Changeset 260489 in webkit

Timestamp:

Apr 21, 2020 7:35:57 PM (4 years ago)

Author:

ysuzuki@apple.com

Message:

Canonicalize JSBigInt generated by structured-cloning by calling rightTrim
​https://bugs.webkit.org/show_bug.cgi?id=210816

Reviewed by Keith Miller and Darin Adler.

Source/JavaScriptCore:

• runtime/JSBigInt.h:

Source/WebCore:

Let's assume that the serialized data is slightly different. JSBigInt's internal representation has various invariants. For example, if JSBigInt is zero, it should have zero length,
and its sign should be false. But there are various ways of representing zero JSBigInt in serialization format. For example, we can set sign = true, length = 0. Current code strongly
assumes that dumped data meets this JSBigInt's internal invariant. This is not good: for example, if we add a new invariant into JSBigInt, already serialized data would not meet this
invariant.
In this patch, we call JSBigInt::rightTrim(VM&) when finishing JSBigInt deserialization. This means that we canonicalize JSBigInt when finishing creation, and this makes this serialization
format free from JSBigInt's internal invariants. This makes JSBigInt serialization/deserialization robust. And we also add lengthInUint64 == 0 path not to call rightTrim when it is zero.
This makes deserialization robust for zero-length & signed corrupted JSBigInt zero.

• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneSerializer::dumpBigInt32Data):
(WebCore::CloneDeserializer::readBigInt):

LayoutTests:

Add HeapZero BigInt test.

• fast/dom/Window/window-postmessage-clone-expected.txt:
• fast/dom/Window/window-postmessage-clone.html:
• js/dom/bigint-canonicalization-in-structured-cloning-expected.txt: Added.
• js/dom/bigint-canonicalization-in-structured-cloning.html: Added.
• js/dom/script-tests/bigint-canonicalization-in-structured-cloning.js: Added.
• platform/gtk/fast/dom/Window/window-postmessage-clone-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Window/window-postmessage-clone-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/Window/window-postmessage-clone.html (modified) (2 diffs)
• LayoutTests/js/dom/bigint-canonicalization-in-structured-cloning-expected.txt (added)
• LayoutTests/js/dom/bigint-canonicalization-in-structured-cloning.html (added)
• LayoutTests/js/dom/script-tests/bigint-canonicalization-in-structured-cloning.js (added)
• LayoutTests/platform/gtk/fast/dom/Window/window-postmessage-clone-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSBigInt.h (modified) (3 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/SerializedScriptValue.cpp (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Canonicalize JSBigInt generated by structured-cloning by calling rightTrim
+        https://bugs.webkit.org/show_bug.cgi?id=210816
+
+        Reviewed by Keith Miller and Darin Adler.
+
+        Add HeapZero BigInt test.
+
+        * fast/dom/Window/window-postmessage-clone-expected.txt:
+        * fast/dom/Window/window-postmessage-clone.html:
+        * js/dom/bigint-canonicalization-in-structured-cloning-expected.txt: Added.
+        * js/dom/bigint-canonicalization-in-structured-cloning.html: Added.
+        * js/dom/script-tests/bigint-canonicalization-in-structured-cloning.js: Added.
+        * platform/gtk/fast/dom/Window/window-postmessage-clone-expected.txt:
+
 2020-04-21  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/LayoutTests/fast/dom/Window/window-postmessage-clone-expected.txt

@@ -14 +14 @@
 PASS: eventData is true of type boolean
 PASS: eventData is 1 of type string
+PASS: eventData is 0 of type bigint
 PASS: eventData is 0 of type bigint
 PASS: eventData is -20 of type bigint

trunk/LayoutTests/fast/dom/Window/window-postmessage-clone.html

@@ -9 +9 @@
 document.getElementById("description").innerHTML = "Tests that we clone object hierarchies";
 
+globalThis.heapZero = 100000000000000000000000000000000000000000n - 100000000000000000000000000000000000000000n;
 tryPostMessage('null');
 tryPostMessage('undefined');
@@ -15 +16 @@
 tryPostMessage('"1"');
 tryPostMessage('0n');
+tryPostMessage('globalThis.heapZero');
 tryPostMessage('-20n');
 tryPostMessage('4294967295n');

trunk/LayoutTests/platform/gtk/fast/dom/Window/window-postmessage-clone-expected.txt

@@ -10 +10 @@
 PASS: eventData is true of type boolean
 PASS: eventData is 1 of type string
+PASS: eventData is 0 of type bigint
 PASS: eventData is 0 of type bigint
 PASS: eventData is -20 of type bigint

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Canonicalize JSBigInt generated by structured-cloning by calling rightTrim
+        https://bugs.webkit.org/show_bug.cgi?id=210816
+
+        Reviewed by Keith Miller and Darin Adler.
+
+        * runtime/JSBigInt.h:
+
 2020-04-21  Peng Liu  <peng.liu6@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSBigInt.h

@@ -60 +60 @@
 
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue prototype);
-    static JSBigInt* createZero(VM&);
+    JS_EXPORT_PRIVATE static JSBigInt* createZero(VM&);
     JS_EXPORT_PRIVATE static JSBigInt* tryCreateWithLength(JSGlobalObject*, unsigned length);
     static JSBigInt* createWithLengthUnchecked(VM&, unsigned length);
@@ -157 +157 @@
     Digit digit(unsigned);
     void setDigit(unsigned, Digit); // Use only when initializing.
+    JS_EXPORT_PRIVATE JSBigInt* rightTrim(VM&);
 
 private:
@@ -245 +246 @@
 
     static JSBigInt* copy(VM&, JSBigInt* x);
-    JSBigInt* rightTrim(VM&);
 
     void inplaceMultiplyAdd(Digit multiplier, Digit part);

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        Canonicalize JSBigInt generated by structured-cloning by calling rightTrim
+        https://bugs.webkit.org/show_bug.cgi?id=210816
+
+        Reviewed by Keith Miller and Darin Adler.
+
+        Let's assume that the serialized data is slightly different. JSBigInt's internal representation has various invariants. For example, if JSBigInt is zero, it should have zero length,
+        and its sign should be false. But there are various ways of representing zero JSBigInt in serialization format. For example, we can set sign = true, length = 0. Current code strongly
+        assumes that dumped data meets this JSBigInt's internal invariant. This is not good: for example, if we add a new invariant into JSBigInt, already serialized data would not meet this
+        invariant.
+        In this patch, we call `JSBigInt::rightTrim(VM&)` when finishing JSBigInt deserialization. This means that we canonicalize JSBigInt when finishing creation, and this makes this serialization
+        format free from JSBigInt's internal invariants. This makes JSBigInt serialization/deserialization robust. And we also add lengthInUint64 == 0 path not to call rightTrim when it is zero.
+        This makes deserialization robust for zero-length & signed corrupted JSBigInt zero.
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneSerializer::dumpBigInt32Data):
+        (WebCore::CloneDeserializer::readBigInt):
+
 2020-04-21  Peng Liu  <peng.liu6@apple.com>
 

trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -836 +836 @@
         static_assert(sizeof(uint64_t) == sizeof(unsigned long long));
         write(static_cast<uint8_t>(integer < 0));
+        if (!integer) {
+            write(static_cast<uint32_t>(0)); // Length-in-uint64_t
+            return;
+        }
         write(static_cast<uint32_t>(1)); // Length-in-uint64_t
         int64_t value = static_cast<int64_t>(integer);
@@ -2999 +3003 @@
         if (!read(lengthInUint64))
             return JSValue();
+
+        if (!lengthInUint64) {
+#if USE(BIGINT32)
+            return JSValue(JSValue::JSBigInt32, 0);
+#else
+            JSBigInt* bigInt = JSBigInt::createZero(m_lexicalGlobalObject->vm());
+            m_gcBuffer.appendWithCrashOnOverflow(bigInt);
+            return bigInt;
+#endif
+        }
+
 #if USE(BIGINT32)
         static_assert(sizeof(JSBigInt::Digit) == sizeof(uint64_t));
@@ -3021 +3036 @@
             bigInt->setDigit(0, digit64);
             bigInt->setSign(sign);
+            bigInt = bigInt->rightTrim(m_lexicalGlobalObject->vm());
             m_gcBuffer.appendWithCrashOnOverflow(bigInt);
             return bigInt;
@@ -3056 +3072 @@
         }
         bigInt->setSign(sign);
+        bigInt = bigInt->rightTrim(m_lexicalGlobalObject->vm());
         m_gcBuffer.appendWithCrashOnOverflow(bigInt);
         return bigInt;