[api] Implement StartupData::CanBeRehashed() for the snapshot blob

joyeecheung · Commit Bot · commit e0a109c05821 · 2019-05-02T14:43:15.000Z
This enables the embedder to check if the snapshot generated from SnapshotCreator::CreateBlob() can be rehashed and the seed can be recomputed during deserialization. The lack of this functionality resulted in a temporary vunerability in Node.js: nodejs/node#27365 Change-Id: I88d52337217c40f79c26438be3c87d2db874d980 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578661 Commit-Queue: Joyee Cheung <joyee@igalia.com> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#61175}
diff --git a/include/v8.h b/include/v8.h
@@ -8581,6 +8581,13 @@ class V8_EXPORT Isolate {
 
 class V8_EXPORT StartupData {
  public:
+  /**
+   * Whether the data created can be rehashed and and the hash seed can be
+   * recomputed when deserialized.
+   * Only valid for StartupData returned by SnapshotCreator::CreateBlob().
+   */
+  bool CanBeRehashed() const;
+
   const char* data;
   int raw_size;
 };
diff --git a/src/api.cc b/src/api.cc
@@ -887,6 +887,11 @@ StartupData SnapshotCreator::CreateBlob(
   return result;
 }
 
+bool StartupData::CanBeRehashed() const {
+  DCHECK(i::Snapshot::VerifyChecksum(this));
+  return i::Snapshot::ExtractRehashability(this);
+}
+
 void V8::SetDcheckErrorHandler(DcheckErrorCallback that) {
   v8::base::SetDcheckFunction(that);
 }
diff --git a/src/snapshot/snapshot-common.cc b/src/snapshot/snapshot-common.cc
@@ -230,7 +230,9 @@ uint32_t Snapshot::ExtractContextOffset(const v8::StartupData* data,
 
 bool Snapshot::ExtractRehashability(const v8::StartupData* data) {
   CHECK_LT(kRehashabilityOffset, static_cast<uint32_t>(data->raw_size));
-  return GetHeaderValue(data, kRehashabilityOffset) != 0;
+  uint32_t rehashability = GetHeaderValue(data, kRehashabilityOffset);
+  CHECK_IMPLIES(rehashability != 0, rehashability == 1);
+  return rehashability != 0;
 }
 
 namespace {
diff --git a/src/snapshot/snapshot.h b/src/snapshot/snapshot.h
@@ -86,11 +86,12 @@ class Snapshot : public AllStatic {
   static bool SnapshotIsValid(const v8::StartupData* snapshot_blob);
 #endif  // DEBUG
 
+  static bool ExtractRehashability(const v8::StartupData* data);
+
  private:
   static uint32_t ExtractNumContexts(const v8::StartupData* data);
   static uint32_t ExtractContextOffset(const v8::StartupData* data,
                                        uint32_t index);
-  static bool ExtractRehashability(const v8::StartupData* data);
   static Vector<const byte> ExtractStartupData(const v8::StartupData* data);
   static Vector<const byte> ExtractReadOnlyData(const v8::StartupData* data);
   static Vector<const byte> ExtractContextData(const v8::StartupData* data,
diff --git a/test/cctest/test-serialize.cc b/test/cctest/test-serialize.cc
@@ -3721,6 +3721,7 @@ UNINITIALIZED_TEST(ReinitializeHashSeedNotRehashable) {
     }
     blob =
         creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kClear);
+    CHECK(!blob.CanBeRehashed());
   }
 
   i::FLAG_hash_seed = 1337;
@@ -3786,6 +3787,7 @@ UNINITIALIZED_TEST(ReinitializeHashSeedRehashable) {
     }
     blob =
         creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kClear);
+    CHECK(blob.CanBeRehashed());
   }
 
   i::FLAG_hash_seed = 1337;

Original file line number	Diff line number	Diff line change
`@@ -887,6 +887,11 @@ StartupData SnapshotCreator::CreateBlob(`
`887`	`887`	`return result;`
`888`	`888`	`}`
`889`	`889`
	`890`	`+bool StartupData::CanBeRehashed() const {`
	`891`	`+ DCHECK(i::Snapshot::VerifyChecksum(this));`
	`892`	`+ return i::Snapshot::ExtractRehashability(this);`
	`893`	`+}`
	`894`	`+`
`890`	`895`	`void V8::SetDcheckErrorHandler(DcheckErrorCallback that) {`
`891`	`896`	`v8::base::SetDcheckFunction(that);`
`892`	`897`	`}`
Original file line number	Diff line number	Diff line change
`@@ -230,7 +230,9 @@ uint32_t Snapshot::ExtractContextOffset(const v8::StartupData* data,`
`230`	`230`
`231`	`231`	`bool Snapshot::ExtractRehashability(const v8::StartupData* data) {`
`232`	`232`	`CHECK_LT(kRehashabilityOffset, static_cast<uint32_t>(data->raw_size));`
`233`		`- return GetHeaderValue(data, kRehashabilityOffset) != 0;`
	`233`	`+ uint32_t rehashability = GetHeaderValue(data, kRehashabilityOffset);`
	`234`	`+ CHECK_IMPLIES(rehashability != 0, rehashability == 1);`
	`235`	`+ return rehashability != 0;`
`234`	`236`	`}`
`235`	`237`
`236`	`238`	`namespace {`
Original file line number	Diff line number	Diff line change
`@@ -3721,6 +3721,7 @@ UNINITIALIZED_TEST(ReinitializeHashSeedNotRehashable) {`
`3721`	`3721`	`}`
`3722`	`3722`	`blob =`
`3723`	`3723`	`creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kClear);`
	`3724`	`+ CHECK(!blob.CanBeRehashed());`
`3724`	`3725`	`}`
`3725`	`3726`
`3726`	`3727`	`i::FLAG_hash_seed = 1337;`
`@@ -3786,6 +3787,7 @@ UNINITIALIZED_TEST(ReinitializeHashSeedRehashable) {`
`3786`	`3787`	`}`
`3787`	`3788`	`blob =`
`3788`	`3789`	`creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kClear);`
	`3790`	`+ CHECK(blob.CanBeRehashed());`
`3789`	`3791`	`}`
`3790`	`3792`
`3791`	`3793`	`i::FLAG_hash_seed = 1337;`