author Joyee Cheung <joyee@igalia.com> 2023-02-14 00:58:04 +0100
committer Michael Brüning <michael.bruning@qt.io> 2023-03-24 14:07:23 +0000
commit 0d63fc949d16f3e37ed7ab43d335b9d81cc6fdf7 (patch)
tree 21f9b943d55785b5fc7317db76bf2b1dea066060
parent a0c7fae43ffc4eb8da280e20bdf5c849df251130 (diff)
download qtwebengine-chromium-0d63fc949d16f3e37ed7ab43d335b9d81cc6fdf7.tar.gz
[Backport] Security bug 1415249
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/4290868:

Merged: [ic] store slow stubs for objects with access checks in DefineNamedIC

The CheckIfCanDefine() used to check the attributes of the object as well as reporting to access check failure callbacks can update the lookup iterator, resulting in wrong store handlers being installed. Restart the lookup iterator in this case to make sure that slow handlers are installed.

Bug: chromium:1415249
(cherry picked from commit da2df213bc70437ef76f47e0ab6995fa45f8014a)
Change-Id: I92d60af7ea798d80b1115e63b7fce8e2e8026ed9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4290868
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/branch-heads/11.0@{#33}
Cr-Branched-From: 06097c6f0c5af54fd5d6965d37027efb72decd4f-refs/heads/11.0.226@{#1}
Cr-Branched-From: 6bf3344f5d9940de1ab253f1817dcb99c641c9d3-refs/heads/main@{#84857}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468618
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- chromium/v8/src/ic/ic.cc | 5
1 file changed, 5 insertions, 0 deletions
diff --git a/chromium/v8/src/ic/ic.cc b/chromium/v8/src/ic/ic.cc
index 1fdf72440a4..b73dbeb263d 100644
--- a/chromium/v8/src/ic/ic.cc
+++ b/chromium/v8/src/ic/ic.cc
@@ -1879,6 +1879,11 @@ MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name> name,
if (can_define.IsNothing() || !can_define.FromJust()) {
return MaybeHandle<Object>();
}
+ // Restart the lookup iterator updated by CheckIfCanDefine() for
+ // UpdateCaches() to handle access checks.
+ if (use_ic && object->IsAccessCheckNeeded()) {
+ it.Restart();
+ }
}
if (use_ic) {
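Review bot: the guard `if (use_ic && object->IsAccessCheckNeeded())` restarts the iterator only for access-checked objects, while the commit message says CheckIfCanDefine() can update the lookup iterator through both the attribute check and the access-check failure callbacks; the added comment should state why the iterator is still valid on the non-access-check path before the following `if (use_ic)` block reuses it, or the restart should be applied whenever `use_ic` is set. The diffstat also shows only ic.cc changed, so this manual backport carries no regression test for chromium:1415249; consider including the test from the upstream change if it has one, so the slow-handler installation for access-checked objects stays covered in this branch.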