Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f8284998946c00f1c6b4d8ea9aad813ba83616a7
      
https://github.com/WebKit/WebKit/commit/f8284998946c00f1c6b4d8ea9aad813ba83616a7
  Author: Alexey Shvayka <ashva...@apple.com>
  Date:   2024-07-23 (Tue, 23 Jul 2024)

  Changed paths:
    M Source/JavaScriptCore/API/JSScriptRef.cpp
    M Source/JavaScriptCore/API/glib/JSCContext.cpp
    M Source/JavaScriptCore/builtins/BuiltinExecutables.cpp
    M Source/JavaScriptCore/bytecode/BytecodeList.rb
    M Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
    M Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp
    M Source/JavaScriptCore/debugger/DebuggerParseData.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/interpreter/Interpreter.cpp
    M Source/JavaScriptCore/interpreter/Interpreter.h
    M Source/JavaScriptCore/jit/JITCall.cpp
    M Source/JavaScriptCore/jit/JITOperations.cpp
    M Source/JavaScriptCore/jit/JITOperations.h
    M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
    M Source/JavaScriptCore/parser/Parser.cpp
    M Source/JavaScriptCore/parser/Parser.h
    M Source/JavaScriptCore/parser/ParserModes.h
    M Source/JavaScriptCore/parser/SourceCodeKey.h
    M Source/JavaScriptCore/parser/SourceProviderCacheItem.h
    M Source/JavaScriptCore/runtime/CodeCache.cpp
    M Source/JavaScriptCore/runtime/CodeCache.h
    M Source/JavaScriptCore/runtime/Completion.cpp
    M Source/JavaScriptCore/runtime/DirectEvalExecutable.cpp
    M Source/JavaScriptCore/runtime/DirectEvalExecutable.h
    M Source/JavaScriptCore/runtime/EvalExecutable.cpp
    M Source/JavaScriptCore/runtime/EvalExecutable.h
    M Source/JavaScriptCore/runtime/GlobalExecutable.h
    M Source/JavaScriptCore/runtime/IndirectEvalExecutable.cpp
    M Source/JavaScriptCore/runtime/IndirectEvalExecutable.h
    M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
    M Source/JavaScriptCore/runtime/JSModuleLoader.cpp
    M Source/JavaScriptCore/runtime/ModuleProgramExecutable.cpp
    M Source/JavaScriptCore/runtime/ProgramExecutable.cpp
    M Source/JavaScriptCore/runtime/ScriptExecutable.h
    M Source/JavaScriptCore/runtime/ShadowRealmPrototype.cpp
    M Source/JavaScriptCore/tools/JSDollarVM.cpp

  Log Message:
  -----------
  [JSC] Introduce TaintedByWithScopeLexicallyScopedFeature
https://bugs.webkit.org/show_bug.cgi?id=276788
<rdar://problem/132024214>

Reviewed by Yusuke Suzuki.

This is a re-land of 281119@main but without the SourceCodeKey hashing drive-by fix, which regressed JS3 scores on iOS by 2%.

For the upcoming ToThis revamp (webkit.org/b/225397), we would need to determine during bytecode generation if an op_get_from_scope could possibly hit a JSWithScope; if it can, we would need to emit an additional bytecode op that would sanitize JSScope to a `this` value. Otherwise, we would pass `undefined` as the `this` value.

Leveraging LexicallyScopedFeatures, this patch introduces a mechanism to determine that, accounting for eval() and global scope extension. The TaintedByWithScopeLexicallyScopedFeature flag is precisely set only inside a `with` statement, and doesn't affect code that follows `with` in the same scope.

Also, this change replaces JSParserStrictMode and bool flags with LexicallyScopedFeatures, reducing the number of ways we pass strict mode to 2.

No new tests, no behavior change.

* Source/JavaScriptCore/API/JSScriptRef.cpp:
(parseScript):
* Source/JavaScriptCore/API/glib/JSCContext.cpp:
(jsc_context_check_syntax):
* Source/JavaScriptCore/builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createExecutable):
* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::generateUnlinkedFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::fromGlobalCode):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::computeFeaturesForCallDirectEval):
(JSC::BytecodeGenerator::emitCall):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
* Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::evaluateWithScopeExtension):
* Source/JavaScriptCore/debugger/DebuggerParseData.cpp:
(JSC::gatherDebuggerParseData):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::hasECMAMode):
(JSC::DFG::Node::ecmaMode):
(JSC::DFG::Node::lexicallyScopedFeatures):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::eval):
(JSC::Interpreter::executeProgram):
* Source/JavaScriptCore/interpreter/Interpreter.h:
* Source/JavaScriptCore/jit/JITCall.cpp:
(JSC::JIT::compileCallDirectEval):
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/jit/JITOperations.h:
(JSC::selectCallDirectEvalOperation):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::commonCallDirectEval):
* Source/JavaScriptCore/parser/Parser.cpp:
(JSC::Parser<LexerType>::Parser):
(JSC::Parser<LexerType>::parseWithStatement):
* Source/JavaScriptCore/parser/Parser.h:
(JSC::Scope::setLexicallyScopedFeatures):
(JSC::Scope::setTaintedByWithScope):
(JSC::parse):
(JSC::parseRootNode):
(JSC::parseFunctionForFunctionConstructor):
* Source/JavaScriptCore/parser/ParserModes.h:
* Source/JavaScriptCore/parser/SourceCodeKey.h:
(JSC::SourceCodeFlags::SourceCodeFlags):
(JSC::SourceCodeKey::SourceCodeKey):
* Source/JavaScriptCore/parser/SourceProviderCacheItem.h:
(JSC::SourceProviderCacheItem::lexicallyScopedFeatures const):
(JSC::SourceProviderCacheItem::SourceProviderCacheItem):
* Source/JavaScriptCore/runtime/CodeCache.cpp:
(JSC::generateUnlinkedCodeBlockImpl):
(JSC::generateUnlinkedCodeBlock):
(JSC::generateUnlinkedCodeBlockForDirectEval):
(JSC::recursivelyGenerateUnlinkedCodeBlockForProgram):
(JSC::recursivelyGenerateUnlinkedCodeBlockForModuleProgram):
(JSC::CodeCache::getUnlinkedGlobalCodeBlock):
(JSC::CodeCache::getUnlinkedProgramCodeBlock):
(JSC::CodeCache::getUnlinkedEvalCodeBlock):
(JSC::CodeCache::getUnlinkedModuleProgramCodeBlock):
(JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
(JSC::sourceCodeKeyForSerializedBytecode):
(JSC::sourceCodeKeyForSerializedProgram):
(JSC::sourceCodeKeyForSerializedModule):
(JSC::serializeBytecode):
* Source/JavaScriptCore/runtime/CodeCache.h:
* Source/JavaScriptCore/runtime/Completion.cpp:
(JSC::checkSyntaxInternal):
(JSC::checkModuleSyntax):
(JSC::generateProgramBytecode):
(JSC::generateModuleBytecode):
* Source/JavaScriptCore/runtime/DirectEvalExecutable.cpp:
(JSC::DirectEvalExecutable::create):
(JSC::DirectEvalExecutable::DirectEvalExecutable):
* Source/JavaScriptCore/runtime/DirectEvalExecutable.h:
* Source/JavaScriptCore/runtime/EvalExecutable.cpp:
(JSC::EvalExecutable::EvalExecutable):
* Source/JavaScriptCore/runtime/EvalExecutable.h:
* Source/JavaScriptCore/runtime/GlobalExecutable.h:
(JSC::GlobalExecutable::GlobalExecutable):
* Source/JavaScriptCore/runtime/IndirectEvalExecutable.cpp:
(JSC::IndirectEvalExecutable::createImpl):
(JSC::IndirectEvalExecutable::create):
(JSC::IndirectEvalExecutable::tryCreate):
(JSC::IndirectEvalExecutable::IndirectEvalExecutable):
* Source/JavaScriptCore/runtime/IndirectEvalExecutable.h:
* Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSModuleLoader.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/ModuleProgramExecutable.cpp:
(JSC::ModuleProgramExecutable::ModuleProgramExecutable):
* Source/JavaScriptCore/runtime/ProgramExecutable.cpp:
(JSC::ProgramExecutable::ProgramExecutable):
(JSC::ProgramExecutable::initializeGlobalProperties):
* Source/JavaScriptCore/runtime/ScriptExecutable.h:
(JSC::ScriptExecutable::lexicallyScopedFeatures):
(JSC::ScriptExecutable::setTaintedByWithScope):
* Source/JavaScriptCore/runtime/ShadowRealmPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSDollarVM::finishCreation):

Canonical link: https://commits.webkit.org/281275@main
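As an added illustration (example code, not part of the WebKit change), the JavaScript below shows the observable behaviour behind the with-scope taint the commit describes: a call whose callee resolves through a `with` object receives that object as `this`, a direct eval inside the block inherits the same scope, while a lookup that misses the object or a call after the block gets `undefined`. The names `whoAmI`, `probeWithScope` and `scopeObj` are assumptions; the `with` body is compiled through the Function constructor so it parses in sloppy mode even if this file is loaded as a module.

```javascript
// Added example (not WebKit code): the `this` semantics that force the engine
// to know, per lookup, whether a with scope may be hit.
// Names whoAmI / probeWithScope / scopeObj are assumptions.

function whoAmI() {
  'use strict'; // strict callee: an undefined `this` is not boxed to globalThis
  return this;
}

// Compiles the `with` code via the Function constructor so it is parsed in
// sloppy mode (a `with` statement is a SyntaxError in strict/module code).
function probeWithScope() {
  const scopeObj = { whoAmI }; // constructed with-object exposing whoAmI
  const run = new Function('whoAmI', 'scopeObj', `
    var r = {};
    with (scopeObj) {
      // The identifier resolves through the with object's environment
      // record, so the call's this value is the with base object (scopeObj).
      r.insideWith = whoAmI();
      // A direct eval inside the block inherits the with scope, which is
      // why the taint has to flow into eval code as well.
      r.insideEval = eval('whoAmI()');
    }
    with ({}) {
      // Same syntax, but the lookup misses the object and falls through to
      // the function parameter: this is undefined. Only runtime can tell.
      r.missedObject = whoAmI();
    }
    // After the with block, in the same scope: an ordinary bare call.
    r.afterWith = whoAmI();
    r.scopeObj = scopeObj;
    return r;
  `);
  return run(whoAmI, scopeObj);
}
```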

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes