deps: patch V8 to 7.7.299.8

PR-URL: #29336
Refs: v8/v8@7.7.299.4...7.7.299.8
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Jiawen Geng <[email protected]>
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>

Author: targos

deps/v8/include/v8-version.h

@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 7
 #define V8_MINOR_VERSION 7
 #define V8_BUILD_NUMBER 299
-#define V8_PATCH_LEVEL 4
+#define V8_PATCH_LEVEL 8
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

deps/v8/src/builtins/builtins-console.cc

@@ -47,6 +47,22 @@ void ConsoleCall(
   CHECK(!isolate->has_scheduled_exception());
   if (!isolate->console_delegate()) return;
   HandleScope scope(isolate);
+
+  // Access check. The current context has to match the context of all
+  // arguments, otherwise the inspector might leak objects across contexts.
+  Handle<Context> context = handle(isolate->context(), isolate);
+  for (int i = 0; i < args.length(); ++i) {
+    Handle<Object> argument = args.at<Object>(i);
+    if (!argument->IsJSObject()) continue;
+
+    Handle<JSObject> argument_obj = Handle<JSObject>::cast(argument);
+    if (argument->IsAccessCheckNeeded(isolate) &&
+        !isolate->MayAccess(context, argument_obj)) {
+      isolate->ReportFailedAccessCheck(argument_obj);
+      return;
+    }
+  }
+
   debug::ConsoleCallArguments wrapper(args);
   Handle<Object> context_id_obj = JSObject::GetDataProperty(
       args.target(), isolate->factory()->console_context_id_symbol());

deps/v8/src/flags/flag-definitions.h

@@ -361,7 +361,7 @@ DEFINE_BOOL(enable_one_shot_optimization, true,
             "only be executed once")
 
 // Flag for sealed, frozen elements kind instead of dictionary elements kind
-DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, true,
+DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, false,
                      "Enable sealed, frozen elements kind")
 
 // Flags for data representation optimizations

deps/v8/test/unittests/api/access-check-unittest.cc

@@ -71,4 +71,52 @@ TEST_F(AccessCheckTest, GetOwnPropertyDescriptor) {
              "    .set.call(other, 42);");
 }
 
+namespace {
+bool failed_access_check_callback_called;
+
+v8::Local<v8::String> v8_str(const char* x) {
+  return v8::String::NewFromUtf8(v8::Isolate::GetCurrent(), x,
+                                 v8::NewStringType::kNormal)
+      .ToLocalChecked();
+}
+
+class AccessCheckTestConsoleDelegate : public debug::ConsoleDelegate {
+ public:
+  void Log(const debug::ConsoleCallArguments& args,
+           const debug::ConsoleContext& context) {
+    FAIL();
+  }
+};
+
+}  // namespace
+
+// Ensure that {console.log} does an access check for its arguments.
+TEST_F(AccessCheckTest, ConsoleLog) {
+  isolate()->SetFailedAccessCheckCallbackFunction(
+      [](v8::Local<v8::Object> host, v8::AccessType type,
+         v8::Local<v8::Value> data) {
+        failed_access_check_callback_called = true;
+      });
+  AccessCheckTestConsoleDelegate console{};
+  debug::SetConsoleDelegate(isolate(), &console);
+
+  Local<ObjectTemplate> object_template = ObjectTemplate::New(isolate());
+  object_template->SetAccessCheckCallback(AccessCheck);
+
+  Local<Context> context1 = Context::New(isolate(), nullptr);
+  Local<Context> context2 = Context::New(isolate(), nullptr);
+
+  Local<Object> object1 =
+      object_template->NewInstance(context1).ToLocalChecked();
+  EXPECT_TRUE(context2->Global()
+                  ->Set(context2, v8_str("object_from_context1"), object1)
+                  .IsJust());
+
+  Context::Scope context_scope(context2);
+  failed_access_check_callback_called = false;
+  CompileRun(isolate(), "console.log(object_from_context1);").ToLocalChecked();
+
+  ASSERT_TRUE(failed_access_check_callback_called);
+}
+
 }  // namespace v8