Add back retpoline for indirect function calls in wasm |
||||||||||||||
Issue descriptionWhen we moved WebAssembly code off-heap, we accidentally removed the retpoline used for indirect calls. The switch happened in https://crrev.com/c/856999 (January 2018, M65). We will need to add it back, and merge that to M67 and possibly M66.
,
May 7 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/79c7e1897a78e057c6d59b48205ddb88fa835b4c commit 79c7e1897a78e057c6d59b48205ddb88fa835b4c Author: Clemens Hammacher <clemensh@chromium.org> Date: Mon May 07 16:27:08 2018 [wasm] Use retpoline for indirect calls Retpolines were never used for off-heap wasm code. This CL adds them. R=titzer@chromium.org Bug: chromium:840376 , chromium:798964 Change-Id: I9f1b2150cce484f831a83663d1fb06555e7eac82 Reviewed-on: https://chromium-review.googlesource.com/1047385 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#53036} [modify] https://crrev.com/79c7e1897a78e057c6d59b48205ddb88fa835b4c/src/compiler/wasm-compiler.cc [modify] https://crrev.com/79c7e1897a78e057c6d59b48205ddb88fa835b4c/src/compiler/wasm-compiler.h
,
May 7 2018
*** Bulk Edit *** M67 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. If fix is already merged to M67 and nothing else is pending, pls mark the bug as fixed. Thank you.
,
May 7 2018
Waiting for canary coverage.
,
May 8 2018
,
May 8 2018
Adding merge request labels to get this on folk's radars
,
May 8 2018
This bug requires manual review: Less than 17 days to go before AppStore submit on M67 Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 8 2018
This did not make it into today's canary, but will be included in the next one. Looking at the history of retpolines in wasm again, it seems that we never shipped a version with retpolines enabled. Support for retpolines was added in https://crrev.com/c/867063 (in January), but was only (partially) enabled for WebAssembly in https://crrev.com/c/885181 (in March). That CL landed after the M67 branch, and never had any effect since that code path was already dead after https://crrev.com/c/856999 (January).
,
May 8 2018
+awhalley@ (Security TPM) for M67/M66 merge review. +abdulsyed@ & cmasso@ as FYI
,
May 8 2018
Per thread, OK to just get this into 67, once it's had some more coverage (not sure if it'll squeak into today's 68 dev or not)
,
May 8 2018
clemensh@, pls update the bug with canary result tomorrow. I don't think this change made it today's M68 Dev #68.0.3423.2.
,
May 9 2018
The NextAction date has arrived: 2018-05-09
,
May 9 2018
Canary is out for eight hours, nothing related to this showed up yet.
,
May 10 2018
govind@ - good for 67
,
May 11 2018
Approving merge to M67 branch 3396 based on comment #14. Pls merge ASAP. Thank you.
,
May 14 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/d7bd86585d7ef70f932923dc2e0e0b81aa4cfafc commit d7bd86585d7ef70f932923dc2e0e0b81aa4cfafc Author: Clemens Hammacher <clemensh@chromium.org> Date: Mon May 14 09:48:33 2018 Merged: [wasm] Use retpoline for indirect calls Retpolines were never used for off-heap wasm code. This CL adds them. R=titzer@chromium.org No-Try: true No-Presubmit: true No-Treechecks: true Bug: chromium:840376 , chromium:798964 Change-Id: I4ccf3d0ad8c6390f40310de0f941db1456efadc5 Originally-reviewed-on: https://chromium-review.googlesource.com/1047385 Reviewed-on: https://chromium-review.googlesource.com/1056987 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/branch-heads/6.7@{#63} Cr-Branched-From: 8457e810efd34381448d51d93f50079cf1f6a812-refs/heads/6.7.288@{#2} Cr-Branched-From: e921be5c4f2c6407936bde750992dedbf47c1016-refs/heads/master@{#52547} [modify] https://crrev.com/d7bd86585d7ef70f932923dc2e0e0b81aa4cfafc/src/compiler/wasm-compiler.cc [modify] https://crrev.com/d7bd86585d7ef70f932923dc2e0e0b81aa4cfafc/src/compiler/wasm-compiler.h [modify] https://crrev.com/d7bd86585d7ef70f932923dc2e0e0b81aa4cfafc/src/compiler/wasm-linkage.cc
,
May 14 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/dba31f67b77cb5a86e410ba7377cf7ee49862233 commit dba31f67b77cb5a86e410ba7377cf7ee49862233 Author: Clemens Hammacher <clemensh@chromium.org> Date: Mon May 14 10:03:02 2018 [wasm] Only use retpoline if untrusted code mitigations are enabled We accidentally always enabled retpolines for indirect calls in https://crrev.com/c/1047385. This regresses performance and code size unnecessarily if the --no-untrusted-code-mitigations flag is used. R=titzer@chromium.org Bug: chromium:840376 , chromium:798964 Change-Id: I6bab130e33d0dafa1f547ebf7e7930a23c4eba20 Reviewed-on: https://chromium-review.googlesource.com/1057128 Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#53142} [modify] https://crrev.com/dba31f67b77cb5a86e410ba7377cf7ee49862233/src/compiler/wasm-compiler.cc
,
May 14 2018
,
May 14 2018
,
May 29 2018
,
Aug 14
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||
►
Sign in to add a comment |
||||||||||||||
Comment 1 by clemensh@chromium.org
, May 7 2018