[webkit-changes] [WebKit/WebKit] b40b23: Bindings integrity logic depends on incorrect beha...
Oliver Hunt
noreply at github.com
Thu May 16 13:03:39 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b40b23ef5c8b1e86efd379f753d142ec778584a2
https://github.com/WebKit/WebKit/commit/b40b23ef5c8b1e86efd379f753d142ec778584a2
Author: Oliver Hunt <oliver at apple.com>
Date: 2024-05-16 (Thu, 16 May 2024)
Changed paths:
M Source/WTF/wtf/PointerPreparations.h
M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
M Source/WebCore/bindings/scripts/test/JS/JSExposedStar.cpp
M Source/WebCore/bindings/scripts/test/JS/JSExposedToWorkerAndWindow.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestAsyncIterable.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestAsyncKeyValueIterable.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestCallTracer.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestConditionalIncludes.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestConditionallyReadWrite.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestDefaultToJSON.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestDefaultToJSONFilteredByExposed.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestDelegateToSharedSyntheticAttribute.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestDomainSecurity.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestEnabledBySetting.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestEnabledForContext.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestGenerateAddOpaqueRoot.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestLegacyFactoryFunction.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestLegacyNoInterfaceObject.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestLegacyOverrideBuiltIns.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestMapLike.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestMapLikeWithOverriddenOperations.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterNoIdentifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterThrowingException.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterWithIdentifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterWithIndexedGetter.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterCallWith.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterNoIdentifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterWithIdentifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyOverrideBuiltIns.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeableProperties.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeablePropertiesAndLegacyOverrideBuiltIns.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestNode.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestOperationConditional.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestPromiseRejectionEvent.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestReadOnlyMapLike.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestReadOnlySetLike.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestReportExtraMemoryCost.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestScheduledAction.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestSetLike.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestSetLikeWithOverriddenOperations.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestStringContext.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestStringifier.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestStringifierAnonymousOperation.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestStringifierNamedOperation.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestStringifierOperationImplementedAs.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestStringifierOperationNamedToString.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestStringifierReadOnlyAttribute.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestStringifierReadWriteAttribute.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestTaggedWrapper.cpp
M Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp
Log Message:
-----------
Bindings integrity logic depends on incorrect behavior of constexpr if
https://bugs.webkit.org/show_bug.cgi?id=274202
rdar://128006867
Reviewed by Chris Dumez.
The existing code generated for the bindings attempts to use
`if constexpr (std::is_polymorphic_v<Type>)` to gate access to an
object's vtable pointer if the object does not have a vtable. Due
to a bug in clang this was historically allowed. However the actual
spec behavior of `if constexpr` requires that all contained code
that does not make use of a dependent type or value be semantically
valid regardless of whether the condition is true or false. e.g.
void *v = nullptr;
if constexpr (false) {
v++;
}
is invalid even though the body is never evaluated.
To deal with this particular issue what this patch does is have codegen
introduce a new `verifyVTable` function of the form
template <typename T> void verifyVTable(const ImplType *) {
if constexpr (std::is_polymorphic_v<T>) {
...
}
}
That is then called from the toJS functions as
verifyVTable<ImplType>(impl.get());
This code obviously appears silly as we will only ever be evaluating
`void verifyVTable(const ImplType *)` with T==ImplType, but it satisfies
the requirement that the constexpr evaluation involves a dependent type
or value. In an ideal world there would be a mechanism to get the vtable
for a type, which would allow us to have a single generic function, but
alas there is not, so we cannot.
* Source/WTF/wtf/PointerPreparations.h:
(WTF::getVTablePointer):
Add enable_if guards on the getVTablePointer functions so that the same
ensuring the `if constexpr` path fails in existing compilers
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
Change the codegen to introduce and call the intermediate verifyVTable
function.
* Source/WebCore/bindings/scripts/test/JS/JSExposedStar.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSExposedToWorkerAndWindow.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestAsyncIterable.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestAsyncKeyValueIterable.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestCEReactions.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestCallTracer.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestConditionalIncludes.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestConditionallyReadWrite.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestDefaultToJSON.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestDefaultToJSONFilteredByExposed.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestDelegateToSharedSyntheticAttribute.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestDomainSecurity.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestEnabledBySetting.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestEnabledForContext.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestGenerateAddOpaqueRoot.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestIterable.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestLegacyFactoryFunction.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestLegacyNoInterfaceObject.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestLegacyOverrideBuiltIns.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestMapLike.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestMapLikeWithOverriddenOperations.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterNoIdentifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterThrowingException.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterWithIdentifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterWithIndexedGetter.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterCallWith.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterNoIdentifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterWithIdentifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyOverrideBuiltIns.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeableProperties.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeablePropertiesAndLegacyOverrideBuiltIns.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestNode.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestOperationConditional.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestPromiseRejectionEvent.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestReadOnlyMapLike.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestReadOnlySetLike.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestReportExtraMemoryCost.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestScheduledAction.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestSetLike.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestSetLikeWithOverriddenOperations.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestStringContext.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestStringifier.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestStringifierAnonymousOperation.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestStringifierNamedOperation.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestStringifierOperationImplementedAs.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestStringifierOperationNamedToString.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestStringifierReadOnlyAttribute.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestStringifierReadWriteAttribute.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestTaggedWrapper.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
* Source/WebCore/bindings/scripts/test/JS/JSTestTypedefs.cpp:
(WebCore::verifyVTable):
(WebCore::toJSNewlyCreated):
Canonical link: https://commits.webkit.org/278886@main