deps: patch V8 to 7.0.276.35

Refs: v8/v8@7.0.276.32...7.0.276.35

PR-URL: #24056
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>

Author: targos

deps/v8/include/v8-version.h

@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 7
 #define V8_MINOR_VERSION 0
 #define V8_BUILD_NUMBER 276
-#define V8_PATCH_LEVEL 32
+#define V8_PATCH_LEVEL 35
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

deps/v8/infra/testing/builders.pyl

@@ -685,11 +685,6 @@
       {'name': 'mozilla'},
     ],
   },
-  'V8 Linux - presubmit': {
-    'tests': [
-      {'name': 'presubmit'},
-    ],
-  },
   'V8 Linux - shared': {
     'tests': [
       {'name': 'mozilla'},
@@ -1514,7 +1509,6 @@
     },
     'tests': [
       {'name': 'mozilla'},
-      {'name': 'presubmit'},
       {'name': 'test262'},
       {'name': 'v8testing'},
     ],
@@ -1527,7 +1521,6 @@
     },
     'tests': [
       {'name': 'mozilla'},
-      {'name': 'presubmit'},
       {'name': 'test262'},
       {'name': 'v8testing', 'shards': 3},
     ],
@@ -1540,7 +1533,6 @@
     },
     'tests': [
       {'name': 'mozilla'},
-      {'name': 'presubmit'},
       {'name': 'test262'},
       {'name': 'v8testing'},
     ],
@@ -1553,7 +1545,6 @@
     },
     'tests': [
       {'name': 'mozilla'},
-      {'name': 'presubmit'},
       {'name': 'test262'},
       {'name': 'v8testing', 'shards': 3},
     ],

deps/v8/src/runtime/runtime-array.cc

@@ -145,7 +145,15 @@ Object* RemoveArrayHolesGeneric(Isolate* isolate, Handle<JSReceiver> receiver,
     MAYBE_RETURN(delete_result, ReadOnlyRoots(isolate).exception());
   }
 
-  return *isolate->factory()->NewNumberFromUint(result);
+  // TODO(jgruber, szuend, chromium:897512): This is a workaround to prevent
+  // returning a number greater than array.length to Array.p.sort, which could
+  // trigger OOB accesses. There is still a correctness bug here though in
+  // how we shift around undefineds and delete elements in the two blocks above.
+  // This needs to be fixed soon.
+  const uint32_t number_of_non_undefined_elements = std::min(limit, result);
+
+  return *isolate->factory()->NewNumberFromUint(
+      number_of_non_undefined_elements);
 }
 
 // Collects all defined (non-hole) and non-undefined (array) elements at the
@@ -162,6 +170,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
   Handle<JSObject> object = Handle<JSObject>::cast(receiver);
   if (object->HasStringWrapperElements()) {
     int len = String::cast(Handle<JSValue>::cast(object)->value())->length();
+    DCHECK_LE(len, limit);
     return Smi::FromInt(len);
   }
 
@@ -284,6 +293,7 @@ Object* RemoveArrayHoles(Isolate* isolate, Handle<JSReceiver> receiver,
     }
   }
 
+  DCHECK_LE(result, limit);
   return *isolate->factory()->NewNumberFromUint(result);
 }
 

deps/v8/test/mjsunit/regress/regress-897512.js

@@ -0,0 +1,24 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Fill up the Array prototype's elements.
+for (let i = 0; i < 100; i++) Array.prototype.unshift(3.14);
+
+// Create a holey double elements array.
+const o31 = [1.1];
+o31[37] = 2.2;
+
+// Concat converts to dictionary elements.
+const o51 = o31.concat(false);
+
+// Set one element to undefined to trigger the movement bug.
+o51[0] = undefined;
+
+assertEquals(o51.length, 39);
+
+// Sort triggers the bug.
+o51.sort();
+
+// TODO(chromium:897512): The length should be 39.
+assertEquals(o51.length, 101);

deps/v8/third_party/v8/builtins/array-sort.tq

@@ -1742,7 +1742,6 @@ module array {
 
     // 2. Let obj be ? ToObject(this value).
     const obj: JSReceiver = ToObject(context, receiver);
-    let map: Map = obj.map;
 
     const sort_state: FixedArray =
         AllocateZeroedFixedArray(kSortStateSize);
@@ -1752,25 +1751,27 @@ module array {
     sort_state[kUserCmpFnIdx] = comparefnObj;
     sort_state[kSortComparePtrIdx] =
         comparefnObj != Undefined ? SortCompareUserFn : SortCompareDefault;
-    sort_state[kInitialReceiverMapIdx] = map;
     sort_state[kBailoutStatusIdx] = kSuccess;
 
+    // 3. Let len be ? ToLength(? Get(obj, "length")).
+    const len: Number =
+        ToLength_Inline(context, GetProperty(context, obj, 'length'));
+    if (len < 2) return receiver;
+
+    // TODO(szuend): Investigate performance tradeoff of skipping this step
+    //               for PACKED_* and handling Undefineds during sorting.
+    const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
+    assert(nofNonUndefined <= len);
+
+    let map: Map = obj.map;
+    sort_state[kInitialReceiverMapIdx] = map;
+    sort_state[kInitialReceiverLengthIdx] = len;
+
     try {
       const a: JSArray = cast<JSArray>(obj) otherwise slow;
       const elementsKind: ElementsKind = map.elements_kind;
       if (!IsFastElementsKind(elementsKind)) goto slow;
 
-      // 3. Let len be ? ToLength(? Get(obj, "length")).
-      const len: Smi = a.length_fast;
-      if (len < 2) return receiver;
-
-      // TODO(szuend): Investigate performance tradeoff of skipping this step
-      //               for PACKED_* and handling Undefineds during sorting.
-      const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
-      assert(a.map == map);
-
-      sort_state[kInitialReceiverLengthIdx] = len;
-
       if (IsDoubleElementsKind(elementsKind)) {
         InitializeSortStateAccessor<FastDoubleElements>(sort_state);
       } else if (elementsKind == PACKED_SMI_ELEMENTS) {
@@ -1781,19 +1782,6 @@ module array {
       ArrayTimSort(context, sort_state, nofNonUndefined);
     }
     label slow {
-      // 3. Let len be ? ToLength(? Get(obj, "length")).
-      const len: Number =
-          ToLength_Inline(context, GetProperty(context, obj, 'length'));
-
-      if (len < 2) return receiver;
-      const nofNonUndefined: Smi = PrepareElementsForSort(context, obj, len);
-
-      sort_state[kInitialReceiverLengthIdx] = len;
-
-      // Reload the map, PrepareElementsForSort might have changed the
-      // elements kind.
-      map = obj.map;
-
       if (map.elements_kind == DICTIONARY_ELEMENTS && IsExtensibleMap(map) &&
           !IsCustomElementsReceiverInstanceType(map.instance_type)) {
         InitializeSortStateAccessor<DictionaryElements>(sort_state);