Objects that contain dangerous things should be allocated far away from objects that...
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Feb 2018 05:27:39 +0000 (05:27 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Feb 2018 05:27:39 +0000 (05:27 +0000)
commit6b0f97da29fc2cc390326536808a3b95b784b759
tree4186f5a494d26ce8a3b1c4b5506012b567639982
parenta774ce59a5144c98fd8449f7bdf11f8775ac0ea7
Objects that contain dangerous things should be allocated far away from objects that can do OOB
https://bugs.webkit.org/show_bug.cgi?id=182843

Reviewed by Saam Barati.

To complete our object distancing plan, we need to put objects that can contain unpoisoned data
far away from objects that cannot. Objects referenceable from JSValues cannot contain
unpoisoned data, but auxiliary data can. This further divides auxiliary data that is meant for
storing mostly JSValues from data that is meant for storing anything.

This is achieved by having three SecurityKinds that are used for MarkedBlock selection and
zeroing sort of the same way SecurityOriginToken already was.

This change shouldn't make anything slower. If anything, it will be a small speed-up because it
removes some cases of MarkedBlock zeroing since we don't need to zero blocks used for two of
the SecurityKinds.

* Sources.txt:
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::addBlock):
* heap/BlockDirectory.h:
* heap/CellAttributes.cpp:
(JSC::CellAttributes::dump const):
* heap/CellAttributes.h:
(JSC::CellAttributes::CellAttributes):
* heap/LocalAllocator.cpp:
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::associateWithOrigin): Deleted.
* heap/MarkedBlock.h:
* heap/SecurityKind.cpp: Added.
(WTF::printInternal):
* heap/SecurityKind.h: Added.
* runtime/JSCellInlines.h:
(JSC::JSCell::subspaceFor):
* runtime/JSDestructibleObjectHeapCellType.cpp:
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
* runtime/JSObject.h:
(JSC::JSObject::subspaceFor):
* runtime/JSSegmentedVariableObjectHeapCellType.cpp:
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
* runtime/JSStringHeapCellType.cpp:
(JSC::JSStringHeapCellType::JSStringHeapCellType):
* runtime/Symbol.h:
(JSC::Symbol::subspaceFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@228552 268f45cc-cd09-0410-ab3c-d52691b4dbfc
23 files changed:
Source/JavaScriptCore/CMakeLists.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/Sources.txt
Source/JavaScriptCore/bytecode/ObjectAllocationProfileInlines.h
Source/JavaScriptCore/heap/BlockDirectory.cpp
Source/JavaScriptCore/heap/BlockDirectory.h
Source/JavaScriptCore/heap/CellAttributes.cpp
Source/JavaScriptCore/heap/CellAttributes.h
Source/JavaScriptCore/heap/LocalAllocator.cpp
Source/JavaScriptCore/heap/MarkedBlock.cpp
Source/JavaScriptCore/heap/MarkedBlock.h
Source/JavaScriptCore/heap/SecurityKind.cpp [new file with mode: 0644]
Source/JavaScriptCore/heap/SecurityKind.h [new file with mode: 0644]
Source/JavaScriptCore/runtime/JSCellInlines.h
Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/JSSegmentedVariableObjectHeapCellType.cpp
Source/JavaScriptCore/runtime/JSStringHeapCellType.cpp
Source/JavaScriptCore/runtime/Symbol.h
Source/JavaScriptCore/runtime/VM.cpp
Source/JavaScriptCore/runtime/VM.h
Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp