authorZakhar Voit <voit@google.com>2021-08-18 06:02:05 +0000
committerMichael Brüning <michael.bruning@qt.io>2021-09-03 12:13:25 +0000
commitcc943be2c1ec358f12e7701667ef6ed33cc27096 (patch)
tree25c13d72e3df3d1f95aa00cc74d84be89573561f /chromium/v8/src
parent19f9a2b1432df1c534d6ad785ea1d85124e0e795 (diff)
downloadqtwebengine-chromium-cc943be2c1ec358f12e7701667ef6ed33cc27096.tar.gz
[Backport] Security bug 1228036
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/3101487: [M90-LTS] [deoptimizer] Finish concurrent sweeping before overwriting ByteArrays (cherry picked from commit b63a59619530cb26bf5d51f39ef4cb4c20952d5f) Bug: chromium:1228036 No-Try: true No-Presubmit: true No-Tree-Checks: true Change-Id: I5abe7009920d2c8f81f024c9ae7bb6b13607da1a Commit-Queue: Georg Neis <neis@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#75932} Commit-Queue: Zakhar Voit <voit@google.com> Reviewed-by: Achuith Bhandarkar <achuith@chromium.org> Cr-Commit-Position: refs/branch-heads/9.0@{#75} Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1} Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/v8/src')
-rw-r--r--chromium/v8/src/deoptimizer/translated-state.cc10
1 files changed, 8 insertions, 2 deletions
diff --git a/chromium/v8/src/deoptimizer/translated-state.cc b/chromium/v8/src/deoptimizer/translated-state.cc
index 7ace86fa7a9..0190b322c9f 100644
--- a/chromium/v8/src/deoptimizer/translated-state.cc
+++ b/chromium/v8/src/deoptimizer/translated-state.cc
@@ -525,6 +525,12 @@ Handle<Object> TranslatedValue::GetValue() {
// pass the verifier.
container_->EnsureObjectAllocatedAt(this);
+ // Finish any sweeping so that it becomes safe to overwrite the ByteArray
+ // headers.
+ // TODO(hpayer): Find a cleaner way to support a group of
+ // non-fully-initialized objects.
+ isolate()->heap()->mark_compact_collector()->EnsureSweepingCompleted();
+
// 2. Initialize the objects. If we have allocated only byte arrays
// for some objects, we now overwrite the byte arrays with the
// correct object fields. Note that this phase does not allocate
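Review bot: The new comment above the `EnsureSweepingCompleted()` call says that it makes overwriting ByteArray headers safe, but not what the hazard is or why this exact position in GetValue() is the right one, so a later refactor that moves an allocation below it would silently reopen the window. The placement appears deliberate: it sits after the last allocation of step 1 (`EnsureObjectAllocatedAt`) and before step 2, which the existing comment says does not allocate. I would extend the comment to state that invariant explicitly: `// Step 1 may have started concurrent sweeping; the sweeper must not observe the ByteArray headers being rewritten in step 2, so wait for it here, after the last allocation and before the first overwrite.` The exact interaction with the sweeper is inferred from the commit message rather than visible here, so the wording should be confirmed against the GC. GetValue() begins and ends outside this hunk.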
@@ -1398,9 +1404,9 @@ TranslatedValue* TranslatedState::GetValueByObjectIndex(int object_index) {
}
Handle<HeapObject> TranslatedState::InitializeObjectAt(TranslatedValue* slot) {
- slot = ResolveCapturedObject(slot);
-
DisallowGarbageCollection no_gc;
+
+ slot = ResolveCapturedObject(slot);
if (slot->materialization_state() != TranslatedValue::kFinished) {
std::stack<int> worklist;
worklist.push(slot->object_index());
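Review bot: Moving `DisallowGarbageCollection no_gc;` above `slot = ResolveCapturedObject(slot);` changes the contract of ResolveCapturedObject() to "must not allocate" for the rest of InitializeObjectAt(), and nothing in the hunk records that this is intentional. A reader who later adds an allocating lookup to ResolveCapturedObject() would only find out from a debug assertion, or not at all in release builds. I would add a one-line comment on the moved line, `// No allocation from here on: a GC could restart sweeping and invalidate the sweeping-completed guarantee GetValue() relies on.` — the link to sweeping is inferred from the companion hunk and commit message and should be confirmed. The body of InitializeObjectAt() continues past the end of this hunk.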