Bug 182217

Summary: MarkedBlock should have a footer instead of a header
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: ggaren, jfbastien, keith_miller, mark.lam, msaboff, rmorisset, saam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 181636    
Attachments:
Description Flags
it's a start
none
maybe this is right
none
the patch
none
the patch
none
the patch jfbastien: review+

Description Filip Pizlo 2018-01-27 10:59:34 PST 
Patch forthcoming.

This helps us create a distancing constraint for positive offsets: any out-of-bounds read or write that has offset smaller than K, where K is MarkedBlock footer size, will end up hitting another object in the same block or the footer.
Comment 1 Filip Pizlo 2018-01-27 11:00:30 PST 
Created attachment 332475 [details]
it's a start
Comment 2 Filip Pizlo 2018-01-27 11:24:37 PST 
Created attachment 332476 [details]
maybe this is right
Comment 3 Filip Pizlo 2018-01-27 13:16:52 PST 
Created attachment 332482 [details]
the patch
Comment 4 Filip Pizlo 2018-01-27 14:09:41 PST 
Created attachment 332483 [details]
the patch
Comment 5 Filip Pizlo 2018-01-27 14:20:51 PST 
Created attachment 332484 [details]
the patch

Now I like the changelog.
Comment 6 JF Bastien 2018-01-27 15:13:24 PST 
Comment on attachment 332484 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=332484&action=review

r=me

> Source/JavaScriptCore/heap/MarkedBlock.cpp:92
> +        dataLog(RawPointer(this), ": Allocated.\n");

Drop logging or add verbose flag.

> Source/JavaScriptCore/heap/MarkedBlock.h:269
> +        CountingLock m_lock;

This is 4 bytes, I'd put it next to HeapVersion (also 4) instead of before the 2x 2 byte mark counts.

> Source/JavaScriptCore/heap/MarkedBlock.h:615
>      return true;

Seems like all uses of isAtom() should be succeeded by a size mask (when accessing the atoms) to Spectre-protect the accesses?
Comment 7 Filip Pizlo 2018-01-27 17:39:20 PST 
(In reply to JF Bastien from comment #6)
> Comment on attachment 332484 [details]
> the patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=332484&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/heap/MarkedBlock.cpp:92
> > +        dataLog(RawPointer(this), ": Allocated.\n");
> 
> Drop logging or add verbose flag.

That code was already there.  The patch makes it seem like it was added.  I'm just moving it.

> 
> > Source/JavaScriptCore/heap/MarkedBlock.h:269
> > +        CountingLock m_lock;
> 
> This is 4 bytes, I'd put it next to HeapVersion (also 4) instead of before
> the 2x 2 byte mark counts.

But the goal is more padding! ;-)

> 
> > Source/JavaScriptCore/heap/MarkedBlock.h:615
> >      return true;
> 
> Seems like all uses of isAtom() should be succeeded by a size mask (when
> accessing the atoms) to Spectre-protect the accesses?

I don't think so, because the index is not under user control.
Comment 8 Radar WebKit Bug Importer 2018-01-27 17:40:00 PST 
<rdar://problem/36952146>
Comment 9 Filip Pizlo 2018-01-27 18:26:00 PST 
Landed in https://trac.webkit.org/changeset/227717/webkit