summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichaël Zasso <targos@protonmail.com>2018-08-04 18:09:52 +0200
committerMichaël Zasso <targos@protonmail.com>2018-08-21 13:22:04 +0200
commit0f85e20d3ecca6e7bf8ca3a290960b21a86c5a12 (patch)
tree0001ed5493708a721ed9f4fd5c99afd44756732a
parent6e9e150b6a1746df899b68158dd540b4e790eff8 (diff)
downloadnode-new-0f85e20d3ecca6e7bf8ca3a290960b21a86c5a12.tar.gz
deps: patch V8 to 6.8.275.30
Refs: https://github.com/v8/v8/compare/6.8.275.24...6.8.275.30 PR-URL: https://github.com/nodejs/node/pull/22125 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
-rw-r--r--deps/v8/include/v8-version.h2
-rw-r--r--deps/v8/src/code-stub-assembler.cc5
-rw-r--r--deps/v8/src/compiler/ppc/code-generator-ppc.cc10
-rw-r--r--deps/v8/src/compiler/s390/code-generator-s390.cc10
-rw-r--r--deps/v8/test/mjsunit/regress/regress-crbug-867776.js22
5 files changed, 38 insertions, 11 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index e57efc3084..e52b5742f5 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 6
#define V8_MINOR_VERSION 8
#define V8_BUILD_NUMBER 275
-#define V8_PATCH_LEVEL 24
+#define V8_PATCH_LEVEL 30
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/code-stub-assembler.cc b/deps/v8/src/code-stub-assembler.cc
index 7d3f71bc9d..9a51017899 100644
--- a/deps/v8/src/code-stub-assembler.cc
+++ b/deps/v8/src/code-stub-assembler.cc
@@ -8816,13 +8816,14 @@ void CodeStubAssembler::EmitBigTypedArrayElementStore(
TNode<JSTypedArray> object, TNode<FixedTypedArrayBase> elements,
TNode<IntPtrT> intptr_key, TNode<Object> value, TNode<Context> context,
Label* opt_if_neutered) {
+ TNode<BigInt> bigint_value = ToBigInt(context, value);
+
if (opt_if_neutered != nullptr) {
- // Check if buffer has been neutered.
+ // Check if buffer has been neutered. Must happen after {ToBigInt}!
Node* buffer = LoadObjectField(object, JSArrayBufferView::kBufferOffset);
GotoIf(IsDetachedBuffer(buffer), opt_if_neutered);
}
- TNode<BigInt> bigint_value = ToBigInt(context, value);
TNode<RawPtrT> backing_store = LoadFixedTypedArrayBackingStore(elements);
TNode<IntPtrT> offset = ElementOffsetFromIndex(intptr_key, BIGINT64_ELEMENTS,
INTPTR_PARAMETERS, 0);
diff --git a/deps/v8/src/compiler/ppc/code-generator-ppc.cc b/deps/v8/src/compiler/ppc/code-generator-ppc.cc
index 54a0b0e67c..f25fae6dfe 100644
--- a/deps/v8/src/compiler/ppc/code-generator-ppc.cc
+++ b/deps/v8/src/compiler/ppc/code-generator-ppc.cc
@@ -1053,11 +1053,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
case kArchPrepareTailCall:
AssemblePrepareTailCall();
break;
- case kArchComment: {
- Address comment_string = i.InputExternalReference(0).address();
- __ RecordComment(reinterpret_cast<const char*>(comment_string));
+ case kArchComment:
+#ifdef V8_TARGET_ARCH_PPC64
+ __ RecordComment(reinterpret_cast<const char*>(i.InputInt64(0)));
+#else
+ __ RecordComment(reinterpret_cast<const char*>(i.InputInt32(0)));
+#endif
break;
- }
case kArchCallCFunction: {
int const num_parameters = MiscField::decode(instr->opcode());
if (instr->InputAt(0)->IsImmediate()) {
diff --git a/deps/v8/src/compiler/s390/code-generator-s390.cc b/deps/v8/src/compiler/s390/code-generator-s390.cc
index 81bd8266c0..7ecbc405cd 100644
--- a/deps/v8/src/compiler/s390/code-generator-s390.cc
+++ b/deps/v8/src/compiler/s390/code-generator-s390.cc
@@ -1357,11 +1357,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
ArchOpcode opcode = ArchOpcodeField::decode(instr->opcode());
switch (opcode) {
- case kArchComment: {
- Address comment_string = i.InputExternalReference(0).address();
- __ RecordComment(reinterpret_cast<const char*>(comment_string));
+ case kArchComment:
+#ifdef V8_TARGET_ARCH_S390X
+ __ RecordComment(reinterpret_cast<const char*>(i.InputInt64(0)));
+#else
+ __ RecordComment(reinterpret_cast<const char*>(i.InputInt32(0)));
+#endif
break;
- }
case kArchCallCodeObject: {
if (HasRegisterInput(instr, 0)) {
__ AddP(ip, i.InputRegister(0),
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-867776.js b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js
new file mode 100644
index 0000000000..f108f2acc4
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js
@@ -0,0 +1,22 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+for (var i = 0; i < 3; i++) {
+ var array = new BigInt64Array(200);
+
+ function evil_callback() {
+ %ArrayBufferNeuter(array.buffer);
+ gc();
+ return 1094795585n;
+ }
+
+ var evil_object = {valueOf: evil_callback};
+ var root;
+ try {
+ root = BigInt64Array.of.call(function() { return array }, evil_object);
+ } catch(e) {}
+ gc();
+}