diff options
| author | Darius M <dmercadier@chromium.org> | 2023-03-27 13:39:50 +0200 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-05-02 08:59:16 +0000 |
| commit | 3441a3e88b0be3c7eab697e564cb72445390d65d (patch) | |
| tree | a6353ac2705f1f20f3ade89ece7caabb4214b5dc | |
| parent | 84f868f86c24f7d19814a72855ea327bdfa775e5 (diff) | |
| download | qtwebengine-chromium-3441a3e88b0be3c7eab697e564cb72445390d65d.tar.gz | |
[Backport] Security bug 1427388
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4370790:
Prevent constant folding of TypeGuard
TypeGuard are used to prevent operations from floating before a
preceding check, and thus shouldn't be constant-folded.
Fixed: chromium:1427388
Change-Id: Ia42d22ce45005d28c3831a16df23f806c3d68522
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4370790
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#86733}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474617
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/v8/src/compiler/constant-folding-reducer.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/constant-folding-reducer.cc b/chromium/v8/src/compiler/constant-folding-reducer.cc index 5e74ba75352..4059e47c2db 100644 --- a/chromium/v8/src/compiler/constant-folding-reducer.cc +++ b/chromium/v8/src/compiler/constant-folding-reducer.cc @@ -66,7 +66,8 @@ ConstantFoldingReducer::~ConstantFoldingReducer() = default; Reduction ConstantFoldingReducer::Reduce(Node* node) { if (!NodeProperties::IsConstant(node) && NodeProperties::IsTyped(node) && node->op()->HasProperty(Operator::kEliminatable) && - node->opcode() != IrOpcode::kFinishRegion) { + node->opcode() != IrOpcode::kFinishRegion && + node->opcode() != IrOpcode::kTypeGuard) { Node* constant = TryGetConstant(jsgraph(), node); if (constant != nullptr) { DCHECK(NodeProperties::IsTyped(constant)); |