diff --git a/SOURCES/gcc-48-fix.patch b/SOURCES/gcc-48-fix.patch index f611cfc..af10148 100644 --- a/SOURCES/gcc-48-fix.patch +++ b/SOURCES/gcc-48-fix.patch @@ -19,7 +19,7 @@ index 78888b8..e49e54d 100644 'cflags': [ '-Wall', '<(werror)', '-W', '-Wno-unused-parameter', - '-Wnon-virtual-dtor', '-Woverloaded-virtual' ], + '-Wnon-virtual-dtor', '-Woverloaded-virtual', -+ '-Wno-unused-local-typedefs', '-Wno-aggressive-loop-optimizations' ], ++ '-Wno-unused-local-typedefs', '-Wno-aggressive-loop-optimizations', '-Wno-unused-but-set-variable' ], }], ['OS=="android"', { 'variables': { @@ -31,7 +31,7 @@ index 7145a16..84c072c 100644 or OS=="netbsd"', { 'target_defaults': { 'cflags': [ '-Wall', '<(werror)', '-W', '-Wno-unused-parameter', -+ '-Wno-unused-local-typedefs', '-Wno-aggressive-loop-optimizations', ++ '-Wno-unused-local-typedefs', '-Wno-aggressive-loop-optimizations', '-Wno-unused-but-set-variable', '-Wnon-virtual-dtor', '-pthread', '-fno-rtti', '-fno-exceptions', '-pedantic' ], 'ldflags': [ '-pthread', ], diff --git a/SOURCES/v8-3.14.5.10-CVE-2013-6640.patch b/SOURCES/v8-3.14.5.10-CVE-2013-6640.patch new file mode 100644 index 0000000..1a2a420 --- /dev/null +++ b/SOURCES/v8-3.14.5.10-CVE-2013-6640.patch @@ -0,0 +1,316 @@ +From 520f94a1da96b0f1fd3d0e0c0b82e4d7c1e7d58f Mon Sep 17 00:00:00 2001 +From: "T.C. Hollingsworth" +Date: Fri, 13 Dec 2013 00:45:27 -0700 +Subject: [PATCH] Limit size of dehoistable array indices + +backported from upstream r17801 +--- + src/elements-kind.cc | 30 ++++++++++++++++ + src/elements-kind.h | 2 ++ + src/hydrogen-instructions.h | 9 +++++ + src/hydrogen.cc | 2 +- + src/lithium.cc | 30 ---------------- + src/lithium.h | 3 -- + test/mjsunit/regress/regress-crbug-319835.js | 51 ++++++++++++++++++++++++++++ + test/mjsunit/regress/regress-crbug-319860.js | 47 +++++++++++++++++++++++++ + 8 files changed, 140 insertions(+), 34 deletions(-) + create mode 100644 test/mjsunit/regress/regress-crbug-319835.js + create mode 100644 test/mjsunit/regress/regress-crbug-319860.js + +diff --git a/src/elements-kind.cc b/src/elements-kind.cc +index 655a23b..c93a602 100644 +--- a/src/elements-kind.cc ++++ b/src/elements-kind.cc +@@ -35,6 +35,36 @@ namespace v8 { + namespace internal { + + ++int ElementsKindToShiftSize(ElementsKind elements_kind) { ++ switch (elements_kind) { ++ case EXTERNAL_BYTE_ELEMENTS: ++ case EXTERNAL_PIXEL_ELEMENTS: ++ case EXTERNAL_UNSIGNED_BYTE_ELEMENTS: ++ return 0; ++ case EXTERNAL_SHORT_ELEMENTS: ++ case EXTERNAL_UNSIGNED_SHORT_ELEMENTS: ++ return 1; ++ case EXTERNAL_INT_ELEMENTS: ++ case EXTERNAL_UNSIGNED_INT_ELEMENTS: ++ case EXTERNAL_FLOAT_ELEMENTS: ++ return 2; ++ case EXTERNAL_DOUBLE_ELEMENTS: ++ case FAST_DOUBLE_ELEMENTS: ++ case FAST_HOLEY_DOUBLE_ELEMENTS: ++ return 3; ++ case FAST_SMI_ELEMENTS: ++ case FAST_ELEMENTS: ++ case FAST_HOLEY_SMI_ELEMENTS: ++ case FAST_HOLEY_ELEMENTS: ++ case DICTIONARY_ELEMENTS: ++ case NON_STRICT_ARGUMENTS_ELEMENTS: ++ return kPointerSizeLog2; ++ } ++ UNREACHABLE(); ++ return 0; ++} ++ ++ + void PrintElementsKind(FILE* out, ElementsKind kind) { + ElementsAccessor* accessor = ElementsAccessor::ForKind(kind); + PrintF(out, "%s", accessor->name()); +diff --git a/src/elements-kind.h b/src/elements-kind.h +index 3be7711..c5d9df8 100644 +--- a/src/elements-kind.h ++++ b/src/elements-kind.h +@@ -77,6 +77,8 @@ const int kElementsKindCount = LAST_ELEMENTS_KIND - FIRST_ELEMENTS_KIND + 1; + const int kFastElementsKindCount = LAST_FAST_ELEMENTS_KIND - + FIRST_FAST_ELEMENTS_KIND + 1; + ++int ElementsKindToShiftSize(ElementsKind elements_kind); ++ + void PrintElementsKind(FILE* out, ElementsKind kind); + + ElementsKind GetInitialFastElementsKind(); +diff --git a/src/hydrogen-instructions.h b/src/hydrogen-instructions.h +index 015212d..a1e5b97 100644 +--- a/src/hydrogen-instructions.h ++++ b/src/hydrogen-instructions.h +@@ -4240,6 +4240,7 @@ class ArrayInstructionInterface { + virtual HValue* GetKey() = 0; + virtual void SetKey(HValue* key) = 0; + virtual void SetIndexOffset(uint32_t index_offset) = 0; ++ virtual int MaxIndexOffsetBits() = 0; + virtual bool IsDehoisted() = 0; + virtual void SetDehoisted(bool is_dehoisted) = 0; + virtual ~ArrayInstructionInterface() { }; +@@ -4274,6 +4275,7 @@ class HLoadKeyedFastElement + void SetIndexOffset(uint32_t index_offset) { + bit_field_ = IndexOffsetField::update(bit_field_, index_offset); + } ++ int MaxIndexOffsetBits() { return 25; } + HValue* GetKey() { return key(); } + void SetKey(HValue* key) { SetOperandAt(1, key); } + bool IsDehoisted() { return IsDehoistedField::decode(bit_field_); } +@@ -4343,6 +4345,7 @@ class HLoadKeyedFastDoubleElement + HValue* dependency() { return OperandAt(2); } + uint32_t index_offset() { return index_offset_; } + void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; } ++ int MaxIndexOffsetBits() { return 25; } + HValue* GetKey() { return key(); } + void SetKey(HValue* key) { SetOperandAt(1, key); } + bool IsDehoisted() { return is_dehoisted_; } +@@ -4420,6 +4423,7 @@ class HLoadKeyedSpecializedArrayElement + ElementsKind elements_kind() const { return elements_kind_; } + uint32_t index_offset() { return index_offset_; } + void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; } ++ int MaxIndexOffsetBits() { return 25; } + HValue* GetKey() { return key(); } + void SetKey(HValue* key) { SetOperandAt(1, key); } + bool IsDehoisted() { return is_dehoisted_; } +@@ -4595,6 +4599,7 @@ class HStoreKeyedFastElement + } + uint32_t index_offset() { return index_offset_; } + void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; } ++ int MaxIndexOffsetBits() { return 25; } + HValue* GetKey() { return key(); } + void SetKey(HValue* key) { SetOperandAt(1, key); } + bool IsDehoisted() { return is_dehoisted_; } +@@ -4648,6 +4653,7 @@ class HStoreKeyedFastDoubleElement + HValue* value() { return OperandAt(2); } + uint32_t index_offset() { return index_offset_; } + void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; } ++ int MaxIndexOffsetBits() { return 25; } + HValue* GetKey() { return key(); } + void SetKey(HValue* key) { SetOperandAt(1, key); } + bool IsDehoisted() { return is_dehoisted_; } +@@ -4706,6 +4712,9 @@ class HStoreKeyedSpecializedArrayElement + ElementsKind elements_kind() const { return elements_kind_; } + uint32_t index_offset() { return index_offset_; } + void SetIndexOffset(uint32_t index_offset) { index_offset_ = index_offset; } ++ int MaxIndexOffsetBits() { ++ return 31 - ElementsKindToShiftSize(elements_kind_); ++ } + HValue* GetKey() { return key(); } + void SetKey(HValue* key) { SetOperandAt(1, key); } + bool IsDehoisted() { return is_dehoisted_; } +diff --git a/src/hydrogen.cc b/src/hydrogen.cc +index 8393e51..e3f79ee 100644 +--- a/src/hydrogen.cc ++++ b/src/hydrogen.cc +@@ -3737,7 +3737,7 @@ static void DehoistArrayIndex(ArrayInstructionInterface* array_operation) { + int32_t value = constant->Integer32Value() * sign; + // We limit offset values to 30 bits because we want to avoid the risk of + // overflows when the offset is added to the object header size. +- if (value >= 1 << 30 || value < 0) return; ++ if (value >= 1 << array_operation->MaxIndexOffsetBits() || value < 0) return; + array_operation->SetKey(subexpression); + if (index->HasNoUses()) { + index->DeleteAndReplaceWith(NULL); +diff --git a/src/lithium.cc b/src/lithium.cc +index eb2198d..1232bf1 100644 +--- a/src/lithium.cc ++++ b/src/lithium.cc +@@ -227,36 +227,6 @@ void LPointerMap::PrintTo(StringStream* stream) { + } + + +-int ElementsKindToShiftSize(ElementsKind elements_kind) { +- switch (elements_kind) { +- case EXTERNAL_BYTE_ELEMENTS: +- case EXTERNAL_PIXEL_ELEMENTS: +- case EXTERNAL_UNSIGNED_BYTE_ELEMENTS: +- return 0; +- case EXTERNAL_SHORT_ELEMENTS: +- case EXTERNAL_UNSIGNED_SHORT_ELEMENTS: +- return 1; +- case EXTERNAL_INT_ELEMENTS: +- case EXTERNAL_UNSIGNED_INT_ELEMENTS: +- case EXTERNAL_FLOAT_ELEMENTS: +- return 2; +- case EXTERNAL_DOUBLE_ELEMENTS: +- case FAST_DOUBLE_ELEMENTS: +- case FAST_HOLEY_DOUBLE_ELEMENTS: +- return 3; +- case FAST_SMI_ELEMENTS: +- case FAST_ELEMENTS: +- case FAST_HOLEY_SMI_ELEMENTS: +- case FAST_HOLEY_ELEMENTS: +- case DICTIONARY_ELEMENTS: +- case NON_STRICT_ARGUMENTS_ELEMENTS: +- return kPointerSizeLog2; +- } +- UNREACHABLE(); +- return 0; +-} +- +- + LLabel* LChunk::GetLabel(int block_id) const { + HBasicBlock* block = graph_->blocks()->at(block_id); + int first_instruction = block->first_instruction_index(); +diff --git a/src/lithium.h b/src/lithium.h +index 089926e..a29d9d0 100644 +--- a/src/lithium.h ++++ b/src/lithium.h +@@ -704,9 +704,6 @@ class LChunk: public ZoneObject { + }; + + +-int ElementsKindToShiftSize(ElementsKind elements_kind); +- +- + } } // namespace v8::internal + + #endif // V8_LITHIUM_H_ +diff --git a/test/mjsunit/regress/regress-crbug-319835.js b/test/mjsunit/regress/regress-crbug-319835.js +new file mode 100644 +index 0000000..48f871f +--- /dev/null ++++ b/test/mjsunit/regress/regress-crbug-319835.js +@@ -0,0 +1,51 @@ ++// Copyright 2013 the V8 project authors. All rights reserved. ++// Redistribution and use in source and binary forms, with or without ++// modification, are permitted provided that the following conditions are ++// met: ++// ++// * Redistributions of source code must retain the above copyright ++// notice, this list of conditions and the following disclaimer. ++// * Redistributions in binary form must reproduce the above ++// copyright notice, this list of conditions and the following ++// disclaimer in the documentation and/or other materials provided ++// with the distribution. ++// * Neither the name of Google Inc. nor the names of its ++// contributors may be used to endorse or promote products derived ++// from this software without specific prior written permission. ++// ++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ++// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ ++// Flags: --allow-natives-syntax ++ ++try {} catch(e) {} // No need to optimize the top level. ++ ++var size = 0x20000; ++var a = new Float64Array(size); ++var training = new Float64Array(10); ++function store(a, index) { ++ var offset = 0x20000000; ++ for (var i = 0; i < 1; i++) { ++ a[index + offset] = 0xcc; ++ } ++} ++ ++store(training, -0x20000000); ++store(training, -0x20000000 + 1); ++store(training, -0x20000000); ++store(training, -0x20000000 + 1); ++%OptimizeFunctionOnNextCall(store); ++ ++// Segfault maybe? ++for (var i = -0x20000000; i < -0x20000000 + size; i++) { ++ store(a, i); ++} +diff --git a/test/mjsunit/regress/regress-crbug-319860.js b/test/mjsunit/regress/regress-crbug-319860.js +new file mode 100644 +index 0000000..b81fb85 +--- /dev/null ++++ b/test/mjsunit/regress/regress-crbug-319860.js +@@ -0,0 +1,47 @@ ++// Copyright 2013 the V8 project authors. All rights reserved. ++// Redistribution and use in source and binary forms, with or without ++// modification, are permitted provided that the following conditions are ++// met: ++// ++// * Redistributions of source code must retain the above copyright ++// notice, this list of conditions and the following disclaimer. ++// * Redistributions in binary form must reproduce the above ++// copyright notice, this list of conditions and the following ++// disclaimer in the documentation and/or other materials provided ++// with the distribution. ++// * Neither the name of Google Inc. nor the names of its ++// contributors may be used to endorse or promote products derived ++// from this software without specific prior written permission. ++// ++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ++// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ ++// Flags: --allow-natives-syntax ++ ++function read(a, index) { ++ var offset = 0x2000000; ++ var result; ++ for (var i = 0; i < 1; i++) { ++ result = a[index + offset]; ++ } ++ return result; ++} ++ ++var a = new Int8Array(0x2000001); ++read(a, 0); ++read(a, 0); ++%OptimizeFunctionOnNextCall(read); ++ ++// Segfault maybe? ++for (var i = 0; i > -1000000; --i) { ++ read(a, i); ++} +-- +1.8.4.2 + diff --git a/SOURCES/v8-3.14.5.10-CVE-2013-6650.patch b/SOURCES/v8-3.14.5.10-CVE-2013-6650.patch new file mode 100644 index 0000000..d44811f --- /dev/null +++ b/SOURCES/v8-3.14.5.10-CVE-2013-6650.patch @@ -0,0 +1,80 @@ +From 3928813f014d3cdaed83fefc3a454078272f114b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hr=C4=8Dka?= +Date: Tue, 18 Feb 2014 00:23:04 +0100 +Subject: [PATCH] Backport Fix for CVE-2013-6650 Original patch + https://code.google.com/p/v8/source/detail?r=18483 + +Resolve: rhbz#1059070 +--- + src/store-buffer.cc | 2 +- + test/mjsunit/regress/regress-331444.js | 45 ++++++++++++++++++++++++++++++++++ + 2 files changed, 46 insertions(+), 1 deletion(-) + create mode 100644 test/mjsunit/regress/regress-331444.js + +diff --git a/src/store-buffer.cc b/src/store-buffer.cc +index 66488ae..b9055f8 100644 +--- a/src/store-buffer.cc ++++ b/src/store-buffer.cc +@@ -242,7 +242,7 @@ void StoreBuffer::ExemptPopularPages(int prime_sample_step, int threshold) { + containing_chunk = MemoryChunk::FromAnyPointerAddress(addr); + } + int old_counter = containing_chunk->store_buffer_counter(); +- if (old_counter == threshold) { ++ if (old_counter >= threshold) { + containing_chunk->set_scan_on_scavenge(true); + created_new_scan_on_scavenge_pages = true; + } +diff --git a/test/mjsunit/regress/regress-331444.js b/test/mjsunit/regress/regress-331444.js +new file mode 100644 +index 0000000..3df0a08 +--- /dev/null ++++ b/test/mjsunit/regress/regress-331444.js +@@ -0,0 +1,45 @@ ++// Copyright 2014 the V8 project authors. All rights reserved. ++// Redistribution and use in source and binary forms, with or without ++// modification, are permitted provided that the following conditions are ++// met: ++// ++// * Redistributions of source code must retain the above copyright ++// notice, this list of conditions and the following disclaimer. ++// * Redistributions in binary form must reproduce the above ++// copyright notice, this list of conditions and the following ++// disclaimer in the documentation and/or other materials provided ++// with the distribution. ++// * Neither the name of Google Inc. nor the names of its ++// contributors may be used to endorse or promote products derived ++// from this software without specific prior written permission. ++// ++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ++// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ ++// Flags: --expose-gc ++ ++ ++function boom() { ++ var args = []; ++ for (var i = 0; i < 125000; i++) ++ args.push(i); ++ return Array.apply(Array, args); ++} ++var array = boom(); ++function fib(n) { ++ var f0 = 0, f1 = 1; ++ for (; n > 0; n = n - 1) { ++ f0 + f1; ++ f0 = array; ++ } ++} ++fib(12); +-- +1.8.3.1 + diff --git a/SOURCES/v8-3.14.5.10-CVE-2013-6668-segfault.patch b/SOURCES/v8-3.14.5.10-CVE-2013-6668-segfault.patch new file mode 100644 index 0000000..8e3d600 --- /dev/null +++ b/SOURCES/v8-3.14.5.10-CVE-2013-6668-segfault.patch @@ -0,0 +1,60 @@ +From 3122e0eae64c5ab494b29d0a9cadef902d93f1f9 Mon Sep 17 00:00:00 2001 +From: Fedor Indutny +Date: Fri, 22 Aug 2014 03:59:35 +0400 +Subject: [PATCH] deps: fix up v8 after fd80a3 + +fd80a31e0697d6317ce8c2d289575399f4e06d21 has introduced a segfault +during redundant boundary check elimination (#8208). + +The problem consists of two parts: + + 1. Abscense of instruction iterator in + `EliminateRedundantBoundsChecks`. It was present in recent v8, but + wasn't considered important at the time of backport. However, since + the function is changing instructions order in block, it is + important to not rely at `i->next()` at the end of the loop. + 2. Too strict ASSERT in `MoveIndexIfNecessary`. It is essentially a + backport of a45c96ab from v8's upstream. See + https://github.com/v8/v8/commit/a45c96ab for details. + +fix #8208 +--- + src/hydrogen.cc | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/hydrogen.cc b/src/hydrogen.cc +index 50d8e49..18a6b60 100644 +--- a/src/hydrogen.cc ++++ b/src/hydrogen.cc +@@ -3546,7 +3546,11 @@ class BoundsCheckBbData: public ZoneObject { + void MoveIndexIfNecessary(HValue* index_raw, + HBoundsCheck* insert_before, + HInstruction* end_of_scan_range) { +- ASSERT(index_raw->IsAdd() || index_raw->IsSub()); ++ if (!index_raw->IsAdd() && !index_raw->IsSub()) { ++ // index_raw can be HAdd(index_base, offset), HSub(index_base, offset), ++ // or index_base directly. In the latter case, no need to move anything. ++ return; ++ } + HBinaryOperation* index = + HArithmeticBinaryOperation::cast(index_raw); + HValue* left_input = index->left(); +@@ -3581,7 +3585,6 @@ class BoundsCheckBbData: public ZoneObject { + HBoundsCheck* tighter_check) { + ASSERT(original_check->length() == tighter_check->length()); + MoveIndexIfNecessary(tighter_check->index(), original_check, tighter_check); +- original_check->ReplaceAllUsesWith(original_check->index()); + original_check->SetOperandAt(0, tighter_check->index()); + } + }; +@@ -3624,7 +3627,9 @@ void HGraph::EliminateRedundantBoundsChecks(HBasicBlock* bb, + BoundsCheckTable* table) { + BoundsCheckBbData* bb_data_list = NULL; + +- for (HInstruction* i = bb->first(); i != NULL; i = i->next()) { ++ HInstruction* next; ++ for (HInstruction* i = bb->first(); i != NULL; i = next) { ++ next = i->next(); + if (!i->IsBoundsCheck()) continue; + + HBoundsCheck* check = HBoundsCheck::cast(i); diff --git a/SOURCES/v8-3.14.5.10-CVE-2013-6668.patch b/SOURCES/v8-3.14.5.10-CVE-2013-6668.patch new file mode 100644 index 0000000..fe5cb6d --- /dev/null +++ b/SOURCES/v8-3.14.5.10-CVE-2013-6668.patch @@ -0,0 +1,186 @@ +From fd80a31e0697d6317ce8c2d289575399f4e06d21 Mon Sep 17 00:00:00 2001 +From: Fedor Indutny +Date: Thu, 14 Aug 2014 19:29:28 +0400 +Subject: [PATCH] deps: backport 5f836c from v8 upstream + +Original commit message: + + Fix Hydrogen bounds check elimination + + When combining bounds checks, they must all be moved before the first load/store + that they are guarding. + + BUG=chromium:344186 + LOG=y + R=svenpanne@chromium.org + + Review URL: https://codereview.chromium.org/172093002 + + git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@19475 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 + +fix #8070 +--- + src/hydrogen.cc | 106 +++++++++++++++++++++++------------------------- + 1 file changed, 50 insertions(+), 56 deletions(-) + +diff --git a/src/hydrogen.cc b/src/hydrogen.cc +index e3f79ee..50d8e49 100644 +--- a/src/hydrogen.cc ++++ b/src/hydrogen.cc +@@ -3487,13 +3487,7 @@ class BoundsCheckBbData: public ZoneObject { + keep_new_check = true; + upper_check_ = new_check; + } else { +- BuildOffsetAdd(upper_check_, +- &added_upper_index_, +- &added_upper_offset_, +- Key()->IndexBase(), +- new_check->index()->representation(), +- new_offset); +- upper_check_->SetOperandAt(0, added_upper_index_); ++ TightenCheck(upper_check_, new_check); + } + } else if (new_offset < lower_offset_) { + lower_offset_ = new_offset; +@@ -3501,28 +3495,27 @@ class BoundsCheckBbData: public ZoneObject { + keep_new_check = true; + lower_check_ = new_check; + } else { +- BuildOffsetAdd(lower_check_, +- &added_lower_index_, +- &added_lower_offset_, +- Key()->IndexBase(), +- new_check->index()->representation(), +- new_offset); +- lower_check_->SetOperandAt(0, added_lower_index_); ++ TightenCheck(lower_check_, new_check); + } + } else { +- ASSERT(false); ++ // Should never have called CoverCheck() in this case. ++ UNREACHABLE(); + } + + if (!keep_new_check) { + new_check->DeleteAndReplaceWith(NULL); ++ } else { ++ HBoundsCheck* first_check = new_check == lower_check_ ? upper_check_ ++ : lower_check_; ++ // The length is guaranteed to be live at first_check. ++ ASSERT(new_check->length() == first_check->length()); ++ HInstruction* old_position = new_check->next(); ++ new_check->Unlink(); ++ new_check->InsertAfter(first_check); ++ MoveIndexIfNecessary(new_check->index(), new_check, old_position); + } + } + +- void RemoveZeroOperations() { +- RemoveZeroAdd(&added_lower_index_, &added_lower_offset_); +- RemoveZeroAdd(&added_upper_index_, &added_upper_offset_); +- } +- + BoundsCheckBbData(BoundsCheckKey* key, + int32_t lower_offset, + int32_t upper_offset, +@@ -3537,10 +3530,6 @@ class BoundsCheckBbData: public ZoneObject { + basic_block_(bb), + lower_check_(lower_check), + upper_check_(upper_check), +- added_lower_index_(NULL), +- added_lower_offset_(NULL), +- added_upper_index_(NULL), +- added_upper_offset_(NULL), + next_in_bb_(next_in_bb), + father_in_dt_(father_in_dt) { } + +@@ -3551,44 +3540,50 @@ class BoundsCheckBbData: public ZoneObject { + HBasicBlock* basic_block_; + HBoundsCheck* lower_check_; + HBoundsCheck* upper_check_; +- HAdd* added_lower_index_; +- HConstant* added_lower_offset_; +- HAdd* added_upper_index_; +- HConstant* added_upper_offset_; + BoundsCheckBbData* next_in_bb_; + BoundsCheckBbData* father_in_dt_; + +- void BuildOffsetAdd(HBoundsCheck* check, +- HAdd** add, +- HConstant** constant, +- HValue* original_value, +- Representation representation, +- int32_t new_offset) { +- HConstant* new_constant = new(BasicBlock()->zone()) +- HConstant(new_offset, Representation::Integer32()); +- if (*add == NULL) { +- new_constant->InsertBefore(check); +- // Because of the bounds checks elimination algorithm, the index is always +- // an HAdd or an HSub here, so we can safely cast to an HBinaryOperation. +- HValue* context = HBinaryOperation::cast(check->index())->context(); +- *add = new(BasicBlock()->zone()) HAdd(context, +- original_value, +- new_constant); +- (*add)->AssumeRepresentation(representation); +- (*add)->InsertBefore(check); +- } else { +- new_constant->InsertBefore(*add); +- (*constant)->DeleteAndReplaceWith(new_constant); ++ void MoveIndexIfNecessary(HValue* index_raw, ++ HBoundsCheck* insert_before, ++ HInstruction* end_of_scan_range) { ++ ASSERT(index_raw->IsAdd() || index_raw->IsSub()); ++ HBinaryOperation* index = ++ HArithmeticBinaryOperation::cast(index_raw); ++ HValue* left_input = index->left(); ++ HValue* right_input = index->right(); ++ bool must_move_index = false; ++ bool must_move_left_input = false; ++ bool must_move_right_input = false; ++ for (HInstruction* cursor = end_of_scan_range; cursor != insert_before;) { ++ if (cursor == left_input) must_move_left_input = true; ++ if (cursor == right_input) must_move_right_input = true; ++ if (cursor == index) must_move_index = true; ++ if (cursor->previous() == NULL) { ++ cursor = cursor->block()->dominator()->end(); ++ } else { ++ cursor = cursor->previous(); ++ } + } +- *constant = new_constant; +- } + +- void RemoveZeroAdd(HAdd** add, HConstant** constant) { +- if (*add != NULL && (*constant)->Integer32Value() == 0) { +- (*add)->DeleteAndReplaceWith((*add)->left()); +- (*constant)->DeleteAndReplaceWith(NULL); ++ // The BCE algorithm only selects mergeable bounds checks that share ++ // the same "index_base", so we'll only ever have to move constants. ++ if (must_move_left_input) { ++ HConstant::cast(left_input)->Unlink(); ++ HConstant::cast(left_input)->InsertBefore(index); ++ } ++ if (must_move_right_input) { ++ HConstant::cast(right_input)->Unlink(); ++ HConstant::cast(right_input)->InsertBefore(index); + } + } ++ ++ void TightenCheck(HBoundsCheck* original_check, ++ HBoundsCheck* tighter_check) { ++ ASSERT(original_check->length() == tighter_check->length()); ++ MoveIndexIfNecessary(tighter_check->index(), original_check, tighter_check); ++ original_check->ReplaceAllUsesWith(original_check->index()); ++ original_check->SetOperandAt(0, tighter_check->index()); ++ } + }; + + +@@ -3683,7 +3678,6 @@ void HGraph::EliminateRedundantBoundsChecks(HBasicBlock* bb, + for (BoundsCheckBbData* data = bb_data_list; + data != NULL; + data = data->NextInBasicBlock()) { +- data->RemoveZeroOperations(); + if (data->FatherInDominatorTree()) { + table->Insert(data->Key(), data->FatherInDominatorTree(), zone()); + } else { diff --git a/SOURCES/v8-3.14.5.10-CVE-2014-1704-1.patch b/SOURCES/v8-3.14.5.10-CVE-2014-1704-1.patch new file mode 100644 index 0000000..2df5230 --- /dev/null +++ b/SOURCES/v8-3.14.5.10-CVE-2014-1704-1.patch @@ -0,0 +1,77 @@ +From bf973073d98660edf35e01e6984029e46eb85368 Mon Sep 17 00:00:00 2001 +From: "dslomov@chromium.org" + +Date: Mon, 13 Jan 2014 13:00:09 +0000 +Subject: [PATCH] Use unsigned integer arithmetic in Zone::NewExpand. + + BUG=328202 + R=jkummerow@chromium.org + LOG=N + + Review URL: https://codereview.chromium.org/108783005 + + git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@18564 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 +--- + src/zone.cc | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +diff --git a/src/zone.cc b/src/zone.cc +index 51b8113..c12978f 100644 +--- a/src/zone.cc ++++ b/src/zone.cc +@@ -175,25 +175,31 @@ Address Zone::NewExpand(int size) { + // except that we employ a maximum segment size when we delete. This + // is to avoid excessive malloc() and free() overhead. + Segment* head = segment_head_; +- int old_size = (head == NULL) ? 0 : head->size(); +- static const int kSegmentOverhead = sizeof(Segment) + kAlignment; +- int new_size_no_overhead = size + (old_size << 1); +- int new_size = kSegmentOverhead + new_size_no_overhead; ++ const size_t old_size = (head == NULL) ? 0 : head->size(); ++ static const size_t kSegmentOverhead = sizeof(Segment) + kAlignment; ++ const size_t new_size_no_overhead = size + (old_size << 1); ++ size_t new_size = kSegmentOverhead + new_size_no_overhead; ++ const size_t min_new_size = kSegmentOverhead + static_cast(size); + // Guard against integer overflow. +- if (new_size_no_overhead < size || new_size < kSegmentOverhead) { ++ if (new_size_no_overhead < static_cast(size) || ++ new_size < static_cast(kSegmentOverhead)) { + V8::FatalProcessOutOfMemory("Zone"); + return NULL; + } +- if (new_size < kMinimumSegmentSize) { ++ if (new_size < static_cast(kMinimumSegmentSize)) { + new_size = kMinimumSegmentSize; +- } else if (new_size > kMaximumSegmentSize) { ++ } else if (new_size > static_cast(kMaximumSegmentSize)) { + // Limit the size of new segments to avoid growing the segment size + // exponentially, thus putting pressure on contiguous virtual address space. + // All the while making sure to allocate a segment large enough to hold the + // requested size. +- new_size = Max(kSegmentOverhead + size, kMaximumSegmentSize); ++ new_size = Max(min_new_size, static_cast(kMaximumSegmentSize)); + } +- Segment* segment = NewSegment(new_size); ++ if (new_size > INT_MAX) { ++ V8::FatalProcessOutOfMemory("Zone"); ++ return NULL; ++ } ++ Segment* segment = NewSegment(static_cast(new_size)); + if (segment == NULL) { + V8::FatalProcessOutOfMemory("Zone"); + return NULL; +@@ -203,7 +209,10 @@ Address Zone::NewExpand(int size) { + Address result = RoundUp(segment->start(), kAlignment); + position_ = result + size; + // Check for address overflow. +- if (position_ < result) { ++ // (Should not happen since the segment is guaranteed to accomodate ++ // size bytes + header and alignment padding) ++ if (reinterpret_cast(position_) ++ < reinterpret_cast(result)) { + V8::FatalProcessOutOfMemory("Zone"); + return NULL; + } +-- +1.8.5.3 + diff --git a/SOURCES/v8-3.14.5.10-enumeration.patch b/SOURCES/v8-3.14.5.10-enumeration.patch new file mode 100644 index 0000000..4dea2a5 --- /dev/null +++ b/SOURCES/v8-3.14.5.10-enumeration.patch @@ -0,0 +1,30 @@ +From 196184d332ba2d2defc56ad0b37653659a7d3ec0 Mon Sep 17 00:00:00 2001 +From: "svenpanne@chromium.org" +Date: Fri, 9 Nov 2012 11:30:05 +0000 +Subject: [PATCH] v8: backport codereview.chromium.org/11362182 + +Keep the number of descriptors below +DescriptorArray::kMaxNumberOfDescriptors even for accessors + +Review URL: https://codereview.chromium.org/11362182 +--- + src/objects.cc | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/objects.cc b/src/objects.cc +--- a/src/objects.cc ++++ b/src/objects.cc +@@ -4453,7 +4453,9 @@ MaybeObject* JSObject::DefinePropertyAccessor(String* name, + // to do a lookup, which seems to be a bit of overkill. + Heap* heap = GetHeap(); + bool only_attribute_changes = getter->IsNull() && setter->IsNull(); +- if (HasFastProperties() && !only_attribute_changes) { ++ if (HasFastProperties() && !only_attribute_changes && ++ (map()->NumberOfOwnDescriptors() < ++ DescriptorArray::kMaxNumberOfDescriptors)) { + MaybeObject* getterOk = heap->undefined_value(); + if (!getter->IsNull()) { + getterOk = DefineFastAccessor(name, ACCESSOR_GETTER, getter, attributes); +-- +1.8.5.1 + diff --git a/SOURCES/v8-3.14.5.10-mem-corruption-stack-overflow.patch b/SOURCES/v8-3.14.5.10-mem-corruption-stack-overflow.patch new file mode 100644 index 0000000..452464b --- /dev/null +++ b/SOURCES/v8-3.14.5.10-mem-corruption-stack-overflow.patch @@ -0,0 +1,33 @@ +From 530af9cb8e700e7596b3ec812bad123c9fa06356 Mon Sep 17 00:00:00 2001 +From: Fedor Indutny +Date: Wed, 30 Jul 2014 15:33:52 -0700 +Subject: [PATCH] v8: Interrupts must not mask stack overflow. + +Backport of https://codereview.chromium.org/339883002 +--- + src/isolate.h | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/src/isolate.h b/src/isolate.h +index b90191d..2769ca7 100644 +--- a/src/isolate.h ++++ b/src/isolate.h +@@ -1392,14 +1392,9 @@ class StackLimitCheck BASE_EMBEDDED { + public: + explicit StackLimitCheck(Isolate* isolate) : isolate_(isolate) { } + +- bool HasOverflowed() const { ++ inline bool HasOverflowed() const { + StackGuard* stack_guard = isolate_->stack_guard(); +- // Stack has overflowed in C++ code only if stack pointer exceeds the C++ +- // stack guard and the limits are not set to interrupt values. +- // TODO(214): Stack overflows are ignored if a interrupt is pending. This +- // code should probably always use the initial C++ limit. +- return (reinterpret_cast(this) < stack_guard->climit()) && +- stack_guard->IsStackOverflow(); ++ return reinterpret_cast(this) < stack_guard->real_climit(); + } + private: + Isolate* isolate_; +-- +2.0.3 diff --git a/SOURCES/v8-3.14.5.10-unused-local-typedefs.patch b/SOURCES/v8-3.14.5.10-unused-local-typedefs.patch new file mode 100644 index 0000000..c168875 --- /dev/null +++ b/SOURCES/v8-3.14.5.10-unused-local-typedefs.patch @@ -0,0 +1,39 @@ +From 53b4accb6e5747b156be91a2b90f42607e33a7cc Mon Sep 17 00:00:00 2001 +From: Timothy J Fontaine +Date: Mon, 4 Aug 2014 13:43:50 -0700 +Subject: [PATCH] v8: Fix compliation with GCC 4.8 + +Supresses a very loud warning from GCC 4.8 about unused typedefs + +Original url https://codereview.chromium.org/69413002 +--- + src/checks.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/checks.h b/src/checks.h +index d0a0c2b..4396ada 100644 +--- a/src/checks.h ++++ b/src/checks.h +@@ -230,6 +230,13 @@ inline void CheckNonEqualsHelper(const char* file, + #define CHECK_LE(a, b) CHECK((a) <= (b)) + + ++#if defined(__clang__) || defined(__GNUC__) ++# define V8_UNUSED __attribute__((unused)) ++#else ++# define V8_UNUSED ++#endif ++ ++ + // This is inspired by the static assertion facility in boost. This + // is pretty magical. If it causes you trouble on a platform you may + // find a fix in the boost code. +@@ -248,7 +255,7 @@ template class StaticAssertionHelper { }; + #define STATIC_CHECK(test) \ + typedef \ + StaticAssertionHelper((test))>)> \ +- SEMI_STATIC_JOIN(__StaticAssertTypedef__, __LINE__) ++ SEMI_STATIC_JOIN(__StaticAssertTypedef__, __LINE__) V8_UNUSED + + + extern bool FLAG_enable_slow_asserts; diff --git a/SOURCES/v8-3.14.5.10-use-clock_gettime.patch b/SOURCES/v8-3.14.5.10-use-clock_gettime.patch new file mode 100644 index 0000000..cb25591 --- /dev/null +++ b/SOURCES/v8-3.14.5.10-use-clock_gettime.patch @@ -0,0 +1,122 @@ +From f9ced08de30c37838756e8227bd091f80ad9cafa Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis +Date: Thu, 24 Apr 2014 04:27:40 +0200 +Subject: [PATCH] deps: make v8 use CLOCK_REALTIME_COARSE + +Date.now() indirectly calls gettimeofday() on Linux and that's a system +call that is extremely expensive on virtualized systems when the host +operating system has to emulate access to the hardware clock. + +Case in point: output from `perf record -c 10000 -e cycles:u -g -i` +for a benchmark/http_simple bytes/8 benchmark with a light load of +50 concurrent clients: + + 53.69% node node [.] v8::internal::OS::TimeCurrentMillis() + | + --- v8::internal::OS::TimeCurrentMillis() + | + |--99.77%-- v8::internal::Runtime_DateCurrentTime(v8::internal::Arguments, v8::internal::Isolate*) + | 0x23587880618e + +That's right - over half of user time spent inside the V8 function that +calls gettimeofday(). + +Notably, nearly all system time gets attributed to acpi_pm_read(), the +kernel function that reads the ACPI power management timer: + + 32.49% node [kernel.kallsyms] [k] acpi_pm_read + | + --- acpi_pm_read + | + |--98.40%-- __getnstimeofday + | getnstimeofday + | | + | |--71.61%-- do_gettimeofday + | | sys_gettimeofday + | | system_call_fastpath + | | 0x7fffbbaf6dbc + | | | + | | |--98.72%-- v8::internal::OS::TimeCurrentMillis() + +The cost of the gettimeofday() system call is normally measured in +nanoseconds but we were seeing 100 us averages and spikes >= 1000 us. +The numbers were so bad, my initial hunch was that the node process was +continuously getting rescheduled inside the system call... + +v8::internal::OS::TimeCurrentMillis()'s most frequent caller is +v8::internal::Runtime_DateCurrentTime(), the V8 run-time function +that's behind Date.now(). The timeout handling logic in lib/http.js +and lib/net.js calls into lib/timers.js and that module will happily +call Date.now() hundreds or even thousands of times per second. +If you saw exports._unrefActive() show up in --prof output a lot, +now you know why. + +That's why this commit makes V8 switch over to clock_gettime() on Linux. +In particular, it checks if CLOCK_REALTIME_COARSE is available and has +a resolution <= 1 ms because in that case the clock_gettime() call can +be fully serviced from the vDSO. + +It speeds up the aforementioned benchmark by about 100% on the affected +systems and should go a long way toward addressing the latency issues +that StrongLoop customers have been reporting. + +This patch will be upstreamed as a CR against V8 3.26. I'm sending it +as a pull request for v0.10 first because that's what our users are +running and because the delta between 3.26 and 3.14 is too big to +reasonably back-port the patch. I'll open a pull request for the +master branch once the CR lands upstream. + +Signed-off-by: Trevor Norris +Signed-off-by: Fedor Indutny +--- + src/platform-posix.cc | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +diff --git a/src/platform-posix.cc b/src/platform-posix.cc +index ad74eba..3c86868 100644 +--- a/src/platform-posix.cc ++++ b/src/platform-posix.cc +@@ -188,19 +188,37 @@ int OS::GetUserTime(uint32_t* secs, uint32_t* usecs) { + + + double OS::TimeCurrentMillis() { +- struct timeval tv; +- if (gettimeofday(&tv, NULL) < 0) return 0.0; +- return (static_cast(tv.tv_sec) * 1000) + +- (static_cast(tv.tv_usec) / 1000); ++ return static_cast(Ticks()) / 1000; + } + + + int64_t OS::Ticks() { ++#if defined(__linux__) ++ static clockid_t clock_id = static_cast(-1); ++ struct timespec spec; ++ if (clock_id == static_cast(-1)) { ++ // CLOCK_REALTIME_COARSE may not be defined by the system headers but ++ // might still be supported by the kernel so use the clock id directly. ++ // Only use CLOCK_REALTIME_COARSE when its granularity <= 1 ms. ++ const clockid_t clock_realtime_coarse = 5; ++ if (clock_getres(clock_realtime_coarse, &spec) == 0 && ++ spec.tv_nsec <= 1000 * 1000) { ++ clock_id = clock_realtime_coarse; ++ } else { ++ clock_id = CLOCK_REALTIME; ++ } ++ } ++ if (clock_gettime(clock_id, &spec) != 0) { ++ return 0; // Not really possible. ++ } ++ return static_cast(spec.tv_sec) * 1000000 + (spec.tv_nsec / 1000); ++#else + // gettimeofday has microsecond resolution. + struct timeval tv; + if (gettimeofday(&tv, NULL) < 0) + return 0; + return (static_cast(tv.tv_sec) * 1000000) + tv.tv_usec; ++#endif + } + + +-- +1.9.1 diff --git a/SOURCES/v8-3.14.5.10-use-upstream-test-values-regress-test-1122.patch b/SOURCES/v8-3.14.5.10-use-upstream-test-values-regress-test-1122.patch new file mode 100644 index 0000000..aa5c29c --- /dev/null +++ b/SOURCES/v8-3.14.5.10-use-upstream-test-values-regress-test-1122.patch @@ -0,0 +1,27 @@ +From 2d5987cc5dd086a2e670909986719ce32d85015b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hr=C4=8Dka?= +Date: Tue, 30 Sep 2014 15:37:35 +0200 +Subject: [PATCH] use upstream test values + +--- + test/mjsunit/regress/regress-1122.js | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/test/mjsunit/regress/regress-1122.js b/test/mjsunit/regress/regress-1122.js +index 815511d..da576ba 100644 +--- a/test/mjsunit/regress/regress-1122.js ++++ b/test/mjsunit/regress/regress-1122.js +@@ -62,7 +62,6 @@ assertEquals('prefix 16000 suffix', + assertEquals('prefix undefined suffix', + function_with_n_params_and_m_args(32000, 10000)); + +-assertThrows("function_with_n_params_and_m_args(35000, 35000)"); +-assertThrows("function_with_n_params_and_m_args(100000, 100000)"); +-assertThrows("function_with_n_params_and_m_args(35000, 30000)"); +-assertThrows("function_with_n_params_and_m_args(30000, 35000)"); ++assertThrows("function_with_n_params_and_m_args(66000, 60000)"); ++assertThrows("function_with_n_params_and_m_args(60000, 66000)"); ++ +-- +1.8.3.1 + diff --git a/SOURCES/v8-3.14.5.10-x64-MathMinMax.patch b/SOURCES/v8-3.14.5.10-x64-MathMinMax.patch new file mode 100644 index 0000000..e7b167d --- /dev/null +++ b/SOURCES/v8-3.14.5.10-x64-MathMinMax.patch @@ -0,0 +1,105 @@ +From 3530fa9cd09f8db8101c4649cab03bcdf760c434 Mon Sep 17 00:00:00 2001 +From: Fedor Indutny +Date: Fri, 21 Dec 2012 17:52:00 +0000 +Subject: [PATCH] deps: backport 4ed5fde4f from v8 upstream + +Original commit message: + + Fix x64 MathMinMax for negative untagged int32 arguments. + + An untagged int32 has zeros in the upper half even if it is negative. + Using cmpq to compare such numbers will incorrectly ignore the sign. + + BUG=164442 + R=mvstanton@chromium.org + + Review URL: https://chromiumcodereview.appspot.com/11665007 + + git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@13273 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 + +Signed-off-by: Fedor Indutny +--- + src/x64/lithium-codegen-x64.cc | 6 ++-- + test/mjsunit/regress/regress-164442.js | 45 ++++++++++++++++++++++++++ + 2 files changed, 48 insertions(+), 3 deletions(-) + create mode 100644 test/mjsunit/regress/regress-164442.js + +diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc +index b461e62..ff01f44 100644 +--- a/src/x64/lithium-codegen-x64.cc ++++ b/src/x64/lithium-codegen-x64.cc +@@ -1457,17 +1457,17 @@ void LCodeGen::DoMathMinMax(LMathMinMax* instr) { + if (right->IsConstantOperand()) { + Immediate right_imm = + Immediate(ToInteger32(LConstantOperand::cast(right))); +- __ cmpq(left_reg, right_imm); ++ __ cmpl(left_reg, right_imm); + __ j(condition, &return_left, Label::kNear); + __ movq(left_reg, right_imm); + } else if (right->IsRegister()) { + Register right_reg = ToRegister(right); +- __ cmpq(left_reg, right_reg); ++ __ cmpl(left_reg, right_reg); + __ j(condition, &return_left, Label::kNear); + __ movq(left_reg, right_reg); + } else { + Operand right_op = ToOperand(right); +- __ cmpq(left_reg, right_op); ++ __ cmpl(left_reg, right_op); + __ j(condition, &return_left, Label::kNear); + __ movq(left_reg, right_op); + } +diff --git a/test/mjsunit/regress/regress-164442.js b/test/mjsunit/regress/regress-164442.js +new file mode 100644 +index 0000000..1160d87 +--- /dev/null ++++ b/test/mjsunit/regress/regress-164442.js +@@ -0,0 +1,45 @@ ++// Copyright 2012 the V8 project authors. All rights reserved. ++// Redistribution and use in source and binary forms, with or without ++// modification, are permitted provided that the following conditions are ++// met: ++// ++// * Redistributions of source code must retain the above copyright ++// notice, this list of conditions and the following disclaimer. ++// * Redistributions in binary form must reproduce the above ++// copyright notice, this list of conditions and the following ++// disclaimer in the documentation and/or other materials provided ++// with the distribution. ++// * Neither the name of Google Inc. nor the names of its ++// contributors may be used to endorse or promote products derived ++// from this software without specific prior written permission. ++// ++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ++// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ ++// Flags: --allow-natives-syntax ++ ++// Should not take a very long time (n^2 algorithms are bad) ++ ++ ++function ensureNotNegative(x) { ++ return Math.max(0, x | 0); ++} ++ ++ ++ensureNotNegative(1); ++ensureNotNegative(2); ++ ++%OptimizeFunctionOnNextCall(ensureNotNegative); ++ ++var r = ensureNotNegative(-1); ++ ++assertEquals(0, r); +-- +2.0.3 + diff --git a/SOURCES/v8-3.14.5.10-x64-compare-stubs.patch b/SOURCES/v8-3.14.5.10-x64-compare-stubs.patch new file mode 100644 index 0000000..bf7c542 --- /dev/null +++ b/SOURCES/v8-3.14.5.10-x64-compare-stubs.patch @@ -0,0 +1,116 @@ +From a960d1707a0038bfa5546c669b5b63c35bdb75c5 Mon Sep 17 00:00:00 2001 +From: Fedor Indutny +Date: Fri, 2 May 2014 22:44:45 +0400 +Subject: [PATCH] deps: backport 23f2736a from v8 upstream + +Original text: + + Fix corner case in x64 compare stubs. + + BUG=v8:2416 + + Review URL: https://codereview.chromium.org/11413087 + +fix #7528 +--- + src/x64/code-stubs-x64.cc | 2 +- + test/mjsunit/regress/regress-2416.js | 75 ++++++++++++++++++++++++++++ + 2 files changed, 76 insertions(+), 1 deletion(-) + create mode 100644 test/mjsunit/regress/regress-2416.js + +diff --git a/src/x64/code-stubs-x64.cc b/deps/v8/src/x64/code-stubs-x64.cc +index f0f9c5d..9ad0167 100644 +--- a/src/x64/code-stubs-x64.cc ++++ b/src/x64/code-stubs-x64.cc +@@ -5580,7 +5580,7 @@ void ICCompareStub::GenerateSmis(MacroAssembler* masm) { + __ subq(rdx, rax); + __ j(no_overflow, &done, Label::kNear); + // Correct sign of result in case of overflow. +- __ SmiNot(rdx, rdx); ++ __ not_(rdx); + __ bind(&done); + __ movq(rax, rdx); + } +diff --git a/test/mjsunit/regress/regress-2416.js b/deps/v8/test/mjsunit/regress/regress-2416.js +new file mode 100644 +index 0000000..02afeb9 +--- /dev/null ++++ b/test/mjsunit/regress/regress-2416.js +@@ -0,0 +1,75 @@ ++// Copyright 2012 the V8 project authors. All rights reserved. ++// Redistribution and use in source and binary forms, with or without ++// modification, are permitted provided that the following conditions are ++// met: ++// ++// * Redistributions of source code must retain the above copyright ++// notice, this list of conditions and the following disclaimer. ++// * Redistributions in binary form must reproduce the above ++// copyright notice, this list of conditions and the following ++// disclaimer in the documentation and/or other materials provided ++// with the distribution. ++// * Neither the name of Google Inc. nor the names of its ++// contributors may be used to endorse or promote products derived ++// from this software without specific prior written permission. ++// ++// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ++// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ ++assertFalse(2147483647 < -2147483648) ++assertFalse(2147483647 <= -2147483648) ++assertFalse(2147483647 == -2147483648) ++assertTrue(2147483647 >= -2147483648) ++assertTrue(2147483647 > -2147483648) ++ ++assertTrue(-2147483648 < 2147483647) ++assertTrue(-2147483648 <= 2147483647) ++assertFalse(-2147483648 == 2147483647) ++assertFalse(-2147483648 >= 2147483647) ++assertFalse(-2147483648 > 2147483647) ++ ++assertFalse(2147483647 < 2147483647) ++assertTrue(2147483647 <= 2147483647) ++assertTrue(2147483647 == 2147483647) ++assertTrue(2147483647 >= 2147483647) ++assertFalse(2147483647 > 2147483647) ++ ++assertFalse(-2147483648 < -2147483648) ++assertTrue(-2147483648 <= -2147483648) ++assertTrue(-2147483648 == -2147483648) ++assertTrue(-2147483648 >= -2147483648) ++assertFalse(-2147483648 > -2147483648) ++ ++ ++assertFalse(1073741823 < -1073741824) ++assertFalse(1073741823 <= -1073741824) ++assertFalse(1073741823 == -1073741824) ++assertTrue(1073741823 >= -1073741824) ++assertTrue(1073741823 > -1073741824) ++ ++assertTrue(-1073741824 < 1073741823) ++assertTrue(-1073741824 <= 1073741823) ++assertFalse(-1073741824 == 1073741823) ++assertFalse(-1073741824 >= 1073741823) ++assertFalse(-1073741824 > 1073741823) ++ ++assertFalse(1073741823 < 1073741823) ++assertTrue(1073741823 <= 1073741823) ++assertTrue(1073741823 == 1073741823) ++assertTrue(1073741823 >= 1073741823) ++assertFalse(1073741823 > 1073741823) ++ ++assertFalse(-1073741824 < -1073741824) ++assertTrue(-1073741824 <= -1073741824) ++assertTrue(-1073741824 == -1073741824) ++assertTrue(-1073741824 >= -1073741824) ++assertFalse(-1073741824 > -1073741824) +-- +1.9.3 diff --git a/SPECS/v8.spec b/SPECS/v8.spec index cfefa3a..fa31a1b 100644 --- a/SPECS/v8.spec +++ b/SPECS/v8.spec @@ -35,7 +35,7 @@ Name: %{?scl_prefix}v8 Version: %{somajor}.%{sominor}.%{sobuild}.%{sotiny} -Release: 3.6%{?dist} +Release: 6%{?dist} Epoch: 1 Summary: JavaScript Engine Group: System Environment/Libraries @@ -49,11 +49,55 @@ BuildRoot: %{_tmppath}/%{pkg_name}-%{version}-%{release}-root-%(%{__id_u} -n) ExclusiveArch: %{ix86} x86_64 %{arm} BuildRequires: %{?scl_prefix}gyp, readline-devel, libicu-devel, chrpath #backport fix for CVE-2013-2634 (RHBZ#924495) -Patch1: v8-3.14.5.8-CVE-2013-2634.patch +Patch1: v8-3.14.5.8-CVE-2013-2634.patch #backport fix for CVE-2013-2882 (RHBZ#991116) -Patch2: v8-3.14.5.10-CVE-2013-2882.patch +Patch2: v8-3.14.5.10-CVE-2013-2882.patch +#backport fix for CVE-2013-6640 (RHBZ#1039889) +Patch3: v8-3.14.5.10-CVE-2013-6640.patch + +#backport fix for enumeration for objects with lots of properties +#https://codereview.chromium.org/11362182 +Patch4: v8-3.14.5.10-enumeration.patch + +#backport fix for CVE-2013-6650 (RHBZ#1059070) +Patch5: v8-3.14.5.10-CVE-2013-6650.patch + +#backport only applicable fix for CVE-2014-1704 (RHBZ#1077136) +#the other two patches don't affect this version of v8 +Patch6: v8-3.14.5.10-CVE-2014-1704-1.patch + +# use clock_gettime() instead of gettimeofday(), which increases performance +# dramatically on virtual machines +# https://github.com/joyent/node/commit/f9ced08de30c37838756e8227bd091f80ad9cafa +# see above link or head of patch for complete rationale +Patch7: v8-3.14.5.10-use-clock_gettime.patch + +# fix corner case in x64 compare stubs +# fixes bug resulting in an incorrect result when comparing certain integers +# (e.g. 2147483647 > -2147483648 is false instead of true) +# https://code.google.com/p/v8/issues/detail?id=2416 +# https://github.com/joyent/node/issues/7528 +Patch8: v8-3.14.5.10-x64-compare-stubs.patch + +# backport security fix for memory corruption/stack overflow (RHBZ#1125464) +# https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ +# https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356 +Patch9: v8-3.14.5.10-mem-corruption-stack-overflow.patch + +# backport bugfix for x64 MathMinMax: +# Fix x64 MathMinMax for negative untagged int32 arguments. +# An untagged int32 has zeros in the upper half even if it is negative. +# Using cmpq to compare such numbers will incorrectly ignore the sign. +# https://github.com/joyent/node/commit/3530fa9cd09f8db8101c4649cab03bcdf760c434 +Patch10: v8-3.14.5.10-x64-MathMinMax.patch + #we need this to get over some ugly code -Patch3: gcc-48-fix.patch +Patch11: gcc-48-fix.patch +Patch12: v8-3.14.5.10-unused-local-typedefs.patch +Patch13: v8-3.14.5.10-CVE-2013-6668.patch +Patch14: v8-3.14.5.10-CVE-2013-6668-segfault.patch +Patch15: v8-3.14.5.10-use-upstream-test-values-regress-test-1122.patch + Obsoletes: nodejs010-v8, ruby193-v8, mongodb24-v8 %{?scl:Requires: %{scl}-runtime} @@ -77,6 +121,19 @@ Development headers and libraries for v8. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 + %build mkdir -p build/gyp @@ -171,6 +228,17 @@ rm -rf %{buildroot} %{?_scl_root}%{python_sitelib}/j*.py* %changelog +* Tue Sep 30 2014 Tomas Hrcka - 1:3.14.5.10-6 +- Update regress test 1122 + +* Tue Sep 23 2014 Tomas Hrcka - 1:3.14.5.10-5 +- Add CVE-2013-6668 patch + +* Wed Sep 10 2014 Tomas Hrcka - 1:3.14.5.10-4 +- multiple CVE fixes +- CVE-2013-6639 CVE-2013-6640 CVE-2013-6650 +- CVE-2013-6668 CVE-2014-1704 CVE-2014-5256 + * Mon Mar 24 2014 Tomas Hrcka - 1:3.14.5.10-3.6 - Remove rpaths