[Webkit-unassigned] [Bug 197060] New: WebCore: auto-initialize stack variables

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 18 09:28:09 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=197060

            Bug ID: 197060
           Summary: WebCore: auto-initialize stack variables
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jfbastien at apple.com

Clang added support for C / C++ variable auto-initialization.

The build’s CFLAGS / CCFLAGS can use the following flag:
  -ftrivial-auto-var-init=pattern
An Xcode setting can also be used, which will enable said flag if it's available in clang.

Variable auto-initialization will affect stack variables as follows:
 - Initialize all integers and pointers to repeated 0xAA byte pattern
 - Initialize all floating point values to “negative NaN with repeated 0xFF payload” (i.e. float32 is 0xFFFFFFFF and float64 is 0xFFFFFFFFFFFFFFFF)
 - Initialize aggregate types in the same way, and their padding (structs, classes, vectors, arrays, variable-length arrays, unions)
The optimizer will then get rid of redundant initializations (if it doesn't, please file bugs on clang).

This means that attackers can’t exploit uninitialized stack variables as easily because they can’t leave a value on the stack / in a register and use it later in a manner which the program wasn’t designed to handle.

This currently increases binary size by 1%–2% and, in some cases, has a similar or smaller performance impact. We’ve put effort in reducing this impact, but the compiler can still be improved to reduce this impact. Concretely, WebCore on x86-64 grows by 1.9% on a recent clang (though we've done more optimizations since this measurement). We ran performance numbers on benchmarks we find important and Dean said "looking at the results, I think we have enough evidence to say it doesn't appear to be a regression".

As a workaround when performance impact is unacceptable, the compiler isn't optimizing things away, and you've manually validated that code was correct, you can mark the corresponding stack variable as follows:
  struct uninitialized_struct __attribute((uninitialized));
  int uninitialized_array[42] __attribute((uninitialized));
  int uninitialized_scalar __attribute((uninitialized));
Of course, you then have no protection of that variable from uninitialized usage!
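An added example, not from the bug report or from WebKit's build system: it constructs the fill values the report describes (0xAA for integers and pointers, 0xFF for floating point), shows why they are good poison values (a negative NaN that propagates, a pointer that is non-canonical on x86-64 and so traps on dereference), and adds a small crash-triage check for recognising the 0xAA fill in a register or dumped struct. The canonical-address rule it assumes is the x86-64 user-space one (bits 63..47 all equal).

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The fill values the report describes: 0xAA repeated for integers and
 * pointers, 0xFF repeated for floating point. */
static uint64_t pattern_u64(void) { return 0xAAAAAAAAAAAAAAAAULL; }

static float pattern_f32(void) {
    uint32_t bits = 0xFFFFFFFFu;
    float f;
    memcpy(&f, &bits, sizeof f);      /* reinterpret the bits without UB */
    return f;
}

static double pattern_f64(void) {
    uint64_t bits = 0xFFFFFFFFFFFFFFFFULL;
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* x86-64 user-space addresses are canonical only when bits 63..47 are all
 * equal. 0xAAAA... is not, so a pattern-filled pointer traps when dereferenced
 * instead of silently reading whatever stale stack bytes happened to address. */
static int is_noncanonical_x86_64(uint64_t addr) {
    uint64_t top = addr >> 47;        /* the 17 bits 63..47 */
    return !(top == 0 || top == 0x1FFFF);
}

/* Crash triage: is a region (a register value, a struct copied from a dump)
 * entirely the 0xAA fill? If so the crash is very likely a use of an
 * uninitialized stack variable that auto-init turned into a reproducible value. */
static int is_pattern_fill(const void *p, size_t n) {
    const unsigned char *b = p;
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0xAA) return 0;
    return 1;
}

int main(void) {
    uint64_t rax = pattern_u64();     /* constructed: a register from a crash log */
    printf("f32 pattern NaN=%d negative=%d\n", isnan(pattern_f32()) != 0, signbit(pattern_f32()) != 0);
    printf("pointer pattern non-canonical=%d\n", is_noncanonical_x86_64(rax));
    printf("rax looks uninitialized=%d\n", is_pattern_fill(&rax, sizeof rax));
    return 0;
}
```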
