8bdce52713
This is a reland of e0c1a349ea
The issue was passing SentinelPointer (== +1) through T*.
The fix is disabling cfi unrelated cast diagnostic for the bottlenecks
(Get()). This means that nullptr is treated the same as
kSentinelPointer.
The alternative would be a DCHECK that Get() does not return
kSentinelPointer and adjusting all Member and Persistent logic that
uses Get() to work on void*. This is quite intrusive as it involves
Swap(), heterogeneous assignments, comparisons, etc.
Original change's description:
> cppgc: Properly clear (Weak)Peristent and WeakMember pointers
>
> The CL addresses two issues with (Weak)Persistent and WeakMember:
> 1. (Weak)Persistent pointers are cleared on heap teardown. Before this
> CL the pointers would contain stale values which could lead to UAF.
> 2. WeakPersistent and WeakMember are cleared using a combination of
> internal clearing methods and mutable fields which avoids the use
> of const_cast<>.
>
> Bug: chromium:1056170
> Change-Id: Ibf2b0f0856771b4f6906608cde13a6d43ebf81f3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2248190
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#68394}
Bug: chromium:1056170
Change-Id: I3d74b43464c2973df1956f51b1419d755dd9f519
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2250240
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68426}
69 lines
1.9 KiB
C++
69 lines
1.9 KiB
C++
// Copyright 2020 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#ifndef INCLUDE_CPPGC_LIVENESS_BROKER_H_
|
|
#define INCLUDE_CPPGC_LIVENESS_BROKER_H_
|
|
|
|
#include "cppgc/heap.h"
|
|
#include "cppgc/member.h"
|
|
#include "cppgc/trace-trait.h"
|
|
#include "v8config.h" // NOLINT(build/include_directory)
|
|
|
|
namespace cppgc {
|
|
|
|
namespace internal {
|
|
class LivenessBrokerFactory;
|
|
} // namespace internal
|
|
|
|
/**
|
|
* The broker is passed to weak callbacks to allow (temporarily) querying
|
|
* the liveness state of an object. References to non-live objects must be
|
|
* cleared when IsHeapObjectAlive() returns false.
|
|
*
|
|
* \code
|
|
* class GCedWithCustomWeakCallback final
|
|
* : public GarbageCollected<GCedWithCustomWeakCallback> {
|
|
* public:
|
|
* UntracedMember<Bar> bar;
|
|
*
|
|
* void CustomWeakCallbackMethod(const LivenessBroker& broker) {
|
|
* if (!broker.IsHeapObjectAlive(bar))
|
|
* bar = nullptr;
|
|
* }
|
|
*
|
|
* void Trace(cppgc::Visitor* visitor) const {
|
|
* visitor->RegisterWeakCallbackMethod<
|
|
* GCedWithCustomWeakCallback,
|
|
* &GCedWithCustomWeakCallback::CustomWeakCallbackMethod>(this);
|
|
* }
|
|
* };
|
|
* \endcode
|
|
*/
|
|
class V8_EXPORT LivenessBroker final {
|
|
public:
|
|
template <typename T>
|
|
bool IsHeapObjectAlive(const T* object) const {
|
|
return object &&
|
|
IsHeapObjectAliveImpl(
|
|
TraceTrait<T>::GetTraceDescriptor(object).base_object_payload);
|
|
}
|
|
|
|
template <typename T>
|
|
bool IsHeapObjectAlive(const UntracedMember<T>& untraced_member) const {
|
|
return (untraced_member != kSentinelPointer) &&
|
|
IsHeapObjectAlive<T>(untraced_member.Get());
|
|
}
|
|
|
|
private:
|
|
LivenessBroker() = default;
|
|
|
|
bool IsHeapObjectAliveImpl(const void*) const;
|
|
|
|
friend class internal::LivenessBrokerFactory;
|
|
};
|
|
|
|
} // namespace cppgc
|
|
|
|
#endif // INCLUDE_CPPGC_LIVENESS_BROKER_H_
|