WebAssembly: poison JS object's secrets

https://bugs.webkit.org/show_bug.cgi?id=181339
<rdar://problem/36325001>

Reviewed by Mark Lam.

Source/JavaScriptCore:

Separating WebAssembly's JS objects from their non-JS
implementation means that all interesting information lives
outside of the JS object itself. This patch poisons each JS
object's pointer to non-JS implementation using the poisoning
mechanism and a unique key per JS object type origin.

* runtime/JSCPoison.h:
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
object in a stack slot when fast TLS is disabled. This requires
that we unpoison the Wasm::Instance.
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyInstance.h:
(JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
be explicit that the pointer is poisoned.
* wasm/js/JSWebAssemblyMemory.h:
* wasm/js/JSWebAssemblyModule.h:
* wasm/js/JSWebAssemblyTable.h:

Source/WTF:

swapping a poisoned pointer with a non-poisoned one (as is done in
JSWebAssembyMemory::adopt) was missing.

* wtf/Poisoned.h:
(WTF::PoisonedImpl::swap):
(WTF::ConstExprPoisonedPtrTraits::swap):

Tools:

Update tests for swap(Poisoned<k, T>, T*)

* TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WTF/Poisoned.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WTF/PoisonedRef.cpp:
(TestWebKitAPI::TEST):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@226485 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Author: [email protected]

Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,30 @@
+2018-01-05  JF Bastien  <[email protected]>
+
+        WebAssembly: poison JS object's secrets
+        https://bugs.webkit.org/show_bug.cgi?id=181339
+        <rdar://problem/36325001>
+
+        Reviewed by Mark Lam.
+
+        Separating WebAssembly's JS objects from their non-JS
+        implementation means that all interesting information lives
+        outside of the JS object itself. This patch poisons each JS
+        object's pointer to non-JS implementation using the poisoning
+        mechanism and a unique key per JS object type origin.
+
+        * runtime/JSCPoison.h:
+        * wasm/js/JSToWasm.cpp:
+        (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS
+        object in a stack slot when fast TLS is disabled. This requires
+        that we unpoison the Wasm::Instance.
+        * wasm/js/JSWebAssemblyCodeBlock.h:
+        * wasm/js/JSWebAssemblyInstance.h:
+        (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to
+        be explicit that the pointer is poisoned.
+        * wasm/js/JSWebAssemblyMemory.h:
+        * wasm/js/JSWebAssemblyModule.h:
+        * wasm/js/JSWebAssemblyTable.h:
+
 2018-01-05  Michael Saboff  <[email protected]>
 
         Add ability to disable indexed property masking for testing

Source/JavaScriptCore/runtime/JSCPoison.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -31,6 +31,11 @@ namespace JSC {
 
 enum Poison {
     NotPoisoned = 0,
+    JSWebAssemblyCodeBlockPoison,
+    JSWebAssemblyInstancePoison,
+    JSWebAssemblyMemoryPoison,
+    JSWebAssemblyModulePoison,
+    JSWebAssemblyTablePoison,
     TransitionMapPoison,
     WeakImplPoison,
 };

Source/JavaScriptCore/wasm/js/JSToWasm.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -117,7 +117,9 @@ std::unique_ptr<InternalFunction> createJSToWasmWrapper(CompilationContext& comp
         // Wasm::Context*'s instance.
         if (!Context::useFastTLS()) {
             jit.loadPtr(CCallHelpers::Address(GPRInfo::callFrameRegister, jsOffset), wasmContextInstanceGPR);
-            jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfInstance()), wasmContextInstanceGPR);
+            jit.loadPtr(CCallHelpers::Address(wasmContextInstanceGPR, JSWebAssemblyInstance::offsetOfPoisonedInstance()), wasmContextInstanceGPR);
+            jit.move(CCallHelpers::TrustedImm64(makeConstExprPoison(JSWebAssemblyInstancePoison)), scratchReg);
+            jit.xor64(scratchReg, wasmContextInstanceGPR);
             jsOffset += sizeof(EncodedJSValue);
         }
 

Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,6 +28,7 @@
 #if ENABLE(WEBASSEMBLY)
 
 #include "CallLinkInfo.h"
+#include "JSCPoison.h"
 #include "JSCell.h"
 #include "PromiseDeferredTimer.h"
 #include "Structure.h"
@@ -36,6 +37,7 @@
 #include "WasmFormat.h"
 #include "WasmModule.h"
 #include <wtf/Bag.h>
+#include <wtf/Ref.h>
 #include <wtf/Vector.h>
 
 namespace JSC {
@@ -90,7 +92,7 @@ class JSWebAssemblyCodeBlock final : public JSCell {
         void finalizeUnconditionally() override;
     };
 
-    Ref<Wasm::CodeBlock> m_codeBlock;
+    PoisonedRef<JSWebAssemblyCodeBlockPoison, Wasm::CodeBlock> m_codeBlock;
     Vector<MacroAssemblerCodeRef> m_wasmToJSExitStubs;
     UnconditionalFinalizer m_unconditionalFinalizer;
     Bag<CallLinkInfo> m_callLinkInfos;

Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,12 +27,14 @@
 
 #if ENABLE(WEBASSEMBLY)
 
+#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "JSWebAssemblyCodeBlock.h"
 #include "JSWebAssemblyMemory.h"
 #include "JSWebAssemblyTable.h"
 #include "WasmInstance.h"
+#include <wtf/Ref.h>
 
 namespace JSC {
 
@@ -74,7 +76,7 @@ class JSWebAssemblyInstance : public JSDestructibleObject {
         instance().setTable(makeRef(*table()->table()));
     }
 
-    static size_t offsetOfInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
+    static size_t offsetOfPoisonedInstance() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_instance); }
     static size_t offsetOfCallee() { return OBJECT_OFFSETOF(JSWebAssemblyInstance, m_callee); }
 
 protected:
@@ -86,7 +88,7 @@ class JSWebAssemblyInstance : public JSDestructibleObject {
 private:
     JSWebAssemblyModule* module() const { return m_module.get(); }
 
-    Ref<Wasm::Instance> m_instance;
+    PoisonedRef<JSWebAssemblyInstancePoison, Wasm::Instance> m_instance;
 
     WriteBarrier<JSWebAssemblyModule> m_module;
     WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlock;

Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,9 +27,11 @@
 
 #if ENABLE(WEBASSEMBLY)
 
+#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "WasmMemory.h"
+#include <wtf/Ref.h>
 #include <wtf/RefPtr.h>
 
 namespace JSC {
@@ -65,9 +67,9 @@ class JSWebAssemblyMemory : public JSDestructibleObject {
     static void destroy(JSCell*);
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    Ref<Wasm::Memory> m_memory;
+    PoisonedRef<JSWebAssemblyMemoryPoison, Wasm::Memory> m_memory;
     WriteBarrier<JSArrayBuffer> m_bufferWrapper;
-    RefPtr<ArrayBuffer> m_buffer;
+    PoisonedRefPtr<JSWebAssemblyMemoryPoison, ArrayBuffer> m_buffer;
 };
 
 } // namespace JSC

Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,13 +27,15 @@
 
 #if ENABLE(WEBASSEMBLY)
 
+#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "UnconditionalFinalizer.h"
 #include "WasmMemoryMode.h"
 #include <wtf/Bag.h>
 #include <wtf/Expected.h>
 #include <wtf/Forward.h>
+#include <wtf/Ref.h>
 #include <wtf/text/WTFString.h>
 
 namespace JSC {
@@ -79,7 +81,7 @@ class JSWebAssemblyModule : public JSDestructibleObject {
     static void destroy(JSCell*);
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    Ref<Wasm::Module> m_module;
+    PoisonedRef<JSWebAssemblyModulePoison, Wasm::Module> m_module;
     WriteBarrier<SymbolTable> m_exportSymbolTable;
     WriteBarrier<JSWebAssemblyCodeBlock> m_codeBlocks[Wasm::NumberOfMemoryModes];
     WriteBarrier<WebAssemblyToJSCallee> m_callee;

Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,13 +27,15 @@
 
 #if ENABLE(WEBASSEMBLY)
 
+#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "JSObject.h"
 #include "WasmLimits.h"
 #include "WasmTable.h"
 #include "WebAssemblyWrapperFunction.h"
 #include "WebAssemblyFunction.h"
 #include <wtf/MallocPtr.h>
+#include <wtf/Ref.h>
 
 namespace JSC {
 
@@ -63,7 +65,7 @@ class JSWebAssemblyTable : public JSDestructibleObject {
     static void destroy(JSCell*);
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    Ref<Wasm::Table> m_table;
+    PoisonedRef<JSWebAssemblyTablePoison, Wasm::Table> m_table;
     MallocPtr<WriteBarrier<JSObject>> m_jsFunctions;
 };
 

Source/WTF/ChangeLog

@@ -1,3 +1,18 @@
+2018-01-05  JF Bastien  <[email protected]>
+
+        WebAssembly: poison JS object's secrets
+        https://bugs.webkit.org/show_bug.cgi?id=181339
+        <rdar://problem/36325001>
+
+        Reviewed by Mark Lam.
+
+        swapping a poisoned pointer with a non-poisoned one (as is done in
+        JSWebAssembyMemory::adopt) was missing.
+
+        * wtf/Poisoned.h:
+        (WTF::PoisonedImpl::swap):
+        (WTF::ConstExprPoisonedPtrTraits::swap):
+
 2018-01-05  David Kilzer  <[email protected]>
 
         Re-enable -Wcast-qual in WebCore for Apple ports

Source/WTF/wtf/Poisoned.h

@@ -182,6 +182,13 @@ class PoisonedImpl {
         o = t2;
     }
 
+    void swap(T& t2)
+    {
+        T t1 = this->unpoisoned();
+        std::swap(t1, t2);
+        m_poisonedBits = poison(t1);
+    }
+
     template<class U>
     T exchange(U&& newValue)
     {
@@ -212,6 +219,12 @@ inline void swap(PoisonedImpl<K1, k1, T1>& a, PoisonedImpl<K2, k2, T2>& b)
     a.swap(b);
 }
 
+template<typename K1, K1 k1, typename T1>
+inline void swap(PoisonedImpl<K1, k1, T1>& a, T1& b)
+{
+    a.swap(b);
+}
+
 WTF_EXPORT_PRIVATE uintptr_t makePoison();
 
 inline constexpr uintptr_t makeConstExprPoison(uint32_t key)
@@ -241,6 +254,9 @@ struct ConstExprPoisonedPtrTraits {
 
     template<class U> static ALWAYS_INLINE T* exchange(StorageType& ptr, U&& newValue) { return ptr.exchange(newValue); }
 
+    template<typename K1, K1 k1, typename T1>
+    static ALWAYS_INLINE void swap(PoisonedImpl<K1, k1, T1>& a, T1& b) { a.swap(b); }
+
     template<typename K1, K1 k1, typename T1, typename K2, K2 k2, typename T2>
     static ALWAYS_INLINE void swap(PoisonedImpl<K1, k1, T1>& a, PoisonedImpl<K2, k2, T2>& b) { a.swap(b); }
 
@@ -252,5 +268,5 @@ struct ConstExprPoisonedPtrTraits {
 using WTF::ConstExprPoisoned;
 using WTF::Poisoned;
 using WTF::PoisonedBits;
+using WTF::makeConstExprPoison;
 using WTF::makePoison;
-

Tools/ChangeLog

@@ -1,3 +1,20 @@
+2018-01-05  JF Bastien  <[email protected]>
+
+        WebAssembly: poison JS object's secrets
+        https://bugs.webkit.org/show_bug.cgi?id=181339
+        <rdar://problem/36325001>
+
+        Reviewed by Mark Lam.
+
+        Update tests for swap(Poisoned<k, T>, T*)
+
+        * TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp:
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/Tests/WTF/Poisoned.cpp:
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/Tests/WTF/PoisonedRef.cpp:
+        (TestWebKitAPI::TEST):
+
 2018-01-05  Wenson Hsieh  <[email protected]>
 
         REGRESSION(r226396) DataInteractionTests: ContentEditableToContentEditable and ContentEditableToTextarea are failing

Tools/TestWebKitAPI/Tests/WTF/ConstExprPoisoned.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -337,6 +337,30 @@ TEST(WTF_ConstExprPoisoned, Swap)
         ASSERT_TRUE(p1.bits() == p3.bits());
         ASSERT_TRUE(p2.bits() != p4.bits());
     }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+        RefLogger* p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2);
+        swap(p1, p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2);
+
+        ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+    }
+
+    {
+        ConstExprPoisoned<PoisonA, RefLogger*> p1(&a);
+        RefLogger* p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2);
+        p1.swap(p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2);
+
+        ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+    }
 }
 
 static ConstExprPoisoned<PoisonA, RefLogger*> poisonedPtrFoo(RefLogger& logger)

Tools/TestWebKitAPI/Tests/WTF/Poisoned.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -376,6 +376,32 @@ TEST(WTF_Poisoned, Swap)
         ASSERT_TRUE(p2.bits() != p4.bits());
 #endif
     }
+
+#if ENABLE(MIXED_POISON)
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+        RefLogger* p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2);
+        swap(p1, p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2);
+
+        ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+    }
+
+    {
+        Poisoned<g_testPoisonA, RefLogger*> p1(&a);
+        RefLogger* p2(&b);
+        ASSERT_EQ(&a, p1.unpoisoned());
+        ASSERT_EQ(&b, p2);
+        p1.swap(p2);
+        ASSERT_EQ(&b, p1.unpoisoned());
+        ASSERT_EQ(&a, p2);
+
+        ASSERT_TRUE(p1.bits() != bitwise_cast<uintptr_t>(p2));
+    }
+#endif
 }
 
 static Poisoned<g_testPoisonA, RefLogger*> poisonedPtrFoo(RefLogger& logger)