From ef84cee69e57564644e7a1bd4b1efbfc5a37bff0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= <targos@protonmail.com>
Date: Tue, 27 Aug 2019 09:51:09 +0200
Subject: [PATCH] deps: patch V8 to 7.7.299.8

PR-URL: https://github.com/nodejs/node/pull/29336
Refs: https://github.com/v8/v8/compare/7.7.299.4...7.7.299.8
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
---
 deps/v8/include/v8-version.h                  |  2 +-
 deps/v8/src/builtins/builtins-console.cc      | 16 +++++++
 deps/v8/src/flags/flag-definitions.h          |  2 +-
 .../unittests/api/access-check-unittest.cc    | 48 +++++++++++++++++++
 4 files changed, 66 insertions(+), 2 deletions(-)

diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 91d7633b0551e2..8c333c3e1ce79d 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 7
 #define V8_MINOR_VERSION 7
 #define V8_BUILD_NUMBER 299
-#define V8_PATCH_LEVEL 4
+#define V8_PATCH_LEVEL 8
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/builtins/builtins-console.cc b/deps/v8/src/builtins/builtins-console.cc
index 9ab3566cecf32a..28c9261ed41fdc 100644
--- a/deps/v8/src/builtins/builtins-console.cc
+++ b/deps/v8/src/builtins/builtins-console.cc
@@ -47,6 +47,22 @@ void ConsoleCall(
   CHECK(!isolate->has_scheduled_exception());
   if (!isolate->console_delegate()) return;
   HandleScope scope(isolate);
+
+  // Access check. The current context has to match the context of all
+  // arguments, otherwise the inspector might leak objects across contexts.
+  Handle<Context> context = handle(isolate->context(), isolate);
+  for (int i = 0; i < args.length(); ++i) {
+    Handle<Object> argument = args.at<Object>(i);
+    if (!argument->IsJSObject()) continue;
+
+    Handle<JSObject> argument_obj = Handle<JSObject>::cast(argument);
+    if (argument->IsAccessCheckNeeded(isolate) &&
+        !isolate->MayAccess(context, argument_obj)) {
+      isolate->ReportFailedAccessCheck(argument_obj);
+      return;
+    }
+  }
+
   debug::ConsoleCallArguments wrapper(args);
   Handle<Object> context_id_obj = JSObject::GetDataProperty(
       args.target(), isolate->factory()->console_context_id_symbol());
diff --git a/deps/v8/src/flags/flag-definitions.h b/deps/v8/src/flags/flag-definitions.h
index 40edde34437991..c32bb034078828 100644
--- a/deps/v8/src/flags/flag-definitions.h
+++ b/deps/v8/src/flags/flag-definitions.h
@@ -361,7 +361,7 @@ DEFINE_BOOL(enable_one_shot_optimization, true,
             "only be executed once")
 
 // Flag for sealed, frozen elements kind instead of dictionary elements kind
-DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, true,
+DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, false,
                      "Enable sealed, frozen elements kind")
 
 // Flags for data representation optimizations
diff --git a/deps/v8/test/unittests/api/access-check-unittest.cc b/deps/v8/test/unittests/api/access-check-unittest.cc
index 8bfb507a7c95aa..65e20d2510e130 100644
--- a/deps/v8/test/unittests/api/access-check-unittest.cc
+++ b/deps/v8/test/unittests/api/access-check-unittest.cc
@@ -71,4 +71,52 @@ TEST_F(AccessCheckTest, GetOwnPropertyDescriptor) {
              "    .set.call(other, 42);");
 }
 
+namespace {
+bool failed_access_check_callback_called;
+
+v8::Local<v8::String> v8_str(const char* x) {
+  return v8::String::NewFromUtf8(v8::Isolate::GetCurrent(), x,
+                                 v8::NewStringType::kNormal)
+      .ToLocalChecked();
+}
+
+class AccessCheckTestConsoleDelegate : public debug::ConsoleDelegate {
+ public:
+  void Log(const debug::ConsoleCallArguments& args,
+           const debug::ConsoleContext& context) {
+    FAIL();
+  }
+};
+
+}  // namespace
+
+// Ensure that {console.log} does an access check for its arguments.
+TEST_F(AccessCheckTest, ConsoleLog) {
+  isolate()->SetFailedAccessCheckCallbackFunction(
+      [](v8::Local<v8::Object> host, v8::AccessType type,
+         v8::Local<v8::Value> data) {
+        failed_access_check_callback_called = true;
+      });
+  AccessCheckTestConsoleDelegate console{};
+  debug::SetConsoleDelegate(isolate(), &console);
+
+  Local<ObjectTemplate> object_template = ObjectTemplate::New(isolate());
+  object_template->SetAccessCheckCallback(AccessCheck);
+
+  Local<Context> context1 = Context::New(isolate(), nullptr);
+  Local<Context> context2 = Context::New(isolate(), nullptr);
+
+  Local<Object> object1 =
+      object_template->NewInstance(context1).ToLocalChecked();
+  EXPECT_TRUE(context2->Global()
+                  ->Set(context2, v8_str("object_from_context1"), object1)
+                  .IsJust());
+
+  Context::Scope context_scope(context2);
+  failed_access_check_callback_called = false;
+  CompileRun(isolate(), "console.log(object_from_context1);").ToLocalChecked();
+
+  ASSERT_TRUE(failed_access_check_callback_called);
+}
+
 }  // namespace v8