[webkit-changes] [WebKit/WebKit] 3a1c34: Add taintedness tracking to JSC
Keith Miller
noreply at github.com
Thu Sep 7 21:09:48 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3a1c346c2fdeb2cfa85ea094208e38b3cf786149
https://github.com/WebKit/WebKit/commit/3a1c346c2fdeb2cfa85ea094208e38b3cf786149
Author: Keith Miller <keith_miller at apple.com>
Date: 2023-09-07 (Thu, 07 Sep 2023)
Changed paths:
A JSTests/stress/taintedness-tracking-inlining.js
A JSTests/stress/taintedness-tracking.js
A LayoutTests/js/taintedness-innerhtml-expected.txt
A LayoutTests/js/taintedness-innerhtml.html
A LayoutTests/js/taintedness-settimeout-expected.txt
A LayoutTests/js/taintedness-settimeout.html
M Source/JavaScriptCore/API/JSBase.cpp
M Source/JavaScriptCore/API/JSObjectRef.cpp
M Source/JavaScriptCore/API/JSScript.mm
M Source/JavaScriptCore/API/JSScriptRef.cpp
M Source/JavaScriptCore/API/glib/JSCContext.cpp
M Source/JavaScriptCore/CMakeLists.txt
M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
M Source/JavaScriptCore/Scripts/wkbuiltins/builtins_templates.py
M Source/JavaScriptCore/Sources.txt
M Source/JavaScriptCore/builtins/BuiltinExecutables.cpp
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
M Source/JavaScriptCore/bytecode/CodeBlock.h
M Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/inspector/InjectedScriptManager.cpp
M Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp
M Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp
M Source/JavaScriptCore/interpreter/Interpreter.cpp
M Source/JavaScriptCore/interpreter/Interpreter.h
M Source/JavaScriptCore/jit/JITOpcodes.cpp
M Source/JavaScriptCore/jsc.cpp
M Source/JavaScriptCore/parser/SourceCode.h
M Source/JavaScriptCore/parser/SourceProvider.cpp
M Source/JavaScriptCore/parser/SourceProvider.h
A Source/JavaScriptCore/parser/SourceTaintedOrigin.cpp
A Source/JavaScriptCore/parser/SourceTaintedOrigin.h
M Source/JavaScriptCore/runtime/CachedTypes.cpp
M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
M Source/JavaScriptCore/runtime/Forward.h
M Source/JavaScriptCore/runtime/FunctionConstructor.cpp
M Source/JavaScriptCore/runtime/FunctionConstructor.h
M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
M Source/JavaScriptCore/runtime/ShadowRealmPrototype.cpp
M Source/JavaScriptCore/runtime/VM.h
M Source/JavaScriptCore/tools/FunctionOverrides.cpp
M Source/JavaScriptCore/tools/JSDollarVM.cpp
M Source/WebCore/bindings/js/CachedScriptSourceProvider.h
M Source/WebCore/bindings/js/JSLazyEventListener.cpp
M Source/WebCore/bindings/js/JSLazyEventListener.h
M Source/WebCore/bindings/js/RunJavaScriptParameters.h
M Source/WebCore/bindings/js/ScheduledAction.cpp
M Source/WebCore/bindings/js/ScheduledAction.h
M Source/WebCore/bindings/js/ScriptBufferSourceProvider.h
M Source/WebCore/bindings/js/ScriptController.cpp
M Source/WebCore/bindings/js/ScriptController.h
M Source/WebCore/bindings/js/ScriptSourceCode.h
M Source/WebCore/bridge/objc/WebScriptObject.mm
M Source/WebCore/contentextensions/ContentExtensionsBackend.cpp
M Source/WebCore/css/DOMCSSPaintWorklet.cpp
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/ScriptElement.cpp
M Source/WebCore/dom/ScriptElement.h
M Source/WebCore/html/HTMLMediaElement.cpp
M Source/WebCore/html/parser/HTMLScriptRunner.cpp
M Source/WebCore/inspector/InspectorFrontendAPIDispatcher.cpp
M Source/WebCore/inspector/InspectorFrontendHost.cpp
M Source/WebCore/inspector/agents/InspectorPageAgent.cpp
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/page/LocalFrame.cpp
M Source/WebCore/testing/Internals.cpp
M Source/WebCore/xml/XMLTreeViewer.cpp
M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
M Source/WebKit/DerivedSources-output.xcfilelist
M Source/WebKit/UIProcess/API/C/WKPage.cpp
M Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm
M Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp
M Source/WebKit/UIProcess/Inspector/socket/RemoteInspectorProtocolHandler.cpp
M Source/WebKitLegacy/mac/WebView/WebFrame.mm
M Source/WebKitLegacy/mac/WebView/WebView.mm
Log Message:
-----------
Add taintedness tracking to JSC
https://bugs.webkit.org/show_bug.cgi?id=242537
rdar://83222586
Reviewed by Yusuke Suzuki.
This patch adds the core structure of what's needed to do taintedness tracking in JSC.
This allows us to track tainted code even through eval assuming there isn't support
from untainted code. In order to maintain performance of untainted code we add a bit
to the VM which tells us if tainted code has run this event loop turn. This allows
checkers of taintedness to skip a stack walk in the common case where there's no tainted
code running.
* JSTests/stress/taintedness-tracking-inlining.js: Added.
(foo):
(setTimeout):
* JSTests/stress/taintedness-tracking.js: Added.
(check):
(callArg):
(Promise.resolve.then):
(setTimeout):
(let.evalFunc.vm.runTaintedString):
(setTimeout.globalThis.foo.set bar):
* LayoutTests/js/taintedness-innerhtml-expected.txt: Added.
* LayoutTests/js/taintedness-innerhtml.html: Added.
* LayoutTests/js/taintedness-settimeout-expected.txt: Added.
* LayoutTests/js/taintedness-settimeout.html: Added.
* Source/JavaScriptCore/API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
* Source/JavaScriptCore/API/JSObjectRef.cpp:
(JSObjectMakeFunction):
* Source/JavaScriptCore/API/JSScript.mm:
(-[JSScript sourceCode]):
* Source/JavaScriptCore/API/JSScriptRef.cpp:
* Source/JavaScriptCore/API/glib/JSCContext.cpp:
(jsc_context_check_syntax):
* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Scripts/wkbuiltins/builtins_templates.py:
(BuiltinsGeneratorTemplates):
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::BuiltinExecutables):
(JSC::BuiltinExecutables::defaultConstructorSourceCode):
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* Source/JavaScriptCore/bytecode/CodeBlock.h:
(JSC::CodeBlock::couldBeTainted const):
* Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::evaluateWithScopeExtension):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::inliningCost):
* Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileEntry):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
* Source/JavaScriptCore/inspector/InjectedScriptManager.cpp:
* Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
* Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::parse):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::eval):
(JSC::Interpreter::executeProgram):
* Source/JavaScriptCore/interpreter/Interpreter.h:
* Source/JavaScriptCore/jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_enter):
* Source/JavaScriptCore/jsc.cpp:
(GlobalObject::moduleLoaderFetch):
(JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/parser/SourceCode.h:
(JSC::makeSource):
* Source/JavaScriptCore/parser/SourceProvider.cpp:
(JSC::SourceProvider::SourceProvider):
(JSC::BaseWebAssemblySourceProvider::BaseWebAssemblySourceProvider):
* Source/JavaScriptCore/parser/SourceProvider.h:
(JSC::SourceProvider::setSourceTaintedOrigin):
(JSC::SourceProvider::sourceTaintedOrigin const):
(JSC::SourceProvider::couldBeTainted const):
(JSC::StringSourceProvider::create):
(JSC::StringSourceProvider::StringSourceProvider):
* Source/JavaScriptCore/parser/SourceTaintedOrigin.cpp: Added.
(JSC::sourceTaintedOriginToString):
(JSC::sourceTaintedOriginFromStack):
(JSC::computeNewSourceTaintedOriginFromStack):
* Source/JavaScriptCore/parser/SourceTaintedOrigin.h: Added.
(JSC::taintednessToTriState):
* Source/JavaScriptCore/runtime/CachedTypes.cpp:
(JSC::CachedSourceProviderShape::encode):
(JSC::CachedSourceProviderShape::decode const):
(JSC::CachedStringSourceProvider::decode const):
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* Source/JavaScriptCore/runtime/Forward.h:
* Source/JavaScriptCore/runtime/FunctionConstructor.cpp:
(JSC::constructFunction):
(JSC::constructFunctionSkippingEvalEnabledCheck):
* Source/JavaScriptCore/runtime/FunctionConstructor.h:
* Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/ShadowRealmPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/VM.h:
(JSC::VM::mightBeExecutingTaintedCode const):
(JSC::VM::addressOfMightBeExecutingTaintedCode):
(JSC::VM::setMightBeExecutingTaintedCode):
(JSC::VM::finalizeSynchronousJSExecution):
* Source/JavaScriptCore/tools/FunctionOverrides.cpp:
(JSC::initializeOverrideInfo):
* Source/JavaScriptCore/tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSDollarVM::finishCreation):
* Source/WebCore/bindings/js/CachedScriptSourceProvider.h:
(WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider):
* Source/WebCore/bindings/js/JSLazyEventListener.cpp:
(WebCore::JSLazyEventListener::JSLazyEventListener):
(WebCore::JSLazyEventListener::initializeJSFunction const):
* Source/WebCore/bindings/js/JSLazyEventListener.h:
* Source/WebCore/bindings/js/RunJavaScriptParameters.h:
(WebCore::RunJavaScriptParameters::RunJavaScriptParameters):
(WebCore::RunJavaScriptParameters::encode const):
(WebCore::RunJavaScriptParameters::decode):
* Source/WebCore/bindings/js/ScheduledAction.cpp:
(WebCore::ScheduledAction::ScheduledAction):
(WebCore::ScheduledAction::execute):
* Source/WebCore/bindings/js/ScheduledAction.h:
* Source/WebCore/bindings/js/ScriptBufferSourceProvider.h:
* Source/WebCore/bindings/js/ScriptController.cpp:
(WebCore::ScriptController::executeScriptIgnoringException):
(WebCore::ScriptController::executeScriptInWorldIgnoringException):
(WebCore::ScriptController::executeScriptInWorld):
(WebCore::ScriptController::callInWorld):
(WebCore::ScriptController::executeUserAgentScriptInWorld):
(WebCore::ScriptController::executeJavaScriptURL):
* Source/WebCore/bindings/js/ScriptController.h:
* Source/WebCore/bindings/js/ScriptSourceCode.h:
(WebCore::ScriptSourceCode::ScriptSourceCode):
* Source/WebCore/bridge/objc/WebScriptObject.mm:
(-[WebScriptObject evaluateWebScript:]):
* Source/WebCore/contentextensions/ContentExtensionsBackend.cpp:
(WebCore::ContentExtensions::ContentExtensionsBackend::processContentRuleListsForLoad):
* Source/WebCore/css/DOMCSSPaintWorklet.cpp:
(WebCore::PaintWorklet::addModule):
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::ensurePlugInsInjectedScript):
* Source/WebCore/dom/ScriptElement.cpp:
(WebCore::ScriptElement::ScriptElement):
(WebCore::ScriptElement::prepareScript):
(WebCore::ScriptElement::requestModuleScript):
(WebCore::ScriptElement::executePendingScript):
* Source/WebCore/dom/ScriptElement.h:
(WebCore::ScriptElement::sourceTaintedOrigin const):
* Source/WebCore/html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::ensureMediaControls):
* Source/WebCore/html/parser/HTMLScriptRunner.cpp:
(WebCore::HTMLScriptRunner::runScript):
* Source/WebCore/inspector/InspectorFrontendAPIDispatcher.cpp:
(WebCore::InspectorFrontendAPIDispatcher::evaluateExpression):
* Source/WebCore/inspector/InspectorFrontendHost.cpp:
(WebCore::InspectorFrontendHost::evaluateScriptInExtensionTab):
* Source/WebCore/inspector/agents/InspectorPageAgent.cpp:
(WebCore::InspectorPageAgent::didClearWindowObjectInWorld):
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::handleContentFilterDidBlock):
* Source/WebCore/page/LocalFrame.cpp:
(WebCore::LocalFrame::injectUserScriptImmediately):
* Source/WebCore/testing/Internals.cpp:
(WebCore::Internals::evaluateInWorldIgnoringException):
* Source/WebCore/xml/XMLTreeViewer.cpp:
(WebCore::XMLTreeViewer::transformDocumentToTreeView):
* Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLDocumentParser::endElementNs):
* Source/WebKit/DerivedSources-output.xcfilelist:
* Source/WebKit/UIProcess/API/C/WKPage.cpp:
(WKPageRunJavaScriptInMainFrame):
* Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _evaluateJavaScript:asAsyncFunction:withSourceURL:withArguments:forceUserGesture:inFrame:inWorld:completionHandler:]):
* Source/WebKitLegacy/mac/WebView/WebFrame.mm:
(-[WebFrame _stringByEvaluatingJavaScriptFromString:forceUserGesture:]):
* Source/WebKitLegacy/mac/WebView/WebView.mm:
(-[WebView aeDescByEvaluatingJavaScriptFromString:]):
Canonical link: https://commits.webkit.org/267765@main
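The design described in the log message (tainted source origins that propagate through eval, plus a per-turn VM bit that lets taint checkers skip the stack walk when no tainted code has run) is illustrated below by an added, constructed JavaScript model. It is not code from the commit or from JSC; the class names, the taint labels, the "any tainted frame on the stack makes the new source tainted" rule, and the scenario are assumptions made for this example.

```javascript
// Constructed model of JSC-style taintedness tracking across eval.
// Illustrative only: not JSC's implementation. The taint labels, class
// names and the "any tainted frame on the stack" rule are assumptions.
const Taint = Object.freeze({ Untainted: "untainted", Tainted: "tainted" });

class SourceProvider {
  constructor(source, taintedOrigin) {
    this.source = source;
    this.taintedOrigin = taintedOrigin;
  }
  couldBeTainted() { return this.taintedOrigin === Taint.Tainted; }
}

class VM {
  constructor() {
    this.stack = [];                          // one SourceProvider per active frame
    this.mightBeExecutingTaintedCode = false; // "tainted code ran this turn" bit
    this.stackWalks = 0;                      // counts slow-path walks, for the demo
  }

  // Run a body (a JS function standing in for compiled code) as a frame.
  // Entering a frame whose source could be tainted marks the turn dirty.
  run(provider, body) {
    this.stack.push(provider);
    if (provider.couldBeTainted())
      this.mightBeExecutingTaintedCode = true;
    try { return body(this); }
    finally { this.stack.pop(); }
  }

  // Taint origin for source created at runtime (eval, Function, setTimeout(string)).
  // Fast path: if no tainted code has run this turn, skip the stack walk entirely.
  computeNewSourceTaintedOriginFromStack() {
    if (!this.mightBeExecutingTaintedCode)
      return Taint.Untainted;
    this.stackWalks++;
    return this.stack.some(p => p.couldBeTainted()) ? Taint.Tainted : Taint.Untainted;
  }

  // eval: the new source inherits its taint from the calling stack, then runs.
  // Without a body, the evaluated "code" just reports its own taint origin.
  eval(source, body) {
    const provider = new SourceProvider(source, this.computeNewSourceTaintedOriginFromStack());
    return this.run(provider, () => (body ? body(this) : provider.taintedOrigin));
  }

  // Called when a synchronous JS execution finishes (end of the event-loop turn).
  finalizeSynchronousJSExecution() {
    if (this.stack.length === 0)
      this.mightBeExecutingTaintedCode = false;
  }
}

// Scenario (constructed): an untainted page script and a script whose source
// came from an innerHTML-style sink (tainted), each calling eval, over three turns.
function demo() {
  const vm = new VM();
  const pageScript = new SourceProvider("page.js", Taint.Untainted);
  const injected = new SourceProvider("script inserted via innerHTML", Taint.Tainted);
  const helper = new SourceProvider("helper.js", Taint.Untainted);
  const result = {};

  // Turn 1: only untainted code runs; eval stays untainted and no walk happens.
  result.untaintedEval = vm.run(pageScript, v => v.eval("x + 1"));
  result.walksAfterTurn1 = vm.stackWalks;
  vm.finalizeSynchronousJSExecution();

  // Turn 2: tainted code evals directly, and also evals through an untainted helper.
  result.taintedEval = vm.run(injected, v => v.eval("y * 2"));
  result.evalViaHelper = vm.run(injected, v => v.run(helper, w => w.eval("z - 3")));
  result.bitDuringTurn2 = vm.mightBeExecutingTaintedCode;
  result.walksAfterTurn2 = vm.stackWalks;
  vm.finalizeSynchronousJSExecution();

  // Turn 3: back to untainted code; the cleared bit restores the fast path.
  result.bitAfterTurn2 = vm.mightBeExecutingTaintedCode;
  result.untaintedEvalAgain = vm.run(pageScript, v => v.eval("x + 2"));
  result.walksAfterTurn3 = vm.stackWalks;
  return result;
}
```

The point the model makes is the one the log message states: the stack walk only happens in turns where tainted code has actually executed, so untainted pages pay nothing beyond a flag test, while eval called by (or on behalf of) tainted code still yields tainted source. Clearing the bit at the end of the synchronous execution is what keeps one tainted turn from slowing down later ones.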