From c1d61f2b4bbaeec7e84cd64d6ef8a15c45586fe0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Wed, 3 Apr 2019 08:31:46 +0200 Subject: [PATCH 1/2] deps: patch V8 to 7.4.288.17 Refs: https://github.com/v8/v8/compare/7.4.288.13...7.4.288.17 PR-URL: https://github.com/nodejs/node/pull/27066 Reviewed-By: Colin Ihrig Reviewed-By: Refael Ackermann --- deps/v8/include/v8-version.h | 2 +- deps/v8/src/builtins/array-map.tq | 2 +- deps/v8/src/builtins/base.tq | 2 - deps/v8/src/code-stub-assembler.cc | 13 +++--- deps/v8/src/compiler/node-properties.cc | 3 +- deps/v8/src/heap/mark-compact.cc | 1 + deps/v8/src/regexp/regexp-utils.cc | 10 ++--- deps/v8/src/runtime/runtime-regexp.cc | 40 ++++++++++--------- .../test/mjsunit/compiler/regress-939316.js | 19 +++++++++ .../mjsunit/regress/regress-crbug-944435.js | 38 ++++++++++++++++++ .../mjsunit/regress/regress-crbug-944971.js | 19 +++++++++ deps/v8/third_party/v8/builtins/array-sort.tq | 3 +- 12 files changed, 116 insertions(+), 36 deletions(-) create mode 100644 deps/v8/test/mjsunit/compiler/regress-939316.js create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-944435.js create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-944971.js diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index 402da028c35054..7e869065a23992 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 7 #define V8_MINOR_VERSION 4 #define V8_BUILD_NUMBER 288 -#define V8_PATCH_LEVEL 13 +#define V8_PATCH_LEVEL 17 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/builtins/array-map.tq b/deps/v8/src/builtins/array-map.tq index d3bba562205ddf..aa43befb575611 100644 --- a/deps/v8/src/builtins/array-map.tq +++ b/deps/v8/src/builtins/array-map.tq 
@@ -127,7 +127,7 @@ namespace array_map { for (let i: Smi = 0; i < validLength; i++) { typeswitch (this.fixedArray.objects[i]) { case (n: Number): { - elements.floats[i] = Float64SilenceNaN(Convert(n)); + elements.floats[i] = Convert(n); } case (h: HeapObject): { assert(h == Hole); diff --git a/deps/v8/src/builtins/base.tq b/deps/v8/src/builtins/base.tq index eca9e4f66712ae..da5f072a215e43 100644 --- a/deps/v8/src/builtins/base.tq +++ b/deps/v8/src/builtins/base.tq @@ -1464,8 +1464,6 @@ operator '[]=' macro StoreFixedArrayDirect(a: FixedArray, i: Smi, v: Object) { extern operator '.instance_type' macro LoadMapInstanceType(Map): int32; -extern macro Float64SilenceNaN(float64): float64; - extern macro GetNumberDictionaryNumberOfElements(NumberDictionary): Smi; extern macro GetIteratorMethod(implicit context: Context)(HeapObject): Object labels IfIteratorUndefined; diff --git a/deps/v8/src/code-stub-assembler.cc b/deps/v8/src/code-stub-assembler.cc index 74e5423693b8b2..e4dba15750e282 100644 --- a/deps/v8/src/code-stub-assembler.cc +++ b/deps/v8/src/code-stub-assembler.cc @@ -2827,7 +2827,9 @@ void CodeStubAssembler::StoreFixedDoubleArrayElement( ElementOffsetFromIndex(index_node, PACKED_DOUBLE_ELEMENTS, parameter_mode, FixedArray::kHeaderSize - kHeapObjectTag); MachineRepresentation rep = MachineRepresentation::kFloat64; - StoreNoWriteBarrier(rep, object, offset, value); + // Make sure we do not store signalling NaNs into double arrays. + TNode value_silenced = Float64SilenceNaN(value); + StoreNoWriteBarrier(rep, object, offset, value_silenced); } void CodeStubAssembler::StoreFeedbackVectorSlot(Node* object, @@ -2981,7 +2983,9 @@ void CodeStubAssembler::TryStoreArrayElement(ElementsKind kind, } else if (IsDoubleElementsKind(kind)) { GotoIfNotNumber(value, bailout); } - if (IsDoubleElementsKind(kind)) value = ChangeNumberToFloat64(value); + if (IsDoubleElementsKind(kind)) { + value = ChangeNumberToFloat64(value); + } StoreElement(elements, kind, index, value, mode); } 
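Review bot: StoreFixedDoubleArrayElement becomes the single place where signalling NaNs are silenced, but nothing tells its callers that; the array-map.tq hunk and the array-sort.tq hunk (which also drops its explanatory comment) are reduced to bare `Convert(...)` stores, the @@ -10236 hunk in code-stub-assembler.cc removes the silencing from StoreElement, and the base.tq hunk removes the `Float64SilenceNaN` extern so Torque code can no longer silence at the call site even if it wanted to. A comment at the declaration of StoreFixedDoubleArrayElement (outside this patch) such as `// Silences signalling NaNs before the store; callers must not rely on pre-processing the value elsewhere.` would make the new invariant findable rather than implicit. The regress-crbug-944435.js test added by this patch (`map(Math.asin)` under `--verify-heap`) is presumably the case this centralization fixes — confirm. StoreFixedDoubleArrayElement's signature lies outside the @@ -2827 hunk.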
@@ -10236,9 +10240,8 @@ void CodeStubAssembler::StoreElement(Node* elements, ElementsKind kind, StoreNoWriteBarrier(rep, elements, offset, value); return; } else if (IsDoubleElementsKind(kind)) { - // Make sure we do not store signalling NaNs into double arrays. - TNode value_silenced = Float64SilenceNaN(value); - StoreFixedDoubleArrayElement(CAST(elements), index, value_silenced, mode); + TNode value_float64 = UncheckedCast(value); + StoreFixedDoubleArrayElement(CAST(elements), index, value_float64, mode); } else { WriteBarrierMode barrier_mode = IsSmiElementsKind(kind) ? SKIP_WRITE_BARRIER : UPDATE_WRITE_BARRIER; diff --git a/deps/v8/src/compiler/node-properties.cc b/deps/v8/src/compiler/node-properties.cc index a769fba5631c35..8f290b44380a6c 100644 --- a/deps/v8/src/compiler/node-properties.cc +++ b/deps/v8/src/compiler/node-properties.cc @@ -412,7 +412,8 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMaps( mnewtarget.Ref(broker).IsJSFunction()) { JSFunctionRef original_constructor = mnewtarget.Ref(broker).AsJSFunction(); - if (original_constructor.has_initial_map()) { + if (original_constructor.map().has_prototype_slot() && + original_constructor.has_initial_map()) { original_constructor.Serialize(); MapRef initial_map = original_constructor.initial_map(); if (initial_map.GetConstructor().equals(mtarget.Ref(broker))) { diff --git a/deps/v8/src/heap/mark-compact.cc b/deps/v8/src/heap/mark-compact.cc index 77534b921dfd27..30bbd353b82f82 100644 --- a/deps/v8/src/heap/mark-compact.cc +++ b/deps/v8/src/heap/mark-compact.cc @@ -1645,6 +1645,7 @@ void MarkCompactCollector::ProcessEphemeronsLinear() { // is necessary. work_to_do = !marking_worklist()->IsEmpty() || + !marking_worklist()->IsEmbedderEmpty() || !heap()->local_embedder_heap_tracer()->IsRemoteTracingDone(); CHECK(weak_objects_.discovered_ephemerons.IsEmpty()); } 
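Review bot: The new guard in the node-properties.cc hunk makes the order of the two conditions significant — `has_prototype_slot()` is checked before `has_initial_map()` — but carries no comment, so a later reader may collapse it back. Suggest `// A function whose map has no prototype slot has no initial map; check the slot first so has_initial_map() never reads a field that is absent.` with the second clause hedged until confirmed against the JSFunctionRef accessors, which are not visible here. The regress-939316.js test in this patch, which constructs with `Proxy` as new.target, looks like the trigger. InferReceiverMaps begins and ends outside the hunk.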
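Review bot: The ephemeron fixpoint loop in ProcessEphemeronsLinear now terminates on three conditions, and the only comment in the hunk (`// is necessary.`, the tail of a sentence that starts above it) does not mention the embedder worklist, so a reader cannot tell whether iterating while only embedder objects remain is deliberate. Suggest extending that comment with `// The embedder worklist must also be empty: objects it still holds may discover further ephemeron keys.` — verify the second half against the embedder tracer before committing to it, since the hunk only shows the added `IsEmbedderEmpty()` term. ProcessEphemeronsLinear continues outside the hunk.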
diff --git a/deps/v8/src/regexp/regexp-utils.cc b/deps/v8/src/regexp/regexp-utils.cc index 36bc3e5df6aa73..e2e95493fec2a9 100644 --- a/deps/v8/src/regexp/regexp-utils.cc +++ b/deps/v8/src/regexp/regexp-utils.cc @@ -36,7 +36,7 @@ Handle RegExpUtils::GenericCaptureGetter( namespace { -V8_INLINE bool HasInitialRegExpMap(Isolate* isolate, Handle recv) { +V8_INLINE bool HasInitialRegExpMap(Isolate* isolate, JSReceiver recv) { return recv->map() == isolate->regexp_function()->initial_map(); } @@ -47,7 +47,7 @@ MaybeHandle RegExpUtils::SetLastIndex(Isolate* isolate, uint64_t value) { Handle value_as_object = isolate->factory()->NewNumberFromInt64(value); - if (HasInitialRegExpMap(isolate, recv)) { + if (HasInitialRegExpMap(isolate, *recv)) { JSRegExp::cast(*recv)->set_last_index(*value_as_object, SKIP_WRITE_BARRIER); return recv; } else { @@ -59,7 +59,7 @@ MaybeHandle RegExpUtils::SetLastIndex(Isolate* isolate, MaybeHandle RegExpUtils::GetLastIndex(Isolate* isolate, Handle recv) { - if (HasInitialRegExpMap(isolate, recv)) { + if (HasInitialRegExpMap(isolate, *recv)) { return handle(JSRegExp::cast(*recv)->last_index(), isolate); } else { return Object::GetProperty(isolate, recv, @@ -155,9 +155,7 @@ bool RegExpUtils::IsUnmodifiedRegExp(Isolate* isolate, Handle obj) { JSReceiver recv = JSReceiver::cast(*obj); - // Check the receiver's map. - Handle regexp_function = isolate->regexp_function(); - if (recv->map() != regexp_function->initial_map()) return false; + if (!HasInitialRegExpMap(isolate, recv)) return false; // Check the receiver's prototype's map. Object proto = recv->map()->prototype(); diff --git a/deps/v8/src/runtime/runtime-regexp.cc b/deps/v8/src/runtime/runtime-regexp.cc index 67bb8642c34a96..03024810283c0c 100644 --- a/deps/v8/src/runtime/runtime-regexp.cc +++ b/deps/v8/src/runtime/runtime-regexp.cc 
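Review bot: HasInitialRegExpMap now takes an unhandled `JSReceiver` instead of a `Handle`, which is only safe as long as nothing can allocate between obtaining the raw object and the map comparison; the body itself only reads maps, so it is fine, but the constraint on callers is undocumented. Suggest `// Takes a raw JSReceiver: must stay allocation-free, and callers must not hold the raw object across anything that can trigger GC.` above the helper. The three updated call sites (`*recv` in SetLastIndex and GetLastIndex, `recv` in IsUnmodifiedRegExp) satisfy that as far as the visible lines show. SetLastIndex, GetLastIndex and IsUnmodifiedRegExp each extend beyond their hunks.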
@@ -1250,10 +1250,9 @@ static Object SearchRegExpMultiple(Isolate* isolate, Handle subject, // doesn't properly call the underlying exec method. V8_WARN_UNUSED_RESULT MaybeHandle RegExpReplace( Isolate* isolate, Handle regexp, Handle string, - Handle replace_obj) { + Handle replace) { // Functional fast-paths are dispatched directly by replace builtin. DCHECK(RegExpUtils::IsUnmodifiedRegExp(isolate, regexp)); - DCHECK(!replace_obj->IsCallable()); Factory* factory = isolate->factory(); @@ -1261,9 +1260,6 @@ V8_WARN_UNUSED_RESULT MaybeHandle RegExpReplace( const bool global = (flags & JSRegExp::kGlobal) != 0; const bool sticky = (flags & JSRegExp::kSticky) != 0; - Handle replace; - ASSIGN_RETURN_ON_EXCEPTION(isolate, replace, - Object::ToString(isolate, replace_obj), String); replace = String::Flatten(isolate, replace); Handle last_match_info = isolate->regexp_last_match_info(); @@ -1363,18 +1359,23 @@ RUNTIME_FUNCTION(Runtime_RegExpExecMultiple) { CONVERT_ARG_HANDLE_CHECKED(String, subject, 1); CONVERT_ARG_HANDLE_CHECKED(RegExpMatchInfo, last_match_info, 2); CONVERT_ARG_HANDLE_CHECKED(JSArray, result_array, 3); + + DCHECK(RegExpUtils::IsUnmodifiedRegExp(isolate, regexp)); CHECK(result_array->HasObjectElements()); subject = String::Flatten(isolate, subject); CHECK(regexp->GetFlags() & JSRegExp::kGlobal); + Object result; if (regexp->CaptureCount() == 0) { - return SearchRegExpMultiple(isolate, subject, regexp, - last_match_info, result_array); + result = SearchRegExpMultiple(isolate, subject, regexp, + last_match_info, result_array); } else { - return SearchRegExpMultiple(isolate, subject, regexp, last_match_info, - result_array); + result = SearchRegExpMultiple(isolate, subject, regexp, + last_match_info, result_array); } + DCHECK(RegExpUtils::IsUnmodifiedRegExp(isolate, regexp)); + return result; } RUNTIME_FUNCTION(Runtime_StringReplaceNonGlobalRegExpWithFunction) { 
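Review bot: RegExpReplace's contract changes in the @@ -1250 and @@ -1261 hunks — `replace` is now a String handle and the `Object::ToString` call is gone — which silently moves responsibility for a user-observable coercion to the caller, and the function's header comment (only its last line, `// doesn't properly call the underlying exec method.`, is in the hunk) says nothing about it. Suggest appending `// replace must already be a String: ToString can run user code that modifies the regexp, so callers coerce before they verify the regexp is unmodified.` The DCHECKs added around the SearchRegExpMultiple calls in Runtime_RegExpExecMultiple (@@ -1363 hunk) record the same invariant for debug builds only; if the fast path depends on it for memory safety, say so next to them rather than leaving it to the assertion. Both functions' bodies continue outside their hunks.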
@@ -1691,24 +1692,27 @@ RUNTIME_FUNCTION(Runtime_RegExpReplace) { const bool functional_replace = replace_obj->IsCallable(); + Handle replace; + if (!functional_replace) { + ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, replace, + Object::ToString(isolate, replace_obj)); + } + // Fast-path for unmodified JSRegExps (and non-functional replace). if (RegExpUtils::IsUnmodifiedRegExp(isolate, recv)) { // We should never get here with functional replace because unmodified // regexp and functional replace should be fully handled in CSA code. CHECK(!functional_replace); - RETURN_RESULT_OR_FAILURE( - isolate, RegExpReplace(isolate, Handle::cast(recv), string, - replace_obj)); + Handle result; + ASSIGN_RETURN_FAILURE_ON_EXCEPTION( + isolate, result, + RegExpReplace(isolate, Handle::cast(recv), string, replace)); + DCHECK(RegExpUtils::IsUnmodifiedRegExp(isolate, recv)); + return *result; } const uint32_t length = string->length(); - Handle replace; - if (!functional_replace) { - ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, replace, - Object::ToString(isolate, replace_obj)); - } - Handle global_obj; ASSIGN_RETURN_FAILURE_ON_EXCEPTION( isolate, global_obj, diff --git a/deps/v8/test/mjsunit/compiler/regress-939316.js b/deps/v8/test/mjsunit/compiler/regress-939316.js new file mode 100644 index 00000000000000..56dd41e6232b02 --- /dev/null +++ b/deps/v8/test/mjsunit/compiler/regress-939316.js @@ -0,0 +1,19 @@ +// Copyright 2019 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function f(arg) { + const o = Reflect.construct(Object, arguments, Proxy); + o.foo = arg; +} + +function g(i) { + f(i); +} + +g(0); +g(1); +%OptimizeFunctionOnNextCall(g); +g(2); diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-944435.js b/deps/v8/test/mjsunit/regress/regress-crbug-944435.js new file mode 100644 index 00000000000000..c3810be13b2fb4 --- /dev/null 
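Review bot: Runtime_RegExpReplace now performs `ToString(replace_obj)` before `IsUnmodifiedRegExp(isolate, recv)` — the right order, since the regress-crbug-944971.js test in this patch has a `toString` that mutates the regexp — but the hoisted block gives no reason, and the re-check after RegExpReplace is a `DCHECK`, so it is absent from release builds. Suggest a comment on the hoisted block: `// ToString may run user code that modifies the regexp; coerce before the unmodified check so that check still holds when the fast path runs.` If anything inside RegExpReplace can still reach user code (its body is not in this hunk), the trailing DCHECK verifies the precondition rather than guarding it, which is worth stating explicitly. Runtime_RegExpReplace continues outside the hunk.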
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-944435.js @@ -0,0 +1,38 @@ +// Copyright 2019 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --verify-heap --expose-gc + +function foo( ) { + return [ + 0, + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 0x1000000, + 0x40000000, + 12, + 60, + 100, + 1000 * 60 * 60 * 24].map(Math.asin); +} + +let b = []; +b.constructor = {}; +b.constructor[Symbol.species] = function() {}; + +let a = []; +for (let i = 0; i < 10; i++) { + a.push(foo()); + gc(); + gc(); + gc(); +} diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-944971.js b/deps/v8/test/mjsunit/regress/regress-crbug-944971.js new file mode 100644 index 00000000000000..8f3f4a8cf893cf --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-crbug-944971.js @@ -0,0 +1,19 @@ +// Copyright 2019 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +let re = /x/y; +let cnt = 0; +let str = re[Symbol.replace]("x", { + toString: () => { + cnt++; + if (cnt == 2) { + re.lastIndex = {valueOf: () => { + re.x = 42; + return 0; + }}; + } + return 'y$'; + } +}); +assertEquals("y$", str); diff --git a/deps/v8/third_party/v8/builtins/array-sort.tq b/deps/v8/third_party/v8/builtins/array-sort.tq index a7510835750dcd..938ac540fb9fea 100644 --- a/deps/v8/third_party/v8/builtins/array-sort.tq +++ b/deps/v8/third_party/v8/builtins/array-sort.tq @@ -275,8 +275,7 @@ namespace array { const object = UnsafeCast(sortState.receiver); const elements = UnsafeCast(object.elements); const heapVal = UnsafeCast(value); - // Make sure we do not store signalling NaNs into double arrays. - const val = Float64SilenceNaN(Convert(heapVal)); + const val = Convert(heapVal); StoreFixedDoubleArrayElementSmi(elements, index, val); return kSuccess; } 
From 135b79a31d51939d46b68eaea5249e28c7f67757 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Fri, 5 Apr 2019 12:04:55 +0200 Subject: [PATCH 2/2] deps: patch V8 to 7.4.288.18 Refs: https://github.com/v8/v8/compare/7.4.288.17...7.4.288.18 PR-URL: https://github.com/nodejs/node/pull/27066 Refs: https://github.com/v8/v8/compare/7.4.288.13...7.4.288.17 Reviewed-By: Colin Ihrig Reviewed-By: Refael Ackermann --- deps/v8/include/v8-version.h | 2 +- deps/v8/src/compiler/typed-optimization.cc | 6 ++--- .../test/mjsunit/compiler/regress-945644.js | 23 +++++++++++++++++++ 3 files changed, 27 insertions(+), 4 deletions(-) create mode 100644 deps/v8/test/mjsunit/compiler/regress-945644.js diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index 7e869065a23992..e5641f118aeceb 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 7 #define V8_MINOR_VERSION 4 #define V8_BUILD_NUMBER 288 -#define V8_PATCH_LEVEL 17 +#define V8_PATCH_LEVEL 18 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/compiler/typed-optimization.cc b/deps/v8/src/compiler/typed-optimization.cc index 9b0df88da3bcdd..a555d7f63be606 100644 --- a/deps/v8/src/compiler/typed-optimization.cc +++ b/deps/v8/src/compiler/typed-optimization.cc @@ -727,7 +727,7 @@ Reduction TypedOptimization::ReduceSpeculativeNumberAdd(Node* node) { Node* const value = graph()->NewNode(simplified()->NumberAdd(), toNum_lhs, toNum_rhs); ReplaceWithValue(node, value); - return Replace(node); + return Replace(value); } return NoChange(); } @@ -796,7 +796,7 @@ Reduction TypedOptimization::ReduceSpeculativeNumberBinop(Node* node) { NumberOpFromSpeculativeNumberOp(simplified(), node->op()), toNum_lhs, toNum_rhs); ReplaceWithValue(node, value); - return Replace(node); + return Replace(value); } return NoChange(); } 
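Review bot: ReduceSpeculativeNumberAdd and ReduceSpeculativeNumberBinop here, and ReduceSpeculativeNumberComparison in the @@ -811 hunk, switch `return Replace(node)` to `return Replace(value)` after `ReplaceWithValue(node, value)` with no comment, so the next reader has nothing to stop them reverting it. Suggest `// Return the replacement, not the reduced node: its uses were presumably already rewired to value by ReplaceWithValue.` on the first occurrence. The tail `ReplaceWithValue(node, value); return Replace(value);` is now repeated verbatim three times; a small private helper would make a future divergence like the one fixed here harder. The fix is exercised by regress-945644.js added in this patch. Each reducer's body begins outside its hunk.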
@@ -811,7 +811,7 @@ Reduction TypedOptimization::ReduceSpeculativeNumberComparison(Node* node) { Node* const value = graph()->NewNode( NumberOpFromSpeculativeNumberOp(simplified(), node->op()), lhs, rhs); ReplaceWithValue(node, value); - return Replace(node); + return Replace(value); } return NoChange(); } diff --git a/deps/v8/test/mjsunit/compiler/regress-945644.js b/deps/v8/test/mjsunit/compiler/regress-945644.js new file mode 100644 index 00000000000000..2cb8839d862549 --- /dev/null +++ b/deps/v8/test/mjsunit/compiler/regress-945644.js @@ -0,0 +1,23 @@ +// Copyright 2019 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function f(v5,v6) { + const v16 = [1337,1337,-765470.5051836492]; + let v19 = 0; + do { + const v20 = v19 + 1; + const v22 = Math.fround(v20); + v19 = v22; + const v23 = [v20, v22]; + function v24() { v20; v22; } + const v33 = v16.indexOf(v19); + } while (v19 < 6); +} + +f(); +Array.prototype.push(8); +%OptimizeFunctionOnNextCall(f); +f();