Changeset 275212 in webkit

Timestamp:

Mar 30, 2021, 10:21:18 AM (4 years ago)

Author:

mark.lam@apple.com

Message:

Ensure that GlobalPropertyInfo is allocated on the stack.
​https://bugs.webkit.org/show_bug.cgi?id=223911
rdar://75865742

Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

We rely on GlobalPropertyInfo being allocated on the stack to allow its JSValue
value to be scanned by the GC. Unfortunately, an ASAN compilation would choose
to allocate the GlobalPropertyInfo on a side buffer instead of directly on the
stack. This prevents the GC from doing the needed scan.

We'll fix this by suppressing ASAN on the functions that allocated GlobalPropertyInfo
arrays. Also added an ASSERT in the GlobalPropertyInfo constructor to assert that
it is allocated on the stack.

• Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:

(BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::initStaticGlobals):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::exposeDollarVM):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo):

Source/WebCore:

• bindings/js/JSDOMGlobalObject.cpp:

(WebCore::JSDOMGlobalObject::addBuiltinGlobals):

• bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::finishCreation):
(WebCore::JSDOMWindowBase::initStaticGlobals):

• bindings/js/JSDOMWindowBase.h:

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py (modified) (1 diff)
• JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/JSGlobalObject.h (modified) (2 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSDOMGlobalObject.cpp (modified) (1 diff)
• WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSDOMWindowBase.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog ¶

@@ +1 @@
+2021-03-30  Mark Lam  <mark.lam@apple.com>
+
+        Ensure that GlobalPropertyInfo is allocated on the stack.
+        https://bugs.webkit.org/show_bug.cgi?id=223911
+        rdar://75865742
+
+        Reviewed by Yusuke Suzuki.
+
+        We rely on GlobalPropertyInfo being allocated on the stack to allow its JSValue
+        value to be scanned by the GC.  Unfortunately, an ASAN compilation would choose
+        to allocate the GlobalPropertyInfo on a side buffer instead of directly on the
+        stack.  This prevents the GC from doing the needed scan.
+
+        We'll fix this by suppressing ASAN on the functions that allocated GlobalPropertyInfo
+        arrays.  Also added an ASSERT in the GlobalPropertyInfo constructor to assert that
+        it is allocated on the stack.
+
+        * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
+        (BuiltinsInternalsWrapperImplementationGenerator.generate_initialize_method):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::initStaticGlobals):
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::exposeDollarVM):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo):
+
 2021-03-29  Xan López  <xan@igalia.com>
 

trunk/Source/JavaScriptCore/Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py ¶

@@ -144 +144 @@
 
     def generate_initialize_method(self):
-        lines = ["void JSBuiltinInternalFunctions::initialize(JSDOMGlobalObject& globalObject)",
+        lines = ["SUPPRESS_ASAN void JSBuiltinInternalFunctions::initialize(JSDOMGlobalObject& globalObject)",
                 "{",
                 "    UNUSED_PARAM(globalObject);"]

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp ¶

@@ -581 +581 @@
 }
 
+SUPPRESS_ASAN inline void JSGlobalObject::initStaticGlobals(VM& vm)
+{
+    GlobalPropertyInfo staticGlobals[] = {
+        GlobalPropertyInfo(vm.propertyNames->NaN, jsNaN(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+        GlobalPropertyInfo(vm.propertyNames->Infinity, jsNumber(std::numeric_limits<double>::infinity()), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+        GlobalPropertyInfo(vm.propertyNames->undefinedKeyword, jsUndefined(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+#if ASSERT_ENABLED
+        GlobalPropertyInfo(vm.propertyNames->builtinNames().assertPrivateName(), JSFunction::create(vm, this, 1, String(), assertCall), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+#endif
+    };
+    addStaticGlobals(staticGlobals, WTF_ARRAY_LENGTH(staticGlobals));
+}
+
 void JSGlobalObject::init(VM& vm)
 {
@@ -1358 +1371 @@
     }
 
-    GlobalPropertyInfo staticGlobals[] = {
-        GlobalPropertyInfo(vm.propertyNames->NaN, jsNaN(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
-        GlobalPropertyInfo(vm.propertyNames->Infinity, jsNumber(std::numeric_limits<double>::infinity()), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
-        GlobalPropertyInfo(vm.propertyNames->undefinedKeyword, jsUndefined(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
-#if ASSERT_ENABLED
-        GlobalPropertyInfo(vm.propertyNames->builtinNames().assertPrivateName(), JSFunction::create(vm, this, 1, String(), assertCall), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
-#endif
-    };
-    addStaticGlobals(staticGlobals, WTF_ARRAY_LENGTH(staticGlobals));
+    initStaticGlobals(vm);
     
     if (UNLIKELY(Options::useDollarVM()))
@@ -2109 +2114 @@
 }
 
-void JSGlobalObject::exposeDollarVM(VM& vm)
+SUPPRESS_ASAN void JSGlobalObject::exposeDollarVM(VM& vm)
 {
     RELEASE_ASSERT(g_jscConfig.restrictedOptionsEnabled && Options::useDollarVM());

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h ¶

@@ -1117 +1117 @@
             , attributes(a)
         {
+            ASSERT(Thread::current().stack().contains(this));
         }
 
@@ -1139 +1140 @@
 
     JS_EXPORT_PRIVATE void init(VM&);
+    void initStaticGlobals(VM&);
     void fixupPrototypeChainWithObjectPrototype(VM&);
 

trunk/Source/WebCore/ChangeLog ¶

@@ +1 @@
+2021-03-30  Mark Lam  <mark.lam@apple.com>
+
+        Ensure that GlobalPropertyInfo is allocated on the stack.
+        https://bugs.webkit.org/show_bug.cgi?id=223911
+        rdar://75865742
+
+        Reviewed by Yusuke Suzuki.
+
+        * bindings/js/JSDOMGlobalObject.cpp:
+        (WebCore::JSDOMGlobalObject::addBuiltinGlobals):
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::JSDOMWindowBase::finishCreation):
+        (WebCore::JSDOMWindowBase::initStaticGlobals):
+        * bindings/js/JSDOMWindowBase.h:
+
 2021-03-30  Sam Weinig  <weinig@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp ¶

@@ -174 +174 @@
 }
 
-void JSDOMGlobalObject::addBuiltinGlobals(VM& vm)
+SUPPRESS_ASAN void JSDOMGlobalObject::addBuiltinGlobals(VM& vm)
 {
     m_builtinInternalFunctions.initialize(*this);

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp ¶

@@ -2 +2 @@
  *  Copyright (C) 2000 Harri Porten (porten@kde.org)
  *  Copyright (C) 2006 Jon Shier (jshier@iastate.edu)
- *  Copyright (C) 2003-2020 Apple Inc. All rights reseved.
+ *  Copyright (C) 2003-2021 Apple Inc. All rights reseved.
  *  Copyright (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  *  Copyright (c) 2015 Canon Inc. All rights reserved.
@@ -101 +101 @@
 }
 
-void JSDOMWindowBase::finishCreation(VM& vm, JSWindowProxy* proxy)
-{
-    Base::finishCreation(vm, proxy);
-    ASSERT(inherits(vm, info()));
-
+SUPPRESS_ASAN inline void JSDOMWindowBase::initStaticGlobals(JSC::VM& vm)
+{
     auto& builtinNames = static_cast<JSVMClientData*>(vm.clientData)->builtinNames();
 
@@ -114 +111 @@
 
     addStaticGlobals(staticGlobals, WTF_ARRAY_LENGTH(staticGlobals));
+}
+
+void JSDOMWindowBase::finishCreation(VM& vm, JSWindowProxy* proxy)
+{
+    Base::finishCreation(vm, proxy);
+    ASSERT(inherits(vm, info()));
+
+    initStaticGlobals(vm);
 
     if (m_wrapped && m_wrapped->frame() && m_wrapped->frame()->settings().needsSiteSpecificQuirks())

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h ¶

@@ -1 +1 @@
 /*
  *  Copyright (C) 2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003-2017 Apple Inc. All rights reseved.
+ *  Copyright (C) 2003-2021 Apple Inc. All rights reseved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -94 +94 @@
     JSDOMWindowBase(JSC::VM&, JSC::Structure*, RefPtr<DOMWindow>&&, JSWindowProxy*);
     void finishCreation(JSC::VM&, JSWindowProxy*);
+    void initStaticGlobals(JSC::VM&);
 
     RefPtr<JSC::WatchpointSet> m_windowCloseWatchpoints;