Closed Bug 1494050 Opened 6 years ago Closed 6 years ago

Consider adding stack cookies in Ion around fun.call / fun.apply

Categories

(Core :: JavaScript Engine: JIT, enhancement, P2)

Tracking

RESOLVED INVALID

People

(Reporter: tcampbell, Unassigned)

Details

(Keywords: sec-want)

These functions are immensely complex due to nested inlining and trickery with arguments. We should consider using stack cookies (in debug and probably release) around these.

In particular we should carefully validate during bailouts that our stack is legal.
Keywords: sec-want
I do not think adding such canaries would give us more feedback from fuzzers.
If you misinterpret the stack, you are going to crash soon after, and canaries would not increase the frequency of these crashes.
Nicolas makes a good point here. I think the better route forward is Bug 1500514 to simplify the implementation of fun.call / fun.apply so other JIT users don't have to jump through the hoops in the first place.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Group: javascript-core-security