authorTobias Tebbi <tebbi@chromium.org>2022-06-29 10:18:59 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-08-03 10:07:13 +0000
commit2874d728ffe87d7e6eaad25954ded53fb4ca974a (patch)
tree798639d5a06e0031beaf54cb06eb3e6c9eea0681
parent45abf85387307e2937b25445a7c6cbdb920e1ecc (diff)
[Backport] Security bug 1340335
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/3755103: Merged: [compiler] fix FrameState revisit bug in escape analysis (cherry picked from commit 17da9e70833014e0a2646db5c11588f0aee02de7) Bug: chromium:1340335, chromium:1315901 Change-Id: I81cdc6bc3d6c7441ebc333d33801329c05fbd5d4 Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/branch-heads/10.2@{#25} Cr-Branched-From: 374091f382e88095694c1283cbdc2acddc1b1417-refs/heads/10.2.154@{#1} Cr-Branched-From: f0c353f6315eeb2212ba52478983a3b3af07b5b1-refs/heads/main@{#79976} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/v8/src/compiler/escape-analysis.cc6
1 files changed, 5 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/escape-analysis.cc b/chromium/v8/src/compiler/escape-analysis.cc
index 316db298da8..bad74181f30 100644
--- a/chromium/v8/src/compiler/escape-analysis.cc
+++ b/chromium/v8/src/compiler/escape-analysis.cc
@@ -78,6 +78,8 @@ class ReduceScope {
explicit ReduceScope(Node* node, Reduction* reduction)
: current_node_(node), reduction_(reduction) {}
+ void SetValueChanged() { reduction()->set_value_changed(); }
+
protected:
Node* current_node() const { return current_node_; }
Reduction* reduction() { return reduction_; }
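Review bot: The new public `SetValueChanged()` added to ReduceScope has no comment, although it turns a previously protected-only path to the Reduction into a public mutator that any holder of a scope can call. A one-line comment stating when it is meant to be used would help the next maintainer, e.g. `// Marks the current reduction as value-changed so dependents are revisited; use when a node is only reached through another node (see the kStateValues case).` The class header and the remainder of ReduceScope lie outside the hunk.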
@@ -803,7 +805,9 @@ void ReduceNode(const Operator* op, EscapeAnalysisTracker::Scope* current,
break;
}
case IrOpcode::kStateValues:
- // These uses are always safe.
+ // We visit StateValue nodes through their correpsonding FrameState node,
+ // so we need to make sure we revisit the FrameState.
+ current->SetValueChanged();
break;
case IrOpcode::kFrameState: {
// We mark the receiver as escaping due to the non-standard `.getThis`
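Review bot: The added comment above `current->SetValueChanged();` misspells "corresponding" as "correpsonding"; the line should read `// We visit StateValue nodes through their corresponding FrameState node,`. The comment otherwise gives the why clearly, which matters here because the kStateValues arm previously did nothing and a reader could reasonably think the new call is redundant. The enclosing ReduceNode switch begins before this hunk and continues past it, so the kFrameState arm that the revisit is meant to reach is not visible.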