All C++ accesses to JSObject::m_butterfly should do caging
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Aug 2017 01:32:07 +0000 (01:32 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Aug 2017 01:32:07 +0000 (01:32 +0000)
commit428ec965cd414f12ecff715838fcf0b13c9b8c2e
treef31f62654102e4455a361e4865a2d3310e3d75ac
parent0b4f740affebd1dec7ec37bb436e9bb83889b36c
All C++ accesses to JSObject::m_butterfly should do caging
https://bugs.webkit.org/show_bug.cgi?id=175039

Reviewed by Keith Miller.

Source/JavaScriptCore:

Makes JSObject::m_butterfly a AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
outside the gigacage.

* runtime/JSArray.cpp:
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::push):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
* runtime/JSObject.cpp:
(JSC::JSObject::heapSnapshot):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::allocateMoreOutOfLineStorage):
* runtime/JSObject.h:
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly const):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::initializeIndexWithoutBarrier):
(JSC::JSObject::butterfly const):
(JSC::JSObject::butterfly):

Source/WTF:

Adds a smart pointer class that does various kinds of caging for you.

* WTF.xcodeproj/project.pbxproj:
* wtf/CMakeLists.txt:
* wtf/CagedPtr.h: Added.
(WTF::CagedPtr::CagedPtr):
(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):
(WTF::CagedPtr::operator== const):
(WTF::CagedPtr::operator!= const):
(WTF::CagedPtr::operator bool const):
(WTF::CagedPtr::operator* const):
(WTF::CagedPtr::operator-> const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220165 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSObject.h
Source/WTF/ChangeLog
Source/WTF/WTF.xcodeproj/project.pbxproj
Source/WTF/wtf/CMakeLists.txt
Source/WTF/wtf/CagedPtr.h [new file with mode: 0644]
Source/bmalloc/bmalloc/Gigacage.h