Changeset 240465 in webkit

Timestamp:

Jan 24, 2019 6:47:58 PM (5 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] ErrorConstructor should not have own IsoSubspace
​https://bugs.webkit.org/show_bug.cgi?id=193800

Reviewed by Saam Barati.

Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
IsoSubspace errorConstructorSpace in VM. But it is allocated only one-per-JSGlobalObject, and it is
too costly to have IsoSubspace which allocates 16KB. Since stackTraceLimit information is per
JSGlobalObject information, we should have m_stackTraceLimit in JSGlobalObject instead and put
ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
into IsoSubspaces) described,

"subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
appear to just override methods, which are called dynamically via the structure or class of the object.
So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."

Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
This reduces the memory usage.

• interpreter/Interpreter.h:
• runtime/Error.cpp:

(JSC::getStackTrace):

• runtime/ErrorConstructor.cpp:

(JSC::ErrorConstructor::ErrorConstructor):
(JSC::ErrorConstructor::finishCreation):
(JSC::constructErrorConstructor):
(JSC::callErrorConstructor):
(JSC::ErrorConstructor::put):
(JSC::ErrorConstructor::deleteProperty):
(JSC::Interpreter::constructWithErrorConstructor): Deleted.
(JSC::Interpreter::callErrorConstructor): Deleted.

• runtime/ErrorConstructor.h:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::stackTraceLimit const):
(JSC::JSGlobalObject::setStackTraceLimit):
(JSC::JSGlobalObject::errorConstructor const): Deleted.

• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• interpreter/Interpreter.h (modified) (1 diff)
• runtime/Error.cpp (modified) (1 diff)
• runtime/ErrorConstructor.cpp (modified) (5 diffs)
• runtime/ErrorConstructor.h (modified) (3 diffs)
• runtime/JSGlobalObject.cpp (modified) (4 diffs)
• runtime/JSGlobalObject.h (modified) (4 diffs)
• runtime/VM.cpp (modified) (1 diff)
• runtime/VM.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] ErrorConstructor should not have own IsoSubspace
+        https://bugs.webkit.org/show_bug.cgi?id=193800
+
+        Reviewed by Saam Barati.
+
+        Similar to r240456, sizeof(ErrorConstructor) != sizeof(InternalFunction), and that is why we have
+        IsoSubspace errorConstructorSpace in VM. But it is allocated only one-per-JSGlobalObject, and it is
+        too costly to have IsoSubspace which allocates 16KB. Since stackTraceLimit information is per
+        JSGlobalObject information, we should have m_stackTraceLimit in JSGlobalObject instead and put
+        ErrorConstructor in InternalFunction's IsoSubspace. As r230813 (moving InternalFunction and subclasses
+        into IsoSubspaces) described,
+
+            "subclasses that are the same size as InternalFunction share its subspace. I did this because the subclasses
+            appear to just override methods, which are called dynamically via the structure or class of the object.
+            So, I don't see a type confusion risk if UAF is used to allocate one kind of InternalFunction over another."
+
+        Then, putting ErrorConstructor in InternalFunction IsoSubspace is fine since it meets the above condition.
+        This patch removes m_stackTraceLimit in ErrorConstructor, and drops IsoSubspace for errorConstructorSpace.
+        This reduces the memory usage.
+
+        * interpreter/Interpreter.h:
+        * runtime/Error.cpp:
+        (JSC::getStackTrace):
+        * runtime/ErrorConstructor.cpp:
+        (JSC::ErrorConstructor::ErrorConstructor):
+        (JSC::ErrorConstructor::finishCreation):
+        (JSC::constructErrorConstructor):
+        (JSC::callErrorConstructor):
+        (JSC::ErrorConstructor::put):
+        (JSC::ErrorConstructor::deleteProperty):
+        (JSC::Interpreter::constructWithErrorConstructor): Deleted.
+        (JSC::Interpreter::callErrorConstructor): Deleted.
+        * runtime/ErrorConstructor.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::JSGlobalObject):
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::visitChildren):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::stackTraceLimit const):
+        (JSC::JSGlobalObject::setStackTraceLimit):
+        (JSC::JSGlobalObject::errorConstructor const): Deleted.
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+
 2019-01-24  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.h

@@ -118 +118 @@
         static String stackTraceAsString(VM&, const Vector<StackFrame>&);
 
-        static EncodedJSValue JSC_HOST_CALL constructWithErrorConstructor(ExecState*);
-        static EncodedJSValue JSC_HOST_CALL callErrorConstructor(ExecState*);
         static EncodedJSValue JSC_HOST_CALL constructWithNativeErrorConstructor(ExecState*);
         static EncodedJSValue JSC_HOST_CALL callNativeErrorConstructor(ExecState*);

trunk/Source/JavaScriptCore/runtime/Error.cpp

@@ -162 +162 @@
 {
     JSGlobalObject* globalObject = obj->globalObject(vm);
-    ErrorConstructor* errorConstructor = globalObject->errorConstructor();
-    if (!errorConstructor->stackTraceLimit())
+    if (!globalObject->stackTraceLimit())
         return nullptr;
 
     size_t framesToSkip = useCurrentFrame ? 0 : 1;
     std::unique_ptr<Vector<StackFrame>> stackTrace = std::make_unique<Vector<StackFrame>>();
-    vm.interpreter->getStackTrace(obj, *stackTrace, framesToSkip, errorConstructor->stackTraceLimit().value());
+    vm.interpreter->getStackTrace(obj, *stackTrace, framesToSkip, globalObject->stackTraceLimit().value());
     if (!stackTrace->isEmpty())
         ASSERT_UNUSED(exec, exec == vm.topCallFrame || exec->isGlobalExec());

trunk/Source/JavaScriptCore/runtime/ErrorConstructor.cpp

@@ -34 +34 @@
 const ClassInfo ErrorConstructor::s_info = { "Function", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(ErrorConstructor) };
 
+static EncodedJSValue JSC_HOST_CALL callErrorConstructor(ExecState*);
+static EncodedJSValue JSC_HOST_CALL constructErrorConstructor(ExecState*);
+
 ErrorConstructor::ErrorConstructor(VM& vm, Structure* structure)
-    : InternalFunction(vm, structure, Interpreter::callErrorConstructor, Interpreter::constructWithErrorConstructor)
+    : InternalFunction(vm, structure, callErrorConstructor, constructErrorConstructor)
 {
 }
@@ -45 +48 @@
     putDirectWithoutTransition(vm, vm.propertyNames->prototype, errorPrototype, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
-
-    unsigned defaultStackTraceLimit = Options::defaultErrorStackTraceLimit();
-    m_stackTraceLimit = defaultStackTraceLimit;
-    putDirectWithoutTransition(vm, vm.propertyNames->stackTraceLimit, jsNumber(defaultStackTraceLimit), static_cast<unsigned>(PropertyAttribute::None));
+    putDirectWithoutTransition(vm, vm.propertyNames->stackTraceLimit, jsNumber(globalObject(vm)->stackTraceLimit().valueOr(Options::defaultErrorStackTraceLimit())), static_cast<unsigned>(PropertyAttribute::None));
 }
 
 // ECMA 15.9.3
 
-EncodedJSValue JSC_HOST_CALL Interpreter::constructWithErrorConstructor(ExecState* exec)
+EncodedJSValue JSC_HOST_CALL constructErrorConstructor(ExecState* exec)
 {
     VM& vm = exec->vm();
@@ -63 +63 @@
 }
 
-EncodedJSValue JSC_HOST_CALL Interpreter::callErrorConstructor(ExecState* exec)
+EncodedJSValue JSC_HOST_CALL callErrorConstructor(ExecState* exec)
 {
     JSValue message = exec->argument(0);
@@ -80 +80 @@
             effectiveLimit = std::max(0., effectiveLimit);
             effectiveLimit = std::min(effectiveLimit, static_cast<double>(std::numeric_limits<unsigned>::max()));
-            thisObject->m_stackTraceLimit = static_cast<unsigned>(effectiveLimit);
+            thisObject->globalObject(vm)->setStackTraceLimit(static_cast<unsigned>(effectiveLimit));
         } else
-            thisObject->m_stackTraceLimit = { };
+            thisObject->globalObject(vm)->setStackTraceLimit(WTF::nullopt);
     }
 
@@ -94 +94 @@
 
     if (propertyName == vm.propertyNames->stackTraceLimit)
-        thisObject->m_stackTraceLimit = { };
+        thisObject->globalObject(vm)->setStackTraceLimit(WTF::nullopt);
 
     return Base::deleteProperty(thisObject, exec, propertyName);

trunk/Source/JavaScriptCore/runtime/ErrorConstructor.h

@@ -30 +30 @@
 class ErrorConstructor final : public InternalFunction {
 public:
-    typedef InternalFunction Base;
-
-    template<typename CellType>
-    static IsoSubspace* subspaceFor(VM& vm)
-    {
-        return &vm.errorConstructorSpace;
-    }
+    using Base = InternalFunction;
 
     static ErrorConstructor* create(VM& vm, Structure* structure, ErrorPrototype* errorPrototype, GetterSetter*)
@@ -52 +46 @@
     }
 
-    Optional<unsigned> stackTraceLimit() const { return m_stackTraceLimit; }
-
 protected:
     void finishCreation(VM&, ErrorPrototype*);
@@ -63 +55 @@
     ErrorConstructor(VM&, Structure*);
 
-    Optional<unsigned> m_stackTraceLimit;
 };
 
+static_assert(sizeof(ErrorConstructor) == sizeof(InternalFunction), "");
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -361 +361 @@
     , m_numberToStringWatchpoint(IsWatched)
     , m_runtimeFlags()
+    , m_stackTraceLimit(Options::defaultErrorStackTraceLimit())
     , m_globalObjectMethodTable(globalObjectMethodTable ? globalObjectMethodTable : &s_globalObjectMethodTable)
 {
@@ -701 +702 @@
 #undef CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE
 
-    m_errorConstructor.set(vm, this, errorConstructor);
     m_promiseConstructor.set(vm, this, promiseConstructor);
     m_internalPromiseConstructor.set(vm, this, internalPromiseConstructor);
@@ -879 +879 @@
         GlobalPropertyInfo(vm.propertyNames->builtinNames().importModulePrivateName(), privateFuncImportModule, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().enqueueJobPrivateName(), JSFunction::create(vm, this, 0, String(), enqueueJob), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
-        GlobalPropertyInfo(vm.propertyNames->builtinNames().ErrorPrivateName(), m_errorConstructor.get(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+        GlobalPropertyInfo(vm.propertyNames->builtinNames().ErrorPrivateName(), errorConstructor, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().RangeErrorPrivateName(), m_rangeErrorConstructor.get(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().TypeErrorPrivateName(), m_typeErrorConstructor.get(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
@@ -1549 +1549 @@
     visitor.append(thisObject->m_stackOverflowFrameCallee);
     visitor.append(thisObject->m_regExpConstructor);
-    visitor.append(thisObject->m_errorConstructor);
     visitor.append(thisObject->m_nativeErrorPrototypeStructure);
     visitor.append(thisObject->m_nativeErrorStructure);

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -260 +260 @@
     WriteBarrier<JSCallee> m_stackOverflowFrameCallee;
     WriteBarrier<RegExpConstructor> m_regExpConstructor;
-    WriteBarrier<ErrorConstructor> m_errorConstructor;
     WriteBarrier<Structure> m_nativeErrorPrototypeStructure;
     WriteBarrier<Structure> m_nativeErrorStructure;
@@ -499 +498 @@
     RuntimeFlags m_runtimeFlags;
     ConsoleClient* m_consoleClient { nullptr };
+    Optional<unsigned> m_stackTraceLimit;
 
 #if !ASSERT_DISABLED
@@ -531 +531 @@
 #endif
 
+    Optional<unsigned> stackTraceLimit() const { return m_stackTraceLimit; }
+    void setStackTraceLimit(Optional<unsigned> value) { m_stackTraceLimit = value; }
+
 protected:
     JS_EXPORT_PRIVATE explicit JSGlobalObject(VM&, Structure*, const GlobalObjectMethodTable* = nullptr);
@@ -574 +577 @@
     RegExpConstructor* regExpConstructor() const { return m_regExpConstructor.get(); }
 
-    ErrorConstructor* errorConstructor() const { return m_errorConstructor.get(); }
     ArrayConstructor* arrayConstructor() const { return m_arrayConstructor.get(); }
     ObjectConstructor* objectConstructor() const { return m_objectConstructor.get(); }

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -298 +298 @@
     , callbackFunctionSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), JSCallbackFunction)
     , customGetterSetterFunctionSpace ISO_SUBSPACE_INIT(heap, cellJSValueOOBHeapCellType.get(), JSCustomGetterSetterFunction)
-    , errorConstructorSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), ErrorConstructor)
     , executableToCodeBlockEdgeSpace ISO_SUBSPACE_INIT(heap, cellDangerousBitsHeapCellType.get(), ExecutableToCodeBlockEdge)
     , functionSpace ISO_SUBSPACE_INIT(heap, cellJSValueOOBHeapCellType.get(), JSFunction)

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -373 +373 @@
     IsoSubspace callbackFunctionSpace;
     IsoSubspace customGetterSetterFunctionSpace;
-    IsoSubspace errorConstructorSpace;
     IsoSubspace executableToCodeBlockEdgeSpace;
     IsoSubspace functionSpace;