Randomize the seed used for string hashing. This helps guard against (issue 9086006)

14 views
Skip to first unread message

erik....@gmail.com

unread,
Jan 4, 2012, 9:06:48 AM1/4/12
to veg...@chromium.org, v8-...@googlegroups.com
Reviewers: Vyacheslav Egorov,

Description:
Randomize the seed used for string hashing. This helps guard against
CPU-eating DOS attacks against node.js servers. Based on code from
Bert Belder. This version only solves the issue for those that compile
V8 themselves or those that do not use snapshots. A snapshot-based
precompiled V8 will still have predictable string hash codes.

Please review this at http://codereview.chromium.org/9086006/

SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge/

Affected files:
M src/arm/code-stubs-arm.cc
M src/flag-definitions.h
M src/heap.h
M src/heap.cc
M src/ia32/code-stubs-ia32.cc
M src/mips/code-stubs-mips.cc
M src/objects-inl.h
M src/objects.h
M src/objects.cc
M src/profile-generator.cc
M src/x64/code-stubs-x64.cc
M test/mjsunit/debug-evaluate-locals-optimized-double.js
M test/mjsunit/debug-evaluate-locals-optimized.js


veg...@chromium.org

unread,
Jan 4, 2012, 9:30:56 AM1/4/12
to erik....@gmail.com, v8-...@googlegroups.com
lgtm


http://codereview.chromium.org/9086006/diff/1/src/flag-definitions.h
File src/flag-definitions.h (right):

http://codereview.chromium.org/9086006/diff/1/src/flag-definitions.h#newcode352
src/flag-definitions.h:352: DEFINE_bool(randomize_string_hashes,
Maybe it should be noted that data in the snapshot (if present) will
supersede these flags

http://codereview.chromium.org/9086006/diff/1/src/mips/code-stubs-mips.cc
File src/mips/code-stubs-mips.cc (left):

http://codereview.chromium.org/9086006/diff/1/src/mips/code-stubs-mips.cc#oldcode5929
src/mips/code-stubs-mips.cc:5929: // hash = character + (character <<
10);
comment is outdated

http://codereview.chromium.org/9086006/diff/1/src/objects.cc
File src/objects.cc (right):

http://codereview.chromium.org/9086006/diff/1/src/objects.cc#newcode6696
src/objects.cc:6696: #endif
I think this should be checked only when slow assertions are enabled.

http://codereview.chromium.org/9086006/

erik....@gmail.com

unread,
Jan 4, 2012, 10:48:59 AM1/4/12
to veg...@chromium.org, v8-...@googlegroups.com

http://codereview.chromium.org/9086006/diff/1/src/flag-definitions.h
File src/flag-definitions.h (right):

http://codereview.chromium.org/9086006/diff/1/src/flag-definitions.h#newcode352
src/flag-definitions.h:352: DEFINE_bool(randomize_string_hashes,

On 2012/01/04 14:30:57, Vyacheslav Egorov wrote:
> Maybe it should be noted that data in the snapshot (if present) will
supersede
> these flags

Done.

http://codereview.chromium.org/9086006/diff/1/src/mips/code-stubs-mips.cc
File src/mips/code-stubs-mips.cc (left):

http://codereview.chromium.org/9086006/diff/1/src/mips/code-stubs-mips.cc#oldcode5929
src/mips/code-stubs-mips.cc:5929: // hash = character + (character <<
10);

On 2012/01/04 14:30:57, Vyacheslav Egorov wrote:
> comment is outdated

Done.

http://codereview.chromium.org/9086006/diff/1/src/objects.cc
File src/objects.cc (right):

http://codereview.chromium.org/9086006/diff/1/src/objects.cc#newcode6696
src/objects.cc:6696: #endif

On 2012/01/04 14:30:57, Vyacheslav Egorov wrote:
> I think this should be checked only when slow assertions are enabled.

Done.

http://codereview.chromium.org/9086006/

coldre...@gmail.com

unread,
Jan 4, 2012, 6:46:56 PM1/4/12
to erik....@gmail.com, veg...@chromium.org, v8-...@googlegroups.com
Hi Erik, Can you back port this to 3.6?

feel free to use my attempt if it is correct -
https://gist.github.com/d5fcb57e00e1a32475b4

http://codereview.chromium.org/9086006/

coldre...@gmail.com

unread,
Jan 5, 2012, 5:33:47 PM1/5/12
to erik....@gmail.com, veg...@chromium.org, v8-...@googlegroups.com
I talked with Slave a bit today and tried to get the patch working on 3.6
but
it's crashing on many of the tests. This is the patch I'm using -
https://gist.github.com/1567443

for example:

=== release array-constructor ===
Path: mjsunit/array-constructor
Command: /Users/ryan/projects/node-v0.6/deps/v8/d8
/Users/ryan/projects/node-v0.6/deps/v8/test/mjsunit/mjsunit.js
/Users/ryan/projects/node-v0.6/deps/v8/test/mjsunit/array-constructor.js
--test
--- CRASHED ---


http://codereview.chromium.org/9086006/

coldre...@gmail.com

unread,
Jan 5, 2012, 5:34:27 PM1/5/12
to erik....@gmail.com, veg...@chromium.org, v8-...@googlegroups.com
On 2012/01/05 22:33:47, ry wrote:
> I talked with Slave

s/Slave/Slav/ sorry

http://codereview.chromium.org/9086006/

Reply all
Reply to author
Forward
0 new messages