scottconstable wrote:

> This is not a Rust concern, but re-reading the initial post, it _looks_ like 
> your own statistics suggest that consuming 3 bits for arity costs more than 
> it buys you. As stated, (didn't check your math, just going off what you 
> said) prior to your change, we expect 0.01383765 collisions in your sample 
> environment.

If you had checked my math, you would have noticed that the values in the 
right-hand column were not exactly correct! I found and fixed a but in my Excel 
code and updated that chart, but the numbers didn't change by much.

> After your change, we expect to have the _sum_ of your right hand column in 
> collisions, which comes out to 0.0266774 - nearly double the rate of 
> collisions we have with the basic implementation. In fact, I think that any 
> scheme like this will always going to increase the number of overall 
> collisions, given that the arity is implicitly hashed into the representation 
> already.

Your analysis is correct that the total number of expected collisions would 
increase from 0.01375771 to 0.02660650 (with the updated statistics).
 
> The main reason I could see to consider this is if for some reason a 
> cross-arity collision is more dangerous than a same-arity collision in terms 
> of exploitability, which I can't immediately argue, but perhaps you have 
> something for this that was just assumed in the initial post?

I think that a cross-arity collision is clearly more dangerous than a 
same-arity collision. This is what I had written in the PR description:

> > The current 32-bit kCFI hash does not prevent, for example, a 2-arity fptr 
> > from calling a 3-arity target if the kCFI hashes collide. If this were to 
> > happen, then potentially malicious stale/dead data in RDX at the call site 
> > could suddenly become live as the third parameter at the call target.

Including the arity in the hash does prevent or even reduce the likelihood that 
a cross-arity collision will occur, if the hash function is uniform. Suppose 
that two function types' hashes collide (under the current 32-bit hash scheme). 
The probability that the arities differ is equal to 1 minus the probability 
that the arities agree:

1 - ((32/10903)*(31/10902) + (2492/10903)*(2491/10902) + ... + 
(148/10903)*(147/10902)) = 0.75901

Thus, if there is a hash collision, there is roughly a 76% chance that it will 
be a cross-arity collision.

https://github.com/llvm/llvm-project/pull/117121
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to