[sandbox][leaptiering] Basic serializer support for dispatch handles

This CL implements basic support for serializing and deserializing
JSDispatchHandles. Previously, serializing an object would clear any
dispatch handles in the object. However, now that builtin JSFunctions
have a dispatch entry, the serializer needs to support them. With this
CL, the deserializer will now allocate entries in the JSDispatchTable
with the correct parameter count. Serializing the Code object stored in
the table entry will be done in a later CL.

Bug: 40931165, 42204201
Change-Id: I35b7eb21efc6eab74dc0be305a8b5f5c8c0069ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5783522
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#95685}

Author: Samuel Groß

src/sandbox/isolate-inl.h

@@ -64,7 +64,9 @@ TrustedPointerTable::Space* IsolateForSandbox::GetTrustedPointerTableSpace() {
 #ifdef V8_ENABLE_LEAPTIERING
 JSDispatchTable::Space* IsolateForSandbox::GetJSDispatchTableSpaceFor(
     Address owning_slot) {
-  return isolate_->heap()->js_dispatch_table_space();
+  return ReadOnlyHeap::Contains(owning_slot)
+             ? isolate_->read_only_heap()->js_dispatch_table_space()
+             : isolate_->heap()->js_dispatch_table_space();
 }
 #endif  // V8_ENABLE_LEAPTIERING
 

src/snapshot/deserializer.cc

@@ -26,6 +26,7 @@
 #include "src/objects/slots.h"
 #include "src/objects/string.h"
 #include "src/roots/roots.h"
+#include "src/sandbox/js-dispatch-table-inl.h"
 #include "src/snapshot/embedded/embedded-data-inl.h"
 #include "src/snapshot/references.h"
 #include "src/snapshot/serializer-deserializer.h"
@@ -944,6 +945,8 @@ int Deserializer<IsolateT>::ReadSingleBytecodeData(uint8_t data,
       return ReadIndirectPointerPrefix(data, slot_accessor);
     case kInitializeSelfIndirectPointer:
       return ReadInitializeSelfIndirectPointer(data, slot_accessor);
+    case kAllocateJSDispatchEntry:
+      return ReadAllocateJSDispatchEntry(data, slot_accessor);
     case kProtectedPointerPrefix:
       return ReadProtectedPointerPrefix(data, slot_accessor);
     case CASE_RANGE(kRootArrayConstants, 32):
@@ -1282,6 +1285,40 @@ int Deserializer<IsolateT>::ReadInitializeSelfIndirectPointer(
 #endif  // V8_ENABLE_SANDBOX
 }
 
+template <typename IsolateT>
+template <typename SlotAccessor>
+int Deserializer<IsolateT>::ReadAllocateJSDispatchEntry(
+    uint8_t data, SlotAccessor slot_accessor) {
+#ifdef V8_ENABLE_LEAPTIERING
+  DCHECK_NE(slot_accessor.object()->address(), kNullAddress);
+  JSDispatchTable* jdt = GetProcessWideJSDispatchTable();
+  Handle<HeapObject> host = slot_accessor.object();
+
+  uint32_t entry_id = source_.GetUint30();
+  uint32_t parameter_count = source_.GetUint30();
+  DCHECK_LE(parameter_count, kMaxUInt16);
+
+  JSDispatchHandle handle;
+  auto it = js_dispatch_entries_map_.find(entry_id);
+  if (it != js_dispatch_entries_map_.end()) {
+    handle = it->second;
+    DCHECK_EQ(parameter_count, jdt->GetParameterCount(handle));
+  } else {
+    JSDispatchTable::Space* space =
+        IsolateForSandbox(isolate()).GetJSDispatchTableSpaceFor(
+            host->address());
+    handle = jdt->AllocateAndInitializeEntry(space, parameter_count);
+    js_dispatch_entries_map_[entry_id] = handle;
+  }
+
+  host->Relaxed_WriteField<JSDispatchHandle>(slot_accessor.offset(), handle);
+
+  return 1;
+#else
+  UNREACHABLE();
+#endif  // V8_ENABLE_SANDBOX
+}
+
 template <typename IsolateT>
 template <typename SlotAccessor>
 int Deserializer<IsolateT>::ReadProtectedPointerPrefix(

src/snapshot/deserializer.h

@@ -225,6 +225,8 @@ class Deserializer : public SerializerDeserializer {
   int ReadInitializeSelfIndirectPointer(uint8_t data,
                                         SlotAccessor slot_accessor);
   template <typename SlotAccessor>
+  int ReadAllocateJSDispatchEntry(uint8_t data, SlotAccessor slot_accessor);
+  template <typename SlotAccessor>
   int ReadProtectedPointerPrefix(uint8_t data, SlotAccessor slot_accessor);
   template <typename SlotAccessor>
   int ReadRootArrayConstants(uint8_t data, SlotAccessor slot_accessor);
@@ -284,6 +286,11 @@ class Deserializer : public SerializerDeserializer {
   // Vector of allocated objects that can be accessed by a backref, by index.
   std::vector<Handle<HeapObject>> back_refs_;
 
+  // Map of JSDispatchTable entries. When such an entry is serialized, we also
+  // serialize an ID of the entry, which then allows the deserializer to
+  // correctly reconstruct shared table entries.
+  std::unordered_map<int, JSDispatchHandle> js_dispatch_entries_map_;
+
   // Unresolved forward references (registered with kRegisterPendingForwardRef)
   // are collected in order as (object, field offset) pairs. The subsequent
   // forward ref resolution (with kResolvePendingForwardRef) accesses this

src/snapshot/serializer-deserializer.h

@@ -37,8 +37,8 @@ class SerializerDeserializer : public RootVisitor {
 
   // clang-format off
 #define UNUSED_SERIALIZER_BYTE_CODES(V)                           \
-  /* Free range 0x20..0x2f */                                     \
-  V(0x20) V(0x21) V(0x22) V(0x23) V(0x24) V(0x25) V(0x26) V(0x27) \
+  /* Free range 0x21..0x2f */                                     \
+          V(0x21) V(0x22) V(0x23) V(0x24) V(0x25) V(0x26) V(0x27) \
   V(0x28) V(0x29) V(0x2a) V(0x2b) V(0x2c) V(0x2d) V(0x2e) V(0x2f) \
   /* Free range 0x30..0x3f */                                     \
   V(0x30) V(0x31) V(0x32) V(0x33) V(0x34) V(0x35) V(0x36) V(0x37) \
@@ -158,6 +158,10 @@ class SerializerDeserializer : public RootVisitor {
     // that it will be deserialized before any inner objects, which may require
     // the pointer table entry for back reference to the trusted object.
     kInitializeSelfIndirectPointer,
+    // This bytecode instructs the deserializer to allocate an entry in the
+    // JSDispatchTable for the host object and store the corresponding dispatch
+    // handle into the current slot.
+    kAllocateJSDispatchEntry,
     // A prefix indicating that the following object is referenced through a
     // protected pointer, i.e. a pointer from one trusted object to another.
     kProtectedPointerPrefix,

src/snapshot/serializer.cc

@@ -21,6 +21,7 @@
 #include "src/objects/slots-inl.h"
 #include "src/objects/slots.h"
 #include "src/objects/smi.h"
+#include "src/sandbox/js-dispatch-table-inl.h"
 #include "src/snapshot/embedded/embedded-data.h"
 #include "src/snapshot/serializer-deserializer.h"
 #include "src/snapshot/serializer-inl.h"
@@ -1261,23 +1262,24 @@ void Serializer::ObjectSerializer::VisitProtectedPointer(
 void Serializer::ObjectSerializer::VisitJSDispatchTableEntry(
     Tagged<HeapObject> host, JSDispatchHandle handle) {
 #ifdef V8_ENABLE_LEAPTIERING
-  // New dispatch table entries will be allocated during deserialization if
-  // necessary. Here we just serialize an empty handle.
-  // TODO(saelo): we could also emit a kInitializeJSDispatchHandle opcode here
-  // and then allocate a dispatch entry during deserialization when we
-  // encounter that. That way we don't need to hook into object post
-  // processing. If the dispatch handle is empty, we would just skip it here
-  // (and would then serialize the raw null handle, which is correct).
+  // If the slot is empty, we will skip it here and then just serialize the
+  // null handle as raw data.
+  if (handle == kNullJSDispatchHandle) return;
+
   // TODO(saelo): we might want to call OutputRawData here, but for that we
   // first need to pass the slot address to this method (e.g. as part of a
   // JSDispatchHandleSlot struct).
-  static_assert(kJSDispatchHandleSize % kTaggedSize == 0);
-  sink_->Put(
-      FixedRawDataWithSize::Encode(kJSDispatchHandleSize >> kTaggedSizeLog2),
-      "FixedRawData");
-  sink_->PutRaw(reinterpret_cast<const uint8_t*>(&kNullJSDispatchHandle),
-                kJSDispatchHandleSize, "empty js dispatch handle");
+
   bytes_processed_so_far_ += kJSDispatchHandleSize;
+
+  sink_->Put(kAllocateJSDispatchEntry, "AllocateJSDispatchEntry");
+  sink_->PutUint30(handle >> kJSDispatchHandleShift, "EntryID");
+  sink_->PutUint30(GetProcessWideJSDispatchTable()->GetParameterCount(handle),
+                   "ParameterCount");
+
+  // TODO(saelo): in the future, we will probably also need to serialize the
+  // Code object here, then decode it in the deserializer and write it into the
+  // dispatch table entry.
 #else
   UNREACHABLE();
 #endif  // V8_ENABLE_LEAPTIERING