Bug 182843 - Objects that contain dangerous things should be allocated far away from objects that can do OOB
Summary: Objects that contain dangerous things should be allocated far away from objec...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords: InRadar
Depends on:
Blocks: 181636
  Show dependency treegraph
 
Reported: 2018-02-15 15:15 PST by Filip Pizlo
Modified: 2018-02-15 21:27 PST (History)
6 users (show)

See Also:


Attachments
work in progress (25.31 KB, patch)
2018-02-15 15:19 PST, Filip Pizlo
no flags Details | Formatted Diff | Diff
the patch (30.58 KB, patch)
2018-02-15 18:24 PST, Filip Pizlo
no flags Details | Formatted Diff | Diff
the patch (35.38 KB, patch)
2018-02-15 18:31 PST, Filip Pizlo
sbarati: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2018-02-15 15:15:30 PST
Patch forthcoming.
Comment 1 Filip Pizlo 2018-02-15 15:19:09 PST
Created attachment 333956 [details]
work in progress
Comment 2 Radar WebKit Bug Importer 2018-02-15 18:20:37 PST
<rdar://problem/37592039>
Comment 3 Filip Pizlo 2018-02-15 18:24:54 PST
Created attachment 333980 [details]
the patch
Comment 4 Filip Pizlo 2018-02-15 18:31:11 PST
Created attachment 333982 [details]
the patch
Comment 5 Saam Barati 2018-02-15 20:05:49 PST
Comment on attachment 333982 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333982&action=review

r=me

> Source/JavaScriptCore/heap/SecurityKind.h:40
> +    // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using

SeparateBits => DangerousBits

> Source/JavaScriptCore/heap/SecurityKind.h:44
> +    // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other

While true for SymbolObject, I think you mean Symbol here. SymbolObject is a wrapper over symbol (ditto below)

> Source/JavaScriptCore/runtime/VM.h:333
> +    CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries.

Link to bug#?
Comment 6 Filip Pizlo 2018-02-15 20:28:06 PST
(In reply to Saam Barati from comment #5)
> Comment on attachment 333982 [details]
> the patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=333982&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/heap/SecurityKind.h:40
> > +    // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using
> 
> SeparateBits => DangerousBits
> 
> > Source/JavaScriptCore/heap/SecurityKind.h:44
> > +    // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other
> 
> While true for SymbolObject, I think you mean Symbol here. SymbolObject is a
> wrapper over symbol (ditto below)

Oh, oops!  Fixed.

> 
> > Source/JavaScriptCore/runtime/VM.h:333
> > +    CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries.
> 
> Link to bug#?

https://bugs.webkit.org/show_bug.cgi?id=182858
Comment 7 Filip Pizlo 2018-02-15 21:27:58 PST
Landed in http://trac.webkit.org/changeset/228552/webkit