diff options
author | Michael Bruening <michael.bruning@qt.io> | 2021-11-10 12:19:13 +0100 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2021-11-10 18:18:29 +0000 |
commit | aa004024cb5264799cc9ef95d1297ca6ce112c17 (patch) | |
tree | 5e2d88ae4ba9622eb5a95961ef431b768fa4bfa3 | |
parent | ae2a6fb88b52f4544b154aeef384e006e621d7ec (diff) | |
download | qtwebengine-chromium-aa004024cb5264799cc9ef95d1297ca6ce112c17.tar.gz |
Revert "[Backport] CVE-2021-21227: Insufficient data validation in V8"
This reverts commit bc38ef79d8c2e9ff87fac1937c31b0e5b7d740a2.
Change-Id: I492e1c163ddda95f23cfba2b7aecc489d3ca5d75
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/v8/src/compiler/simplified-lowering.cc | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/chromium/v8/src/compiler/simplified-lowering.cc b/chromium/v8/src/compiler/simplified-lowering.cc index e2f34f08796..867a3f9d4a5 100644 --- a/chromium/v8/src/compiler/simplified-lowering.cc +++ b/chromium/v8/src/compiler/simplified-lowering.cc @@ -1318,15 +1318,10 @@ class RepresentationSelector { Type right_feedback_type = TypeOf(node->InputAt(1)); // Using Signed32 as restriction type amounts to promising there won't be - // signed overflow. This is incompatible with relying on a Word32 truncation - // in order to skip the overflow check. Similarly, we must not drop -0 from - // the result type unless we deopt for -0 inputs. + // signed overflow. This is incompatible with relying on a Word32 + // truncation in order to skip the overflow check. Type const restriction = - truncation.IsUsedAsWord32() - ? Type::Any() - : (truncation.identify_zeros() == kIdentifyZeros) - ? Type::Signed32OrMinusZero() - : Type::Signed32(); + truncation.IsUsedAsWord32() ? Type::Any() : Type::Signed32(); // Handle the case when no int32 checks on inputs are necessary (but // an overflow check is needed on the output). Note that we do not |