- 08 Mar, 2019 1 commit
Jakob Kummerow authored
RotateRight32 needs a "number of bits" operand in the range 0..31. Thankfully that's how x86 shift instructions behave anyway, and how the bitwise shift operators in JavaScript are spec'ed, so this fix is unobservable in non-UBSan builds.

RemoveArrayHolesGeneric can be used for length values anywhere in the uint32_t range, so it must not implicitly cast those to int. That actually caused an observable bug where a proxy's traps would not get called at all, but only for huge "length" properties, where the entire operation would also be painfully slow.

Bug: chromium:935133, chromium:937652
Change-Id: I13f74ca27eae6b2b089d58217842b699b2574509
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1510272
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60112}
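The two undefined-behaviour classes in this commit, shown in stand-alone C++ (an added example, not V8's RotateRight32 or RemoveArrayHolesGeneric; the function names and the loop-trip-count helper are illustrative). The rotate masks its count the way x86 and the JavaScript shift operators do, so the masked version is observably identical except that UBSan no longer fires; the length helper computes what a loop with an `int` bound would do, rather than looping, because the real trigger is a length near 2^32:

```cpp
#include <cstdint>

// Added example, not V8 code.

// Naive rotate: shifting a 32-bit value by 32 (n == 0) or by any n >= 32 is
// undefined behaviour in C++ and is what UBSan reports.  Shown for contrast
// only; never call it with n == 0 or n > 31.
uint32_t RotateRight32Unchecked(uint32_t value, uint32_t n) {
  return (value >> n) | (value << (32 - n));
}

// Hardened rotate: reduce the count modulo 32 first.  x86 SHR/ROR mask the
// count register to 5 bits, and JavaScript's `x >>> n` uses `n & 31`, so
// masking is exactly the behaviour callers already get in practice.  The
// extra `& 31` on the left shift turns n == 0 into a shift by 0 instead of
// a (undefined) shift by 32.
uint32_t RotateRight32(uint32_t value, uint32_t n) {
  n &= 31;
  return (value >> n) | (value << ((32 - n) & 31));
}

// The length problem: a uint32_t length such as 0xFFFFFFFF converted to int
// yields -1 on mainstream compilers (implementation-defined before C++20,
// modular since), so a loop of the form
//     for (int i = 0; i < length; ++i) CallTrap(i);
// runs zero times and the proxy's traps are never invoked.  This helper
// returns that loop's trip count analytically (iterating to 2^32 is the
// "painfully slow" case the commit mentions).
uint64_t IterationsWithIntLength(uint32_t length) {
  int truncated = static_cast<int>(length);  // the implicit narrowing in the bug
  return truncated < 0 ? 0 : static_cast<uint64_t>(truncated);
}

// Keeping the bound in uint32_t visits every index:
//     for (uint32_t i = 0; i < length; ++i) CallTrap(i);
uint64_t IterationsWithUint32Length(uint32_t length) {
  return length;
}
```

Building with `-fsanitize=undefined` makes the first function's out-of-range shift visible at runtime; the second never reaches the sanitizer because the count is reduced before the shift.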
- 07 Mar, 2019 1 commit
Jakob Kummerow authored
Fixing a few float and int overflows.

Drive-by fix: with --experimental-wasm-bigint, Number values may not be used to initialize i64-typed globals. The existing code for doing that relied on UB; since it's a spec violation the fix is to throw instead.

No regression test for 933103 because it will OOM anyway.
No regression test for 932896 because it would be extremely slow.

Bug: chromium:927894, chromium:927996, chromium:930086, chromium:932679, chromium:932896, chromium:933103, chromium:933134
Change-Id: Iae1c1ff1038af4512a52d3e56b8c4b75f2233314
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1495911
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60075}
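The float-to-int overflow pattern behind this commit, and the "throw rather than rely on UB" rule for i64 globals, as an added C++ example (not V8's conversion helpers or its wasm JS API code; `JsValue`, `InitI64Global` and the checked-conversion functions are hypothetical names chosen for illustration). Converting a double whose truncated value does not fit the target integer type is undefined behaviour in C++, so the range is checked in floating point before any cast:

```cpp
#include <cmath>
#include <cstdint>
#include <stdexcept>

// Added example, not V8 code.

// double -> int64_t with the range check done first.  2^63 is exactly
// representable as a double, so the upper bound is a strict `<` and the
// lower bound an inclusive `>=`.  NaN fails every comparison and is
// rejected explicitly for clarity.
bool DoubleToInt64Checked(double d, int64_t* out) {
  constexpr double kTwoPow63 = 9223372036854775808.0;  // 2^63
  if (std::isnan(d) || d < -kTwoPow63 || d >= kTwoPow63) return false;
  *out = static_cast<int64_t>(d);  // truncation toward zero, now well defined
  return true;
}

// Same idea for float -> int32_t.
bool FloatToInt32Checked(float f, int32_t* out) {
  constexpr float kTwoPow31 = 2147483648.0f;  // 2^31
  if (std::isnan(f) || f < -kTwoPow31 || f >= kTwoPow31) return false;
  *out = static_cast<int32_t>(f);
  return true;
}

// Minimal stand-in for a JavaScript value arriving at the wasm JS API
// (hypothetical type; V8 uses its own tagged representation).
struct JsValue {
  enum Kind { kNumber, kBigInt } kind;
  double number;   // meaningful when kind == kNumber
  int64_t bigint;  // meaningful when kind == kBigInt; assumed already reduced to 64 bits
};

// With BigInt integration, an i64-typed global takes its initial value from
// a BigInt.  A Number here is a spec violation, so the right response is to
// throw.  The pre-fix behaviour the commit describes, casting the Number's
// double to int64 regardless of range, was undefined behaviour.
int64_t InitI64Global(const JsValue& v) {
  if (v.kind != JsValue::kBigInt) {
    throw std::invalid_argument("i64 global must be initialized from a BigInt");
  }
  return v.bigint;
}

// Helper so the throw can be checked as a return value.
bool InitI64GlobalThrows(const JsValue& v) {
  try {
    InitI64Global(v);
    return false;
  } catch (const std::invalid_argument&) {
    return true;
  }
}
```

The shape of the bound matters: writing the upper check as `d <= 9223372036854775807.0` would not help, because that literal rounds to 2^63 as a double and the comparison would admit a value that does not fit.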
- 01 Feb, 2019 1 commit
Jakob Kummerow authored
The result of Object::ToInteger is a number rounded to an integer value, but not necessarily in the range of what a C++ "int" can represent. Doing the 2 <= radix <= 36 range check first makes the subsequent cast safe.

Bug: chromium:927212
Change-Id: I49f115140f6dc1f951cbc08a3025b3ac92ec8628
Reviewed-on: https://chromium-review.googlesource.com/c/1449040
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59303}
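The ordering point of this commit in stand-alone C++, as an added example (not V8's Object::ToInteger or the radix-taking builtin it was fixed in; `ToInteger`, `RadixFromInteger` and `ParseRadix` are illustrative names). ToInteger yields an integral double that may be 1e10 or -Infinity, and casting such a value to `int` is undefined behaviour, so the 2..36 comparison has to happen on the double before the cast:

```cpp
#include <cmath>

// Added example, not V8 code.

// ECMAScript ToInteger applied to an already-numeric argument: NaN becomes
// 0, +/-Infinity is preserved, everything else is truncated toward zero.
// The result is integral but is still a double, and can be far outside int.
double ToInteger(double d) {
  if (std::isnan(d)) return 0.0;
  if (std::isinf(d)) return d;
  return std::trunc(d);
}

// Wrong order, kept for contrast: the cast runs before the range check, so
// for 1e10, 2^40 or -Infinity the cast itself is undefined behaviour and the
// check afterwards inspects garbage.  Do not call this with such values.
bool RadixFromIntegerUnsafe(double integer_value, int* radix) {
  int r = static_cast<int>(integer_value);  // UB when out of int range
  if (r < 2 || r > 36) return false;
  *radix = r;
  return true;
}

// Right order: compare in double first.  Only values inside 2..36 reach the
// cast, and those always fit an int.  NaN fails the comparison as well.
bool RadixFromInteger(double integer_value, int* radix) {
  if (!(integer_value >= 2.0 && integer_value <= 36.0)) return false;
  *radix = static_cast<int>(integer_value);
  return true;
}

// The two steps in the order a caller should use them.
bool ParseRadix(double raw_argument, int* radix) {
  return RadixFromInteger(ToInteger(raw_argument), radix);
}
```

The general rule the fix applies: validate in the wider type, then narrow. Narrowing first and validating afterwards never recovers, because the undefined conversion has already happened.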
- 28 Jan, 2019 1 commit
Jakob Kummerow authored
Smi::LexicographicCompare: signed integer overflow on negation. Drive-by improvement: reduce number of branches.
RegExpQuantifier: signed integer overflow on multiplication.
DateCache::DaylightSavingsOffsetInMs: signed integer overflow on addition.

Bug: v8:3770, chromium:923466, chromium:923642, chromium:923626
Change-Id: If7d995a13893d1315449ee0bab8b5f2553e170f5
Reviewed-on: https://chromium-review.googlesource.com/c/1436229
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59143}
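The three overflow classes named in this commit, negation, multiplication and addition on signed integers, in stand-alone C++ as an added example (not V8's Smi::LexicographicCompare, RegExpQuantifier or DateCache; the function names are illustrative). Negating INT_MIN is the classic case: `-x` overflows, while the same magnitude computed in unsigned arithmetic is well defined. The lexicographic compare mirrors what a default-comparator sort does with integers, comparing their decimal strings:

```cpp
#include <climits>
#include <cstdint>
#include <string>

// Added example, not V8 code.

// |x| without `-x`: negation of INT_MIN is signed overflow (undefined
// behaviour), but 0u - (uint32_t)INT_MIN == 2147483648 is well defined.
uint32_t Magnitude(int32_t x) {
  uint32_t u = static_cast<uint32_t>(x);
  return x < 0 ? 0u - u : u;
}

// Decimal text of a signed 32-bit value, built from Magnitude() so INT_MIN
// never goes through a signed negation.
std::string ToDecimal(int32_t x) {
  uint32_t m = Magnitude(x);
  std::string digits;
  do {
    digits.insert(digits.begin(), static_cast<char>('0' + m % 10));
    m /= 10;
  } while (m != 0);
  if (x < 0) digits.insert(digits.begin(), '-');
  return digits;
}

// Compare two integers the way Array.prototype.sort does without a
// comparator: by their string forms, code unit by code unit.
// Returns < 0, 0 or > 0.
int LexicographicCompare(int32_t a, int32_t b) {
  return ToDecimal(a).compare(ToDecimal(b));
}

// Overflow-checked multiplication of two non-negative counts (for example
// nested repetition bounds): reports failure instead of wrapping.
bool CheckedMulNonNegative(int a, int b, int* out) {
  if (a < 0 || b < 0) return false;
  if (a != 0 && b > INT_MAX / a) return false;
  *out = a * b;
  return true;
}

// Overflow-checked signed addition (for example a millisecond timestamp plus
// an offset).  The bound is computed on the side that cannot overflow.
bool CheckedAdd(int64_t a, int64_t b, int64_t* out) {
  if (b > 0 && a > INT64_MAX - b) return false;
  if (b < 0 && a < INT64_MIN - b) return false;
  *out = a + b;
  return true;
}
```

`-fsanitize=undefined` reports each of these overflows at the offending line, which is how the original instances were found; the checked forms above never execute the overflowing operation, so the sanitizer stays quiet and the caller gets an explicit failure to handle.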