Bug 181453

Summary:	Spectre bound check mitigation efficiency
Product:	WebKit	Reporter:	dougc <dtc-llvm>
Component:	JavaScriptCore	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED WONTFIX
Severity:	Normal	CC:	fpizlo
Priority:	P2
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Description dougc 2018-01-09 15:12:34 PST

Although some mitigations for the Spectre vulnerabilities have been deployed, for example https://bugs.webkit.org/show_bug.cgi?id=181313, I would like to suggest one alternative strategy that does not appear to have been explored, might need feedback from Intel etc who have not responded to me personally. The idea is to create a data flow dependency on the array length so that the protected memory access can not execute until the same time that the speculative bounds check branch can execute. Tests suggests this is faster than the index masking approaches that are added to the bounds check. Please see https://weblll.org/index.php/spectre-bounds-check-data-flow-mitigation/

Comment 1 Filip Pizlo 2018-01-09 19:02:43 PST

This doesn’t completely fix Spectre since the CPU will sometimes verify the branch after the leaking load. There is nothing in your code snippet that prevents this. 

So, although this probably performs great, it’s too risky since it still leaves Spectre as a theoretical possibility.

Comment 2 dougc 2018-01-09 19:18:12 PST

> This doesn’t completely fix Spectre since the CPU will sometimes verify the branch after the leaking load. There is nothing in your code snippet that prevents this. 

Yes that is a possibility, but to me an unknown. Did you get some confirmation from Intel etc on this, or is it just that this in an unknown?

If it has to be masking, or other data flow strategies to limit the index, then so be it, but just wanted to be sure.