Skip to content

Commit

Permalink
[Backport] Security bug 1195331
Browse files Browse the repository at this point in the history
Reland "M86-LTS: [const-tracking] Ensure map is updated before generalizing constness"

This reverts commit 4b4ad58888faf938a76e0d792c3c3a639c79e2e4.

M86 merge conflicts and resolution:
* src/objects/map-updater.cc
  Map::instance_descriptor with kRelaxedLoad dispatcher was introduced after
  8.6 branch: https://crrev.com/c/2424130. Before the patch
  Map::instance_descriptor without distpacher was used. Do the same
  here.
* test/mjsunit/regress/regress-crbug-1195331.js
  HasOwnConstDataProperty did not exist in 8.6. Add it from
  https://crrev.com/c/2566757.

Original change's description:
> Revert "M86-LTS: [const-tracking] Ensure map is updated before generalizing constness"
>
> This reverts commit 69a043b410ff83f31ceba23eab410163403c1db0.
>
> Reason for revert: causes compilation errors. kRelaxedLoad is missing.
>
> Original change's description:
> > M86-LTS: [const-tracking] Ensure map is updated before generalizing constness
> >
> > Revision: db2acd7a046d42a8013da76c3f47d2970cef5447
> >
> > BUG=chromium:1195331
> > NOTRY=true
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > R=​​leszeks@chromium.org
> >
> > (cherry picked from commit 5a0dd788cdae65bbfa37fbbd47a5e5dde15dd894)
> >
> > Change-Id: I7ce1b36b8860a49838d208bc7857021e03f83916
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831474
> > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > Cr-Original-Commit-Position: refs/branch-heads/9.0@{#37}
> > Cr-Original-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
> > Cr-Original-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2850705
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
> > Commit-Queue: Artem Sumaneev <asumaneev@google.com>
> > Cr-Commit-Position: refs/branch-heads/8.6@{#82}
> > Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
> > Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
>
> Bug: chromium:1195331
> Change-Id: Id7170c30d67329b784e9a283c0171fed010970dc
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2853588
> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Commit-Queue: Artem Sumaneev <asumaneev@google.com>
> Cr-Commit-Position: refs/branch-heads/8.6@{#84}
> Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
> Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}

No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1195331
Change-Id: Ie103a7795893860c4c4834eefe9dc327c5c46d19
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Commit-Queue: Victor-Gabriel Savu <vsavu@google.com>
Cr-Commit-Position: refs/branch-heads/8.6@{#93}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
  • Loading branch information
Artem Sumaneev authored and mibrunin committed May 28, 2021
1 parent 96953e1 commit 9827f0c
Show file tree
Hide file tree
Showing 3 changed files with 42 additions and 4 deletions.
17 changes: 13 additions & 4 deletions chromium/v8/src/objects/map-updater.cc
Original file line number Diff line number Diff line change
Expand Up @@ -135,11 +135,20 @@ Handle<Map> MapUpdater::ReconfigureToDataField(InternalIndex descriptor,
if (old_details.constness() == PropertyConstness::kConst &&
old_details.location() == kField &&
old_details.attributes() != new_attributes_) {
// Ensure we'll be updating constness of the up-to-date version of old_map_.
Handle<Map> old_map = Map::Update(isolate_, old_map_);
PropertyDetails details =
old_map->instance_descriptors().GetDetails(descriptor);
Handle<FieldType> field_type(
old_descriptors_->GetFieldType(modified_descriptor_), isolate_);
Map::GeneralizeField(isolate_, old_map_, descriptor,
PropertyConstness::kMutable,
old_details.representation(), field_type);
old_map->instance_descriptors().GetFieldType(descriptor),
isolate_);
Map::GeneralizeField(isolate_, old_map, descriptor,
PropertyConstness::kMutable, details.representation(),
field_type);
DCHECK_EQ(PropertyConstness::kMutable,
old_map->instance_descriptors()
.GetDetails(descriptor)
.constness());
// The old_map_'s property must become mutable.
// Note, that the {old_map_} and {old_descriptors_} are not expected to be
// updated by the generalization if the map is already deprecated.
Expand Down
28 changes: 28 additions & 0 deletions chromium/v8/src/runtime/runtime-object.cc
Original file line number Diff line number Diff line change
Expand Up @@ -357,6 +357,34 @@ RUNTIME_FUNCTION(Runtime_ObjectHasOwnProperty) {
return ReadOnlyRoots(isolate).false_value();
}

RUNTIME_FUNCTION(Runtime_HasOwnConstDataProperty) {
HandleScope scope(isolate);
DCHECK_EQ(2, args.length());
CONVERT_ARG_HANDLE_CHECKED(Object, object, 0);
CONVERT_ARG_HANDLE_CHECKED(Object, property, 1);

bool success;
LookupIterator::Key key(isolate, property, &success);
if (!success) return ReadOnlyRoots(isolate).undefined_value();

if (object->IsJSObject()) {
Handle<JSObject> js_obj = Handle<JSObject>::cast(object);
LookupIterator it(isolate, js_obj, key, js_obj, LookupIterator::OWN);

switch (it.state()) {
case LookupIterator::NOT_FOUND:
return isolate->heap()->ToBoolean(false);
case LookupIterator::DATA:
return isolate->heap()->ToBoolean(it.constness() ==
PropertyConstness::kConst);
default:
return ReadOnlyRoots(isolate).undefined_value();
}
}

return ReadOnlyRoots(isolate).undefined_value();
}

RUNTIME_FUNCTION(Runtime_AddDictionaryProperty) {
HandleScope scope(isolate);
Handle<JSObject> receiver = args.at<JSObject>(0);
Expand Down
1 change: 1 addition & 0 deletions chromium/v8/src/runtime/runtime.h
Original file line number Diff line number Diff line change
Expand Up @@ -487,6 +487,7 @@ namespace internal {
F(HasElementsInALargeObjectSpace, 1, 1) \
F(HasFastElements, 1, 1) \
F(HasFastProperties, 1, 1) \
F(HasOwnConstDataProperty, 2, 1) \
F(HasFixedBigInt64Elements, 1, 1) \
F(HasFixedBigUint64Elements, 1, 1) \
F(HasFixedFloat32Elements, 1, 1) \
Expand Down

0 comments on commit 9827f0c

Please sign in to comment.