[Backport] CVE-2020-6418 - Type confusion in V8

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2062404: Merged: [turbofan] Fix bug in receiver maps inference Revision: fb0a60e15695466621cf65932f9152935d859447 BUG=chromium:1053604 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=mvstanton@chromium.org Change-Id: If3d0f772f76e7b4879c5c3cb132b9bd276792c6c Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
author: Georg Neis <neis@chromium.org> 2020-02-19 11:22:16 +0100
committer: Michael Brüning <michael.bruning@qt.io> 2020-03-20 08:10:34 +0000
commit: 50d216266c1d1964ad6272fdd3a31fdca98faf3d (patch)
tree: 9428c6f393f6d7715bd1344b1eff4ae07ba2fc29
parent: 7ce30813cdccbbdc1c39ecdb2e877872957301b9 (diff)
download: qtwebengine-chromium-50d216266c1d1964ad6272fdd3a31fdca98faf3d.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/chromium/v8/src/compiler/node-properties.cc b/chromium/v8/src/compiler/node-properties.cc
index 3c3bf817756..95281e2d902 100644
--- a/chromium/v8/src/compiler/node-properties.cc
+++ b/chromium/v8/src/compiler/node-properties.cc
@@ -429,6 +429,7 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMaps(
           // We reached the allocation of the {receiver}.
           return kNoReceiverMaps;
         }
+        result = kUnreliableReceiverMaps;  // JSCreate can have side-effect.
         break;
       }
       case IrOpcode::kStoreField: {
author	Georg Neis <neis@chromium.org>	2020-02-19 11:22:16 +0100
committer	Michael Brüning <michael.bruning@qt.io>	2020-03-20 08:10:34 +0000
commit	50d216266c1d1964ad6272fdd3a31fdca98faf3d (patch)
tree	9428c6f393f6d7715bd1344b1eff4ae07ba2fc29
parent	7ce30813cdccbbdc1c39ecdb2e877872957301b9 (diff)
download	qtwebengine-chromium-50d216266c1d1964ad6272fdd3a31fdca98faf3d.tar.gz