

Adding dedicated config flag for taint spewing
tmbrbr committed Jan 13, 2025
1 parent 6691123 commit cdb21e7
Showing 11 changed files with 53 additions and 36 deletions.
13 changes: 13 additions & 0 deletions .github/workflows/main.yml
Expand Up @@ -18,6 +18,10 @@ jobs:

# This workflow contains a single job called "build"
build:
strategy:
matrix:
mozconfig: [ "Base", "JitSpew", "TaintSpew" ]

# The type of runner that the job will run on
runs-on: ubuntu-latest

Expand Down Expand Up @@ -52,6 +56,14 @@ jobs:
cd build
cp taintfox_mozconfig_spidermonkey .mozconfig
- name: Enable JitSpew
if: ${{ matrix.mozconfig }} == "JitSpew"
echo "ac_add_options --enable-jitspew" >> .mozconfig

- name: Enable Taint Spew
if: ${{ matrix.mozconfig }} == "TaintSpew"
echo "ac_add_options --enable-taintspew" >> .mozconfig

# Build
- name: Build
run: |
Expand All @@ -70,6 +82,7 @@ jobs:
python3 js/src/tests/parse_output.py
- name: Upload Report
if: ${{ matrix.mozconfig }} == "Base"
uses: actions/upload-artifact@v4 # upload test results
if: success() || failure() # run this step even if previous step failed
with:
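Review bot: The `Upload Report` step now has two `if:` keys — the new `${{ matrix.mozconfig }} == "Base"` and the existing `success() || failure()` — which is a duplicate mapping key, so the workflow parser will either reject the file or silently keep only one of the two conditions. The form `${{ matrix.mozconfig }} == "Base"` (also used on the JitSpew and TaintSpew steps) is itself a known pitfall: the `${{ }}` part is expanded first, leaving a non-empty string such as `Base == "Base"`, which is truthy, so all three steps run for every matrix entry, and with `actions/upload-artifact@v4` a second upload under an unchanged artifact name fails. Merge the conditions into one expression, `if: ${{ (success() || failure()) && matrix.mozconfig == 'Base' }}`, and write the enable steps as `if: matrix.mozconfig == 'JitSpew'` / `if: matrix.mozconfig == 'TaintSpew'`. As rendered, the `echo "ac_add_options --enable-…" >> .mozconfig` lines sit directly under `if:` with no `run:` key; if that is the file's real content those steps are invalid, so verify that a `run: |` line was only lost in rendering. Since this job produces published build artifacts, consider pinning `actions/upload-artifact` to a commit SHA rather than the mutable `v4` tag.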
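--- a/js/public/Id.h
+++ b/js/public/Id.h
@@ -209,7 +209,7 @@ class PropertyKey {
 return reinterpret_cast<JSLinearString*>(toString());
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_TAINTSPEW)
 void dump() const;
 void dump(js::GenericPrinter& out) const;
 void dump(js::JSONPrinter& json) const;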
11 changes: 6 additions & 5 deletions js/src/jstaint.cpp
Expand Up @@ -3,6 +3,8 @@
*/
#include "jstaint.h"

#include "mozilla/Sprintf.h"

#include <algorithm>
#include <iomanip>
#include <iostream>
Expand All @@ -16,6 +18,7 @@
#include "js/CharacterEncoding.h"
#include "js/ErrorReport.h"
#include "js/UniquePtr.h"
#include "util/GetPidProvider.h" // getpid()
#include "vm/FrameIter.h"
#include "vm/JSAtomUtils.h"
#include "vm/JSContext.h"
Expand Down Expand Up @@ -373,8 +376,7 @@ void JS::MarkTaintedFunctionArguments(JSContext* cx, JSFunction* function, const
}
}

#if defined(JS_STRUCTURED_SPEW)

#if defined(JS_JITSPEW)
void JS::MaybeSpewStringTaint(JSContext* cx, JSString* str, HandleValue location) {
// Use the standard spew framework to create a single spew file
AutoStructuredSpewer spew(cx, SpewChannel::TaintFlowSpewer, cx->currentScript());
Expand All @@ -384,7 +386,6 @@ void JS::MaybeSpewStringTaint(JSContext* cx, JSString* str, HandleValue location
spew->flush();
}
}

#endif

#if defined(JS_TAINTSPEW)
Expand Down Expand Up @@ -430,15 +431,14 @@ void JS::WriteTaintToFile(JSContext* cx, JSString* str, HandleValue location) {
JSONPrinter json(output);
json.beginObject();
PrintJsonTaint(cx, str, location, json);

json.endObject();

output.flush();
output.finish();
}

#endif

#if defined(JS_JITSPEW) || defined(JS_TAINTSPEW)
void JS::PrintJsonObject(JSContext* cx, JSObject* obj, js::JSONPrinter& json) {
// This code is adapted from JSObject::dumpFields, which was too verbose for our needs
if (obj && obj->is<NativeObject>()) {
Expand Down Expand Up @@ -552,6 +552,7 @@ void JS::PrintJsonTaint(JSContext* cx, JSString* str, HandleValue location, js::
json.endList();

}
#endif

void JS::MaybeSpewMessage(JSContext* cx, JSString* str) {
// First print message to stderr
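Review bot: `MaybeSpewStringTaint` is now compiled under `JS_JITSPEW` instead of `JS_STRUCTURED_SPEW`, but its body still uses `AutoStructuredSpewer` and `SpewChannel::TaintFlowSpewer`, which belong to the structured-spew facility; if any configuration defines `JS_JITSPEW` without `JS_STRUCTURED_SPEW` this no longer compiles, so `#if defined(JS_JITSPEW) && defined(JS_STRUCTURED_SPEW)` (or keeping the original guard) is the safer condition — the configure logic is not visible here, so please confirm. The new guard around `PrintJsonObject`/`PrintJsonTaint` closes at the `#endif` just before `MaybeSpewMessage`, which stays unconditional; if that function (its body is outside the hunk) calls into the JSON printers it will fail in the Base configuration, which the new CI matrix entry should expose. The added `getpid()` include suggests `WriteTaintToFile` names a per-process output file; since that file receives the content of tainted strings, which may include user-supplied data, the open call (not in these hunks) should create it with owner-only permissions in a non-shared directory, and a comment such as `// NOTE: spew file holds raw tainted string data; create with owner-only permissions` next to `WriteTaintToFile` would make that expectation explicit.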
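--- a/js/src/jstaint.h
+++ b/js/src/jstaint.h
@@ -91,7 +91,7 @@ void MarkTaintedFunctionArguments(JSContext* cx, JSFunction* function, const JS:
 // flag in the .mozconfig build file
 // and the environment variable
 // SPEW=TaintFlowSpewer,AtStartup
-#ifdef JS_STRUCTURED_SPEW
+#ifdef JS_JITSPEW
 void MaybeSpewStringTaint(JSContext* cx, JSString* str, HandleValue location);
 #endif
 
@@ -104,11 +104,13 @@ void MaybeSpewStringTaint(JSContext* cx, JSString* str, HandleValue location);
 void WriteTaintToFile(JSContext* cx, JSString* str, HandleValue location);
 #endif
 
+#if defined(JS_JITSPEW) || defined(JS_TAINTSPEW)
 // Write a string and its taint information to JSON
 void PrintJsonTaint(JSContext* cx, JSString* str, HandleValue location, js::JSONPrinter& json);
 
 // Write a simple version of an object to JSON
 void PrintJsonObject(JSContext* cx, JSObject* obj, js::JSONPrinter& json);
+#endif
 
 // Write a message to stderr and the spewer if enabled
 void MaybeSpewMessage(JSContext* cx, JSString* str);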
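Review bot: The comment above `MaybeSpewStringTaint` (it begins before the hunk) still describes the build flag that enabled the old `JS_STRUCTURED_SPEW` guard; now that the declaration is gated on `JS_JITSPEW`, it should name the flag the CI matrix actually sets, e.g. `// Requires --enable-jitspew (JS_JITSPEW) in .mozconfig and SPEW=TaintFlowSpewer,AtStartup in the environment`. The new guard around `PrintJsonTaint`/`PrintJsonObject` is consistent with `WriteTaintToFile`, which calls `PrintJsonTaint` under `JS_TAINTSPEW`, but a one-line comment on the `#if` saying these are only available in spew-enabled builds would save the next caller a compile error in a plain build.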
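--- a/js/src/vm/Id.cpp
+++ b/js/src/vm/Id.cpp
@@ -51,7 +51,7 @@ bool JS::PropertyKey::isWellKnownSymbol(JS::SymbolCode code) const {
 return JS::PropertyKey::isNonIntAtom(&str->asAtom());
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_TAINTSPEW)
 
 void JS::PropertyKey::dump() const {
 js::Fprinter out(stderr);
@@ -115,4 +115,4 @@ void JS::PropertyKey::dumpStringContent(js::GenericPrinter& out) const {
 }
 }
 
-#endif /* defined(DEBUG) || defined(JS_JITSPEW) */
+#endif /* defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_TAINTSPEW) */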
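--- a/js/src/vm/PropMap.cpp
+++ b/js/src/vm/PropMap.cpp
@@ -6,6 +6,8 @@
 
 #include "vm/PropMap-inl.h"
 
+#include "mozilla/Sprintf.h"
+
 #include "gc/HashUtil.h"
 #include "js/GCVector.h"
 #include "js/Printer.h" // js::GenericPrinter, js::Fprinter
@@ -1030,7 +1032,7 @@ bool LinkedPropMap::createTable(JSContext* cx) {
 return true;
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_TAINTSPEW)
 void PropMap::dump() const {
 Fprinter out(stderr);
 dump(out);
@@ -1243,7 +1245,7 @@ JS::UniqueChars PropMap::getPropertyNameAt(uint32_t index) const {
 
 return sp.release();
 }
-#endif // defined(DEBUG) || defined(JS_JITSPEW)
+#endif // defined(DEBUG) || defined(JS_JITSPEW)|| defined(JS_TAINTSPEW)
 
 #ifdef DEBUG
 void PropMap::checkConsistency(NativeObject* obj) const {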
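--- a/js/src/vm/PropMap.h
+++ b/js/src/vm/PropMap.h
@@ -513,7 +513,7 @@ class PropMap : public gc::TenuredCellWithFlags {
 
 uint32_t approximateEntryCount() const;
 
-#if defined(DEBUG) || defined(JS_JITSPEW)
+#if defined(DEBUG) || defined(JS_JITSPEW)|| defined(JS_TAINTSPEW)
 void dump() const;
 void dump(js::GenericPrinter& out) const;
 void dump(js::JSONPrinter& json) const;
@@ -737,7 +737,7 @@ class SharedPropMap : public PropMap {
 Handle<SharedPropMap*> map,
 uint32_t length);
 
-#if defined(DEBUG) || defined(JS_JITSPEW)
+#if defined(DEBUG) || defined(JS_JITSPEW)|| defined(JS_TAINTSPEW)
 void dumpOwnFields(js::JSONPrinter& json) const;
 #endif
 };
@@ -850,7 +850,7 @@ class LinkedPropMap final : public PropMap {
 return data_.propInfos[index];
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW)
+#if defined(DEBUG) || defined(JS_JITSPEW)|| defined(JS_TAINTSPEW)
 void dumpOwnFields(js::JSONPrinter& json) const;
 #endif
 };
@@ -1058,7 +1058,7 @@ class DictionaryPropMap final : public PropMap {
 offsetof(LinkedPropMap, data_));
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW)
+#if defined(DEBUG) || defined(JS_JITSPEW)|| defined(JS_TAINTSPEW)
 void dumpOwnFields(js::JSONPrinter& json) const;
 #endif
 };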
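Review bot: All four new guards in this header are written `defined(JS_JITSPEW)|| defined(JS_TAINTSPEW)` with no space before `||`, unlike the same guard as added to Id.h, SymbolType.h and StringType.h; normalize them to `#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_TAINTSPEW)` so a grep for the guard text finds every site. The `#endif` trailer comment added in PropMap.cpp carries the same spacing and should be aligned with it.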
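--- a/js/src/vm/StringType.cpp
+++ b/js/src/vm/StringType.cpp
@@ -271,7 +271,7 @@ mozilla::Maybe<std::tuple<size_t, size_t>> JSString::encodeUTF8Partial(
 return mozilla::Some(std::make_tuple(totalRead, totalWritten));
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 template <typename CharT>
 /*static */
 void JSString::dumpCharsNoQuote(const CharT* s, size_t n,
@@ -742,7 +742,7 @@ bool JSRope::hash(uint32_t* outHash) const {
 return true;
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void JSRope::dumpOwnRepresentationFields(js::JSONPrinter& json) const {
 json.beginObjectProperty("leftChild");
 leftChild()->dumpRepresentationFields(json);
@@ -1214,7 +1214,7 @@ template JSString* js::ConcatStrings<NoGC>(JSContext* cx, JSString* const& left,
 JSString* const& right,
 gc::Heap heap);
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void JSDependentString::dumpOwnRepresentationFields(
 js::JSONPrinter& json) const {
 json.property("baseOffset", baseOffset());
@@ -1662,7 +1662,7 @@ bool JS::SourceText<char16_t>::initMaybeBorrowed(
 return initImpl(fc, chars, length, taint, ownership);
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void JSAtom::dump(js::GenericPrinter& out) {
 out.printf("JSAtom* (%p) = ", (void*)this);
 this->JSString::dump(out);
@@ -2262,7 +2262,7 @@ template JSString* NewMaybeExternalString(
 
 } /* namespace js */
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void JSExtensibleString::dumpOwnRepresentationFields(
 js::JSONPrinter& json) const {
 json.property("capacity", capacity());
@@ -2660,22 +2660,22 @@ void JSString::sweepAfterMinorGC(JS::GCContext* gcx, JSString* str) {
 }
 
 if (IsInsideNursery(str) && !IsForwarded(str) && str->isTainted()) {
-#ifdef TAINT_DEBUG_NURSERY
+#ifdef JS_TAINTSPEW_NURSERY
 printf("-----------------------------------------------------\n");
 printf("Str: %p\n", str);
 str->dumpRepresentationHeader();
 #endif
 auto* ptr = reinterpret_cast<uint8_t*>(str) + offsetOfTaint();
-#ifdef TAINT_DEBUG_NURSERY
+#ifdef JS_TAINTSPEW_NURSERY
 printf("Ptr: %p\n", ptr);
 printf("Before: %p\n", *reinterpret_cast<void**>(ptr));
 #endif
 str->clearTaint();
-#ifdef TAINT_DEBUG_NURSERY
+#ifdef JS_TAINTSPEW_NURSERY
 printf("After Clear: %p\n", *reinterpret_cast<void**>(ptr));
 #endif
 AlwaysPoison(ptr, 0x7A, sizeof(StringTaint), MemCheckKind::MakeNoAccess);
-#ifdef JS_TAINTSPEW_NURSERY
+#ifdef JS_TAINTSPEW_NURSERY
 printf("After Poison: %p\n", *reinterpret_cast<void**>(ptr));
 printf("-----------------------------------------------------\n");
 #endif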
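Review bot: Nothing in this commit defines `JS_TAINTSPEW_NURSERY`, so the renamed blocks in `sweepAfterMinorGC` stay dead unless the macro is set by hand, and if it is set without `JS_TAINTSPEW`/`DEBUG` the call to `str->dumpRepresentationHeader()` will presumably be undeclared, since the dump helpers are now behind the `JS_TAINTSPEW` guard (its declaration is not in view, so please confirm). Tie the two together, `#if defined(JS_TAINTSPEW) && defined(JS_TAINTSPEW_NURSERY)`, and put a comment on the first block, e.g. `// Manual-only nursery diagnostics: define JS_TAINTSPEW_NURSERY on top of --enable-taintspew`, so the next reader knows it is not driven by the new configure flag. The `printf("%p")` lines write raw GC-cell addresses to stdout; that is fine for a hand-built diagnostic but is one more reason to keep the block off in any shipping configuration.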
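--- a/js/src/vm/StringType.h
+++ b/js/src/vm/StringType.h
@@ -33,7 +33,6 @@
 #include "js/UniquePtr.h"
 #include "util/Text.h"
 
-#define TAINT_DEBUG
 
 class JSDependentString;
 class JSExtensibleString;
@@ -815,7 +814,7 @@ class JSString : public js::gc::CellWithLengthAndFlags {
 return kind;
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void dump() const;
 void dump(js::GenericPrinter& out) const;
 void dump(js::JSONPrinter& json) const;
@@ -964,7 +963,7 @@ class JSRope : public JSString {
 void traceChildren(JSTracer* trc);
 
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void dumpOwnRepresentationFields(js::JSONPrinter& json) const;
 #endif
 
@@ -1152,7 +1151,7 @@ class JSLinearString : public JSString {
 inline void finalize(JS::GCContext* gcx);
 inline size_t allocSize() const;
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void dumpOwnRepresentationFields(js::JSONPrinter& json) const;
 #endif
 
@@ -1203,7 +1202,7 @@ class JSDependentString : public JSLinearString {
 setNonInlineChars(chars + offset);
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void dumpOwnRepresentationFields(js::JSONPrinter& json) const;
 #endif
 
@@ -1232,7 +1231,7 @@ class JSExtensibleString : public JSLinearString {
 return d.s.u3.capacity;
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void dumpOwnRepresentationFields(js::JSONPrinter& json) const;
 #endif
 };
@@ -1259,7 +1258,7 @@ class JSInlineString : public JSLinearString {
 template <typename CharT>
 static bool lengthFits(size_t length);
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void dumpOwnRepresentationFields(js::JSONPrinter& json) const;
 #endif
 
@@ -1405,7 +1404,7 @@ class JSExternalString : public JSLinearString {
 // kind.
 inline void finalize(JS::GCContext* gcx);
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void dumpOwnRepresentationFields(js::JSONPrinter& json) const;
 #endif
 };
@@ -1472,7 +1471,7 @@ class JSAtom : public JSLinearString {
 template <typename CharT>
 static bool lengthFitsInline(size_t length);
 
-#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(JS_TAINTSPEW)
 void dump(js::GenericPrinter& out);
 void dump();
 #endif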
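Review bot: Dropping the unconditional `#define TAINT_DEBUG` changes what an optimized build contains: until now every `JSString::dump*` overload was compiled into release binaries, and after this change they exist only under `DEBUG`/`JS_JITSPEW`/`JS_CACHEIR_SPEW`/`JS_TAINTSPEW`. That is the right direction, since these dumps emit raw string contents, but any caller outside the guarded sections (none are visible here) will now fail to build in the Base matrix configuration rather than in the spew ones, so the CI change in this commit is what actually validates this header edit. A short comment at the first guard, e.g. `// Dump helpers are build-time opt-in (debug or a *SPEW config); they print raw string data and must not be reachable in release`, would record the intent for the next person tempted to re-add a blanket define.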
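--- a/js/src/vm/SymbolType.cpp
+++ b/js/src/vm/SymbolType.cpp
@@ -76,7 +76,7 @@ Symbol* Symbol::for_(JSContext* cx, HandleString description) {
 return sym;
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_TAINTSPEW)
 void Symbol::dump() const {
 js::Fprinter out(stderr);
 dump(out);
@@ -177,7 +177,7 @@ void Symbol::dumpPropertyName(js::GenericPrinter& out) const {
 out.printf("<Invalid Symbol code=%u>", unsigned(code_));
 }
 }
-#endif // defined(DEBUG) || defined(JS_JITSPEW)
+#endif // defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_TAINTSPEW)
 
 bool js::SymbolDescriptiveString(JSContext* cx, Symbol* sym,
 MutableHandleValue result) {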
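--- a/js/src/vm/SymbolType.h
+++ b/js/src/vm/SymbolType.h
@@ -100,7 +100,7 @@ class Symbol
 return mallocSizeOf(this);
 }
 
-#if defined(DEBUG) || defined(JS_JITSPEW)
+#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_TAINTSPEW)
 void dump() const; // Debugger-friendly stderr dump.
 void dump(js::GenericPrinter& out) const;
 void dump(js::JSONPrinter& json) const;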
