Revert "[Backport] CVE-2021-30513: Type Confusion in V8."

This reverts commits 7ea027a7d8e05d14e02d93b91a7bf70a23d90b23 and
0532d46d8991dd853421c2f270f8fb45e4d3e6e0.

Change-Id: I64f337bcb3ddd18660c059ba266f502751f54ed3
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

1 files changed, 27 insertions, 39 deletions

diff --git a/chromium/v8/src/compiler/simplified-lowering.cc b/chromium/v8/src/compiler/simplified-lowering.cc
index c008fe0d4a9..e2f34f08796 100644
--- a/chromium/v8/src/compiler/simplified-lowering.cc
+++ b/chromium/v8/src/compiler/simplified-lowering.cc
@@ -707,11 +707,13 @@ class RepresentationSelector {
         info->set_restriction_type(restriction_type);
         break;
       case RETYPE:
+        DCHECK(info->restriction_type().Is(restriction_type));
         DCHECK(restriction_type.Is(info->restriction_type()));
         info->set_output(representation);
         break;
       case LOWER:
         DCHECK_EQ(info->representation(), representation);
+        DCHECK(info->restriction_type().Is(restriction_type));
         DCHECK(restriction_type.Is(info->restriction_type()));
         break;
     }
@@ -1261,28 +1263,18 @@ class RepresentationSelector {
     return jsgraph_->simplified();
   }
 
-  void VisitForCheckedInt32Mul(Node* node, Truncation truncation,
-                               Type input0_type, Type input1_type,
-                               UseInfo input_use) {
-    DCHECK_EQ(node->opcode(), IrOpcode::kSpeculativeNumberMultiply);
-    // A -0 input is impossible or will cause a deopt.
-    DCHECK(BothInputsAre(node, Type::Signed32()) ||
-           !input_use.truncation().IdentifiesZeroAndMinusZero());
-    CheckForMinusZeroMode mz_mode;
-    Type restriction;
-    if (IsSomePositiveOrderedNumber(input0_type) ||
-        IsSomePositiveOrderedNumber(input1_type)) {
-      mz_mode = CheckForMinusZeroMode::kDontCheckForMinusZero;
-      restriction = Type::Signed32();
-    } else if (truncation.IdentifiesZeroAndMinusZero()) {
-      mz_mode = CheckForMinusZeroMode::kDontCheckForMinusZero;
-      restriction = Type::Signed32OrMinusZero();
-    } else {
-      mz_mode = CheckForMinusZeroMode::kCheckForMinusZero;
-      restriction = Type::Signed32();
-    }
-    VisitBinop(node, input_use, MachineRepresentation::kWord32, restriction);
-    if (lower()) NodeProperties::ChangeOp(node, simplified()->CheckedInt32Mul(mz_mode));
+  void LowerToCheckedInt32Mul(Node* node, Truncation truncation,
+                              Type input0_type, Type input1_type) {
+    // If one of the inputs is positive and/or truncation is being applied,
+    // there is no need to return -0.
+    CheckForMinusZeroMode mz_mode =
+        truncation.IdentifiesZeroAndMinusZero() ||
+                IsSomePositiveOrderedNumber(input0_type) ||
+                IsSomePositiveOrderedNumber(input1_type)
+            ? CheckForMinusZeroMode::kDontCheckForMinusZero
+            : CheckForMinusZeroMode::kCheckForMinusZero;
+
+    NodeProperties::ChangeOp(node, simplified()->CheckedInt32Mul(mz_mode));
   }
 
   void ChangeToInt32OverflowOp(Node* node) {
@@ -1461,22 +1453,12 @@ class RepresentationSelector {
                    MachineRepresentation::kWord32);
         if (lower()) DeferReplacement(node, lowering->Int32Mod(node));
       } else if (BothInputsAre(node, Type::Unsigned32OrMinusZeroOrNaN())) {
-        Type const restriction =
-            truncation.IdentifiesZeroAndMinusZero() &&
-                    TypeOf(node->InputAt(0)).Maybe(Type::MinusZero())
-                ? Type::Unsigned32OrMinusZero()
-                : Type::Unsigned32();
         VisitBinop(node, CheckedUseInfoAsWord32FromHint(hint),
-                   MachineRepresentation::kWord32, restriction);
+                   MachineRepresentation::kWord32, Type::Unsigned32());
         if (lower()) ChangeToUint32OverflowOp(node);
       } else {
-        Type const restriction =
-            truncation.IdentifiesZeroAndMinusZero() &&
-                    TypeOf(node->InputAt(0)).Maybe(Type::MinusZero())
-                ? Type::Signed32OrMinusZero()
-                : Type::Signed32();
         VisitBinop(node, CheckedUseInfoAsWord32FromHint(hint),
-                   MachineRepresentation::kWord32, restriction);
+                   MachineRepresentation::kWord32, Type::Signed32());
         if (lower()) ChangeToInt32OverflowOp(node);
       }
       return;
@@ -1822,17 +1804,23 @@ class RepresentationSelector {
           // If both inputs and feedback are int32, use the overflow op.
           if (hint == NumberOperationHint::kSignedSmall ||
               hint == NumberOperationHint::kSigned32) {
-            VisitForCheckedInt32Mul(node, truncation, input0_type,
-                                    input1_type,
-                                    UseInfo::TruncatingWord32());
+            VisitBinop(node, UseInfo::TruncatingWord32(),
+                       MachineRepresentation::kWord32, Type::Signed32());
+            if (lower()) {
+              LowerToCheckedInt32Mul(node, truncation, input0_type,
+                                     input1_type);
+            }
             return;
           }
         }
 
         if (hint == NumberOperationHint::kSignedSmall ||
             hint == NumberOperationHint::kSigned32) {
-          VisitForCheckedInt32Mul(node, truncation, input0_type, input1_type,
-                                  CheckedUseInfoAsWord32FromHint(hint));
+          VisitBinop(node, CheckedUseInfoAsWord32FromHint(hint),
+                     MachineRepresentation::kWord32, Type::Signed32());
+          if (lower()) {
+            LowerToCheckedInt32Mul(node, truncation, input0_type, input1_type);
+          }
           return;
         }