author | Jakob Gruber <jgruber@chromium.org> | 2019-11-11 14:34:07 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-24 08:13:09 +0000 |
commit | 86959566c4b101cfd54952fbca52fbc3d3dd9554 (patch) | |
tree | a7d54a44569d32e2a8debec3a659cc2e8f41b528 | |
parent | 4b2fb2f933fb85572334a90f31dabafb1883493b (diff) | |
download | qtwebengine-chromium-86959566c4b101cfd54952fbca52fbc3d3dd9554.tar.gz |
[Backport] Security bug 1020031
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/1903440:
[interpreter] Move function-entry stack check to start of bytecode array
The function-entry stack check should dominate all other
instructions in a function. Prior to this CL it was possible to create
paths not including a stack check due to SwitchOnGeneratorState: the
generator-creation branch had a stack check, while generator-resume
branches did not.
0 : af fb 00 01 SwitchOnGeneratorState r0, [0], [1] { 0: @22 }
4 : 27 fe fa Mov <closure>, r1
7 : 27 02 f9 Mov <this>, r2
10 : 64 0a fa 02 InvokeIntrinsic [_CreateJSGeneratorObject], r1-r2
14 : 26 fb Star r0
16 : a7 StackCheck
17 : b0 fb fb 01 00 SuspendGenerator r0, r0-r0, [0]
22 : b1 fb fb 01 ResumeGenerator r0, r0-r0
[... no stack check here ...]
This CL moves the stack check to the beginning of the bytecode array,
i.e. before SwitchOnGeneratorState.
Bug: chromium:1020031
Change-Id: I07ba6fdfa207309c2cc64b9c6e8a9cf171c84fb5
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
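The commit message describes a control-flow shape, not a test case: a stack check sits on the generator-creation branch, but the branches that ResumeGenerator lands on reach the function body without one. The snippet below is an added illustration written for this page; it is not code from the V8 CL, from the Chromium bug, or from the Qt backport, and it does not claim to reproduce that bug. It builds every generator at shallow stack depth, primes each one through its creation path, and then recurses only through resume paths: each resumed generator immediately resumes the next. The function name `resumeOnlyRecursion`, the generator name `link`, and the depth of 200000 (chosen to exceed any default engine stack) are this example's own choices. In an engine whose entry stack check dominates every path, the deep chain ends in a catchable RangeError rather than an unchecked walk off the native stack.

```javascript
// Added example, not part of the V8 patch or the Qt commit page.
// Exercise recursion that only ever goes through generator *resume* paths,
// the branch the commit message says used to skip the entry stack check.
function resumeOnlyRecursion(count) {
  const gens = [];

  function* link(i) {
    yield;                       // first next(): creation path, suspend here
    if (i + 1 < gens.length) {   // later next(): resume path, recurse deeper
      gens[i + 1].next();
    }
    return i;
  }

  // Create and prime every generator while the stack is still shallow, so the
  // only deep recursion happens inside resumed generator bodies.
  for (let i = 0; i < count; i++) gens.push(link(i));
  for (const g of gens) g.next();

  try {
    gens[0].next();              // start the resume-only chain
    return { overflow: false, depth: count };
  } catch (e) {
    // A dominating stack check turns exhaustion into a RangeError the
    // caller can observe and handle.
    return { overflow: e instanceof RangeError, depth: count, error: e.constructor.name };
  }
}

// A short chain runs to completion; a chain deeper than the stack is stopped
// by the entry stack check with RangeError instead of a native crash.
console.log(resumeOnlyRecursion(10));
console.log(resumeOnlyRecursion(200000));
```

The interesting property is the second call: every frame on the stack at the moment of exhaustion belongs to a generator that was entered through ResumeGenerator, never through the creation branch, so only a check that runs before SwitchOnGeneratorState can bound this recursion.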
-rw-r--r-- | chromium/v8/src/interpreter/bytecode-generator.cc | 6 |
1 file changed, 3 insertions, 3 deletions
diff --git a/chromium/v8/src/interpreter/bytecode-generator.cc b/chromium/v8/src/interpreter/bytecode-generator.cc index 4d0638a7292..be79f34adea 100644 --- a/chromium/v8/src/interpreter/bytecode-generator.cc +++ b/chromium/v8/src/interpreter/bytecode-generator.cc @@ -1040,6 +1040,9 @@ void BytecodeGenerator::GenerateBytecode(uintptr_t stack_limit) { AllocateTopLevelRegisters(); + // Perform a stack-check before the body. + builder()->StackCheck(info()->literal()->start_position()); + if (info()->literal()->CanSuspend()) { BuildGeneratorPrologue(); } @@ -1100,9 +1103,6 @@ void BytecodeGenerator::GenerateBytecodeBody() { // Emit initializing assignments for module namespace imports (if any). VisitModuleNamespaceImports(); - // Perform a stack-check before the body. - builder()->StackCheck(info()->literal()->start_position()); - // The derived constructor case is handled in VisitCallSuper. if (IsBaseConstructor(function_kind()) && info()->literal()->requires_instance_fields_initializer()) { |
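Review bot: in the first hunk (GenerateBytecode), the moved comment "// Perform a stack-check before the body." no longer states the constraint that matters: the check is placed ahead of the `if (info()->literal()->CanSuspend()) { BuildGeneratorPrologue(); }` block precisely so that it dominates SwitchOnGeneratorState and every resume branch, and a later refactor that reorders these two statements would silently reintroduce the unchecked resume paths. Suggest rewording the comment to say so, e.g. "// Emit the stack check first so it dominates every path, including generator resumes; it must stay ahead of BuildGeneratorPrologue()." It is also worth noting in the commit message that the check now precedes VisitModuleNamespaceImports() and the derived-constructor handling in GenerateBytecodeBody(), which is intended but is a behaviour change for non-generator functions as well.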
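Review bot: in the second hunk (GenerateBytecodeBody), removing the StackCheck means any caller of GenerateBytecodeBody() other than GenerateBytecode() would now emit a body with no stack check at all; the hunk does not show the call sites, so please confirm GenerateBytecode() is the only one, or leave a one-line comment at this spot recording that the check moved to GenerateBytecode() before the generator prologue. Separately, the diffstat shows only bytecode-generator.cc touched: relocating the StackCheck shifts the offsets of every function's bytecode, so if this tree carries V8's bytecode expectation files or a regression test for the resume path, they need the same update the upstream CL at https://chromium-review.googlesource.com/c/v8/v8/+/1903440 made; if they are intentionally not backported, say so in the message.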