From a4a9246ea1497aef022b57095916a12f0d7fa0ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 17 Apr 2021 16:28:48 +0200 Subject: [PATCH] deps: V8: cherry-pick 1e35f6472510 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Original commit message: [LTS-M86][builtins] Harden Array.prototype.concat. Defence in depth patch to prevent JavaScript from executing from within IterateElements. R=​ishell@chromium.org R=​cbruni@chromium.org (cherry picked from commit 8284359ed0607e452a4dda2ce89811fb019b4aaa) No-Try: true No-Presubmit: true No-Tree-Checks: true Bug: chromium:1195977 Change-Id: Ie59d468b73b94818cea986a3ded0804f6dddd10b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2819941 Reviewed-by: Camillo Bruni Reviewed-by: Igor Sheludko Commit-Queue: Igor Sheludko Cr-Original-Commit-Position: refs/heads/master@{#73898} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821961 Commit-Queue: Jana Grill Reviewed-by: Victor-Gabriel Savu Cr-Commit-Position: refs/branch-heads/8.6@{#76} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: https://github.com/v8/v8/commit/1e35f647251009019485ddb2b371281b182d04b0 PR-URL: https://github.com/nodejs/node/pull/38275 Reviewed-By: Matteo Collina Reviewed-By: Jiawen Geng Reviewed-By: Shelley Vohr --- common.gypi | 2 +- deps/v8/AUTHORS | 1 + deps/v8/src/builtins/builtins-array.cc | 9 +++++++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/common.gypi b/common.gypi index 0395077e443751..e8b89a76e22487 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.50', + 'v8_embedder_string': '-node.51', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/AUTHORS b/deps/v8/AUTHORS index 6f602e44560bca..13a915c130b7a2 100644 --- a/deps/v8/AUTHORS +++ b/deps/v8/AUTHORS @@ -67,6 +67,7 @@ Ben Newman Ben Noordhuis Benjamin Tan Bert Belder +Brendon Tiszka Burcu Dogan Caitlin Potter Craig Schlenter diff --git a/deps/v8/src/builtins/builtins-array.cc b/deps/v8/src/builtins/builtins-array.cc index 3c2fe33c5b4b33..5135f9599b6e2d 100644 --- a/deps/v8/src/builtins/builtins-array.cc +++ b/deps/v8/src/builtins/builtins-array.cc @@ -1080,6 +1080,9 @@ bool IterateElements(Isolate* isolate, Handle receiver, case HOLEY_SEALED_ELEMENTS: case HOLEY_NONEXTENSIBLE_ELEMENTS: case HOLEY_ELEMENTS: { + // Disallow execution so the cached elements won't change mid execution. + DisallowJavascriptExecution no_js(isolate); + // Run through the elements FixedArray and use HasElement and GetElement // to check the prototype for missing elements. Handle elements(FixedArray::cast(array->elements()), isolate); @@ -1106,6 +1109,9 @@ bool IterateElements(Isolate* isolate, Handle receiver, } case HOLEY_DOUBLE_ELEMENTS: case PACKED_DOUBLE_ELEMENTS: { + // Disallow execution so the cached elements won't change mid execution. + DisallowJavascriptExecution no_js(isolate); + // Empty array is FixedArray but not FixedDoubleArray. if (length == 0) break; // Run through the elements FixedArray and use HasElement and GetElement @@ -1142,6 +1148,9 @@ bool IterateElements(Isolate* isolate, Handle receiver, } case DICTIONARY_ELEMENTS: { + // Disallow execution so the cached dictionary won't change mid execution. + DisallowJavascriptExecution no_js(isolate); + Handle dict(array->element_dictionary(), isolate); std::vector indices; indices.reserve(dict->Capacity() / 2);