From 80dc038baec09a1c38c40ff6f3f42ebfc54cb86e Mon Sep 17 00:00:00 2001
From: Cheng Zhao
Date: Mon, 23 Aug 2021 17:06:57 +0900
Subject: [PATCH 1/3] chore: cherry-pick fix for 1234764 from v8 (#30587)

* chore: cherry-pick fix for 1234764 from v8

* chore: update patches

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
---
 patches/v8/.patches | 4 +++
 patches/v8/cherry-pick-1234764.patch | 43 ++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 patches/v8/cherry-pick-1234764.patch

diff --git a/patches/v8/.patches b/patches/v8/.patches
index c6f32a6065331..b23702073c262 100644
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -26,3 +26,7 @@ cherry-pick-b9ad6a864c79.patch
 cherry-pick-50de6a8ddad9.patch
 cherry-pick-e76178b896f2.patch
 merged_compiler_fix_a_bug_in.patch
+cherry-pick-e38d55313ad9.patch
+cherry-pick-1234770.patch
+cherry-pick-1231950.patch
+cherry-pick-1234764.patch
diff --git a/patches/v8/cherry-pick-1234764.patch b/patches/v8/cherry-pick-1234764.patch
new file mode 100644
index 0000000000000..598dee0f62ea7
--- /dev/null
+++ b/patches/v8/cherry-pick-1234764.patch
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Georg Neis
+Date: Tue, 10 Aug 2021 09:29:33 +0200
+Subject: Merged: [compiler] Harden
+ JSCallReducer::ReduceArrayIteratorPrototypeNext
+
+Revision: 65b20a0e65e1078f5dd230a5203e231bec790ab4
+
+BUG=chromium:1234764
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
+R=vahl@chromium.org
+
+Change-Id: I45faf253695011092de144c8e29bafac5337adec
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3084363
+Reviewed-by: Lutz Vahl
+Commit-Queue: Georg Neis
+Cr-Commit-Position: refs/branch-heads/9.2@{#53}
+Cr-Branched-From: 51238348f95a1f5e0acc321efac7942d18a687a2-refs/heads/9.2.230@{#1}
+Cr-Branched-From: 587a04f02ab0487d194b55a7137dc2045e071597-refs/heads/master@{#74656}
+
+diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
+index bb7a11d16dc70ef5747b3c0b9f1d99acb0be7adf..459c7fcfab156026f383abe086646e1046abd5cc 100644
+--- a/src/compiler/js-call-reducer.cc
++++ b/src/compiler/js-call-reducer.cc
+@@ -5947,11 +5947,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
+ Node* etrue = effect;
+ Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
+ {
+- // We know that the {index} is range of the {length} now.
++ // This extra check exists to refine the type of {index} but also to break
++ // an exploitation technique that abuses typer mismatches.
+ index = etrue = graph()->NewNode(
+- common()->TypeGuard(
+- Type::Range(0.0, length_access.type.Max() - 1.0, graph()->zone())),
+- index, etrue, if_true);
++ simplified()->CheckBounds(p.feedback(),
++ CheckBoundsFlag::kAbortOnOutOfBounds),
++ index, length, etrue, if_true);
+
+ done_true = jsgraph()->FalseConstant();
+ if (iteration_kind == IterationKind::kKeys) {

From e594a3734a31a36a9eee1299787022835f0a6674 Mon Sep 17 00:00:00 2001
From: Cheng Zhao
Date: Mon, 23 Aug 2021 17:17:46 +0900
Subject: [PATCH 2/3] Update .patches

---
 patches/v8/.patches | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/patches/v8/.patches b/patches/v8/.patches
index b23702073c262..9b2a80e7212f3 100644
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -26,7 +26,4 @@ cherry-pick-b9ad6a864c79.patch
 cherry-pick-50de6a8ddad9.patch
 cherry-pick-e76178b896f2.patch
 merged_compiler_fix_a_bug_in.patch
-cherry-pick-e38d55313ad9.patch
-cherry-pick-1234770.patch
-cherry-pick-1231950.patch
 cherry-pick-1234764.patch

From b41e50514afdba232e47a907de8f72ec4d421b81 Mon Sep 17 00:00:00 2001
From: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Date: Mon, 23 Aug 2021 08:27:25 +0000
Subject: [PATCH 3/3] chore: update patches

---
 patches/v8/cherry-pick-1234764.patch | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/patches/v8/cherry-pick-1234764.patch b/patches/v8/cherry-pick-1234764.patch
index 598dee0f62ea7..f38621aa1111b 100644
--- a/patches/v8/cherry-pick-1234764.patch
+++ b/patches/v8/cherry-pick-1234764.patch
@@ -21,10 +21,10 @@ Cr-Branched-From: 51238348f95a1f5e0acc321efac7942d18a687a2-refs/heads/9.2.230@{#
 Cr-Branched-From: 587a04f02ab0487d194b55a7137dc2045e071597-refs/heads/master@{#74656}
 
 diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
-index bb7a11d16dc70ef5747b3c0b9f1d99acb0be7adf..459c7fcfab156026f383abe086646e1046abd5cc 100644
+index 2c7b6788953092ffb3cf6fa75501dcbb02dce581..56f0ca99e252e715c9792222f95397950a451149 100644
 --- a/src/compiler/js-call-reducer.cc
 +++ b/src/compiler/js-call-reducer.cc
-@@ -5947,11 +5947,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
+@@ -5854,11 +5854,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
  Node* etrue = effect;
  Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
  {