Skip to content

Commit

Permalink
deps: patch V8 to 7.0.276.35
Browse files Browse the repository at this point in the history
Refs: v8/v8@7.0.276.32...7.0.276.35

PR-URL: nodejs#24056
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Refael Ackermann <[email protected]>
  • Loading branch information
targos committed Nov 5, 2018
1 parent 7e1b178 commit 5c2d555
Show file tree
Hide file tree
Showing 6 changed files with 50 additions and 37 deletions.
2 changes: 1 addition & 1 deletion deps/v8/include/v8-version.h
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 7
#define V8_MINOR_VERSION 0
#define V8_BUILD_NUMBER 276
#define V8_PATCH_LEVEL 32
#define V8_PATCH_LEVEL 35

// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
Expand Down
9 changes: 0 additions & 9 deletions deps/v8/infra/testing/builders.pyl
Original file line number Diff line number Diff line change
Expand Up @@ -685,11 +685,6 @@
{'name': 'mozilla'},
],
},
'V8 Linux - presubmit': {
'tests': [
{'name': 'presubmit'},
],
},
'V8 Linux - shared': {
'tests': [
{'name': 'mozilla'},
Expand Down Expand Up @@ -1514,7 +1509,6 @@
},
'tests': [
{'name': 'mozilla'},
{'name': 'presubmit'},
{'name': 'test262'},
{'name': 'v8testing'},
],
Expand All @@ -1527,7 +1521,6 @@
},
'tests': [
{'name': 'mozilla'},
{'name': 'presubmit'},
{'name': 'test262'},
{'name': 'v8testing', 'shards': 3},
],
Expand All @@ -1540,7 +1533,6 @@
},
'tests': [
{'name': 'mozilla'},
{'name': 'presubmit'},
{'name': 'test262'},
{'name': 'v8testing'},
],
Expand All @@ -1553,7 +1545,6 @@
},
'tests': [
{'name': 'mozilla'},
{'name': 'presubmit'},
{'name': 'test262'},
{'name': 'v8testing', 'shards': 3},
],
Expand Down
12 changes: 11 additions & 1 deletion deps/v8/src/runtime/runtime-array.cc
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,15 @@ Object* RemoveArrayHolesGeneric(Isolate* isolate, Handle<JSReceiver> receiver,
MAYBE_RETURN(delete_result, ReadOnlyRoots(isolate).exception());
}

return *isolate->factory()->NewNumberFromUint(result);
// TODO(jgruber, szuend, chromium:897512): This is a workaround to prevent
// returning a number greater than array.length to Array.p.sort, which could
// trigger OOB accesses. There is still a correctness bug here though in
// how we shift around undefineds and delete elements in the two blocks above.
// This needs to be fixed soon.
const uint32_t number_of_non_undefined_elements = std::min(limit, result);

return *isolate->factory()->NewNumberFromUint(
number_of_non_undefined_elements);
}

// Collects all defined (non-hole) and non-undefined (array) elements at the
Expand All @@ -162,6 +170,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
Handle<JSObject> object = Handle<JSObject>::cast(receiver);
if (object->HasStringWrapperElements()) {
int len = String::cast(Handle<JSValue>::cast(object)->value())->length();
DCHECK_LE(len, limit);
return Smi::FromInt(len);
}

Expand Down Expand Up @@ -284,6 +293,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
}
}

DCHECK_LE(result, limit);
return *isolate->factory()->NewNumberFromUint(result);
}

Expand Down
24 changes: 24 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-897512.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Fill up the Array prototype's elements.
for (let i = 0; i < 100; i++) Array.prototype.unshift(3.14);

// Create a holey double elements array.
const o31 = [1.1];
o31[37] = 2.2;

// Concat converts to dictionary elements.
const o51 = o31.concat(false);

// Set one element to undefined to trigger the movement bug.
o51[0] = undefined;

assertEquals(o51.length, 39);

// Sort triggers the bug.
o51.sort();

// TODO(chromium:897512): The length should be 39.
assertEquals(o51.length, 101);
40 changes: 14 additions & 26 deletions deps/v8/third_party/v8/builtins/array-sort.tq
Original file line number Diff line number Diff line change
Expand Up @@ -1742,7 +1742,6 @@ module array {

// 2. Let obj be ? ToObject(this value).
const obj: JSReceiver = ToObject(context, receiver);
let map: Map = obj.map;

const sort_state: FixedArray =
AllocateZeroedFixedArray(kSortStateSize);
Expand All @@ -1752,25 +1751,27 @@ module array {
sort_state[kUserCmpFnIdx] = comparefnObj;
sort_state[kSortComparePtrIdx] =
comparefnObj != Undefined ? SortCompareUserFn : SortCompareDefault;
sort_state[kInitialReceiverMapIdx] = map;
sort_state[kBailoutStatusIdx] = kSuccess;

// 3. Let len be ? ToLength(? Get(obj, "length")).
const len: Number =
ToLength_Inline(context, GetProperty(context, obj, 'length'));
if (len < 2) return receiver;

// TODO(szuend): Investigate performance tradeoff of skipping this step
// for PACKED_* and handling Undefineds during sorting.
const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
assert(nofNonUndefined <= len);

let map: Map = obj.map;
sort_state[kInitialReceiverMapIdx] = map;
sort_state[kInitialReceiverLengthIdx] = len;

try {
const a: JSArray = cast<JSArray>(obj) otherwise slow;
const elementsKind: ElementsKind = map.elements_kind;
if (!IsFastElementsKind(elementsKind)) goto slow;

// 3. Let len be ? ToLength(? Get(obj, "length")).
const len: Smi = a.length_fast;
if (len < 2) return receiver;

// TODO(szuend): Investigate performance tradeoff of skipping this step
// for PACKED_* and handling Undefineds during sorting.
const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
assert(a.map == map);

sort_state[kInitialReceiverLengthIdx] = len;

if (IsDoubleElementsKind(elementsKind)) {
InitializeSortStateAccessor<FastDoubleElements>(sort_state);
} else if (elementsKind == PACKED_SMI_ELEMENTS) {
Expand All @@ -1781,19 +1782,6 @@ module array {
ArrayTimSort(context, sort_state, nofNonUndefined);
}
label slow {
// 3. Let len be ? ToLength(? Get(obj, "length")).
const len: Number =
ToLength_Inline(context, GetProperty(context, obj, 'length'));

if (len < 2) return receiver;
const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);

sort_state[kInitialReceiverLengthIdx] = len;

// Reload the map, PrepareElementsForSort might have changed the
// elements kind.
map = obj.map;

if (map.elements_kind == DICTIONARY_ELEMENTS && IsExtensibleMap(map) &&
!IsCustomElementsReceiverInstanceType(map.instance_type)) {
InitializeSortStateAccessor<DictionaryElements>(sort_state);
Expand Down
File renamed without changes.

0 comments on commit 5c2d555

Please sign in to comment.