Don't compile functions in a context the caller doesn't have access to

Don't compile functions in a context the caller doesn't have access to

Instead just return undefined

A side effect of this is that it's no longer possible to compile
functions in a detached context.

BUG=chromium:541703
R=verwaest@chromium.org,bmeurer@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng

Committed: https://crrev.com/992e34c21635b179a993b82ac1d81753e7a6a57a
Cr-Commit-Position: refs/heads/master@{#37657}

[jochen (gone - plz use gerrit), 2016-06-03 13:44:52]

On 2016/06/03 at 13:35:35, jochen wrote:
> 

old cl here for reference: https://codereview.chromium.org/1393713006

[jochen (gone - plz use gerrit), 2016-06-03 13:56:02]

Description was changed from

==========
Don't compile functions in a context the caller doesn't have access to

Instead just return undefined

A side effect of this is that it's no longer possible to compile
functions in a detached context.

BUG=chromium:541703
R=verwaest@chromium.org,bmeurer@chromium.org
==========

to

==========
Don't compile functions in a context the caller doesn't have access to

Instead just return undefined

A side effect of this is that it's no longer possible to compile
functions in a detached context.

BUG=chromium:541703
R=verwaest@chromium.org,bmeurer@chromium.org
CQ_EXTRA_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng
==========

[jochen (gone - plz use gerrit), 2016-06-03 14:00:42]

The CQ bit was checked by jochen@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-03 14:00:51]

Dry run: CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/2034083002/60001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/2034083002/60001

[commit-bot: I haz the power, 2016-06-03 16:16:52]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-03 16:16:53]

Dry run: Try jobs failed on following builders:
  linux_chromium_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[Toon Verwaest, 2016-06-06 14:59:51]

As discussed offline, by now not walking across the first JS-exit frame seems
very easy to defeat...

https://codereview.chromium.org/2034083002/diff/1/src/d8.cc
File src/d8.cc (right):

https://codereview.chromium.org/2034083002/diff/1/src/d8.cc#newcode1999
src/d8.cc:1999: } else if (strcmp(argv[i], "--restricted-realsm") == 0) {
realms

https://codereview.chromium.org/2034083002/diff/60001/test/mjsunit/cross-real...
File test/mjsunit/cross-realm-filtering.js (right):

https://codereview.chromium.org/2034083002/diff/60001/test/mjsunit/cross-real...
test/mjsunit/cross-realm-filtering.js:95: var ctor_script =
"Function.constructor";
Why Function.constructor? Function.constructor === Function

[jochen (gone - plz use gerrit), 2016-06-29 12:22:03]

The CQ bit was checked by jochen@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-06-29 12:22:11]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[jochen (gone - plz use gerrit), 2016-06-29 12:26:55]

let's revisit this.

I think it's difficult / impossible to make this 100% perfect, as there are
plenty of situations where we cross the C++ boundary and switch between contexts
that can't access each other.

As is, however, this would effectively break all exploits that somehow manage to
get hold of a function from another context. Usually, you can't do much without
but run code - if you tried to pass it around, you'd hit the
V8WrapperInstationScope::securityCHeck in Blink.

[commit-bot: I haz the power, 2016-06-29 15:38:55]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-06-29 15:38:56]

Dry run: Try jobs failed on following builders:
  linux_chromium_rel_ng on tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[jochen (gone - plz use gerrit), 2016-07-05 14:23:31]

The CQ bit was checked by jochen@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-05 14:23:39]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-05 15:57:48]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-05 15:57:49]

Dry run: This issue passed the CQ dry run.

[Toon Verwaest, 2016-07-07 11:29:19]

I don't think that's true though. E.g., the following would still just work: new
Proxy(crossOriginFunction.constructor, {})("return document")()

[jochen (gone - plz use gerrit), 2016-07-08 12:09:09]

The CQ bit was checked by jochen@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-08 12:09:29]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-08 12:09:30]

There were warnings when CQ was processing your CL:
 * CQ_EXTRA_TRYBOTS flag is deprecated and will soon be removed. Use
CQ_INCLUDE_TRYBOTS instead.

[jochen (gone - plz use gerrit), 2016-07-08 12:10:02]

Description was changed from

==========
Don't compile functions in a context the caller doesn't have access to

Instead just return undefined

A side effect of this is that it's no longer possible to compile
functions in a detached context.

BUG=chromium:541703
R=verwaest@chromium.org,bmeurer@chromium.org
CQ_EXTRA_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng
==========

to

==========
Don't compile functions in a context the caller doesn't have access to

Instead just return undefined

A side effect of this is that it's no longer possible to compile
functions in a detached context.

BUG=chromium:541703
R=verwaest@chromium.org,bmeurer@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng
==========

[jochen (gone - plz use gerrit), 2016-07-08 12:30:22]

ptal

i changed the logic to walk the entire stack until the embedder last entered a
context

added tests for proxy and reflect

[commit-bot: I haz the power, 2016-07-08 14:38:05]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-08 14:38:06]

Dry run: This issue passed the CQ dry run.

[Toon Verwaest, 2016-07-08 19:47:11]

That sounds like a good idea. On that note: can't you just look at the last
entered context? Don't we maintain a stack of them on the isolate somewhere?

[jochen (gone - plz use gerrit), 2016-07-11 11:26:40]

On 2016/07/08 at 19:47:11, verwaest wrote:
> That sounds like a good idea. On that note: can't you just look at the last
entered context? Don't we maintain a stack of them on the isolate somewhere?

that's what I do (see latest patchset)

[jochen (gone - plz use gerrit), 2016-07-11 14:28:10]

The CQ bit was checked by jochen@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-11 14:28:12]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Toon Verwaest, 2016-07-11 14:46:39]

lgtm, yay :)
do you still need the --restricted-realms thing? I'd prefer to have it the other
way around: explicitly allow cross-realm access where necessary.

[commit-bot: I haz the power, 2016-07-11 15:49:11]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-11 15:49:12]

Dry run: This issue passed the CQ dry run.

[jochen (gone - plz use gerrit), 2016-07-11 18:40:54]

The CQ bit was checked by jochen@chromium.org

[commit-bot: I haz the power, 2016-07-11 18:40:57]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[jochen (gone - plz use gerrit), 2016-07-11 18:42:17]

The CQ bit was unchecked by jochen@chromium.org

[jochen (gone - plz use gerrit), 2016-07-11 18:43:06]

The CQ bit was checked by jochen@chromium.org

[jochen (gone - plz use gerrit), 2016-07-11 18:43:06]

The patchset sent to the CQ was uploaded after l-g-t-m from
verwaest@chromium.org
Link to the patchset: https://codereview.chromium.org/2034083002/#ps160001
(title: "updates")

[commit-bot: I haz the power, 2016-07-11 18:43:16]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-11 20:11:14]

Committed patchset #9 (id:160001)

[commit-bot: I haz the power, 2016-07-11 20:11:16]

CQ bit was unchecked.

[commit-bot: I haz the power, 2016-07-11 20:12:04]

Description was changed from

==========
Don't compile functions in a context the caller doesn't have access to

Instead just return undefined

A side effect of this is that it's no longer possible to compile
functions in a detached context.

BUG=chromium:541703
R=verwaest@chromium.org,bmeurer@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng
==========

to

==========
Don't compile functions in a context the caller doesn't have access to

Instead just return undefined

A side effect of this is that it's no longer possible to compile
functions in a detached context.

BUG=chromium:541703
R=verwaest@chromium.org,bmeurer@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng

Committed: https://crrev.com/992e34c21635b179a993b82ac1d81753e7a6a57a
Cr-Commit-Position: refs/heads/master@{#37657}
==========

[commit-bot: I haz the power, 2016-07-11 20:12:05]

Patchset 9 (id:??) landed as
https://crrev.com/992e34c21635b179a993b82ac1d81753e7a6a57a
Cr-Commit-Position: refs/heads/master@{#37657}

[adamk, 2016-07-14 01:34:22]

A revert of this CL (patchset #9 id:160001) has been created in
https://codereview.chromium.org/2148163002/ by adamk@chromium.org.

The reason for reverting is: Causes crashes on Canary.