[Backport] CVE-2024-0518: Type Confusion in V8

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5125960:
[codegen] Install BytecodeArray last in SharedFunctionInfo

Maglev assumes that when a SharedFunctionInfo has a BytecodeArray,
then it should also have FeedbackMetadata. However, this may not
hold with concurrent compilation when the SharedFunctionInfo is
re-compiled after being flushed. Here the BytecodeArray was installed
on the SFI before the FeedbackMetadata and a concurrent thread could
observe the BytecodeArray but not the FeedbackMetadata.

Drive-by: Reset the age field before setting the BytecodeArray as
well. This ensures that the concurrent marker will not observe the
old age for the new BytecodeArray.

Bug: chromium:1507412
Change-Id: I8855ed7ecc50c4a47d2c89043d62ac053858bc75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5125960
Reviewed-by: Leszek Swirski <[email protected]>
Commit-Queue: Dominik Inführ <[email protected]>
Cr-Commit-Position: refs/heads/main@{#91568}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/532071
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

Author: Dominik Inführ

chromium/v8/src/codegen/compiler.cc

@@ -543,11 +543,11 @@ void InstallUnoptimizedCode(UnoptimizedCompilationInfo* compilation_info,
       shared_info->set_is_asm_wasm_broken(true);
     }
 
-    shared_info->set_bytecode_array(*compilation_info->bytecode_array());
-
     Handle<FeedbackMetadata> feedback_metadata = FeedbackMetadata::New(
         isolate, compilation_info->feedback_vector_spec());
     shared_info->set_feedback_metadata(*feedback_metadata);
+
+    shared_info->set_bytecode_array(*compilation_info->bytecode_array());
   } else {
     DCHECK(compilation_info->has_asm_wasm_data());
     // We should only have asm/wasm data when finalizing on the main thread.