[Backport] Security bug 1417585

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4296133:
Merged: [compiler] check if maps become deprecated during optimization

Bug: chromium:1417585

(cherry picked from commit f82d802a20aa62e42269f977302f26c5c3ed031b)

Change-Id: Icdb0065ab6042fb2833bc63a741e78d59f937763
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4296133
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/branch-heads/11.1@{#24}
Cr-Branched-From: c77793a2ee5bfa7c5226dd8f622bf331b97a5a25-refs/heads/11.1.277@{#1}
Cr-Branched-From: 95b79bf04ba3f9de87f7bad77bc2d7552e5dc4d7-refs/heads/main@{#85479}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469848
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

2 files changed, 22 insertions, 1 deletions

diff --git a/chromium/v8/src/codegen/bailout-reason.h b/chromium/v8/src/codegen/bailout-reason.h
index e55e691a08e..0c59785c4a4 100644
--- a/chromium/v8/src/codegen/bailout-reason.h
+++ b/chromium/v8/src/codegen/bailout-reason.h
@@ -90,6 +90,7 @@ namespace internal {
   V(kNoReason, "no reason")                                                 \
                                                                             \
   V(kBailedOutDueToDependencyChange, "Bailed out due to dependency change") \
+  V(kConcurrentMapDeprecation, "Maps became deprecated during optimization") \
   V(kCodeGenerationFailed, "Code generation failed")                        \
   V(kCyclicObjectStateDetectedInEscapeAnalysis,                             \
     "Cyclic object state detected by escape analysis")                      \
diff --git a/chromium/v8/src/compiler/pipeline.cc b/chromium/v8/src/compiler/pipeline.cc
index 7b99d07b6b6..a9d28d06db1 100644
--- a/chromium/v8/src/compiler/pipeline.cc
+++ b/chromium/v8/src/compiler/pipeline.cc
@@ -672,7 +672,10 @@ class PipelineImpl final {
   // Step D. Run the code finalization pass.
   MaybeHandle<Code> FinalizeCode(bool retire_broker = true);
 
-  // Step E. Install any code dependencies.
+  // Step E. Ensure all embedded maps are non-deprecated.
+  bool CheckNoDeprecatedMaps(Handle<Code> code);
+
+  // Step F. Install any code dependencies.
   bool CommitDependencies(Handle<Code> code);
 
   void VerifyGeneratedCodeIsIdempotent();
@@ -1219,6 +1222,9 @@ PipelineCompilationJob::Status PipelineCompilationJob::FinalizeJobImpl(
     }
     return FAILED;
   }
+  if (!pipeline_.CheckNoDeprecatedMaps(code)) {
+    return RetryOptimization(BailoutReason::kConcurrentMapDeprecation);
+  }
   if (!pipeline_.CommitDependencies(code)) {
     return RetryOptimization(BailoutReason::kBailedOutDueToDependencyChange);
   }
@@ -3549,6 +3555,20 @@ MaybeHandle<Code> PipelineImpl::GenerateCode(CallDescriptor* call_descriptor) {
   return FinalizeCode();
 }
 
+// We must not embed deprecated maps, as we rely in the compiler on all explicit
+// maps not being deprecated.
+bool PipelineImpl::CheckNoDeprecatedMaps(Handle<Code> code) {
+  int mode_mask = RelocInfo::EmbeddedObjectModeMask();
+  for (RelocIterator it(*code, mode_mask); !it.done(); it.next()) {
+    DCHECK(RelocInfo::IsEmbeddedObjectMode(it.rinfo()->rmode()));
+    HeapObject obj = it.rinfo()->target_object();
+    if (obj.IsMap() && Map::cast(obj).is_deprecated()) {
+      return false;
+    }
+  }
+  return true;
+}
+
 bool PipelineImpl::CommitDependencies(Handle<Code> code) {
   return data_->dependencies() == nullptr ||
          data_->dependencies()->Commit(code);