[webkit-changes] [WebKit/WebKit] 60a72b: Poison AssemblerBuffer's inline buffer on x86

[Marcus Plutowski]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 60a72b8caf511451d8acd82fde1a35ff0a322e7f
      https://github.com/WebKit/WebKit/commit/60a72b8caf511451d8acd82fde1a35ff0a322e7f
  Author: Marcus Plutowski <marcus_plutowski at apple.com>
  Date:   2024-09-26 (Thu, 26 Sep 2024)

  Changed paths:
    M Source/JavaScriptCore/assembler/AssemblerBuffer.h
    M Source/JavaScriptCore/jit/ExecutableAllocator.h

  Log Message:
  -----------
  Poison AssemblerBuffer's inline buffer on x86
https://bugs.webkit.org/show_bug.cgi?id=280354
rdar://136706743

Reviewed by Yusuke Suzuki.

JIT_SCAN_ASSEMBLER_BUFFER_FOR_ZEROES is a feature enabled on X86 that
scans the assembler buffer for excessive strings of zeroes at link-time.
We would like to be able to distinguish between two cases:
 1. The zeroes were written into the buffer (either intentionally or
    unintentionally)
 2. The zeroes were left there by someone who forgot to write over a
    chunk of code, and are thus just left over from initialization
By poisoning m_inlineBuffer inside the constructor, we mostly achieve
this -- we'd like to poison the out-of-line buffers too, but it's more
likely that that will have too high of a performance cost and inline
buffers are the ones most likely to be corrupted regardless (being on
the stack, and thus most vulnerable to buffer overruns and the like).

* Source/JavaScriptCore/assembler/AssemblerBuffer.h:
(JSC::AssemblerDataImpl::AssemblerDataImpl):
(JSC::AssemblerDataImpl::poisonInlineBuffer):
* Source/JavaScriptCore/jit/ExecutableAllocator.h:
(JSC::performJITMemcpy):

Canonical link: https://commits.webkit.org/284300@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications