[webkit-changes] [WebKit/WebKit] ee167b: [JSC] Don't use JSScope instances as `this` value ...
Commit Queue
noreply at github.com
Wed Oct 9 15:27:06 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ee167b8fe4fd234a33b2381640cba982fa6c7516
https://github.com/WebKit/WebKit/commit/ee167b8fe4fd234a33b2381640cba982fa6c7516
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2024-10-09 (Wed, 09 Oct 2024)
Changed paths:
M JSTests/stress/big-int-strict-spec-to-this.js
A JSTests/stress/evaluate-with-scope-extension.js
A JSTests/stress/global-object-accessor-property-this-value.js
A JSTests/stress/variable-named-eval.js
M LayoutTests/fast/dom/Window/dom-access-from-closure-iframe-expected.txt
M LayoutTests/fast/dom/Window/dom-access-from-closure-window-expected.txt
M LayoutTests/fast/dom/Window/dom-access-from-closure-window-with-gc-expected.txt
M LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt
M LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt
M LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt
M LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value-cross-realm-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any.serviceworker-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any.sharedworker-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any.worker-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/browsers/windows/embedded-opener-remove-frame-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/execution-timing/083-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/001_default-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/001_wss-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/002_default-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/002_wss-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/003-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/004-expected.txt
M LayoutTests/js/object-literal-shorthand-construction-expected.txt
M LayoutTests/js/script-tests/object-literal-shorthand-construction.js
M LayoutTests/storage/indexeddb/resources/crash-on-getdatabases.js
M Source/JavaScriptCore/API/APICallbackFunction.h
M Source/JavaScriptCore/API/JSBase.cpp
M Source/JavaScriptCore/API/JSCallbackObjectFunctions.h
M Source/JavaScriptCore/API/JSContextRef.cpp
M Source/JavaScriptCore/API/JSObjectRef.cpp
M Source/JavaScriptCore/API/JSScriptRef.cpp
M Source/JavaScriptCore/API/tests/testapi.c
M Source/JavaScriptCore/CMakeLists.txt
M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
M Source/JavaScriptCore/Sources.txt
M Source/JavaScriptCore/builtins/ProxyHelpers.js
M Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
M Source/JavaScriptCore/bytecode/BytecodeList.rb
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
M Source/JavaScriptCore/bytecode/SpeculatedType.cpp
M Source/JavaScriptCore/bytecode/SpeculatedType.h
R Source/JavaScriptCore/bytecode/ToThisStatus.cpp
R Source/JavaScriptCore/bytecode/ToThisStatus.h
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
M Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/dfg/DFGClobberize.h
M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGGraph.h
M Source/JavaScriptCore/dfg/DFGNode.h
M Source/JavaScriptCore/dfg/DFGOpInfo.h
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/dfg/DFGOperations.h
M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/generator/DSL.rb
M Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp
M Source/JavaScriptCore/interpreter/Interpreter.cpp
M Source/JavaScriptCore/jit/AssemblyHelpers.h
M Source/JavaScriptCore/jit/JITOpcodes.cpp
M Source/JavaScriptCore/jit/JITOperations.cpp
M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
M Source/JavaScriptCore/runtime/AsyncIteratorPrototype.cpp
M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
M Source/JavaScriptCore/runtime/Completion.cpp
M Source/JavaScriptCore/runtime/DatePrototype.cpp
M Source/JavaScriptCore/runtime/ErrorPrototype.cpp
M Source/JavaScriptCore/runtime/JSCJSValue.cpp
M Source/JavaScriptCore/runtime/JSCJSValue.h
M Source/JavaScriptCore/runtime/JSCJSValueInlines.h
M Source/JavaScriptCore/runtime/JSCast.h
M Source/JavaScriptCore/runtime/JSGlobalObject.h
M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
M Source/JavaScriptCore/runtime/JSIteratorPrototype.cpp
M Source/JavaScriptCore/runtime/JSObject.cpp
M Source/JavaScriptCore/runtime/JSObject.h
M Source/JavaScriptCore/runtime/JSScope.h
M Source/JavaScriptCore/runtime/JSType.h
M Source/JavaScriptCore/runtime/ObjectPrototype.cpp
M Source/JavaScriptCore/runtime/ProxyObject.cpp
M Source/JavaScriptCore/runtime/RegExpPrototype.cpp
M Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp
M Source/JavaScriptCore/runtime/StringPrototype.cpp
M Source/WebCore/bindings/js/JSDOMOperation.h
M Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h
M Source/WebCore/bindings/js/JSDOMWindowCustom.cpp
M Source/WebCore/bindings/js/JSErrorHandler.cpp
M Source/WebCore/bindings/js/JSEventTargetCustom.h
M Source/WebCore/bindings/js/ScheduledAction.cpp
M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
M Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp
M Source/WebCore/bindings/scripts/test/TestGlobalObject.idl
M Source/WebCore/html/HTMLMediaElement.cpp
Log Message:
-----------
[JSC] Don't use JSScope instances as `this` value when calling functions
https://bugs.webkit.org/show_bug.cgi?id=225397
<rdar://problem/77915872>
Reviewed by Yusuke Suzuki.
Over the past few years, we've been constantly encountering security vulnerabilities / spec compat issues
that arise due to the necessity of `ToThis` even in strict mode (which is a mode for all built-ins):
https://commits.webkit.org/229319@main
https://commits.webkit.org/259016@main
https://commits.webkit.org/272163@main (security)
https://commits.webkit.org/276104@main (security)
https://github.com/WebKit/WebKit/pull/22329 (caught during review)
`ToThis` in strict mode is very easy to miss because it doesn't make sense in terms of ECMA-262 spec.
Passing the resolved scope as `this` value is a sort of hack to support the `with` statement.
This change replaces the above-mentioned footgun with a `JSType` check of the resolved scope,
which is performed only inside `with` statement by making use of `TaintedByWithScopeLexicallyScopedFeature`,
and dramatically simplifies `ToThis`, which is now emitted only in sloppy mode.
The downside of this approach is that we need to ensure that every `JSC::call()` and `JSC::evaluate()`
is called with `JSGlobalProxy` as `this` value rather than raw global object, which is now enforced
by assertions and implemented with `wrapGlobalObject` helper.
Also, this change fixes minor ECMA-262 and WebIDL spec compat issues, like calling cross-realm getters
accessing `__proto__` from the scope.
This patch reduces 1 bytecode of every strict function, but adds 1 bytecode for every call from
scope, yet was proven to be neutral on JetStream3 and Speedometer3.
* JSTests/stress/big-int-strict-spec-to-this.js:
* JSTests/stress/evaluate-with-scope-extension.js: Added.
* JSTests/stress/global-object-accessor-property-this-value.js: Added.
* JSTests/stress/variable-named-eval.js: Added.
* LayoutTests/fast/dom/Window/dom-access-from-closure-iframe-expected.txt:
* LayoutTests/fast/dom/Window/dom-access-from-closure-window-expected.txt:
* LayoutTests/fast/dom/Window/dom-access-from-closure-window-with-gc-expected.txt:
* LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
* LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
* LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt:
* LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value-cross-realm-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any.serviceworker-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any.sharedworker-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any.worker-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/browsers/windows/embedded-opener-remove-frame-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/execution-timing/083-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/001_default-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/001_wss-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/002_default-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/002_wss-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/003-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/websockets/unload-a-document/004-expected.txt:
* LayoutTests/js/object-literal-shorthand-construction-expected.txt:
* LayoutTests/js/script-tests/object-literal-shorthand-construction.js:
(set 2):
(get 1):
* LayoutTests/storage/indexeddb/resources/crash-on-getdatabases.js:
(async testDoesNotCrash):
* Source/JavaScriptCore/API/APICallbackFunction.h:
(JSC::APICallbackFunction::callImpl):
* Source/JavaScriptCore/API/JSBase.cpp:
(JSEvaluateScriptInternal):
* Source/JavaScriptCore/API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::callImpl):
* Source/JavaScriptCore/API/JSContextRef.cpp:
(JSContextGetGlobalObject):
* Source/JavaScriptCore/API/JSObjectRef.cpp:
(JSObjectCallAsFunction):
* Source/JavaScriptCore/API/JSScriptRef.cpp:
* Source/JavaScriptCore/API/tests/testapi.c:
(main):
* Source/JavaScriptCore/CMakeLists.txt:
* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/builtins/ProxyHelpers.js:
(linkTimeConstant.performProxyObjectGet):
(linkTimeConstant.performProxyObjectGetByVal):
(linkTimeConstant.performProxyObjectSetSloppy):
(linkTimeConstant.performProxyObjectSetStrict):
(linkTimeConstant.performProxyObjectSetByValSloppy):
(linkTimeConstant.performProxyObjectSetByValStrict):
* Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h:
* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::finalizeLLIntInlineCaches):
* Source/JavaScriptCore/bytecode/SpeculatedType.cpp:
(JSC::speculationFromJSTypeRange):
* Source/JavaScriptCore/bytecode/SpeculatedType.h:
* Source/JavaScriptCore/bytecode/ToThisStatus.cpp: Removed.
* Source/JavaScriptCore/bytecode/ToThisStatus.h: Removed.
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitEqualityOpImpl):
(JSC::BytecodeGenerator::emitGetFunctionFromScope):
(JSC::BytecodeGenerator::isTaintedByWithScope const):
(JSC::BytecodeGenerator::emitIsCellWithType):
(JSC::BytecodeGenerator::emitToThis):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitToThis): Deleted.
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::TaggedTemplateNode::emitBytecode):
(JSC::EvalFunctionCallNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::BytecodeIntrinsicNode::emit_intrinsic_toThis): Deleted.
* Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::thisValue const):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::isToThisAnIdentity): Deleted.
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
(JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupToThis):
* Source/JavaScriptCore/dfg/DFGGraph.h:
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::queriedType):
(JSC::DFG::Node::speculatedTypeForQuery):
(JSC::DFG::Node::hasECMAMode):
(JSC::DFG::Node::ecmaMode):
(JSC::DFG::Node::hasSpeculatedTypeForQuery): Deleted.
* Source/JavaScriptCore/dfg/DFGOpInfo.h:
(JSC::DFG::OpInfo::OpInfo):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
(JSC::DFG::putDynamicVar):
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileToThis):
* Source/JavaScriptCore/generator/DSL.rb:
* Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::internalConstructorName):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCallImpl):
(JSC::Interpreter::executeEval):
* Source/JavaScriptCore/jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::isCellWithType):
* Source/JavaScriptCore/jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_is_cell_with_type):
(JSC::JIT::emit_op_to_this):
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/ArrayPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::createArrayIteratorObject):
* Source/JavaScriptCore/runtime/AsyncIteratorPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* Source/JavaScriptCore/runtime/Completion.cpp:
(JSC::evaluate):
(JSC::evaluateWithScopeExtension):
* Source/JavaScriptCore/runtime/DatePrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/ErrorPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSCJSValue.cpp:
(JSC::JSValue::toThisSloppySlowCase const): Deleted.
* Source/JavaScriptCore/runtime/JSCJSValue.h:
* Source/JavaScriptCore/runtime/JSCJSValueInlines.h:
(JSC::JSValue::toSloppyModeThis const):
(JSC::JSValue::toThis const): Deleted.
* Source/JavaScriptCore/runtime/JSCast.h:
(JSC::JSTypeRange::rawBits const):
(JSC::JSTypeRange::dump const):
(JSC::JSTypeRange::fromBits):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::wrapGlobalObject):
(JSC::JSScope::globalThis): Deleted.
* Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSIteratorPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::JSObject::setPrototypeWithCycleCheck):
* Source/JavaScriptCore/runtime/JSObject.h:
(JSC::JSObject::isStrictEvalActivation const): Deleted.
(JSC::JSObject::isEnvironment const): Deleted.
* Source/JavaScriptCore/runtime/JSScope.h:
* Source/JavaScriptCore/runtime/JSType.h:
* Source/JavaScriptCore/runtime/ObjectPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/ProxyObject.cpp:
(JSC::performProxyGet):
(JSC::ProxyObject::performPut):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/RegExpPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayEntry::put):
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::checkObjectCoercible):
* Source/WebCore/bindings/js/JSDOMOperation.h:
(WebCore::IDLOperation::call):
(WebCore::IDLOperation::cast): Deleted.
* Source/WebCore/bindings/js/JSDOMOperationReturningPromise.h:
(WebCore::IDLOperationReturningPromise::call):
(WebCore::IDLOperationReturningPromise::callReturningPromisePair):
(WebCore::IDLOperationReturningPromise::callReturningOwnPromise):
* Source/WebCore/bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSC_DEFINE_HOST_FUNCTION):
* Source/WebCore/bindings/js/JSErrorHandler.cpp:
(WebCore::JSErrorHandler::handleEvent):
* Source/WebCore/bindings/js/JSEventTargetCustom.h:
(WebCore::IDLOperation<JSEventTarget>::call):
* Source/WebCore/bindings/js/ScheduledAction.cpp:
(WebCore::ScheduledAction::execute):
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:
(GenerateAttributeSetterBodyDefinition):
* Source/WebCore/bindings/scripts/test/JS/JSTestGlobalObject.cpp:
(WebCore::jsTestGlobalObject_putForwardsAttributeGetter):
(WebCore::JSC_DEFINE_CUSTOM_GETTER):
(WebCore::setJSTestGlobalObject_putForwardsAttributeSetter):
(WebCore::JSC_DEFINE_CUSTOM_SETTER):
* Source/WebCore/bindings/scripts/test/TestGlobalObject.idl:
* Source/WebCore/html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::ensureMediaControls):
Canonical link: https://commits.webkit.org/284931@main
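The `this` rules that the log message above is about, written out as a small JavaScript example. This is added here and is not code from the commit or from WebKit; it relies only on ECMA-262 call semantics as observed from script, and uses `new Function` so the bodies are sloppy whether the file is loaded as CommonJS or as an ES module (`with` is a SyntaxError in strict code). The global name `__exampleAccessor` is a placeholder chosen for the example. It covers the cases the change distinguishes: a bare call in strict versus sloppy mode, a call resolved by identifier inside a `with` statement (where the with-object, not an internal scope, must be `this`), and a getter on the global object read through scope resolution.

```javascript
// Added example (not from the WebKit commit): observable `this` semantics for
// calls resolved through scope. Bodies are built with `new Function` so they
// are sloppy regardless of how this file is loaded (`with` would be a
// SyntaxError in module/strict code).

// A strict function called by bare identifier: `this` stays undefined.
const strictThis = new Function('"use strict"; return this;');
// A sloppy function called the same way: `this` is the global object
// (ToObject applied to undefined), never an environment record.
const sloppyThis = new Function('return this;');

// Calls `fn` through a declarative binding (`f` is a parameter), so the
// reference has no base object and the call receives `this` = undefined.
function thisForBareCall(fn) {
  const caller = new Function('f', 'return f();');
  return caller(fn);
}

// Calls `scope.f` by bare identifier inside `with (scope)`. The identifier
// resolves on the object environment record, so its with-base object becomes
// `this` for both strict and sloppy callees.
function thisForCallInsideWith(scope) {
  const caller = new Function('scope', 'with (scope) { return f(); }');
  return caller(scope);
}

// A getter installed on the global object and read by bare identifier:
// the global environment invokes it with the global object as receiver.
// `__exampleAccessor` is a constructed placeholder name.
function thisForGlobalAccessor() {
  Object.defineProperty(globalThis, '__exampleAccessor', {
    get() { return this; },
    configurable: true,
  });
  try {
    return new Function('return __exampleAccessor;')();
  } finally {
    delete globalThis.__exampleAccessor;
  }
}

// Maps an observed `this` value to a short label for reporting.
function describeThis(value, withObject) {
  if (value === undefined) return 'undefined';
  if (value === globalThis) return 'globalThis';
  if (value === withObject) return 'with-object';
  return 'unexpected: ' + typeof value;
}

// Runs every case and returns a label -> description map.
function summarize() {
  const scopeStrict = { f: strictThis };
  const scopeSloppy = { f: sloppyThis };
  return {
    'strict bare call': describeThis(thisForBareCall(strictThis)),
    'sloppy bare call': describeThis(thisForBareCall(sloppyThis)),
    'strict call inside with': describeThis(thisForCallInsideWith(scopeStrict), scopeStrict),
    'sloppy call inside with': describeThis(thisForCallInsideWith(scopeSloppy), scopeSloppy),
    'global accessor read': describeThis(thisForGlobalAccessor()),
  };
}

console.log(summarize());
```

The point of the `with` case is that the only legitimate object a callee may see as `this` from scope resolution is the with-object itself, which is the single situation the change keeps a runtime check for; every other scope-resolved call yields `undefined` (strict) or the global `this` (sloppy), so no engine-internal scope object should ever be observable from script.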