[wasm] Do not sandbox isolate root pointer

The isolate root pointer in a WasmApiFuncionRef cannot be sandboxed, because we would need the isolate root in the first place to decode it. Therefore we do not use Foreign as the parent class of WasmApiFunctionRef. Bug: v8:11510 Change-Id: Idcbe654274c543ee571a335cb8e212ca3492d973 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3262134 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#77751}

[wasm] Do not sandbox isolate root pointer
The isolate root pointer in a WasmApiFuncionRef cannot be sandboxed, because we would need the isolate root in the first place to decode it. Therefore we do not use Foreign as the parent class of WasmApiFunctionRef. Bug: v8:11510 Change-Id: Idcbe654274c543ee571a335cb8e212ca3492d973 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3262134 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#77751}
02b73c94 · Manos Koukoutos · V8 LUCI CQ · 77599ffe · 02b73c94 · 02b73c94
Commit 02b73c94 authored Nov 08, 2021 by Manos Koukoutos Committed by V8 LUCI CQ Nov 08, 2021
7 changed files
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -660,9 +660,12 @@ Node* WasmGraphBuilder::BuildLoadIsolateRoot() {
      // that the generated code is Isolate independent.
      return LOAD_INSTANCE_FIELD(IsolateRoot, MachineType::Pointer());
    case kWasmApiFunctionRefMode:
-      return gasm_->Load(MachineType::Pointer(), Param(0),
-                         wasm::ObjectAccess::ToTagged(
-                             WasmApiFunctionRef::kForeignAddressOffset));
+      // Note: Even if V8_HEAP_SANDBOX, the pointer to the isolate root is not
+      // encoded, much like the case above. TODO(manoskouk): Decode the pointer
+      // here if that changes.
+      return gasm_->Load(
+          MachineType::Pointer(), Param(0),
+          wasm::ObjectAccess::ToTagged(WasmApiFunctionRef::kIsolateRootOffset));
    case kNoSpecialParameterMode:
      return mcgraph()->IntPtrConstant(isolate_->isolate_root());
  }

--- a/src/diagnostics/objects-printer.cc
+++ b/src/diagnostics/objects-printer.cc
@@ -1939,7 +1939,7 @@ void WasmJSFunctionData::WasmJSFunctionDataPrint(std::ostream& os) {

 void WasmApiFunctionRef::WasmApiFunctionRefPrint(std::ostream& os) {
  PrintHeader(os, "WasmApiFunctionRef");
-  os << "\n - isolate_root: " << reinterpret_cast<void*>(foreign_address());
+  os << "\n - isolate_root: " << reinterpret_cast<void*>(isolate_root());
  os << "\n - native_context: " << Brief(native_context());
  os << "\n - callable: " << Brief(callable());
  os << "\n";

--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@@ -1483,7 +1483,7 @@ Handle<WasmApiFunctionRef> Factory::NewWasmApiFunctionRef(
  auto result = WasmApiFunctionRef::cast(AllocateRawWithImmortalMap(
      map.instance_size(), AllocationType::kOld, map));
  DisallowGarbageCollection no_gc;
-  result.set_foreign_address(isolate(), isolate()->isolate_root());
+  result.set_isolate_root(isolate()->isolate_root());
  result.set_native_context(*isolate()->native_context());
  if (!callable.is_null()) {
    result.set_callable(*callable);

--- a/src/objects/objects-body-descriptors-inl.h
+++ b/src/objects/objects-body-descriptors-inl.h
@@ -651,8 +651,6 @@ class WasmApiFunctionRef::BodyDescriptor final : public BodyDescriptorBase {
  template <typename ObjectVisitor>
  static inline void IterateBody(Map map, HeapObject obj, int object_size,
                                 ObjectVisitor* v) {
-    Foreign::BodyDescriptor::IterateBody<ObjectVisitor>(map, obj, object_size,
-                                                        v);
    IteratePointers(obj, kStartOfStrongFieldsOffset, kEndOfStrongFieldsOffset,
                    v);
  }

--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@@ -733,7 +733,7 @@ class WasmExportedFunctionData
 };

 class WasmApiFunctionRef
-    : public TorqueGeneratedWasmApiFunctionRef<WasmApiFunctionRef, Foreign> {
+    : public TorqueGeneratedWasmApiFunctionRef<WasmApiFunctionRef, HeapObject> {
 public:
  // Dispatched behavior.
  DECL_PRINTER(WasmApiFunctionRef)

--- a/src/wasm/wasm-objects.tq
+++ b/src/wasm/wasm-objects.tq
@@ -14,9 +14,11 @@ extern class WasmInstanceObject extends JSObject;
 // Represents the context of a function that is defined through the JS or C
 // APIs. Corresponds to the WasmInstanceObject passed to a Wasm function
 // reference.
-// The {foreign_address} field inherited from {Foreign} points the IsolateRoots
-// of the defining isolate.
-extern class WasmApiFunctionRef extends Foreign {
+// TODO(manoskouk): If V8_HEAP_SANDBOX, we cannot encode the isolate_root as a
+// sandboxed pointer, because that would require having access to the isolate
+// root in the first place.
+extern class WasmApiFunctionRef extends HeapObject {
+  isolate_root: RawPtr;
  native_context: NativeContext;
  callable: JSReceiver|Undefined;
 }

--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py