author | Anna Henningsen <anna@addaleax.net> | 2019-03-15 22:58:28 +0100 |
---|---|---|
committer | Refael Ackermann <refack@gmail.com> | 2019-03-28 16:37:31 -0400 |
commit | bf572c7831fd121701c5571371ccd5ff7514c42c (patch) | |
tree | fda98b5752e91388eb2dc1af5b44aaab1103f23f /deps/v8/include | |
parent | 09f134fccf605476e0a0b8df01164946c5b1236a (diff) | |
deps: V8: cherry-pick 91f0cd0
Original commit message:
[ubsan] Fix various ClusterFuzz-found issues
Fixing a few float and int overflows.
Drive-by fix: with --experimental-wasm-bigint, Number values
may not be used to initialize i64-typed globals. The existing
code for doing that relied on UB; since it's a spec violation
the fix is to throw instead.
No regression test for 933103 because it will OOM anyway.
No regression test for 932896 because it would be extremely slow.
Bug: chromium:927894, chromium:927996, chromium:930086, chromium:932679, chromium:932896, chromium:933103, chromium:933134
Change-Id: Iae1c1ff1038af4512a52d3e56b8c4b75f2233314
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1495911
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60075}
Refs: https://github.com/v8/v8/commit/91f0cd00820a6e8d4567c1ce3a51d48a28165ab5
PR-URL: https://github.com/nodejs/node/pull/26685
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Diffstat (limited to 'deps/v8/include')
-rw-r--r-- | deps/v8/include/v8.h | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/deps/v8/include/v8.h b/deps/v8/include/v8.h index 5e45cc7620..a5a88b685b 100644 --- a/deps/v8/include/v8.h +++ b/deps/v8/include/v8.h @@ -10939,7 +10939,11 @@ int64_t Isolate::AdjustAmountOfExternalAllocatedMemory( reinterpret_cast<int64_t*>(reinterpret_cast<uint8_t*>(this) + I::kExternalMemoryAtLastMarkCompactOffset); - const int64_t amount = *external_memory + change_in_bytes; + // Embedders are weird: we see both over- and underflows here. Perform the + // addition with unsigned types to avoid undefined behavior. + const int64_t amount = + static_cast<int64_t>(static_cast<uint64_t>(change_in_bytes) + + static_cast<uint64_t>(*external_memory)); *external_memory = amount; int64_t allocation_diff_since_last_mc = |
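Review bot: the unsigned addition removes the signed-overflow UB, but the `static_cast<int64_t>` applied to the `uint64_t` sum is implementation-defined for values above INT64_MAX (two's-complement wraparound is only guaranteed from C++20), so the hunk still depends on the compiler's conversion behaviour; and whichever way it resolves, an over- or underflowing embedder now gets a silently wrapped `amount` stored by `*external_memory = amount;` and consumed by the `allocation_diff_since_last_mc` arithmetic that follows. Suggest either stating in the new comment that wraparound is the accepted outcome, or clamping the sum so a misbehaving embedder cannot drive the external-memory counter out of range.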