RESOLVED FIXED 240264
Add optional Integrity checks at JSC API boundaries.
https://bugs.webkit.org/show_bug.cgi?id=240264
Summary Add optional Integrity checks at JSC API boundaries.
Mark Lam
Reported 2022-05-09 18:08:26 PDT
This will help us detect if bad values are passed across the API boundary.
Attachments
proposed patch with ENABLE(EXTRA_INTEGRITY_CHECKS) on. (50.47 KB, patch)
2022-05-09 23:07 PDT, Mark Lam
ews-feeder: commit-queue-
proposed patch w/ ENABLE(EXTRA_INTEGRITY_CHECKS) on. (51.78 KB, patch)
2022-05-09 23:55 PDT, Mark Lam
ews-feeder: commit-queue-
proposed patch. (52.77 KB, patch)
2022-05-10 00:13 PDT, Mark Lam
ews-feeder: commit-queue-
proposed patch w/ extra audits enabled for EWS testing only. (52.83 KB, patch)
2022-05-10 01:05 PDT, Mark Lam
no flags
proposed patch. (52.25 KB, patch)
2022-05-10 09:12 PDT, Mark Lam
ysuzuki: review+
patch for landing. (53.65 KB, patch)
2022-05-10 14:48 PDT, Mark Lam
no flags
Mark Lam
Comment 1 2022-05-09 23:07:49 PDT
Created attachment 459095 [details] proposed patch with ENABLE(EXTRA_INTEGRITY_CHECKS) on.
Mark Lam
Comment 2 2022-05-09 23:08:52 PDT
Comment on attachment 459095 [details] proposed patch with ENABLE(EXTRA_INTEGRITY_CHECKS) on. View in context: https://bugs.webkit.org/attachment.cgi?id=459095&action=review > Source/JavaScriptCore/tools/Integrity.h:36 > +#define ENABLE_EXTRA_INTEGRITY_CHECKS 1 This is deliberately left enabled so that we can test this on the EWS. Will disable before landing.
Mark Lam
Comment 3 2022-05-09 23:55:23 PDT
Created attachment 459096 [details] proposed patch w/ ENABLE(EXTRA_INTEGRITY_CHECKS) on.
Mark Lam
Comment 4 2022-05-10 00:13:00 PDT
Created attachment 459097 [details] proposed patch.
Mark Lam
Comment 5 2022-05-10 01:05:30 PDT
Created attachment 459098 [details] proposed patch w/ extra audits enabled for EWS testing only.
Mark Lam
Comment 6 2022-05-10 09:12:42 PDT
Created attachment 459123 [details] proposed patch.
Yusuke Suzuki
Comment 7 2022-05-10 10:01:50 PDT
Comment on attachment 459123 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=459123&action=review r=me with comments. > Source/JavaScriptCore/ChangeLog:22 > + 4. Moved isSanePointer() to Integrity.h so that it can be used in more places. Should we put it under `Integrity` namespace, what do you think of? > Source/JavaScriptCore/ChangeLog:48 > + 11. Also strengten Integrity::auditStructureID() so that it will check if a > + Structure's memory has been released. Can we split these lists into two sets of lists? They are based on, 1. features enabled only when ENABLE(EXTRA_INTEGRITY_CHECKS) is true 2. others e.g. The features enabled with ENABLE(EXTRA_INTEGRITY_CHECKS) are, 1. ... 2. ... 3. .. > Source/JavaScriptCore/runtime/VM.cpp:410 > + WTF::compilerFence(); Let's use `storeStoreFence()` to ensure that all the above stores are effective when we set m_isInService. > Source/JavaScriptCore/runtime/VM.cpp:435 > + WTF::compilerFence(); Use storeStoreFence to ensure that when m_isInService is true, we are not starting the following destruction operations. > Source/JavaScriptCore/tools/Integrity.h:41 > +#if USE(JSVALUE32) > +#define ENABLE_EXTRA_INTEGRITY_CHECKS 0 // Not supported. > +#else > +// Force ENABLE_EXTRA_INTEGRITY_CHECKS to 1 for your local build if you want > +// more prolific audits to be enabled. > +#define ENABLE_EXTRA_INTEGRITY_CHECKS 0 > +#endif What do you think about enabling it for debug builds? Is it too costly?
Mark Lam
Comment 8 2022-05-10 14:35:29 PDT
Comment on attachment 459123 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=459123&action=review Thanks for the review. >> Source/JavaScriptCore/ChangeLog:22 >> + 4. Moved isSanePointer() to Integrity.h so that it can be used in more places. > > Should we put it under `Integrity` namespace, what do you think of? OK, I moved it into the Integrity namespace. >> Source/JavaScriptCore/ChangeLog:48 >> + Structure's memory has been released. > > Can we split these lists into two sets of lists? They are based on, > > 1. features enabled only when ENABLE(EXTRA_INTEGRITY_CHECKS) is true > 2. others > > e.g. > > The features enabled with ENABLE(EXTRA_INTEGRITY_CHECKS) are, > > 1. ... > 2. ... > 3. .. Most of this patch is adding support code that is always built in. The only code dependent on ENABLE(EXTRA_INTEGRITY_CHECKS) are the audit calls added at the API boundary. Those are no-ops when ENABLE(EXTRA_INTEGRITY_CHECKS) is disabled. The other change is that I added back a check to load from Structure memory (to test readability) in auditStructureID. This used to be enabled on Release builds as well, but was removed when the new StructureID management system was installed. My patch adds back this check but only for Debug builds and also for when ENABLE(EXTRA_INTEGRITY_CHECKS) is enabled. I've updated the ChangeLog to try to make this clearer. >> Source/JavaScriptCore/runtime/VM.cpp:410 >> + WTF::compilerFence(); > > Let's use `storeStoreFence()` to ensure that all the above stores are effective when we set m_isInService. Fixed. >> Source/JavaScriptCore/runtime/VM.cpp:435 >> + WTF::compilerFence(); > > Use storeStoreFence to ensure that when m_isInService is true, we are not starting the following destruction operations. Fixed. >> Source/JavaScriptCore/tools/Integrity.h:41 >> +#endif > > What do you think about enabling it for debug builds? Is it too costly? I'll land this patch with this disabled, and investigate enabling this always on Debug builds in a later patch.
Mark Lam
Comment 9 2022-05-10 14:48:06 PDT
Created attachment 459134 [details] patch for landing.
Mark Lam
Comment 10 2022-05-10 14:56:24 PDT
Radar WebKit Bug Importer
Comment 11 2022-05-10 14:56:48 PDT
Note You need to log in before you can comment on or make changes to this bug.