authorMichal Klocek <michal.klocek@qt.io>2018-05-08 10:46:48 +0200
committerMichal Klocek <michal.klocek@qt.io>2018-05-28 10:44:47 +0000
commit4b9accdb67edfa1587ffe4f8871090fdc6249a46 (patch)
tree48fd635418e925235d907c0098c50ec30f2d4944
parent49875ee5327ddf006a44a244e71b511795d38791 (diff)
[Backport] Security Bug 831984
Merged: [keys] Don't keep chain of OrderedHashSets in KeyAccumulator Revision: 7bb79b96bdd29c41acc8cf36c428dd66308e5b66 BUG=chromium:831984 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=ishell@chromium.org Reviewed-on: https://chromium-review.googlesource.com/1028233 Change-Id: I075d4cd0df179e7ed283017f00888bc8bc75b9e0 Reviewed-by: Viktor Engelmann <viktor.engelmann@qt.io> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/v8/src/keys.cc10
1 files changed, 8 insertions, 2 deletions
diff --git a/chromium/v8/src/keys.cc b/chromium/v8/src/keys.cc
index 9b6c8f3381f..f798aecc2fb 100644
--- a/chromium/v8/src/keys.cc
+++ b/chromium/v8/src/keys.cc
@@ -3,7 +3,6 @@
// found in the LICENSE file.
#include "src/keys.h"
-
#include "src/api-arguments.h"
#include "src/elements.h"
#include "src/factory.h"
@@ -77,7 +76,14 @@ void KeyAccumulator::AddKey(Handle<Object> key, AddKeyConversion convert) {
Handle<String>::cast(key)->AsArrayIndex(&index)) {
key = isolate_->factory()->NewNumberFromUint(index);
}
- keys_ = OrderedHashSet::Add(keys(), key);
+ Handle<OrderedHashSet> new_set = OrderedHashSet::Add(keys(), key);
+ if (*new_set != *keys_) {
+ // The keys_ Set is converted directly to a FixedArray in GetKeys which can
+ // be left-trimmer. Hence the previous Set should not keep a pointer to the
+ // new one.
+ keys_->set(OrderedHashSet::kNextTableIndex, Smi::kZero);
+ keys_ = new_set;
+ }
}
void KeyAccumulator::AddKeys(Handle<FixedArray> array,
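Review bot: The comment added above `keys_->set(OrderedHashSet::kNextTableIndex, Smi::kZero);` has a typo — `left-trimmer` should read `left-trimmed` — and it names the mechanism only obliquely, so I would spell out that OrderedHashSet::Add returns a fresh table when it rehashes and leaves the old table's next-table slot pointing at the new one, which is why the slot has to be cleared before GetKeys converts `keys_` in place. Something like `// OrderedHashSet::Add may rehash into a new table and leaves the old table's kNextTableIndex slot pointing at it. GetKeys converts keys_ in place to a FixedArray that can be left-trimmed, so that stale link from the old table must be cleared here.` Clearing the slot also means any iterator still holding the old table can no longer transition to the new one; that appears harmless for the accumulator, which seems to consume `keys_` only through GetKeys, but the comment should state that assumption so a later change that iterates `keys_` directly is warned. The enclosing AddKey function starts before this hunk.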