AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[compiler] Harden JSCallReducer::ReduceArrayIteratorPrototypeNext

Browse Source 
Bug: chromium:1234764
Change-Id: I5b1053accf77331687939c789b7ed94df1219287
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3067327
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76052}
This commit is contained in:
Georg Neis 2021-08-02 22:14:20 +02:00 committed by V8 LUCI CQ
parent 098835f73a
commit 65b20a0e65
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/compiler/js-call-reducer.cc
View File

@ -6249,11 +6249,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
Node* etrue = effect;
Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
{
// We know that the {index} is range of the {length} now.
// This extra check exists to refine the type of {index} but also to break
// an exploitation technique that abuses typer mismatches.
index = etrue = graph()->NewNode(
common()->TypeGuard(
Type::Range(0.0, length_access.type.Max() - 1.0, graph()->zone())),
index, etrue, if_true);
simplified()->CheckBounds(p.feedback(),
CheckBoundsFlag::kAbortOnOutOfBounds),
index, length, etrue, if_true);
done_true = jsgraph()->FalseConstant();
if (iteration_kind == IterationKind::kKeys) {