMilliseconds, LocaleDateTimeFormat format)
    175 {
    176     VM& vm = globalObject->vm();
     177static JSCell* formatLocaleDate(JSGlobalObject* globalObject, CallFrame*, DateInstance* dateObject, double timeInMilliseconds, LocaleDateTimeFormat format)
     178{
     179    VM& vm = globalObject->vm();
     180    Integrity::auditStructureID(vm, dateObject->structureID());
     181
    177182    UDateFormatStyle timeStyle = (format != LocaleDate ? UDAT_LONG : UDAT_NONE);
    178183    UDateFormatStyle dateStyle = (format != LocaleTime ? UDAT_LONG : UDAT_NONE);
     
    312317{
    313318    VM& vm = globalObject->vm();
     319    Integrity::auditStructureID(vm, dateObject->structureID());
     320
    314321    const GregorianDateTime* gregorianDateTime = dateObject->gregorianDateTime(vm);
    315322    if (!gregorianDateTime)
     
    329336        return throwVMTypeError(globalObject, scope);
    330337
     338    Integrity::auditStructureID(vm, thisDateObj->structureID());
    331339    const GregorianDateTime* gregorianDateTime = asUTCVariant
    332340        ? thisDateObj->gregorianDateTimeUTC(vm)
     
    544552    if (UNLIKELY(!thisDateObj))
    545553        return throwVMTypeError(globalObject, scope);
    546    
     554
     555    Integrity::auditStructureID(vm, thisDateObj->structureID());
    547556    if (!std::isfinite(thisDateObj->internalNumber()))
    548557        return throwVMError(globalObject, scope, createRangeError(globalObject, "Invalid Date"_s));
     
    628637        return throwVMTypeError(globalObject, scope, "Date.prototype[Symbol.toPrimitive] expected |this| to be an object.");
    629638    JSObject* thisObject = jsCast<JSObject*>(thisValue);
     639    Integrity::auditStructureID(vm, thisObject->structureID());
    630640
    631641    if (!callFrame->argumentCount())
  • trunk/Source/JavaScriptCore/runtime/ErrorInstance.cpp

    r257399 r259547  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
    44 *
    55 *  This library is free software; you can redistribute it and/or
     
    2424#include "CodeBlock.h"
    2525#include "InlineCallFrame.h"
     26#include "IntegrityInlines.h"
    2627#include "Interpreter.h"
    2728#include "JSScope.h"
     
    140141    VM& vm = globalObject->vm();
    141142    auto scope = DECLARE_THROW_SCOPE(vm);
     143    Integrity::auditStructureID(vm, structureID());
    142144
    143145    JSValue nameValue;
  • trunk/Source/JavaScriptCore/runtime/ErrorPrototype.cpp

    r254842 r259547  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
    44 *
    55 *  This library is free software; you can redistribute it and/or
     
    2323
    2424#include "Error.h"
     25#include "IntegrityInlines.h"
    2526#include "JSFunction.h"
    2627#include "JSStringInlines.h"
     
    8384        return throwVMTypeError(globalObject, scope);
    8485    JSObject* thisObj = asObject(thisValue);
     86    Integrity::auditStructureID(vm, thisObj->structureID());
    8587
    8688    // Guard against recursion!
  • trunk/Source/JavaScriptCore/runtime/FunctionPrototype.cpp

    r254653 r259547  
    11/*
    22 *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
    44 *
    55 *  This library is free software; you can redistribute it and/or
     
    2626#include "Error.h"
    2727#include "GetterSetter.h"
     28#include "IntegrityInlines.h"
    2829#include "JSAsyncFunction.h"
    2930#include "JSCInlines.h"
     
    8586    if (thisValue.inherits<JSFunction>(vm)) {
    8687        JSFunction* function = jsCast<JSFunction*>(thisValue);
     88        Integrity::auditStructureID(vm, function->structureID());
    8789        if (function->isHostOrBuiltinFunction())
    8890            RELEASE_AND_RETURN(scope, JSValue::encode(jsMakeNontrivialString(globalObject, "function ", function->name(vm), "() {\n    [native code]\n}")));
     
    141143    if (thisValue.inherits<InternalFunction>(vm)) {
    142144        InternalFunction* function = jsCast<InternalFunction*>(thisValue);
     145        Integrity::auditStructureID(vm, function->structureID());
    143146        RELEASE_AND_RETURN(scope, JSValue::encode(jsMakeNontrivialString(globalObject, "function ", function->name(), "() {\n    [native code]\n}")));
    144147    }
     
    146149    if (thisValue.isObject()) {
    147150        JSObject* object = asObject(thisValue);
     151        Integrity::auditStructureID(vm, object->structureID());
    148152        if (object->isFunction(vm))
    149153            RELEASE_AND_RETURN(scope, JSValue::encode(jsMakeNontrivialString(globalObject, "function ", object->classInfo(vm)->className, "() {\n    [native code]\n}")));
  • trunk/Source/JavaScriptCore/runtime/JSCell.cpp

    r258479 r259547  
    22 *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
    33 *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
    4  *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
     4 *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
    55 *
    66 *  This library is free software; you can redistribute it and/or
     
    2626#include "ArrayBufferView.h"
    2727#include "BlockDirectoryInlines.h"
     28#include "IntegrityInlines.h"
    2829#include "IsoSubspaceInlines.h"
    2930#include "JSCInlines.h"
     
    192193JSObject* JSCell::toObjectSlow(JSGlobalObject* globalObject) const
    193194{
     195    Integrity::auditStructureID(globalObject->vm(), structureID());
    194196    ASSERT(!isObject());
    195197    if (isString())
  • trunk/Source/JavaScriptCore/runtime/NumberPrototype.cpp

    r252256 r259547  
    11/*
    22 *  Copyright (C) 1999-2000,2003 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2007-2019 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2007-2020 Apple Inc. All rights reserved.
    44 *
    55 *  This library is free software; you can redistribute it and/or
     
    2525#include "BigInteger.h"
    2626#include "Error.h"
     27#include "IntegrityInlines.h"
    2728#include "IntlNumberFormat.h"
    2829#include "IntlObject.h"
     
    99100
    100101    if (auto* numberObject = jsDynamicCast<NumberObject*>(vm, thisValue)) {
     102        Integrity::auditStructureID(vm, numberObject->structureID());
    101103        x = numberObject->internalValue().asNumber();
    102104        return true;
  • trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp

    r253264 r259547  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2008-2019 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2008-2020 Apple Inc. All rights reserved.
    44 *
    55 *  This library is free software; you can redistribute it and/or
     
    2525#include "GetterSetter.h"
    2626#include "HasOwnPropertyCache.h"
     27#include "IntegrityInlines.h"
    2728#include "JSFunction.h"
    2829#include "JSString.h"
     
    8586    if (UNLIKELY(!valueObj))
    8687        return encodedJSValue();
     88    Integrity::auditStructureID(globalObject->vm(), valueObj->structureID());
    8789    return JSValue::encode(valueObj);
    8890}
     
    322324        return JSValue::encode(jsUndefined());
    323325
     326    Integrity::auditStructureID(vm, thisObject->structureID());
    324327    auto result = thisObject->structure(vm)->objectToStringValue();
    325328    if (result)
  • trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp

    r253865 r259547  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2003-2019 Apple Inc. All Rights Reserved.
     3 *  Copyright (C) 2003-2020 Apple Inc. All Rights Reserved.
    44 *
    55 *  This library is free software; you can redistribute it and/or
     
    2525#include "BuiltinNames.h"
    2626#include "Error.h"
     27#include "IntegrityInlines.h"
    2728#include "JSArray.h"
    2829#include "JSCBuiltins.h"
     
    218219
    219220    JSObject* thisObject = asObject(thisValue);
     221    Integrity::auditStructureID(vm, thisObject->structureID());
    220222
    221223    StringRecursionChecker checker(globalObject, thisObject);
  • trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp

    r259029 r259547  
    11/*
    22 *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2004-2019 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2004-2020 Apple Inc. All rights reserved.
    44 *  Copyright (C) 2009 Torch Mobile, Inc.
    55 *  Copyright (C) 2015 Jordan Harband (ljharb@gmail.com)
     
    3030#include "ExecutableBaseInlines.h"
    3131#include "FrameTracers.h"
     32#include "IntegrityInlines.h"
    3233#include "InterpreterInlines.h"
    3334#include "IntlCollator.h"
     
    980981
    981982    auto* stringObject = jsDynamicCast<StringObject*>(vm, thisValue);
    982     if (stringObject)
    983         return JSValue::encode(stringObject->internalValue());
    984 
    985     return throwVMTypeError(globalObject, scope);
     983    if (!stringObject)
     984        return throwVMTypeError(globalObject, scope);
     985
     986    Integrity::auditStructureID(vm, stringObject->structureID());
     987    return JSValue::encode(stringObject->internalValue());
    986988}
    987989
  • trunk/Source/JavaScriptCore/runtime/StructureIDTable.h

    r259107 r259547  
    11/*
    2  * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2626#pragma once
    2727
     28#include "EnsureStillAliveHere.h"
    2829#include "UnusedPointer.h"
    2930#include <wtf/UniqueArray.h>
     
    9293    void** base() { return reinterpret_cast<void**>(&m_table); }
    9394
    94     bool isValid(StructureID);
     95    ALWAYS_INLINE void validate(StructureID);
     96
    9597    Structure* get(StructureID);
    9698    void deallocateID(Structure*, StructureID);
     
    177179}
    178180
    179 inline bool StructureIDTable::isValid(StructureID structureID)
    180 {
    181     if (!structureID)
    182         return false;
     181ALWAYS_INLINE void StructureIDTable::validate(StructureID structureID)
     182{
    183183    uint32_t structureIndex = structureID >> s_numberOfEntropyBits;
    184     if (structureIndex >= m_capacity)
    185         return false;
    186 #if CPU(ADDRESS64)
    187184    Structure* structure = decode(table()[structureIndex].encodedStructureBits, structureID);
    188     if (reinterpret_cast<uintptr_t>(structure) >> s_entropyBitsShiftForStructurePointer)
    189         return false;
    190 #endif
    191     return true;
     185    RELEASE_ASSERT(structureIndex < m_capacity);
     186    uint64_t value = *bitwise_cast<uint64_t*>(structure);
     187    ensureStillAliveHere(value);
    192188}
    193189
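Review bot: in the new validate() the table is indexed at line 184 (`Structure* structure = decode(table()[structureIndex].encodedStructureBits, structureID);`) before line 185 checks `RELEASE_ASSERT(structureIndex < m_capacity);`, so a structureID whose index is past the end reads beyond the table before the assertion fires; move the RELEASE_ASSERT above the decode() call, as the removed isValid() did with its `structureIndex >= m_capacity` test. Two further differences from isValid() deserve a comment in the code: the `!structureID` and high-pointer-bits checks are gone, replaced by loading `*bitwise_cast<uint64_t*>(structure)` and pinning it with ensureStillAliveHere(), which only catches a Structure pointer that faults on access, not one that happens to point at mapped memory; and ensureStillAliveHere() is now called with a uint64_t, whereas the definition removed from HeapCell.h in this changeset took a const void*, so the new EnsureStillAliveHere.h (not shown in this view) must provide an overload or template that accepts non-pointer values on every supported compiler, or this will not build.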
     
    208204
    209205    void flushOldTables() { }
     206    void validate(StructureID) { }
    210207};
    211208
  • trunk/Source/JavaScriptCore/runtime/SymbolPrototype.cpp

    r253865 r259547  
    11/*
    2  * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2012-2020 Apple Inc. All rights reserved.
    33 * Copyright (C) 2015 Yusuke Suzuki <utatane.tea@gmail.com>.
    44 *
     
    2929
    3030#include "Error.h"
     31#include "IntegrityInlines.h"
    3132#include "JSCInlines.h"
    3233#include "JSString.h"
     
    9899        return throwVMTypeError(globalObject, scope, SymbolDescriptionTypeError);
    99100    scope.release();
     101    Integrity::auditStructureID(vm, symbol->structureID());
    100102    const auto description = symbol->description();
    101103    return JSValue::encode(description.isNull() ? jsUndefined() : jsString(vm, description));
     
    110112    if (!symbol)
    111113        return throwVMTypeError(globalObject, scope, SymbolToStringTypeError);
     114    Integrity::auditStructureID(vm, symbol->structureID());
    112115    RELEASE_AND_RETURN(scope, JSValue::encode(jsNontrivialString(vm, symbol->descriptiveString())));
    113116}
     
    122125        return throwVMTypeError(globalObject, scope, SymbolValueOfTypeError);
    123126
     127    Integrity::auditStructureID(vm, symbol->structureID());
    124128    RELEASE_AND_RETURN(scope, JSValue::encode(symbol));
    125129}
  • trunk/Source/JavaScriptCore/tools/Integrity.h

    r250285 r259547  
    11/*
    2  * Copyright (C) 2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2019-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    3333
    3434class JSCell;
     35class StructureIDTable;
    3536class VM;
    3637
     
    100101}
    101102
     103ALWAYS_INLINE void auditStructureID(StructureIDTable&, StructureID);
     104ALWAYS_INLINE void auditStructureID(VM&, StructureID);
     105
    102106} // namespace Integrity
    103107
  • trunk/Source/JavaScriptCore/tools/IntegrityInlines.h

    r250285 r259547  
    11/*
    2  * Copyright (C) 2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2019-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    7474}
    7575
     76ALWAYS_INLINE void auditStructureID(StructureIDTable& table, StructureID id)
     77{
     78    table.validate(id);
     79}
     80
     81ALWAYS_INLINE void auditStructureID(VM& vm, StructureID id)
     82{
     83    auditStructureID(vm.heap.structureIDTable(), id);
     84}
     85
    7686} // namespace Integrity
    7787} // namespace JSC
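Review bot: the new auditStructureID() bodies need StructureIDTable and VM/Heap to be complete types (`table.validate(id);` at line 78 and `vm.heap.structureIDTable()` at line 83), but this hunk adds no #include to IntegrityInlines.h; if the header does not already include StructureIDTable.h and VM.h (the preceding lines are not shown here), each of the runtime files that now includes IntegrityInlines.h is relying on include order. Also, Integrity.h declares both overloads as ALWAYS_INLINE without a definition, so a caller that includes only Integrity.h will fail to link; a comment next to the declarations pointing at IntegrityInlines.h would save the next person that surprise.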
  • trunk/Source/JavaScriptCore/wasm/js/WebAssemblyGlobalPrototype.cpp

    r253074 r259547  
    11/*
    2  * Copyright (C) 2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2019-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    3131#include "FunctionPrototype.h"
    3232#include "GetterSetter.h"
     33#include "IntegrityInlines.h"
    3334#include "JSCInlines.h"
    3435#include "JSWebAssemblyGlobal.h"
     
    6263        return nullptr;
    6364    }
     65    Integrity::auditStructureID(vm, result->structureID());
    6466    return result;
    6567}