Changeset 148257 in webkit

Timestamp:

Apr 11, 2013 6:43:23 PM (11 years ago)

Author:

oliver@apple.com

Message:

Add more type validation to debug builds
​https://bugs.webkit.org/show_bug.cgi?id=114478

Reviewed by Mark Hahnenberg.

Source/WebCore:

Add a bunch more type checks to the JS DOM bindings.

• Modules/mediastream/MediaStream.idl:
• Modules/webaudio/AudioDestinationNode.idl:
• WebCore.xcodeproj/project.pbxproj:
• bindings/js/JSDOMBinding.h:

(WebCore::getExistingWrapper):
(WebCore):
(WebCore::createNewWrapper):

• bindings/scripts/CodeGeneratorJS.pm:

(GetNativeTypeForConversions):
(GetGnuVTableRefForInterface):
(GetGnuVTableNameForInterface):
(GetGnuMangledNameForInterface):
(GetGnuVTableOffsetForType):
(GetWinVTableRefForInterface):
(GetWinVTableNameForInterface):
(GetWinMangledNameForInterface):
(GetNamespaceForInterface):
(GetImplementationLacksVTableForInterface):
(GetSkipVTableValidationForInterface):
(GenerateImplementation):

• bindings/scripts/IDLAttributes.txt:
• css/CSSRuleList.idl:
• css/CSSStyleDeclaration.idl:
• dom/Clipboard.idl:
• dom/DOMStringMap.idl:
• dom/MutationRecord.idl:
• dom/NodeList.idl:
• html/DOMTokenList.idl:
• html/track/TextTrack.idl:
• inspector/ScriptProfileNode.idl:
• storage/Storage.idl:
• xml/XPathNSResolver.idl:

Source/WTF:

Add BINDING_VALIDATION flag and make RELEASE_ASSERT use UNLIKELY.

• wtf/Assertions.h:
• wtf/Platform.h:

Location:

trunk/Source

Files:

• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/Assertions.h (modified) (1 diff)
• WTF/wtf/Platform.h (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/Modules/mediastream/MediaStream.idl (modified) (1 diff)
• WebCore/Modules/webaudio/AudioDestinationNode.idl (modified) (1 diff)
• WebCore/WebCore.xcodeproj/project.pbxproj (modified) (2 diffs)
• WebCore/bindings/js/JSDOMBinding.h (modified) (1 diff)
• WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (4 diffs)
• WebCore/bindings/scripts/IDLAttributes.txt (modified) (2 diffs)
• WebCore/css/CSSRuleList.idl (modified) (1 diff)
• WebCore/css/CSSStyleDeclaration.idl (modified) (1 diff)
• WebCore/dom/Clipboard.idl (modified) (1 diff)
• WebCore/dom/DOMStringMap.idl (modified) (1 diff)
• WebCore/dom/MutationRecord.idl (modified) (1 diff)
• WebCore/dom/NodeList.idl (modified) (1 diff)
• WebCore/html/DOMTokenList.idl (modified) (1 diff)
• WebCore/html/track/TextTrack.idl (modified) (1 diff)
• WebCore/inspector/ScriptProfileNode.idl (modified) (1 diff)
• WebCore/storage/Storage.idl (modified) (1 diff)
• WebCore/xml/XPathNSResolver.idl (modified) (1 diff)

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2013-04-11  Oliver Hunt  <oliver@apple.com>
+
+        Add more type validation to debug builds
+        https://bugs.webkit.org/show_bug.cgi?id=114478
+
+        Reviewed by Mark Hahnenberg.
+
+        Add BINDING_VALIDATION flag and make RELEASE_ASSERT use UNLIKELY.
+
+        * wtf/Assertions.h:
+        * wtf/Platform.h:
+
 2013-04-10  Thiago Marcos P. Santos  <thiago.santos@intel.com>
 

trunk/Source/WTF/wtf/Assertions.h

@@ -417 +417 @@
 
 #if ASSERT_DISABLED
-#define RELEASE_ASSERT(assertion) (!(assertion) ? (CRASH()) : (void)0)
+#define RELEASE_ASSERT(assertion) (UNLIKELY(!(assertion)) ? (CRASH()) : (void)0)
 #define RELEASE_ASSERT_WITH_MESSAGE(assertion, ...) RELEASE_ASSERT(assertion)
 #define RELEASE_ASSERT_NOT_REACHED() CRASH()

trunk/Source/WTF/wtf/Platform.h

@@ -966 +966 @@
 #endif
 
+#if !defined(ENABLE_BINDING_INTEGRITY)
+#define ENABLE_BINDING_INTEGRITY 1
+#endif
+
 #if PLATFORM(MAC) && !PLATFORM(IOS) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
 #define WTF_USE_AVFOUNDATION 1

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-04-11  Oliver Hunt  <oliver@apple.com>
+
+        Add more type validation to debug builds
+        https://bugs.webkit.org/show_bug.cgi?id=114478
+
+        Reviewed by Mark Hahnenberg.
+
+        Add a bunch more type checks to the JS DOM bindings.
+
+        * Modules/mediastream/MediaStream.idl:
+        * Modules/webaudio/AudioDestinationNode.idl:
+        * WebCore.xcodeproj/project.pbxproj:
+        * bindings/js/JSDOMBinding.h:
+        (WebCore::getExistingWrapper):
+        (WebCore):
+        (WebCore::createNewWrapper):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GetNativeTypeForConversions):
+        (GetGnuVTableRefForInterface):
+        (GetGnuVTableNameForInterface):
+        (GetGnuMangledNameForInterface):
+        (GetGnuVTableOffsetForType):
+        (GetWinVTableRefForInterface):
+        (GetWinVTableNameForInterface):
+        (GetWinMangledNameForInterface):
+        (GetNamespaceForInterface):
+        (GetImplementationLacksVTableForInterface):
+        (GetSkipVTableValidationForInterface):
+        (GenerateImplementation):
+        * bindings/scripts/IDLAttributes.txt:
+        * css/CSSRuleList.idl:
+        * css/CSSStyleDeclaration.idl:
+        * dom/Clipboard.idl:
+        * dom/DOMStringMap.idl:
+        * dom/MutationRecord.idl:
+        * dom/NodeList.idl:
+        * html/DOMTokenList.idl:
+        * html/track/TextTrack.idl:
+        * inspector/ScriptProfileNode.idl:
+        * storage/Storage.idl:
+        * xml/XPathNSResolver.idl:
+
 2013-04-11  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/Source/WebCore/Modules/mediastream/MediaStream.idl

@@ -31 +31 @@
     ConstructorParameters=0,
     CallWith=ScriptExecutionContext,
-    V8SkipVTableValidation
+    SkipVTableValidation
 ] interface MediaStream {
     // DEPRECATED

trunk/Source/WebCore/Modules/webaudio/AudioDestinationNode.idl

@@ -26 +26 @@
     Conditional=WEB_AUDIO,
     JSGenerateToJSObject,
-    V8SkipVTableValidation
+    SkipVTableValidation
 ] interface AudioDestinationNode : AudioNode {
     readonly attribute unsigned long maxChannelCount;

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -9985 +9985 @@
                 A7DBF8DB1276919C006B6008 /* TextCheckingHelper.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TextCheckingHelper.cpp; sourceTree = "<group>"; };
                 A7DBF8DC1276919C006B6008 /* TextCheckingHelper.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TextCheckingHelper.h; sourceTree = "<group>"; };
+                A7F1F4BA17148BDB00CD4852 /* DOMWindowQuota.idl */ = {isa = PBXFileReference; lastKnownFileType = text; name = DOMWindowQuota.idl; path = Modules/quota/DOMWindowQuota.idl; sourceTree = SOURCE_ROOT; };
+                A7F1F4BB17148BDB00CD4852 /* NavigatorStorageQuota.idl */ = {isa = PBXFileReference; lastKnownFileType = text; name = NavigatorStorageQuota.idl; path = Modules/quota/NavigatorStorageQuota.idl; sourceTree = SOURCE_ROOT; };
+                A7F1F4BC17148BDB00CD4852 /* StorageErrorCallback.idl */ = {isa = PBXFileReference; lastKnownFileType = text; name = StorageErrorCallback.idl; path = Modules/quota/StorageErrorCallback.idl; sourceTree = SOURCE_ROOT; };
+                A7F1F4BD17148BDB00CD4852 /* StorageInfo.idl */ = {isa = PBXFileReference; lastKnownFileType = text; name = StorageInfo.idl; path = Modules/quota/StorageInfo.idl; sourceTree = SOURCE_ROOT; };
+                A7F1F4BE17148BDB00CD4852 /* StorageQuota.idl */ = {isa = PBXFileReference; lastKnownFileType = text; name = StorageQuota.idl; path = Modules/quota/StorageQuota.idl; sourceTree = SOURCE_ROOT; };
+                A7F1F4BF17148BDB00CD4852 /* StorageQuotaCallback.idl */ = {isa = PBXFileReference; lastKnownFileType = text; name = StorageQuotaCallback.idl; path = Modules/quota/StorageQuotaCallback.idl; sourceTree = SOURCE_ROOT; };
+                A7F1F4C017148BDB00CD4852 /* StorageUsageCallback.idl */ = {isa = PBXFileReference; lastKnownFileType = text; name = StorageUsageCallback.idl; path = Modules/quota/StorageUsageCallback.idl; sourceTree = SOURCE_ROOT; };
+                A7F1F4C117148BDB00CD4852 /* WorkerNavigatorStorageQuota.idl */ = {isa = PBXFileReference; lastKnownFileType = text; name = WorkerNavigatorStorageQuota.idl; path = Modules/quota/WorkerNavigatorStorageQuota.idl; sourceTree = SOURCE_ROOT; };
                 A7F5D94D1384F02D00A29A87 /* NodeRenderingContext.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NodeRenderingContext.cpp; sourceTree = "<group>"; };
                 A7F5D94E1384F02D00A29A87 /* NodeRenderingContext.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NodeRenderingContext.h; sourceTree = "<group>"; };
@@ -15471 +15479 @@
                         isa = PBXGroup;
                         children = (
+                                A7F1F4BA17148BDB00CD4852 /* DOMWindowQuota.idl */,
+                                A7F1F4BB17148BDB00CD4852 /* NavigatorStorageQuota.idl */,
+                                A7F1F4BC17148BDB00CD4852 /* StorageErrorCallback.idl */,
+                                A7F1F4BD17148BDB00CD4852 /* StorageInfo.idl */,
+                                A7F1F4BE17148BDB00CD4852 /* StorageQuota.idl */,
+                                A7F1F4BF17148BDB00CD4852 /* StorageQuotaCallback.idl */,
+                                A7F1F4C017148BDB00CD4852 /* StorageUsageCallback.idl */,
+                                A7F1F4C117148BDB00CD4852 /* WorkerNavigatorStorageQuota.idl */,
                                 892ABE5F16EEE2E5009F3587 /* JSDOMWindowQuota.h */,
                                 892ABE5C16EEE2AA009F3587 /* JSNavigatorStorageQuota.cpp */,

trunk/Source/WebCore/bindings/js/JSDOMBinding.h

@@ -201 +201 @@
     }
 
+    template<class WrapperClass, class DOMClass> inline JSC::JSValue getExistingWrapper(JSC::ExecState* exec, DOMClass* domObject)
+    {
+        ASSERT(domObject);
+        return getCachedWrapper(currentWorld(exec), domObject);
+    }
+
+    template<class WrapperClass, class DOMClass> inline JSC::JSValue createNewWrapper(JSC::ExecState* exec, JSDOMGlobalObject* globalObject, DOMClass* domObject)
+    {
+        ASSERT(domObject);
+        ASSERT(!getCachedWrapper(currentWorld(exec), domObject));
+        return createWrapper<WrapperClass>(exec, globalObject, domObject);
+    }
+
     inline JSC::JSValue argumentOrNull(JSC::ExecState* exec, unsigned index)
     {

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -10 +10 @@
 # Copyright (C) 2011 Patrick Gansterer <paroga@webkit.org>
 # Copyright (C) 2012 Ericsson AB. All rights reserved.
+# Copyright (C) 2007, 2008, 2009, 2012 Google Inc.
 #
 # This library is free software; you can redistribute it and/or
@@ -1396 +1397 @@
 }
 
+sub GetNativeTypeForConversions
+{
+    my $interface = shift;
+    my $interfaceName = $interface->name;
+    $interfaceName = $codeGenerator->GetSVGTypeNeedingTearOff($interfaceName) if $codeGenerator->IsSVGTypeNeedingTearOff($interfaceName);
+    return $interfaceName;
+}
+
+# See http://refspecs.linux-foundation.org/cxxabi-1.83.html.
+sub GetGnuVTableRefForInterface
+{
+    my $interface = shift;
+    my $vtableName = GetGnuVTableNameForInterface($interface);
+    if (!$vtableName) {
+        return "0";
+    }
+    my $typename = GetNativeTypeForConversions($interface);
+    my $offset = GetGnuVTableOffsetForType($typename);
+    return "&" . $vtableName . "[" . $offset . "]";
+}
+
+sub GetGnuVTableNameForInterface
+{
+    my $interface = shift;
+    my $typename = GetNativeTypeForConversions($interface);
+    my $templatePosition = index($typename, "<");
+    return "" if $templatePosition != -1;
+    return "" if GetImplementationLacksVTableForInterface($interface);
+    return "" if GetSkipVTableValidationForInterface($interface);
+    return "_ZTV" . GetGnuMangledNameForInterface($interface);
+}
+
+sub GetGnuMangledNameForInterface
+{
+    my $interface = shift;
+    my $typename = GetNativeTypeForConversions($interface);
+    my $templatePosition = index($typename, "<");
+    if ($templatePosition != -1) {
+        return "";
+    }
+    my $mangledType = length($typename) . $typename;
+    my $namespace = GetNamespaceForInterface($interface);
+    my $mangledNamespace =  "N" . length($namespace) . $namespace;
+    return $mangledNamespace . $mangledType . "E";
+}
+
+sub GetGnuVTableOffsetForType
+{
+    my $typename = shift;
+    if ($typename eq "SVGAElement"
+        || $typename eq "SVGCircleElement"
+        || $typename eq "SVGClipPathElement"
+        || $typename eq "SVGDefsElement"
+        || $typename eq "SVGEllipseElement"
+        || $typename eq "SVGForeignObjectElement"
+        || $typename eq "SVGGElement"
+        || $typename eq "SVGImageElement"
+        || $typename eq "SVGLineElement"
+        || $typename eq "SVGPathElement"
+        || $typename eq "SVGPolyElement"
+        || $typename eq "SVGPolygonElement"
+        || $typename eq "SVGPolylineElement"
+        || $typename eq "SVGRectElement"
+        || $typename eq "SVGSVGElement"
+        || $typename eq "SVGStyledLocatableElement"
+        || $typename eq "SVGStyledTransformableElement"
+        || $typename eq "SVGSwitchElement"
+        || $typename eq "SVGTextElement"
+        || $typename eq "SVGTransformable"
+        || $typename eq "SVGUseElement") {
+        return "3";
+    }
+    return "2";
+}
+
+# See http://en.wikipedia.org/wiki/Microsoft_Visual_C%2B%2B_Name_Mangling.
+sub GetWinVTableRefForInterface
+{
+    my $interface = shift;
+    my $vtableName = GetWinVTableNameForInterface($interface);
+    return 0 if !$vtableName;
+    return "__identifier(\"" . $vtableName . "\")";
+}
+
+sub GetWinVTableNameForInterface
+{
+    my $interface = shift;
+    my $typename = GetNativeTypeForConversions($interface);
+    my $templatePosition = index($typename, "<");
+    return "" if $templatePosition != -1;
+    return "" if GetImplementationLacksVTableForInterface($interface);
+    return "" if GetSkipVTableValidationForInterface($interface);
+    return "??_7" . GetWinMangledNameForInterface($interface) . "6B@";
+}
+
+sub GetWinMangledNameForInterface
+{
+    my $interface = shift;
+    my $typename = GetNativeTypeForConversions($interface);
+    my $namespace = GetNamespaceForInterface($interface);
+    return $typename . "@" . $namespace . "@@";
+}
+
+sub GetNamespaceForInterface
+{
+    my $interface = shift;
+    return $interface->extendedAttributes->{"ImplementationNamespace"} || "WebCore";
+}
+
+sub GetImplementationLacksVTableForInterface
+{
+    my $interface = shift;
+    return $interface->extendedAttributes->{"ImplementationLacksVTable"};
+}
+
+sub GetSkipVTableValidationForInterface
+{
+    my $interface = shift;
+    return $interface->extendedAttributes->{"SkipVTableValidation"};
+}
+
+
 sub GenerateImplementation
 {
@@ -1923 +2046 @@
 
                         unshift(@arguments, @callWithArgs);
-
                         my $jsType = NativeToJSValue($attribute->signature, 0, $interfaceName, "${functionName}(" . join(", ", @arguments) . ")", "castedThis");
                         push(@implContent, "    $interfaceName* impl = static_cast<$interfaceName*>(castedThis->impl());\n") if !$attribute->isStatic;
@@ -2579 +2701 @@
 
     if (ShouldGenerateToJSImplementation($hasParent, $interface)) {
+        my $vtableNameGnu = GetGnuVTableNameForInterface($interface);
+        my $vtableRefGnu = GetGnuVTableRefForInterface($interface);
+        my $vtableRefWin = GetWinVTableRefForInterface($interface);
+
+        push(@implContent, <<END) if $vtableNameGnu;
+#if ENABLE(BINDING_INTEGRITY)
+#if defined(OS_WIN)
+#pragma warning(disable: 4483)
+extern "C" { extern void (*const ${vtableRefWin}[])(); }
+#else
+extern "C" { extern void* ${vtableNameGnu}[]; }
+#endif
+#endif
+END
         push(@implContent, "JSC::JSValue toJS(JSC::ExecState* exec, JSDOMGlobalObject* globalObject, $implType* impl)\n");
         push(@implContent, "{\n");
+        push(@implContent, <<END);
+    if (!impl)
+        return jsNull();
+END
+
         if ($svgPropertyType) {
-            push(@implContent, "    return wrap<$className, $implType>(exec, globalObject, impl);\n");
+            push(@implContent, "    if (JSValue result = getExistingWrapper<$className, $implType>(exec, impl)) return result;\n");
         } else {
-            push(@implContent, "    return wrap<$className>(exec, globalObject, impl);\n");
-        }
+            push(@implContent, "    if (JSValue result = getExistingWrapper<$className>(exec, impl)) return result;\n");
+        }
+        push(@implContent, <<END) if $vtableNameGnu;
+
+#if ENABLE(BINDING_INTEGRITY)
+    void* actualVTablePointer = *(reinterpret_cast<void**>(impl));
+#if defined(OS_WIN)
+    void* expectedVTablePointer = reinterpret_cast<void*>(${vtableRefWin});
+#else
+    void* expectedVTablePointer = ${vtableRefGnu};
+#if COMPILER(CLANG)
+    COMPILE_ASSERT(__is_polymorphic($implType), ${implType}_is_not_polymorphic);
+#endif
+#endif
+    RELEASE_ASSERT(actualVTablePointer == expectedVTablePointer);
+#endif
+END
+        push(@implContent, <<END) if $interface->extendedAttributes->{"ImplementationLacksVTable"} && $vtableNameGnu;
+#if COMPILER(CLANG)
+        COMPILE_ASSERT(!__is_polymorphic($implType), ${implType}_is_polymorphic_but_idl_claims_not_to_be);
+#endif
+END
+
+        if ($svgPropertyType) {
+            push(@implContent, "    return createNewWrapper<$className, $implType>(exec, globalObject, impl);\n");
+        } else {
+            push(@implContent, "    return createNewWrapper<$className>(exec, globalObject, impl);\n");
+        }
+
         push(@implContent, "}\n\n");
     }

trunk/Source/WebCore/bindings/scripts/IDLAttributes.txt

@@ -105 +105 @@
 ReplaceableConstructor
 ReturnNewObject
+SkipVTableValidation
 StrictTypeChecking
 Supplemental=*
@@ -131 +132 @@
 V8PerWorldBindings
 V8ReadOnly
-V8SkipVTableValidation
 V8Unforgeable
 V8WrapAsFunction

trunk/Source/WebCore/css/CSSRuleList.idl

@@ -28 +28 @@
     JSCustomIsReachable,
     IndexedGetter,
+    SkipVTableValidation
 ] interface CSSRuleList {
     readonly attribute unsigned long    length;

trunk/Source/WebCore/css/CSSStyleDeclaration.idl

@@ -28 +28 @@
     IndexedGetter,
     CustomEnumerateProperty,
+    SkipVTableValidation
 ] interface CSSStyleDeclaration {
              [TreatReturnedNullStringAs=Null, TreatNullAs=NullString] attribute DOMString        cssText

trunk/Source/WebCore/dom/Clipboard.idl

@@ -26 +26 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-
-interface Clipboard {
+[
+    SkipVTableValidation
+] interface Clipboard {
              [TreatReturnedNullStringAs=Undefined] attribute DOMString dropEffect;
              [TreatReturnedNullStringAs=Undefined] attribute DOMString effectAllowed;

trunk/Source/WebCore/dom/DOMStringMap.idl

@@ -30 +30 @@
     CustomEnumerateProperty,
     CustomNamedSetter,
+    SkipVTableValidation
 ] interface DOMStringMap {
 };

trunk/Source/WebCore/dom/MutationRecord.idl

@@ -29 +29 @@
  */
 
-interface MutationRecord {
+[    
+    SkipVTableValidation
+] interface MutationRecord {
     readonly attribute DOMString type;
     readonly attribute Node target;

trunk/Source/WebCore/dom/NodeList.idl

@@ -23 +23 @@
     IndexedGetter,
     NamedGetter,
+    SkipVTableValidation
 ] interface NodeList {
 

trunk/Source/WebCore/html/DOMTokenList.idl

@@ -26 +26 @@
     GenerateIsReachable=ImplElementRoot,
     IndexedGetter,
+    SkipVTableValidation
 ] interface DOMTokenList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/html/track/TextTrack.idl

@@ -29 +29 @@
     JSCustomMarkFunction,
     JSCustomIsReachable,
+    SkipVTableValidation
 ] interface TextTrack {
     readonly attribute DOMString kind;

trunk/Source/WebCore/inspector/ScriptProfileNode.idl

@@ -27 +27 @@
 [
     Conditional=JAVASCRIPT_DEBUGGER,
-    OmitConstructor
+    OmitConstructor,
+    ImplementationLacksVTable
 ] interface ScriptProfileNode {
     readonly attribute DOMString functionName;

trunk/Source/WebCore/storage/Storage.idl

@@ -31 +31 @@
     V8CustomIndexedGetter,
     CustomNamedSetter,
+    SkipVTableValidation
 ] interface Storage {
     [NotEnumerable] readonly attribute unsigned long length getter raises(DOMException);

trunk/Source/WebCore/xml/XPathNSResolver.idl

@@ -22 +22 @@
     ObjCProtocol,
     OmitConstructor,
-    V8SkipVTableValidation
+    SkipVTableValidation
 ] interface XPathNSResolver {
     [TreatReturnedNullStringAs=Null] DOMString lookupNamespaceURI(in [Optional=DefaultIsUndefined] DOMString prefix);