author | Michaël Zasso <targos@protonmail.com> | 2018-08-04 18:09:52 +0200 |
---|---|---|
committer | Michaël Zasso <targos@protonmail.com> | 2018-08-21 13:22:04 +0200 |
commit | 0f85e20d3ecca6e7bf8ca3a290960b21a86c5a12 (patch) | |
tree | 0001ed5493708a721ed9f4fd5c99afd44756732a | |
parent | 6e9e150b6a1746df899b68158dd540b4e790eff8 (diff) | |
download | node-new-0f85e20d3ecca6e7bf8ca3a290960b21a86c5a12.tar.gz |
deps: patch V8 to 6.8.275.30
Refs: https://github.com/v8/v8/compare/6.8.275.24...6.8.275.30
PR-URL: https://github.com/nodejs/node/pull/22125
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
-rw-r--r-- | deps/v8/include/v8-version.h | 2 | ||||
-rw-r--r-- | deps/v8/src/code-stub-assembler.cc | 5 | ||||
-rw-r--r-- | deps/v8/src/compiler/ppc/code-generator-ppc.cc | 10 | ||||
-rw-r--r-- | deps/v8/src/compiler/s390/code-generator-s390.cc | 10 | ||||
-rw-r--r-- | deps/v8/test/mjsunit/regress/regress-crbug-867776.js | 22 |
5 files changed, 38 insertions, 11 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index e57efc3084..e52b5742f5 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 6 #define V8_MINOR_VERSION 8 #define V8_BUILD_NUMBER 275 -#define V8_PATCH_LEVEL 24 +#define V8_PATCH_LEVEL 30 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/code-stub-assembler.cc b/deps/v8/src/code-stub-assembler.cc index 7d3f71bc9d..9a51017899 100644 --- a/deps/v8/src/code-stub-assembler.cc +++ b/deps/v8/src/code-stub-assembler.cc @@ -8816,13 +8816,14 @@ void CodeStubAssembler::EmitBigTypedArrayElementStore( TNode<JSTypedArray> object, TNode<FixedTypedArrayBase> elements, TNode<IntPtrT> intptr_key, TNode<Object> value, TNode<Context> context, Label* opt_if_neutered) { + TNode<BigInt> bigint_value = ToBigInt(context, value); + if (opt_if_neutered != nullptr) { - // Check if buffer has been neutered. + // Check if buffer has been neutered. Must happen after {ToBigInt}! Node* buffer = LoadObjectField(object, JSArrayBufferView::kBufferOffset); GotoIf(IsDetachedBuffer(buffer), opt_if_neutered); } - TNode<BigInt> bigint_value = ToBigInt(context, value); TNode<RawPtrT> backing_store = LoadFixedTypedArrayBackingStore(elements); TNode<IntPtrT> offset = ElementOffsetFromIndex(intptr_key, BIGINT64_ELEMENTS, INTPTR_PARAMETERS, 0); diff --git a/deps/v8/src/compiler/ppc/code-generator-ppc.cc b/deps/v8/src/compiler/ppc/code-generator-ppc.cc index 54a0b0e67c..f25fae6dfe 100644 --- a/deps/v8/src/compiler/ppc/code-generator-ppc.cc +++ b/deps/v8/src/compiler/ppc/code-generator-ppc.cc 
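Review bot: In `EmitBigTypedArrayElementStore` the detached-buffer check is still skipped entirely when `opt_if_neutered` is nullptr, so on that path nothing re-validates the buffer after `ToBigInt(context, value)`. The regression test added in this commit shows that the conversion can run a user-supplied `valueOf` which detaches the buffer. Whether any caller passes nullptr is not visible in this hunk; if one does, it needs its own check after the conversion, which is worth confirming. The updated comment would also be clearer if it gave the reason, e.g. `// ToBigInt can run user JS that detaches the buffer, so check only afterwards.` The function body continues past the end of the hunk.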
@@ -1053,11 +1053,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction( case kArchPrepareTailCall: AssemblePrepareTailCall(); break; - case kArchComment: { - Address comment_string = i.InputExternalReference(0).address(); - __ RecordComment(reinterpret_cast<const char*>(comment_string)); + case kArchComment: +#ifdef V8_TARGET_ARCH_PPC64 + __ RecordComment(reinterpret_cast<const char*>(i.InputInt64(0))); +#else + __ RecordComment(reinterpret_cast<const char*>(i.InputInt32(0))); +#endif break; - } case kArchCallCFunction: { int const num_parameters = MiscField::decode(instr->opcode()); if (instr->InputAt(0)->IsImmediate()) { diff --git a/deps/v8/src/compiler/s390/code-generator-s390.cc b/deps/v8/src/compiler/s390/code-generator-s390.cc index 81bd8266c0..7ecbc405cd 100644 --- a/deps/v8/src/compiler/s390/code-generator-s390.cc +++ b/deps/v8/src/compiler/s390/code-generator-s390.cc @@ -1357,11 +1357,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction( ArchOpcode opcode = ArchOpcodeField::decode(instr->opcode()); switch (opcode) { - case kArchComment: { - Address comment_string = i.InputExternalReference(0).address(); - __ RecordComment(reinterpret_cast<const char*>(comment_string)); + case kArchComment: +#ifdef V8_TARGET_ARCH_S390X + __ RecordComment(reinterpret_cast<const char*>(i.InputInt64(0))); +#else + __ RecordComment(reinterpret_cast<const char*>(i.InputInt32(0))); +#endif break; - } case kArchCallCodeObject: { if (HasRegisterInput(instr, 0)) { __ AddP(ip, i.InputRegister(0), diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-867776.js b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js new file mode 100644 index 0000000000..f108f2acc4 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js 
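Review bot: The new `kArchComment` case turns an integer immediate directly into a `const char*` with `reinterpret_cast`, and nothing in the hunk says that operand 0 is expected to carry the raw address of the comment string. A one-line comment such as `// Input 0 is the comment string's address encoded as an immediate.` would document that assumption. In the 32-bit branch, making the width conversion explicit would read better: `reinterpret_cast<const char*>(static_cast<intptr_t>(i.InputInt32(0)))`. The same `#ifdef` pair is duplicated in the s390 hunk of code-generator-s390.cc, so both points apply there too. Both switch statements continue outside their hunks.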
@@ -0,0 +1,22 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+for (var i = 0; i < 3; i++) {
+ var array = new BigInt64Array(200);
+
+ function evil_callback() {
+ %ArrayBufferNeuter(array.buffer);
+ gc();
+ return 1094795585n;
+ }
+
+ var evil_object = {valueOf: evil_callback};
+ var root;
+ try {
+ root = BigInt64Array.of.call(function() { return array }, evil_object);
+ } catch(e) {}
+ gc();
+} |
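Review bot: The empty `catch(e) {}` around `BigInt64Array.of.call(...)` hides whether the store threw or completed, and the file contains no assertion, so the test passes only by not crashing. A short header comment would make the intent explicit, e.g. `// valueOf detaches the buffer during ToBigInt; the element store must notice and must not write to freed memory.` If a specific outcome is expected for the detached buffer (for instance a TypeError), pinning it with `assertThrows` would also catch a silent regression. The expected result is not visible from this hunk, so that part needs confirming against the fix.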