Open Bug 1432207 Opened 7 years ago Updated 3 years ago

[Meta] Spectre mitigations for Value type checks

Categories

(Core :: JavaScript Engine, enhancement, P3)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement

Tracking

()

Tracking Flags:
Tracking Status
firefox60 --- affected

People

(Reporter: jandem, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: meta)

The plan so far: * 64-bit platforms: Instead of unboxing as follows: ValueBits & JSVAL_PAYLOAD_MASK, we will have a type specific mask that has the high bits set to the type tag. Unboxing a string becomes ValueBits ^ string-specific-mask. This is nice because it means when you pass in an int32, object, or any other type, you'll get a JSString* that has some high bits set, so dereferencing it is guaranteed to give you an invalid address. I'm excited about this scheme, because it's cheap (no extra overhead!) and it has other nice security properties: doing val.toObject() on something that's not an object, will now always crash and that could help us catch other bugs. The main difficulty here is passing through the JSValueType to various MacroAssembler methods. I hacked this up locally and it doesn't seem too difficult. * 32-bit platforms We're not sure yet what we will do here. Maybe XOR GC things with a random value, but there might be other ideas. For now I'm focusing on 64-bit.
(In reply to Jan de Mooij [:jandem] from comment #0) > doing val.toObject() on something > that's not an object, will now always crash and that could help us catch > other bugs. More correct: it will crash when you dereference this value.
(In reply to Jan de Mooij [:jandem] from comment #0) > The main difficulty here is passing through the JSValueType to various > MacroAssembler methods. There are also some places where we call masm.unboxObject on string values etc. That kind of "sloppiness" will now result in crashes and it's a Good Thing; I just have to track them down.
Depends on: 1432479
Depends on: 1433111
I hit this in a rebase of my nursery strings patch. Sadly, this does introduce a small amount of overhead for me, since I have a check for whether a Value is a nursery cell (so it could be either an object or a string). Oh well. I've been Spectrified or something. The overhead is pretty close to zero for my current scheme anyway, other than a tiny bit of code size, since I'm already doing separate type tag tests for object and string (it's just that previously they both ended up in the same code.)
(In reply to Steve Fink [:sfink] [:s:] from comment #3) > The overhead is pretty close to zero for my current scheme anyway, other > than a tiny bit of code size, since I'm already doing separate type tag > tests for object and string (it's just that previously they both ended up in > the same code.) You may be able to get away with something like this: https://searchfox.org/mozilla-central/rev/97cb0aa64ae51adcabff76fb3b5eb18368f5f8ab/js/src/jit/MacroAssembler.cpp#3161 Assuming it's Spectre-safe (it depends on your code).
Depends on: 1437510
This is such a great idea.
status-firefox60: --- → affected
Priority: -- → P1
Moving to p3 because no activity for at least 24 weeks.
Priority: P1 → P3
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.