Bug 182217

Summary: MarkedBlock should have a footer instead of a header
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: ggaren, jfbastien, keith_miller, mark.lam, msaboff, rmorisset, saam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 181636    
Attachments:
Description Flags
it's a start
none
maybe this is right
none
the patch
none
the patch
none
the patch jfbastien: review+

Filip Pizlo
Reported 2018-01-27 10:59:34 PST
Patch forthcoming. This helps us create a distancing constraint for positive offsets: any out-of-bounds read or write that has offset smaller than K, where K is MarkedBlock footer size, will end up hitting another object in the same block or the footer.
Attachments
it's a start (18.37 KB, patch)
2018-01-27 11:00 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
maybe this is right (28.75 KB, patch)
2018-01-27 11:24 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (48.69 KB, patch)
2018-01-27 13:16 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (46.59 KB, patch)
2018-01-27 14:09 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (47.24 KB, patch)
2018-01-27 14:20 PST, Filip Pizlo 		jfbastien: review+
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2018-01-27 11:00:30 PST
Created attachment 332475 [details] it's a start
Filip Pizlo
Comment 2 2018-01-27 11:24:37 PST
Created attachment 332476 [details] maybe this is right
Filip Pizlo
Comment 3 2018-01-27 13:16:52 PST
Created attachment 332482 [details] the patch
Filip Pizlo
Comment 4 2018-01-27 14:09:41 PST
Created attachment 332483 [details] the patch
Filip Pizlo
Comment 5 2018-01-27 14:20:51 PST
Created attachment 332484 [details] the patch Now I like the changelog.
JF Bastien
Comment 6 2018-01-27 15:13:24 PST
Comment on attachment 332484 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=332484&action=review r=me > Source/JavaScriptCore/heap/MarkedBlock.cpp:92 > + dataLog(RawPointer(this), ": Allocated.\n"); Drop logging or add verbose flag. > Source/JavaScriptCore/heap/MarkedBlock.h:269 > + CountingLock m_lock; This is 4 bytes, I'd put it next to HeapVersion (also 4) instead of before the 2x 2 byte mark counts. > Source/JavaScriptCore/heap/MarkedBlock.h:615 > return true; Seems like all uses of isAtom() should be succeeded by a size mask (when accessing the atoms) to Spectre-protect the accesses?
Filip Pizlo
Comment 7 2018-01-27 17:39:20 PST
(In reply to JF Bastien from comment #6) > Comment on attachment 332484 [details] > the patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=332484&action=review > > r=me > > > Source/JavaScriptCore/heap/MarkedBlock.cpp:92 > > + dataLog(RawPointer(this), ": Allocated.\n"); > > Drop logging or add verbose flag. That code was already there. The patch makes it seem like it was added. I'm just moving it. > > > Source/JavaScriptCore/heap/MarkedBlock.h:269 > > + CountingLock m_lock; > > This is 4 bytes, I'd put it next to HeapVersion (also 4) instead of before > the 2x 2 byte mark counts. But the goal is more padding! ;-) > > > Source/JavaScriptCore/heap/MarkedBlock.h:615 > > return true; > > Seems like all uses of isAtom() should be succeeded by a size mask (when > accessing the atoms) to Spectre-protect the accesses? I don't think so, because the index is not under user control.
Radar WebKit Bug Importer
Comment 8 2018-01-27 17:40:00 PST
<rdar://problem/36952146>
Filip Pizlo
Comment 9 2018-01-27 18:26:00 PST
Landed in https://trac.webkit.org/changeset/227717/webkit
Note You need to log in before you can comment on or make changes to this bug.