From 684a48706ad6ba6c52a084bddd846cf20c1b0416 Mon Sep 17 00:00:00 2001
From: Ulan Degenbaev <ulan@chromium.org>
Date: Wed, 15 Jan 2020 17:49:45 +0100
Subject: [Backport] Security bug 1016703

Manual backport of patch:
Merged: [heap]: Make addition of detached contexts robust for GC

Revision: b33a8508ccad452b2581bf1e234b88b8871e6e5f

BUG=chromium:1016703
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org

Change-Id: Ie60d9ebfd19196eb38b4ce00cb56c426dc5120c2
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 chromium/v8/src/execution/isolate.cc  |  5 ++---
 chromium/v8/src/objects/fixed-array.h |  6 ++++++
 chromium/v8/src/objects/objects.cc    | 14 ++++++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/chromium/v8/src/execution/isolate.cc b/chromium/v8/src/execution/isolate.cc
index 6fa6f64769f..b100bd14681 100644
--- a/chromium/v8/src/execution/isolate.cc
+++ b/chromium/v8/src/execution/isolate.cc
@@ -4570,9 +4570,8 @@ void Isolate::AddDetachedContext(Handle<Context> context) {
   HandleScope scope(this);
   Handle<WeakArrayList> detached_contexts = factory()->detached_contexts();
   detached_contexts = WeakArrayList::AddToEnd(
-      this, detached_contexts, MaybeObjectHandle(Smi::kZero, this));
-  detached_contexts = WeakArrayList::AddToEnd(this, detached_contexts,
-                                              MaybeObjectHandle::Weak(context));
+      this, detached_contexts, MaybeObjectHandle(Smi::kZero, this),
+      MaybeObjectHandle::Weak(context));
   heap()->set_detached_contexts(*detached_contexts);
 }
 
diff --git a/chromium/v8/src/objects/fixed-array.h b/chromium/v8/src/objects/fixed-array.h
index ca6f06e83cd..fceccf6d0a9 100644
--- a/chromium/v8/src/objects/fixed-array.h
+++ b/chromium/v8/src/objects/fixed-array.h
@@ -336,6 +336,12 @@ class WeakArrayList : public HeapObject {
       Isolate* isolate, Handle<WeakArrayList> array,
       const MaybeObjectHandle& value);
 
+  // A version that adds to elements. This ensures that the elements are
+  // inserted atomically w.r.t GC.
+  V8_EXPORT_PRIVATE static Handle<WeakArrayList> AddToEnd(
+      Isolate* isolate, Handle<WeakArrayList> array,
+      const MaybeObjectHandle& value1, const MaybeObjectHandle& value2);
+
   inline MaybeObject Get(int index) const;
   inline MaybeObject Get(Isolate* isolate, int index) const;
 
diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc
index 4d0b3c81ab4..57c1fc8930d 100644
--- a/chromium/v8/src/objects/objects.cc
+++ b/chromium/v8/src/objects/objects.cc
@@ -3958,6 +3958,20 @@ Handle<WeakArrayList> WeakArrayList::AddToEnd(Isolate* isolate,
   return array;
 }
 
+Handle<WeakArrayList> WeakArrayList::AddToEnd(Isolate* isolate,
+                                              Handle<WeakArrayList> array,
+                                              const MaybeObjectHandle& value1,
+                                              const MaybeObjectHandle& value2) {
+  int length = array->length();
+  array = EnsureSpace(isolate, array, length + 2);
+  // Reload length; GC might have removed elements from the array.
+  length = array->length();
+  array->Set(length, *value1);
+  array->Set(length + 1, *value2);
+  array->set_length(length + 2);
+  return array;
+}
+
 bool WeakArrayList::IsFull() { return length() == capacity(); }
 
 // static
-- 
cgit v1.2.1