Add a DOM gadget for Spectre testing
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Jan 2018 01:07:29 +0000 (01:07 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Jan 2018 01:07:29 +0000 (01:07 +0000)
https://bugs.webkit.org/show_bug.cgi?id=181351

Source/JavaScriptCore:

Reviewed by Michael Saboff.

Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
Spectre mitigations.

* runtime/Options.h:

Source/WebCore:

Reviewed by Saam Barati.

This change is used to test Spectre mitigations.

Added a side data array to the Comment DOM node to test for Spectre issues in
the DOM layer.  This additional functionality is disabled by default and must
be enabled through the JSC option "enableSpectreGadgets".

* dom/Comment.cpp:
(WebCore::Comment::Comment):
(WebCore::Comment::setReadLength):
(WebCore::Comment::charCodeAt):
(WebCore::Comment::clflushReadLength):
* dom/Comment.h:
* dom/Comment.idl:
* page/RuntimeEnabledFeatures.cpp:
(WebCore::RuntimeEnabledFeatures::spectreGadgetsEnabled const):
* page/RuntimeEnabledFeatures.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226600 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/Options.h
Source/WebCore/ChangeLog
Source/WebCore/dom/Comment.cpp
Source/WebCore/dom/Comment.h
Source/WebCore/dom/Comment.idl
Source/WebCore/page/RuntimeEnabledFeatures.cpp
Source/WebCore/page/RuntimeEnabledFeatures.h

index 3ae4c94..9d88ba8 100644 (file)
@@ -1,3 +1,15 @@
+2018-01-08  Michael Saboff  <msaboff@apple.com>
+
+        Add a DOM gadget for Spectre testing
+        https://bugs.webkit.org/show_bug.cgi?id=181351
+
+        Reviewed by Michael Saboff.
+
+        Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
+        Spectre mitigations.
+
+        * runtime/Options.h:
+
 2018-01-08  Mark Lam  <mark.lam@apple.com>
 
         Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
index 786d999..f0839f2 100644 (file)
@@ -460,6 +460,8 @@ constexpr bool enableAsyncIteration = false;
     \
     v(bool, disableSpectreMitigations, false, Restricted, "Disable Spectre mitigations.") \
     \
+    v(bool, enableSpectreGadgets, false, Restricted, "enable gadgets to test Spectre mitigations.") \
+    \
     v(bool, useAsyncIterator, enableAsyncIteration, Normal, "Allow to use Async Iterator in JS.") \
     \
     v(bool, failToCompileWebAssemblyCode, false, Normal, "If true, no Wasm::Plan will sucessfully compile a function.") \
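Review bot: The description string on the new `enableSpectreGadgets` line starts lowercase, unlike the neighbouring `"Disable Spectre mitigations."` entry, so it reads inconsistently in `--dumpOptions` output; `v(bool, enableSpectreGadgets, false, Restricted, "Enable gadgets to test Spectre mitigations.") \`. Because the option deliberately turns on code that weakens a speculation boundary, the text would also benefit from saying it is for testing only, so it is not mistaken for a tuning knob.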
index b5ae76d..3749d85 100644 (file)
@@ -1,3 +1,27 @@
+2018-01-08  Michael Saboff  <msaboff@apple.com>
+
+        Add a DOM gadget for Spectre testing
+        https://bugs.webkit.org/show_bug.cgi?id=181351
+
+        Reviewed by Saam Barati.
+
+        This change is used to test Spectre mitigations.
+
+        Added a side data array to the Comment DOM node to test for Spectre issues in
+        the DOM layer.  This additional functionality is disabled by default and must
+        be enabled through the JSC option "enableSpectreGadgets".
+
+        * dom/Comment.cpp:
+        (WebCore::Comment::Comment):
+        (WebCore::Comment::setReadLength):
+        (WebCore::Comment::charCodeAt):
+        (WebCore::Comment::clflushReadLength):
+        * dom/Comment.h:
+        * dom/Comment.idl:
+        * page/RuntimeEnabledFeatures.cpp:
+        (WebCore::RuntimeEnabledFeatures::spectreGadgetsEnabled const):
+        * page/RuntimeEnabledFeatures.h:
+
 2018-01-08  Said Abou-Hallawa  <sabouhallawa@apple.com>
 
         A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject>
index 7314368..86e8e46 100644 (file)
 #include "Comment.h"
 
 #include "Document.h"
+#include "RuntimeEnabledFeatures.h"
 
 namespace WebCore {
 
+static constexpr unsigned s_maxDataLength = 100u;
+
 inline Comment::Comment(Document& document, const String& text)
     : CharacterData(document, text, CreateOther)
 {
+    if (RuntimeEnabledFeatures::sharedFeatures().spectreGadgetsEnabled()) {
+        setReadLength(text.length());
+        m_data.resize(s_maxDataLength);
+        m_data.fill(0);
+        m_dataPtr = m_data.data();
+
+        for (size_t i = 0; i < m_readLength; i++)
+            m_data[i] = text.characterAt(i);
+    } else {
+        setReadLength(0);
+        m_dataPtr = nullptr;
+    }
 }
 
 Ref<Comment> Comment::create(Document& document, const String& text)
@@ -56,4 +71,27 @@ bool Comment::childTypeAllowed(NodeType) const
     return false;
 }
 
+void Comment::setReadLength(unsigned readLength)
+{
+    m_readLength = std::min(readLength, s_maxDataLength);
+}
+
+unsigned Comment::charCodeAt(unsigned index)
+{
+    if (index < m_readLength)
+        return m_dataPtr[index];
+
+    return 0;
+}
+
+void Comment::clflushReadLength()
+{
+    auto clflush = [] (void* ptr) {
+        char* ptrToFlush = static_cast<char*>(ptr);
+        asm volatile ("clflush %0" :: "m"(*ptrToFlush) : "memory");
+    };
+
+    clflush(&m_readLength);
+}
+
 } // namespace WebCore
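Review bot: `clflushReadLength` emits `clflush` through GCC-style `asm volatile`, which only assembles on x86/x86-64 with a GCC-compatible compiler, and nothing in the hunk guards it, so the file as patched is unlikely to build for ARM targets or with MSVC; wrapping the lambda and its call in `#if CPU(X86) || CPU(X86_64)` / `#endif` (leaving the function empty otherwise) keeps the gadget where it is meaningful. A secondary point in `charCodeAt`: `m_dataPtr` stays `nullptr` when the gadgets are disabled, while `setReadLength` is a public C++ member that still raises `m_readLength` up to `s_maxDataLength`, so a non-IDL caller could make the guarded read dereference null; `if (m_dataPtr && index < m_readLength)` closes that without altering the bounds check under test. The constructor in the first hunk stays in bounds because `m_readLength` is clamped to `s_maxDataLength` and `m_data` is resized to that same value, but a comment saying the array rather than the text length bounds reads would help the next reader.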
index fe7d348..bd51195 100644 (file)
@@ -30,6 +30,10 @@ class Comment final : public CharacterData {
 public:
     static Ref<Comment> create(Document&, const String&);
 
+    void setReadLength(unsigned);
+    unsigned charCodeAt(unsigned);
+    void clflushReadLength();
+
 private:
     Comment(Document&, const String&);
 
@@ -37,6 +41,10 @@ private:
     NodeType nodeType() const override;
     Ref<Node> cloneNodeInternal(Document&, CloningOperation) override;
     bool childTypeAllowed(NodeType) const override;
+
+    Vector<int32_t> m_data;
+    size_t m_readLength;
+    int32_t* m_dataPtr;
 };
 
 } // namespace WebCore
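Review bot: `m_readLength` and `m_dataPtr` in the second hunk have no in-class initializer, so `charCodeAt` is safe only because both constructor branches happen to assign them; WebKit's usual form `size_t m_readLength { 0 };` and `int32_t* m_dataPtr { nullptr };` makes the disabled state the default regardless of constructor changes. `m_readLength` is also `size_t` while `setReadLength` and `charCodeAt` take `unsigned`; the clamp makes the width mismatch harmless, but if the 8-byte width is deliberate for the flush it deserves a comment. The three new public members in the first hunk are undocumented; a line such as `// Spectre-mitigation test gadget; only reachable when the enableSpectreGadgets JSC option is set.` above `setReadLength` would explain why a Comment node carries a side array at all.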
index fd45912..2c32a34 100644 (file)
@@ -22,5 +22,8 @@
     ConstructorCallWith=Document,
     JSGenerateToJSObject
 ] interface Comment : CharacterData {
+    [EnabledAtRuntime=SpectreGadgets] void setReadLength(unsigned long readLength);
+    [EnabledAtRuntime=SpectreGadgets] unsigned long charCodeAt(unsigned long index);
+    [EnabledAtRuntime=SpectreGadgets] void clflushReadLength();
 };
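Review bot: The three new operations carry no comment explaining that they are a Spectre-mitigation test gadget rather than a web-platform API, and the `[EnabledAtRuntime=SpectreGadgets]` attribute alone does not say so; a comment above them such as `// Test-only gadget for Spectre mitigation work; gated by the enableSpectreGadgets JSC option, off by default.` would keep them from being mistaken for a shipped interface. That comment should also state that `setReadLength` may exceed the comment's text length, since the zero-filled backing array, not the text, bounds what `charCodeAt` returns.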
 
index def1188..8d52c44 100644 (file)
@@ -33,6 +33,7 @@
 #include "RuntimeEnabledFeatures.h"
 
 #include "MediaPlayer.h"
+#include <JavaScriptCore/Options.h>
 #include <wtf/NeverDestroyed.h>
 
 namespace WebCore {
@@ -51,6 +52,11 @@ RuntimeEnabledFeatures& RuntimeEnabledFeatures::sharedFeatures()
     return runtimeEnabledFeatures;
 }
 
+bool RuntimeEnabledFeatures::spectreGadgetsEnabled() const
+{
+    return JSC::Options::enableSpectreGadgets();
+}
+
 #if ENABLE(VIDEO)
 bool RuntimeEnabledFeatures::audioEnabled() const
 {
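Review bot: `spectreGadgetsEnabled` differs from the surrounding accessors in that it forwards to `JSC::Options::enableSpectreGadgets()` on every call rather than returning a stored member, and the header hunk adds no setter, so it cannot be toggled from WebCore; that is reasonable for a test-only switch but should be stated, e.g. `// Test-only. Mirrors the JSC::Options::enableSpectreGadgets() option; deliberately no WebCore setter.` above the definition. Comment's constructor queries it for every node created, so keeping it a plain Options read rather than anything heavier is the right choice.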
index f4e283f..ad8f3c6 100644 (file)
@@ -220,6 +220,8 @@ public:
     void setServiceWorkerEnabled(bool isEnabled) { m_serviceWorkerEnabled = isEnabled; }
 #endif
 
+    bool spectreGadgetsEnabled() const;
+
 #if ENABLE(VIDEO)
     bool audioEnabled() const;
 #endif