EIC code displayed by LXR master/​include/​node/​v8-sandbox.h	Source navigation Diff markup Identifier search General search
	Version: master test Revert   Change

File indexing completed on 2026-01-06 10:14:50

 // Copyright 2024 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef INCLUDE_V8_SANDBOX_H_
 #define INCLUDE_V8_SANDBOX_H_
 
 #include <cstdint>
 
 #include "v8-internal.h"  // NOLINT(build/include_directory)
 #include "v8config.h"     // NOLINT(build/include_directory)
 
 namespace v8 {
 
 /**
  * A pointer tag used for wrapping and unwrapping `CppHeap` pointers as used
  * with JS API wrapper objects that rely on `v8::Object::Wrap()` and
  * `v8::Object::Unwrap()`.
  *
  * The CppHeapPointers use a range-based type checking scheme, where on access
  * to a pointer, the actual type of the pointer is checked to be within a
  * specified range of types. This allows supporting type hierarchies, where a
  * type check for a supertype must succeed for any subtype.
  *
  * The tag is currently in practice limited to 15 bits since it needs to fit
  * together with a marking bit into the unused parts of a pointer.
  */
 enum class CppHeapPointerTag : uint16_t {
   kFirstTag = 0,
   kNullTag = 0,
 
   /**
    * The lower type ids are reserved for the embedder to assign. For that, the
    * main requirement is that all (transitive) child classes of a given parent
    * class have type ids in the same range, and that there are no unrelated
    * types in that range. For example, given the following type hierarchy:
    *
    *          A     F
    *         / \
    *        B   E
    *       / \
    *      C   D
    *
    * a potential type id assignment that satistifes these requirements is
    * {C: 0, D: 1, B: 2, A: 3, E: 4, F: 5}. With that, the type check for type A
    * would check for the range [0, 4], while the check for B would check range
    * [0, 2], and for F it would simply check [5, 5].
    *
    * In addition, there is an option for performance tweaks: if the size of the
    * type range corresponding to a supertype is a power of two and starts at a
    * power of two (e.g. [0x100, 0x13f]), then the compiler can often optimize
    * the type check to use even fewer instructions (essentially replace a AND +
    * SUB with a single AND).
    */
 
   kDefaultTag = 0x7000,
 
   kZappedEntryTag = 0x7ffd,
   kEvacuationEntryTag = 0x7ffe,
   kFreeEntryTag = 0x7fff,
   // The tags are limited to 15 bits, so the last tag is 0x7fff.
   kLastTag = 0x7fff,
 };
 
 // Convenience struct to represent tag ranges. This is used for type checks
 // against supertypes, which cover a range of types (their subtypes).
 // Both the lower- and the upper bound are inclusive. In other words, this
 // struct represents the range [lower_bound, upper_bound].
 // TODO(saelo): reuse internal::TagRange here.
 struct CppHeapPointerTagRange {
   constexpr CppHeapPointerTagRange(CppHeapPointerTag lower,
                                    CppHeapPointerTag upper)
       : lower_bound(lower), upper_bound(upper) {}
   CppHeapPointerTag lower_bound;
   CppHeapPointerTag upper_bound;
 
   // Check whether the tag of the given CppHeapPointerTable entry is within
   // this range. This method encodes implementation details of the
   // CppHeapPointerTable, which is necessary as it is used by
   // ReadCppHeapPointerField below.
   // Returns true if the check is successful and the tag of the given entry is
   // within this range, false otherwise.
   bool CheckTagOf(uint64_t entry) {
     // Note: the cast to uint32_t is important here. Otherwise, the uint16_t's
     // would be promoted to int in the range check below, which would result in
     // undefined behavior (signed integer undeflow) if the actual value is less
     // than the lower bound. Then, the compiler would take advantage of the
     // undefined behavior and turn the range check into a simple
     // `actual_tag <= last_tag` comparison, which is incorrect.
     uint32_t actual_tag = static_cast<uint16_t>(entry);
     // The actual_tag is shifted to the left by one and contains the marking
     // bit in the LSB. To ignore that during the type check, simply add one to
     // the (shifted) range.
     constexpr int kTagShift = internal::kCppHeapPointerTagShift;
     uint32_t first_tag = static_cast<uint32_t>(lower_bound) << kTagShift;
     uint32_t last_tag = (static_cast<uint32_t>(upper_bound) << kTagShift) + 1;
     return actual_tag >= first_tag && actual_tag <= last_tag;
   }
 };
 
 constexpr CppHeapPointerTagRange kAnyCppHeapPointer(
     CppHeapPointerTag::kFirstTag, CppHeapPointerTag::kLastTag);
 
 class SandboxHardwareSupport {
  public:
   /**
    * Initialize sandbox hardware support. This needs to be called before
    * creating any thread that might access sandbox memory since it sets up
    * hardware permissions to the memory that will be inherited on clone.
    */
   V8_EXPORT static void InitializeBeforeThreadCreation();
 };
 
 namespace internal {
 
 #ifdef V8_COMPRESS_POINTERS
 V8_INLINE static Address* GetCppHeapPointerTableBase(v8::Isolate* isolate) {
   Address addr = reinterpret_cast<Address>(isolate) +
                  Internals::kIsolateCppHeapPointerTableOffset +
                  Internals::kExternalPointerTableBasePointerOffset;
   return *reinterpret_cast<Address**>(addr);
 }
 #endif  // V8_COMPRESS_POINTERS
 
 template <typename T>
 V8_INLINE static T* ReadCppHeapPointerField(v8::Isolate* isolate,
                                             Address heap_object_ptr, int offset,
                                             CppHeapPointerTagRange tag_range) {
 #ifdef V8_COMPRESS_POINTERS
   // See src/sandbox/cppheap-pointer-table-inl.h. Logic duplicated here so
   // it can be inlined and doesn't require an additional call.
   const CppHeapPointerHandle handle =
       Internals::ReadRawField<CppHeapPointerHandle>(heap_object_ptr, offset);
   const uint32_t index = handle >> kExternalPointerIndexShift;
   const Address* table = GetCppHeapPointerTableBase(isolate);
   const std::atomic<Address>* ptr =
       reinterpret_cast<const std::atomic<Address>*>(&table[index]);
   Address entry = std::atomic_load_explicit(ptr, std::memory_order_relaxed);
 
   Address pointer = entry;
   if (V8_LIKELY(tag_range.CheckTagOf(entry))) {
     pointer = entry >> kCppHeapPointerPayloadShift;
   } else {
     // If the type check failed, we simply return nullptr here. That way:
     //  1. The null handle always results in nullptr being returned here, which
     //     is a desired property. Otherwise, we would need an explicit check for
     //     the null handle above, and therefore an additional branch. This
     //     works because the 0th entry of the table always contains nullptr
     //     tagged with the null tag (i.e. an all-zeros entry). As such,
     //     regardless of whether the type check succeeds, the result will
     //     always be nullptr.
     //  2. The returned pointer is guaranteed to crash even on platforms with
     //     top byte ignore (TBI), such as Arm64. The alternative would be to
     //     simply return the original entry with the left-shifted payload.
     //     However, due to TBI, an access to that may not always result in a
     //     crash (specifically, if the second most significant byte happens to
     //     be zero). In addition, there shouldn't be a difference on Arm64
     //     between returning nullptr or the original entry, since it will
     //     simply compile to a `csel x0, x8, xzr, lo` instead of a
     //     `csel x0, x10, x8, lo` instruction.
     pointer = 0;
   }
   return reinterpret_cast<T*>(pointer);
 #else   // !V8_COMPRESS_POINTERS
   return reinterpret_cast<T*>(
       Internals::ReadRawField<Address>(heap_object_ptr, offset));
 #endif  // !V8_COMPRESS_POINTERS
 }
 
 }  // namespace internal
 }  // namespace v8
 
 #endif  // INCLUDE_V8_SANDBOX_H_

This page was automatically generated by the 2.3.7 LXR engine. The LXR team