Bug 182843 - Objects that contain dangerous things should be allocated far away from objects that can do OOB
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords: InRadar
Depends on:
Blocks: 181636
Reported: 2018-02-15 15:15 PST by Filip Pizlo
Modified: 2018-02-15 21:27 PST

Attachments
work in progress (25.31 KB, patch)
2018-02-15 15:19 PST, Filip Pizlo
no flags
the patch (30.58 KB, patch)
2018-02-15 18:24 PST, Filip Pizlo
no flags
the patch (35.38 KB, patch)
2018-02-15 18:31 PST, Filip Pizlo
saam: review+

Description Filip Pizlo 2018-02-15 15:15:30 PST
Patch forthcoming.
Comment 1 Filip Pizlo 2018-02-15 15:19:09 PST
Created attachment 333956 [details]
work in progress
Comment 2 Radar WebKit Bug Importer 2018-02-15 18:20:37 PST
<rdar://problem/37592039>
Comment 3 Filip Pizlo 2018-02-15 18:24:54 PST
Created attachment 333980 [details]
the patch
Comment 4 Filip Pizlo 2018-02-15 18:31:11 PST
Created attachment 333982 [details]
the patch
Comment 5 Saam Barati 2018-02-15 20:05:49 PST
Comment on attachment 333982 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333982&action=review

r=me

> Source/JavaScriptCore/heap/SecurityKind.h:40
> +    // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using

SeparateBits => DangerousBits

> Source/JavaScriptCore/heap/SecurityKind.h:44
> +    // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other

While true for SymbolObject, I think you mean Symbol here. SymbolObject is a wrapper over symbol (ditto below)

> Source/JavaScriptCore/runtime/VM.h:333
> +    CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries.

Link to bug#?
Comment 6 Filip Pizlo 2018-02-15 20:28:06 PST
(In reply to Saam Barati from comment #5)
> Comment on attachment 333982 [details]
> the patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=333982&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/heap/SecurityKind.h:40
> > +    // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using
> 
> SeparateBits => DangerousBits
> 
> > Source/JavaScriptCore/heap/SecurityKind.h:44
> > +    // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other
> 
> While true for SymbolObject, I think you mean Symbol here. SymbolObject is a
> wrapper over symbol (ditto below)

Oh, oops!  Fixed.

> 
> > Source/JavaScriptCore/runtime/VM.h:333
> > +    CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries.
> 
> Link to bug#?

https://bugs.webkit.org/show_bug.cgi?id=182858
Comment 7 Filip Pizlo 2018-02-15 21:27:58 PST
Landed in http://trac.webkit.org/changeset/228552/webkit