Land debug instrumentation patch from bug 1607443
Categories: Core :: JavaScript Engine: JIT, task, P1
People: Reporter: jandem, Assigned: jandem
Details: Keywords: sec-want, Whiteboard: [post-critsmash-triage][adv-main75-]
Attachments: 1 file
Bug 1607670 landed yesterday so I think we fixed all known issues and should land the patch now to prevent regressions and to make fuzzing it easier.
Comment 4 (Andrew McCreight [:mccr8]) • 4 years ago
Jan, could you please explain what this assertion means, in a way that doesn't require understanding the JITs? I read the comment that starts with "If this MIR instruction has an overridden AliasSet" but I still don't understand what this is checking or why. Thanks.
Comment 5 (jandem, Assignee) • 4 years ago
(In reply to Andrew McCreight [:mccr8] from comment #4)
> Jan, could you please explain what this assertion means, in a way that doesn't require understanding the JITs? I read the comment that starts with "If this MIR instruction has an overridden AliasSet" but I still don't understand what this is checking or why. Thanks.
MIR instructions have a way to describe what side effects they have (using alias sets). The recent 0-day was caused by this information being incorrect: Ion would assume an instruction (calling into C++) could only store to object elements, but the exploit code was able to invoke arbitrary JS (via setters) breaking JIT optimizations based on the buggy alias set.
The assert added here catches the worst of these bugs: if a MIR instruction says it doesn't have all possible side-effects, then we check in debug builds that this MIR instruction cannot call into JS in any way (because calling into JS is the typical "anything can happen, we can exploit this" scenario).
I hope this helps.
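As an added illustration (not SpiderMonkey's code; every type and name below is invented for the purpose), here is a toy model of the relationship comment 5 describes: an instruction's alias set, the reordering decision an optimizer bases on it, and the debug-build check that an instruction which can call into JS must declare Store(Any).

```cpp
// Added toy model (not SpiderMonkey code): an Ion-style alias set, the
// optimizer decision that relies on it, and the debug-build consistency
// check described in comment 5. All names here are invented.
#include <cstdint>

namespace toy {

// What an instruction may read (Load) or write (Store), and which memory
// categories it touches. Real alias sets have many more categories.
enum Flag : uint32_t {
  None = 0,
  Load = 1u << 0,
  Store = 1u << 1,
  ObjectFields = 1u << 2,
  Element = 1u << 3,
  Any = ObjectFields | Element,  // every category this toy knows about
};

struct AliasSet {
  uint32_t flags;
  bool isStore() const { return (flags & Store) != 0; }
  uint32_t categories() const { return flags & Any; }
  // Store(Any): "anything may have changed", the only honest description
  // of an instruction that can run arbitrary JS (e.g. via a setter).
  bool isStoreAny() const { return isStore() && categories() == Any; }
  // Two accesses conflict if they touch common memory and one writes it.
  bool mayAlias(const AliasSet& o) const {
    return (categories() & o.categories()) != 0 && (isStore() || o.isStore());
  }
};

struct Instruction {
  AliasSet aliases;    // what the instruction claims to do to memory
  bool possiblyCalls;  // can it re-enter the VM and run arbitrary JS?
};

// The invariant from comment 5: an instruction that may call into JS must
// declare Store(Any). Returns false in the case the debug assert catches.
bool sideEffectsConsistent(const Instruction& ins) {
  return !ins.possiblyCalls || ins.aliases.isStoreAny();
}

// Simplified optimizer decision: may `load` be hoisted above `prior`?
// A too-narrow alias set on `prior` makes this answer "yes" unsoundly.
bool canHoistAbove(const Instruction& load, const Instruction& prior) {
  return !load.aliases.mayAlias(prior.aliases);
}

}  // namespace toy
```

With an instruction that claims Store(Element) but can call JS, `canHoistAbove` would let a field load move above it, which is the class of unsound optimization the assertion is meant to flag before it ships.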
Comment 6 • 4 years ago
Thanks. That does help.