authorTobias Tebbi <tebbi@chromium.org>2023-02-15 16:35:18 +0100
committerMichael Brüning <michael.bruning@qt.io>2023-03-24 10:09:36 +0000
commit4e2a01d1dc431582fa580aa44f796d4a262b5549 (patch)
treeaea112c872add61c30d1e40bbc54c4094d1e6588
parent09fea2f30573c1df22c1360e02392e157fb08fd4 (diff)
downloadqtwebengine-chromium-4e2a01d1dc431582fa580aa44f796d4a262b5549.tar.gz
[Backport] Security bug 1417585
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/4296377: check if maps become deprecated during optimization M102 merge issues: codegen/bailout-reason.h: Conflicting entries and indent level for BAILOUT_MESSAGES_LIST Bug: chromium:1417585 Change-Id: Ie8eb76d2afb3ee4be66cf5d1c4bff8f745dc145b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4255648 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/main@{#85848} (cherry picked from commit f82d802a20aa62e42269f977302f26c5c3ed031b) Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468620 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/v8/src/codegen/bailout-reason.h1
-rw-r--r--chromium/v8/src/compiler/pipeline.cc22
2 files changed, 22 insertions, 1 deletions
diff --git a/chromium/v8/src/codegen/bailout-reason.h b/chromium/v8/src/codegen/bailout-reason.h
index c99730d1c78..5babb1ed2a7 100644
--- a/chromium/v8/src/codegen/bailout-reason.h
+++ b/chromium/v8/src/codegen/bailout-reason.h
@@ -95,6 +95,7 @@ namespace internal {
V(kNoReason, "no reason") \
\
V(kBailedOutDueToDependencyChange, "Bailed out due to dependency change") \
+ V(kConcurrentMapDeprecation, "Maps became deprecated during optimization")\
V(kCodeGenerationFailed, "Code generation failed") \
V(kCyclicObjectStateDetectedInEscapeAnalysis, \
"Cyclic object state detected by escape analysis") \
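Review bot: The added entry `V(kConcurrentMapDeprecation, "Maps became deprecated during optimization")\` drops the space before the line-continuation backslash that every neighbouring entry in BAILOUT_MESSAGES_LIST keeps (`") \`). The commit message already mentions indentation conflicts in this list for the merge, so aligning the new line as `V(kConcurrentMapDeprecation, "Maps became deprecated during optimization") \` keeps the macro list uniform and avoids a spurious diff when the next entry is merged.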
diff --git a/chromium/v8/src/compiler/pipeline.cc b/chromium/v8/src/compiler/pipeline.cc
index a71427f5682..2aa9fc3d5d8 100644
--- a/chromium/v8/src/compiler/pipeline.cc
+++ b/chromium/v8/src/compiler/pipeline.cc
@@ -701,7 +701,10 @@ class PipelineImpl final {
// Step D. Run the code finalization pass.
MaybeHandle<Code> FinalizeCode(bool retire_broker = true);
- // Step E. Install any code dependencies.
+ // Step E. Ensure all embedded maps are non-deprecated.
+ bool CheckNoDeprecatedMaps(Handle<Code> code);
+
+ // Step F. Install any code dependencies.
bool CommitDependencies(Handle<Code> code);
void VerifyGeneratedCodeIsIdempotent();
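Review bot: The new declaration `bool CheckNoDeprecatedMaps(Handle<Code> code);` is documented only by the step label `// Step E. Ensure all embedded maps are non-deprecated.`, which says what is scanned but not what the boolean means or what the caller must do with it. A one-line contract would help readers of the header, e.g. `// Returns false if any map embedded in |code| has become deprecated; the code must then not be committed (the caller retries optimization).` The "retries" part is taken from how FinalizeJobImpl uses the result later in this commit, so keep the wording in step with that caller. The PipelineImpl class body continues outside this hunk.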
@@ -1237,6 +1240,9 @@ PipelineCompilationJob::Status PipelineCompilationJob::FinalizeJobImpl(
}
return FAILED;
}
+ if (!pipeline_.CheckNoDeprecatedMaps(code)) {
+ return RetryOptimization(BailoutReason::kConcurrentMapDeprecation);
+ }
if (!pipeline_.CommitDependencies(code)) {
return RetryOptimization(BailoutReason::kBailedOutDueToDependencyChange);
}
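Review bot: The new check `if (!pipeline_.CheckNoDeprecatedMaps(code))` is a point-in-time scan, so it only closes the window if no map can become deprecated between it and `CommitDependencies(code)` on the following line; that presumably holds because finalization and map deprecation happen on the same thread, but nothing in the hunk states that invariant. A comment above the check such as `// Must precede CommitDependencies: no map can be deprecated between the two as both run on the thread that deprecates maps (confirm).` would make the ordering dependency explicit for anyone later reordering these steps. The enclosing FinalizeJobImpl starts outside this hunk.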
@@ -3686,6 +3692,20 @@ MaybeHandle<Code> PipelineImpl::GenerateCode(CallDescriptor* call_descriptor) {
return FinalizeCode();
}
+// We must not embed deprecated maps, as we rely in the compiler on all explicit
+// maps not being deprecated.
+bool PipelineImpl::CheckNoDeprecatedMaps(Handle<Code> code) {
+ int mode_mask = RelocInfo::EmbeddedObjectModeMask();
+ for (RelocIterator it(*code, mode_mask); !it.done(); it.next()) {
+ DCHECK(RelocInfo::IsEmbeddedObjectMode(it.rinfo()->rmode()));
+ HeapObject obj = it.rinfo()->target_object(data_->isolate());
+ if (obj.IsMap() && Map::cast(obj).is_deprecated()) {
+ return false;
+ }
+ }
+ return true;
+}
+
bool PipelineImpl::CommitDependencies(Handle<Code> code) {
return data_->dependencies() == nullptr ||
data_->dependencies()->Commit(code);