WebKit Bugzilla
Bug 210314: Fix bad tests in testmasm's testCagePreservesPACFailureBit().
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=210314
Reported by Mark Lam, 2020-04-09 19:00:11 PDT
Some of these tests will crash when validated untagging is enabled.
Attachments
proposed patch. (2.76 KB, patch), 2020-04-09 19:10 PDT, Mark Lam; ysuzuki: review+
Radar WebKit Bug Importer
Comment 1
2020-04-09 19:00:34 PDT
<rdar://problem/61556785>
Mark Lam
Comment 2
2020-04-09 19:10:13 PDT
Created attachment 396032 [details]
proposed patch.
Yusuke Suzuki
Comment 3
2020-04-09 23:18:18 PDT
Comment on attachment 396032 [details]
proposed patch.

r=me
Mark Lam
Comment 4
2020-04-09 23:26:34 PDT
Thanks for the review. Landed in r259848: <http://trac.webkit.org/r259848>.
Keith Miller
Comment 5
2020-04-10 10:19:34 PDT
Comment on attachment 396032 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=396032&action=review

> Source/JavaScriptCore/assembler/testmasm.cpp:2136
> + CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), ptr);

This isn't quite as strong as the old test. It doesn't guarantee that the cage gave you a pointer that will crash when dereferenced. However, I think that can be tested by also asserting

CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), removeArrayPtrTag(invoke<void*>(cage, taggedNotCagedPtr, 1)));
Mark Lam
Comment 6
2020-04-10 12:34:58 PDT
Landed the additional test in r259890: <http://trac.webkit.org/r259890>.
Saam Barati
Comment 7
2020-04-10 12:53:44 PDT
Comment on attachment 396032 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=396032&action=review

> Source/JavaScriptCore/ChangeLog:9
> + Some of these tests will crash when validated untagging is enabled.

why?
Saam Barati
Comment 8
2020-04-10 12:54:01 PDT
Comment on attachment 396032 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=396032&action=review

>> Source/JavaScriptCore/ChangeLog:9
>> + Some of these tests will crash when validated untagging is enabled.
> 
> why?

(You should say that here, not just what, but why)
Mark Lam
Comment 9
2020-04-10 12:59:28 PDT
(In reply to Saam Barati from comment #8)
> Comment on attachment 396032 [details]
> proposed patch.
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=396032&action=review
> 
> >> Source/JavaScriptCore/ChangeLog:9
> >> + Some of these tests will crash when validated untagging is enabled.
> > 
> > why?
> 
> (You should say that here, not just what, but why)

It's in the title: "when validated untagging is enabled". When we start validating the untagged pointer (as in crash if validation fails), we will crash if we are untagging badly tagged pointers on purpose in the test.
Mark Lam
Comment 10
2020-04-10 13:00:22 PDT
(In reply to Mark Lam from comment #9)
> (In reply to Saam Barati from comment #8)
> > Comment on attachment 396032 [details]
> > proposed patch.
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=396032&action=review
> > 
> > >> Source/JavaScriptCore/ChangeLog:9
> > >> + Some of these tests will crash when validated untagging is enabled.
> > > 
> > > why?
> > 
> > (You should say that here, not just what, but why)
> 
> It's in the title: "when validated untagging is enabled". When we start
> validating the untagged pointer (as in crash if validation fails), we will
> crash if we are untagging badly tagged pointers on purpose in the test.

Sorry, not title. It's in the bug and ChangeLog description.
Saam Barati
Comment 11
2020-04-10 13:03:17 PDT
Comment on attachment 396032 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=396032&action=review

>> Source/JavaScriptCore/assembler/testmasm.cpp:2136
>> + CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), ptr);
> 
> This isn't quite as strong as the old test. It doesn't guarantee that the cage gave you a pointer that will crash when dereferenced. However, I think that can be tested by also asserting
> 
> CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), removeArrayPtrTag(invoke<void*>(cage, taggedNotCagedPtr, 1)));

can't we just assert using some functions that we're looking at unmapped memory?
Keith Miller
Comment 12
2020-04-10 13:20:31 PDT
Comment on attachment 396032 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=396032&action=review

>>> Source/JavaScriptCore/assembler/testmasm.cpp:2136
>>> + CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), ptr);
>> 
>> This isn't quite as strong as the old test. It doesn't guarantee that the cage gave you a pointer that will crash when dereferenced. However, I think that can be tested by also asserting
>> 
>> CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), removeArrayPtrTag(invoke<void*>(cage, taggedNotCagedPtr, 1)));
> 
> can't we just assert using some functions that we're looking at unmapped memory?

The point is to ensure you have PAC bits.
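Added illustration of the distinction drawn in comments 5 and 12 (a caged result must still carry PAC bits, not merely differ from ptr). This is a toy C model written for this page; it is not WebKit's testmasm, MacroAssembler or Gigacage code. The pointer bit layout, the hash standing in for the PAC, the cage base and size, the sample pointers PTR and NOT_CAGED_PTR, and the broken_cage variant are all assumptions made for the example. The three check functions mirror the patch's CHECK_NOT_EQ, the extra assertion from comment 5, and the failure-bit property the test is named for.

```c
/* Toy model of PAC-signed pointers and a "cage" operation, added here to
 * illustrate the two assertions discussed in comments 5 and 12. It is not
 * WebKit's testmasm, MacroAssembler or Gigacage code: the bit layout, the
 * hash, the cage geometry and the broken variant are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed pointer layout: bits 0-47 address, bits 48-62 PAC field, bit 63
 * set when authentication failed (stands in for the non-canonical pointer a
 * failed AUT* produces, which faults when dereferenced). */
#define ADDR_MASK ((1ULL << 48) - 1)
#define PAC_SHIFT 48
#define PAC_MASK  (0x7FFFULL << PAC_SHIFT)
#define FAIL_BIT  (1ULL << 63)

/* Assumed cage: a 4 GiB region. Caging keeps the low 32 address bits and
 * rebases them onto CAGE_BASE. */
#define CAGE_BASE 0x0000200000000000ULL
#define CAGE_SIZE (1ULL << 32)

/* Constructed sample pointers, mirroring ptr / notCagedPtr in the test:
 * NOT_CAGED_PTR is outside the cage but has the same low bits as PTR. */
#define PTR           (CAGE_BASE + 0x1000ULL)
#define NOT_CAGED_PTR (PTR + (CAGE_SIZE << 2))

/* Keyed mix of address and modifier; stand-in for the PAC hash. Bit 0 is
 * forced on so the field is never zero, and the modifier flips bits above
 * bit 0, so modifiers 1 and 2 never collide for the same address. */
static uint64_t toy_pac(uint64_t addr, uint64_t modifier)
{
    uint64_t h = addr * 0xBF58476D1CE4E5B9ULL;
    h ^= h >> 31;
    return (((h >> 17) ^ (modifier << 1)) & 0x7FFF) | 1;
}

/* PAC*: sign the address with a modifier (the array length in testmasm). */
static uint64_t tag_ptr(uint64_t p, uint64_t modifier)
{
    uint64_t addr = p & ADDR_MASK;
    return (p & FAIL_BIT) | (toy_pac(addr, modifier) << PAC_SHIFT) | addr;
}

/* AUT*: the bare address on success, the address with FAIL_BIT on failure.
 * "Validated untagging" would trap right here instead of returning, which is
 * why tests that untag deliberately mis-tagged pointers crash in that mode. */
static uint64_t untag_ptr(uint64_t p, uint64_t modifier)
{
    uint64_t addr = p & ADDR_MASK;
    uint64_t pac = (p & PAC_MASK) >> PAC_SHIFT;
    if (!(p & FAIL_BIT) && pac == toy_pac(addr, modifier))
        return addr;
    return addr | FAIL_BIT;
}

/* removeArrayPtrTag / XPAC*: drop the PAC field without checking it. The
 * failure bit is kept, so a bad pointer stays non-dereferenceable. */
static uint64_t remove_tag(uint64_t p)
{
    return p & (ADDR_MASK | FAIL_BIT);
}

static bool is_dereferenceable(uint64_t p)
{
    return (p & ~ADDR_MASK) == 0; /* canonical: no PAC field, no failure bit */
}

/* The caging sequence under test: untag with the length, move the address
 * into the cage while leaving bits 48-63 alone (so a failure bit from the
 * untag survives), then re-tag the caged pointer. */
static uint64_t cage(uint64_t p, uint64_t length)
{
    uint64_t u = untag_ptr(p, length);
    uint64_t caged_addr = CAGE_BASE | (u & (CAGE_SIZE - 1));
    return tag_ptr((u & ~ADDR_MASK) | caged_addr, length);
}

/* Hypothetical broken cage: untags and hands back the bare, uncaged address. */
static uint64_t broken_cage(uint64_t p, uint64_t length)
{
    return untag_ptr(p, length) & ADDR_MASK;
}

typedef uint64_t (*cage_fn)(uint64_t, uint64_t);

/* The patch's assertion: CHECK_NOT_EQ(invoke(cage, taggedNotCagedPtr, 1), ptr). */
static bool weak_check(cage_fn c)
{
    return c(tag_ptr(NOT_CAGED_PTR, 1), 1) != PTR;
}

/* Comment 5's extra assertion: the caged result must differ from its own
 * stripped form, i.e. it still carries PAC bits. */
static bool strong_check(cage_fn c)
{
    uint64_t r = c(tag_ptr(NOT_CAGED_PTR, 1), 1);
    return r != PTR && r != remove_tag(r);
}

/* Untagging with the wrong length must leave a pointer that still faults
 * after caging, even once the PAC field is stripped. */
static bool failure_bit_preserved(cage_fn c)
{
    uint64_t r = remove_tag(c(tag_ptr(PTR, 2), 1));
    return r != PTR && !is_dereferenceable(r);
}

int main(void)
{
    printf("cage:        weak=%d strong=%d failbit=%d\n",
           weak_check(cage), strong_check(cage), failure_bit_preserved(cage));
    printf("broken_cage: weak=%d strong=%d failbit=%d\n",
           weak_check(broken_cage), strong_check(broken_cage),
           failure_bit_preserved(broken_cage));
    return 0;
}
```

weak_check passes for both cage variants, so on its own it cannot tell a cage that returns a plain, uncaged address from one that re-tags the caged pointer; strong_check (the result differs from its stripped form) and failure_bit_preserved are what separate them.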