[sandbox] Sandboxify WasmTypeInfo

This CL changes the WasmTypeInfo class to have a direct ExternalPointer
to the native type structure instead of using a Foreign. This in turn
makes it possible to use a unique pointer tag for that external pointer
when the sandbox is enabled.

Bug: v8:10391, v8:12949
Change-Id: Ifee4d2103cabfa6a7299d0d09e06d387034e5f8f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829085Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82504}

include/v8-internal.h

@@ -389,7 +389,8 @@ constexpr uint64_t kAllExternalPointerTypeTags[] = {
   V(kAccessorInfoJsGetterTag,               sandboxed, TAG(18)) \
   V(kAccessorInfoSetterTag,                 sandboxed, TAG(19)) \
   V(kWasmInternalFunctionCallTargetTag,     sandboxed, TAG(20)) \
-  V(kWasmContinuationJmpbufTag,             sandboxed, TAG(21))
+  V(kWasmTypeInfoNativeTypeTag,             sandboxed, TAG(21)) \
+  V(kWasmContinuationJmpbufTag,             sandboxed, TAG(22))
 
 // All external pointer tags.
 #define ALL_EXTERNAL_POINTER_TAGS(V) \

src/builtins/wasm.tq

@@ -738,7 +738,7 @@ const kWasmValueTypeBitFieldOffset:
 
 macro IsWord16WasmArrayMap(map: Map): bool {
   const arrayTypePtr: RawPtr<int32> = %RawDownCast<RawPtr<int32>>(
-      WasmTypeInfo(map).foreign_address_ptr + kWasmArrayTypeRepOffset +
+      WasmTypeInfo(map).native_type_ptr + kWasmArrayTypeRepOffset +
       kWasmValueTypeBitFieldOffset);
   const arrayTypeRef: &int32 =
       torque_internal::unsafe::NewOffHeapReference(arrayTypePtr);

src/codegen/code-stub-assembler.h

@@ -1167,6 +1167,11 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
         object, WasmInternalFunction::kCallTargetOffset,
         kWasmInternalFunctionCallTargetTag);
   }
+
+  TNode<RawPtrT> LoadWasmTypeInfoNativeTypePtr(TNode<WasmTypeInfo> object) {
+    return LoadExternalPointerFromObject(
+        object, WasmTypeInfo::kNativeTypeOffset, kWasmTypeInfoNativeTypeTag);
+  }
 #endif  // V8_ENABLE_WEBASSEMBLY
 
   TNode<RawPtrT> LoadJSTypedArrayExternalPointerPtr(

src/diagnostics/objects-printer.cc

@@ -1861,7 +1861,7 @@ void AsmWasmData::AsmWasmDataPrint(std::ostream& os) {
 
 void WasmTypeInfo::WasmTypeInfoPrint(std::ostream& os) {
   PrintHeader(os, "WasmTypeInfo");
-  os << "\n - type address: " << reinterpret_cast<void*>(foreign_address());
+  os << "\n - type address: " << reinterpret_cast<void*>(native_type());
   // TODO(manoskouk): Print supertype info.
   os << "\n - supertypes: ";
   for (int i = 0; i < supertypes_length(); i++) {

src/heap/factory.cc

@@ -1596,7 +1596,7 @@ Handle<WasmTypeInfo> Factory::NewWasmTypeInfo(
   for (size_t i = 0; i < supertypes.size(); i++) {
     result.set_supertypes(static_cast<int>(i), *supertypes[i]);
   }
-  result.init_foreign_address(isolate(), type_address);
+  result.init_native_type(isolate(), type_address);
   result.set_instance(*instance);
   return handle(result, isolate());
 }
@@ -1788,9 +1788,9 @@ Handle<WasmArray> Factory::NewWasmArrayFromElements(
 Handle<WasmArray> Factory::NewWasmArrayFromMemory(uint32_t length,
                                                   Handle<Map> map,
                                                   Address source) {
-  wasm::ValueType element_type = reinterpret_cast<wasm::ArrayType*>(
-                                     map->wasm_type_info().foreign_address())
-                                     ->element_type();
+  wasm::ValueType element_type =
+      reinterpret_cast<wasm::ArrayType*>(map->wasm_type_info().native_type())
+          ->element_type();
   DCHECK(element_type.is_numeric());
   HeapObject raw =
       AllocateRaw(WasmArray::SizeFor(*map, length), AllocationType::kYoung);

src/objects/objects-body-descriptors-inl.h

@@ -713,10 +713,11 @@ class WasmTypeInfo::BodyDescriptor final : public BodyDescriptorBase {
   template <typename ObjectVisitor>
   static inline void IterateBody(Map map, HeapObject obj, int object_size,
                                  ObjectVisitor* v) {
-    Foreign::BodyDescriptor::IterateBody<ObjectVisitor>(map, obj, object_size,
-                                                        v);
     IteratePointer(obj, kInstanceOffset, v);
     IteratePointers(obj, kSupertypesOffset, SizeOf(map, obj), v);
+
+    v->VisitExternalPointer(obj, obj.RawExternalPointerField(kNativeTypeOffset),
+                            kWasmTypeInfoNativeTypeTag);
   }
 
   static inline int SizeOf(Map map, HeapObject object) {

src/runtime/runtime-wasm.cc

@@ -723,8 +723,8 @@ RUNTIME_FUNCTION(Runtime_WasmArrayNewSegment) {
   uint32_t length = args.positive_smi_value_at(3);
   Handle<Map> rtt(Map::cast(args[4]), isolate);
 
-  wasm::ArrayType* type = reinterpret_cast<wasm::ArrayType*>(
-      rtt->wasm_type_info().foreign_address());
+  wasm::ArrayType* type =
+      reinterpret_cast<wasm::ArrayType*>(rtt->wasm_type_info().native_type());
 
   uint32_t element_size = type->element_type().value_kind_size();
   // This check also implies no overflow.

src/wasm/wasm-objects-inl.h

@@ -330,10 +330,15 @@ PRIMITIVE_ACCESSORS(WasmIndirectFunctionTable, targets, Address*,
 OPTIONAL_ACCESSORS(WasmIndirectFunctionTable, managed_native_allocations,
                    Foreign, kManagedNativeAllocationsOffset)
 
+// WasmTypeInfo
+EXTERNAL_POINTER_ACCESSORS(WasmTypeInfo, native_type, Address,
+                           kNativeTypeOffset, kWasmTypeInfoNativeTypeTag)
+
 #undef OPTIONAL_ACCESSORS
 #undef READ_PRIMITIVE_FIELD
 #undef WRITE_PRIMITIVE_FIELD
 #undef PRIMITIVE_ACCESSORS
+#undef SANDBOXED_POINTER_ACCESSORS
 
 wasm::ValueType WasmTableObject::type() {
   return wasm::ValueType::FromRawBitField(raw_type());
@@ -504,17 +509,17 @@ void WasmObject::WriteValueAt(Isolate* isolate, Handle<HeapObject> obj,
 
 wasm::StructType* WasmStruct::type(Map map) {
   WasmTypeInfo type_info = map.wasm_type_info();
-  return reinterpret_cast<wasm::StructType*>(type_info.foreign_address());
+  return reinterpret_cast<wasm::StructType*>(type_info.native_type());
 }
 
 wasm::StructType* WasmStruct::GcSafeType(Map map) {
   DCHECK_EQ(WASM_STRUCT_TYPE, map.instance_type());
   HeapObject raw = HeapObject::cast(map.constructor_or_back_pointer());
-  // The {Foreign} might be in the middle of being moved, which is why we
-  // can't read its map for a checked cast. But we can rely on its payload
-  // being intact in the old location.
-  Foreign foreign = Foreign::unchecked_cast(raw);
-  return reinterpret_cast<wasm::StructType*>(foreign.foreign_address());
+  // The {WasmTypeInfo} might be in the middle of being moved, which is why we
+  // can't read its map for a checked cast. But we can rely on its native type
+  // pointer being intact in the old location.
+  WasmTypeInfo type_info = WasmTypeInfo::unchecked_cast(raw);
+  return reinterpret_cast<wasm::StructType*>(type_info.native_type());
 }
 
 int WasmStruct::Size(const wasm::StructType* type) {
@@ -580,17 +585,17 @@ void WasmStruct::SetField(Isolate* isolate, Handle<WasmStruct> obj,
 wasm::ArrayType* WasmArray::type(Map map) {
   DCHECK_EQ(WASM_ARRAY_TYPE, map.instance_type());
   WasmTypeInfo type_info = map.wasm_type_info();
-  return reinterpret_cast<wasm::ArrayType*>(type_info.foreign_address());
+  return reinterpret_cast<wasm::ArrayType*>(type_info.native_type());
 }
 
 wasm::ArrayType* WasmArray::GcSafeType(Map map) {
   DCHECK_EQ(WASM_ARRAY_TYPE, map.instance_type());
   HeapObject raw = HeapObject::cast(map.constructor_or_back_pointer());
-  // The {Foreign} might be in the middle of being moved, which is why we
-  // can't read its map for a checked cast. But we can rely on its payload
-  // being intact in the old location.
-  Foreign foreign = Foreign::unchecked_cast(raw);
-  return reinterpret_cast<wasm::ArrayType*>(foreign.foreign_address());
+  // The {WasmTypeInfo} might be in the middle of being moved, which is why we
+  // can't read its map for a checked cast. But we can rely on its native type
+  // pointer being intact in the old location.
+  WasmTypeInfo type_info = WasmTypeInfo::unchecked_cast(raw);
+  return reinterpret_cast<wasm::ArrayType*>(type_info.native_type());
 }
 
 wasm::ArrayType* WasmArray::type() const { return type(map()); }

src/wasm/wasm-objects.h

@@ -901,8 +901,11 @@ class AsmWasmData : public TorqueGeneratedAsmWasmData<AsmWasmData, Struct> {
   TQ_OBJECT_CONSTRUCTORS(AsmWasmData)
 };
 
-class WasmTypeInfo : public TorqueGeneratedWasmTypeInfo<WasmTypeInfo, Foreign> {
+class WasmTypeInfo
+    : public TorqueGeneratedWasmTypeInfo<WasmTypeInfo, HeapObject> {
  public:
+  DECL_EXTERNAL_POINTER_ACCESSORS(native_type, Address);
+
   DECL_PRINTER(WasmTypeInfo)
 
   class BodyDescriptor;

src/wasm/wasm-objects.tq

@@ -179,7 +179,7 @@ extern class AsmWasmData extends Struct {
   uses_bitset: HeapNumber;
 }
 
-extern class WasmTypeInfo extends Foreign {
+extern class WasmTypeInfo extends HeapObject {
   // We must make sure that the StructType/ArrayType, which is allocated in
   // the WasmModule's "signature_zone", stays around as long as there are
   // HeapObjects referring to it. Short term, we simply keep a reference to
@@ -188,11 +188,15 @@ extern class WasmTypeInfo extends Foreign {
   // lifetime separately by having WasmModule refer to it via std::shared_ptr,
   // and introduce a new link from here to just that zone using a Managed<...>.
   // Details: https://bit.ly/2UxD4hW
+  native_type: ExternalPointer;
   instance: WasmInstanceObject;
   const supertypes_length: Smi;
   supertypes[supertypes_length]: Object;
 }
 
+extern operator '.native_type_ptr' macro LoadWasmTypeInfoNativeTypePtr(
+    WasmTypeInfo): RawPtr;
+
 // WasmObject corresponds to data ref types which are WasmStruct and WasmArray.
 @abstract
 extern class WasmObject extends JSReceiver {