Google Git
Sign in
chromium / v8 / v8 / 4994cd8aea8ce7f0373a87a8018908f0f713ca46
commit4994cd8aea8ce7f0373a87a8018908f0f713ca46[log] [tgz]
authorLeszek Swirski <leszeks@chromium.org>Thu Nov 24 11:36:27 2022
committerV8 LUCI CQ <v8-scoped@luci-project-accounts.iam.gserviceaccount.com>Thu Nov 24 13:31:57 2022
tree889c852182a152d215d3d7c4abcb1d92a0b8be37
parentb18d3e8c0609a42f172ea25649865d4b7a32f960 [diff]
[maglev] Fix OOB in StringFromCharCode

StringFromCharCode expects an int32 value, but maglev isn't careful
about keeping the top 32 bits of the register valid (to avoid needing to
sign extend after every 32-bit operation). This means the top bits of
an int32 register might be invalid when it is used -- in particular,
complex addressing uses its inputs as 64-bit values, including the
index.

Long story short, we need to zero the top bits of the int32 char_code
used as the index into the single character table.

Bug: v8:7700
Change-Id: I3540230c865a1d07c105f35d024d598cc8e15180
Fixed: chromium:1392585
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4055502
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84456}
1 file changed
tree: 889c852182a152d215d3d7c4abcb1d92a0b8be37
  1. .github/
  2. bazel/
  3. build_overrides/
  4. custom_deps/
  5. docs/
  6. gni/
  7. include/
  8. infra/
  9. samples/
  10. src/
  11. test/
  12. testing/
  13. third_party/
  14. tools/
  15. .bazelrc
  16. .clang-format
  17. .clang-tidy
  18. .editorconfig
  19. .flake8
  20. .git-blame-ignore-revs
  21. .gitattributes
  22. .gitignore
  23. .gn
  24. .mailmap
  25. .style.yapf
  26. .vpython3
  27. .ycm_extra_conf.py
  28. AUTHORS
  29. BUILD.bazel
  30. BUILD.gn
  31. CODE_OF_CONDUCT.md
  32. codereview.settings
  33. COMMON_OWNERS
  34. DEPS
  35. DIR_METADATA
  36. ENG_REVIEW_OWNERS
  37. INFRA_OWNERS
  38. INTL_OWNERS
  39. LICENSE
  40. LICENSE.fdlibm
  41. LICENSE.strongtalk
  42. LICENSE.v8
  43. LOONG_OWNERS
  44. MIPS_OWNERS
  45. OWNERS
  46. PPC_OWNERS
  47. PRESUBMIT.py
  48. README.md
  49. RISCV_OWNERS
  50. S390_OWNERS
  51. WATCHLISTS
  52. WORKSPACE
README.md

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Google Chrome, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page: https://v8.dev/docs

Getting the Code

Checkout depot tools, and run

    fetch v8

This will checkout V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

For fetching all branches, add the following into your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*

Contributing

Please follow the instructions mentioned at v8.dev/docs/contribute.