https://bugs.webkit.org/show_bug.cgi?id=181351
Source/JavaScriptCore:
Reviewed by Michael Saboff.
Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
Spectre mitigations.
* runtime/Options.h:
Source/WebCore:
Reviewed by Saam Barati.
This change is used to test Spectre mitigations.
Added a side data array to the Comment DOM node to test for Spectre issues in
the DOM layer. This additional functionality is disabled by default and must
be enabled through the JSC option "enableSpectreGadgets".
* dom/Comment.cpp:
(WebCore::Comment::Comment):
(WebCore::Comment::setReadLength):
(WebCore::Comment::charCodeAt):
(WebCore::Comment::clflushReadLength):
* dom/Comment.h:
* dom/Comment.idl:
* page/RuntimeEnabledFeatures.cpp:
(WebCore::RuntimeEnabledFeatures::spectreGadgetsEnabled const):
* page/RuntimeEnabledFeatures.h:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226600 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2018-01-08 Michael Saboff <msaboff@apple.com>
+
+ Add a DOM gadget for Spectre testing
+ https://bugs.webkit.org/show_bug.cgi?id=181351
+
+ Reviewed by Michael Saboff.
+
+ Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test
+ Spectre mitigations.
+
+ * runtime/Options.h:
+
2018-01-08 Mark Lam <mark.lam@apple.com>
Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM.
\
v(bool, disableSpectreMitigations, false, Restricted, "Disable Spectre mitigations.") \
\
+ v(bool, enableSpectreGadgets, false, Restricted, "enable gadgets to test Spectre mitigations.") \
+ \
v(bool, useAsyncIterator, enableAsyncIteration, Normal, "Allow to use Async Iterator in JS.") \
\
v(bool, failToCompileWebAssemblyCode, false, Normal, "If true, no Wasm::Plan will sucessfully compile a function.") \
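Review bot: The description string of the new option at L43 starts in lower case while its neighbours ("Disable Spectre mitigations.", "Allow to use Async Iterator in JS.") are sentence-cased, and it does not say what enabling it actually does. Since the same commit makes this flag expose extra DOM operations to web content (see the Comment.idl hunk), the help text should say so, e.g. `v(bool, enableSpectreGadgets, false, Restricted, "Enable test-only DOM/JS gadgets used to test Spectre mitigations.") \`.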
+2018-01-08 Michael Saboff <msaboff@apple.com>
+
+ Add a DOM gadget for Spectre testing
+ https://bugs.webkit.org/show_bug.cgi?id=181351
+
+ Reviewed by Saam Barati.
+
+ This change is used to test Spectre mitigations.
+
+ Added a side data array to the Comment DOM node to test for Spectre issues in
+ the DOM layer. This additional functionality is disabled by default and must
+ be enabled through the JSC option "enableSpectreGadgets".
+
+ * dom/Comment.cpp:
+ (WebCore::Comment::Comment):
+ (WebCore::Comment::setReadLength):
+ (WebCore::Comment::charCodeAt):
+ (WebCore::Comment::clflushReadLength):
+ * dom/Comment.h:
+ * dom/Comment.idl:
+ * page/RuntimeEnabledFeatures.cpp:
+ (WebCore::RuntimeEnabledFeatures::spectreGadgetsEnabled const):
+ * page/RuntimeEnabledFeatures.h:
+
2018-01-08 Said Abou-Hallawa <sabouhallawa@apple.com>
A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject>
#include "Comment.h"
#include "Document.h"
+#include "RuntimeEnabledFeatures.h"
namespace WebCore {
+static constexpr unsigned s_maxDataLength = 100u;
+
inline Comment::Comment(Document& document, const String& text)
: CharacterData(document, text, CreateOther)
{
+ if (RuntimeEnabledFeatures::sharedFeatures().spectreGadgetsEnabled()) {
+ setReadLength(text.length());
+ m_data.resize(s_maxDataLength);
+ m_data.fill(0);
+ m_dataPtr = m_data.data();
+
+ for (size_t i = 0; i < m_readLength; i++)
+ m_data[i] = text.characterAt(i);
+ } else {
+ setReadLength(0);
+ m_dataPtr = nullptr;
+ }
}
Ref<Comment> Comment::create(Document& document, const String& text)
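Review bot: `m_dataPtr = m_data.data()` at L87 stores a raw pointer into the Vector's buffer with no comment on its lifetime, so a later `m_data.resize()`/`append()` anywhere in the class would silently leave `charCodeAt` reading through a dangling pointer. Please document the invariant at that line, e.g. `// m_dataPtr aliases m_data's buffer for the node's lifetime; m_data must not be resized after this.` It also looks like the separate pointer exists so the read in charCodeAt is a plain load rather than going through Vector::operator[] — if that is the intent, saying so in the same comment would keep the next maintainer from "simplifying" it away. The else branch at L91-94 leaves `m_data` empty, which the setReadLength hunk below does not account for (raised there).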
return false;
}
+void Comment::setReadLength(unsigned readLength)
+{
+ m_readLength = std::min(readLength, s_maxDataLength);
+}
+
+unsigned Comment::charCodeAt(unsigned index)
+{
+ if (index < m_readLength)
+ return m_dataPtr[index];
+
+ return 0;
+}
+
+void Comment::clflushReadLength()
+{
+ auto clflush = [] (void* ptr) {
+ char* ptrToFlush = static_cast<char*>(ptr);
+ asm volatile ("clflush %0" :: "m"(*ptrToFlush) : "memory");
+ };
+
+ clflush(&m_readLength);
+}
+
} // namespace WebCore
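Review bot: `setReadLength` at L101 clamps to `s_maxDataLength` rather than to the actual buffer, so on a node constructed with the gadget disabled (`m_data` empty, `m_dataPtr == nullptr`, see the constructor hunk) any C++ caller can raise `m_readLength` up to 100 and the next `charCodeAt(index)` at L107 dereferences a null pointer; the IDL gating only protects the JS entry point. Clamping to the buffer keeps the enabled behaviour identical (`m_data.size() == s_maxDataLength` then) and makes the disabled state safe: `m_readLength = std::min<size_t>(readLength, m_data.size());`. Separately, the inline `clflush` at L116 is x86-only and has no platform guard, so this will not compile on non-x86 targets; wrap the lambda body in `#if CPU(X86) || CPU(X86_64)` … `#else` (no-op or `UNUSED_PARAM`) … `#endif`. A one-line header comment on `clflushReadLength` stating that it is a test-only hook with no effect on other architectures would also help.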
public:
static Ref<Comment> create(Document&, const String&);
+ void setReadLength(unsigned);
+ unsigned charCodeAt(unsigned);
+ void clflushReadLength();
+
private:
Comment(Document&, const String&);
NodeType nodeType() const override;
Ref<Node> cloneNodeInternal(Document&, CloningOperation) override;
bool childTypeAllowed(NodeType) const override;
+
+ Vector<int32_t> m_data;
+ size_t m_readLength;
+ int32_t* m_dataPtr;
};
} // namespace WebCore
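Review bot: The new members at L135-137 have no in-class initializers, so `m_readLength` and `m_dataPtr` are only well-defined because both branches of the constructor happen to assign them; WebKit style elsewhere uses brace initializers for exactly this safety net. Prefer `size_t m_readLength { 0 };` and `int32_t* m_dataPtr { nullptr };` so that a future constructor path that skips the gadget setup still leaves `charCodeAt` returning 0 instead of reading through an indeterminate pointer. Also note that `m_readLength` is `size_t` while `setReadLength`/`charCodeAt` at L125-126 use `unsigned`; picking one type avoids the mixed-width comparison in `charCodeAt`. A short comment above the three public methods saying they are test-only and only reachable when the SpectreGadgets runtime feature is enabled would document why a DOM node carries them.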
ConstructorCallWith=Document,
JSGenerateToJSObject
] interface Comment : CharacterData {
+ [EnabledAtRuntime=SpectreGadgets] void setReadLength(unsigned long readLength);
+ [EnabledAtRuntime=SpectreGadgets] unsigned long charCodeAt(unsigned long index);
+ [EnabledAtRuntime=SpectreGadgets] void clflushReadLength();
};
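Review bot: The three operations added at L143-145 are web-exposed test hooks, and nothing in the IDL says so; a reader of this interface later will not know they are gated behind a JSC option and must never be enabled in a shipping configuration. Add a comment above them, e.g. `// Test-only Spectre gadget hooks; exposed only when the JSC option enableSpectreGadgets is set. Not for production use.`, so the `[EnabledAtRuntime=SpectreGadgets]` attribute is understood as the sole gate for this surface.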
#include "RuntimeEnabledFeatures.h"
#include "MediaPlayer.h"
+#include <JavaScriptCore/Options.h>
#include <wtf/NeverDestroyed.h>
namespace WebCore {
return runtimeEnabledFeatures;
}
+bool RuntimeEnabledFeatures::spectreGadgetsEnabled() const
+{
+ return JSC::Options::enableSpectreGadgets();
+}
+
#if ENABLE(VIDEO)
bool RuntimeEnabledFeatures::audioEnabled() const
{
void setServiceWorkerEnabled(bool isEnabled) { m_serviceWorkerEnabled = isEnabled; }
#endif
+ bool spectreGadgetsEnabled() const;
+
#if ENABLE(VIDEO)
bool audioEnabled() const;
#endif