[462][Backport] Security bug 424905890

Dominik Inführ · Michal Klocek · commit d92fc141c5fd · 2025-09-19T17:05:14.000+02:00
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/6668536: Disable code compaction with stack Since fast api calls can now also call back to JS there can be multiple active fast c calls at the same time. This means just checking Isolate::InFastCCall() is not enough anymore because this only returns the state of the last CEntry frame. This CL therefore disables code space compaction when a stack is present to allow for multiple/nested fast C calls. Alternatively we could also just e.g. pin code objects referenced from the stack but this would require a bit more work. Bug: 424905890 Change-Id: I2798e77bb2534253a1dc4b0079cdfa8e5d3bcac1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6668536 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/main@{#101043} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/665063 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/v8/src/execution/frames.cc b/chromium/v8/src/execution/frames.cc
@@ -849,9 +849,9 @@ void StackFrame::IteratePc(RootVisitor* v, Address* constant_pool_address,
   // stack pointer is known. This means we cannot relocate InstructionStreams
   // for fast c calls.
   DCHECK(!InFastCCall());
-  // Currently we turn off code space compaction fully when performing a GC in a
-  // fast C call.
-  DCHECK(!isolate()->InFastCCall());
+  // Ensure that code space compaction is turned off with stack. This is
+  // necessary because we cannot update return addresses for fast c calls.
+  CHECK(!isolate()->heap()->IsGCWithStack());
 
   Tagged<InstructionStream> istream =
       GCSafeCast<InstructionStream>(visited_istream, isolate()->heap());
diff --git a/chromium/v8/src/flags/flag-definitions.h b/chromium/v8/src/flags/flag-definitions.h
@@ -588,9 +588,6 @@ DEFINE_WEAK_IMPLICATION(maglev_future, maglev_speculative_hoist_phi_untagging)
 DEFINE_WEAK_IMPLICATION(maglev_future, maglev_inline_api_calls)
 DEFINE_WEAK_IMPLICATION(maglev_future, maglev_escape_analysis)
 DEFINE_WEAK_IMPLICATION(maglev_future, maglev_licm)
-// This might be too big of a hammer but we must prohibit moving the C++
-// trampolines while we are executing a C++ code.
-DEFINE_NEG_IMPLICATION(maglev_inline_api_calls, compact_code_space_with_stack)
 
 DEFINE_UINT(
     concurrent_maglev_max_threads, 2,
@@ -2182,12 +2179,6 @@ DEFINE_BOOL(compact_on_every_full_gc, false,
             "Perform compaction on every full GC")
 DEFINE_BOOL(compact_with_stack, true,
             "Perform compaction when finalizing a full GC with stack")
-DEFINE_BOOL(
-    compact_code_space_with_stack, true,
-    "Perform code space compaction when finalizing a full GC with stack")
-// Disabling compaction with stack implies also disabling code space compaction
-// with stack.
-DEFINE_NEG_NEG_IMPLICATION(compact_with_stack, compact_code_space_with_stack)
 DEFINE_BOOL(shortcut_strings_with_stack, true,
             "Shortcut Strings during GC with stack")
 DEFINE_BOOL(stress_compaction, false,
@@ -2919,7 +2910,6 @@ DEFINE_BOOL(freeze_flags_after_init, true,
 #endif
 DEFINE_BOOL(cet_compatible, V8_CET_SHADOW_STACK_BOOL,
             "Generate Intel CET compatible code")
-DEFINE_NEG_IMPLICATION(cet_compatible, compact_code_space_with_stack)
 
 // mksnapshot.cc
 DEFINE_STRING(embedded_src, nullptr,
diff --git a/chromium/v8/src/heap/mark-compact.cc b/chromium/v8/src/heap/mark-compact.cc
@@ -354,7 +354,7 @@ bool MarkCompactCollector::StartCompaction(StartCompactionMode mode) {
   CollectEvacuationCandidates(heap_->trusted_space());
 
   if (heap_->isolate()->AllowsCodeCompaction() &&
-      (!heap_->IsGCWithStack() || v8_flags.compact_code_space_with_stack)) {
+      !(mode == StartCompactionMode::kAtomic && heap_->IsGCWithStack())) {
     CollectEvacuationCandidates(heap_->code_space());
   } else if (v8_flags.trace_fragmentation) {
     TraceFragmentation(heap_->code_space());
@@ -4904,8 +4904,7 @@ void MarkCompactCollector::EvacuatePagesInParallel() {
       for (PageMetadata* page : old_space_evacuation_pages_) {
         ReportAbortedEvacuationCandidateDueToFlags(page->area_start(), page);
       }
-    } else if (!v8_flags.compact_code_space_with_stack ||
-               heap_->isolate()->InFastCCall()) {
+    } else {
       // For fast C calls we cannot patch the return address in the native stack
       // frame if we would relocate InstructionStream objects.
       for (PageMetadata* page : old_space_evacuation_pages_) {
