| Field | Value |
|---|---|
| Summary | Objects that contain dangerous things should be allocated far away from objects that can do OOB |
| Product | WebKit |
| Component | JavaScriptCore |
| Reporter | Filip Pizlo <fpizlo> |
| Assignee | Filip Pizlo <fpizlo> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| CC | ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer |
| Keywords | InRadar |
| Version | WebKit Nightly Build |
| Hardware | All |
| OS | All |
| Bug Depends on | |
| Bug Blocks | 181636 |
| Attachments | |
Description
Filip Pizlo
2018-02-15 15:15:30 PST
Created attachment 333956 [details]
work in progress

Created attachment 333980 [details]
the patch

Created attachment 333982 [details]
the patch

Comment 5 (Saam Barati)

Comment on attachment 333982 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333982&action=review

r=me

> Source/JavaScriptCore/heap/SecurityKind.h:40
> +    // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using

SeparateBits => DangerousBits

> Source/JavaScriptCore/heap/SecurityKind.h:44
> +    // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other

While true for SymbolObject, I think you mean Symbol here. SymbolObject is a wrapper over symbol (ditto below)

> Source/JavaScriptCore/runtime/VM.h:333
> +    CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries.

Link to bug#?

Reply to comment 5

(In reply to Saam Barati from comment #5)
> Comment on attachment 333982 [details]
> the patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=333982&action=review
>
> r=me
>
> > Source/JavaScriptCore/heap/SecurityKind.h:40
> > +    // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using
>
> SeparateBits => DangerousBits
>
> > Source/JavaScriptCore/heap/SecurityKind.h:44
> > +    // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other
>
> While true for SymbolObject, I think you mean Symbol here. SymbolObject is a
> wrapper over symbol (ditto below)

Oh, oops! Fixed.

> > Source/JavaScriptCore/runtime/VM.h:333
> > +    CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries.
>
> Link to bug#?

https://bugs.webkit.org/show_bug.cgi?id=182858