[bigint] Fix possibly-uninitialized leading digit on right shift

Fixed: chromium:1151890 Change-Id: I26f5c76494a9ff3f5a141f381e1c9a543e368571 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2561618 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#71422}

[bigint] Fix possibly-uninitialized leading digit on right shift
Fixed: chromium:1151890 Change-Id: I26f5c76494a9ff3f5a141f381e1c9a543e368571 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2561618 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#71422}
e82a3b4d · Jakob Kummerow · Commit Bot · f8fa0edf · e82a3b4d · e82a3b4d
Commit e82a3b4d authored Nov 25, 2020 by Jakob Kummerow Committed by Commit Bot Nov 26, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 0 deletions

bigint.cc src/objects/bigint.cc +2 -0

regress-crbug-1151890.js test/mjsunit/regress/regress-crbug-1151890.js +11 -0

No files found.
--- a/src/objects/bigint.cc
+++ b/src/objects/bigint.cc
@@ -1874,6 +1874,8 @@ Handle<BigInt> MutableBigInt::RightShiftByAbsolute(Isolate* isolate,
  DCHECK_LE(result_length, length);
  Handle<MutableBigInt> result = New(isolate, result_length).ToHandleChecked();
  if (bits_shift == 0) {
+    // Zero out any overflow digit (see "rounding_can_overflow" above).
+    result->set_digit(result_length - 1, 0);
    for (int i = digit_shift; i < length; i++) {
      result->set_digit(i - digit_shift, x->digit(i));
    }

--- a/test/mjsunit/regress/regress-crbug-1151890.js
+++ b/test/mjsunit/regress/regress-crbug-1151890.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --allow-natives-syntax
+for (let i = 0, j = 0; i < 10; ++i) {
+  let x = (-0xffffffffffffffff_ffffffffffffffffn >> 0x40n);
+  assertEquals(-0x10000000000000000n, x);
+  %SimulateNewspaceFull();
+}