Taint Confusion during Deduplication

[tmbrbr]

Foxhound contains a small number of regression tests for SpiderMonkey to make sure tainting is still working:

js/src/tests/jstests.py obj-spider-release/dist/bin/js taint/

While trying to debug these tests, I noticed something strange was going on while running the atom tests:

https://github.com/SAP/project-foxhound/blob/main/js/src/tests/taint/atoms.js

When splitting a string into an array of chars, there was some confusion between tainted and untainted strings, e.g.:

var untainted = "world";
var tainted = String.tainted("hello");

var untaintedStrings = untainted.split('');
var taintedStrings = tainted.split('');

taintedStrings[3].taint;  // Tainted, OK
untaintedStrings[3].taint;  // Tainted, what's going on?!??

So the char l is actually tainted in both arrays. Note that this only occurs after a number of iterations of the test function, not immediately.

[tmbrbr]

After digging around, it seems like this (and a lot of the taint test failures) is actually due to deduplication of strings in the Garbage Collector.

When moving String to Tenured memory:

https://github.com/SAP/project-foxhound/blob/main/js/src/gc/Tenuring.cpp#L691

The GC tries to deduplicate them first. As the taint is not used to compare strings, the GC was finding a match for the single char l and deduplicating it so that both objects point to the same content, in this case the tainted version of the string.

The fix for this is to prevent deduplication of tainted Strings.

[tmbrbr]

Fixed this issue here: bedb7e4#diff-bdf1275711c3516a0d40c11d16481579384f59f6965f63a2490a56754369a4d3