author | Kevin F. Haggerty <haggertk@lineageos.org> | 2019-11-11 19:41:45 -0700 |
committer | Kevin F. Haggerty <haggertk@lineageos.org> | 2019-11-11 19:42:37 -0700 |
commit | 098109a75c8886d6cfe9d8e371eba7f20a101700 (patch) | |
tree | d4eca826d7dfce97b23537137397e5be4450d16c | |
parent | 587b96882112c6c3c93e8000b42551faa5ef4f66 (diff) | |
parent | 27798e9cc15435ca3e70df3ac4a201452ad08736 (diff) | |
Merge tag 'android-9.0.0_r50' into staging/lineage-16.0_merge-android-9.0.0_r50lineage-16.0
Android 9.0.0 release 50
* tag 'android-9.0.0_r50':
[DO NOT MERGE] Fix OOB read in v8's Promise handling
[DO NOT MERGE] Fix OOB Access
Fix type confusion in libpac
[RESTRICT AUTOMERGE] Fix OOB Access in libpac
Fix Integer Overflow in libpac
Fix type confusion in libpac
Fix OOB read in libpac ast-numbering.cc
Fix type confusion in libpac
Backport: Fix Object.entries/values with changing elements
Change-Id: I32f8183d4353d5dea87b438a214b6472cacc0fff
-rw-r--r-- | src/ast/ast-traversal-visitor.h | 1 | ||||
-rw-r--r-- | src/builtins/builtins-promise.cc | 12 | ||||
-rw-r--r-- | src/objects.cc | 4 |
3 files changed, 15 insertions, 2 deletions
diff --git a/src/ast/ast-traversal-visitor.h b/src/ast/ast-traversal-visitor.h
index 6d0c386f..3a102b42 100644
--- a/src/ast/ast-traversal-visitor.h
+++ b/src/ast/ast-traversal-visitor.h
@@ -245,6 +245,7 @@ void AstTraversalVisitor<Subclass>::VisitForStatement(ForStatement* stmt) {
 template <class Subclass>
 void AstTraversalVisitor<Subclass>::VisitForInStatement(ForInStatement* stmt) {
 PROCESS_NODE(stmt);
+ RECURSE(Visit(stmt->each()));
 RECURSE(Visit(stmt->enumerable()));
 RECURSE(Visit(stmt->body()));
 }
diff --git a/src/builtins/builtins-promise.cc b/src/builtins/builtins-promise.cc
index 0d0238d2..1fb12902 100644
--- a/src/builtins/builtins-promise.cc
+++ b/src/builtins/builtins-promise.cc
@@ -98,6 +98,10 @@ Node* PromiseBuiltinsAssembler::NewPromiseCapability(Node* context,
 debug_event = TrueConstant();
 }
+ Label if_not_constructor(this, Label::kDeferred);
+ GotoIf(TaggedIsSmi(constructor), &if_not_constructor);
+ GotoIfNot(IsConstructorMap(LoadMap(constructor)), &if_not_constructor);
+
 Node* native_context = LoadNativeContext(context);
 Node* map = LoadRoot(Heap::kJSPromiseCapabilityMapRootIndex);
@@ -182,6 +186,13 @@ Node* PromiseBuiltinsAssembler::NewPromiseCapability(Node* context,
 Unreachable();
 }
+ Bind(&if_not_constructor);
+ {
+ Node* const message_id = SmiConstant(MessageTemplate::kNotConstructor);
+ CallRuntime(Runtime::kThrowTypeError, context, message_id, constructor);
+ Unreachable();
+ }
+
 Bind(&out);
 return var_result.value();
 }
@@ -310,6 +321,7 @@ Node* PromiseBuiltinsAssembler::SpeciesConstructor(Node* context, Node* object,
 // 7. If IsConstructor(S) is true, return S.
 Label throw_error(this);
+ GotoIf(TaggedIsSmi(species), &throw_error);
 Node* species_bitfield = LoadMapBitField(LoadMap(species));
 GotoIfNot(Word32Equal(Word32And(species_bitfield, Int32Constant((1 << Map::kIsConstructor))),
diff --git a/src/objects.cc b/src/objects.cc
index d5b77777..c2996aed 100644
--- a/src/objects.cc
+++ b/src/objects.cc
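Review bot: The added `RECURSE(Visit(stmt->each()))` in VisitForInStatement is the only place the loop's `each` target is visited, and nothing on the line says why it was missing or why it now matters, so a later cleanup could drop it again; a one-line comment would pin it, e.g. `// |each| is an arbitrary target expression and may contain nested literals; it must be visited like every other child.` The commit message attributes this to an OOB read in ast-numbering.cc, which is consistent with an unvisited subtree leaving a function literal without a valid id (the objects.cc hunk hardens that same index with CHECK_NE/CHECK_LT), but that link is inferred rather than visible in this hunk. The whole function is contained in the hunk.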
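Review bot: The Smi guard followed by `GotoIfNot(IsConstructorMap(LoadMap(constructor)), &if_not_constructor)` at the top of NewPromiseCapability is the right order (a Smi has no map to load), but the matching Smi guard added in SpeciesConstructor in the third hunk is placed next to the existing open-coded `Word32And(species_bitfield, Int32Constant((1 << Map::kIsConstructor)))` test; writing that check as `GotoIfNot(IsConstructorMap(LoadMap(species)), &throw_error);` would make both sites read the same and retire the manual bit test. A comment above the new guard such as `// ES#sec-newpromisecapability step 1: if IsConstructor(C) is false, throw a TypeError.` would document where the check comes from, and the deferred block bound in the second hunk already raises kNotConstructor with the offending value. NewPromiseCapability and SpeciesConstructor both extend beyond their hunks, and the GotoIfNot call in SpeciesConstructor continues past the hunk's last line.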
@@ -13168,8 +13168,8 @@ Handle<JSObject> Script::GetWrapper(Handle<Script> script) {
 MaybeHandle<SharedFunctionInfo> Script::FindSharedFunctionInfo(
 Isolate* isolate, const FunctionLiteral* fun) {
- DCHECK_NE(fun->function_literal_id(), FunctionLiteral::kIdTypeInvalid);
- DCHECK_LT(fun->function_literal_id(), shared_function_infos()->length());
+ CHECK_NE(fun->function_literal_id(), FunctionLiteral::kIdTypeInvalid);
+ CHECK_LT(fun->function_literal_id(), shared_function_infos()->length());
 Object* shared = shared_function_infos()->get(fun->function_literal_id());
 if (shared->IsUndefined(isolate) || WeakCell::cast(shared)->cleared()) {
 return MaybeHandle<SharedFunctionInfo>();
|