[sandbox] Access external pointer in JSDataView via bottlenecks

Bug: v8:10391 Change-Id: I0c7e2110227f9c271a3a644d4e921c6b74b68cfd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2152648 Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#67669}
2020-05-07 21:10:28 +02:00 · 2020-05-07 21:10:28 +02:00 · c9810b8e31
commit c9810b8e31
parent be3ca12b7e
7 changed files with 26 additions and 13 deletions
--- a/src/builtins/builtins-dataview.cc
+++ b/src/builtins/builtins-dataview.cc
@ -102,6 +102,7 @@ BUILTIN(DataViewConstructor) {
  // 13. Set O's [[ByteOffset]] internal slot to offset.
  Handle<JSDataView>::cast(result)->set_byte_offset(view_byte_offset);
  Handle<JSDataView>::cast(result)->set_data_pointer(
+      isolate,
      static_cast<uint8_t*>(array_buffer->backing_store()) + view_byte_offset);

  // 14. Return O.
--- a/src/compiler/access-builder.cc
+++ b/src/compiler/access-builder.cc
@ -430,9 +430,13 @@ FieldAccess AccessBuilder::ForJSTypedArrayExternalPointer() {

 // static
 FieldAccess AccessBuilder::ForJSDataViewDataPointer() {
-  FieldAccess access = {kTaggedBase,           JSDataView::kDataPointerOffset,
-                        MaybeHandle<Name>(),   MaybeHandle<Map>(),
-                        Type::OtherInternal(), MachineType::Pointer(),
+  FieldAccess access = {kTaggedBase,
+                        JSDataView::kDataPointerOffset,
+                        MaybeHandle<Name>(),
+                        MaybeHandle<Map>(),
+                        V8_HEAP_SANDBOX_BOOL ? Type::SandboxedExternalPointer()
+                                             : Type::ExternalPointer(),
+                        MachineType::Pointer(),
                        kNoWriteBarrier};
  return access;
 }
--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@ -2688,8 +2688,8 @@ Handle<JSDataView> Factory::NewJSDataView(Handle<JSArrayBuffer> buffer,
                  isolate());
  Handle<JSDataView> obj = Handle<JSDataView>::cast(NewJSArrayBufferView(
      map, empty_fixed_array(), buffer, byte_offset, byte_length));
-  obj->set_data_pointer(static_cast<uint8_t*>(buffer->backing_store()) +
-                        byte_offset);
+  obj->set_data_pointer(
+      isolate(), static_cast<uint8_t*>(buffer->backing_store()) + byte_offset);
  return obj;
 }

--- a/src/objects/js-array-buffer-inl.h
+++ b/src/objects/js-array-buffer-inl.h
@ -303,12 +303,16 @@ MaybeHandle<JSTypedArray> JSTypedArray::Validate(Isolate* isolate,
  return array;
 }

-void* JSDataView::data_pointer() const {
-  return reinterpret_cast<void*>(ReadField<Address>(kDataPointerOffset));
+DEF_GETTER(JSDataView, data_pointer, void*) {
+  ExternalPointer_t encoded_value =
+      ReadField<ExternalPointer_t>(kDataPointerOffset);
+  return reinterpret_cast<void*>(DecodeExternalPointer(isolate, encoded_value));
 }

-void JSDataView::set_data_pointer(void* value) {
-  WriteField<Address>(kDataPointerOffset, reinterpret_cast<Address>(value));
+void JSDataView::set_data_pointer(Isolate* isolate, void* value) {
+  WriteField<ExternalPointer_t>(
+      kDataPointerOffset,
+      EncodeExternalPointer(isolate, reinterpret_cast<Address>(value)));
 }

 }  // namespace internal
--- a/src/objects/js-array-buffer.h
+++ b/src/objects/js-array-buffer.h
@ -369,7 +369,8 @@ class JSTypedArray : public JSArrayBufferView {
 class JSDataView : public JSArrayBufferView {
 public:
  // [data_pointer]: pointer to the actual data.
-  DECL_PRIMITIVE_ACCESSORS(data_pointer, void*)
+  DECL_GETTER(data_pointer, void*)
+  inline void set_data_pointer(Isolate* isolate, void* value);

  DECL_CAST(JSDataView)

--- a/src/objects/js-array-buffer.tq
+++ b/src/objects/js-array-buffer.tq
@ -46,4 +46,6 @@ extern class JSTypedArray extends JSArrayBufferView {
  base_pointer: ByteArray|Smi;
 }

-extern class JSDataView extends JSArrayBufferView { data_pointer: RawPtr; }
+extern class JSDataView extends JSArrayBufferView {
+  data_pointer: ExternalPointer;
+}
--- a/src/snapshot/deserializer.cc
+++ b/src/snapshot/deserializer.cc
@ -306,8 +306,9 @@ HeapObject Deserializer::PostProcessNewObject(HeapObject obj,
      uint32_t store_index = buffer.GetBackingStoreRefForDeserialization();
      backing_store = backing_stores_[store_index]->buffer_start();
    }
-    data_view.set_data_pointer(reinterpret_cast<uint8_t*>(backing_store) +
-                               data_view.byte_offset());
+    data_view.set_data_pointer(
+        isolate_,
+        reinterpret_cast<uint8_t*>(backing_store) + data_view.byte_offset());
  } else if (obj.IsJSTypedArray()) {
    JSTypedArray typed_array = JSTypedArray::cast(obj);
    // Fixup typed array pointers.