v8
V8 is Google’s open source high-performance JavaScript and WebAssembly engine, written in C++.
Loading...
Searching...
No Matches
code-entrypoint-tag.h
Go to the documentation of this file.
1// Copyright 2023 the V8 project authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef V8_SANDBOX_CODE_ENTRYPOINT_TAG_H_
6#define V8_SANDBOX_CODE_ENTRYPOINT_TAG_H_
7
8#include "src/common/globals.h"
9
10namespace v8 {
11namespace internal {
12
13// A tag to distinguish code pointers with different calling conventions.
14//
15// When the sandbox is enabled, we assume that an attacker cannot modify memory
16// outside of the sandbox and so the code pointer table achieves a form of
17// coarse-grained control-flow integrity (CFI) for code running in the sandbox:
18// indirect control flow transfers initiated by such code (for example,
19// invoking a JavaScript or WebAssembly function or a compiled RegExp) will
20// always land at a valid code entrypoint. However, this is not enough:
21// different types of code may use different calling conventions or
22// incompatible signatures. Further, some internal builtins may not expect to
23// be called indirectly in this way at all. CodeEntrypointTags are therefore
24// used to achieve fine-grained CFI: used appropriately, they guarantee that
25// the callee and caller of such control-flow transfers are compatible. As
26// such, two code objects should use the same tag iff they can safely be
27// interchanged at all (indirect) callsites.
28//
29// Implementation-wise, the tags are simply XORed into the top bits of the
30// entrypoint pointer in the CPT and hardcoded at the callsite, where the
31// pointer is untagged (again via XOR) prior to invoking it. If the tags do not
32// match, the resulting pointer will be invalid and cause a safe crash.
33// TODO(saelo): on Arm64, we could probably use PAC instead of XORing the tag
34// into the pointer. This may be more efficient.
35constexpr int kCodeEntrypointTagShift = 48;
36enum CodeEntrypointTag : uint64_t {
37 // TODO(saelo): eventually, we'll probably want to remove the default tag.
38 kDefaultCodeEntrypointTag = 0,
39 // TODO(saelo): give these unique tags.
40 kJSEntrypointTag = kDefaultCodeEntrypointTag,
41 kWasmEntrypointTag = uint64_t{1} << kCodeEntrypointTagShift,
42 kBytecodeHandlerEntrypointTag = uint64_t{2} << kCodeEntrypointTagShift,
43 kLoadWithVectorICHandlerEntrypointTag = uint64_t{3}
44 << kCodeEntrypointTagShift,
45 kStoreWithVectorICHandlerEntrypointTag = uint64_t{4}
46 << kCodeEntrypointTagShift,
47 kStoreTransitionICHandlerEntrypointTag = uint64_t{5}
48 << kCodeEntrypointTagShift,
49 kRegExpEntrypointTag = uint64_t{6} << kCodeEntrypointTagShift,
50 // TODO(saelo): create more of these tags.
51
52 // Tag to use for code that will never be called indirectly via the CPT.
53 kInvalidEntrypointTag = uint64_t{0xff} << kCodeEntrypointTagShift,
54 // Tag used internally by the code pointer table to mark free entries.
55 kFreeCodePointerTableEntryTag = uint64_t{0xffff} << kCodeEntrypointTagShift,
56};
57
58} // namespace internal
59} // namespace v8
60
61#endif // V8_SANDBOX_CODE_ENTRYPOINT_TAG_H_
v8::internal::kStoreTransitionICHandlerEntrypointTag
@ kStoreTransitionICHandlerEntrypointTag
Definition code-entrypoint-tag.h:47
v8::internal::kLoadWithVectorICHandlerEntrypointTag
@ kLoadWithVectorICHandlerEntrypointTag
Definition code-entrypoint-tag.h:43
v8::internal::kStoreWithVectorICHandlerEntrypointTag
@ kStoreWithVectorICHandlerEntrypointTag
Definition code-entrypoint-tag.h:45
v8::internal::kCodeEntrypointTagShift
constexpr int kCodeEntrypointTagShift
Definition code-entrypoint-tag.h:35