[Webkit-unassigned] [Bug 196533] [META] Undefined behavior bugs

bugzilla-daemon at webkit.org
Wed Apr 3 12:11:25 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=196533

--- Comment #2 from Don Olmstead <don.olmstead at sony.com> ---
(In reply to Filip Pizlo from comment #1)
> What is the value to fixing these?  JSC uses C++ as if it was a structured
> assembler. If the things that the various committees view as UB were
> actually removed from the language then it wouldn’t be possible to implement
> JSC.

We'd like to enable Control Flow Integrity (https://clang.llvm.org/docs/ControlFlowIntegrity.html) on the PlayStation port as a threat mitigation. We have a compiler team here that works on LLVM and is interested in enabling CFI with WebKit. Our biggest attack vector for hacking our console is WebKit.

We understand that JSC has some bits of code that actively rely on undefined behavior. Others might be false positives. Those we can blacklist so CFI doesn't report any issues. See Yusuke's patch for https://bugs.webkit.org/show_bug.cgi?id=188741 as an example.

Others might be legit bugs. When we started running Undefined Behavior Sanitizer over WebKit, Yusuke felt some results warranted action. See https://trac.webkit.org/changeset/235307/webkit and https://trac.webkit.org/changeset/234855/webkit for examples. You can also search for ubsan in Trac.
