authorGeorg Neis <neis@chromium.org>2020-02-19 11:22:16 +0100
committerMichael Brüning <michael.bruning@qt.io>2020-03-05 09:49:53 +0000
commite4659a4c8a8a7c18f7172fbf5b9f7f224d486aba (patch)
treef4a9723e420dcfb7c47e1f5e52145b331a56abdc
parent24581ca7dde88e3faed1fe085c09f0d7ba635320 (diff)
downloadqtwebengine-chromium-e4659a4c8a8a7c18f7172fbf5b9f7f224d486aba.tar.gz
[Backport] CVE-2020-6418 - Type confusion in V8
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2062404: Merged: [turbofan] Fix bug in receiver maps inference Revision: fb0a60e15695466621cf65932f9152935d859447 BUG=chromium:1053604 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=mvstanton@chromium.org Change-Id: If3d0f772f76e7b4879c5c3cb132b9bd276792c6c Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/v8/src/compiler/node-properties.cc1
1 files changed, 1 insertions, 0 deletions
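diff --git a/chromium/v8/src/compiler/node-properties.cc b/chromium/v8/src/compiler/node-properties.cc
index 1e00ec00f48..0e558311666 100644
--- a/chromium/v8/src/compiler/node-properties.cc
+++ b/chromium/v8/src/compiler/node-properties.cc
@@ -445,6 +445,7 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMapsUnsafe(
 // We reached the allocation of the {receiver}.
 return kNoReceiverMaps;
 }
+result = kUnreliableReceiverMaps; // JSCreate can have side-effect.
 break;
 }
 case IrOpcode::kJSCreatePromise: {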
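Review bot: The added comment on the `result = kUnreliableReceiverMaps;` line says only that JSCreate "can have side-effect", which does not tell a later maintainer why walking past a JSCreate that is not the receiver's own allocation invalidates maps inferred so far; since this is the whole fix for a type-confusion bug, the reason belongs in the comment. Presumably (the hunk itself does not show it) a JSCreate may end up running user code while resolving its new.target prototype, which can transition object maps behind the inference, so a comment along the lines of `// JSCreate is not the receiver's allocation and may run user code (e.g. while resolving new.target's prototype), so maps seen so far can no longer be considered reliable.` would document the invariant being protected. The enclosing switch case and InferReceiverMapsUnsafe itself begin before the hunk and the function continues after it, so a reader should also check whether any other opcode case in that switch reaches `break` without downgrading `result` for the same reason. If the upstream change carried a regression test alongside this one-line fix, backporting it here would keep the unreliable-maps behaviour from regressing silently.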