Changeset 294017 in webkit for trunk/Source/JavaScriptCore/tools/Integrity.cpp

Timestamp:

May 10, 2022, 2:55:45 PM (3 years ago)

Author:

[email protected]

Message:

Add optional Integrity checks at JSC API boundaries.
​https://bugs.webkit.org/show_bug.cgi?id=240264

Reviewed by Yusuke Suzuki.

1. Defined ENABLE_EXTRA_INTEGRITY_CHECKS in Integrity.h. JSC developers can enable this for their local build if they want to enable more prolific Integrity audits. This is disabled by default.

This feature is currently only supported for USE(JSVALUE64) targets.

The following changes only take effect if ENABLE(EXTRA_INTEGRITY_CHECKS) is enabled.
Otherwise, these are no-ops.

2. Added Integrity audits to all toJS and toRef conversion functions in APICast.h. This will help us detect if bad values are passed across the API boundary.

3. Added some Integrity audits in JSValue.mm where the APICast ones were insufficient.

The following changes are in effect even when ENABLE(EXTRA_INTEGRITY_CHECKS) is
disabled. Some of these were made to support ENABLE(EXTRA_INTEGRITY_CHECKS), and
some are just clean up in related code that I had to touch along the way.

4. Moved isSanePointer() to Integrity.h so that it can be used in more places.

5. Changed VM registration with the VMInspector so that it's registered earlier and removed later. Integrity audits may need to audit VM pointers while the VM is being constructed and destructed.

6. Added VM::m_isInService to track when the VM is fully constructed or about to be destructed since the VM is now registered with the VMInspector differently (see (4) above). Applied this check in places that need it.

7. Fixed VMInspector::isValidExecutableMemory() to check the ExecutableAllocator directly without iterating VMs (which is completely unnecessary).

8. Fixed VMInspector::isValidExecutableMemory() and VMInspector::codeBlockForMachinePC() to use AdoptLock. This fixes a race condition where the lock can be contended after ensureIsSafeToLock() succeeds.

9. Added VMInspector::isValidVM() to check if a VM pointer is registered or not. VMInspector caches the most recently added or found VM so that isValidVM() can just check the cache for its fast path.

10. Moved the implementation of VMInspector::verifyCell() to Integrity::analyzeCell()

and add more checks to it. VMInspector::verifyCell() now calls Integrity::verifyCell()
which uses Integrity::analyzeCell() to do the real cell analysis.

11. Also strengten Integrity::auditStructureID() so that it will check if a

Structure's memory has been released. This change is enabled on Debug builds
by default as well as when ENABLE(EXTRA_INTEGRITY_CHECKS). It is disabled
on Release builds.

• API/APICast.h:

(toJS):
(toJSForGC):
(uncheckedToJS):
(toRef):
(toGlobalRef):

• API/JSContext.mm:
• API/JSContextRef.cpp:
• API/JSScript.mm:
• API/JSValue.mm:

(ObjcContainerConvertor::convert):
(objectToValueWithoutCopy):
(objectToValue):

• API/JSVirtualMachine.mm:
• API/JSWeakPrivate.cpp:
• API/glib/JSCContext.cpp:
• API/glib/JSCWrapperMap.cpp:
• API/tests/JSObjectGetProxyTargetTest.cpp:
• bytecode/SpeculatedType.cpp:

(JSC::speculationFromCell):
(JSC::isSanePointer): Deleted.

• heap/HeapFinalizerCallback.cpp:
• heap/WeakSet.h:
• runtime/Structure.h:
• runtime/VM.cpp:

(JSC::VM::VM):
(JSC::VM::~VM):

• runtime/VM.h:

(JSC::VM::isInService const):

• tools/HeapVerifier.cpp:

(JSC::HeapVerifier::checkIfRecorded):

• tools/Integrity.cpp:

(JSC::Integrity::Random::reloadAndCheckShouldAuditSlow):
(JSC::Integrity::auditCellMinimallySlow):
(JSC::Integrity::doAudit):
(JSC::Integrity::Analyzer::analyzeVM):
(JSC::Integrity::Analyzer::analyzeCell):
(JSC::Integrity::doAuditSlow):
(JSC::Integrity::verifyCell):
(): Deleted.
(JSC::Integrity::auditCellFully): Deleted.

• tools/Integrity.h:

(JSC::isSanePointer):
(JSC::Integrity::auditCell):
(JSC::Integrity::audit):

• tools/IntegrityInlines.h:

(JSC::Integrity::auditCell):
(JSC::Integrity::auditCellFully):
(JSC::Integrity::auditStructureID):
(JSC::Integrity::doAudit):

• tools/VMInspector.cpp:

(JSC::VMInspector::add):
(JSC::VMInspector::remove):
(JSC::VMInspector::isValidVMSlow):
(JSC::VMInspector::dumpVMs):
(JSC::VMInspector::isValidExecutableMemory):
(JSC::VMInspector::codeBlockForMachinePC):
(JSC::ensureIsSafeToLock): Deleted.

• tools/VMInspector.h:

(JSC::VMInspector::isValidVM):
(): Deleted.
(JSC::VMInspector::unusedVerifier): Deleted.

• tools/VMInspectorInlines.h:

(JSC::VMInspector::verifyCell):
(JSC::VMInspector::verifyCellSize): Deleted.

File:

• trunk/Source/JavaScriptCore/tools/Integrity.cpp (modified) (7 diffs)

trunk/Source/JavaScriptCore/tools/Integrity.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2019-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2019-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #include "Integrity.h"
 
+#include "APICast.h"
+#include "CellSize.h"
+#include "IntegrityInlines.h"
+#include "JSCast.h"
 #include "JSCellInlines.h"
+#include "JSGlobalObject.h"
 #include "Options.h"
 #include "VMInspectorInlines.h"
@@ -34 +39 @@
 namespace Integrity {
 
-namespace {
-constexpr bool verbose = false;
+namespace IntegrityInternal {
+static constexpr bool verbose = false;
 }
 
@@ -49 +54 @@
     if (!Options::randomIntegrityAuditRate()) {
         m_triggerBits = 0; // Never trigger, and don't bother reloading.
-        if (verbose)
+        if (IntegrityInternal::verbose)
             dataLogLn("disabled Integrity audits: trigger bits ", RawPointer(reinterpret_cast<void*>(m_triggerBits)));
         return false;
@@ -62 +67 @@
         m_triggerBits = m_triggerBits | (static_cast<uint64_t>(trigger) << i);
     }
-    if (verbose)
+    if (IntegrityInternal::verbose)
         dataLogLn("reloaded Integrity trigger bits ", RawPointer(reinterpret_cast<void*>(m_triggerBits)));
     ASSERT(m_triggerBits >= (1ull << 63));
@@ -68 +73 @@
 }
 
-void auditCellFully(VM& vm, JSCell* cell)
-{
-    VMInspector::verifyCell<VMInspector::ReleaseAssert>(vm, cell);
-}
-
 void auditCellMinimallySlow(VM&, JSCell* cell)
 {
     if (Gigacage::contains(cell)) {
         if (cell->type() != JSImmutableButterflyType) {
-            if (verbose)
-                dataLogLn("Bad cell ", RawPointer(cell), " ", JSValue(cell));
+            if (IntegrityInternal::verbose)
+                dataLogLn("Integrity ERROR: Bad cell ", RawPointer(cell), " ", JSValue(cell));
             CRASH();
         }
@@ -84 +84 @@
 }
 
+#if USE(JSVALUE64)
+
+JSContextRef doAudit(JSContextRef ctx)
+{
+    IA_ASSERT(ctx, "NULL JSContextRef");
+    toJS(ctx); // toJS will trigger an audit.
+    return ctx;
+}
+
+JSGlobalContextRef doAudit(JSGlobalContextRef ctx)
+{
+    IA_ASSERT(ctx, "NULL JSGlobalContextRef");
+    toJS(ctx); // toJS will trigger an audit.
+    return ctx;
+}
+
+JSObjectRef doAudit(JSObjectRef objectRef)
+{
+    if (!objectRef)
+        return objectRef;
+    toJS(objectRef); // toJS will trigger an audit.
+    return objectRef;
+}
+
+JSValueRef doAudit(JSValueRef valueRef)
+{
+#if CPU(ADDRESS64)
+    if (!valueRef)
+        return valueRef;
+    toJS(valueRef); // toJS will trigger an audit.
+#endif
+    return valueRef;
+}
+
+JSValue doAudit(JSValue value)
+{
+    if (value.isCell())
+        doAudit(value.asCell());
+    return value;
+}
+
+bool Analyzer::analyzeVM(VM& vm, Analyzer::Action action)
+{
+    IA_ASSERT_WITH_ACTION(VMInspector::isValidVM(&vm), {
+        VMInspector::dumpVMs();
+        if (action == Action::LogAndCrash)
+            RELEASE_ASSERT(VMInspector::isValidVM(&vm));
+        else
+            return false;
+    }, "Invalid VM %p", &vm);
+    return true;
+}
+
+#if COMPILER(MSVC) || !VA_OPT_SUPPORTED
+
+#define AUDIT_VERIFY(cond, format, ...) do { \
+        IA_ASSERT_WITH_ACTION(cond, { \
+            WTFLogAlways("    cell %p", cell); \
+            if (action == Action::LogAndCrash) \
+                RELEASE_ASSERT((cond), ##__VA_ARGS__); \
+            else \
+                return false; \
+        }, format, ##__VA_ARGS__); \
+    } while (false)
+
+#else // not (COMPILER(MSVC) || !VA_OPT_SUPPORTED)
+
+#define AUDIT_VERIFY(cond, format, ...) do { \
+        IA_ASSERT_WITH_ACTION(cond, { \
+            WTFLogAlways("    cell %p", cell); \
+            if (action == Action::LogAndCrash) \
+                RELEASE_ASSERT((cond) __VA_OPT__(,) __VA_ARGS__); \
+            else \
+                return false; \
+        }, format __VA_OPT__(,) __VA_ARGS__); \
+    } while (false)
+
+#endif // COMPILER(MSVC) || !VA_OPT_SUPPORTED
+
+bool Analyzer::analyzeCell(VM& vm, JSCell* cell, Analyzer::Action action)
+{
+    AUDIT_VERIFY(isSanePointer(cell), "cell %p cell.type %d", cell, cell->type());
+
+    size_t allocatorCellSize = 0;
+    if (cell->isPreciseAllocation()) {
+        PreciseAllocation& preciseAllocation = cell->preciseAllocation();
+        AUDIT_VERIFY(&preciseAllocation.vm() == &vm,
+            "cell %p cell.type %d preciseAllocation.vm %p vm %p", cell, cell->type(), &preciseAllocation.vm(), &vm);
+
+        bool isValidPreciseAllocation = false;
+        for (auto* i : vm.heap.objectSpace().preciseAllocations()) {
+            if (i == &preciseAllocation) {
+                isValidPreciseAllocation = true;
+                break;
+            }
+        }
+        AUDIT_VERIFY(isValidPreciseAllocation, "cell %p cell.type %d", cell, cell->type());
+
+        allocatorCellSize = preciseAllocation.cellSize();
+    } else {
+        MarkedBlock& block = cell->markedBlock();
+        MarkedBlock::Handle& blockHandle = block.handle();
+        AUDIT_VERIFY(&block.vm() == &vm,
+            "cell %p cell.type %d markedBlock.vm %p vm %p", cell, cell->type(), &block.vm(), &vm);
+
+        uintptr_t blockStartAddress = reinterpret_cast<uintptr_t>(blockHandle.start());
+        AUDIT_VERIFY(blockHandle.contains(cell),
+            "cell %p cell.type %d markedBlock.start %p markedBlock.end %p", cell, cell->type(), blockHandle.start(), blockHandle.end());
+
+        uintptr_t cellAddress = reinterpret_cast<uintptr_t>(cell);
+        uintptr_t cellOffset = cellAddress - blockStartAddress;
+        allocatorCellSize = block.cellSize();
+        bool cellIsProperlyAligned = !(cellOffset % allocatorCellSize);
+        AUDIT_VERIFY(cellIsProperlyAligned,
+            "cell %p cell.type %d allocator.cellSize %zu", cell, cell->type(), allocatorCellSize);
+    }
+
+    JSType cellType = cell->type();
+    if (cell->type() != JSImmutableButterflyType)
+        AUDIT_VERIFY(!Gigacage::contains(cell), "cell %p cell.type %d", cell, cellType);
+
+    WeakSet& weakSet = cell->cellContainer().weakSet();
+    AUDIT_VERIFY(!weakSet.m_allocator || isSanePointer(weakSet.m_allocator),
+        "cell %p cell.type %d weakSet.allocator %p", cell, cell->type(), weakSet.m_allocator);
+    AUDIT_VERIFY(!weakSet.m_nextAllocator || isSanePointer(weakSet.m_nextAllocator),
+        "cell %p cell.type %d weakSet.allocator %p", cell, cell->type(), weakSet.m_nextAllocator);
+
+    // If we're currently destructing the cell, then we can't rely on its
+    // structure being good. Skip the following tests which rely on structure.
+    if (vm.currentlyDestructingCallbackObject == cell)
+        return true;
+
+    auto structureID = cell->structureID();
+
+    Structure* structure = structureID.tryDecode();
+    AUDIT_VERIFY(structure,
+        "cell %p cell.type %d structureID.bits 0x%x", cell, cellType, structureID.bits());
+    if (action == Analyzer::Action::LogAndCrash) {
+        // structure should be pointing to readable memory. Force a read.
+        WTF::opaque(*bitwise_cast<uintptr_t*>(structure));
+    }
+
+    const ClassInfo* classInfo = structure->classInfoForCells();
+    AUDIT_VERIFY(cellType == structure->m_blob.type(),
+        "cell %p cell.type %d structureBlob.type %d", cell, cellType, structure->m_blob.type());
+
+    size_t size = cellSize(cell);
+    AUDIT_VERIFY(size <= allocatorCellSize,
+        "cell %p cell.type %d cell.size %zu allocator.cellSize %zu, classInfo.cellSize %u", cell, cellType, size, allocatorCellSize, classInfo->staticClassSize);
+    if (isDynamicallySizedType(cellType)) {
+        AUDIT_VERIFY(size >= classInfo->staticClassSize,
+            "cell %p cell.type %d cell.size %zu classInfo.cellSize %u", cell, cellType, size, classInfo->staticClassSize);
+    }
+
+    if (cell->isObject()) {
+        AUDIT_VERIFY(jsDynamicCast<JSObject*>(cell),
+            "cell %p cell.type %d", cell, cell->type());
+
+        if (Gigacage::isEnabled(Gigacage::JSValue)) {
+            JSObject* object = bitwise_cast<JSObject*>(cell);
+            const Butterfly* butterfly = object->butterfly();
+            AUDIT_VERIFY(!butterfly || Gigacage::isCaged(Gigacage::JSValue, butterfly),
+                "cell %p cell.type %d butterfly %p", cell, cell->type(), butterfly);
+        }
+    }
+
+    return true;
+}
+
+bool Analyzer::analyzeCell(JSCell* cell, Analyzer::Action action)
+{
+    if (!cell)
+        return cell;
+
+    JSValue value = JSValue::decode(static_cast<EncodedJSValue>(bitwise_cast<uintptr_t>(cell)));
+    AUDIT_VERIFY(value.isCell(), "Invalid cell address: cell %p", cell);
+
+    VM& vm = cell->vm();
+    analyzeVM(vm, action);
+    return analyzeCell(vm, cell, action);
+}
+
+#undef AUDIT_VERIFY
+
+VM* doAuditSlow(VM* vm)
+{
+    Analyzer::analyzeVM(*vm, Analyzer::Action::LogAndCrash);
+    return vm;
+}
+
+JSCell* doAudit(JSCell* cell)
+{
+    Analyzer::analyzeCell(cell, Analyzer::Action::LogAndCrash);
+    return cell;
+}
+
+JSCell* doAudit(VM& vm, JSCell* cell)
+{
+    if (!cell)
+        return cell;
+    Analyzer::analyzeCell(vm, cell, Analyzer::Action::LogAndCrash);
+    return cell;
+}
+
+bool verifyCell(JSCell* cell)
+{
+    bool valid = Analyzer::analyzeCell(cell, Analyzer::Action::LogOnly);
+    WTFLogAlways("Cell %p is %s", cell, valid ? "VALID" : "INVALID");
+    return valid;
+}
+
+bool verifyCell(VM& vm, JSCell* cell)
+{
+    bool valid = Analyzer::analyzeCell(vm, cell, Analyzer::Action::LogOnly);
+    WTFLogAlways("Cell %p is %s", cell, valid ? "VALID" : "INVALID");
+    return valid;
+}
+
+JSObject* doAudit(JSObject* object)
+{
+    if (!object)
+        return object;
+    JSCell* cell = doAudit(reinterpret_cast<JSCell*>(object));
+    IA_ASSERT(cell->isObject(), "Invalid JSObject %p", object);
+    return object;
+}
+
+JSGlobalObject* doAudit(JSGlobalObject* globalObject)
+{
+    doAudit(reinterpret_cast<JSCell*>(globalObject));
+    IA_ASSERT(globalObject->isGlobalObject(), "Invalid JSGlobalObject %p", globalObject);
+    return globalObject;
+}
+
+#endif // USE(JSVALUE64)
+
 } // namespace Integrity
 } // namespace JSC