[sandbox] Use 32-bit offset accumulation in StringToSlice and Turboshaft

This resolves the same bug as crrev.com/c/7900075, but located within
Torque (`StringToSlice`) and Turboshaft (`MachineLoweringReducer`).
Under memory corruption, chaining sliced strings previously allowed
64-bit slow-path slice offset accumulation to exceed 32 bits or
underflow, enabling out-of-sandbox string reads.

This CL applies the same 32-bit truncation fix used in
`ToDirectStringAssembler` to both locations, ensuring that corrupted
accumulated offsets wrap around safely within 4 GB and land inside the
sandbox or its guard regions.

TAG=agy
CONV=6ac5b6a9-3e41-42fa-b5a7-4f7744db9a36

Bug: 519768343, 522397420
Change-Id: I3f3e18327b5908efc4b43f3c16fd638e75f60104
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7926028
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#107927}
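The mitigation the CL describes can be modelled in a few lines. The block below is an added illustration, not code from this CL or from V8: `SlicedNode`, `MakeChain`, the two `AccumulateOffset*` helpers and the sandbox constants (`kSandboxBase`, `kSandboxSize`, `kGuardSize`) are all constructed for the model, and it treats a slice offset as a byte index into a flat string that already lives in the sandbox. It walks a chain of sliced strings whose offsets are assumed to have been corrupted, sums them once in 64 bits (the behaviour being fixed) and once with 32-bit truncation (the fix), and checks whether the resulting read address can leave the sandbox and its guard regions.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model, not V8's String layout: a sliced string is a
// (parent index, offset) pair; parent == -1 denotes the flat base string.
struct SlicedNode {
  int parent;
  int32_t offset;  // under memory corruption this field may hold any value
};

// Assumed geometry for the model (constructed constants): a 1 TB sandbox at
// kSandboxBase with 32 GB guard regions on either side. Offsets are treated
// as byte indices; a two-byte string doubles the reach but not the argument.
constexpr uint64_t kGB = uint64_t{1} << 30;
constexpr uint64_t kSandboxBase = 0x100000000000ULL;
constexpr uint64_t kSandboxSize = 1024 * kGB;
constexpr uint64_t kGuardSize = 32 * kGB;

// Pre-fix behaviour: offsets summed in 64 bits while walking the parent chain,
// so a chain of corrupted nodes can grow the total far beyond 32 bits or
// drive it negative.
int64_t AccumulateOffset64(const std::vector<SlicedNode>& chain, int leaf) {
  int64_t total = 0;
  for (int i = leaf; i != -1; i = chain[i].parent) total += chain[i].offset;
  return total;
}

// Post-fix behaviour: each addition is truncated to 32 bits, so whatever the
// chain contains the result stays in [0, 4 GB).
uint32_t AccumulateOffset32(const std::vector<SlicedNode>& chain, int leaf) {
  uint32_t total = 0;
  for (int i = leaf; i != -1; i = chain[i].parent)
    total += static_cast<uint32_t>(chain[i].offset);
  return total;
}

// Address a character read would touch: pointer arithmetic wraps modulo 2^64,
// so a negative offset simply moves the address backwards.
uint64_t ReadAddress(uint64_t data_addr, int64_t offset) {
  return data_addr + static_cast<uint64_t>(offset);
}

// A read inside the sandbox or its guard regions either hits sandbox memory
// or faults on an unmapped guard page; anything else is an out-of-sandbox read.
bool InsideSandboxOrGuards(uint64_t addr) {
  return addr >= kSandboxBase - kGuardSize &&
         addr < kSandboxBase + kSandboxSize + kGuardSize;
}

// Build a chain of `depth` sliced strings that all claim the same offset
// (constructed input standing in for corrupted string objects).
std::vector<SlicedNode> MakeChain(int depth, int32_t offset) {
  std::vector<SlicedNode> chain;
  for (int i = 0; i < depth; ++i) chain.push_back({i - 1, offset});
  return chain;
}

// The flat string's data is assumed to sit 64 GB into the sandbox.
constexpr uint64_t kFlatStringData = kSandboxBase + 64 * kGB;

// Does a chain of `depth` nodes with the given offset escape the sandbox
// under 64-bit accumulation?
bool CorruptedChainEscapes64(int depth, int32_t offset) {
  auto chain = MakeChain(depth, offset);
  int64_t total = AccumulateOffset64(chain, depth - 1);
  return !InsideSandboxOrGuards(ReadAddress(kFlatStringData, total));
}

// Same question under 32-bit accumulation.
bool CorruptedChainEscapes32(int depth, int32_t offset) {
  auto chain = MakeChain(depth, offset);
  uint32_t total = AccumulateOffset32(chain, depth - 1);
  return !InsideSandboxOrGuards(ReadAddress(kFlatStringData, total));
}

int main() {
  // Overflow: 600 slices each claiming INT32_MAX reach ~1.2 TB past the
  // string in 64 bits, but wrap to just under 4 GB in 32 bits.
  std::printf("overflow chain escapes: 64-bit=%d 32-bit=%d\n",
              CorruptedChainEscapes64(600, INT32_MAX),
              CorruptedChainEscapes32(600, INT32_MAX));
  // Underflow: 51 slices each claiming INT32_MIN move the read ~102 GB
  // backwards in 64 bits, past the guard region; in 32 bits the sum is 2 GB.
  std::printf("underflow chain escapes: 64-bit=%d 32-bit=%d\n",
              CorruptedChainEscapes64(51, INT32_MIN),
              CorruptedChainEscapes32(51, INT32_MIN));
  return 0;
}
```

The point the model makes explicit is that truncation does not make a corrupted offset correct, only bounded: the read may still land on the wrong characters, but it lands somewhere the sandbox already defends, which is the property the CL is after.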
5 files changed
tree: a6f9caf945abb5f4673f2abd6e0ff0b82b5f8cd6
README.md

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Chromium, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page: https://v8.dev/docs

Getting the Code

Check out depot tools, and run

    fetch v8

This will check out V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

To fetch all branches, add the following to your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*

Contributing

Please follow the instructions mentioned at v8.dev/docs/contribute.