
Commit 8447989

committed
<v8> Cherry-pick fix for CVE-2015-1290
Move compatible receiver check from CompileHandler to UpdateCaches. We also need to do the check before using an existing handler from the cache. BUG=chromium:505374 [email protected] LOG=y Review URL: https://codereview.chromium.org/1221433010 Change-Id: I65b463301804ded47e730048d110956f68b05c91 Reviewed-by: Kai Koehne <[email protected]>
1 parent f7c5611 commit 8447989


1 file changed

+43
-5
lines changed

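--- a/chromium/v8/src/ic/ic.cc
+++ b/chromium/v8/src/ic/ic.cc
@@ -965,7 +965,39 @@ void LoadIC::UpdateCaches(LookupIterator* lookup) {
       code = slow_stub();
     }
   } else {
-    code = ComputeHandler(lookup);
+    if (lookup->state() == LookupIterator::ACCESSOR) {
+      Handle<Object> accessors = lookup->GetAccessors();
+      Handle<HeapType> type = receiver_type();
+      if (accessors->IsExecutableAccessorInfo()) {
+        Handle<ExecutableAccessorInfo> info =
+            Handle<ExecutableAccessorInfo>::cast(accessors);
+        if ((v8::ToCData<Address>(info->getter()) != 0) &&
+            !ExecutableAccessorInfo::IsCompatibleReceiverType(isolate(), info,
+                                                              type)) {
+          TRACE_GENERIC_IC(isolate(), "LoadIC", "incompatible receiver type");
+          code = slow_stub();
+        }
+      } else if (accessors->IsAccessorPair()) {
+        Handle<Object> getter(Handle<AccessorPair>::cast(accessors)->getter(),
+                              isolate());
+        Handle<JSObject> holder = lookup->GetHolder<JSObject>();
+        Handle<Object> receiver = lookup->GetReceiver();
+        if (getter->IsJSFunction() && holder->HasFastProperties()) {
+          Handle<JSFunction> function = Handle<JSFunction>::cast(getter);
+          if (receiver->IsJSObject() || function->IsBuiltin() ||
+              function->shared()->strict_mode() != SLOPPY) {
+            CallOptimization call_optimization(function);
+            if (call_optimization.is_simple_api_call() &&
+                !call_optimization.IsCompatibleReceiver(receiver, holder)) {
+              TRACE_GENERIC_IC(isolate(), "LoadIC",
+                               "incompatible receiver type");
+              code = slow_stub();
+            }
+          }
+        }
+      }
+    }
+    if (code.is_null()) code = ComputeHandler(lookup);
   }
 
   PatchCache(lookup->name(), code);
@@ -1096,6 +1128,8 @@ Handle<Code> LoadIC::CompileHandler(LookupIterator* lookup,
       if (v8::ToCData<Address>(info->getter()) == 0) break;
       if (!ExecutableAccessorInfo::IsCompatibleReceiverType(isolate(), info,
                                                             type)) {
+        // This case should be already handled in LoadIC::UpdateCaches.
+        UNREACHABLE();
         break;
       }
       if (!holder->HasFastProperties()) break;
@@ -1118,10 +1152,14 @@ Handle<Code> LoadIC::CompileHandler(LookupIterator* lookup,
       CallOptimization call_optimization(function);
       NamedLoadHandlerCompiler compiler(isolate(), receiver_type(), holder,
                                        cache_holder);
-      if (call_optimization.is_simple_api_call() &&
-          call_optimization.IsCompatibleReceiver(receiver, holder)) {
-        return compiler.CompileLoadCallback(lookup->name(),
-                                            call_optimization);
+      if (call_optimization.is_simple_api_call()) {
+        if (call_optimization.IsCompatibleReceiver(receiver, holder)) {
+          return compiler.CompileLoadCallback(lookup->name(),
+                                              call_optimization);
+        } else {
+          // This case should be already handled in LoadIC::UpdateCaches.
+          UNREACHABLE();
+        }
       }
       return compiler.CompileLoadViaGetter(lookup->name(), function);
     }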
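Review bot: The `UNREACHABLE()` added after the `IsCompatibleReceiverType` check in the second hunk (and in the new `else` branch of the third) turns what was a graceful `break`/fall-through into a process abort, while the predicate it now relies on lives in a different function: the gate in `UpdateCaches` is `receiver->IsJSObject() || function->IsBuiltin() || function->shared()->strict_mode() != SLOPPY`, but the conditions guarding the `CallOptimization` path in `CompileHandler` begin outside the hunk, so I cannot confirm from here that both sites admit exactly the same lookups. If the two ever diverge, an incompatible receiver no longer reaches `slow_stub()` but crashes the process, trading the type confusion this fix closes for a denial-of-service exposure. The comment should state the invariant rather than the expectation, e.g. `// Incompatible receivers are rejected in LoadIC::UpdateCaches before the handler cache is consulted; that check must stay in sync with this one.`, and ideally both sites would call one shared predicate so the duplication cannot drift. The cherry-pick also carries no regression test (the diffstat lists only ic.cc), so nothing in this change exercises the cache-hit path the commit message names as the actual gap.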
