Hi all -- I'm implementing Spectre mitigations on the explicit heap bounds checks, motivated by the need for this in the SpiderMonkey/aarch64 embedding. There's a question of whether we also expend effort to build this out for the (legacy) x86 backend; it's a bit nontrivial (but do-able) to do so. The major reason not to is that by default, the x86 backend uses a 4GB guard region ("huge heap mode", I think it's called?) so no checks are needed at all; this only matters with non-default options. Is everyone OK with saying that the huge-heap mode is our Spectre-safe option on x86? We plan to also put the mitigations behind a flag that's on by default, and we could perhaps error out if this flag is not explicitly turned off with small-heap / explicit-check x86 variants.
It seems reasonable to me not to add the mitigations to the old x86 backend, yes
PSA: as https://github.com/bytecodealliance/wasmtime/pull/1930 may land soon, and Spectre mitigations will be enabled by default as part of this patch, embedders who are using explicit bounds checks for heaps should be aware that there's going to be a small performance cost implied by this, and that they might want to disable the spectre checks if their environment makes it safe to do so.
For what it's worth, wasmtime uses implicit bounds check (via the "huge memory" involving signal handlers tricks), so this is not going to affect Wasmtime, as far as i can tell.
@Benjamin Bouvier thank you for the PSA! Two questions: do we have any estimates of the slowdown, and how it might vary for different uses? And, do you know if it is possible to disable this in embeddings? I could imagine some use cases, such as YoWASP, being affected that might want to disable this
Maybe also post the PSA at https://github.com/bytecodealliance/wasmtime/issues/1096?
@Till Schneidereit It good question! We haven't collected numbers, but it shouldn't be "a lot" (generate imm 0 + cmov after each heap bounds check). It is entirely possible to disable it using the setting introduced in this commit, enable_heap_access_spectre_mitigation
to false.
@bjorn3 thanks! mentioned it with the extra information in the evergreen thread too.
@Benjamin Bouvier ok, that makes sense. We might eventually want to have a higher-level "don't mitigate side-channel attackes" switch for embedders, but that's obviously out of scope for this change
Last updated: Dec 23 2024 at 13:07 UTC