Fix type confusion in libpac

From the upstream patch
(https://chromium.googlesource.com/v8/v8.git/+/55a98076827edac8eba775f8025df3749bcd8367%5E%21/#F0):

"""
Fix regexp fast path in MaybeCallFunctionAtSymbol

The regexp fast path in MaybeCallFunctionAtSymbol had an issue in which
we'd call ToString after checking that the given {object} was a fast
regexp and deciding to take the fast path. This is invalid since
ToString() can call into user-controlled JS and may mutate {object}.

There's no way to place the ToString call correctly in this instance:
1. before BranchIfFastRegExp, it's a spec violation if we end up on the
   slow regexp path;
2. the problem with the current location is already described above;
3. and we can't place it into the fast-path regexp builtin (e.g.
   RegExpReplace) either due to the same reasons as 1.

The solution in this CL is to restrict the fast path to string
arguments only, i.e. cases where ToString would be a nop and can safely
be skipped.
"""

Bug: 117556606

Test: /data/nativetest/proxy_resolver_v8_unittest/proxy_resolver_v8_unittest

Test: gts-tradefed run gts --test \
  com.google.android.gts.devicepolicy.DeviceOwnerTest#testProxyPacProxyTest \
  --module GtsGmscoreHostTestCases

Test: PoC from bug report

Merged-In: I2e02d994f107e64e4f465b4d8a02d4159a95240e

Change-Id: Ifb58de2b3c547c442f1ad69e0bca0fa934d1f728
(cherry picked from commit ce91afbb1b8ed1c0bbde11609be1f93e4bbfa461)
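As an added illustration of the ordering problem the upstream message describes (this is example code written for this page, not part of the patch, of V8's test suite, or of the bug-report PoC), the script below calls String.prototype.replace and String.prototype.match with an object receiver whose toString runs only after the engine has already looked at the regexp argument, and uses that call to mutate the regexp. It assumes a spec-conforming engine such as current Node.js, whose V8 carries this fix: a mutation made inside toString must be honored, so the custom exec is what gets called and no match is reported. An engine with the pre-fix fast path had already committed to the built-in replace after inspecting the regexp, so it would not observe that the object's shape had changed underneath it. The input strings and the mutation are constructed for this example.

```javascript
// Constructed example (not from the V8 patch): ToString(receiver) runs
// user code inside RegExp.prototype[Symbol.replace] / [Symbol.match],
// after the engine has already looked at the regexp argument. The spec
// requires later lookups such as Get(rx, "exec") to see any mutation
// made there.

// Baseline: a real string receiver and an untouched regexp. Here
// ToString(receiver) is a no-op, which is exactly the case the fix
// keeps on the fast path.
function replaceWithStringReceiver() {
  return "banana".replace(/a/g, "X"); // "bXnXnX"
}

// Object receiver whose toString mutates the regexp while the replace
// algorithm is already running.
function replaceWithMutatingReceiver() {
  const re = /a/g;
  let execCalls = 0;
  const receiver = {
    toString() {
      // Adding an own "exec" property changes re's shape. A fast path that
      // had already decided re was "unmodified" would now be operating on a
      // stale assumption; a conforming engine re-reads exec below and calls
      // this function instead of the built-in.
      re.exec = function (subject) {
        execCalls += 1;
        return null; // report "no match" so nothing gets replaced
      };
      return "banana";
    },
  };
  const result = String.prototype.replace.call(receiver, re, "X");
  // Conforming result: "banana" unchanged, custom exec called exactly once.
  return { result, execCalls };
}

// The same dispatch helper also backs match, so the same trick applies:
// with the custom exec installed during ToString, match must report null.
function matchWithMutatingReceiver() {
  const re = /a/g;
  const receiver = {
    toString() {
      re.exec = function () {
        return null;
      };
      return "banana";
    },
  };
  return String.prototype.match.call(receiver, re); // null
}
```

Running this on a patched engine returns "bXnXnX" for the plain string receiver, "banana" with one exec call for the mutating receiver, and null from match. A result of "bXnXnX" from the mutating case would mean the engine ignored the mutation, which is the observable symptom of the ordering bug the patch removes.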
1 file changed
README.md

V8 JavaScript Engine

V8 is Google's open source JavaScript engine.

V8 implements ECMAScript as specified in ECMA-262.

V8 is written in C++ and is used in Google Chrome, the open source browser from Google.

V8 can run standalone, or can be embedded into any C++ application.

V8 Project page: https://github.com/v8/v8/wiki

Getting the Code

Check out depot tools, and run

    fetch v8

This will check out V8 into the directory v8 and fetch all of its dependencies. To stay up to date, run

    git pull origin
    gclient sync

For fetching all branches, add the following into your remote configuration in .git/config:

    fetch = +refs/branch-heads/*:refs/remotes/branch-heads/*
    fetch = +refs/tags/*:refs/tags/*

Contributing

Please follow the instructions mentioned on the V8 wiki.