Poison small JSObject derivatives which only contain pointers
authorjfbastien@apple.com <jfbastien@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Jan 2018 03:03:35 +0000 (03:03 +0000)
committerjfbastien@apple.com <jfbastien@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Jan 2018 03:03:35 +0000 (03:03 +0000)
commitdec4ae01481dd10c6a8a38a9bfee1f39bd05c68a
treed491d57918beb55f1528791363108de18eb2b371
parentc347f073cd45871d94ff3f7cb67c7955b5aba889
Poison small JSObject derivatives which only contain pointers
https://bugs.webkit.org/show_bug.cgi?id=181483
<rdar://problem/36407127>

Reviewed by Mark Lam.

Source/JavaScriptCore:

I wrote a script that finds interesting things to poison or
generally harden. These stood out because they derive from
JSObject and only contain a few pointer or pointer-like fields,
and could therefore just be poisoned. This also requires some
template "improvements" to our poisoning machinery. Worth noting
is that I'm making PoisonedUniquePtr move-assignable and
move-constructible from unique_ptr, which makes it a better
drop-in replacement because we don't need to use
makePoisonedUniquePtr. This means function-locals can be
unique_ptr and get the nice RAII pattern, and once the function is
done you can just move to the class' PoisonedUniquePtr without
worrying.

* API/JSAPIWrapperObject.h:
(JSC::JSAPIWrapperObject::wrappedObject):
* API/JSAPIWrapperObject.mm:
(JSC::JSAPIWrapperObject::JSAPIWrapperObject):
* API/JSCallbackObject.h:
* runtime/ArrayPrototype.h:
* runtime/DateInstance.h:
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::finishCreation):
(JSC::JSArrayBuffer::isShared const):
(JSC::JSArrayBuffer::sharingMode const):
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.h:

Source/WTF:

The associated JSC poisoning change requires some template
"improvements" to our poisoning machinery. Worth noting is that
I'm making PoisonedUniquePtr move-assignable and
move-constructible from unique_ptr, which makes it a better
drop-in replacement because we don't need to use
makePoisonedUniquePtr. This means function-locals can be
unique_ptr and get the nice RAII pattern, and once the function is
done you can just move to the class' PoisonedUniquePtr without
worrying.

* wtf/Poisoned.h:
(WTF::PoisonedImpl::PoisonedImpl):
* wtf/PoisonedUniquePtr.h:
(WTF::PoisonedUniquePtr::PoisonedUniquePtr):
(WTF::PoisonedUniquePtr::operator=):

Tools:

Test the new move-assign and move-copy from unique_ptr, as well as
nullptr_t ctors.

* TestWebKitAPI/Tests/WTF/Poisoned.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WTF/PoisonedUniquePtr.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WTF/PoisonedUniquePtrForTriviallyDestructibleArrays.cpp:
(TestWebKitAPI::TEST):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226752 268f45cc-cd09-0410-ab3c-d52691b4dbfc
16 files changed:
Source/JavaScriptCore/API/JSAPIWrapperObject.h
Source/JavaScriptCore/API/JSAPIWrapperObject.mm
Source/JavaScriptCore/API/JSCallbackObject.h
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ArrayPrototype.h
Source/JavaScriptCore/runtime/DateInstance.h
Source/JavaScriptCore/runtime/JSArrayBuffer.cpp
Source/JavaScriptCore/runtime/JSArrayBuffer.h
Source/JavaScriptCore/runtime/JSCPoison.h
Source/WTF/ChangeLog
Source/WTF/wtf/Poisoned.h
Source/WTF/wtf/PoisonedUniquePtr.h
Tools/ChangeLog
Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp
Tools/TestWebKitAPI/Tests/WTF/PoisonedUniquePtr.cpp
Tools/TestWebKitAPI/Tests/WTF/PoisonedUniquePtrForTriviallyDestructibleArrays.cpp