forked from mirrors/gecko-dev
b9e071e2e8
Entry storage allocation now occurs on the first lookupForAdd()/put()/putNew().
This removes the need for init() and initialized(), and matches how
PLDHashTable/nsTHashtable work. It also removes the need for init() functions
in a lot of types that are built on top of mozilla::Hash{Map,Set}.
Pros:
- No need for init() calls and subsequent checks.
- No memory allocated for empty tables, which are not that uncommon.
Cons:
- An extra branch in lookup() and lookupForAdd(), but not in put()/putNew(),
because the existing checkOverloaded() can handle it.
Specifics:
- Construction now can take a length parameter.
- init() is removed. Explicit length-setting, when necessary, now occurs in the
constructors.
- initialized() is removed.
- capacity() now returns zero when the entry storage is absent.
- lookupForAdd() is no longer `const`, because it can instantiate the storage,
which requires modifications.
- lookupForAdd() can now return an invalid AddPtr in two cases:
- old: hashing failure (due to OOM in the hasher)
- new: OOM while instantiating entry storage
The existing failure handling paths for the old case work for the new case.
- clear(), finish(), and clearAndShrink() are replaced by clear(), compact(),
and reserve(). The old compactIfUnderloaded() is also removed.
- Capacity computation code is now in its own functions, bestCapacity() and
hashShift(). setTableSizeLog2() is removed.
- uint32_t is used throughout for capacities, instead of size_t, for
consistency with other similar values.
- changeTableSize() now takes a capacity instead of a deltaLog2, and it can now
handle !mTable.
Measurements:
- Total source code size is reduced by over 900 lines. Also, lots of existing
lines got shorter (i.e. two checks were reduced to one).
- Executable size barely changed, down by 2 KiB on Linux64. The extra branches
are compensated for by the lack of init() calls.
- Speed changed negligibly. The instruction count for Bench_Cpp_MozHash
increased from 2.84 billion to 2.89 billion but any execution time change was
well below noise.
166 lines
4.8 KiB
C++
166 lines
4.8 KiB
C++
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
|
|
* vim: set ts=4 sw=4 et tw=80:
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "JavaScriptParent.h"
|
|
#include "mozilla/dom/ContentParent.h"
|
|
#include "mozilla/dom/ScriptSettings.h"
|
|
#include "nsJSUtils.h"
|
|
#include "nsIScriptError.h"
|
|
#include "jsfriendapi.h"
|
|
#include "js/Proxy.h"
|
|
#include "js/HeapAPI.h"
|
|
#include "js/Wrapper.h"
|
|
#include "xpcprivate.h"
|
|
#include "mozilla/Casting.h"
|
|
#include "mozilla/Telemetry.h"
|
|
#include "nsAutoPtr.h"
|
|
|
|
using namespace js;
|
|
using namespace JS;
|
|
using namespace mozilla;
|
|
using namespace mozilla::jsipc;
|
|
using namespace mozilla::dom;
|
|
|
|
static void
|
|
TraceParent(JSTracer* trc, void* data)
|
|
{
|
|
static_cast<JavaScriptParent*>(data)->trace(trc);
|
|
}
|
|
|
|
JavaScriptParent::JavaScriptParent()
|
|
: savedNextCPOWNumber_(1)
|
|
{
|
|
JS_AddExtraGCRootsTracer(danger::GetJSContext(), TraceParent, this);
|
|
}
|
|
|
|
JavaScriptParent::~JavaScriptParent()
|
|
{
|
|
JS_RemoveExtraGCRootsTracer(danger::GetJSContext(), TraceParent, this);
|
|
}
|
|
|
|
static bool
|
|
ForbidUnsafeBrowserCPOWs()
|
|
{
|
|
static bool result;
|
|
static bool cached = false;
|
|
if (!cached) {
|
|
cached = true;
|
|
Preferences::AddBoolVarCache(&result, "dom.ipc.cpows.forbid-unsafe-from-browser", false);
|
|
}
|
|
return result;
|
|
}
|
|
|
|
bool
|
|
JavaScriptParent::allowMessage(JSContext* cx)
|
|
{
|
|
MOZ_ASSERT(cx);
|
|
|
|
// If we're running browser code while running tests (in automation),
|
|
// then we allow all safe CPOWs and forbid unsafe CPOWs
|
|
// based on a pref (which defaults to forbidden).
|
|
// We also allow CPOWs unconditionally in selected globals (based on
|
|
// Cu.permitCPOWsInScope).
|
|
// A normal (release) browser build will never allow CPOWs,
|
|
// excecpt as a token to pass round.
|
|
|
|
if (!xpc::IsInAutomation()) {
|
|
JS_ReportErrorASCII(cx, "CPOW usage forbidden");
|
|
return false;
|
|
}
|
|
|
|
MessageChannel* channel = GetIPCChannel();
|
|
bool isSafe = channel->IsInTransaction();
|
|
|
|
if (isSafe)
|
|
return true;
|
|
|
|
nsIGlobalObject* global = dom::GetIncumbentGlobal();
|
|
JS::Rooted<JSObject*> jsGlobal(cx, global ? global->GetGlobalJSObject() : nullptr);
|
|
if (jsGlobal) {
|
|
JSAutoRealm ar(cx, jsGlobal);
|
|
|
|
if (!xpc::CompartmentPrivate::Get(jsGlobal)->allowCPOWs &&
|
|
ForbidUnsafeBrowserCPOWs())
|
|
{
|
|
Telemetry::Accumulate(Telemetry::BROWSER_SHIM_USAGE_BLOCKED, 1);
|
|
JS_ReportErrorASCII(cx, "unsafe CPOW usage forbidden");
|
|
return false;
|
|
}
|
|
}
|
|
|
|
static bool disableUnsafeCPOWWarnings = PR_GetEnv("DISABLE_UNSAFE_CPOW_WARNINGS");
|
|
if (!disableUnsafeCPOWWarnings) {
|
|
nsCOMPtr<nsIConsoleService> console(do_GetService(NS_CONSOLESERVICE_CONTRACTID));
|
|
if (console) {
|
|
nsAutoString filename;
|
|
uint32_t lineno = 0, column = 0;
|
|
nsJSUtils::GetCallingLocation(cx, filename, &lineno, &column);
|
|
nsCOMPtr<nsIScriptError> error(do_CreateInstance(NS_SCRIPTERROR_CONTRACTID));
|
|
error->Init(NS_LITERAL_STRING("unsafe/forbidden CPOW usage"), filename,
|
|
EmptyString(), lineno, column,
|
|
nsIScriptError::warningFlag, "chrome javascript",
|
|
false /* from private window */);
|
|
console->LogMessage(error);
|
|
} else {
|
|
NS_WARNING("Unsafe synchronous IPC message");
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
void
|
|
JavaScriptParent::trace(JSTracer* trc)
|
|
{
|
|
objects_.trace(trc);
|
|
unwaivedObjectIds_.trace(trc);
|
|
waivedObjectIds_.trace(trc);
|
|
}
|
|
|
|
JSObject*
|
|
JavaScriptParent::scopeForTargetObjects()
|
|
{
|
|
// CPOWs from the child need to point into the parent's unprivileged junk
|
|
// scope so that a compromised child cannot compromise the parent. In
|
|
// practice, this means that a child process can only (a) hold parent
|
|
// objects alive and (b) invoke them if they are callable.
|
|
return xpc::UnprivilegedJunkScope();
|
|
}
|
|
|
|
void
|
|
JavaScriptParent::afterProcessTask()
|
|
{
|
|
if (savedNextCPOWNumber_ == nextCPOWNumber_)
|
|
return;
|
|
|
|
savedNextCPOWNumber_ = nextCPOWNumber_;
|
|
|
|
MOZ_ASSERT(nextCPOWNumber_ > 0);
|
|
if (active())
|
|
Unused << SendDropTemporaryStrongReferences(nextCPOWNumber_ - 1);
|
|
}
|
|
|
|
PJavaScriptParent*
|
|
mozilla::jsipc::NewJavaScriptParent()
|
|
{
|
|
return new JavaScriptParent();
|
|
}
|
|
|
|
void
|
|
mozilla::jsipc::ReleaseJavaScriptParent(PJavaScriptParent* parent)
|
|
{
|
|
static_cast<JavaScriptParent*>(parent)->decref();
|
|
}
|
|
|
|
void
|
|
mozilla::jsipc::AfterProcessTask()
|
|
{
|
|
for (auto* cp : ContentParent::AllProcesses(ContentParent::eLive)) {
|
|
if (PJavaScriptParent* p = LoneManagedOrNullAsserts(cp->ManagedPJavaScriptParent()))
|
|
static_cast<JavaScriptParent*>(p)->afterProcessTask();
|
|
}
|
|
}
|