Changeset 217052 in webkit

Timestamp:

May 18, 2017 11:22:19 AM (7 years ago)

Author:

keith_miller@apple.com

Message:

WebAssembly API: test with neutered inputs
​https://bugs.webkit.org/show_bug.cgi?id=163899

Reviewed by JF Bastien.

JSTests:

• wasm/js-api/neutered-inputs.js: Added.

(const.testFunction):
(const.testConstructor):

• wasm/js-api/test_basic_api.js:

(const.c.in.constructorProperties.switch):

Source/JavaScriptCore:

Add tests to check that we properly throw a type error when
we get a transferred ArrayBuffer. Also, we should make sure
we cannot post message a wasm memory's ArrayBuffer.

• API/JSTypedArray.cpp:

(JSObjectGetArrayBufferBytesPtr):

• runtime/ArrayBuffer.cpp:

(JSC::ArrayBuffer::makeShared):
(JSC::ArrayBuffer::makeWasmMemory):
(JSC::ArrayBuffer::transferTo):
(JSC::ArrayBuffer::neuter):
(JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
(JSC::errorMesasgeForTransfer):

• runtime/ArrayBuffer.h:

(JSC::ArrayBuffer::isLocked):
(JSC::ArrayBuffer::isWasmMemory):

• wasm/js/JSWebAssemblyMemory.cpp:

(JSC::JSWebAssemblyMemory::buffer):
(JSC::JSWebAssemblyMemory::grow):

Source/WebCore:

Make it not possible to transfer an ArrayBuffer that is backed by a
wasm memory.

Test: workers/wasm-mem-post-message.html

• bindings/js/SerializedScriptValue.cpp:

(WebCore::SerializedScriptValue::create):

LayoutTests:

This patch dups Saam's de-modularized builder.

• workers/sab/postMessage-transfer-type-error-expected.txt:
• workers/wasm-mem-post-message-expected.txt: Added.
• workers/wasm-mem-post-message.html: Added.
• workers/wasm-mem-post-message/test.js: Added.

(worker.onmessage):

• workers/wasm-mem-post-message/worker.js: Added.

(onmessage):

• workers/wasm-resources/builder.js: Added.

(const._fail):
(const.isNotA.assert.isNotA):
(const):
(switch.typeof):
(Builder):
(Builder.prototype.setChecked):
(Builder.prototype.setPreamble):
(Builder.prototype._functionIndexSpaceKeyHash):
(Builder.prototype._registerFunctionToIndexSpace):
(Builder.prototype._getFunctionFromIndexSpace):
(Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
(Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.const.codeBuilder.End.switch.case.string_appeared_here.e):
(Builder.prototype._registerSectionBuilders.this.Unknown):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm/js-api/neutered-inputs.js (added)
• JSTests/wasm/js-api/test_basic_api.js (modified) (1 diff)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/workers/sab/postMessage-transfer-type-error-expected.txt (modified) (1 diff)
• LayoutTests/workers/wasm-mem-post-message (added)
• LayoutTests/workers/wasm-mem-post-message-expected.txt (added)
• LayoutTests/workers/wasm-mem-post-message.html (added)
• LayoutTests/workers/wasm-mem-post-message/test.js (added)
• LayoutTests/workers/wasm-mem-post-message/worker.js (added)
• LayoutTests/workers/wasm-resources/builder.js (added)
• Source/JavaScriptCore/API/JSTypedArray.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/ArrayBuffer.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/ArrayBuffer.h (modified) (5 diffs)
• Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.cpp (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/SerializedScriptValue.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-05-18  Keith Miller  <keith_miller@apple.com>
+
+        WebAssembly API: test with neutered inputs
+        https://bugs.webkit.org/show_bug.cgi?id=163899
+
+        Reviewed by JF Bastien.
+
+        * wasm/js-api/neutered-inputs.js: Added.
+        (const.testFunction):
+        (const.testConstructor):
+        * wasm/js-api/test_basic_api.js:
+        (const.c.in.constructorProperties.switch):
+
 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
 

trunk/JSTests/wasm/js-api/test_basic_api.js

@@ -62 +62 @@
             assert.throws(() => new WebAssembly[c](buffer), Error, `WebAssembly.Module doesn't parse at byte 0 / 0: expected a module of at least 8 bytes (evaluating 'new WebAssembly[c](buffer)')`);
         assert.instanceof(new WebAssembly[c](emptyModuleArray), WebAssembly.Module);
-        // FIXME test neutered TypedArray and TypedArrayView. https://bugs.webkit.org/show_bug.cgi?id=163899
         break;
     case "Instance":

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-05-18  Keith Miller  <keith_miller@apple.com>
+
+        WebAssembly API: test with neutered inputs
+        https://bugs.webkit.org/show_bug.cgi?id=163899
+
+        Reviewed by JF Bastien.
+
+        This patch dups Saam's de-modularized builder.
+
+        * workers/sab/postMessage-transfer-type-error-expected.txt:
+        * workers/wasm-mem-post-message-expected.txt: Added.
+        * workers/wasm-mem-post-message.html: Added.
+        * workers/wasm-mem-post-message/test.js: Added.
+        (worker.onmessage):
+        * workers/wasm-mem-post-message/worker.js: Added.
+        (onmessage):
+        * workers/wasm-resources/builder.js: Added.
+        (const._fail):
+        (const.isNotA.assert.isNotA):
+        (const):
+        (switch.typeof):
+        (Builder):
+        (Builder.prototype.setChecked):
+        (Builder.prototype.setPreamble):
+        (Builder.prototype._functionIndexSpaceKeyHash):
+        (Builder.prototype._registerFunctionToIndexSpace):
+        (Builder.prototype._getFunctionFromIndexSpace):
+        (Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
+        (Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.const.codeBuilder.End.switch.case.string_appeared_here.e):
+        (Builder.prototype._registerSectionBuilders.this.Unknown):
+
 2017-05-18  Chris Dumez  <cdumez@apple.com>
 

trunk/LayoutTests/workers/sab/postMessage-transfer-type-error-expected.txt

@@ -4 +4 @@
 
 
-PASS postMessageTransferSharedArrayBuffer() threw exception TypeError: Type error.
+PASS postMessageTransferSharedArrayBuffer() threw exception TypeError: Cannot transfer a SharedArrayBuffer.
 PASS successfullyParsed is true
 

trunk/Source/JavaScriptCore/API/JSTypedArray.cpp

@@ -318 +318 @@
 }
 
-void* JSObjectGetArrayBufferBytesPtr(JSContextRef ctx, JSObjectRef objectRef, JSValueRef*)
+void* JSObjectGetArrayBufferBytesPtr(JSContextRef ctx, JSObjectRef objectRef, JSValueRef* exception)
 {
     ExecState* exec = toJS(ctx);
@@ -327 +327 @@
     if (JSArrayBuffer* jsBuffer = jsDynamicCast<JSArrayBuffer*>(vm, object)) {
         ArrayBuffer* buffer = jsBuffer->impl();
+        if (buffer->isWasmMemory()) {
+            setException(exec, exception, createTypeError(exec, ASCIILiteral("Cannot get the backing buffer for a WebAssembly.Memory")));
+            return nullptr;
+        }
+
         buffer->pinAndLock();
         return buffer->data();

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-05-18  Keith Miller  <keith_miller@apple.com>
+
+        WebAssembly API: test with neutered inputs
+        https://bugs.webkit.org/show_bug.cgi?id=163899
+
+        Reviewed by JF Bastien.
+
+        Add tests to check that we properly throw a type error when
+        we get a transferred ArrayBuffer. Also, we should make sure
+        we cannot post message a wasm memory's ArrayBuffer.
+
+        * API/JSTypedArray.cpp:
+        (JSObjectGetArrayBufferBytesPtr):
+        * runtime/ArrayBuffer.cpp:
+        (JSC::ArrayBuffer::makeShared):
+        (JSC::ArrayBuffer::makeWasmMemory):
+        (JSC::ArrayBuffer::transferTo):
+        (JSC::ArrayBuffer::neuter):
+        (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
+        (JSC::errorMesasgeForTransfer):
+        * runtime/ArrayBuffer.h:
+        (JSC::ArrayBuffer::isLocked):
+        (JSC::ArrayBuffer::isWasmMemory):
+        * wasm/js/JSWebAssemblyMemory.cpp:
+        (JSC::JSWebAssemblyMemory::buffer):
+        (JSC::JSWebAssemblyMemory::grow):
+
 2017-05-18  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/JavaScriptCore/runtime/ArrayBuffer.cpp

@@ -249 +249 @@
     : m_contents(WTFMove(contents))
     , m_pinCount(0)
+    , m_isWasmMemory(false)
     , m_locked(false)
 {
@@ -274 +275 @@
 {
     m_contents.makeShared();
+    m_locked = true;
+}
+
+void ArrayBuffer::makeWasmMemory()
+{
+    m_locked = true;
+    m_isWasmMemory = true;
 }
 
@@ -320 +328 @@
 
     m_contents.transferTo(result);
+    notifyIncommingReferencesOfTransfer(vm);
+    return true;
+}
+
+// We allow neutering wasm memory ArrayBuffers even though they are locked.
+void ArrayBuffer::neuter(VM& vm)
+{
+    ASSERT(isWasmMemory());
+    ArrayBufferContents unused;
+    m_contents.transferTo(unused);
+    notifyIncommingReferencesOfTransfer(vm);
+}
+
+void ArrayBuffer::notifyIncommingReferencesOfTransfer(VM& vm)
+{
     for (size_t i = numberOfIncomingReferences(); i--;) {
         JSCell* cell = incomingReferenceAt(i);
@@ -327 +350 @@
             watchpoint->fireAll();
     }
-    return true;
+}
+
+ASCIILiteral errorMesasgeForTransfer(ArrayBuffer* buffer)
+{
+    ASSERT(buffer->isLocked());
+    if (buffer->isShared())
+        return ASCIILiteral("Cannot transfer a SharedArrayBuffer");
+    if (buffer->isWasmMemory())
+        return ASCIILiteral("Cannot transfer a WebAssembly.Memory");
+    return ASCIILiteral("Cannot transfer an ArrayBuffer whose backing store has been accessed by the JavaScriptCore C API");
 }
 

trunk/Source/JavaScriptCore/runtime/ArrayBuffer.h

@@ -32 +32 @@
 #include <wtf/StdLibExtras.h>
 #include <wtf/ThreadSafeRefCounted.h>
+#include <wtf/text/WTFString.h>
 
 namespace JSC {
@@ -123 +124 @@
     inline bool isShared() const;
     inline ArrayBufferSharingMode sharingMode() const { return isShared() ? ArrayBufferSharingMode::Shared : ArrayBufferSharingMode::Default; }
-    
+
     inline size_t gcSizeEstimateInBytes() const;
 
@@ -132 +133 @@
     inline void unpin();
     inline void pinAndLock();
+    inline bool isLocked();
+
+    void makeWasmMemory();
+    inline bool isWasmMemory();
 
     JS_EXPORT_PRIVATE bool transferTo(VM&, ArrayBufferContents&);
     JS_EXPORT_PRIVATE bool shareWith(ArrayBufferContents&);
+
+    void neuter(VM&);
     bool isNeutered() { return !m_contents.m_data; }
-    
+
     static ptrdiff_t offsetOfData() { return OBJECT_OFFSETOF(ArrayBuffer, m_contents) + OBJECT_OFFSETOF(ArrayBufferContents, m_data); }
 
@@ -150 +157 @@
     static inline int clampValue(int x, int left, int right);
 
+    void notifyIncommingReferencesOfTransfer(VM&);
+
     ArrayBufferContents m_contents;
-    unsigned m_pinCount : 31;
-    bool m_locked : 1; // m_locked == true means that some API user fetched m_contents directly from a TypedArray object.
+    unsigned m_pinCount : 30;
+    bool m_isWasmMemory : 1;
+    // m_locked == true means that some API user fetched m_contents directly from a TypedArray object,
+    // the buffer is backed by a WebAssembly.Memory, or is a SharedArrayBuffer.
+    bool m_locked : 1;
 
 public:
@@ -217 +229 @@
 }
 
+bool ArrayBuffer::isLocked()
+{
+    return m_locked;
+}
+
+bool ArrayBuffer::isWasmMemory()
+{
+    return m_isWasmMemory;
+}
+
+JS_EXPORT_PRIVATE ASCIILiteral errorMesasgeForTransfer(ArrayBuffer*);
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.cpp

@@ -69 +69 @@
     auto destructor = [protectedMemory = WTFMove(protectedMemory)] (void*) { };
     m_buffer = ArrayBuffer::createFromBytes(memory().memory(), memory().size(), WTFMove(destructor));
+    m_buffer->makeWasmMemory();
     m_bufferWrapper.set(vm, this, JSArrayBuffer::create(vm, globalObject->m_arrayBufferStructure.get(), m_buffer.get()));
     RELEASE_ASSERT(m_bufferWrapper);
@@ -111 +112 @@
     // Neuter the old array.
     if (m_buffer) {
-        ArrayBufferContents dummyContents;
-        m_buffer->transferTo(vm, dummyContents);
+        m_buffer->neuter(vm);
         m_buffer = nullptr;
         m_bufferWrapper.clear();

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-05-18  Keith Miller  <keith_miller@apple.com>
+
+        WebAssembly API: test with neutered inputs
+        https://bugs.webkit.org/show_bug.cgi?id=163899
+
+        Reviewed by JF Bastien.
+
+        Make it not possible to transfer an ArrayBuffer that is backed by a
+        wasm memory.
+
+        Test: workers/wasm-mem-post-message.html
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::SerializedScriptValue::create):
+
 2017-05-18  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -2997 +2997 @@
             if (arrayBuffer->isNeutered())
                 return Exception { DATA_CLONE_ERR };
-            if (arrayBuffer->isShared())
-                return Exception { TypeError };
+            if (arrayBuffer->isLocked()) {
+                auto scope = DECLARE_THROW_SCOPE(vm);
+                throwVMTypeError(&state, scope, errorMesasgeForTransfer(arrayBuffer));
+                return Exception { ExistingExceptionError };
+            }
             arrayBuffers.append(WTFMove(arrayBuffer));
             continue;