File: v8-sandbox.h

package info (click to toggle)
chromium 139.0.7258.127-2
  • links: PTS, VCS
  • area: main
  • in suites: forky
  • size: 6,122,156 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (173 lines) | stat: -rw-r--r-- 7,647 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
// Copyright 2024 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef INCLUDE_V8_SANDBOX_H_
#define INCLUDE_V8_SANDBOX_H_

#include <cstdint>

#include "v8-internal.h"  // NOLINT(build/include_directory)
#include "v8config.h"     // NOLINT(build/include_directory)

namespace v8 {

/**
 * A pointer tag used for wrapping and unwrapping `CppHeap` pointers as used
 * with JS API wrapper objects that rely on `v8::Object::Wrap()` and
 * `v8::Object::Unwrap()`.
 *
 * The CppHeapPointers use a range-based type checking scheme, where on access
 * to a pointer, the actual type of the pointer is checked to be within a
 * specified range of types. This allows supporting type hierarchies, where a
 * type check for a supertype must succeed for any subtype.
 *
 * The tag is currently in practice limited to 15 bits since it needs to fit
 * together with a marking bit into the unused parts of a pointer.
 */
enum class CppHeapPointerTag : uint16_t {
  kFirstTag = 0,
  kNullTag = 0,

  /**
   * The lower type ids are reserved for the embedder to assign. For that, the
   * main requirement is that all (transitive) child classes of a given parent
   * class have type ids in the same range, and that there are no unrelated
   * types in that range. For example, given the following type hierarchy:
   *
   *          A     F
   *         / \
   *        B   E
   *       / \
   *      C   D
   *
   * a potential type id assignment that satistifes these requirements is
   * {C: 0, D: 1, B: 2, A: 3, E: 4, F: 5}. With that, the type check for type A
   * would check for the range [0, 4], while the check for B would check range
   * [0, 2], and for F it would simply check [5, 5].
   *
   * In addition, there is an option for performance tweaks: if the size of the
   * type range corresponding to a supertype is a power of two and starts at a
   * power of two (e.g. [0x100, 0x13f]), then the compiler can often optimize
   * the type check to use even fewer instructions (essentially replace a AND +
   * SUB with a single AND).
   */

  kDefaultTag = 0x7000,

  kZappedEntryTag = 0x7ffd,
  kEvacuationEntryTag = 0x7ffe,
  kFreeEntryTag = 0x7fff,
  // The tags are limited to 15 bits, so the last tag is 0x7fff.
  kLastTag = 0x7fff,
};

// Convenience struct to represent tag ranges. This is used for type checks
// against supertypes, which cover a range of types (their subtypes).
// Both the lower- and the upper bound are inclusive. In other words, this
// struct represents the range [lower_bound, upper_bound].
// TODO(saelo): reuse internal::TagRange here.
struct CppHeapPointerTagRange {
  constexpr CppHeapPointerTagRange(CppHeapPointerTag lower,
                                   CppHeapPointerTag upper)
      : lower_bound(lower), upper_bound(upper) {}
  CppHeapPointerTag lower_bound;
  CppHeapPointerTag upper_bound;

  // Check whether the tag of the given CppHeapPointerTable entry is within
  // this range. This method encodes implementation details of the
  // CppHeapPointerTable, which is necessary as it is used by
  // ReadCppHeapPointerField below.
  // Returns true if the check is successful and the tag of the given entry is
  // within this range, false otherwise.
  bool CheckTagOf(uint64_t entry) {
    // Note: the cast to uint32_t is important here. Otherwise, the uint16_t's
    // would be promoted to int in the range check below, which would result in
    // undefined behavior (signed integer undeflow) if the actual value is less
    // than the lower bound. Then, the compiler would take advantage of the
    // undefined behavior and turn the range check into a simple
    // `actual_tag <= last_tag` comparison, which is incorrect.
    uint32_t actual_tag = static_cast<uint16_t>(entry);
    // The actual_tag is shifted to the left by one and contains the marking
    // bit in the LSB. To ignore that during the type check, simply add one to
    // the (shifted) range.
    constexpr int kTagShift = internal::kCppHeapPointerTagShift;
    uint32_t first_tag = static_cast<uint32_t>(lower_bound) << kTagShift;
    uint32_t last_tag = (static_cast<uint32_t>(upper_bound) << kTagShift) + 1;
    return actual_tag >= first_tag && actual_tag <= last_tag;
  }
};

constexpr CppHeapPointerTagRange kAnyCppHeapPointer(
    CppHeapPointerTag::kFirstTag, CppHeapPointerTag::kLastTag);

class SandboxHardwareSupport {
 public:
  /**
   * Initialize sandbox hardware support. This needs to be called before
   * creating any thread that might access sandbox memory since it sets up
   * hardware permissions to the memory that will be inherited on clone.
   */
  V8_EXPORT static void InitializeBeforeThreadCreation();
};

namespace internal {

#ifdef V8_COMPRESS_POINTERS
V8_INLINE static Address* GetCppHeapPointerTableBase(v8::Isolate* isolate) {
  Address addr = reinterpret_cast<Address>(isolate) +
                 Internals::kIsolateCppHeapPointerTableOffset +
                 Internals::kExternalPointerTableBasePointerOffset;
  return *reinterpret_cast<Address**>(addr);
}
#endif  // V8_COMPRESS_POINTERS

template <typename T>
V8_INLINE static T* ReadCppHeapPointerField(v8::Isolate* isolate,
                                            Address heap_object_ptr, int offset,
                                            CppHeapPointerTagRange tag_range) {
#ifdef V8_COMPRESS_POINTERS
  // See src/sandbox/cppheap-pointer-table-inl.h. Logic duplicated here so
  // it can be inlined and doesn't require an additional call.
  const CppHeapPointerHandle handle =
      Internals::ReadRawField<CppHeapPointerHandle>(heap_object_ptr, offset);
  const uint32_t index = handle >> kExternalPointerIndexShift;
  const Address* table = GetCppHeapPointerTableBase(isolate);
  const std::atomic<Address>* ptr =
      reinterpret_cast<const std::atomic<Address>*>(&table[index]);
  Address entry = std::atomic_load_explicit(ptr, std::memory_order_relaxed);

  Address pointer = entry;
  if (V8_LIKELY(tag_range.CheckTagOf(entry))) {
    pointer = entry >> kCppHeapPointerPayloadShift;
  } else {
    // If the type check failed, we simply return nullptr here. That way:
    //  1. The null handle always results in nullptr being returned here, which
    //     is a desired property. Otherwise, we would need an explicit check for
    //     the null handle above, and therefore an additional branch. This
    //     works because the 0th entry of the table always contains nullptr
    //     tagged with the null tag (i.e. an all-zeros entry). As such,
    //     regardless of whether the type check succeeds, the result will
    //     always be nullptr.
    //  2. The returned pointer is guaranteed to crash even on platforms with
    //     top byte ignore (TBI), such as Arm64. The alternative would be to
    //     simply return the original entry with the left-shifted payload.
    //     However, due to TBI, an access to that may not always result in a
    //     crash (specifically, if the second most significant byte happens to
    //     be zero). In addition, there shouldn't be a difference on Arm64
    //     between returning nullptr or the original entry, since it will
    //     simply compile to a `csel x0, x8, xzr, lo` instead of a
    //     `csel x0, x10, x8, lo` instruction.
    pointer = 0;
  }
  return reinterpret_cast<T*>(pointer);
#else   // !V8_COMPRESS_POINTERS
  return reinterpret_cast<T*>(
      Internals::ReadRawField<Address>(heap_object_ptr, offset));
#endif  // !V8_COMPRESS_POINTERS
}

}  // namespace internal
}  // namespace v8

#endif  // INCLUDE_V8_SANDBOX_H_