Issue 10391 in v8: V8 Sandbox

[Git Watcher via monorail]

Comment #23 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c23

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8/+/c992a25635eb9ce722779d57b80ad5757251925c

commit c992a25635eb9ce722779d57b80ad5757251925c
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jan 17 10:08:04 2022

[base] Add VirtualAddressSpace unittests

These tests cover the basic VirtualAddressSpace functionality for the
three different types of address spaces currently available: the root
space, subspaces, and emulated subspaces.

This CL also includes minor bugfixes in VirtualAddressSpace
implementations and removes RandomizedVirtualAlloc in platform-win32.cc
which doesn't seem to do anything useful anymore but prevents page
allocation hints from working correctly.

Bug: v8:10391
Change-Id: Ifa260d18fd366516b5a41ab42ce2f1785c57d061
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3386801
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78666}

[modify] https://crrev.com/c992a25635eb9ce722779d57b80ad5757251925c/test/unittests/BUILD.gn
[add] https://crrev.com/c992a25635eb9ce722779d57b80ad5757251925c/test/unittests/base/virtual-address-space-unittest.cc
[modify] https://crrev.com/c992a25635eb9ce722779d57b80ad5757251925c/src/base/platform/platform-win32.cc
[modify] https://crrev.com/c992a25635eb9ce722779d57b80ad5757251925c/src/base/emulated-virtual-address-subspace.cc
[modify] https://crrev.com/c992a25635eb9ce722779d57b80ad5757251925c/src/base/virtual-address-space.cc

--
You received this message because:
1. The project was configured to send all issue notifications to this address

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

[Git Watcher via monorail]

Comment #24 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c24

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/972e226543a8791571b5310554c247e244242f6b

commit 972e226543a8791571b5310554c247e244242f6b
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Jan 20 09:42:41 2022

[base] Fix bugs in AllocateInternal on Fuchsia

This CL fixes two issues:

1) When the specified vmar_offset was zero, the previous logic would
incorrectly conclude that no target address was specified, and would
potentially place the allocation elsewhere in memory, not at the
desired address. This CL now passes both the target address and the
VMAR base address to AllocateInternal, which can then correctly
determine whether a target address was supplied.

2) When the root_vmar was used and a hint specified, the previous logic
would incorrectly use nullptr as base address of the root_vmar, which
appears to be incorrect. The new logic now obtains the actual base
(apparently 2MB) through zx_object_get_info during initialization.

Bug: v8:10391
Change-Id: Ia8215440a790b4a2a0c8d33f623d3ecb6a731a97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3398506
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Reviewed-by: Victor Gomes <victo...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78693}

[modify] https://crrev.com/972e226543a8791571b5310554c247e244242f6b/src/base/platform/platform-posix.h
[modify] https://crrev.com/972e226543a8791571b5310554c247e244242f6b/src/base/platform/platform-fuchsia.cc
[modify] https://crrev.com/972e226543a8791571b5310554c247e244242f6b/src/base/platform/platform-posix.cc

[Git Watcher via monorail]

Comment #25 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c25

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d

commit 4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Jan 20 16:01:41 2022

[sandbox] Implement GC for the external pointer table

The external pointer table is now managed by the GC, which marks entries
that are alive during major GC, then sweeps the table afterwards to free
all dead entries and build a free list from them. For now, only major GCs
are supported, Scavenger GCs do not interact with the external pointer table.

In more detail, garbage collection of the external pointer table works
as follows:

1. The external pointer table now reserves a large region of virtual
address space for its backing buffer and is then never reallocated,
only grown in place until the maximum size is reached.
2. When the GC's marking visitor marks a HeapObject with an external
pointer as alive, it also marks the corresponding external pointer
table entry as alive. This can happen on a background thread.
3. For that, it uses the MSB of each entry in the table to indicate
whether the entry has been marked or not. This works because the MSB
is always cleared during the AND-based type check performed when
accessing an external pointer.
4. After marking, the external pointer table is swept while the mutator
is stopped. This builds an inline, singly-linked freelist of all
newly-dead and previously-free entries.
5. When allocating an entry from the table, the first entry on the
freelist is used. If the freelist is empty, the table grows,
populating the freelist with the new entries.
6. Every newly-allocated entry is marked as alive, and every store to an
existing entry also automatically marks that entry as alive (by also
setting the MSB). This simplifies the design of the table GC with
regards to concurrency (See ExternalPointerTable::Mark).

Bug: v8:10391
Change-Id: I8877fdf5576af3761bde65298951bb09e601bd14
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3359625
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Reviewed-by: Maya Lekova <msle...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78708}

[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/include/v8-internal.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/codegen/code-stub-assembler.cc
[delete] https://crrev.com/dc97b450587657c3d783496f248dd5f57e5e9668/src/common/ptr-compr.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/sandbox/sandbox.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/codegen/external-reference.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/objects/objects-inl.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/objects/string-inl.h
[add] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/init/heap-symbols.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/common/globals.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/BUILD.bazel
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/objects/heap-object.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/objects/objects.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/sandbox/external-pointer-inl.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/execution/isolate.cc
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/execution/isolate-data.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/heap/mark-compact.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/BUILD.gn
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/objects/visitors.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/compiler/memory-lowering.cc
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/logging/counters-definitions.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/codegen/external-reference.cc
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/objects/objects-body-descriptors-inl.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/heap/objects-visiting-inl.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/sandbox/external-pointer.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/include/v8config.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/init/bootstrapper.cc
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/init/isolate-allocator.cc
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/common/ptr-compr-inl.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/heap/mark-compact.cc
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/heap/marking-visitor.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/objects/code-inl.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/objects/contexts-inl.h
[modify] https://crrev.com/4a3e41c5ca0b4a7b8c7a2956789f35e4ee7fde7d/src/objects/foreign-inl.h

[Git Watcher via monorail]

Comment #26 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c26

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/df3ebe5dcca41b88ae7801f816e1c97f272a0d77

commit df3ebe5dcca41b88ae7801f816e1c97f272a0d77
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jan 25 10:47:51 2022

[sandbox] Shrink ExternalPointer_t to 32 bits

When sandboxed external pointers are enabled, external pointers now only
require 32 bits of storage space in a HeapObject. This CL does not shrink
the size of EmbedderDataSlots, which will happen in a follow-up CL.

Bug: v8:10391
Change-Id: I3cf8b68c3b985cf806a45183717f50462a88c281
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3359629
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Leszek Swirski <les...@chromium.org>
Reviewed-by: Maya Lekova <msle...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78754}

[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/include/v8-internal.h
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/codegen/code-stub-assembler.cc
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/test/cctest/test-api.cc
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/compiler/backend/instruction.cc
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/snapshot/deserializer.cc
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/common/globals.h
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/codegen/tnode.h
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/compiler/wasm-compiler.h
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/sandbox/external-pointer-inl.h
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/test/cctest/test-strings.cc
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/snapshot/serializer.cc
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/objects/js-array-buffer.tq
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/codegen/arm64/macro-assembler-arm64.cc
[modify] https://crrev.com/df3ebe5dcca41b88ae7801f816e1c97f272a0d77/src/compiler/memory-lowering.cc

[Git Watcher via monorail]

Comment #27 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c27

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/e62a3f038d35180502f4a33b979fabb8b4668d07

commit e62a3f038d35180502f4a33b979fabb8b4668d07
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Jan 26 10:07:45 2022

[sandbox] Remove SandboxedExternalPointer turbofan type

This type is no longer required: all ExternalPointers are now
sandboxified in turbofan, so we use that type instead.

Bug: v8:10391
Change-Id: Ia2bd261bfe3cfd5c7d9c350ba0e553e57a596a42
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3359632
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Jakob Gruber <jgr...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78802}

[modify] https://crrev.com/e62a3f038d35180502f4a33b979fabb8b4668d07/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/e62a3f038d35180502f4a33b979fabb8b4668d07/src/compiler/access-builder.cc
[modify] https://crrev.com/e62a3f038d35180502f4a33b979fabb8b4668d07/src/compiler/types.h
[modify] https://crrev.com/e62a3f038d35180502f4a33b979fabb8b4668d07/src/objects/turbofan-types.tq
[modify] https://crrev.com/e62a3f038d35180502f4a33b979fabb8b4668d07/src/compiler/memory-lowering.cc

[Git Watcher via monorail]

Comment #28 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c28

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3

commit e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Jan 28 10:21:09 2022

[sandbox] Store external pointer table indices shifted to the left

This guarantees that they are smaller than the maximum external pointer
table index when shifted to the right on load.

Bug: v8:10391
Change-Id: I601f37fbb9640ee4b5215958afcc474c5e0eb9af
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3359631
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>

Reviewed-by: Leszek Swirski <les...@chromium.org>
Reviewed-by: Maya Lekova <msle...@chromium.org>

Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78873}

[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/src/logging/counters-definitions.h
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/include/v8-internal.h
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/src/codegen/code-stub-assembler.cc
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/include/v8-context.h
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/src/sandbox/external-pointer-inl.h
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/include/v8-object.h
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/src/codegen/code-stub-assembler.h
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/src/heap/marking-visitor.h
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/src/codegen/arm64/macro-assembler-arm64.cc
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/src/compiler/memory-lowering.cc
[modify] https://crrev.com/e7f7c4bbdaae03622dbdc90a37fddd6d95e6bda3/src/codegen/x64/macro-assembler-x64.cc

[Git Watcher via monorail]

Comment #29 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c29

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/aa83ce1efe32efe612b2348ccffa92c47435f1d8

commit aa83ce1efe32efe612b2348ccffa92c47435f1d8
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Feb 08 15:42:00 2022

[sandbox] Fix EmbedderDataSlot::ToAlignedPointerSafe

We need to properly handle the case of uninitialized embedder data slots
which contain the "undefined" value and thus might look like valid
external pointer table indices.

Bug: v8:10391
Change-Id: I169a3e42132dde223ea151c1a5d5956c72341f8d
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448378
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79009}

[modify] https://crrev.com/aa83ce1efe32efe612b2348ccffa92c47435f1d8/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/aa83ce1efe32efe612b2348ccffa92c47435f1d8/src/objects/embedder-data-slot.h

[Git Watcher via monorail]

Comment #30 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c30

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/959d67e11b369a622e1a8109404b563ec85d68c1

commit 959d67e11b369a622e1a8109404b563ec85d68c1
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Feb 08 15:25:58 2022

[sandbox] Properly initialize LocalFactory::isolate_for_sandbox

This is required when allocating external pointer table entries from
background threads through the LocalFactory interface.

Bug: v8:10391
Change-Id: Ice5eee1000e1c7341bd0e58782cbb175080a5a74
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448376
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Dominik Inführ <dinf...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79010}

[modify] https://crrev.com/959d67e11b369a622e1a8109404b563ec85d68c1/src/heap/local-factory.h
[modify] https://crrev.com/959d67e11b369a622e1a8109404b563ec85d68c1/src/heap/local-factory.cc
[modify] https://crrev.com/959d67e11b369a622e1a8109404b563ec85d68c1/src/heap/factory-base.cc
[modify] https://crrev.com/959d67e11b369a622e1a8109404b563ec85d68c1/src/heap/factory.h

[Git Watcher via monorail]

Comment #31 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c31

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/a50d814e0b90f8573a29a299f9d4d704ff140371

commit a50d814e0b90f8573a29a299f9d4d704ff140371
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Feb 10 15:09:07 2022

[sandbox] Make ExternalPointerTable::Allocate atomic

With external code space and background compilation, external pointer
table entries are now allocated on background threads. For this to work
properly, the implementation must be atomic.

As atomic operations are not currently available in CSA, the fast path
in CSA::InitializeExternalPointerField has been removed for now.

Bug: v8:10391
Change-Id: I1119a9b5f97bc8d5f48de6872b62b9ddf001e9ce
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3448381
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79037}

[modify] https://crrev.com/a50d814e0b90f8573a29a299f9d4d704ff140371/src/codegen/code-stub-assembler.cc
[modify] https://crrev.com/a50d814e0b90f8573a29a299f9d4d704ff140371/src/execution/isolate-data.h
[modify] https://crrev.com/a50d814e0b90f8573a29a299f9d4d704ff140371/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/a50d814e0b90f8573a29a299f9d4d704ff140371/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/a50d814e0b90f8573a29a299f9d4d704ff140371/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #32 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c32

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/tools/build/+/09b93d5b6fe67a48a547bfa26966b1c4a17e8424

commit 09b93d5b6fe67a48a547bfa26966b1c4a17e8424
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Feb 10 18:09:00 2022

Add Chromium FYI bot for v8 sandbox future configuration

Bug: v8:10391
Change-Id: I9cb5bc6076603967842803ff3bfc553a3b324aa7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/build/+/3447295
Reviewed-by: Michael Achenbach <mache...@chromium.org>
Reviewed-by: Garrett Beaty <gbe...@google.com>
Commit-Queue: Samuel Groß <sa...@chromium.org>

[modify] https://crrev.com/09b93d5b6fe67a48a547bfa26966b1c4a17e8424/recipes/recipe_modules/chromium_tests_builder_config/builders/chromium_fyi.py

[Git Watcher via monorail]

Comment #33 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c33

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src/+/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111

commit 2c9f9b4b4b268dc016484e3c7f2889b8a82ca111
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Feb 10 20:45:25 2022

Add Chromium FYI bot for v8 sandbox future configuration

Bug: v8:10391

Change-Id: I3e11d14ce0fc62cc92019c8856f0896a1881773e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3448779

Reviewed-by: Michael Achenbach <mache...@chromium.org>
Reviewed-by: Garrett Beaty <gbe...@google.com>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#969619}

[modify] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/infra/config/generated/luci/luci-scheduler.cfg
[add] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/infra/config/generated/builders/ci/linux-blink-v8-sandbox-future-dbg/properties.json
[modify] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/infra/config/generated/luci/cr-buildbucket.cfg
[modify] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/infra/config/generated/luci/luci-notify.cfg
[modify] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/tools/mb/mb_config_expectations/chromium.fyi.json
[modify] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/infra/config/notifiers.star
[modify] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/infra/config/generated/luci/luci-milo.cfg
[modify] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/tools/mb/mb_config.pyl
[modify] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/infra/config/subprojects/chromium/ci/chromium.fyi.star
[add] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/infra/config/generated/builders/ci/linux-blink-v8-sandbox-future-dbg/properties.textpb
[modify] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/testing/buildbot/chromium.fyi.json
[modify] https://crrev.com/2c9f9b4b4b268dc016484e3c7f2889b8a82ca111/testing/buildbot/waterfalls.pyl

[Git Watcher via monorail]

Comment #34 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c34

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/af78745f2ead2eba68e28807adaf0fa1bcfed1df

commit af78745f2ead2eba68e28807adaf0fa1bcfed1df
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Feb 11 10:05:43 2022

Initialize V8 sandbox in samples

Bug: v8:10391
Change-Id: If54ba6ddaabd14e5f4c232cdc3c29746f89e1cb3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3455822
Reviewed-by: Camillo Bruni <cbr...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79068}

[modify] https://crrev.com/af78745f2ead2eba68e28807adaf0fa1bcfed1df/samples/process.cc
[modify] https://crrev.com/af78745f2ead2eba68e28807adaf0fa1bcfed1df/samples/shell.cc
[modify] https://crrev.com/af78745f2ead2eba68e28807adaf0fa1bcfed1df/samples/hello-world.cc

[Git Watcher via monorail]

Comment #35 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c35

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/6e06d756b754ac37058f8b7583db438641b4119b

commit 6e06d756b754ac37058f8b7583db438641b4119b
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Feb 15 10:19:44 2022

[sandbox] Disallow executable pages inside the sandbox

These should not be allowed inside the sandbox as they could be
corrupted by an attacker, thus posing a security risk. Furthermore,
executable pages require MAP_JIT on macOS, which causes fork() to become
excessively slow, in turn causing tests to time out.
Due to this, the sandbox now requires the external code space.

In addition, this CL adds a max_page_permissions member to the
VirtualAddressSpace API to make it possible to verify the maximum
permissions of a subspace.

Bug: v8:10391
Change-Id: Ib9562ecff6f018696bfa25143113d8583d1ec6cd
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3460406

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>

Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79119}

[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/src/sandbox/sandbox.cc
[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/src/base/virtual-address-space.h
[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/include/v8-platform.h
[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/src/base/sanitizer/lsan-virtual-address-space.h
[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/test/unittests/base/virtual-address-space-unittest.cc
[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/BUILD.gn
[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/src/base/platform/platform.h
[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/src/base/virtual-address-space.cc
[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/src/base/emulated-virtual-address-subspace.cc
[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/src/base/sanitizer/lsan-virtual-address-space.cc
[modify] https://crrev.com/6e06d756b754ac37058f8b7583db438641b4119b/src/base/emulated-virtual-address-subspace.h

[Git Watcher via monorail]

Comment #36 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c36

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src/+/311d7a5c0579f41a5140feffe3d68b500133fb38

commit 311d7a5c0579f41a5140feffe3d68b500133fb38
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Feb 17 08:49:23 2022

Initialize the V8 sandbox in blink unit tests

If the V8 sandbox is enabled at compile-time, it should also be
initialized at runtime.

Bug: v8:10391
Change-Id: I1cac78aae6ac41eea95fe205c0c07b5d5ea61faa
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3455462
Reviewed-by: Kentaro Hara <har...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#972346}

[modify] https://crrev.com/311d7a5c0579f41a5140feffe3d68b500133fb38/third_party/blink/common/test/run_all_unittests.cc

[Git Watcher via monorail]

Comment #37 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c37

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/418b5fc2ce22d1578293b670afeea534b65c7789

commit 418b5fc2ce22d1578293b670afeea534b65c7789
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Feb 18 14:25:52 2022

[sandbox] Store external pointers in EmbedderDataSlots in shifted form

Similar to other external pointers, the indices into the external
pointer table are stored shifted to the left to guarantee an upper
bound.

Bug: v8:10391
Change-Id: I079dc1568f49ae349c326a8e83fc32c93bdb35cf
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3455152
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Leszek Swirski <les...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79209}

[modify] https://crrev.com/418b5fc2ce22d1578293b670afeea534b65c7789/include/v8-object.h
[modify] https://crrev.com/418b5fc2ce22d1578293b670afeea534b65c7789/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/418b5fc2ce22d1578293b670afeea534b65c7789/src/objects/embedder-data-slot.h
[modify] https://crrev.com/418b5fc2ce22d1578293b670afeea534b65c7789/src/objects/js-objects-inl.h
[modify] https://crrev.com/418b5fc2ce22d1578293b670afeea534b65c7789/src/objects/js-objects.h
[modify] https://crrev.com/418b5fc2ce22d1578293b670afeea534b65c7789/src/heap/marking-visitor.h
[modify] https://crrev.com/418b5fc2ce22d1578293b670afeea534b65c7789/include/v8-context.h
[modify] https://crrev.com/418b5fc2ce22d1578293b670afeea534b65c7789/src/heap/factory.cc

[Git Watcher via monorail]

Comment #38 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c38

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/a0ad27195faeae0949fd2fb40426e2a83229e106

commit a0ad27195faeae0949fd2fb40426e2a83229e106
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Feb 23 09:20:07 2022

[sandbox] Fix verify_csa mode when the sandbox is enabled

For the purpose of graph verification, a SandboxedPointer is equivalent
to a Word64. The SandboxedPointer representation only affects lowering,
which needs to perform encoding/decoding of the pointer when
storing/loading it to/from the heap. As such, this CL promotes
kSandboxedPointer to kWord64 representation for graph verification.

Bug: v8:10391
Change-Id: I466f03dc7bbe9ed8f7b4f431aee5b14bd6db3d31
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3483658
Reviewed-by: Tobias Tebbi <te...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79225}

[modify] https://crrev.com/a0ad27195faeae0949fd2fb40426e2a83229e106/src/compiler/machine-graph-verifier.cc

[Git Watcher via monorail]

Comment #39 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c39

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/c4712e8f7e0677bfb5f78b055879aa5cace312eb

commit c4712e8f7e0677bfb5f78b055879aa5cace312eb
Author: Igor Sheludko <ish...@chromium.org>
Date: Tue Feb 22 23:56:17 2022

[runtime] Fix embedder fields offset calculations

Embedder fields are located between JSObject header and inobject fields
and there must be no gaps.
This CL adds respective check to Map verification and fixes existing
issues.

Bug: v8:10391
Change-Id: If55652095588f8704c9a375fb86be1599816aa86
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3482436
Auto-Submit: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Leszek Swirski <les...@chromium.org>
Commit-Queue: Igor Sheludko <ish...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79227}

[modify] https://crrev.com/c4712e8f7e0677bfb5f78b055879aa5cace312eb/src/diagnostics/objects-debug.cc
[modify] https://crrev.com/c4712e8f7e0677bfb5f78b055879aa5cace312eb/test/cctest/test-field-type-tracking.cc
[modify] https://crrev.com/c4712e8f7e0677bfb5f78b055879aa5cace312eb/src/init/bootstrapper.cc
[modify] https://crrev.com/c4712e8f7e0677bfb5f78b055879aa5cace312eb/src/objects/js-function.cc

[Git Watcher via monorail]

Comment #40 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c40

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/d8a5bd5694cfc03faf677db2aaf40343f649c156

commit d8a5bd5694cfc03faf677db2aaf40343f649c156
Author: Igor Sheludko <ish...@chromium.org>
Date: Wed Feb 23 13:18:29 2022

[runtime] Fix failing map verification on GC stress bot

This is a follow-up fix for
https://chromium-review.googlesource.com/c/v8/v8/+/3482436
which introduced a new check to Map verification.

Bug: v8:10391
Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg_ng
Change-Id: I8c02354bc159259c7157b296939790d0fc2c31c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3483662

Reviewed-by: Leszek Swirski <les...@chromium.org>
Commit-Queue: Igor Sheludko <ish...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#79232}

[modify] https://crrev.com/d8a5bd5694cfc03faf677db2aaf40343f649c156/src/objects/map.cc

[Git Watcher via monorail]

Comment #41 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c41

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/f29ae51cb3c830234e65c57e84692f44125f669a

commit f29ae51cb3c830234e65c57e84692f44125f669a
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Mar 07 12:07:29 2022

[sandbox] Initialize the raw part of EmbedderDataSlots to zero

This simplifies various bits of logic around EmbedderDataSlots as the
raw part will now always contain a valid index into an external pointer
table entry.

This CL also unifies the initialization of EmbedderDataSlots by
providing a EmbedderDataSlots::Initialize method and adds more
documentation about the layout of EmbedderDataSlots in the different
configurations.

Bug: v8:10391
Change-Id: Ie952598898a7a6c9d40b28d3a7370bfc1291bcf0
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3472495

Reviewed-by: Leszek Swirski <les...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79384}

[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/objects/js-objects-inl.h
[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/objects/embedder-data-slot.h
[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/snapshot/deserializer.cc
[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/objects/objects-body-descriptors-inl.h
[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/heap/marking-visitor.h
[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/objects/visitors.h
[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/heap/factory.cc
[modify] https://crrev.com/f29ae51cb3c830234e65c57e84692f44125f669a/src/heap/embedder-tracing-inl.h

[Git Watcher via monorail]

Comment #42 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c42

The following revision refers to this bug:

https://pdfium.googlesource.com/pdfium/+/d1b54c3a80d04b447846d65dac63b4827269c46b

commit d1b54c3a80d04b447846d65dac63b4827269c46b
Author: Samuel Groß <sa...@chromium.org>
Date: Mon May 09 20:52:49 2022

Initialize the V8 Sandbox if it is enabled

The sandbox must be initialized before initializing V8.

Bug: v8:10391
Change-Id: Ia4c198b865c13c97d1c3c761c6ca948c903ac388
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/93510
Commit-Queue: Tom Sepez <tse...@chromium.org>
Reviewed-by: Tom Sepez <tse...@chromium.org>

[modify] https://pdfium.googlesource.com/pdfium/+/d1b54c3a80d04b447846d65dac63b4827269c46b/samples/simple_with_v8.cc
[modify] https://pdfium.googlesource.com/pdfium/+/d1b54c3a80d04b447846d65dac63b4827269c46b/testing/v8_initializer.cpp

[Git Watcher via monorail]

Comment #43 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c43

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/6f5f5662cc87ec5fc56af90018a633e840da4168

commit 6f5f5662cc87ec5fc56af90018a633e840da4168
Author: Samuel Groß <sa...@chromium.org>
Date: Fri May 13 11:10:04 2022

[sandbox] Turn V8_SANDBOX into V8_ENABLE_SANDBOX

This is more consistent with similar features, for example
V8_ENABLE_WEBASSEMBLY or V8_ENABLE_MAGLEV.

Drive-by: remove V8_SANDBOX_IS_AVAILABLE as it's no longer needed.

Bug: v8:10391
Change-Id: I8658c5b0c331a4c73892737083b2c2f9b8f84056
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647355
Commit-Queue: Toon Verwaest <verw...@chromium.org>
Auto-Submit: Samuel Groß <sa...@chromium.org>
Reviewed-by: Toon Verwaest <verw...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80530}

[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/snapshot/mksnapshot.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/sandbox/sandbox.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/test/cctest/cctest.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/test/unittests/heap/unmapper-unittest.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/sandbox/sandbox.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/include/v8-internal.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/test/unittests/heap/cppgc/tests.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/test/fuzzer/fuzzer-support.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/utils/allocation.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/test/inspector/inspector-test.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/init/v8.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/BUILD.gn
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/test/mkgrokdump/mkgrokdump.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/test/unittests/test-utils.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/logging/counters-definitions.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/flags/flag-definitions.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/test/unittests/sandbox/sandbox-unittest.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/include/v8-initialization.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/include/v8config.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/test/unittests/libplatform/single-threaded-default-platform-unittest.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/wasm/c-api.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/init/v8.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/init/isolate-allocator.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/d8/d8.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/utils/allocation.h
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/objects/backing-store.cc
[modify] https://crrev.com/6f5f5662cc87ec5fc56af90018a633e840da4168/src/api/api.cc

[Git Watcher via monorail]

Comment #44 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c44

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/b15aa56c820f70aec19993ba7d63a1ba24293afd

commit b15aa56c820f70aec19993ba7d63a1ba24293afd
Author: Samuel Groß <sa...@chromium.org>
Date: Mon May 16 08:25:58 2022

[sandbox] Clean up sandbox API

This CL removes some deprecated sandbox APIs and introduces new ones, in
particular IsSandboxInitialized and GetSandboxReservationSizeInBytes. In
additon, this CL also adds comments to the various public methods of the
Sandbox class.

Bug: v8:10391
Change-Id: If5c3081a0b9f7f192966150a0d2716099357363a
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647362
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Leszek Swirski <les...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80544}

[modify] https://crrev.com/b15aa56c820f70aec19993ba7d63a1ba24293afd/src/sandbox/sandbox.cc
[modify] https://crrev.com/b15aa56c820f70aec19993ba7d63a1ba24293afd/src/sandbox/sandbox.h
[modify] https://crrev.com/b15aa56c820f70aec19993ba7d63a1ba24293afd/src/init/v8.cc
[modify] https://crrev.com/b15aa56c820f70aec19993ba7d63a1ba24293afd/include/v8-initialization.h
[modify] https://crrev.com/b15aa56c820f70aec19993ba7d63a1ba24293afd/src/api/api.cc

[Git Watcher via monorail]

Comment #45 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c45

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src/+/6ad0a8d04f26081680f2d38212a18d1d8b1692b1

commit 6ad0a8d04f26081680f2d38212a18d1d8b1692b1
Author: Samuel Groß <sa...@chromium.org>
Date: Mon May 23 13:47:17 2022

Rename V8_SANDBOX into V8_ENABLE_SANDBOX

The macro was renamed on the V8 side in crrev.com/c/3647355, this CL
adjusts the Chromium side accordingly.

Bug: v8:10391
Change-Id: I45910ce4ffeaf257b01c415225499b469375b39b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3653852
Reviewed-by: Jonathan Metzman <met...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Commit-Queue: Jonathan Metzman <met...@chromium.org>
Auto-Submit: Samuel Groß <sa...@chromium.org>
Reviewed-by: Daniel Cheng <dch...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1006427}

[modify] https://crrev.com/6ad0a8d04f26081680f2d38212a18d1d8b1692b1/third_party/blink/common/test/run_all_unittests.cc
[modify] https://crrev.com/6ad0a8d04f26081680f2d38212a18d1d8b1692b1/third_party/blink/renderer/core/typed_arrays/array_buffer/array_buffer_contents.cc
[modify] https://crrev.com/6ad0a8d04f26081680f2d38212a18d1d8b1692b1/testing/libfuzzer/fuzzers/v8_fuzzer.cc
[modify] https://crrev.com/6ad0a8d04f26081680f2d38212a18d1d8b1692b1/testing/libfuzzer/fuzzers/javascript_parser_proto_fuzzer.cc
[modify] https://crrev.com/6ad0a8d04f26081680f2d38212a18d1d8b1692b1/gin/v8_initializer.cc
[modify] https://crrev.com/6ad0a8d04f26081680f2d38212a18d1d8b1692b1/gin/array_buffer.cc

[Git Watcher via monorail]

Comment #46 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c46

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/47d8833875006fd531c73ced6c217ee3c3ef7d85

commit 47d8833875006fd531c73ced6c217ee3c3ef7d85
Author: Samuel Groß <sa...@chromium.org>
Date: Mon May 23 12:41:59 2022

[sandbox] Remove V8_SANDBOX

V8_SANDBOX has been renamed to V8_ENABLE_SANDBOX in crrev.com/c/3647355
and its remaining uses in Chromium have now been renamed as well.

Bug: v8:10391
Change-Id: Ibb23ecab6687438b462685ef7fa044c0024dd098
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3660251
Reviewed-by: Toon Verwaest <verw...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80739}

[modify] https://crrev.com/47d8833875006fd531c73ced6c217ee3c3ef7d85/samples/process.cc
[modify] https://crrev.com/47d8833875006fd531c73ced6c217ee3c3ef7d85/src/init/v8.cc
[modify] https://crrev.com/47d8833875006fd531c73ced6c217ee3c3ef7d85/samples/shell.cc
[modify] https://crrev.com/47d8833875006fd531c73ced6c217ee3c3ef7d85/samples/hello-world.cc
[modify] https://crrev.com/47d8833875006fd531c73ced6c217ee3c3ef7d85/BUILD.gn

[Git Watcher via monorail]

Comment #47 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c47

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src/+/5024ada375111fbb0c8c6c98e7e3d5f6260084be

commit 5024ada375111fbb0c8c6c98e7e3d5f6260084be
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Jun 10 09:31:04 2022

Clean up V8 sandbox histograms

This CL replaces two outdated histograms with newer ones:
V8.SandboxMode is identical (apart from renaming) to
V8.VirtualMemoryCageMode, however V8.SandboxReservationSizeGB now
captures the size of the virtual address space reservation backing the
sandbox while V8.VirtualMemoryCageSizeGB captured the size of the
sandbox itself (which is now a constant, and so no longer needs to be
recorded into UMA).

Bug: v8:10391
Change-Id: I9fe142b6aea71f56b34f60d085e3a577ba3911d7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3695415
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Reviewed-by: Leszek Swirski <les...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1012872}

[modify] https://crrev.com/5024ada375111fbb0c8c6c98e7e3d5f6260084be/tools/metrics/histograms/metadata/v8/histograms.xml
[modify] https://crrev.com/5024ada375111fbb0c8c6c98e7e3d5f6260084be/tools/metrics/histograms/enums.xml
[modify] https://crrev.com/5024ada375111fbb0c8c6c98e7e3d5f6260084be/gin/v8_initializer.cc

[Git Watcher via monorail]

Comment #48 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c48

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/5b9401dde4532719220ac698eef7012cdd371903

commit 5b9401dde4532719220ac698eef7012cdd371903
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Jun 16 11:18:12 2022

[sandbox] Also enable the sandbox outside of Chromium builds

Drive-by: include the right header in sandboxed-pointer-inl.h and fix
missing sandbox initialization in generate-bytecode-expectations.cc.

Bug: v8:10391
Change-Id: Ic39ba04b7c98eaa58ea3943189c23b297f581f5a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630082
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81216}

[modify] https://crrev.com/5b9401dde4532719220ac698eef7012cdd371903/BUILD.gn
[modify] https://crrev.com/5b9401dde4532719220ac698eef7012cdd371903/src/sandbox/sandboxed-pointer-inl.h
[modify] https://crrev.com/5b9401dde4532719220ac698eef7012cdd371903/test/unittests/interpreter/generate-bytecode-expectations.cc

[Git Watcher via monorail]

Comment #49 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c49

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/c878117fa0a848be0f011f410210ac4026baec05

commit c878117fa0a848be0f011f410210ac4026baec05
Author: Nico Hartmann <nicoha...@chromium.org>
Date: Mon Jun 20 15:11:19 2022

Revert "[sandbox] Also enable the sandbox outside of Chromium builds"

This reverts commit 5b9401dde4532719220ac698eef7012cdd371903.

Reason for revert: A few memory tests flake on tsan (e.g. https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20isolates/20190/overview)

Original change's description:

> [sandbox] Also enable the sandbox outside of Chromium builds
>
> Drive-by: include the right header in sandboxed-pointer-inl.h and fix
> missing sandbox initialization in generate-bytecode-expectations.cc.
>
> Bug: v8:10391
> Change-Id: Ic39ba04b7c98eaa58ea3943189c23b297f581f5a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630082
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81216}

Bug: v8:10391
Change-Id: I22560a6bdcffbf71651f655bdf7d183d5c832620
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714239
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Owners-Override: Nico Hartmann <nicoha...@chromium.org>
Commit-Queue: Nico Hartmann <nicoha...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81256}

[modify] https://crrev.com/c878117fa0a848be0f011f410210ac4026baec05/src/sandbox/sandboxed-pointer-inl.h
[modify] https://crrev.com/c878117fa0a848be0f011f410210ac4026baec05/BUILD.gn
[modify] https://crrev.com/c878117fa0a848be0f011f410210ac4026baec05/test/unittests/interpreter/generate-bytecode-expectations.cc

[Git Watcher via monorail]

Comment #50 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c50

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/0d94a5144c5c2ef1b0fcc8d54c348b63c47a20cf

commit 0d94a5144c5c2ef1b0fcc8d54c348b63c47a20cf
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jun 20 18:50:10 2022

[sandbox] Implement ReadExternalPointerField in v8-internal.h

Previously it was implemented in api.cc, therefore requiring an additional
function call when accessing external pointer fields from embedder code with
the sandbox enabled. Now ReadExternalPointerField can be inlined.

Bug: v8:10391
Change-Id: Ia8cb2df148ac96f979fd3e22989b0ff6177abcec
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714245
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Auto-Submit: Samuel Groß <sa...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Commit-Queue: Michael Lippautz <mlip...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81271}

[modify] https://crrev.com/0d94a5144c5c2ef1b0fcc8d54c348b63c47a20cf/include/v8-object.h
[modify] https://crrev.com/0d94a5144c5c2ef1b0fcc8d54c348b63c47a20cf/src/execution/isolate.cc
[modify] https://crrev.com/0d94a5144c5c2ef1b0fcc8d54c348b63c47a20cf/include/v8-internal.h
[modify] https://crrev.com/0d94a5144c5c2ef1b0fcc8d54c348b63c47a20cf/src/execution/isolate-data.h
[modify] https://crrev.com/0d94a5144c5c2ef1b0fcc8d54c348b63c47a20cf/include/v8-primitive.h
[modify] https://crrev.com/0d94a5144c5c2ef1b0fcc8d54c348b63c47a20cf/include/v8-context.h
[modify] https://crrev.com/0d94a5144c5c2ef1b0fcc8d54c348b63c47a20cf/src/api/api.cc

[Git Watcher via monorail]

Comment #51 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c51

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/a4d17470ab23b057327d614d032fc05ef70dd683

commit a4d17470ab23b057327d614d032fc05ef70dd683
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jun 21 12:42:18 2022

Reland "[sandbox] Also enable the sandbox outside of Chromium builds"

This is a reland of commit 5b9401dde4532719220ac698eef7012cdd371903

Now also skip tests that require large amounts of virtual address space
if tsan is enabled as tsan may cause V8 to create a smaller sandbox
which is then unable to allocate the required amount of memory.

Original change's description:
> [sandbox] Also enable the sandbox outside of Chromium builds
>
> Drive-by: include the right header in sandboxed-pointer-inl.h and fix
> missing sandbox initialization in generate-bytecode-expectations.cc.
>
> Bug: v8:10391
> Change-Id: Ic39ba04b7c98eaa58ea3943189c23b297f581f5a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630082
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81216}

Bug: v8:10391

Change-Id: I141080fdf61a77ef48b22e353e3cfbc1ff816e5a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716474

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#81277}

[modify] https://crrev.com/a4d17470ab23b057327d614d032fc05ef70dd683/test/wasm-spec-tests/wasm-spec-tests.status
[modify] https://crrev.com/a4d17470ab23b057327d614d032fc05ef70dd683/src/sandbox/sandboxed-pointer-inl.h
[modify] https://crrev.com/a4d17470ab23b057327d614d032fc05ef70dd683/BUILD.gn
[modify] https://crrev.com/a4d17470ab23b057327d614d032fc05ef70dd683/test/unittests/interpreter/generate-bytecode-expectations.cc
[modify] https://crrev.com/a4d17470ab23b057327d614d032fc05ef70dd683/test/mjsunit/mjsunit.status

[s… via monorail]

Comment #52 on issue 10391 by s...@chromium.org: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c52

The reland is causing some Linux64 FYI failures: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20fyi/28192/overview

[Git Watcher via monorail]

Comment #54 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c54

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/9d3a645bec5da96f750d5f7f275170e00f190773

commit 9d3a645bec5da96f750d5f7f275170e00f190773
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jun 21 15:38:00 2022

[sandbox] Fix two deserializer issues when sandbox is enabled

When the sandbox is enabled, an empty ArrayBuffer does not have a
nullptr backing store but instead points to a special EmptyBackingStore
pseudo-object inside the sandbox. This then requires special handling
during deserialization. This CL fixes two cases where this was not done
correctly, which caused some crashes when --stress-snapshot is active.

Bug: v8:10391
Change-Id: I412adace229b979b317864a3e8c12ed4c601b850
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716480
Reviewed-by: Toon Verwaest <verw...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81297}

[modify] https://crrev.com/9d3a645bec5da96f750d5f7f275170e00f190773/src/snapshot/deserializer.cc

[Git Watcher via monorail]

Comment #56 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c56

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/d22b3c9651f3ba62d5d494a30115fa608588eaee

commit d22b3c9651f3ba62d5d494a30115fa608588eaee
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Jun 22 12:21:56 2022

[sandbox] Fix another deserializer issues when the sandbox is enabled

When a detached JSDataView is deserialized, it's backing ArrayBuffer
backing store is empty (i.e. the EmptyBackingStoreBuffer() pointer).
Previously, the JSDataView's data_pointer would then be set to
EmptyBackingStoreBuffer() + byte_offset(), which is not a valid backing
store pointer as it points outside of the sandbox. Instead, which this
CL the data_pointer is now simply set to EmptyBackingStoreBuffer().

Bug: v8:10391
Change-Id: Ic7d144f2f20d5ec99438d2b3bf33735fbf8d5fc6
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717987
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Toon Verwaest <verw...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81348}

[modify] https://crrev.com/d22b3c9651f3ba62d5d494a30115fa608588eaee/src/snapshot/deserializer.cc

[Git Watcher via monorail]

Comment #57 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c57

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/39f6787a190f6a1778c36a3c2622314723dca4a7

commit 39f6787a190f6a1778c36a3c2622314723dca4a7
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jun 20 16:39:06 2022

[sandbox] Simplify sandbox initialization logic

Instead of creating smaller sandboxes when the allocation of the virtual
address space reservation fails, we now create partially-reserved
sandboxes and halve the reservation size until the initialization
succeeds. That way, the unreserved part of the sandbox can still be used
for allocating objects.

Bug: v8:10391
Change-Id: I89a7790ffcda87ab71cc7b7f1101c0a1c3c62829
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714241
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81379}

[modify] https://crrev.com/39f6787a190f6a1778c36a3c2622314723dca4a7/src/sandbox/sandbox.cc

[Git Watcher via monorail]

Comment #58 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c58

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/087d225520252a868748763fadaf73b597f36a96

commit 087d225520252a868748763fadaf73b597f36a96
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Jun 24 11:45:23 2022

[snapshot] Simplify ArrayBuffer deserialization

It is no longer necessary to postpone the allocation of backing stores
to avoid triggering GC. As such, the logic around ArrayBuffer
deserialization can be simplified.

Bug: v8:10391, v8:11111
Change-Id: I7410392a6e658cd4be77e2192483c6d412b63412
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717982
Reviewed-by: Marja Hölttä <ma...@chromium.org>
Reviewed-by: Leszek Swirski <les...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81384}

[modify] https://crrev.com/087d225520252a868748763fadaf73b597f36a96/src/snapshot/context-deserializer.cc
[modify] https://crrev.com/087d225520252a868748763fadaf73b597f36a96/src/snapshot/startup-deserializer.cc
[modify] https://crrev.com/087d225520252a868748763fadaf73b597f36a96/src/snapshot/context-deserializer.h
[modify] https://crrev.com/087d225520252a868748763fadaf73b597f36a96/src/snapshot/deserializer.h
[modify] https://crrev.com/087d225520252a868748763fadaf73b597f36a96/src/snapshot/object-deserializer.cc
[modify] https://crrev.com/087d225520252a868748763fadaf73b597f36a96/src/snapshot/deserializer.cc
[modify] https://crrev.com/087d225520252a868748763fadaf73b597f36a96/src/snapshot/read-only-deserializer.cc

[Git Watcher via monorail]

Comment #59 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c59

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/ece27af6932790856a96472a67081e7c5036faaf

commit ece27af6932790856a96472a67081e7c5036faaf
Author: Patrick Thier <pth...@chromium.org>
Date: Mon Jun 27 12:15:33 2022

[sandbox] Split ExternalPointerTag definitions for shared/non-shared

- Change definition to macro-style to be able to assert that masks/tags
are correct.
- Split definition of shared/non-shared tags.
- Use bit 62 (for now) to indicate tags are shared.

Bug: v8:10391
Change-Id: Ia3ad6294cf5e6fd0c4dc2a328f976f295da762f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726009
Reviewed-by: Samuel Groß <sa...@chromium.org>
Commit-Queue: Patrick Thier <pth...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81400}

[modify] https://crrev.com/ece27af6932790856a96472a67081e7c5036faaf/include/v8-internal.h

[Git Watcher via monorail]

Comment #60 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c60

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701

commit 8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jun 27 12:00:24 2022

[sandbox] Turn ExternalPointerTag into a template parameter

The ExternalPointerTags are assumed to be compile-time constants in most
cases, so turning them into template parameters enforces that. As
decisions such as whether to use the per-isolate or the shared external
pointer table are encoded into the tag values, forcing those to be
compile-time constants guarantees that the compiler will be able to
inline the correct logic when accessing an external pointer.

With this, there are now two (high-level) ways of accessing external pointer fields from C++: the Read/WriteExternalPointerField methods
which require the ExternalPointerTag to be a template parameter, and the
ExternalPointerSlot class which takes the tag as an argument. The latter
is for example used for snapshot deserialization and by the garbage
collector (more generally, by the ObjectVisitor::VisitExternalPointer
method), where the tag is not a compile-time constant.

Finally, this CL also introduces a new ExternalPointerHandle type which
represents the (opaque) on-heap representation of a reference to an
entry in an ExternalPointerTable when sandboxing is enabled. Making this
its own type makes the code a bit more readable.

Bug: v8:10391
Change-Id: I867b8ce41d15d485f1dc66786f233c710c56afcb
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3720641
Reviewed-by: Tobias Tebbi <te...@chromium.org>

Reviewed-by: Leszek Swirski <les...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81402}

[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/include/v8-internal.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/objects-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/string-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/include/v8-primitive.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/snapshot/deserializer.cc
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/include/v8-context.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/objects.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/object-macros.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/sandbox/external-pointer-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/tools/debug_helper/get-object-properties.cc
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/api-callbacks-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/heap/marking-visitor-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/include/v8-object.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/js-atomics-synchronization.cc
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/execution/isolate.cc
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/compiler/memory-lowering.cc
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/slots-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/compiler/memory-lowering.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/js-objects-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/snapshot/deserializer.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/execution/isolate.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/sandbox/external-pointer.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/code-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/api/api.cc
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/slots.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/contexts-inl.h
[modify] https://crrev.com/8ca93205cc1c3b8f9e4c1b01e25e2cbfc0182701/src/objects/foreign-inl.h

[Git Watcher via monorail]

Comment #61 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c61

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/8a59678b8335ae8c3fa237317aa8ae6cb281efa2

commit 8a59678b8335ae8c3fa237317aa8ae6cb281efa2
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jul 11 12:21:59 2022

[sandbox] Prepare ExternalPointerTable rollout

This CL does the following:
- It enables (i.e. allocates and initializes) the per-Isolate
ExternalPointerTable when the sandbox is enabled.
- It refactors the list of external pointer tags to mark them as
"sandboxed" or "unsandboxed". An unsandboxed external pointer has a
null tag.
- It changes V8_SANDBOXED_EXTERNAL_POINTERS to now essentially just
enable sandboxing for all available tags.
- It modifies all low-level external pointer accessors to perform the
ExternalPointerLookup only if the tag is non-zero and otherwise treat
the slot as containing a raw pointer.

This now allows rolling out external pointer sandboxing incrementally
(separately for each external pointer type), which will in turn allow
for more precise performance measurements of the impact of the sandbox.

Note: when an external pointer tag is now marked as sandboxed (and
V8_SANDBOXED_EXTERNAL_POINTERS is not enabled), the underlying slots are
still 64-bits in size. This simplifies the implementation as we would
otherwise need to deal with variably-sized external pointer slots. Local
benchmarking suggests that the benefits from 32-bit external pointer
slots are insignificant on typical benchmarks, so this should be ok.

Drive-by: rename kExternalPointerSize to kExternalPointerSlotSize to
make it more clear what it refers to (the on-heap storage size). Also
delete CodeStubAssembler::InitializeExternalPointerField as it is not
currently used and the implementation is fairly inefficient.

Bug: v8:10391
Change-Id: I7c38729c7e9048d737a1a8ced84749f5b1f7feab
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3736447

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>

Reviewed-by: Leszek Swirski <les...@chromium.org>
Reviewed-by: Andreas Haas <ah...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Nico Hartmann <nicoha...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81636}

[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/codegen/code-stub-assembler.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/codegen/external-reference.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/snapshot/deserializer.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/objects/code.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/compiler/simplified-operator.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/common/globals.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/include/v8-object.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/snapshot/serializer.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/compiler/memory-lowering.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/heap/local-factory.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/sandbox/external-pointer.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/codegen/tnode.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/wasm/wasm-objects.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/torque/types.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/heap/mark-compact.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/api/api.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/codegen/arm64/macro-assembler-arm64.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/include/v8-internal.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/objects/foreign.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/include/v8-context.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/heap/factory.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/wasm/wasm-objects-inl.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/wasm/baseline/liftoff-compiler.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/sandbox/external-pointer-inl.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/heap/marking-visitor-inl.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/execution/isolate.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/execution/isolate-data.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/heap/local-factory.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/BUILD.gn
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/compiler/memory-lowering.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/objects/slots-inl.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/torque/global-context.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/compiler/memory-optimizer.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/objects/js-atomics-synchronization.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/codegen/external-reference.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/heap/objects-visiting-inl.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/compiler/access-builder.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/execution/isolate.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/execution/isolate-utils-inl.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/codegen/code-stub-assembler.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/heap/marking-visitor.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/objects/slots.h
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/torque/torque-parser.cc
[modify] https://crrev.com/8a59678b8335ae8c3fa237317aa8ae6cb281efa2/src/codegen/x64/macro-assembler-x64.cc

[Git Watcher via monorail]

Comment #62 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c62

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/7683b9cd86a6c79f70d71ee66436ba816793a172

commit 7683b9cd86a6c79f70d71ee66436ba816793a172
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jul 11 14:44:58 2022

[sandbox] Fix --stress-snapshot after recent sandbox changes

There seem to be some issues with sandboxed external references in the
serializer which cause the --stress-snapshot mode to fail. This CL
changes the serializer to serialize external pointers that are
unsandboxed (currently all of them) as "regular" external references,
not "sandboxed" ones. This should fix the issues on the bots.

Bug: v8:10391
Change-Id: I2f889e1d0aa9c5958d4f4337e114423b650c1bb2
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3755148

Reviewed-by: Leszek Swirski <les...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#81643}

[modify] https://crrev.com/7683b9cd86a6c79f70d71ee66436ba816793a172/src/snapshot/serializer.cc

[Git Watcher via monorail]

Comment #63 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c63

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/725ce4933c979b4acacce25797f2f1cf7c1df799

commit 725ce4933c979b4acacce25797f2f1cf7c1df799
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Jul 13 11:32:51 2022

[sandbox] Verify that no EPT allocation can happen during sweeping

It is not safe to allocate ExternalPointerTable entries while the table
is being swept. This property is currently ensured by the GC. To better
catch any potential future violation of this requirement, this CL now
changes the Sweep() method to first set the freelist head to a special
marker value, which is checked in Allocate() in debug builds and will
cause a recognizable crash in release builds.

Bug: v8:10391
Change-Id: Iab69c1e97afc23ae5b2b894b2d765b82a760cdd8
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3758211
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81690}

[modify] https://crrev.com/725ce4933c979b4acacce25797f2f1cf7c1df799/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/725ce4933c979b4acacce25797f2f1cf7c1df799/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/725ce4933c979b4acacce25797f2f1cf7c1df799/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #64 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c64

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src/+/54df35306527a53984ed4f8b2a11c0f736fcccda

commit 54df35306527a53984ed4f8b2a11c0f736fcccda
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Jul 13 17:36:23 2022

Add V8.SandboxedExternalPointersCount histogram

Bug: v8:10391
Change-Id: I88bd42b4545ac224f23691bac22e1f4f55c78271
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3757721
Commit-Queue: Michael Lippautz <mlip...@chromium.org>
Auto-Submit: Samuel Groß <sa...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1023814}

[modify] https://crrev.com/54df35306527a53984ed4f8b2a11c0f736fcccda/tools/metrics/histograms/metadata/v8/histograms.xml

[Git Watcher via monorail]

Comment #65 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c65

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/543b54da6607d7016adaabe2fdac2bef844fc0c4

commit 543b54da6607d7016adaabe2fdac2bef844fc0c4
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jul 12 09:45:24 2022

[sandbox] Sandboxify Foreign external pointer

Bug: v8:10391
Change-Id: I4c5c209454db316fe86f379f6b2e6dfc7ba7754e
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757340

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#81703}

[modify] https://crrev.com/543b54da6607d7016adaabe2fdac2bef844fc0c4/include/v8-internal.h

[Git Watcher via monorail]

Comment #66 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c66

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/df2fc0725e5456159e42e1aaab71ccca8464f2c5

commit df2fc0725e5456159e42e1aaab71ccca8464f2c5
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jul 12 12:03:49 2022

[sandbox] Always use a constant sandbox size

As sandboxed pointers assume a constant sandbox size (they are
essentially n-bit offsets), it is no longer useful to be able to create
smaller sandboxes. This CL simplifies the sandbox initialization logic
accordingly and adds CHECKS to ensure a fixed-size sandbox is created.

Bug: v8:10391
Change-Id: I6541ab769001e60c0256d3a719f926128a0a20b0
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647684

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#81720}

[modify] https://crrev.com/df2fc0725e5456159e42e1aaab71ccca8464f2c5/src/sandbox/sandbox.cc
[modify] https://crrev.com/df2fc0725e5456159e42e1aaab71ccca8464f2c5/src/sandbox/sandbox.h
[modify] https://crrev.com/df2fc0725e5456159e42e1aaab71ccca8464f2c5/include/v8-internal.h
[modify] https://crrev.com/df2fc0725e5456159e42e1aaab71ccca8464f2c5/test/unittests/sandbox/sandbox-unittest.cc
[modify] https://crrev.com/df2fc0725e5456159e42e1aaab71ccca8464f2c5/src/init/v8.cc

[Git Watcher via monorail]

Comment #67 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c67

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/63e054f5ee46ce44c936dc611fcb043af79fd6af

commit 63e054f5ee46ce44c936dc611fcb043af79fd6af
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Jul 14 13:27:24 2022

[sandbox] Fix serialization of raw external references

When testing the serializer (e.g. via --stress-snapshot), raw external
references (i.e. just raw pointers) can be embedded inside the snapshot.
When those pointers are sandboxed, the corresponding external pointer
tag also needs to be encoded in the snapshot. This CL adds the necessary
logic to support this by introducing new serializer Bytecodes for raw
external references and encoding the raw pointers together with the tag.

Bug: v8:10391
Change-Id: I7b3710c2144e19f7507e3f6db537d250d102ee28
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3762575
Reviewed-by: Leszek Swirski <les...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81723}

[modify] https://crrev.com/63e054f5ee46ce44c936dc611fcb043af79fd6af/src/snapshot/deserializer.cc
[modify] https://crrev.com/63e054f5ee46ce44c936dc611fcb043af79fd6af/src/snapshot/serializer-deserializer.h
[modify] https://crrev.com/63e054f5ee46ce44c936dc611fcb043af79fd6af/src/snapshot/serializer.cc

[Git Watcher via monorail]

Comment #68 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c68

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/c360a250136006a1d15a1c810b2fb596c38de3c2

commit c360a250136006a1d15a1c810b2fb596c38de3c2
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Jul 14 20:39:07 2022

Revert "[sandbox] Sandboxify Foreign external pointer"

This reverts commit 543b54da6607d7016adaabe2fdac2bef844fc0c4.

Reason for revert: Causes crashes on Android due to TBI: https://crbug.com/chromium/1344581

Original change's description:

> [sandbox] Sandboxify Foreign external pointer
>
> Bug: v8:10391
> Change-Id: I4c5c209454db316fe86f379f6b2e6dfc7ba7754e

> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng

> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757340
> Reviewed-by: Igor Sheludko <ish...@chromium.org>

> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81703}

Bug: v8:10391
Change-Id: I88899def209c592cd353dd4ed81003f1bbb7a760
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3764440
Commit-Queue: Igor Sheludko <ish...@chromium.org>
Auto-Submit: Samuel Groß <sa...@chromium.org>
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81731}

[modify] https://crrev.com/c360a250136006a1d15a1c810b2fb596c38de3c2/include/v8-internal.h

[Git Watcher via monorail]

Comment #69 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c69

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/f3737bbb12351042cf81198202ba07288b99f597

commit f3737bbb12351042cf81198202ba07288b99f597
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Jul 14 15:47:12 2022

[sandbox] Initialize sandbox during V8::Initialize

As sandboxed pointers are now default-enabled when the sandbox is
enabled, it is no longer possible to deactivate the sandbox at runtime.
This CL therefore removes all the logic that was required to support a
sandbox that could be disabled at runtime, moves the initialization of
the sandbox into V8::Initialize, and deprecates V8::InitializeSandbox.

This change also makes the sandbox initialization deterministic if
FLAG_random_seed is supplied.

Bug: v8:10391
Change-Id: Ibd49f7c251b7c58c642f18a551ecc2c391740970
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3762583
Reviewed-by: Toon Verwaest <verw...@chromium.org>
Reviewed-by: Camillo Bruni <cbr...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81746}

[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/snapshot/mksnapshot.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/sandbox/sandbox.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/tools/wasm/module-inspector.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/test/cctest/cctest.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/include/v8-internal.h
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/sandbox/sandbox.h
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/test/unittests/heap/cppgc/tests.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/test/fuzzer/fuzzer-support.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/samples/hello-world.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/utils/allocation.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/test/inspector/inspector-test.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/init/v8.h
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/test/mkgrokdump/mkgrokdump.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/test/unittests/interpreter/generate-bytecode-expectations.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/test/unittests/test-utils.h
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/test/unittests/sandbox/sandbox-unittest.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/include/v8-initialization.h
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/samples/process.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/test/unittests/libplatform/single-threaded-default-platform-unittest.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/wasm/c-api.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/init/v8.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/init/isolate-allocator.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/samples/shell.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/d8/d8.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/utils/allocation.h
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/objects/backing-store.cc
[modify] https://crrev.com/f3737bbb12351042cf81198202ba07288b99f597/src/api/api.cc

[Git Watcher via monorail]

Comment #70 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c70

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/4aa3dd83d96e44d0b9b6c06431931978bef047a5

commit 4aa3dd83d96e44d0b9b6c06431931978bef047a5
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jul 18 08:23:58 2022

[sandbox] Install sandbox crash filter after V8::Initialize

The sandbox crash filter must be installed after the sandbox has been
initialized, which now happens during V8::Initialize.

Bug: v8:10391
Change-Id: I0103e32f091843415aaff4ec1c9bd93603244144
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3769689
Reviewed-by: Camillo Bruni <cbr...@chromium.org>
Commit-Queue: Camillo Bruni <cbr...@chromium.org>
Auto-Submit: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81771}

[modify] https://crrev.com/4aa3dd83d96e44d0b9b6c06431931978bef047a5/src/d8/d8.cc

[Git Watcher via monorail]

Comment #71 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c71

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src/+/162e6962fecb2ddf0377e2ba199b6ed13c5a14ca

commit 162e6962fecb2ddf0377e2ba199b6ed13c5a14ca
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jul 19 07:48:05 2022

Remove V8::InitializeSandbox calls

These are no longer required after https://crrev.com/c/3762583.

Bug: v8:10391
Change-Id: I7e58bc4d79a69cd62451986c9cef252b07abff25
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3762613
Reviewed-by: Jonathan Metzman <met...@chromium.org>
Commit-Queue: Daniel Cheng <dch...@chromium.org>
Auto-Submit: Samuel Groß <sa...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Reviewed-by: Daniel Cheng <dch...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1025607}

[modify] https://crrev.com/162e6962fecb2ddf0377e2ba199b6ed13c5a14ca/third_party/blink/common/test/run_all_unittests.cc
[modify] https://crrev.com/162e6962fecb2ddf0377e2ba199b6ed13c5a14ca/gin/gin_features.h
[modify] https://crrev.com/162e6962fecb2ddf0377e2ba199b6ed13c5a14ca/testing/libfuzzer/fuzzers/v8_fuzzer.cc
[modify] https://crrev.com/162e6962fecb2ddf0377e2ba199b6ed13c5a14ca/testing/libfuzzer/fuzzers/javascript_parser_proto_fuzzer.cc
[modify] https://crrev.com/162e6962fecb2ddf0377e2ba199b6ed13c5a14ca/gin/v8_initializer.cc
[modify] https://crrev.com/162e6962fecb2ddf0377e2ba199b6ed13c5a14ca/gin/array_buffer.cc
[modify] https://crrev.com/162e6962fecb2ddf0377e2ba199b6ed13c5a14ca/gin/gin_features.cc

[Git Watcher via monorail]

Comment #72 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c72

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/a7329344e52a0af3461aacaa8c538ddf8992e0d6

commit a7329344e52a0af3461aacaa8c538ddf8992e0d6
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jul 19 11:22:14 2022

[sandbox] Disable the sandbox by default outside of Chromium builds

To work properly and securely, the sandbox requires cooperation from the
Embedder, for example in the form of a custom ArrayBufferAllocator and
later on custom type tags for external objects. As such, it likely does
not make sense to enable the sandbox by default everywhere.

Bug: v8:10391, v8:13058
Change-Id: Ief2720122f70b9a1bc3f2e6802e60b5b95b855d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3771841
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81805}

[modify] https://crrev.com/a7329344e52a0af3461aacaa8c538ddf8992e0d6/BUILD.gn

[Git Watcher via monorail]

Comment #73 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c73

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/e0b5a83f53ba9b860d72a4ab62e888e2c56b1e7a

commit e0b5a83f53ba9b860d72a4ab62e888e2c56b1e7a
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jul 25 09:07:30 2022

[sandbox] Switch to 8-bit external pointer type tags

Due to top-byte ignore (TBI) in Arm64, only bits [48, 56) can be used
for type tags as otherwise type-check failures may go unnoticed if they
only leave bits in the top byte set. This CL therefore switches the
external pointer tagging scheme to use 8-bit tags.

Bug: v8:10391
Change-Id: Ia1f379ebc1bbda4117785d2dc119bc8dfa358711
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3776688

Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#81913}

[modify] https://crrev.com/e0b5a83f53ba9b860d72a4ab62e888e2c56b1e7a/include/v8-internal.h
[modify] https://crrev.com/e0b5a83f53ba9b860d72a4ab62e888e2c56b1e7a/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #74 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c74

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/efac35f3b8ef0572e1e0dfdfca74e8b40a797ffd

commit efac35f3b8ef0572e1e0dfdfca74e8b40a797ffd
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jul 25 10:17:00 2022

[sandbox] Sandboxify JSExternalObject external pointer

Bug: v8:10391
Change-Id: I6075a8fe3c201f9221149e0c54edf4fb191088da
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757342

Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#81924}

[modify] https://crrev.com/efac35f3b8ef0572e1e0dfdfca74e8b40a797ffd/include/v8-internal.h

[Git Watcher via monorail]

Comment #75 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c75

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/0c1f779c1b44c3d2b987d24fc910e49d91d8acdb

commit 0c1f779c1b44c3d2b987d24fc910e49d91d8acdb
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jul 26 07:15:11 2022

Revert "[sandbox] Sandboxify JSExternalObject external pointer"

This reverts commit efac35f3b8ef0572e1e0dfdfca74e8b40a797ffd.

Reason for revert: Seems to be causing memory leaks: https://ci.chromium.org/ui/p/chromium/builders/try/linux_chromium_asan_rel_ng/1234545/overview

Original change's description:

> [sandbox] Sandboxify JSExternalObject external pointer
>
> Bug: v8:10391
> Change-Id: I6075a8fe3c201f9221149e0c54edf4fb191088da
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757342
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81924}

Bug: v8:10391
Change-Id: I8cd64fd0a85182781b04cd1e4619b69dfa512210

Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true

Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780497

Auto-Submit: Samuel Groß <sa...@chromium.org>
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>

Commit-Queue: Leszek Swirski <les...@chromium.org>
Reviewed-by: Leszek Swirski <les...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81948}

[modify] https://crrev.com/0c1f779c1b44c3d2b987d24fc910e49d91d8acdb/include/v8-internal.h

[Git Watcher via monorail]

Comment #76 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c76

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/2eb73988a37a60520a0f8e0b1109edbcc0b91415

commit 2eb73988a37a60520a0f8e0b1109edbcc0b91415
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jul 25 15:49:39 2022

[sandbox] Refactor and sandboxify WasmInternalFunction::call_target

This CL refactors WasmInternalFunction to no longer inherit from Foreign
but instead contain a (sandboxed) ExternalPointer field for the call target.

Bug: v8:10391
Change-Id: Iaaf25e635a275d7570e09699be3c8dec6108d4b3
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3782675
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Jakob Kummerow <jkum...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81957}

[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/wasm/wasm-objects.tq
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/include/v8-internal.h
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/codegen/code-stub-assembler.cc
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/diagnostics/objects-printer.cc
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/objects/objects-body-descriptors-inl.h
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/builtins/x64/builtins-x64.cc
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/heap/factory.cc
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/wasm/baseline/liftoff-compiler.cc
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/wasm/wasm-objects-inl.h
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/wasm/wasm-objects.h
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/wasm/c-api.cc
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/tools/v8heapconst.py
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/codegen/code-stub-assembler.h
[modify] https://crrev.com/2eb73988a37a60520a0f8e0b1109edbcc0b91415/src/builtins/wasm.tq

[Git Watcher via monorail]

Comment #77 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c77

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/e17ffa8d9f79d921a2ac46b11f780fdaf47197cf

commit e17ffa8d9f79d921a2ac46b11f780fdaf47197cf
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jul 26 12:43:42 2022

[sandbox] Make the ExternalPointerTable cooperate with LSan

When the LeakSanitizer (LSan) runs, it scans all reachable memory
looking for pointers to other (live) objects, then reports all objects
that are still allocated but not reachable as leaked.
When the external pointer table is used, the pointers stored in it do
unfortunately not look like pointers to LSan as they will have some of
the top bits set. As such, LSan ignores them and may afterwards
incorrectly report some referenced objects as leaked.
To fix this, we now use a "shadow table" when LSan is active which
contains the raw pointer for every (tagged) pointer stored in the real
table. LSan can then scan this table and find all references.

Bug: v8:10391
Change-Id: If0c8b042fdd775ac3c8025d5688e62df37532ec3
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3779915
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81972}

[modify] https://crrev.com/e17ffa8d9f79d921a2ac46b11f780fdaf47197cf/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/e17ffa8d9f79d921a2ac46b11f780fdaf47197cf/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #78 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c78

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/42af5dcd821c6d19b4fa99375cc06ca190439609

commit 42af5dcd821c6d19b4fa99375cc06ca190439609
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jul 26 08:35:13 2022

[sandbox] Sandboxify NativeContext::microtask_queue external pointer

Bug: v8:10391
Change-Id: I4e7d4937ac4c6332da3c63c9e8c15e75fa951f2f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757343

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#81973}

[modify] https://crrev.com/42af5dcd821c6d19b4fa99375cc06ca190439609/include/v8-internal.h

[Git Watcher via monorail]

Comment #79 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c79

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/2679a36ea9fb9fd7107fa589dbbba1d5656c6bc1

commit 2679a36ea9fb9fd7107fa589dbbba1d5656c6bc1
Author: Shu-yu Guo <s...@chromium.org>
Date: Tue Jul 26 19:35:32 2022

[sandbox] Make external ptr table usable under pointer compression

This CL moves the external pointer table out of V8_ENABLE_SANDBOX and
into V8_COMPRESS_POINTERS. The external pointer table is also useful
even when not sandboxing external pointers to ease alignment
requirements under pointer compression.

It is onerous for the allocator to support non-tagged-size alignment.
Under pointer compression, tagged is 4 bytes while system pointers are
8 bytes. Because external pointer table indices are 4-bytes, fields that
require natural alignment (e.g. the state field in JSAtomicsMutex) when
the system pointer size is 8-bytes can use an indirection via the
pointer table to ease the alignment restriction back to 4-bytes under
pointer compression.

Bug: v8:10391
Change-Id: Iac1200e40c987128cd6a227cd279ba4dac0e5c56
Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3783076
Reviewed-by: Samuel Groß <sa...@chromium.org>
Commit-Queue: Shu-yu Guo <s...@chromium.org>
Reviewed-by: Adam Klein <ad...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81977}

[modify] https://crrev.com/2679a36ea9fb9fd7107fa589dbbba1d5656c6bc1/src/logging/counters-definitions.h
[modify] https://crrev.com/2679a36ea9fb9fd7107fa589dbbba1d5656c6bc1/src/execution/isolate.cc
[modify] https://crrev.com/2679a36ea9fb9fd7107fa589dbbba1d5656c6bc1/src/execution/isolate-data.h
[modify] https://crrev.com/2679a36ea9fb9fd7107fa589dbbba1d5656c6bc1/include/v8-internal.h
[modify] https://crrev.com/2679a36ea9fb9fd7107fa589dbbba1d5656c6bc1/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/2679a36ea9fb9fd7107fa589dbbba1d5656c6bc1/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/2679a36ea9fb9fd7107fa589dbbba1d5656c6bc1/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/2679a36ea9fb9fd7107fa589dbbba1d5656c6bc1/src/execution/isolate.h

[Git Watcher via monorail]

Comment #80 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c80

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/31e53c28e0c52238dfc3a5635a3e2b843b0e9a06

commit 31e53c28e0c52238dfc3a5635a3e2b843b0e9a06
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Jul 26 14:08:55 2022

Reland "[sandbox] Sandboxify JSExternalObject external pointer"

This is a reland of commit efac35f3b8ef0572e1e0dfdfca74e8b40a797ffd

The LSan issues have been fixed in https://crrev.com/c/3779915

Original change's description:
> [sandbox] Sandboxify JSExternalObject external pointer
>
> Bug: v8:10391
> Change-Id: I6075a8fe3c201f9221149e0c54edf4fb191088da
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757342

> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Reviewed-by: Igor Sheludko <ish...@chromium.org>

> Cr-Commit-Position: refs/heads/main@{#81924}

Bug: v8:10391

Change-Id: I954520ee324c9aa4c4ccc4941ae30d19676be2ba
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3780501

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#81978}

[modify] https://crrev.com/31e53c28e0c52238dfc3a5635a3e2b843b0e9a06/include/v8-internal.h

[Git Watcher via monorail]

Comment #81 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c81

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/7586dc7910e66f2a2d45721f685980535f961645

commit 7586dc7910e66f2a2d45721f685980535f961645
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Jul 27 11:00:47 2022

[sandbox] Sandboxify AccessorInfo external pointers

Bug: v8:10391
Change-Id: I18745b415962e08fada5c0b9466a0d7e66a84a12
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757339

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#81999}

[modify] https://crrev.com/7586dc7910e66f2a2d45721f685980535f961645/include/v8-internal.h

[Git Watcher via monorail]

Comment #82 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c82

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/ba8ad5dd17ea85c856c09c2ff603641487d1f0ca

commit ba8ad5dd17ea85c856c09c2ff603641487d1f0ca
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Jul 28 13:29:20 2022

[sandbox] Decommit empty blocks in the ExternalPointerTable during Sweep

With this CL, blocks at the end of the ExternalPointerTable that are
completely empty after sweeping will be decommitted to reduce the
table's memory footprint.

Bug: v8:10391
Change-Id: I1002e95a0f9c22400fdd2620047d86738a1f7af4
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3791903

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82085}

[modify] https://crrev.com/ba8ad5dd17ea85c856c09c2ff603641487d1f0ca/src/sandbox/external-pointer-table.cc

[Git Watcher via monorail]

Comment #83 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c83

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/c04716065626d3ea66032580d095eeb2e0df0e90

commit c04716065626d3ea66032580d095eeb2e0df0e90
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Aug 02 12:54:43 2022

[sandbox] Sandboxify CallHandlerInfo external pointers

Bug: v8:10391
Change-Id: I7f1b69b1fe41507e4eb72a35b4c143a970cc2f74
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3788205

Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82149}

[modify] https://crrev.com/c04716065626d3ea66032580d095eeb2e0df0e90/include/v8-internal.h

[Git Watcher via monorail]

Comment #84 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c84

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/0195a5c9a966599f60eacf650cfe0fe99a5db933

commit 0195a5c9a966599f60eacf650cfe0fe99a5db933
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Aug 05 17:57:02 2022

[sandbox] Refactor and sandboxify WasmContinuationObject::jmpbuf

This CL refactors WasmContinuationObject to have a direct
ExternalPointer to the jmpbuf structure instead of using a Foreign.
This in turn makes it possible to use a unique pointer tag for that
external pointer when the sandbox is enabled.

Bug: v8:10391, v8:12949
Change-Id: I25528bd8aaffb32dd617440d3ccb77d319894a38
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3805061
Reviewed-by: Thibaud Michaud <thib...@chromium.org>

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>

Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82238}

[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/objects/objects-definitions.h
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/wasm/wasm-objects.tq
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/wasm/wasm-objects.cc
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/include/v8-internal.h
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/objects/map.cc
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/objects/objects-body-descriptors-inl.h
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/heap/setup-heap-internal.cc
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/builtins/x64/builtins-x64.cc
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/heap/factory.h
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/heap/factory.cc
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/wasm/wasm-objects-inl.h
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/heap/objects-visiting.h
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/wasm/wasm-objects.h
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/objects/map.h
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/tools/v8heapconst.py
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/objects/object-list-macros.h
[modify] https://crrev.com/0195a5c9a966599f60eacf650cfe0fe99a5db933/src/roots/roots.h

[Git Watcher via monorail]

Comment #85 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c85

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/f7c20baea04ef13add95c3d37cd2fd15c705ac8d

commit f7c20baea04ef13add95c3d37cd2fd15c705ac8d
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Aug 09 01:56:32 2022

[sandbox] Atomically load/store ExternalPointerHandles

Since those are accessed from background threads during marking, they
should generally be loaded and stored using atomic operations. Further,
when an external pointer slot is initialized, the handle should be
stored using release semantics to prevent reordering of the store into
the pointer table after the store of the handle to the object.

Bug: v8:10391, v8:13156
Change-Id: I5c33b4e791482f84e2770cd047a11f5762a0aa65
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3812035

Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82280}

[modify] https://crrev.com/f7c20baea04ef13add95c3d37cd2fd15c705ac8d/src/heap/marking-visitor-inl.h
[modify] https://crrev.com/f7c20baea04ef13add95c3d37cd2fd15c705ac8d/src/objects/slots.h
[modify] https://crrev.com/f7c20baea04ef13add95c3d37cd2fd15c705ac8d/src/objects/slots-inl.h
[modify] https://crrev.com/f7c20baea04ef13add95c3d37cd2fd15c705ac8d/src/sandbox/external-pointer-inl.h

[Git Watcher via monorail]

Comment #86 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c86

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/42ea632701a30a2d439ffb59618019a00b8278cc

commit 42ea632701a30a2d439ffb59618019a00b8278cc
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Aug 15 11:54:25 2022

[sandbox] Refactor external pointer field initialization

This CL replaces the AllocateExternalPointerEntries methods with
per-field init_##fieldname methods for every external pointer field.
These now initialize the field by allocating the external pointer table
entry for it and also set the initial value. This saves one memory write
in the typical case (what used to be AllocateExternalPointerEntries
followed by a set_##fieldname) and removes some code that can be
factored out into the (DECL_)EXTERNAL_POINTER_ACCESSORS macro.

Bug: v8:10391
Change-Id: Iac937316322910de0a8bb99b33592eca8c57a4a6
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810344
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Jakob Linke <jgr...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Jakob Kummerow <jkum...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82482}

[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/string.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/objects-inl.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/string-inl.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/js-objects-inl.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/foreign.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/snapshot/deserializer.cc
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/heap/factory-base.cc
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/js-objects.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/code.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/contexts.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/sandbox/external-pointer.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/heap/factory.cc
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/wasm/wasm-objects-inl.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/objects.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/sandbox/external-pointer-inl.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/object-macros.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/wasm/wasm-objects.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/api-callbacks-inl.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/string.cc
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/code-inl.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/contexts-inl.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/api-callbacks.h
[modify] https://crrev.com/42ea632701a30a2d439ffb59618019a00b8278cc/src/objects/foreign-inl.h

[Git Watcher via monorail]

Comment #87 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c87

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/76d7448925720510dde106da724370bce87d49fa

commit 76d7448925720510dde106da724370bce87d49fa
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Aug 12 20:08:47 2022

[sandbox] Implement external pointer table compaction

The external pointer table is already to some degree self-compacting: as
the freelist is sorted in ascending order, free entries at the start of
the table should quickly fill up. However, any live entry at the end of
the table makes it impossible to shrink the table, thereby causing
higher memory consumption. To solve this, this CL implements a simple
table compaction algorithm, used when the freelist has become
sufficiently large (currently >= 10% of the table capacity):
- The goal of the algorithm is to shrink the table by freelist_size/2
entries at the end of compaction (during sweeping).
- At the start of the marking phase, the compaction area is computed as
roughly [capacity - freelist_size/2, capacity).
- When an entry is marked as alive that lies inside the compaction
area, a new "relocation entry" is allocated for it from the freelist
and the address of the handle for that entry is stored in that entry.
If there are no more free entries before the compaction area,
compaction is aborted. This is expected to happen rarely and is
logged into a histogram.
- During sweeping, all relocation entries are "resolved": the content
of the old entry is copied into the new entry and the handle is
updated to point to the new entry.
- Finally, the table is shrunk and the last initial_freelist_size/2
entries are decommitted.

See also the comments in the ExternalPointerTable class for more details.

Bug: v8:10391
Change-Id: I28d475c3596590e860421f0a054e2ad4dbebd487
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3794645
Reviewed-by: Igor Sheludko <ish...@chromium.org>

Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82484}

[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/logging/counters-definitions.h
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/heap/incremental-marking.cc
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/include/v8-internal.h
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/execution/isolate.h
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/sandbox/external-pointer-inl.h
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/heap/marking-visitor-inl.h
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/execution/isolate.cc
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/heap/mark-compact.cc
[modify] https://crrev.com/76d7448925720510dde106da724370bce87d49fa/src/objects/slots-inl.h

[Git Watcher via monorail]

Comment #88 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c88

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/f1033c43b7c58e6a0d2439f91028ae8fd58669d1

commit f1033c43b7c58e6a0d2439f91028ae8fd58669d1
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Aug 16 10:06:49 2022

[sandbox] Sandboxify WasmTypeInfo

This CL changes the WasmTypeInfo class to have a direct ExternalPointer
to the native type structure instead of using a Foreign. This in turn

makes it possible to use a unique pointer tag for that external pointer
when the sandbox is enabled.

Bug: v8:10391, v8:12949

Change-Id: Ifee4d2103cabfa6a7299d0d09e06d387034e5f8f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829085
Reviewed-by: Jakob Kummerow <jkum...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82504}

[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/src/wasm/wasm-objects.tq
[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/include/v8-internal.h
[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/tools/v8heapconst.py
[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/src/diagnostics/objects-printer.cc
[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/src/codegen/code-stub-assembler.h
[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/src/objects/objects-body-descriptors-inl.h
[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/src/heap/factory.cc
[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/src/runtime/runtime-wasm.cc
[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/src/wasm/wasm-objects-inl.h
[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/src/builtins/wasm.tq
[modify] https://crrev.com/f1033c43b7c58e6a0d2439f91028ae8fd58669d1/src/wasm/wasm-objects.h

[Git Watcher via monorail]

Comment #89 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c89

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src/+/35f5deebd6ab492db010194aaca0d2e8d7527293

commit 35f5deebd6ab492db010194aaca0d2e8d7527293
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Aug 17 05:30:21 2022

Add V8.ExternalPointerTableCompactionOutcome histogram

Bug: v8:10391
Change-Id: I44333c8a6f50f86c5eade10abc577dbd99274c30
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3832667
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1035913}

[modify] https://crrev.com/35f5deebd6ab492db010194aaca0d2e8d7527293/tools/metrics/histograms/metadata/v8/histograms.xml
[modify] https://crrev.com/35f5deebd6ab492db010194aaca0d2e8d7527293/tools/metrics/histograms/enums.xml

[Git Watcher via monorail]

Comment #90 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c90

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/6ec7be21e68a72509c7fc4de19708283bb3a814e

commit 6ec7be21e68a72509c7fc4de19708283bb3a814e
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Aug 17 09:18:08 2022

[sandbox] Sandboxify WasmExportedFunctionData::sig

This CL changes the WasmExportedFunctionData class to store a direct
ExternalPointer to the wasm::FunctionSig instead of referencing it
through a Foreign. This in turn makes it possible to use a unique

pointer tag for that external pointer when the sandbox is enabled.

Drive-by: move WasmInternalFunction::call_target external pointer to the
end of the object, in line with other external pointer fields.

Bug: v8:10391, v8:12949

Change-Id: Ic3ff622a075c9eaa2f8d8835803437466290c928
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829086
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Jakob Kummerow <jkum...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82523}

[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/src/wasm/wasm-objects.tq
[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/include/v8-internal.h
[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/src/wasm/wasm-objects.cc
[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/src/diagnostics/objects-printer.cc
[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/src/objects/objects-body-descriptors-inl.h
[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/src/builtins/x64/builtins-x64.cc
[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/src/heap/factory.h
[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/src/heap/factory.cc
[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/src/wasm/wasm-objects-inl.h
[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/src/objects/object-macros.h
[modify] https://crrev.com/6ec7be21e68a72509c7fc4de19708283bb3a814e/src/wasm/wasm-objects.h

[Git Watcher via monorail]

Comment #91 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c91

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866

commit d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866
Author: Nico Hartmann <nicoha...@chromium.org>
Date: Wed Aug 17 15:27:33 2022

Revert "[sandbox] Sandboxify WasmExportedFunctionData::sig"

This reverts commit 6ec7be21e68a72509c7fc4de19708283bb3a814e.

Reason for revert: Speculative revert for https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win64/47984/overview

Original change's description:

> [sandbox] Sandboxify WasmExportedFunctionData::sig
>
> This CL changes the WasmExportedFunctionData class to store a direct
> ExternalPointer to the wasm::FunctionSig instead of referencing it
> through a Foreign. This in turn makes it possible to use a unique
> pointer tag for that external pointer when the sandbox is enabled.
>
> Drive-by: move WasmInternalFunction::call_target external pointer to the
> end of the object, in line with other external pointer fields.
>
> Bug: v8:10391, v8:12949
> Change-Id: Ic3ff622a075c9eaa2f8d8835803437466290c928
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829086
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Reviewed-by: Jakob Kummerow <jkum...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82523}

Bug: v8:10391, v8:12949

Change-Id: I18a7c9603e30d7cd78fd599e59596015260a5818

Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true

Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3834259
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Owners-Override: Nico Hartmann <nicoha...@chromium.org>
Commit-Queue: Nico Hartmann <nicoha...@chromium.org>
Commit-Queue: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Auto-Submit: Nico Hartmann <nicoha...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82535}

[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/src/wasm/wasm-objects.tq
[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/include/v8-internal.h
[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/src/wasm/wasm-objects.cc
[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/src/diagnostics/objects-printer.cc
[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/src/objects/objects-body-descriptors-inl.h
[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/src/builtins/x64/builtins-x64.cc
[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/src/heap/factory.h
[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/src/heap/factory.cc
[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/src/wasm/wasm-objects-inl.h
[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/src/objects/object-macros.h
[modify] https://crrev.com/d8b8024e923ac2dc5cd679b11ab3c5f2fdd8e866/src/wasm/wasm-objects.h

[Git Watcher via monorail]

Comment #92 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c92

The following revision refers to this bug:

https://pdfium.googlesource.com/pdfium/+/749e1577da34dcfa672f0672bb6d8d713a56bbe3

commit 749e1577da34dcfa672f0672bb6d8d713a56bbe3
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Aug 17 19:04:43 2022

Remove V8::InitializeSandbox calls

These are no longer required after https://crrev.com/c/3762583.

Bug: v8:10391

Change-Id: Ic60aa902337421f115c2dc8d3a4604a76049ad81
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/96631
Reviewed-by: Tom Sepez <tse...@chromium.org>
Auto-Submit: Samuel Groß <sa...@chromium.org>
Commit-Queue: Tom Sepez <tse...@chromium.org>

[modify] https://pdfium.googlesource.com/pdfium/+/749e1577da34dcfa672f0672bb6d8d713a56bbe3/samples/simple_with_v8.cc
[modify] https://pdfium.googlesource.com/pdfium/+/749e1577da34dcfa672f0672bb6d8d713a56bbe3/testing/v8_initializer.cpp

[Git Watcher via monorail]

Comment #93 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c93

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/4e10c14edfafe51a65523b804e57940c219c4e49

commit 4e10c14edfafe51a65523b804e57940c219c4e49
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Aug 18 09:29:38 2022

[sandbox] Fix heuristics in EPT::StartCompactingIfNeeded

The previous code incorrectly rounded down the number of entries to free
to kBlockSize (expressed in KB) instead of kEntriesPerBlock (expressed
in # of entries) to compute the start of the evacuation area. Further,
depending on the block sized used, the previous heuristics does not
necessarily guarantee that at least one full block would be evacuated.
This CL fixes both of these issues.

Bug: v8:10391
Change-Id: I5ddecd5d582bcf89e1c52df431f006889685320a
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3837860

Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82557}

[modify] https://crrev.com/4e10c14edfafe51a65523b804e57940c219c4e49/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/4e10c14edfafe51a65523b804e57940c219c4e49/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #94 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c94

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/5015c4ea7417003f399438a982fb84f277d5a8a6

commit 5015c4ea7417003f399438a982fb84f277d5a8a6
Author: Samuel Groß <sa...@chromium.org>

Date: Wed Aug 17 09:18:08 2022

Reland "[sandbox] Sandboxify WasmExportedFunctionData::sig"

This is a reland of commit 6ec7be21e68a72509c7fc4de19708283bb3a814e

The issues that caused the CL to be reverted appear to be unrelated
to this change as they still occurred after the revert.

Original change's description:
> [sandbox] Sandboxify WasmExportedFunctionData::sig
>
> This CL changes the WasmExportedFunctionData class to store a direct
> ExternalPointer to the wasm::FunctionSig instead of referencing it
> through a Foreign. This in turn makes it possible to use a unique
> pointer tag for that external pointer when the sandbox is enabled.
>
> Drive-by: move WasmInternalFunction::call_target external pointer to the
> end of the object, in line with other external pointer fields.
>
> Bug: v8:10391, v8:12949
> Change-Id: Ic3ff622a075c9eaa2f8d8835803437466290c928

> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng

> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829086
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Reviewed-by: Jakob Kummerow <jkum...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82523}

Bug: v8:10391, v8:12949

Change-Id: I108810ce86b95289dfb6d6377535813deac79a9f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3838109

Reviewed-by: Jakob Kummerow <jkum...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>

Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82565}

[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/src/wasm/wasm-objects.tq
[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/src/wasm/wasm-objects.cc
[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/include/v8-internal.h
[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/src/diagnostics/objects-printer.cc
[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/src/objects/objects-body-descriptors-inl.h
[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/src/builtins/x64/builtins-x64.cc
[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/src/heap/factory.h
[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/src/heap/factory.cc
[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/src/wasm/wasm-objects-inl.h
[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/src/objects/object-macros.h
[modify] https://crrev.com/5015c4ea7417003f399438a982fb84f277d5a8a6/src/wasm/wasm-objects.h

[Git Watcher via monorail]

Updates:
Labels: merge-merged-10.6

Comment #95 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c95

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/485f2ecd8a924f7d5d91ce887773f42ff8ee1d30

commit 485f2ecd8a924f7d5d91ce887773f42ff8ee1d30
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Aug 18 11:49:40 2022

[sandbox] Disable external pointer sandboxing for 10.6

For shipping builds, it does not make sense to use the current
intermediate state where some external pointers are sandboxed but not
all of them, for example as this still requires all external pointer
fields to be 64-bits large (instead of 32). This CL therefore sets all
external pointers to "unsandboxed".

Bug: v8:10391
Change-Id: I9cc4dd573f675cf9e5e815a03b8b3320dbe90b22
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3838170
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Lutz Vahl <va...@chromium.org>
Cr-Commit-Position: refs/branch-heads/10.6@{#2}
Cr-Branched-From: 41bc7435693fbce8ef86753cd9239e30550a3e2d-refs/heads/10.6.194@{#1}
Cr-Branched-From: d5f29b929ce7746409201d77f44048f3e9529b40-refs/heads/main@{#82548}

[modify] https://crrev.com/485f2ecd8a924f7d5d91ce887773f42ff8ee1d30/include/v8-internal.h

[Git Watcher via monorail]

Comment #96 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c96

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/5e07ef10e06c69a72cf515abfa11ecb9556e114f

commit 5e07ef10e06c69a72cf515abfa11ecb9556e114f
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Jul 18 08:31:20 2022

[sandbox] Remove V8::InitializeSandbox

The function is no longer used in Chromium or V8 and can therefore be
deleted. This CL also simplifies V8::GetSandboxSizeInBytes, which now no
longer needs to be able to deal with an uninitialized sandbox.

Bug: v8:10391
Change-Id: I22d6b0e03de1fd2ba3d38c4e476fca44068b62f9
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3769690
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82583}

[modify] https://crrev.com/5e07ef10e06c69a72cf515abfa11ecb9556e114f/include/v8-initialization.h
[modify] https://crrev.com/5e07ef10e06c69a72cf515abfa11ecb9556e114f/src/api/api.cc

[Git Watcher via monorail]

Comment #97 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c97

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/9661da60af37db17d4f508665808bda98e6cdc93

commit 9661da60af37db17d4f508665808bda98e6cdc93
Author: Shu-yu Guo <s...@chromium.org>
Date: Thu Aug 18 15:54:51 2022

[sandbox] Always initialize allocated external pointer handles

Otherwise allocated external pointer handles may be swept if never set
by the caller.

Bug: v8:10391
Change-Id: I3d727b80635ac8e21bd403de6bcad59091ed80a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3832528
Reviewed-by: Samuel Groß <sa...@chromium.org>
Reviewed-by: Jakob Kummerow <jkum...@chromium.org>
Commit-Queue: Shu-yu Guo <s...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82597}

[modify] https://crrev.com/9661da60af37db17d4f508665808bda98e6cdc93/src/execution/isolate.cc
[modify] https://crrev.com/9661da60af37db17d4f508665808bda98e6cdc93/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/9661da60af37db17d4f508665808bda98e6cdc93/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/9661da60af37db17d4f508665808bda98e6cdc93/src/objects/slots-inl.h
[modify] https://crrev.com/9661da60af37db17d4f508665808bda98e6cdc93/src/sandbox/external-pointer-inl.h

[Git Watcher via monorail]

Comment #98 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c98

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/e1f585ed94d799555793a4150281ce2baf22a666

commit e1f585ed94d799555793a4150281ce2baf22a666
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Aug 16 12:47:06 2022

[sandbox] Sandboxify EmbedderDataSlots

Bug: v8:10391
Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82623}

[modify] https://crrev.com/e1f585ed94d799555793a4150281ce2baf22a666/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/e1f585ed94d799555793a4150281ce2baf22a666/include/v8-internal.h
[modify] https://crrev.com/e1f585ed94d799555793a4150281ce2baf22a666/src/objects/embedder-data-slot.h

[Git Watcher via monorail]

Comment #99 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c99

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/568221ee195aa8de4ee379c026c62f270d8ec7fb

commit 568221ee195aa8de4ee379c026c62f270d8ec7fb
Author: Samuel Groß <sa...@chromium.org>
Date: Tue Aug 23 12:07:06 2022

[sandbox] Fix DCHECK failure in ExternalPointerTable

When compaction is aborted during marking, the
start_of_evacuation_area_ value would previously be set to -1. This
would, however, cause some DCHECK failures during sweeping, which
expect this value to contain the (previous) start value. This is now
fixed by just setting the top bits of the start_of_evacuation_area_
value when aborting compaction. During sweeping, these bits are
cleared again and the DCHECKs work as expected.

Bug: v8:10391, chromium:1355640
Change-Id: Id48ee71a3942b3e0b88e8e1667a8f9e109a68bb3
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849650

Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82661}

[modify] https://crrev.com/568221ee195aa8de4ee379c026c62f270d8ec7fb/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/568221ee195aa8de4ee379c026c62f270d8ec7fb/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/568221ee195aa8de4ee379c026c62f270d8ec7fb/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #100 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c100

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/d30ba748a715c2ad11074243f0fbe93c0e0288b4

commit d30ba748a715c2ad11074243f0fbe93c0e0288b4
Author: Leszek Swirski <les...@chromium.org>
Date: Tue Aug 23 14:30:10 2022

Revert "[sandbox] Sandboxify EmbedderDataSlots"

This reverts commit e1f585ed94d799555793a4150281ce2baf22a666.

Reason for revert: GPU bot issues on roll (https://ci.chromium.org/ui/p/chromium/builders/try/linux_optional_gpu_tests_rel/87951/overview)

Original change's description:

> [sandbox] Sandboxify EmbedderDataSlots
>
> Bug: v8:10391
> Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72

> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng

> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82623}

Bug: v8:10391, chromium:1355640

Change-Id: Iaba70796de18d5f3b3dc74cf068943093c0bf567
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3850722
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Commit-Queue: Igor Sheludko <ish...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82672}

[modify] https://crrev.com/d30ba748a715c2ad11074243f0fbe93c0e0288b4/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/d30ba748a715c2ad11074243f0fbe93c0e0288b4/include/v8-internal.h
[modify] https://crrev.com/d30ba748a715c2ad11074243f0fbe93c0e0288b4/src/objects/embedder-data-slot.h

[Git Watcher via monorail]

Comment #101 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c101

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/d4d27367ecd7f8b60fbe8da81a20280a42eb1377

commit d4d27367ecd7f8b60fbe8da81a20280a42eb1377
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Aug 24 06:58:16 2022

[sandbox] Access EPT::start_of_evacuation_area_ atomically

All (most) accesses to start_of_evacuation_area_ must be atomic as that
value may be written to from a background marking thread (when
compaction is aborted). Further, when evacuating entries, the
start_of_evacuation_area_ should not be reloaded during entry allocation
as it may have been modified by another background thread. In that case,
the method may end up allocating an evacuation entry _after_ the entry
to be evacuated, which doesn't make sense.

Drive-by: move some methods from external-pointer-table-inl.h into
external-pointer-table.cc.

Bug: v8:10391
Change-Id: Ia93cffb2cc311ef03d96d3a9ae6f0cf461cf2434
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3849376
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82679}

[modify] https://crrev.com/d4d27367ecd7f8b60fbe8da81a20280a42eb1377/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/d4d27367ecd7f8b60fbe8da81a20280a42eb1377/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/d4d27367ecd7f8b60fbe8da81a20280a42eb1377/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #102 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c102

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/eca383c947da0c4faa890f72e4f89c6c8f592062

commit eca383c947da0c4faa890f72e4f89c6c8f592062
Author: Samuel Groß <sa...@chromium.org>

Date: Tue Aug 16 12:47:06 2022

Reland "[sandbox] Sandboxify EmbedderDataSlots"

This is a reland of commit e1f585ed94d799555793a4150281ce2baf22a666

ExternalPointerTable issues have been fixed in
https://crrev.com/c/3849650 and https://crrev.com/c/3849376

Original change's description:
> [sandbox] Sandboxify EmbedderDataSlots
>
> Bug: v8:10391
> Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72

> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng

> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341
> Reviewed-by: Igor Sheludko <ish...@chromium.org>

> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82623}

Bug: v8:10391
Change-Id: If77f6c10e81c30c2dfa6b33c788bc4a36e4da135
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852602
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82686}

[modify] https://crrev.com/eca383c947da0c4faa890f72e4f89c6c8f592062/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/eca383c947da0c4faa890f72e4f89c6c8f592062/include/v8-internal.h
[modify] https://crrev.com/eca383c947da0c4faa890f72e4f89c6c8f592062/src/objects/embedder-data-slot.h

[Git Watcher via monorail]

Comment #103 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c103

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/a9dcb35e7d0a3124ab79915b2aa1dc7c3474fff6

commit a9dcb35e7d0a3124ab79915b2aa1dc7c3474fff6
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Aug 24 15:19:44 2022

Revert "Reland "[sandbox] Sandboxify EmbedderDataSlots""

This reverts commit eca383c947da0c4faa890f72e4f89c6c8f592062.

Reason for revert: Still seeing DCHECK failures in SweepAndCompact

Original change's description:

> Reland "[sandbox] Sandboxify EmbedderDataSlots"
>
> This is a reland of commit e1f585ed94d799555793a4150281ce2baf22a666
>
> ExternalPointerTable issues have been fixed in
> https://crrev.com/c/3849650 and https://crrev.com/c/3849376
>
> Original change's description:
> > [sandbox] Sandboxify EmbedderDataSlots
> >
> > Bug: v8:10391
> > Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72
> > Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341
> > Reviewed-by: Igor Sheludko <ish...@chromium.org>
> > Commit-Queue: Samuel Groß <sa...@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#82623}
>
> Bug: v8:10391
> Change-Id: If77f6c10e81c30c2dfa6b33c788bc4a36e4da135
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852602
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82686}

Bug: v8:10391
Change-Id: Icaa1ff64cabd1bb2f19d9b019eac0ca98e528eb6

Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true

Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854677
Reviewed-by: Leszek Swirski <les...@chromium.org>
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <les...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82698}

[modify] https://crrev.com/a9dcb35e7d0a3124ab79915b2aa1dc7c3474fff6/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/a9dcb35e7d0a3124ab79915b2aa1dc7c3474fff6/include/v8-internal.h
[modify] https://crrev.com/a9dcb35e7d0a3124ab79915b2aa1dc7c3474fff6/src/objects/embedder-data-slot.h

[Git Watcher via monorail]

Comment #104 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c104

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/a31e8f242fda658b7263415e52b73541580a7735

commit a31e8f242fda658b7263415e52b73541580a7735
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Aug 25 13:27:02 2022

[sandbox] Forbid double-initialization of ExternalPointerSlots

Double initialization may cause the ExternalPointerTable compaction
algorithm to behave non-optimally: Consider the case of an Entry E1 that
is owned by a HeapObject O and is marked for evacuation during GC
marking. In that case, a new entry E2 is allocated for it, and during
sweeping, E1 will be evacuated into E2 and the Handle in O updated to
point to E2. However, if a new entry E3 for O is allocated before
sweeping, then during sweeping E3 (instead of E1) will be moved into E2.
This may then violate the invariant that the compaction algorithms
always evacuates an entry out of the evacuation area.

This CL therefore forbids double initializaiton of external pointer
slots and adds DCHECKs to attempt to catch these in debug builds.

Bug: v8:10391
Change-Id: I128dc930e8b3f863dab18ba648f34d68d8cb276b
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856563

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82729}

[modify] https://crrev.com/a31e8f242fda658b7263415e52b73541580a7735/src/objects/string.h
[modify] https://crrev.com/a31e8f242fda658b7263415e52b73541580a7735/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/a31e8f242fda658b7263415e52b73541580a7735/src/objects/string.cc
[modify] https://crrev.com/a31e8f242fda658b7263415e52b73541580a7735/src/objects/string-inl.h
[modify] https://crrev.com/a31e8f242fda658b7263415e52b73541580a7735/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/a31e8f242fda658b7263415e52b73541580a7735/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/a31e8f242fda658b7263415e52b73541580a7735/src/sandbox/external-pointer.h
[modify] https://crrev.com/a31e8f242fda658b7263415e52b73541580a7735/src/objects/slots-inl.h
[modify] https://crrev.com/a31e8f242fda658b7263415e52b73541580a7735/src/sandbox/external-pointer-inl.h

[Git Watcher via monorail]

Comment #105 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c105

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/f7eda75efd53d2868a44b0015e81a27e6a9aef8e

commit f7eda75efd53d2868a44b0015e81a27e6a9aef8e
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Aug 25 16:22:17 2022

Revert "[sandbox] Forbid double-initialization of ExternalPointerSlots"

This reverts commit a31e8f242fda658b7263415e52b73541580a7735.

Reason for revert: Causes DCHECK failures with --stress-snapshot

Original change's description:

> [sandbox] Forbid double-initialization of ExternalPointerSlots
>
> Double initialization may cause the ExternalPointerTable compaction
> algorithm to behave non-optimally: Consider the case of an Entry E1 that
> is owned by a HeapObject O and is marked for evacuation during GC
> marking. In that case, a new entry E2 is allocated for it, and during
> sweeping, E1 will be evacuated into E2 and the Handle in O updated to
> point to E2. However, if a new entry E3 for O is allocated before
> sweeping, then during sweeping E3 (instead of E1) will be moved into E2.
> This may then violate the invariant that the compaction algorithms
> always evacuates an entry out of the evacuation area.
>
> This CL therefore forbids double initializaiton of external pointer
> slots and adds DCHECKs to attempt to catch these in debug builds.
>
> Bug: v8:10391
> Change-Id: I128dc930e8b3f863dab18ba648f34d68d8cb276b
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856563
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82729}

Bug: v8:10391
Change-Id: I37e6728cc16fe79fa7d743417dc9938d58fb0474

Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true

Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857422

Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>

Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82732}

[modify] https://crrev.com/f7eda75efd53d2868a44b0015e81a27e6a9aef8e/src/objects/string.h
[modify] https://crrev.com/f7eda75efd53d2868a44b0015e81a27e6a9aef8e/src/objects/string.cc
[modify] https://crrev.com/f7eda75efd53d2868a44b0015e81a27e6a9aef8e/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/f7eda75efd53d2868a44b0015e81a27e6a9aef8e/src/objects/string-inl.h
[modify] https://crrev.com/f7eda75efd53d2868a44b0015e81a27e6a9aef8e/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/f7eda75efd53d2868a44b0015e81a27e6a9aef8e/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/f7eda75efd53d2868a44b0015e81a27e6a9aef8e/src/sandbox/external-pointer.h
[modify] https://crrev.com/f7eda75efd53d2868a44b0015e81a27e6a9aef8e/src/objects/slots-inl.h
[modify] https://crrev.com/f7eda75efd53d2868a44b0015e81a27e6a9aef8e/src/sandbox/external-pointer-inl.h

[Git Watcher via monorail]

Comment #106 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c106

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/32b7b8e903ec6b35cdb8e397089abd4cdbf8cba1

commit 32b7b8e903ec6b35cdb8e397089abd4cdbf8cba1
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Aug 26 08:22:41 2022

[sandbox] Avoid double-initialization of external pointer fields

This is a reland of commit a31e8f242fda658b7263415e52b73541580a7735

Remove the checking logic, which will be addressed in a separate CL.

Original change's description:
> [sandbox] Forbid double-initialization of ExternalPointerSlots
>
> Double initialization may cause the ExternalPointerTable compaction
> algorithm to behave non-optimally: Consider the case of an Entry E1 that
> is owned by a HeapObject O and is marked for evacuation during GC
> marking. In that case, a new entry E2 is allocated for it, and during
> sweeping, E1 will be evacuated into E2 and the Handle in O updated to
> point to E2. However, if a new entry E3 for O is allocated before
> sweeping, then during sweeping E3 (instead of E1) will be moved into E2.
> This may then violate the invariant that the compaction algorithms
> always evacuates an entry out of the evacuation area.
>
> This CL therefore forbids double initializaiton of external pointer
> slots and adds DCHECKs to attempt to catch these in debug builds.
>
> Bug: v8:10391
> Change-Id: I128dc930e8b3f863dab18ba648f34d68d8cb276b
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856563
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82729}

Bug: v8:10391

Change-Id: I6cef79f4adc340fdcdc291ad0f0c2210f5bf48cd
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857423

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82744}

[modify] https://crrev.com/32b7b8e903ec6b35cdb8e397089abd4cdbf8cba1/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/32b7b8e903ec6b35cdb8e397089abd4cdbf8cba1/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/32b7b8e903ec6b35cdb8e397089abd4cdbf8cba1/src/sandbox/external-pointer-table.h
[modify] https://crrev.com/32b7b8e903ec6b35cdb8e397089abd4cdbf8cba1/src/sandbox/external-pointer.h
[modify] https://crrev.com/32b7b8e903ec6b35cdb8e397089abd4cdbf8cba1/src/sandbox/external-pointer-inl.h

[Git Watcher via monorail]

Comment #107 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c107

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/e710981f3a2bc0133416f0a51de5689a441da9c0

commit e710981f3a2bc0133416f0a51de5689a441da9c0
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Aug 25 12:24:48 2022

Reland "Reland "[sandbox] Sandboxify EmbedderDataSlots""

This is a reland of commit eca383c947da0c4faa890f72e4f89c6c8f592062

More DCHECK failures have been fixed with https://crrev.com/c/3857423

Original change's description:
> Reland "[sandbox] Sandboxify EmbedderDataSlots"
>
> This is a reland of commit e1f585ed94d799555793a4150281ce2baf22a666
>
> ExternalPointerTable issues have been fixed in
> https://crrev.com/c/3849650 and https://crrev.com/c/3849376
>

> Original change's description:

> > [sandbox] Sandboxify EmbedderDataSlots
> >
> > Bug: v8:10391
> > Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72

> > Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341

> > Reviewed-by: Igor Sheludko <ish...@chromium.org>
> > Commit-Queue: Samuel Groß <sa...@chromium.org>

> > Cr-Commit-Position: refs/heads/main@{#82623}
>
> Bug: v8:10391
> Change-Id: If77f6c10e81c30c2dfa6b33c788bc4a36e4da135

> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852602

> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Reviewed-by: Igor Sheludko <ish...@chromium.org>

> Cr-Commit-Position: refs/heads/main@{#82686}

Bug: v8:10391

Change-Id: Id982c022e50004e903851b160d30fc8767280e5b
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854679

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82767}

[modify] https://crrev.com/e710981f3a2bc0133416f0a51de5689a441da9c0/src/objects/embedder-data-slot-inl.h
[modify] https://crrev.com/e710981f3a2bc0133416f0a51de5689a441da9c0/include/v8-internal.h
[modify] https://crrev.com/e710981f3a2bc0133416f0a51de5689a441da9c0/src/objects/embedder-data-slot.h

[Git Watcher via monorail]

Comment #108 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c108

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/a94048877ddd3732b1ceacf797319af366a80c30

commit a94048877ddd3732b1ceacf797319af366a80c30
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Aug 29 10:54:02 2022

[sandbox] Unsandboxify CodeEntryPoint

For code pointers, the sandbox will require a custom, lightweight CFI
mechanism (likely based on the external pointer table). Simply turning
all code pointers into ExternalPointers is not sufficient.
This CL therefore turns code pointers back into raw pointers for now so
that they don't block the external pointer table rollout.

Bug: v8:10391
Change-Id: Ib2ba246be546bbf19fcd0f4ae20f4e9a2cf2e099
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859348
Reviewed-by: Jakob Kummerow <jkum...@chromium.org>

Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82775}

[modify] https://crrev.com/a94048877ddd3732b1ceacf797319af366a80c30/src/codegen/code-stub-assembler.cc
[modify] https://crrev.com/a94048877ddd3732b1ceacf797319af366a80c30/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/a94048877ddd3732b1ceacf797319af366a80c30/include/v8-internal.h
[modify] https://crrev.com/a94048877ddd3732b1ceacf797319af366a80c30/src/objects/objects-body-descriptors-inl.h
[modify] https://crrev.com/a94048877ddd3732b1ceacf797319af366a80c30/src/objects/code.h
[modify] https://crrev.com/a94048877ddd3732b1ceacf797319af366a80c30/src/objects/code-inl.h
[modify] https://crrev.com/a94048877ddd3732b1ceacf797319af366a80c30/src/codegen/arm64/macro-assembler-arm64.cc
[modify] https://crrev.com/a94048877ddd3732b1ceacf797319af366a80c30/src/codegen/x64/macro-assembler-x64.cc

[Git Watcher via monorail]

Comment #109 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c109

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/5898b1f9e8e1cb786a39e10d06d120bd4427afd5

commit 5898b1f9e8e1cb786a39e10d06d120bd4427afd5
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Aug 26 13:40:21 2022

[sandbox] Detect double-initialization of external pointer fields

This CL adds lightweight checking to the ExternalPointerTable GC
algorithm to detect double initialization of external pointer fields.
These are forbidden as they interfere with the table compaction
algorithm.

Bug: v8:10391
Change-Id: Id69fdcce883aa86f8e2c456a0fe7a1f011719464
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858228

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82777}

[modify] https://crrev.com/5898b1f9e8e1cb786a39e10d06d120bd4427afd5/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/5898b1f9e8e1cb786a39e10d06d120bd4427afd5/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/5898b1f9e8e1cb786a39e10d06d120bd4427afd5/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #110 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c110

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/fa6928544b8cf1205feb904b3378181f46e8c826

commit fa6928544b8cf1205feb904b3378181f46e8c826
Author: Junliang Yan <jun...@redhat.com>
Date: Mon Aug 29 20:54:32 2022

[sandbox] Use 64k block size on ppc64

Bug: v8:10391

Change-Id: Ib07287b166cfc54d4f52575ffecdc929f7ec3892
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3863406
Reviewed-by: Samuel Groß <sa...@chromium.org>
Commit-Queue: Junliang Yan <jun...@redhat.com>
Cr-Commit-Position: refs/heads/main@{#82820}

[modify] https://crrev.com/fa6928544b8cf1205feb904b3378181f46e8c826/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #111 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c111

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/d843cda7690404d574db25f6eb0ed390e090b598

commit d843cda7690404d574db25f6eb0ed390e090b598
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Aug 29 14:03:22 2022

[sandbox] Move ExternalPointerTable entry logic into new Entry class

This CL introduces a new ExternalPointerTable::Entry class and moves all
low-level logic related to entry management into this class.

Bug: v8:10391
Change-Id: Ib7eb05da1d277cb665503e98b3f074520e572bad
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829485

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82825}

[modify] https://crrev.com/d843cda7690404d574db25f6eb0ed390e090b598/include/v8-internal.h
[modify] https://crrev.com/d843cda7690404d574db25f6eb0ed390e090b598/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/d843cda7690404d574db25f6eb0ed390e090b598/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/d843cda7690404d574db25f6eb0ed390e090b598/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #112 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c112

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/a27a527b7573977439fd07dca1f07c874535d90f

commit a27a527b7573977439fd07dca1f07c874535d90f
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Aug 26 14:29:59 2022

[sandbox] Sandboxify Foreign external pointers

Bug: v8:10391
Change-Id: I567f94800119a9afd3f684134a6f4885026f813e
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859347

Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#82866}

[modify] https://crrev.com/a27a527b7573977439fd07dca1f07c874535d90f/include/v8-internal.h

[Git Watcher via monorail]

Comment #113 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c113

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/e7bf81100af1cdfd84994ec7d3071a29cbef5257

commit e7bf81100af1cdfd84994ec7d3071a29cbef5257
Author: Samuel Groß <sa...@chromium.org>
Date: Fri Sep 02 09:23:12 2022

[sandbox] Sandboxify ExternalString external pointers

Bug: v8:10391
Change-Id: I0f737e5adf6e4fd24f93436fa5680ff20c1536da
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757901

Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>

Reviewed-by: Leszek Swirski <les...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82958}

[modify] https://crrev.com/e7bf81100af1cdfd84994ec7d3071a29cbef5257/tools/debug_helper/get-object-properties.cc
[modify] https://crrev.com/e7bf81100af1cdfd84994ec7d3071a29cbef5257/include/v8-internal.h
[modify] https://crrev.com/e7bf81100af1cdfd84994ec7d3071a29cbef5257/src/snapshot/serializer.cc

[Git Watcher via monorail]

Comment #114 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c114

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/271bd0866fbea44ae2a5bf31bf4f018e107a6342

commit 271bd0866fbea44ae2a5bf31bf4f018e107a6342
Author: Matthias Liedtke <mlie...@chromium.org>
Date: Mon Sep 05 08:56:00 2022

Revert "[sandbox] Sandboxify ExternalString external pointers"

This reverts commit e7bf81100af1cdfd84994ec7d3071a29cbef5257.

Reason for revert: Failing TSAN runs

Original change's description:

> [sandbox] Sandboxify ExternalString external pointers
>
> Bug: v8:10391
> Change-Id: I0f737e5adf6e4fd24f93436fa5680ff20c1536da
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757901
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Reviewed-by: Leszek Swirski <les...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82958}

Bug: v8:10391
Change-Id: I384d49016b9494655866339a21dab60d451158a7

Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true

Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872271
Commit-Queue: Matthias Liedtke <mlie...@chromium.org>
Reviewed-by: Samuel Groß <sa...@chromium.org>
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Auto-Submit: Matthias Liedtke <mlie...@chromium.org>
Owners-Override: Leszek Swirski <les...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82963}

[modify] https://crrev.com/271bd0866fbea44ae2a5bf31bf4f018e107a6342/tools/debug_helper/get-object-properties.cc
[modify] https://crrev.com/271bd0866fbea44ae2a5bf31bf4f018e107a6342/include/v8-internal.h
[modify] https://crrev.com/271bd0866fbea44ae2a5bf31bf4f018e107a6342/src/snapshot/serializer.cc

[Git Watcher via monorail]

Comment #115 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c115

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/8137040c3a7457e115246a21eb3f6a99963df025

commit 8137040c3a7457e115246a21eb3f6a99963df025

Author: Samuel Groß <sa...@chromium.org>
Date: Fri Sep 02 09:23:12 2022

Reland "[sandbox] Sandboxify ExternalString external pointers"

This is a reland of commit e7bf81100af1cdfd84994ec7d3071a29cbef5257

Shared string GC issues have been fixed in https://crrev.com/c/3875028

Original change's description:
> [sandbox] Sandboxify ExternalString external pointers
>
> Bug: v8:10391
> Change-Id: I0f737e5adf6e4fd24f93436fa5680ff20c1536da
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757901
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Reviewed-by: Leszek Swirski <les...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82958}

Bug: v8:10391

Change-Id: I555498973dc9d5dcc4163b3b1258e41d7148e2d5
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872273
Reviewed-by: Leszek Swirski <les...@chromium.org>

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#83026}

[modify] https://crrev.com/8137040c3a7457e115246a21eb3f6a99963df025/tools/debug_helper/get-object-properties.cc
[modify] https://crrev.com/8137040c3a7457e115246a21eb3f6a99963df025/include/v8-internal.h
[modify] https://crrev.com/8137040c3a7457e115246a21eb3f6a99963df025/src/snapshot/serializer.cc

[Git Watcher via monorail]

Comment #116 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c116

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/49c59678301fafcd7f70221cdd7936253a229093

commit 49c59678301fafcd7f70221cdd7936253a229093
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Sep 07 14:05:27 2022

[sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX

Now that all external pointers have been sandboxed,
V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
shrinks external pointer slots to 32 bits when the sandbox is enabled.

Bug: v8:10391
Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
Reviewed-by: Leszek Swirski <les...@chromium.org>
Reviewed-by: Manos Koukoutos <mano...@chromium.org>
Reviewed-by: Nico Hartmann <nicoha...@chromium.org>

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#83083}

[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/src/wasm/wasm-objects.tq
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/include/v8-internal.h
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/test/cctest/test-api.cc
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/include/v8-initialization.h
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/src/common/globals.h
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/src/codegen/tnode.h
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/test/cctest/test-strings.cc
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/tools/v8heapconst.py
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/BUILD.gn
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/src/api/api.cc
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/src/torque/torque-parser.cc
[modify] https://crrev.com/49c59678301fafcd7f70221cdd7936253a229093/src/objects/slots-inl.h

[Git Watcher via monorail]

Comment #117 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c117

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/68de20179cfec137d7197bb633786f238293f0cf

commit 68de20179cfec137d7197bb633786f238293f0cf
Author: Samuel Groß <sa...@chromium.org>
Date: Thu Sep 08 16:48:03 2022

[sandbox] Skip mkgrokdump test in non-sandbox mode

When the sandbox is disabled, object layouts are now different as
ExternalPointerSlots are then 64-bit (raw pointers) instead of 32-bit
(ExternalPointerHandles).

Bug: v8:10391
Change-Id: Ia03d1ae9300fad96e40b77f0ed9544a1a118b74a
Cq-Include-Trybots: luci.v8.try.triggered:v8_linux64_no_sandbox_dbg_ng_triggered
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3884075
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Auto-Submit: Samuel Groß <sa...@chromium.org>
Reviewed-by: Michael Achenbach <mache...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83089}

[modify] https://crrev.com/68de20179cfec137d7197bb633786f238293f0cf/test/mkgrokdump/mkgrokdump.status

[Git Watcher via monorail]

Comment #118 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c118

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/6852c402e7bb3a91a366922ccd15b930907425c2

commit 6852c402e7bb3a91a366922ccd15b930907425c2
Author: Matthias Liedtke <mlie...@chromium.org>
Date: Fri Sep 09 13:54:45 2022

Revert "[sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX"

This reverts commit 49c59678301fafcd7f70221cdd7936253a229093.

Reason for revert: The change is suspected to be breaking chromium's determinism test: https://ci.chromium.org/ui/p/chromium/builders/ci/Deterministic%20Linux/35003/overview

Original change's description:

> [sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX
>
> Now that all external pointers have been sandboxed,
> V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
> shrinks external pointer slots to 32 bits when the sandbox is enabled.
>
> Bug: v8:10391
> Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
> Reviewed-by: Leszek Swirski <les...@chromium.org>
> Reviewed-by: Manos Koukoutos <mano...@chromium.org>
> Reviewed-by: Nico Hartmann <nicoha...@chromium.org>
> Reviewed-by: Igor Sheludko <ish...@chromium.org>

> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83083}

Bug: v8:10391
Change-Id: I515ba771aa21f58b752a3a5b36b4deb2abc5f9c0

Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true

Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3886870
Commit-Queue: Matthias Liedtke <mlie...@chromium.org>
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Owners-Override: Matthias Liedtke <mlie...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83111}

[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/src/wasm/wasm-objects.tq
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/include/v8-internal.h
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/test/cctest/test-api.cc
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/include/v8-initialization.h
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/src/common/globals.h
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/src/codegen/tnode.h
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/test/cctest/test-strings.cc
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/tools/v8heapconst.py
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/BUILD.gn
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/src/api/api.cc
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/src/torque/torque-parser.cc
[modify] https://crrev.com/6852c402e7bb3a91a366922ccd15b930907425c2/src/objects/slots-inl.h

[Git Watcher via monorail]

Comment #119 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c119

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/0e2dbaac6b3d355b04460634742752dfeb2071d6

commit 0e2dbaac6b3d355b04460634742752dfeb2071d6
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Sep 12 07:20:02 2022

Reland "[sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX"

This is a reland of commit 49c59678301fafcd7f70221cdd7936253a229093

The non-deterministic snapshot issue has been fixed by using the correct
field size for CodeDataContainers in serializer.cc.

Original change's description:
> [sandbox] Fold V8_SANDBOXED_EXTERNAL_POINTERS into V8_ENABLE_SANDBOX
>
> Now that all external pointers have been sandboxed,
> V8_SANDBOXED_EXTERNAL_POINTERS is no longer needed. This change also
> shrinks external pointer slots to 32 bits when the sandbox is enabled.
>
> Bug: v8:10391
> Change-Id: Iccbef27ac107b988cb23fe9ef66da6fe0bae087a
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869269
> Reviewed-by: Leszek Swirski <les...@chromium.org>
> Reviewed-by: Manos Koukoutos <mano...@chromium.org>
> Reviewed-by: Nico Hartmann <nicoha...@chromium.org>
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83083}

Bug: v8:10391

Change-Id: I29870404406902d99ba6016c570cc0c4d05c6c85
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3887899
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Reviewed-by: Leszek Swirski <les...@chromium.org>
Reviewed-by: Nico Hartmann <nicoha...@chromium.org>
Reviewed-by: Manos Koukoutos <mano...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83130}

[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/src/wasm/wasm-objects.tq
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/include/v8-internal.h
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/test/cctest/test-api.cc
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/include/v8-initialization.h
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/src/common/globals.h
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/src/codegen/tnode.h
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/test/cctest/test-strings.cc
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/tools/v8heapconst.py
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/BUILD.gn
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/src/snapshot/serializer.cc
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/src/api/api.cc
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/src/torque/torque-parser.cc
[modify] https://crrev.com/0e2dbaac6b3d355b04460634742752dfeb2071d6/src/objects/slots-inl.h

[Git Watcher via monorail]

Comment #120 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c120

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/a9327e9394a41d16e5df1450cb41f89cbf599f2e

commit a9327e9394a41d16e5df1450cb41f89cbf599f2e
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Sep 12 11:40:00 2022

[sandbox] Schedule GC when EPT utilization reaches certain thresholds

During ExternalPointerTable::Grow, if we cross one of a handful of
predefined utilization thresholds, we now request a (major) GC to free
up entries that are no longer used in the table.

Bug: v8:10391
Change-Id: Id2d262f0f1d4dc37aec1e4978a8be2d223fb2b2b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890971
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Michael Lippautz <mlip...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83155}

[modify] https://crrev.com/a9327e9394a41d16e5df1450cb41f89cbf599f2e/src/sandbox/external-pointer-table.cc

[Git Watcher via monorail]

Comment #121 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c121

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/7e4ee6862e122379703ce40c63e85e66a73b85c1

commit 7e4ee6862e122379703ce40c63e85e66a73b85c1
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Sep 14 11:51:05 2022

[sandbox] Introduce ExternalPointerTable::Freelist

This struct represents the freelist of an ExternalPointerTable and
contains both the size and the head of the freelist. It is encoded and
stored as a single Atomic64 field (freelist_) inside the
ExternalPointerTable class. This ensures that the freelist head and size
are always synchronized.

Previously, the freelist size was encoded in freelist entries in the top
bits. This only works as long as the maximum table size is relatively
small however, as it requires both the freelist size and the index of
the next entry on the list to fit into 24 bits. To allow for bigger
maximum table sizes in the future, this CL moves the freelist size
directly into the table as part of the freelist_ field.

Bug: v8:10391
Change-Id: Id09c9b28d09d79b704ac47e6566029cfb209ecd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891256
Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83193}

[modify] https://crrev.com/7e4ee6862e122379703ce40c63e85e66a73b85c1/src/execution/isolate.cc
[modify] https://crrev.com/7e4ee6862e122379703ce40c63e85e66a73b85c1/include/v8-internal.h
[modify] https://crrev.com/7e4ee6862e122379703ce40c63e85e66a73b85c1/src/sandbox/external-pointer-table.cc
[modify] https://crrev.com/7e4ee6862e122379703ce40c63e85e66a73b85c1/src/sandbox/external-pointer-table-inl.h
[modify] https://crrev.com/7e4ee6862e122379703ce40c63e85e66a73b85c1/src/sandbox/external-pointer-table.h

[Git Watcher via monorail]

Comment #122 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c122

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/d7fcbba80e35e845a85e900cf4e3c479e3b69790

commit d7fcbba80e35e845a85e900cf4e3c479e3b69790
Author: Samuel Groß <sa...@chromium.org>
Date: Wed Sep 14 14:15:08 2022

[sandbox] Increase ExternalPointerTable maximum capacity to 512MB

Bug: v8:10391
Change-Id: I383e11bdccf6fcaf13f29d25e1404545067d313e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891249

Reviewed-by: Igor Sheludko <ish...@chromium.org>
Commit-Queue: Samuel Groß <sa...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#83203}

[modify] https://crrev.com/d7fcbba80e35e845a85e900cf4e3c479e3b69790/include/v8-internal.h

[Git Watcher via monorail]

Comment #123 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c123

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/9e65a050492aa46ec1fd4e5bb19e6a48359b2ace

commit 9e65a050492aa46ec1fd4e5bb19e6a48359b2ace
Author: Leszek Swirski <les...@chromium.org>
Date: Mon Sep 19 13:36:00 2022

Revert "[sandbox] Increase ExternalPointerTable maximum capacity to 512MB"

This reverts commit d7fcbba80e35e845a85e900cf4e3c479e3b69790.

Reason for revert: Speculatively reverting because of blocked roll

Original change's description:

> [sandbox] Increase ExternalPointerTable maximum capacity to 512MB
>
> Bug: v8:10391
> Change-Id: I383e11bdccf6fcaf13f29d25e1404545067d313e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891249
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83203}

Bug: v8:10391
Change-Id: Id3a374a1f87a6ec3889d2e81d169ad004744ca99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3904605
Bot-Commit: Rubber Stamper <rubber-...@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <les...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83305}

[modify] https://crrev.com/9e65a050492aa46ec1fd4e5bb19e6a48359b2ace/include/v8-internal.h

[Git Watcher via monorail]

Comment #124 on issue 10391 by Git Watcher: V8 Sandbox
https://bugs.chromium.org/p/v8/issues/detail?id=10391#c124

The following revision refers to this bug:

https://chromium.googlesource.com/v8/v8/+/3285ad9ea4a2a8794849f4dcdaef3f904bbfbfc1

commit 3285ad9ea4a2a8794849f4dcdaef3f904bbfbfc1
Author: Samuel Groß <sa...@chromium.org>
Date: Mon Sep 19 18:28:30 2022

Reland "[sandbox] Increase ExternalPointerTable maximum capacity to 512MB"

This is a reland of commit d7fcbba80e35e845a85e900cf4e3c479e3b69790

The LSan support logic of the ExternalPointerTable has been optimized to
avoid timeouts on sanitizer bots

Original change's description:
> [sandbox] Increase ExternalPointerTable maximum capacity to 512MB
>
> Bug: v8:10391
> Change-Id: I383e11bdccf6fcaf13f29d25e1404545067d313e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3891249
> Reviewed-by: Igor Sheludko <ish...@chromium.org>
> Commit-Queue: Samuel Groß <sa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#83203}

Bug: v8:10391

Change-Id: If50156d6fecff7ca8ece5c350e7b08936f50daa6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905141

Commit-Queue: Samuel Groß <sa...@chromium.org>
Reviewed-by: Igor Sheludko <ish...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#83322}

[modify] https://crrev.com/3285ad9ea4a2a8794849f4dcdaef3f904bbfbfc1/include/v8-internal.h
[modify] https://crrev.com/3285ad9ea4a2a8794849f4dcdaef3f904bbfbfc1/src/sandbox/external-pointer-table.cc