Open Bug 1886562 Opened 6 months ago Updated 6 days ago

[meta] Move JIT constants to a data-section which is not executable

Categories

(Core :: JavaScript Engine: JIT, task, P3)


ASSIGNED

People

(Reporter: nbp, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(Keywords: meta)

Attachments

(2 files)

When generating JIT code, constants are being generated near the generated code, with the same executable flags as the code.

By creating a dedicated data-section for JIT constants, we prevent them from being used as-is in any payload. This does not prevent all forms of JIT Spraying but should help reduce the ease of making use of constants as part of the injected code.

Ok, before creating any data section, here is what the ratio of data-bytes versus executable-bytes looks like.

This graph is computed while running the jit-tests, with the various modes of execution such as eager compilation, and this includes all compilation modes, such as the initial JitRuntime and the BaselineInterpreter, as well as all ICs, Baseline and Ion.

The data is collected at the end of JitCode::copyFrom, which initializes the insnSize_ field (Executable Bytes) and the data size bufferSize_ - insnSize_ (Data Bytes).

Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED

This is a work-in-progress which squashes all the commits into a giant one.

This includes changes to the ExecutableAllocator, to be able to allocate data
pages, discard them, and store them in the JitCode using the newly introduced
Executable abstraction, which holds on to the result of the allocations and
enforces proper management of the lifetime and references of the executable and
data pages.

Then there is some work made to allocate constants such as float, double and
SIMD in the newly introduced data section. At the moment, these are restricted
to x64 and x86, as RISC platforms are still relying on their constant
pools. Also, WebAssembly is not yet instrumented to make use of this data
section, as it does not make use of the Linker but directly pokes at the
ExecutableAllocator.

DO_NOT_COMMIT: This patch does not add any runtime setting to toggle the
data-section on/off based on a preference. We would need such a flag in order to
make it usable for testing and to enforce it on the parent process while maybe
keeping it disabled on the content process.
