188741 – [JSC] Suppress UBSan warnings for KeywordLookup

Bug 188741 - [JSC] Suppress UBSan warnings for KeywordLookup

Summary: [JSC] Suppress UBSan warnings for KeywordLookup

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Yusuke Suzuki

URL:
Keywords:

Depends on:
Blocks:	196533
	Show dependency tree / graph

Reported:	2018-08-20 02:40 PDT by Yusuke Suzuki
Modified:	2020-06-12 20:29 PDT (History)
CC List:	14 users (show)

See Also:

Attachments
Patch (3.30 KB, patch) 2018-08-20 02:47 PDT, Yusuke Suzuki	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yusuke Suzuki 2018-08-20 02:40:51 PDT

[JSC] Suppress UBSan warnings for KeywordLookup

Comment 1 Yusuke Suzuki 2018-08-20 02:47:14 PDT

Created attachment 347489 [details]
Patch

Comment 2 Fujii Hironori 2018-08-23 19:46:34 PDT

Can you use WTF::unalignedLoad instead of reinterpret_cast in this case?

There is a code path for CPU(NEEDS_ALIGNED_ACCESS). How about the idea to use the code path if UBSan is enabled?

Comment 3 Fujii Hironori 2018-08-23 19:47:57 PDT

Don, 

IIUC, we (SIE) want to remove undefined behaviors as much as possible for CFI. Right?

Control Flow Integrity
https://clang.llvm.org/docs/ControlFlowIntegrity.html

Comment 4 Don Olmstead 2018-08-24 10:09:38 PDT

(In reply to Fujii Hironori from comment #3)
> Don, 
> 
> IIUC, we (SIE) want to remove undefined behaviors as much as possible for
> CFI. Right?
> 
> Control Flow Integrity
> https://clang.llvm.org/docs/ControlFlowIntegrity.html

For CFI the unaligned loads should not be a problem. Patch as is looks fine I'm just interested in knowing if something like the WTF functions mentioned would be of use here just for reuse purposes.

Comment 5 Filip Pizlo 2019-04-03 13:33:02 PDT

Comment on attachment 347489 [details]
Patch

I’m not sure we should be splatting these blacklist things - it makes the code uglier.

Comment 6 Don Olmstead 2019-04-03 13:35:56 PDT

(In reply to Filip Pizlo from comment #5)
> Comment on attachment 347489 [details]
> Patch
> 
> I’m not sure we should be splatting these blacklist things - it makes the
> code uglier.

We can use a blacklist file or annotate the code. The benefit from having it in code is that you can see right away that the code is relying on undefined behavior.

I don't have a strong opinion either way.

Comment 7 Michael Catanzaro 2019-04-12 09:57:50 PDT

(In reply to Filip Pizlo from comment #5)
> Comment on attachment 347489 [details]
> Patch
> 
> I’m not sure we should be splatting these blacklist things - it makes the
> code uglier.

This looks like really low-cost to me. WebKit already has SUPPRESS_ASAN because we recognize asan is an extremely valuable tool for finding security bugs, and using SUPPRESS_ASAN in a couple odd places is less-invasive than rewriting those places to not trigger asan. (If we don't rewrite the code, and don't use SUPPRESS_ASAN, then we simply can't use asan.)

Now, ubsan is less-valuable than asan, but that's only because asan is really really good. Making a couple small tweaks to the code like this to please ubsan seems valuable to me, since it will make it much easier to run WebKit under ubsan. This seems much more valuable to me than a blacklist file, since that would require extra work to configure and would reduce the ease of running WebKit under ubsan.

Comment 8 Filip Pizlo 2019-04-12 10:14:12 PDT

(In reply to Michael Catanzaro from comment #7)
> (In reply to Filip Pizlo from comment #5)
> > Comment on attachment 347489 [details]
> > Patch
> > 
> > I’m not sure we should be splatting these blacklist things - it makes the
> > code uglier.
> 
> This looks like really low-cost to me. WebKit already has SUPPRESS_ASAN
> because we recognize asan is an extremely valuable tool for finding security
> bugs, and using SUPPRESS_ASAN in a couple odd places is less-invasive than
> rewriting those places to not trigger asan. (If we don't rewrite the code,
> and don't use SUPPRESS_ASAN, then we simply can't use asan.)

I don’t mind these annotations for asan. I was only talking about ubsan. 

> 
> Now, ubsan is less-valuable than asan, but that's only because asan is
> really really good. Making a couple small tweaks to the code like this to
> please ubsan seems valuable to me, since it will make it much easier to run
> WebKit under ubsan. This seems much more valuable to me than a blacklist
> file, since that would require extra work to configure and would reduce the
> ease of running WebKit under ubsan.

Ubsan is such a silly concept. The case of reporting bad shift amounts as errors is particularly silly: the only fix for that is to mask the shift amount. If that’s the only fix then we should ask for something that just applies those masks for us everywhere. 

The same argument can be made for most other kinds of UB.

Comment 9 Saagar Jha 2019-07-17 08:33:59 PDT

The code exhibiting undefined behavior that this bug mentions has been rewritten to be standards-compliant in https://bugs.webkit.org/show_bug.cgi?id=199650, so I don't think we need that part of the changeset anymore. I think that adding annotations is still useful, however: there are lot of places in WebKit that remain noncompliant, and an annotation like this would be useful to mark all the places we haven't gotten around to fixing yet as well as ensuring that new code remains free of undefined behavior.

Comment 10 Yusuke Suzuki 2020-06-12 20:29:23 PDT

Comment on attachment 347489 [details]
Patch

For now, I'm not planning to do this.