authorGeorg Neis <neis@chromium.org>2020-06-12 11:08:09 +0200
committerMichael Brüning <michael.bruning@qt.io>2020-07-29 10:47:28 +0000
commit83793149bf555ece4daf0575fcb3cfbf7438dd05 (patch)
treed9aae3699274c9a2a51bcd9eef5cf7d352d0fd7a
parentd8a0b1b22c1878a7aa2a1d67b6dd1b8981cb508e (diff)
downloadqtwebengine-chromium-83793149bf555ece4daf0575fcb3cfbf7438dd05.tar.gz
[Backport] CVE-2020-6512: Type Confusion in V8 (3/3)
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2241517: [deoptimizer] Relax a CHECK The condition was too strong since we never store Smis into {previously_materialized_objects}. Bug: chromium:1094132 Change-Id: I680eb7f175f12d3c44882fd8a9eff0d062eda55f Commit-Queue: Georg Neis <neis@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#68317} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/v8/src/deoptimizer.cc16
1 files changed, 11 insertions, 5 deletions
diff --git a/chromium/v8/src/deoptimizer.cc b/chromium/v8/src/deoptimizer.cc
index 1e77083b59e..983e222ca9d 100644
--- a/chromium/v8/src/deoptimizer.cc
+++ b/chromium/v8/src/deoptimizer.cc
@@ -3897,24 +3897,30 @@ void TranslatedState::StoreMaterializedValuesAndDeopt(JavaScriptFrame* frame) {
CHECK(value_info->IsMaterializedObject());
- // Skip duplicate objects (i.e., those that point to some
- // other object id).
+ // Skip duplicate objects (i.e., those that point to some other object id).
if (value_info->object_index() != i) continue;
+ Handle<Object> previous_value(previously_materialized_objects->get(i),
+ isolate_);
Handle<Object> value(value_info->GetRawValue(), isolate_);
- if (!value.is_identical_to(marker)) {
- if (previously_materialized_objects->get(i) == *marker) {
+ if (value.is_identical_to(marker)) {
+ DCHECK_EQ(*previous_value, *marker);
+ } else {
+ if (*previous_value == *marker) {
if (value->IsSmi()) {
value = isolate()->factory()->NewHeapNumber(value->Number());
}
previously_materialized_objects->set(i, *value);
value_changed = true;
} else {
- CHECK(previously_materialized_objects->get(i) == *value);
+ CHECK(*previous_value == *value ||
+ (previous_value->IsHeapNumber() && value->IsSmi() &&
+ previous_value->Number() == value->Number()));
}
}
}
+
if (new_store && value_changed) {
materialized_store->Set(stack_frame_pointer_,
previously_materialized_objects);