Timestamp:
Aug 2, 2017, 6:32:07 PM (8 years ago)
Author:
[email protected]
Message:

All C++ accesses to JSObject::m_butterfly should do caging
https://bugs.webkit.org/show_bug.cgi?id=175039

Reviewed by Keith Miller.

Source/JavaScriptCore:

Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
outside the gigacage.

  • runtime/JSArray.cpp:

(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::push):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):

  • runtime/JSObject.cpp:

(JSC::JSObject::heapSnapshot):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::allocateMoreOutOfLineStorage):

  • runtime/JSObject.h:

(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly const):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::initializeIndexWithoutBarrier):
(JSC::JSObject::butterfly const):
(JSC::JSObject::butterfly):

Source/WTF:

Adds a smart pointer class that does various kinds of caging for you.

  • WTF.xcodeproj/project.pbxproj:
  • wtf/CMakeLists.txt:
  • wtf/CagedPtr.h: Added.

(WTF::CagedPtr::CagedPtr):
(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):
(WTF::CagedPtr::operator== const):
(WTF::CagedPtr::operator!= const):
(WTF::CagedPtr::operator bool const):
(WTF::CagedPtr::operator* const):
(WTF::CagedPtr::operator-> const):

File:
1 edited

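--- a/trunk/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -551,5 +551,5 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Butterfly* butterfly = m_butterfly.get();
+    Butterfly* butterfly = m_butterfly.get().getMayBeNull();
     switch (indexingType()) {
     case ArrayClass:
@@ -621,5 +621,5 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Butterfly* butterfly = m_butterfly.get();
+    Butterfly* butterfly = m_butterfly.get().getMayBeNull();
    
     switch (indexingType()) {
@@ -723,5 +723,5 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Butterfly* butterfly = m_butterfly.get();
+    Butterfly* butterfly = m_butterfly.get().getMayBeNull();
    
     switch (indexingType()) {
@@ -1016,5 +1016,5 @@
     RELEASE_ASSERT(count > 0);
 
-    Butterfly* butterfly = m_butterfly.get();
+    Butterfly* butterfly = m_butterfly.get().getMayBeNull();
    
     switch (indexingType()) {
@@ -1172,5 +1172,5 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    Butterfly* butterfly = m_butterfly.get();
+    Butterfly* butterfly = m_butterfly.get().getMayBeNull();
    
     switch (indexingType()) {
@@ -1195,5 +1195,5 @@
             return false;
         }
-        butterfly = m_butterfly.get();
+        butterfly = m_butterfly.get().getMayBeNull();
 
         // We have to check for holes before we start moving things around so that we don't get halfway
@@ -1239,5 +1239,5 @@
             return false;
         }
-        butterfly = m_butterfly.get();
+        butterfly = m_butterfly.get().getMayBeNull();
        
         // We have to check for holes before we start moving things around so that we don't get halfway
@@ -1282,5 +1282,5 @@
     WriteBarrier<Unknown>* vector;
 
-    Butterfly* butterfly = m_butterfly.get();
+    Butterfly* butterfly = m_butterfly.get().getMayBeNull();
    
     switch (indexingType()) {
@@ -1355,5 +1355,5 @@
     ASSERT(length == this->length());
 
-    Butterfly* butterfly = m_butterfly.get();
+    Butterfly* butterfly = m_butterfly.get().getMayBeNull();
     switch (indexingType()) {
     case ArrayClass: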
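Review bot: Every hunk in this file unwraps the caged pointer with `m_butterfly.get().getMayBeNull()`, which by its name bypasses whatever null check `get()` performs, so each `switch (indexingType())` that follows is now trusted to tolerate a null `butterfly` without that contract being stated at the load site; the same form appears at lines 553, 623, 725, 1018, 1174, 1197, 1241, 1284 and 1357. Because the `CagedPtr` unwrap is the one place the cage bound is enforced, a raw `Butterfly*` should only ever be obtained through it and never re-derived from another copy, and a comment at the first site would make both points explicit: `// Caged load; may be null, so every case below must tolerate a null butterfly.`. If the `butterfly()` accessors this change also touches in JSObject.h carry the same null semantics, a single private helper returning the unwrapped pointer would replace the nine copies and keep the cage check in one spot. Each of these functions begins and ends outside its hunk, so the later uses of `butterfly` are not visible here.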