[Webkit-unassigned] [Bug 196533] [META] Undefined behavior bugs

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 3 13:56:58 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=196533

--- Comment #4 from Don Olmstead <don.olmstead at sony.com> ---
(In reply to Filip Pizlo from comment #3)
> (In reply to Don Olmstead from comment #2)
> > (In reply to Filip Pizlo from comment #1)
> > > What is the value to fixing these?  JSC uses C++ as if it was a structured
> > > assembler. If the things that the various committees view as UB were
> > > actually removed from the language then it wouldn’t be possible to implement
> > > JSC.
> > 
> > We'd like to enable Control Flow Integrity
> > https://clang.llvm.org/docs/ControlFlowIntegrity.html on the PlayStation
> > port as a threat mitigation. We have a compiler team here that works on LLVM
> > and is interested in enabling CFI with WebKit. Our biggest attack vector for
> > hacking our console is WebKit.
> 
> Can you help fix security bugs in WebKit?

I'm on the security mailing list as well as a handful of people over here at Sony. If these things turn up security issues then we'd definitely help fix.

In the long term we'd like to spin up bots running the different sanitizers to continuously look for issues. An issue there is that I don't know that we could lock down the logs to a bot if it were attached to build.webkit.org. I've talked a bit about this with Brent.

Another issue would be collating the stacks. Not sure how we'd do that yet.

Anyways I think this is a solvable issue.

> > We understand that JSC has some bits of code that actively rely on undefined
> > behavior. Others might be false positives. For those we can blacklist them
> > so CFI doesn't report any issues. See Yusuke's patch for
> > https://bugs.webkit.org/show_bug.cgi?id=188741 as an example.
> 
> I don’t like the idea of those blacklist code changes. It’s just noise to
> most people. 

The benefit is being able to grep the source, but yeah, I don't have a strong opinion on where the blacklist will live.

> > Others might be legit bugs. When we started running Undefined Behavior
> > Sanitizer over WebKit Yusuke felt some results warranted action. See
> > https://trac.webkit.org/changeset/235307/webkit and
> > https://trac.webkit.org/changeset/234855/webkit for examples. You can also
> > search for ubsan in trac.
> 
> The first of those is just not a bug. CPUs we target ignore the high bits of
> a shift amount. This code would only be recompiled if the shift amount ended
> up being a constant. 
> 
> The second one seems like an asymptomatic bug. It’s nice to fix but I don’t
> think it makes sense to put effort towards finding those.

Chrome has a page about their work with CFI (https://www.chromium.org/developers/testing/control-flow-integrity), so they're seeing value in using CFI. We don't really know what issues crop up until we have things running throughout. As I stated, we're happy to help sort out anything it manages to find.

-- 
You are receiving this mail because:
You are the assignee for the bug.
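The shift-amount disagreement in the thread (UBSan flagging a shift whose count can reach 32 or more, versus the observation that the targeted CPUs ignore the high bits of the count) is easy to make concrete. The following is an added example, not code from the bug or from WebKit/JSC: hypothetical helpers that make the hardware's count mask explicit in the source, so the C++ result is defined and `-fsanitize=shift` (part of `-fsanitize=undefined`) has nothing to report, plus the predicate the sanitizer effectively checks. The `js*` functions assume, for illustration only, a runtime whose shift operators use just the low 5 bits of the count, the way JavaScript's `<<`, `>>` and `>>>` are specified.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical helpers, not WebKit/JSC code. In C++, `x << n` or `x >> n` is
// undefined when n >= the bit width of x (32 here), which is what
// -fsanitize=shift reports at runtime. x86 and ARM mask a 32-bit shift count
// to its low 5 bits, so the hardware result is well defined; writing that mask
// in the source makes the C++ result defined too and silences the sanitizer
// without changing what the CPU ends up doing.

constexpr unsigned kWidth32 = 32;
constexpr unsigned kCountMask32 = kWidth32 - 1; // 0x1F: keep the low 5 bits

// True when a raw shift count would be undefined behaviour on a 32-bit
// operand. This is the condition UBSan instruments; a debug build can assert it.
bool shiftCountIsUndefined32(unsigned count) {
    return count >= kWidth32;
}

// Defined 32-bit shifts: the explicit mask mirrors what the CPU does to the
// count, so a count of 33 behaves like 1 and a count of 32 like 0.
uint32_t shiftLeft32(uint32_t value, unsigned count) {
    return value << (count & kCountMask32);
}

uint32_t shiftRightLogical32(uint32_t value, unsigned count) {
    return value >> (count & kCountMask32);
}

// Arithmetic right shift of a signed 32-bit value. Right-shifting a negative
// signed value is implementation-defined before C++20; doing it through the
// unsigned representation makes the sign replication explicit everywhere.
int32_t shiftRightArithmetic32(int32_t value, unsigned count) {
    unsigned n = count & kCountMask32;
    uint32_t u = static_cast<uint32_t>(value);
    uint32_t shifted = u >> n;
    if (value < 0 && n != 0)
        shifted |= ~(UINT32_MAX >> n); // fill the vacated high bits with the sign
    return static_cast<int32_t>(shifted);
}

// Assumption for illustration: a runtime whose shift operators only use the
// low 5 bits of the count (the JavaScript rule). A plain `lhs << rhs` in C++
// would be UB for rhs >= 32 even though the intended semantics are defined.
int32_t jsShiftLeft(int32_t lhs, uint32_t rhs) {
    return static_cast<int32_t>(shiftLeft32(static_cast<uint32_t>(lhs), rhs));
}

uint32_t jsShiftRightUnsigned(uint32_t lhs, uint32_t rhs) {
    return shiftRightLogical32(lhs, rhs);
}

int32_t jsShiftRight(int32_t lhs, uint32_t rhs) {
    return shiftRightArithmetic32(lhs, rhs);
}

int main() {
    unsigned rawCount = 33; // a count a sanitizer build would flag if used unmasked
    std::printf("count %u undefined for a 32-bit shift: %s\n", rawCount,
                shiftCountIsUndefined32(rawCount) ? "yes" : "no");
    std::printf("1 << 33 with masking = %u\n", shiftLeft32(1, rawCount));
    std::printf("-8 >> 1 = %d\n", jsShiftRight(-8, 1));
    return 0;
}
```

The masked form compiles to the same single shift instruction on the architectures mentioned in the thread, so the fix costs nothing at runtime; the difference is only that the source now states the contract the code was silently relying on, which is what lets a UBSan bot run clean without a blacklist entry for this site.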