| Commit-Queue | +1 |
| Code-Review | +1 |
> constexpr uint64_t kCppHeapPointerTagMask = 0xfffe;

Compute from shift?

> kMicrotaskQueueTag,

Can we keep the stuff inside First/Last tag lexically sorted?

> V(kMicrotaskQueueOffset, kMicrotaskQueueSlotSize) \

Somewhere: Can you leave a TODO to implement a `CppHeapMember`? We should provide the same primitive as TaggedMember to the C++ world here.
| Commit-Queue | +2 |
> constexpr uint64_t kCppHeapPointerTagMask = 0xfffe;

Igor Sheludko: Compute from shift?

Done

> Can we keep the stuff inside First/Last tag lexically sorted?

Done

> V(kMicrotaskQueueOffset, kMicrotaskQueueSlotSize) \

Somewhere: Can you leave a TODO to implement a `CppHeapMember`? We should provide the same primitive as TaggedMember to the C++ world here.
10 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:
```
test/mjsunit/d8/d8-realm-microtask-queue.js          Insertions: 4, Deletions: 3
include/v8-sandbox.h                                  Insertions: 1, Deletions: 1
src/objects/contexts.h                                Insertions: 5, Deletions: 0
test/mjsunit/regress/regress-515252150.js             Insertions: 1, Deletions: 1
include/v8-internal.h                                 Insertions: 3, Deletions: 1
test/mjsunit/sandbox/regress/regress-508092629.js     Insertions: 2, Deletions: 4
```
For each of these files: The diff is too large to show. Please review the diff.
[runtime] Fix MicrotaskQueue liveness and serialization issues

This fixes a Use-After-Free (UAF) vulnerability where the CppGC-managed
MicrotaskQueue in NativeContext was not traced by the V8 GC, allowing
it to be prematurely reclaimed.

In addition, this CL adds infrastructure in d8 and sandbox testing
tools to verify custom MicrotaskQueue lifecycle and isolation across
native contexts.

1. Extend Realm.create() with an option bag argument for requesting a
   new realm to be created with its own MicrotaskQueue.
2. Extend SandboxTesting::GetFieldOffsetMap() and GetInstanceTypeMap()
   with offsets for NativeContext's microtask_queue and JSFunction's
   context fields, and export cppgc_microtask_queue in build config.
3. Add regression mjsunit tests verifying microtask queue separation
   and triggering UAF via the sandbox memory corruption API.

TAG=agy
CONV=4bb71540-afc9-4de3-8c14-b9a4b213d916