authorMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-24 15:47:11 +0200
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-28 13:16:32 +0000
commit16ec5f179eb828ca6995d61eaa91a48353217626 (patch)
tree9abec9f2fafc568b151cdadc574094e5802f3b6f
parent0a4240a9c428d71656637ad4486d92bfeb52af93 (diff)
downloadqtwebengine-chromium-16ec5f179eb828ca6995d61eaa91a48353217626.tar.gz
[Backport] CVE-2020-6512: Type Confusion in V8 (3/3)
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2241517:

Relax a CHECK

The condition was too strong since we never store Smis into {previously_materialized_objects}.

Bug: chromium:1094132
Change-Id: I680eb7f175f12d3c44882fd8a9eff0d062eda55f
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68317}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/v8/src/deoptimizer/deoptimizer.cc16
1 files changed, 11 insertions, 5 deletions
diff --git a/chromium/v8/src/deoptimizer/deoptimizer.cc b/chromium/v8/src/deoptimizer/deoptimizer.cc
index 19c57170b66..23277092c77 100644
--- a/chromium/v8/src/deoptimizer/deoptimizer.cc
+++ b/chromium/v8/src/deoptimizer/deoptimizer.cc
@@ -3923,24 +3923,30 @@ void TranslatedState::StoreMaterializedValuesAndDeopt(JavaScriptFrame* frame) {
CHECK(value_info->IsMaterializedObject());
- // Skip duplicate objects (i.e., those that point to some
- // other object id).
+ // Skip duplicate objects (i.e., those that point to some other object id).
if (value_info->object_index() != i) continue;
+ Handle<Object> previous_value(previously_materialized_objects->get(i),
+ isolate_);
Handle<Object> value(value_info->GetRawValue(), isolate_);
- if (!value.is_identical_to(marker)) {
- if (previously_materialized_objects->get(i) == *marker) {
+ if (value.is_identical_to(marker)) {
+ DCHECK_EQ(*previous_value, *marker);
+ } else {
+ if (*previous_value == *marker) {
if (value->IsSmi()) {
value = isolate()->factory()->NewHeapNumber(value->Number());
}
previously_materialized_objects->set(i, *value);
value_changed = true;
} else {
- CHECK(previously_materialized_objects->get(i) == *value);
+ CHECK(*previous_value == *value ||
+ (previous_value->IsHeapNumber() && value->IsSmi() &&
+ previous_value->Number() == value->Number()));
}
}
}
+
if (new_store && value_changed) {
materialized_store->Set(stack_frame_pointer_,
previously_materialized_objects);