[Backport] Security bug 1195331

Reland "M86-LTS: [const-tracking] Ensure map is updated before generalizing constness"

This reverts commit 4b4ad58888faf938a76e0d792c3c3a639c79e2e4.

M86 merge conflicts and resolution:
* src/objects/map-updater.cc
  Map::instance_descriptor with kRelaxedLoad dispatcher was introduced after
  8.6 branch: https://crrev.com/c/2424130. Before the patch
  Map::instance_descriptor without distpacher was used. Do the same
  here.
* test/mjsunit/regress/regress-crbug-1195331.js
  HasOwnConstDataProperty did not exist in 8.6. Add it from
  https://crrev.com/c/2566757.

Original change's description:
> Revert "M86-LTS: [const-tracking] Ensure map is updated before generalizing constness"
>
> This reverts commit 69a043b410ff83f31ceba23eab410163403c1db0.
>
> Reason for revert: causes compilation errors. kRelaxedLoad is missing.
>
> Original change's description:
> > M86-LTS: [const-tracking] Ensure map is updated before generalizing constness
> >
> > Revision: db2acd7a046d42a8013da76c3f47d2970cef5447
> >
> > BUG=chromium:1195331
> > NOTRY=true
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > R=​​[email protected]
> >
> > (cherry picked from commit 5a0dd788cdae65bbfa37fbbd47a5e5dde15dd894)
> >
> > Change-Id: I7ce1b36b8860a49838d208bc7857021e03f83916
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831474
> > Reviewed-by: Leszek Swirski <[email protected]>
> > Cr-Original-Commit-Position: refs/branch-heads/9.0@{#37}
> > Cr-Original-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
> > Cr-Original-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2850705
> > Reviewed-by: Igor Sheludko <[email protected]>
> > Reviewed-by: Victor-Gabriel Savu <[email protected]>
> > Commit-Queue: Artem Sumaneev <[email protected]>
> > Cr-Commit-Position: refs/branch-heads/8.6@{#82}
> > Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
> > Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
>
> Bug: chromium:1195331
> Change-Id: Id7170c30d67329b784e9a283c0171fed010970dc
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2853588
> Bot-Commit: Rubber Stamper <[email protected]>
> Commit-Queue: Artem Sumaneev <[email protected]>
> Cr-Commit-Position: refs/branch-heads/8.6@{#84}
> Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
> Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}

No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1195331
Change-Id: Ie103a7795893860c4c4834eefe9dc327c5c46d19
Reviewed-by: Victor-Gabriel Savu <[email protected]>
Commit-Queue: Victor-Gabriel Savu <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#93}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Michal Klocek <[email protected]>

Author: Artem Sumaneev

chromium/v8/src/objects/map-updater.cc

@@ -135,11 +135,20 @@ Handle<Map> MapUpdater::ReconfigureToDataField(InternalIndex descriptor,
   if (old_details.constness() == PropertyConstness::kConst &&
       old_details.location() == kField &&
       old_details.attributes() != new_attributes_) {
+    // Ensure we'll be updating constness of the up-to-date version of old_map_.
+    Handle<Map> old_map = Map::Update(isolate_, old_map_);
+    PropertyDetails details =
+        old_map->instance_descriptors().GetDetails(descriptor);
     Handle<FieldType> field_type(
-        old_descriptors_->GetFieldType(modified_descriptor_), isolate_);
-    Map::GeneralizeField(isolate_, old_map_, descriptor,
-                         PropertyConstness::kMutable,
-                         old_details.representation(), field_type);
+        old_map->instance_descriptors().GetFieldType(descriptor),
+        isolate_);
+    Map::GeneralizeField(isolate_, old_map, descriptor,
+                         PropertyConstness::kMutable, details.representation(),
+                         field_type);
+    DCHECK_EQ(PropertyConstness::kMutable,
+              old_map->instance_descriptors()
+                  .GetDetails(descriptor)
+                  .constness());
     // The old_map_'s property must become mutable.
     // Note, that the {old_map_} and {old_descriptors_} are not expected to be
     // updated by the generalization if the map is already deprecated.

chromium/v8/src/runtime/runtime-object.cc

@@ -357,6 +357,34 @@ RUNTIME_FUNCTION(Runtime_ObjectHasOwnProperty) {
   return ReadOnlyRoots(isolate).false_value();
 }
 
+RUNTIME_FUNCTION(Runtime_HasOwnConstDataProperty) {
+  HandleScope scope(isolate);
+  DCHECK_EQ(2, args.length());
+  CONVERT_ARG_HANDLE_CHECKED(Object, object, 0);
+  CONVERT_ARG_HANDLE_CHECKED(Object, property, 1);
+
+  bool success;
+  LookupIterator::Key key(isolate, property, &success);
+  if (!success) return ReadOnlyRoots(isolate).undefined_value();
+
+  if (object->IsJSObject()) {
+    Handle<JSObject> js_obj = Handle<JSObject>::cast(object);
+    LookupIterator it(isolate, js_obj, key, js_obj, LookupIterator::OWN);
+
+    switch (it.state()) {
+      case LookupIterator::NOT_FOUND:
+        return isolate->heap()->ToBoolean(false);
+      case LookupIterator::DATA:
+        return isolate->heap()->ToBoolean(it.constness() ==
+                                          PropertyConstness::kConst);
+      default:
+        return ReadOnlyRoots(isolate).undefined_value();
+    }
+  }
+
+  return ReadOnlyRoots(isolate).undefined_value();
+}
+
 RUNTIME_FUNCTION(Runtime_AddDictionaryProperty) {
   HandleScope scope(isolate);
   Handle<JSObject> receiver = args.at<JSObject>(0);

chromium/v8/src/runtime/runtime.h

@@ -487,6 +487,7 @@ namespace internal {
   F(HasElementsInALargeObjectSpace, 1, 1)     \
   F(HasFastElements, 1, 1)                    \
   F(HasFastProperties, 1, 1)                  \
+  F(HasOwnConstDataProperty, 2, 1)            \
   F(HasFixedBigInt64Elements, 1, 1)           \
   F(HasFixedBigUint64Elements, 1, 1)          \
   F(HasFixedFloat32Elements, 1, 1)            \