Skip to content

Commit f455e08

Browse files
targostargos
committed
deps: patch V8 to 9.0.257.21
Refs: v8/v8@9.0.257.19...9.0.257.21 PR-URL: #38333 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com>
1 parent 277122e commit f455e08

File tree

3 files changed

+33
-13
lines changed

3 files changed

+33
-13
lines changed

deps/v8/include/v8-version.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
#define V8_MAJOR_VERSION 9
1212
#define V8_MINOR_VERSION 0
1313
#define V8_BUILD_NUMBER 257
14-
#define V8_PATCH_LEVEL 19
14+
#define V8_PATCH_LEVEL 21
1515

1616
// Use 1 for candidates and 0 otherwise.
1717
// (Boolean macro values are not supported by all preprocessors.)

deps/v8/src/compiler/js-call-reducer.cc

Lines changed: 24 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -5380,24 +5380,31 @@ Reduction JSCallReducer::ReduceArrayPrototypePop(Node* node) {
53805380
}
53815381

53825382
// Compute the new {length}.
5383-
length = graph()->NewNode(simplified()->NumberSubtract(), length,
5384-
jsgraph()->OneConstant());
5383+
Node* new_length = graph()->NewNode(simplified()->NumberSubtract(),
5384+
length, jsgraph()->OneConstant());
5385+
5386+
// This extra check exists solely to break an exploitation technique
5387+
// that abuses typer mismatches.
5388+
new_length = efalse = graph()->NewNode(
5389+
simplified()->CheckBounds(p.feedback(),
5390+
CheckBoundsFlag::kAbortOnOutOfBounds),
5391+
new_length, length, efalse, if_false);
53855392

53865393
// Store the new {length} to the {receiver}.
53875394
efalse = graph()->NewNode(
53885395
simplified()->StoreField(AccessBuilder::ForJSArrayLength(kind)),
5389-
receiver, length, efalse, if_false);
5396+
receiver, new_length, efalse, if_false);
53905397

53915398
// Load the last entry from the {elements}.
53925399
vfalse = efalse = graph()->NewNode(
53935400
simplified()->LoadElement(AccessBuilder::ForFixedArrayElement(kind)),
5394-
elements, length, efalse, if_false);
5401+
elements, new_length, efalse, if_false);
53955402

53965403
// Store a hole to the element we just removed from the {receiver}.
53975404
efalse = graph()->NewNode(
53985405
simplified()->StoreElement(
53995406
AccessBuilder::ForFixedArrayElement(GetHoleyElementsKind(kind))),
5400-
elements, length, jsgraph()->TheHoleConstant(), efalse, if_false);
5407+
elements, new_length, jsgraph()->TheHoleConstant(), efalse, if_false);
54015408
}
54025409

54035410
control = graph()->NewNode(common()->Merge(2), if_true, if_false);
@@ -5573,19 +5580,27 @@ Reduction JSCallReducer::ReduceArrayPrototypeShift(Node* node) {
55735580
}
55745581

55755582
// Compute the new {length}.
5576-
length = graph()->NewNode(simplified()->NumberSubtract(), length,
5577-
jsgraph()->OneConstant());
5583+
Node* new_length = graph()->NewNode(simplified()->NumberSubtract(),
5584+
length, jsgraph()->OneConstant());
5585+
5586+
// This extra check exists solely to break an exploitation technique
5587+
// that abuses typer mismatches.
5588+
new_length = etrue1 = graph()->NewNode(
5589+
simplified()->CheckBounds(p.feedback(),
5590+
CheckBoundsFlag::kAbortOnOutOfBounds),
5591+
new_length, length, etrue1, if_true1);
55785592

55795593
// Store the new {length} to the {receiver}.
55805594
etrue1 = graph()->NewNode(
55815595
simplified()->StoreField(AccessBuilder::ForJSArrayLength(kind)),
5582-
receiver, length, etrue1, if_true1);
5596+
receiver, new_length, etrue1, if_true1);
55835597

55845598
// Store a hole to the element we just removed from the {receiver}.
55855599
etrue1 = graph()->NewNode(
55865600
simplified()->StoreElement(AccessBuilder::ForFixedArrayElement(
55875601
GetHoleyElementsKind(kind))),
5588-
elements, length, jsgraph()->TheHoleConstant(), etrue1, if_true1);
5602+
elements, new_length, jsgraph()->TheHoleConstant(), etrue1,
5603+
if_true1);
55895604
}
55905605

55915606
Node* if_false1 = graph()->NewNode(common()->IfFalse(), branch1);

deps/v8/src/compiler/simplified-lowering.cc

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1474,10 +1474,15 @@ class RepresentationSelector {
14741474
Type right_feedback_type = TypeOf(node->InputAt(1));
14751475

14761476
// Using Signed32 as restriction type amounts to promising there won't be
1477-
// signed overflow. This is incompatible with relying on a Word32
1478-
// truncation in order to skip the overflow check.
1477+
// signed overflow. This is incompatible with relying on a Word32 truncation
1478+
// in order to skip the overflow check. Similarly, we must not drop -0 from
1479+
// the result type unless we deopt for -0 inputs.
14791480
Type const restriction =
1480-
truncation.IsUsedAsWord32() ? Type::Any() : Type::Signed32();
1481+
truncation.IsUsedAsWord32()
1482+
? Type::Any()
1483+
: (truncation.identify_zeros() == kIdentifyZeros)
1484+
? Type::Signed32OrMinusZero()
1485+
: Type::Signed32();
14811486

14821487
// Handle the case when no int32 checks on inputs are necessary (but
14831488
// an overflow check is needed on the output). Note that we do not

0 commit comments

Comments
 (0)