wasm-code-pointer-table.h

Go to the documentation of this file.

// Copyright 2024 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
 
#ifndef V8_WASM_WASM_CODE_POINTER_TABLE_H_
#define V8_WASM_WASM_CODE_POINTER_TABLE_H_
 
#include "include/v8-internal.h"
#include "src/common/segmented-table.h"
 
#if !V8_ENABLE_WEBASSEMBLY
#error This header should only be included if WebAssembly is enabled.
#endif  // !V8_ENABLE_WEBASSEMBLY
 
namespace v8::internal::wasm {
 
// Defines the entries in the WasmCodePointerTable and specifies the encoding.
// When entries are in use, they contain the address of a valid Wasm code entry,
// while free entries contain an index to the next element in the freelist.
//
// All reads and writes use relaxed memory ordering and need to be synchronized
// by the caller.
struct WasmCodePointerTableEntry {
  // We write-protect the WasmCodePointerTable on platforms that support it for
  // forward-edge CFI.
  static constexpr bool IsWriteProtected = true;
 
  // Set the entry to point to a given entrypoint.
  inline void MakeCodePointerEntry(Address entrypoint, uint64_t signature_hash);
  inline void UpdateCodePointerEntry(Address entrypoint,
                                     uint64_t signature_hash);
 
  // Make this entry a freelist entry, containing the index of the next entry
  // on the freelist.
  inline void MakeFreelistEntry(uint32_t next_entry_index);
 
  // Load code entrypoint pointer stored in this entry.
  inline Address GetEntrypoint(uint64_t signature_hash) const;
 
  // Load code entrypoint pointer stored in this entry.
  inline Address GetEntrypointWithoutSignatureCheck() const;
 
  // Get the index of the next entry on the freelist.
  inline uint32_t GetNextFreelistEntryIndex() const;
 
 private:
  friend class WasmCodePointerTable;
 
  std::atomic<Address> entrypoint_;
#ifdef V8_ENABLE_SANDBOX
  uint64_t signature_hash_;
#endif
};
 
// A table for storing valid Wasm code entrypoints. This table allows enforcing
// forward-edge CFI for Wasm calls:
// * The table gets write-protected (e.g. with pkeys) to prevent corruption of
//   entries.
// * At write time, we will check that the value is a valid entrypoint as
//   tracked in our CFI metadata.
// * Wasm calls can then be replaced with a bounds-checked table lookup + call
//   to enforce that only valid entrypoints can be called.
//
// All methods are thread-safe if not specified otherwise.
class V8_EXPORT_PRIVATE WasmCodePointerTable
    : public SegmentedTable<WasmCodePointerTableEntry,
                            kCodePointerTableReservationSize> {
  using Base = SegmentedTable<WasmCodePointerTableEntry,
                              kCodePointerTableReservationSize>;
 
 public:
  WasmCodePointerTable() = default;
  WasmCodePointerTable(const WasmCodePointerTable&) = delete;
  WasmCodePointerTable& operator=(const WasmCodePointerTable&) = delete;
 
  using Handle = uint32_t;
  static constexpr Handle kInvalidHandle = -1;
#ifdef V8_ENABLE_SANDBOX
  static constexpr int kOffsetOfSignatureHash =
      offsetof(WasmCodePointerTableEntry, signature_hash_);
#endif
 
#ifdef V8_TARGET_ARCH_64_BIT
  // 64-bit architectures reserve a large table upfront, hence there's a fixed
  // maximum number of Wasm code pointers.
  static constexpr size_t kMaxWasmCodePointers = kMaxCapacity;
#endif
 
  using WriteScope = CFIMetadataWriteScope;
 
  // The table should be initialized exactly once before use.
  void Initialize();
 
  // Free any resources used by the table.
  void TearDown();
 
  // Read the entrypoint at a given index.
  inline Address GetEntrypoint(WasmCodePointer index,
                               uint64_t signature_hash) const;
 
  inline Address GetEntrypointWithoutSignatureCheck(
      WasmCodePointer index) const;
 
  // Sets the entrypoint of the entry referenced by the given index.
  // The Unlocked version can be used in loops, but you need to hold a
  // `WriteScope` while calling it.
  inline void UpdateEntrypoint(WasmCodePointer index, Address value,
                               uint64_t signature_hash);
  inline void SetEntrypointAndSignature(WasmCodePointer index, Address value,
                                        uint64_t signature_hash);
  inline void SetEntrypointWithWriteScope(WasmCodePointer index, Address value,
                                          uint64_t signature_hash,
                                          WriteScope& write_scope);
 
  // Allocates a new entry in the table and optionally initialize it.
  inline WasmCodePointer AllocateAndInitializeEntry(Address entrypoint,
                                                    uint64_t signature_hash);
  inline WasmCodePointer AllocateUninitializedEntry();
 
  // Free an entry, which will add it to the free list.
  inline void FreeEntry(WasmCodePointer index);
 
  // Iterate through the freelist to find and unmap empty segments. Will return
  // early if there's less than `threshold` many elements in the freelist.
  void SweepSegments(size_t threshold = 2 * kEntriesPerSegment);
 
  // Add an entry for a native function address, used by the C API.
  WasmCodePointer GetOrCreateHandleForNativeFunction(Address addr);
 
  // Compare the address of the entry.
  bool EntrypointEqualTo(WasmCodePointer index, Address address);
 
 private:
  // Allow the ExternalReference to access the table base.
  friend class ::v8::internal::ExternalReference;
 
  // This marker is used to temporarily unlink the freelist to get exclusive
  // access.
  static constexpr FreelistHead kRetryMarker = FreelistHead(0xffffffff, 0);
  static bool IsRetryMarker(FreelistHead freelist) {
    return freelist.length() == kRetryMarker.length() &&
           freelist.next() == kRetryMarker.next();
  }
 
  // Access the Freelist head, retrying if the retry marker is seen.
  V8_INLINE FreelistHead ReadFreelistHead();
 
  // Allocate an entry either from the freelist or creating a new segment.
  uint32_t AllocateEntryImpl();
 
  // Atomically link a freelist into the current freelist head.
  V8_INLINE FreelistHead LinkFreelist(FreelistHead new_freelist,
                                      uint32_t last_element);
 
  // Helper functions for converting a freelist to a vector and back.
  // Freelist access is not atomic.
  std::vector<uint32_t> FreelistToVector(FreelistHead freelist);
  FreelistHead VectorToFreelist(std::vector<uint32_t> entries);
 
  // Try to allocate the first entry of the freelist.
  //
  // This method is mostly a wrapper around an atomic compare-and-swap which
  // replaces the current freelist head with the next entry in the freelist,
  // thereby allocating the entry at the start of the freelist.
  V8_INLINE bool TryAllocateFromFreelist(uint32_t* index);
 
  // Not atomic and should only be used if you have exclusive access to the
  // freelist.
  V8_INLINE uint32_t
  AllocateEntryFromFreelistNonAtomic(FreelistHead* freelist_head);
 
  // Free all handles in the `native_function_map_`.
  void FreeNativeFunctionHandles();
 
  std::atomic<FreelistHead> freelist_head_ = FreelistHead();
  // The mutex is used to avoid two threads from concurrently allocating
  // segments and using more memory than needed.
  base::Mutex segment_allocation_mutex_;
 
  base::Mutex native_function_map_mutex_;
  std::map<Address, WasmCodePointer> native_function_map_;
 
  friend class WasmCodePointerTableTest;
};
 
V8_EXPORT_PRIVATE WasmCodePointerTable* GetProcessWideWasmCodePointerTable();
 
}  // namespace v8::internal::wasm
 
#endif  // V8_WASM_WASM_CODE_POINTER_TABLE_H_