[sandbox] Guard against freelist corruption in JSDispatchTable [v8/v8 : main]

[chromeperf@appspot.gserviceaccount.com (Gerrit)]

Attention needed from Arash Kazemi

Message from chrom...@appspot.gserviceaccount.com

📍 Job mac-m4-mini-perf/jetstream-main.crossbench complete.

See results at: https://pinpoint-dot-chromeperf.appspot.com/job/11a98407490000

Open in Gerrit

Related details

Attention is currently required from:

• Arash Kazemi

Submit Requirements:

• Code-Owners
• Code-Review
• Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: comment

Gerrit-Project: v8/v8

Gerrit-Branch: main

Gerrit-Change-Id: I59e4da059a676e79ad10a85a65963df7bfc17164

Gerrit-Change-Number: 7910807

Gerrit-PatchSet: 11

Gerrit-Owner: Arash Kazemi <ara...@chromium.org>

Gerrit-Reviewer: Arash Kazemi <ara...@chromium.org>

Gerrit-CC: chrom...@appspot.gserviceaccount.com <chrom...@appspot.gserviceaccount.com>

Gerrit-CC: v8-s...@luci-project-accounts.iam.gserviceaccount.com <v8-s...@luci-project-accounts.iam.gserviceaccount.com>

Gerrit-Attention: Arash Kazemi <ara...@chromium.org>

Gerrit-Comment-Date: Tue, 09 Jun 2026 14:49:36 +0000

Gerrit-HasComments: No

Gerrit-Has-Labels: No

[chromeperf@appspot.gserviceaccount.com (Gerrit)]

Attention needed from Arash Kazemi

Message from chrom...@appspot.gserviceaccount.com

📍 Job mac-m4-mini-perf/jetstream-main.crossbench complete.

See results at: https://pinpoint-dot-chromeperf.appspot.com/job/14834fcf490000

Open in Gerrit

Related details

Attention is currently required from:

• Arash Kazemi

Submit Requirements:

• Code-Owners
• Code-Review
• Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: comment

Gerrit-Project: v8/v8

Gerrit-Branch: main

Gerrit-Change-Id: I59e4da059a676e79ad10a85a65963df7bfc17164

Gerrit-Change-Number: 7910807

Gerrit-PatchSet: 11

Gerrit-Owner: Arash Kazemi <ara...@chromium.org>

Gerrit-Reviewer: Arash Kazemi <ara...@chromium.org>

Gerrit-CC: chrom...@appspot.gserviceaccount.com <chrom...@appspot.gserviceaccount.com>

Gerrit-CC: v8-s...@luci-project-accounts.iam.gserviceaccount.com <v8-s...@luci-project-accounts.iam.gserviceaccount.com>

Gerrit-Attention: Arash Kazemi <ara...@chromium.org>

Gerrit-Comment-Date: Tue, 09 Jun 2026 15:21:26 +0000

Gerrit-HasComments: No

Gerrit-Has-Labels: No

[Arash Kazemi (Gerrit)]

Attention needed from Samuel Groß

Arash Kazemi added 2 comments

Patchset-level comments

File-level comment, Patchset 11 (Latest):

Arash Kazemi . resolved

PTAL

File src/sandbox/js-dispatch-table-inl.h

Line 230, Patchset 11 (Latest): SBXCHECK(IsFreelistEntry());

Arash Kazemi . unresolved

Was your idea to instead create a dedicated bottleneck for all `entrypoint_` loads that returns nullpointer if it's a free list entry?

Open in Gerrit

Related details

Attention is currently required from:

• Samuel Groß

Submit Requirements:

• Code-Owners
• Code-Review

• No-Unresolved-Comments

• Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: comment

Gerrit-Project: v8/v8

Gerrit-Branch: main

Gerrit-Change-Id: I59e4da059a676e79ad10a85a65963df7bfc17164

Gerrit-Change-Number: 7910807

Gerrit-PatchSet: 11

Gerrit-Owner: Arash Kazemi <ara...@chromium.org>

Gerrit-Reviewer: Arash Kazemi <ara...@chromium.org>

Gerrit-Reviewer: Samuel Groß <sa...@chromium.org>

Gerrit-CC: chrom...@appspot.gserviceaccount.com <chrom...@appspot.gserviceaccount.com>

Gerrit-CC: v8-s...@luci-project-accounts.iam.gserviceaccount.com <v8-s...@luci-project-accounts.iam.gserviceaccount.com>

Gerrit-Attention: Samuel Groß <sa...@chromium.org>

Gerrit-Comment-Date: Tue, 09 Jun 2026 16:06:45 +0000

Gerrit-HasComments: Yes

Gerrit-Has-Labels: No

[Samuel Groß (Gerrit)]

Attention needed from Arash Kazemi

Samuel Groß added 1 comment

File src/sandbox/js-dispatch-table-inl.h

Line 230, Patchset 11 (Latest): SBXCHECK(IsFreelistEntry());

Arash Kazemi . unresolved

Was your idea to instead create a dedicated bottleneck for all `entrypoint_` loads that returns nullpointer if it's a free list entry?

Samuel Groß

Yeah so my concern here is that this approach seems fundamentally racy: `IsFreelistEntry()` will load the entrypoint and check for a specific tag. Then we load the entrypoint again and just drop the upper 32 bits. If the entry is overwritten in the meantime, we still have the same problem. I think we need to do what the other tables do: atomically load the entrypoint value, check that it has the expected tag, then return the lower 32 bits (or do proper untagging). And then I think we don't actually need to worry about freelist entries getting overwritten? WDYT?

Open in Gerrit

Related details

Attention is currently required from:

• Arash Kazemi

Submit Requirements:

• Code-Owners
• Code-Review
• No-Unresolved-Comments
• Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

Gerrit-MessageType: comment

Gerrit-Project: v8/v8

Gerrit-Branch: main

Gerrit-Change-Id: I59e4da059a676e79ad10a85a65963df7bfc17164

Gerrit-Change-Number: 7910807

Gerrit-PatchSet: 11

Gerrit-Owner: Arash Kazemi <ara...@chromium.org>

Gerrit-Reviewer: Arash Kazemi <ara...@chromium.org>

Gerrit-Reviewer: Samuel Groß <sa...@chromium.org>

Gerrit-CC: chrom...@appspot.gserviceaccount.com <chrom...@appspot.gserviceaccount.com>

Gerrit-CC: v8-s...@luci-project-accounts.iam.gserviceaccount.com <v8-s...@luci-project-accounts.iam.gserviceaccount.com>

Gerrit-Attention: Arash Kazemi <ara...@chromium.org>

Gerrit-Comment-Date: Wed, 10 Jun 2026 15:03:23 +0000

Gerrit-HasComments: Yes

Gerrit-Has-Labels: No

Comment-In-Reply-To: Arash Kazemi <ara...@chromium.org>