> There's not really any fully supported mechanism for this at all at the
> moment; there's some logic for alignment of HeapNumbers so that their double
> values stay aligned, so you can look for "AllocationAlignment" in the heap
> directory (and the HeapObject::RequiredAlignment method), but at the moment
> this isn't used and I think is broken if you allocate from optimised code.
> Also keep in mind that allocation has to be preserved when the GC moves
> objects, not just during allocation.

Thank you very much for the answer. I see that this is a more difficult problem than expected.

> Is this for a multi-tenant Isolate or something like that?

Yes, exactly: we have that multi-tenant scenario and therefore I am currently enumerating some possibilities to make exploitation harder.

> On 25.01.2024, at 18:30, Leszek Swirski <lesz...@chromium.org> wrote:
>
> +Samuel
>
> There's not really any fully supported mechanism for this at all at the
> moment; there's some logic for alignment of HeapNumbers so that their double
> values stay aligned, so you can look for "AllocationAlignment" in the heap
> directory (and the HeapObject::RequiredAlignment method), but at the moment
> this isn't used and I think is broken if you allocate from optimised code.
> Also keep in mind that allocation has to be preserved when the GC moves
> objects, not just during allocation.
>
> Note that our security model doesn't really try to be robust against Spectre
> at all (we rely on site isolation in Chrome to provide process-level memory
> safety), and especially not for Spectre attacks that are limited to reading
> within the V8 sandbox (which is not considered sensitive). Is this for a
> multi-tenant Isolate or something like that?
>
> - Leszek
>
> On Thu, Jan 25, 2024 at 3:50 PM 'Martin Schwarzl' via v8-dev
> <v8-dev@googlegroups.com> wrote:
>> Thank you for the response!
>>
>> It's more a security consideration w.r.t. Spectre attacks
>> (https://github.com/google/security-research-pocs/blob/master/spectre.js/leaky.page/templates/spectre_worker.js#L135).
>>
>> Is there an alternative way of aligning it, maybe after object generation?
>> It feels like I am maybe missing where in the compilation process I could
>> influence the alignment.
>>
>> On Wednesday, January 24, 2024 at 6:45:05 PM UTC+1 les...@chromium.org wrote:
>>> Hi,
>>>
>>> No, the V8 heap allocation doesn't currently support custom alignment. Are
>>> you seeing these be in different cache lines a lot? I could imagine that
>>> being a problem for a lot of objects if it's a performance issue.
>>>
>>> - Leszek
>>>
>>> On Wed, Jan 24, 2024 at 6:22 PM 'Martin Schwarzl' via v8-dev
>>> <v8-...@googlegroups.com> wrote:
>>>> Hi,
>>>>
>>>> I was wondering if there is a primitive to align the memory representation
>>>> in torque, similar to alignas in C++.
>>>>
>>>> To provide more context, I'd like to align the JSArrayBuffer's members
>>>> raw_byte_length, raw_max_byte_length and backing_store to be in the same
>>>> cache line.
>>>>
>>>> --
>>>> --
>>>> v8-dev mailing list
>>>> v8-...@googlegroups.com
>>>> http://groups.google.com/group/v8-dev
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups
>>>> "v8-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to v8-dev+un...@googlegroups.com.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/v8-dev/82f8624c-9b77-49e2-a04d-0c92a1a60206n%40googlegroups.com.
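As an added illustration (not code from this thread or from V8), the following estimates, for a constructed field layout, how often a group of object fields ends up split across two cache lines when the allocator only guarantees a given alignment; the offsets 24/32/40 stand in for raw_byte_length, raw_max_byte_length and backing_store and are hypothetical, not JSArrayBuffer's actual layout.

```cpp
// Added example, not from the thread or V8; offsets are constructed placeholders.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Field {
  std::size_t offset;  // byte offset of the field inside the object
  std::size_t size;    // field width in bytes
};

constexpr std::size_t kCacheLine = 64;

// Hypothetical layout standing in for raw_byte_length, raw_max_byte_length
// and backing_store: three 8-byte fields at offsets 24, 32 and 40.
const std::vector<Field> kFields = {{24, 8}, {32, 8}, {40, 8}};

// True when every listed field of an object placed at `base` falls inside
// a single cache line (first and last byte share the same line index).
bool FieldsShareLine(std::uintptr_t base, const std::vector<Field>& fields) {
  std::uintptr_t lo = UINTPTR_MAX, hi = 0;
  for (const Field& f : fields) {
    lo = std::min<std::uintptr_t>(lo, base + f.offset);
    hi = std::max<std::uintptr_t>(hi, base + f.offset + f.size - 1);
  }
  return lo / kCacheLine == hi / kCacheLine;
}

// Percentage of object placements at which the fields straddle a line
// boundary, assuming every base in [0, 64) that is a multiple of
// `alloc_align` is equally likely. alloc_align must divide kCacheLine.
unsigned StraddlePercent(const std::vector<Field>& fields,
                         std::size_t alloc_align) {
  unsigned straddles = 0, placements = 0;
  for (std::uintptr_t base = 0; base < kCacheLine; base += alloc_align) {
    ++placements;
    if (!FieldsShareLine(base, fields)) ++straddles;
  }
  return straddles * 100 / placements;
}

int main() {
  // Tagged 8-byte alignment vs. an alignas(64)-style guarantee; a moving GC
  // that relocates with only the weaker guarantee reintroduces straddling.
  std::printf("align 8:  %u%% straddle\n", StraddlePercent(kFields, 8));
  std::printf("align 64: %u%% straddle\n", StraddlePercent(kFields, 64));
  return 0;
}
```

With this layout, 8-byte allocation alignment splits the three fields across two lines for one placement in four, while a 64-byte guarantee never does.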