Add source taintedness support for Wasm #47084

danlliu · 2025-06-23T22:52:41Z

`75be93f`

Add source taintedness support for Wasm
https://bugs.webkit.org/show_bug.cgi?id=294860
rdar://148934299

Reviewed by NOBODY (OOPS!).

Previously, some source taintedness propagation would not work properly
through WebAssembly function calls. This patch adds support for tainted
Wasm stack frames, and fixes an issue with `bind` where bound functions
would incorrectly use the target function's taintedness, instead of the
current stack's taintedness.

* JSTests/stress/taintedness-tracking-bind.js: Added.
(check):
(checkNot):
(shouldBeUntainted):
(shouldBeTainted):
(vm.runTaintedString):
* JSTests/stress/taintedness-tracking-wasm-proxying.js: Added.
(log):
(check):
(checkNot):
(shouldBeUntainted):
(shouldBeTainted):
(let.startupModule.new.WebAssembly.Module):
(let.startupInstance.new.WebAssembly.Instance):
* JSTests/stress/taintedness-tracking-wasm.js: Added.
(check):
(getTaintedState):
(vm.runTaintedString.async taintedMain):
* JSTests/stress/taintedness-tracking.js:
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::Interpreter::executeCall):
* Source/JavaScriptCore/interpreter/StackVisitor.h:
(JSC::StackVisitor::Frame::isWasmFrame const):
* Source/JavaScriptCore/parser/SourceTaintedOrigin.cpp:
(JSC::sourceTaintedOriginFromStack):
(JSC::computeNewSourceTaintedOriginFromStack):
* Source/JavaScriptCore/runtime/FunctionPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp:
(JSC::JSC_DEFINE_CUSTOM_GETTER):
* Source/JavaScriptCore/runtime/JSBoundFunction.cpp:
(JSC::JSBoundFunction::create):
(JSC::JSBoundFunction::createRaw):
(JSC::JSBoundFunction::JSBoundFunction):
* Source/JavaScriptCore/runtime/JSBoundFunction.h:
* Source/JavaScriptCore/runtime/JSModuleLoader.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::getBoundFunction):
* Source/JavaScriptCore/runtime/VM.h:
* Source/JavaScriptCore/tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmStreamingCompiler.cpp:
(JSC::Wasm::StreamingCompiler::StreamingCompiler):
(JSC::Wasm::StreamingCompiler::create):
(JSC::Wasm::StreamingCompiler::didComplete):
* Source/JavaScriptCore/wasm/WasmStreamingCompiler.h:
* Source/JavaScriptCore/wasm/js/JSWebAssembly.cpp:
(JSC::instantiate):
(JSC::compileAndInstantiate):
(JSC::JSWebAssembly::instantiate):
(JSC::JSWebAssembly::instantiateForStreaming):
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/js/JSWebAssembly.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
(JSC::JSWebAssemblyInstance::tryCreate):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::m_source):
(JSC::m_frameSize): Deleted.
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/WebCore/bindings/js/JSDOMAsyncIterator.h:
(WebCore::IteratorTraits>::createOnSettledFunction):
(WebCore::IteratorTraits>::createOnFulfilledFunction):
(WebCore::IteratorTraits>::createOnRejectedFunction):
* Source/WebCore/bindings/js/JSDOMGlobalObject.cpp:
(WebCore::handleResponseOnStreamingAction):

75be93f

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	⏳ 🧪 win-tests
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	✅ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	✅ 🛠 wpe-cairo
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🧪 api-gtk
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2	✅ 🛠 playstation
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp	✅ 🛠 jsc-armv7
	✅ 🛠 tv-sim		❌ 🧪 jsc-armv7-tests
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2025-06-23T22:52:47Z

EWS run on previous version of this PR (hash 8148de2)

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows
❌ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	⏳ 🧪 win-tests
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	✅ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	✅ 🛠 wpe-cairo
❌ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🧪 api-gtk
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2	✅ 🛠 playstation
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp	✅ 🛠 jsc-armv7
	✅ 🛠 tv-sim		✅ 🧪 jsc-armv7-tests
	❌ 🛠 watch
	✅ 🛠 watch-sim

Constellation · 2025-06-23T23:27:13Z

Source/JavaScriptCore/wasm/WasmStreamingCompiler.cpp

@@ -172,7 +173,7 @@ void StreamingCompiler::didComplete()
    }

    case CompilerMode::FullCompile: {
-        m_vm.deferredWorkTimer->scheduleWorkSoon(ticket, [result = WTFMove(result)](DeferredWorkTimer::Ticket ticket) mutable {
+        m_vm.deferredWorkTimer->scheduleWorkSoon(ticket, [result = WTFMove(result), source = m_source](DeferredWorkTimer::Ticket ticket) mutable {


Is this correct? I wonder if didComplete can be called from wasm compiler thread. Is it fine to take ref / deref of data structures inside SourceCode from the other thread?

Discussed with Daniel. We should just thread SourceTaintedOrigin instead of SourceCode, which removes the above risk.

webkit-early-warning-system · 2025-06-25T21:11:14Z

EWS run on previous version of this PR (hash 1b0fb4f)

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	⏳ 🛠 win
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	~~🧪 wpe-wk2~~	⏳ 🧪 win-tests
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	~~🧪 ios-wk2-wpt~~	✅ 🧪 mac-wk1	⏳ 🛠 wpe-cairo
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 vision	~~🧪 mac-AS-debug-wk2~~	~~🧪 gtk-wk2~~
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	~~🧪 api-gtk~~
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2	⏳ 🛠 playstation
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp	✅ 🛠 jsc-armv7
	✅ 🛠 tv-sim		✅ 🧪 jsc-armv7-tests
	❌ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2025-06-25T22:59:59Z

EWS run on previous version of this PR (hash 4daf32d)

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	⏳ 🧪 win-tests
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	✅ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	✅ 🛠 wpe-cairo
❌ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
❌ 🛠 🧪 jsc-arm64	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🧪 api-gtk
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2	✅ 🛠 playstation
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp	❌ 🛠 jsc-armv7
	✅ 🛠 tv-sim		❌ 🧪 jsc-armv7-tests
	❌ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2025-06-26T17:22:30Z

EWS run on previous version of this PR (hash 0012f40)

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	⏳ 🧪 win-tests
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	✅ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	✅ 🛠 wpe-cairo
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
❌ 🛠 🧪 jsc-arm64	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🧪 api-gtk
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2	✅ 🛠 playstation
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp	✅ 🛠 jsc-armv7
	✅ 🛠 tv-sim		❌ 🧪 jsc-armv7-tests
	✅ 🛠 watch
	✅ 🛠 watch-sim

https://bugs.webkit.org/show_bug.cgi?id=294860 rdar://148934299 Reviewed by NOBODY (OOPS!). Previously, some source taintedness propagation would not work properly through WebAssembly function calls. This patch adds support for tainted Wasm stack frames, and fixes an issue with `bind` where bound functions would incorrectly use the target function's taintedness, instead of the current stack's taintedness. * JSTests/stress/taintedness-tracking-bind.js: Added. (check): (checkNot): (shouldBeUntainted): (shouldBeTainted): (vm.runTaintedString): * JSTests/stress/taintedness-tracking-wasm-proxying.js: Added. (log): (check): (checkNot): (shouldBeUntainted): (shouldBeTainted): (let.startupModule.new.WebAssembly.Module): (let.startupInstance.new.WebAssembly.Instance): * JSTests/stress/taintedness-tracking-wasm.js: Added. (check): (getTaintedState): (vm.runTaintedString.async taintedMain): * JSTests/stress/taintedness-tracking.js: * Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): * Source/JavaScriptCore/dfg/DFGOperations.cpp: (JSC::DFG::JSC_DEFINE_JIT_OPERATION): * Source/JavaScriptCore/interpreter/Interpreter.cpp: (JSC::Interpreter::executeCall): * Source/JavaScriptCore/interpreter/StackVisitor.h: (JSC::StackVisitor::Frame::isWasmFrame const): * Source/JavaScriptCore/parser/SourceTaintedOrigin.cpp: (JSC::sourceTaintedOriginFromStack): (JSC::computeNewSourceTaintedOriginFromStack): * Source/JavaScriptCore/runtime/FunctionPrototype.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp: (JSC::JSC_DEFINE_CUSTOM_GETTER): * Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp: (JSC::JSC_DEFINE_CUSTOM_GETTER): * Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp: (JSC::JSC_DEFINE_CUSTOM_GETTER): * Source/JavaScriptCore/runtime/JSBoundFunction.cpp: (JSC::JSBoundFunction::create): (JSC::JSBoundFunction::createRaw): (JSC::JSBoundFunction::JSBoundFunction): * Source/JavaScriptCore/runtime/JSBoundFunction.h: * Source/JavaScriptCore/runtime/JSModuleLoader.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/JavaScriptCore/runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::getBoundFunction): * Source/JavaScriptCore/runtime/VM.h: * Source/JavaScriptCore/tools/JSDollarVM.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/JavaScriptCore/wasm/WasmOperations.cpp: (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): * Source/JavaScriptCore/wasm/WasmStreamingCompiler.cpp: (JSC::Wasm::StreamingCompiler::StreamingCompiler): (JSC::Wasm::StreamingCompiler::create): (JSC::Wasm::StreamingCompiler::didComplete): * Source/JavaScriptCore/wasm/WasmStreamingCompiler.h: * Source/JavaScriptCore/wasm/js/JSWebAssembly.cpp: (JSC::instantiate): (JSC::compileAndInstantiate): (JSC::JSWebAssembly::instantiate): (JSC::JSWebAssembly::instantiateForStreaming): (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/JavaScriptCore/wasm/js/JSWebAssembly.h: * Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp: (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): (JSC::JSWebAssemblyInstance::tryCreate): * Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h: * Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): (JSC::m_source): (JSC::m_frameSize): Deleted. * Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h: * Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): * Source/WebCore/bindings/js/JSDOMAsyncIterator.h: (WebCore::IteratorTraits>::createOnSettledFunction): (WebCore::IteratorTraits>::createOnFulfilledFunction): (WebCore::IteratorTraits>::createOnRejectedFunction): * Source/WebCore/bindings/js/JSDOMGlobalObject.cpp: (WebCore::handleResponseOnStreamingAction):

webkit-early-warning-system · 2025-07-01T00:22:38Z

EWS run on current version of this PR (hash 75be93f)

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	⏳ 🧪 win-tests
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe
	✅ 🧪 ios-wk2-wpt	✅ 🧪 mac-wk1	✅ 🛠 wpe-cairo
✅ 🛠 🧪 jsc	✅ 🧪 api-ios	✅ 🧪 mac-wk2	✅ 🛠 gtk
✅ 🛠 🧪 jsc-arm64	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🧪 api-gtk
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2	✅ 🛠 playstation
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp	✅ 🛠 jsc-armv7
	✅ 🛠 tv-sim		❌ 🧪 jsc-armv7-tests
	✅ 🛠 watch
	✅ 🛠 watch-sim

danlliu requested review from cdumez and a team as code owners June 23, 2025 22:52

danlliu self-assigned this Jun 23, 2025

danlliu added the New Bugs Unclassified bugs are placed in this component until the correct component can be determined. label Jun 23, 2025

Constellation reviewed Jun 23, 2025

View reviewed changes

webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Jun 24, 2025

danlliu removed the merging-blocked Applied to prevent a change from being merged label Jun 25, 2025

danlliu force-pushed the 148934299-wasm-taint branch from 8148de2 to 1b0fb4f Compare June 25, 2025 21:11

webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Jun 25, 2025

danlliu removed the merging-blocked Applied to prevent a change from being merged label Jun 25, 2025

danlliu force-pushed the 148934299-wasm-taint branch from 1b0fb4f to 4daf32d Compare June 25, 2025 22:59

webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Jun 26, 2025

danlliu removed the merging-blocked Applied to prevent a change from being merged label Jun 26, 2025

danlliu force-pushed the 148934299-wasm-taint branch from 4daf32d to 0012f40 Compare June 26, 2025 17:22

danlliu force-pushed the 148934299-wasm-taint branch from 0012f40 to 75be93f Compare July 1, 2025 00:22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add source taintedness support for Wasm #47084

Add source taintedness support for Wasm #47084

Uh oh!

danlliu commented Jun 23, 2025 •

edited by webkit-early-warning-system

Loading

Uh oh!

webkit-early-warning-system commented Jun 23, 2025 •

edited

Loading

Uh oh!

Constellation Jun 23, 2025

Uh oh!

Constellation Jun 23, 2025

Uh oh!

webkit-early-warning-system commented Jun 25, 2025 •

edited

Loading

Uh oh!

webkit-early-warning-system commented Jun 25, 2025 •

edited

Loading

Uh oh!

webkit-early-warning-system commented Jun 26, 2025 •

edited

Loading

Uh oh!

webkit-early-warning-system commented Jul 1, 2025 •

edited

Loading

Uh oh!

Uh oh!

Add source taintedness support for Wasm #47084

Are you sure you want to change the base?

Add source taintedness support for Wasm #47084

Uh oh!

Conversation

danlliu commented Jun 23, 2025 • edited by webkit-early-warning-system Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

75be93f

Uh oh!

webkit-early-warning-system commented Jun 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Constellation Jun 23, 2025

Choose a reason for hiding this comment

Uh oh!

Constellation Jun 23, 2025

Choose a reason for hiding this comment

Uh oh!

webkit-early-warning-system commented Jun 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Jun 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Jun 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Jul 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

danlliu commented Jun 23, 2025 •

edited by webkit-early-warning-system

Loading

`75be93f`

webkit-early-warning-system commented Jun 23, 2025 •

edited

Loading

webkit-early-warning-system commented Jun 25, 2025 •

edited

Loading

webkit-early-warning-system commented Jun 25, 2025 •

edited

Loading

webkit-early-warning-system commented Jun 26, 2025 •

edited

Loading

webkit-early-warning-system commented Jul 1, 2025 •

edited

Loading