chromium/src
0
Fork 0
Code Activity

Clean up V8 sandbox histograms

Browse Source 
This CL replaces two outdated histograms with newer ones:
V8.SandboxMode is identical (apart from renaming) to
V8.VirtualMemoryCageMode, however V8.SandboxReservationSizeGB now
captures the size of the virtual address space reservation backing the
sandbox while V8.VirtualMemoryCageSizeGB captured the size of the
sandbox itself (which is now a constant, and so no longer needs to be
recorded into UMA).

Bug: v8:10391
Change-Id: I9fe142b6aea71f56b34f60d085e3a577ba3911d7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3695415
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1012872}
This commit is contained in:
Samuel Groß
2022-06-10 09:31:04 +00:00
committed by Chromium LUCI CQ
parent 1957044da2
commit 5024ada375
3 changed files with 63 additions and 58 deletions
gin
v8_initializer.cc
tools/metrics/histograms
enums.xml
metadata
v8
histograms.xml

41
gin/v8_initializer.cc

@ -391,20 +391,6 @@ void V8Initializer::Initialize(IsolateHolder::ScriptMode mode,
base::FeatureList::IsEnabled(features::kV8VirtualMemoryCage)) {
v8_sandbox_is_initialized = v8::V8::InitializeSandbox();
CHECK(!must_initialize_sandbox || v8_sandbox_is_initialized);
// Record the size of the sandbox, in GB. The size will always be a power
// of two, so we use a sparse histogram to capture it. If the
// initialization failed, this API will return zero. The main reason for
// capturing this histogram here instead of having V8 do it is that there
// are no Isolates available yet, which are required for recording
// histograms in V8.
size_t size = v8::V8::GetSandboxSizeInBytes();
int sizeInGB = size >> 30;
DCHECK(base::bits::IsPowerOfTwo(size));
DCHECK(size == 0 || sizeInGB > 0);
// This uses the term "cage" instead of "sandbox" for historical reasons.
// TODO(1218005) remove this once the finch trial has ended.
base::UmaHistogramSparse("V8.VirtualMemoryCageSizeGB", sizeInGB);
}
#endif // V8_ENABLE_SANDBOX
@ -422,20 +408,33 @@ void V8Initializer::Initialize(IsolateHolder::ScriptMode mode,
#if defined(V8_ENABLE_SANDBOX)
if (v8_sandbox_is_initialized) {
// Record some sandbox statistics into UMA.
// The main reason for capturing these histograms here instead of having V8
// do it is that there are no Isolates available yet, which are required
// for recording histograms in V8.
// Record the mode of the sandbox.
// These values are persisted to logs. Entries should not be renumbered and
// numeric values should never be reused. This should match enum
// V8VirtualMemoryCageMode in \tools\metrics\histograms\enums.xml
// This uses the term "cage" instead of "sandbox" for historical reasons.
// TODO(1218005) remove this once the finch trial has ended.
enum class VirtualMemoryCageMode {
// V8SandboxMode in tools/metrics/histograms/enums.xml.
enum class V8SandboxMode {
kSecure = 0,
kInsecure = 1,
kMaxValue = kInsecure,
};
base::UmaHistogramEnumeration("V8.VirtualMemoryCageMode",
base::UmaHistogramEnumeration("V8.SandboxMode",
v8::V8::IsSandboxConfiguredSecurely()
? VirtualMemoryCageMode::kSecure
: VirtualMemoryCageMode::kInsecure);
? V8SandboxMode::kSecure
: V8SandboxMode::kInsecure);
// Record the size of the address space reservation backing the sandbox.
// The size will always be one of a handful of values, so use a sparse
// histogram to capture it.
size_t size = v8::V8::GetSandboxReservationSizeInBytes();
DCHECK_GT(size, 0U);
size_t sizeInGB = size >> 30;
DCHECK_EQ(sizeInGB << 30, size);
base::UmaHistogramSparse("V8.SandboxReservationSizeGB", sizeInGB);
// When the sandbox is enabled, ArrayBuffers must be allocated inside of
// it. To achieve that, PA's ConfigurablePool is created inside the sandbox

10
tools/metrics/histograms/enums.xml

@ -96184,9 +96184,13 @@ Full version information for the fingerprint enum values:
<int value="3" label="FAILED_OTHER">Failed for other reason</int>
</enum>
<enum name="V8VirtualMemoryCageMode">
<int value="0" label="kSecure">Using a normal, secure cage</int>
<int value="1" label="kInsecure">Using a fallback, insecure cage</int>
<enum name="V8SandboxMode">
<int value="0" label="kSecure">
Using a default, securely-configured sandbox
</int>
<int value="1" label="kInsecure">
Using a fallback, insecurely-configured sandbox
</int>
</enum>
<enum name="VaapiFunctions">

70
tools/metrics/histograms/metadata/v8/histograms.xml

@ -1443,6 +1443,42 @@ chromium-metrics-reviews@google.com.
</summary>
</histogram>
<histogram name="V8.SandboxMode" enum="V8SandboxMode"
expires_after="2022-12-04">
<owner>saelo@chromium.org</owner>
<owner>ishell@chromium.org</owner>
<summary>
Mode of operation of V8's sandbox.
By default, the V8 sandbox is fully backed by a large virtual address space
reservation, ensuring that only V8-related objects are located inside the
sandbox. In that case, the sandbox is configured securely. However, when it
is not possible to reserve a sufficient amount of virtual address space
during initialization (e.g. due to memory or virtual address space
constraints), the sandbox will instead use a fallback mode where only a part
of the sandbox's address space is actually reserved. In that case, unrelated
memory mappings may end up inside the sandbox though, where they could be
corrupted by an attacker. As such, this mode is considered insecure.
Recorded as enum value during initialization of V8.
</summary>
</histogram>
<histogram name="V8.SandboxReservationSizeGB" units="GB"
expires_after="2022-12-04">
<owner>saelo@chromium.org</owner>
<owner>ishell@chromium.org</owner>
<summary>
Size of the virtual address space reservation backing the V8 sandbox, in GB.
This value is typically larger than the size of the sandbox as it includes
the surrounding guard regions. However, in the case of a partially-reserved
(i.e. insecure) sandbox, this value will be smaller than the sandbox size.
Recorded during initialization of V8.
</summary>
</histogram>
<histogram name="V8.SharedArrayAllocationSizes" units="MB"
expires_after="2020-12-02">
<owner>gdeepti@chromium.org</owner>
@ -1615,40 +1651,6 @@ chromium-metrics-reviews@google.com.
</summary>
</histogram>
<histogram name="V8.VirtualMemoryCageMode" enum="V8VirtualMemoryCageMode"
expires_after="2022-12-04">
<owner>saelo@chromium.org</owner>
<owner>ishell@chromium.org</owner>
<summary>
Mode of operation of V8's virtual memory cage.
V8's virtual memory cage can operate in two different modes: the normal,
secure mode, and an insecure fallback mode, used if a normal cage can, for
whatever reason, not be created. The insecure mode does not have the desired
security properties but allows V8 to otherwise operate normally. The mode of
the cage is recorded as enum value during the initialization of V8, after
the virtual memory cage has been initialized.
</summary>
</histogram>
<histogram name="V8.VirtualMemoryCageSizeGB" units="GB"
expires_after="2022-12-04">
<owner>saelo@chromium.org</owner>
<owner>ishell@chromium.org</owner>
<summary>
Size of the virtual memory cage, in GB.
Recorded during initialization of V8, after the virtual memory cage has been
created. If the initial reservation attempt fails, the size of the cage is
reduced until either the reservation succeeds or a minimum size is reached.
A value of zero indicates that even the minimum size could not be reserved,
implying that the cage initialization failed.
This value excludes the size of any guard regions placed around the cage and
so represents only the usable size of the cage.
</summary>
</histogram>
<histogram name="V8.WasmCacheCount" units="count" expires_after="2022-11-13">
<owner>ahaas@chromium.org</owner>
<owner>ecmziegler@chromium.org</owner>