deps: V8: cherry-pick e061cf9970d9

Original commit message: [arraybuffers] initialize max byte length of empty array buffers Without initializing the max byte length field, any empty array buffer captured in the snapshot can make the snapshot unreproducible. Refs: https://github.com/nodejs/node/issues/53579 Change-Id: I2489ab2e57ecbb405ec431a87d0acc92822b777c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5662576 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#94754} Refs: e061cf9970 PR-URL: https://github.com/nodejs/node/pull/53755 Fixes: https://github.com/nodejs/node/issues/53579 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
2024-11-21 10:59:27 +00:00 · 2024-07-07 20:22:17 +02:00 · 2024-07-07 20:22:17 +02:00 · d15f514077
commit d15f514077
parent 307430e490
2 changed files with 3 additions and 1 deletions
--- a/common.gypi
+++ b/common.gypi
@ -36,7 +36,7 @@

    # Reset this number to 0 on major V8 upgrades.
    # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.15',
+    'v8_embedder_string': '-node.16',

    ##### V8 defaults for Node.js #####

--- a/deps/v8/src/builtins/builtins-typed-array-gen.cc
+++ b/deps/v8/src/builtins/builtins-typed-array-gen.cc
@ -68,6 +68,8 @@ TNode<JSArrayBuffer> TypedArrayBuiltinsAssembler::AllocateEmptyOnHeapBuffer(
                                 UndefinedConstant());
  StoreBoundedSizeToObject(buffer, JSArrayBuffer::kRawByteLengthOffset,
                           UintPtrConstant(0));
+  StoreBoundedSizeToObject(buffer, JSArrayBuffer::kRawMaxByteLengthOffset,
+                           UintPtrConstant(0));
  StoreSandboxedPointerToObject(buffer, JSArrayBuffer::kBackingStoreOffset,
                                EmptyBackingStoreBufferConstant());
 #ifdef V8_COMPRESS_POINTERS