The Node 0.12 line was initially released with a version
of v8 that included Array.prototype.values(). In
https://github.com/joyent/node/pull/18206, v8 was
updated to a version that dropped support for values().
https://codereview.chromium.org/647703003 removed this
method because it causes problems with some versions of
Outlook Web Access. This commit reverts the removal of
Array.prototype.values().
Original commit message:
Revert "Version 3.28.71.17 (merged r24706, r24708)"
This reverts commit 529541ecb58fd0d6df4dfbe41d01bff9ae21ff06.
Conflicts:
src/version.cc
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
PR-URL: https://github.com/joyent/node/pull/25328
Backport 6964a9e0685fa186d9d9b7907be17505e839db1a from upstream v8.
Original commit message:
Make CPU profiler do not hog 100% of CPU.
Tick event processor should not stay in a tight loop
when there's nothing to do. It can go sleep until next sample event.
LOG=N
BUG=v8:3967
Committed: https://crrev.com/6964a9e0685fa186d9d9b7907be17505e839db1a
Cr-Commit-Position: refs/heads/master@{#28211}
Fixes#25137
Related: #9439, #8789
PR: #25268
PR-URL: https://github.com/joyent/node/pull/25268
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Julien Gilli <jgilli@fastmail.fm>
Backport b17eaaa5755e625493c5fe537f42b58838923c52 from upstream v8.
Original commit message:
Fix desugaring of let bindings in for loops to handle continue properly
This requires putting the original loop's body inside an inner for loop (with
the same labels as the original loop) and re-binding the temp variables in its
"next" expression. A second flag is added to the desugared code to ensure the
loop body executes at most once per loop.
BUG=v8:3683
LOG=y
Review URL: https://codereview.chromium.org/720863002
Cr-Commit-Position: refs/heads/master@{#25363}
Fixes#9113 and #14411.
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: https://github.com/joyent/node/pull/23948
The 3.28.73 update was technically unstable code. This reverts the code
to the latest 3.28 stable release.
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
PR-URL: https://github.com/joyent/node/pull/18206
V8 3.26.31 has received 14 patches since the upgrade to 3.26.33. Since
3.26.33 is technically a tag on the 3.27 branch, reverting back to
3.26.31 would remove now default functionality like WeakMaps. Because of
that the patches have simply been cherry-picked and squashed.
Here is a summary of all patches:
* Fix index register assignment in LoadFieldByIndex for arm, arm64, and
mips.
* Fix invalid attributes when generalizing because of incompatible map
change.
* Skip write barriers when updating the weak hash table.
* MIPS: Avoid HeapObject check in HStoreNamedField.
* Do GC if CodeRange fails to allocate a block.
* Array.concat: properly go to dictionary mode when required.
* Keep CodeRange::current_allocation_block_index_ in range.
* Grow heap slower if GC freed many global handles.
* Do not eliminate bounds checks for "<const> - x".
* Add missing map check to optimized f.apply(...).
* In GrowMode, force the value to the right representation to avoid
deopts between storing the length and storing the value.
* Reduce max executable size limit.
* Fix invalid condition in check elimination effects.
* Fix off-by-one error in Array.concat slow mode check.
For more information see: https://github.com/v8/v8/commits/3.26
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Quoting CVE-2013-6639:
The DehoistArrayIndex function in hydrogen-dehoist.cc in Google V8
before 3.22.24.7, as used in Google Chrome before 31.0.1650.63,
allows remote attackers to cause a denial of service (out-of-bounds
write) or possibly have unspecified other impact via JavaScript code
that sets the value of an array element with a crafted index.
Quoting CVE-2013-6640:
The DehoistArrayIndex function in hydrogen-dehoist.cc in Google V8
before 3.22.24.7, as used in Google Chrome before 31.0.1650.63,
allows remote attackers to cause a denial of service (out-of-bounds
read) via JavaScript code that sets a variable to the value of an
array element with a crafted index.
Like 6b92a7, this is unlikely to affect node.js because it only runs
local, trusted code. However, if there exists some module somewhere
that populates an array index with remotely provided data this could
very well be used to crash a remote server running node. Defense in
depth and all.
This is a backport of upstream commit r17801. Original commit log:
Limit size of dehoistable array indices
LOG=Y
BUG=chromium:319835,chromium:319860
R=dslomov@chromium.org
Review URL: https://codereview.chromium.org/74113002
This commit removes the simple/test-event-emitter-memory-leak test for
being unreliable with the new garbage collector: the memory pressure
exerted by the test case is too low for the garbage collector to kick
in. It can be made to work again by limiting the heap size with the
--max_old_space_size=x flag but that won't be very reliable across
platforms and architectures.
The security fix from commit 6b92a713 also back-ported the test case.
Said test case relies on API that is only available in newer versions
of V8 and, as a result, broke the `make native` and `make <arch.mode>`
builds. This commit reverts that part of the back-port. Fixes the
following build error:
../test/cctest/test-api.cc: In function ‘void TestRegress260106()’:
../test/cctest/test-api.cc:17712:34: error: ‘class v8::Context’ has
no member named ‘GetIsolate’
After the upgrade from 3.20.17.7 to 3.20.17.11, we've begun hitting
random assertions in V8 in memory-constrained / GC-heavy situations.
The assertions all seem to be related to heap allocations and garbage
collection but apart from that, they're all over the place.
This reverts commit 970bdccc38.
Quoting the CVE:
Google V8, as used in Google Chrome before 28.0.1500.95, allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that leverage "type confusion."
Likely has zero impact on node.js because it only runs local, trusted
code but let's apply it anyway.
This is a back-port of upstream commit r15665. Original commit log:
Use internal array as API function cache.
R=yangguo@chromium.org
BUG=chromium:260106
TEST=cctest/test-api/Regress260106
Review URL: https://codereview.chromium.org/19159003Fixes#5973.
yangguo@chromium.org
cjihrig
Mike Tunnicliffe
adamk
Trevor Norris
Julien Gilli
Refael Ackermann
Ben Noordhuis
Fedor Indutny
Fedor Indutny
Timothy J Fontaine
jkummerow@chromium.org
mstarzinger@chromium.org
isaacs