[compiler] Harden JSCallReducer::ReduceArrayIteratorPrototypeNext

Bug: chromium:1234764 Change-Id: I5b1053accf77331687939c789b7ed94df1219287 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3067327Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#76052}

[compiler] Harden JSCallReducer::ReduceArrayIteratorPrototypeNext
Bug: chromium:1234764 Change-Id: I5b1053accf77331687939c789b7ed94df1219287 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3067327Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#76052}
65b20a0e · Georg Neis · V8 LUCI CQ · 098835f7 · 65b20a0e
Commit 65b20a0e authored Aug 02, 2021 by Georg Neis Committed by V8 LUCI CQ Aug 03, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 4 deletions

js-call-reducer.cc src/compiler/js-call-reducer.cc +5 -4

No files found.
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -6249,11 +6249,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
  Node* etrue = effect;
  Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
  {
-    // We know that the {index} is range of the {length} now.
+    // This extra check exists to refine the type of {index} but also to break
+    // an exploitation technique that abuses typer mismatches.
    index = etrue = graph()->NewNode(
-        common()->TypeGuard(
-            Type::Range(0.0, length_access.type.Max() - 1.0, graph()->zone())),
-        index, etrue, if_true);
+        simplified()->CheckBounds(p.feedback(),
+                                  CheckBoundsFlag::kAbortOnOutOfBounds),
+        index, length, etrue, if_true);

    done_true = jsgraph()->FalseConstant();
    if (iteration_kind == IterationKind::kKeys) {