author | Michaël Zasso <targos@protonmail.com> | 2018-11-03 15:20:30 +0300 |
---|---|---|
committer | Michaël Zasso <targos@protonmail.com> | 2018-11-06 16:44:10 +0300 |
commit | f49b9e9c84394c7647e4d15f8a5d4ae2d8df3cdc (patch) | |
tree | 0c5b19778e7849100cc93a167c900ba8a44709b0 /deps | |
parent | 6f54a7ace894fd1402621148f65338cc59cdb4be (diff) |
deps: patch V8 to 7.0.276.35
Refs: https://github.com/v8/v8/compare/7.0.276.32...7.0.276.35
PR-URL: https://github.com/nodejs/node/pull/24056
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Diffstat (limited to 'deps')
-rw-r--r-- | deps/v8/include/v8-version.h | 2 | ||||
-rw-r--r-- | deps/v8/infra/testing/builders.pyl | 9 | ||||
-rw-r--r-- | deps/v8/src/runtime/runtime-array.cc | 12 | ||||
-rw-r--r-- | deps/v8/test/mjsunit/regress/regress-897512.js | 24 | ||||
-rw-r--r-- | deps/v8/third_party/v8/builtins/array-sort.tq | 40 | ||||
-rwxr-xr-x | deps/v8/tools/v8_presubmit.py (renamed from deps/v8/tools/presubmit.py) | 0 |
6 files changed, 50 insertions, 37 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 360d80865ca..e476dff7bce 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 7
 #define V8_MINOR_VERSION 0
 #define V8_BUILD_NUMBER 276
-#define V8_PATCH_LEVEL 32
+#define V8_PATCH_LEVEL 35
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/infra/testing/builders.pyl b/deps/v8/infra/testing/builders.pyl
index bf24d2c9954..31aef9c3214 100644
--- a/deps/v8/infra/testing/builders.pyl
+++ b/deps/v8/infra/testing/builders.pyl
@@ -685,11 +685,6 @@
 {'name': 'mozilla'},
 ],
 },
- 'V8 Linux - presubmit': {
- 'tests': [
- {'name': 'presubmit'},
- ],
- },
 'V8 Linux - shared': {
 'tests': [
 {'name': 'mozilla'},
@@ -1514,7 +1509,6 @@
 },
 'tests': [
 {'name': 'mozilla'},
- {'name': 'presubmit'},
 {'name': 'test262'},
 {'name': 'v8testing'},
 ],
@@ -1527,7 +1521,6 @@
 },
 'tests': [
 {'name': 'mozilla'},
- {'name': 'presubmit'},
 {'name': 'test262'},
 {'name': 'v8testing', 'shards': 3},
 ],
@@ -1540,7 +1533,6 @@
 },
 'tests': [
 {'name': 'mozilla'},
- {'name': 'presubmit'},
 {'name': 'test262'},
 {'name': 'v8testing'},
 ],
@@ -1553,7 +1545,6 @@
 },
 'tests': [
 {'name': 'mozilla'},
- {'name': 'presubmit'},
 {'name': 'test262'},
 {'name': 'v8testing', 'shards': 3},
 ],
diff --git a/deps/v8/src/runtime/runtime-array.cc b/deps/v8/src/runtime/runtime-array.cc
index 31b03f6bb75..d72159b0acf 100644
--- a/deps/v8/src/runtime/runtime-array.cc
+++ b/deps/v8/src/runtime/runtime-array.cc
@@ -145,7 +145,15 @@ Object* RemoveArrayHolesGeneric(Isolate* isolate, Handle<JSReceiver> receiver,
 MAYBE_RETURN(delete_result, ReadOnlyRoots(isolate).exception());
 }
- return *isolate->factory()->NewNumberFromUint(result);
+ // TODO(jgruber, szuend, chromium:897512): This is a workaround to prevent
+ // returning a number greater than array.length to Array.p.sort, which could
+ // trigger OOB accesses. There is still a correctness bug here though in
+ // how we shift around undefineds and delete elements in the two blocks above.
+ // This needs to be fixed soon.
+ const uint32_t number_of_non_undefined_elements = std::min(limit, result);
+
+ return *isolate->factory()->NewNumberFromUint(
+ number_of_non_undefined_elements);
 }
 // Collects all defined (non-hole) and non-undefined (array) elements at the
@@ -162,6 +170,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
 Handle<JSObject> object = Handle<JSObject>::cast(receiver);
 if (object->HasStringWrapperElements()) {
 int len = String::cast(Handle<JSValue>::cast(object)->value())->length();
+ DCHECK_LE(len, limit);
 return Smi::FromInt(len);
 }
@@ -284,6 +293,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
 }
 }
+ DCHECK_LE(result, limit);
 return *isolate->factory()->NewNumberFromUint(result);
 }
diff --git a/deps/v8/test/mjsunit/regress/regress-897512.js b/deps/v8/test/mjsunit/regress/regress-897512.js
new file mode 100644
index 00000000000..0e676a06c2a
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-897512.js
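Review bot: The clamp `std::min(limit, result)` makes the value handed to Array.prototype.sort safe to index with, but it leaves no release-build trace when the two blocks above really did move elements past `limit` — and the regression test added in this commit shows that case is reachable (length 39 becomes 101 after sort), so whoever later removes the workaround has no statement of the invariant to preserve. State the caller contract next to the clamp, e.g. `// Array.p.sort indexes the receiver with this count; it must never exceed limit (chromium:897512).`, so the bound survives the eventual fix of the shifting logic. `std::min` lives in `<algorithm>` and the hunk shows no include change; if runtime-array.cc does not already include it directly, add it rather than rely on a transitive include. The unqualified `std::min` also requires `limit` (declared in the signature outside the hunk, presumably `uint32_t`) to have exactly the type of `result`; RemoveArrayHolesGeneric's body starts outside this hunk.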
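Review bot: `DCHECK_LE(result, limit)` before the return is compiled out in release builds, so on this path the count that Array.prototype.sort will index with is bounded only by the logic above it, not by any runtime check — unlike the generic path, which now clamps. Given that the whole patch exists because an over-large count reaches the sorter and causes out-of-bounds accesses, a release-mode `CHECK_LE(result, limit);` (one integer compare per sort call) would be a cheap last line of defence here, if the V8 maintainers consider the cost acceptable. The same applies to the `DCHECK_LE(len, limit)` on the string-wrapper path in the previous hunk, though there the string length is a non-writable property and the bound is harder to violate. RemoveArrayHoles's body starts outside this hunk.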
@@ -0,0 +1,24 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Fill up the Array prototype's elements.
+for (let i = 0; i < 100; i++) Array.prototype.unshift(3.14);
+
+// Create a holey double elements array.
+const o31 = [1.1];
+o31[37] = 2.2;
+
+// Concat converts to dictionary elements.
+const o51 = o31.concat(false);
+
+// Set one element to undefined to trigger the movement bug.
+o51[0] = undefined;
+
+assertEquals(o51.length, 39);
+
+// Sort triggers the bug.
+o51.sort();
+
+// TODO(chromium:897512): The length should be 39.
+assertEquals(o51.length, 101);
diff --git a/deps/v8/third_party/v8/builtins/array-sort.tq b/deps/v8/third_party/v8/builtins/array-sort.tq
index a94b4329350..3f5a3b19b7a 100644
--- a/deps/v8/third_party/v8/builtins/array-sort.tq
+++ b/deps/v8/third_party/v8/builtins/array-sort.tq
@@ -1742,7 +1742,6 @@ module array {
 // 2. Let obj be ? ToObject(this value).
 const obj: JSReceiver = ToObject(context, receiver);
- let map: Map = obj.map;
 const sort_state: FixedArray = AllocateZeroedFixedArray(kSortStateSize);
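Review bot: Both `assertEquals` calls pass the observed value first, but mjsunit's `assertEquals(expected, found, name_opt)` takes the expected value first, so a failure would print the two sides swapped; write `assertEquals(39, o51.length);` and `assertEquals(101, o51.length);`. The final assertion intentionally pins the still-wrong length (101 instead of 39) so the test flips when the element-moving bug is fixed, which the TODO hints at but does not say outright — a comment such as `// Deliberately asserts the current (buggy) length so this test flips when the move bug is fixed; update to 39 then.` would stop a future reader from taking 101 as the intended result. It would also be worth an assertion that the sort did not throw or hang, which is the actual safety property this regression guards, e.g. a short comment stating that reaching the last line is the point of the test.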
@@ -1752,25 +1751,27 @@ module array {
 sort_state[kUserCmpFnIdx] = comparefnObj;
 sort_state[kSortComparePtrIdx] = comparefnObj != Undefined ? SortCompareUserFn : SortCompareDefault;
- sort_state[kInitialReceiverMapIdx] = map;
 sort_state[kBailoutStatusIdx] = kSuccess;
+ // 3. Let len be ? ToLength(? Get(obj, "length")).
+ const len: Number =
+ ToLength_Inline(context, GetProperty(context, obj, 'length'));
+ if (len < 2) return receiver;
+
+ // TODO(szuend): Investigate performance tradeoff of skipping this step
+ // for PACKED_* and handling Undefineds during sorting.
+ const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
+ assert(nofNonUndefined <= len);
+
+ let map: Map = obj.map;
+ sort_state[kInitialReceiverMapIdx] = map;
+ sort_state[kInitialReceiverLengthIdx] = len;
+
 try {
 const a: JSArray = cast<JSArray>(obj) otherwise slow;
 const elementsKind: ElementsKind = map.elements_kind;
 if (!IsFastElementsKind(elementsKind)) goto slow;
- // 3. Let len be ? ToLength(? Get(obj, "length")).
- const len: Smi = a.length_fast;
- if (len < 2) return receiver;
-
- // TODO(szuend): Investigate performance tradeoff of skipping this step
- // for PACKED_* and handling Undefineds during sorting.
- const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
- assert(a.map == map);
-
- sort_state[kInitialReceiverLengthIdx] = len;
-
 if (IsDoubleElementsKind(elementsKind)) {
 InitializeSortStateAccessor<FastDoubleElements>(sort_state);
 } else if (elementsKind == PACKED_SMI_ELEMENTS) {
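Review bot: `assert(nofNonUndefined <= len)` is the only bound between the count the runtime returns and the indices ArrayTimSort will touch, and a Torque `assert` is compiled out in release builds, so in production this path's memory safety rests entirely on the `std::min` clamp in RemoveArrayHolesGeneric and on DCHECKs in the other runtime paths. Since this is one Smi/Number comparison after a runtime call that already dominates the cost, a release-mode `check(nofNonUndefined <= len);` (if this Torque revision provides `check`) would be a cheap last line of defence against exactly the out-of-bounds access the patch is working around. Note also that `len` is now a `Number` on the fast path where it was `a.length_fast: Smi` before; the slow path already stored a `Number` in `kInitialReceiverLengthIdx`, so readers of that slot presumably cope with a HeapNumber, but the comparison and the accessor code outside the hunk are worth confirming. Reading `obj.map` only after PrepareElementsForSort is the right order, since that call can change the elements kind, as the removed slow-path comment said. The enclosing builtin starts and ends outside this hunk.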
@@ -1781,19 +1782,6 @@ module array {
 ArrayTimSort(context, sort_state, nofNonUndefined);
 } label slow {
- // 3. Let len be ? ToLength(? Get(obj, "length")).
- const len: Number =
- ToLength_Inline(context, GetProperty(context, obj, 'length'));
-
- if (len < 2) return receiver;
- const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
-
- sort_state[kInitialReceiverLengthIdx] = len;
-
- // Reload the map, PrepareElementsForSort might have changed the
- // elements kind.
- map = obj.map;
-
 if (map.elements_kind == DICTIONARY_ELEMENTS && IsExtensibleMap(map) && !IsCustomElementsReceiverInstanceType(map.instance_type)) {
 InitializeSortStateAccessor<DictionaryElements>(sort_state);
diff --git a/deps/v8/tools/presubmit.py b/deps/v8/tools/v8_presubmit.py
index 13b4abd86cf..13b4abd86cf 100755
--- a/deps/v8/tools/presubmit.py
+++ b/deps/v8/tools/v8_presubmit.py |