As sandboxed pointers are now default-enabled when the sandbox is
enabled, it is no longer possible to deactivate the sandbox at runtime.
This CL therefore removes all the logic that was required to support a
sandbox that could be disabled at runtime, moves the initialization of
the sandbox into V8::Initialize, and deprecates V8::InitializeSandbox.
This change also makes the sandbox initialization deterministic if
FLAG_random_seed is supplied.
Bug: v8:10391
Change-Id: Ibd49f7c251b7c58c642f18a551ecc2c391740970
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3762583
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81746}
Limit the allowed module size in the streaming decoder to 256kiB to
avoid OOMs on systems that are very memory constained (32-bit ASan
builds).
Drive-by: Skip linting wasm fuzzer input files, as those are binary
files.
R=ahaas@chromium.org
Bug: chromium:1334577, chromium:1337558
Change-Id: Ie5599088fd25c0bc7c8f9f1a953d31fe61a21844
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3700073
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81602}
Most often, the {ValueType::Ref} constructor was called with a
constant nullability. To make things more convenient, this CL renames
{Ref} to {RefMaybeNull}, and introduces {Ref} and {RefNull}
constructors with fixed nullability.
Bug: v8:7748
Change-Id: I664ff184ca936cc752e152c3c67546d79aa24390
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3732936
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81494}
This makes the internal V8 name consistent with the text-format name.
Bug: v8:7748
Change-Id: I44f7ac1eb5e634b4f829e596bf1f14caeb748d54
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726291
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81491}
In crrev.com/c/3714237, we changed the representation of constant
expressions in mjsunit wasm tests to byte arrays. This CL complements
this change by updating the output of --wasm-fuzzer-gen-test to the
new format.
Change-Id: I6a9d861b5abe13621ffd2ceb3a54863b0188b40c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726294
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81414}
Changes:
- Rename InitExpression -> ConstantExpression in places which reference
the ConstantExpression type.
- Move ConstantExpression to its own file, along with ValueOrError and
EvaluateConstantExpression.
Change-Id: Ife572d783531216b6ea3d2626e4fbf4048463253
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3702798
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81204}
This CL explicitly disables the --freeze-flags-after-init flag for cases
where we modify flags after initialization. This is only tests, fuzzers,
and special options to d8, thus not security relevant.
These should be the last blockers for enabling the flag globally.
R=cbruni@chromium.org
Bug: v8:12887
Change-Id: I1d8a03dcc20e524d30c967f6fe15f6401de77612
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3706619
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81179}
Add a missing check to reject illegal sections.
The test is added in three forms, to give fuzzers more food: A fuzzer
regression test for the streaming fuzzer, a unit test for the streaming
decoder, and an mjsunit test for streaming compilation.
Drive-by: Remove a redundant line in the synchronous decoder (this is
already handled by the following statement.
R=ahaas@chromium.org
Bug: chromium:1335023
Change-Id: Ic8c3b301f1b58981c7d68eafcffc89531ed2c64c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3698549
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81071}
The error message held in {CompilationResult} was not null-terminated,
leading to ASan complaints. Just store it in a {std::string} and use
{c_str()} to get a properly null-terminated C-string.
Drive-by: Enable execution of the fuzzer tests.
R=ahaas@chromium.org
Bug: chromium:1334548, v8:12922
Change-Id: Iafcfd5ce77e49e2aa1ff0910d8718bcd51f83662
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695356
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81020}
The fuzzer instantiates the module twice: Once for reference
interpretation / execution, and once for the actual execution of
Liftoff/TurboFan code.
For some reason, the two code paths for interpretation and Liftoff
reference execution used different patterns: Interpretation was using
the first instance, and then creating a second instance for actual
execution, whereas the Liftoff path used a second instance for the
reference execution and used the first one for the actual execution.
This CL refactors this to always create a "reference instance" first,
use that for either the interpreter or Liftoff, and then create a second
instance for the actual execution.
R=thibaudm@chromium.org
Bug: v8:12425
Change-Id: I19754264240d8570f00161abb7aecba1cc2b2ae0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3683323
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80900}
The fuzzers sometimes fail to instantiate a module that we already
instantiated before. This is nondetermistic and hard to reproduce (maybe
an out-of-memory situation).
Make the fuzzers print the error message so we learn more about those
failures.
R=ahaas@chromium.org
Bug: chromium:1330572
Change-Id: I0db103bdb113b1c1cedf662e02fb7a7f9d34ebd7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3680298
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80893}
The fuzzer runs the same wire bytes through the streaming decoder and
through synchronous compilation, and compares the result. In particular,
if one fails, then also the other should fail.
More checks for the result of both pipelines can be added later.
R=ahaas@chromium.org
Bug: v8:12922
Change-Id: I905adf740e581c4b7d0f4ab7c0d5d0e48d96fc4c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3675100
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80842}
This is more consistent with similar features, for example
V8_ENABLE_WEBASSEMBLY or V8_ENABLE_MAGLEV.
Drive-by: remove V8_SANDBOX_IS_AVAILABLE as it's no longer needed.
Bug: v8:10391
Change-Id: I8658c5b0c331a4c73892737083b2c2f9b8f84056
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647355
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80530}
Now that we require C++17 support, we can just use the standard
static_assert without message, instead of our STATIC_ASSERT macro.
R=leszeks@chromium.org
Bug: v8:12425
Change-Id: I1d4e39c310b533bcd3a4af33d027827e6c083afe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647353
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80524}
{LiftoffOptions} already contains many (optional) parameters for Liftoff
compilation, but not all of them.
This CL moves the function index and the {for_debugging} field also into
that struct, to further reduce the number of parameters to
{ExecuteLiftoffCompilation} and to improve readability by having a
factory-like initialization of the {LiftoffOptions} struct.
That struct is now also passed down to the LiftoffCompiler directly
instead of unpacking the fields again.
R=thibaudm@chromium.org
Bug: v8:12809
Change-Id: I8824a1908f214cbf4c21f113934fef3ece1bf88b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3513894
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80032}
Reporting messages can trigger termination in case of `inspector-test`,
which we need to be able to deal with gracefully for the fuzzer.
Fixed: chromium:1307449
Change-Id: I88ba2b13d920134a1670b808adc4ace4ca6d1dff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3540260
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79543}
This proposal adds i32 and i64 addition, subtraction, and multiplication
to the list of constant expressions.
See https://github.com/WebAssembly/extended-const.
Bug: v8:12089
Change-Id: I23a27a54a15fd37ee1d553992ab3b355eb9d317c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3497665
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79362}
According to the latest changes in wasm-gc, externref will be renamed
to anyref, and will be assigned as the top of the reference type
hierarchy. Since in the current wasm type system funcref is not a
subtype of anyref, subtyping is now dependent on whether wasm-gc is
enabled.
Bug: v8:7748
Change-Id: I0c0ae3dd5523e624d4490ca33d1fba4c2ae59393
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468345
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79322}
Previously, V8_OS_MACOSX was, somewhat confusingly, also used for iOS.
With this CL, V8_OS_DARWIN will be set on both macOS and iOS,
V8_OS_MACOS only on macOS, and V8_OS_IOS only on iOS.
This CL also renames V8_TARGET_OS_MACOSX to V8_TARGET_OS_MACOS and
renames platform-xnu.cc to platform-darwin.cc.
Change-Id: I4bcafc7c337586662114144f6c7ccf47d978da1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3468577
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79167}
When a terminate_exception is raised while executing one of the promise
related jobs on the microtask queue, we don't clean up properly, leaving
the async stack in the inspector in an inconsistent state, not cleaning
up the promise stack on the Isolate, and also not resetting the global
current_microtask slot. This CL adds appropriate logic to perform the
correct cleanup.
Fixed: chromium:1297964
Change-Id: I4ec64405d4c66bfe1f0115e7039866447fb10f02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3471815
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79162}
Data segments were missing in the output of --wasm-fuzzer-gen-test.
R=manoskouk@chromium.org
Bug: v8:11863
Change-Id: I40e60ef8626125ca9df6bead688607215d9e5b58
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3461932
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79106}
Since we do not yet have canonicalization for types, when emitting
ref.func in the fuzzer, it is not enough to pick a function whose
signature is equivalent with the requested type; we have to pick a
function that is declared exactly with the requested signature index.
Bug: chromium:1296936
Change-Id: Ie307a9a370bb9ba2c8c334ddf05268ed9c7077d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460411
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79081}
Changes:
- GenerateInitExpr should emit a function reference to a function that
is known to exist when funcref is expected.
- Add functions by signature index to the WasmModuleBuilder, so we avoid
signature canonicalization, which currently does not work for wasm-gc.
- Remove printing of recursive groups in the WasmModuleBuilder. Instead,
restrict type definitions to only refer to previous types.
- Some local restructuring of code, comments.
Bug: chromium:1296162
Change-Id: I5abd9bf8ec21ef6a51f00bc960b78519f2ec94f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3452433
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79054}
NaN detection is implemented on arm and arm64, so we can enable fuzzing
with Liftoff as the reference implementation on these architectures.
R=manoskouk@chromium.org
Bug: v8:11856, v8:11954
Change-Id: If80c2f16f52af59705d914396cfe029cb85e7293
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451718
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79031}
As a temporary solution to reenable wasm-gc fuzzing, we modify
{WasmModuleBuilder} to optionally wrap all types in a recursive group.
Bug: v8:7748
Change-Id: Ib0f8ab17c48ecbe04b51da2b1d01502be77ad35a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450414
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79015}
We temporarily disable fuzzing for wasm-gc until we update the fuzzer
to the isorecursive hybrid type system.
Bug: chromium:1291959
Change-Id: I2238c37bc49cbac2bf1c4085815a2283db982ab3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3423782
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78869}
This CL replaces the equirecursive type system for wasm-gc with the
isorecursive hybrid type system presented here:
https://github.com/WebAssembly/gc/issues/257.
In broad strokes, this includes the following changes:
- In the module decoder, remove equirecursive types. Implement recursive
type groups, subtype definitions, and function/struct/array
definitions. Treat nominal modules as syntactic sugar of an
isorecursive module, where all types belong in the same recursive
group.
- Remove rtt.sub and all related infrastructure.
- Change subtyping to work with explicit supertypes only.
- Add ValidSubtypeDefinition in subtyping, to check that subtype
declarations are valid during decoding.
- Remove the subtyping cache.
- Add support for functions to have specific signature index in
WasmModuleBuilder and in test-gc.cc.
- Adapt tests.
Current restrictions:
- Recursive groups are not stored beyond decoding.
- Type canonicalization is not implemented. No tests relying on types
being considered identical post-canonicalization.
- No cross-module subtyping is possible. Tests relying on cross-module
subtyping have been commented out.
Bug: v8:7748
Change-Id: I69fd04ecc5611f6230c95d5c89d1c520163fffae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3416239
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78816}
Changes:
- Introduce {TypeDefinition} for wasm modules.
- Introduce an enum {TypeDefinition::Kind} to represent the three
different definition types.
- Collapse the {types}, {type_kinds} and {supertypes} vectors into a
single vector of {TypeDefinition}s.
- Use {TypeDefinition} in WasmModuleBuilder.
- Drive-by: Remove {kNullIndex} in WasmModuleBuilder.
- Drive-by: Tidy-up wasm-module.h.
Change-Id: I97c2c268bcad745176243c693cf169bfa5714f94
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3416233
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78813}
The last update (using tools/wasm/update-wasm-fuzzers.sh) was in
November 2020, thus update again to add modules from all existing tests
to the corpus used by ClusterFuzz.
This increases the number of files in the corpus from 47196 to 53779.
R=ahaas@chromium.org
Change-Id: Ie293bda0b4d5d7c34d5b7c53d8115d9d3883f1db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3379813
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78590}
We introduce {ConstantExpression}, which represents the most frequent
constant expression types directly, and falls back to a {WireBytesRef}
for the rest. During module decoding, we decode the most common
expressions separately and store them as {ConstantExpression}, so we do
not have to decode them again during module instantiation.
Bug: chromium:1284557
Change-Id: Ie411bbe9811d0d9f6e750ba202bb0ccff801dfee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3378347
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78576}
We introduce a type arrayref, which is a supertype of all array types
and a subtype of dataref. We change array.len to accept values of type
(ref null array).
Drive-by: Fix kEq/kData case in TypecheckJSObject.
Bug: v8:7748
Change-Id: I47c6a4487ddf5e7280c1427f43abe87a97c896bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3368105
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78565}
We unify the implementation of element segment expression entries with
other initializer expressions: we represent them with a {WireBytesRef}
and decode them with {InitExprInterface}. Except for reducing code
duplication, this also fixes a bug where {global.get} entries in element
segments could reference invalid globals.
Changes:
- Change {WasmElemSegment::Entry} to a union of a {WireBytesRef}
initializer expression and a {uint32_t} function index.
- In module-decoder, change parsing of expression entries to use
{consume_init_expr}. Add type checking to
{consume_element_func_index}, to complement type checking happening in
{consume_init_expr}.
- In module-instantiate.cc:
- Move instantiation of indirect tables before loading of element
segments. This way, when we call {UpdateDispatchTables} in
{SetTableEntry}, the indirect table for the current table will also
be updated.
- Consolidate table entry instantiation into {SetTableEntry}, which
handles lazily instantiated functions, or dispatches to
{WasmTableObject::Set}.
- Rename {InitializeIndirectFunctionTables} to
{InitializeNonDefaultableTables}.
- Change {InitializeNonDefaultableTables} and {LoadElemSegmentImpl}
to use {EvaluateInitExpression}.
- Add a test to exclude mutable/non-imported globals from the element
section.
- Update tests as needed.
- Update .js module emission in wasm-fuzzer-common.
Change-Id: I29c541bbca8531e8d0312ed95869c8e78a5a0c57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3364082
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78476}
Shared array buffers are not tracked by the garbage collector, which
makes the fuzzer run out of memory pretty quickly. Since shared memory
is not needed any more for testing atomics, we can just make the memory
non-shared again.
This also improves the performance of the fuzzer (execs/s) by more than
2x locally.
R=ahaas@chromium.org
Bug: chromium:1281419
Change-Id: Ic7803617d6a14aaa698d9181327ec20b21d29faa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3350764
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78418}
This CL renames a number of things related to the V8 sandbox.
Mainly, what used to be under V8_HEAP_SANDBOX is now under
V8_SANDBOXED_EXTERNAL_POINTERS, while the previous V8 VirtualMemoryCage
is now simply the V8 Sandbox:
V8_VIRTUAL_MEMORY_CAGE => V8_SANDBOX
V8_HEAP_SANDBOX => V8_SANDBOXED_EXTERNAL_POINTERS
V8_CAGED_POINTERS => V8_SANDBOXED_POINTERS
V8VirtualMemoryCage => Sandbox
CagedPointer => SandboxedPointer
fake cage => partially reserved sandbox
src/security => src/sandbox
This naming scheme should simplify things: the sandbox is now the large
region of virtual address space inside which V8 mainly operates and
which should be considered untrusted. Mechanisms like sandboxed pointers
are then used to attempt to prevent escapes from the sandbox (i.e.
corruption of memory outside of it). Furthermore, the new naming scheme
avoids the confusion with the various other "cages" in V8, in
particular, the VirtualMemoryCage class, by dropping that name entirely.
Future sandbox features are developed under their own V8_SANDBOX_X flag,
and will, once final, be merged into V8_SANDBOX. Current future features
are sandboxed external pointers (using the external pointer table), and
sandboxed pointers (pointers guaranteed to point into the sandbox, e.g.
because they are encoded as offsets). This CL then also introduces a new
build flag, v8_enable_sandbox_future, which enables all future features.
Bug: v8:10391
Change-Id: I5174ea8f5ab40fb96a04af10853da735ad775c96
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3322981
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78384}
Since the reftypes proposal has shipped, we remove the respective flag
and the code that handled its absence. We maintain a WasmFeature for
reftypes for feature detection purposes. We remove the flag declaration
from tests, and adapt some tests that make no sense without the flag.
Bug: v8:7581
Change-Id: Icf2f8d0feae8f30ec68d5560f1e7ee5959481483
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3329781
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78351}
Introduce a ReusableUnoptimizedCompileState class, passed to ParseInfo,
which stores a couple of pointers and most importantly the Zone and
AstValueFactory of the parse. This allows the Zone and AstValueFactory
to be reused across multiple parses, rather than re-initialising
per-Parse.
With this, we can amend the LazyCompileDispatcher to initialise one
LocalIsolate, Zone and AstValueFactory per background thread loop,
rather than one per compile task, which allows us to reduce per-task
costs and re-use the AstValueFactory's string table and previous String
internalizations.
Change-Id: Ia0e29c4e31fbe29af57674ebb10916865d38b2ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3313106
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78289}
- V8::Deprecate ShutdownPlatform in favor of V8::DisposePlatform
- Rename i::V8::TearDown to i::V8::Dispose
- Clean up i::V8::Initialize
- Remove needless V8::Initialize() calls in cctests
- Remove CcTest::DisableAutomaticDispose()
- Add checks to Isolate::Allocate and Isolate::Dispose that there is
and active platform
Change-Id: Iac84f9ade9d1781e9e8b8c88ea8fe74013f51c4a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306482
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78162}
Use recursion scope only for nullable references in the
GenerateRef function. We declare the recursion scope as
an optional and only initialize it if the reference type
is nullable.
Bug: v8:11954, chromium:1270126
Change-Id: I1548290cc9d48167f6fd56ff653744d472f65635
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3284894
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Maria Tîmbur <mtimbur@google.com>
Cr-Commit-Position: refs/heads/main@{#77943}
