From 611f423e1b1e10f1c074319fb1f01f7b705a3208 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?=
Date: Sat, 4 Aug 2018 18:09:52 +0200
Subject: [PATCH] deps: patch V8 to 6.8.275.30
Refs: https://github.com/v8/v8/compare/6.8.275.24...6.8.275.30
PR-URL: https://github.com/nodejs/node/pull/22125
Reviewed-By: James M Snell
Reviewed-By: Ali Ijaz Sheikh
---
 deps/v8/include/v8-version.h | 2 +-
 deps/v8/src/code-stub-assembler.cc | 5 +++--
 .../v8/src/compiler/ppc/code-generator-ppc.cc | 10 +++++----
 .../src/compiler/s390/code-generator-s390.cc | 10 +++++----
 .../mjsunit/regress/regress-crbug-867776.js | 22 +++++++++++++++++++
 5 files changed, 38 insertions(+), 11 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-867776.js
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index e57efc3084acba..e52b5742f595ac 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 8
 #define V8_BUILD_NUMBER 275
-#define V8_PATCH_LEVEL 24
+#define V8_PATCH_LEVEL 30
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/code-stub-assembler.cc b/deps/v8/src/code-stub-assembler.cc
index 7d3f71bc9df502..9a51017899dc97 100644
--- a/deps/v8/src/code-stub-assembler.cc
+++ b/deps/v8/src/code-stub-assembler.cc
@@ -8816,13 +8816,14 @@ void CodeStubAssembler::EmitBigTypedArrayElementStore(
 TNode object, TNode elements, TNode intptr_key, TNode value, TNode context, Label* opt_if_neutered) {
+ TNode bigint_value = ToBigInt(context, value);
+
 if (opt_if_neutered != nullptr) {
- // Check if buffer has been neutered.
+ // Check if buffer has been neutered. Must happen after {ToBigInt}!
 Node* buffer = LoadObjectField(object, JSArrayBufferView::kBufferOffset);
 GotoIf(IsDetachedBuffer(buffer), opt_if_neutered);
 }
- TNode bigint_value = ToBigInt(context, value);
 TNode backing_store = LoadFixedTypedArrayBackingStore(elements);
 TNode offset = ElementOffsetFromIndex(intptr_key, BIGINT64_ELEMENTS, INTPTR_PARAMETERS, 0);
diff --git a/deps/v8/src/compiler/ppc/code-generator-ppc.cc b/deps/v8/src/compiler/ppc/code-generator-ppc.cc
index 54a0b0e67c18d9..f25fae6dfed854 100644
--- a/deps/v8/src/compiler/ppc/code-generator-ppc.cc
+++ b/deps/v8/src/compiler/ppc/code-generator-ppc.cc
@@ -1053,11 +1053,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
 case kArchPrepareTailCall:
 AssemblePrepareTailCall();
 break;
- case kArchComment: {
- Address comment_string = i.InputExternalReference(0).address();
- __ RecordComment(reinterpret_cast(comment_string));
+ case kArchComment:
+#ifdef V8_TARGET_ARCH_PPC64
+ __ RecordComment(reinterpret_cast(i.InputInt64(0)));
+#else
+ __ RecordComment(reinterpret_cast(i.InputInt32(0)));
+#endif
 break;
- }
 case kArchCallCFunction: {
 int const num_parameters = MiscField::decode(instr->opcode());
 if (instr->InputAt(0)->IsImmediate()) {
diff --git a/deps/v8/src/compiler/s390/code-generator-s390.cc b/deps/v8/src/compiler/s390/code-generator-s390.cc
index 81bd8266c046c4..7ecbc405cd1bad 100644
--- a/deps/v8/src/compiler/s390/code-generator-s390.cc
+++ b/deps/v8/src/compiler/s390/code-generator-s390.cc
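Review bot: The relocated `ToBigInt(context, value)` is only followed by a detach check when `opt_if_neutered` is non-null; on the nullptr path the conversion can still run user code (the regression test in this patch uses a `valueOf` that neuters the buffer) and control then falls straight through to `LoadFixedTypedArrayBackingStore(elements)` with no detach check at all. If the nullptr contract is that `value` is already a BigInt, or that the caller has ruled out detachment, that precondition belongs on the branch, e.g. `// opt_if_neutered == nullptr: caller guarantees the conversion above cannot run user code that detaches {object}'s buffer.`; otherwise the nullptr path needs its own check. EmitBigTypedArrayElementStore's body continues past the hunk and its callers are not in this diff, so I cannot confirm which of the two it is from here.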
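Review bot: The new `kArchComment` arm decodes input 0 as a raw Int64/Int32 immediate and reinterprets it as the comment string pointer, whereas the removed lines decoded it as an external reference; this is only correct if the instruction selector that emits kArchComment on this port now encodes the string address as a pointer-sized integer immediate, and that selector is not part of this patch, so the two sides should be checked against each other. A comment above the `#ifdef` would save the next reader the same hunt, e.g. `// Input 0 is the comment string's address, encoded as a pointer-sized immediate.` The `#ifdef V8_TARGET_ARCH_PPC64` split duplicates the RecordComment call solely to select the immediate width, so the two branches can drift if one is edited later; if the operand converter offers a pointer-width accessor, a single call would be preferable. The same change and the same remarks apply to the s390 hunk (`V8_TARGET_ARCH_S390X`) in this patch.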
@@ -1357,11 +1357,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
 ArchOpcode opcode = ArchOpcodeField::decode(instr->opcode());
 switch (opcode) {
- case kArchComment: {
- Address comment_string = i.InputExternalReference(0).address();
- __ RecordComment(reinterpret_cast(comment_string));
+ case kArchComment:
+#ifdef V8_TARGET_ARCH_S390X
+ __ RecordComment(reinterpret_cast(i.InputInt64(0)));
+#else
+ __ RecordComment(reinterpret_cast(i.InputInt32(0)));
+#endif
 break;
- }
 case kArchCallCodeObject: {
 if (HasRegisterInput(instr, 0)) {
 __ AddP(ip, i.InputRegister(0),
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-867776.js b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js
new file mode 100644
index 00000000000000..f108f2acc463ce
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js
@@ -0,0 +1,22 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+for (var i = 0; i < 3; i++) {
+ var array = new BigInt64Array(200);
+
+ function evil_callback() {
+ %ArrayBufferNeuter(array.buffer);
+ gc();
+ return 1094795585n;
+ }
+
+ var evil_object = {valueOf: evil_callback};
+ var root;
+ try {
+ root = BigInt64Array.of.call(function() { return array }, evil_object);
+ } catch(e) {}
+ gc();
+}
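Review bot: The `try { … } catch(e) {}` around the `BigInt64Array.of` call swallows every exception, so the test only establishes that the engine does not crash, not what it reports for a target whose buffer was detached during the BigInt conversion. If a TypeError is the intended outcome, mjsunit's `assertThrows(() => BigInt64Array.of.call(function() { return array }, evil_object), TypeError);` would pin it; if a crash-free run is all that is being asserted, a comment above the loop should say so and name the bug, e.g. `// crbug 867776: valueOf neuters the target buffer during the BigInt conversion; must not crash.` `root` is assigned but never read and could be dropped.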