author Joyee Cheung <joyee@igalia.com> 2023-02-14 00:58:04 +0100
committer Michael Brüning <michael.bruning@qt.io> 2023-04-03 15:26:08 +0000
commit 21cb014a397abf8af97b2cf62cb8d0a3dc4c098a (patch)
tree d245d783d255d0c5aa0563f3237ca48ae9683c7a
parent a5e7d18ee92782276d29c035885d226de38201c5 (diff)
download qtwebengine-chromium-21cb014a397abf8af97b2cf62cb8d0a3dc4c098a.tar.gz
[Backport] Security bug 1415249
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/4290868:

Merged: [ic] store slow stubs for objects with access checks in DefineNamedIC

The CheckIfCanDefine() used to check the attributes of the object as well as reporting to access check failure callbacks can update the lookup iterator, resulting in wrong store handlers being installed. Restart the lookup iterator in this case to make sure that slow handlers are installed.

Bug: chromium:1415249
(cherry picked from commit da2df213bc70437ef76f47e0ab6995fa45f8014a)
Change-Id: I92d60af7ea798d80b1115e63b7fce8e2e8026ed9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4290868
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/branch-heads/11.0@{#33}
Cr-Branched-From: 06097c6f0c5af54fd5d6965d37027efb72decd4f-refs/heads/11.0.226@{#1}
Cr-Branched-From: 6bf3344f5d9940de1ab253f1817dcb99c641c9d3-refs/heads/main@{#84857}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468511
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- chromium/v8/src/ic/ic.cc | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/chromium/v8/src/ic/ic.cc b/chromium/v8/src/ic/ic.cc
index ae1dde1a8c5..fff21e90bad 100644
--- a/chromium/v8/src/ic/ic.cc
+++ b/chromium/v8/src/ic/ic.cc
@@ -1818,6 +1818,11 @@ MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name> name,
if (!can_define.FromJust()) {
return isolate()->factory()->undefined_value();
}
+ // Restart the lookup iterator updated by CheckIfCanDefine() for
+ // UpdateCaches() to handle access checks.
+ if (use_ic && object->IsAccessCheckNeeded()) {
+ it.Restart();
+ }
}
if (use_ic) {
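Review bot: the new `it.Restart()` is gated on `object->IsAccessCheckNeeded()`, but the commit message says CheckIfCanDefine() can move the iterator both when it checks the object's attributes and when it reports to access-check failure callbacks; unless the attribute path is known to leave `it` untouched, restarting under `use_ic` alone (`if (use_ic) { it.Restart(); }`) is the safer form, since the comment says the restart exists only for the UpdateCaches() call that follows under `use_ic`. The diffstat also shows ic.cc as the only file touched; a regression test that performs a define-property store through this IC on an access-checked object and checks that a slow handler is installed would pin the fix against future changes to CheckIfCanDefine(). Finally, the added comment would be more useful if it said what goes wrong without the restart (the stale iterator leads UpdateCaches() to install a wrong store handler, per the commit message) rather than only that the iterator was updated.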