[webkit-changes] [WebKit/WebKit] 15477a: Make sensitive jsc global namespace properties not...

Commit Queue noreply at github.com
Sun Oct 22 20:54:15 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 15477a1fd6b58f51f29ef8ee00e63b139ce49fb1
      https://github.com/WebKit/WebKit/commit/15477a1fd6b58f51f29ef8ee00e63b139ce49fb1
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2023-10-22 (Sun, 22 Oct 2023)

  Changed paths:
    M Source/JavaScriptCore/CMakeLists.txt
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/Sources.txt
    M Source/JavaScriptCore/jsc.cpp
    A Source/JavaScriptCore/runtime/SideDataRepository.cpp
    A Source/JavaScriptCore/runtime/SideDataRepository.h
    M Source/JavaScriptCore/runtime/VM.cpp
    M Source/JavaScriptCore/runtime/VM.h
    M Source/JavaScriptCore/runtime/VMInlines.h

  Log Message:
  -----------
  Make sensitive jsc global namespace properties not enumerable by Object.getOwnPropertyNames.
https://bugs.webkit.org/show_bug.cgi?id=263506
rdar://112815258

Reviewed by Alexey Shvayka and Justin Michaud.

Some functions in the jsc shell GlobalObject are only added as debugging aids.  They are meant
to be used carefully under controlled conditions for test development.  Though they are added
as DontEnum, Object.getOwnPropertyNames() still enumerates them.  We should filter out all
DontEnum properties of this GlobalObject so as not to trip up fuzzers that try to fuzz with
Object.getOwnPropertyNames.

Achieving this turned out to be somewhat challenging for the following reasons:
1. We want the jsc shell's GlobalObject to be allocated out of the same IsoHeap as JSGlobalObject.
2. To achieve (1), we cannot change the size of GlobalObject i.e. we cannot add a field.
3. In order to filter out the sensitive properties, we need to maintain a copy of this list of
   properties somewhere. We can't stash it in the GlobalObject.
4. The list consists of UniquedStringImpl pointers.  So, strictly speaking, we can stash it with
   the VM because UniquedStringImpls are unique to each VM.  However, this is an issue with the
   jsc shell's GlobalObject.  The jsc shell is but 1 client of the JSC framework.   We don't want
   the VM to have specific knowledge about the jsc shell.

To solve this, we're introducing a SideDataRepository that can be used to associate some side
data with some owner.  In this case, the owner here is the VM.  This SideDataRepository will also
come in handy for stashing side data for other slow or rarely used features that we don't want to
bloat commonly used data structures for.  For example, JIT comments could have been stashed as
side data.  JIT probe backing data can be stashed as side data.  For now, we're only using it to
store jsc shell's GlobalObject's property filter list.

We're still adding a VM::m_hasSideData bool so that we can optimize the VM destructor to avoid
checking for the need to clean up side data if none was ever added.

* Source/JavaScriptCore/CMakeLists.txt:
* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/jsc.cpp:
* Source/JavaScriptCore/runtime/SideDataRepository.cpp: Added.
(JSC::SideDataRepository::add):
(JSC::SideDataRepository::deleteAll):
(JSC::sideDataRepository):
* Source/JavaScriptCore/runtime/SideDataRepository.h: Added.
(JSC::SideDataRepository::ensure):
* Source/JavaScriptCore/runtime/VM.cpp:
(JSC::VM::~VM):
* Source/JavaScriptCore/runtime/VM.h:
* Source/JavaScriptCore/runtime/VMInlines.h:
(JSC::VM::ensureSideData):

Canonical link: https://commits.webkit.org/269639@main
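As an added example (not WebKit's code), the following JavaScript shows the behaviour the commit message describes: a property defined as DontEnum (enumerable: false) is skipped by Object.keys but still returned by Object.getOwnPropertyNames, and a Proxy ownKeys trap is one way to apply a filter so such names never reach an enumeration-driven fuzzer. The shell global and the names print and debugHelper are constructed stand-ins.

```javascript
// Added example, not WebKit code: "DontEnum" corresponds to enumerable: false.

// Constructed stand-in for a shell global object. Property names are hypothetical.
function makeShellGlobal() {
  const g = {};
  // Ordinary shell function: visible to every form of enumeration.
  Object.defineProperty(g, "print", {
    value: () => {}, enumerable: true, writable: true, configurable: true,
  });
  // Debugging aid registered as DontEnum, like the jsc shell helpers.
  Object.defineProperty(g, "debugHelper", {
    value: () => {}, enumerable: false, writable: true, configurable: true,
  });
  return g;
}

// What for-in / Object.keys see: only enumerable own string keys.
function enumerableNames(obj) {
  return Object.keys(obj);
}

// What Object.getOwnPropertyNames sees: every own string key, DontEnum included.
// This is the call that would expose the debugging aids to a fuzzer.
function ownNames(obj) {
  return Object.getOwnPropertyNames(obj);
}

// Filter: drop every DontEnum own property from key enumeration while leaving
// direct access by name intact. The filter lives in the handler rather than on
// the object itself, mirroring the commit's point that the filter list cannot
// be stored in the GlobalObject.
// Proxy invariant: ownKeys may omit a key only if the target property is
// configurable, which is why the debugging aid above is defined configurable: true.
function hideNonEnumerable(target) {
  return new Proxy(target, {
    ownKeys(t) {
      return Reflect.ownKeys(t).filter((key) => {
        const desc = Object.getOwnPropertyDescriptor(t, key);
        return desc !== undefined && desc.enumerable;
      });
    },
  });
}
```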
