author | Georg Neis <neis@chromium.org> | 2020-06-12 11:08:09 +0200 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-07-29 10:47:28 +0000 |
commit | 83793149bf555ece4daf0575fcb3cfbf7438dd05 (patch) | |
tree | d9aae3699274c9a2a51bcd9eef5cf7d352d0fd7a | |
parent | d8a0b1b22c1878a7aa2a1d67b6dd1b8981cb508e (diff) | |
download | qtwebengine-chromium-83793149bf555ece4daf0575fcb3cfbf7438dd05.tar.gz |
[Backport] CVE-2020-6512: Type Confusion in V8 (3/3)
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2241517:
[deoptimizer] Relax a CHECK
The condition was too strong since we never store Smis into
{previously_materialized_objects}.
Bug: chromium:1094132
Change-Id: I680eb7f175f12d3c44882fd8a9eff0d062eda55f
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68317}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/v8/src/deoptimizer.cc | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/chromium/v8/src/deoptimizer.cc b/chromium/v8/src/deoptimizer.cc
index 1e77083b59e..983e222ca9d 100644
--- a/chromium/v8/src/deoptimizer.cc
+++ b/chromium/v8/src/deoptimizer.cc
@@ -3897,24 +3897,30 @@ void TranslatedState::StoreMaterializedValuesAndDeopt(JavaScriptFrame* frame) {
 CHECK(value_info->IsMaterializedObject());
- // Skip duplicate objects (i.e., those that point to some
- // other object id).
+ // Skip duplicate objects (i.e., those that point to some other object id).
 if (value_info->object_index() != i) continue;
+ Handle<Object> previous_value(previously_materialized_objects->get(i),
+ isolate_);
 Handle<Object> value(value_info->GetRawValue(), isolate_);
- if (!value.is_identical_to(marker)) {
- if (previously_materialized_objects->get(i) == *marker) {
+ if (value.is_identical_to(marker)) {
+ DCHECK_EQ(*previous_value, *marker);
+ } else {
+ if (*previous_value == *marker) {
 if (value->IsSmi()) {
 value = isolate()->factory()->NewHeapNumber(value->Number());
 }
 previously_materialized_objects->set(i, *value);
 value_changed = true;
 } else {
- CHECK(previously_materialized_objects->get(i) == *value);
+ CHECK(*previous_value == *value ||
+ (previous_value->IsHeapNumber() && value->IsSmi() &&
+ previous_value->Number() == value->Number()));
 }
 }
 }
+
 if (new_store && value_changed) {
 materialized_store->Set(stack_frame_pointer_,
 previously_materialized_objects); |