Changeset 123856 in webkit

Timestamp:

Jul 27, 2012, 2:37:51 AM (13 years ago)

Author:

abarth@webkit.org

Message:

Add a Setting to expose quantized, rate-limited MemoryInfo values
​https://bugs.webkit.org/show_bug.cgi?id=80444

Reviewed by Eric Seidel.

We do not currently expose real MemoryInfo objects to the web unless
the user opts in because we're worried that this memory information
could be used in side-channel attacks.

We've gotten feedback from a number of web app developers that this
information is very useful in tracking the performance of their
applications. These developers use the setting in their testing labs
and regression harnesses to catch memory leaks and regressiosn early in
their development cycle.

Some of these developers have experimented with enabling this feature
within their enterprise and have found the memory data from the field
extremely useful in tracking down memory issues that slip through their
testing.

Based on this experience, they've asked whether we can enable this
functionality on a wider scale so they catch even more problems
including problems that don't manifest within their enterprise.
Because we're still worried about side-channel attacks, we don't want
to expose the raw data, so we've talked with these folks in more detail
to understand what information they find most valuable.

This patch is the result of those discussions. In particular, this
patch adds an option to expose quantized and rate-limited memory
information to web pages. Web pages can only learn new data every 20
minutes, which helps mitigate attacks where the attacker compares two
or readings to extract side-channel information. The patch also only
reports 100 distinct memory values, which (combined with the rate
limts) makes it difficult for attackers to learn about small changes in
memory use.

• page/MemoryInfo.cpp:

(WebCore):
(HeapSizeCache):
(WebCore::HeapSizeCache::HeapSizeCache):
(WebCore::HeapSizeCache::getCachedHeapSize):
(WebCore::HeapSizeCache::maybeUpdate):
(WebCore::HeapSizeCache::update):
(WebCore::HeapSizeCache::quantize):
(WebCore::MemoryInfo::MemoryInfo):

• page/Settings.cpp:

(WebCore::Settings::Settings):

• page/Settings.h:

(WebCore::Settings::setQuantizedMemoryInfoEnabled):
(WebCore::Settings::quantizedMemoryInfoEnabled):
(Settings):

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/ScriptGCEvent.cpp (modified) (1 diff)
• WebCore/bindings/js/ScriptGCEvent.h (modified) (2 diffs)
• WebCore/bindings/v8/ScriptGCEvent.cpp (modified) (1 diff)
• WebCore/bindings/v8/ScriptGCEvent.h (modified) (2 diffs)
• WebCore/inspector/InspectorMemoryAgent.cpp (modified) (1 diff)
• WebCore/inspector/InspectorTimelineAgent.cpp (modified) (1 diff)
• WebCore/page/MemoryInfo.cpp (modified) (1 diff)
• WebCore/page/MemoryInfo.h (modified) (2 diffs)
• WebCore/page/Settings.cpp (modified) (1 diff)
• WebCore/page/Settings.h (modified) (2 diffs)
• WebKit/chromium/WebKit.gypi (modified) (1 diff)
• WebKit/chromium/tests/MemoryInfo.cpp (copied) (copied from trunk/Source/WebCore/page/MemoryInfo.cpp ) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-07-27  Adam Barth  <abarth@webkit.org>
+
+        Add a Setting to expose quantized, rate-limited MemoryInfo values
+        https://bugs.webkit.org/show_bug.cgi?id=80444
+
+        Reviewed by Eric Seidel.
+
+        We do not currently expose real MemoryInfo objects to the web unless
+        the user opts in because we're worried that this memory information
+        could be used in side-channel attacks.
+
+        We've gotten feedback from a number of web app developers that this
+        information is very useful in tracking the performance of their
+        applications.  These developers use the setting in their testing labs
+        and regression harnesses to catch memory leaks and regressiosn early in
+        their development cycle.
+
+        Some of these developers have experimented with enabling this feature
+        within their enterprise and have found the memory data from the field
+        extremely useful in tracking down memory issues that slip through their
+        testing.
+
+        Based on this experience, they've asked whether we can enable this
+        functionality on a wider scale so they catch even more problems
+        including problems that don't manifest within their enterprise.
+        Because we're still worried about side-channel attacks, we don't want
+        to expose the raw data, so we've talked with these folks in more detail
+        to understand what information they find most valuable.
+
+        This patch is the result of those discussions.  In particular, this
+        patch adds an option to expose quantized and rate-limited memory
+        information to web pages.  Web pages can only learn new data every 20
+        minutes, which helps mitigate attacks where the attacker compares two
+        or readings to extract side-channel information.  The patch also only
+        reports 100 distinct memory values, which (combined with the rate
+        limts) makes it difficult for attackers to learn about small changes in
+        memory use.
+
+        * page/MemoryInfo.cpp:
+        (WebCore):
+        (HeapSizeCache):
+        (WebCore::HeapSizeCache::HeapSizeCache):
+        (WebCore::HeapSizeCache::getCachedHeapSize):
+        (WebCore::HeapSizeCache::maybeUpdate):
+        (WebCore::HeapSizeCache::update):
+        (WebCore::HeapSizeCache::quantize):
+        (WebCore::MemoryInfo::MemoryInfo):
+        * page/Settings.cpp:
+        (WebCore::Settings::Settings):
+        * page/Settings.h:
+        (WebCore::Settings::setQuantizedMemoryInfoEnabled):
+        (WebCore::Settings::quantizedMemoryInfoEnabled):
+        (Settings):
+
 2012-07-27  Vsevolod Vlasov  <vsevik@chromium.org>
 

trunk/Source/WebCore/bindings/js/ScriptGCEvent.cpp

@@ -44 +44 @@
 using namespace JSC;
 
-void ScriptGCEvent::getHeapSize(size_t& usedHeapSize, size_t& totalHeapSize, size_t& heapSizeLimit)
+void ScriptGCEvent::getHeapSize(HeapInfo& info)
 {
     JSGlobalData* globalData = JSDOMWindow::commonJSGlobalData();
-    totalHeapSize = globalData->heap.capacity();
-    usedHeapSize = globalData->heap.size();
-    heapSizeLimit = 0;
+    info.totalJSHeapSize = globalData->heap.capacity();
+    info.usedJSHeapSize = globalData->heap.size();
+    info.jsHeapSizeLimit = 0;
 }
 

trunk/Source/WebCore/bindings/js/ScriptGCEvent.h

@@ -38 +38 @@
 class ScriptGCEventListener;
 
+struct HeapInfo {
+    HeapInfo()
+        : usedJSHeapSize(0)
+        , totalJSHeapSize(0)
+        , jsHeapSizeLimit(0)
+    {
+    }
+
+    size_t usedJSHeapSize;
+    size_t totalJSHeapSize;
+    size_t jsHeapSizeLimit;
+};
+
 class ScriptGCEvent
 {
@@ -43 +56 @@
     static void addEventListener(ScriptGCEventListener*) { }
     static void removeEventListener(ScriptGCEventListener*) { }
-    static void getHeapSize(size_t& usedHeapSize, size_t& totalHeapSize, size_t& heapSizeLimit);
+    static void getHeapSize(HeapInfo&);
 };
 

trunk/Source/WebCore/bindings/v8/ScriptGCEvent.cpp

@@ -72 +72 @@
 }
 
-void ScriptGCEvent::getHeapSize(size_t& usedHeapSize, size_t& totalHeapSize, size_t& heapSizeLimit)
+void ScriptGCEvent::getHeapSize(HeapInfo& info)
 {
     v8::HeapStatistics heapStatistics;
     v8::V8::GetHeapStatistics(&heapStatistics);
-    usedHeapSize = heapStatistics.used_heap_size();
-    totalHeapSize = heapStatistics.total_heap_size();
-    heapSizeLimit = heapStatistics.heap_size_limit();
+    info.usedJSHeapSize = heapStatistics.used_heap_size();
+    info.totalJSHeapSize = heapStatistics.total_heap_size();
+    info.jsHeapSizeLimit = heapStatistics.heap_size_limit();
 }
 

trunk/Source/WebCore/bindings/v8/ScriptGCEvent.h

@@ -41 +41 @@
 class ScriptGCEventListener;
 
+struct HeapInfo {
+    HeapInfo()
+        : usedJSHeapSize(0)
+        , totalJSHeapSize(0)
+        , jsHeapSizeLimit(0)
+    {
+    }
+
+    size_t usedJSHeapSize;
+    size_t totalJSHeapSize;
+    size_t jsHeapSizeLimit;
+};
+
 class ScriptGCEvent
 {
@@ -46 +59 @@
     static void addEventListener(ScriptGCEventListener*);
     static void removeEventListener(ScriptGCEventListener*);
-    static void getHeapSize(size_t&, size_t&, size_t&);
+    static void getHeapSize(HeapInfo&);
+
 private:
     static void gcEpilogueCallback(v8::GCType type, v8::GCCallbackFlags flags);

trunk/Source/WebCore/inspector/InspectorMemoryAgent.cpp

@@ -418 +418 @@
 static PassRefPtr<InspectorMemoryBlock> jsHeapInfo()
 {
-    size_t usedJSHeapSize;
-    size_t totalJSHeapSize;
-    size_t jsHeapSizeLimit;
-    ScriptGCEvent::getHeapSize(usedJSHeapSize, totalJSHeapSize, jsHeapSizeLimit);
+    HeapInfo info;
+    ScriptGCEvent::getHeapSize(info);
 
     RefPtr<InspectorMemoryBlock> jsHeapAllocated = InspectorMemoryBlock::create().setName(MemoryBlockName::jsHeapAllocated);
-    jsHeapAllocated->setSize(totalJSHeapSize);
+    jsHeapAllocated->setSize(static_cast<int>(info.totalJSHeapSize));
 
     RefPtr<TypeBuilder::Array<InspectorMemoryBlock> > children = TypeBuilder::Array<InspectorMemoryBlock>::create();
     RefPtr<InspectorMemoryBlock> jsHeapUsed = InspectorMemoryBlock::create().setName(MemoryBlockName::jsHeapUsed);
-    jsHeapUsed->setSize(usedJSHeapSize);
+    jsHeapUsed->setSize(static_cast<int>(info.usedJSHeapSize));
     children->addItem(jsHeapUsed);
 

trunk/Source/WebCore/inspector/InspectorTimelineAgent.cpp

@@ -468 +468 @@
 void InspectorTimelineAgent::setHeapSizeStatistics(InspectorObject* record)
 {
-    size_t usedHeapSize = 0;
-    size_t totalHeapSize = 0;
-    size_t heapSizeLimit = 0;
-    ScriptGCEvent::getHeapSize(usedHeapSize, totalHeapSize, heapSizeLimit);
-    record->setNumber("usedHeapSize", usedHeapSize);
-    record->setNumber("totalHeapSize", totalHeapSize);
+    HeapInfo info;
+    ScriptGCEvent::getHeapSize(info);
+    record->setNumber("usedHeapSize", info.usedJSHeapSize);
+    record->setNumber("totalHeapSize", info.totalJSHeapSize);
 
     if (m_state->getBoolean(TimelineAgentState::includeMemoryDetails)) {

trunk/Source/WebCore/page/MemoryInfo.cpp

@@ -35 +35 @@
 #include "ScriptGCEvent.h"
 #include "Settings.h"
+#include <limits>
+#include <wtf/CurrentTime.h>
+#include <wtf/MainThread.h>
 
 namespace WebCore {
 
+#if ENABLE(INSPECTOR)
+
+class HeapSizeCache {
+    WTF_MAKE_NONCOPYABLE(HeapSizeCache);
+public:
+    HeapSizeCache()
+        : m_lastUpdateTime(0)
+    {
+    }
+
+    void getCachedHeapSize(HeapInfo& info)
+    {
+        maybeUpdate();
+        info = m_info;
+    }
+
+private:
+    void maybeUpdate()
+    {
+        // We rate-limit queries to once every twenty minutes to make it more difficult
+        // for attackers to compare memory usage before and after some event.
+        const double TwentyMinutesInSeconds = 20 * 60;
+
+        double now = monotonicallyIncreasingTime();
+        if (now - m_lastUpdateTime >= TwentyMinutesInSeconds) {
+            update();
+            m_lastUpdateTime = now;
+        }
+    }
+
+    void update()
+    {
+        ScriptGCEvent::getHeapSize(m_info);
+        m_info.usedJSHeapSize = quantizeMemorySize(m_info.usedJSHeapSize);
+        m_info.totalJSHeapSize = quantizeMemorySize(m_info.totalJSHeapSize);
+        m_info.jsHeapSizeLimit = quantizeMemorySize(m_info.jsHeapSizeLimit);
+    }
+
+    double m_lastUpdateTime;
+
+    HeapInfo m_info;
+};
+
+// We quantize the sizes to make it more difficult for an attacker to see precise
+// impact of operations on memory. The values are used for performance tuning,
+// and hence don't need to be as refined when the value is large, so we threshold
+// at a list of exponentially separated buckets.
+size_t quantizeMemorySize(size_t size)
+{
+    const int numberOfBuckets = 100;
+    DEFINE_STATIC_LOCAL(Vector<size_t>, bucketSizeList, ());
+
+    ASSERT(isMainThread());
+    if (bucketSizeList.isEmpty()) {
+        bucketSizeList.resize(numberOfBuckets);
+
+        float sizeOfNextBucket = 10000000.0; // First bucket size is roughly 10M.
+        const float largestBucketSize = 4000000000.0; // Roughly 4GB.
+        // We scale with the Nth root of the ratio, so that we use all the bucktes.
+        const float scalingFactor = exp(log(largestBucketSize / sizeOfNextBucket) / numberOfBuckets);
+
+        size_t nextPowerOfTen = static_cast<size_t>(pow(10, floor(log10(sizeOfNextBucket)) + 1) + 0.5);
+        size_t granularity = nextPowerOfTen / 1000; // We want 3 signficant digits.
+
+        for (int i = 0; i < numberOfBuckets; ++i) {
+            size_t currentBucketSize = static_cast<size_t>(sizeOfNextBucket);
+            bucketSizeList[i] = currentBucketSize - (currentBucketSize % granularity);
+
+            sizeOfNextBucket *= scalingFactor;
+            if (sizeOfNextBucket >= nextPowerOfTen) {
+                if (std::numeric_limits<size_t>::max() / 10 <= nextPowerOfTen)
+                    nextPowerOfTen = std::numeric_limits<size_t>::max();                       
+                else {
+                    nextPowerOfTen *= 10;
+                    granularity *= 10;
+                }
+            }
+
+            // Watch out for overflow, if the range is too large for size_t.
+            if (i > 0 && bucketSizeList[i] < bucketSizeList[i - 1])
+                bucketSizeList[i] = std::numeric_limits<size_t>::max();
+        }
+    }
+
+    for (int i = 0; i < numberOfBuckets; ++i) {
+        if (size <= bucketSizeList[i])
+            return bucketSizeList[i];
+    }
+
+    return bucketSizeList[numberOfBuckets - 1];
+}
+
+#endif
+
 MemoryInfo::MemoryInfo(Frame* frame)
-        : m_totalJSHeapSize(0),
-          m_usedJSHeapSize(0),
-          m_jsHeapSizeLimit(0)
 {
-    if (frame && frame->settings() && frame->settings()->memoryInfoEnabled()) {
+    if (!frame || !frame->settings())
+        return;
+
 #if ENABLE(INSPECTOR)
-        ScriptGCEvent::getHeapSize(m_usedJSHeapSize, m_totalJSHeapSize, m_jsHeapSizeLimit);
+    if (frame->settings()->memoryInfoEnabled())
+        ScriptGCEvent::getHeapSize(m_info);
+    else if (true || frame->settings()->quantizedMemoryInfoEnabled()) {
+        DEFINE_STATIC_LOCAL(HeapSizeCache, heapSizeCache, ());
+        heapSizeCache.getCachedHeapSize(m_info);
+    }
 #endif
-    }
 }
 

trunk/Source/WebCore/page/MemoryInfo.h

@@ -32 +32 @@
 #define MemoryInfo_h
 
+#include "ScriptGCEvent.h"
 #include <wtf/PassRefPtr.h>
 #include <wtf/RefCounted.h>
@@ -43 +44 @@
     static PassRefPtr<MemoryInfo> create(Frame* frame) { return adoptRef(new MemoryInfo(frame)); }
 
-    size_t totalJSHeapSize() const { return m_totalJSHeapSize; }
-    size_t usedJSHeapSize() const { return m_usedJSHeapSize; }
-    size_t jsHeapSizeLimit() const { return m_jsHeapSizeLimit; }
+    size_t totalJSHeapSize() const { return m_info.totalJSHeapSize; }
+    size_t usedJSHeapSize() const { return m_info.usedJSHeapSize; }
+    size_t jsHeapSizeLimit() const { return m_info.jsHeapSizeLimit; }
 
 private:
     explicit MemoryInfo(Frame*);
 
-    size_t m_totalJSHeapSize;
-    size_t m_usedJSHeapSize;
-    size_t m_jsHeapSizeLimit;
+    HeapInfo m_info;
 };
+
+size_t quantizeMemorySize(size_t);
 
 } // namespace WebCore

trunk/Source/WebCore/page/Settings.cpp

@@ -243 +243 @@
 #endif
     , m_memoryInfoEnabled(false)
+    , m_quantizedMemoryInfoEnabled(false)
     , m_interactiveFormValidation(false)
     , m_usePreHTML5ParserQuirks(false)

trunk/Source/WebCore/page/Settings.h

@@ -453 +453 @@
         void setMemoryInfoEnabled(bool flag) { m_memoryInfoEnabled = flag; }
         bool memoryInfoEnabled() const { return m_memoryInfoEnabled; }
+
+        void setQuantizedMemoryInfoEnabled(bool flag) { m_quantizedMemoryInfoEnabled = flag; }
+        bool quantizedMemoryInfoEnabled() const { return m_quantizedMemoryInfoEnabled; }
 
         // This setting will be removed when an HTML5 compatibility issue is
@@ -732 +735 @@
         bool m_fullScreenAPIEnabled : 1;
 #endif
-        bool m_asynchronousSpellCheckingEnabled: 1;
-        bool m_unifiedTextCheckerEnabled: 1;
-        bool m_memoryInfoEnabled: 1;
-        bool m_interactiveFormValidation: 1;
-        bool m_usePreHTML5ParserQuirks: 1;
+        bool m_asynchronousSpellCheckingEnabled : 1;
+        bool m_unifiedTextCheckerEnabled : 1;
+        bool m_memoryInfoEnabled : 1;
+        bool m_quantizedMemoryInfoEnabled : 1;
+        bool m_interactiveFormValidation : 1;
+        bool m_usePreHTML5ParserQuirks : 1;
         bool m_hyperlinkAuditingEnabled : 1;
         bool m_crossOriginCheckInGetMatchedCSSRulesDisabled : 1;

trunk/Source/WebKit/chromium/WebKit.gypi

@@ -126 +126 @@
             'tests/LocalizedDateICUTest.cpp',
             'tests/LocalizedNumberICUTest.cpp',
+            'tests/MemoryInfo.cpp',
             'tests/MockCCQuadCuller.h',
             'tests/OpaqueRectTrackingContentLayerDelegateTest.cpp',

trunk/Source/WebKit/chromium/tests/MemoryInfo.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2010 Google Inc. All rights reserved.
+ * Copyright (C) 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
 
 #include "config.h"
+
 #include "MemoryInfo.h"
 
-#include "Frame.h"
-#include "ScriptGCEvent.h"
-#include "Settings.h"
+#include <gtest/gtest.h>
 
-namespace WebCore {
+using namespace WebCore;
 
-MemoryInfo::MemoryInfo(Frame* frame)
-        : m_totalJSHeapSize(0),
-          m_usedJSHeapSize(0),
-          m_jsHeapSizeLimit(0)
+namespace {
+
+TEST(MemoryInfo, quantizeMemorySize)
 {
-    if (frame && frame->settings() && frame->settings()->memoryInfoEnabled()) {
-#if ENABLE(INSPECTOR)
-        ScriptGCEvent::getHeapSize(m_usedJSHeapSize, m_totalJSHeapSize, m_jsHeapSizeLimit);
-#endif
-    }
+    EXPECT_EQ(10000000u, quantizeMemorySize(1024));
+    EXPECT_EQ(10000000u, quantizeMemorySize(1024 * 1024));
+    EXPECT_EQ(410000000u, quantizeMemorySize(389472983));
+    EXPECT_EQ(39600000u, quantizeMemorySize(38947298));
+    EXPECT_EQ(29400000u, quantizeMemorySize(28947298));
+    EXPECT_EQ(19300000u, quantizeMemorySize(18947298));
+    EXPECT_EQ(14300000u, quantizeMemorySize(13947298));
+    EXPECT_EQ(10000000u, quantizeMemorySize(3894729));
+    EXPECT_EQ(10000000u, quantizeMemorySize(389472));
+    EXPECT_EQ(10000000u, quantizeMemorySize(38947));
+    EXPECT_EQ(10000000u, quantizeMemorySize(3894));
+    EXPECT_EQ(10000000u, quantizeMemorySize(389));
+    EXPECT_EQ(10000000u, quantizeMemorySize(38));
+    EXPECT_EQ(10000000u, quantizeMemorySize(3));
+    EXPECT_EQ(10000000u, quantizeMemorySize(1));
+    EXPECT_EQ(10000000u, quantizeMemorySize(0));
 }
 
-} // namespace WebCore
+} // namespace