diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index e57efc3084acba..e52b5742f595ac 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 8
 #define V8_BUILD_NUMBER 275
-#define V8_PATCH_LEVEL 24
+#define V8_PATCH_LEVEL 30
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/code-stub-assembler.cc b/deps/v8/src/code-stub-assembler.cc
index 7d3f71bc9df502..9a51017899dc97 100644
--- a/deps/v8/src/code-stub-assembler.cc
+++ b/deps/v8/src/code-stub-assembler.cc
@@ -8816,13 +8816,14 @@ void CodeStubAssembler::EmitBigTypedArrayElementStore(
     TNode object, TNode elements, TNode intptr_key, TNode value, TNode context, Label* opt_if_neutered) {
+  TNode bigint_value = ToBigInt(context, value);
+
   if (opt_if_neutered != nullptr) {
-    // Check if buffer has been neutered.
+    // Check if buffer has been neutered. Must happen after {ToBigInt}!
     Node* buffer = LoadObjectField(object, JSArrayBufferView::kBufferOffset);
     GotoIf(IsDetachedBuffer(buffer), opt_if_neutered);
   }
-  TNode bigint_value = ToBigInt(context, value);
   TNode backing_store = LoadFixedTypedArrayBackingStore(elements);
   TNode offset = ElementOffsetFromIndex(intptr_key, BIGINT64_ELEMENTS, INTPTR_PARAMETERS, 0);
diff --git a/deps/v8/src/compiler/ppc/code-generator-ppc.cc b/deps/v8/src/compiler/ppc/code-generator-ppc.cc
index 54a0b0e67c18d9..f25fae6dfed854 100644
--- a/deps/v8/src/compiler/ppc/code-generator-ppc.cc
+++ b/deps/v8/src/compiler/ppc/code-generator-ppc.cc
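Review bot: The `opt_if_neutered == nullptr` path still runs `ToBigInt(context, value)` — which, as the regression test added in this commit shows via a `valueOf` callback, can execute user code that detaches the buffer — and then continues toward the store with no detach check at all; the hunk only fixes the ordering for callers that supply a label. The new comment explains why the check must follow `{ToBigInt}`, but nothing states the obligation on callers that pass `nullptr`. I would extend the comment above the `if`: `// Callers passing nullptr for opt_if_neutered must guarantee that ToBigInt cannot detach the buffer (e.g. {value} is already a BigInt), since no detach check is emitted in that case.` The function body continues past the end of the hunk, so I could not confirm whether a later check covers that path.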
@@ -1053,11 +1053,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
     case kArchPrepareTailCall:
       AssemblePrepareTailCall();
       break;
-    case kArchComment: {
-      Address comment_string = i.InputExternalReference(0).address();
-      __ RecordComment(reinterpret_cast(comment_string));
+    case kArchComment:
+#ifdef V8_TARGET_ARCH_PPC64
+      __ RecordComment(reinterpret_cast(i.InputInt64(0)));
+#else
+      __ RecordComment(reinterpret_cast(i.InputInt32(0)));
+#endif
       break;
-    }
     case kArchCallCFunction: {
       int const num_parameters = MiscField::decode(instr->opcode());
       if (instr->InputAt(0)->IsImmediate()) {
diff --git a/deps/v8/src/compiler/s390/code-generator-s390.cc b/deps/v8/src/compiler/s390/code-generator-s390.cc
index 81bd8266c046c4..7ecbc405cd1bad 100644
--- a/deps/v8/src/compiler/s390/code-generator-s390.cc
+++ b/deps/v8/src/compiler/s390/code-generator-s390.cc
@@ -1357,11 +1357,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
   ArchOpcode opcode = ArchOpcodeField::decode(instr->opcode());
   switch (opcode) {
-    case kArchComment: {
-      Address comment_string = i.InputExternalReference(0).address();
-      __ RecordComment(reinterpret_cast(comment_string));
+    case kArchComment:
+#ifdef V8_TARGET_ARCH_S390X
+      __ RecordComment(reinterpret_cast(i.InputInt64(0)));
+#else
+      __ RecordComment(reinterpret_cast(i.InputInt32(0)));
+#endif
       break;
-    }
     case kArchCallCodeObject: {
       if (HasRegisterInput(instr, 0)) {
         __ AddP(ip, i.InputRegister(0),
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-867776.js b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js
new file mode 100644
index 00000000000000..f108f2acc463ce
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js
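Review bot: In the new `kArchComment` case the width of the immediate that is reinterpreted as the comment-string pointer is selected by `#ifdef V8_TARGET_ARCH_PPC64`, and the identical conditional is duplicated in the s390 hunk under `V8_TARGET_ARCH_S390X`; if the operand converter provides a pointer-width-sized input accessor, using it would remove both conditionals, and if it does not, the reason for the change deserves a comment since the diff carries no description, e.g. `// The comment string is passed as a pointer-sized integer immediate, not an external reference.` Casting an integer operand straight to a pointer is only safe when the producer encodes a live pointer of the same width, which I cannot verify from these hunks. Dropping the `{ ... }` scope is fine now that the `Address` local is gone. The `AssembleArchInstruction` switch starts and ends outside both hunks.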
@@ -0,0 +1,22 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+for (var i = 0; i < 3; i++) {
+  var array = new BigInt64Array(200);
+
+  function evil_callback() {
+    %ArrayBufferNeuter(array.buffer);
+    gc();
+    return 1094795585n;
+  }
+
+  var evil_object = {valueOf: evil_callback};
+  var root;
+  try {
+    root = BigInt64Array.of.call(function() { return array }, evil_object);
+  } catch(e) {}
+  gc();
+}
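Review bot: The test can only fail by crashing: `root` is assigned but never read, and `catch(e) {}` swallows whatever `BigInt64Array.of.call(...)` throws, so a regression that silently writes into the detached buffer without crashing would pass. If the detached-buffer path is expected to throw, replacing the try/catch with `assertThrows(() => BigInt64Array.of.call(function() { return array }, evil_object), TypeError);` would pin that outcome; if the intended check is just "no crash", a one-line comment above the loop saying so would make the intent explicit. The unused `root` can be dropped in either case.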