Changeset 294017 in webkit for trunk/Source/JavaScriptCore/tools/Integrity.h

Timestamp:

May 10, 2022, 2:55:45 PM (3 years ago)

Author:

[email protected]

Message:

Add optional Integrity checks at JSC API boundaries.
​https://bugs.webkit.org/show_bug.cgi?id=240264

Reviewed by Yusuke Suzuki.

1. Defined ENABLE_EXTRA_INTEGRITY_CHECKS in Integrity.h. JSC developers can enable this for their local build if they want to enable more prolific Integrity audits. This is disabled by default.

This feature is currently only supported for USE(JSVALUE64) targets.

The following changes only take effect if ENABLE(EXTRA_INTEGRITY_CHECKS) is enabled.
Otherwise, these are no-ops.

2. Added Integrity audits to all toJS and toRef conversion functions in APICast.h. This will help us detect if bad values are passed across the API boundary.

3. Added some Integrity audits in JSValue.mm where the APICast ones were insufficient.

The following changes are in effect even when ENABLE(EXTRA_INTEGRITY_CHECKS) is
disabled. Some of these were made to support ENABLE(EXTRA_INTEGRITY_CHECKS), and
some are just clean up in related code that I had to touch along the way.

4. Moved isSanePointer() to Integrity.h so that it can be used in more places.

5. Changed VM registration with the VMInspector so that it's registered earlier and removed later. Integrity audits may need to audit VM pointers while the VM is being constructed and destructed.

6. Added VM::m_isInService to track when the VM is fully constructed or about to be destructed since the VM is now registered with the VMInspector differently (see (4) above). Applied this check in places that need it.

7. Fixed VMInspector::isValidExecutableMemory() to check the ExecutableAllocator directly without iterating VMs (which is completely unnecessary).

8. Fixed VMInspector::isValidExecutableMemory() and VMInspector::codeBlockForMachinePC() to use AdoptLock. This fixes a race condition where the lock can be contended after ensureIsSafeToLock() succeeds.

9. Added VMInspector::isValidVM() to check if a VM pointer is registered or not. VMInspector caches the most recently added or found VM so that isValidVM() can just check the cache for its fast path.

10. Moved the implementation of VMInspector::verifyCell() to Integrity::analyzeCell()

and add more checks to it. VMInspector::verifyCell() now calls Integrity::verifyCell()
which uses Integrity::analyzeCell() to do the real cell analysis.

11. Also strengten Integrity::auditStructureID() so that it will check if a

Structure's memory has been released. This change is enabled on Debug builds
by default as well as when ENABLE(EXTRA_INTEGRITY_CHECKS). It is disabled
on Release builds.

• API/APICast.h:

(toJS):
(toJSForGC):
(uncheckedToJS):
(toRef):
(toGlobalRef):

• API/JSContext.mm:
• API/JSContextRef.cpp:
• API/JSScript.mm:
• API/JSValue.mm:

(ObjcContainerConvertor::convert):
(objectToValueWithoutCopy):
(objectToValue):

• API/JSVirtualMachine.mm:
• API/JSWeakPrivate.cpp:
• API/glib/JSCContext.cpp:
• API/glib/JSCWrapperMap.cpp:
• API/tests/JSObjectGetProxyTargetTest.cpp:
• bytecode/SpeculatedType.cpp:

(JSC::speculationFromCell):
(JSC::isSanePointer): Deleted.

• heap/HeapFinalizerCallback.cpp:
• heap/WeakSet.h:
• runtime/Structure.h:
• runtime/VM.cpp:

(JSC::VM::VM):
(JSC::VM::~VM):

• runtime/VM.h:

(JSC::VM::isInService const):

• tools/HeapVerifier.cpp:

(JSC::HeapVerifier::checkIfRecorded):

• tools/Integrity.cpp:

(JSC::Integrity::Random::reloadAndCheckShouldAuditSlow):
(JSC::Integrity::auditCellMinimallySlow):
(JSC::Integrity::doAudit):
(JSC::Integrity::Analyzer::analyzeVM):
(JSC::Integrity::Analyzer::analyzeCell):
(JSC::Integrity::doAuditSlow):
(JSC::Integrity::verifyCell):
(): Deleted.
(JSC::Integrity::auditCellFully): Deleted.

• tools/Integrity.h:

(JSC::isSanePointer):
(JSC::Integrity::auditCell):
(JSC::Integrity::audit):

• tools/IntegrityInlines.h:

(JSC::Integrity::auditCell):
(JSC::Integrity::auditCellFully):
(JSC::Integrity::auditStructureID):
(JSC::Integrity::doAudit):

• tools/VMInspector.cpp:

(JSC::VMInspector::add):
(JSC::VMInspector::remove):
(JSC::VMInspector::isValidVMSlow):
(JSC::VMInspector::dumpVMs):
(JSC::VMInspector::isValidExecutableMemory):
(JSC::VMInspector::codeBlockForMachinePC):
(JSC::ensureIsSafeToLock): Deleted.

• tools/VMInspector.h:

(JSC::VMInspector::isValidVM):
(): Deleted.
(JSC::VMInspector::unusedVerifier): Deleted.

• tools/VMInspectorInlines.h:

(JSC::VMInspector::verifyCell):
(JSC::VMInspector::verifyCellSize): Deleted.

File:

• trunk/Source/JavaScriptCore/tools/Integrity.h (modified) (4 diffs)

trunk/Source/JavaScriptCore/tools/Integrity.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2019-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2019-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26 +26 @@
 #pragma once
 
-#include "JSCJSValue.h"
-#include "StructureID.h"
-#include <wtf/Gigacage.h>
+#include <wtf/Assertions.h>
 #include <wtf/Lock.h>
 
+#if OS(DARWIN)
+#include <mach/vm_param.h>
+#endif
+
+#if USE(JSVALUE32)
+#define ENABLE_EXTRA_INTEGRITY_CHECKS 0 // Not supported.
+#else
+// Force ENABLE_EXTRA_INTEGRITY_CHECKS to 1 for your local build if you want
+// more prolific audits to be enabled.
+#define ENABLE_EXTRA_INTEGRITY_CHECKS 0
+#endif
+
+// From API/JSBase.h
+typedef const struct OpaqueJSContextGroup* JSContextGroupRef;
+typedef const struct OpaqueJSContext* JSContextRef;
+typedef struct OpaqueJSContext* JSGlobalContextRef;
+typedef struct OpaqueJSPropertyNameAccumulator* JSPropertyNameAccumulatorRef;
+typedef const struct OpaqueJSValue* JSValueRef;
+typedef struct OpaqueJSValue* JSObjectRef;
+
 namespace JSC {
 
 class JSCell;
+class JSGlobalObject;
+class JSObject;
+class JSValue;
+class Structure;
+class StructureID;
 class VM;
 
@@ -68 +91 @@
 };
 
+ALWAYS_INLINE static bool isSanePointer(const void* pointer)
+{
+#if CPU(ADDRESS64)
+    uintptr_t pointerAsInt = bitwise_cast<uintptr_t>(pointer);
+    uintptr_t canonicalPointerBits = pointerAsInt << (64 - OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH));
+    uintptr_t nonCanonicalPointerBits = pointerAsInt >> OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH);
+    return !nonCanonicalPointerBits && canonicalPointerBits;
+#else
+    UNUSED_PARAM(pointer);
+    return true;
+#endif
+}
+
+#if USE(JSVALUE64)
+
+class Analyzer {
+public:
+    enum Action { LogOnly, LogAndCrash };
+
+    static bool analyzeVM(VM&, Action);
+    static bool analyzeCell(VM&, JSCell*, Action);
+    static bool analyzeCell(JSCell*, Action);
+};
+
+JS_EXPORT_PRIVATE JSContextRef doAudit(JSContextRef);
+JS_EXPORT_PRIVATE JSGlobalContextRef doAudit(JSGlobalContextRef);
+JS_EXPORT_PRIVATE JSObjectRef doAudit(JSObjectRef);
+JS_EXPORT_PRIVATE JSValueRef doAudit(JSValueRef);
+
+JS_EXPORT_PRIVATE JSValue doAudit(JSValue);
+JS_EXPORT_PRIVATE JSCell* doAudit(JSCell*);
+JS_EXPORT_PRIVATE JSCell* doAudit(VM&, JSCell*);
+JS_EXPORT_PRIVATE JSObject* doAudit(JSObject*);
+JS_EXPORT_PRIVATE JSGlobalObject* doAudit(JSGlobalObject*);
+
+VM* doAudit(VM*); // see IntegrityInlines.h
+
+// These are used for debugging queries, and will not crash.
+JS_EXPORT_PRIVATE bool verifyCell(JSCell*);
+JS_EXPORT_PRIVATE bool verifyCell(VM&, JSCell*);
+
+#endif // USE(JSVALUE64)
+
 ALWAYS_INLINE void auditCellRandomly(VM&, JSCell*);
 ALWAYS_INLINE void auditCellMinimally(VM&, JSCell*);
 JS_EXPORT_PRIVATE void auditCellMinimallySlow(VM&, JSCell*);
-JS_EXPORT_PRIVATE void auditCellFully(VM&, JSCell*);
+ALWAYS_INLINE void auditCellFully(VM&, JSCell*);
 
 template<AuditLevel = AuditLevel::Random, typename T>
@@ -79 +145 @@
 ALWAYS_INLINE void auditCell(VM& vm, JSCell* cell)
 {
-    switch (auditLevel) {
-    case AuditLevel::None:
+    static_assert(auditLevel == AuditLevel::None || auditLevel == AuditLevel::Minimal || auditLevel == AuditLevel::Full || auditLevel == AuditLevel::Random);
+
+    UNUSED_PARAM(vm);
+    UNUSED_PARAM(cell);
+    if constexpr (auditLevel == AuditLevel::None)
         return;
-    case AuditLevel::Minimal:
+    if constexpr (auditLevel == AuditLevel::Minimal)
         return auditCellMinimally(vm, cell);
-    case AuditLevel::Full:
+    if constexpr (auditLevel == AuditLevel::Full)
         return auditCellFully(vm, cell);
-    case AuditLevel::Random:
+    if constexpr (auditLevel == AuditLevel::Random)
         return auditCellRandomly(vm, cell);
-    }
 }
 
 template<AuditLevel auditLevel = DefaultAuditLevel>
-ALWAYS_INLINE void auditCell(VM& vm, JSValue value)
-{
-    if (auditLevel == AuditLevel::None)
-        return;
-
-    if (value.isCell())
-        auditCell<auditLevel>(vm, value.asCell());
-}
+ALWAYS_INLINE void auditCell(VM&, JSValue);
 
 ALWAYS_INLINE void auditStructureID(StructureID);
 
+#if ENABLE(EXTRA_INTEGRITY_CHECKS) && USE(JSVALUE64)
+template<typename T> ALWAYS_INLINE T audit(T value) { return doAudit(value); }
+#else
+template<typename T> ALWAYS_INLINE T audit(T value) { return value; }
+#endif
+
+#if COMPILER(MSVC) || !VA_OPT_SUPPORTED
+
+#define IA_LOG(assertion, format, ...) do { \
+        WTFLogAlways("Integrity ERROR: %s @ %s:%d\n", #assertion, __FILE__, __LINE__); \
+        WTFLogAlways("    " format, ##__VA_ARGS__); \
+    } while (false)
+
+#define IA_ASSERT_WITH_ACTION(assertion, action, ...) do { \
+        if (UNLIKELY(!(assertion))) { \
+            IA_LOG(assertion, __VA_ARGS__); \
+            WTFReportBacktraceWithPrefix("    "); \
+            action; \
+        } \
+    } while (false)
+
+#define IA_ASSERT(assertion, ...) \
+    IA_ASSERT_WITH_ACTION(assertion, { \
+        RELEASE_ASSERT((assertion), ##__VA_ARGS__); \
+    }, ## __VA_ARGS__)
+
+#else // not (COMPILER(MSVC) || !VA_OPT_SUPPORTED)
+
+#define IA_LOG(assertion, format, ...) do { \
+        WTFLogAlways("Integrity ERROR: %s @ %s:%d\n", #assertion, __FILE__, __LINE__); \
+        WTFLogAlways("    " format __VA_OPT__(,) __VA_ARGS__); \
+    } while (false)
+
+#define IA_ASSERT_WITH_ACTION(assertion, action, ...) do { \
+        if (UNLIKELY(!(assertion))) { \
+            IA_LOG(assertion, __VA_ARGS__); \
+            WTFReportBacktraceWithPrefix("    "); \
+            action; \
+        } \
+    } while (false)
+
+#define IA_ASSERT(assertion, ...) \
+    IA_ASSERT_WITH_ACTION(assertion, { \
+        RELEASE_ASSERT((assertion) __VA_OPT__(,) __VA_ARGS__); \
+    } __VA_OPT__(,) __VA_ARGS__)
+
+#endif // COMPILER(MSVC) || !VA_OPT_SUPPORTED
+
 } // namespace Integrity