Closed Bug 1466118 Opened 7 years ago Closed 7 years ago

Audit/fix assertSameCompartment calls for same-compartment realms

Categories

(Core :: JavaScript Engine, enhancement, P3)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox63 --- fixed

People

(Reporter: jandem, Assigned: jandem)

References

Details

Attachments

(9 files)

Part 1 - Use variadic templates for assertSameCompartment functions
4.18 KB, patch
luke
: review+
Details | Diff | Splinter Review
Part 2 - Replace releaseAssertSameCompartment with JSContext::releaseCheck
3.82 KB, patch
luke
: review+
Details | Diff | Splinter Review
Part 3 - Replace assertSameCompartmentDebugOnly with JSContext::debugOnlyCheck
8.89 KB, patch
luke
: review+
Details | Diff | Splinter Review
Part 4 - Replace assertSameCompartment with JSContext::check
130.20 KB, patch
luke
: review+
Details | Diff | Splinter Review
Part 5 - Replace assertSameCompartmentImpl with JSContext::checkImpl
3.41 KB, patch
luke
: review+
Details | Diff | Splinter Review
Part 6 - Rename CompartmentChecker to ContextChecks and support realm checks
7.11 KB, patch
luke
: review+
Details | Diff | Splinter Review
Part 7 - Avoid a TLS lookup for each compartment check
1.81 KB, patch
jonco
: review+
Details | Diff | Splinter Review
Part 8 - Change compartment check to realm check for JSScript and AbstractFramePtr
1.92 KB, patch
luke
: review+
Details | Diff | Splinter Review
Part 9 - Some more cleanup
4.18 KB, patch
luke
: review+
Details | Diff | Splinter Review
These should still hold, but some of them should be changed to assert same-realm instead, a stronger invariant. We should try to come up with a nice API for this. Especially scripts will usually be same-realm so it would be nice if we could default to realm asserts for those somehow, but I haven't really thought about it yet. (Also, I've always wanted to s/assertSameCompartment/AssertSameCompartment/ - not trivial because js::AssertSameCompartment exists as friend API...)
Thinking about it more, assertSameCompartment is already a misnomer, because for strings it checks the zone and for atoms/symbols it checks whether their mark bit is set in the current Zone, completely unrelated to compartments. One option is to do something like this: class ContextAsserts { private: JSContext* cx_; public: explicit ContextAsserts(cx); ContextAsserts& checkRealm(realm); ContextAsserts& checkCompartment(compartment); ContextAsserts& checkZone(zone); ContextAsserts& checkAtom(atom or symbol); // These forward to one of the above. ContextAsserts& checkRealm(script); ContextAsserts& checkCompartment(object); ContextAsserts& checkRealm(object); // maybe // These forward to one of the above, depending on what's in them. ContextAsserts& check(string); ContextAsserts& check(Value); ContextAsserts& check(jsid); ... maybe some templated variants that accept multiple arguments, for convenience ... }; Then for a typical SetProperty with obj/id/val arguments, we can do: ContextAsserts(cx).checkCompartment(obj).check(id, val); Another option is to also add check(obj) and have it default to checkCompartment(obj), so then it's just: ContextAsserts(cx).check(obj, id, val); Similarly, check(script) could default to checkRealm(script). You could still override this default for objects/scripts etc by calling checkRealm/checkCompartment/checkZone explicitly.
Any thoughts on the design in comment 1 and the options mentioned there? Just to avoid writing a patch for this and then rewriting it after review :)
Flags: needinfo?(luke)
Sorry for the delayed feedback! IIUC, the only case where there is any choice in whether to check same-realm vs. same-compartment is object, with same-compartment being the default/normal case. Given that, what about: cx->check(anything1, anything2, ...) and using variadics and overloading to do the right thing. In the rare case of asserting same-object-realm, perhaps just MOZ_ASSERT(cx->realm() == obj->realm()) is better since it calls out the special case where we have, or rely on, a tighter invariant than the default one.
Flags: needinfo?(luke)
That's nice and simple and close to what we already have, so WFM. Thanks!
This also removes the START_ASSERT_SAME_COMPARTMENT macro :)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #9002715 - Flags: review?(luke)
Just a small optimization.
Attachment #9002721 - Flags: review?(jcoppeard)
I verified compartment checks still work correctly with these patches (by adding cx->check(obj) and similar to Compartment::wrap).
Attachment #9002721 - Flags: review?(jcoppeard) → review+
Comment on attachment 9002715 [details] [diff] [review] Part 1 - Use variadic templates for assertSameCompartment functions Review of attachment 9002715 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/JSContext-inl.h @@ +180,5 @@ > + // depends on other objects not having been swept yet. > + if (JS::RuntimeHeapIsCollecting()) > + return; > + CompartmentChecker c(cx); > + c.check(t1, argIndex); I don't know how widely the release compartment asserts are used, but I wonder if there's any perf benefit to having a single RuntimeHeapIsCollecting() check and CompartmentChecker object created at the root of the recursive call and having the CompartmentChecker passed downward via reference.
Attachment #9002715 - Flags: review?(luke) → review+
Attachment #9002716 - Flags: review?(luke) → review+
Comment on attachment 9002717 [details] [diff] [review] Part 3 - Replace assertSameCompartmentDebugOnly with JSContext::debugOnlyCheck Review of attachment 9002717 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/JSContext-inl.h @@ +210,2 @@ > template <class... Args> inline void > +JSContext::debugOnlyCheck(const Args&... args) Maybe worth a MOZ_ALWAYS_INLINE (for the benefit of Interpret() which, I expect due to crossing some limit, is pretty aggressive about not inlining things unless they are marked always-inline). ::: js/src/vm/JSContext.h @@ +954,5 @@ > js::HandleObject incumbentGlobal); > void addUnhandledRejectedPromise(JSContext* cx, js::HandleObject promise); > void removeUnhandledRejectedPromise(JSContext* cx, js::HandleObject promise); > > + template <class... Args> inline void debugOnlyCheck(const Args&... args); nit: IMO 'debugCheck()' would be basically as clear, shorter and symmetric with 'releaseCheck()', but up to you.
Attachment #9002717 - Flags: review?(luke) → review+
Comment on attachment 9002717 [details] [diff] [review] Part 3 - Replace assertSameCompartmentDebugOnly with JSContext::debugOnlyCheck Review of attachment 9002717 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/JSContext.h @@ +954,5 @@ > js::HandleObject incumbentGlobal); > void addUnhandledRejectedPromise(JSContext* cx, js::HandleObject promise); > void removeUnhandledRejectedPromise(JSContext* cx, js::HandleObject promise); > > + template <class... Args> inline void debugOnlyCheck(const Args&... args); Actually, n/m, I see how this contrasts with 'check()' in the next patch.
Comment on attachment 9002718 [details] [diff] [review] Part 4 - Replace assertSameCompartment with JSContext::check Review of attachment 9002718 [details] [diff] [review]: ----------------------------------------------------------------- Much prettier.
Attachment #9002718 - Flags: review?(luke) → review+
Attachment #9002719 - Flags: review?(luke) → review+
Attachment #9002720 - Flags: review?(luke) → review+
Attachment #9002722 - Flags: review?(luke) → review+
Attachment #9003084 - Flags: review?(luke)
Attachment #9003084 - Flags: review?(luke) → review+
Pushed by jandemooij@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3bf5eb6fe16d part 1 - Use variadic templates for assertSameCompartment functions. r=luke https://hg.mozilla.org/integration/mozilla-inbound/rev/5cb4cd7c449e part 2 - Replace releaseAssertSameCompartment with JSContext::releaseCheck. r=luke https://hg.mozilla.org/integration/mozilla-inbound/rev/224b09c2e661 part 3 - Replace assertSameCompartmentDebugOnly with JSContext::debugOnlyCheck. r=luke https://hg.mozilla.org/integration/mozilla-inbound/rev/239b363ac50d part 4 - Replace assertSameCompartment with JSContext::check. r=luke https://hg.mozilla.org/integration/mozilla-inbound/rev/af49f7a464d5 part 5 - Replace assertSameCompartmentImpl with JSContext::checkImpl. r=luke https://hg.mozilla.org/integration/mozilla-inbound/rev/ff5cb8442b5d part 6 - Rename CompartmentChecker to ContextChecks and support realm checks. r=luke https://hg.mozilla.org/integration/mozilla-inbound/rev/1a263d3e088e part 7 - Avoid a TLS lookup for each compartment check. r=jonco https://hg.mozilla.org/integration/mozilla-inbound/rev/64a85b3753ac part 8 - Change compartment check to realm check for JSScript and AbstractFramePtr. r=luke https://hg.mozilla.org/integration/mozilla-inbound/rev/87a88fb8b1a6 part 9 - Some more cleanup. r=luke
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: