Merge r226386 - Disable SharedArrayBuffers from Web API

https://bugs.webkit.org/show_bug.cgi?id=181266

Reviewed by Saam Barati.

JSTests:

Disabled SharedArrayBuffer tests.

* stress/SharedArrayBuffer-opt.js:
* stress/SharedArrayBuffer.js:
* stress/array-buffer-byte-length.js:
* stress/atomics-add-uint32.js:
* stress/atomics-known-int-use.js:
* stress/atomics-neg-zero.js:
* stress/atomics-store-return.js:
* stress/lars-sab-workers.js:
* stress/regress-159779-1.js:
* stress/regress-159779-2.js:
* stress/regress-170473.js:
* test262.yaml:

Source/JavaScriptCore:

Removed SharedArrayBuffer prototype and structure from GlobalObject creation
to disable.

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arrayBufferPrototype const):
(JSC::JSGlobalObject::arrayBufferStructure const):

Source/WTF:

Turn off SharedArrayBuffers using a compile time flag ENABLE_SHARED_ARRAY_BUFFER.

* wtf/Platform.h:

LayoutTests:

Disabled SharedArrayBuffer tests.

* TestExpectations:

JSTests/ChangeLog

@@ -1,3 +1,25 @@
+2018-01-03  Michael Saboff  <msaboff@apple.com>
+
+        Disable SharedArrayBuffers from Web API
+        https://bugs.webkit.org/show_bug.cgi?id=181266
+
+        Reviewed by Saam Barati.
+
+        Disabled SharedArrayBuffer tests.
+
+        * stress/SharedArrayBuffer-opt.js:
+        * stress/SharedArrayBuffer.js:
+        * stress/array-buffer-byte-length.js:
+        * stress/atomics-add-uint32.js:
+        * stress/atomics-known-int-use.js:
+        * stress/atomics-neg-zero.js:
+        * stress/atomics-store-return.js:
+        * stress/lars-sab-workers.js:
+        * stress/regress-159779-1.js:
+        * stress/regress-159779-2.js:
+        * stress/regress-170473.js:
+        * test262.yaml:
+
 2017-11-27  JF Bastien  <jfbastien@apple.com>
 
         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation

JSTests/stress/SharedArrayBuffer-opt.js

@@ -1,3 +1,4 @@
+//@ skip
 var dv = new DataView(new SharedArrayBuffer(128));
 var i8a = new Int8Array(new SharedArrayBuffer(128));
 var i16a = new Int16Array(new SharedArrayBuffer(128));

JSTests/stress/SharedArrayBuffer.js

@@ -1,3 +1,4 @@
+//@ skip
 // This is a basic test of SharedArrayBuffer API as we understand it.
 
 if (SharedArrayBuffer == ArrayBuffer)

JSTests/stress/array-buffer-byte-length.js

@@ -1,3 +1,4 @@
+//@ skip
 function shouldBe(actual, expected)
 {
     if (actual !== expected)

JSTests/stress/atomics-add-uint32.js

@@ -1,3 +1,4 @@
+//@ skip
 var sab = new SharedArrayBuffer(4);
 var a = new Uint32Array(sab);
 var result = Atomics.add(a, 0, 4000000000);

JSTests/stress/atomics-known-int-use.js

@@ -1,3 +1,4 @@
+//@ skip
 // Break type inference.
 var o = {f: 42.5};
 

JSTests/stress/atomics-neg-zero.js

@@ -1,3 +1,4 @@
+//@ skip
 var sab = new SharedArrayBuffer(4);
 var a = new Int32Array(sab);
 Atomics.add(a, -0, 1); // This should not throw.

JSTests/stress/atomics-store-return.js

@@ -1,3 +1,4 @@
+//@ skip
 var sab = new SharedArrayBuffer(1);
 var a = new Int8Array(sab);
 var result = Atomics.store(a, 0, 1000);

JSTests/stress/lars-sab-workers.js

@@ -1,4 +1,4 @@
-//@ defaultRunNoisyTest
+//@ skip
 
 var sab = new SharedArrayBuffer(100 * 4);
 

JSTests/stress/regress-170473.js

@@ -1,3 +1,4 @@
+//@ skip
 var heap = new SharedArrayBuffer(4096);
 var Uint8ArrayView = new Uint8Array(heap);
 

LayoutTests/ChangeLog

@@ -1,3 +1,14 @@
+2018-01-03  Michael Saboff  <msaboff@apple.com>
+
+        Disable SharedArrayBuffers from Web API
+        https://bugs.webkit.org/show_bug.cgi?id=181266
+
+        Reviewed by Saam Barati.
+
+        Disabled SharedArrayBuffer tests.
+
+        * TestExpectations:
+
 2017-12-18  Zalan Bujtas  <zalan@apple.com>
 
         [SVG] Detach list wrappers before resetting the base value.

LayoutTests/TestExpectations

@@ -1042,6 +1042,20 @@ webkit.org/b/159370 [ Debug ] fast/history/page-cache-destroy-document.html [ Sk
 # This test is just way too slow.
 workers/bomb-with-v8.html [ Skip ]
 
+# Disable the SharedArrayBuffers tests
+imported/blink/fast/beacon/beacon-basic.html [ Skip ]
+imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/canblock-dedicatedworker.html [ Skip ]
+imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/canblock-serviceworker.https.html [ Skip ]
+imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/canblock-window.html [ Skip ]
+js/shared-array-buffer-webgl.html [ Skip ]
+workers/sab/cascade_lock.html [ Skip ]
+workers/sab/multi-memory-multi-buffer.html [ Skip ]
+workers/sab/multi-memory.html [ Skip ]
+workers/sab/no-transfer.html [ Skip ]
+workers/sab/postMessage-clones.html [ Skip ]
+workers/sab/postMessage-transfer-type-error.html [ Skip ]
+workers/sab/sent-from-worker-no-transfer.html [ Skip ]
+
 # These tests are slow by design.
 workers/wasm-hashset-many.html [ Slow ]
 workers/wasm-hashset-many-2.html [ Slow ]

Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,20 @@
+2018-01-03  Michael Saboff  <msaboff@apple.com>
+
+        Disable SharedArrayBuffers from Web API
+        https://bugs.webkit.org/show_bug.cgi?id=181266
+
+        Reviewed by Saam Barati.
+
+        Removed SharedArrayBuffer prototype and structure from GlobalObject creation
+        to disable.
+
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::visitChildren):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::arrayBufferPrototype const):
+        (JSC::JSGlobalObject::arrayBufferStructure const):
+
 2017-11-27  JF Bastien  <jfbastien@apple.com>
 
         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation

Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -574,8 +574,10 @@ void JSGlobalObject::init(VM& vm)
 
     m_arrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Default));
     m_arrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_arrayBufferPrototype.get()));
+#if ENABLE(SHARED_ARRAY_BUFFER)
     m_sharedArrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Shared));
     m_sharedArrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_sharedArrayBufferPrototype.get()));
+#endif
 
     m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this, IteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
     m_generatorPrototype.set(vm, this, GeneratorPrototype::create(vm, this, GeneratorPrototype::createStructure(vm, this, m_iteratorPrototype.get())));
@@ -620,10 +622,11 @@ m_ ## properName ## Structure.set(vm, this, instanceType::createStructure(vm, th
 
     JSArrayBufferConstructor* arrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Default);
     m_arrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, arrayBufferConstructor, DontEnum);
+#if ENABLE(SHARED_ARRAY_BUFFER)
     JSArrayBufferConstructor* sharedArrayBufferConstructor = nullptr;
     sharedArrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_sharedArrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Shared);
     m_sharedArrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, sharedArrayBufferConstructor, DontEnum);
-    
+#endif
 #define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
 capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName ## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(), m_speciesGetterSetter.get()); \
 m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, lowerName ## Constructor, DontEnum); \
@@ -686,7 +689,9 @@ m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->c
     putDirectWithoutTransition(vm, vm.propertyNames->builtinNames().ArrayPrivateName(), arrayConstructor, DontEnum | DontDelete | ReadOnly);
 
     putDirectWithoutTransition(vm, vm.propertyNames->ArrayBuffer, arrayBufferConstructor, DontEnum);
+#if ENABLE(SHARED_ARRAY_BUFFER)
     putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, sharedArrayBufferConstructor, DontEnum);
+#endif
 
 #define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
 putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Constructor, DontEnum); \
@@ -1288,8 +1293,10 @@ void JSGlobalObject::visitChildren(JSCell* cell, SlotVisitor& visitor)
 
     visitor.append(thisObject->m_arrayBufferPrototype);
     visitor.append(thisObject->m_arrayBufferStructure);
+#if ENABLE(SHARED_ARRAY_BUFFER)
     visitor.append(thisObject->m_sharedArrayBufferPrototype);
     visitor.append(thisObject->m_sharedArrayBufferStructure);
+#endif
 
 #define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
     visitor.append(thisObject->m_ ## lowerName ## Prototype); \

Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -338,8 +338,10 @@ class JSGlobalObject : public JSSegmentedVariableObject {
     WriteBarrier<Structure> m_moduleLoaderStructure;
     WriteBarrier<JSArrayBufferPrototype> m_arrayBufferPrototype;
     WriteBarrier<Structure> m_arrayBufferStructure;
+#if ENABLE(SHARED_ARRAY_BUFFER)
     WriteBarrier<JSArrayBufferPrototype> m_sharedArrayBufferPrototype;
     WriteBarrier<Structure> m_sharedArrayBufferStructure;
+#endif
 
 #define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
     WriteBarrier<capitalName ## Prototype> m_ ## lowerName ## Prototype; \
@@ -670,17 +672,27 @@ class JSGlobalObject : public JSSegmentedVariableObject {
         switch (sharingMode) {
         case ArrayBufferSharingMode::Default:
             return m_arrayBufferPrototype.get();
+#if ENABLE(SHARED_ARRAY_BUFFER)
         case ArrayBufferSharingMode::Shared:
             return m_sharedArrayBufferPrototype.get();
+#else
+        default:
+            return m_arrayBufferPrototype.get();
+#endif
         }
     }
     Structure* arrayBufferStructure(ArrayBufferSharingMode sharingMode) const
     {
         switch (sharingMode) {
         case ArrayBufferSharingMode::Default:
             return m_arrayBufferStructure.get();
+#if ENABLE(SHARED_ARRAY_BUFFER)
         case ArrayBufferSharingMode::Shared:
             return m_sharedArrayBufferStructure.get();
+#else
+        default:
+            return m_arrayBufferStructure.get();
+#endif
         }
         RELEASE_ASSERT_NOT_REACHED();
         return nullptr;

Source/WTF/ChangeLog

@@ -1,3 +1,14 @@
+2018-01-03  Michael Saboff  <msaboff@apple.com>
+
+        Disable SharedArrayBuffers from Web API
+        https://bugs.webkit.org/show_bug.cgi?id=181266
+
+        Reviewed by Saam Barati.
+
+        Turn off SharedArrayBuffers using a compile time flag ENABLE_SHARED_ARRAY_BUFFER.
+
+        * wtf/Platform.h:
+
 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
 
         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h

Source/WTF/wtf/Platform.h

@@ -1190,6 +1190,9 @@
 #define HAVE_NS_ACTIVITY 1
 #endif
 
+/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. */
+#define ENABLE_SHARED_ARRAY_BUFFER 0
+
 #if (OS(DARWIN) && USE(CG)) || (USE(FREETYPE) && !PLATFORM(GTK)) || (PLATFORM(WIN) && (USE(CG) || USE(CAIRO)))
 #undef ENABLE_OPENTYPE_MATH
 #define ENABLE_OPENTYPE_MATH 1