Timestamp:
May 3, 2018, 5:40:18 PM (7 years ago)
Author:
[email protected]
Message:

Strings should not be allocated in a gigacage
https://bugs.webkit.org/show_bug.cgi?id=185218

Reviewed by Saam Barati.
Source/bmalloc:


This removes the string gigacage.

Putting strings in a gigacage only prevents read gadgets, whereas the other things that get to be in
gigacages are there to prevent read-write gadgets.

Also, putting strings in a gigacage seems to have been a bigger regression than putting other
things in gigacages.

Therefore, to maximize the benefit/cost ratio of gigacages, we should evict strings from them. If
we want to throw away perf for security, there are more beneficial things to sacrifice.

  • bmalloc/Gigacage.h:

(Gigacage::name):
(Gigacage::basePtr):
(Gigacage::size):
(Gigacage::forEachKind):

  • bmalloc/HeapKind.h:

(bmalloc::isGigacage):
(bmalloc::gigacageKind):
(bmalloc::heapKind):
(bmalloc::isActiveHeapKindAfterEnsuringGigacage):
(bmalloc::mapToActiveHeapKindAfterEnsuringGigacage):

Source/JavaScriptCore:

  • runtime/JSBigInt.cpp:

(JSC::JSBigInt::toStringGeneric):

  • runtime/JSString.cpp:

(JSC::JSRopeString::resolveRopeToAtomicString const):
(JSC::JSRopeString::resolveRope const):

  • runtime/JSString.h:

(JSC::JSString::create):
(JSC::JSString::createHasOtherOwner):

  • runtime/VM.h:

(JSC::VM::gigacageAuxiliarySpace):

Source/WebCore:

No new tests because no new behavior.

  • Modules/indexeddb/server/IDBSerialization.cpp:

(WebCore::decodeKey):

  • bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneDeserializer::readString):

  • html/canvas/CanvasRenderingContext2D.cpp:

(WebCore::normalizeSpaces):

  • html/parser/HTMLTreeBuilder.cpp:

(WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer::takeRemainingWhitespace):

  • platform/URLParser.cpp:

(WebCore::percentEncodeByte):
(WebCore::serializeURLEncodedForm):
(WebCore::URLParser::serialize):

  • platform/URLParser.h:
  • platform/graphics/FourCC.cpp:

(WebCore::FourCC::toString const):

  • platform/graphics/ca/GraphicsLayerCA.cpp:

(WebCore::GraphicsLayerCA::ReplicaState::cloneID const):

  • platform/text/LocaleICU.cpp:

(WebCore::LocaleICU::decimalSymbol):
(WebCore::LocaleICU::decimalTextAttribute):
(WebCore::getDateFormatPattern):
(WebCore::LocaleICU::createLabelVector):
(WebCore::getFormatForSkeleton):

  • platform/win/FileSystemWin.cpp:

(WebCore::FileSystem::getFinalPathName):
(WebCore::FileSystem::pathByAppendingComponent):
(WebCore::FileSystem::storageDirectory):

Source/WTF:


  • WTF.xcodeproj/project.pbxproj:
  • wtf/Deque.h:
  • wtf/Forward.h:
  • wtf/Gigacage.h:

(Gigacage::name):
(Gigacage::basePtr):

  • wtf/Vector.h:

(WTF::VectorBufferBase::allocateBuffer):
(WTF::VectorBufferBase::tryAllocateBuffer):
(WTF::VectorBufferBase::reallocateBuffer):
(WTF::VectorBufferBase::deallocateBuffer):
(WTF::minCapacity>::Vector):
(WTF::=):
(WTF::minCapacity>::contains const):
(WTF::minCapacity>::findMatching const):
(WTF::minCapacity>::find const):
(WTF::minCapacity>::reverseFind const):
(WTF::minCapacity>::appendIfNotContains):
(WTF::minCapacity>::fill):
(WTF::minCapacity>::appendRange):
(WTF::minCapacity>::expandCapacity):
(WTF::minCapacity>::tryExpandCapacity):
(WTF::minCapacity>::resize):
(WTF::minCapacity>::resizeToFit):
(WTF::minCapacity>::shrink):
(WTF::minCapacity>::grow):
(WTF::minCapacity>::asanSetInitialBufferSizeTo):
(WTF::minCapacity>::asanSetBufferSizeToFullCapacity):
(WTF::minCapacity>::asanBufferSizeWillChangeTo):
(WTF::minCapacity>::reserveCapacity):
(WTF::minCapacity>::tryReserveCapacity):
(WTF::minCapacity>::reserveInitialCapacity):
(WTF::minCapacity>::shrinkCapacity):
(WTF::minCapacity>::append):
(WTF::minCapacity>::tryAppend):
(WTF::minCapacity>::constructAndAppend):
(WTF::minCapacity>::tryConstructAndAppend):
(WTF::minCapacity>::appendSlowCase):
(WTF::minCapacity>::constructAndAppendSlowCase):
(WTF::minCapacity>::tryConstructAndAppendSlowCase):
(WTF::minCapacity>::uncheckedAppend):
(WTF::minCapacity>::appendVector):
(WTF::minCapacity>::insert):
(WTF::minCapacity>::insertVector):
(WTF::minCapacity>::remove):
(WTF::minCapacity>::removeFirst):
(WTF::minCapacity>::removeFirstMatching):
(WTF::minCapacity>::removeAll):
(WTF::minCapacity>::removeAllMatching):
(WTF::minCapacity>::reverse):
(WTF::minCapacity>::map const):
(WTF::minCapacity>::releaseBuffer):
(WTF::minCapacity>::checkConsistency):
(WTF::swap):
(WTF::operator==):
(WTF::operator!=):
(WTF::removeRepeatedElements):
(WTF::Malloc>::Vector): Deleted.
(WTF::Malloc>::contains const): Deleted.
(WTF::Malloc>::findMatching const): Deleted.
(WTF::Malloc>::find const): Deleted.
(WTF::Malloc>::reverseFind const): Deleted.
(WTF::Malloc>::appendIfNotContains): Deleted.
(WTF::Malloc>::fill): Deleted.
(WTF::Malloc>::appendRange): Deleted.
(WTF::Malloc>::expandCapacity): Deleted.
(WTF::Malloc>::tryExpandCapacity): Deleted.
(WTF::Malloc>::resize): Deleted.
(WTF::Malloc>::resizeToFit): Deleted.
(WTF::Malloc>::shrink): Deleted.
(WTF::Malloc>::grow): Deleted.
(WTF::Malloc>::asanSetInitialBufferSizeTo): Deleted.
(WTF::Malloc>::asanSetBufferSizeToFullCapacity): Deleted.
(WTF::Malloc>::asanBufferSizeWillChangeTo): Deleted.
(WTF::Malloc>::reserveCapacity): Deleted.
(WTF::Malloc>::tryReserveCapacity): Deleted.
(WTF::Malloc>::reserveInitialCapacity): Deleted.
(WTF::Malloc>::shrinkCapacity): Deleted.
(WTF::Malloc>::append): Deleted.
(WTF::Malloc>::tryAppend): Deleted.
(WTF::Malloc>::constructAndAppend): Deleted.
(WTF::Malloc>::tryConstructAndAppend): Deleted.
(WTF::Malloc>::appendSlowCase): Deleted.
(WTF::Malloc>::constructAndAppendSlowCase): Deleted.
(WTF::Malloc>::tryConstructAndAppendSlowCase): Deleted.
(WTF::Malloc>::uncheckedAppend): Deleted.
(WTF::Malloc>::appendVector): Deleted.
(WTF::Malloc>::insert): Deleted.
(WTF::Malloc>::insertVector): Deleted.
(WTF::Malloc>::remove): Deleted.
(WTF::Malloc>::removeFirst): Deleted.
(WTF::Malloc>::removeFirstMatching): Deleted.
(WTF::Malloc>::removeAll): Deleted.
(WTF::Malloc>::removeAllMatching): Deleted.
(WTF::Malloc>::reverse): Deleted.
(WTF::Malloc>::map const): Deleted.
(WTF::Malloc>::releaseBuffer): Deleted.
(WTF::Malloc>::checkConsistency): Deleted.

  • wtf/text/AtomicStringImpl.h:
  • wtf/text/CString.cpp:

(WTF::CStringBuffer::createUninitialized):

  • wtf/text/CString.h:
  • wtf/text/StringBuffer.h:

(WTF::StringBuffer::StringBuffer):
(WTF::StringBuffer::~StringBuffer):
(WTF::StringBuffer::resize):

  • wtf/text/StringImpl.cpp:

(WTF::StringImpl::~StringImpl):
(WTF::StringImpl::destroy):
(WTF::StringImpl::createUninitializedInternalNonEmpty):
(WTF::StringImpl::reallocateInternal):
(WTF::StringImpl::releaseAssertCaged const): Deleted.

  • wtf/text/StringImpl.h:

(WTF::StringImpl::createSubstringSharingImpl):
(WTF::StringImpl::tryCreateUninitialized):
(WTF::StringImpl::adopt):
(WTF::StringImpl::assertCaged const): Deleted.

  • wtf/text/StringMalloc.cpp: Removed.
  • wtf/text/StringMalloc.h: Removed.
  • wtf/text/StringVector.h: Removed.
  • wtf/text/SymbolImpl.h:
  • wtf/text/UniquedStringImpl.h:
  • wtf/text/WTFString.h:

(WTF::String::adopt):
(WTF::String::assertCaged const): Deleted.
(WTF::String::releaseAssertCaged const): Deleted.

File:
1 edited

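--- a/trunk/Source/JavaScriptCore/runtime/JSString.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSString.cpp
@@ -179,32 +179,28 @@
 void JSRopeString::resolveRopeToAtomicString(ExecState* exec) const
 {
-    [&] () {
-        if (length() > maxLengthForOnStackResolve) {
-            resolveRope(exec);
-            m_value = AtomicString(m_value);
-            setIs8Bit(m_value.impl()->is8Bit());
-            return;
-        }
-
-        if (is8Bit()) {
-            LChar buffer[maxLengthForOnStackResolve];
-            resolveRopeInternal8(buffer);
-            m_value = AtomicString(buffer, length());
-            setIs8Bit(m_value.impl()->is8Bit());
-        } else {
-            UChar buffer[maxLengthForOnStackResolve];
-            resolveRopeInternal16(buffer);
-            m_value = AtomicString(buffer, length());
-            setIs8Bit(m_value.impl()->is8Bit());
-        }
-
-        clearFibers();
-
-        // If we resolved a string that didn't previously exist, notify the heap that we've grown.
-        if (m_value.impl()->hasOneRef())
-            Heap::heap(this)->reportExtraMemoryAllocated(m_value.impl()->cost());
-    }();
-    
-    m_value.releaseAssertCaged();
+    if (length() > maxLengthForOnStackResolve) {
+        resolveRope(exec);
+        m_value = AtomicString(m_value);
+        setIs8Bit(m_value.impl()->is8Bit());
+        return;
+    }
+
+    if (is8Bit()) {
+        LChar buffer[maxLengthForOnStackResolve];
+        resolveRopeInternal8(buffer);
+        m_value = AtomicString(buffer, length());
+        setIs8Bit(m_value.impl()->is8Bit());
+    } else {
+        UChar buffer[maxLengthForOnStackResolve];
+        resolveRopeInternal16(buffer);
+        m_value = AtomicString(buffer, length());
+        setIs8Bit(m_value.impl()->is8Bit());
+    }
+
+    clearFibers();
+
+    // If we resolved a string that didn't previously exist, notify the heap that we've grown.
+    if (m_value.impl()->hasOneRef())
+        Heap::heap(this)->reportExtraMemoryAllocated(m_value.impl()->cost());
 }
 
@@ -253,30 +249,15 @@
 void JSRopeString::resolveRope(ExecState* exec) const
 {
-    [&] () {
-        ASSERT(isRope());
-        
-        if (isSubstring()) {
-            ASSERT(!substringBase()->isRope());
-            m_value = substringBase()->m_value.substringSharingImpl(substringOffset(), length());
-            substringBase().clear();
-            return;
-        }
-        
-        if (is8Bit()) {
-            LChar* buffer;
-            if (auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer)) {
-                Heap::heap(this)->reportExtraMemoryAllocated(newImpl->cost());
-                m_value = WTFMove(newImpl);
-            } else {
-                outOfMemory(exec);
-                return;
-            }
-            resolveRopeInternal8NoSubstring(buffer);
-            clearFibers();
-            ASSERT(!isRope());
-            return;
-        }
-        
-        UChar* buffer;
+    ASSERT(isRope());
+    
+    if (isSubstring()) {
+        ASSERT(!substringBase()->isRope());
+        m_value = substringBase()->m_value.substringSharingImpl(substringOffset(), length());
+        substringBase().clear();
+        return;
+    }
+    
+    if (is8Bit()) {
+        LChar* buffer;
         if (auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer)) {
             Heap::heap(this)->reportExtraMemoryAllocated(newImpl->cost());
@@ -286,11 +267,22 @@
             return;
         }
-        
-        resolveRopeInternal16NoSubstring(buffer);
+        resolveRopeInternal8NoSubstring(buffer);
         clearFibers();
         ASSERT(!isRope());
-    }();
-
-    m_value.releaseAssertCaged();
+        return;
+    }
+    
+    UChar* buffer;
+    if (auto newImpl = StringImpl::tryCreateUninitialized(length(), buffer)) {
+        Heap::heap(this)->reportExtraMemoryAllocated(newImpl->cost());
+        m_value = WTFMove(newImpl);
+    } else {
+        outOfMemory(exec);
+        return;
+    }
+    
+    resolveRopeInternal16NoSubstring(buffer);
+    clearFibers();
+    ASSERT(!isRope());
 }
 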
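Review bot: The two `m_value.releaseAssertCaged()` calls dropped at the end of resolveRopeToAtomicString and resolveRope were the only in-code record that a resolved rope's storage was expected to sit in a Gigacage; after this section nothing in JSString.cpp says that the buffer handed back by `StringImpl::tryCreateUninitialized` now lives outside the cage on purpose. Someone hardening this path later could reasonably read the missing assertion as an oversight rather than a decision, since the rationale exists only in the commit message. I would add one line above the first `tryCreateUninitialized` call in resolveRope: `// String storage is deliberately not Gigacage-allocated (bug 185218): caging it only blocked read gadgets, and the perf regression was not worth that.` Both function bodies are fully inside this section, so no surrounding code is affected by the note.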