Title: [226600] trunk/Source
Revision
226600
Author
msab...@apple.com
Date
2018-01-08 17:07:29 -0800 (Mon, 08 Jan 2018)

Log Message

Add a DOM gadget for Spectre testing
https://bugs.webkit.org/show_bug.cgi?id=181351

Source/_javascript_Core:

Reviewed by Michael Saboff.

Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
Spectre mitigations.

* runtime/Options.h:

Source/WebCore:

Reviewed by Saam Barati.

This change is used to test Spectre mitigations.

Added a side data array to the Comment DOM node to test for Spectre issues in
the DOM layer.  This additional functionality is disabled by default and must
be enabled through the JSC option "enableSpectreGadgets".

* dom/Comment.cpp:
(WebCore::Comment::Comment):
(WebCore::Comment::setReadLength):
(WebCore::Comment::charCodeAt):
(WebCore::Comment::clflushReadLength):
* dom/Comment.h:
* dom/Comment.idl:
* page/RuntimeEnabledFeatures.cpp:
(WebCore::RuntimeEnabledFeatures::spectreGadgetsEnabled const):
* page/RuntimeEnabledFeatures.h:


Modified: trunk/Source/_javascript_Core/ChangeLog (226599 => 226600)


--- trunk/Source/_javascript_Core/ChangeLog	2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-01-09 01:07:29 UTC (rev 226600)
@@ -1,3 +1,15 @@
+2018-01-08  Michael Saboff  <msab...@apple.com>
+
+        Add a DOM gadget for Spectre testing
+        https://bugs.webkit.org/show_bug.cgi?id=181351
+
+        Reviewed by Michael Saboff.
+
+        Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
+        Spectre mitigations.
+
+        * runtime/Options.h:
+
 2018-01-08  Mark Lam  <mark....@apple.com>
 
         Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.

Modified: trunk/Source/_javascript_Core/runtime/Options.h (226599 => 226600)


--- trunk/Source/_javascript_Core/runtime/Options.h	2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/_javascript_Core/runtime/Options.h	2018-01-09 01:07:29 UTC (rev 226600)
@@ -460,6 +460,8 @@
     \
     v(bool, disableSpectreMitigations, false, Restricted, "Disable Spectre mitigations.") \
     \
+    v(bool, enableSpectreGadgets, false, Restricted, "enable gadgets to test Spectre mitigations.") \
+    \
     v(bool, useAsyncIterator, enableAsyncIteration, Normal, "Allow to use Async Iterator in JS.") \
     \
     v(bool, failToCompileWebAssemblyCode, false, Normal, "If true, no Wasm::Plan will sucessfully compile a function.") \
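Review bot: The description string on the new `enableSpectreGadgets` line starts lowercase while every neighbouring option in this hunk ("Disable Spectre mitigations.", "Allow to use Async Iterator in JS.", "If true, ...") starts with a capital, and it does not say that the gadgets are deliberately unsafe test code. I would change it to `v(bool, enableSpectreGadgets, false, Restricted, "Enable test-only Spectre gadgets (deliberately exploitable; never enable in production).") \`. The `Restricted` tier and `false` default look right for a switch like this.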

Modified: trunk/Source/WebCore/ChangeLog (226599 => 226600)


--- trunk/Source/WebCore/ChangeLog	2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/ChangeLog	2018-01-09 01:07:29 UTC (rev 226600)
@@ -1,3 +1,27 @@
+2018-01-08  Michael Saboff  <msab...@apple.com>
+
+        Add a DOM gadget for Spectre testing
+        https://bugs.webkit.org/show_bug.cgi?id=181351
+
+        Reviewed by Saam Barati.
+
+        This change is used to test Spectre mitigations.
+
+        Added a side data array to the Comment DOM node to test for Spectre issues in
+        the DOM layer.  This additional functionality is disabled by default and must
+        be enabled through the JSC option "enableSpectreGadgets".
+
+        * dom/Comment.cpp:
+        (WebCore::Comment::Comment):
+        (WebCore::Comment::setReadLength):
+        (WebCore::Comment::charCodeAt):
+        (WebCore::Comment::clflushReadLength):
+        * dom/Comment.h:
+        * dom/Comment.idl:
+        * page/RuntimeEnabledFeatures.cpp:
+        (WebCore::RuntimeEnabledFeatures::spectreGadgetsEnabled const):
+        * page/RuntimeEnabledFeatures.h:
+
 2018-01-08  Said Abou-Hallawa  <sabouhall...@apple.com>
 
         A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject>

Modified: trunk/Source/WebCore/dom/Comment.cpp (226599 => 226600)


--- trunk/Source/WebCore/dom/Comment.cpp	2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/dom/Comment.cpp	2018-01-09 01:07:29 UTC (rev 226600)
@@ -23,12 +23,27 @@
 #include "Comment.h"
 
 #include "Document.h"
+#include "RuntimeEnabledFeatures.h"
 
 namespace WebCore {
 
+static constexpr unsigned s_maxDataLength = 100u;
+
 inline Comment::Comment(Document& document, const String& text)
     : CharacterData(document, text, CreateOther)
 {
+    if (RuntimeEnabledFeatures::sharedFeatures().spectreGadgetsEnabled()) {
+        setReadLength(text.length());
+        m_data.resize(s_maxDataLength);
+        m_data.fill(0);
+        m_dataPtr = m_data.data();
+
+        for (size_t i = 0; i < m_readLength; i++)
+            m_data[i] = text.characterAt(i);
+    } else {
+        setReadLength(0);
+        m_dataPtr = nullptr;
+    }
 }
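Review bot: Nothing in the new constructor body says that these members form a deliberate, test-only speculative-execution gadget, and a later reader of Comment.cpp will see a bounds-checked read through a raw pointer plus a cache flush and be tempted to "fix" it. Above `if (RuntimeEnabledFeatures::sharedFeatures().spectreGadgetsEnabled()) {` I would add a two-line comment along the lines of `// Test-only Spectre gadget (bug 181351): m_readLength and m_dataPtr are kept as separate fields so that` / `// charCodeAt()'s bounds check on a flushed m_readLength can be speculated past. Off by default; never ship enabled.` The `m_data.resize(s_maxDataLength)` plus `fill(0)` is what keeps any read length that setReadLength() clamps to s_maxDataLength architecturally inside the buffer, so a short comment there (`// Sized to s_maxDataLength so setReadLength()'s clamp is always architecturally in bounds.`) would also help. The disabled branch leaving `m_readLength` at 0 with a null `m_dataPtr` is consistent with the `index < m_readLength` guard in charCodeAt(), so no code change is needed here.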
 
 Ref<Comment> Comment::create(Document& document, const String& text)
@@ -56,4 +71,27 @@
     return false;
 }
 
+void Comment::setReadLength(unsigned readLength)
+{
+    m_readLength = std::min(readLength, s_maxDataLength);
+}
+
+unsigned Comment::charCodeAt(unsigned index)
+{
+    if (index < m_readLength)
+        return m_dataPtr[index];
+
+    return 0;
+}
+
+void Comment::clflushReadLength()
+{
+    auto clflush = [] (void* ptr) {
+        char* ptrToFlush = static_cast<char*>(ptr);
+        asm volatile ("clflush %0" :: "m"(*ptrToFlush) : "memory");
+    };
+
+    clflush(&m_readLength);
+}
+
 } // namespace WebCore
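Review bot: `clflushReadLength()` emits an x86 `clflush` via inline asm with no CPU guard in this hunk, so unless Comment.cpp is only ever built for x86 (I cannot see the build configuration from here, and WebKit is routinely built for ARM64) this will fail to assemble on other targets even though the gadget is off at runtime. I would wrap the flush in WebKit's CPU macros and leave a comment explaining why there is no fallback, as below; the lambda itself is unchanged. The deliberately unsafe shape of `charCodeAt` (check `index < m_readLength`, then load `m_dataPtr[index]`) is the point of the gadget and should stay as is, but a one-line comment saying so would stop it being "fixed" later: `// Intentional Spectre v1 gadget: the bounds check is meant to be speculated past.`

```cpp
void Comment::clflushReadLength()
{
#if CPU(X86) || CPU(X86_64)
    // … unchanged: clflush lambda and the call on &m_readLength …
#else
    // clflush is x86-only; no cache-line flush is issued on other targets, so the
    // gadget's speculation window is not widened there.
#endif
}
```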

Modified: trunk/Source/WebCore/dom/Comment.h (226599 => 226600)


--- trunk/Source/WebCore/dom/Comment.h	2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/dom/Comment.h	2018-01-09 01:07:29 UTC (rev 226600)
@@ -30,6 +30,10 @@
 public:
     static Ref<Comment> create(Document&, const String&);
 
+    void setReadLength(unsigned);
+    unsigned charCodeAt(unsigned);
+    void clflushReadLength();
+
 private:
     Comment(Document&, const String&);
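Review bot: `charCodeAt` only reads `m_readLength` and `m_dataPtr` (per its definition in Comment.cpp), so it could be declared `unsigned charCodeAt(unsigned) const;` with the matching `const` on the definition; `setReadLength` writes `m_readLength` and is correctly non-const. A one-line comment above the three declarations marking them as the test-only Spectre gadget surface would also save the next reader a trip to the bug: `// Test-only Spectre gadget; exposed to script only when the enableSpectreGadgets JSC option is set.` The class body starts above this hunk.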
 
@@ -37,6 +41,10 @@
     NodeType nodeType() const override;
     Ref<Node> cloneNodeInternal(Document&, CloningOperation) override;
     bool childTypeAllowed(NodeType) const override;
+
+    Vector<int32_t> m_data;
+    size_t m_readLength;
+    int32_t* m_dataPtr;
 };
 
 } // namespace WebCore
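Review bot: The two scalar members are added without default member initializers, so `m_readLength` and `m_dataPtr` hold indeterminate values until the constructor's if/else assigns them; the constructor does cover both branches today, but a future constructor or an early return would leave charCodeAt() comparing against garbage and dereferencing a wild pointer. I would declare them as `size_t m_readLength { 0 };` and `int32_t* m_dataPtr { nullptr };`, which makes the disabled state the default. Note also that these three members (a Vector, a size_t and a pointer) are added to every Comment node even when the gadget is off; if that footprint matters for real pages, a comment acknowledging it, or moving the storage behind a single pointer, would be worth considering. The `unsigned` parameter of setReadLength versus the `size_t` member is a minor type mismatch the clamp in setReadLength happens to absorb.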

Modified: trunk/Source/WebCore/dom/Comment.idl (226599 => 226600)


--- trunk/Source/WebCore/dom/Comment.idl	2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/dom/Comment.idl	2018-01-09 01:07:29 UTC (rev 226600)
@@ -22,5 +22,8 @@
     ConstructorCallWith=Document,
     JSGenerateToJSObject
 ] interface Comment : CharacterData {
+    [EnabledAtRuntime=SpectreGadgets] void setReadLength(unsigned long readLength);
+    [EnabledAtRuntime=SpectreGadgets] unsigned long charCodeAt(unsigned long index);
+    [EnabledAtRuntime=SpectreGadgets] void clflushReadLength();
 };
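Review bot: The three new operations carry no comment marking them as a deliberate test-only Spectre gadget, and `clflushReadLength` in particular lets page script trigger a cache-line flush, which is not something a reader of Comment.idl would expect on a DOM node. Above `[EnabledAtRuntime=SpectreGadgets] void setReadLength(unsigned long readLength);` I would add `// Test-only Spectre gadget (bug 181351). Only exposed when the JSC option enableSpectreGadgets is set; must stay off in shipping builds.` As I understand `EnabledAtRuntime`, the operations are left off the prototype when the feature is disabled, so nothing else in the hunk needs changing; if that is not the case, the C++ side relies solely on `m_readLength` being 0 to keep charCodeAt() from touching a null `m_dataPtr`.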
 

Modified: trunk/Source/WebCore/page/RuntimeEnabledFeatures.cpp (226599 => 226600)


--- trunk/Source/WebCore/page/RuntimeEnabledFeatures.cpp	2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/page/RuntimeEnabledFeatures.cpp	2018-01-09 01:07:29 UTC (rev 226600)
@@ -33,6 +33,7 @@
 #include "RuntimeEnabledFeatures.h"
 
 #include "MediaPlayer.h"
+#include <_javascript_Core/Options.h>
 #include <wtf/NeverDestroyed.h>
 
 namespace WebCore {
@@ -51,6 +52,11 @@
     return runtimeEnabledFeatures;
 }
 
+bool RuntimeEnabledFeatures::spectreGadgetsEnabled() const
+{
+    return JSC::Options::enableSpectreGadgets();
+}
+
 #if ENABLE(VIDEO)
 bool RuntimeEnabledFeatures::audioEnabled() const
 {
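Review bot: `spectreGadgetsEnabled()` reads `JSC::Options::enableSpectreGadgets()` on every call instead of a member toggled by a setter, which is the pattern the rest of this class follows (see `setServiceWorkerEnabled` in the header hunk), so it cannot be flipped per test through the usual feature setters and it pulls the JavaScriptCore Options.h header into WebCore for a single bool. If that is intended, and the option being `Restricted` suggests its value is meant to be fixed at process start, a one-line comment saying so would help: `// Deliberately read straight from JSC::Options: this is a process-wide test-only gadget switch, not a per-page feature.` Otherwise a `m_spectreGadgetsEnabled` member initialised from the option once would match the surrounding code.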

Modified: trunk/Source/WebCore/page/RuntimeEnabledFeatures.h (226599 => 226600)


--- trunk/Source/WebCore/page/RuntimeEnabledFeatures.h	2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/page/RuntimeEnabledFeatures.h	2018-01-09 01:07:29 UTC (rev 226600)
@@ -220,6 +220,8 @@
     void setServiceWorkerEnabled(bool isEnabled) { m_serviceWorkerEnabled = isEnabled; }
 #endif
 
+    bool spectreGadgetsEnabled() const;
+
 #if ENABLE(VIDEO)
     bool audioEnabled() const;
 #endif