deps: V8: cherry-pick 412ac52d8246

Original commit message: [bigint] Fix possibly-uninitialized leading digit on right shift (cherry picked from commit e82a3b4d47a93ab64f07d8c03e3cd17b6b961c3f) (cherry picked from commit 1162c460dee4218abd798b51b88926aef5c8bd61) No-Try: true No-Presubmit: true No-Tree-Checks: true Fixed: chromium:1151890 Change-Id: I26f5c76494a9ff3f5a141f381e1c9a543e368571 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2561618 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Original-Original-Commit-Position: refs/heads/master@{#71422} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2565245 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Original-Commit-Position: refs/branch-heads/8.7@{#57} Cr-Original-Branched-From: 0d81cd72688512abcbe1601015baee390c484a6a-refs/heads/8.7.220@{#1} Cr-Original-Branched-From: 942c2ef85caef00fcf02517d049f05e9a3d4b440-refs/heads/master@{#70196} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2624611 Commit-Queue: Victor-Gabriel Savu <vsavu@google.com> Cr-Commit-Position: refs/branch-heads/8.6@{#54} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: v8/v8@412ac52 PR-URL: #38275 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Shelley Vohr <codebytere@gmail.com>
nodejs · Apr 30, 2021 · 931d31a · 931d31a
1 parent e99e456
commit 931d31a
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/common.gypi b/common.gypi
@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.39',
+    'v8_embedder_string': '-node.40',
 
     ##### V8 defaults for Node.js #####
 

diff --git a/deps/v8/src/objects/bigint.cc b/deps/v8/src/objects/bigint.cc
@@ -1862,6 +1862,8 @@ Handle<BigInt> MutableBigInt::RightShiftByAbsolute(Isolate* isolate,
   DCHECK_LE(result_length, length);
   Handle<MutableBigInt> result = New(isolate, result_length).ToHandleChecked();
   if (bits_shift == 0) {
+    // Zero out any overflow digit (see "rounding_can_overflow" above).
+    result->set_digit(result_length - 1, 0);
     for (int i = digit_shift; i < length; i++) {
       result->set_digit(i - digit_shift, x->digit(i));
     }

diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-1151890.js b/deps/v8/test/mjsunit/regress/regress-crbug-1151890.js
@@ -0,0 +1,11 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+for (let i = 0, j = 0; i < 10; ++i) {
+  let x = (-0xffffffffffffffff_ffffffffffffffffn >> 0x40n);
+  assertEquals(-0x10000000000000000n, x);
+  %SimulateNewspaceFull();
+}