183863 – ScopedArguments should do poisoning and index masking

RESOLVED FIXED 183863

ScopedArguments should do poisoning and index masking

https://bugs.webkit.org/show_bug.cgi?id=183863

Summary ScopedArguments should do poisoning and index masking

Filip Pizlo

Reported 2018-03-21 12:20:56 PDT

Patch forthcoming.

Attachments
work in progress (22.97 KB, patch) 2018-03-21 12:23 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
it might be done (32.82 KB, patch) 2018-03-21 14:21 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
the patch (32.87 KB, patch) 2018-03-21 15:00 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
the patch (32.93 KB, patch) 2018-03-21 15:29 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
patch for landing (32.92 KB, patch) 2018-03-21 15:41 PDT, Filip Pizlo	ews-watchlist: commit-queue-	Details Formatted Diff Diff
patch for landing (33.20 KB, patch) 2018-03-21 18:38 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2018-03-21 12:23:23 PDT

Created attachment 336220 [details] work in progress

Filip Pizlo

Comment 2 2018-03-21 14:21:54 PDT

Created attachment 336234 [details] it might be done

EWS Watchlist

Comment 3 2018-03-21 14:24:01 PDT

Attachment 336234 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/ScopedArguments.cpp:151: Please replace ASSERT_WITH_SECURITY_IMPLICATION() with RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(). [security/assertion] [5] Total errors found: 1 in 18 files If any of these errors are false positives, please file a bug against check-webkit-style.

Filip Pizlo

Comment 4 2018-03-21 15:00:50 PDT

Created attachment 336238 [details] the patch

EWS Watchlist

Comment 5 2018-03-21 15:04:52 PDT

Attachment 336238 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/ScopedArguments.cpp:151: Please replace ASSERT_WITH_SECURITY_IMPLICATION() with RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(). [security/assertion] [5] Total errors found: 1 in 18 files If any of these errors are false positives, please file a bug against check-webkit-style.

Filip Pizlo

Comment 6 2018-03-21 15:29:06 PDT

Created attachment 336240 [details] the patch

EWS Watchlist

Comment 7 2018-03-21 15:31:49 PDT

Attachment 336240 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/ScopedArguments.cpp:151: Please replace ASSERT_WITH_SECURITY_IMPLICATION() with RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(). [security/assertion] [5] Total errors found: 1 in 18 files If any of these errors are false positives, please file a bug against check-webkit-style.

Mark Lam

Comment 8 2018-03-21 15:32:04 PDT

Comment on attachment 336234 [details] it might be done View in context: https://bugs.webkit.org/attachment.cgi?id=336234&action=review r=me with issues addressed. > Source/JavaScriptCore/bytecode/AccessCase.cpp:407 > + jit.loadPtr( > + CCallHelpers::Address(baseGPR, DirectArguments::offsetOfStorage()), Shouldn't this be ScopedArguments::offsetOfStorage()? > Source/JavaScriptCore/runtime/ScopedArguments.h:184 > + static_assert(sizeof(StorageHeader) <= sizeof(WriteBarrier<Unknown>), "StorageHeader needs to be no bigger than a JSValue"); > + return *bitwise_cast<StorageHeader*>(storage - 1); You could have introduced a static method: static size_t storageHeaderSizeInJSValueCount() { return WTF::roundUpToMultipleOf<sizeof(WriteBarrier<Unknown>)>(sizeof(StorageHeader)) / sizeof(WriteBarrier<Unknown>); } ... and use that instead assuming the StorageHeader takes 1 JSValue. With that you can get rid of this assertion and make it such that we can add new fields to StorageHeader without breaking any code. That said, we can always defer this till we need it in the future.

Filip Pizlo

Comment 9 2018-03-21 15:34:55 PDT

(In reply to Mark Lam from comment #8) > Comment on attachment 336234 [details] > it might be done > > View in context: > https://bugs.webkit.org/attachment.cgi?id=336234&action=review > > r=me with issues addressed. > > > Source/JavaScriptCore/bytecode/AccessCase.cpp:407 > > + jit.loadPtr( > > + CCallHelpers::Address(baseGPR, DirectArguments::offsetOfStorage()), > > Shouldn't this be ScopedArguments::offsetOfStorage()? > > > Source/JavaScriptCore/runtime/ScopedArguments.h:184 > > + static_assert(sizeof(StorageHeader) <= sizeof(WriteBarrier<Unknown>), "StorageHeader needs to be no bigger than a JSValue"); > > + return *bitwise_cast<StorageHeader*>(storage - 1); > > You could have introduced a static method: > static size_t storageHeaderSizeInJSValueCount() { return > WTF:: > roundUpToMultipleOf<sizeof(WriteBarrier<Unknown>)>(sizeof(StorageHeader)) / > sizeof(WriteBarrier<Unknown>); } > > ... and use that instead assuming the StorageHeader takes 1 JSValue. With > that you can get rid of this assertion and make it such that we can add new > fields to StorageHeader without breaking any code. That said, we can always > defer this till we need it in the future. Lots of code assumes that StorageHeader is smaller than JSValue.

Filip Pizlo

Comment 10 2018-03-21 15:35:06 PDT

(In reply to Mark Lam from comment #8) > Comment on attachment 336234 [details] > it might be done > > View in context: > https://bugs.webkit.org/attachment.cgi?id=336234&action=review > > r=me with issues addressed. > > > Source/JavaScriptCore/bytecode/AccessCase.cpp:407 > > + jit.loadPtr( > > + CCallHelpers::Address(baseGPR, DirectArguments::offsetOfStorage()), > > Shouldn't this be ScopedArguments::offsetOfStorage()? Fixed! > > > Source/JavaScriptCore/runtime/ScopedArguments.h:184 > > + static_assert(sizeof(StorageHeader) <= sizeof(WriteBarrier<Unknown>), "StorageHeader needs to be no bigger than a JSValue"); > > + return *bitwise_cast<StorageHeader*>(storage - 1); > > You could have introduced a static method: > static size_t storageHeaderSizeInJSValueCount() { return > WTF:: > roundUpToMultipleOf<sizeof(WriteBarrier<Unknown>)>(sizeof(StorageHeader)) / > sizeof(WriteBarrier<Unknown>); } > > ... and use that instead assuming the StorageHeader takes 1 JSValue. With > that you can get rid of this assertion and make it such that we can add new > fields to StorageHeader without breaking any code. That said, we can always > defer this till we need it in the future.

Filip Pizlo

Comment 11 2018-03-21 15:41:51 PDT

Created attachment 336242 [details] patch for landing Addressed Mark's feedback

EWS Watchlist

Comment 12 2018-03-21 15:51:53 PDT

Attachment 336242 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/ScopedArguments.cpp:151: Please replace ASSERT_WITH_SECURITY_IMPLICATION() with RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(). [security/assertion] [5] Total errors found: 1 in 18 files If any of these errors are false positives, please file a bug against check-webkit-style.

EWS Watchlist

Comment 13 2018-03-21 17:09:46 PDT

Comment on attachment 336242 [details] patch for landing Attachment 336242 [details] did not pass jsc-ews (mac): Output: http://webkit-queues.webkit.org/results/7057246 New failing tests: microbenchmarks/scoped-arguments-possibly-overridden-length.js.dfg-eager microbenchmarks/scoped-arguments-possibly-overridden-length.js.dfg-maximal-flush-validate-no-cjit microbenchmarks/scoped-arguments-possibly-overridden-length.js.ftl-eager-no-cjit microbenchmarks/scoped-arguments-possibly-overridden-length.js.no-cjit-validate-phases microbenchmarks/scoped-arguments-possibly-overridden-length.js.ftl-eager microbenchmarks/scoped-arguments-possibly-overridden-length.js.ftl-no-cjit-small-pool microbenchmarks/scoped-arguments-possibly-overridden-length.js.dfg-eager-no-cjit-validate microbenchmarks/scoped-arguments-possibly-overridden-length.js.ftl-eager-no-cjit-b3o1 microbenchmarks/scoped-arguments-possibly-overridden-length.js.ftl-no-cjit-no-put-stack-validate microbenchmarks/scoped-arguments-possibly-overridden-length.js.ftl-no-cjit-b3o1 microbenchmarks/scoped-arguments-possibly-overridden-length.js.no-ftl microbenchmarks/scoped-arguments-possibly-overridden-length.js.no-llint microbenchmarks/scoped-arguments-possibly-overridden-length.js.ftl-no-cjit-no-inline-validate microbenchmarks/scoped-arguments-possibly-overridden-length.js.default microbenchmarks/scoped-arguments-possibly-overridden-length.js.ftl-no-cjit-validate-sampling-profiler microbenchmarks/scoped-arguments-possibly-overridden-length.js.no-cjit-collect-continuously

Filip Pizlo

Comment 14 2018-03-21 18:38:43 PDT

Created attachment 336254 [details] patch for landing

EWS Watchlist

Comment 15 2018-03-21 18:40:50 PDT

Attachment 336254 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/ScopedArguments.cpp:151: Please replace ASSERT_WITH_SECURITY_IMPLICATION() with RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(). [security/assertion] [5] Total errors found: 1 in 18 files If any of these errors are false positives, please file a bug against check-webkit-style.

Filip Pizlo

Comment 16 2018-03-21 19:16:04 PDT

Landed in https://trac.webkit.org/changeset/229842/webkit

Radar WebKit Bug Importer

Comment 17 2018-03-21 19:17:19 PDT

<rdar://problem/38734279>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Filip Pizlo

Reported

2018-03-21 12:20 PDT

Modified

2018-03-21 19:17 PDT History

CC List

6 users Show

URL

Keywords InRadar

Depends on

Blocks