Commit f336927

Georg Neis authored and mibrunin committed
[Backport] CVE-2021-30563: Type Confusion in V8
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/3027260:

Merged: [compiler] Fix a bug in CodeGenerator::AddTranslationForOperand

(cherry picked from commit 374354bfe4a30740b96936b33e522d6fcd1cda67)

Bug: chromium:1228407
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I358d8736b7b5f87300496cbb39a7689d8207d85f
Bot-Commit: Rubber Stamper <[email protected]>
Reviewed-by: Adam Klein <[email protected]>
Commit-Queue: Adam Klein <[email protected]>
Cr-Commit-Position: refs/branch-heads/9.1@{#77}
Cr-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1}
Cr-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
1 parent 113be2c, commit f336927

1 file changed

+2
-1
lines changed
chromium/v8/src/compiler/backend/code-generator.cc

Lines changed: 2 additions & 1 deletion
@@ -1376,7 +1376,8 @@ void CodeGenerator::AddTranslationForOperand(Instruction* instr,
13761376
default:
13771377
UNREACHABLE();
13781378
}
1379-
if (literal.object().equals(info()->closure())) {
1379+
if (literal.object().equals(info()->closure()) &&
1380+
info()->function_context_specializing()) {
13801381
translations_.StoreJSFrameFunction();
13811382
} else {
13821383
int literal_id = DefineDeoptimizationLiteral(literal);
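Review bot: the new `info()->function_context_specializing()` conjunct at lines 1379-1380 is the entire fix, yet it lands without a comment, so a later reader of `AddTranslationForOperand` cannot tell why equality with `info()->closure()` alone was not enough to emit `StoreJSFrameFunction()`. Suggest a short comment above the `if`, stating that recording the constant as "the function of this JS frame" is only valid when the code is specialized to that one closure, and that otherwise the constant must go through `DefineDeoptimizationLiteral(literal)` in the else branch like any other object. The commit touches one file and adds no regression test; if the original change on chromium-review 3027260 carried a test for chromium:1228407, it should be cherry-picked alongside this hunk so the 9.1 branch keeps the guard from regressing.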
