deps: cherry-pick 4ab70f6 from V8 upstream

    [Compiler] Remove untrusted code mitigations.

    These are no longer enabled, so remove the code mitigation logic from
    the codebase.

    BUG=chromium:1003890

    Change-Id: I536bb1732e8463281c21da446bbba8f47ede8ebe
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3045704
    Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
    Reviewed-by: Jakob Gruber <jgruber@chromium.org>
    Reviewed-by: Clemens Backes <clemensb@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#76256}

Refs: v8/v8@4ab70f6
Fixes: #43296

PR-URL: #43328
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>

deps/v8/BUILD.bazel

@@ -150,7 +150,6 @@ config_setting(
 # v8_can_use_fpu_instructions
 # v8_use_mips_abi_hardfloat
 # v8_enable_gdbjit
-# v8_untrusted_code_mitigations
 # v8_enable_minor_mc
 # v8_check_header_includes
 # v8_enable_shared_ro_heap
@@ -305,9 +304,6 @@ v8_config(
             "V8_HAVE_TARGET_OS",
             "V8_TARGET_OS_MACOSX",
         ],
-    }) + select({
-        ":is_android_x86": [ "DISABLE_UNTRUSTED_CODE_MITIGATIONS" ],
-        "//conditions:default": [],
     }) + select({
         ":is_v8_enable_pointer_compression": [
             "V8_COMPRESS_POINTERS",

deps/v8/BUILD.gn

@@ -228,11 +228,6 @@ declare_args() {
                       (is_linux || is_chromeos || is_mac)) ||
                      (v8_current_cpu == "ppc64" && (is_linux || is_chromeos))
 
-  # Enable mitigations for executing untrusted code.
-  # Disabled by default on ia32 due to conflicting requirements with embedded
-  # builtins.
-  v8_untrusted_code_mitigations = false
-
   # Enable minor mark compact.
   v8_enable_minor_mc = true
 
@@ -461,9 +456,6 @@ if (build_with_chromium && v8_current_cpu == "arm64" &&
 assert(!v8_disable_write_barriers || v8_enable_single_generation,
        "Disabling write barriers works only with single generation")
 
-assert(v8_current_cpu != "x86" || !v8_untrusted_code_mitigations,
-       "Untrusted code mitigations are unsupported on ia32")
-
 assert(v8_current_cpu == "arm64" || !v8_control_flow_integrity,
        "Control-flow integrity is only supported on arm64")
 
@@ -480,9 +472,6 @@ assert(!v8_enable_map_packing || !v8_enable_pointer_compression,
 assert(!v8_enable_map_packing || v8_current_cpu == "x64",
        "Map packing is only supported on x64")
 
-assert(!v8_use_multi_snapshots || !v8_control_flow_integrity,
-       "Control-flow integrity does not support multisnapshots")
-
 assert(!v8_enable_heap_sandbox || v8_enable_pointer_compression,
        "V8 Heap Sandbox requires pointer compression")
 
@@ -872,9 +861,6 @@ config("features") {
   if (v8_enable_lazy_source_positions) {
     defines += [ "V8_ENABLE_LAZY_SOURCE_POSITIONS" ]
   }
-  if (v8_use_multi_snapshots) {
-    defines += [ "V8_MULTI_SNAPSHOTS" ]
-  }
   if (v8_use_siphash) {
     defines += [ "V8_USE_SIPHASH" ]
   }
@@ -1170,10 +1156,6 @@ config("toolchain") {
     defines += [ "V8_RUNTIME_CALL_STATS" ]
   }
 
-  if (!v8_untrusted_code_mitigations) {
-    defines += [ "DISABLE_UNTRUSTED_CODE_MITIGATIONS" ]
-  }
-
   if (v8_no_inline) {
     if (is_win) {
       cflags += [ "/Ob0" ]
@@ -1309,8 +1291,6 @@ template("asm_to_inline_asm") {
 if (is_android && enable_java_templates) {
   android_assets("v8_external_startup_data_assets") {
     if (v8_use_external_startup_data) {
-      # We don't support side-by-side snapshots on Android within Chromium.
-      assert(!v8_use_multi_snapshots)
       deps = [ "//v8" ]
       renaming_sources = [ "$root_out_dir/snapshot_blob.bin" ]
       if (current_cpu == "arm" || current_cpu == "x86" ||
@@ -1987,17 +1967,6 @@ if (emit_builtins_as_inline_asm) {
     args = []
   }
 }
-if (v8_use_multi_snapshots) {
-  run_mksnapshot("trusted") {
-    args = [ "--no-untrusted-code-mitigations" ]
-    embedded_variant = "Trusted"
-  }
-  if (emit_builtins_as_inline_asm) {
-    asm_to_inline_asm("trusted") {
-      args = []
-    }
-  }
-}
 
 action("v8_dump_build_config") {
   script = "tools/testrunner/utils/dump_build_config.py"
@@ -2086,16 +2055,6 @@ v8_source_set("v8_snapshot") {
     deps += [ ":v8_base" ]
 
     sources += [ "src/snapshot/snapshot-external.cc" ]
-
-    if (v8_use_multi_snapshots) {
-      public_deps += [ ":run_mksnapshot_trusted" ]
-      if (emit_builtins_as_inline_asm) {
-        deps += [ ":asm_to_inline_asm_trusted" ]
-        sources += [ "$target_gen_dir/embedded_trusted.cc" ]
-      } else {
-        sources += [ "$target_gen_dir/embedded_trusted.S" ]
-      }
-    }
   } else {
     # Also top-level visibility targets can depend on this.
     visibility += [ "//:gn_visibility" ]

deps/v8/gni/v8.gni

@@ -35,7 +35,8 @@ declare_args() {
   # as an argument to profiler's method `takeHeapSnapshot`.
   v8_enable_raw_heap_snapshots = false
 
-  # Enable several snapshots side-by-side (e.g. default and for trusted code).
+  # Deprecated flag that no longer does anything.
+  # TODO(rmcilroy): Remove this gn arg once it's no longer used by the bots.
   v8_use_multi_snapshots = false
 
   # Use external files for startup data blobs:
@@ -99,13 +100,6 @@ if (v8_use_external_startup_data == "") {
   v8_use_external_startup_data = !is_ios
 }
 
-if (v8_use_multi_snapshots) {
-  # Silently disable multi snapshots if they're incompatible with the current
-  # build configuration. This allows us to set v8_use_multi_snapshots=true on
-  # all bots, and e.g. no-snapshot bots will automatically do the right thing.
-  v8_use_multi_snapshots = v8_use_external_startup_data && !build_with_chromium
-}
-
 if (v8_enable_backtrace == "") {
   v8_enable_backtrace = is_debug && !v8_optimized_debug
 }

deps/v8/src/builtins/arm/builtins-arm.cc

@@ -2777,12 +2777,6 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
   __ cmp(cp, Operand(0));
   __ str(cp, MemOperand(fp, StandardFrameConstants::kContextOffset), ne);
 
-  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // with both configurations. It is safe to always do this, because the
-  // underlying register is caller-saved and can be arbitrarily clobbered.
-  __ ResetSpeculationPoisonRegister();
-
   // Clear c_entry_fp, like we do in `LeaveExitFrame`.
   {
     UseScratchRegisterScope temps(masm);

deps/v8/src/builtins/arm64/builtins-arm64.cc

@@ -3250,12 +3250,6 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
   __ Str(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
   __ Bind(&not_js_frame);
 
-  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // with both configurations. It is safe to always do this, because the
-  // underlying register is caller-saved and can be arbitrarily clobbered.
-  __ ResetSpeculationPoisonRegister();
-
   {
     // Clear c_entry_fp, like we do in `LeaveExitFrame`.
     UseScratchRegisterScope temps(masm);

deps/v8/src/builtins/mips/builtins-mips.cc

@@ -2723,12 +2723,6 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
   __ sw(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
   __ bind(&zero);
 
-  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // with both configurations. It is safe to always do this, because the
-  // underlying register is caller-saved and can be arbitrarily clobbered.
-  __ ResetSpeculationPoisonRegister();
-
   // Clear c_entry_fp, like we do in `LeaveExitFrame`.
   {
     UseScratchRegisterScope temps(masm);

deps/v8/src/builtins/mips64/builtins-mips64.cc

@@ -2814,12 +2814,6 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
   __ Sd(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
   __ bind(&zero);
 
-  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // with both configurations. It is safe to always do this, because the
-  // underlying register is caller-saved and can be arbitrarily clobbered.
-  __ ResetSpeculationPoisonRegister();
-
   // Clear c_entry_fp, like we do in `LeaveExitFrame`.
   {
     UseScratchRegisterScope temps(masm);

deps/v8/src/builtins/ppc/builtins-ppc.cc

@@ -2646,12 +2646,6 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
   __ StoreU64(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
   __ bind(&skip);
 
-  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // with both configurations. It is safe to always do this, because the
-  // underlying register is caller-saved and can be arbitrarily clobbered.
-  __ ResetSpeculationPoisonRegister();
-
   // Clear c_entry_fp, like we do in `LeaveExitFrame`.
   {
     UseScratchRegisterScope temps(masm);

deps/v8/src/builtins/riscv64/builtins-riscv64.cc

@@ -2903,12 +2903,6 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
   __ Sd(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
   __ bind(&zero);
 
-  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // with both configurations. It is safe to always do this, because the
-  // underlying register is caller-saved and can be arbitrarily clobbered.
-  __ ResetSpeculationPoisonRegister();
-
   // Compute the handler entry address and jump to it.
   UseScratchRegisterScope temp(masm);
   Register scratch = temp.Acquire();

deps/v8/src/builtins/s390/builtins-s390.cc

@@ -2679,12 +2679,6 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
   __ StoreU64(cp, MemOperand(fp, StandardFrameConstants::kContextOffset));
   __ bind(&skip);
 
-  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // with both configurations. It is safe to always do this, because the
-  // underlying register is caller-saved and can be arbitrarily clobbered.
-  __ ResetSpeculationPoisonRegister();
-
   // Clear c_entry_fp, like we do in `LeaveExitFrame`.
   {
     UseScratchRegisterScope temps(masm);

deps/v8/src/builtins/setup-builtins-internal.cc

@@ -158,9 +158,8 @@ Code BuildWithCodeStubAssemblerJS(Isolate* isolate, Builtin builtin,
   Zone zone(isolate->allocator(), ZONE_NAME, kCompressGraphZone);
   const int argc_with_recv =
       (argc == kDontAdaptArgumentsSentinel) ? 0 : argc + 1;
-  compiler::CodeAssemblerState state(
-      isolate, &zone, argc_with_recv, CodeKind::BUILTIN, name,
-      PoisoningMitigationLevel::kDontPoison, builtin);
+  compiler::CodeAssemblerState state(isolate, &zone, argc_with_recv,
+                                     CodeKind::BUILTIN, name, builtin);
   generator(&state);
   Handle<Code> code = compiler::CodeAssembler::GenerateCode(
       &state, BuiltinAssemblerOptions(isolate, builtin),
@@ -183,9 +182,8 @@ Code BuildWithCodeStubAssemblerCS(Isolate* isolate, Builtin builtin,
   CallInterfaceDescriptor descriptor(interface_descriptor);
   // Ensure descriptor is already initialized.
   DCHECK_LE(0, descriptor.GetRegisterParameterCount());
-  compiler::CodeAssemblerState state(
-      isolate, &zone, descriptor, CodeKind::BUILTIN, name,
-      PoisoningMitigationLevel::kDontPoison, builtin);
+  compiler::CodeAssemblerState state(isolate, &zone, descriptor,
+                                     CodeKind::BUILTIN, name, builtin);
   generator(&state);
   Handle<Code> code = compiler::CodeAssembler::GenerateCode(
       &state, BuiltinAssemblerOptions(isolate, builtin),

deps/v8/src/builtins/x64/builtins-x64.cc

@@ -3691,12 +3691,6 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
   __ movq(Operand(rbp, StandardFrameConstants::kContextOffset), rsi);
   __ bind(&skip);
 
-  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // with both configurations. It is safe to always do this, because the
-  // underlying register is caller-saved and can be arbitrarily clobbered.
-  __ ResetSpeculationPoisonRegister();
-
   // Clear c_entry_fp, like we do in `LeaveExitFrame`.
   ExternalReference c_entry_fp_address = ExternalReference::Create(
       IsolateAddressId::kCEntryFPAddress, masm->isolate());

deps/v8/src/codegen/arm/macro-assembler-arm.cc

@@ -2660,10 +2660,6 @@ void TurboAssembler::ComputeCodeStartAddress(Register dst) {
   sub(dst, pc, Operand(pc_offset() + Instruction::kPcLoadDelta));
 }
 
-void TurboAssembler::ResetSpeculationPoisonRegister() {
-  mov(kSpeculationPoisonRegister, Operand(-1));
-}
-
 void TurboAssembler::CallForDeoptimization(Builtin target, int, Label* exit,
                                            DeoptimizeKind kind, Label* ret,
                                            Label*) {

deps/v8/src/codegen/arm/macro-assembler-arm.h

@@ -560,8 +560,6 @@ class V8_EXPORT_PRIVATE TurboAssembler : public TurboAssemblerBase {
   // This is an alternative to embedding the {CodeObject} handle as a reference.
   void ComputeCodeStartAddress(Register dst);
 
-  void ResetSpeculationPoisonRegister();
-
   // Control-flow integrity:
 
   // Define a function entrypoint. This doesn't emit any code for this

deps/v8/src/codegen/arm/register-arm.h

@@ -336,7 +336,6 @@ constexpr Register kReturnRegister2 = r2;
 constexpr Register kJSFunctionRegister = r1;
 constexpr Register kContextRegister = r7;
 constexpr Register kAllocateSizeRegister = r1;
-constexpr Register kSpeculationPoisonRegister = r9;
 constexpr Register kInterpreterAccumulatorRegister = r0;
 constexpr Register kInterpreterBytecodeOffsetRegister = r5;
 constexpr Register kInterpreterBytecodeArrayRegister = r6;

deps/v8/src/codegen/arm64/macro-assembler-arm64.cc

@@ -3540,10 +3540,6 @@ void TurboAssembler::ComputeCodeStartAddress(const Register& rd) {
   adr(rd, -pc_offset());
 }
 
-void TurboAssembler::ResetSpeculationPoisonRegister() {
-  Mov(kSpeculationPoisonRegister, -1);
-}
-
 void TurboAssembler::RestoreFPAndLR() {
   static_assert(StandardFrameConstants::kCallerFPOffset + kSystemPointerSize ==
                     StandardFrameConstants::kCallerPCOffset,

deps/v8/src/codegen/arm64/macro-assembler-arm64.h

@@ -1347,8 +1347,6 @@ class V8_EXPORT_PRIVATE TurboAssembler : public TurboAssemblerBase {
   // This is an alternative to embedding the {CodeObject} handle as a reference.
   void ComputeCodeStartAddress(const Register& rd);
 
-  void ResetSpeculationPoisonRegister();
-
   // ---------------------------------------------------------------------------
   // Pointer compression Support
 

deps/v8/src/codegen/arm64/register-arm64.h

@@ -701,8 +701,6 @@ constexpr Register kJSFunctionRegister = x1;
 constexpr Register kContextRegister = cp;
 constexpr Register kAllocateSizeRegister = x1;
 
-constexpr Register kSpeculationPoisonRegister = x23;
-
 constexpr Register kInterpreterAccumulatorRegister = x0;
 constexpr Register kInterpreterBytecodeOffsetRegister = x19;
 constexpr Register kInterpreterBytecodeArrayRegister = x20;