Hi all, I've been recently investigating type confusion errors in the TurboFan JIT (such as this <https://bugs.chromium.org/p/project-zero/issues/detail?id=1710> and this <https://bugs.chromium.org/p/chromium/issues/detail?id=762874&can=2&q=762874&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified>). I am doing this by creating systems that mutate the V8 graph and add pass-through "assertion" nodes that verify that the actual type of a value at runtime indeed matches the type computed by TurboFan's typer.
One of the systems I have built runs in pipeline.cc and adds a "range checking node" after every inferred range analysis, which verifies that V8's typer system correctly computes ranges in the Typer phase. This is very similar to existing functionality in other JITs such as IonMonkey <https://dxr.mozilla.org/mozilla-central/source/js/src/jit/RangeAnalysis.cpp?q=rangeanalysis.cpp&redirect_type=direct#2375>, which already use this to catch bugs in range analysis that can lead to security vulnerabilities. I have verified that my system catches artificially introduced errors in range computation, and does not introduce false positives in existing tests. It is also enabled as a d8 command-line flag, so it can be used in the fuzzer.

I think this range checking would be useful for catching range analysis-related security vulnerabilities in the future, especially given that it's been used in other JITs. I have working code, but before going through the code submission process, I wanted to ask if there was anything to be aware of independent of implementation (such as existing duplicate functionality) that would be reasons not to ship this feature.

(This is my first time contributing to V8, so my apologies if there's a different way of going about this process - thank you in advance!)

Neil
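To make the mechanism described in the post concrete, here is an added toy model of it. This is illustration code written for this page, not the poster's patch and not V8 code: it uses a hypothetical five-operation integer IR, an interval-arithmetic "typer" in the style of range analysis, and an evaluator that runs a pass-through range check after every node, recording any node whose runtime value falls outside the interval the typer computed. The `buggy_mul` flag stands in for an "artificially introduced error" in the multiplication rule (it ignores operand signs), and the sample graph and inputs are constructed here.

```cpp
// Toy model of range analysis plus pass-through range-check nodes.
// Not V8 code: hypothetical IR, hypothetical typer, constructed sample graph.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Range { int64_t lo, hi; };

enum class Op { Param, Const, Add, Sub, Mul };

// One graph node. Param carries the range the caller promises for its input
// (imm = parameter index), Const carries its value in imm, binary ops
// reference two earlier node indices a and b.
struct Node {
  Op op;
  int64_t imm = 0;
  int a = -1, b = -1;
  Range declared{0, 0};  // Param only
};

// The "typer": interval arithmetic over already-typed predecessors.
// With buggy_mul set, Mul uses [lo*lo, hi*hi], which is wrong as soon as an
// operand range contains negative values (the artificially introduced bug).
static Range TypeNode(const std::vector<Node>& g, const std::vector<Range>& t,
                      int i, bool buggy_mul) {
  const Node& n = g[i];
  switch (n.op) {
    case Op::Param: return n.declared;
    case Op::Const: return {n.imm, n.imm};
    case Op::Add: return {t[n.a].lo + t[n.b].lo, t[n.a].hi + t[n.b].hi};
    case Op::Sub: return {t[n.a].lo - t[n.b].hi, t[n.a].hi - t[n.b].lo};
    case Op::Mul: {
      if (buggy_mul) return {t[n.a].lo * t[n.b].lo, t[n.a].hi * t[n.b].hi};
      int64_t p[4] = {t[n.a].lo * t[n.b].lo, t[n.a].lo * t[n.b].hi,
                      t[n.a].hi * t[n.b].lo, t[n.a].hi * t[n.b].hi};
      return {*std::min_element(p, p + 4), *std::max_element(p, p + 4)};
    }
  }
  return {INT64_MIN, INT64_MAX};
}

// Evaluates the graph on concrete inputs. After each node, the range-check
// "node" fires: if the runtime value leaves the typed interval, the node's
// index is recorded. In a real pipeline this would be a fatal assertion.
std::vector<int> RunWithRangeChecks(const std::vector<Node>& g,
                                    const std::vector<int64_t>& inputs,
                                    bool buggy_mul) {
  std::vector<Range> types(g.size());
  std::vector<int64_t> vals(g.size());
  std::vector<int> violations;
  for (size_t i = 0; i < g.size(); ++i) {
    types[i] = TypeNode(g, types, static_cast<int>(i), buggy_mul);
    const Node& n = g[i];
    switch (n.op) {
      case Op::Param: vals[i] = inputs[static_cast<size_t>(n.imm)]; break;
      case Op::Const: vals[i] = n.imm; break;
      case Op::Add: vals[i] = vals[n.a] + vals[n.b]; break;
      case Op::Sub: vals[i] = vals[n.a] - vals[n.b]; break;
      case Op::Mul: vals[i] = vals[n.a] * vals[n.b]; break;
    }
    // Pass-through range check: lo <= value <= hi must hold.
    if (vals[i] < types[i].lo || vals[i] > types[i].hi)
      violations.push_back(static_cast<int>(i));
  }
  return violations;
}

// Constructed sample graph: f(x, y) = (x * y) + 1 with x in [-3, 3], y in [0, 4].
// The correct typer gives x*y the range [-12, 12]; the buggy rule gives [0, 12].
std::vector<Node> SampleGraph() {
  return {
      {Op::Param, 0, -1, -1, {-3, 3}},
      {Op::Param, 1, -1, -1, {0, 4}},
      {Op::Mul, 0, 0, 1},
      {Op::Const, 1},
      {Op::Add, 0, 2, 3},
  };
}

int main() {
  std::vector<int64_t> in{-2, 3};  // x*y = -6, outside the buggy range
  std::printf("correct typer violations: %zu\n",
              RunWithRangeChecks(SampleGraph(), in, false).size());
  std::printf("buggy typer violations:   %zu\n",
              RunWithRangeChecks(SampleGraph(), in, true).size());
  return 0;
}
```

With inputs (-2, 3) the correct typer produces no violations, while the buggy multiplication rule is caught at the Mul node and again at the Add node that consumes it, since the wrong interval propagates downstream; with inputs (2, 3) the buggy typer happens to be right and the checker stays silent, which is why the post's point about running the check under a fuzzer matters.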
