Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: cherry-pick fix for 1234764 from v8 #30659

Merged
merged 3 commits into from Aug 30, 2021
Merged

chore: cherry-pick fix for 1234764 from v8 #30659

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d9c5aba
chore: cherry-pick fix for 1234764 from v8 (#30587)
zcbenz Aug 23, 2021
3a8fbd3
Update .patches
zcbenz Aug 23, 2021
11edc69
chore: update patches
patchup[bot] Aug 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions patches/v8/.patches
View file
Open in desktop
Expand Up @@ -35,3 +35,4 @@ cherry-pick-fd8cbdf7b888.patch
cherry-pick-fd9ce58ecd13.patch
merged_json_fix_gc_issue_in_buildjsonobject.patch
merged_compiler_fix_a_bug_in.patch
cherry-pick-1234764.patch
43 changes: 43 additions & 0 deletions patches/v8/cherry-pick-1234764.patch
View file
Open in desktop
@@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Georg Neis <neis@chromium.org>
Date: Tue, 10 Aug 2021 09:29:33 +0200
Subject: Merged: [compiler] Harden
JSCallReducer::ReduceArrayIteratorPrototypeNext

Revision: 65b20a0e65e1078f5dd230a5203e231bec790ab4

BUG=chromium:1234764
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=vahl@chromium.org

Change-Id: I45faf253695011092de144c8e29bafac5337adec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3084363
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/branch-heads/9.2@{#53}
Cr-Branched-From: 51238348f95a1f5e0acc321efac7942d18a687a2-refs/heads/9.2.230@{#1}
Cr-Branched-From: 587a04f02ab0487d194b55a7137dc2045e071597-refs/heads/master@{#74656}

diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
index b77094b7e1f0c57552fc7c8d3cea1f9d9ed7a269..a34b33e3a88b72f3ef6ca665f67cf3e9c7fff173 100644
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -5826,11 +5826,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
Node* etrue = effect;
Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
{
- // We know that the {index} is range of the {length} now.
+ // This extra check exists to refine the type of {index} but also to break
+ // an exploitation technique that abuses typer mismatches.
index = etrue = graph()->NewNode(
- common()->TypeGuard(
- Type::Range(0.0, length_access.type.Max() - 1.0, graph()->zone())),
- index, etrue, if_true);
+ simplified()->CheckBounds(p.feedback(),
+ CheckBoundsFlag::kAbortOnOutOfBounds),
+ index, length, etrue, if_true);

done_true = jsgraph()->FalseConstant();
if (iteration_kind == IterationKind::kKeys) {