QuickJS Update

 * TypedArray.prototype.subarray: fixed the step at which '[[ByteOffset]]' is
 read
 bellard/quickjs@c942978
 * Fixed buffer overflow in `js_bigint_from_string()`
 bellard/quickjs@e1c18be
 * Fixed crash in OP_add_loc if the variable is modified in
 `JS_ToPrimitiveFree()`
 bellard/quickjs@1168c21
 * Fixed buffer overflow in `js_bigint_to_string1()`
 bellard/quickjs@9ce5442
 * Fixed buffer overflow in `TypedArray.prototype.lastIndexOf()`
 bellard/quickjs@c927eca
 * Avoid side effects in `JS_PrintValue()` which may lead to crashes in
 `print()` and `js_std_promise_rejection_check()`
 bellard/quickjs@4e0d0b7
 * Limit function and regexp bytecode to 1G to avoid buffer overflows (the
 bytecode generators assume that bytecode offsets can fit a 32 bit signed
 integer
 bellard/quickjs@d9ec8f1
 * Adjust lastIndex to leading surrogate when inside a surrogate pair in
 unicode RegExp
 bellard/quickjs@a4ac84d

Author: nickva

src/couch_quickjs/patches/01-spidermonkey-185-mode.patch

@@ -1,6 +1,6 @@
---- quickjs-master/quickjs.c	2025-06-14 05:51:48
-+++ quickjs/quickjs.c	2025-06-20 13:56:52
-@@ -30599,10 +30599,24 @@
+--- quickjs-master/quickjs.c	2025-08-25 12:20:58
++++ quickjs/quickjs.c	2025-08-25 15:10:50
+@@ -30776,10 +30776,24 @@
      if (s->token.val == TOK_FUNCTION ||
          (token_is_pseudo_keyword(s, JS_ATOM_async) &&
           peek_token(s, TRUE) == TOK_FUNCTION)) {

src/couch_quickjs/patches/02-test262-makefile.patch

@@ -1,13 +1,13 @@
---- quickjs-master/Makefile	2025-06-14 05:51:48
-+++ quickjs/Makefile	2025-06-20 18:03:41
+--- quickjs-master/Makefile	2025-08-25 12:20:58
++++ quickjs/Makefile	2025-08-25 15:27:47
 @@ -53,6 +53,10 @@
  #CONFIG_MSAN=y
  # use UB sanitizer
  #CONFIG_UBSAN=y
 +
 +# TEST262 bootstrap config: commit id and shallow "since" parameter
-+TEST262_COMMIT?=3316c0aaf676d657f5a6b33364fa7e579c78ac7f
-+TEST262_SINCE?=2025-05-21
++TEST262_COMMIT?=04eaeb99080ceb60d7b86ea0c4bed6355ef4cdcb
++TEST262_SINCE?=2025-08-20
 
  OBJDIR=.obj
 

src/couch_quickjs/patches/03-test262-yield.patch

@@ -1,5 +1,5 @@
---- quickjs-master/tests/test262.patch	2025-06-14 05:51:48
-+++ quickjs/tests/test262.patch	2025-06-20 18:03:41
+--- quickjs-master/tests/test262.patch	2025-08-25 12:20:58
++++ quickjs/tests/test262.patch	2025-08-25 15:10:50
 @@ -14,9 +14,9 @@
  +//  small: 200,
  +//  long: 1000,

src/couch_quickjs/patches/04-test262-errors.patch

@@ -1,9 +1,9 @@
---- quickjs-master/test262_errors.txt	2025-06-14 05:51:48
-+++ quickjs/test262_errors.txt	2025-06-20 18:03:41
-@@ -1,6 +1,8 @@
+--- quickjs-master/test262_errors.txt	2025-08-25 12:20:58
++++ quickjs/test262_errors.txt	2025-08-25 15:13:35
+@@ -7,6 +7,8 @@
+ test262/test/annexB/language/expressions/assignmenttargettype/cover-callexpression-and-asyncarrowhead.js:20: SyntaxError: invalid assignment left-hand side
  test262/test/built-ins/Atomics/notify/retrieve-length-before-index-coercion-non-shared-detached.js:34: TypeError: ArrayBuffer is detached
  test262/test/built-ins/Atomics/notify/retrieve-length-before-index-coercion-non-shared-detached.js:34: strict mode: TypeError: ArrayBuffer is detached
- test262/test/language/module-code/top-level-await/module-graphs-does-not-hang.js:10: TypeError: $DONE() not called
 +test262/test/language/statements/expression/S12.4_A1.js:15: unexpected error type: Test262: This statement should not be evaluated.
 +test262/test/language/statements/expression/S12.4_A1.js:15: strict mode: unexpected error type: Test262: This statement should not be evaluated.
  test262/test/staging/sm/Date/UTC-convert-all-arguments.js:75: Test262Error: index 1: expected 42, got Error: didn't throw Expected SameValue(«Error: didn't throw», «42») to be true

src/couch_quickjs/quickjs/Makefile

@@ -55,8 +55,8 @@ PREFIX?=/usr/local
 #CONFIG_UBSAN=y
 
 # TEST262 bootstrap config: commit id and shallow "since" parameter
-TEST262_COMMIT?=3316c0aaf676d657f5a6b33364fa7e579c78ac7f
-TEST262_SINCE?=2025-05-21
+TEST262_COMMIT?=04eaeb99080ceb60d7b86ea0c4bed6355ef4cdcb
+TEST262_SINCE?=2025-08-20
 
 OBJDIR=.obj
 

src/couch_quickjs/quickjs/libregexp.c

@@ -2433,6 +2433,17 @@ static int compute_stack_size(const uint8_t *bc_buf, int bc_buf_len)
     return stack_size_max;
 }
 
+static void *lre_bytecode_realloc(void *opaque, void *ptr, size_t size)
+{
+    if (size > (INT32_MAX / 2)) {
+        /* the bytecode cannot be larger than 2G. Leave some slack to 
+           avoid some overflows. */
+        return NULL;
+    } else {
+        return lre_realloc(opaque, ptr, size);
+    }
+}
+
 /* 'buf' must be a zero terminated UTF-8 string of length buf_len.
    Return NULL if error and allocate an error message in *perror_msg,
    otherwise the compiled bytecode and its length in plen.
@@ -2461,7 +2472,7 @@ uint8_t *lre_compile(int *plen, char *error_msg, int error_msg_size,
     s->total_capture_count = -1;
     s->has_named_captures = -1;
 
-    dbuf_init2(&s->byte_code, opaque, lre_realloc);
+    dbuf_init2(&s->byte_code, opaque, lre_bytecode_realloc);
     dbuf_init2(&s->group_names, opaque, lre_realloc);
 
     dbuf_put_u16(&s->byte_code, re_flags); /* first element is the flags */
@@ -3152,6 +3163,7 @@ int lre_exec(uint8_t **capture,
     REExecContext s_s, *s = &s_s;
     int re_flags, i, alloca_size, ret;
     StackInt *stack_buf;
+    const uint8_t *cptr;
 
     re_flags = lre_get_flags(bc_buf);
     s->is_unicode = (re_flags & (LRE_FLAG_UNICODE | LRE_FLAG_UNICODE_SETS)) != 0;
@@ -3176,8 +3188,17 @@ int lre_exec(uint8_t **capture,
         capture[i] = NULL;
     alloca_size = s->stack_size_max * sizeof(stack_buf[0]);
     stack_buf = alloca(alloca_size);
+
+    cptr = cbuf + (cindex << cbuf_type);
+    if (0 < cindex && cindex < clen && s->cbuf_type == 2) {
+        const uint16_t *p = (const uint16_t *)cptr;
+        if (is_lo_surrogate(*p) && is_hi_surrogate(p[-1])) {
+            cptr = (const uint8_t *)(p - 1);
+        }
+    }
+
     ret = lre_exec_backtrack(s, capture, stack_buf, 0, bc_buf + RE_HEADER_LEN,
-                             cbuf + (cindex << cbuf_type), FALSE);
+                             cptr, FALSE);
     lre_realloc(s->opaque, s->state_stack, 0);
     return ret;
 }

src/couch_quickjs/quickjs/quickjs-libc.c

@@ -4230,17 +4230,15 @@ static void js_std_promise_rejection_check(JSContext *ctx)
 /* main loop which calls the user JS callbacks */
 void js_std_loop(JSContext *ctx)
 {
-    JSContext *ctx1;
     int err;
 
     for(;;) {
         /* execute the pending jobs */
         for(;;) {
-            err = JS_ExecutePendingJob(JS_GetRuntime(ctx), &ctx1);
+            err = JS_ExecutePendingJob(JS_GetRuntime(ctx), NULL);
             if (err <= 0) {
-                if (err < 0) {
-                    js_std_dump_error(ctx1);
-                }
+                if (err < 0)
+                    js_std_dump_error(ctx);
                 break;
             }
         }
@@ -4271,11 +4269,10 @@ JSValue js_std_await(JSContext *ctx, JSValue obj)
             JS_FreeValue(ctx, obj);
             break;
         } else if (state == JS_PROMISE_PENDING) {
-            JSContext *ctx1;
             int err;
-            err = JS_ExecutePendingJob(JS_GetRuntime(ctx), &ctx1);
+            err = JS_ExecutePendingJob(JS_GetRuntime(ctx), NULL);
             if (err < 0) {
-                js_std_dump_error(ctx1);
+                js_std_dump_error(ctx);
             }
             if (err == 0) {
                 js_std_promise_rejection_check(ctx);
@@ -4303,6 +4300,7 @@ void js_std_eval_binary(JSContext *ctx, const uint8_t *buf, size_t buf_len,
         if (JS_VALUE_GET_TAG(obj) == JS_TAG_MODULE) {
             js_module_set_import_meta(ctx, obj, FALSE, FALSE);
         }
+        JS_FreeValue(ctx, obj);
     } else {
         if (JS_VALUE_GET_TAG(obj) == JS_TAG_MODULE) {
             if (JS_ResolveModule(ctx, obj) < 0) {