From cc943be2c1ec358f12e7701667ef6ed33cc27096 Mon Sep 17 00:00:00 2001
From: Zakhar Voit <voit@google.com>
Date: Wed, 18 Aug 2021 06:02:05 +0000
Subject: [PATCH] [Backport] Security bug 1228036

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3101487:
[M90-LTS] [deoptimizer] Finish concurrent sweeping before overwriting ByteArrays

(cherry picked from commit b63a59619530cb26bf5d51f39ef4cb4c20952d5f)

Bug: chromium:1228036
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I5abe7009920d2c8f81f024c9ae7bb6b13607da1a
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#75932}
Commit-Queue: Zakhar Voit <voit@google.com>
Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
Cr-Commit-Position: refs/branch-heads/9.0@{#75}
Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1}
Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 chromium/v8/src/deoptimizer/translated-state.cc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/chromium/v8/src/deoptimizer/translated-state.cc b/chromium/v8/src/deoptimizer/translated-state.cc
index 7ace86fa7a9..0190b322c9f 100644
--- a/chromium/v8/src/deoptimizer/translated-state.cc
+++ b/chromium/v8/src/deoptimizer/translated-state.cc
@@ -525,6 +525,12 @@ Handle<Object> TranslatedValue::GetValue() {
     //    pass the verifier.
     container_->EnsureObjectAllocatedAt(this);
 
+    // Finish any sweeping so that it becomes safe to overwrite the ByteArray
+    // headers.
+    // TODO(hpayer): Find a cleaner way to support a group of
+    // non-fully-initialized objects.
+    isolate()->heap()->mark_compact_collector()->EnsureSweepingCompleted();
+
     // 2. Initialize the objects. If we have allocated only byte arrays
     //    for some objects, we now overwrite the byte arrays with the
     //    correct object fields. Note that this phase does not allocate
@@ -1398,9 +1404,9 @@ TranslatedValue* TranslatedState::GetValueByObjectIndex(int object_index) {
 }
 
 Handle<HeapObject> TranslatedState::InitializeObjectAt(TranslatedValue* slot) {
-  slot = ResolveCapturedObject(slot);
-
   DisallowGarbageCollection no_gc;
+
+  slot = ResolveCapturedObject(slot);
   if (slot->materialization_state() != TranslatedValue::kFinished) {
     std::stack<int> worklist;
     worklist.push(slot->object_index());