From 05f41cdbccac9bc6b6e2bd9ff9c6aec5a024a92b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 17 Apr 2021 09:36:55 +0200 Subject: [PATCH] deps: patch V8 to 9.0.257.19 Refs: https://github.com/v8/v8/compare/9.0.257.17...9.0.257.19 PR-URL: https://github.com/nodejs/node/pull/38270 Reviewed-By: Colin Ihrig Reviewed-By: Rich Trott --- deps/v8/AUTHORS | 1 + deps/v8/include/v8-version.h | 2 +- deps/v8/src/builtins/builtins-array.cc | 24 +++++-- deps/v8/src/compiler/representation-change.cc | 8 +-- deps/v8/src/objects/fixed-array-inl.h | 6 +- deps/v8/src/objects/map-updater.cc | 17 +++-- .../test/mjsunit/compiler/regress-1195777.js | 62 +++++++++++++++++++ .../mjsunit/regress/regress-crbug-1195331.js | 36 +++++++++++ 8 files changed, 139 insertions(+), 17 deletions(-) create mode 100644 deps/v8/test/mjsunit/compiler/regress-1195777.js create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-1195331.js diff --git a/deps/v8/AUTHORS b/deps/v8/AUTHORS index 42a9f29d89aa93..aa6d32302b3954 100644 --- a/deps/v8/AUTHORS +++ b/deps/v8/AUTHORS @@ -69,6 +69,7 @@ Ben Newman Ben Noordhuis Benjamin Tan Bert Belder +Brendon Tiszka Brice Dobry Burcu Dogan Caitlin Potter diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index 4826580f7b16aa..9ba8fc6d2ea4b7 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 9 #define V8_MINOR_VERSION 0 #define V8_BUILD_NUMBER 257 -#define V8_PATCH_LEVEL 17 +#define V8_PATCH_LEVEL 19 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/builtins/builtins-array.cc b/deps/v8/src/builtins/builtins-array.cc index 0c3707cee4bbb5..ea21a19a86f3bb 100644 --- a/deps/v8/src/builtins/builtins-array.cc +++ b/deps/v8/src/builtins/builtins-array.cc 
@@ -650,11 +650,14 @@ class ArrayConcatVisitor {
 index_offset_(0u),
 bit_field_(FastElementsField::encode(fast_elements) |
 ExceedsLimitField::encode(false) |
- IsFixedArrayField::encode(storage->IsFixedArray()) |
+ IsFixedArrayField::encode(storage->IsFixedArray(isolate)) |
 HasSimpleElementsField::encode(
- storage->IsFixedArray() ||
- !storage->map().IsCustomElementsReceiverMap())) {
- DCHECK(!(this->fast_elements() && !is_fixed_array()));
+ storage->IsFixedArray(isolate) ||
+ // Don't take fast path for storages that might have
+ // side effects when storing to them.
+ (!storage->map(isolate).IsCustomElementsReceiverMap() &&
+ !storage->IsJSTypedArray(isolate)))) {
+ DCHECK_IMPLIES(this->fast_elements(), is_fixed_array());
 }
 
 ~ArrayConcatVisitor() { clear_storage(); }
@@ -1065,8 +1068,8 @@ bool IterateElements(Isolate* isolate, Handle receiver,
 return IterateElementsSlow(isolate, receiver, length, visitor);
 }
 
- if (!HasOnlySimpleElements(isolate, *receiver) ||
- !visitor->has_simple_elements()) {
+ if (!visitor->has_simple_elements() ||
+ !HasOnlySimpleElements(isolate, *receiver)) {
 return IterateElementsSlow(isolate, receiver, length, visitor);
 }
 Handle array = Handle::cast(receiver);
@@ -1082,6 +1085,9 @@ bool IterateElements(Isolate* isolate, Handle receiver,
 case HOLEY_SEALED_ELEMENTS:
 case HOLEY_NONEXTENSIBLE_ELEMENTS:
 case HOLEY_ELEMENTS: {
+ // Disallow execution so the cached elements won't change mid execution.
+ DisallowJavascriptExecution no_js(isolate);
+
 // Run through the elements FixedArray and use HasElement and GetElement
 // to check the prototype for missing elements.
 Handle elements(FixedArray::cast(array->elements()), isolate);
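Review bot: `DisallowJavascriptExecution no_js(isolate);` in the HOLEY_ELEMENTS case reads as if it enforces the invariant its comment states, but if this is the debug-only assert scope from assert-scope.h (its name follows that family) it is compiled out of release builds and does not stop a getter or Proxy trap from replacing `array->elements()` while `elements` is cached. The release-build guarantee has to come from the `has_simple_elements()` / `HasOnlySimpleElements()` pre-check in the preceding hunk sending any receiver that can run JS to IterateElementsSlow, so I'd reword the comment so nobody later leans on the scope: `// Nothing below may run JS: the has_simple_elements()/HasOnlySimpleElements() checks above already sent such receivers to IterateElementsSlow; this scope only asserts that in debug builds.` The same wording applies to the identical insertions in the double and dictionary cases. IterateElements continues outside the hunk.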
@@ -1108,6 +1114,9 @@ bool IterateElements(Isolate* isolate, Handle receiver,
 }
 case HOLEY_DOUBLE_ELEMENTS:
 case PACKED_DOUBLE_ELEMENTS: {
+ // Disallow execution so the cached elements won't change mid execution.
+ DisallowJavascriptExecution no_js(isolate);
+
 // Empty array is FixedArray but not FixedDoubleArray.
 if (length == 0) break;
 // Run through the elements FixedArray and use HasElement and GetElement
@@ -1144,6 +1153,9 @@ bool IterateElements(Isolate* isolate, Handle receiver,
 }
 case DICTIONARY_ELEMENTS: {
+ // Disallow execution so the cached dictionary won't change mid execution.
+ DisallowJavascriptExecution no_js(isolate);
+
 Handle dict(array->element_dictionary(), isolate);
 std::vector indices;
 indices.reserve(dict->Capacity() / 2);
 
diff --git a/deps/v8/src/compiler/representation-change.cc b/deps/v8/src/compiler/representation-change.cc
index 64b274cdccddf4..3d937ada1e7e50 100644
--- a/deps/v8/src/compiler/representation-change.cc
+++ b/deps/v8/src/compiler/representation-change.cc
@@ -949,10 +949,10 @@ Node* RepresentationChanger::GetWord32RepresentationFor(
 return node;
 } else if (output_rep == MachineRepresentation::kWord64) {
 if (output_type.Is(Type::Signed32()) ||
- output_type.Is(Type::Unsigned32())) {
- op = machine()->TruncateInt64ToInt32();
- } else if (output_type.Is(cache_->kSafeInteger) &&
- use_info.truncation().IsUsedAsWord32()) {
+ (output_type.Is(Type::Unsigned32()) &&
+ use_info.type_check() == TypeCheckKind::kNone) ||
+ (output_type.Is(cache_->kSafeInteger) &&
+ use_info.truncation().IsUsedAsWord32())) {
 op = machine()->TruncateInt64ToInt32();
 } else if (use_info.type_check() == TypeCheckKind::kSignedSmall ||
 use_info.type_check() == TypeCheckKind::kSigned32 ||
diff --git a/deps/v8/src/objects/fixed-array-inl.h b/deps/v8/src/objects/fixed-array-inl.h
index b743d15ad898b9..bfd7d9563bc424 100644
--- a/deps/v8/src/objects/fixed-array-inl.h
+++ b/deps/v8/src/objects/fixed-array-inl.h
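Review bot: In the representation-change.cc hunk the new condition treats Signed32 and Unsigned32 asymmetrically — a Word64 input typed Unsigned32 is truncated unchecked only when `use_info.type_check()` is kNone — and nothing in the hunk says why, which invites someone to fold it back into the old symmetric form. From the regress-1195777.js cases in this patch (0xFFFF_FFFF fed through Math.max) the reason appears to be that an Unsigned32 value can exceed INT32_MAX, so under a kSignedSmall/kSigned32 check it has to take the checked branch that follows rather than be silently truncated to a negative number. I'd add above the `if`: `// Unsigned32 may exceed INT32_MAX: truncate unchecked only when no signed type check was requested, otherwise fall through to the checked conversion.` The checked branch starts inside the hunk but its body is outside it, so I have not verified it rejects such values.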
@@ -368,7 +368,7 @@ int Search(T* array, Name name, int valid_entries, int* out_insertion_index,
 double FixedDoubleArray::get_scalar(int index) {
 DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() &&
 map() != GetReadOnlyRoots().fixed_array_map());
- DCHECK(index >= 0 && index < this->length());
+ DCHECK_LT(static_cast(index), static_cast(length()));
 DCHECK(!is_the_hole(index));
 return ReadField(kHeaderSize + index * kDoubleSize);
 }
@@ -376,7 +376,7 @@ double FixedDoubleArray::get_scalar(int index) {
 uint64_t FixedDoubleArray::get_representation(int index) {
 DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() &&
 map() != GetReadOnlyRoots().fixed_array_map());
- DCHECK(index >= 0 && index < this->length());
+ DCHECK_LT(static_cast(index), static_cast(length()));
 int offset = kHeaderSize + index * kDoubleSize;
 // Bug(v8:8875): Doubles may be unaligned.
 return base::ReadUnalignedValue(field_address(offset));
@@ -394,6 +394,7 @@ Handle FixedDoubleArray::get(FixedDoubleArray array, int index,
 void FixedDoubleArray::set(int index, double value) {
 DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() &&
 map() != GetReadOnlyRoots().fixed_array_map());
+ DCHECK_LT(static_cast(index), static_cast(length()));
 int offset = kHeaderSize + index * kDoubleSize;
 if (std::isnan(value)) {
 WriteField(offset, std::numeric_limits::quiet_NaN());
@@ -410,6 +411,7 @@ void FixedDoubleArray::set_the_hole(Isolate* isolate, int index) {
 void FixedDoubleArray::set_the_hole(int index) {
 DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() &&
 map() != GetReadOnlyRoots().fixed_array_map());
+ DCHECK_LT(static_cast(index), static_cast(length()));
 int offset = kHeaderSize + index * kDoubleSize;
 base::WriteUnalignedValue(field_address(offset), kHoleNanInt64);
 }
diff --git a/deps/v8/src/objects/map-updater.cc b/deps/v8/src/objects/map-updater.cc
index 95b435085e2d28..31841992dec18e 100644
--- a/deps/v8/src/objects/map-updater.cc
+++ b/deps/v8/src/objects/map-updater.cc
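Review bot: The bounds assertions added to `set` and `set_the_hole` are DCHECKs, so in release builds an out-of-range `index` still reaches `int offset = kHeaderSize + index * kDoubleSize;` and the write beyond the array — the hunk makes debug builds catch a caller's mistake and must not be read as a guard. The unsigned cast is load-bearing (a negative `index` wraps and fails the `<`), which the old `index >= 0 &&` form stated explicitly and which now deserves one line next to the new check: `// Unsigned compare also rejects negative indices (debug builds only).` As rendered here the `static_cast(...)` calls carry no template argument; I take that as a page artifact rather than the patch, but it is worth confirming against the upstream commit.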
@@ -139,11 +139,20 @@ Handle MapUpdater::ReconfigureToDataField(InternalIndex descriptor,
 if (old_details.constness() == PropertyConstness::kConst &&
 old_details.location() == kField &&
 old_details.attributes() != new_attributes_) {
+ // Ensure we'll be updating constness of the up-to-date version of old_map_.
+ Handle old_map = Map::Update(isolate_, old_map_);
+ PropertyDetails details =
+ old_map->instance_descriptors(kRelaxedLoad).GetDetails(descriptor);
 Handle field_type(
- old_descriptors_->GetFieldType(modified_descriptor_), isolate_);
- Map::GeneralizeField(isolate_, old_map_, descriptor,
- PropertyConstness::kMutable,
- old_details.representation(), field_type);
+ old_map->instance_descriptors(kRelaxedLoad).GetFieldType(descriptor),
+ isolate_);
+ Map::GeneralizeField(isolate_, old_map, descriptor,
+ PropertyConstness::kMutable, details.representation(),
+ field_type);
+ DCHECK_EQ(PropertyConstness::kMutable,
+ old_map->instance_descriptors(kRelaxedLoad)
+ .GetDetails(descriptor)
+ .constness());
 // The old_map_'s property must become mutable.
 // Note, that the {old_map_} and {old_descriptors_} are not expected to be
 // updated by the generalization if the map is already deprecated.
diff --git a/deps/v8/test/mjsunit/compiler/regress-1195777.js b/deps/v8/test/mjsunit/compiler/regress-1195777.js
new file mode 100644
index 00000000000000..b122f4f0169af5
--- /dev/null
+++ b/deps/v8/test/mjsunit/compiler/regress-1195777.js
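Review bot: `Map::GeneralizeField` now runs on `old_map`, the result of `Map::Update(isolate_, old_map_)`, while `descriptor` (and `old_details`, presumably read from `old_descriptors_` before this hunk) still come from `old_map_`; the code silently relies on the updated map having the same field at the same InternalIndex. If that invariant holds it belongs next to the new call: `// The up-to-date map keeps old_map_'s descriptor layout, so `descriptor` indexes both.` The retained comment `// The old_map_'s property must become mutable.` now sits below a DCHECK_EQ that checks `old_map` instead, so it should name the updated map as well. ReconfigureToDataField continues outside the hunk.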
@@ -0,0 +1,62 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+
+(function() {
+ function foo(b) {
+ let y = (new Date(42)).getMilliseconds();
+ let x = -1;
+ if (b) x = 0xFFFF_FFFF;
+ return y < Math.max(1 << y, x, 1 + y);
+ }
+ assertTrue(foo(true));
+ %PrepareFunctionForOptimization(foo);
+ assertTrue(foo(false));
+ %OptimizeFunctionOnNextCall(foo);
+ assertTrue(foo(true));
+})();
+
+
+(function() {
+ function foo(b) {
+ let x = 0;
+ if (b) x = -1;
+ return x == Math.max(-1, x >>> Infinity);
+ }
+ assertFalse(foo(true));
+ %PrepareFunctionForOptimization(foo);
+ assertTrue(foo(false));
+ %OptimizeFunctionOnNextCall(foo);
+ assertFalse(foo(true));
+})();
+
+
+(function() {
+ function foo(b) {
+ let x = -1;
+ if (b) x = 0xFFFF_FFFF;
+ return -1 < Math.max(0, x, -1);
+ }
+ assertTrue(foo(true));
+ %PrepareFunctionForOptimization(foo);
+ assertTrue(foo(false));
+ %OptimizeFunctionOnNextCall(foo);
+ assertTrue(foo(true));
+})();
+
+
+(function() {
+ function foo(b) {
+ let x = 0x7FFF_FFFF;
+ if (b) x = 0;
+ return 0 < (Math.max(-5 >>> x, -5) % -5);
+ }
+ assertTrue(foo(true));
+ %PrepareFunctionForOptimization(foo);
+ assertTrue(foo(false));
+ %OptimizeFunctionOnNextCall(foo);
+ assertTrue(foo(true));
+})();
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-1195331.js b/deps/v8/test/mjsunit/regress/regress-crbug-1195331.js
new file mode 100644
index 00000000000000..1bced5623e4f9a
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-1195331.js
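Review bot: None of the four cases says what it pins, so the file reads as raw fuzzer output; since the representation-change.cc hunk in this patch keys on an Unsigned32-typed Word64 value reaching a signed type check, each IIFE deserves a one-line comment naming how it produces that value, e.g. above the first: `// 0xFFFF_FFFF is Unsigned32 but not Signed32; Math.max must not truncate it to -1.` A header line naming the bug in the file name would also help, since the `Flags` line is the only prose. I am inferring the mechanism from the other hunks, so the wording should be checked against the fix author's description.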
@@ -0,0 +1,36 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let o1 = { a: 1, b: 0 };
+let o2 = { a: 2, b: 0 };
+assertTrue(%HaveSameMap(o1, o2));
+assertTrue(%HasOwnConstDataProperty(o1, "a"));
+assertTrue(%HasOwnConstDataProperty(o1, "b"));
+
+Object.defineProperty(o1, "b", {
+ value: 4.2, enumerable: true, configurable: true, writable: true,
+});
+assertFalse(%HaveSameMap(o1, o2));
+assertTrue(%HasOwnConstDataProperty(o1, "a"));
+assertFalse(%HasOwnConstDataProperty(o1, "b"));
+assertTrue(%HasOwnConstDataProperty(o2, "a"));
+assertTrue(%HasOwnConstDataProperty(o2, "b"));
+
+let o3 = { a: "foo", b: 0 };
+assertFalse(%HaveSameMap(o2, o3));
+assertTrue(%HasOwnConstDataProperty(o3, "a"));
+assertFalse(%HasOwnConstDataProperty(o3, "b"));
+
+Object.defineProperty(o2, "a", {
+ value:2, enumerable: false, configurable: true, writable: true,
+});
+assertFalse(%HasOwnConstDataProperty(o1, "a"));
+assertFalse(%HasOwnConstDataProperty(o1, "b"));
+assertFalse(%HasOwnConstDataProperty(o3, "a"));
+assertFalse(%HasOwnConstDataProperty(o3, "b"));
+
+assertFalse(%HasOwnConstDataProperty(o2, "a"));
+assertTrue(%HasOwnConstDataProperty(o2, "b"));
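Review bot: The file has no comment explaining the scenario, so a reader must reverse-engineer it from the assertions: `o1`/`o2` start on one map with const `a` and `b`, reconfiguring `b` on `o1` to a double splits them, and after `a` on `o2` is made non-enumerable the final block expects `a` and `b` to have lost constness on `o1` and `o3` too, which appears to hold only if the map-updater.cc change in this patch generalizes constness on the up-to-date map rather than a stale one. A short header after the Flags line stating that, plus a one-liner above the last two assertions (`// o2's own map: a reconfigured to mutable, b still const`), would make the expected values checkable without the bug tracker. That reading is inferred from the assertions and the map-updater.cc hunk, not from a bug description, so it should be confirmed.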