WebAssembly: poison JS object's secrets
authorjfbastien@apple.com <jfbastien@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 6 Jan 2018 07:01:21 +0000 (07:01 +0000)
committerjfbastien@apple.com <jfbastien@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 6 Jan 2018 07:01:21 +0000 (07:01 +0000)
commitb949ba93e99141ba17b801391285e140ee1b9e5a
tree4d0f8757883688558c388605103cd9cdc3fbf976
parent982b2ccde3260517c2cde964cabc201e1963d657
WebAssembly: poison JS object's secrets
https://bugs.webkit.org/show_bug.cgi?id=181339
<rdar://problem/36325001>

Reviewed by Mark Lam.

Source/JavaScriptCore:

Separating WebAssembly's JS objects from their non-JS
implementation means that all interesting information lives
outside of the JS object itself. This patch poisons each JS
object's pointer to non-JS implementation using the poisoning
mechanism and a unique key per JS object type origin.

* runtime/JSCPoison.h:
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
object in a stack slot when fast TLS is disabled. This requires
that we unpoison the Wasm::Instance.
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
be explicit that the pointer is poisoned.
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:

Source/WTF:

swapping a poisoned pointer with a non-poisoned one (as is done in
JSWebAssembyMemory::adopt) was missing.

* wtf/Poisoned.h:
(WTF::PoisonedImpl::swap):
(WTF::ConstExprPoisonedPtrTraits::swap):

Tools:

Update tests for swap(Poisoned<k, T>, T*)

* TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WTF/Poisoned.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WTF/PoisonedRef.cpp:
(TestWebKitAPI::TEST):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226485 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSCPoison.h
Source/JavaScriptCore/wasm/js/JSToWasm.cpp
Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h
Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h
Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h
Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h
Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h
Source/WTF/ChangeLog
Source/WTF/wtf/Poisoned.h
Tools/ChangeLog
Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp
Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp
Tools/TestWebKitAPI/Tests/WTF/PoisonedRef.cpp