Commit
[Backport] CVE-2024-0518: Type Confusion in V8
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/5180369:

Merged: [codegen] Install BytecodeArray last in SharedFunctionInfo

Maglev assumes that when a SharedFunctionInfo has a BytecodeArray, then it should also have FeedbackMetadata. However, this may not hold with concurrent compilation when the SharedFunctionInfo is re-compiled after being flushed. Here the BytecodeArray was installed on the SFI before the FeedbackMetadata and a concurrent thread could observe the BytecodeArray but not the FeedbackMetadata.

Drive-by: Reset the age field before setting the BytecodeArray as well. This ensures that the concurrent marker will not observe the old age for the new BytecodeArray.

Bug: chromium:1507412
(cherry picked from commit 46cb67e3b296e50d7fda5a58233d18b9f3dab0d5)
Change-Id: Ide73ac1c6b0a68a1fcf847c8351ec65016e55762
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5180369
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.0@{#28}
Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/531979
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
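To make the ordering problem in the commit message concrete, the following is an added example, constructed here and not code from V8 or this commit: it models a SharedFunctionInfo with only the two fields the message names and a deterministic stand-in for the concurrent reader, then compares the pre-fix install order with the fixed one (the age drive-by is not modelled).

```cpp
#include <functional>

// Constructed model of the two fields the commit message talks about; this is
// not V8's SharedFunctionInfo, just enough state to show the ordering problem.
struct BytecodeArray {};
struct FeedbackMetadata {};
struct SharedFunctionInfo {
  const BytecodeArray* bytecode = nullptr;     // "has a BytecodeArray"
  const FeedbackMetadata* feedback = nullptr;  // "should also have FeedbackMetadata"
};

// The invariant Maglev relies on: a BytecodeArray implies FeedbackMetadata.
bool InvariantHolds(const SharedFunctionInfo& sfi) {
  return sfi.bytecode == nullptr || sfi.feedback != nullptr;
}

// Stands in for a concurrent thread that reads the SFI between the two stores.
// Modelled as a callback so the interleaving is deterministic; real code would
// additionally need release/acquire ordering on the stores and loads.
using Observer = std::function<void(const SharedFunctionInfo&)>;

// Order before the fix: the BytecodeArray is installed first.
void InstallBytecodeFirst(SharedFunctionInfo& sfi, const BytecodeArray* bc,
                          const FeedbackMetadata* fm, const Observer& observe) {
  sfi.bytecode = bc;
  observe(sfi);  // reader sees a BytecodeArray but no FeedbackMetadata
  sfi.feedback = fm;
}

// Order after the fix: everything the BytecodeArray implies is published first,
// and the BytecodeArray itself goes in last.
void InstallBytecodeLast(SharedFunctionInfo& sfi, const BytecodeArray* bc,
                         const FeedbackMetadata* fm, const Observer& observe) {
  sfi.feedback = fm;
  observe(sfi);  // reader sees no BytecodeArray yet, which is a valid state
  sfi.bytecode = bc;
}

// Re-compile a flushed SFI (both fields empty) with the chosen install order and
// report whether the invariant held at every point the reader could observe.
bool RecompileAfterFlush(bool bytecode_last) {
  SharedFunctionInfo sfi;
  BytecodeArray bc;
  FeedbackMetadata fm;
  bool held = true;
  Observer observe = [&](const SharedFunctionInfo& s) { held = held && InvariantHolds(s); };
  if (bytecode_last) InstallBytecodeLast(sfi, &bc, &fm, observe);
  else InstallBytecodeFirst(sfi, &bc, &fm, observe);
  return held && InvariantHolds(sfi);  // final state is consistent either way
}
```

Only the intermediate state differs: both orders end with a consistent SFI, which is why the bug is invisible without a reader racing the installation.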