[Backport] CVE-2023-3079: Type Confusion in V8
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4590637:
Fix store handler selection for arguments objects

M108 merge issues:
src/diagnostics/objects-printer.cc:
  Type conflicts for the handler variable, and
  the IsWeakFixedArray() check isn't present in 108; kept
  the code changes from the fix.

Drive-by: fix printing of handlers in --trace-feedback-updates mode.

(cherry picked from commit e144f3b71e64e01d6ffd247eb15ca1ff56f6287b)

Bug: chromium:1450481
Change-Id: I1c0084701f7f8959da508481cab7a81a2bca3c8d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4584248
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#88021}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4590637
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/branch-heads/10.8@{#66}
Cr-Branched-From: f1bc03fd6b4c201abd9f0fd9d51fb989150f97b9-refs/heads/10.8.168@{#1}
Cr-Branched-From: 237de893e1c0a0628a57d0f5797483d3add7f005-refs/heads/main@{#83672}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/487335
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
isheludko authored and mibrunin committed Jun 22, 2023
1 parent a41f9a7 commit b3fbbb6
Showing 5 changed files with 39 additions and 5 deletions.
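--- a/chromium/v8/src/diagnostics/objects-printer.cc
+++ b/chromium/v8/src/diagnostics/objects-printer.cc
@@ -980,14 +980,32 @@ void FeedbackNexus::Print(std::ostream& os) { // NOLINT
     case FeedbackSlotKind::kStoreGlobalSloppy:
     case FeedbackSlotKind::kStoreGlobalStrict:
     case FeedbackSlotKind::kStoreInArrayLiteral:
+    case FeedbackSlotKind::kStoreOwnNamed: {
+      os << InlineCacheState2String(ic_state());
+      break;
+    }
     case FeedbackSlotKind::kStoreKeyedSloppy:
     case FeedbackSlotKind::kStoreKeyedStrict:
     case FeedbackSlotKind::kStoreNamedSloppy:
-    case FeedbackSlotKind::kStoreNamedStrict:
-    case FeedbackSlotKind::kStoreOwnNamed: {
+    case FeedbackSlotKind::kStoreNamedStrict: {
       os << InlineCacheState2String(ic_state());
+      if (ic_state() == InlineCacheState::MONOMORPHIC) {
+        HeapObject feedback = GetFeedback().GetHeapObject();
+        HeapObject feedback_extra = GetFeedbackExtra().GetHeapObject();
+        if (feedback.IsName()) {
+          os << " with name " << Brief(feedback);
+          WeakFixedArray array = WeakFixedArray::cast(feedback_extra);
+          os << "\n " << Brief(array.Get(0)) << ": ";
+          Object handler = array.Get(1).GetHeapObjectOrSmi();
+          StoreHandler::PrintHandler(handler, os);
+        } else {
+          os << "\n " << Brief(feedback) << ": ";
+          StoreHandler::PrintHandler(feedback_extra, os);
+        }
+      }
       break;
     }
+
     case FeedbackSlotKind::kBinaryOp: {
       os << "BinaryOp:" << GetBinaryOperationFeedback();
       break;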
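Review bot: `WeakFixedArray::cast(feedback_extra)` in the `feedback.IsName()` branch is unguarded, and the description says the `IsWeakFixedArray()` check from the upstream patch was dropped for this branch. As far as I know V8's `cast` only verifies the type under slow DCHECKs, so in a release build running with --trace-feedback-updates a feedback-extra slot of another shape would likely be read as a WeakFixedArray and printed from the wrong offsets. Guarding with `if (feedback.IsName() && feedback_extra.IsWeakFixedArray())` if that predicate exists on this branch, or otherwise a `// TODO: restore the IsWeakFixedArray() check dropped in the M108 backport` comment, would record the gap for the next merge. `FeedbackNexus::Print` continues outside the hunk.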
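--- a/chromium/v8/src/ic/handler-configuration.cc
+++ b/chromium/v8/src/ic/handler-configuration.cc
@@ -503,6 +503,9 @@ void StoreHandler::PrintHandler(Object handler, std::ostream& os) {
     os << "StoreHandler(Smi)(";
     PrintSmiStoreHandler(raw_handler, os);
     os << ")" << std::endl;
+  } else if (handler.IsMap()) {
+    os << "StoreHandler(field transition to " << Brief(handler) << ")"
+       << std::endl;
   } else {
     os << "StoreHandler(";
     StoreHandler store_handler = StoreHandler::cast(handler);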
14 changes: 11 additions & 3 deletions chromium/v8/src/ic/ic.cc
Expand Up @@ -2025,9 +2025,17 @@ Handle<Object> KeyedStoreIC::StoreElementHandler(
receiver_map->has_sealed_elements() ||
receiver_map->has_nonextensible_elements() ||
receiver_map->has_typed_array_elements()) {
// TODO(jgruber): Update counter name.
TRACE_HANDLER_STATS(isolate(), KeyedStoreIC_StoreFastElementStub);
code = CodeFactory::StoreFastElementIC(isolate(), store_mode).code();
if (receiver_map->has_typed_array_elements()) return code;
if (receiver_map->IsJSArgumentsObjectMap() &&
receiver_map->has_fast_packed_elements()) {
// Allow fast behaviour for in-bounds stores while making it miss and
// properly handle the out of bounds store case.
code = CodeFactory::StoreFastElementIC(isolate(), STANDARD_STORE).code();
} else {
code = CodeFactory::StoreFastElementIC(isolate(), store_mode).code();
if (receiver_map->has_typed_array_elements()) return code;
}
} else if (IsStoreInArrayLiteralICKind(kind())) {
// TODO(jgruber): Update counter name.
TRACE_HANDLER_STATS(isolate(), StoreInArrayLiteralIC_SlowStub);
Expand All @@ -2037,7 +2045,7 @@ Handle<Object> KeyedStoreIC::StoreElementHandler(
TRACE_HANDLER_STATS(isolate(), KeyedStoreIC_StoreElementStub);
DCHECK(DICTIONARY_ELEMENTS == receiver_map->elements_kind() ||
receiver_map->has_frozen_elements());
code = StoreHandler::StoreSlow(isolate(), store_mode);
return StoreHandler::StoreSlow(isolate(), store_mode);
}

if (IsStoreInArrayLiteralICKind(kind())) return code;
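Review bot: The new `receiver_map->has_fast_packed_elements()` guard in the first hunk limits the `STANDARD_STORE` fallback to packed arguments-object maps, but nothing records why a holey arguments-object map may keep taking the generic `store_mode` path below it; a one-line comment giving that reason next to the condition would keep a later backporter from widening or narrowing the check by accident. The backport also carries no regression test for the out-of-bounds store on an arguments object; if the upstream CL shipped an mjsunit test, cherry-picking it with this change would pin the fix on the 10.8 branch. In the second hunk, `return StoreHandler::StoreSlow(isolate(), store_mode);` now skips whatever follows `if (IsStoreInArrayLiteralICKind(kind())) return code;`, which lies outside the hunk, so it is worth confirming the slow handler is meant to bypass that tail. `KeyedStoreIC::StoreElementHandler` begins and ends outside both hunks.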
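--- a/chromium/v8/src/objects/map-inl.h
+++ b/chromium/v8/src/objects/map-inl.h
@@ -510,6 +510,10 @@ bool Map::has_fast_elements() const {
   return IsFastElementsKind(elements_kind());
 }
 
+bool Map::has_fast_packed_elements() const {
+  return IsFastPackedElementsKind(elements_kind());
+}
+
 bool Map::has_sloppy_arguments_elements() const {
   return IsSloppyArgumentsElementsKind(elements_kind());
 }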
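--- a/chromium/v8/src/objects/map.h
+++ b/chromium/v8/src/objects/map.h
@@ -405,6 +405,7 @@ class Map : public HeapObject {
   inline bool has_fast_smi_or_object_elements() const;
   inline bool has_fast_double_elements() const;
   inline bool has_fast_elements() const;
+  inline bool has_fast_packed_elements() const;
   inline bool has_sloppy_arguments_elements() const;
   inline bool has_fast_sloppy_arguments_elements() const;
   inline bool has_fast_string_wrapper_elements() const;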
