Bug 182843

Summary: Objects that contain dangerous things should be allocated far away from objects that can do OOB
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 181636    
Attachments:
Description Flags
work in progress
none
the patch
none
the patch saam: review+

Filip Pizlo
Reported 2018-02-15 15:15:30 PST
Patch forthcoming.
Attachments
work in progress (25.31 KB, patch)
2018-02-15 15:19 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (30.58 KB, patch)
2018-02-15 18:24 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (35.38 KB, patch)
2018-02-15 18:31 PST, Filip Pizlo 		saam: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2018-02-15 15:19:09 PST
Created attachment 333956 [details] work in progress
Radar WebKit Bug Importer
Comment 2 2018-02-15 18:20:37 PST
<rdar://problem/37592039>
Filip Pizlo
Comment 3 2018-02-15 18:24:54 PST
Created attachment 333980 [details] the patch
Filip Pizlo
Comment 4 2018-02-15 18:31:11 PST
Created attachment 333982 [details] the patch
Saam Barati
Comment 5 2018-02-15 20:05:49 PST
Comment on attachment 333982 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=333982&action=review r=me > Source/JavaScriptCore/heap/SecurityKind.h:40 > + // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using SeparateBits => DangerousBits > Source/JavaScriptCore/heap/SecurityKind.h:44 > + // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other While true for SymbolObject, I think you mean Symbol here. SymbolObject is a wrapper over symbol (ditto below) > Source/JavaScriptCore/runtime/VM.h:333 > + CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries. Link to bug#?
Filip Pizlo
Comment 6 2018-02-15 20:28:06 PST
(In reply to Saam Barati from comment #5) > Comment on attachment 333982 [details] > the patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=333982&action=review > > r=me > > > Source/JavaScriptCore/heap/SecurityKind.h:40 > > + // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using > > SeparateBits => DangerousBits > > > Source/JavaScriptCore/heap/SecurityKind.h:44 > > + // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other > > While true for SymbolObject, I think you mean Symbol here. SymbolObject is a > wrapper over symbol (ditto below) Oh, oops! Fixed. > > > Source/JavaScriptCore/runtime/VM.h:333 > > + CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries. > > Link to bug#? https://bugs.webkit.org/show_bug.cgi?id=182858
Filip Pizlo
Comment 7 2018-02-15 21:27:58 PST
Landed in http://trac.webkit.org/changeset/228552/webkit
Note You need to log in before you can comment on or make changes to this bug.