Open Bug 1899830 Opened 26 days ago Updated 13 days ago

[meta] Remove JIT usage from the parent process

Categories

(Core :: JavaScript Engine: JIT, enhancement, P3)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
enhancement

Tracking

()

People

(Reporter: gcp, Unassigned)

References

(Depends on 1 open bug, Blocks 3 open bugs)

Details

(Keywords: meta)

The fact that we have a JIT in the parent makes it impossible to use various security features there. In terms of defense in depth, it would be nice to get rid of this.

Severity: -- → S3
Priority: -- → P3
Keywords: meta
See Also: → 1348341
Summary: Remove JIT usage from the parent process → [meta] Remove JIT usage from the parent process

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine: JIT' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine: JIT

The component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit BugBot documentation.

Priority: P3 → --

What would the performance implications of javascript.options.main_process_disable_jit=true be? (bug 1883457)
I didn't notice any difference with that setting so far. Could it be set to true for Nightly as well as a test?

Is Bug 1614096 still a blocker for this?

I looked into this a while ago for the iOS investigation. The main blockers for this:

  • DevTools has source map parsing code written in Rust and compiled to WebAssembly that runs in the parent process, but WebAssembly isn't supported without a JIT backend. We could move this code to a different process or rewrite it somehow to not use Wasm.
  • There's also Wasm SIMD detection code for Firefox Translations that runs in the parent.
  • DevTools performance regresses significantly when we disable the JITs. Other tests were mostly unaffected.
Depends on: 1614096

(In reply to Jan de Mooij [:jandem] from comment #5)

I looked into this a while ago for the iOS investigation. The main blockers for this:

  • DevTools has source map parsing code written in Rust and compiled to WebAssembly that runs in the parent process, but WebAssembly isn't supported without a JIT backend. We could move this code to a different process or rewrite it somehow to not use Wasm.

Would it be valueable on its own to move the source map to another process (i.e. without moving DevTools UI out of parent)
Note that If we move the UI to a content process, the source map parsing will move alongside without any particular additional work.

(In reply to Alexandre Poirot [:ochameau] from comment #6)

Would it be valueable on its own to move the source map to another process (i.e. without moving DevTools UI out of parent)
Note that If we move the UI to a content process, the source map parsing will move alongside without any particular additional work.

It would make it easier to test disabling the JIT backend in the parent process, because we then don't have to worry about the performance numbers being affected by source map parsing not working. So not super valuable but if it's easy to do it might be worth it.

Is the problem only the fact that when we have a JIT we cannot encode the jump into JIT-ed pages with CET? I know Safari has CFI implemented for their JIT, could we implement CFI as part of the JIT in both the parent and client process?

Blocks: sm-dom
Severity: S3 → S4
Type: task → enhancement
Priority: -- → P3

I think on iOS the system sandbox doesn't allow us to use the JIT at all in the parent process, but I could be wrong. Nika, can you confirm?

Flags: needinfo?(nika)

We know that ACG also breaks with a JIT (see the discussion about the MPEG2 decoder JIT in this bug https://bugzilla.mozilla.org/show_bug.cgi?id=1381050).

Edge specifically lists ACG, CFG and CET as being enabled in their JIT-less mode (https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/).

I wonder if we can have the JIT emit CET control information, whether we'd be able to enable CET for content processes. That'd potentially be a big security win (even though it's probably a separate discussion from this one due to the above). Edit: Filed this as https://bugzilla.mozilla.org/show_bug.cgi?id=1902244

Nika, can you confirm?

I can confirm this, that's why this is a blocker for gecko-ios. The docs stop just short of saying it explicitly: https://developer.apple.com/documentation/browserenginekit/protecting-code-compiled-just-in-time but it's so heavily implied we're pretty sure it's indeed not allowed.

Flags: needinfo?(nika)
See Also: → 1902244
Flags: needinfo?(jdemooij)
You need to log in before you can comment on or make changes to this bug.