Merge Android R

Bug: 168057903
Merged-In: Idf5e53bd1a54aa5b8b8a831db8bf1c67703e5552
Change-Id: I84b14fdd858f0afc9b7143518ff7a898dc3a97ad

3 files changed, 8 insertions, 1 deletions

diff --git a/Android.v8.bp b/Android.v8.bp
index 81f82af0..bd839ab7 100644
--- a/Android.v8.bp
+++ b/Android.v8.bp
@@ -614,4 +614,8 @@ cc_library_static {
     ],
     generated_headers: ["v8_torque_file"],
     generated_sources: ["v8_torque_file_cc"],
+    sanitize: {
+        cfi: true,
+        blocklist: "./tools/cfi/blacklist.txt",
+    },
 }
diff --git a/src/heap/factory.cc b/src/heap/factory.cc
index c8528f9f..2ac0d990 100644
--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@@ -469,7 +469,7 @@ Handle<FixedArrayBase> Factory::NewFixedDoubleArray(int length,
                                                     PretenureFlag pretenure) {
   DCHECK_LE(0, length);
   if (length == 0) return empty_fixed_array();
-  if (length > FixedDoubleArray::kMaxLength) {
+  if (length < 0 || length > FixedDoubleArray::kMaxLength) {
     isolate()->heap()->FatalProcessOutOfMemory("invalid array length");
   }
   int size = FixedDoubleArray::SizeFor(length);
diff --git a/tools/cfi/blacklist.txt b/tools/cfi/blacklist.txt
index c1571b8c..822f83f1 100644
--- a/tools/cfi/blacklist.txt
+++ b/tools/cfi/blacklist.txt
@@ -24,3 +24,6 @@ fun:*PendingPhantomCallback*Invoke*
 fun:*GlobalHandles*PostGarbageCollectionProcessing*
 
 fun:*InvokeAccessorGetterCallback*
+
+# check for type failed during indirect function call
+fun:*MemMove*