Bug 210314 - Fix bad tests in testmasm's testCagePreservesPACFailureBit().
Summary: Fix bad tests in testmasm's testCagePreservesPACFailureBit().
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks: 210252
Reported: 2020-04-09 19:00 PDT by Mark Lam
Modified: 2020-04-10 13:20 PDT (History)

See Also:


Attachments
proposed patch. (2.76 KB, patch)
2020-04-09 19:10 PDT, Mark Lam
ysuzuki: review+

Description Mark Lam 2020-04-09 19:00:11 PDT
Some of these tests will crash when validated untagging is enabled.
Comment 1 Radar WebKit Bug Importer 2020-04-09 19:00:34 PDT
<rdar://problem/61556785>
Comment 2 Mark Lam 2020-04-09 19:10:13 PDT
Created attachment 396032 [details]
proposed patch.
Comment 3 Yusuke Suzuki 2020-04-09 23:18:18 PDT
Comment on attachment 396032 [details]
proposed patch.

r=me
Comment 4 Mark Lam 2020-04-09 23:26:34 PDT
Thanks for the review.  Landed in r259848: <http://trac.webkit.org/r259848>.
Comment 5 Keith Miller 2020-04-10 10:19:34 PDT
Comment on attachment 396032 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=396032&action=review

> Source/JavaScriptCore/assembler/testmasm.cpp:2136
> +        CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), ptr);

This isn't quite as strong as the old test. It doesn't guarantee that the cage gave you a pointer that will crash when dereferenced. However, I think that can be tested by also asserting,

CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), removeArrayPtrTag(invoke<void*>(cage, taggedNotCagedPtr, 1)));
Comment 6 Mark Lam 2020-04-10 12:34:58 PDT
Landed the additional test in r259890: <http://trac.webkit.org/r259890>.
Comment 7 Saam Barati 2020-04-10 12:53:44 PDT
Comment on attachment 396032 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=396032&action=review

> Source/JavaScriptCore/ChangeLog:9
> +        Some of these tests will crash when validated untagging is enabled.

why?
Comment 8 Saam Barati 2020-04-10 12:54:01 PDT
Comment on attachment 396032 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=396032&action=review

>> Source/JavaScriptCore/ChangeLog:9
>> +        Some of these tests will crash when validated untagging is enabled.
> 
> why?

(You should say that here, not just what, but why)
Comment 9 Mark Lam 2020-04-10 12:59:28 PDT
(In reply to Saam Barati from comment #8)
> Comment on attachment 396032 [details]
> proposed patch.
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=396032&action=review
> 
> >> Source/JavaScriptCore/ChangeLog:9
> >> +        Some of these tests will crash when validated untagging is enabled.
> > 
> > why?
> 
> (You should say that here, not just what, but why)

It's in the title: "when validated untagging is enabled".  When we start validating the untagged pointer (as in crash if validation fails), we will crash if we are untagging badly tagged pointers on purpose in the test.
Comment 10 Mark Lam 2020-04-10 13:00:22 PDT
(In reply to Mark Lam from comment #9)
> (In reply to Saam Barati from comment #8)
> > Comment on attachment 396032 [details]
> > proposed patch.
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=396032&action=review
> > 
> > >> Source/JavaScriptCore/ChangeLog:9
> > >> +        Some of these tests will crash when validated untagging is enabled.
> > > 
> > > why?
> > 
> > (You should say that here, not just what, but why)
> 
> It's in the title: "when validated untagging is enabled".  When we start
> validating the untagged pointer (as in crash if validation fails), we will
> crash if we are untagging badly tagged pointers on purpose in the test.

Sorry, not title.  It's in the bug and ChangeLog description.
Comment 11 Saam Barati 2020-04-10 13:03:17 PDT
Comment on attachment 396032 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=396032&action=review

>> Source/JavaScriptCore/assembler/testmasm.cpp:2136
>> +        CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), ptr);
> 
> This isn't quite as strong as the old test. It doesn't guarantee that the cage gave you a pointer that will crash when dereferenced. However, I think that can be tested by also asserting,
> 
> CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), removeArrayPtrTag(invoke<void*>(cage, taggedNotCagedPtr, 1)));

can't we just assert using some functions that we're looking at unmapped memory?
Comment 12 Keith Miller 2020-04-10 13:20:31 PDT
Comment on attachment 396032 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=396032&action=review

>>> Source/JavaScriptCore/assembler/testmasm.cpp:2136
>>> +        CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), ptr);
>> 
>> This isn't quite as strong as the old test. It doesn't guarantee that the cage gave you a pointer that will crash when dereferenced. However, I think that can be tested by also asserting,
>> 
>> CHECK_NOT_EQ(invoke<void*>(cage, taggedNotCagedPtr, 1), removeArrayPtrTag(invoke<void*>(cage, taggedNotCagedPtr, 1)));
> 
> can't we just assert using some functions that we're looking at unmapped memory?

The point is to ensure you have PAC bits.
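The distinction discussed in comments 5, 11 and 12 (a check that the caged result merely differs from the original pointer versus a check that the caged result still carries PAC bits), as an added C++ illustration that is not part of the patch, of testmasm or of WebKit's Gigacage or PAC code. It is a toy model: the PAC field is assumed to occupy bits 63:56 of the pointer, the cage base and size are constructed values, and `cagePreservingTag`, `cageStrippingTag`, `weakCheck`, `strongCheck` and `makeTaggedNotCaged` are names chosen for the example; only `removeArrayPtrTag` mirrors a name from the thread, and here it is a model, not WebKit's implementation.

```cpp
#include <cstdint>
#include <cstdio>

// Toy model, not WebKit code. A tagged-but-not-caged pointer is fed to two cage
// functions: one that leaves the (hypothetical) PAC field alone and one that
// strips it. The weak check from the patch passes for both; the stronger check
// proposed in comment 5 only passes when the PAC bits survive.
//
// Assumptions: PAC field in bits 63:56 (hypothetical layout); a failed
// authentication leaves non-zero bits there so the pointer faults when
// dereferenced; the cage is a 64 GB region at a constructed base address.
constexpr uint64_t kTagMask  = 0xFF00000000000000ULL; // hypothetical PAC field
constexpr uint64_t kCageBase = 0x0000200000000000ULL; // constructed cage base
constexpr uint64_t kCageSize = 0x0000001000000000ULL; // 64 GB, constructed

static inline uint64_t bitsOf(const void* p) { return reinterpret_cast<uint64_t>(p); }
static inline void* fromBits(uint64_t v) { return reinterpret_cast<void*>(v); }

// Model of removeArrayPtrTag(): clear the PAC field and nothing else.
void* removeArrayPtrTag(void* p) { return fromBits(bitsOf(p) & ~kTagMask); }

// Build a "tagged but not caged" pointer: address outside the cage, PAC field
// set to a value that would never authenticate (the test's deliberately bad tag).
void* makeTaggedNotCaged(void* p, uint8_t badTag)
{
    return fromBits((bitsOf(p) & ~kTagMask) | (uint64_t(badTag) << 56));
}

// Cage that forces only the address bits into the cage and leaves the PAC
// field untouched; this is the behaviour the test is meant to pin down.
void* cagePreservingTag(void* p)
{
    uint64_t tag = bitsOf(p) & kTagMask;
    uint64_t address = bitsOf(p) & ~kTagMask;
    return fromBits(tag | (kCageBase + (address & (kCageSize - 1))));
}

// Cage that strips the PAC field first: the result is a dereferenceable cage
// address even though the input tag was bogus, so a crash is no longer guaranteed.
void* cageStrippingTag(void* p)
{
    uint64_t address = bitsOf(p) & ~kTagMask;
    return fromBits(kCageBase + (address & (kCageSize - 1)));
}

using CageFn = void* (*)(void*);

// The check as landed: the caged result only has to differ from the original pointer.
bool weakCheck(CageFn cage, void* original, void* taggedNotCaged)
{
    return cage(taggedNotCaged) != original;
}

// The stronger check from comment 5: the caged result must still carry PAC
// bits, so removing the tag must change it.
bool strongCheck(CageFn cage, void* taggedNotCaged)
{
    void* caged = cage(taggedNotCaged);
    return caged != removeArrayPtrTag(caged);
}

int main()
{
    void* original = fromBits(0x00007000DEADBEEFULL); // constructed, outside the cage
    void* taggedNotCaged = makeTaggedNotCaged(original, 0xA5);
    std::printf("preserving cage: weak=%d strong=%d\n",
        weakCheck(cagePreservingTag, original, taggedNotCaged),
        strongCheck(cagePreservingTag, taggedNotCaged));
    std::printf("stripping cage:  weak=%d strong=%d\n",
        weakCheck(cageStrippingTag, original, taggedNotCaged),
        strongCheck(cageStrippingTag, taggedNotCaged));
    return 0;
}
```

Both cages satisfy `weakCheck`, which is why the landed assertion alone cannot tell a cage that preserves the PAC failure bits from one that silently drops them; `strongCheck` fails for the stripping cage, which is the property the thread is after (PAC bits present, rather than any particular address being unmapped).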