A Report from V8

Spectre Badness, Torque Goodness

April 2018

Michael Stanton

  • Google V8: Compiler Team/Manager
  • V8: Feedback Vectors, TurboFan
  • Cats, climbing and old typewriters :p

V8 Team, based in Munich

  • ~25 people
  • A few in San Francisco and London

We work on Chromium

  • Open source
  • Branded also as "Chrome"
  • Chromium is huge - we only know a part!

V8 has many features

  • "Hidden Classes"
  • ICs (Inline caches) - how we learn
  • Generational Garbage Collector
  • Pipelined Architecture

Compilation pipeline with learning

Source
Code

Ignition

Byte
Code

Run for a while

Gather feedback

Google proprietary

Compilation pipeline with learning

Source
Code

Ignition

Turbofan

Byte
Code

Optimized
Code

Google proprietary

Compilation pipeline with learning

Source
Code

Ignition

Turbofan

Byte
Code

Optimized
Code

Deoptimization

Google proprietary

TurboFan

  • The "Last Step" in the Pipeline
  • Inlining
  • Allocation Folding
  • Escape Analysis
  • Load Elimination
  • Write Barrier Elimination
  • etc!

Spectre

  • Speculative Execution exposes secrets
  • Chromium architecture is vulnerable ("rogue ads")
  • Optimizing JavaScript compilers are vulnerable

function lookup(i) {
  let data = 0;
  if (i < secret_size) {
    data = memory[ secret[i] ];
  }
  return data;
}

IFRAME boundary

// pass "nice" values to lookup to train
// the branch predictor
train();

// flush the memory array from the cache
fill_cache_with_junk();

// Pass a "bad" (out of bounds) i value
attack(bi);

// Which region of memory array load
// quickly? 
region = sense();  // timers!

secret_at_bi = compute(memory, region, bi);

Fencing


function lookup(i) {
  let data = 0;
  if (i < secret_size) {
    LFENCE();
    data = memory[ secret[i] ];
  }
  return data;
}

Costs a lot

Masking

 


function lookup(i) {
  let data = 0;
  let MASK = 0xffffffff;
  {MASK, O} = i < secret_size;
  if (O) {
    data = memory[ MASK & secret[i] ];
  }
  return data;
}

Not really JavaScript anymore...

Masking

 


MASK = 0xffffffff;  // CPU register

function lookup(i) {
  let data = 0;
  {MASK, O} = i < secret_size;
  if (O) {
    data = memory[ MASK & secret[i] ];
  }
  return data;
}

Not really JavaScript anymore...

Problems

  • New speculative attacks appear
  • How to test our mitigations?
  • Complexity
    • Does violence to our abstractions

What to do?

  • Move to full site isolation
  • Costs memory, some platforms need the mitigations
  • Longer term: Control Flow Integrity (CFI)

Torque

All the ways to implement a builtin

JavaScript Builtins

  • Array forEach, filter, map, splice, etc.
  • Need to be predictably fast
  • Tension: JavaScript is complex!

JavaScript Builtins

  • Array forEach, filter, map, splice, etc.
  • Need to be predictably fast
  • Tension: JavaScript is complex!
  • Spec compliant
  • Simple
  • Slow/cliffy :(
  • Cliffs/bailouts
  • Complex
  • Fast! :)

JavaScript

Assembly? C++?
Some unholy combination?

Some history

  • Some builtins were in hand-coded assembly
  • Others in JavaScript
  • Others had a C++ "fast path," and would bail out to JavaScript
  • Others had an assembly fast path, would fall back to C++, which would then fall back to JavaScript

Questions?

Google proprietary

Shameless plug

Geek Meetup April 2018

By ripsawridge

Geek Meetup April 2018

Google Chrome V8

  • 1,233