Bug 208671 - [JSC] Cage JIT pointers to the JIT region
Summary: [JSC] Cage JIT pointers to the JIT region
Status: ASSIGNED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-03-05 15:54 PST by Michael Saboff
Modified: 2020-09-22 20:25 PDT (History)

See Also:


Attachments
Draft patch (598.44 KB, patch)
2020-03-05 17:03 PST, Michael Saboff
no flags
Work in progress patch (735.51 KB, patch)
2020-09-22 20:18 PDT, Michael Saboff
ews-feeder: commit-queue-

Description Michael Saboff 2020-03-05 15:54:21 PST
The idea here is that we emit code that cages code pointers to the JIT region so that JIT execution does not escape to not-JIT'ed regions except to known destinations.  For functions that the JIT'ed code needs to call out to in C++ code space, provide a whitelist of allowable entry points.  Finally, verify that the emitted instructions follow the designed restrictions.

This change is currently only implemented for ARM64 hardware.
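A sketch of the two checks the description above combines, added here as an illustration and not taken from the patch or from JavaScriptCore: an indirect branch target is either a whitelisted C++ entry point, passed through as-is, or it is caged into the JIT region by masking. The region base and size, the whitelist addresses and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical JIT region: 1 GiB, aligned to its own size so that caging
 * is a branch-free mask-and-or (assumed layout, not WebKit's). */
#define JIT_REGION_BASE ((uintptr_t)0x0000400000000000ULL)
#define JIT_REGION_SIZE ((uintptr_t)1 << 30)

/* Force an arbitrary code pointer into the JIT region. Because the base is
 * aligned to JIT_REGION_SIZE, (ptr & (SIZE - 1)) keeps only the in-region
 * offset and OR-ing the base pins the result inside the region, so a
 * corrupted pointer can no longer redirect execution outside it. */
uintptr_t cage_jit_pointer(uintptr_t ptr) {
    return JIT_REGION_BASE | (ptr & (JIT_REGION_SIZE - 1));
}

bool in_jit_region(uintptr_t ptr) {
    return ptr >= JIT_REGION_BASE && ptr < JIT_REGION_BASE + JIT_REGION_SIZE;
}

/* Whitelist of C++ entry points that JIT'ed code may call into.
 * Constructed addresses standing in for real runtime/thunk addresses. */
static const uintptr_t kAllowedEntryPoints[] = {
    0x0000100000001000ULL, /* e.g. a slow-path runtime call */
    0x0000100000002000ULL, /* e.g. an exception-handling thunk */
};

bool is_allowed_cpp_entry(uintptr_t target) {
    size_t n = sizeof kAllowedEntryPoints / sizeof kAllowedEntryPoints[0];
    for (size_t i = 0; i < n; i++)
        if (kAllowedEntryPoints[i] == target)
            return true;
    return false;
}

/* The only two places an indirect branch from JIT code may land: a known
 * C++ entry point, or somewhere inside the JIT region. */
uintptr_t resolve_branch_target(uintptr_t target) {
    if (is_allowed_cpp_entry(target))
        return target;
    return cage_jit_pointer(target);
}
```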
Comment 1 Michael Saboff 2020-03-05 15:54:38 PST
<rdar://problem/56044895>
Comment 2 Michael Saboff 2020-03-05 17:03:36 PST
Created attachment 392652 [details]
Draft patch

This patch does not build for non-ARM64 platforms.  It also doesn't generate the WebKit and WebCore whitelists.
Comment 3 Michael Saboff 2020-09-22 20:18:16 PDT
Created attachment 409448 [details]
Work in progress patch