Open
Bug 1430051
Opened 7 years ago
Updated 2 years ago
[Meta] Spectre bounds check mitigations
Categories
(Core :: JavaScript Engine: JIT, enhancement, P3)
Core
JavaScript Engine: JIT
Tracking
NEW
| | Tracking | Status |
|---|---|---|
| firefox60 | --- | affected |
People
(Reporter: jandem, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(Keywords: meta)
The plan is to implement V8-style index masking behind a pref:
mask := ((index - limit) & ~index) >> 31
index := index & mask
Then we can measure what the perf overhead is.
Comment 1 • 7 years ago
Intel appear to have released an update, see https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf
"Other instructions such as CMOVcc, AND, ADC, SBB and SETcc can also be used to prevent bounds check bypass by constraining speculative execution on current family 6 processors (Intel® Core™, Intel® Atom™, Intel® Xeon® and Intel® Xeon Phi™ processors). However, these instructions may not be guaranteed to do so on future Intel processors. Intel will release further guidance on the usage of instructions to constrain speculation in the future before processors with different behavior are released."
It would have been useful to have a little more information on these patterns, but if they are suggesting that a data dependency such as proposed in https://bugzilla.mozilla.org/show_bug.cgi?id=1429237 could work with current CPUs then that might be interesting, and are they suggesting that masking ("AND") might not be sufficient in future, or are they just saying they have not worked it out yet??
Comment 2 • 7 years ago
Here is another suggestion that avoids any race between the branch and the load and appears to have some potential and might be worth exploring: https://weblll.org/index.php/spectre-bounds-check-mitigation-using-a-subtraction-with-borrow/ It uses instructions listed in the above recent Intel publication. A key pattern came from the Linux kernel discussions and it uses a subtraction with borrow from zero to generate the mask from the comparison, and for the JS sandbox this can be usefully fused with the bounds check branch.
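The two mask constructions discussed here, the V8-style arithmetic mask from the bug description and the cmp/sbb pattern from comment 2, side by side as an added C example (not code from this bug or from SpiderMonkey); the function names, the `masked_load` layout and the test pairs are assumptions and constructed inputs. Both masks are all-ones exactly for 0 <= index < limit and zero otherwise, so the AND leaves an in-bounds index untouched and clamps any other index to element 0.

```c
#include <stdint.h>
#include <stddef.h>

/* Mask from the bug description (V8 style): ((index - limit) & ~index) >> 31.
 * Computed in uint32_t so the subtraction cannot hit signed-overflow UB; the
 * arithmetic ">> 31" (0 or all ones) becomes "0 - (bit >> 31)". */
static uint32_t spectre_mask_v8(int32_t index, int32_t limit)
{
    uint32_t ui = (uint32_t)index, ul = (uint32_t)limit;
    uint32_t sign = ((ui - ul) & ~ui) >> 31; /* 1 iff index - limit < 0 and index >= 0 */
    return 0u - sign;                        /* 0xFFFFFFFF in bounds, 0 otherwise */
}

/* Mask from the cmp/sbb pattern in comment 2: "cmp index, limit" sets the carry
 * flag exactly when index <u limit, and "sbb r, r" turns carry into 0 or all
 * ones. This is a plain C emulation; whether the compiler emits sbb is up to it. */
static uint32_t spectre_mask_sbb(int32_t index, int32_t limit)
{
    return 0u - (uint32_t)((uint32_t)index < (uint32_t)limit);
}

/* Bounds check plus mask, as a JIT would lay it out: the branch is the real
 * check, the AND clamps the index to 0 (a valid element) even if the branch was
 * speculated the wrong way. Returns 0 and leaves *out untouched when out of bounds. */
static int masked_load(const int32_t *arr, int32_t length, int32_t index,
                       uint32_t (*mask_fn)(int32_t, int32_t), int32_t *out)
{
    if ((uint32_t)index >= (uint32_t)length)
        return 0;
    uint32_t clamped = (uint32_t)index & mask_fn(index, length);
    *out = arr[clamped];
    return 1;
}

/* Constructed edge cases: in bounds, equal to limit, negative, INT32 extremes.
 * Returns 1 if both masks agree on every pair. */
static int masks_agree(void)
{
    static const int32_t pairs[][2] = {
        {0, 1}, {3, 10}, {9, 10}, {10, 10}, {11, 10}, {-1, 10},
        {INT32_MIN, 10}, {INT32_MAX - 1, INT32_MAX}, {INT32_MAX, INT32_MAX}, {0, 0},
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        if (spectre_mask_v8(pairs[i][0], pairs[i][1]) !=
            spectre_mask_sbb(pairs[i][0], pairs[i][1]))
            return 0;
    return 1;
}
```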
Comment 3 • 7 years ago (Reporter)
Yeah, Luke and I were talking about using SBB earlier this week and it's definitely interesting. We could use it for certain bounds checks, but not the hot ones in Ion that use MBoundsCheck + separate MSpectreMaskIndex. We could try to optimize that somehow though.
Comment 4 • 7 years ago
It might be possible to just replace the current pattern in spectreMaskIndexImpl with cmp/sbb for a start, and see if that makes any difference, and then explore fusing this with the bounds check to avoid a redundant comparison.
Comment 5 • 7 years ago
(In reply to Douglas Crosher [:dougc] from comment #2)
> […] uses a subtraction with borrow from zero to generate the mask […]
See Bug 1433111 comment 1.
Updated • 7 years ago
status-firefox60: --- → affected
Priority: -- → P1
Updated • 2 years ago
Severity: normal → S3