From d217134e930652188bce2111c0b56036a78aaea7 Mon Sep 17 00:00:00 2001
From: Georg Neis <neis@chromium.org>
Date: Mon, 12 Apr 2021 12:53:24 +0200
Subject: [PATCH] [Backport] CVE-2021-21224: Type Confusion in V8

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2838235:
M86-LTS: [compiler] Fix bug in RepresentationChanger::GetWord32RepresentationFor

We have to respect the TypeCheckKind.

(cherry picked from commit fd29e246f65a7cee130e72cd10f618f3b82af232)

No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:1195777
Change-Id: If1eed719fef79b7c61d99c29ba869ddd7985c413
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#73909}
Owners-Override: Achuith Bhandarkar <achuith@chromium.org>
Reviewed-by: Artem Sumaneev <asumaneev@google.com>
Commit-Queue: Achuith Bhandarkar <achuith@chromium.org>
Cr-Commit-Position: refs/branch-heads/8.6@{#79}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 chromium/v8/src/compiler/representation-change.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/chromium/v8/src/compiler/representation-change.cc b/chromium/v8/src/compiler/representation-change.cc
index 46207a8b4ed4..7e7940f780a7 100644
--- a/chromium/v8/src/compiler/representation-change.cc
+++ b/chromium/v8/src/compiler/representation-change.cc
@@ -949,10 +949,10 @@ Node* RepresentationChanger::GetWord32RepresentationFor(
     return node;
   } else if (output_rep == MachineRepresentation::kWord64) {
     if (output_type.Is(Type::Signed32()) ||
-        output_type.Is(Type::Unsigned32())) {
-      op = machine()->TruncateInt64ToInt32();
-    } else if (output_type.Is(cache_->kSafeInteger) &&
-               use_info.truncation().IsUsedAsWord32()) {
+        (output_type.Is(Type::Unsigned32()) &&
+         use_info.type_check() == TypeCheckKind::kNone) ||
+        (output_type.Is(cache_->kSafeInteger) &&
+         use_info.truncation().IsUsedAsWord32())) {
       op = machine()->TruncateInt64ToInt32();
     } else if (use_info.type_check() == TypeCheckKind::kSignedSmall ||
                use_info.type_check() == TypeCheckKind::kSigned32 ||