authorIgor Sheludko <ishell@chromium.org>2021-11-12 16:49:02 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-02-14 13:50:38 +0000
commited5d6385e0e86407a6af221d936a0f00011d61df (patch)
tree971e3ddbc86375f61d5cf8556a6e2f130fbbb03b /chromium/v8
parentb16741a83ce0d02c814752a2f4346818bf430b3e (diff)
downloadqtwebengine-chromium-ed5d6385e0e86407a6af221d936a0f00011d61df.tar.gz
[Backport] Security bug 1265570
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/3275569:

Ensure JSMessageObject has source positions

Under certain conditions GC could flush the bytecode array from SharedFunctionInfos. This CL ensures that the bytecode array is always available for reconstructing source positions.

Bug: chromium:1265570
Change-Id: I2ce7eb04201f69121687ab0aaa2af42adb2caae0
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77877}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium/v8')
-rw-r--r--chromium/v8/src/codegen/compiler.cc6
-rw-r--r--chromium/v8/src/codegen/compiler.h4
-rw-r--r--chromium/v8/src/debug/debug.cc2
-rw-r--r--chromium/v8/src/objects/js-objects.cc3
-rw-r--r--chromium/v8/src/objects/shared-function-info.cc13
-rw-r--r--chromium/v8/src/objects/shared-function-info.h9
6 files changed, 34 insertions, 3 deletions
diff --git a/chromium/v8/src/codegen/compiler.cc b/chromium/v8/src/codegen/compiler.cc
index 4fd70a8d9e1..7bd68b34287 100644
--- a/chromium/v8/src/codegen/compiler.cc
+++ b/chromium/v8/src/codegen/compiler.cc
@@ -1817,7 +1817,8 @@ bool Compiler::CollectSourcePositions(Isolate* isolate,
// static
bool Compiler::Compile(Isolate* isolate, Handle<SharedFunctionInfo> shared_info,
ClearExceptionFlag flag,
- IsCompiledScope* is_compiled_scope) {
+ IsCompiledScope* is_compiled_scope,
+ CreateSourcePositions create_source_positions_flag) {
// We should never reach here if the function is already compiled.
DCHECK(!shared_info->is_compiled());
DCHECK(!is_compiled_scope->is_compiled());
@@ -1838,6 +1839,9 @@ bool Compiler::Compile(Isolate* isolate, Handle<SharedFunctionInfo> shared_info,
// Set up parse info.
UnoptimizedCompileFlags flags =
UnoptimizedCompileFlags::ForFunctionCompile(isolate, *shared_info);
+ if (create_source_positions_flag == CreateSourcePositions::kYes) {
+ flags.set_collect_source_positions(true);
+ }
UnoptimizedCompileState compile_state(isolate);
ParseInfo parse_info(isolate, flags, &compile_state);
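Review bot: The one-sided `if` on the added lines needs a why-comment, because the obvious "simplification" `flags.set_collect_source_positions(create_source_positions_flag == CreateSourcePositions::kYes);` would clear a collection bit that `ForFunctionCompile` may already have turned on for other reasons. Suggest `// Only ever force collection on: kNo must not clear a bit ForFunctionCompile already set.` Whether `ForFunctionCompile` can set that bit is not visible in this hunk, so confirm before wording the comment that way. `Compiler::Compile` continues past the end of the hunk.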
diff --git a/chromium/v8/src/codegen/compiler.h b/chromium/v8/src/codegen/compiler.h
index 0d1582d872a..fc078352778 100644
--- a/chromium/v8/src/codegen/compiler.h
+++ b/chromium/v8/src/codegen/compiler.h
@@ -69,7 +69,9 @@ class V8_EXPORT_PRIVATE Compiler : public AllStatic {
static bool Compile(Isolate* isolate, Handle<SharedFunctionInfo> shared,
ClearExceptionFlag flag,
- IsCompiledScope* is_compiled_scope);
+ IsCompiledScope* is_compiled_scope,
+ CreateSourcePositions create_source_positions_flag =
+ CreateSourcePositions::kNo);
static bool Compile(Isolate* isolate, Handle<JSFunction> function,
ClearExceptionFlag flag,
IsCompiledScope* is_compiled_scope);
diff --git a/chromium/v8/src/debug/debug.cc b/chromium/v8/src/debug/debug.cc
index 41775c89656..a3fc2d34295 100644
--- a/chromium/v8/src/debug/debug.cc
+++ b/chromium/v8/src/debug/debug.cc
@@ -1787,7 +1787,7 @@ bool Debug::EnsureBreakInfo(Handle<SharedFunctionInfo> shared) {
IsCompiledScope is_compiled_scope = shared->is_compiled_scope(isolate_);
if (!is_compiled_scope.is_compiled() &&
!Compiler::Compile(isolate_, shared, Compiler::CLEAR_EXCEPTION,
- &is_compiled_scope)) {
+ &is_compiled_scope, CreateSourcePositions::kYes)) {
return false;
}
CreateBreakInfo(shared);
diff --git a/chromium/v8/src/objects/js-objects.cc b/chromium/v8/src/objects/js-objects.cc
index e329cba144b..657cf655a2e 100644
--- a/chromium/v8/src/objects/js-objects.cc
+++ b/chromium/v8/src/objects/js-objects.cc
@@ -5389,6 +5389,9 @@ void JSMessageObject::EnsureSourcePositionsAvailable(
DCHECK_GE(message->bytecode_offset().value(), kFunctionEntryBytecodeOffset);
Handle<SharedFunctionInfo> shared_info(
SharedFunctionInfo::cast(message->shared_info()), isolate);
+ IsCompiledScope is_compiled_scope;
+ SharedFunctionInfo::EnsureBytecodeArrayAvailable(
+ isolate, shared_info, &is_compiled_scope, CreateSourcePositions::kYes);
SharedFunctionInfo::EnsureSourcePositionsAvailable(isolate, shared_info);
DCHECK(shared_info->HasBytecodeArray());
int position = shared_info->abstract_code(isolate).SourcePosition(
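Review bot: `is_compiled_scope` on the added line is never read afterwards in this hunk, so to a reader it looks like an unused local that could be dropped; its purpose is to keep the bytecode that `EnsureBytecodeArrayAvailable` may have just compiled alive until `SourcePosition(...)` below has consumed it. Suggest `// Pins the (re)compiled bytecode array until SourcePosition() below has read it; the commit message notes GC can otherwise flush it again.` The `DCHECK(shared_info->HasBytecodeArray())` that follows is debug-only; in release builds the guarantee rests entirely on the preceding call, which is worth stating in that comment. The enclosing function continues beyond the hunk.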
diff --git a/chromium/v8/src/objects/shared-function-info.cc b/chromium/v8/src/objects/shared-function-info.cc
index 22e98a140c4..6ca4378f931 100644
--- a/chromium/v8/src/objects/shared-function-info.cc
+++ b/chromium/v8/src/objects/shared-function-info.cc
@@ -668,6 +668,19 @@ void SharedFunctionInfo::SetPosition(int start_position, int end_position) {
}
// static
+void SharedFunctionInfo::EnsureBytecodeArrayAvailable(
+ Isolate* isolate, Handle<SharedFunctionInfo> shared_info,
+ IsCompiledScope* is_compiled_scope, CreateSourcePositions flag) {
+ if (!shared_info->HasBytecodeArray()) {
+ if (!Compiler::Compile(isolate, shared_info, Compiler::CLEAR_EXCEPTION,
+ is_compiled_scope, flag)) {
+ FATAL("Failed to compile shared info that was already compiled before");
+ }
+ DCHECK(shared_info->GetBytecodeArray(isolate).HasSourcePositionTable());
+ }
+}
+
+// static
void SharedFunctionInfo::EnsureSourcePositionsAvailable(
Isolate* isolate, Handle<SharedFunctionInfo> shared_info) {
if (shared_info->CanCollectSourcePosition(isolate)) {
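Review bot: `is_compiled_scope` is only populated on the recompile branch of the new `EnsureBytecodeArrayAvailable`; when `HasBytecodeArray()` is already true the function returns with the caller's scope still empty, so the caller holds nothing that prevents the existing bytecode from being flushed before it reads source positions from it — as far as the description explains it, the same flush the commit is fixing. Add an else branch: `} else {` / `*is_compiled_scope = shared_info->is_compiled_scope(isolate);` / `}` (the accessor debug.cc already uses). Separately, the `DCHECK(... HasSourcePositionTable())` runs regardless of `flag`, while collection is only forced for `kYes` in compiler.cc, so a caller using the default `kNo` could trip it unless positions are always collected on that path; either guard the DCHECK on `flag == CreateSourcePositions::kYes` or document why it holds unconditionally.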
diff --git a/chromium/v8/src/objects/shared-function-info.h b/chromium/v8/src/objects/shared-function-info.h
index fd19f90165f..88a88fd500a 100644
--- a/chromium/v8/src/objects/shared-function-info.h
+++ b/chromium/v8/src/objects/shared-function-info.h
@@ -49,6 +49,10 @@ using FunctionSig = Signature<ValueType>;
#include "torque-generated/src/objects/shared-function-info-tq.inc"
+// Defines whether the source positions should be created during function
+// compilation.
+enum class CreateSourcePositions { kNo, kYes };
+
// Data collected by the pre-parser storing information about scopes and inner
// functions.
//
@@ -575,6 +579,11 @@ class SharedFunctionInfo
void SetFunctionTokenPosition(int function_token_position,
int start_position);
+ static void EnsureBytecodeArrayAvailable(
+ Isolate* isolate, Handle<SharedFunctionInfo> shared_info,
+ IsCompiledScope* is_compiled,
+ CreateSourcePositions flag = CreateSourcePositions::kNo);
+
inline bool CanCollectSourcePosition(Isolate* isolate);
static void EnsureSourcePositionsAvailable(
Isolate* isolate, Handle<SharedFunctionInfo> shared_info);
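Review bot: The new declaration names its third parameter `is_compiled` while the definition in shared-function-info.cc and the sibling `Compiler::Compile` declaration both call it `is_compiled_scope`; rename it to `IsCompiledScope* is_compiled_scope,` so the header and definition agree. The method also lacks a doc comment; suggest `// Recompiles |shared_info| if its bytecode array was flushed, filling |is_compiled_scope|; with kYes the recompiled bytecode also carries a source position table.` The `CreateSourcePositions` default of `kNo` here mirrors the one on `Compiler::Compile`, which is fine, but note that only `kYes` guarantees the table mentioned in the comment.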