deps: patch V8 to 11.8.172.15
Refs: v8/v8@11.8.172.13...11.8.172.15
PR-URL: #50114
Reviewed-By: Jiawen Geng <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
targos committed Oct 23, 2023
1 parent dda33c2 commit 571f7ef
Showing 4 changed files with 39 additions and 7 deletions.
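--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 11
 #define V8_MINOR_VERSION 8
 #define V8_BUILD_NUMBER 172
-#define V8_PATCH_LEVEL 13
+#define V8_PATCH_LEVEL 15
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)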
5 changes: 4 additions & 1 deletion deps/v8/src/compiler/js-call-reducer.cc
@@ -6381,8 +6381,11 @@ Reduction JSCallReducer::ReduceArrayIterator(Node* node,
}
}

// JSCreateArrayIterator doesn't have control output, so we bypass the old
// JSCall node on the control chain.
ReplaceWithValue(node, node, node, control);

// Morph the {node} into a JSCreateArrayIterator with the given {kind}.
RelaxControls(node);
node->ReplaceInput(0, receiver);
node->ReplaceInput(1, context);
node->ReplaceInput(2, effect);
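Review bot: The comment above `ReplaceWithValue(node, node, node, control);` says why the control chain is rewired but not why `node` is passed as its own value and effect replacement, which reads like a no-op at first sight. Assuming the usual ReplaceWithValue(node, value, effect, control) contract, a second comment line such as `// Value and effect uses stay on {node}; only control uses move to {control}.` would make the intent explicit. The page does not mark added and removed lines, so I am reading `RelaxControls(node);` as the line this call replaces; if so, the comment could also say briefly why relaxing controls was not sufficient once the node becomes a JSCreateArrayIterator, since that is the invariant a later refactor must not undo. ReduceArrayIterator begins and ends outside this hunk, so where `control` comes from is not visible here.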
14 changes: 9 additions & 5 deletions deps/v8/src/ic/ic.cc
@@ -3185,18 +3185,22 @@ bool CanFastCloneObjectWithDifferentMaps(Handle<Map> source_map,
Handle<Map> target_map,
Isolate* isolate) {
DisallowGarbageCollection no_gc;
// TODO(olivf): Add support for non JS_OBJECT_TYPE source maps. The reason for
// this restriction is that the IC does not initialize the target object and
// instead relies on copying the source objects bytes. Thus they need to have
// the same binary layout.
// Ensure source and target have identical binary represenation of properties
// and elements as the IC relies on copying the raw bytes. This also excludes
// cases with non-enumerable properties or accessors on the source object.
if (source_map->instance_type() != JS_OBJECT_TYPE ||
target_map->instance_type() != JS_OBJECT_TYPE ||
!source_map->OnlyHasSimpleProperties() ||
!target_map->OnlyHasSimpleProperties()) {
!target_map->OnlyHasSimpleProperties() ||
source_map->elements_kind() != target_map->elements_kind() ||
!source_map->has_fast_elements()) {
return false;
}
// Check that the source inobject properties are big enough to initialize all
// target slots, but not too big to fit.
// TODO(olivf): This restriction (and the same restriction on the backing
// store) could be lifted by properly initializing the target object instead
// of relying on copying empty slots.
int source_inobj_properties = source_map->GetInObjectProperties();
int target_inobj_properties = target_map->GetInObjectProperties();
int source_used_inobj_properties =
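Review bot: The conditions `source_map->elements_kind() != target_map->elements_kind()` and `!source_map->has_fast_elements()` guard a raw byte copy, yet the only test in this commit lives under test/mjsunit/compiler/ and appears to target the call-reducer change, so nothing visible here pins the elements check against regression. Because a layout mismatch on this path means bytes are copied into an object of a different shape, a dedicated mjsunit case for the fast-clone path whose source and target maps differ in elements kind would be worth adding upstream. In the comment itself, `represenation` should read `representation`. Since only the source is tested with has_fast_elements(), a short remark like `// Kinds are equal, so checking the source covers the target too.` would save the next reader from wondering about the asymmetry. CanFastCloneObjectWithDifferentMaps continues past the end of the hunk.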
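--- /dev/null
+++ b/deps/v8/test/mjsunit/compiler/regress-crbug-1486342.js
@@ -0,0 +1,25 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --jit-fuzzing
+
+const o13 = {
+"maxByteLength": 5368789,
+};
+const v14 = new ArrayBuffer(129, o13);
+const v16 = new Uint16Array(v14);
+
+function f3(param) {
+for (let i = 0; i < 5; i++) {
+try {"resize".includes(v14); } catch (e) {}
+v14.resize(3.0, ..."resize", ...v16);
+}
+
+let f = function() { return param; }
+}
+
+%PrepareFunctionForOptimization(f3);
+f3();
+%OptimizeFunctionOnNextCall(f3);
+f3();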
