Commit Graph

159 Commits

Author SHA1 Message Date
Michael Lippautz
b5485fd81f [handles] TracedHandles: Rely on AllocateAtLeast()
Use AllocateAtLeast() to create a TracedNodeBlock. In todays Blink
this increases capacity from 256 to 284, reducing memory and
preserving the fast path longer.

Limit capacity to '1' for ASAN builds to flush out UAFs.

Bug: v8:13372
Change-Id: Iaa0ca940b59ed58015fcb768b851e6054ac7e152
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3999730
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84131}
2022-11-08 18:40:37 +00:00
Michael Lippautz
c23bc72c83 [handles] Split off traced handles from regular global handles
v8::TracedReference and their underlying traced handles are not
actually phantom references but have been historically represented as
such. This patch splits off their backing implementaton into
`TracedHandles`.

As a drive-by, re-organize the free list to rely on indices instead of
pointers, saving a full word for each node. In additon, the setup also
allows for freeing fully empty node blocks after GCs.

Allocation/free of nodes is also organized in a way that avoids
jumping between handles/blocks/nodes for accounting purposes.

Removing CRTP in GlobalHandle internals is left for a follow up.

Bug: v8:13372
Change-Id: Ib55aa9ba71202d5918b486c161fe6f747d31c719
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3966952
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83872}
2022-10-24 10:04:08 +00:00
Samuel Groß
e9775165b6 [sandbox] Introduce BoundedSize
A BoundedSize is just a regular size_t when the sandbox is disabled.
However, when the sandbox is enabled, a BoundedLength is guaranteed to
be in the range [0, kMaxSafeBufferSizeForSandbox]. This is (currently)
achieved by storing the length shifted to the left, then right-shifting
it when loading it. This guarantees that the top bits are zero.

BoundedSizes are used to ensure safe access to variable-sized buffers,
in particular ArrayBuffers and their views, located inside the sandbox.
If a full size_t is used to represent their size, it may allow an
attacker to "reach out of" the sandbox address space by setting the
length to a very large value. A BoundedSize prevents this.

Bug: chromium:1360375
Change-Id: I0579693db528af96c41eeaa64bd3ed71266aacd9
Cq-Include-Trybots: luci.v8.try.triggered:v8_linux64_no_sandbox_dbg_ng_triggered
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3876823
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83631}
2022-10-11 13:43:43 +00:00
Samuel Groß
3285ad9ea4 Reland "[sandbox] Increase ExternalPointerTable maximum capacity to 512MB"
This is a reland of commit d7fcbba80e

The LSan support logic of the ExternalPointerTable has been optimized to
avoid timeouts on sanitizer bots

Original change's description:
> [sandbox] Increase ExternalPointerTable maximum capacity to 512MB
>
> Bug: v8:10391
> Change-Id: I383e11bdccf6fcaf13f29d25e1404545067d313e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891249
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83203}

Bug: v8:10391
Change-Id: If50156d6fecff7ca8ece5c350e7b08936f50daa6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905141
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83322}
2022-09-20 10:36:02 +00:00
Leszek Swirski
9e65a05049 Revert "[sandbox] Increase ExternalPointerTable maximum capacity to 512MB"
This reverts commit d7fcbba80e.

Reason for revert: Speculatively reverting because of blocked roll

Original change's description:
> [sandbox] Increase ExternalPointerTable maximum capacity to 512MB
>
> Bug: v8:10391
> Change-Id: I383e11bdccf6fcaf13f29d25e1404545067d313e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891249
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83203}

Bug: v8:10391
Change-Id: Id3a374a1f87a6ec3889d2e81d169ad004744ca99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904605
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83305}
2022-09-19 14:37:42 +00:00
Samuel Groß
d7fcbba80e [sandbox] Increase ExternalPointerTable maximum capacity to 512MB
Bug: v8:10391
Change-Id: I383e11bdccf6fcaf13f29d25e1404545067d313e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891249
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83203}
2022-09-14 19:35:38 +00:00
Samuel Groß
7e4ee6862e [sandbox] Introduce ExternalPointerTable::Freelist
This struct represents the freelist of an ExternalPointerTable and
contains both the size and the head of the freelist. It is encoded and
stored as a single Atomic64 field (freelist_) inside the
ExternalPointerTable class. This ensures that the freelist head and size
are always synchronized.

Previously, the freelist size was encoded in freelist entries in the top
bits. This only works as long as the maximum table size is relatively
small however, as it requires both the freelist size and the index of
the next entry on the list to fit into 24 bits. To allow for bigger
maximum table sizes in the future, this CL moves the freelist size
directly into the table as part of the freelist_ field.

Bug: v8:10391
Change-Id: Id09c9b28d09d79b704ac47e6566029cfb209ecd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891256
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83193}
2022-09-14 13:57:23 +00:00
Hao Xu
e1dbe835d7 [csa][codegen] Optimize IsStrong/IsWeakOrCleared
The way to determine whether a MaybeObject is a strong or weak
reference to the heap object is to check its lowest two bits.
However, if the MaybeObject is known to not be a smi, that is, the
lowest bit is known to be 1, we can check one bit instead. This
allows Turbofan to select better instructions:

x64:

  Before:
    movl r9,r11
    andl r9,0x3
    cmpb r9l,0x1

  After:
    testb r11,0x2

arm64:

  Before:
    and w8, w7, #0x3
    cmp w8, #0x1 (1)
    b.ne #+0x320

  After:
    tbnz w7, #1, #+0x320

Change-Id: I03623183406ad7d920c96a752651e0116a22832e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3861310
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83153}
2022-09-13 09:25:25 +00:00
Samuel Groß
0e2dbaac6b Reland "[sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX"
This is a reland of commit 49c5967830

The non-deterministic snapshot issue has been fixed by using the correct
field size for CodeDataContainers in serializer.cc.

Original change's description:
> [sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX
>
> Now that all external pointers have been sandboxed,
> V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
> shrinks external pointer slots to 32 bits when the sandbox is enabled.
>
> Bug: v8:10391
> Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83083}

Bug: v8:10391
Change-Id: I29870404406902d99ba6016c570cc0c4d05c6c85
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3887899
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83130}
2022-09-12 11:48:02 +00:00
Matthias Liedtke
6852c402e7 Revert "[sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX"
This reverts commit 49c5967830.

Reason for revert: The change is suspected to be breaking chromium's determinism test: https://ci.chromium.org/ui/p/chromium/builders/ci/Deterministic%20Linux/35003/overview

Original change's description:
> [sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX
>
> Now that all external pointers have been sandboxed,
> V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
> shrinks external pointer slots to 32 bits when the sandbox is enabled.
>
> Bug: v8:10391
> Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83083}

Bug: v8:10391
Change-Id: I515ba771aa21f58b752a3a5b36b4deb2abc5f9c0
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3886870
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83111}
2022-09-09 13:55:35 +00:00
Samuel Groß
49c5967830 [sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX
Now that all external pointers have been sandboxed,
V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
shrinks external pointer slots to 32 bits when the sandbox is enabled.

Bug: v8:10391
Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83083}
2022-09-08 15:25:30 +00:00
Samuel Groß
8137040c3a Reland "[sandbox] Sandboxify ExternalString external pointers"
This is a reland of commit e7bf81100a

Shared string GC issues have been fixed in https://crrev.com/c/3875028

Original change's description:
> [sandbox] Sandboxify ExternalString external pointers
>
> Bug: v8:10391
> Change-Id: I0f737e5adf6e4fd24f93436fa5680ff20c1536da
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757901
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82958}

Bug: v8:10391
Change-Id: I555498973dc9d5dcc4163b3b1258e41d7148e2d5
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872273
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83026}
2022-09-07 12:15:46 +00:00
Matthias Liedtke
271bd0866f Revert "[sandbox] Sandboxify ExternalString external pointers"
This reverts commit e7bf81100a.

Reason for revert: Failing TSAN runs

Original change's description:
> [sandbox] Sandboxify ExternalString external pointers
>
> Bug: v8:10391
> Change-Id: I0f737e5adf6e4fd24f93436fa5680ff20c1536da
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757901
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82958}

Bug: v8:10391
Change-Id: I384d49016b9494655866339a21dab60d451158a7
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872271
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82963}
2022-09-05 09:47:24 +00:00
Samuel Groß
e7bf81100a [sandbox] Sandboxify ExternalString external pointers
Bug: v8:10391
Change-Id: I0f737e5adf6e4fd24f93436fa5680ff20c1536da
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757901
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82958}
2022-09-05 07:32:39 +00:00
Samuel Groß
a27a527b75 [sandbox] Sandboxify Foreign external pointers
Bug: v8:10391
Change-Id: I567f94800119a9afd3f684134a6f4885026f813e
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859347
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82866}
2022-08-31 12:42:38 +00:00
Michael Lippautz
881fc0496c [cppgc, cppgc-js] Implement GC on allocation failure
So far Oilpan garbage collection was only ever triggered via growing
strategies in either V8 or stand-alone heap growing. This CL
implements a fallback for GC on allocation.

- Stand-alone implementation will defer to GCInvoker which is aware of
  stack support.
- CppHeap implementation will just trigger a full V8 GC.

Bug: chromium:1352649
Change-Id: If92f705b4e272290ca7022864fd7b90f0fcb809e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865148
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82844}
2022-08-30 19:36:18 +00:00
Samuel Groß
d843cda769 [sandbox] Move ExternalPointerTable entry logic into new Entry class
This CL introduces a new ExternalPointerTable::Entry class and moves all
low-level logic related to entry management into this class.

Bug: v8:10391
Change-Id: Ib7eb05da1d277cb665503e98b3f074520e572bad
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829485
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82825}
2022-08-30 14:24:54 +00:00
Samuel Groß
a94048877d [sandbox] Unsandboxify CodeEntryPoint
For code pointers, the sandbox will require a custom, lightweight CFI
mechanism (likely based on the external pointer table). Simply turning
all code pointers into ExternalPointers is not sufficient.
This CL therefore turns code pointers back into raw pointers for now so
that they don't block the external pointer table rollout.

Bug: v8:10391
Change-Id: Ib2ba246be546bbf19fcd0f4ae20f4e9a2cf2e099
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859348
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82775}
2022-08-29 13:12:36 +00:00
Igor Sheludko
8a56da4459 [builtins][masm] Move hot flags to the beginning of IsolateData
... so that the offset fits into the maximum offset for load byte
instruction for arm/arm64 (Ldrb) in order to produce smaller code.

Update code generation so that the loading of the flag value is
combined with the comparison operation where possible.

Additionally, this CL moves the Isolate::is_profiling flag to the
IsolateData so that it can be loaded directly via roots register which
removes one indirection.

The fields moved in the IsolateData:
 - is_marking_flag and is_minor_marking_flag (checked by write barriers)
 - is_profiling (checked on API callbacks/getter calls)
 - stack_is_iterable (not super hot, checked during deoptimization).

Drive-by: this CL defines the bool fields as uint8_t in order to make
the field size expectations clear.

Bug: v8:11880
Change-Id: I80c292c6ec919861684152b6062225aa0fda2d3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856580
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82771}
2022-08-29 11:22:56 +00:00
Samuel Groß
e710981f3a Reland "Reland "[sandbox] Sandboxify EmbedderDataSlots""
This is a reland of commit eca383c947

More DCHECK failures have been fixed with https://crrev.com/c/3857423

Original change's description:
> Reland "[sandbox] Sandboxify EmbedderDataSlots"
>
> This is a reland of commit e1f585ed94
>
> ExternalPointerTable issues have been fixed in
> https://crrev.com/c/3849650 and https://crrev.com/c/3849376
>
> Original change's description:
> > [sandbox] Sandboxify EmbedderDataSlots
> >
> > Bug: v8:10391
> > Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72
> > Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Commit-Queue: Samuel Groß <saelo@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#82623}
>
> Bug: v8:10391
> Change-Id: If77f6c10e81c30c2dfa6b33c788bc4a36e4da135
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852602
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82686}

Bug: v8:10391
Change-Id: Id982c022e50004e903851b160d30fc8767280e5b
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854679
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82767}
2022-08-29 10:02:45 +00:00
Samuel Groß
a9dcb35e7d Revert "Reland "[sandbox] Sandboxify EmbedderDataSlots""
This reverts commit eca383c947.

Reason for revert: Still seeing DCHECK failures in SweepAndCompact

Original change's description:
> Reland "[sandbox] Sandboxify EmbedderDataSlots"
>
> This is a reland of commit e1f585ed94
>
> ExternalPointerTable issues have been fixed in
> https://crrev.com/c/3849650 and https://crrev.com/c/3849376
>
> Original change's description:
> > [sandbox] Sandboxify EmbedderDataSlots
> >
> > Bug: v8:10391
> > Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72
> > Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Commit-Queue: Samuel Groß <saelo@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#82623}
>
> Bug: v8:10391
> Change-Id: If77f6c10e81c30c2dfa6b33c788bc4a36e4da135
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852602
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82686}

Bug: v8:10391
Change-Id: Icaa1ff64cabd1bb2f19d9b019eac0ca98e528eb6
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854677
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82698}
2022-08-24 15:22:50 +00:00
Samuel Groß
eca383c947 Reland "[sandbox] Sandboxify EmbedderDataSlots"
This is a reland of commit e1f585ed94

ExternalPointerTable issues have been fixed in
https://crrev.com/c/3849650 and https://crrev.com/c/3849376

Original change's description:
> [sandbox] Sandboxify EmbedderDataSlots
>
> Bug: v8:10391
> Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82623}

Bug: v8:10391
Change-Id: If77f6c10e81c30c2dfa6b33c788bc4a36e4da135
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852602
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82686}
2022-08-24 11:18:32 +00:00
Leszek Swirski
d30ba748a7 Revert "[sandbox] Sandboxify EmbedderDataSlots"
This reverts commit e1f585ed94.

Reason for revert: GPU bot issues on roll (https://ci.chromium.org/ui/p/chromium/builders/try/linux_optional_gpu_tests_rel/87951/overview)

Original change's description:
> [sandbox] Sandboxify EmbedderDataSlots
>
> Bug: v8:10391
> Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82623}

Bug: v8:10391, chromium:1355640
Change-Id: Iaba70796de18d5f3b3dc74cf068943093c0bf567
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3850722
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82672}
2022-08-23 17:14:39 +00:00
ishell@chromium.org
134ca75cd3 [runtime] Merge redirected and non-redirected callback fields
Namely:
 - AccessorInfo::getter and AccessorInfo::js_getter,
 - CallHandlerInfo::callback and CallHandlerInfo::js_callback.

The redirected/non-redirected callback distinction is required only
for simulated builds but we wasted memory also for all native builds.

Now we store these fields in "redirected" form which allows us to call
them directly from builtins or generated code. In case it's necessary
to call a callback from C++ code the C function address is read from
the redirection. This additional indirection makes the callback calls
from C++ code in simulated builds slower but saves memory for native
builds.

This CL should recover a part of memory regression caused by inlining
Foreign fields into AccessorInfo and CallHandlerInfo.

Bug: v8:12949, chromium:1336105, chromium:1335930
Change-Id: I38470ed21ee23b281247c11a9531542c7e4acca1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3835686
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82631}
2022-08-22 18:01:48 +00:00
Samuel Groß
e1f585ed94 [sandbox] Sandboxify EmbedderDataSlots
Bug: v8:10391
Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82623}
2022-08-22 13:08:38 +00:00
Samuel Groß
5015c4ea74 Reland "[sandbox] Sandboxify WasmExportedFunctionData::sig"
This is a reland of commit 6ec7be21e6

The issues that caused the CL to be reverted appear to be unrelated
to this change as they still occurred after the revert.

Original change's description:
> [sandbox] Sandboxify WasmExportedFunctionData::sig
>
> This CL changes the WasmExportedFunctionData class to store a direct
> ExternalPointer to the wasm::FunctionSig instead of referencing it
> through a Foreign. This in turn makes it possible to use a unique
> pointer tag for that external pointer when the sandbox is enabled.
>
> Drive-by: move WasmInternalFunction::call_target external pointer to the
> end of the object, in line with other external pointer fields.
>
> Bug: v8:10391, v8:12949
> Change-Id: Ic3ff622a075c9eaa2f8d8835803437466290c928
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829086
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82523}

Bug: v8:10391, v8:12949
Change-Id: I108810ce86b95289dfb6d6377535813deac79a9f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3838109
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82565}
2022-08-18 14:41:01 +00:00
Nico Hartmann
d8b8024e92 Revert "[sandbox] Sandboxify WasmExportedFunctionData::sig"
This reverts commit 6ec7be21e6.

Reason for revert: Speculative revert for https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win64/47984/overview

Original change's description:
> [sandbox] Sandboxify WasmExportedFunctionData::sig
>
> This CL changes the WasmExportedFunctionData class to store a direct
> ExternalPointer to the wasm::FunctionSig instead of referencing it
> through a Foreign. This in turn makes it possible to use a unique
> pointer tag for that external pointer when the sandbox is enabled.
>
> Drive-by: move WasmInternalFunction::call_target external pointer to the
> end of the object, in line with other external pointer fields.
>
> Bug: v8:10391, v8:12949
> Change-Id: Ic3ff622a075c9eaa2f8d8835803437466290c928
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829086
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82523}

Bug: v8:10391, v8:12949
Change-Id: I18a7c9603e30d7cd78fd599e59596015260a5818
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3834259
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82535}
2022-08-17 15:28:18 +00:00
Samuel Groß
6ec7be21e6 [sandbox] Sandboxify WasmExportedFunctionData::sig
This CL changes the WasmExportedFunctionData class to store a direct
ExternalPointer to the wasm::FunctionSig instead of referencing it
through a Foreign. This in turn makes it possible to use a unique
pointer tag for that external pointer when the sandbox is enabled.

Drive-by: move WasmInternalFunction::call_target external pointer to the
end of the object, in line with other external pointer fields.

Bug: v8:10391, v8:12949
Change-Id: Ic3ff622a075c9eaa2f8d8835803437466290c928
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829086
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82523}
2022-08-17 12:30:39 +00:00
Samuel Groß
f1033c43b7 [sandbox] Sandboxify WasmTypeInfo
This CL changes the WasmTypeInfo class to have a direct ExternalPointer
to the native type structure instead of using a Foreign. This in turn
makes it possible to use a unique pointer tag for that external pointer
when the sandbox is enabled.

Bug: v8:10391, v8:12949
Change-Id: Ifee4d2103cabfa6a7299d0d09e06d387034e5f8f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829085
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82504}
2022-08-16 20:03:47 +00:00
Samuel Groß
76d7448925 [sandbox] Implement external pointer table compaction
The external pointer table is already to some degree self-compacting: as
the freelist is sorted in ascending order, free entries at the start of
the table should quickly fill up. However, any live entry at the end of
the table makes it impossible to shrink the table, thereby causing
higher memory consumption. To solve this, this CL implements a simple
table compaction algorithm, used when the freelist has become
sufficiently large (currently >= 10% of the table capacity):
 - The goal of the algorithm is to shrink the table by freelist_size/2
   entries at the end of compaction (during sweeping).
 - At the start of the marking phase, the compaction area is computed as
   roughly [capacity - freelist_size/2, capacity).
 - When an entry is marked as alive that lies inside the compaction
   area, a new "relocation entry" is allocated for it from the freelist
   and the address of the handle for that entry is stored in that entry.
   If there are no more free entries before the compaction area,
   compaction is aborted. This is expected to happen rarely and is
   logged into a histogram.
 - During sweeping, all relocation entries are "resolved": the content
   of the old entry is copied into the new entry and the handle is
   updated to point to the new entry.
 - Finally, the table is shrunk and the last initial_freelist_size/2
   entries are decommitted.

See also the comments in the ExternalPointerTable class for more details.

Bug: v8:10391
Change-Id: I28d475c3596590e860421f0a054e2ad4dbebd487
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3794645
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82484}
2022-08-16 10:46:27 +00:00
Samuel Groß
0195a5c9a9 [sandbox] Refactor and sandboxify WasmContinuationObject::jmpbuf
This CL refactors WasmContinuationObject to have a direct
ExternalPointer to the jmpbuf structure instead of using a Foreign.
This in turn makes it possible to use a unique pointer tag for that
external pointer when the sandbox is enabled.

Bug: v8:10391, v8:12949
Change-Id: I25528bd8aaffb32dd617440d3ccb77d319894a38
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3805061
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82238}
2022-08-05 22:38:29 +00:00
Samuel Groß
c047160656 [sandbox] Sandboxify CallHandlerInfo external pointers
Bug: v8:10391
Change-Id: I7f1b69b1fe41507e4eb72a35b4c143a970cc2f74
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3788205
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82149}
2022-08-02 16:32:03 +00:00
Nico Weber
d15d49b09d Make bitfields only as wide as necessary for enums
clang now complains when a BitField for an enum is too wide.
We could suppress this, but it seems kind of useful from an
uninformed distance, so I made a few bitfields smaller instead.

(For AddressingMode, since its size is target-dependent, I added
an explicit underlying type to the enum instead, which suppresses
the diag on a per-enum basis.)

This is without any understanding of the code I'm touching.
Especially the change in v8-internal.h feels a bit risky to me.

Bug: chromium:1348574
Change-Id: I73395de593045036b72dadf4e3147b5f7e13c958
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3794708
Commit-Queue: Nico Weber <thakis@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Auto-Submit: Nico Weber <thakis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82109}
2022-08-01 15:09:04 +00:00
Samuel Groß
7586dc7910 [sandbox] Sandboxify AccessorInfo external pointers
Bug: v8:10391
Change-Id: I18745b415962e08fada5c0b9466a0d7e66a84a12
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757339
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81999}
2022-07-27 12:22:48 +00:00
Samuel Groß
31e53c28e0 Reland "[sandbox] Sandboxify JSExternalObject external pointer"
This is a reland of commit efac35f3b8

The LSan issues have been fixed in https://crrev.com/c/3779915

Original change's description:
> [sandbox] Sandboxify JSExternalObject external pointer
>
> Bug: v8:10391
> Change-Id: I6075a8fe3c201f9221149e0c54edf4fb191088da
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757342
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81924}

Bug: v8:10391
Change-Id: I954520ee324c9aa4c4ccc4941ae30d19676be2ba
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780501
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81978}
2022-07-26 21:36:57 +00:00
Shu-yu Guo
2679a36ea9 [sandbox] Make external ptr table usable under pointer compression
This CL moves the external pointer table out of V8_ENABLE_SANDBOX and
into V8_COMPRESS_POINTERS. The external pointer table is also useful
even when not sandboxing external pointers to ease alignment
requirements under pointer compression.

It is onerous for the allocator to support non-tagged-size alignment.
Under pointer compression, tagged is 4 bytes while system pointers are
8 bytes. Because external pointer table indices are 4-bytes, fields that
require natural alignment (e.g. the state field in JSAtomicsMutex) when
the system pointer size is 8-bytes can use an indirection via the
pointer table to ease the alignment restriction back to 4-bytes under
pointer compression.

Bug: v8:10391
Change-Id: Iac1200e40c987128cd6a227cd279ba4dac0e5c56
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3783076
Reviewed-by: Samuel Groß <saelo@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81977}
2022-07-26 21:10:47 +00:00
Samuel Groß
42af5dcd82 [sandbox] Sandboxify NativeContext::microtask_queue external pointer
Bug: v8:10391
Change-Id: I4e7d4937ac4c6332da3c63c9e8c15e75fa951f2f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757343
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81973}
2022-07-26 15:23:27 +00:00
Samuel Groß
2eb73988a3 [sandbox] Refactor and sandboxify WasmInternalFunction::call_target
This CL refactors WasmInternalFunction to no longer inherit from Foreign
but instead contain a (sandboxed) ExternalPointer field for the call target.

Bug: v8:10391
Change-Id: Iaaf25e635a275d7570e09699be3c8dec6108d4b3
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3782675
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81957}
2022-07-26 09:47:23 +00:00
Samuel Groß
0c1f779c1b Revert "[sandbox] Sandboxify JSExternalObject external pointer"
This reverts commit efac35f3b8.

Reason for revert: Seems to be causing memory leaks: https://ci.chromium.org/ui/p/chromium/builders/try/linux_chromium_asan_rel_ng/1234545/overview

Original change's description:
> [sandbox] Sandboxify JSExternalObject external pointer
>
> Bug: v8:10391
> Change-Id: I6075a8fe3c201f9221149e0c54edf4fb191088da
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757342
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81924}

Bug: v8:10391
Change-Id: I8cd64fd0a85182781b04cd1e4619b69dfa512210
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780497
Auto-Submit: Samuel Groß <saelo@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81948}
2022-07-26 07:46:36 +00:00
Samuel Groß
efac35f3b8 [sandbox] Sandboxify JSExternalObject external pointer
Bug: v8:10391
Change-Id: I6075a8fe3c201f9221149e0c54edf4fb191088da
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757342
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81924}
2022-07-25 13:15:46 +00:00
Samuel Groß
e0b5a83f53 [sandbox] Switch to 8-bit external pointer type tags
Due to top-byte ignore (TBI) in Arm64, only bits [48, 56) can be used
for type tags as otherwise type-check failures may go unnoticed if they
only leave bits in the top byte set. This CL therefore switches the
external pointer tagging scheme to use 8-bit tags.

Bug: v8:10391
Change-Id: Ia1f379ebc1bbda4117785d2dc119bc8dfa358711
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3776688
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81913}
2022-07-25 10:09:26 +00:00
Samuel Groß
f3737bbb12 [sandbox] Initialize sandbox during V8::Initialize
As sandboxed pointers are now default-enabled when the sandbox is
enabled, it is no longer possible to deactivate the sandbox at runtime.
This CL therefore removes all the logic that was required to support a
sandbox that could be disabled at runtime, moves the initialization of
the sandbox into V8::Initialize, and deprecates V8::InitializeSandbox.

This change also makes the sandbox initialization deterministic if
FLAG_random_seed is supplied.

Bug: v8:10391
Change-Id: Ibd49f7c251b7c58c642f18a551ecc2c391740970
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3762583
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81746}
2022-07-15 09:29:32 +00:00
Samuel Groß
c360a25013 Revert "[sandbox] Sandboxify Foreign external pointer"
This reverts commit 543b54da66.

Reason for revert: Causes crashes on Android due to TBI: https://crbug.com/chromium/1344581

Original change's description:
> [sandbox] Sandboxify Foreign external pointer
>
> Bug: v8:10391
> Change-Id: I4c5c209454db316fe86f379f6b2e6dfc7ba7754e
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757340
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81703}

Bug: v8:10391
Change-Id: I88899def209c592cd353dd4ed81003f1bbb7a760
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3764440
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81731}
2022-07-14 20:41:39 +00:00
Samuel Groß
df2fc0725e [sandbox] Always use a constant sandbox size
As sandboxed pointers assume a constant sandbox size (they are
essentially n-bit offsets), it is no longer useful to be able to create
smaller sandboxes. This CL simplifies the sandbox initialization logic
accordingly and adds CHECKS to ensure a fixed-size sandbox is created.

Bug: v8:10391
Change-Id: I6541ab769001e60c0256d3a719f926128a0a20b0
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647684
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81720}
2022-07-14 13:21:04 +00:00
Samuel Groß
543b54da66 [sandbox] Sandboxify Foreign external pointer
Bug: v8:10391
Change-Id: I4c5c209454db316fe86f379f6b2e6dfc7ba7754e
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757340
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81703}
2022-07-13 21:04:14 +00:00
Samuel Groß
8a59678b83 [sandbox] Prepare ExternalPointerTable rollout
This CL does the following:
- It enables (i.e. allocates and initializes) the per-Isolate
  ExternalPointerTable when the sandbox is enabled.
- It refactors the list of external pointer tags to mark them as
  "sandboxed" or "unsandboxed". An unsandboxed external pointer has a
  null tag.
- It changes V8_SANDBOXED_EXTERNAL_POINTERS to now essentially just
  enable sandboxing for all available tags.
- It modifies all low-level external pointer accessors to perform the
  ExternalPointerLookup only if the tag is non-zero and otherwise treat
  the slot as containing a raw pointer.

This now allows rolling out external pointer sandboxing incrementally
(separately for each external pointer type), which will in turn allow
for more precise performance measurements of the impact of the sandbox.

Note: when an external pointer tag is now marked as sandboxed (and
V8_SANDBOXED_EXTERNAL_POINTERS is not enabled), the underlying slots are
still 64-bits in size. This simplifies the implementation as we would
otherwise need to deal with variably-sized external pointer slots. Local
benchmarking suggests that the benefits from 32-bit external pointer
slots are insignificant on typical benchmarks, so this should be ok.

Drive-by: rename kExternalPointerSize to kExternalPointerSlotSize to
make it more clear what it refers to (the on-heap storage size). Also
delete CodeStubAssembler::InitializeExternalPointerField as it is not
currently used and the implementation is fairly inefficient.

Bug: v8:10391
Change-Id: I7c38729c7e9048d737a1a8ced84749f5b1f7feab
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3736447
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81636}
2022-07-11 13:34:54 +00:00
Samuel Groß
8ca93205cc [sandbox] Turn ExternalPointerTag into a template parameter
The ExternalPointerTags are assumed to be compile-time constants in most
cases, so turning them into template parameters enforces that. As
decisions such as whether to use the per-isolate or the shared external
pointer table are encoded into the tag values, forcing those to be
compile-time constants guarantees that the compiler will be able to
inline the correct logic when accessing an external pointer.

With this, there are now two (high-level) ways of accessing external pointer fields from C++: the Read/WriteExternalPointerField methods
which require the ExternalPointerTag to be a template parameter, and the
ExternalPointerSlot class which takes the tag as an argument. The latter
is for example used for snapshot deserialization and by the garbage
collector (more generally, by the ObjectVisitor::VisitExternalPointer
method), where the tag is not a compile-time constant.

Finally, this CL also introduces a new ExternalPointerHandle type which
represents the (opaque) on-heap representation of a reference to an
entry in an ExternalPointerTable when sandboxing is enabled. Making this
its own type makes the code a bit more readable.

Bug: v8:10391
Change-Id: I867b8ce41d15d485f1dc66786f233c710c56afcb
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3720641
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81402}
2022-06-27 13:45:20 +00:00
Patrick Thier
ece27af693 [sandbox] Split ExternalPointerTag definitions for shared/non-shared
- Change definition to macro-style to be able to assert that masks/tags
  are correct.
- Split definition of shared/non-shared tags.
- Use bit 62 (for now) to indicate tags are shared.

Bug: v8:10391
Change-Id: Ia3ad6294cf5e6fd0c4dc2a328f976f295da762f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726009
Reviewed-by: Samuel Groß <saelo@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81400}
2022-06-27 13:05:00 +00:00
Patrick Thier
8933f9fe8e [sandbox] Store waiter queue node of JS Atomic.Mutex in shared table
The waiter queue node of JS Atomics.Mutex is now stored in the shared
external pointer table.

Bug: v8:12547
Change-Id: I2f4ce1c705d5e710b49872942702f60edf6c4043
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3721696
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81380}
2022-06-27 08:56:57 +00:00
Patrick Thier
6b4850484f [sandbox] Add shared external pointer table for strings
To be able to share external strings, we need to share the external
pointer table in sandbox builds.
To avoid branches at runtime all pointers for external strings are
stored in the shared external pointer table.

Bug: v8:12957
Change-Id: Iaa6be7839a2f5e50f80fd58c5b33fb9c6af61057
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695263
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81324}
2022-06-23 11:30:39 +00:00