[bigint] Fix possibly-uninitialized leading digit on right shift

Fixed: chromium:1151890 Change-Id: I26f5c76494a9ff3f5a141f381e1c9a543e368571 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2561618 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#71422}
v8 · Nov 26, 2020 · e82a3b4 · e82a3b4
1 parent f8fa0ed
commit e82a3b4
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/src/objects/bigint.cc b/src/objects/bigint.cc
@@ -1874,6 +1874,8 @@ Handle<BigInt> MutableBigInt::RightShiftByAbsolute(Isolate* isolate,
   DCHECK_LE(result_length, length);
   Handle<MutableBigInt> result = New(isolate, result_length).ToHandleChecked();
   if (bits_shift == 0) {
+    // Zero out any overflow digit (see "rounding_can_overflow" above).
+    result->set_digit(result_length - 1, 0);
     for (int i = digit_shift; i < length; i++) {
       result->set_digit(i - digit_shift, x->digit(i));
     }

diff --git a/test/mjsunit/regress/regress-crbug-1151890.js b/test/mjsunit/regress/regress-crbug-1151890.js
@@ -0,0 +1,11 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+for (let i = 0, j = 0; i < 10; ++i) {
+  let x = (-0xffffffffffffffff_ffffffffffffffffn >> 0x40n);
+  assertEquals(-0x10000000000000000n, x);
+  %SimulateNewspaceFull();
+}