Changeset 263283 in webkit

Timestamp:

Jun 19, 2020 2:00:21 PM (4 years ago)

Author:

mark.lam@apple.com

Message:

Make $vm properties non-configurable, non-enumerable, and non-writable.
​https://bugs.webkit.org/show_bug.cgi?id=213395

Reviewed by Saam Barati and Yusuke Suzuki.

JSTests:

• stress/dollarVM-properties-should-not-be-enumerable.js: Added.

Source/JavaScriptCore:

$vm provides functions for test development and VM debugging. There's no reason
for them to be configurable, enumerable, and writable.

We particularly don't want them to be enumerable as this can trip up some fuzzers.
Fuzzers should not be fuzzing the $vm object which doesn't exist in real world
uses of JavaScriptCore.

• tools/JSDollarVM.cpp:

(JSC::JSDollarVM::finishCreation):
(JSC::JSDollarVM::addFunction):
(JSC::JSDollarVM::addConstructibleFunction):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/dollarVM-properties-should-not-be-enumerable.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/tools/JSDollarVM.cpp (modified) (4 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-06-19  Mark Lam  <mark.lam@apple.com>
+
+        Make $vm properties non-configurable, non-enumerable, and non-writable.
+        https://bugs.webkit.org/show_bug.cgi?id=213395
+
+        Reviewed by Saam Barati and Yusuke Suzuki.
+
+        * stress/dollarVM-properties-should-not-be-enumerable.js: Added.
+
 2020-06-18  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-06-19  Mark Lam  <mark.lam@apple.com>
+
+        Make $vm properties non-configurable, non-enumerable, and non-writable.
+        https://bugs.webkit.org/show_bug.cgi?id=213395
+
+        Reviewed by Saam Barati and Yusuke Suzuki.
+
+        $vm provides functions for test development and VM debugging.  There's no reason
+        for them to be configurable, enumerable, and writable.
+
+        We particularly don't want them to be enumerable as this can trip up some fuzzers.
+        Fuzzers should not be fuzzing the $vm object which doesn't exist in real world
+        uses of JavaScriptCore.
+
+        * tools/JSDollarVM.cpp:
+        (JSC::JSDollarVM::finishCreation):
+        (JSC::JSDollarVM::addFunction):
+        (JSC::JSDollarVM::addConstructibleFunction):
+
 2020-06-19  Tuomas Karkkainen  <tuomas.webkit@apple.com>
 

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -3095 +3095 @@
 }
 
+constexpr unsigned jsDollarVMPropertyAttributes = PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum | PropertyAttribute::DontDelete;
+
 void JSDollarVM::finishCreation(VM& vm)
 {
@@ -3115 +3117 @@
     addFunction(vm, "breakpoint", functionBreakpoint, 0);
 
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "dfgTrue"), 0, functionDFGTrue, DFGTrueIntrinsic, static_cast<unsigned>(PropertyAttribute::DontEnum));
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "ftlTrue"), 0, functionFTLTrue, FTLTrueIntrinsic, static_cast<unsigned>(PropertyAttribute::DontEnum));
-
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuMfence"), 0, functionCpuMfence, CPUMfenceIntrinsic, 0);
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuRdtsc"), 0, functionCpuRdtsc, CPURdtscIntrinsic, 0);
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuCpuid"), 0, functionCpuCpuid, CPUCpuidIntrinsic, 0);
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuPause"), 0, functionCpuPause, CPUPauseIntrinsic, 0);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "dfgTrue"), 0, functionDFGTrue, DFGTrueIntrinsic, jsDollarVMPropertyAttributes);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "ftlTrue"), 0, functionFTLTrue, FTLTrueIntrinsic, jsDollarVMPropertyAttributes);
+
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuMfence"), 0, functionCpuMfence, CPUMfenceIntrinsic, jsDollarVMPropertyAttributes);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuRdtsc"), 0, functionCpuRdtsc, CPURdtscIntrinsic, jsDollarVMPropertyAttributes);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuCpuid"), 0, functionCpuCpuid, CPUCpuidIntrinsic, jsDollarVMPropertyAttributes);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(vm, "cpuPause"), 0, functionCpuPause, CPUPauseIntrinsic, jsDollarVMPropertyAttributes);
     addFunction(vm, "cpuClflush", functionCpuClflush, 2);
 
@@ -3244 +3246 @@
     DollarVMAssertScope assertScope;
     Identifier identifier = Identifier::fromString(vm, name);
-    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function));
+    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function), jsDollarVMPropertyAttributes);
 }
 
@@ -3251 +3253 @@
     DollarVMAssertScope assertScope;
     Identifier identifier = Identifier::fromString(vm, name);
-    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function, NoIntrinsic, function));
+    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function, NoIntrinsic, function), jsDollarVMPropertyAttributes);
 }