From e4659a4c8a8a7c18f7172fbf5b9f7f224d486aba Mon Sep 17 00:00:00 2001
From: Georg Neis
Date: Wed, 19 Feb 2020 11:22:16 +0100
Subject: [Backport] CVE-2020-6418 - Type confusion in V8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2062404:

Merged: [turbofan] Fix bug in receiver maps inference
Revision: fb0a60e15695466621cf65932f9152935d859447

BUG=chromium:1053604
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=mvstanton@chromium.org
Change-Id: If3d0f772f76e7b4879c5c3cb132b9bd276792c6c
Reviewed-by: Jüri Valdmann
---
 chromium/v8/src/compiler/node-properties.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/chromium/v8/src/compiler/node-properties.cc b/chromium/v8/src/compiler/node-properties.cc
index 1e00ec00f48..0e558311666 100644
--- a/chromium/v8/src/compiler/node-properties.cc
+++ b/chromium/v8/src/compiler/node-properties.cc
@@ -445,6 +445,7 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMapsUnsafe(
 // We reached the allocation of the {receiver}.
 return kNoReceiverMaps;
 }
+ result = kUnreliableReceiverMaps; // JSCreate can have side-effect.
 break;
 }
 case IrOpcode::kJSCreatePromise: {
--
cgit v1.2.1
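Review bot: The comment on the added line, `// JSCreate can have side-effect.`, does not say which side effect matters for a map-inference walk, and a future reader could see an apparently pure allocation node and re-tighten the result; I would make the hazard explicit, e.g. `// A JSCreate that is not the {receiver}'s own allocation may run user code, so maps inferred from earlier in the effect chain can no longer be trusted; report them as unreliable so the caller adds a map check or stability dependency.` That JSCreate can run user code is inferred from the fix rather than visible in this hunk, so the wording should be confirmed against the upstream change. The enclosing switch and InferReceiverMapsUnsafe both begin outside the hunk, so whether every caller honours kUnreliableReceiverMaps cannot be verified here. The diffstat lists only node-properties.cc; if the upstream change for chromium:1053604 carried a regression test, backporting it alongside would guard this one-line fix against being lost in a later merge.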