deps: backport 3a9bfec from v8 upstream

bnoordhuis · evanlucas · commit 34b96c1322b6 · 2016-06-23T07:27:54.000-05:00
Original commit message: Fix overflow issue in Zone::New When requesting a large allocation near the end of the address space, the computation could overflow and erroneously *not* grow the Zone as required. BUG=chromium:606115 LOG=y Review-Url: https://codereview.chromium.org/1930873002 Cr-Commit-Position: refs/heads/master@{#35903} PR-URL: https://github.com/nodejs/node-private/pull/40 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 6
 #define V8_BUILD_NUMBER 85
-#define V8_PATCH_LEVEL 31
+#define V8_PATCH_LEVEL 32
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/zone.cc b/deps/v8/src/zone.cc
@@ -105,7 +105,10 @@ void* Zone::New(size_t size) {
   Address result = position_;
 
   const size_t size_with_redzone = size + kASanRedzoneBytes;
-  if (limit_ < position_ + size_with_redzone) {
+  const uintptr_t limit = reinterpret_cast<uintptr_t>(limit_);
+  const uintptr_t position = reinterpret_cast<uintptr_t>(position_);
+  // position_ > limit_ can be true after the alignment correction above.
+  if (limit < position || size_with_redzone > limit - position) {
     result = NewExpand(size_with_redzone);
   } else {
     position_ += size_with_redzone;
@@ -222,7 +225,10 @@ Address Zone::NewExpand(size_t size) {
   // Make sure the requested size is already properly aligned and that
   // there isn't enough room in the Zone to satisfy the request.
   DCHECK_EQ(size, RoundDown(size, kAlignment));
-  DCHECK_LT(limit_, position_ + size);
+  DCHECK(limit_ < position_ ||
+         reinterpret_cast<uintptr_t>(limit_) -
+                 reinterpret_cast<uintptr_t>(position_) <
+             size);
 
   // Compute the new segment size. We use a 'high water mark'
   // strategy, where we increase the segment size every time we expand
