Context Navigation

← Previous Changeset
Next Changeset →

Changeset 239256 in webkit

Timestamp:

Dec 15, 2018 9:49:01 PM (5 years ago)

Author:

yusukesuzuki@slowstart.org

Message:

Null pointer dereference in JSC::WriteBarrierBase()
https://bugs.webkit.org/show_bug.cgi?id=191252

Reviewed by Keith Miller.

Source/JavaScriptCore:

JSPromiseDeferred::create can return nullptr and an exception if stack overflow happens.
We would like to make it RELEASE_ASSERT since the current module mechanism is not immune
to stack overflow.

This patch renames JSPromiseDeferred::create to JSPromiseDeferred::tryCreate to tell that
it can return nullptr. And we insert error checks or assertions after this call.

jsc.cpp:

(GlobalObject::moduleLoaderImportModule):
(GlobalObject::moduleLoaderFetch):

runtime/Completion.cpp:

(JSC::rejectPromise):

runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncImportModule):

runtime/JSInternalPromiseDeferred.cpp:

(JSC::JSInternalPromiseDeferred::tryCreate):
(JSC::JSInternalPromiseDeferred::create): Deleted.

runtime/JSInternalPromiseDeferred.h:
runtime/JSModuleLoader.cpp:

(JSC::JSModuleLoader::importModule):
(JSC::JSModuleLoader::resolve):
(JSC::JSModuleLoader::fetch):
(JSC::moduleLoaderParseModule):

runtime/JSPromise.h:
runtime/JSPromiseDeferred.cpp:

(JSC::JSPromiseDeferred::tryCreate):

runtime/JSPromiseDeferred.h:
wasm/js/WebAssemblyPrototype.cpp:

(JSC::webAssemblyCompileFunc):
(JSC::webAssemblyInstantiateFunc):
(JSC::webAssemblyCompileStreamingInternal):
(JSC::webAssemblyInstantiateStreamingInternal):

Source/WebCore:

bindings/js/JSCustomElementRegistryCustom.cpp:

(WebCore::JSCustomElementRegistry::whenDefined):

bindings/js/JSDOMPromiseDeferred.cpp:

(WebCore::createDeferredPromise):

bindings/js/JSDOMPromiseDeferred.h:

(WebCore::DeferredPromise::create):
(WebCore::callPromiseFunction):

bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::moduleLoaderFetch):
(WebCore::JSDOMWindowBase::moduleLoaderImportModule):

bindings/js/ScriptModuleLoader.cpp:

(WebCore::ScriptModuleLoader::fetch):
(WebCore::rejectPromise):

Location:

trunk/Source

Files:

: 17 edited

JavaScriptCore/ChangeLog (modified) (1 diff)
JavaScriptCore/jsc.cpp (modified) (2 diffs)
JavaScriptCore/runtime/Completion.cpp (modified) (1 diff)
JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (1 diff)
JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp (modified) (1 diff)
JavaScriptCore/runtime/JSInternalPromiseDeferred.h (modified) (1 diff)
JavaScriptCore/runtime/JSModuleLoader.cpp (modified) (4 diffs)
JavaScriptCore/runtime/JSPromise.h (modified) (1 diff)
JavaScriptCore/runtime/JSPromiseDeferred.cpp (modified) (1 diff)
JavaScriptCore/runtime/JSPromiseDeferred.h (modified) (1 diff)
JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp (modified) (4 diffs)
WebCore/ChangeLog (modified) (1 diff)
WebCore/bindings/js/JSCustomElementRegistryCustom.cpp (modified) (1 diff)
WebCore/bindings/js/JSDOMPromiseDeferred.cpp (modified) (1 diff)
WebCore/bindings/js/JSDOMPromiseDeferred.h (modified) (3 diffs)
WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (2 diffs)
WebCore/bindings/js/ScriptModuleLoader.cpp (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/ChangeLog

-                      r239255
+                      r239256
+-12-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+        Null pointer dereference in JSC::WriteBarrierBase()
+        https://bugs.webkit.org/show_bug.cgi?id=191252
+        Reviewed by Keith Miller.
+        JSPromiseDeferred::create can return nullptr and an exception if stack overflow happens.
+        We would like to make it RELEASE_ASSERT since the current module mechanism is not immune
+        to stack overflow.
+        This patch renames JSPromiseDeferred::create to JSPromiseDeferred::tryCreate to tell that
+        it can return nullptr. And we insert error checks or assertions after this call.
+        * jsc.cpp:
+        (GlobalObject::moduleLoaderImportModule):
+        (GlobalObject::moduleLoaderFetch):
+        * runtime/Completion.cpp:
+        (JSC::rejectPromise):
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncImportModule):
+        * runtime/JSInternalPromiseDeferred.cpp:
+        (JSC::JSInternalPromiseDeferred::tryCreate):
+        (JSC::JSInternalPromiseDeferred::create): Deleted.
+        * runtime/JSInternalPromiseDeferred.h:
+        * runtime/JSModuleLoader.cpp:
+        (JSC::JSModuleLoader::importModule):
+        (JSC::JSModuleLoader::resolve):
+        (JSC::JSModuleLoader::fetch):
+        (JSC::moduleLoaderParseModule):
+        * runtime/JSPromise.h:
+        * runtime/JSPromiseDeferred.cpp:
+        (JSC::JSPromiseDeferred::tryCreate):
+        * runtime/JSPromiseDeferred.h:
+        * wasm/js/WebAssemblyPrototype.cpp:
+        (JSC::webAssemblyCompileFunc):
+        (JSC::webAssemblyInstantiateFunc):
+        (JSC::webAssemblyCompileStreamingInternal):
+        (JSC::webAssemblyInstantiateStreamingInternal):
 -12-15  Darin Adler  <darin@apple.com>

trunk/Source/JavaScriptCore/jsc.cpp

-                      r239254
+                      r239256
     auto throwScope = DECLARE_THROW_SCOPE(vm);
     auto* deferred = JSInternalPromiseDeferred::create(exec, globalObject);
+    auto* deferred = JSInternalPromiseDeferred::tryCreate(exec, globalObject);
     RETURN_IF_EXCEPTION(throwScope, nullptr);
 …
     VM& vm = globalObject->vm();
     auto throwScope = DECLARE_THROW_SCOPE(vm);
     JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::create(exec, globalObject);
+    JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::tryCreate(exec, globalObject);
     RETURN_IF_EXCEPTION(throwScope, nullptr);

trunk/Source/JavaScriptCore/runtime/Completion.cpp

-                      r236904
+                      r239256
     JSValue exception = scope.exception()->value();
     scope.clearException();
+    JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::create(exec, globalObject);
+    JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::tryCreate(exec, globalObject);
+    scope.releaseAssertNoException();
     deferred->reject(exec, exception);
+    scope.releaseAssertNoException();
     return deferred->promise();
+}

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

r238391	r239256
788	788	auto* globalObject = exec->lexicalGlobalObject();
789	789
790		auto* promise = JSPromiseDeferred::create(exec, globalObject);
	790	auto* promise = JSPromiseDeferred::tryCreate(exec, globalObject);
791	791	RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
792	792

trunk/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp

r236372	r239256
38	38	const ClassInfo JSInternalPromiseDeferred::s_info = { "JSInternalPromiseDeferred", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSInternalPromiseDeferred) };
39	39
40		JSInternalPromiseDeferred* JSInternalPromiseDeferred::create(ExecState* exec, JSGlobalObject* globalObject)
	40	JSInternalPromiseDeferred* JSInternalPromiseDeferred::tryCreate(ExecState* exec, JSGlobalObject* globalObject)
41	41	{
42	42	VM& vm = exec->vm();

trunk/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.h

r214218	r239256
37	37	static const unsigned StructureFlags = Base::StructureFlags \| StructureIsImmortal;
38	38
39		JS_EXPORT_PRIVATE static JSInternalPromiseDeferred* create(ExecState, JSGlobalObject);
	39	JS_EXPORT_PRIVATE static JSInternalPromiseDeferred* tryCreate(ExecState, JSGlobalObject);
40	40
41	41	static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)

trunk/Source/JavaScriptCore/runtime/JSModuleLoader.cpp

-                      r238391
+                      r239256
         RELEASE_AND_RETURN(throwScope, globalObject->globalObjectMethodTable()->moduleLoaderImportModule(globalObject, exec, this, moduleName, parameters, referrer));
     auto* deferred = JSInternalPromiseDeferred::create(exec, globalObject);
+    auto* deferred = JSInternalPromiseDeferred::tryCreate(exec, globalObject);
     RETURN_IF_EXCEPTION(throwScope, nullptr);
 …
     auto throwScope = DECLARE_THROW_SCOPE(vm);
     JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::create(exec, exec->lexicalGlobalObject());
+    JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::tryCreate(exec, exec->lexicalGlobalObject());
     RETURN_IF_EXCEPTION(throwScope, nullptr);
 …
         RELEASE_AND_RETURN(throwScope, globalObject->globalObjectMethodTable()->moduleLoaderFetch(globalObject, exec, this, key, parameters, scriptFetcher));
     JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::create(exec, globalObject);
+    JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::tryCreate(exec, globalObject);
     RETURN_IF_EXCEPTION(throwScope, nullptr);
 …
     auto throwScope = DECLARE_THROW_SCOPE(vm);
     JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::create(exec, exec->lexicalGlobalObject());
+    JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::tryCreate(exec, exec->lexicalGlobalObject());
     RETURN_IF_EXCEPTION(throwScope, encodedJSValue());

trunk/Source/JavaScriptCore/runtime/JSPromise.h

-                      r236372
+                      r239256
 class JSPromise : public JSNonFinalObject {
 public:
     typedef JSNonFinalObject Base;
+    using Base = JSNonFinalObject;
     static JSPromise* create(VM&, Structure*);
-    struct JSPromiseAndCallbacks {
-        JSPromise* promise;
-        JSFunction* resolve;
-        JSFunction* reject;
-    };
-    static JSPromiseAndCallbacks createWithCallbacks(VM&, Structure*);
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue);

trunk/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp

r236372	r239256
67	67	}
68	68
69		JSPromiseDeferred* JSPromiseDeferred::create(ExecState* exec, JSGlobalObject* globalObject)
	69	JSPromiseDeferred* JSPromiseDeferred::tryCreate(ExecState* exec, JSGlobalObject* globalObject)
70	70	{
71	71	VM& vm = exec->vm();

trunk/Source/JavaScriptCore/runtime/JSPromiseDeferred.h

r236372	r239256
50	50	static DeferredData createDeferredData(ExecState, JSGlobalObject, JSPromiseConstructor*);
51	51
52		JS_EXPORT_PRIVATE static JSPromiseDeferred* create(ExecState, JSGlobalObject);
	52	JS_EXPORT_PRIVATE static JSPromiseDeferred* tryCreate(ExecState, JSGlobalObject);
53	53	JS_EXPORT_PRIVATE static JSPromiseDeferred* create(VM&, JSPromise, JSFunction resolve, JSFunction* reject);
54	54

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp

-                      r235420
+                      r239256
     auto* globalObject = exec->lexicalGlobalObject();
     JSPromiseDeferred* promise = JSPromiseDeferred::create(exec, globalObject);
+    JSPromiseDeferred* promise = JSPromiseDeferred::tryCreate(exec, globalObject);
     RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
 …
     auto* globalObject = exec->lexicalGlobalObject();
     JSPromiseDeferred* promise = JSPromiseDeferred::create(exec, globalObject);
+    JSPromiseDeferred* promise = JSPromiseDeferred::tryCreate(exec, globalObject);
     RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
 …
     auto catchScope = DECLARE_CATCH_SCOPE(vm);
     JSPromiseDeferred* promise = JSPromiseDeferred::create(exec, globalObject);
+    JSPromiseDeferred* promise = JSPromiseDeferred::tryCreate(exec, globalObject);
     Vector<Strong<JSCell>> dependencies;
 …
     auto* globalObject = exec->lexicalGlobalObject();
+    JSPromiseDeferred* promise = JSPromiseDeferred::create(exec, globalObject);
+    JSPromiseDeferred* promise = JSPromiseDeferred::tryCreate(exec, globalObject);
     RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
+    {

trunk/Source/WebCore/ChangeLog

-                      r239255
+                      r239256
+-12-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+        Null pointer dereference in JSC::WriteBarrierBase()
+        https://bugs.webkit.org/show_bug.cgi?id=191252
+        Reviewed by Keith Miller.
+        * bindings/js/JSCustomElementRegistryCustom.cpp:
+        (WebCore::JSCustomElementRegistry::whenDefined):
+        * bindings/js/JSDOMPromiseDeferred.cpp:
+        (WebCore::createDeferredPromise):
+        * bindings/js/JSDOMPromiseDeferred.h:
+        (WebCore::DeferredPromise::create):
+        (WebCore::callPromiseFunction):
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::JSDOMWindowBase::moduleLoaderFetch):
+        (WebCore::JSDOMWindowBase::moduleLoaderImportModule):
+        * bindings/js/ScriptModuleLoader.cpp:
+        (WebCore::ScriptModuleLoader::fetch):
+        (WebCore::rejectPromise):
 -12-15  Darin Adler  <darin@apple.com>

trunk/Source/WebCore/bindings/js/JSCustomElementRegistryCustom.cpp

-                      r233245
+                      r239256
     ASSERT(globalObject());
     auto promiseDeferred = JSPromiseDeferred::create(&state, globalObject());
     ASSERT(promiseDeferred);
+    auto promiseDeferred = JSPromiseDeferred::tryCreate(&state, globalObject());
+    RELEASE_ASSERT(promiseDeferred);
     JSValue promise = whenDefinedPromise(state, *globalObject(), wrapped(), *promiseDeferred);

trunk/Source/WebCore/bindings/js/JSDOMPromiseDeferred.cpp

-                      r232337
+                      r239256
 Ref<DeferredPromise> createDeferredPromise(JSC::ExecState& state, JSDOMWindow& domWindow)
+{
     JSC::JSPromiseDeferred* deferred = JSC::JSPromiseDeferred::create(&state, &domWindow);
+    JSC::JSPromiseDeferred* deferred = JSC::JSPromiseDeferred::tryCreate(&state, &domWindow);
     // deferred can only be null in workers.
     ASSERT(deferred);
+    RELEASE_ASSERT(deferred);
     return DeferredPromise::create(domWindow, *deferred);
+}

trunk/Source/WebCore/bindings/js/JSDOMPromiseDeferred.h

-                      r232156
+                      r239256
     static RefPtr<DeferredPromise> create(JSC::ExecState& state, JSDOMGlobalObject& globalObject, Mode mode = Mode::ClearPromiseOnResolve)
+    {
         auto* promiseDeferred = JSC::JSPromiseDeferred::create(&state, &globalObject);
+        auto* promiseDeferred = JSC::JSPromiseDeferred::tryCreate(&state, &globalObject);
         if (!promiseDeferred)
             return nullptr;
 …
     auto& globalObject = callerGlobalObject(state);
     JSC::JSPromiseDeferred* promiseDeferred = JSC::JSPromiseDeferred::create(&state, &globalObject);
+    JSC::JSPromiseDeferred* promiseDeferred = JSC::JSPromiseDeferred::tryCreate(&state, &globalObject);
     // promiseDeferred can be null when terminating a Worker abruptly.
 …
     auto& globalObject = callerGlobalObject(state);
     JSC::JSPromiseDeferred* promiseDeferred = JSC::JSPromiseDeferred::create(&state, &globalObject);
+    JSC::JSPromiseDeferred* promiseDeferred = JSC::JSPromiseDeferred::tryCreate(&state, &globalObject);
     // promiseDeferred can be null when terminating a Worker abruptly.

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

-                      r237266
+                      r239256
 JSC::JSInternalPromise* JSDOMWindowBase::moduleLoaderFetch(JSC::JSGlobalObject* globalObject, JSC::ExecState* exec, JSC::JSModuleLoader* moduleLoader, JSC::JSValue moduleKey, JSC::JSValue parameters, JSC::JSValue scriptFetcher)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSDOMWindowBase* thisObject = JSC::jsCast<JSDOMWindowBase*>(globalObject);
     if (RefPtr<Document> document = thisObject->wrapped().document())
+        return document->moduleLoader()->fetch(globalObject, exec, moduleLoader, moduleKey, parameters, scriptFetcher);
+    JSC::JSInternalPromiseDeferred* deferred = JSC::JSInternalPromiseDeferred::create(exec, globalObject);
+    return deferred->reject(exec, jsUndefined());
+        RELEASE_AND_RETURN(scope, document->moduleLoader()->fetch(globalObject, exec, moduleLoader, moduleKey, parameters, scriptFetcher));
+    JSC::JSInternalPromiseDeferred* deferred = JSC::JSInternalPromiseDeferred::tryCreate(exec, globalObject);
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    RELEASE_AND_RETURN(scope, deferred->reject(exec, jsUndefined()));
+}
 …
 JSC::JSInternalPromise* JSDOMWindowBase::moduleLoaderImportModule(JSC::JSGlobalObject* globalObject, JSC::ExecState* exec, JSC::JSModuleLoader* moduleLoader, JSC::JSString* moduleName, JSC::JSValue parameters, const JSC::SourceOrigin& sourceOrigin)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSDOMWindowBase* thisObject = JSC::jsCast<JSDOMWindowBase*>(globalObject);
     if (RefPtr<Document> document = thisObject->wrapped().document())
+        return document->moduleLoader()->importModule(globalObject, exec, moduleLoader, moduleName, parameters, sourceOrigin);
+    JSC::JSInternalPromiseDeferred* deferred = JSC::JSInternalPromiseDeferred::create(exec, globalObject);
+    return deferred->reject(exec, jsUndefined());
+        RELEASE_AND_RETURN(scope, document->moduleLoader()->importModule(globalObject, exec, moduleLoader, moduleName, parameters, sourceOrigin));
+    JSC::JSInternalPromiseDeferred* deferred = JSC::JSInternalPromiseDeferred::tryCreate(exec, globalObject);
+    RETURN_IF_EXCEPTION(scope, nullptr);
+    RELEASE_AND_RETURN(scope, deferred->reject(exec, jsUndefined()));
+}

trunk/Source/WebCore/bindings/js/ScriptModuleLoader.cpp

-                      r233122
+                      r239256
     auto& globalObject = *JSC::jsCast<JSDOMGlobalObject*>(jsGlobalObject);
+    auto& jsPromise = *JSC::JSInternalPromiseDeferred::create(exec, &globalObject);
+    auto deferred = DeferredPromise::create(globalObject, jsPromise);
+    auto* jsPromise = JSC::JSInternalPromiseDeferred::tryCreate(exec, &globalObject);
+    RELEASE_ASSERT(jsPromise);
+    auto deferred = DeferredPromise::create(globalObject, *jsPromise);
     if (moduleKeyValue.isSymbol()) {
         deferred->reject(TypeError, "Symbol module key should be already fulfilled with the inlined resource."_s);
         return jsPromise.promise();
+        return jsPromise->promise();
+    }
     if (!moduleKeyValue.isString()) {
         deferred->reject(TypeError, "Module key is not Symbol or String."_s);
         return jsPromise.promise();
+        return jsPromise->promise();
+    }
 …
     if (!completedURL.isValid()) {
         deferred->reject(TypeError, "Module key is a valid URL."_s);
         return jsPromise.promise();
+        return jsPromise->promise();
+    }
 …
         m_loaders.remove(WTFMove(loader));
         rejectToPropagateNetworkError(deferred.get(), ModuleFetchFailureKind::WasErrored, "Importing a module script failed."_s);
         return jsPromise.promise();
+    }
     return jsPromise.promise();
+        return jsPromise->promise();
+    }
+    return jsPromise->promise();
+}
 …
 static JSC::JSInternalPromise* rejectPromise(JSC::ExecState& state, JSDOMGlobalObject& globalObject, ExceptionCode ec, ASCIILiteral message)
+{
+    auto& jsPromise = *JSC::JSInternalPromiseDeferred::create(&state, &globalObject);
+    auto deferred = DeferredPromise::create(globalObject, jsPromise);
+    auto* jsPromise = JSC::JSInternalPromiseDeferred::tryCreate(&state, &globalObject);
+    RELEASE_ASSERT(jsPromise);
+    auto deferred = DeferredPromise::create(globalObject, *jsPromise);
     deferred->reject(ec, WTFMove(message));
     return jsPromise.promise();
+    return jsPromise->promise();
+}

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 239256 in webkit

Legend:

Download in other formats: