author | Myles Borins <mylesborins@google.com> | 2017-12-19 20:45:44 -0500 |
---|---|---|
committer | Myles Borins <mylesborins@google.com> | 2017-12-22 11:20:48 -0500 |
commit | b5d415311bc98d9d7c3f0bb0a22250899e33ac77 (patch) | |
tree | 54c98d38da85520c04e6de49cbcbda65da8456bd | |
parent | 1a396bbd6b60297bc6132a63ca69743ae1e37850 (diff) | |
deps: patch V8 to 6.3.292.48
Refs: https://github.com/v8/v8/compare/6.3.292.46...6.3.292.48
PR-URL: https://github.com/nodejs/node/pull/17773
Reviewed-By: Michaël Zasso <targos@protonmail.com>
-rw-r--r-- | deps/v8/include/v8-version.h | 2 | ||||
-rw-r--r-- | deps/v8/src/builtins/builtins-typedarray-gen.cc | 10 | ||||
-rw-r--r-- | deps/v8/src/debug/debug-coverage.cc | 3 | ||||
-rw-r--r-- | deps/v8/test/mjsunit/regress/regress-786784.js | 34 |
4 files changed, 40 insertions, 9 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 46bb92f650..86c50fd4f5 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 3
 #define V8_BUILD_NUMBER 292
-#define V8_PATCH_LEVEL 46
+#define V8_PATCH_LEVEL 48
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/builtins/builtins-typedarray-gen.cc b/deps/v8/src/builtins/builtins-typedarray-gen.cc
index 07f122b909..86ec0e7bd9 100644
--- a/deps/v8/src/builtins/builtins-typedarray-gen.cc
+++ b/deps/v8/src/builtins/builtins-typedarray-gen.cc
@@ -799,7 +799,7 @@ void TypedArrayBuiltinsAssembler::SetTypedArraySource(
 // means we're safe from overflows in the following multiplication.
 TNode<IntPtrT> source_byte_length = IntPtrMul(source_length, source_el_size);
 CSA_ASSERT(this,
- IntPtrGreaterThanOrEqual(source_byte_length, IntPtrConstant(0)));
+ UintPtrGreaterThanOrEqual(source_byte_length, IntPtrConstant(0)));
 
 Label call_memmove(this), fast_c_call(this), out(this);
 Branch(Word32Equal(source_el_kind, target_el_kind), &call_memmove,
@@ -821,8 +821,8 @@ void TypedArrayBuiltinsAssembler::SetTypedArraySource(
 TNode<IntPtrT> target_byte_length = IntPtrMul(target_length, target_el_size);
- CSA_ASSERT(this,
- IntPtrGreaterThanOrEqual(target_byte_length, IntPtrConstant(0)));
+ CSA_ASSERT(
+ this, UintPtrGreaterThanOrEqual(target_byte_length, IntPtrConstant(0)));
 
 TNode<IntPtrT> target_data_end_ptr =
 IntPtrAdd(target_data_ptr, target_byte_length);
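Review bot: The rewritten CSA_ASSERT in the -799 hunk, and the matching one in the -821 hunk, are vacuous after this change: `UintPtrGreaterThanOrEqual(x, IntPtrConstant(0))` is true for every word value, so neither assertion can ever fail, and the sign-flipped product that the preceding comment ("safe from overflows in the following multiplication") implies they were documenting is no longer detected in debug builds. If byte lengths are meant to be treated as unsigned from here on, the two asserts should either be dropped in favour of the comment alone, or replaced with a bound that can actually be violated, such as a comparison of the byte length against the typed-array length limit that comment relies on. SetTypedArraySource begins and ends outside both hunks.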
@@ -830,8 +830,8 @@ void TypedArrayBuiltinsAssembler::SetTypedArraySource(
 IntPtrAdd(source_data_ptr, source_byte_length);
 
 GotoIfNot(
- Word32Or(IntPtrLessThanOrEqual(target_data_end_ptr, source_data_ptr),
- IntPtrLessThanOrEqual(source_data_end_ptr, target_data_ptr)),
+ Word32Or(UintPtrLessThanOrEqual(target_data_end_ptr, source_data_ptr),
+ UintPtrLessThanOrEqual(source_data_end_ptr, target_data_ptr)),
 call_runtime);
 
 TNode<IntPtrT> source_length =
diff --git a/deps/v8/src/debug/debug-coverage.cc b/deps/v8/src/debug/debug-coverage.cc
index 8fe2edc08a..8b87286d29 100644
--- a/deps/v8/src/debug/debug-coverage.cc
+++ b/deps/v8/src/debug/debug-coverage.cc
@@ -544,9 +544,6 @@ void Coverage::SelectMode(Isolate* isolate, debug::Coverage::Mode mode) {
 if (!shared->IsSubjectToDebugging()) continue;
 vector->clear_invocation_count();
 vectors.emplace_back(vector, isolate);
- } else if (current_obj->IsJSFunction()) {
- JSFunction* function = JSFunction::cast(current_obj);
- function->set_code(function->shared()->code());
 }
 }
 }
diff --git a/deps/v8/test/mjsunit/regress/regress-786784.js b/deps/v8/test/mjsunit/regress/regress-786784.js
new file mode 100644
index 0000000000..fb0f3a95b3
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-786784.js
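Review bot: The overlap test in the -830 hunk now compares the data pointers as unsigned, which is the correct model for addresses, but nothing in the code says why, and a later reader may revert it to the signed helpers for consistency with the surrounding IntPtr arithmetic. The consequence of a signed compare here is presumably that a buffer whose address has the top bit set sorts before one that does not, so two overlapping ranges could be judged disjoint and skip the call_runtime path; a one-line comment above `GotoIfNot(` would pin this down: `// Compare as unsigned: these are raw addresses, and a signed compare misorders buffers above the sign bit.` The enclosing SetTypedArraySource starts and ends outside the hunk.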
@@ -0,0 +1,34 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+ function g(arg) { return arg; }
+ // The closure contains a call IC slot.
+ return function() { return g(42); };
+}
+
+const a = Realm.create();
+const b = Realm.create();
+
+// Create two closures in different contexts sharing the same
+// SharedFunctionInfo (shared due to code caching).
+const x = Realm.eval(a, f.toString() + " f()");
+const y = Realm.eval(b, f.toString() + " f()");
+
+// Run the first closure to create SFI::code.
+x();
+
+// At this point, SFI::code is set and `x` has a feedback vector (`y` does not).
+
+// Enabling block code coverage deoptimizes all functions and triggers the
+// buggy code path in which we'd unconditionally replace JSFunction::code with
+// its SFI::code (but skip feedback vector setup).
+%DebugToggleBlockCoverage(true);
+
+// Still no feedback vector set on `y` but it now contains code. Run it to
+// trigger the crash when attempting to write into the non-existent feedback
+// vector.
+y();
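Review bot: The new regression test only establishes that `y()` does not crash; the return value of neither closure is checked, so a future regression in which the call through the uninitialised feedback slot silently returns a wrong value rather than crashing would still pass. Pinning the result with mjsunit's assertions, `assertEquals(42, x());` and `assertEquals(42, y());` in place of the bare calls, keeps the test meaningful on both sides of the `%DebugToggleBlockCoverage(true)` toggle.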