Skip to content

Commit

Permalink
deps: V8: cherry-pick 1e35f6472510
Browse files Browse the repository at this point in the history
Original commit message:

    [LTS-M86][builtins] Harden Array.prototype.concat.

    Defence in depth patch to prevent JavaScript from executing
    from within IterateElements.

    R=​ishell@chromium.org
    R=​cbruni@chromium.org

    (cherry picked from commit 8284359ed0607e452a4dda2ce89811fb019b4aaa)

    No-Try: true
    No-Presubmit: true
    No-Tree-Checks: true
    Bug: chromium:1195977
    Change-Id: Ie59d468b73b94818cea986a3ded0804f6dddd10b
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2819941
    Reviewed-by: Camillo Bruni <cbruni@chromium.org>
    Reviewed-by: Igor Sheludko <ishell@chromium.org>
    Commit-Queue: Igor Sheludko <ishell@chromium.org>
    Cr-Original-Commit-Position: refs/heads/master@{#73898}
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821961
    Commit-Queue: Jana Grill <janagrill@chromium.org>
    Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
    Cr-Commit-Position: refs/branch-heads/8.6@{nodejs#76}
    Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
    Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}

Refs: v8/v8@1e35f64
  • Loading branch information
targos committed Apr 17, 2021
1 parent 3e0e10e commit 103203a
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 1 deletion.
2 changes: 1 addition & 1 deletion common.gypi
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.52',
'v8_embedder_string': '-node.53',

##### V8 defaults for Node.js #####

Expand Down
1 change: 1 addition & 0 deletions deps/v8/AUTHORS
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ Ben Newman <ben@meteor.com>
Ben Noordhuis <info@bnoordhuis.nl>
Benjamin Tan <demoneaux@gmail.com>
Bert Belder <bertbelder@gmail.com>
Brendon Tiszka <btiszka@gmail.com>
Burcu Dogan <burcujdogan@gmail.com>
Caitlin Potter <caitpotter88@gmail.com>
Craig Schlenter <craig.schlenter@gmail.com>
Expand Down
9 changes: 9 additions & 0 deletions deps/v8/src/builtins/builtins-array.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1080,6 +1080,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
case HOLEY_SEALED_ELEMENTS:
case HOLEY_NONEXTENSIBLE_ELEMENTS:
case HOLEY_ELEMENTS: {
// Disallow execution so the cached elements won't change mid execution.
DisallowJavascriptExecution no_js(isolate);

// Run through the elements FixedArray and use HasElement and GetElement
// to check the prototype for missing elements.
Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate);
Expand All @@ -1106,6 +1109,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
}
case HOLEY_DOUBLE_ELEMENTS:
case PACKED_DOUBLE_ELEMENTS: {
// Disallow execution so the cached elements won't change mid execution.
DisallowJavascriptExecution no_js(isolate);

// Empty array is FixedArray but not FixedDoubleArray.
if (length == 0) break;
// Run through the elements FixedArray and use HasElement and GetElement
Expand Down Expand Up @@ -1142,6 +1148,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
}

case DICTIONARY_ELEMENTS: {
// Disallow execution so the cached dictionary won't change mid execution.
DisallowJavascriptExecution no_js(isolate);

Handle<NumberDictionary> dict(array->element_dictionary(), isolate);
std::vector<uint32_t> indices;
indices.reserve(dict->Capacity() / 2);
Expand Down

0 comments on commit 103203a

Please sign in to comment.