File Explorer

1// Copyright 2024 the V8 project authors. All rights reserved.2// Use of this source code is governed by a BSD-style license that can be3// found in the LICENSE file.4 5#ifndef INCLUDE_V8_SANDBOX_H_6#define INCLUDE_V8_SANDBOX_H_7 8#include <cstdint>9 10#include "v8-internal.h"  // NOLINT(build/include_directory)11#include "v8config.h"     // NOLINT(build/include_directory)12 13namespace v8 {14 15/**16 * A pointer tag used for wrapping and unwrapping `CppHeap` pointers as used17 * with JS API wrapper objects that rely on `v8::Object::Wrap()` and18 * `v8::Object::Unwrap()`.19 *20 * The CppHeapPointers use a range-based type checking scheme, where on access21 * to a pointer, the actual type of the pointer is checked to be within a22 * specified range of types. This allows supporting type hierarchies, where a23 * type check for a supertype must succeed for any subtype.24 *25 * The tag is currently in practice limited to 15 bits since it needs to fit26 * together with a marking bit into the unused parts of a pointer.27 */28enum class CppHeapPointerTag : uint16_t {29  kFirstTag = 0,30  kNullTag = 0,31 32  /**33   * The lower type ids are reserved for the embedder to assign. For that, the34   * main requirement is that all (transitive) child classes of a given parent35   * class have type ids in the same range, and that there are no unrelated36   * types in that range. For example, given the following type hierarchy:37   *38   *          A     F39   *         / \40   *        B   E41   *       / \42   *      C   D43   *44   * a potential type id assignment that satistifes these requirements is45   * {C: 0, D: 1, B: 2, A: 3, E: 4, F: 5}. With that, the type check for type A46   * would check for the range [0, 4], while the check for B would check range47   * [0, 2], and for F it would simply check [5, 5].48   *49   * In addition, there is an option for performance tweaks: if the size of the50   * type range corresponding to a supertype is a power of two and starts at a51   * power of two (e.g. [0x100, 0x13f]), then the compiler can often optimize52   * the type check to use even fewer instructions (essentially replace a AND +53   * SUB with a single AND).54   */55 56  kDefaultTag = 0x7000,57 58  kZappedEntryTag = 0x7ffd,59  kEvacuationEntryTag = 0x7ffe,60  kFreeEntryTag = 0x7fff,61  // The tags are limited to 15 bits, so the last tag is 0x7fff.62  kLastTag = 0x7fff,63};64 65// Convenience struct to represent tag ranges. This is used for type checks66// against supertypes, which cover a range of types (their subtypes).67// Both the lower- and the upper bound are inclusive. In other words, this68// struct represents the range [lower_bound, upper_bound].69// TODO(saelo): reuse internal::TagRange here.70struct CppHeapPointerTagRange {71  constexpr CppHeapPointerTagRange(CppHeapPointerTag lower,72                                   CppHeapPointerTag upper)73      : lower_bound(lower), upper_bound(upper) {}74  CppHeapPointerTag lower_bound;75  CppHeapPointerTag upper_bound;76 77  // Check whether the tag of the given CppHeapPointerTable entry is within78  // this range. This method encodes implementation details of the79  // CppHeapPointerTable, which is necessary as it is used by80  // ReadCppHeapPointerField below.81  // Returns true if the check is successful and the tag of the given entry is82  // within this range, false otherwise.83  bool CheckTagOf(uint64_t entry) {84    // Note: the cast to uint32_t is important here. Otherwise, the uint16_t's85    // would be promoted to int in the range check below, which would result in86    // undefined behavior (signed integer undeflow) if the actual value is less87    // than the lower bound. Then, the compiler would take advantage of the88    // undefined behavior and turn the range check into a simple89    // `actual_tag <= last_tag` comparison, which is incorrect.90    uint32_t actual_tag = static_cast<uint16_t>(entry);91    // The actual_tag is shifted to the left by one and contains the marking92    // bit in the LSB. To ignore that during the type check, simply add one to93    // the (shifted) range.94    constexpr int kTagShift = internal::kCppHeapPointerTagShift;95    uint32_t first_tag = static_cast<uint32_t>(lower_bound) << kTagShift;96    uint32_t last_tag = (static_cast<uint32_t>(upper_bound) << kTagShift) + 1;97    return actual_tag >= first_tag && actual_tag <= last_tag;98  }99};100 101constexpr CppHeapPointerTagRange kAnyCppHeapPointer(102    CppHeapPointerTag::kFirstTag, CppHeapPointerTag::kLastTag);103 104class SandboxHardwareSupport {105 public:106  /**107   * Initialize sandbox hardware support. This needs to be called before108   * creating any thread that might access sandbox memory since it sets up109   * hardware permissions to the memory that will be inherited on clone.110   */111  V8_EXPORT static void InitializeBeforeThreadCreation();112};113 114namespace internal {115 116#ifdef V8_COMPRESS_POINTERS117V8_INLINE static Address* GetCppHeapPointerTableBase(v8::Isolate* isolate) {118  Address addr = reinterpret_cast<Address>(isolate) +119                 Internals::kIsolateCppHeapPointerTableOffset +120                 Internals::kExternalPointerTableBasePointerOffset;121  return *reinterpret_cast<Address**>(addr);122}123#endif  // V8_COMPRESS_POINTERS124 125template <typename T>126V8_INLINE static T* ReadCppHeapPointerField(v8::Isolate* isolate,127                                            Address heap_object_ptr, int offset,128                                            CppHeapPointerTagRange tag_range) {129#ifdef V8_COMPRESS_POINTERS130  // See src/sandbox/cppheap-pointer-table-inl.h. Logic duplicated here so131  // it can be inlined and doesn't require an additional call.132  const CppHeapPointerHandle handle =133      Internals::ReadRawField<CppHeapPointerHandle>(heap_object_ptr, offset);134  const uint32_t index = handle >> kExternalPointerIndexShift;135  const Address* table = GetCppHeapPointerTableBase(isolate);136  const std::atomic<Address>* ptr =137      reinterpret_cast<const std::atomic<Address>*>(&table[index]);138  Address entry = std::atomic_load_explicit(ptr, std::memory_order_relaxed);139 140  Address pointer = entry;141  if (V8_LIKELY(tag_range.CheckTagOf(entry))) {142    pointer = entry >> kCppHeapPointerPayloadShift;143  } else {144    // If the type check failed, we simply return nullptr here. That way:145    //  1. The null handle always results in nullptr being returned here, which146    //     is a desired property. Otherwise, we would need an explicit check for147    //     the null handle above, and therefore an additional branch. This148    //     works because the 0th entry of the table always contains nullptr149    //     tagged with the null tag (i.e. an all-zeros entry). As such,150    //     regardless of whether the type check succeeds, the result will151    //     always be nullptr.152    //  2. The returned pointer is guaranteed to crash even on platforms with153    //     top byte ignore (TBI), such as Arm64. The alternative would be to154    //     simply return the original entry with the left-shifted payload.155    //     However, due to TBI, an access to that may not always result in a156    //     crash (specifically, if the second most significant byte happens to157    //     be zero). In addition, there shouldn't be a difference on Arm64158    //     between returning nullptr or the original entry, since it will159    //     simply compile to a `csel x0, x8, xzr, lo` instead of a160    //     `csel x0, x10, x8, lo` instruction.161    pointer = 0;162  }163  return reinterpret_cast<T*>(pointer);164#else   // !V8_COMPRESS_POINTERS165  return reinterpret_cast<T*>(166      Internals::ReadRawField<Address>(heap_object_ptr, offset));167#endif  // !V8_COMPRESS_POINTERS168}169 170}  // namespace internal171}  // namespace v8172 173#endif  // INCLUDE_V8_SANDBOX_H_174