build: enable v8's SipHash for hash seed creation

[rvagg]

Triggers the V8_USE_SIPHASH to switch from the internal custom V8 hash seed generation function to an implementation of SipHash. Final step needed to clear up HashWick.

Ref: #23259
Ref: https://darksi.de/12.hashwick-v8-vulnerability/

This could arguably be semver-minor because it introduces a configure flag, but that doesn't show in --help. I'm also unsure if this has any impact on snapshots, could it be breaking for people using snapshots for fast startup? (Electron projects do, don't they?).

[nodejs-github-bot]

@rvagg build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/2721/pipeline

[devsnek]

nice

[richardlau]

If we are enabling siphash by default, should we acknowledge its LICENSE anywhere?

[rvagg]

Good question @richardlau, I would say that V8 needs to do that in deps/v8/LICENSE and then when we run ./tools/license-builder.sh it'll be pulled in. Feel like raising an issue against V8?

[refack]

LGTM.
probably should bump patch counter at
ht tps://github.com/nodejs/node/blob/584305841d0fabee5d96ae43badfa271da99a19f/common.gypi#L40

[refack]

Ohh. We've been missing this with some of the other V8 new features...
/me writes himself a TODO note

[rvagg]

does this warrant a patch bump? I don't know the rules there

[refack]

does this warrant a patch bump? I don't know the rules there

@targos ?

P.S. Up till now we did bump v8_embedder_string for gypfiles changes, even-tough we actually need not...
_{We (read I) should really move those out of /deps/v8.}

[richardlau]

Good question @richardlau, I would say that V8 needs to do that in deps/v8/LICENSE and then when we run ./tools/license-builder.sh it'll be pulled in. Feel like raising an issue against V8?

If I'm reading https://github.com/nodejs/node/pull/25430/files#diff-75477e7cdd271be767e5255488ca45e1 correctly, siphash is not enabled by default in V8.

[rvagg]

@richardlau yes that's correct, I suspect because it'd be impractical, maybe impossible, to generate enough data to calculate the hash in a browser environment, especially now that they've got 64-bit seed length. It's slightly more practical when you have a server that will repeatedly answer you for hours on end.
There's may be a performance cost we're going to incur here that Chromium doesn't need/want as well. @hashseed might be able to edify us.

[targos]

I'm in favor of not bumping the patch level when only gypfiles are changed

[hashseed]

Hash flooding is not considered an vulnerability in the browser's threat model. A browser needs to deal with arbitrary, possibly malicious code, but does not care much about a tab locking up. An infinite loop is a lot simpler, with the same result.

V8 does not use it by default, and since it's a build-time flag, does not ship the code. That's why I included the v8/src/third_party/siphash/LICENSE, but have not actually pointed to it from anywhere. I can rectify this if anyone has strong opinions on this.

I got some numbers here. The current implementation is referred to as "implementation 1".

[bnoordhuis]

For posterity: this could be just o['variables']['v8_use_siphash'] = b(options.without_siphash) but it's fine, it's still locally consistent.

[rvagg]

thanks for the tip, we could do a lot of simplification with that but I'll withhold this time

[refack]

Do we even need a ./configure flag?
IIUC this is an obscure enough configuration that doing:

./configure -- -Dv8_use_siphash=false

seems good enough

[rvagg]

It can be removed in a future version when someone's cleaning up. For now if it ends up causing problems, performance or backward compatibility, or whatever, at least they have an easy out

[rvagg]

Thanks for the info @hashseed (and thanks for the hard work on this btw). I can get similar performance numbers using the benchmark in your doc with this turned on and off in Node, so at least I know it's enabled properly. I'm having a hard time finding anything in our benchmark suite that displays a meaningful difference though—there's a lot of I/O focus in our benchmarks and those that aren't I/O touch fairly deep code paths so are getting a lot of variety. Hopefully the overhead gets lost in the wash and will only hit a small subset of users.

I've included the SipHash LICENSE in ours, unfortunately the CC0 text is 3 times the size of the code we're importing.

[refack]

IIUC CC0 is a "no-attribution no-copyright" license, which IMO makes explicitly including it counter productive.

[indutny]

Excellent!

[refack]

I've included the SipHash LICENSE in ours, unfortunately the CC0 text is 3 times the size of the code we're importing.

IIUC CC0 is more of a "no copyright" waiver then a license, and as such does not require explicit attribution - https://wiki.creativecommons.org/wiki/CC0_FAQ#Does_CC0_require_others_who_use_my_work_to_give_me_attribution.3F

I think it should be removed from tools/license-builder.sh

[rvagg]

I've removed the CC0 but left attribution, because we're good open source citizens:

- SipHash, located at deps/v8/src/third_party/siphash, is licensed as follows:
  """
    SipHash reference C implementation

    Copyright (c) 2016 Jean-Philippe Aumasson <[email protected]>

    To the extent possible under law, the author(s) have dedicated all
    copyright and related and neighboring rights to this software to the public
    domain worldwide. This software is distributed without any warranty.
  """

[addaleax]

CI: https://ci.nodejs.org/job/node-test-pull-request/21122/

[rvagg]

Landed in e1cd8ac...0d94c23