From a94048877ddd3732b1ceacf797319af366a80c30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuel=20Gro=C3=9F?= Date: Mon, 29 Aug 2022 12:54:02 +0200 Subject: [PATCH] [sandbox] Unsandboxify CodeEntryPoint MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For code pointers, the sandbox will require a custom, lightweight CFI mechanism (likely based on the external pointer table). Simply turning all code pointers into ExternalPointers is not sufficient. This CL therefore turns code pointers back into raw pointers for now so that they don't block the external pointer table rollout. Bug: v8:10391 Change-Id: Ib2ba246be546bbf19fcd0f4ae20f4e9a2cf2e099 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859348 Reviewed-by: Jakob Kummerow Commit-Queue: Samuel Groß Reviewed-by: Igor Sheludko Cr-Commit-Position: refs/heads/main@{#82775} --- include/v8-internal.h | 17 ++++++++--------- src/codegen/arm64/macro-assembler-arm64.cc | 7 ++----- src/codegen/code-stub-assembler.cc | 5 ++--- src/codegen/x64/macro-assembler-x64.cc | 13 ++++--------- src/compiler/wasm-compiler.cc | 7 ++++--- src/objects/code-inl.h | 14 ++++---------- src/objects/code.h | 2 +- src/objects/objects-body-descriptors-inl.h | 3 --- 8 files changed, 25 insertions(+), 43 deletions(-) diff --git a/include/v8-internal.h b/include/v8-internal.h index 2da2d2f392..19d559d5c2 100644 --- a/include/v8-internal.h +++ b/include/v8-internal.h 
@@ -383,15 +383,14 @@ constexpr uint64_t kAllExternalPointerTypeTags[] = {
 V(kForeignForeignAddressTag, unsandboxed, TAG(10)) \
 V(kNativeContextMicrotaskQueueTag, sandboxed, TAG(11)) \
 V(kEmbedderDataSlotPayloadTag, sandboxed, TAG(12)) \
- V(kCodeEntryPointTag, unsandboxed, TAG(13)) \
- V(kExternalObjectValueTag, sandboxed, TAG(14)) \
- V(kCallHandlerInfoCallbackTag, sandboxed, TAG(15)) \
- V(kAccessorInfoGetterTag, sandboxed, TAG(16)) \
- V(kAccessorInfoSetterTag, sandboxed, TAG(17)) \
- V(kWasmInternalFunctionCallTargetTag, sandboxed, TAG(18)) \
- V(kWasmTypeInfoNativeTypeTag, sandboxed, TAG(19)) \
- V(kWasmExportedFunctionDataSignatureTag, sandboxed, TAG(20)) \
- V(kWasmContinuationJmpbufTag, sandboxed, TAG(21))
+ V(kExternalObjectValueTag, sandboxed, TAG(13)) \
+ V(kCallHandlerInfoCallbackTag, sandboxed, TAG(14)) \
+ V(kAccessorInfoGetterTag, sandboxed, TAG(15)) \
+ V(kAccessorInfoSetterTag, sandboxed, TAG(16)) \
+ V(kWasmInternalFunctionCallTargetTag, sandboxed, TAG(17)) \
+ V(kWasmTypeInfoNativeTypeTag, sandboxed, TAG(18)) \
+ V(kWasmExportedFunctionDataSignatureTag, sandboxed, TAG(19)) \
+ V(kWasmContinuationJmpbufTag, sandboxed, TAG(20))
 // All external pointer tags.
 #define ALL_EXTERNAL_POINTER_TAGS(V) \
diff --git a/src/codegen/arm64/macro-assembler-arm64.cc b/src/codegen/arm64/macro-assembler-arm64.cc
index 2916b3145d..63582ce9b3 100644
--- a/src/codegen/arm64/macro-assembler-arm64.cc
+++ b/src/codegen/arm64/macro-assembler-arm64.cc
@@ -2343,11 +2343,8 @@ void TurboAssembler::LoadCodeDataContainerEntry(
 ASM_CODE_COMMENT(this);
 CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
- LoadExternalPointerField(
- destination,
- FieldMemOperand(code_data_container_object,
- CodeDataContainer::kCodeEntryPointOffset),
- kCodeEntryPointTag);
+ Ldr(destination, FieldMemOperand(code_data_container_object,
+ CodeDataContainer::kCodeEntryPointOffset));
 }
 void TurboAssembler::LoadCodeDataContainerCodeNonBuiltin(
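Review bot: The new `Ldr(destination, FieldMemOperand(code_data_container_object, CodeDataContainer::kCodeEntryPointOffset));` reads the entry point as a raw pointer with no external-pointer-table lookup or tag check, so a corrupted CodeDataContainer field now directly supplies the value that callers outside this hunk presumably use as a branch target; the commit message says this is deliberate pending a code-pointer CFI scheme, but nothing at the load site records that. A one-line comment such as `// Raw, unsandboxed code pointer (see v8:10391); no external-pointer-table validation applies here.` keeps that context with the code, and the canonical place for the same remark is the `kCodeEntryPointOffset` entry in the code.h hunk. The same point applies to the other new raw loads and stores in this CL: `LoadObjectField` in code-stub-assembler.cc, both `movq` sites in macro-assembler-x64.cc, `gasm_->LoadFromObject` in wasm-compiler.cc, and `ReadField`/`WriteField` in code-inl.h. LoadCodeDataContainerEntry's opening line with its parameters is not part of the hunk.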
diff --git a/src/codegen/code-stub-assembler.cc b/src/codegen/code-stub-assembler.cc
index 25a9976bd6..4d2b42a112 100644
--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@@ -14832,9 +14832,8 @@ TNode CodeStubAssembler::GetSharedFunctionInfoCode(
 TNode CodeStubAssembler::GetCodeEntry(TNode code) {
 #ifdef V8_EXTERNAL_CODE_SPACE
 TNode cdc = CodeDataContainerFromCodeT(code);
- return LoadExternalPointerFromObject(
- cdc, IntPtrConstant(CodeDataContainer::kCodeEntryPointOffset),
- kCodeEntryPointTag);
+ return LoadObjectField(
+ cdc, IntPtrConstant(CodeDataContainer::kCodeEntryPointOffset));
 #else
 TNode object = BitcastTaggedToWord(code);
 return ReinterpretCast(
diff --git a/src/codegen/x64/macro-assembler-x64.cc b/src/codegen/x64/macro-assembler-x64.cc
index 9e5ddd45d4..0f90d61f69 100644
--- a/src/codegen/x64/macro-assembler-x64.cc
+++ b/src/codegen/x64/macro-assembler-x64.cc
@@ -2217,10 +2217,8 @@ void TurboAssembler::LoadCodeObjectEntry(Register destination,
 Register code_object) {
 ASM_CODE_COMMENT(this);
 if (V8_EXTERNAL_CODE_SPACE_BOOL) {
- LoadExternalPointerField(
- destination,
- FieldOperand(code_object, CodeDataContainer::kCodeEntryPointOffset),
- kCodeEntryPointTag, kScratchRegister);
+ movq(destination,
+ FieldOperand(code_object, CodeDataContainer::kCodeEntryPointOffset));
 return;
 }
@@ -2287,11 +2285,8 @@ void TurboAssembler::LoadCodeDataContainerEntry(
 Register destination, Register code_data_container_object) {
 ASM_CODE_COMMENT(this);
 CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
- LoadExternalPointerField(
- destination,
- FieldOperand(code_data_container_object,
- CodeDataContainer::kCodeEntryPointOffset),
- kCodeEntryPointTag, kScratchRegister);
+ movq(destination, FieldOperand(code_data_container_object,
+ CodeDataContainer::kCodeEntryPointOffset));
 }
 void TurboAssembler::LoadCodeDataContainerCodeNonBuiltin(
diff --git a/src/compiler/wasm-compiler.cc b/src/compiler/wasm-compiler.cc
index 4a17d34388..637aa31090 100644
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -2951,9 +2951,10 @@ Node* WasmGraphBuilder::BuildCallRef(const wasm::FunctionSig* sig,
 wasm::ObjectAccess::ToTagged(WasmInternalFunction::kCodeOffset));
 Node* call_target;
 if (V8_EXTERNAL_CODE_SPACE_BOOL) {
- call_target = BuildLoadExternalPointerFromObject(
- wrapper_code, CodeDataContainer::kCodeEntryPointOffset,
- kCodeEntryPointTag);
+ call_target =
+ gasm_->LoadFromObject(MachineType::Pointer(), wrapper_code,
+ wasm::ObjectAccess::ToTagged(
+ CodeDataContainer::kCodeEntryPointOffset));
 } else {
 call_target = gasm_->IntAdd(
 wrapper_code, gasm_->IntPtrConstant(
diff --git a/src/objects/code-inl.h b/src/objects/code-inl.h
index 38c1590e55..4277a164a0 100644
--- a/src/objects/code-inl.h
+++ b/src/objects/code-inl.h
@@ -1529,22 +1529,16 @@ Code CodeDataContainer::code(PtrComprCageBase cage_base,
 DEF_GETTER(CodeDataContainer, code_entry_point, Address) {
 CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
- Isolate* isolate = GetIsolateForSandbox(*this);
- return ReadExternalPointerField(kCodeEntryPointOffset,
- isolate);
+ return ReadField
(kCodeEntryPointOffset);
 }
-void CodeDataContainer::init_code_entry_point(Isolate* isolate,
- Address initial_value) {
- CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
- InitExternalPointerField(kCodeEntryPointOffset, isolate,
- initial_value);
+void CodeDataContainer::init_code_entry_point(Isolate* isolate, Address value) {
+ set_code_entry_point(isolate, value);
 }
 void CodeDataContainer::set_code_entry_point(Isolate* isolate, Address value) {
 CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
- WriteExternalPointerField(kCodeEntryPointOffset, isolate,
- value);
+ WriteField
(kCodeEntryPointOffset, value);
 }
 void CodeDataContainer::SetCodeAndEntryPoint(Isolate* isolate_for_sandbox,
diff --git a/src/objects/code.h b/src/objects/code.h
index 7982d3eda4..de6d90eeb8 100644
--- a/src/objects/code.h
+++ b/src/objects/code.h
@@ -255,7 +255,7 @@ class CodeDataContainer : public HeapObject {
 V(kCodeCageBaseUpper32BitsOffset, \
 V8_EXTERNAL_CODE_SPACE_BOOL ? kTaggedSize : 0) \
 V(kCodeEntryPointOffset, \
- V8_EXTERNAL_CODE_SPACE_BOOL ? kExternalPointerSlotSize : 0) \
+ V8_EXTERNAL_CODE_SPACE_BOOL ? kSystemPointerSize : 0) \
 V(kFlagsOffset, V8_EXTERNAL_CODE_SPACE_BOOL ? kUInt16Size : 0) \
 V(kBuiltinIdOffset, V8_EXTERNAL_CODE_SPACE_BOOL ? kInt16Size : 0) \
 V(kKindSpecificFlagsOffset, kInt32Size) \
diff --git a/src/objects/objects-body-descriptors-inl.h b/src/objects/objects-body-descriptors-inl.h
index 3c7ee6432d..e6994bb87c 100644
--- a/src/objects/objects-body-descriptors-inl.h
+++ b/src/objects/objects-body-descriptors-inl.h
@@ -1065,9 +1065,6 @@ class CodeDataContainer::BodyDescriptor final : public BodyDescriptorBase {
 if (V8_EXTERNAL_CODE_SPACE_BOOL) {
 v->VisitCodePointer(obj, obj.RawCodeField(kCodeOffset));
- v->VisitExternalPointer(
- obj, obj.RawExternalPointerField(kCodeEntryPointOffset),
- kCodeEntryPointTag);
 }
 }
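Review bot: `isolate` is now dead in both setters of the code-inl.h hunk: `init_code_entry_point` only forwards it to `set_code_entry_point(isolate, value)`, and that function reads nothing but `value` before `WriteField(kCodeEntryPointOffset, value)`, so `init_code_entry_point` has become a plain alias of the setter rather than a distinct first-initialization path as it was with `InitExternalPointerField`. Keeping the parameter so call sites need not change is reasonable, but it deserves a comment at the definition, e.g. `// |isolate| is unused while the entry point is a raw pointer; kept so callers match the external-pointer variant.` The `CHECK(V8_EXTERNAL_CODE_SPACE_BOOL)` still guards the raw `ReadField`/`WriteField` accesses, so the non-external-code-space configuration is unaffected; the rendered hunk appears to have dropped the template arguments of `ReadField`/`WriteField`, so confirm the stored width matches the `kSystemPointerSize` slot declared in the code.h hunk.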