Bug 208671

Summary: [JSC] Cage JIT pointers to the JIT region
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: ASSIGNED
Severity: Normal
CC: allan.jensen, benjamin, calvaris, cdumez, cmarcelo, dino, esprehn+autocc, ews-watchlist, fmalita, glenn, gyuyoung.kim, hi, joepeck, kangil.han, keith_miller, macpherson, mark.lam, menard, pdr, saam, sabouhallawa, schenney, sergio, tzagallo, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Draft patch (flags: none)
Work in progress patch (flags: ews-feeder: commit-queue-)

Michael Saboff
Reported 2020-03-05 15:54:21 PST
The idea here is that we emit code that cages code pointers to the JIT region so that JIT execution does not escape to non-JIT'ed regions except to known destinations. For functions that the JIT'ed code needs to call out to in C++ code space, provide a whitelist of allowable entry points. Finally, verify that the emitted instructions follow the designed restrictions. This change is currently only implemented for ARM64 hardware.
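An added illustration of the three parts of the design above (cage the pointer, whitelist C++ entry points, verify targets) as a small C model; this is not code from the patch or from JSC, and the region base and size, the whitelist addresses and the sample pointers are constructed values. The real patch emits the masking as ARM64 instructions; this models the same check in plain C so the effect on an attacker-controlled pointer can be observed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical JIT region: power-of-two size at an aligned base, so a
 * pointer can be forced back into it with a mask and an OR (constructed). */
#define JIT_REGION_BASE 0x200000000ull        /* constructed */
#define JIT_REGION_SIZE (1ull << 28)          /* constructed: 256 MiB */

/* Constructed whitelist of C++ entry points JIT'ed code may branch to. */
static const uint64_t kAllowedEntries[] = { 0x100001000ull, 0x100002040ull };
#define ALLOWED_COUNT (sizeof(kAllowedEntries) / sizeof(kAllowedEntries[0]))

/* Cage: keep only the in-region offset bits and rebase them onto the region.
 * Branch-free, so the worst a corrupted pointer can do is land at the wrong
 * offset inside the JIT region, never outside it. */
uint64_t cageToJitRegion(uint64_t codePointer)
{
    return JIT_REGION_BASE | (codePointer & (JIT_REGION_SIZE - 1));
}

bool isAllowedEntry(uint64_t target)
{
    for (size_t i = 0; i < ALLOWED_COUNT; ++i)
        if (kAllowedEntries[i] == target)
            return true;
    return false;
}

/* What the emitted code would do before an indirect branch: a whitelisted
 * C++ entry passes through unchanged, anything else is caged. */
uint64_t resolveBranchTarget(uint64_t target)
{
    return isAllowedEntry(target) ? target : cageToJitRegion(target);
}

/* Verifier over a list of branch targets found in emitted code: every one
 * must already lie inside the JIT region or be a whitelisted entry point. */
bool verifyTargets(const uint64_t* targets, size_t count)
{
    for (size_t i = 0; i < count; ++i) {
        uint64_t t = targets[i];
        bool inRegion = t >= JIT_REGION_BASE && t < JIT_REGION_BASE + JIT_REGION_SIZE;
        if (!inRegion && !isAllowedEntry(t))
            return false;                      /* escapes the design */
    }
    return true;
}
```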
Attachments
Draft patch (598.44 KB, patch), 2020-03-05 17:03 PST, Michael Saboff, no flags
Work in progress patch (735.51 KB, patch), 2020-09-22 20:18 PDT, Michael Saboff, ews-feeder: commit-queue-
Michael Saboff
Comment 1 2020-03-05 15:54:38 PST
Michael Saboff
Comment 2 2020-03-05 17:03:36 PST
Created attachment 392652: Draft patch
This patch does not build for non-ARM64 platforms. It also doesn't generate the WebKit and WebCore whitelists.
Michael Saboff
Comment 3 2020-09-22 20:18:16 PDT
Created attachment 409448: Work in progress patch