diff options
| author | Ulan Degenbaev <ulan@chromium.org> | 2020-01-15 17:49:45 +0100 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-01-16 09:08:16 +0000 |
| commit | 684a48706ad6ba6c52a084bddd846cf20c1b0416 (patch) | |
| tree | 7fe6f6fe78906379bea8a431bf2a33453d1920c6 | |
| parent | f32f09593b6dbd0d7e7f6adbf23e8cda24f7f0e6 (diff) | |
| download | qtwebengine-chromium-684a48706ad6ba6c52a084bddd846cf20c1b0416.tar.gz | |
[Backport] Security bug 1016703
Manual backport of patch:
Merged: [heap]: Make addition of detached contexts robust for GC
Revision: b33a8508ccad452b2581bf1e234b88b8871e6e5f
BUG=chromium:1016703
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org
Change-Id: Ie60d9ebfd19196eb38b4ce00cb56c426dc5120c2
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/v8/src/execution/isolate.cc | 5 | ||||
| -rw-r--r-- | chromium/v8/src/objects/fixed-array.h | 6 | ||||
| -rw-r--r-- | chromium/v8/src/objects/objects.cc | 14 |
3 files changed, 22 insertions, 3 deletions
diff --git a/chromium/v8/src/execution/isolate.cc b/chromium/v8/src/execution/isolate.cc index 6fa6f64769f..b100bd14681 100644 --- a/chromium/v8/src/execution/isolate.cc +++ b/chromium/v8/src/execution/isolate.cc @@ -4570,9 +4570,8 @@ void Isolate::AddDetachedContext(Handle<Context> context) { HandleScope scope(this); Handle<WeakArrayList> detached_contexts = factory()->detached_contexts(); detached_contexts = WeakArrayList::AddToEnd( - this, detached_contexts, MaybeObjectHandle(Smi::kZero, this)); - detached_contexts = WeakArrayList::AddToEnd(this, detached_contexts, - MaybeObjectHandle::Weak(context)); + this, detached_contexts, MaybeObjectHandle(Smi::kZero, this), + MaybeObjectHandle::Weak(context)); heap()->set_detached_contexts(*detached_contexts); } diff --git a/chromium/v8/src/objects/fixed-array.h b/chromium/v8/src/objects/fixed-array.h index ca6f06e83cd..fceccf6d0a9 100644 --- a/chromium/v8/src/objects/fixed-array.h +++ b/chromium/v8/src/objects/fixed-array.h @@ -336,6 +336,12 @@ class WeakArrayList : public HeapObject { Isolate* isolate, Handle<WeakArrayList> array, const MaybeObjectHandle& value); + // A version that adds to elements. This ensures that the elements are + // inserted atomically w.r.t GC. + V8_EXPORT_PRIVATE static Handle<WeakArrayList> AddToEnd( + Isolate* isolate, Handle<WeakArrayList> array, + const MaybeObjectHandle& value1, const MaybeObjectHandle& value2); + inline MaybeObject Get(int index) const; inline MaybeObject Get(Isolate* isolate, int index) const; diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc index 4d0b3c81ab4..57c1fc8930d 100644 --- a/chromium/v8/src/objects/objects.cc +++ b/chromium/v8/src/objects/objects.cc @@ -3958,6 +3958,20 @@ Handle<WeakArrayList> WeakArrayList::AddToEnd(Isolate* isolate, return array; } +Handle<WeakArrayList> WeakArrayList::AddToEnd(Isolate* isolate, + Handle<WeakArrayList> array, + const MaybeObjectHandle& value1, + const MaybeObjectHandle& value2) { + int length = array->length(); + array = EnsureSpace(isolate, array, length + 2); + // Reload length; GC might have removed elements from the array. + length = array->length(); + array->Set(length, *value1); + array->Set(length + 1, *value2); + array->set_length(length + 2); + return array; +} + bool WeakArrayList::IsFull() { return length() == capacity(); } // static |