1. 08 Mar, 2019 1 commit
    • [ubsan] Fix two more UBSan issues · 34b467e1
      Jakob Kummerow authored
      RotateRight32 needs a "number of bits" operand in the range 0..31.
      Thankfully that's how x86 shift instructions behave anyway, and
      how the bitwise shift operators in JavaScript are spec'ed, so this
      fix is unobservable in non-UBSan builds.
      
      RemoveArrayHolesGeneric can be used for length values anywhere in
      the uint32_t range, so it must not implicitly cast those to int.
      That actually caused an observable bug where a proxy's traps would
      not get called at all, but only for huge "length" properties, where
      the entire operation would also be painfully slow.
      
      Bug: chromium:935133, chromium:937652
      Change-Id: I13f74ca27eae6b2b089d58217842b699b2574509
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1510272
      Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
      Reviewed-by: Adam Klein <adamk@chromium.org>
      Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#60112}
  2. 07 Mar, 2019 1 commit
    • [ubsan] Fix various ClusterFuzz-found issues · 91f0cd00
      Jakob Kummerow authored
      Fixing a few float and int overflows.
      Drive-by fix: with --experimental-wasm-bigint, Number values
      may not be used to initialize i64-typed globals. The existing
      code for doing that relied on UB; since it's a spec violation
      the fix is to throw instead.
      
      No regression test for 933103 because it will OOM anyway.
      No regression test for 932896 because it would be extremely slow.
      
      Bug: chromium:927894, chromium:927996, chromium:930086, chromium:932679, chromium:932896, chromium:933103, chromium:933134
      Change-Id: Iae1c1ff1038af4512a52d3e56b8c4b75f2233314
      Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1495911
      Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
      Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      Reviewed-by: Adam Klein <adamk@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#60075}
  3. 01 Feb, 2019 1 commit
  4. 28 Jan, 2019 1 commit
    • [ubsan] Fix Clusterfuzz-found bugs · a8aa4b4e
      Jakob Kummerow authored
      Smi::LexicographicCompare: signed integer overflow on negation.
      Drive-by improvement: reduce number of branches.
      
      RegExpQuantifier: signed integer overflow on multiplication.
      
      DateCache::DaylightSavingsOffsetInMs: signed integer overflow
      on addition.
      
      Bug: v8:3770,chromium:923466,chromium:923642,chromium:923626
      Change-Id: If7d995a13893d1315449ee0bab8b5f2553e170f5
      Reviewed-on: https://chromium-review.googlesource.com/c/1436229
      Reviewed-by: Yang Guo <yangguo@chromium.org>
      Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#59143}
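The three commits above describe the same family of defect: C/C++ integer operations whose operands can leave the range where the language defines a result (a 32-bit rotate count outside 0..31, signed negation of the most negative value, signed multiplication and addition that overflow). The following is an added example, not V8's code, showing the defensive patterns those fixes rely on: masking the rotate count the way the x86 instruction and the JavaScript shift operators already do, computing a signed value's magnitude through unsigned arithmetic so INT32_MIN cannot overflow on negation, and routing arithmetic on untrusted counts through checked helpers. The helpers use the GCC/Clang `__builtin_*_overflow` builtins, which is an assumption about the compiler; the function names are illustrative and are not the ones V8 uses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Rotate right by a count that may come from untrusted input.
 * In C, shifting a 32-bit value by 32 or more is undefined behaviour, so the
 * count is masked to 0..31 first. This matches what x86 `ror` does in
 * hardware and what JavaScript specifies for its shift operators, which is
 * why the commit message above calls such a fix unobservable at runtime. */
uint32_t RotateRight32(uint32_t value, uint32_t shift) {
  shift &= 31u;
  if (shift == 0u) return value;  /* avoid a 32-bit shift by 32 below */
  return (value >> shift) | (value << (32u - shift));
}

/* Magnitude of a signed 32-bit value without signed negation.
 * `-v` is undefined for v == INT32_MIN; converting to unsigned first and
 * negating in unsigned arithmetic is fully defined and yields 2^31. */
uint32_t Magnitude32(int32_t v) {
  uint32_t u = (uint32_t)v;
  return v < 0 ? 0u - u : u;
}

/* Overflow-checked signed arithmetic. Each returns false, and leaves *out
 * unspecified, when the mathematically exact result does not fit in int32_t.
 * These are the checks a RegExp quantifier bound or a time-offset sum
 * needs before the multiplication or addition is performed. */
bool CheckedMul32(int32_t a, int32_t b, int32_t *out) {
  return !__builtin_mul_overflow(a, b, out);
}

bool CheckedAdd32(int32_t a, int32_t b, int32_t *out) {
  return !__builtin_add_overflow(a, b, out);
}

bool CheckedNegate32(int32_t v, int32_t *out) {
  return !__builtin_sub_overflow((int32_t)0, v, out);
}

/* A length supplied as uint32_t must stay uint32_t. Narrowing it to int
 * makes every value >= 2^31 negative, so a loop bounded by the narrowed
 * value runs zero times; that is the observable symptom described for the
 * RemoveArrayHolesGeneric fix. This returns the number of indices a loop
 * over [0, length) would actually visit under each convention. */
uint32_t TripCountUnsigned(uint32_t length) { return length; }

uint32_t TripCountNarrowed(uint32_t length) {
  int narrowed = (int)length;  /* implementation-defined for >= 2^31 */
  return narrowed < 0 ? 0u : (uint32_t)narrowed;
}

int main(void) {
  int32_t r;
  printf("ror(0x12345678, 36) = 0x%08x\n", RotateRight32(0x12345678u, 36u));
  printf("|INT32_MIN| = %u\n", Magnitude32(INT32_MIN));
  printf("65536 * 65536 fits int32: %s\n",
         CheckedMul32(65536, 65536, &r) ? "yes" : "no");
  printf("loop trips for length 0x80000000: unsigned=%u narrowed=%u\n",
         TripCountUnsigned(0x80000000u), TripCountNarrowed(0x80000000u));
  return 0;
}
```

Compile with `-fsanitize=undefined` (GCC or Clang) to confirm that none of these paths trip UBSan, which is the same check the commits above were made to satisfy.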