[webkit-changes] [WebKit/WebKit] e354c8: [JSC] Wasm objects must succeed allocation

Yusuke Suzuki noreply at github.com
Fri Jan 31 15:16:56 PST 2025 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e354c87747e7d6e8bae3c35e3a383e688a0cfed2
      https://github.com/WebKit/WebKit/commit/e354c87747e7d6e8bae3c35e3a383e688a0cfed2
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2025-01-31 (Fri, 31 Jan 2025)

  Changed paths:
    M LayoutTests/http/tests/security/contentSecurityPolicy/WebAssembly-blocked-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/WebAssembly-blocked-in-subframe-expected.txt
    M Source/JavaScriptCore/jsc.cpp
    M Source/JavaScriptCore/wasm/WasmOperations.cpp
    M Source/JavaScriptCore/wasm/WasmOperationsInlines.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyGlobal.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyGlobal.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyGlobalConstructor.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyTableConstructor.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  [JSC] Wasm objects must succeed allocation
https://bugs.webkit.org/show_bug.cgi?id=286712
rdar://143850092

Reviewed by Mark Lam.

1. These objects are fixed-sized. Thus it must succeed the allocation.
   We should not have weird tryCreate to mark it faillable.
2. Many wasm objects creation failed when wasm is disabled via CSP.
   But this code is totally wrong. CSP spec is putting a limitation to
   wasm code generation (So, it is right for JSWebAssemblyInstance), but
   failing allocation for random wasm related objects (Wasm Table,
   Memory, Global) are spec violation. We removed these incorrect code
   and make these allocation always succeed.
3. We also make RTT type ownership more explicit.

* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperationsInlines.h:
(JSC::Wasm::fillArray):
(JSC::Wasm::arrayNew):
(JSC::Wasm::copyElementsInReverse):
(JSC::Wasm::arrayNewFixed):
(JSC::Wasm::createArrayFromDataSegment):
(JSC::Wasm::arrayNewData):
(JSC::Wasm::arrayNewElem):
(JSC::Wasm::structNew):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.cpp:
(JSC::JSWebAssemblyArray::JSWebAssemblyArray):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyGlobal.cpp:
(JSC::JSWebAssemblyGlobal::create):
(JSC::JSWebAssemblyGlobal::tryCreate): Deleted.
* Source/JavaScriptCore/wasm/js/JSWebAssemblyGlobal.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::tryCreate):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.cpp:
(JSC::JSWebAssemblyMemory::create):
(JSC::JSWebAssemblyMemory::tryCreate): Deleted.
* Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.cpp:
(JSC::JSWebAssemblyStruct::JSWebAssemblyStruct):
(JSC::JSWebAssemblyStruct::create):
(JSC::JSWebAssemblyStruct::tryCreate): Deleted.
* Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::create):
(JSC::JSWebAssemblyTable::tryCreate): Deleted.
* Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::create):
(JSC::WebAssemblyFunction::WebAssemblyFunction):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.cpp:
(JSC::WebAssemblyGCObjectBase::WebAssemblyGCObjectBase):
* Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyGlobalConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::initializeExports):
* Source/JavaScriptCore/wasm/js/WebAssemblyTableConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.cpp:
(JSC::WebAssemblyWrapperFunction::create):
* Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h:

Canonical link: https://commits.webkit.org/289638@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list