Revert "[sandbox] Sandboxify WasmExportedFunctionData::sig"

This reverts commit 6ec7be21e6. Reason for revert: Speculative revert for https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win64/47984/overview Original change's description: > [sandbox] Sandboxify WasmExportedFunctionData::sig > > This CL changes the WasmExportedFunctionData class to store a direct > ExternalPointer to the wasm::FunctionSig instead of referencing it > through a Foreign. This in turn makes it possible to use a unique > pointer tag for that external pointer when the sandbox is enabled. > > Drive-by: move WasmInternalFunction::call_target external pointer to the > end of the object, in line with other external pointer fields. > > Bug: v8:10391, v8:12949 > Change-Id: Ic3ff622a075c9eaa2f8d8835803437466290c928 > Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829086 > Commit-Queue: Samuel Groß <saelo@chromium.org> > Reviewed-by: Igor Sheludko <ishell@chromium.org> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> > Cr-Commit-Position: refs/heads/main@{#82523} Bug: v8:10391, v8:12949 Change-Id: I18a7c9603e30d7cd78fd599e59596015260a5818 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3834259 Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Owners-Override: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Auto-Submit: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/main@{#82535}
2022-08-17 15:27:33 +00:00 · 2022-08-17 15:27:33 +00:00 · d8b8024e92
commit d8b8024e92
parent 5493270399
11 changed files with 46 additions and 61 deletions
--- a/include/v8-internal.h
+++ b/include/v8-internal.h
@ -390,8 +390,7 @@ constexpr uint64_t kAllExternalPointerTypeTags[] = {
  V(kAccessorInfoSetterTag,                 sandboxed, TAG(19)) \
  V(kWasmInternalFunctionCallTargetTag,     sandboxed, TAG(20)) \
  V(kWasmTypeInfoNativeTypeTag,             sandboxed, TAG(21)) \
-  V(kWasmExportedFunctionDataSignatureTag,  sandboxed, TAG(22)) \
-  V(kWasmContinuationJmpbufTag,             sandboxed, TAG(23))
+  V(kWasmContinuationJmpbufTag,             sandboxed, TAG(22))

 // All external pointer tags.
 #define ALL_EXTERNAL_POINTER_TAGS(V) \
--- a/src/builtins/x64/builtins-x64.cc
+++ b/src/builtins/x64/builtins-x64.cc
@ -2986,11 +2986,17 @@ void LoadFunctionDataAndWasmInstance(MacroAssembler* masm,
 void LoadValueTypesArray(MacroAssembler* masm, Register function_data,
                         Register valuetypes_array_ptr, Register return_count,
                         Register param_count) {
-  Register signature = valuetypes_array_ptr;
+  Register foreign_signature = valuetypes_array_ptr;
+  __ LoadAnyTaggedField(
+      foreign_signature,
+      MemOperand(function_data,
+                 WasmExportedFunctionData::kSignatureOffset - kHeapObjectTag));
+  Register signature = foreign_signature;
  __ LoadExternalPointerField(
      signature,
-      FieldOperand(function_data, WasmExportedFunctionData::kSigOffset),
-      kWasmExportedFunctionDataSignatureTag, kScratchRegister);
+      FieldOperand(foreign_signature, Foreign::kForeignAddressOffset),
+      kForeignForeignAddressTag, kScratchRegister);
+  foreign_signature = no_reg;
  __ movq(return_count,
          MemOperand(signature, wasm::FunctionSig::kReturnCountOffset));
  __ movq(param_count,
--- a/src/diagnostics/objects-printer.cc
+++ b/src/diagnostics/objects-printer.cc
@ -2053,10 +2053,9 @@ void WasmFunctionData::WasmFunctionDataPrint(std::ostream& os) {
 void WasmExportedFunctionData::WasmExportedFunctionDataPrint(std::ostream& os) {
  PrintHeader(os, "WasmExportedFunctionData");
  WasmFunctionDataPrint(os);
-  Isolate* isolate = GetIsolateForSandbox(*this);
  os << "\n - instance: " << Brief(instance());
  os << "\n - function_index: " << function_index();
-  os << "\n - signature: " << reinterpret_cast<void*>(sig(isolate));
+  os << "\n - signature: " << Brief(signature());
  os << "\n - wrapper_budget: " << wrapper_budget();
  os << "\n";
 }
--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@ -1676,8 +1676,9 @@ Handle<WasmResumeData> Factory::NewWasmResumeData(
 Handle<WasmExportedFunctionData> Factory::NewWasmExportedFunctionData(
    Handle<CodeT> export_wrapper, Handle<WasmInstanceObject> instance,
    Address call_target, Handle<Object> ref, int func_index,
-    const wasm::FunctionSig* sig, int wrapper_budget, Handle<Map> rtt,
+    Address sig_address, int wrapper_budget, Handle<Map> rtt,
    wasm::Promise promise) {
+  Handle<Foreign> sig_foreign = NewForeign(sig_address);
  Handle<WasmInternalFunction> internal =
      NewWasmInternalFunction(call_target, Handle<HeapObject>::cast(ref), rtt);
  Map map = *wasm_exported_function_data_map();
@ -1690,7 +1691,7 @@ Handle<WasmExportedFunctionData> Factory::NewWasmExportedFunctionData(
  result.set_wrapper_code(*export_wrapper);
  result.set_instance(*instance);
  result.set_function_index(func_index);
-  result.init_sig(isolate(), sig);
+  result.set_signature(*sig_foreign);
  result.set_wrapper_budget(wrapper_budget);
  // We can't skip the write barrier when V8_EXTERNAL_CODE_SPACE is enabled
  // because in this case the CodeT (CodeDataContainer) objects are not
--- a/src/heap/factory.h
+++ b/src/heap/factory.h
@ -634,7 +634,7 @@ class V8_EXPORT_PRIVATE Factory : public FactoryBase<Factory> {
  Handle<WasmExportedFunctionData> NewWasmExportedFunctionData(
      Handle<CodeT> export_wrapper, Handle<WasmInstanceObject> instance,
      Address call_target, Handle<Object> ref, int func_index,
-      const wasm::FunctionSig* sig, int wrapper_budget, Handle<Map> rtt,
+      Address sig_address, int wrapper_budget, Handle<Map> rtt,
      wasm::Promise promise);
  Handle<WasmApiFunctionRef> NewWasmApiFunctionRef(
      Handle<JSReceiver> callable, wasm::Suspend suspend,
--- a/src/objects/object-macros.h
+++ b/src/objects/object-macros.h
@ -398,11 +398,11 @@
                kRelaxedStore);                                      \
  }

-#define DECL_EXTERNAL_POINTER_ACCESSORS(name, type)                       \
-  inline type name() const;                                               \
-  inline type name(i::Isolate* isolate_for_sandbox) const;                \
-  inline void init_##name(i::Isolate* isolate, const type initial_value); \
-  inline void set_##name(i::Isolate* isolate, const type value);
+#define DECL_EXTERNAL_POINTER_ACCESSORS(name, type)                 \
+  inline type name() const;                                         \
+  inline type name(i::Isolate* isolate_for_sandbox) const;          \
+  inline void init_##name(i::Isolate* isolate, type initial_value); \
+  inline void set_##name(i::Isolate* isolate, type value);

 #define EXTERNAL_POINTER_ACCESSORS(holder, name, type, offset, tag)         \
  type holder::name() const {                                               \
@ -417,20 +417,20 @@
        Object::ReadExternalPointerField<tag>(offset, isolate_for_sandbox); \
    return reinterpret_cast<type>(reinterpret_cast<C2440*>(result));        \
  }                                                                         \
-  void holder::init_##name(i::Isolate* isolate, const type initial_value) { \
-    /* This is a workaround for MSVC error C2440 not allowing  */           \
-    /* reinterpret casts to the same type. */                               \
-    struct C2440 {};                                                        \
-    Address the_value = reinterpret_cast<Address>(                          \
-        reinterpret_cast<const C2440*>(initial_value));                     \
-    Object::InitExternalPointerField<tag>(offset, isolate, the_value);      \
-  }                                                                         \
-  void holder::set_##name(i::Isolate* isolate, const type value) {          \
+  void holder::init_##name(i::Isolate* isolate, type initial_value) {       \
    /* This is a workaround for MSVC error C2440 not allowing  */           \
    /* reinterpret casts to the same type. */                               \
    struct C2440 {};                                                        \
    Address the_value =                                                     \
-        reinterpret_cast<Address>(reinterpret_cast<const C2440*>(value));   \
+        reinterpret_cast<Address>(reinterpret_cast<C2440*>(initial_value)); \
+    Object::InitExternalPointerField<tag>(offset, isolate, the_value);      \
+  }                                                                         \
+  void holder::set_##name(i::Isolate* isolate, type value) {                \
+    /* This is a workaround for MSVC error C2440 not allowing  */           \
+    /* reinterpret casts to the same type. */                               \
+    struct C2440 {};                                                        \
+    Address the_value =                                                     \
+        reinterpret_cast<Address>(reinterpret_cast<C2440*>(value));         \
    Object::WriteExternalPointerField<tag>(offset, isolate, the_value);     \
  }

--- a/src/objects/objects-body-descriptors-inl.h
+++ b/src/objects/objects-body-descriptors-inl.h
@ -742,27 +742,6 @@ class WasmApiFunctionRef::BodyDescriptor final : public BodyDescriptorBase {
  static inline int SizeOf(Map map, HeapObject object) { return kSize; }
 };

-class WasmExportedFunctionData::BodyDescriptor final
-    : public BodyDescriptorBase {
- public:
-  static bool IsValidSlot(Map map, HeapObject obj, int offset) {
-    UNREACHABLE();
-  }
-
-  template <typename ObjectVisitor>
-  static inline void IterateBody(Map map, HeapObject obj, int object_size,
-                                 ObjectVisitor* v) {
-    WasmFunctionData::BodyDescriptor::IterateBody<ObjectVisitor>(
-        map, obj, object_size, v);
-    IteratePointers(obj, kStartOfStrongFieldsOffset, kEndOfStrongFieldsOffset,
-                    v);
-    v->VisitExternalPointer(obj, obj.RawExternalPointerField(kSigOffset),
-                            kWasmExportedFunctionDataSignatureTag);
-  }
-
-  static inline int SizeOf(Map map, HeapObject object) { return kSize; }
-};
-
 class WasmInternalFunction::BodyDescriptor final : public BodyDescriptorBase {
 public:
  static bool IsValidSlot(Map map, HeapObject obj, int offset) {
@ -772,10 +751,10 @@ class WasmInternalFunction::BodyDescriptor final : public BodyDescriptorBase {
  template <typename ObjectVisitor>
  static inline void IterateBody(Map map, HeapObject obj, int object_size,
                                 ObjectVisitor* v) {
-    IteratePointers(obj, kStartOfStrongFieldsOffset, kEndOfStrongFieldsOffset,
-                    v);
    v->VisitExternalPointer(obj, obj.RawExternalPointerField(kCallTargetOffset),
                            kWasmInternalFunctionCallTargetTag);
+    IteratePointers(obj, kStartOfStrongFieldsOffset, kEndOfStrongFieldsOffset,
+                    v);
  }

  static inline int SizeOf(Map map, HeapObject object) { return kSize; }
--- a/src/wasm/wasm-objects-inl.h
+++ b/src/wasm/wasm-objects-inl.h
@ -296,8 +296,9 @@ EXTERNAL_POINTER_ACCESSORS(WasmInternalFunction, call_target, Address,
 // WasmFunctionData
 ACCESSORS(WasmFunctionData, internal, WasmInternalFunction, kInternalOffset)

-EXTERNAL_POINTER_ACCESSORS(WasmExportedFunctionData, sig, wasm::FunctionSig*,
-                           kSigOffset, kWasmExportedFunctionDataSignatureTag);
+wasm::FunctionSig* WasmExportedFunctionData::sig() const {
+  return reinterpret_cast<wasm::FunctionSig*>(signature().foreign_address());
+}

 // WasmJSFunction
 WasmJSFunction::WasmJSFunction(Address ptr) : JSFunction(ptr) {
--- a/src/wasm/wasm-objects.cc
+++ b/src/wasm/wasm-objects.cc
@ -1999,8 +1999,9 @@ Handle<WasmExportedFunction> WasmExportedFunction::New(
          : wasm::kNoPromise;
  Handle<WasmExportedFunctionData> function_data =
      factory->NewWasmExportedFunctionData(
-          export_wrapper, instance, call_target, ref, func_index, sig,
-          wasm::kGenericWrapperBudget, rtt, promise);
+          export_wrapper, instance, call_target, ref, func_index,
+          reinterpret_cast<Address>(sig), wasm::kGenericWrapperBudget, rtt,
+          promise);

  MaybeHandle<String> maybe_name;
  bool is_asm_js_module = instance->module_object().is_asm_js();
--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@ -16,7 +16,6 @@
 #include "src/objects/foreign.h"
 #include "src/objects/js-function.h"
 #include "src/objects/js-objects.h"
-#include "src/objects/objects-body-descriptors.h"
 #include "src/objects/objects.h"
 #include "src/objects/struct.h"
 #include "src/wasm/module-instantiate.h"
@ -711,8 +710,7 @@ class WasmFunctionData

  DECL_PRINTER(WasmFunctionData)

-  using BodyDescriptor = FixedBodyDescriptor<kStartOfStrongFieldsOffset,
-                                             kEndOfStrongFieldsOffset, kSize>;
+  using BodyDescriptor = FlexibleBodyDescriptor<kStartOfStrongFieldsOffset>;

  using SuspendField = base::BitField<wasm::Suspend, 0, 1>;
  using PromiseField = base::BitField<wasm::Promise, 1, 1>;
@ -727,13 +725,14 @@ class WasmExportedFunctionData
    : public TorqueGeneratedWasmExportedFunctionData<WasmExportedFunctionData,
                                                     WasmFunctionData> {
 public:
-  DECL_EXTERNAL_POINTER_ACCESSORS(sig, wasm::FunctionSig*);
+  inline wasm::FunctionSig* sig() const;

  // Dispatched behavior.
  DECL_PRINTER(WasmExportedFunctionData)
  DECL_VERIFIER(WasmExportedFunctionData)

-  class BodyDescriptor;
+  using BodyDescriptor =
+      FlexibleBodyDescriptor<WasmFunctionData::kStartOfStrongFieldsOffset>;

  TQ_OBJECT_CONSTRUCTORS(WasmExportedFunctionData)
 };
--- a/src/wasm/wasm-objects.tq
+++ b/src/wasm/wasm-objects.tq
@ -30,6 +30,8 @@ extern class WasmApiFunctionRef extends HeapObject {
 // This is the representation that is used internally by wasm to represent
 // function references.
 extern class WasmInternalFunction extends HeapObject {
+  // The call target. Tagged with the kWasmInternalFunctionCallTargetTag
+  call_target: ExternalPointer;
  // This is the "reference" value that must be passed along in the "instance"
  // register when calling the given function. It is either the target instance
  // (for wasm functions), or a WasmApiFunctionRef object (for functions defined
@ -42,8 +44,6 @@ extern class WasmInternalFunction extends HeapObject {
  // This field is used when the call target is null.
  @if(V8_EXTERNAL_CODE_SPACE) code: CodeDataContainer;
  @ifnot(V8_EXTERNAL_CODE_SPACE) code: Code;
-  // The call target. Tagged with the kWasmInternalFunctionCallTargetTag
-  call_target: ExternalPointer;
 }

 extern operator '.call_target_ptr' macro LoadWasmInternalFunctionCallTargetPtr(
@ -65,13 +65,13 @@ extern class WasmExportedFunctionData extends WasmFunctionData {
  // where the function is defined -- for the latter see WasmFunctionData::ref).
  instance: WasmInstanceObject;
  function_index: Smi;
+  signature: Foreign;
  wrapper_budget: Smi;
-  // The next two fields are for fast calling from C++. The contract is
+  // The remaining fields are for fast calling from C++. The contract is
  // that they are lazily populated, and either all will be present or none.
  @if(V8_EXTERNAL_CODE_SPACE) c_wrapper_code: CodeDataContainer;
  @ifnot(V8_EXTERNAL_CODE_SPACE) c_wrapper_code: Code;
  packed_args_size: Smi;
-  sig: ExternalPointer;  // wasm::FunctionSig*
 }

 extern class WasmJSFunctionData extends WasmFunctionData {