deps: patch V8 to 7.0.276.35

Refs: https://github.com/v8/v8/compare/7.0.276.32...7.0.276.35 PR-URL: https://github.com/nodejs/node/pull/24056 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com>
2018-11-03 13:20:30 +01:00 · 2018-11-03 13:20:30 +01:00 · 5c2d555b29
commit 5c2d555b29
parent 7e1b178fb6
6 changed files with 50 additions and 37 deletions
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 7
 #define V8_MINOR_VERSION 0
 #define V8_BUILD_NUMBER 276
-#define V8_PATCH_LEVEL 32
+#define V8_PATCH_LEVEL 35
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
--- a/deps/v8/infra/testing/builders.pyl
+++ b/deps/v8/infra/testing/builders.pyl
@ -685,11 +685,6 @@
      {'name': 'mozilla'},
    ],
  },
  'V8 Linux - presubmit': {
    'tests': [
      {'name': 'presubmit'},
    ],
  },
  'V8 Linux - shared': {
    'tests': [
      {'name': 'mozilla'},
@ -1514,7 +1509,6 @@
    },
    'tests': [
      {'name': 'mozilla'},
      {'name': 'presubmit'},
      {'name': 'test262'},
      {'name': 'v8testing'},
    ],
@ -1527,7 +1521,6 @@
    },
    'tests': [
      {'name': 'mozilla'},
      {'name': 'presubmit'},
      {'name': 'test262'},
      {'name': 'v8testing', 'shards': 3},
    ],
@ -1540,7 +1533,6 @@
    },
    'tests': [
      {'name': 'mozilla'},
      {'name': 'presubmit'},
      {'name': 'test262'},
      {'name': 'v8testing'},
    ],
@ -1553,7 +1545,6 @@
    },
    'tests': [
      {'name': 'mozilla'},
      {'name': 'presubmit'},
      {'name': 'test262'},
      {'name': 'v8testing', 'shards': 3},
    ],
--- a/deps/v8/src/runtime/runtime-array.cc
+++ b/deps/v8/src/runtime/runtime-array.cc
@ -145,7 +145,15 @@ Object* RemoveArrayHolesGeneric(Isolate* isolate, Handle<JSReceiver> receiver,
    MAYBE_RETURN(delete_result, ReadOnlyRoots(isolate).exception());
  }
-  return *isolate->factory()->NewNumberFromUint(result);
+  // TODO(jgruber, szuend, chromium:897512): This is a workaround to prevent
  // returning a number greater than array.length to Array.p.sort, which could
  // trigger OOB accesses. There is still a correctness bug here though in
  // how we shift around undefineds and delete elements in the two blocks above.
  // This needs to be fixed soon.
  const uint32_t number_of_non_undefined_elements = std::min(limit, result);
  return *isolate->factory()->NewNumberFromUint(
      number_of_non_undefined_elements);
 }
 // Collects all defined (non-hole) and non-undefined (array) elements at the
@ -162,6 +170,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
  Handle<JSObject> object = Handle<JSObject>::cast(receiver);
  if (object->HasStringWrapperElements()) {
    int len = String::cast(Handle<JSValue>::cast(object)->value())->length();
    DCHECK_LE(len, limit);
    return Smi::FromInt(len);
  }
@ -284,6 +293,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
    }
  }
  DCHECK_LE(result, limit);
  return *isolate->factory()->NewNumberFromUint(result);
 }
--- a/deps/v8/test/mjsunit/regress/regress-897512.js
+++ b/deps/v8/test/mjsunit/regress/regress-897512.js
@ -0,0 +1,24 @@
 // Copyright 2018 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 // Fill up the Array prototype's elements.
 for (let i = 0; i < 100; i++) Array.prototype.unshift(3.14);
 // Create a holey double elements array.
 const o31 = [1.1];
 o31[37] = 2.2;
 // Concat converts to dictionary elements.
 const o51 = o31.concat(false);
 // Set one element to undefined to trigger the movement bug.
 o51[0] = undefined;
 assertEquals(o51.length, 39);
 // Sort triggers the bug.
 o51.sort();
 // TODO(chromium:897512): The length should be 39.
 assertEquals(o51.length, 101);
--- a/deps/v8/third_party/v8/builtins/array-sort.tq
+++ b/deps/v8/third_party/v8/builtins/array-sort.tq
@ -1742,7 +1742,6 @@ module array {
    // 2. Let obj be ? ToObject(this value).
    const obj: JSReceiver = ToObject(context, receiver);
    let map: Map = obj.map;
    const sort_state: FixedArray =
        AllocateZeroedFixedArray(kSortStateSize);
@ -1752,25 +1751,27 @@ module array {
    sort_state[kUserCmpFnIdx] = comparefnObj;
    sort_state[kSortComparePtrIdx] =
        comparefnObj != Undefined ? SortCompareUserFn : SortCompareDefault;
    sort_state[kInitialReceiverMapIdx] = map;
    sort_state[kBailoutStatusIdx] = kSuccess;
    // 3. Let len be ? ToLength(? Get(obj, "length")).
    const len: Number =
        ToLength_Inline(context, GetProperty(context, obj, 'length'));
    if (len < 2) return receiver;
    // TODO(szuend): Investigate performance tradeoff of skipping this step
    //               for PACKED_* and handling Undefineds during sorting.
    const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
    assert(nofNonUndefined <= len);
    let map: Map = obj.map;
    sort_state[kInitialReceiverMapIdx] = map;
    sort_state[kInitialReceiverLengthIdx] = len;
    try {
      const a: JSArray = cast<JSArray>(obj) otherwise slow;
      const elementsKind: ElementsKind = map.elements_kind;
      if (!IsFastElementsKind(elementsKind)) goto slow;
      // 3. Let len be ? ToLength(? Get(obj, "length")).
      const len: Smi = a.length_fast;
      if (len < 2) return receiver;
      // TODO(szuend): Investigate performance tradeoff of skipping this step
      //               for PACKED_* and handling Undefineds during sorting.
      const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
      assert(a.map == map);
      sort_state[kInitialReceiverLengthIdx] = len;
      if (IsDoubleElementsKind(elementsKind)) {
        InitializeSortStateAccessor<FastDoubleElements>(sort_state);
      } else if (elementsKind == PACKED_SMI_ELEMENTS) {
@ -1781,19 +1782,6 @@ module array {
      ArrayTimSort(context, sort_state, nofNonUndefined);
    }
    label slow {
      // 3. Let len be ? ToLength(? Get(obj, "length")).
      const len: Number =
          ToLength_Inline(context, GetProperty(context, obj, 'length'));
      if (len < 2) return receiver;
      const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
      sort_state[kInitialReceiverLengthIdx] = len;
      // Reload the map, PrepareElementsForSort might have changed the
      // elements kind.
      map = obj.map;
      if (map.elements_kind == DICTIONARY_ELEMENTS && IsExtensibleMap(map) &&
          !IsCustomElementsReceiverInstanceType(map.instance_type)) {
        InitializeSortStateAccessor<DictionaryElements>(sort_state);
--- a/deps/v8/tools/v8_presubmit.py
+++ b/deps/v8/tools/v8_presubmit.py