[bigint] Fix possibly-uninitialized leading digit on right shift

Fixed: chromium:1151890 Change-Id: I26f5c76494a9ff3f5a141f381e1c9a543e368571 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2561618 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#71422}
2020-11-25 23:09:27 +01:00 · 2020-11-25 23:09:27 +01:00 · e82a3b4d47
commit e82a3b4d47
parent f8fa0edf16
2 changed files with 13 additions and 0 deletions
--- a/src/objects/bigint.cc
+++ b/src/objects/bigint.cc
@ -1874,6 +1874,8 @@ Handle<BigInt> MutableBigInt::RightShiftByAbsolute(Isolate* isolate,
  DCHECK_LE(result_length, length);
  Handle<MutableBigInt> result = New(isolate, result_length).ToHandleChecked();
  if (bits_shift == 0) {
+    // Zero out any overflow digit (see "rounding_can_overflow" above).
+    result->set_digit(result_length - 1, 0);
    for (int i = digit_shift; i < length; i++) {
      result->set_digit(i - digit_shift, x->digit(i));
    }
--- a/test/mjsunit/regress/regress-crbug-1151890.js
+++ b/test/mjsunit/regress/regress-crbug-1151890.js
@ -0,0 +1,11 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+for (let i = 0, j = 0; i < 10; ++i) {
+  let x = (-0xffffffffffffffff_ffffffffffffffffn >> 0x40n);
+  assertEquals(-0x10000000000000000n, x);
+  %SimulateNewspaceFull();
+}