Poison small JSObject derivatives which only contain pointers

https://bugs.webkit.org/show_bug.cgi?id=181483
<rdar://problem/36407127>

Reviewed by Mark Lam.

Source/JavaScriptCore:

I wrote a script that finds interesting things to poison or
generally harden. These stood out because they derive from
JSObject and only contain a few pointer or pointer-like fields,
and could therefore just be poisoned. This also requires some
template "improvements" to our poisoning machinery. Worth noting
is that I'm making PoisonedUniquePtr move-assignable and
move-constructible from unique_ptr, which makes it a better
drop-in replacement because we don't need to use
makePoisonedUniquePtr. This means function-locals can be
unique_ptr and get the nice RAII pattern, and once the function is
done you can just move to the class' PoisonedUniquePtr without
worrying.

* API/JSAPIWrapperObject.h:
(JSC::JSAPIWrapperObject::wrappedObject):
* API/JSAPIWrapperObject.mm:
(JSC::JSAPIWrapperObject::JSAPIWrapperObject):
* API/JSCallbackObject.h:
* runtime/ArrayPrototype.h:
* runtime/DateInstance.h:
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::finishCreation):
(JSC::JSArrayBuffer::isShared const):
(JSC::JSArrayBuffer::sharingMode const):
* runtime/JSArrayBuffer.h:
* runtime/JSCPoison.h:

Source/WTF:

The associated JSC poisoning change requires some template
"improvements" to our poisoning machinery. Worth noting is that
I'm making PoisonedUniquePtr move-assignable and
move-constructible from unique_ptr, which makes it a better
drop-in replacement because we don't need to use
makePoisonedUniquePtr. This means function-locals can be
unique_ptr and get the nice RAII pattern, and once the function is
done you can just move to the class' PoisonedUniquePtr without
worrying.

* wtf/Poisoned.h:
(WTF::PoisonedImpl::PoisonedImpl):
* wtf/PoisonedUniquePtr.h:
(WTF::PoisonedUniquePtr::PoisonedUniquePtr):
(WTF::PoisonedUniquePtr::operator=):

Tools:

Test the new move-assign and move-copy from unique_ptr, as well as
nullptr_t ctors.

* TestWebKitAPI/Tests/WTF/Poisoned.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WTF/PoisonedUniquePtr.cpp:
(TestWebKitAPI::TEST):
* TestWebKitAPI/Tests/WTF/PoisonedUniquePtrForTriviallyDestructibleArrays.cpp:
(TestWebKitAPI::TEST):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@226752 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Author: [email protected]

Source/JavaScriptCore/API/JSAPIWrapperObject.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,8 +27,10 @@
 #define JSAPIWrapperObject_h
 
 #include "JSBase.h"
+#include "JSCPoison.h"
 #include "JSDestructibleObject.h"
 #include "WeakReferenceHarvester.h"
+#include <wtf/Poisoned.h>
 
 #if JSC_OBJC_API_ENABLED
 
@@ -41,14 +43,14 @@ class JSAPIWrapperObject : public JSDestructibleObject {
     void finishCreation(VM&);
     static void visitChildren(JSCell*, JSC::SlotVisitor&);
 
-    void* wrappedObject() { return m_wrappedObject; }
+    void* wrappedObject() { return m_wrappedObject.unpoisoned(); }
     void setWrappedObject(void*);
 
 protected:
     JSAPIWrapperObject(VM&, Structure*);
 
 private:
-    void* m_wrappedObject;
+    ConstExprPoisoned<JSAPIWrapperObjectPoison, void*> m_wrappedObject;
 };
 
 } // namespace JSC

Source/JavaScriptCore/API/JSAPIWrapperObject.mm

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -80,7 +80,6 @@
 
 JSAPIWrapperObject::JSAPIWrapperObject(VM& vm, Structure* structure)
     : Base(vm, structure)
-    , m_wrappedObject(0)
 {
 }
 

Source/JavaScriptCore/API/JSCallbackObject.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2007 Eric Seidel <[email protected]>
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27,10 +27,12 @@
 #ifndef JSCallbackObject_h
 #define JSCallbackObject_h
 
+#include "JSCPoison.h"
 #include "JSCPoisonedPtr.h"
 #include "JSObjectRef.h"
 #include "JSValueRef.h"
 #include "JSObject.h"
+#include <wtf/PoisonedUniquePtr.h>
 
 namespace JSC {
 
@@ -233,7 +235,7 @@ class JSCallbackObject : public Parent {
     static EncodedJSValue staticFunctionGetter(ExecState*, EncodedJSValue, PropertyName);
     static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
 
-    std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
+    WTF::PoisonedUniquePtr<JSCallbackObjectPoison, JSCallbackObjectData> m_callbackObjectData;
     PoisonedClassInfoPtr m_classInfo;
 };
 

Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,38 @@
+2018-01-10  JF Bastien  <[email protected]>
+
+        Poison small JSObject derivatives which only contain pointers
+        https://bugs.webkit.org/show_bug.cgi?id=181483
+        <rdar://problem/36407127>
+
+        Reviewed by Mark Lam.
+
+        I wrote a script that finds interesting things to poison or
+        generally harden. These stood out because they derive from
+        JSObject and only contain a few pointer or pointer-like fields,
+        and could therefore just be poisoned. This also requires some
+        template "improvements" to our poisoning machinery. Worth noting
+        is that I'm making PoisonedUniquePtr move-assignable and
+        move-constructible from unique_ptr, which makes it a better
+        drop-in replacement because we don't need to use
+        makePoisonedUniquePtr. This means function-locals can be
+        unique_ptr and get the nice RAII pattern, and once the function is
+        done you can just move to the class' PoisonedUniquePtr without
+        worrying.
+
+        * API/JSAPIWrapperObject.h:
+        (JSC::JSAPIWrapperObject::wrappedObject):
+        * API/JSAPIWrapperObject.mm:
+        (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
+        * API/JSCallbackObject.h:
+        * runtime/ArrayPrototype.h:
+        * runtime/DateInstance.h:
+        * runtime/JSArrayBuffer.cpp:
+        (JSC::JSArrayBuffer::finishCreation):
+        (JSC::JSArrayBuffer::isShared const):
+        (JSC::JSArrayBuffer::sharingMode const):
+        * runtime/JSArrayBuffer.h:
+        * runtime/JSCPoison.h:
+
 2018-01-10  Commit Queue  <[email protected]>
 
         Unreviewed, rolling out r226667 and r226673.

Source/JavaScriptCore/runtime/ArrayPrototype.h

@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten ([email protected])
- *  Copyright (C) 2007, 2011, 2015 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007-2018 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -21,6 +21,8 @@
 #pragma once
 
 #include "JSArray.h"
+#include "JSCPoison.h"
+#include <wtf/PoisonedUniquePtr.h>
 
 namespace JSC {
 
@@ -60,8 +62,8 @@ class ArrayPrototype : public JSArray {
 private:
     // This bit is set if any user modifies the constructor property Array.prototype. This is used to optimize species creation for JSArrays.
     friend ArrayPrototypeAdaptiveInferredPropertyWatchpoint;
-    std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
-    std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorSpeciesWatchpoint;
+    PoisonedUniquePtr<ArrayPrototypePoison, ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
+    PoisonedUniquePtr<ArrayPrototypePoison, ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorSpeciesWatchpoint;
 };
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncToString(ExecState*);

Source/JavaScriptCore/runtime/DateInstance.h

@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten ([email protected])
- *  Copyright (C) 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2008-2018 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -20,6 +20,7 @@
 
 #pragma once
 
+#include "JSCPoison.h"
 #include "JSWrapperObject.h"
 
 namespace JSC {
@@ -76,7 +77,7 @@ class DateInstance : public JSWrapperObject {
     JS_EXPORT_PRIVATE const GregorianDateTime* calculateGregorianDateTime(ExecState*) const;
     JS_EXPORT_PRIVATE const GregorianDateTime* calculateGregorianDateTimeUTC(ExecState*) const;
 
-    mutable RefPtr<DateInstanceData> m_data;
+    mutable PoisonedRefPtr<DateInstancePoison, DateInstanceData> m_data;
 };
 
 DateInstance* asDateInstance(JSValue);

Source/JavaScriptCore/runtime/JSArrayBuffer.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -46,8 +46,8 @@ void JSArrayBuffer::finishCreation(VM& vm, JSGlobalObject* globalObject)
 {
     Base::finishCreation(vm);
     // This probably causes GCs in the various VMs to overcount the impact of the array buffer.
-    vm.heap.addReference(this, m_impl);
-    vm.m_typedArrayController->registerWrapper(globalObject, m_impl, this);
+    vm.heap.addReference(this, impl());
+    vm.m_typedArrayController->registerWrapper(globalObject, impl(), this);
 }
 
 JSArrayBuffer* JSArrayBuffer::create(
@@ -70,12 +70,12 @@ Structure* JSArrayBuffer::createStructure(
 
 bool JSArrayBuffer::isShared() const
 {
-    return m_impl->isShared();
+    return impl()->isShared();
 }
 
 ArrayBufferSharingMode JSArrayBuffer::sharingMode() const
 {
-    return m_impl->sharingMode();
+    return impl()->sharingMode();
 }
 
 size_t JSArrayBuffer::estimatedSize(JSCell* cell)

Source/JavaScriptCore/runtime/JSArrayBuffer.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,7 +26,9 @@
 #pragma once
 
 #include "ArrayBuffer.h"
+#include "JSCPoison.h"
 #include "JSObject.h"
+#include <wtf/Poisoned.h>
 
 namespace JSC {
 
@@ -43,7 +45,7 @@ class JSArrayBuffer final : public JSNonFinalObject {
     // This function will register the new wrapper with the vm's TypedArrayController.
     JS_EXPORT_PRIVATE static JSArrayBuffer* create(VM&, Structure*, RefPtr<ArrayBuffer>&&);
 
-    ArrayBuffer* impl() const { return m_impl; }
+    ArrayBuffer* impl() const { return m_impl.unpoisoned(); }
 
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue prototype);
 
@@ -59,7 +61,7 @@ class JSArrayBuffer final : public JSNonFinalObject {
     static size_t estimatedSize(JSCell*);
 
 private:
-    ArrayBuffer* m_impl;
+    ConstExprPoisoned<JSArrayBufferPoison, ArrayBuffer*> m_impl;
 };
 
 inline ArrayBuffer* toPossiblySharedArrayBuffer(VM& vm, JSValue value)

Source/JavaScriptCore/runtime/JSCPoison.h

@@ -35,7 +35,12 @@ enum Poison {
     // Add new poison keys below in alphabetical order. The order doesn't really
     // matter, but we might as well keep them in alphabetically order for
     // greater readability.
+    ArrayPrototypePoison,
     CodeBlockPoison,
+    DateInstancePoison,
+    JSAPIWrapperObjectPoison,
+    JSArrayBufferPoison,
+    JSCallbackObjectPoison,
     JSGlobalObjectPoison,
     JSScriptFetchParametersPoison,
     JSScriptFetcherPoison,

Source/WTF/ChangeLog

@@ -1,3 +1,27 @@
+2018-01-10  JF Bastien  <[email protected]>
+
+        Poison small JSObject derivatives which only contain pointers
+        https://bugs.webkit.org/show_bug.cgi?id=181483
+        <rdar://problem/36407127>
+
+        Reviewed by Mark Lam.
+
+        The associated JSC poisoning change requires some template
+        "improvements" to our poisoning machinery. Worth noting is that
+        I'm making PoisonedUniquePtr move-assignable and
+        move-constructible from unique_ptr, which makes it a better
+        drop-in replacement because we don't need to use
+        makePoisonedUniquePtr. This means function-locals can be
+        unique_ptr and get the nice RAII pattern, and once the function is
+        done you can just move to the class' PoisonedUniquePtr without
+        worrying.
+
+        * wtf/Poisoned.h:
+        (WTF::PoisonedImpl::PoisonedImpl):
+        * wtf/PoisonedUniquePtr.h:
+        (WTF::PoisonedUniquePtr::PoisonedUniquePtr):
+        (WTF::PoisonedUniquePtr::operator=):
+
 2018-01-10  Don Olmstead  <[email protected]>
 
         Add nullptr_t specialization of poison