Prevent page access in CSA when third-party-heap is enabled

Added a CSA assertion to disallow page access when FLAG_enable_third_party_heap = true. Also skipped two PageFromAddress callers in CSA that is not necessary when barriers are disabled. Bug: v8:11641 Change-Id: Ib0e3ff7a7dbacb7c6e7a53a720b95e51cdf2e645 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878757Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Wenyu Zhao <wenyu.zhao@anu.edu.au> Cr-Commit-Position: refs/heads/master@{#74562}

Prevent page access in CSA when third-party-heap is enabled
Added a CSA assertion to disallow page access when FLAG_enable_third_party_heap = true. Also skipped two PageFromAddress callers in CSA that is not necessary when barriers are disabled. Bug: v8:11641 Change-Id: Ib0e3ff7a7dbacb7c6e7a53a720b95e51cdf2e645 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878757Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Wenyu Zhao <wenyu.zhao@anu.edu.au> Cr-Commit-Position: refs/heads/master@{#74562}
5cee1bc1 · Wenyu Zhao · V8 LUCI CQ · 2f049049 · 5cee1bc1
Commit 5cee1bc1 authored May 12, 2021 by Wenyu Zhao Committed by V8 LUCI CQ May 14, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

code-stub-assembler.cc src/codegen/code-stub-assembler.cc +11 -0

No files found.
--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@@ -4787,7 +4787,11 @@ void CodeStubAssembler::MoveElements(ElementsKind kind,
                                     TNode<IntPtrT> length) {
  Label finished(this);
  Label needs_barrier(this);
+#ifdef V8_DISABLE_WRITE_BARRIERS
+  const bool needs_barrier_check = false;
+#else
  const bool needs_barrier_check = !IsDoubleElementsKind(kind);
+#endif  // V8_DISABLE_WRITE_BARRIERS

  DCHECK(IsFastElementsKind(kind));
  CSA_ASSERT(this, IsFixedArrayWithKind(elements, kind));
@@ -4872,7 +4876,11 @@ void CodeStubAssembler::CopyElements(ElementsKind kind,
                                     WriteBarrierMode write_barrier) {
  Label finished(this);
  Label needs_barrier(this);
+#ifdef V8_DISABLE_WRITE_BARRIERS
+  const bool needs_barrier_check = false;
+#else
  const bool needs_barrier_check = !IsDoubleElementsKind(kind);
+#endif  // V8_DISABLE_WRITE_BARRIERS

  DCHECK(IsFastElementsKind(kind));
  CSA_ASSERT(this, IsFixedArrayWithKind(dst_elements, kind));
@@ -11123,6 +11131,8 @@ void CodeStubAssembler::TrapAllocationMemento(TNode<JSObject> object,

  // Bail out if the object is not in new space.
  TNode<IntPtrT> object_word = BitcastTaggedToWord(object);
+  // TODO(v8:11641): Skip TrapAllocationMemento when allocation-site
+  // tracking is disabled.
  TNode<IntPtrT> object_page = PageFromAddress(object_word);
  {
    TNode<IntPtrT> page_flags =
@@ -11180,6 +11190,7 @@ void CodeStubAssembler::TrapAllocationMemento(TNode<JSObject> object,
 }

 TNode<IntPtrT> CodeStubAssembler::PageFromAddress(TNode<IntPtrT> address) {
+  if (FLAG_enable_third_party_heap) Unreachable();
  return WordAnd(address, IntPtrConstant(~kPageAlignmentMask));
 }