RESOLVED FIXED 182217
MarkedBlock should have a footer instead of a header 
https://bugs.webkit.org/show_bug.cgi?id=182217
Summary MarkedBlock should have a footer instead of a header
Filip Pizlo
Reported 2018-01-27 10:59:34 PST
Patch forthcoming. This helps us create a distancing constraint for positive offsets: any out-of-bounds read or write that has offset smaller than K, where K is MarkedBlock footer size, will end up hitting another object in the same block or the footer.
Attachments
it's a start (18.37 KB, patch)
2018-01-27 11:00 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
maybe this is right (28.75 KB, patch)
2018-01-27 11:24 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (48.69 KB, patch)
2018-01-27 13:16 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (46.59 KB, patch)
2018-01-27 14:09 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (47.24 KB, patch)
2018-01-27 14:20 PST, Filip Pizlo 		jfbastien: review+
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2018-01-27 11:00:30 PST
Created attachment 332475 [details] it's a start
Filip Pizlo
Comment 2 2018-01-27 11:24:37 PST
Created attachment 332476 [details] maybe this is right
Filip Pizlo
Comment 3 2018-01-27 13:16:52 PST
Created attachment 332482 [details] the patch
Filip Pizlo
Comment 4 2018-01-27 14:09:41 PST
Created attachment 332483 [details] the patch
Filip Pizlo
Comment 5 2018-01-27 14:20:51 PST
Created attachment 332484 [details] the patch Now I like the changelog.
JF Bastien
Comment 6 2018-01-27 15:13:24 PST
Comment on attachment 332484 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=332484&action=review r=me > Source/JavaScriptCore/heap/MarkedBlock.cpp:92 > + dataLog(RawPointer(this), ": Allocated.\n"); Drop logging or add verbose flag. > Source/JavaScriptCore/heap/MarkedBlock.h:269 > + CountingLock m_lock; This is 4 bytes, I'd put it next to HeapVersion (also 4) instead of before the 2x 2 byte mark counts. > Source/JavaScriptCore/heap/MarkedBlock.h:615 > return true; Seems like all uses of isAtom() should be succeeded by a size mask (when accessing the atoms) to Spectre-protect the accesses?
Filip Pizlo
Comment 7 2018-01-27 17:39:20 PST
(In reply to JF Bastien from comment #6) > Comment on attachment 332484 [details] > the patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=332484&action=review > > r=me > > > Source/JavaScriptCore/heap/MarkedBlock.cpp:92 > > + dataLog(RawPointer(this), ": Allocated.\n"); > > Drop logging or add verbose flag. That code was already there. The patch makes it seem like it was added. I'm just moving it. > > > Source/JavaScriptCore/heap/MarkedBlock.h:269 > > + CountingLock m_lock; > > This is 4 bytes, I'd put it next to HeapVersion (also 4) instead of before > the 2x 2 byte mark counts. But the goal is more padding! ;-) > > > Source/JavaScriptCore/heap/MarkedBlock.h:615 > > return true; > > Seems like all uses of isAtom() should be succeeded by a size mask (when > accessing the atoms) to Spectre-protect the accesses? I don't think so, because the index is not under user control.
Radar WebKit Bug Importer
Comment 8 2018-01-27 17:40:00 PST
<rdar://problem/36952146>
Filip Pizlo
Comment 9 2018-01-27 18:26:00 PST
Landed in https://trac.webkit.org/changeset/227717/webkit
Note You need to log in before you can comment on or make changes to this bug.