[sandbox] Disallow ArrayBuffers outside the VM Cage

In a follow-up CL, the backing stores will, when the sandbox is enabled, be referenced from V8 objects through offsets rather than raw pointers. For that to work, all backing stores must be located inside the virtual memory cage. This CL prepares for that. Bug: chromium:1218005 Change-Id: Ibb989626ed7094bd4f02ca15464539f4e2bda90f Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114136 Commit-Queue: Samuel Groß <saelo@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#76486}
2021-08-24 21:12:19 +02:00 · 2021-08-24 21:12:19 +02:00 · e84ac8bc3b
commit e84ac8bc3b
parent 9a54cc55c7
24 changed files with 112 additions and 68 deletions
--- a/BUILD.gn
+++ b/BUILD.gn
@ -2038,6 +2038,7 @@ action("v8_dump_build_config") {
    "v8_enable_pointer_compression=$v8_enable_pointer_compression",
    "v8_enable_pointer_compression_shared_cage=" +
        "$v8_enable_pointer_compression_shared_cage",
+    "v8_enable_virtual_memory_cage=$v8_enable_virtual_memory_cage",
    "v8_enable_third_party_heap=$v8_enable_third_party_heap",
    "v8_enable_webassembly=$v8_enable_webassembly",
    "v8_control_flow_integrity=$v8_control_flow_integrity",
--- a/include/v8-internal.h
+++ b/include/v8-internal.h
@ -524,8 +524,15 @@ constexpr size_t kVirtualMemoryCageMinimumSize =
    2 * kVirtualMemoryCagePointerCageSize;

 // For now, even if the virtual memory cage is enabled, we still allow backing
-// stores to be allocated outside of it as fallback.
+// stores to be allocated outside of it as fallback. This will simplify the
+// initial rollout. However, if the heap sandbox is also enabled, we already use
+// the "enforcing mode" of the virtual memory cage. This is useful for testing.
+#ifdef V8_HEAP_SANDBOX
+constexpr bool kAllowBackingStoresOutsideDataCage = false;
+#else
 constexpr bool kAllowBackingStoresOutsideDataCage = true;
+#endif  // V8_HEAP_SANDBOX
+
 #endif  // V8_VIRTUAL_MEMORY_CAGE

 // Only perform cast check for types derived from v8::Data since
--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
@ -248,7 +248,7 @@ class MockArrayBufferAllocatiorWithLimit : public MockArrayBufferAllocator {
  std::atomic<size_t> space_left_;
 };

-#ifdef V8_OS_LINUX
+#if MULTI_MAPPED_ALLOCATOR_AVAILABLE

 // This is a mock allocator variant that provides a huge virtual allocation
 // backed by a small real allocation that is repeatedly mapped. If you create an
@ -341,7 +341,7 @@ class MultiMappedAllocator : public ArrayBufferAllocatorBase {
  base::Mutex regions_mutex_;
 };

-#endif  // V8_OS_LINUX
+#endif  // MULTI_MAPPED_ALLOCATOR_AVAILABLE

 v8::Platform* g_default_platform;
 std::unique_ptr<v8::Platform> g_platform;
@ -3510,15 +3510,9 @@ void Shell::ReadBuffer(const v8::FunctionCallbackInfo<v8::Value>& args) {
    isolate->ThrowError("Error reading file");
    return;
  }
-  std::unique_ptr<v8::BackingStore> backing_store =
-      ArrayBuffer::NewBackingStore(
-          data, length,
-          [](void* data, size_t length, void*) {
-            delete[] reinterpret_cast<uint8_t*>(data);
-          },
-          nullptr);
-  Local<v8::ArrayBuffer> buffer =
-      ArrayBuffer::New(isolate, std::move(backing_store));
+  Local<v8::ArrayBuffer> buffer = ArrayBuffer::New(isolate, length);
+  memcpy(buffer->GetBackingStore()->Data(), data, length);
+  delete[] data;

  args.GetReturnValue().Set(buffer);
 }
@ -4426,7 +4420,7 @@ bool Shell::SetOptions(int argc, char* argv[]) {
  options.mock_arraybuffer_allocator = i::FLAG_mock_arraybuffer_allocator;
  options.mock_arraybuffer_allocator_limit =
      i::FLAG_mock_arraybuffer_allocator_limit;
-#if V8_OS_LINUX
+#if MULTI_MAPPED_ALLOCATOR_AVAILABLE
  options.multi_mapped_mock_allocator = i::FLAG_multi_mapped_mock_allocator;
 #endif

@ -5081,24 +5075,19 @@ int Shell::Main(int argc, char* argv[]) {
      memory_limit >= options.mock_arraybuffer_allocator_limit
          ? memory_limit
          : std::numeric_limits<size_t>::max());
-#if V8_OS_LINUX
+#if MULTI_MAPPED_ALLOCATOR_AVAILABLE
  MultiMappedAllocator multi_mapped_mock_allocator;
-#endif  // V8_OS_LINUX
+#endif
  if (options.mock_arraybuffer_allocator) {
    if (memory_limit) {
      Shell::array_buffer_allocator = &mock_arraybuffer_allocator_with_limit;
    } else {
      Shell::array_buffer_allocator = &mock_arraybuffer_allocator;
    }
-#if V8_OS_LINUX
+#if MULTI_MAPPED_ALLOCATOR_AVAILABLE
  } else if (options.multi_mapped_mock_allocator) {
-#ifdef V8_VIRTUAL_MEMORY_CAGE
-    CHECK_WITH_MSG(internal::kAllowBackingStoresOutsideDataCage,
-                   "The multi-mapped arraybuffer allocator is currently "
-                   "incompatible with v8_enable_virtual_memory_cage");
-#endif
    Shell::array_buffer_allocator = &multi_mapped_mock_allocator;
-#endif  // V8_OS_LINUX
+#endif
  } else {
    Shell::array_buffer_allocator = &shell_array_buffer_allocator;
  }
--- a/src/d8/d8.h
+++ b/src/d8/d8.h
@ -399,8 +399,10 @@ class ShellOptions {
      "mock-arraybuffer-allocator", false};
  DisallowReassignment<size_t> mock_arraybuffer_allocator_limit = {
      "mock-arraybuffer-allocator-limit", 0};
+#if MULTI_MAPPED_ALLOCATOR_AVAILABLE
  DisallowReassignment<bool> multi_mapped_mock_allocator = {
      "multi-mapped-mock-allocator", false};
+#endif
  DisallowReassignment<bool> enable_inspector = {"enable-inspector", false};
  int num_isolates = 1;
  DisallowReassignment<v8::ScriptCompiler::CompileOptions, true>
--- a/src/execution/isolate.h
+++ b/src/execution/isolate.h
@ -1085,16 +1085,6 @@ class V8_EXPORT_PRIVATE Isolate final : private HiddenFactory {
    return isolate_allocator_->GetPtrComprCage();
  }

-  bool IsValidBackingStorePointer(void* ptr) {
-#ifdef V8_VIRTUAL_MEMORY_CAGE
-    Address addr = reinterpret_cast<Address>(ptr);
-    return kAllowBackingStoresOutsideDataCage || addr == kNullAddress ||
-           GetProcessWideVirtualMemoryCage()->Contains(addr);
-#else
-    return true;
-#endif
-  }
-
  // Generated code can embed this address to get access to the isolate-specific
  // data (for example, roots, external references, builtins, etc.).
  // The kRootRegister is set to this value.
--- a/src/flags/flag-definitions.h
+++ b/src/flags/flag-definitions.h
@ -181,6 +181,14 @@ struct MaybeBoolFlag {
 #define V8_VIRTUAL_MEMORY_CAGE_BOOL false
 #endif

+// D8's MultiMappedAllocator is only available on Linux, and only if the virtual
+// memory cage is not enabled.
+#if V8_OS_LINUX && !V8_VIRTUAL_MEMORY_CAGE_BOOL
+#define MULTI_MAPPED_ALLOCATOR_AVAILABLE true
+#else
+#define MULTI_MAPPED_ALLOCATOR_AVAILABLE false
+#endif
+
 #ifdef V8_ENABLE_CONTROL_FLOW_INTEGRITY
 #define ENABLE_CONTROL_FLOW_INTEGRITY_BOOL true
 #else
@ -1793,7 +1801,7 @@ DEFINE_BOOL(mock_arraybuffer_allocator, false,
 DEFINE_SIZE_T(mock_arraybuffer_allocator_limit, 0,
              "Memory limit for mock ArrayBuffer allocator used to simulate "
              "OOM for testing.")
-#if V8_OS_LINUX
+#if MULTI_MAPPED_ALLOCATOR_AVAILABLE
 DEFINE_BOOL(multi_mapped_mock_allocator, false,
            "Use a multi-mapped mock ArrayBuffer allocator for testing.")
 #endif
--- a/src/init/vm-cage.h
+++ b/src/init/vm-cage.h
@ -114,6 +114,16 @@ V8VirtualMemoryCage* GetProcessWideVirtualMemoryCage();

 #endif  // V8_VIRTUAL_MEMORY_CAGE

+V8_INLINE bool IsValidBackingStorePointer(void* ptr) {
+#ifdef V8_VIRTUAL_MEMORY_CAGE
+  Address addr = reinterpret_cast<Address>(ptr);
+  return kAllowBackingStoresOutsideDataCage || addr == kNullAddress ||
+         GetProcessWideVirtualMemoryCage()->Contains(addr);
+#else
+  return true;
+#endif
+}
+
 }  // namespace internal
 }  // namespace v8

--- a/src/objects/backing-store.cc
+++ b/src/objects/backing-store.cc
@ -274,7 +274,7 @@ std::unique_ptr<BackingStore> BackingStore::Allocate(
      return {};
    }

-    DCHECK(isolate->IsValidBackingStorePointer(buffer_start));
+    DCHECK(IsValidBackingStorePointer(buffer_start));
  }

  auto result = new BackingStore(buffer_start,                  // start
@ -440,7 +440,7 @@ std::unique_ptr<BackingStore> BackingStore::TryAllocateAndPartiallyCommitMemory(
    return {};
  }

-  DCHECK(isolate->IsValidBackingStorePointer(allocation_base));
+  DCHECK(IsValidBackingStorePointer(allocation_base));

  // Get a pointer to the start of the buffer, skipping negative guard region
  // if necessary.
@ -736,6 +736,7 @@ BackingStore::ResizeOrGrowResult BackingStore::GrowInPlace(
 std::unique_ptr<BackingStore> BackingStore::WrapAllocation(
    Isolate* isolate, void* allocation_base, size_t allocation_length,
    SharedFlag shared, bool free_on_destruct) {
+  DCHECK(IsValidBackingStorePointer(allocation_base));
  auto result = new BackingStore(allocation_base,               // start
                                 allocation_length,             // length
                                 allocation_length,             // max length
@ -757,6 +758,7 @@ std::unique_ptr<BackingStore> BackingStore::WrapAllocation(
    void* allocation_base, size_t allocation_length,
    v8::BackingStore::DeleterCallback deleter, void* deleter_data,
    SharedFlag shared) {
+  DCHECK(IsValidBackingStorePointer(allocation_base));
  bool is_empty_deleter = (deleter == v8::BackingStore::EmptyDeleter);
  auto result = new BackingStore(allocation_base,               // start
                                 allocation_length,             // length
--- a/src/objects/js-array-buffer-inl.h
+++ b/src/objects/js-array-buffer-inl.h
@ -43,7 +43,7 @@ DEF_GETTER(JSArrayBuffer, backing_store, void*) {
 }

 void JSArrayBuffer::set_backing_store(Isolate* isolate, void* value) {
-  DCHECK(isolate->IsValidBackingStorePointer(value));
+  DCHECK(IsValidBackingStorePointer(value));
  WriteField<Address>(kBackingStoreOffset, reinterpret_cast<Address>(value));
 }

@ -251,7 +251,7 @@ DEF_GETTER(JSTypedArray, external_pointer_raw, Address) {
 }

 void JSTypedArray::set_external_pointer(Isolate* isolate, Address value) {
-  DCHECK(isolate->IsValidBackingStorePointer(reinterpret_cast<void*>(value)));
+  DCHECK(IsValidBackingStorePointer(reinterpret_cast<void*>(value)));
  WriteField<Address>(kExternalPointerOffset, value);
 }

@ -376,7 +376,7 @@ DEF_GETTER(JSDataView, data_pointer, void*) {
 }

 void JSDataView::set_data_pointer(Isolate* isolate, void* value) {
-  DCHECK(isolate->IsValidBackingStorePointer(value));
+  DCHECK(IsValidBackingStorePointer(value));
  WriteField<Address>(kDataPointerOffset, reinterpret_cast<Address>(value));
 }

--- a/src/runtime/runtime-typedarray.cc
+++ b/src/runtime/runtime-typedarray.cc
@ -94,7 +94,7 @@ RUNTIME_FUNCTION(Runtime_TypedArraySortFast) {
  CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, array, 0);
  DCHECK(!array->WasDetached());

-#if V8_OS_LINUX
+#if MULTI_MAPPED_ALLOCATOR_AVAILABLE
  if (FLAG_multi_mapped_mock_allocator) {
    // Sorting is meaningless with the mock allocator, and std::sort
    // might crash (because aliasing elements violate its assumptions).
--- a/src/snapshot/mksnapshot.cc
+++ b/src/snapshot/mksnapshot.cc
@ -240,6 +240,11 @@ int main(int argc, char** argv) {
  v8::V8::InitializeICUDefaultLocation(argv[0]);
  std::unique_ptr<v8::Platform> platform = v8::platform::NewDefaultPlatform();
  v8::V8::InitializePlatform(platform.get());
+#ifdef V8_VIRTUAL_MEMORY_CAGE
+  if (!v8::V8::InitializeVirtualMemoryCage()) {
+    FATAL("Could not initialize the virtual memory cage");
+  }
+#endif
  v8::V8::Initialize();

  {
--- a/src/wasm/c-api.cc
+++ b/src/wasm/c-api.cc
@ -397,6 +397,11 @@ auto Engine::make(own<Config>&& config) -> own<Engine> {
  if (!engine) return own<Engine>();
  engine->platform = v8::platform::NewDefaultPlatform();
  v8::V8::InitializePlatform(engine->platform.get());
+#ifdef V8_VIRTUAL_MEMORY_CAGE
+  if (!v8::V8::InitializeVirtualMemoryCage()) {
+    FATAL("Could not initialize the virtual memory cage");
+  }
+#endif
  v8::V8::Initialize();
  return make_own(seal<Engine>(engine));
 }
--- a/test/cctest/test-api-array-buffer.cc
+++ b/test/cctest/test-api-array-buffer.cc
@ -336,8 +336,10 @@ THREADED_TEST(SkipArrayBufferBackingStoreDuringGC) {
  v8::Isolate* isolate = env->GetIsolate();
  v8::HandleScope handle_scope(isolate);

+  void* buffer = CcTest::array_buffer_allocator()->Allocate(100);
  // Make sure the pointer looks like a heap object
-  uint8_t* store_ptr = reinterpret_cast<uint8_t*>(i::kHeapObjectTag);
+  uintptr_t address = reinterpret_cast<uintptr_t>(buffer) | i::kHeapObjectTag;
+  void* store_ptr = reinterpret_cast<void*>(address);
  auto backing_store = v8::ArrayBuffer::NewBackingStore(
      store_ptr, 8, [](void*, size_t, void*) {}, nullptr);

@ -353,6 +355,8 @@ THREADED_TEST(SkipArrayBufferBackingStoreDuringGC) {

  // Should not move the pointer
  CHECK_EQ(ab->GetBackingStore()->Data(), store_ptr);
+
+  CcTest::array_buffer_allocator()->Free(buffer, 100);
 }

 THREADED_TEST(SkipArrayBufferDuringScavenge) {
@ -429,7 +433,7 @@ static void BackingStoreCustomDeleter(void* data, size_t length,
  CHECK_EQ(backing_store_custom_length, length);
  CHECK_EQ(backing_store_custom_deleter_data,
           reinterpret_cast<intptr_t>(deleter_data));
-  free(data);
+  CcTest::array_buffer_allocator()->Free(data, length);
  backing_store_custom_called = true;
 }

@ -437,7 +441,7 @@ TEST(ArrayBuffer_NewBackingStore_CustomDeleter) {
  {
    // Create and destroy a backing store.
    backing_store_custom_called = false;
-    backing_store_custom_data = malloc(100);
+    backing_store_custom_data = CcTest::array_buffer_allocator()->Allocate(100);
    backing_store_custom_length = 100;
    v8::ArrayBuffer::NewBackingStore(
        backing_store_custom_data, backing_store_custom_length,
@ -451,7 +455,7 @@ TEST(SharedArrayBuffer_NewBackingStore_CustomDeleter) {
  {
    // Create and destroy a backing store.
    backing_store_custom_called = false;
-    backing_store_custom_data = malloc(100);
+    backing_store_custom_data = CcTest::array_buffer_allocator()->Allocate(100);
    backing_store_custom_length = 100;
    v8::SharedArrayBuffer::NewBackingStore(
        backing_store_custom_data, backing_store_custom_length,
@ -465,9 +469,10 @@ TEST(ArrayBuffer_NewBackingStore_EmptyDeleter) {
  LocalContext env;
  v8::Isolate* isolate = env->GetIsolate();
  v8::HandleScope handle_scope(isolate);
-  char static_buffer[100];
+  size_t size = 100;
+  void* buffer = CcTest::array_buffer_allocator()->Allocate(size);
  std::unique_ptr<v8::BackingStore> backing_store =
-      v8::ArrayBuffer::NewBackingStore(static_buffer, sizeof(static_buffer),
+      v8::ArrayBuffer::NewBackingStore(buffer, size,
                                       v8::BackingStore::EmptyDeleter, nullptr);
  uint64_t external_memory_before =
      isolate->AdjustAmountOfExternalAllocatedMemory(0);
@ -477,17 +482,18 @@ TEST(ArrayBuffer_NewBackingStore_EmptyDeleter) {
  // The ArrayBuffer constructor does not increase the external memory counter.
  // The counter may decrease however if the allocation triggers GC.
  CHECK_GE(external_memory_before, external_memory_after);
+  CcTest::array_buffer_allocator()->Free(buffer, size);
 }

 TEST(SharedArrayBuffer_NewBackingStore_EmptyDeleter) {
  LocalContext env;
  v8::Isolate* isolate = env->GetIsolate();
  v8::HandleScope handle_scope(isolate);
-  char static_buffer[100];
+  size_t size = 100;
+  void* buffer = CcTest::array_buffer_allocator()->Allocate(size);
  std::unique_ptr<v8::BackingStore> backing_store =
      v8::SharedArrayBuffer::NewBackingStore(
-          static_buffer, sizeof(static_buffer), v8::BackingStore::EmptyDeleter,
-          nullptr);
+          buffer, size, v8::BackingStore::EmptyDeleter, nullptr);
  uint64_t external_memory_before =
      isolate->AdjustAmountOfExternalAllocatedMemory(0);
  v8::SharedArrayBuffer::New(isolate, std::move(backing_store));
@ -496,6 +502,7 @@ TEST(SharedArrayBuffer_NewBackingStore_EmptyDeleter) {
  // The SharedArrayBuffer constructor does not increase the external memory
  // counter. The counter may decrease however if the allocation triggers GC.
  CHECK_GE(external_memory_before, external_memory_after);
+  CcTest::array_buffer_allocator()->Free(buffer, size);
 }

 THREADED_TEST(BackingStore_NotShared) {
@ -506,7 +513,7 @@ THREADED_TEST(BackingStore_NotShared) {
  CHECK(!ab->GetBackingStore()->IsShared());
  CHECK(!v8::ArrayBuffer::NewBackingStore(isolate, 8)->IsShared());
  backing_store_custom_called = false;
-  backing_store_custom_data = malloc(100);
+  backing_store_custom_data = CcTest::array_buffer_allocator()->Allocate(100);
  backing_store_custom_length = 100;
  CHECK(!v8::ArrayBuffer::NewBackingStore(
             backing_store_custom_data, backing_store_custom_length,
@ -523,7 +530,7 @@ THREADED_TEST(BackingStore_Shared) {
  CHECK(ab->GetBackingStore()->IsShared());
  CHECK(v8::SharedArrayBuffer::NewBackingStore(isolate, 8)->IsShared());
  backing_store_custom_called = false;
-  backing_store_custom_data = malloc(100);
+  backing_store_custom_data = CcTest::array_buffer_allocator()->Allocate(100);
  backing_store_custom_length = 100;
  CHECK(v8::SharedArrayBuffer::NewBackingStore(
            backing_store_custom_data, backing_store_custom_length,
--- a/test/fuzzer/fuzzer-support.cc
+++ b/test/fuzzer/fuzzer-support.cc
@ -23,6 +23,11 @@ FuzzerSupport::FuzzerSupport(int* argc, char*** argv) {
  v8::V8::InitializeExternalStartupData((*argv)[0]);
  platform_ = v8::platform::NewDefaultPlatform();
  v8::V8::InitializePlatform(platform_.get());
+#ifdef V8_VIRTUAL_MEMORY_CAGE
+  if (!v8::V8::InitializeVirtualMemoryCage()) {
+    FATAL("Could not initialize the virtual memory cage");
+  }
+#endif
  v8::V8::Initialize();

  allocator_ = v8::ArrayBuffer::Allocator::NewDefaultAllocator();
--- a/test/inspector/inspector-test.cc
+++ b/test/inspector/inspector-test.cc
@ -750,6 +750,11 @@ int InspectorTestMain(int argc, char* argv[]) {
  v8::V8::InitializeICUDefaultLocation(argv[0]);
  std::unique_ptr<Platform> platform(platform::NewDefaultPlatform());
  v8::V8::InitializePlatform(platform.get());
+#ifdef V8_VIRTUAL_MEMORY_CAGE
+  if (!v8::V8::InitializeVirtualMemoryCage()) {
+    FATAL("Could not initialize the virtual memory cage");
+  }
+#endif
  FLAG_abort_on_contradictory_flags = true;
  v8::V8::SetFlagsFromCommandLine(&argc, argv, true);
  v8::V8::InitializeExternalStartupData(argv[0]);
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@ -1281,8 +1281,9 @@
 }], # arch not in (x64, ia32, arm64, arm)

 ##############################################################################
-['system != linux', {
-  # Multi-mapped mock allocator is only available on Linux.
+['system != linux or virtual_memory_cage == True', {
+  # Multi-mapped mock allocator is only available on Linux, and only if the
+  # virtual memory cage is not enabled.
  'regress/regress-crbug-1041232': [SKIP],
  'regress/regress-crbug-1104608': [SKIP],
 }],
--- a/test/mkgrokdump/mkgrokdump.cc
+++ b/test/mkgrokdump/mkgrokdump.cc
@ -114,6 +114,11 @@ static int DumpHeapConstants(FILE* out, const char* argv0) {
  // Start up V8.
  std::unique_ptr<v8::Platform> platform = v8::platform::NewDefaultPlatform();
  v8::V8::InitializePlatform(platform.get());
+#ifdef V8_VIRTUAL_MEMORY_CAGE
+  if (!v8::V8::InitializeVirtualMemoryCage()) {
+    FATAL("Could not initialize the virtual memory cage");
+  }
+#endif
  v8::V8::Initialize();
  v8::V8::InitializeExternalStartupData(argv0);
  Isolate::CreateParams create_params;
--- a/test/unittests/objects/value-serializer-unittest.cc
+++ b/test/unittests/objects/value-serializer-unittest.cc
@ -268,12 +268,9 @@ class ValueSerializerTest : public TestWithIsolate {
  }

  Local<Object> NewDummyUint8Array() {
-    static uint8_t data[] = {4, 5, 6};
-    std::unique_ptr<v8::BackingStore> backing_store =
-        ArrayBuffer::NewBackingStore(
-            data, sizeof(data), [](void*, size_t, void*) {}, nullptr);
-    Local<ArrayBuffer> ab =
-        ArrayBuffer::New(isolate(), std::move(backing_store));
+    const uint8_t data[] = {4, 5, 6};
+    Local<ArrayBuffer> ab = ArrayBuffer::New(isolate(), sizeof(data));
+    memcpy(ab->GetBackingStore()->Data(), data, sizeof(data));
    return Uint8Array::New(ab, 0, sizeof(data));
  }

@ -2066,15 +2063,9 @@ class ValueSerializerTestWithSharedArrayBufferClone
 #endif  // V8_ENABLE_WEBASSEMBLY

    CHECK(!is_wasm_memory);
-    std::unique_ptr<v8::BackingStore> backing_store =
-        SharedArrayBuffer::NewBackingStore(
-            data, byte_length,
-            [](void*, size_t, void*) {
-              // Leak the buffer as it has the
-              // lifetime of the test.
-            },
-            nullptr);
-    return SharedArrayBuffer::New(isolate(), std::move(backing_store));
+    auto sab = SharedArrayBuffer::New(isolate(), byte_length);
+    memcpy(sab->GetBackingStore()->Data(), data, byte_length);
+    return sab;
  }

  static void SetUpTestCase() {
--- a/test/unittests/run-all-unittests.cc
+++ b/test/unittests/run-all-unittests.cc
@ -21,6 +21,9 @@ class DefaultPlatformEnvironment final : public ::testing::Environment {
        0, v8::platform::IdleTaskSupport::kEnabled);
    ASSERT_TRUE(platform_.get() != nullptr);
    v8::V8::InitializePlatform(platform_.get());
+#ifdef V8_VIRTUAL_MEMORY_CAGE
+    ASSERT_TRUE(v8::V8::InitializeVirtualMemoryCage());
+#endif
    cppgc::InitializeProcess(platform_->GetPageAllocator());
    ASSERT_TRUE(v8::V8::Initialize());
  }
--- a/tools/testrunner/base_runner.py
+++ b/tools/testrunner/base_runner.py
@ -192,6 +192,7 @@ class BuildConfig(object):
    self.lite_mode = build_config['v8_enable_lite_mode']
    self.pointer_compression = build_config['v8_enable_pointer_compression']
    self.pointer_compression_shared_cage = build_config['v8_enable_pointer_compression_shared_cage']
+    self.virtual_memory_cage = build_config['v8_enable_virtual_memory_cage']
    self.third_party_heap = build_config['v8_enable_third_party_heap']
    self.webassembly = build_config['v8_enable_webassembly']
    # Export only for MIPS target
@ -235,6 +236,8 @@ class BuildConfig(object):
      detected_options.append('pointer_compression')
    if self.pointer_compression_shared_cage:
      detected_options.append('pointer_compression_shared_cage')
+    if self.virtual_memory_cage:
+      detected_options.append('virtual_memory_cage')
    if self.third_party_heap:
      detected_options.append('third_party_heap')
    if self.webassembly:
@ -730,6 +733,7 @@ class BaseTestRunner(object):
      "lite_mode": self.build_config.lite_mode,
      "pointer_compression": self.build_config.pointer_compression,
      "pointer_compression_shared_cage": self.build_config.pointer_compression_shared_cage,
+      "virtual_memory_cage": self.build_config.virtual_memory_cage,
    }

  def _runner_flags(self):
--- a/tools/unittests/run_tests_test.py
+++ b/tools/unittests/run_tests_test.py
@ -350,7 +350,8 @@ class SystemTest(unittest.TestCase):
          v8_enable_i18n_support=False, v8_target_cpu='x86',
          v8_enable_verify_csa=False, v8_enable_lite_mode=False,
          v8_enable_pointer_compression=False,
-          v8_enable_pointer_compression_shared_cage=False)
+          v8_enable_pointer_compression_shared_cage=False,
+          v8_enable_virtual_memory_cage=False)
      result = run_tests(
          basedir,
          '--progress=verbose',
--- a/tools/unittests/testdata/testroot1/v8_build_config.json
+++ b/tools/unittests/testdata/testroot1/v8_build_config.json
@ -22,6 +22,7 @@
  "v8_enable_lite_mode": false,
  "v8_enable_pointer_compression": true,
  "v8_enable_pointer_compression_shared_cage": true,
+  "v8_enable_virtual_memory_cage": false,
  "v8_control_flow_integrity": false,
  "v8_enable_single_generation": false,
  "v8_enable_third_party_heap": false,
--- a/tools/unittests/testdata/testroot2/v8_build_config.json
+++ b/tools/unittests/testdata/testroot2/v8_build_config.json
@ -22,6 +22,7 @@
  "v8_enable_lite_mode": false,
  "v8_enable_pointer_compression": false,
  "v8_enable_pointer_compression_shared_cage": false,
+  "v8_enable_virtual_memory_cage": false,
  "v8_control_flow_integrity": false,
  "v8_enable_single_generation": false,
  "v8_enable_third_party_heap": false,
--- a/tools/unittests/testdata/testroot3/v8_build_config.json
+++ b/tools/unittests/testdata/testroot3/v8_build_config.json
@ -22,6 +22,7 @@
  "v8_enable_lite_mode": false,
  "v8_enable_pointer_compression": true,
  "v8_enable_pointer_compression_shared_cage": true,
+  "v8_enable_virtual_memory_cage": false,
  "v8_control_flow_integrity": false,
  "v8_enable_single_generation": false,
  "v8_enable_third_party_heap": false,