Diff
Modified: trunk/Source/_javascript_Core/CMakeLists.txt (267937 => 267938)
--- trunk/Source/_javascript_Core/CMakeLists.txt 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/CMakeLists.txt 2020-10-03 23:51:12 UTC (rev 267938)
@@ -474,6 +474,7 @@
assembler/CPU.h
assembler/CodeLocation.h
assembler/FastJITPermissions.h
+ assembler/JITOperationList.h
assembler/LinkBuffer.h
assembler/MIPSAssembler.h
assembler/MIPSRegisters.h
Modified: trunk/Source/_javascript_Core/ChangeLog (267937 => 267938)
--- trunk/Source/_javascript_Core/ChangeLog 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-10-03 23:51:12 UTC (rev 267938)
@@ -1,3 +1,54 @@
+2020-10-03 Yusuke Suzuki <[email protected]>
+
+ [JSC] Introduce JITOperationList to validate JIT-caged pointers
+ https://bugs.webkit.org/show_bug.cgi?id=217261
+
+ Reviewed by Saam Barati.
+
+ This patch adds JITOperationList, which manages all the host-function & jit-operation pointers.
+ And we can now query whether the given pointer is registered in this table.
+ Currently, as a test, we are verifying that host-function is registered in this table when creating NativeExecutable in debug build.
+
+ * CMakeLists.txt:
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * assembler/JITOperationList.cpp: Added.
+ (JSC::JITOperationList::initialize):
+ (JSC::addPointers):
+ (JSC::JITOperationList::populatePointersInJavaScriptCore):
+ (JSC::JITOperationList::populatePointersInEmbedder):
+ * assembler/JITOperationList.h: Added.
+ (JSC::JITOperationList::contains const):
+ (JSC::JITOperationList::assertIsHostFunction):
+ (JSC::JITOperationList::assertIsJITOperation):
+ (JSC::JITOperationList::instance):
+ * assembler/MacroAssemblerARM64.cpp:
+ * assembler/MacroAssemblerARMv7.cpp:
+ * assembler/MacroAssemblerMIPS.cpp:
+ * assembler/MacroAssemblerX86Common.cpp:
+ * jsc.cpp:
+ (jscmain):
+ * runtime/InitializeThreading.cpp:
+ (JSC::initialize):
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncSet):
+ (JSC::genericTypedArrayViewProtoFuncCopyWithin):
+ (JSC::genericTypedArrayViewProtoFuncIncludes):
+ (JSC::genericTypedArrayViewProtoFuncIndexOf):
+ (JSC::genericTypedArrayViewProtoFuncJoin):
+ (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
+ (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
+ (JSC::genericTypedArrayViewProtoGetterFuncLength):
+ (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
+ (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
+ (JSC::genericTypedArrayViewProtoFuncReverse):
+ (JSC::genericTypedArrayViewPrivateFuncSort):
+ (JSC::genericTypedArrayViewProtoFuncSlice):
+ (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
+ (JSC::JSC_DEFINE_HOST_FUNCTION): Deleted.
+ * runtime/VM.cpp:
+ (JSC::VM::getHostFunction):
+
2020-10-02 Ross Kirsling <[email protected]>
[JSC] Add Array#item to @@unscopables
Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (267937 => 267938)
--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2020-10-03 23:51:12 UTC (rev 267938)
@@ -1881,6 +1881,7 @@
E3C694B323026877006FBE42 /* WasmOSREntryData.h in Headers */ = {isa = PBXBuildFile; fileRef = E3C694B123026873006FBE42 /* WasmOSREntryData.h */; };
E3C79CAB1DB9A4DC00D1ECA4 /* DOMJITEffect.h in Headers */ = {isa = PBXBuildFile; fileRef = E3C79CAA1DB9A4D600D1ECA4 /* DOMJITEffect.h */; settings = {ATTRIBUTES = (Private, ); }; };
E3C8ED4323A1DBCB00131958 /* IsoInlinedHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = E3C8ED4223A1DBC500131958 /* IsoInlinedHeapCellType.h */; };
+ E3CA3A4E2527AB2F004802BF /* JITOperationList.h in Headers */ = {isa = PBXBuildFile; fileRef = E3CA3A4C2527AB2F004802BF /* JITOperationList.h */; settings = {ATTRIBUTES = (Private, ); }; };
E3D239C91B829C1C00BBEF67 /* JSModuleEnvironment.h in Headers */ = {isa = PBXBuildFile; fileRef = E3D239C71B829C1C00BBEF67 /* JSModuleEnvironment.h */; settings = {ATTRIBUTES = (Private, ); }; };
E3D3515F241B89D7008DC16E /* MarkedJSValueRefArray.h in Headers */ = {isa = PBXBuildFile; fileRef = E3D3515D241B89CE008DC16E /* MarkedJSValueRefArray.h */; };
E3D877741E65C0A000BE945A /* BytecodeDumper.h in Headers */ = {isa = PBXBuildFile; fileRef = E3D877721E65C08900BE945A /* BytecodeDumper.h */; };
@@ -5107,6 +5108,8 @@
E3C79CAA1DB9A4D600D1ECA4 /* DOMJITEffect.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITEffect.h; sourceTree = "<group>"; };
E3C8ED4123A1DBC400131958 /* IsoHeapCellType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = IsoHeapCellType.cpp; sourceTree = "<group>"; };
E3C8ED4223A1DBC500131958 /* IsoInlinedHeapCellType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IsoInlinedHeapCellType.h; sourceTree = "<group>"; };
+ E3CA3A4B2527AB2E004802BF /* JITOperationList.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITOperationList.cpp; sourceTree = "<group>"; };
+ E3CA3A4C2527AB2F004802BF /* JITOperationList.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITOperationList.h; sourceTree = "<group>"; };
E3D239C61B829C1C00BBEF67 /* JSModuleEnvironment.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSModuleEnvironment.cpp; sourceTree = "<group>"; };
E3D239C71B829C1C00BBEF67 /* JSModuleEnvironment.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSModuleEnvironment.h; sourceTree = "<group>"; };
E3D264261D38C042000BE174 /* BytecodeGeneratorification.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = BytecodeGeneratorification.cpp; sourceTree = "<group>"; };
@@ -8284,6 +8287,8 @@
0F30D7BF1D95D62F0053089D /* CPU.h */,
0F37308E1C0CD68500052BFA /* DisallowMacroScratchRegisterUsage.h */,
5267CF81249316AD0022BF6D /* FastJITPermissions.h */,
+ E3CA3A4B2527AB2E004802BF /* JITOperationList.cpp */,
+ E3CA3A4C2527AB2F004802BF /* JITOperationList.h */,
0FF4275615914A20004CB9FF /* LinkBuffer.cpp */,
86D3B3C110159D7F002865E7 /* LinkBuffer.h */,
0FEB3ECE16237F6700AB67AD /* MacroAssembler.cpp */,
@@ -9905,6 +9910,7 @@
79AF0BE41D3EFD4C00E95FA5 /* JITMathICInlineResult.h in Headers */,
FE187A021BFBE5610038BBCA /* JITMulGenerator.h in Headers */,
FE99B2491C24C3D300C82159 /* JITNegGenerator.h in Headers */,
+ E3CA3A4E2527AB2F004802BF /* JITOperationList.h in Headers */,
0F24E54D17EE274900ABB217 /* JITOperations.h in Headers */,
FE3A06C01C11041A00390FDD /* JITRightShiftGenerator.h in Headers */,
0F766D3115AA8112008F363E /* JITStubRoutine.h in Headers */,
Modified: trunk/Source/_javascript_Core/Sources.txt (267937 => 267938)
--- trunk/Source/_javascript_Core/Sources.txt 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/Sources.txt 2020-10-03 23:51:12 UTC (rev 267938)
@@ -46,6 +46,7 @@
assembler/AbstractMacroAssembler.cpp
assembler/AssemblerBuffer.cpp
assembler/CPU.cpp
+assembler/JITOperationList.cpp
assembler/LinkBuffer.cpp
assembler/MacroAssembler.cpp
assembler/MacroAssemblerARM64.cpp
Added: trunk/Source/_javascript_Core/assembler/JITOperationList.cpp (0 => 267938)
--- trunk/Source/_javascript_Core/assembler/JITOperationList.cpp (rev 0)
+++ trunk/Source/_javascript_Core/assembler/JITOperationList.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2020 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JITOperationList.h"
+
+namespace JSC {
+
+LazyNeverDestroyed<JITOperationList> jitOperationList;
+
+#if ENABLE(JIT_OPERATION_VALIDATION)
+extern const uintptr_t startOfHostFunctionsInJSC __asm("section$start$__DATA_CONST$__jsc_host");
+extern const uintptr_t endOfHostFunctionsInJSC __asm("section$end$__DATA_CONST$__jsc_host");
+extern const uintptr_t startOfJITOperationsInJSC __asm("section$start$__DATA_CONST$__jsc_ops");
+extern const uintptr_t endOfJITOperationsInJSC __asm("section$end$__DATA_CONST$__jsc_ops");
+#endif
+
+void JITOperationList::initialize()
+{
+ jitOperationList.construct();
+}
+
+#if ENABLE(JIT_OPERATION_VALIDATION)
+static ALWAYS_INLINE void addPointers(HashMap<void*, void*>& map, const uintptr_t* beginHost, const uintptr_t* endHost, const uintptr_t* beginOperations, const uintptr_t* endOperations)
+{
+ for (const uintptr_t* current = beginHost; current != endHost; ++current) {
+ void* codePtr = removeCodePtrTag(bitwise_cast<void*>(*current));
+ auto result = map.add(codePtr, tagCodePtr(codePtr, JSEntryPtrTag));
+ ASSERT(result.isNewEntry);
+ }
+ for (const uintptr_t* current = beginOperations; current != endOperations; ++current) {
+ void* codePtr = removeCodePtrTag(bitwise_cast<void*>(*current));
+ auto result = map.add(codePtr, tagCodePtr(codePtr, OperationPtrTag));
+ ASSERT(result.isNewEntry);
+ }
+}
+#endif
+
+void JITOperationList::populatePointersInJavaScriptCore()
+{
+#if ENABLE(JIT_OPERATION_VALIDATION)
+ static std::once_flag onceKey;
+ std::call_once(onceKey, [] {
+ if (Options::useJIT())
+ addPointers(jitOperationList->m_validatedOperations, &startOfHostFunctionsInJSC, &endOfHostFunctionsInJSC, &startOfJITOperationsInJSC, &endOfJITOperationsInJSC);
+ });
+#endif
+}
+
+void JITOperationList::populatePointersInEmbedder(const uintptr_t* beginHost, const uintptr_t* endHost, const uintptr_t* beginOperations, const uintptr_t* endOperations)
+{
+ UNUSED_PARAM(beginHost);
+ UNUSED_PARAM(endHost);
+ UNUSED_PARAM(beginOperations);
+ UNUSED_PARAM(endOperations);
+#if ENABLE(JIT_OPERATION_VALIDATION)
+ if (Options::useJIT())
+ addPointers(jitOperationList->m_validatedOperations, beginHost, endHost, beginOperations, endOperations);
+#endif
+}
+
+} // namespace JSC
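Review bot: `populatePointersInEmbedder` registers the given ranges with no once-guard, whereas `populatePointersInJavaScriptCore` wraps the same `addPointers` call in `std::call_once`; because `addPointers` asserts `result.isNewEntry` for every pointer, a second call from the same image (or an embedder whose section bounds coincide with JavaScriptCore's, as they might in a statically linked build) trips that assert instead of reporting anything meaningful. The contract belongs on the declaration, e.g. `// Must be called exactly once per embedder image, after JSC::initialize(); it reads Options::useJIT(), and re-registering a pointer asserts.` The `isNewEntry` assert also means a function annotated as both a host function and a JIT operation is treated as a bug, which is presumably intended but deserves a comment on `addPointers`. The two loops in `addPointers` differ only in the `PtrTag` they store and could be one small static helper taking the tag.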
Added: trunk/Source/_javascript_Core/assembler/JITOperationList.h (0 => 267938)
--- trunk/Source/_javascript_Core/assembler/JITOperationList.h (rev 0)
+++ trunk/Source/_javascript_Core/assembler/JITOperationList.h 2020-10-03 23:51:12 UTC (rev 267938)
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2020 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "JSCPtrTag.h"
+#include "Options.h"
+#include <wtf/HashMap.h>
+#include <wtf/NeverDestroyed.h>
+
+namespace JSC {
+
+class JITOperationList {
+public:
+ static JITOperationList& instance();
+ static void initialize();
+
+ void* contains(void* pointer) const
+ {
+ if constexpr(ASSERT_ENABLED)
+ return m_validatedOperations.get(removeCodePtrTag(pointer));
+ return pointer;
+ }
+
+ static void populatePointersInJavaScriptCore();
+
+ JS_EXPORT_PRIVATE static void populatePointersInEmbedder(const uintptr_t* beginHost, const uintptr_t* endHost, const uintptr_t* beginOperations, const uintptr_t* endOperations);
+
+ // FIXME: Currently, assertIsHostFunction and assertIsJITOperation are the same.
+ // We will make them work in a subsequent patch.
+ template<typename T> static void assertIsHostFunction(T function)
+ {
+ UNUSED_PARAM(function);
+#if ENABLE(JIT_OPERATION_VALIDATION)
+ ASSERT(function, !Options::useJIT() || JITOperationList::instance().contains(bitwise_cast<void*>(function)));
+#endif
+ }
+
+ template<typename T> static void assertIsJITOperation(T function)
+ {
+ UNUSED_PARAM(function);
+#if ENABLE(JIT_OPERATION_VALIDATION)
+ ASSERT(!Options::useJIT() || JITOperationList::instance().contains(bitwise_cast<void*>(function)));
+#endif
+ }
+
+private:
+ HashMap<void*, void*> m_validatedOperations;
+};
+
+extern LazyNeverDestroyed<JITOperationList> jitOperationList;
+
+inline JITOperationList& JITOperationList::instance()
+{
+ return jitOperationList.get();
+}
+
+} // namespace JSC
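Review bot: In `assertIsHostFunction` the line `ASSERT(function, !Options::useJIT() || …)` passes the containment condition as a second macro argument, so what is asserted is only that `function` is non-null and the lookup is never evaluated (WTF's `ASSERT` takes the assertion first and forwards any extra arguments as crash info, if I read the macro right); `assertIsJITOperation` a few lines below has the correct single-argument form. It should read `ASSERT(!Options::useJIT() || JITOperationList::instance().contains(bitwise_cast<void*>(function)));`. Separately, `contains` returns a `void*` rather than a bool and, when `ASSERT_ENABLED` is false, returns its input unchanged, so it reads like a validation routine but performs none in release; a comment such as `// Debug-only: returns the registered (tagged) pointer, or null if unknown. With ASSERT_ENABLED off this is an identity function and validates nothing.` would keep a caller from relying on it.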
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp (267937 => 267938)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -42,7 +42,7 @@
#if ENABLE(MASM_PROBE)
extern "C" JSC_DECLARE_JIT_OPERATION(ctiMasmProbeTrampoline, void, ());
-JSC_ANNOTATE_JIT_OPERATION(ctiMasmProbeTrampoline, ctiMasmProbeTrampoline);
+JSC_ANNOTATE_JIT_OPERATION(ctiMasmProbeTrampolineId, ctiMasmProbeTrampoline);
using namespace ARM64Registers;
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.cpp (267937 => 267938)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -36,7 +36,7 @@
#if ENABLE(MASM_PROBE)
extern "C" JSC_DECLARE_JIT_OPERATION(ctiMasmProbeTrampoline, void, ());
-JSC_ANNOTATE_JIT_OPERATION(ctiMasmProbeTrampoline, ctiMasmProbeTrampoline);
+JSC_ANNOTATE_JIT_OPERATION(ctiMasmProbeTrampolineId, ctiMasmProbeTrampoline);
using namespace ARMRegisters;
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerMIPS.cpp (267937 => 267938)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerMIPS.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerMIPS.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -37,7 +37,7 @@
#if ENABLE(MASM_PROBE)
extern "C" JSC_DECLARE_JIT_OPERATION(ctiMasmProbeTrampoline, void, ());
-JSC_ANNOTATE_JIT_OPERATION(ctiMasmProbeTrampoline, ctiMasmProbeTrampoline);
+JSC_ANNOTATE_JIT_OPERATION(ctiMasmProbeTrampolineId, ctiMasmProbeTrampoline);
using namespace MIPSRegisters;
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.cpp (267937 => 267938)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -40,7 +40,7 @@
#if ENABLE(MASM_PROBE)
extern "C" JSC_DECLARE_JIT_OPERATION(ctiMasmProbeTrampoline, void, ());
-JSC_ANNOTATE_JIT_OPERATION(ctiMasmProbeTrampoline, ctiMasmProbeTrampoline);
+JSC_ANNOTATE_JIT_OPERATION(ctiMasmProbeTrampolineId, ctiMasmProbeTrampoline);
// The following are offsets for Probe::State fields accessed by the ctiMasmProbeTrampoline stub.
Modified: trunk/Source/_javascript_Core/jsc.cpp (267937 => 267938)
--- trunk/Source/_javascript_Core/jsc.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/jsc.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -39,6 +39,7 @@
#include "InitializeThreading.h"
#include "Interpreter.h"
#include "JIT.h"
+#include "JITOperationList.h"
#include "JSArray.h"
#include "JSArrayBuffer.h"
#include "JSBigInt.h"
@@ -3415,6 +3416,13 @@
return result;
}
+#if ENABLE(JIT_OPERATION_VALIDATION)
+extern const uintptr_t startOfHostFunctionsInShell __asm("section$start$__DATA_CONST$__jsc_host");
+extern const uintptr_t endOfHostFunctionsInShell __asm("section$end$__DATA_CONST$__jsc_host");
+extern const uintptr_t startOfJITOperationsInShell __asm("section$start$__DATA_CONST$__jsc_ops");
+extern const uintptr_t endOfJITOperationsInShell __asm("section$end$__DATA_CONST$__jsc_ops");
+#endif
+
int jscmain(int argc, char** argv)
{
// Need to override and enable restricted options before we start parsing options below.
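Review bot: The four `section$start$`/`section$end$` externs added above `jscmain` carry no comment and are easily confused with the identically named linker symbols declared in JITOperationList.cpp; a reader needs to know these resolve to the jsc binary's own `__jsc_host`/`__jsc_ops` sections, not JavaScriptCore's, which is why the shell registers them separately through `populatePointersInEmbedder` in the next hunk while JSC's own tables are registered from `JSC::initialize()`. Suggested comment above the block: `// Linker-synthesized bounds of this executable's own __jsc_host/__jsc_ops sections; JSC's tables are registered by JSC::initialize().` jscmain's body continues past the end of this hunk.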
@@ -3434,6 +3442,9 @@
}
JSC::initialize();
+#if ENABLE(JIT_OPERATION_VALIDATION)
+ JSC::JITOperationList::populatePointersInEmbedder(&startOfHostFunctionsInShell, &endOfHostFunctionsInShell, &startOfJITOperationsInShell, &endOfJITOperationsInShell);
+#endif
initializeTimeoutIfNeeded();
#if OS(DARWIN) || OS(LINUX)
Modified: trunk/Source/_javascript_Core/runtime/InitializeThreading.cpp (267937 => 267938)
--- trunk/Source/_javascript_Core/runtime/InitializeThreading.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/runtime/InitializeThreading.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -30,6 +30,7 @@
#include "InitializeThreading.h"
#include "ExecutableAllocator.h"
+#include "JITOperationList.h"
#include "JSCConfig.h"
#include "JSCPtrTag.h"
#include "LLIntData.h"
@@ -64,6 +65,7 @@
#endif
{
Options::AllowUnfinalizedAccessScope scope;
+ JITOperationList::initialize();
ExecutableAllocator::initialize();
VM::computeCanUseJIT();
if (!g_jscConfig.vm.canUseJIT) {
@@ -73,6 +75,8 @@
}
Options::finalize();
+ JITOperationList::populatePointersInJavaScriptCore();
+
if (Options::useSigillCrashAnalyzer())
enableSigillCrashAnalyzer();
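Review bot: The ordering in this hunk is load-bearing but undocumented: `populatePointersInJavaScriptCore()` reads `Options::useJIT()`, so it has to stay after `Options::finalize()`, and `JITOperationList::initialize()` in the previous hunk has to precede it because the populate call dereferences the `LazyNeverDestroyed` instance. A one-line comment, `// After Options::finalize(): populatePointersInJavaScriptCore() reads Options::useJIT().`, would stop a later reorder from breaking the validation silently. The enclosing function's signature is outside the hunk.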
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h (267937 => 267938)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewPrototypeFunctions.h 2020-10-03 23:51:12 UTC (rev 267938)
@@ -100,7 +100,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoFuncSet, (VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncSet(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame)
{
auto scope = DECLARE_THROW_SCOPE(vm);
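Review bot: These templates stop being host functions (they lose `JSC_HOST_CALL_ATTRIBUTES` and the `__jsc_host` annotation) and become `ALWAYS_INLINE` helpers, but nothing in the file records why, and the same edit is repeated at every `genericTypedArrayView*` hunk below in this file. A comment above the first one would do, presumably along the lines of `// Not host functions themselves: JSC_DEFINE_HOST_FUNCTION cannot annotate a function template. Callers are the per-ViewClass JSC_DEFINE_HOST_FUNCTION wrappers.`, since `JSC_ANNOTATE_HOST_FUNCTION` now emits a namespace-scope `constexpr` variable that a template prefix cannot apply to. It is worth confirming that no remaining caller still takes the address of one of these templates as a host function, as the calling-convention attribute is gone. Each function's body continues outside its hunk.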
@@ -147,7 +147,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoFuncCopyWithin, (VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncCopyWithin(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame)
{
auto scope = DECLARE_THROW_SCOPE(vm);
@@ -179,7 +179,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoFuncIncludes, (VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncIncludes(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame)
{
auto scope = DECLARE_THROW_SCOPE(vm);
@@ -224,7 +224,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoFuncIndexOf, (VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncIndexOf(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame)
{
auto scope = DECLARE_THROW_SCOPE(vm);
@@ -261,7 +261,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoFuncJoin, (VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncJoin(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame)
{
auto scope = DECLARE_THROW_SCOPE(vm);
@@ -300,7 +300,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoFuncLastIndexOf, (VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncLastIndexOf(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame)
{
auto scope = DECLARE_THROW_SCOPE(vm);
@@ -350,7 +350,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoGetterFuncBuffer, (VM&, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoGetterFuncBuffer(VM&, JSGlobalObject* globalObject, CallFrame* callFrame)
{
// 22.2.3.3
ViewClass* thisObject = jsCast<ViewClass*>(callFrame->thisValue());
@@ -359,7 +359,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoGetterFuncLength, (VM&, JSGlobalObject*, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoGetterFuncLength(VM&, JSGlobalObject*, CallFrame* callFrame)
{
// 22.2.3.17
ViewClass* thisObject = jsCast<ViewClass*>(callFrame->thisValue());
@@ -368,7 +368,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoGetterFuncByteLength, (VM&, JSGlobalObject*, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoGetterFuncByteLength(VM&, JSGlobalObject*, CallFrame* callFrame)
{
// 22.2.3.2
ViewClass* thisObject = jsCast<ViewClass*>(callFrame->thisValue());
@@ -377,7 +377,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoGetterFuncByteOffset, (VM&, JSGlobalObject*, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoGetterFuncByteOffset(VM&, JSGlobalObject*, CallFrame* callFrame)
{
// 22.2.3.3
ViewClass* thisObject = jsCast<ViewClass*>(callFrame->thisValue());
@@ -386,7 +386,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoFuncReverse, (VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncReverse(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame)
{
// VM& vm = getVM(globalObject);
auto scope = DECLARE_THROW_SCOPE(vm);
@@ -403,7 +403,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewPrivateFuncSort, (VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewPrivateFuncSort(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame)
{
// VM& vm = getVM(globalObject);
auto scope = DECLARE_THROW_SCOPE(vm);
@@ -419,7 +419,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewProtoFuncSlice, (VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewProtoFuncSlice(VM& vm, JSGlobalObject* globalObject, CallFrame* callFrame)
{
auto scope = DECLARE_THROW_SCOPE(vm);
@@ -510,7 +510,7 @@
}
template<typename ViewClass>
-JSC_DEFINE_HOST_FUNCTION(genericTypedArrayViewPrivateFuncSubarrayCreate, (VM&vm, JSGlobalObject* globalObject, CallFrame* callFrame))
+ALWAYS_INLINE EncodedJSValue genericTypedArrayViewPrivateFuncSubarrayCreate(VM&vm, JSGlobalObject* globalObject, CallFrame* callFrame)
{
auto scope = DECLARE_THROW_SCOPE(vm);
Modified: trunk/Source/_javascript_Core/runtime/VM.cpp (267937 => 267938)
--- trunk/Source/_javascript_Core/runtime/VM.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/_javascript_Core/runtime/VM.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -78,6 +78,7 @@
#include "IsoHeapCellType.h"
#include "IsoInlinedHeapCellType.h"
#include "JITCode.h"
+#include "JITOperationList.h"
#include "JITThunks.h"
#include "JITWorklist.h"
#include "JSAPIGlobalObject.h"
@@ -831,6 +832,7 @@
{
#if ENABLE(JIT)
if (Options::useJIT()) {
+ JITOperationList::assertIsHostFunction(function);
return jitStubs->hostFunctionStub(
*this, function, constructor,
intrinsic != NoIntrinsic ? thunkGeneratorForIntrinsic(intrinsic) : nullptr,
Modified: trunk/Source/WTF/ChangeLog (267937 => 267938)
--- trunk/Source/WTF/ChangeLog 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WTF/ChangeLog 2020-10-03 23:51:12 UTC (rev 267938)
@@ -1,3 +1,13 @@
+2020-10-03 Yusuke Suzuki <[email protected]>
+
+ [JSC] Introduce JITOperationList to validate JIT-caged pointers
+ https://bugs.webkit.org/show_bug.cgi?id=217261
+
+ Reviewed by Saam Barati.
+
+ * wtf/PlatformCallingConventions.h:
+ * wtf/PlatformEnable.h:
+
2020-10-03 Alex Christensen <[email protected]>
Add extra slash after empty host copied from base URL if path is also empty
Modified: trunk/Source/WTF/wtf/PlatformCallingConventions.h (267937 => 267938)
--- trunk/Source/WTF/wtf/PlatformCallingConventions.h 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WTF/wtf/PlatformCallingConventions.h 2020-10-03 23:51:12 UTC (rev 267938)
@@ -42,13 +42,20 @@
#define JSC_HOST_CALL_ATTRIBUTES
#endif
+#if ENABLE(JIT_OPERATION_VALIDATION)
+#define JSC_ANNOTATE_HOST_FUNCTION(functionId, function) \
+ constexpr auto functionId __attribute__((used, section("__DATA_CONST,__jsc_host"))) = function;
+#else
+#define JSC_ANNOTATE_HOST_FUNCTION(functionId, function)
+#endif
+
#define JSC_DEFINE_HOST_FUNCTION_WITH_ATTRIBUTES(functionName, attributes, parameters) \
+ JSC_ANNOTATE_HOST_FUNCTION(_JITTarget_##functionName, static_cast<JSC::EncodedJSValue(*)parameters>(functionName)); \
attributes JSC::EncodedJSValue JSC_HOST_CALL_ATTRIBUTES functionName parameters
#define JSC_DEFINE_HOST_FUNCTION(functionName, parameters) \
JSC_DEFINE_HOST_FUNCTION_WITH_ATTRIBUTES(functionName, , parameters)
#define JSC_DECLARE_HOST_FUNCTION(functionName) \
JSC::EncodedJSValue JSC_HOST_CALL_ATTRIBUTES functionName(JSC::JSGlobalObject*, JSC::CallFrame*)
-#define JSC_ANNOTATE_HOST_FUNCTION(functionId, function)
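Review bot: The annotation variable is named `_JITTarget_##functionName`, and identifiers beginning with an underscore followed by an uppercase letter are reserved to the implementation in every scope, so the macro should use a non-reserved prefix such as `JITTarget_##functionName` (the same applies to `JSC_DEFINE_JIT_OPERATION_WITH_ATTRIBUTES` in the next hunk). The expansion also requires `functionName` to have been declared before the `JSC_DEFINE_*` macro is used, because `static_cast<…(*)parameters>(functionName)` now appears ahead of the definition; a comment on the macro stating that contract would save a confusing compile error. A comment on `JSC_ANNOTATE_HOST_FUNCTION` such as `// Emits the function's address into the __jsc_host section so JITOperationList can validate it; only meaningful where ENABLE(JIT_OPERATION_VALIDATION) is set (Darwin, debug).` would also help.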
#if CPU(X86) && OS(WINDOWS)
#define CALLING_CONVENTION_IS_STDCALL 1
@@ -82,14 +89,20 @@
#define JIT_OPERATION_ATTRIBUTES
#endif
+#if ENABLE(JIT_OPERATION_VALIDATION)
+#define JSC_ANNOTATE_JIT_OPERATION(functionId, function) \
+ constexpr auto functionId __attribute__((used, section("__DATA_CONST,__jsc_ops"))) = function;
+#else
+#define JSC_ANNOTATE_JIT_OPERATION(functionId, function)
+#endif
#define JSC_DEFINE_JIT_OPERATION_WITH_ATTRIBUTES(functionName, attributes, returnType, parameters) \
+ JSC_ANNOTATE_JIT_OPERATION(_JITTarget_##functionName, static_cast<returnType(*)parameters>(functionName)); \
attributes returnType JIT_OPERATION_ATTRIBUTES functionName parameters
#define JSC_DEFINE_JIT_OPERATION(functionName, returnType, parameters) \
JSC_DEFINE_JIT_OPERATION_WITH_ATTRIBUTES(functionName, , returnType, parameters)
#define JSC_DECLARE_JIT_OPERATION(functionName, returnType, parameters) \
returnType JIT_OPERATION_ATTRIBUTES functionName parameters REFERENCED_FROM_ASM WTF_INTERNAL
-#define JSC_ANNOTATE_JIT_OPERATION(functionId, function)
#define JSC_DECLARE_CUSTOM_GETTER(functionName) JSC_DECLARE_JIT_OPERATION(functionName, JSC::EncodedJSValue, (JSC::JSGlobalObject*, JSC::EncodedJSValue, JSC::PropertyName))
#define JSC_DECLARE_CUSTOM_SETTER(functionName) JSC_DECLARE_JIT_OPERATION(functionName, bool, (JSC::JSGlobalObject*, JSC::EncodedJSValue, JSC::EncodedJSValue))
Modified: trunk/Source/WTF/wtf/PlatformEnable.h (267937 => 267938)
--- trunk/Source/WTF/wtf/PlatformEnable.h 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WTF/wtf/PlatformEnable.h 2020-10-03 23:51:12 UTC (rev 267938)
@@ -888,3 +888,7 @@
#if CPU(ARM64) && CPU(ADDRESS64)
#define USE_JUMP_ISLANDS 1
#endif
+
+#if OS(DARWIN) && ENABLE(JIT) && ASSERT_ENABLED
+#define ENABLE_JIT_OPERATION_VALIDATION 1
+#endif
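Review bot: The new `ENABLE_JIT_OPERATION_VALIDATION` gate gives no reason for the `OS(DARWIN)` restriction. The mechanism depends on Mach-O `section$start$`/`section$end$` linker symbols and the `__DATA_CONST` segment (see JITOperationList.cpp and PlatformCallingConventions.h in this commit), so a comment such as `// Relies on Mach-O section$start$/section$end$ symbols and the __DATA_CONST segment; debug-only by design (ASSERT_ENABLED).` would make the portability constraint explicit. The gate also reads `ASSERT_ENABLED`, so it only does what is intended where that macro is already defined when this header is processed; worth confirming the include order.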
Modified: trunk/Source/WebCore/ChangeLog (267937 => 267938)
--- trunk/Source/WebCore/ChangeLog 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/ChangeLog 2020-10-03 23:51:12 UTC (rev 267938)
@@ -1,3 +1,35 @@
+2020-10-03 Yusuke Suzuki <[email protected]>
+
+ [JSC] Introduce JITOperationList to validate JIT-caged pointers
+ https://bugs.webkit.org/show_bug.cgi?id=217261
+
+ Reviewed by Saam Barati.
+
+ We should have WebCore::initialize(). It is filed in https://bugs.webkit.org/show_bug.cgi?id=217270.
+
+ * Headers.cmake:
+ * Sources.txt:
+ * WebCore.xcodeproj/project.pbxproj:
+ * bindings/js/JSDOMBuiltinConstructor.h:
+ * bindings/js/JSDOMConstructor.h:
+ * bindings/js/JSDOMLegacyFactoryFunction.h:
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::initializeMainThread):
+ * bindings/js/WebCoreJITOperations.cpp: Copied from Source/WebKit/Shared/WebKit2Initialize.cpp.
+ (WebCore::populateJITOperations):
+ * bindings/js/WebCoreJITOperations.h: Copied from Source/WebKit/Shared/WebKit2Initialize.cpp.
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateConstructorDefinitions):
+ * bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:
+ * bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp:
+ * bridge/objc/WebScriptObject.mm:
+ (+[WebScriptObject initialize]):
+ * domjit/JSDocumentDOMJIT.cpp:
+ * platform/cocoa/SharedBufferCocoa.mm:
+ (+[WebCoreSharedBufferData initialize]):
+ * platform/ios/wak/WebCoreThread.mm:
+ (RunWebThread):
+
2020-10-03 Antoine Quint <[email protected]>
Add non-animated support for the CSS translate property
Modified: trunk/Source/WebCore/Headers.cmake (267937 => 267938)
--- trunk/Source/WebCore/Headers.cmake 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/Headers.cmake 2020-10-03 23:51:12 UTC (rev 267938)
@@ -258,6 +258,7 @@
bindings/js/ScriptWrappableInlines.h
bindings/js/SerializedScriptValue.h
bindings/js/StringAdaptors.h
+ bindings/js/WebCoreJITOperations.h
bindings/js/WebCoreTypedArrayController.h
bindings/js/WindowProxy.h
Modified: trunk/Source/WebCore/Sources.txt (267937 => 267938)
--- trunk/Source/WebCore/Sources.txt 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/Sources.txt 2020-10-03 23:51:12 UTC (rev 267938)
@@ -594,6 +594,7 @@
bindings/js/ScriptWrappable.cpp
bindings/js/SerializedScriptValue.cpp
bindings/js/StructuredClone.cpp
+bindings/js/WebCoreJITOperations.cpp
bindings/js/WebCoreJSClientData.cpp
bindings/js/WebCoreTypedArrayController.cpp
bindings/js/WindowProxy.cpp
Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (267937 => 267938)
--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2020-10-03 23:51:12 UTC (rev 267938)
@@ -4967,6 +4967,7 @@
E323CFFA1E5AF6AF00F0B4A0 /* JSDOMConvertPromise.h in Headers */ = {isa = PBXBuildFile; fileRef = E323CFF91E5AF6A500F0B4A0 /* JSDOMConvertPromise.h */; settings = {ATTRIBUTES = (Private, ); }; };
E3565B7B1DC2D6C900217DBD /* JSEventCustom.h in Headers */ = {isa = PBXBuildFile; fileRef = E34EE49F1DC2D57500EAA9D3 /* JSEventCustom.h */; settings = {ATTRIBUTES = (Private, ); }; };
E35802B61DC8435D00A9773C /* DOMJITIDLTypeFilter.h in Headers */ = {isa = PBXBuildFile; fileRef = E35802B51DC8435800A9773C /* DOMJITIDLTypeFilter.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ E3582C282527F66900D1B790 /* WebCoreJITOperations.h in Headers */ = {isa = PBXBuildFile; fileRef = E3582C262527F66800D1B790 /* WebCoreJITOperations.h */; settings = {ATTRIBUTES = (Private, ); }; };
E35B907F23F60A50000011FF /* LocalizedDeviceModel.h in Headers */ = {isa = PBXBuildFile; fileRef = E35B907C23F60677000011FF /* LocalizedDeviceModel.h */; settings = {ATTRIBUTES = (Private, ); }; };
E377FE4D1DADE16500CDD025 /* NodeConstants.h in Headers */ = {isa = PBXBuildFile; fileRef = E3D049931DADC04500718F3C /* NodeConstants.h */; settings = {ATTRIBUTES = (Private, ); }; };
E37C86501EB63E3F0087C6CA /* JSDOMPromise.h in Headers */ = {isa = PBXBuildFile; fileRef = E37C864F1EB63E2D0087C6CA /* JSDOMPromise.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -15838,6 +15839,8 @@
E334825E1DC93AA0009C9544 /* DOMJITAbstractHeapRepository.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DOMJITAbstractHeapRepository.h; path = DerivedSources/WebCore/DOMJITAbstractHeapRepository.h; sourceTree = BUILT_PRODUCTS_DIR; };
E34EE49F1DC2D57500EAA9D3 /* JSEventCustom.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSEventCustom.h; sourceTree = "<group>"; };
E35802B51DC8435800A9773C /* DOMJITIDLTypeFilter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITIDLTypeFilter.h; sourceTree = "<group>"; };
+ E3582C242527F66800D1B790 /* WebCoreJITOperations.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WebCoreJITOperations.cpp; sourceTree = "<group>"; };
+ E3582C262527F66800D1B790 /* WebCoreJITOperations.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebCoreJITOperations.h; sourceTree = "<group>"; };
E35B907C23F60677000011FF /* LocalizedDeviceModel.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LocalizedDeviceModel.h; sourceTree = "<group>"; };
E35B907E23F60677000011FF /* LocalizedDeviceModel.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = LocalizedDeviceModel.mm; sourceTree = "<group>"; };
E37C864F1EB63E2D0087C6CA /* JSDOMPromise.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSDOMPromise.h; sourceTree = "<group>"; };
@@ -26529,6 +26532,8 @@
414B82021D6DF0D90077EBE3 /* StructuredClone.cpp */,
414B82031D6DF0D90077EBE3 /* StructuredClone.h */,
419BE7521BC7F3DB00E1C85B /* WebCoreBuiltinNames.h */,
+ E3582C242527F66800D1B790 /* WebCoreJITOperations.cpp */,
+ E3582C262527F66800D1B790 /* WebCoreJITOperations.h */,
0F7DF1471E2BF1A60095951B /* WebCoreJSClientData.cpp */,
BC53D910114310CC000D817E /* WebCoreJSClientData.h */,
0F099D0617B968A100FF84B9 /* WebCoreTypedArrayController.cpp */,
@@ -34505,6 +34510,7 @@
CDC69DDA16371FD4007C38DF /* WebCoreFullScreenPlaceholderView.h in Headers */,
CDC69DD61632026C007C38DF /* WebCoreFullScreenWarningView.h in Headers */,
CD127DEE14F3098400E84779 /* WebCoreFullScreenWindow.h in Headers */,
+ E3582C282527F66900D1B790 /* WebCoreJITOperations.h in Headers */,
BC348BD40DB7F804004ABABB /* WebCoreJSBuiltinInternals.h in Headers */,
BC348BD40DB7F804004ABABA /* WebCoreJSBuiltins.h in Headers */,
BC53D911114310CC000D817E /* WebCoreJSClientData.h in Headers */,
Modified: trunk/Source/WebCore/bindings/js/JSDOMBuiltinConstructor.h (267937 => 267938)
--- trunk/Source/WebCore/bindings/js/JSDOMBuiltinConstructor.h 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/bindings/js/JSDOMBuiltinConstructor.h 2020-10-03 23:51:12 UTC (rev 267938)
@@ -37,6 +37,8 @@
// Usually defined for each specialization class.
static JSC::JSValue prototypeForStructure(JSC::VM&, const JSDOMGlobalObject&);
+ static JSC::EncodedJSValue JSC_HOST_CALL_ATTRIBUTES construct(JSC::JSGlobalObject*, JSC::CallFrame*);
+
private:
JSDOMBuiltinConstructor(JSC::Structure* structure, JSDOMGlobalObject& globalObject)
: Base(structure, globalObject)
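Review bot: The `construct` declaration hoisted into the public section right after `prototypeForStructure` carries no comment saying why it must be public, so a later tidy-up could push it back under `private:` and break code that only the generator emits; the CodeGeneratorJS.pm change in this same commit names `${className}DOMConstructor::construct` at namespace scope inside a `JSC_ANNOTATE_HOST_FUNCTION` line, which presumably is the consumer that needs access. Add above the declaration `// Public only so the generated JSC_ANNOTATE_HOST_FUNCTION() line can take its address for JITOperationList validation; not meant to be called directly.` The class body continues outside the hunk.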
@@ -45,7 +47,6 @@
void finishCreation(JSC::VM&, JSDOMGlobalObject&);
static JSC::CallData getConstructData(JSC::JSCell*);
- static JSC::EncodedJSValue JSC_HOST_CALL_ATTRIBUTES construct(JSC::JSGlobalObject*, JSC::CallFrame*);
JSC::EncodedJSValue callConstructor(JSC::JSGlobalObject&, JSC::CallFrame&, JSC::JSObject&);
JSC::EncodedJSValue callConstructor(JSC::JSGlobalObject&, JSC::CallFrame&, JSC::JSObject*);
Modified: trunk/Source/WebCore/bindings/js/JSDOMConstructor.h (267937 => 267938)
--- trunk/Source/WebCore/bindings/js/JSDOMConstructor.h 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/bindings/js/JSDOMConstructor.h 2020-10-03 23:51:12 UTC (rev 267938)
@@ -35,6 +35,9 @@
// Must be defined for each specialization class.
static JSC::JSValue prototypeForStructure(JSC::VM&, const JSDOMGlobalObject&);
+ // Must be defined for each specialization class.
+ static JSC::EncodedJSValue JSC_HOST_CALL_ATTRIBUTES construct(JSC::JSGlobalObject*, JSC::CallFrame*);
+
private:
JSDOMConstructor(JSC::Structure* structure, JSDOMGlobalObject& globalObject)
: Base(structure, globalObject)
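Review bot: The comment moved with `construct` says what specializations must define but not why an entry point nobody calls by hand is now public rather than private as before, and the same question applies to the identical move in JSDOMLegacyFactoryFunction.h. The reason visible in this commit is the generated `JSC_ANNOTATE_HOST_FUNCTION(..., ${className}DOMConstructor::construct)` line in CodeGeneratorJS.pm, which needs access from namespace scope; extend the comment to `// Must be defined for each specialization class. Public so the generated JSC_ANNOTATE_HOST_FUNCTION() line can take its address.` The class body extends beyond the hunk.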
@@ -46,8 +49,6 @@
// Usually defined for each specialization class.
void initializeProperties(JSC::VM&, JSDOMGlobalObject&) { }
- // Must be defined for each specialization class.
- static JSC::EncodedJSValue JSC_HOST_CALL_ATTRIBUTES construct(JSC::JSGlobalObject*, JSC::CallFrame*);
};
template<typename JSClass> inline JSDOMConstructor<JSClass>* JSDOMConstructor<JSClass>::create(JSC::VM& vm, JSC::Structure* structure, JSDOMGlobalObject& globalObject)
Modified: trunk/Source/WebCore/bindings/js/JSDOMLegacyFactoryFunction.h (267937 => 267938)
--- trunk/Source/WebCore/bindings/js/JSDOMLegacyFactoryFunction.h 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/bindings/js/JSDOMLegacyFactoryFunction.h 2020-10-03 23:51:12 UTC (rev 267938)
@@ -36,6 +36,9 @@
// Must be defined for each specialization class.
static JSC::JSValue prototypeForStructure(JSC::VM&, const JSDOMGlobalObject&);
+ // Must be defined for each specialization class.
+ static JSC::EncodedJSValue JSC_HOST_CALL_ATTRIBUTES construct(JSC::JSGlobalObject*, JSC::CallFrame*);
+
private:
JSDOMLegacyFactoryFunction(JSC::Structure* structure, JSDOMGlobalObject& globalObject)
: Base(structure, globalObject)
@@ -47,8 +50,6 @@
// Usually defined for each specialization class.
void initializeProperties(JSC::VM&, JSDOMGlobalObject&) { }
- // Must be defined for each specialization class.
- static JSC::EncodedJSValue JSC_HOST_CALL_ATTRIBUTES construct(JSC::JSGlobalObject*, JSC::CallFrame*);
};
template<typename JSClass> inline JSDOMLegacyFactoryFunction<JSClass>* JSDOMLegacyFactoryFunction<JSClass>::create(JSC::VM& vm, JSC::Structure* structure, JSDOMGlobalObject& globalObject)
Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (267937 => 267938)
--- trunk/Source/WebCore/bindings/js/ScriptController.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -56,6 +56,7 @@
#include "ScriptableDocumentParser.h"
#include "Settings.h"
#include "UserGestureIndicator.h"
+#include "WebCoreJITOperations.h"
#include "WebCoreJSClientData.h"
#include "npruntime_impl.h"
#include "runtime_root.h"
@@ -87,6 +88,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Copied: trunk/Source/WebCore/bindings/js/WebCoreJITOperations.cpp (from rev 267937, trunk/Source/WebKit/Shared/WebKit2Initialize.cpp) (0 => 267938)
--- trunk/Source/WebCore/bindings/js/WebCoreJITOperations.cpp (rev 0)
+++ trunk/Source/WebCore/bindings/js/WebCoreJITOperations.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2020 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "WebCoreJITOperations.h"
+
+#include <_javascript_Core/JITOperationList.h>
+
+namespace WebCore {
+
+#if ENABLE(JIT_OPERATION_VALIDATION)
+extern const uintptr_t startOfHostFunctionsInWebCore __asm("section$start$__DATA_CONST$__jsc_host");
+extern const uintptr_t endOfHostFunctionsInWebCore __asm("section$end$__DATA_CONST$__jsc_host");
+extern const uintptr_t startOfJITOperationsInWebCore __asm("section$start$__DATA_CONST$__jsc_ops");
+extern const uintptr_t endOfJITOperationsInWebCore __asm("section$end$__DATA_CONST$__jsc_ops");
+#endif
+
+void populateJITOperations()
+{
+#if ENABLE(JIT_OPERATION_VALIDATION)
+ static std::once_flag onceKey;
+ std::call_once(onceKey, [] {
+ JSC::JITOperationList::populatePointersInEmbedder(&startOfHostFunctionsInWebCore, &endOfHostFunctionsInWebCore, &startOfJITOperationsInWebCore, &endOfJITOperationsInWebCore);
+ });
+#endif
+}
+
+}
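Review bot: `std::once_flag` and `std::call_once` are used in `populateJITOperations` but the file includes only config.h, its own header and JITOperationList.h, so it compiles only because `<mutex>` arrives transitively; add `#include <mutex>` next to the JITOperationList include. The `section$start$`/`section$end$` symbols are synthesized by the Apple linker, so this translation unit links only while `ENABLE(JIT_OPERATION_VALIDATION)` stays confined to Cocoa builds — a comment on the `#if` saying so would protect whoever next widens that macro. It is also worth recording, above the `extern` declarations, that the tables live in `__DATA_CONST` (dyld remaps that segment read-only after fixups, so the allowlist JSC consults cannot be patched by a later memory-corruption primitive) and that every caller added in this patch runs this after `JSC::initialize()`; that ordering is presumably required, so state it rather than leave it implicit.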
Copied: trunk/Source/WebCore/bindings/js/WebCoreJITOperations.h (from rev 267937, trunk/Source/WebKit/Shared/WebKit2Initialize.cpp) (0 => 267938)
--- trunk/Source/WebCore/bindings/js/WebCoreJITOperations.h (rev 0)
+++ trunk/Source/WebCore/bindings/js/WebCoreJITOperations.h 2020-10-03 23:51:12 UTC (rev 267938)
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2020 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+namespace WebCore {
+
+WEBCORE_EXPORT void populateJITOperations();
+
+}
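Review bot: `populateJITOperations()` is exported with no documentation although this patch wires it into six different initialization paths, so the contract should be written where callers see it. Add above the declaration `// Registers WebCore's JSC_ANNOTATE_HOST_FUNCTION / JSC_DEFINE_JIT_OPERATION pointers with JSC::JITOperationList so JIT-validated calls into WebCore are accepted. Call after JSC::initialize(); idempotent (first call wins). No-op unless ENABLE(JIT_OPERATION_VALIDATION).` The idempotence claim is grounded in the `std::call_once` in the .cpp; the "after JSC::initialize()" ordering is what every call site in this patch does, but confirm it is actually required by JITOperationList before documenting it as a hard rule.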
Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (267937 => 267938)
--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -7719,7 +7719,7 @@
GenerateOverloadDispatcher(@{$interface->constructors}[0], $interface, $overloadFunctionPrefix, "", "lexicalGlobalObject, callFrame");
push(@implContent, "}\n");
- push(@implContent, "JSC_ANNOTATE_HOST_FUNCTION(${className}ConstructorConstruct, ${className}Constructor::construct);\n\n");
+ push(@implContent, "JSC_ANNOTATE_HOST_FUNCTION(${className}ConstructorConstruct, ${className}DOMConstructor::construct);\n\n");
} elsif (@constructors == 1) {
GenerateConstructorDefinition($outputArray, $className, $protoClassName, $visibleInterfaceName, $interface, $generatingLegacyFactoryFunction, $constructors[0]);
} else {
Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp (267937 => 267938)
--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -204,7 +204,7 @@
}
return throwVMTypeError(lexicalGlobalObject, throwScope);
}
-JSC_ANNOTATE_HOST_FUNCTION(JSTestOverloadedConstructorsConstructorConstruct, JSTestOverloadedConstructorsConstructor::construct);
+JSC_ANNOTATE_HOST_FUNCTION(JSTestOverloadedConstructorsConstructorConstruct, JSTestOverloadedConstructorsDOMConstructor::construct);
template<> JSValue JSTestOverloadedConstructorsDOMConstructor::prototypeForStructure(JSC::VM& vm, const JSDOMGlobalObject& globalObject)
{
Modified: trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp (267937 => 267938)
--- trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -143,7 +143,7 @@
}
return throwVMTypeError(lexicalGlobalObject, throwScope);
}
-JSC_ANNOTATE_HOST_FUNCTION(JSTestOverloadedConstructorsWithSequenceConstructorConstruct, JSTestOverloadedConstructorsWithSequenceConstructor::construct);
+JSC_ANNOTATE_HOST_FUNCTION(JSTestOverloadedConstructorsWithSequenceConstructorConstruct, JSTestOverloadedConstructorsWithSequenceDOMConstructor::construct);
template<> JSValue JSTestOverloadedConstructorsWithSequenceDOMConstructor::prototypeForStructure(JSC::VM& vm, const JSDOMGlobalObject& globalObject)
{
Modified: trunk/Source/WebCore/bridge/objc/WebScriptObject.mm (267937 => 267938)
--- trunk/Source/WebCore/bridge/objc/WebScriptObject.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/bridge/objc/WebScriptObject.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -35,6 +35,7 @@
#import "JSHTMLElement.h"
#import "JSPluginElementFunctions.h"
#import "ObjCRuntimeObject.h"
+#import "WebCoreJITOperations.h"
#import "WebCoreObjCExtras.h"
#import "objc_instance.h"
#import "runtime_object.h"
@@ -166,6 +167,7 @@
#if !USE(WEB_THREAD)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebCore/domjit/JSDocumentDOMJIT.cpp (267937 => 267938)
--- trunk/Source/WebCore/domjit/JSDocumentDOMJIT.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/domjit/JSDocumentDOMJIT.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -140,6 +140,8 @@
return snippet;
}
+namespace DOMJIT {
+
extern "C" {
JSC_DEFINE_JIT_OPERATION(operationToJSElement, JSC::EncodedJSValue, (JSC::JSGlobalObject* globalObject, void* result))
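Review bot: The new `namespace DOMJIT {` wrapper around the `extern "C"` block has no comment explaining what it is for, and a reader who knows that `extern "C"` functions keep their unmangled name regardless of enclosing namespace will conclude it cannot be there for `operationToJSElement` itself and may remove it. Presumably it scopes whatever C++-linkage entity `JSC_DEFINE_JIT_OPERATION` emits alongside the function (the macro is not visible here); add a comment such as `// DOMJIT namespace scopes the non-extern-"C" registration symbols JSC_DEFINE_JIT_OPERATION emits; the C functions themselves are unaffected.` after confirming that against the macro definition. The enclosing WebCore namespace and the function bodies continue outside the hunk.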
@@ -194,6 +196,6 @@
}
-}
+} }
#endif
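Review bot: The `} }` on the line before `#endif` now closes both the `extern "C"` block and the newly opened `DOMJIT` namespace on one unlabelled line, which is easy to misread as a stray brace when the openings are fifty lines away. Split it into `} // extern "C"` and `} // namespace DOMJIT`, matching the `} // namespace` convention used elsewhere in WebCore. The block being closed starts in an earlier hunk.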
Modified: trunk/Source/WebCore/platform/cocoa/SharedBufferCocoa.mm (267937 => 267938)
--- trunk/Source/WebCore/platform/cocoa/SharedBufferCocoa.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/platform/cocoa/SharedBufferCocoa.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -26,6 +26,7 @@
#import "config.h"
#import "SharedBuffer.h"
+#import "WebCoreJITOperations.h"
#import "WebCoreObjCExtras.h"
#import <_javascript_Core/InitializeThreading.h>
#import <string.h>
@@ -46,6 +47,7 @@
#if !USE(WEB_THREAD)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif // !USE(WEB_THREAD)
}
Modified: trunk/Source/WebCore/platform/ios/wak/WebCoreThread.mm (267937 => 267938)
--- trunk/Source/WebCore/platform/ios/wak/WebCoreThread.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebCore/platform/ios/wak/WebCoreThread.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -36,6 +36,7 @@
#import "ThreadGlobalData.h"
#import "WAKWindow.h"
#import "WKUtilities.h"
+#import "WebCoreJITOperations.h"
#import "WebCoreThreadInternal.h"
#import "WebCoreThreadMessage.h"
#import "WebCoreThreadRun.h"
@@ -616,6 +617,7 @@
// <rdar://problem/8502487>.
WTF::initializeWebThread();
JSC::initialize();
+ WebCore::populateJITOperations();
// Make sure that the WebThread and the main thread share the same ThreadGlobalData objects.
WebCore::threadGlobalData().setWebCoreThreadData();
Modified: trunk/Source/WebKit/ChangeLog (267937 => 267938)
--- trunk/Source/WebKit/ChangeLog 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKit/ChangeLog 2020-10-03 23:51:12 UTC (rev 267938)
@@ -1,3 +1,22 @@
+2020-10-03 Yusuke Suzuki <[email protected]>
+
+ [JSC] Introduce JITOperationList to validate JIT-caged pointers
+ https://bugs.webkit.org/show_bug.cgi?id=217261
+
+ Reviewed by Saam Barati.
+
+ * Shared/API/c/WKString.cpp:
+ (WKStringCopyJSString):
+ * Shared/Cocoa/WebKit2InitializeCocoa.mm:
+ (WebKit::runInitializationCode):
+ * Shared/WebKit2Initialize.cpp:
+ (WebKit::InitializeWebKit2):
+ * Shared/WebKitJITOperations.cpp: Copied from Source/WebKit/Shared/WebKit2Initialize.cpp.
+ (WebKit::populateJITOperations):
+ * Shared/WebKitJITOperations.h: Copied from Source/WebKit/Shared/WebKit2Initialize.cpp.
+ * Sources.txt:
+ * WebKit.xcodeproj/project.pbxproj:
+
2020-10-03 Myles C. Maxfield <[email protected]>
[GPU Process] Support drawing text in 2D canvas with font features
Modified: trunk/Source/WebKit/Shared/API/c/WKString.cpp (267937 => 267938)
--- trunk/Source/WebKit/Shared/API/c/WKString.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKit/Shared/API/c/WKString.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -28,8 +28,10 @@
#include "WKStringPrivate.h"
#include "WKAPICast.h"
+#include "WebKitJITOperations.h"
#include <_javascript_Core/InitializeThreading.h>
#include <_javascript_Core/OpaqueJSString.h>
+#include <WebCore/WebCoreJITOperations.h>
#include <wtf/unicode/UTF8Conversion.h>
WKTypeID WKStringGetTypeID()
@@ -134,5 +136,7 @@
JSStringRef WKStringCopyJSString(WKStringRef stringRef)
{
JSC::initialize();
+ WebCore::populateJITOperations();
+ WebKit::populateJITOperations();
return OpaqueJSString::tryCreate(WebKit::toImpl(stringRef)->string()).leakRef();
}
Modified: trunk/Source/WebKit/Shared/Cocoa/WebKit2InitializeCocoa.mm (267937 => 267938)
--- trunk/Source/WebKit/Shared/Cocoa/WebKit2InitializeCocoa.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKit/Shared/Cocoa/WebKit2InitializeCocoa.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -27,7 +27,9 @@
#import "WebKit2Initialize.h"
#import "VersionChecks.h"
+#import "WebKitJITOperations.h"
#import <_javascript_Core/InitializeThreading.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <mutex>
#import <wtf/MainThread.h>
#import <wtf/RefCounted.h>
@@ -54,6 +56,9 @@
WTF::initializeMainThread();
WTF::RefCountedBase::enableThreadingChecksGlobally();
+
+ WebCore::populateJITOperations();
+ WebKit::populateJITOperations();
}
void InitializeWebKit2()
Modified: trunk/Source/WebKit/Shared/WebKit2Initialize.cpp (267937 => 267938)
--- trunk/Source/WebKit/Shared/WebKit2Initialize.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKit/Shared/WebKit2Initialize.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -27,8 +27,10 @@
#include "WebKit2Initialize.h"
#include "LogInitialization.h"
+#include "WebKitJITOperations.h"
#include <_javascript_Core/InitializeThreading.h>
#include <WebCore/LogInitialization.h>
+#include <WebCore/WebCoreJITOperations.h>
#include <wtf/MainThread.h>
#include <wtf/RefCounted.h>
#include <wtf/RunLoop.h>
@@ -49,6 +51,9 @@
WebCore::initializeLogChannelsIfNecessary();
WebKit::initializeLogChannelsIfNecessary();
#endif // !LOG_DISABLED || !RELEASE_LOG_DISABLED
+
+ WebCore::populateJITOperations();
+ WebKit::populateJITOperations();
}
#endif // !PLATFORM(COCOA)
Copied: trunk/Source/WebKit/Shared/WebKitJITOperations.cpp (from rev 267937, trunk/Source/WebKit/Shared/WebKit2Initialize.cpp) (0 => 267938)
--- trunk/Source/WebKit/Shared/WebKitJITOperations.cpp (rev 0)
+++ trunk/Source/WebKit/Shared/WebKitJITOperations.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2020 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "WebKitJITOperations.h"
+
+#include <_javascript_Core/JITOperationList.h>
+
+namespace WebKit {
+
+#if ENABLE(JIT_OPERATION_VALIDATION)
+extern const uintptr_t startOfHostFunctionsInWebKit __asm("section$start$__DATA_CONST$__jsc_host");
+extern const uintptr_t endOfHostFunctionsInWebKit __asm("section$end$__DATA_CONST$__jsc_host");
+extern const uintptr_t startOfJITOperationsInWebKit __asm("section$start$__DATA_CONST$__jsc_ops");
+extern const uintptr_t endOfJITOperationsInWebKit __asm("section$end$__DATA_CONST$__jsc_ops");
+#endif
+
+void populateJITOperations()
+{
+#if ENABLE(JIT_OPERATION_VALIDATION)
+ static std::once_flag onceKey;
+ std::call_once(onceKey, [] {
+ JSC::JITOperationList::populatePointersInEmbedder(&startOfHostFunctionsInWebKit, &endOfHostFunctionsInWebKit, &startOfJITOperationsInWebKit, &endOfJITOperationsInWebKit);
+ });
+#endif
+}
+
+}
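Review bot: `std::once_flag`/`std::call_once` are used without `#include <mutex>` (only config.h, the own header and JITOperationList.h are included), so add that include rather than rely on a transitive one. The `section$start$`/`section$end$` externs are Apple-linker-only, yet this same patch calls `WebKit::populateJITOperations()` from the `!PLATFORM(COCOA)` branch of `InitializeWebKit2`; that only builds while `ENABLE(JIT_OPERATION_VALIDATION)` is off on non-Apple toolchains, which deserves a comment on the `#if` here so the coupling is visible. A note that the tables sit in `__DATA_CONST` (read-only after dyld fixups, which is what makes the allowlist trustworthy) would also help the next reader understand why the validation is worth anything.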
Copied: trunk/Source/WebKit/Shared/WebKitJITOperations.h (from rev 267937, trunk/Source/WebKit/Shared/WebKit2Initialize.cpp) (0 => 267938)
--- trunk/Source/WebKit/Shared/WebKitJITOperations.h (rev 0)
+++ trunk/Source/WebKit/Shared/WebKitJITOperations.h 2020-10-03 23:51:12 UTC (rev 267938)
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2020 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+namespace WebKit {
+
+void populateJITOperations();
+
+}
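Review bot: `populateJITOperations()` is declared with no comment, so a caller cannot tell when it must run or whether calling it twice is safe. Add above it `// Registers WebKit's JSC_ANNOTATE_HOST_FUNCTION / JSC_DEFINE_JIT_OPERATION pointers with JSC::JITOperationList. Call after JSC::initialize(); idempotent. No-op unless ENABLE(JIT_OPERATION_VALIDATION).` Idempotence follows from the `std::call_once` in the .cpp; the ordering mirrors every call site in this patch but should be confirmed against JITOperationList before being stated as a requirement.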
Modified: trunk/Source/WebKit/Sources.txt (267937 => 267938)
--- trunk/Source/WebKit/Sources.txt 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKit/Sources.txt 2020-10-03 23:51:12 UTC (rev 267938)
@@ -197,6 +197,7 @@
Shared/WebImage.cpp
Shared/WebKeyboardEvent.cpp @no-unify
Shared/WebKit2Initialize.cpp @no-unify
+Shared/WebKitJITOperations.cpp @no-unify
Shared/WebMemorySampler.cpp
Shared/WebMouseEvent.cpp @no-unify
Shared/WebPageCreationParameters.cpp
Modified: trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj (267937 => 267938)
--- trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj 2020-10-03 23:51:12 UTC (rev 267938)
@@ -1801,6 +1801,7 @@
E1D26A53175964D90095BFD1 /* WebContentProcess.xib in Resources */ = {isa = PBXBuildFile; fileRef = E1D26A4C1759634E0095BFD1 /* WebContentProcess.xib */; };
E1E552C516AE065F004ED653 /* SandboxInitializationParameters.h in Headers */ = {isa = PBXBuildFile; fileRef = E1E552C316AE065E004ED653 /* SandboxInitializationParameters.h */; };
E1EE53E311F8CFC000CCBEE4 /* InjectedBundlePageEditorClient.h in Headers */ = {isa = PBXBuildFile; fileRef = E1EE53DC11F8CF9F00CCBEE4 /* InjectedBundlePageEditorClient.h */; };
+ E3582C2B2527F6AA00D1B790 /* WebKitJITOperations.h in Headers */ = {isa = PBXBuildFile; fileRef = E3582C2A2527F69C00D1B790 /* WebKitJITOperations.h */; };
E3866AE52397400400F88FE9 /* WebDeviceOrientationUpdateProviderProxy.mm in Sources */ = {isa = PBXBuildFile; fileRef = E3866AE42397400400F88FE9 /* WebDeviceOrientationUpdateProviderProxy.mm */; };
E3866AE72397405300F88FE9 /* WebDeviceOrientationUpdateProviderProxy.h in Headers */ = {isa = PBXBuildFile; fileRef = E3866AE62397405300F88FE9 /* WebDeviceOrientationUpdateProviderProxy.h */; };
E3866B082399A2D100F88FE9 /* WebDeviceOrientationUpdateProviderProxyMessages.h in Headers */ = {isa = PBXBuildFile; fileRef = E3866B052399979C00F88FE9 /* WebDeviceOrientationUpdateProviderProxyMessages.h */; };
@@ -1810,6 +1811,7 @@
E38A1FC023A551BF00D2374F /* UserInterfaceIdiom.mm in Sources */ = {isa = PBXBuildFile; fileRef = E38A1FBF23A551BF00D2374F /* UserInterfaceIdiom.mm */; };
E39628DD23960CC600658ECD /* WebDeviceOrientationUpdateProvider.h in Headers */ = {isa = PBXBuildFile; fileRef = E39628DB23960CC500658ECD /* WebDeviceOrientationUpdateProvider.h */; };
E39628DE23960CC600658ECD /* WebDeviceOrientationUpdateProvider.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E39628DC23960CC600658ECD /* WebDeviceOrientationUpdateProvider.cpp */; };
+ E3C8467C2527F9DE0054FD9C /* WebKitJITOperations.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E3582C292527F69B00D1B790 /* WebKitJITOperations.cpp */; };
E3CAAA442413279900CED2E2 /* AccessibilitySupportSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = E3CAAA432413278A00CED2E2 /* AccessibilitySupportSPI.h */; };
E413F59D1AC1ADC400345360 /* NetworkCacheEntry.h in Headers */ = {isa = PBXBuildFile; fileRef = E413F59B1AC1ADB600345360 /* NetworkCacheEntry.h */; };
E42E06101AA7523B00B11699 /* NetworkCacheIOChannel.h in Headers */ = {isa = PBXBuildFile; fileRef = E42E060B1AA7440D00B11699 /* NetworkCacheIOChannel.h */; };
@@ -5286,6 +5288,8 @@
E1EE53DC11F8CF9F00CCBEE4 /* InjectedBundlePageEditorClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InjectedBundlePageEditorClient.h; sourceTree = "<group>"; };
E1EE53E611F8CFFB00CCBEE4 /* InjectedBundlePageEditorClient.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InjectedBundlePageEditorClient.cpp; sourceTree = "<group>"; };
E3439B632345463A0011DE0B /* NetworkProcessConnectionInfo.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = NetworkProcessConnectionInfo.h; path = Network/NetworkProcessConnectionInfo.h; sourceTree = "<group>"; };
+ E3582C292527F69B00D1B790 /* WebKitJITOperations.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WebKitJITOperations.cpp; sourceTree = "<group>"; };
+ E3582C2A2527F69C00D1B790 /* WebKitJITOperations.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebKitJITOperations.h; sourceTree = "<group>"; };
E3866AE42397400400F88FE9 /* WebDeviceOrientationUpdateProviderProxy.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = WebDeviceOrientationUpdateProviderProxy.mm; path = ios/WebDeviceOrientationUpdateProviderProxy.mm; sourceTree = "<group>"; };
E3866AE62397405300F88FE9 /* WebDeviceOrientationUpdateProviderProxy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = WebDeviceOrientationUpdateProviderProxy.h; path = ios/WebDeviceOrientationUpdateProviderProxy.h; sourceTree = "<group>"; };
E3866AED2398471A00F88FE9 /* WebDeviceOrientationUpdateProviderProxy.messages.in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = WebDeviceOrientationUpdateProviderProxy.messages.in; path = ios/WebDeviceOrientationUpdateProviderProxy.messages.in; sourceTree = "<group>"; };
@@ -6121,6 +6125,8 @@
0F4000FF2527D6F700E91DA7 /* WebKeyboardEvent.h */,
BC9BA5021697C45300E44616 /* WebKit2Initialize.cpp */,
BC9BA5031697C45300E44616 /* WebKit2Initialize.h */,
+ E3582C292527F69B00D1B790 /* WebKitJITOperations.cpp */,
+ E3582C2A2527F69C00D1B790 /* WebKitJITOperations.h */,
905620E812BC248B000799B6 /* WebMemorySampler.cpp */,
905620E912BC248B000799B6 /* WebMemorySampler.h */,
C0337DAF127A28D0008FF4F4 /* WebMouseEvent.cpp */,
@@ -11301,6 +11307,7 @@
1A6280C51919949F006AD9F9 /* WebKit.h in Headers */,
BCB63478116BF10600603215 /* WebKit2_C.h in Headers */,
BC9BA5051697C45300E44616 /* WebKit2Initialize.h in Headers */,
+ E3582C2B2527F6AA00D1B790 /* WebKitJITOperations.h in Headers */,
1A6280C71919950C006AD9F9 /* WebKitPrivate.h in Headers */,
CD003A5319D49B5D005ABCE0 /* WebMediaKeyStorageManager.h in Headers */,
9B5BEC262400F4A90070C6EF /* WebMediaStrategy.h in Headers */,
@@ -13036,6 +13043,7 @@
1A6280F31919982A006AD9F9 /* WebKit.m in Sources */,
2D92A78B212B6AB100F493FD /* WebKit2Initialize.cpp in Sources */,
A181A79821ACC74B0059A316 /* WebKitAdditions.mm in Sources */,
+ E3C8467C2527F9DE0054FD9C /* WebKitJITOperations.cpp in Sources */,
51F060E11654318500F3282F /* WebMDNSRegisterMessageReceiver.cpp in Sources */,
2D92A78C212B6AB100F493FD /* WebMouseEvent.cpp in Sources */,
31BA924D148831260062EDB5 /* WebNotificationManagerMessageReceiver.cpp in Sources */,
Modified: trunk/Source/WebKitLegacy/mac/ChangeLog (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/ChangeLog 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/ChangeLog 2020-10-03 23:51:12 UTC (rev 267938)
@@ -1,3 +1,50 @@
+2020-10-03 Yusuke Suzuki <[email protected]>
+
+ [JSC] Introduce JITOperationList to validate JIT-caged pointers
+ https://bugs.webkit.org/show_bug.cgi?id=217261
+
+ Reviewed by Saam Barati.
+
+ * History/WebBackForwardList.mm:
+ (+[WebBackForwardList initialize]):
+ * History/WebHistoryItem.mm:
+ (+[WebHistoryItem initialize]):
+ * Misc/WebCache.mm:
+ (+[WebCache initialize]):
+ * Misc/WebElementDictionary.mm:
+ (+[WebElementDictionary initialize]):
+ * Misc/WebIconDatabase.mm:
+ * Misc/WebStringTruncator.mm:
+ (+[WebStringTruncator initialize]):
+ * Plugins/Hosted/WebHostedNetscapePluginView.mm:
+ (+[WebHostedNetscapePluginView initialize]):
+ * Plugins/WebBaseNetscapePluginView.mm:
+ * Plugins/WebBasePluginPackage.mm:
+ (+[WebBasePluginPackage initialize]):
+ * Plugins/WebNetscapePluginView.mm:
+ (+[WebNetscapePluginView initialize]):
+ * WebCoreSupport/WebEditorClient.mm:
+ (+[WebUndoStep initialize]):
+ * WebCoreSupport/WebFrameLoaderClient.mm:
+ (+[WebFramePolicyListener initialize]):
+ * WebView/WebArchive.mm:
+ (+[WebArchivePrivate initialize]):
+ * WebView/WebDataSource.mm:
+ (+[WebDataSource initialize]):
+ * WebView/WebHTMLView.mm:
+ (+[WebHTMLViewPrivate initialize]):
+ (+[WebHTMLView initialize]):
+ * WebView/WebPreferences.mm:
+ (+[WebPreferences initialize]):
+ * WebView/WebResource.mm:
+ (+[WebResourcePrivate initialize]):
+ * WebView/WebTextIterator.mm:
+ (+[WebTextIteratorPrivate initialize]):
+ * WebView/WebView.mm:
+ (+[WebView initialize]):
+ * WebView/WebViewData.mm:
+ (+[WebViewPrivate initialize]):
+
2020-10-01 Chris Dumez <[email protected]>
Add basic infrastructure for AudioWorklet
Modified: trunk/Source/WebKitLegacy/mac/History/WebBackForwardList.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/History/WebBackForwardList.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/History/WebBackForwardList.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -44,6 +44,7 @@
#import <WebCore/HistoryItem.h>
#import <WebCore/Settings.h>
#import <WebCore/ThreadCheck.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreObjCExtras.h>
#import <wtf/Assertions.h>
#import <wtf/MainThread.h>
@@ -100,6 +101,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
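Review bot: `WebCore::populateJITOperations()` is appended to the `JSC::initialize(); WTF::initializeMainThread();` preamble in this `+initialize` and, by the same hunk, in WebHistoryItem.mm, WebCache.mm, WebElementDictionary.mm, WebIconDatabase.mm, WebStringTruncator.mm, the three plugin-view files, WebBasePluginPackage.mm, WebEditorClient.mm, WebFrameLoaderClient.mm, WebArchive.mm, WebDataSource.mm, WebHTMLView.mm (twice), WebPreferences.mm, WebResource.mm, WebTextIterator.mm, WebView.mm, WebViewData.mm and the Windows WebKitClassFactory.cpp and WebView.cpp, so roughly twenty call sites now have to be kept in lockstep. Since the populated table is what the debug-build check on NativeExecutable creation validates against (per the ChangeLog), every omitted site is an ordering hazard: whichever class's `+initialize` happens to run first but lacks the call would create executables before the allow-list exists. Consider folding the three calls into one shared WebKitLegacy initialization helper invoked from each `+initialize`, so the sequence lives in one place and a future addition cannot be missed. The body of `populateJITOperations()` is not in this diff, so it is worth confirming it is idempotent and cheap, as it will run once per `+initialize` in the same process; note also that the Windows WebView.cpp hunk orders the call after `WTF::setProcessPrivileges(allPrivileges())` while WebKitClassFactory.cpp does not, which is harmless if the population has no privilege dependency but reads inconsistently. The enclosing `+initialize` methods start outside these hunks.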
Modified: trunk/Source/WebKitLegacy/mac/History/WebHistoryItem.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/History/WebHistoryItem.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/History/WebHistoryItem.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -47,6 +47,7 @@
#import <WebCore/HistoryItem.h>
#import <WebCore/Image.h>
#import <WebCore/ThreadCheck.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreObjCExtras.h>
#import <wtf/Assertions.h>
#import <wtf/MainThread.h>
@@ -127,6 +128,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebKitLegacy/mac/Misc/WebCache.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/Misc/WebCache.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/Misc/WebCache.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -40,6 +40,7 @@
#import <WebCore/MemoryCache.h>
#import <WebCore/NetworkStorageSession.h>
#import <WebCore/StorageSessionProvider.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <wtf/MainThread.h>
#import <wtf/RunLoop.h>
@@ -65,6 +66,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebKitLegacy/mac/Misc/WebElementDictionary.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/Misc/WebElementDictionary.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/Misc/WebElementDictionary.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -41,6 +41,7 @@
#import <WebCore/Frame.h>
#import <WebCore/HitTestResult.h>
#import <WebCore/Image.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreObjCExtras.h>
#import <WebKitLegacy/DOMCore.h>
#import <WebKitLegacy/DOMExtensions.h>
@@ -69,6 +70,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebKitLegacy/mac/Misc/WebIconDatabase.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/Misc/WebIconDatabase.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/Misc/WebIconDatabase.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -34,6 +34,7 @@
#import <_javascript_Core/InitializeThreading.h>
#import <WebCore/Image.h>
#import <WebCore/ThreadCheck.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <wtf/MainThread.h>
#import <wtf/NeverDestroyed.h>
#import <wtf/RunLoop.h>
@@ -99,6 +100,7 @@
{
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
}
+ (WebIconDatabase *)sharedIconDatabase
Modified: trunk/Source/WebKitLegacy/mac/Misc/WebStringTruncator.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/Misc/WebStringTruncator.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/Misc/WebStringTruncator.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -32,6 +32,7 @@
#import <WebCore/FontCascade.h>
#import <WebCore/FontPlatformData.h>
#import <WebCore/StringTruncator.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <wtf/MainThread.h>
#import <wtf/NeverDestroyed.h>
@@ -52,6 +53,7 @@
{
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
}
+ (NSString *)centerTruncateString:(NSString *)string toWidth:(float)maxWidth
Modified: trunk/Source/WebKitLegacy/mac/Plugins/Hosted/WebHostedNetscapePluginView.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/Plugins/Hosted/WebHostedNetscapePluginView.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/Plugins/Hosted/WebHostedNetscapePluginView.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -47,6 +47,7 @@
#import <WebCore/RenderEmbeddedObject.h>
#import <WebCore/ResourceError.h>
#import <WebCore/WebCoreCALayerExtras.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/runtime_root.h>
#import <pal/spi/cocoa/QuartzCoreSPI.h>
#import <wtf/Assertions.h>
@@ -107,6 +108,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
sendUserChangeNotifications();
}
Modified: trunk/Source/WebKitLegacy/mac/Plugins/WebBaseNetscapePluginView.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/Plugins/WebBaseNetscapePluginView.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/Plugins/WebBaseNetscapePluginView.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -54,6 +54,7 @@
#import <WebCore/RenderEmbeddedObject.h>
#import <WebCore/RenderView.h>
#import <WebCore/SecurityOrigin.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebKitLegacy/DOMPrivate.h>
#import <pal/spi/cg/CoreGraphicsSPI.h>
#import <wtf/Assertions.h>
@@ -72,6 +73,7 @@
{
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
WebKit::sendUserChangeNotifications();
}
Modified: trunk/Source/WebKitLegacy/mac/Plugins/WebBasePluginPackage.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/Plugins/WebBasePluginPackage.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/Plugins/WebBasePluginPackage.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -34,6 +34,7 @@
#import "WebPluginPackage.h"
#import "WebTypesInternal.h"
#import <_javascript_Core/InitializeThreading.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <algorithm>
#import <mach-o/arch.h>
#import <mach-o/fat.h>
@@ -61,6 +62,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebKitLegacy/mac/Plugins/WebNetscapePluginView.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/Plugins/WebNetscapePluginView.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/Plugins/WebNetscapePluginView.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -68,6 +68,7 @@
#import <WebCore/ScriptController.h>
#import <WebCore/SecurityOrigin.h>
#import <WebCore/UserGestureIndicator.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreURLResponse.h>
#import <WebCore/npruntime_impl.h>
#import <WebCore/runtime_root.h>
@@ -164,6 +165,7 @@
{
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
sendUserChangeNotifications();
}
Modified: trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebEditorClient.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebEditorClient.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebEditorClient.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -78,6 +78,7 @@
#import <WebCore/UserTypingGestureIndicator.h>
#import <WebCore/VisibleUnits.h>
#import <WebCore/WebContentReader.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreObjCExtras.h>
#import <pal/spi/cocoa/NSAttributedStringSPI.h>
#import <pal/spi/mac/NSSpellCheckerSPI.h>
@@ -140,6 +141,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -118,6 +118,7 @@
#import <WebCore/ScriptController.h>
#import <WebCore/SharedBuffer.h>
#import <WebCore/SubresourceLoader.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreObjCExtras.h>
#import <WebCore/WebGLBlocklist.h>
#import <WebCore/WebScriptObjectPrivate.h>
@@ -2346,6 +2347,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebKitLegacy/mac/WebView/WebArchive.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/WebView/WebArchive.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebArchive.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -37,6 +37,7 @@
#import <WebCore/ArchiveResource.h>
#import <WebCore/LegacyWebArchive.h>
#import <WebCore/ThreadCheck.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreObjCExtras.h>
#import <wtf/MainThread.h>
#import <wtf/RunLoop.h>
@@ -71,6 +72,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebKitLegacy/mac/WebView/WebDataSource.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/WebView/WebDataSource.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebDataSource.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -55,6 +55,7 @@
#import <WebCore/MIMETypeRegistry.h>
#import <WebCore/ResourceRequest.h>
#import <WebCore/SharedBuffer.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreObjCExtras.h>
#import <WebCore/WebCoreURLResponse.h>
#import <WebKitLegacy/DOMHTML.h>
@@ -155,6 +156,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
}
Modified: trunk/Source/WebKitLegacy/mac/WebView/WebHTMLView.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/WebView/WebHTMLView.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebHTMLView.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -127,6 +127,7 @@
#import <WebCore/TextAlternativeWithRange.h>
#import <WebCore/TextIndicator.h>
#import <WebCore/TextUndoInsertionMarkupMac.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreNSFontManagerExtras.h>
#import <WebCore/WebCoreObjCExtras.h>
#import <WebCore/WebNSAttributedStringExtras.h>
@@ -1033,6 +1034,7 @@
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
if (!oldSetCursorForMouseLocationIMP) {
Method setCursorMethod = class_getInstanceMethod([NSWindow class], @selector(_setCursorForMouseLocation:));
@@ -2568,6 +2570,7 @@
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
}
#endif
Modified: trunk/Source/WebKitLegacy/mac/WebView/WebPreferences.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/WebView/WebPreferences.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebPreferences.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -48,6 +48,7 @@
#import <WebCore/RuntimeApplicationChecks.h>
#import <WebCore/Settings.h>
#import <WebCore/TextEncodingRegistry.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <pal/spi/cf/CFNetworkSPI.h>
#import <wtf/MainThread.h>
#import <wtf/RetainPtr.h>
@@ -376,6 +377,7 @@
#if PLATFORM(MAC)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
NSDictionary *dict = [NSDictionary dictionaryWithObjectsAndKeys:
Modified: trunk/Source/WebKitLegacy/mac/WebView/WebResource.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/WebView/WebResource.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebResource.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -40,6 +40,7 @@
#import <WebCore/RuntimeApplicationChecks.h>
#import <WebCore/TextEncoding.h>
#import <WebCore/ThreadCheck.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreObjCExtras.h>
#import <WebCore/WebCoreURLResponse.h>
#import <wtf/MainThread.h>
@@ -69,6 +70,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebKitLegacy/mac/WebView/WebTextIterator.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/WebView/WebTextIterator.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebTextIterator.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -31,6 +31,7 @@
#import <_javascript_Core/InitializeThreading.h>
#import <WebCore/Range.h>
#import <WebCore/TextIterator.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <wtf/MainThread.h>
#import <wtf/RunLoop.h>
#import <wtf/Vector.h>
@@ -49,6 +50,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebKitLegacy/mac/WebView/WebView.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/WebView/WebView.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebView.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -221,6 +221,7 @@
#import <WebCore/UserScript.h>
#import <WebCore/UserStyleSheet.h>
#import <WebCore/ValidationBubble.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <WebCore/WebCoreObjCExtras.h>
#import <WebCore/WebCoreView.h>
#import <WebCore/WebViewVisualIdentificationOverlay.h>
@@ -5244,6 +5245,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
WTF::RefCountedBase::enableThreadingChecksGlobally();
Modified: trunk/Source/WebKitLegacy/mac/WebView/WebViewData.mm (267937 => 267938)
--- trunk/Source/WebKitLegacy/mac/WebView/WebViewData.mm 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebViewData.mm 2020-10-03 23:51:12 UTC (rev 267938)
@@ -40,6 +40,7 @@
#import <WebCore/RunLoopObserver.h>
#import <WebCore/TextIndicatorWindow.h>
#import <WebCore/ValidationBubble.h>
+#import <WebCore/WebCoreJITOperations.h>
#import <wtf/MainThread.h>
#import <wtf/RunLoop.h>
@@ -169,6 +170,7 @@
#if !PLATFORM(IOS_FAMILY)
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
#endif
}
Modified: trunk/Source/WebKitLegacy/win/ChangeLog (267937 => 267938)
--- trunk/Source/WebKitLegacy/win/ChangeLog 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/win/ChangeLog 2020-10-03 23:51:12 UTC (rev 267938)
@@ -1,3 +1,15 @@
+2020-10-03 Yusuke Suzuki <[email protected]>
+
+ [JSC] Introduce JITOperationList to validate JIT-caged pointers
+ https://bugs.webkit.org/show_bug.cgi?id=217261
+
+ Reviewed by Saam Barati.
+
+ * WebKitClassFactory.cpp:
+ (WebKitClassFactory::WebKitClassFactory):
+ * WebView.cpp:
+ (WebView::WebView):
+
2020-10-01 Chris Dumez <[email protected]>
Add basic infrastructure for AudioWorklet
Modified: trunk/Source/WebKitLegacy/win/WebKitClassFactory.cpp (267937 => 267938)
--- trunk/Source/WebKitLegacy/win/WebKitClassFactory.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/win/WebKitClassFactory.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -56,6 +56,7 @@
#include "WebView.h"
#include "WebWorkersPrivate.h"
#include <_javascript_Core/InitializeThreading.h>
+#include <WebCore/WebCoreJITOperations.h>
#include <wtf/MainThread.h>
#include <wtf/SoftLinking.h>
@@ -65,6 +66,7 @@
{
JSC::initialize();
WTF::initializeMainThread();
+ WebCore::populateJITOperations();
gClassCount++;
gClassNameCount().add("WebKitClassFactory");
Modified: trunk/Source/WebKitLegacy/win/WebView.cpp (267937 => 267938)
--- trunk/Source/WebKitLegacy/win/WebView.cpp 2020-10-03 22:07:03 UTC (rev 267937)
+++ trunk/Source/WebKitLegacy/win/WebView.cpp 2020-10-03 23:51:12 UTC (rev 267938)
@@ -167,6 +167,7 @@
#include <WebCore/UserContentController.h>
#include <WebCore/UserScript.h>
#include <WebCore/UserStyleSheet.h>
+#include <WebCore/WebCoreJITOperations.h>
#include <WebCore/WebCoreTextRenderer.h>
#include <WebCore/WindowMessageBroadcaster.h>
#include <WebCore/WindowsTouch.h>
@@ -423,6 +424,7 @@
JSC::initialize();
WTF::initializeMainThread();
WTF::setProcessPrivileges(allPrivileges());
+ WebCore::populateJITOperations();
WebCore::NetworkStorageSession::permitProcessToUseCookieAPI(true);
m_backingStoreSize.cx = m_backingStoreSize.cy = 0;