Prevent page access in CSA when third-party-heap is enabled

Added a CSA assertion to disallow page access when FLAG_enable_third_party_heap = true.

Also skipped two PageFromAddress callers in CSA that are not necessary when barriers are disabled.

Bug: v8:11641
Change-Id: Ib0e3ff7a7dbacb7c6e7a53a720b95e51cdf2e645
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878757
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Wenyu Zhao <wenyu.zhao@anu.edu.au>
Cr-Commit-Position: refs/heads/master@{#74562}
Wenyu Zhao 2021-05-12 16:28:50 +10:00 committed by V8 LUCI CQ
parent 2f04904947
commit 5cee1bc1b4


@ -4787,7 +4787,11 @@ void CodeStubAssembler::MoveElements(ElementsKind kind,
TNode<IntPtrT> length) { TNode<IntPtrT> length) {
Label finished(this); Label finished(this);
Label needs_barrier(this); Label needs_barrier(this);
#ifdef V8_DISABLE_WRITE_BARRIERS
const bool needs_barrier_check = false;
#else
const bool needs_barrier_check = !IsDoubleElementsKind(kind); const bool needs_barrier_check = !IsDoubleElementsKind(kind);
#endif // V8_DISABLE_WRITE_BARRIERS
DCHECK(IsFastElementsKind(kind)); DCHECK(IsFastElementsKind(kind));
CSA_ASSERT(this, IsFixedArrayWithKind(elements, kind)); CSA_ASSERT(this, IsFixedArrayWithKind(elements, kind));
@ -4872,7 +4876,11 @@ void CodeStubAssembler::CopyElements(ElementsKind kind,
WriteBarrierMode write_barrier) { WriteBarrierMode write_barrier) {
Label finished(this); Label finished(this);
Label needs_barrier(this); Label needs_barrier(this);
#ifdef V8_DISABLE_WRITE_BARRIERS
const bool needs_barrier_check = false;
#else
const bool needs_barrier_check = !IsDoubleElementsKind(kind); const bool needs_barrier_check = !IsDoubleElementsKind(kind);
#endif // V8_DISABLE_WRITE_BARRIERS
DCHECK(IsFastElementsKind(kind)); DCHECK(IsFastElementsKind(kind));
CSA_ASSERT(this, IsFixedArrayWithKind(dst_elements, kind)); CSA_ASSERT(this, IsFixedArrayWithKind(dst_elements, kind));
@ -11123,6 +11131,8 @@ void CodeStubAssembler::TrapAllocationMemento(TNode<JSObject> object,
// Bail out if the object is not in new space. // Bail out if the object is not in new space.
TNode<IntPtrT> object_word = BitcastTaggedToWord(object); TNode<IntPtrT> object_word = BitcastTaggedToWord(object);
// TODO(v8:11641): Skip TrapAllocationMemento when allocation-site
// tracking is disabled.
TNode<IntPtrT> object_page = PageFromAddress(object_word); TNode<IntPtrT> object_page = PageFromAddress(object_word);
{ {
TNode<IntPtrT> page_flags = TNode<IntPtrT> page_flags =
@ -11180,6 +11190,7 @@ void CodeStubAssembler::TrapAllocationMemento(TNode<JSObject> object,
} }
TNode<IntPtrT> CodeStubAssembler::PageFromAddress(TNode<IntPtrT> address) { TNode<IntPtrT> CodeStubAssembler::PageFromAddress(TNode<IntPtrT> address) {
if (FLAG_enable_third_party_heap) Unreachable();
return WordAnd(address, IntPtrConstant(~kPageAlignmentMask)); return WordAnd(address, IntPtrConstant(~kPageAlignmentMask));
} }
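Review bot: The new guard in PageFromAddress is a plain C++ `if` on FLAG_enable_third_party_heap, so it is evaluated while the builtin is being generated, and `Unreachable()` (as far as I read it) then emits a trap into the generated code rather than failing the build as the word "assertion" in the description suggests; TrapAllocationMemento in the hunk above still calls PageFromAddress, so under that flag the builtins going through it are generated with a trap that only fires when a memento check actually runs. The intent should be stated on the line so the next reader does not mistake it for a DCHECK: `// Third-party heap has no V8 pages; emit a trap so any builtin reaching this under FLAG_enable_third_party_heap fails loudly at runtime.` If a generation-time failure is what is wanted, `DCHECK(!FLAG_enable_third_party_heap);` (or keeping both) would surface the misuse in mksnapshot instead of at runtime. It would also help to extend the TODO in TrapAllocationMemento to say that, until the skip is implemented, this call path is unreachable under the flag.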