Level 7 of PwnCollegeV8Exploitation

JavaScript/PwnCollegeV8Exploitation/Level7/patch

@@ -0,0 +1,72 @@
+diff --git a/src/compiler/turboshaft/machine-lowering-reducer-inl.h b/src/compiler/turboshaft/machine-lowering-reducer-inl.h
+index 170db78717b..17b0fe5c4e9 100644
+--- a/src/compiler/turboshaft/machine-lowering-reducer-inl.h
++++ b/src/compiler/turboshaft/machine-lowering-reducer-inl.h
+@@ -2740,7 +2740,7 @@ class MachineLoweringReducer : public Next {
+                             const ZoneRefSet<Map>& maps, CheckMapsFlags flags,
+                             const FeedbackSource& feedback) {
+     if (maps.is_empty()) {
+-      __ Deoptimize(frame_state, DeoptimizeReason::kWrongMap, feedback);
++      //__ Deoptimize(frame_state, DeoptimizeReason::kWrongMap, feedback);
+       return {};
+     }
+ 
+@@ -2749,14 +2749,14 @@ class MachineLoweringReducer : public Next {
+       IF_NOT (LIKELY(CompareMapAgainstMultipleMaps(heap_object_map, maps))) {
+         // Reloading the map slightly reduces register pressure, and we are on a
+         // slow path here anyway.
+-        MigrateInstanceOrDeopt(heap_object, __ LoadMapField(heap_object),
+-                               frame_state, feedback);
+-        __ DeoptimizeIfNot(__ CompareMaps(heap_object, maps), frame_state,
+-                           DeoptimizeReason::kWrongMap, feedback);
++        //MigrateInstanceOrDeopt(heap_object, __ LoadMapField(heap_object),
++        //                       frame_state, feedback);
++        //__ DeoptimizeIfNot(__ CompareMaps(heap_object, maps), frame_state,
++        //                   DeoptimizeReason::kWrongMap, feedback);
+       }
+     } else {
+-      __ DeoptimizeIfNot(__ CompareMaps(heap_object, maps), frame_state,
+-                         DeoptimizeReason::kWrongMap, feedback);
++      //__ DeoptimizeIfNot(__ CompareMaps(heap_object, maps), frame_state,
++      //                   DeoptimizeReason::kWrongMap, feedback);
+     }
+     // Inserting a AssumeMap so that subsequent optimizations know the map of
+     // this object.
+diff --git a/src/d8/d8.cc b/src/d8/d8.cc
+index facf0d86d79..382c015bc48 100644
+--- a/src/d8/d8.cc
++++ b/src/d8/d8.cc
+@@ -3364,7 +3364,7 @@ Local<FunctionTemplate> Shell::CreateNodeTemplates(
+ 
+ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
+   Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
+-  global_template->Set(Symbol::GetToStringTag(isolate),
++/*  global_template->Set(Symbol::GetToStringTag(isolate),
+                        String::NewFromUtf8Literal(isolate, "global"));
+   global_template->Set(isolate, "version",
+                        FunctionTemplate::New(isolate, Version));
+@@ -3385,13 +3385,13 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
+   global_template->Set(isolate, "readline",
+                        FunctionTemplate::New(isolate, ReadLine));
+   global_template->Set(isolate, "load",
+-                       FunctionTemplate::New(isolate, ExecuteFile));
++                       FunctionTemplate::New(isolate, ExecuteFile));*/
+   global_template->Set(isolate, "setTimeout",
+                        FunctionTemplate::New(isolate, SetTimeout));
+   // Some Emscripten-generated code tries to call 'quit', which in turn would
+   // call C's exit(). This would lead to memory leaks, because there is no way
+   // we can terminate cleanly then, so we need a way to hide 'quit'.
+-  if (!options.omit_quit) {
++/*  if (!options.omit_quit) {
+     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
+   }
+   global_template->Set(isolate, "testRunner",
+@@ -3410,7 +3410,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
+   if (i::v8_flags.expose_async_hooks) {
+     global_template->Set(isolate, "async_hooks",
+                          Shell::CreateAsyncHookTemplate(isolate));
+-  }
++  }*/
+ 
+   return global_template;
+ }