From d20a32ba7b33bff1ed13aeb7e523bdc7ecf8f02c Mon Sep 17 00:00:00 2001
From: Georg Neis <neis@chromium.org>
Date: Tue, 13 Jul 2021 17:26:47 +0200
Subject: [PATCH] [Backport] CVE-2021-30563: Type Confusion in V8

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3027260:
Merged: [compiler] Fix a bug in CodeGenerator::AddTranslationForOperand

(cherry picked from commit 374354bfe4a30740b96936b33e522d6fcd1cda67)

Bug: chromium:1228407
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I358d8736b7b5f87300496cbb39a7689d8207d85f
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/9.1@{#77}
Cr-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1}
Cr-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
 chromium/v8/src/compiler/backend/code-generator.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/chromium/v8/src/compiler/backend/code-generator.cc b/chromium/v8/src/compiler/backend/code-generator.cc
index 33a80f52d0d6..6f25ce706fd1 100644
--- a/chromium/v8/src/compiler/backend/code-generator.cc
+++ b/chromium/v8/src/compiler/backend/code-generator.cc
@@ -1306,7 +1306,8 @@ void CodeGenerator::AddTranslationForOperand(Translation* translation,
       default:
         UNREACHABLE();
     }
-    if (literal.object().equals(info()->closure())) {
+    if (literal.object().equals(info()->closure()) &&
+        info()->function_context_specializing()) {
       translation->StoreJSFrameFunction();
     } else {
       int literal_id = DefineDeoptimizationLiteral(literal);