diff --git a/patches/v8/.patches b/patches/v8/.patches index 3d636e7deae70..4afbf4fe981d0 100644 --- a/patches/v8/.patches +++ b/patches/v8/.patches @@ -9,4 +9,6 @@ do_not_export_private_v8_symbols_on_windows.patch include_string_in_v8_h.patch objects_fix_memory_leak_in_prototypeusers_add.patch fix_bug_in_receiver_maps_inference.patch +make_createdynamicfunction_throw_if_disallowed.patch intl_fix_intl_numberformat_constructor.patch +merged_make_createdynamicfunction_switch_context_before_throwing.patch diff --git a/patches/v8/make_createdynamicfunction_throw_if_disallowed.patch b/patches/v8/make_createdynamicfunction_throw_if_disallowed.patch new file mode 100644 index 0000000000000..bafd0b04ad476 --- /dev/null +++ b/patches/v8/make_createdynamicfunction_throw_if_disallowed.patch @@ -0,0 +1,66 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Georg Neis +Date: Mon, 30 Mar 2020 11:55:10 +0200 +Subject: Make CreateDynamicFunction throw if disallowed + +... instead of returning undefined. + +Bug: chromium:1065094 +Change-Id: I0b0397a8affd44b58e7f4777f32ba22bbd001ab1 +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2124837 +Reviewed-by: Toon Verwaest +Commit-Queue: Georg Neis +Cr-Commit-Position: refs/heads/master@{#66902} + +diff --git a/src/builtins/builtins-function.cc b/src/builtins/builtins-function.cc +index f75014d034626643ae83dc8f167a473b7291522c..b5c2e8b25f10f2fff9011a0a1bd1aeef23de5cb9 100644 +--- a/src/builtins/builtins-function.cc ++++ b/src/builtins/builtins-function.cc +@@ -31,7 +31,7 @@ MaybeHandle CreateDynamicFunction(Isolate* isolate, + + if (!Builtins::AllowDynamicFunction(isolate, target, target_global_proxy)) { + isolate->CountUsage(v8::Isolate::kFunctionConstructorReturnedUndefined); +- return isolate->factory()->undefined_value(); ++ THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kNoAccess), Object); + } + + // Build the source string. +diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status +index 134a49f7480c87acbb08133a2d6a4d028bbdd090..7dcaa412199770d7c4f688d7f8a66d887130bf82 100644 +--- a/test/mjsunit/mjsunit.status ++++ b/test/mjsunit/mjsunit.status +@@ -232,6 +232,9 @@ + # BUG(v8:6306). + 'wasm/huge-memory': [SKIP], + ++ # Needs to be adapted after changes to Function constructor. chromium:1065094 ++ 'cross-realm-filtering': [SKIP], ++ + # Allocates a huge string and then flattens it, very slow in debug mode. + 'regress/regress-752764': [PASS, ['mode == debug', SLOW]], + +diff --git a/test/mjsunit/regress-1065094.js b/test/mjsunit/regress-1065094.js +new file mode 100644 +index 0000000000000000000000000000000000000000..365e20285bb0505dec3f84c4df57db0525e7acc3 +--- /dev/null ++++ b/test/mjsunit/regress-1065094.js +@@ -0,0 +1,19 @@ ++// Copyright 2020 the V8 project authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++// Flags: --allow-natives-syntax ++ ++function f(fnConstructor) { ++ return Object.is(new fnConstructor(), undefined); ++} ++ ++const realmIndex = Realm.createAllowCrossRealmAccess(); ++const otherFunction = Realm.global(realmIndex).Function; ++Realm.detachGlobal(realmIndex); ++ ++%PrepareFunctionForOptimization(f); ++assertFalse(f(Function)); ++assertThrows(_ => f(otherFunction)); ++%OptimizeFunctionOnNextCall(f); ++assertThrows(_ => f(otherFunction)); diff --git a/patches/v8/merged_make_createdynamicfunction_switch_context_before_throwing.patch b/patches/v8/merged_make_createdynamicfunction_switch_context_before_throwing.patch new file mode 100644 index 0000000000000..9a58b9a8887c7 --- /dev/null +++ b/patches/v8/merged_make_createdynamicfunction_switch_context_before_throwing.patch @@ -0,0 +1,45 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Georg Neis +Date: Tue, 31 Mar 2020 18:49:38 +0200 +Subject: Merged: Make CreateDynamicFunction switch context before throwing + +Revision: 093019ee1ab3a92de915c1f3a1a7a5a8c86e3a5d + +BUG=chromium:1065094,v8:10361 +NOTRY=true +NOPRESUBMIT=true +NOTREECHECKS=true +R=verwaest@chromium.org + +Change-Id: I19528a1bc6058e6596f34f73d13d9c249cc6c3a7 +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2130127 +Commit-Queue: Georg Neis +Reviewed-by: Toon Verwaest +Cr-Commit-Position: refs/branch-heads/8.0@{#60} +Cr-Branched-From: 69827db645fcece065bf16a795a4ec8d3a51057f-refs/heads/8.0.426@{#2} +Cr-Branched-From: 2fe1552c5809d0dd92e81d36a5535cbb7c518800-refs/heads/master@{#65318} + +diff --git a/src/builtins/builtins-function.cc b/src/builtins/builtins-function.cc +index b5c2e8b25f10f2fff9011a0a1bd1aeef23de5cb9..7275e2fcede16a41cc5998b4957be9b8a8e53b88 100644 +--- a/src/builtins/builtins-function.cc ++++ b/src/builtins/builtins-function.cc +@@ -2,6 +2,7 @@ + // Use of this source code is governed by a BSD-style license that can be + // found in the LICENSE file. + ++#include "src/api/api-inl.h" + #include "src/builtins/builtins-utils-inl.h" + #include "src/builtins/builtins.h" + #include "src/codegen/code-factory.h" +@@ -31,6 +32,11 @@ MaybeHandle CreateDynamicFunction(Isolate* isolate, + + if (!Builtins::AllowDynamicFunction(isolate, target, target_global_proxy)) { + isolate->CountUsage(v8::Isolate::kFunctionConstructorReturnedUndefined); ++ // TODO(verwaest): We would like to throw using the calling context instead ++ // of the entered context but we don't currently have access to that. ++ HandleScopeImplementer* impl = isolate->handle_scope_implementer(); ++ SaveAndSwitchContext save( ++ isolate, impl->LastEnteredOrMicrotaskContext()->native_context()); + THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kNoAccess), Object); + } +