Commit cca5ada9 authored by Jakob Gruber's avatar Jakob Gruber Committed by Commit Bot

[regexp] Fix UB (signed left shift) in peephole optimizer

Left-shifting a variable of signed type containing a negative value is
undefined behavior.

Bug: chromium:1010465,v8:9330
Change-Id: Ide524f87a7d76f906f6034de4c6605df150c66a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847151
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64154}
parent cea0ebcc
...@@ -975,8 +975,9 @@ void RegExpBytecodePeephole::EmitArgument(int start_pc, const byte* bytecode, ...@@ -975,8 +975,9 @@ void RegExpBytecodePeephole::EmitArgument(int start_pc, const byte* bytecode,
USE(prev_val); USE(prev_val);
#else #else
DCHECK_EQ(prev_val & 0xFFFFFF00, 0); DCHECK_EQ(prev_val & 0xFFFFFF00, 0);
OverwriteValue<uint32_t>(pc() - sizeof(uint32_t), OverwriteValue<uint32_t>(
(val << 8) | (prev_val & 0xFF)); pc() - sizeof(uint32_t),
(static_cast<uint32_t>(val) << 8) | (prev_val & 0xFF));
#endif // V8_TARGET_BIG_ENDIAN #endif // V8_TARGET_BIG_ENDIAN
break; break;
} }
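Review bot: The cast on the new `(static_cast<uint32_t>(val) << 8)` line makes the shift well-defined, but the top 8 bits of `val` are still dropped silently, and only `prev_val` is range-checked by the DCHECK above it. If `val` is meant to be a signed 24-bit argument (its declaration is outside the hunk, so this is inferred from the commit message), a guard such as `DCHECK(val >= -(1 << 23) && val < (1 << 23));` before the OverwriteValue call would catch an out-of-range value in debug builds instead of writing a truncated one into the bytecode. A short comment, e.g. `// Cast before shifting: left-shifting a negative signed value is UB.`, would also keep the cast from being removed as redundant later. The V8_TARGET_BIG_ENDIAN branch and the rest of EmitArgument lie outside the hunk, so whether the same shift pattern occurs there cannot be checked from this page.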