[sandbox][arm64] Implement heap sandbox support on arm64

Add support for heap sandbox on arm64 when building with v8_enable_heap_sandbox=true Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng Bug: v8:10391 Change-Id: I3080f5970d2a604ca67827c732cd77761f7611a3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3165057 Commit-Queue: Martyn Capewell <martyn.capewell@arm.com> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#76986}

[sandbox][arm64] Implement heap sandbox support on arm64
Add support for heap sandbox on arm64 when building with v8_enable_heap_sandbox=true Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng Bug: v8:10391 Change-Id: I3080f5970d2a604ca67827c732cd77761f7611a3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3165057 Commit-Queue: Martyn Capewell <martyn.capewell@arm.com> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#76986}
1e96c29d · Michalis Spyrou · V8 LUCI CQ · 5458cfd0 · 1e96c29d · 1e96c29d
Commit 1e96c29d authored Sep 17, 2021 by Michalis Spyrou Committed by V8 LUCI CQ Sep 22, 2021
7 changed files
--- a/src/builtins/arm64/builtins-arm64.cc
+++ b/src/builtins/arm64/builtins-arm64.cc
@@ -3774,8 +3774,11 @@ void Builtins::Generate_CallApiGetter(MacroAssembler* masm) {
  Register js_getter = x4;
  __ LoadTaggedPointerField(
      js_getter, FieldMemOperand(callback, AccessorInfo::kJsGetterOffset));
-  __ Ldr(api_function_address,
-         FieldMemOperand(js_getter, Foreign::kForeignAddressOffset));
+
+  __ LoadExternalPointerField(
+      api_function_address,
+      FieldMemOperand(js_getter, Foreign::kForeignAddressOffset),
+      kForeignForeignAddressTag);

  const int spill_offset = 1 + kApiStackSpace;
  // +3 is to skip prolog, return address and name handle.

--- a/src/codegen/arm64/macro-assembler-arm64.cc
+++ b/src/codegen/arm64/macro-assembler-arm64.cc
@@ -2091,8 +2091,12 @@ void TurboAssembler::LoadCodeDataContainerEntry(
    Register destination, Register code_data_container_object) {
  ASM_CODE_COMMENT(this);
  CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
-  Ldr(destination, FieldMemOperand(code_data_container_object,
-                                   CodeDataContainer::kCodeEntryPointOffset));
+
+  LoadExternalPointerField(
+      destination,
+      FieldMemOperand(code_data_container_object,
+                      CodeDataContainer::kCodeEntryPointOffset),
+      kCodeEntryPointTag);
 }

 void TurboAssembler::LoadCodeDataContainerCodeNonBuiltin(
@@ -3059,6 +3063,34 @@ void MacroAssembler::RecordWriteField(Register object, int offset,
  Bind(&done);
 }

+void TurboAssembler::LoadExternalPointerField(Register destination,
+                                              MemOperand field_operand,
+                                              ExternalPointerTag tag,
+                                              Register isolate_root) {
+  DCHECK(!AreAliased(destination, isolate_root));
+  ASM_CODE_COMMENT(this);
+#ifdef V8_HEAP_SANDBOX
+  UseScratchRegisterScope temps(this);
+  Register external_table = temps.AcquireX();
+  if (isolate_root == no_reg) {
+    DCHECK(root_array_available_);
+    isolate_root = kRootRegister;
+  }
+  Ldr(external_table,
+      MemOperand(isolate_root,
+                 IsolateData::external_pointer_table_offset() +
+                     Internals::kExternalPointerTableBufferOffset));
+  Ldr(destination, field_operand);
+  Ldr(destination,
+      MemOperand(external_table, destination, LSL, kSystemPointerSizeLog2));
+  if (tag != 0) {
+    And(destination, destination, Immediate(~tag));
+  }
+#else
+  Ldr(destination, field_operand);
+#endif  // V8_HEAP_SANDBOX
+}
+
 void TurboAssembler::MaybeSaveRegisters(RegList registers) {
  if (registers == 0) return;
  ASM_CODE_COMMENT(this);

--- a/src/codegen/arm64/macro-assembler-arm64.h
+++ b/src/codegen/arm64/macro-assembler-arm64.h
@@ -1432,6 +1432,15 @@ class V8_EXPORT_PRIVATE TurboAssembler : public TurboAssemblerBase {
  void I64x2BitMask(Register dst, VRegister src);
  void I64x2AllTrue(Register dst, VRegister src);

+  // ---------------------------------------------------------------------------
+  // V8 Heap sandbox support
+
+  // Loads a field containing off-heap pointer and does necessary decoding
+  // if V8 heap sandbox is enabled.
+  void LoadExternalPointerField(Register destination, MemOperand field_operand,
+                                ExternalPointerTag tag,
+                                Register isolate_root = Register::no_reg());
+
 protected:
  // The actual Push and Pop implementations. These don't generate any code
  // other than that required for the push or pop. This allows

--- a/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
+++ b/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
@@ -452,6 +452,13 @@ void LiftoffAssembler::LoadTaggedPointerFromInstance(Register dst,
  LoadTaggedPointerField(dst, MemOperand{instance, offset});
 }

+void LiftoffAssembler::LoadExternalPointer(Register dst, Register instance,
+                                           int offset, ExternalPointerTag tag,
+                                           Register isolate_root) {
+  LoadExternalPointerField(dst, FieldMemOperand(instance, offset), tag,
+                           isolate_root);
+}
+
 void LiftoffAssembler::SpillInstance(Register instance) {
  Str(instance, liftoff::GetInstanceOperand());
 }

--- a/src/wasm/baseline/liftoff-assembler.h
+++ b/src/wasm/baseline/liftoff-assembler.h
@@ -670,6 +670,9 @@ class LiftoffAssembler : public TurboAssembler {
                               int size);
  inline void LoadTaggedPointerFromInstance(Register dst, Register instance,
                                            int offset);
+  inline void LoadExternalPointer(Register dst, Register instance, int offset,
+                                  ExternalPointerTag tag,
+                                  Register isolate_root);
  inline void SpillInstance(Register instance);
  inline void ResetOSRTarget();
  inline void FillInstanceInto(Register dst);

--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@@ -5949,11 +5949,9 @@ class LiftoffCompiler {

 #ifdef V8_HEAP_SANDBOX
    LOAD_INSTANCE_FIELD(temp.gp(), IsolateRoot, kSystemPointerSize, pinned);
-    __ LoadExternalPointerField(
-        target.gp(),
-        FieldOperand(func_data.gp(), WasmFunctionData::kForeignAddressOffset),
-        kForeignForeignAddressTag, temp.gp(),
-        TurboAssembler::IsolateRootLocation::kInScratchRegister);
+    __ LoadExternalPointer(target.gp(), func_data.gp(),
+                           WasmFunctionData::kForeignAddressOffset,
+                           kForeignForeignAddressTag, temp.gp());
 #else
    __ Load(
        target, func_data.gp(), no_reg,

--- a/src/wasm/baseline/x64/liftoff-assembler-x64.h
+++ b/src/wasm/baseline/x64/liftoff-assembler-x64.h
@@ -357,6 +357,14 @@ void LiftoffAssembler::LoadTaggedPointerFromInstance(Register dst,
  LoadTaggedPointerField(dst, Operand(instance, offset));
 }

+void LiftoffAssembler::LoadExternalPointer(Register dst, Register instance,
+                                           int offset, ExternalPointerTag tag,
+                                           Register isolate_root) {
+  LoadExternalPointerField(dst, FieldOperand(instance, offset), tag,
+                           isolate_root,
+                           IsolateRootLocation::kInScratchRegister);
+}
+
 void LiftoffAssembler::SpillInstance(Register instance) {
  movq(liftoff::GetInstanceOperand(), instance);
 }