Modified: trunk/Source/_javascript_Core/ChangeLog (226599 => 226600)
--- trunk/Source/_javascript_Core/ChangeLog 2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-01-09 01:07:29 UTC (rev 226600)
@@ -1,3 +1,15 @@
+2018-01-08 Michael Saboff <msab...@apple.com>
+
+ Add a DOM gadget for Spectre testing
+ https://bugs.webkit.org/show_bug.cgi?id=181351
+
+ Reviewed by Michael Saboff.
+
+ Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
+ Spectre mitigations.
+
+ * runtime/Options.h:
+
2018-01-08 Mark Lam <mark....@apple.com>
Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
Modified: trunk/Source/_javascript_Core/runtime/Options.h (226599 => 226600)
--- trunk/Source/_javascript_Core/runtime/Options.h 2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/_javascript_Core/runtime/Options.h 2018-01-09 01:07:29 UTC (rev 226600)
@@ -460,6 +460,8 @@
\
v(bool, disableSpectreMitigations, false, Restricted, "Disable Spectre mitigations.") \
\
+ v(bool, enableSpectreGadgets, false, Restricted, "enable gadgets to test Spectre mitigations.") \
+ \
v(bool, useAsyncIterator, enableAsyncIteration, Normal, "Allow to use Async Iterator in JS.") \
\
v(bool, failToCompileWebAssemblyCode, false, Normal, "If true, no Wasm::Plan will sucessfully compile a function.") \
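Review bot: The description string on the added `v(bool, enableSpectreGadgets, ...)` line starts lowercase, unlike the neighbouring entries ("Disable Spectre mitigations.", "Allow to use ..."), so it will read oddly in option dumps. Capitalise it and say what it is for: `v(bool, enableSpectreGadgets, false, Restricted, "Testing only: enable gadgets to test Spectre mitigations.") \`. Since flipping this option adds script-reachable side-channel test scaffolding to the DOM (per the WebCore changes in this commit), making the testing-only intent explicit in the description is worth the few characters.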
Modified: trunk/Source/WebCore/ChangeLog (226599 => 226600)
--- trunk/Source/WebCore/ChangeLog 2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/ChangeLog 2018-01-09 01:07:29 UTC (rev 226600)
@@ -1,3 +1,27 @@
+2018-01-08 Michael Saboff <msab...@apple.com>
+
+ Add a DOM gadget for Spectre testing
+ https://bugs.webkit.org/show_bug.cgi?id=181351
+
+ Reviewed by Saam Barati.
+
+ This change is used to test Spectre mitigations.
+
+ Added a side data array to the Comment DOM node to test for Spectre issues in
+ the DOM layer. This additional functionality is disabled by default and must
+ be enabled through the JSC option "enableSpectreGadgets".
+
+ * dom/Comment.cpp:
+ (WebCore::Comment::Comment):
+ (WebCore::Comment::setReadLength):
+ (WebCore::Comment::charCodeAt):
+ (WebCore::Comment::clflushReadLength):
+ * dom/Comment.h:
+ * dom/Comment.idl:
+ * page/RuntimeEnabledFeatures.cpp:
+ (WebCore::RuntimeEnabledFeatures::spectreGadgetsEnabled const):
+ * page/RuntimeEnabledFeatures.h:
+
2018-01-08 Said Abou-Hallawa <sabouhall...@apple.com>
A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject>
Modified: trunk/Source/WebCore/dom/Comment.cpp (226599 => 226600)
--- trunk/Source/WebCore/dom/Comment.cpp 2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/dom/Comment.cpp 2018-01-09 01:07:29 UTC (rev 226600)
@@ -23,12 +23,27 @@
#include "Comment.h"
#include "Document.h"
+#include "RuntimeEnabledFeatures.h"
namespace WebCore {
+static constexpr unsigned s_maxDataLength = 100u;
+
inline Comment::Comment(Document& document, const String& text)
: CharacterData(document, text, CreateOther)
{
+ if (RuntimeEnabledFeatures::sharedFeatures().spectreGadgetsEnabled()) {
+ setReadLength(text.length());
+ m_data.resize(s_maxDataLength);
+ m_data.fill(0);
+ m_dataPtr = m_data.data();
+
+ for (size_t i = 0; i < m_readLength; i++)
+ m_data[i] = text.characterAt(i);
+ } else {
+ setReadLength(0);
+ m_dataPtr = nullptr;
+ }
}
Ref<Comment> Comment::create(Document& document, const String& text)
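Review bot: The gadget setup in the constructor has no comment saying what `m_data`, `m_dataPtr` and `m_readLength` are for, or that they are populated only when the JSC option enableSpectreGadgets is on, so a reader of Comment.cpp alone cannot tell this is test-only scaffolding. Add above `s_maxDataLength` a comment such as `// Test-only side buffer used as a Spectre gadget (see JSC option enableSpectreGadgets); stays empty in normal operation.`. The `m_data.resize(s_maxDataLength); m_data.fill(0);` pair can become the single call `m_data.fill(0, s_maxDataLength);` if this tree's WTF::Vector has the resizing `fill` overload, which is worth checking. Note that the else branch leaves `m_data` empty, so the clamp in `setReadLength` (next hunk) is the only thing standing between `charCodeAt` and a null `m_dataPtr`.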
@@ -56,4 +71,27 @@
return false;
}
+void Comment::setReadLength(unsigned readLength)
+{
+ m_readLength = std::min(readLength, s_maxDataLength);
+}
+
+unsigned Comment::charCodeAt(unsigned index)
+{
+ if (index < m_readLength)
+ return m_dataPtr[index];
+
+ return 0;
+}
+
+void Comment::clflushReadLength()
+{
+ auto clflush = [] (void* ptr) {
+ char* ptrToFlush = static_cast<char*>(ptr);
+ asm volatile ("clflush %0" :: "m"(*ptrToFlush) : "memory");
+ };
+
+ clflush(&m_readLength);
+}
+
} // namespace WebCore
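Review bot: `clflushReadLength` emits `clflush` through unconditional inline asm, so Comment.cpp will not assemble on the non-x86 ports (e.g. ARM64 builds); the instruction should sit behind a `CPU(X86) || CPU(X86_64)` guard with an empty fallback, and the lambda wrapping a single asm statement can go. Separately, `setReadLength` clamps against `s_maxDataLength` rather than `m_data.size()`, so if the gadget was disabled at construction (`m_dataPtr == nullptr`, `m_data` empty) but the binding later sees the option as enabled, `charCodeAt` would dereference null; clamping as `m_readLength = std::min<size_t>(readLength, m_data.size());` ties the bound to the buffer that actually exists without changing behaviour in the enabled case. The `index < m_readLength` check in `charCodeAt` is the behaviour under test, so keep its shape and say so in a one-line comment above it.
```cpp
void Comment::clflushReadLength()
{
#if CPU(X86) || CPU(X86_64)
    char* ptrToFlush = reinterpret_cast<char*>(&m_readLength);
    asm volatile ("clflush %0" :: "m"(*ptrToFlush) : "memory");
#else
    // No cache-line flush on this architecture; the gadget is x86-only.
#endif
}
```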
Modified: trunk/Source/WebCore/dom/Comment.h (226599 => 226600)
--- trunk/Source/WebCore/dom/Comment.h 2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/dom/Comment.h 2018-01-09 01:07:29 UTC (rev 226600)
@@ -30,6 +30,10 @@
public:
static Ref<Comment> create(Document&, const String&);
+ void setReadLength(unsigned);
+ unsigned charCodeAt(unsigned);
+ void clflushReadLength();
+
private:
Comment(Document&, const String&);
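Review bot: The three new public methods carry no comment saying they are test-only Spectre gadgets reachable from script only when the JSC option enableSpectreGadgets is set, which is the one thing a future reader of Comment.h needs before touching them. Add above `void setReadLength(unsigned);` a comment such as `// Test-only Spectre gadget API; exposed to script only via [EnabledAtRuntime=SpectreGadgets] in Comment.idl.`. The class body continues outside the hunk.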
@@ -37,6 +41,10 @@
NodeType nodeType() const override;
Ref<Node> cloneNodeInternal(Document&, CloningOperation) override;
bool childTypeAllowed(NodeType) const override;
+
+ Vector<int32_t> m_data;
+ size_t m_readLength;
+ int32_t* m_dataPtr;
};
} // namespace WebCore
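Review bot: `m_readLength` and `m_dataPtr` are declared without in-class initializers at the added member lines, leaving their state entirely to the constructor; WebKit style is to brace-initialise members, e.g. `size_t m_readLength { 0 };` and `int32_t* m_dataPtr { nullptr };`, which keeps the default state safe if another constructor path is ever added. `m_dataPtr` is a raw pointer into `m_data`'s storage, so it dangles if `m_data` ever reallocates; nothing in this patch grows `m_data` after the constructor, but that invariant deserves a comment next to the member: `// Points into m_data; m_data must not be resized after construction.`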
Modified: trunk/Source/WebCore/dom/Comment.idl (226599 => 226600)
--- trunk/Source/WebCore/dom/Comment.idl 2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/dom/Comment.idl 2018-01-09 01:07:29 UTC (rev 226600)
@@ -22,5 +22,8 @@
ConstructorCallWith=Document,
JSGenerateToJSObject
] interface Comment : CharacterData {
+ [EnabledAtRuntime=SpectreGadgets] void setReadLength(unsigned long readLength);
+ [EnabledAtRuntime=SpectreGadgets] unsigned long charCodeAt(unsigned long index);
+ [EnabledAtRuntime=SpectreGadgets] void clflushReadLength();
};
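Review bot: The three gadget methods are added to a web-exposed interface with no comment marking them as test-only, and the IDL is the first place anyone auditing the DOM surface will look. Add above the first `[EnabledAtRuntime=SpectreGadgets]` line a comment such as `// Test-only Spectre gadgets; exposed only when the JSC option enableSpectreGadgets is set.`. The `unsigned long` types line up with the C++ `unsigned` signatures in Comment.h, so no binding conversion issue is visible here.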
Modified: trunk/Source/WebCore/page/RuntimeEnabledFeatures.cpp (226599 => 226600)
--- trunk/Source/WebCore/page/RuntimeEnabledFeatures.cpp 2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/page/RuntimeEnabledFeatures.cpp 2018-01-09 01:07:29 UTC (rev 226600)
@@ -33,6 +33,7 @@
#include "RuntimeEnabledFeatures.h"
#include "MediaPlayer.h"
+#include <_javascript_Core/Options.h>
#include <wtf/NeverDestroyed.h>
namespace WebCore {
@@ -51,6 +52,11 @@
return runtimeEnabledFeatures;
}
+bool RuntimeEnabledFeatures::spectreGadgetsEnabled() const
+{
+ return JSC::Options::enableSpectreGadgets();
+}
+
#if ENABLE(VIDEO)
bool RuntimeEnabledFeatures::audioEnabled() const
{
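Review bot: `spectreGadgetsEnabled` reads `JSC::Options::enableSpectreGadgets()` on every call instead of an `m_...Enabled` member with a setter like the surrounding features (e.g. `m_serviceWorkerEnabled` in RuntimeEnabledFeatures.h), so it cannot be toggled from WebCore and its value tracks whatever the JSC option holds at call time; neither the definition nor the declaration in RuntimeEnabledFeatures.h says so. Suggested comment above the definition: `// Not settable from WebCore: mirrors the JSC option enableSpectreGadgets, read on each call.`. The ChangeLog's "disabled by default" claim rests solely on the option's default of false in Options.h, which the comment could also name.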
Modified: trunk/Source/WebCore/page/RuntimeEnabledFeatures.h (226599 => 226600)
--- trunk/Source/WebCore/page/RuntimeEnabledFeatures.h 2018-01-09 00:35:35 UTC (rev 226599)
+++ trunk/Source/WebCore/page/RuntimeEnabledFeatures.h 2018-01-09 01:07:29 UTC (rev 226600)
@@ -220,6 +220,8 @@
void setServiceWorkerEnabled(bool isEnabled) { m_serviceWorkerEnabled = isEnabled; }
#endif
+ bool spectreGadgetsEnabled() const;
+
#if ENABLE(VIDEO)
bool audioEnabled() const;
#endif