deps: patch V8 to 6.8.275.30

Refs: https://github.com/v8/v8/compare/6.8.275.24...6.8.275.30 PR-URL: https://github.com/nodejs/node/pull/22125 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
2018-08-04 18:09:52 +02:00 · 2018-08-04 18:09:52 +02:00 · 611f423e1b
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 8
 #define V8_BUILD_NUMBER 275
-#define V8_PATCH_LEVEL 24
+#define V8_PATCH_LEVEL 30

 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
--- a/deps/v8/src/code-stub-assembler.cc
+++ b/deps/v8/src/code-stub-assembler.cc
@ -8816,13 +8816,14 @@ void CodeStubAssembler::EmitBigTypedArrayElementStore(
    TNode<JSTypedArray> object, TNode<FixedTypedArrayBase> elements,
    TNode<IntPtrT> intptr_key, TNode<Object> value, TNode<Context> context,
    Label* opt_if_neutered) {
+  TNode<BigInt> bigint_value = ToBigInt(context, value);
+
  if (opt_if_neutered != nullptr) {
-    // Check if buffer has been neutered.
+    // Check if buffer has been neutered. Must happen after {ToBigInt}!
    Node* buffer = LoadObjectField(object, JSArrayBufferView::kBufferOffset);
    GotoIf(IsDetachedBuffer(buffer), opt_if_neutered);
  }

-  TNode<BigInt> bigint_value = ToBigInt(context, value);
  TNode<RawPtrT> backing_store = LoadFixedTypedArrayBackingStore(elements);
  TNode<IntPtrT> offset = ElementOffsetFromIndex(intptr_key, BIGINT64_ELEMENTS,
                                                 INTPTR_PARAMETERS, 0);
--- a/deps/v8/src/compiler/ppc/code-generator-ppc.cc
+++ b/deps/v8/src/compiler/ppc/code-generator-ppc.cc
@ -1053,11 +1053,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
    case kArchPrepareTailCall:
      AssemblePrepareTailCall();
      break;
-    case kArchComment: {
-      Address comment_string = i.InputExternalReference(0).address();
-      __ RecordComment(reinterpret_cast<const char*>(comment_string));
+    case kArchComment:
+#ifdef V8_TARGET_ARCH_PPC64
+      __ RecordComment(reinterpret_cast<const char*>(i.InputInt64(0)));
+#else
+      __ RecordComment(reinterpret_cast<const char*>(i.InputInt32(0)));
+#endif
      break;
-    }
    case kArchCallCFunction: {
      int const num_parameters = MiscField::decode(instr->opcode());
      if (instr->InputAt(0)->IsImmediate()) {
--- a/deps/v8/src/compiler/s390/code-generator-s390.cc
+++ b/deps/v8/src/compiler/s390/code-generator-s390.cc
@ -1357,11 +1357,13 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
  ArchOpcode opcode = ArchOpcodeField::decode(instr->opcode());

  switch (opcode) {
-    case kArchComment: {
-      Address comment_string = i.InputExternalReference(0).address();
-      __ RecordComment(reinterpret_cast<const char*>(comment_string));
+    case kArchComment:
+#ifdef V8_TARGET_ARCH_S390X
+      __ RecordComment(reinterpret_cast<const char*>(i.InputInt64(0)));
+#else
+      __ RecordComment(reinterpret_cast<const char*>(i.InputInt32(0)));
+#endif
      break;
-    }
    case kArchCallCodeObject: {
      if (HasRegisterInput(instr, 0)) {
        __ AddP(ip, i.InputRegister(0),
--- a/deps/v8/test/mjsunit/regress/regress-crbug-867776.js
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-867776.js
@ -0,0 +1,22 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+for (var i = 0; i < 3; i++) {
+  var array = new BigInt64Array(200);
+
+  function evil_callback() {
+    %ArrayBufferNeuter(array.buffer);
+    gc();
+    return 1094795585n;
+  }
+
+  var evil_object = {valueOf: evil_callback};
+  var root;
+  try {
+    root = BigInt64Array.of.call(function() { return array }, evil_object);
+  } catch(e) {}
+  gc();
+}