diff options
| author | Leszek Swirski <leszeks@chromium.org> | 2020-10-29 21:47:46 +0100 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-11-03 21:31:20 +0000 |
| commit | 938ca813d55ecf2c2ae06ebccb5b6e9a0aed73c9 (patch) | |
| tree | 235474fb22380b4e1461479edf2bee2741086816 | |
| parent | 860b9f7f0ce585ce6c75d44206e10d9040cea5ba (diff) | |
| download | qtwebengine-chromium-938ca813d55ecf2c2ae06ebccb5b6e9a0aed73c9.tar.gz | |
[Backport] CVE-2020-16009: Inappropriate implementation in V8
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2507715:
[map] Try to in-place transition during map update
When searching for a target map during map update, attempt to
update field representations in-place to the more general
representation, where possible.
Bug: chromium:1143772
Change-Id: I6a43c94910a1d2d8f8b0ad89048f94b51461f76c
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70887}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/v8/src/objects/map-updater.cc | 12 | ||||
| -rw-r--r-- | chromium/v8/src/objects/map.cc | 1 |
2 files changed, 12 insertions, 1 deletions
diff --git a/chromium/v8/src/objects/map-updater.cc b/chromium/v8/src/objects/map-updater.cc index 8c9b94014f8..4ea69120d14 100644 --- a/chromium/v8/src/objects/map-updater.cc +++ b/chromium/v8/src/objects/map-updater.cc @@ -401,7 +401,17 @@ MapUpdater::State MapUpdater::FindTargetMap() { } Representation tmp_representation = tmp_details.representation(); if (!old_details.representation().fits_into(tmp_representation)) { - break; + // Try updating the field in-place to a generalized type. + Representation generalized = + tmp_representation.generalize(old_details.representation()); + if (!tmp_representation.CanBeInPlaceChangedTo(generalized)) { + break; + } + Handle<Map> field_owner(tmp_map->FindFieldOwner(isolate_, i), isolate_); + tmp_representation = generalized; + GeneralizeField(field_owner, i, tmp_details.constness(), + tmp_representation, + handle(tmp_descriptors->GetFieldType(i), isolate_)); } if (tmp_details.location() == kField) { diff --git a/chromium/v8/src/objects/map.cc b/chromium/v8/src/objects/map.cc index 2dc288628c8..1799cff1a22 100644 --- a/chromium/v8/src/objects/map.cc +++ b/chromium/v8/src/objects/map.cc @@ -609,6 +609,7 @@ void Map::DeprecateTransitionTree(Isolate* isolate) { transitions.GetTarget(i).DeprecateTransitionTree(isolate); } DCHECK(!constructor_or_backpointer().IsFunctionTemplateInfo()); + DCHECK(CanBeDeprecated()); set_is_deprecated(true); if (FLAG_trace_maps) { LOG(isolate, MapEvent("Deprecate", handle(*this, isolate), Handle<Map>())); |