Bug 1430051 (Open): opened 6 years ago, updated 2 years ago

[Meta] Spectre bounds check mitigations

Categories

(Core :: JavaScript Engine: JIT, enhancement, P3)

Tracking

Tracking Status
firefox60 --- affected

People

(Reporter: jandem, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: meta)

The plan is to implement V8-style index masking behind a pref:

  mask := ((index - limit) & ~index) >> 31
  index := index & mask

Then we can measure what the perf overhead is.
Depends on: 1430053
Depends on: 1430561
Depends on: 1430602
Depends on: 1431096
Depends on: 1431173
Intel appear to have released an update; see https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf

"Other instructions such as CMOVcc, AND, ADC, SBB and SETcc can also be used to prevent bounds check bypass by constraining speculative execution on current family 6 processors (Intel® Core™, Intel® Atom™, Intel® Xeon® and Intel® Xeon Phi™ processors). However, these instructions may not be guaranteed to do so on future Intel processors. Intel will release further guidance on the usage of instructions to constrain speculation in the future before processors with different behavior are released."

It would have been useful to have a little more information on these patterns, but if they are suggesting that a data dependency such as proposed in https://bugzilla.mozilla.org/show_bug.cgi?id=1429237 could work with current CPUs then that might be interesting. And are they suggesting that masking ("AND") might not be sufficient in future, or are they just saying they have not worked it out yet?
Depends on: 1432345
Here is another suggestion that avoids any race between the branch and the load and appears to have some potential and might be worth exploring: https://weblll.org/index.php/spectre-bounds-check-mitigation-using-a-subtraction-with-borrow/. It uses instructions listed in the above recent Intel publication. A key pattern came from the Linux kernel discussions, and it uses a subtraction with borrow from zero to generate the mask from the comparison; for the JS sandbox this can be usefully fused with the bounds check branch.
Yeah, Luke and I were talking about using SBB earlier this week and it's definitely interesting. We could use it for certain bounds checks, but not the hot ones in Ion that use MBoundsCheck + separate MSpectreMaskIndex. We could try to optimize that somehow though.
It might be possible to just replace the current pattern in spectreMaskIndexImpl with cmp/sbb for a start, and see if that makes any difference, and then explore fusing this with the bounds check to avoid a redundant comparison.
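The two mask constructions discussed in this bug (the V8-style `((index - limit) & ~index) >> 31` from comment 0 and the cmp/sbb borrow mask from comments #2 and #3), written out as a C emulation so the arithmetic can be checked on the edge cases. This is an added example, not SpiderMonkey or V8 code: the function names are made up, and the C compiler is free to turn the comparison in `sbb_mask` back into a branch, so it models the arithmetic the JIT would emit, not hardened codegen itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not SpiderMonkey code). Both functions compute, without
 * a data-dependent branch, a mask that is all ones when 0 <= index < limit
 * and zero otherwise. The JIT would then emit `index & mask` in front of
 * the dependent load, so that a mispredicted bounds check cannot feed an
 * out-of-range index into a speculative memory access. */

/* V8-style mask from comment 0:  mask = ((index - limit) & ~index) >> 31
 * with an arithmetic (sign-propagating) shift. The shift is written as
 * 0 - signbit so the result does not depend on C's implementation-defined
 * right shift of negative values. */
static inline uint32_t v8_mask(int32_t index, int32_t limit)
{
    uint32_t diff = (uint32_t)index - (uint32_t)limit; /* sign set iff index < limit (both non-negative) */
    uint32_t notidx = ~(uint32_t)index;                 /* sign set iff index >= 0 */
    uint32_t signbit = (diff & notidx) >> 31;
    return 0u - signbit;                                /* 0xFFFFFFFF or 0 */
}

/* Subtraction-with-borrow mask from comments #2 and #3. On x86:
 *   cmp index, limit   ; CF = borrow = (unsigned)index < (unsigned)limit
 *   sbb mask, mask     ; mask = 0 - CF
 * The unsigned compare folds the "index >= 0" check into the same
 * comparison, which is why it can be fused with the bounds-check branch.
 * The borrow is emulated with a boolean here (assumption: the compiler
 * may or may not keep this branch-free). */
static inline uint32_t sbb_mask(int32_t index, int32_t limit)
{
    uint32_t borrow = (uint32_t)index < (uint32_t)limit;
    return 0u - borrow;
}

/* Bounds-checked load with the index masked before use. Returns -1 when
 * the architectural bounds check fails; on a mispredicted path the masked
 * index collapses to 0, which stays inside the buffer. */
static inline int load_masked(const uint8_t *buf, int32_t len, int32_t index,
                              uint32_t (*mask_fn)(int32_t, int32_t))
{
    if ((uint32_t)index >= (uint32_t)len)   /* architectural bounds check */
        return -1;
    uint32_t masked = (uint32_t)index & mask_fn(index, len);
    return buf[masked];
}

/* Cross-check both constructions against the reference predicate on the
 * interesting edge cases (in range, at the limit, negative, extremes).
 * Returns 1 if both agree on every case. */
static int masks_agree(void)
{
    const int32_t limit = 16;
    const int32_t cases[] = { 0, 1, 15, 16, 17, -1, INT32_MIN, INT32_MAX, 0x7FFF0000 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t idx = cases[i];
        uint32_t want = (idx >= 0 && idx < limit) ? 0xFFFFFFFFu : 0u;
        if (v8_mask(idx, limit) != want || sbb_mask(idx, limit) != want)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample buffer. */
    static const uint8_t buf[16] = { 0, 10, 20, 30, 40, 50, 60, 70,
                                     80, 90, 100, 110, 120, 130, 140, 150 };
    printf("masks agree on all cases: %s\n", masks_agree() ? "yes" : "no");
    printf("load[3]  = %d\n", load_masked(buf, 16, 3, v8_mask));
    printf("load[16] = %d\n", load_masked(buf, 16, 16, sbb_mask));
    return masks_agree() ? 0 : 1;
}
```

The point of the cross-check is the negative and extreme indices: the V8 formula relies on `~index` to reject negative indices, while the borrow form gets that for free from the unsigned compare, which is the redundancy comment #3 proposes fusing away.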
Depends on: 1435209
Depends on: 1435266
Depends on: 1436427
(In reply to Douglas Crosher [:dougc] from comment #2)
> […] uses a subtraction with borrow from zero to generate the mask […]

See Bug 1433111 comment 1.
Priority: -- → P1
Depends on: 1445235
Depends on: 1448329
Moving to P3 because no activity for at least 24 weeks.
Priority: P1 → P3
Severity: normal → S3