[JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
index 9ae276c..5faea62 100644 (file)
@@ -1,5 +1,44 @@
 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
 
+        [JSC] SharedArrayBufferConstructor and ArrayBufferConstructor should not have their own IsoSubspace
+        https://bugs.webkit.org/show_bug.cgi?id=193774
+
+        Reviewed by Mark Lam.
+
+        We put all the instances of InternalFunction and its subclasses in IsoSubspace to make safer from UAF.
+        But since IsoSubspace requires the memory layout of instances is the same, we created different IsoSubspace
+        for subclasses of InternalFunction if sizeof(subclass) != sizeof(InternalFunction). One example is
+        ArrayBufferConstructor and SharedArrayBufferConstructor. But it is too costly to allocate 16KB page just
+        for these two constructor instances. They are only two instances per JSGlobalObject.
+
+        This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use IsoSubspace
+        of InternalFunction. We introduce JSGenericArrayBufferConstructor, and it takes ArrayBufferSharingMode as
+        its template parameter. We define JSArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>
+        and JSSharedArrayBufferConstructor as JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Shared> so that
+        we do not need to hold ArrayBufferSharingMode in the field of the constructor. This change removes IsoSubspace
+        for ArrayBufferConstructors, and reduces the memory usage.
+
+        * runtime/JSArrayBufferConstructor.cpp:
+        (JSC::JSGenericArrayBufferConstructor<sharingMode>::JSGenericArrayBufferConstructor):
+        (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
+        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
+        (JSC::JSGenericArrayBufferConstructor<sharingMode>::createStructure):
+        (JSC::JSGenericArrayBufferConstructor<sharingMode>::info):
+        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): Deleted.
+        (JSC::JSArrayBufferConstructor::finishCreation): Deleted.
+        (JSC::JSArrayBufferConstructor::create): Deleted.
+        (JSC::JSArrayBufferConstructor::createStructure): Deleted.
+        (JSC::constructArrayBuffer): Deleted.
+        * runtime/JSArrayBufferConstructor.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        * runtime/JSGlobalObject.h:
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+
+2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
+
         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
         https://bugs.webkit.org/show_bug.cgi?id=190693
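Review bot: The safety argument in this entry rests on a layout invariant that nothing listed here enforces. The description says "This patch makes sizeof(ArrayBufferConstructor) == sizeof(InternalFunction) so that they can use IsoSubspace of InternalFunction", and the reason InternalFunction instances live in an IsoSubspace at all is stated as UAF hardening, so a later field added to JSGenericArrayBufferConstructor would silently reintroduce a differently-sized object into that subspace. Please add a `static_assert(sizeof(JSGenericArrayBufferConstructor<ArrayBufferSharingMode::Default>) == sizeof(InternalFunction))` (and the Shared instantiation) next to the class definition in runtime/JSArrayBufferConstructor.h, or mention in the entry where that check already exists. Separately, the `* runtime/JSArrayBufferConstructor.h:`, `* runtime/JSGlobalObject.h:` and `* runtime/VM.h:` lines carry no description; a short note (e.g. that the ArrayBufferConstructor IsoSubspace members are removed from VM.h and the constructor typedefs move into the header) would make the per-file changes reviewable from the ChangeLog alone.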