[Webkit-unassigned] [Bug 196533] [META] Undefined behavior bugs

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 3 13:35:37 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=196533

--- Comment #3 from Filip Pizlo <fpizlo at apple.com> ---
(In reply to Don Olmstead from comment #2)
> (In reply to Filip Pizlo from comment #1)
> > What is the value to fixing these?  JSC uses C++ as if it was a structured
> > assembler. If the things that the various committees view as UB were
> > actually removed from the language then it wouldn’t be possible to implement
> > JSC.
> 
> We'd like to enable Control Flow Integrity
> https://clang.llvm.org/docs/ControlFlowIntegrity.html on the PlayStation
> port as a threat mitigation. We have a compiler team here that works on LLVM
> and is interested in enabling CFI with WebKit. Our biggest attack vector for
> hacking our console is WebKit.

Can you help fix security bugs in WebKit?

> 
> We understand that JSC has some bits of code that actively rely on undefined
> behavior. Others might be false positives. For those we can blacklist them
> so CFI doesn't report any issues. See Yusuke's patch for
> https://bugs.webkit.org/show_bug.cgi?id=188741 as an example.

I don’t like the idea of those blacklist code changes. It’s just noise to most people. 

> 
> Others might be legit bugs. When we started running Undefined Behavior
> Sanitizer over WebKit Yusuke felt some results warranted action. See
> https://trac.webkit.org/changeset/235307/webkit and
> https://trac.webkit.org/changeset/234855/webkit for examples. You can also
> search for ubsan in trac.

The first of those is just not a bug. CPUs we target ignore the high bits of a shift amount. This code would only be recompiled if the shift amount ended up being a constant. 

The second one seems like an asymptomatic bug. It’s nice to fix but I don’t think it makes sense to put effort towards finding those.

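The disagreement above turns on a shift whose count can exceed the operand width: in C that is undefined behaviour (which is why UBSan reports it), while the x86 and ARM64 shift instructions mask a register count modulo the operand width. The following is an added example, not WebKit code and not from either commenter, showing the defensive pattern that keeps both sides happy: mask the count explicitly (`shl32_masked`, `shl64_masked`, hypothetical helper names) so the expression is defined C for any count and yields the same result the hardware would, or reject out-of-range counts outright (`shl32_checked`). UBSan's `shift` check stays quiet on both forms, and when the count is a compile-time constant the mask folds away.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers (not WebKit code). Masking the count to the operand
   width makes the shift defined C for every count value; on x86 and ARM64
   the hardware masks a register shift count the same way, so the result is
   unchanged on those targets. */
static inline uint32_t shl32_masked(uint32_t v, unsigned count) {
    return v << (count & 31u);
}

static inline uint64_t shl64_masked(uint64_t v, unsigned count) {
    return v << (count & 63u);
}

/* Alternative for callers that consider an out-of-range count a logic error:
   refuse the shift instead of silently wrapping the count. Returns 1 and
   writes *out on success, 0 (and leaves *out untouched) on failure. */
static inline int shl32_checked(uint32_t v, unsigned count, uint32_t *out) {
    if (count >= 32u)
        return 0;
    *out = v << count;
    return 1;
}

int main(void) {
    /* Constructed inputs: a count equal to, and one beyond, the width. */
    uint32_t r;
    printf("1 << 33 (masked, 32-bit) = %u\n", shl32_masked(1u, 33u));   /* 2 */
    printf("1 << 64 (masked, 64-bit) = %llu\n",
           (unsigned long long)shl64_masked(1ull, 64u));                /* 1 */
    printf("checked 1 << 32 accepted? %d\n", shl32_checked(1u, 32u, &r)); /* 0 */
    return 0;
}
```

Masking is the right choice where the original code deliberately relied on the hardware wrap (the "CPUs we target" case): it documents the intent in the source and removes the UB without changing generated code. The checked form is the right choice where an oversized count can only come from a bug or from attacker-influenced input, since it turns silent wrap into a detectable failure.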