Marja Hölttä (Gerrit)

unread,

Sep 4, 2025, 8:31:35 AM (3 days ago) Sep 4

to Anton Bikineev, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Anton Bikineev

Marja Hölttä added 1 comment

Patchset-level comments

File-level comment, Patchset 8 (Latest):

Marja Hölttä . resolved

ptal

Open in Gerrit

Related details

Attention is currently required from:

Anton Bikineev

Submit Requirements:

Code-Owners
Code-Review

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Anton Bikineev (Gerrit)

unread,

Sep 4, 2025, 9:45:18 AM (3 days ago) Sep 4

to Marja Hölttä, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Marja Hölttä

Anton Bikineev voted and added 1 comment

Votes added by Anton Bikineev

Code-Review

+1

1 comment

Patchset-level comments

File-level comment, Patchset 8 (Latest):

Anton Bikineev . resolved

lgtm, thanks

Open in Gerrit

Related details

Attention is currently required from:

Marja Hölttä

Submit Requirements:

Code-Owners
Code-Review

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Marja Hölttä (Gerrit)

unread,

Sep 5, 2025, 6:38:52 AM (2 days ago) Sep 5

to Anton Bikineev, V8 LUCI CQ, v8-re...@googlegroups.com

Marja Hölttä voted Commit-Queue+2

Commit-Queue

+2

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Owners
Code-Review

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

V8 LUCI CQ (Gerrit)

unread,

Sep 5, 2025, 7:12:42 AM (2 days ago) Sep 5

to Marja Hölttä, Anton Bikineev, v8-re...@googlegroups.com

V8 LUCI CQ submitted the change

Change information

Commit message:

[sandbox] Add checks to places where we access TypedArrays - part 1

Because of potential ElementsKind switcheroo, we might be pointing
outside the sandbox when doing the data + index * element size math, and
the sandbox guard region is not big enough to save us.

This is still incomplete - other places need similar checks.

Bug: 435630461

Change-Id: Ie206255753d00a51640170e6cb131329aa79b7cb

Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6818292

Commit-Queue: Marja Hölttä <ma...@chromium.org>

Reviewed-by: Anton Bikineev <biki...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#102272}

Files:

M src/objects/elements.cc
A test/mjsunit/sandbox/regress-435630461.js

Change size: M

Delta: 2 files changed, 51 insertions(+), 7 deletions(-)

Branch: refs/heads/main

Submit Requirements:

Code-Review: +1 by Anton Bikineev

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Krishna Ravishankar (Gerrit)

unread,

Sep 5, 2025, 10:25:51 AM (2 days ago) Sep 5

to Marja Hölttä, V8 LUCI CQ, Anton Bikineev, v8-re...@googlegroups.com

Attention needed from Marja Hölttä

Krishna Ravishankar added 1 comment

File src/objects/elements.cc

Line 3453, Patchset 9 (Latest): SBXCHECK(InsideSandbox(reinterpret_cast<Address>(data_ptr)));

Krishna Ravishankar . unresolved

Is it possible to have typed arrays that view data outside the v8 sandbox (eg. `AudioBuffer`/`GPUBuffer`?) and if so would this check and the one below cause regressions for v8 embedders?

Open in Gerrit

Related details

Attention is currently required from:

Marja Hölttä

Submit Requirements:

Code-Owners
Code-Review

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Krishna Ravishankar (Gerrit)

unread,

Sep 5, 2025, 11:54:47 AM (2 days ago) Sep 5

to Marja Hölttä, V8 LUCI CQ, Anton Bikineev, v8-re...@googlegroups.com

Krishna Ravishankar added 1 comment

File src/objects/elements.cc

Line 3453, Patchset 9 (Latest): SBXCHECK(InsideSandbox(reinterpret_cast<Address>(data_ptr)));

Krishna Ravishankar . resolved

Is it possible to have typed arrays that view data outside the v8 sandbox (eg. `AudioBuffer`/`GPUBuffer`?) and if so would this check and the one below cause regressions for v8 embedders?

Krishna Ravishankar

Please ignore the above comment. It's [not possible to have backing stores outside the sandbox](https://source.chromium.org/chromium/chromium/src/+/main:v8/src/api/api.cc;l=9170-9175;drc=07d9e6615fd051f1447bb464057b5aa14cfebf11) when it's enabled to begin with.

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Owners
Code-Review

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Reply all

Reply to author

Forward

[sandbox] Add checks to places where we access TypedArrays - part 1 [v8/v8 : main]

Marja Hölttä (Gerrit)

Marja Hölttä added 1 comment

Related details

Anton Bikineev (Gerrit)

Anton Bikineev voted and added 1 comment

Votes added by Anton Bikineev

1 comment

Related details

Marja Hölttä (Gerrit)

Marja Hölttä voted Commit-Queue+2

Related details

V8 LUCI CQ (Gerrit)

V8 LUCI CQ submitted the change

Change information

Krishna Ravishankar (Gerrit)

Krishna Ravishankar added 1 comment

Related details

Krishna Ravishankar (Gerrit)

Krishna Ravishankar added 1 comment

Related details