Home Explore 引导页 在线工具 Blog
Register Sign In
Pchen0
/
electron
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

chore: cherry-pick fix for 1234764 from v8 (#30659)

* chore: cherry-pick fix for 1234764 from v8 (#30587)

* chore: cherry-pick fix for 1234764 from v8

* chore: update patches

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>

* Update .patches

* chore: update patches

Co-authored-by: Cheng Zhao <[email protected]>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
trop[bot] 3 years ago
parent
585eea3f30
commit
de5a1d1158
2 changed files with 44 additions and 0 deletions
Split View Show Diff Stats
  1. 1 0
      patches/v8/.patches
  2. 43 0
      patches/v8/cherry-pick-1234764.patch

+ 1 - 0
patches/v8/.patches
View File 

@@ -35,3 +35,4 @@ cherry-pick-fd8cbdf7b888.patch
 
 cherry-pick-fd9ce58ecd13.patch
 
 merged_json_fix_gc_issue_in_buildjsonobject.patch
 
 merged_compiler_fix_a_bug_in.patch
 
+cherry-pick-1234764.patch

+ 43 - 0
patches/v8/cherry-pick-1234764.patch
View File 

@@ -0,0 +1,43 @@
 
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 
+From: Georg Neis <[email protected]>
 
+Date: Tue, 10 Aug 2021 09:29:33 +0200
 
+Subject: Merged: [compiler] Harden
 
+ JSCallReducer::ReduceArrayIteratorPrototypeNext
 
+
 
+Revision: 65b20a0e65e1078f5dd230a5203e231bec790ab4
 
+
 
+BUG=chromium:1234764
 
+NOTRY=true
 
+NOPRESUBMIT=true
 
+NOTREECHECKS=true
 
[email protected]
 
+
 
+Change-Id: I45faf253695011092de144c8e29bafac5337adec
 
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3084363
 
+Reviewed-by: Lutz Vahl <[email protected]>
 
+Commit-Queue: Georg Neis <[email protected]>
 
+Cr-Commit-Position: refs/branch-heads/9.2@{#53}
 
+Cr-Branched-From: 51238348f95a1f5e0acc321efac7942d18a687a2-refs/heads/9.2.230@{#1}
 
+Cr-Branched-From: 587a04f02ab0487d194b55a7137dc2045e071597-refs/heads/master@{#74656}
 
+
 
+diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
 
+index b77094b7e1f0c57552fc7c8d3cea1f9d9ed7a269..a34b33e3a88b72f3ef6ca665f67cf3e9c7fff173 100644
 
+--- a/src/compiler/js-call-reducer.cc
 
++++ b/src/compiler/js-call-reducer.cc
 
+@@ -5826,11 +5826,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
 
+   Node* etrue = effect;
 
+   Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
 
+   {
 
+-    // We know that the {index} is range of the {length} now.
 
++    // This extra check exists to refine the type of {index} but also to break
 
++    // an exploitation technique that abuses typer mismatches.
 
+     index = etrue = graph()->NewNode(
 
+-        common()->TypeGuard(
 
+-            Type::Range(0.0, length_access.type.Max() - 1.0, graph()->zone())),
 
+-        index, etrue, if_true);
 
++        simplified()->CheckBounds(p.feedback(),
 
++                                  CheckBoundsFlag::kAbortOnOutOfBounds),
 
++        index, length, etrue, if_true);
 
+ 
+     done_true = jsgraph()->FalseConstant();
 
+     if (iteration_kind == IterationKind::kKeys) {