[Backport] CVE-2023-3420: Type Confusion in V8 (2/2)

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/4637129: Merged: [compiler] StackCheck can have side effects Bug: chromium:1452137 (cherry picked from commit e548943e473b020fdc1de6e5543ca31b24d8b7f9) Change-Id: Ibd7c9b02efd12341b452e4c34a635a58a817649f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4637129 Reviewed-by: Toon Verwaest <[email protected]> Commit-Queue: Tobias Tebbi <[email protected]> Auto-Submit: Tobias Tebbi <[email protected]> Commit-Queue: Toon Verwaest <[email protected]> Cr-Commit-Position: refs/branch-heads/11.4@{#49} Cr-Branched-From: 8a8a1e7086dacc426965d3875914efa66663c431-refs/heads/11.4.183@{#1} Cr-Branched-From: 5483d8e816e0bbce865cbbc3fa0ab357e6330bab-refs/heads/main@{#87241} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/489358 Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qt · Jul 11, 2023 · 8a2cbe9 · 8a2cbe9
1 parent 7d5063e
commit 8a2cbe9
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/chromium/v8/src/compiler/js-operator.cc b/chromium/v8/src/compiler/js-operator.cc
@@ -1400,7 +1400,7 @@ const Operator* JSOperatorBuilder::CloneObject(FeedbackSource const& feedback,
 const Operator* JSOperatorBuilder::StackCheck(StackCheckKind kind) {
   return zone()->New<Operator1<StackCheckKind>>(  // --
       IrOpcode::kJSStackCheck,                    // opcode
-      Operator::kNoWrite,                         // properties
+      Operator::kNoProperties,                    // properties
       "JSStackCheck",                             // name
       0, 1, 1, 0, 1, 2,                           // counts
       kind);                                      // parameter