[Backport] CVE-2021-30563: Type Confusion in V8

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/3027260: Merged: [compiler] Fix a bug in CodeGenerator::AddTranslationForOperand (cherry picked from commit 374354bfe4a30740b96936b33e522d6fcd1cda67) Bug: chromium:1228407 No-Try: true No-Presubmit: true No-Tree-Checks: true Change-Id: I358d8736b7b5f87300496cbb39a7689d8207d85f Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/branch-heads/9.1@{#77} Cr-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1} Cr-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
qt · Aug 4, 2021 · d20a32b · d20a32b
1 parent 82dbe6e
commit d20a32b
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/chromium/v8/src/compiler/backend/code-generator.cc b/chromium/v8/src/compiler/backend/code-generator.cc
@@ -1306,7 +1306,8 @@ void CodeGenerator::AddTranslationForOperand(Translation* translation,
       default:
         UNREACHABLE();
     }
-    if (literal.object().equals(info()->closure())) {
+    if (literal.object().equals(info()->closure()) &&
+        info()->function_context_specializing()) {
       translation->StoreJSFrameFunction();
     } else {
       int literal_id = DefineDeoptimizationLiteral(literal);