Allow JS Exception Handler setup to be disabled
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox98 | --- | fixed |
People
(Reporter: tjr, Assigned: jandem)
References
(Blocks 1 open bug)
Details
Attachments
(3 files)
Per jandem on Matrix - On startup (on Windows) we need register an exception handler on windows for the (future) executable memory region. But the handler's code we generate at runtime which itself is causing the crash. We don't have a way to disable the exception handling generation right now.
There are JitOptions for disabling ion and baseline; maybe those would be sufficient to determine whether or not to set up the exception handling?
Comment hidden (typo) |
Reporter | ||
Comment 2•3 years ago
|
||
Ping jandem - could you outline what needs to be done in the engine for this?
Assignee | ||
Comment 3•3 years ago
|
||
(In reply to Tom Ritter [:tjr] (ni? for response to CVE/sec-approval/advisories/etc) from comment #2)
Ping jandem - could you outline what needs to be done in the engine for this?
(I'm looking into this. There's some complexity because the Wasm prefs and JIT prefs use a different mechanism..)
Is anything blocked on this short-term? We've been wanting to do some clean up in this area for a long time, but I don't want to block work on the socket process...
Comment 4•3 years ago
|
||
FYI: bug 1475641 is kind of blocked by this, but we could adjust the sandboxing rule to allow to initialize JS on the socket process.
Reporter | ||
Comment 5•3 years ago
|
||
It would be good to do this in the next few months, the longer we leave the Socket Process without ACG the more likely we wind up with some other code in it that breaks ACG that we don't know about, that we then need to investigate and fix.
Assignee | ||
Comment 6•2 years ago
|
||
I've been looking into this. The main issue is the atomic-operation stubs we generate at runtime, these are used to load/store typed array elements for example. We have a fallback for no-jit platforms, but using that implementation at runtime without hurting perf is pretty complicated.
Assignee | ||
Comment 7•2 years ago
|
||
Another issue is that it would run PAC scripts without any JIT support. This could affect scripts that iterate over a list of hosts/IPs or that use regular expressions for pattern matching. Maybe that's fine and we don't really care, but there is some risk.
Reporter | ||
Comment 8•2 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #6)
I've been looking into this. The main issue is the atomic-operation stubs we generate at runtime, these are used to load/store typed array elements for example. We have a fallback for no-jit platforms, but using that implementation at runtime without hurting perf is pretty complicated.
I'm not sure we need to do the complicated thing? The ask here is to just give us an option to tell the JS Engine to initialize without any codegen (so we can enable the security mitigation that blocks ever making writable memory executable.) We don't need to do it all the time - the only places we expect to ask the Engine to initialize without codegen is the Socket Process and potentially the Utility Process if that winds up hosting JS but right now we don't have plans for that AFAIK.
(In reply to Jan de Mooij [:jandem] from comment #7)
Another issue is that it would run PAC scripts without any JIT support. This could affect scripts that iterate over a list of hosts/IPs or that use regular expressions for pattern matching. Maybe that's fine and we don't really care, but there is some risk.
We are okay with this. We will have a flag to disable the ACG on the socket process for debugging and tweaking purposes, and we can wire things up so we tell the JS Engine it can initialize with the JIT in that case. So if this produce a hardship we do have an escape hatch, and I will let mkaply know so we can make it an enterprise policy if we want.
Assignee | ||
Comment 9•2 years ago
|
||
(In reply to Tom Ritter [:tjr] (ni? for response to CVE/sec-approval/advisories/etc) from comment #8)
I'm not sure we need to do the complicated thing? The ask here is to just give us an option to tell the JS Engine to initialize without any codegen (so we can enable the security mitigation that blocks ever making writable memory executable.) We don't need to do it all the time - the only places we expect to ask the Engine to initialize without codegen is the Socket Process and potentially the Utility Process if that winds up hosting JS but right now we don't have plans for that AFAIK.
The problem is that certain JS operations just don't work in this mode without the atomics stubs, for example loading/storing typed array elements would crash because the VM uses those. This also means we can't really test this mode in the JS shell with fuzzing. I'll see if I can make this work somehow.
Assignee | ||
Comment 10•2 years ago
|
||
I have a prototype to generate GCC/Clang inline assembly for the atomic operations (based on the trampoline code we currently generate at runtime). It seems to work and it would then let us disable JIT codegen completely.
Assignee | ||
Comment 11•2 years ago
|
||
The next patch changes the shell to parse the shell flags before calling JS_Init.
This means we have to use the system malloc instead of JS malloc.
Updated•2 years ago
|
Assignee | ||
Comment 12•2 years ago
|
||
This allows us to have shell flags that affect JS_Init.
Depends on D136722
Assignee | ||
Comment 13•2 years ago
|
||
This adds a mechanism to permanently disable the JIT backend for the process. This
lets us improve the sandbox for the socket process.
Depends on D136723
Comment 14•2 years ago
|
||
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/373d232b065a part 1 - Use system malloc for JS shell's option parser. r=jonco https://hg.mozilla.org/integration/autoland/rev/e9ac9d3459d3 part 2 - Initialize JS engine after parsing command line options. r=jonco https://hg.mozilla.org/integration/autoland/rev/ad80819d2534 part 3 - Add an API to disable the JIT backend completely. r=iain
Assignee | ||
Comment 15•2 years ago
|
||
Tom, assuming this sticks, you can call JS::DisableJitBackend()
before JS_Init
/JS_InitWithFailureDiagnostic
to completely disable any JIT-related activity for that process.
Comment 17•2 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/373d232b065a
https://hg.mozilla.org/mozilla-central/rev/e9ac9d3459d3
https://hg.mozilla.org/mozilla-central/rev/ad80819d2534
Description
•