From 4e2a01d1dc431582fa580aa44f796d4a262b5549 Mon Sep 17 00:00:00 2001 From: Tobias Tebbi Date: Wed, 15 Feb 2023 16:35:18 +0100 Subject: [Backport] Security bug 1417585 Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/4296377: check if maps become deprecated during optimization M102 merge issues: codegen/bailout-reason.h: Conflicting entries and indent level for BAILOUT_MESSAGES_LIST Bug: chromium:1417585 Change-Id: Ie8eb76d2afb3ee4be66cf5d1c4bff8f745dc145b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4255648 Commit-Queue: Tobias Tebbi Cr-Commit-Position: refs/heads/main@{#85848} (cherry picked from commit f82d802a20aa62e42269f977302f26c5c3ed031b) Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468620 Reviewed-by: Michal Klocek
---
 chromium/v8/src/codegen/bailout-reason.h | 1 +
 chromium/v8/src/compiler/pipeline.cc | 22 +++++++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/chromium/v8/src/codegen/bailout-reason.h b/chromium/v8/src/codegen/bailout-reason.h
index c99730d1c78..5babb1ed2a7 100644
--- a/chromium/v8/src/codegen/bailout-reason.h
+++ b/chromium/v8/src/codegen/bailout-reason.h
@@ -95,6 +95,7 @@ namespace internal {
 V(kNoReason, "no reason") \
 \
 V(kBailedOutDueToDependencyChange, "Bailed out due to dependency change") \
+ V(kConcurrentMapDeprecation, "Maps became deprecated during optimization")\
 V(kCodeGenerationFailed, "Code generation failed") \
 V(kCyclicObjectStateDetectedInEscapeAnalysis, \
 "Cyclic object state detected by escape analysis") \
diff --git a/chromium/v8/src/compiler/pipeline.cc b/chromium/v8/src/compiler/pipeline.cc
index a71427f5682..2aa9fc3d5d8 100644
--- a/chromium/v8/src/compiler/pipeline.cc
+++ b/chromium/v8/src/compiler/pipeline.cc
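Review bot: The added `V(kConcurrentMapDeprecation, ...)` line is out of step with its neighbours in two ways: the surrounding entries are in alphabetical order (`kCodeGenerationFailed` sorts before `kConcurrentMapDeprecation`, `kCyclicObjectStateDetectedInEscapeAnalysis` after), and it drops the space before the trailing backslash that every sibling line carries, which is the very alignment conflict the commit message reports for this list. Moving the entry one line down and writing `V(kConcurrentMapDeprecation, "Maps became deprecated during optimization") \` keeps the macro list consistent and makes the next backport of this list merge cleanly. Whether the enumerator order matters beyond readability I cannot tell from the hunk; if nothing persists the numeric values, the reorder is cosmetic and safe.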
@@ -701,7 +701,10 @@ class PipelineImpl final {
 // Step D. Run the code finalization pass.
 MaybeHandle FinalizeCode(bool retire_broker = true);
 
- // Step E. Install any code dependencies.
+ // Step E. Ensure all embedded maps are non-deprecated.
+ bool CheckNoDeprecatedMaps(Handle code);
+
+ // Step F. Install any code dependencies.
 bool CommitDependencies(Handle code);
 
 void VerifyGeneratedCodeIsIdempotent();
@@ -1237,6 +1240,9 @@ PipelineCompilationJob::Status PipelineCompilationJob::FinalizeJobImpl(
 }
 return FAILED;
 }
+ if (!pipeline_.CheckNoDeprecatedMaps(code)) {
+ return RetryOptimization(BailoutReason::kConcurrentMapDeprecation);
+ }
 if (!pipeline_.CommitDependencies(code)) {
 return RetryOptimization(BailoutReason::kBailedOutDueToDependencyChange);
 }
@@ -3686,6 +3692,20 @@ MaybeHandle PipelineImpl::GenerateCode(CallDescriptor* call_descriptor) {
 return FinalizeCode();
 }
 
+// We must not embed deprecated maps, as we rely in the compiler on all explicit
+// maps not being deprecated.
+bool PipelineImpl::CheckNoDeprecatedMaps(Handle code) {
+ int mode_mask = RelocInfo::EmbeddedObjectModeMask();
+ for (RelocIterator it(*code, mode_mask); !it.done(); it.next()) {
+ DCHECK(RelocInfo::IsEmbeddedObjectMode(it.rinfo()->rmode()));
+ HeapObject obj = it.rinfo()->target_object(data_->isolate());
+ if (obj.IsMap() && Map::cast(obj).is_deprecated()) {
+ return false;
+ }
+ }
+ return true;
+}
+
 bool PipelineImpl::CommitDependencies(Handle code) {
 return data_->dependencies() == nullptr ||
 data_->dependencies()->Commit(code);
-- cgit v1.2.1
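Review bot: The new `CheckNoDeprecatedMaps` call in `FinalizeJobImpl` has no comment saying why it must run before `CommitDependencies` and why the outcome is a retry rather than a failure, so a reader of this path cannot tell that it guards against a map being deprecated on the main thread while the concurrent compile was embedding it. I would add above the new `if`: `// Maps embedded during the concurrent compile may have been deprecated since; the generated code's map assumptions are then unsound, so retry instead of installing it.` Ordering the check ahead of `CommitDependencies` also avoids committing dependencies for code that is about to be discarded, which is worth a word in the same comment. The body of `FinalizeJobImpl` begins and continues outside the hunk.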
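Review bot: `CheckNoDeprecatedMaps` only inspects objects reachable through the code's relocation entries selected by `EmbeddedObjectModeMask()`, so a deprecated map that the generated code relies on but that is not itself a relocation target (for example the map of a non-map embedded constant, or map references held outside the instruction stream) would pass the check; whether such references exist in this pipeline I cannot tell from the hunk, so the header comment should state the scope explicitly: `// Only maps embedded directly as relocation targets are checked; other map references must be covered by dependencies or by the caller.` The comment should also record what the function assumes about its caller, since it reads `data_->isolate()` and map state without synchronisation and appears to presume it runs on the main thread at finalization after code generation, and that a `false` return leads to a retry of the job rather than a hard failure. As a small style point, `mode_mask` is never reassigned and can be written `const int mode_mask = RelocInfo::EmbeddedObjectModeMask();`.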