[bigint] Fix GC unsafety issue

There must not be both an allocating function call and a handle deref in the list of arguments to a call. Depending on the evaluation order that the C++ compiler chooses, the deref could happen before the call and the resulting raw pointer be invalidated by the GC. Bug: chromium:818424 Change-Id: I525947252ff9d0b048a5bf82c2976e0acce739be Reviewed-on: https://chromium-review.googlesource.com/949782Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#51746}

[bigint] Fix GC unsafety issue
There must not be both an allocating function call and a handle deref in the list of arguments to a call. Depending on the evaluation order that the C++ compiler chooses, the deref could happen before the call and the resulting raw pointer be invalidated by the GC. Bug: chromium:818424 Change-Id: I525947252ff9d0b048a5bf82c2976e0acce739be Reviewed-on: https://chromium-review.googlesource.com/949782Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#51746}
2ce122e3 · Jakob Kummerow · Commit Bot · 1f0419da · 2ce122e3
Commit 2ce122e3 authored Mar 05, 2018 by Jakob Kummerow Committed by Commit Bot Mar 05, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

bigint.cc src/objects/bigint.cc +6 -3

No files found.
--- a/src/objects/bigint.cc
+++ b/src/objects/bigint.cc
@@ -556,7 +556,8 @@ MaybeHandle<MutableBigInt> MutableBigInt::BitwiseAnd(Handle<BigInt> x,
    if (!AbsoluteSubOne(x, result_length).ToHandle(&result)) {
      return MaybeHandle<MutableBigInt>();
    }
-    result = AbsoluteOr(result, AbsoluteSubOne(y), *result);
+    Handle<MutableBigInt> y_1 = AbsoluteSubOne(y);
+    result = AbsoluteOr(result, y_1, *result);
    return AbsoluteAddOne(result, true, *result);
  } else {
    DCHECK(x->sign() != y->sign());
@@ -580,7 +581,8 @@ MaybeHandle<MutableBigInt> MutableBigInt::BitwiseXor(Handle<BigInt> x,
    // (-x) ^ (-y) == ~(x-1) ^ ~(y-1) == (x-1) ^ (y-1)
    Handle<MutableBigInt> result =
        AbsoluteSubOne(x, result_length).ToHandleChecked();
-    return AbsoluteXor(result, AbsoluteSubOne(y), *result);
+    Handle<MutableBigInt> y_1 = AbsoluteSubOne(y);
+    return AbsoluteXor(result, y_1, *result);
  } else {
    DCHECK(x->sign() != y->sign());
    int result_length = Max(x->length(), y->length()) + 1;
@@ -610,7 +612,8 @@ MaybeHandle<MutableBigInt> MutableBigInt::BitwiseOr(Handle<BigInt> x,
    // == -(((x-1) & (y-1)) + 1)
    Handle<MutableBigInt> result =
        AbsoluteSubOne(x, result_length).ToHandleChecked();
-    result = AbsoluteAnd(result, AbsoluteSubOne(y), *result);
+    Handle<MutableBigInt> y_1 = AbsoluteSubOne(y);
+    result = AbsoluteAnd(result, y_1, *result);
    return AbsoluteAddOne(result, true, *result);
  } else {
    DCHECK(x->sign() != y->sign());