From 3be89cc6e59077a7fa38739716f90d25b41db839 Mon Sep 17 00:00:00 2001
From: Joyee Cheung
Date: Sun, 7 Jul 2024 20:22:17 +0200
Subject: [PATCH] deps: V8: cherry-pick e061cf9970d9
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Original commit message:

[arraybuffers] initialize max byte length of empty array buffers

Without initializing the max byte length field, any empty array buffer captured in the snapshot can make the snapshot unreproducible.

Refs: https://github.com/nodejs/node/issues/53579
Change-Id: I2489ab2e57ecbb405ec431a87d0acc92822b777c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5662576
Reviewed-by: Marja Hölttä
Commit-Queue: Marja Hölttä
Cr-Commit-Position: refs/heads/main@{#94754}

Refs: https://github.com/v8/v8/commit/e061cf9970d95e98e2e8dad813b86a3068db01db
PR-URL: https://github.com/nodejs/node/pull/53755
Fixes: https://github.com/nodejs/node/issues/53579
Reviewed-By: Benjamin Gruenbaum
Reviewed-By: Chengzhong Wu
---
 common.gypi | 2 +-
 deps/v8/src/builtins/builtins-typed-array-gen.cc | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/common.gypi b/common.gypi
index 27ebff44569b7b..637f8494dea889 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.15',
+ 'v8_embedder_string': '-node.16',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/builtins/builtins-typed-array-gen.cc b/deps/v8/src/builtins/builtins-typed-array-gen.cc
index 1c0fca4db2c8e7..786e49843e3990 100644
--- a/deps/v8/src/builtins/builtins-typed-array-gen.cc
+++ b/deps/v8/src/builtins/builtins-typed-array-gen.cc
@@ -68,6 +68,8 @@ TNode TypedArrayBuiltinsAssembler::AllocateEmptyOnHeapBuffer(
 UndefinedConstant());
 StoreBoundedSizeToObject(buffer, JSArrayBuffer::kRawByteLengthOffset,
 UintPtrConstant(0));
+ StoreBoundedSizeToObject(buffer, JSArrayBuffer::kRawMaxByteLengthOffset,
+ UintPtrConstant(0));
 StoreSandboxedPointerToObject(buffer, JSArrayBuffer::kBackingStoreOffset,
 EmptyBackingStoreBufferConstant());
 #ifdef V8_COMPRESS_POINTERS
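Review bot: The added `StoreBoundedSizeToObject(buffer, JSArrayBuffer::kRawMaxByteLengthOffset, UintPtrConstant(0))` carries no comment, so a reader is likely to take it as redundant for a fixed-length empty buffer and drop it in a later cleanup; the rationale from the commit message belongs next to the store. Suggest placing `// Zero the max byte length as well: leaving the field uninitialized makes the buffer's bits depend on prior heap contents, which made snapshots containing empty buffers unreproducible (nodejs/node#53579).` above the two added lines. AllocateEmptyOnHeapBuffer begins before this hunk and its remaining stores continue after `#ifdef V8_COMPRESS_POINTERS`, so I cannot confirm from here whether every other field of the empty buffer is written on this path, or whether other paths that produce empty or detached buffers initialize this offset; the fix is only complete if they do.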