[Backport] Security bug 1171954
Partial cherry-pick (leaving out tests) of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2674008:
Merged: [interpreter] Store accumulator to callee after optional chain checks

Revision: df98901c19ce17ca995ee6750379b0f004210d68

BUG=chromium:1171954
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
[email protected]

Change-Id: If09e1503ca07b47a112362495ec0bb9d502118c9
Reviewed-by: Ross McIlroy <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.9@{#33}
Cr-Branched-From: 16b9bbbd581c25391981aa03180b76aa60463a3e-refs/heads/8.9.255@{#1}
Cr-Branched-From: d16a2a688498bd1c3e6a49edb25d8c4ca56232dc-refs/heads/master@{#72039}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
mythrialle authored and mibrunin committed Feb 19, 2021
1 parent 472fd21 commit 0b26b3a
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion chromium/v8/src/interpreter/bytecode-generator.cc
Expand Up @@ -4921,8 +4921,9 @@ void BytecodeGenerator::VisitCall(Call* expr) {
Property* property = chain->expression()->AsProperty();
BuildOptionalChain([&]() {
VisitAndPushIntoRegisterList(property->obj(), &args);
VisitPropertyLoadForRegister(args.last_register(), property, callee);
VisitPropertyLoad(args.last_register(), property);
});
builder()->StoreAccumulatorInRegister(callee);
break;
}
case Call::SUPER_CALL:
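
Review bot: The new `builder()->StoreAccumulatorInRegister(callee);` sits outside the `BuildOptionalChain` lambda with no comment saying why, and that placement is the whole fix. Going by the commit title ("Store accumulator to callee after optional chain checks"), the store has to run after the chain's checks rather than only inside the property-load path, so a one-line comment above it stating that `callee` must be written after `BuildOptionalChain` returns would keep a later cleanup from folding it back into the lambda as `VisitPropertyLoadForRegister(..., callee)`. The commit message also says this cherry-pick leaves out the tests from the original review, so the backport carries no regression test for the optional-chain call path in `VisitCall`; if the upstream test cannot be taken as is, it is worth recording where it lives so the branch can be checked against it.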