1. 15 Dec, 2021 1 commit
    • V8 Sandbox rebranding · 277fdd1d
      Samuel Groß authored
      This CL renames a number of things related to the V8 sandbox.
      Mainly, what used to be under V8_HEAP_SANDBOX is now under
      V8_SANDBOXED_EXTERNAL_POINTERS, while the previous V8 VirtualMemoryCage
      is now simply the V8 Sandbox:
      
      V8_VIRTUAL_MEMORY_CAGE => V8_SANDBOX
      V8_HEAP_SANDBOX => V8_SANDBOXED_EXTERNAL_POINTERS
      V8_CAGED_POINTERS => V8_SANDBOXED_POINTERS
      V8VirtualMemoryCage => Sandbox
      CagedPointer => SandboxedPointer
      fake cage => partially reserved sandbox
      src/security => src/sandbox
      
      This naming scheme should simplify things: the sandbox is now the large
      region of virtual address space inside which V8 mainly operates and
      which should be considered untrusted. Mechanisms like sandboxed pointers
      are then used to attempt to prevent escapes from the sandbox (i.e.
      corruption of memory outside of it). Furthermore, the new naming scheme
      avoids the confusion with the various other "cages" in V8, in
      particular, the VirtualMemoryCage class, by dropping that name entirely.
      
      Future sandbox features are developed under their own V8_SANDBOX_X flag,
      and will, once final, be merged into V8_SANDBOX. Current future features
      are sandboxed external pointers (using the external pointer table), and
      sandboxed pointers (pointers guaranteed to point into the sandbox, e.g.
      because they are encoded as offsets). This CL then also introduces a new
      build flag, v8_enable_sandbox_future, which enables all future features.
      
      Bug: v8:10391
      Change-Id: I5174ea8f5ab40fb96a04af10853da735ad775c96
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3322981
      Reviewed-by: Hannes Payer <hpayer@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Reviewed-by: Michael Achenbach <machenbach@chromium.org>
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#78384}
  2. 29 Oct, 2021 1 commit
    • Introduce CagedPointer · afd15549
      Samuel Groß authored
      A CagedPointer is guaranteed to point into the Virtual Memory Cage and
      will for example be used for ArrayBuffer backing stores when the heap
      sandbox is enabled. In the current implementation, CagedPointers are
      stored as offsets from the cage base, shifted to the left. Because the
      cage base address is usually available in a register, accessing a
      CagedPointer is very efficient, requiring only an additional shift and
      add operation.
      
      Bug: chromium:1218005
      Change-Id: Ifc8c088e3862400672051a8c52840514dee2911f
      Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3123417
      Reviewed-by: Toon Verwaest <verwaest@chromium.org>
      Reviewed-by: Igor Sheludko <ishell@chromium.org>
      Reviewed-by: Jakob Gruber <jgruber@chromium.org>
      Commit-Queue: Samuel Groß <saelo@chromium.org>
      Cr-Commit-Position: refs/heads/main@{#77614}
  3. 14 Jun, 2021 1 commit
    • Fix -Wdeprecated-copy in V8. · 2af5cfa8
      Peter Kasting authored
      TNode has a templated constructor from TNode<U>, but this doesn't take
      precedence over the auto-generated copy constructor, which results in a
      warning being fired.  Fix by adding an explicit copy constructor that
      does what the templated constructor does, which in turn requires fixing
      some missing #includes that slipped by due to the lack of
      LazyTemplateChecks() in the autogenerated copy constructor.
      
      Bug: chromium:1213098
      Change-Id: Iad40950261af8f88396be9227355e4e013837341
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2953503
      Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
      Commit-Queue: Peter Kasting <pkasting@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#75133}
  4. 31 Mar, 2021 1 commit
    • Reland "[dict-proto] SIMD support for SwissNameDictionary in Torque" · 4cd6ad9e
      Igor Sheludko authored
      This is a reland of 856e8577
      The diff compared to the first attempt is that the tests that
      require SSSE3/AVX are not run when these CPU features are not
      available.
      
      Original change's description:
      > [dict-proto] SIMD support for SwissNameDictionary in Torque
      >
      > This CL adds a Torque-counterpart for swiss_table::GroupSse2Impl in
      > Torque. This allows the Torque version of SwissNameDictionary to use
      > SSE for lookups, rather than needing to bailout to the runtime on
      > x64/ia32.
      >
      > Bug: v8:11330
      > Change-Id: I74e3f97c460a8b89031016967ec0e545265016a9
      > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2787485
      > Reviewed-by: Igor Sheludko <ishell@chromium.org>
      > Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
      > Reviewed-by: Zhi An Ng <zhin@chromium.org>
      > Commit-Queue: Igor Sheludko <ishell@chromium.org>
      > Cr-Commit-Position: refs/heads/master@{#73727}
      
      Bug: v8:11330
      Cq-Include-Trybots: luci.v8.try:v8_linux_optional_rel_ng
      Change-Id: Ibfa5ae5a39333778ea0d0406d5ea4ad683ad0dbe
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794431
      Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
      Reviewed-by: Marja Hölttä <marja@chromium.org>
      Commit-Queue: Igor Sheludko <ishell@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#73740}
  5. 30 Mar, 2021 2 commits
  6. 08 Mar, 2021 1 commit
  7. 03 Mar, 2021 1 commit
  8. 02 Mar, 2021 1 commit
  9. 21 Jan, 2021 1 commit
  10. 13 Nov, 2020 1 commit
  11. 06 Nov, 2020 1 commit
    • [csa][cleanup] TNodify StringAdd_CheckNone builtin · 452ca36b
      Mythri A authored
      StringAdd_CheckNone is called from Turbofan with an empty context. This
      builtin needs a context when calling the StringAdd runtime function, which
      could potentially throw. Turbofan does a bounds check before calling this
      builtin, so it is safe to pass an empty context. To enable TNodification
      of this builtin, this CL adds a new type that accepts either a context
      or an empty context (Smi::Zero) and updates the builtin to use this new
      type.
      
      Bug: v8:6949, v8:11074
      Change-Id: Iff12b391ff95109649f2c81fe081e277850f60d6
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2523205
      Commit-Queue: Mythri Alle <mythria@chromium.org>
      Reviewed-by: Dan Elphick <delphick@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#71018}
  12. 02 Nov, 2020 1 commit
  13. 17 Aug, 2020 1 commit
  14. 05 Aug, 2020 1 commit
  15. 29 Jul, 2020 1 commit
  16. 29 Apr, 2020 1 commit
  17. 07 Feb, 2020 1 commit
  18. 20 Dec, 2019 1 commit
    • [torque] multiple arrays in one object · 59e8d45a
      Tobias Tebbi authored
      This allows the definition of classes with several arrays and ports
      SmallOrderedHashTable subclasses to Torque as an example, including
      the existing CSA allocation functions for them.
      
      Overview of changes:
      - Introduce ResidueClass to encapsulate the modulo-arithmetic
        necessary to do alignment checks.
      - Add MachineOperatorReducer to the CSA pipeline to address now
        missing CSA ad-hoc constant folding that got blocked by a
        temporary phi.
      - Allow assignments to references to structs. This is needed to
        initialize the data_table part of SmallOrderedHashMap.
      - Make the NumberLiteralExpression AST-node store a double instead
        of a string. This is necessary to detect arrays with constant size
        used for padding.
      - Turn offsets into base::Optional<size_t> to ensure we don't use
        an invalid or statically unknown offset.
      - Remove CreateFieldReferenceInstruction since it doesn't work for
        complex offset computations and the logic can be expressed better
        in ImplementationVisitor.
      - Validate alignment of structs embedded in classes.
      
      Bug: v8:10004 v8:7793
      Change-Id: Ifa414b42278e572a0c577bf9da3d37f80771a258
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1958011
      Commit-Queue: Clemens Backes <clemensb@chromium.org>
      Reviewed-by: Clemens Backes <clemensb@chromium.org>
      Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#65538}
  19. 28 Nov, 2019 1 commit
  20. 11 Nov, 2019 3 commits
  21. 12 Sep, 2019 2 commits