chore: cherry-pick 619083c7d8 from v8 (#28904)

2026-04-10 03:01:51 -04:00 · 2021-04-28 19:26:10 +02:00
parent b2fe673d6c
commit 8c87d0d3bb
2 changed files with 95 additions and 0 deletions
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -14,3 +14,4 @@ patch_profiler_allow_empty_source_url_for_asm_modules.patch
 cherry-pick-512cd5e179f4.patch
 merged_squashed_multiple_commits.patch
 merged_compiler_fix_a_bug_in_visitspeculativeintegeradditiveop.patch
+merged_turbofan_harden_arrayprototypepop_and_arrayprototypeshift.patch
--- a/patches/v8/merged_turbofan_harden_arrayprototypepop_and_arrayprototypeshift.patch
+++ b/patches/v8/merged_turbofan_harden_arrayprototypepop_and_arrayprototypeshift.patch
@@ -0,0 +1,94 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Georg Neis <neis@chromium.org>
+Date: Sun, 18 Apr 2021 09:46:25 +0200
+Subject: Merged: [turbofan] Harden ArrayPrototypePop and ArrayPrototypeShift
+
+Revision: d4aafa4022b718596b3deadcc3cdcb9209896154
+
+TBR=glazunov@chromium.org
+BUG=chromium:1198696
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
+
+Change-Id: I1840ffabbed3a3caab75b0abea1d37d9ed446d3f
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2833911
+Reviewed-by: Georg Neis <neis@chromium.org>
+Commit-Queue: Georg Neis <neis@chromium.org>
+Cr-Commit-Position: refs/branch-heads/9.0@{#39}
+Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
+Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
+
+diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
+index 9684086a5d5ec03b366112048bf0cae1386408fc..2c7b6788953092ffb3cf6fa75501dcbb02dce581 100644
+--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
+@@ -5289,24 +5289,31 @@ Reduction JSCallReducer::ReduceArrayPrototypePop(Node* node) {
+       }
+ 
+       // Compute the new {length}.
+-      length = graph()->NewNode(simplified()->NumberSubtract(), length,
+-                                jsgraph()->OneConstant());
+      Node* new_length = graph()->NewNode(simplified()->NumberSubtract(),
+                                          length, jsgraph()->OneConstant());
+
+      // This extra check exists solely to break an exploitation technique
+      // that abuses typer mismatches.
+      new_length = efalse = graph()->NewNode(
+          simplified()->CheckBounds(p.feedback(),
+                                    CheckBoundsFlag::kAbortOnOutOfBounds),
+          new_length, length, efalse, if_false);
+ 
+       // Store the new {length} to the {receiver}.
+       efalse = graph()->NewNode(
+           simplified()->StoreField(AccessBuilder::ForJSArrayLength(kind)),
+-          receiver, length, efalse, if_false);
+          receiver, new_length, efalse, if_false);
+ 
+       // Load the last entry from the {elements}.
+       vfalse = efalse = graph()->NewNode(
+           simplified()->LoadElement(AccessBuilder::ForFixedArrayElement(kind)),
+-          elements, length, efalse, if_false);
+          elements, new_length, efalse, if_false);
+ 
+       // Store a hole to the element we just removed from the {receiver}.
+       efalse = graph()->NewNode(
+           simplified()->StoreElement(
+               AccessBuilder::ForFixedArrayElement(GetHoleyElementsKind(kind))),
+-          elements, length, jsgraph()->TheHoleConstant(), efalse, if_false);
+          elements, new_length, jsgraph()->TheHoleConstant(), efalse, if_false);
+     }
+ 
+     control = graph()->NewNode(common()->Merge(2), if_true, if_false);
+@@ -5480,19 +5487,27 @@ Reduction JSCallReducer::ReduceArrayPrototypeShift(Node* node) {
+         }
+ 
+         // Compute the new {length}.
+-        length = graph()->NewNode(simplified()->NumberSubtract(), length,
+-                                  jsgraph()->OneConstant());
+        Node* new_length = graph()->NewNode(simplified()->NumberSubtract(),
+                                            length, jsgraph()->OneConstant());
+
+        // This extra check exists solely to break an exploitation technique
+        // that abuses typer mismatches.
+        new_length = etrue1 = graph()->NewNode(
+            simplified()->CheckBounds(p.feedback(),
+                                      CheckBoundsFlag::kAbortOnOutOfBounds),
+            new_length, length, etrue1, if_true1);
+ 
+         // Store the new {length} to the {receiver}.
+         etrue1 = graph()->NewNode(
+             simplified()->StoreField(AccessBuilder::ForJSArrayLength(kind)),
+-            receiver, length, etrue1, if_true1);
+            receiver, new_length, etrue1, if_true1);
+ 
+         // Store a hole to the element we just removed from the {receiver}.
+         etrue1 = graph()->NewNode(
+             simplified()->StoreElement(AccessBuilder::ForFixedArrayElement(
+                 GetHoleyElementsKind(kind))),
+-            elements, length, jsgraph()->TheHoleConstant(), etrue1, if_true1);
+            elements, new_length, jsgraph()->TheHoleConstant(), etrue1,
+            if_true1);
+       }
+ 
+       Node* if_false1 = graph()->NewNode(common()->IfFalse(), branch1);