From f2d320b891fb557588f8dd573f72ecd75a29ff27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 7 Oct 2023 08:32:51 +0200 Subject: [PATCH 1/5] deps: V8: cherry-pick a1efa5343880 Original commit message: Merged: [runtime] Set instance prototypes directly on maps Bug: chromium:1452137 (cherry picked from commit c7c447735f762f6d6d0878e229371797845ef4ab) Change-Id: I611c41f942e2e51f3c4b4f1d119c18410617188e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4637888 Commit-Queue: Igor Sheludko Auto-Submit: Igor Sheludko Commit-Queue: Toon Verwaest Reviewed-by: Toon Verwaest Cr-Commit-Position: refs/branch-heads/11.4@{#47} Cr-Branched-From: 8a8a1e7086dacc426965d3875914efa66663c431-refs/heads/11.4.183@{#1} Cr-Branched-From: 5483d8e816e0bbce865cbbc3fa0ab357e6330bab-refs/heads/main@{#87241} Refs: https://github.com/v8/v8/commit/a1efa5343880dff50985782c6d573cbb4777388d --- common.gypi | 2 +- deps/v8/src/objects/js-function.cc | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/common.gypi b/common.gypi index 52636bb2fac590..1dca7c9a106e2e 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.20', + 'v8_embedder_string': '-node.21', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/objects/js-function.cc b/deps/v8/src/objects/js-function.cc index 1640cb0d31529c..94f7a672a704e1 100644 --- a/deps/v8/src/objects/js-function.cc +++ b/deps/v8/src/objects/js-function.cc 
@@ -676,6 +676,10 @@ void SetInstancePrototype(Isolate* isolate, Handle function, // At that point, a new initial map is created and the prototype is put // into the initial map where it belongs. function->set_prototype_or_initial_map(*value, kReleaseStore); + if (value->IsJSObjectThatCanBeTrackedAsPrototype()) { + // Optimize as prototype to detach it from its transition tree. + JSObject::OptimizeAsPrototype(Handle::cast(value)); + } } else { Handle new_map = Map::Copy(isolate, initial_map, "SetInstancePrototype"); @@ -801,8 +805,10 @@ void JSFunction::EnsureHasInitialMap(Handle function) { Handle prototype; if (function->has_instance_prototype()) { prototype = handle(function->instance_prototype(), isolate); + map->set_prototype(*prototype); } else { prototype = isolate->factory()->NewFunctionPrototype(function); + Map::SetPrototype(isolate, map, prototype); } DCHECK(map->has_fast_object_elements()); From 827dd00bd3b8c6de002c98691a3eb8bec2ba2c0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 7 Oct 2023 08:33:30 +0200 Subject: [PATCH 2/5] deps: V8: cherry-pick 840650f2ff4e Original commit message: Merged: [compiler] StackCheck can have side effects Bug: chromium:1452137 (cherry picked from commit e548943e473b020fdc1de6e5543ca31b24d8b7f9) Change-Id: Ibd7c9b02efd12341b452e4c34a635a58a817649f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4637129 Reviewed-by: Toon Verwaest Commit-Queue: Tobias Tebbi Auto-Submit: Tobias Tebbi Commit-Queue: Toon Verwaest Cr-Commit-Position: refs/branch-heads/11.4@{#49} Cr-Branched-From: 8a8a1e7086dacc426965d3875914efa66663c431-refs/heads/11.4.183@{#1} Cr-Branched-From: 5483d8e816e0bbce865cbbc3fa0ab357e6330bab-refs/heads/main@{#87241} Refs: https://github.com/v8/v8/commit/840650f2ff4ee0d96601dd4d2912c0733bf6c925 --- common.gypi | 2 +- deps/v8/src/compiler/js-operator.cc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
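Review bot: In SetInstancePrototype the added comment says what `OptimizeAsPrototype` does but not which invariant depends on it, and the call runs only after `set_prototype_or_initial_map(*value, kReleaseStore)` has already published the value. I would extend the comment along the lines of `// Detach from the transition tree now: the initial map created later gets this prototype set directly.`, with the wording confirmed against the code that consumes the invariant, which is outside this hunk. The `Handle::cast(value)` is only safe under the `IsJSObjectThatCanBeTrackedAsPrototype()` guard, so the two need to stay together if the block is moved. The diffstat lists no test file for this patch, and the function body starts and ends outside the hunk.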
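Review bot: In EnsureHasInitialMap the two branches now install the prototype through different paths, `map->set_prototype(*prototype)` for an existing instance prototype and `Map::SetPrototype(isolate, map, prototype)` for a freshly created one, and nothing at the site explains the asymmetry. The direct setter appears to rely on SetInstancePrototype having already called `OptimizeAsPrototype` on that value (the first hunk of this file), which is an invariant spanning two functions. If that is the intent, a comment such as `// Already optimized as a prototype when it was stored by SetInstancePrototype.` and a debug assertion on the prototype's map would protect it against a later caller that stores an instance prototype by another route. The function continues past the end of the hunk.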
diff --git a/common.gypi b/common.gypi index 1dca7c9a106e2e..425219c015d7e1 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.21', + 'v8_embedder_string': '-node.22', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/compiler/js-operator.cc b/deps/v8/src/compiler/js-operator.cc index 34f6e9d7b08e71..fb678f80829a2f 100644 --- a/deps/v8/src/compiler/js-operator.cc +++ b/deps/v8/src/compiler/js-operator.cc @@ -1402,7 +1402,7 @@ const Operator* JSOperatorBuilder::CloneObject(FeedbackSource const& feedback, const Operator* JSOperatorBuilder::StackCheck(StackCheckKind kind) { return zone()->New>( // -- IrOpcode::kJSStackCheck, // opcode - Operator::kNoWrite, // properties + Operator::kNoProperties, // properties "JSStackCheck", // name 0, 1, 1, 0, 1, 2, // counts kind); // parameter From 03d1cb7cf3ac7338a1d24d5584abf1ba5f2a632a Mon Sep 17 00:00:00 2001 From: Shi Pujin Date: Tue, 17 Oct 2023 15:00:40 +0800 Subject: [PATCH 3/5] deps: V8: cherry-pick 9721082687c9 Original commit message: heap: Add missing include for std::remove GCC 14 changes some internal includes within libstdc++ so this transient include gets lost. Include explicitly for std::remove. Change-Id: Iab8a2c751a0f9c9dc6a770d6296ad6de724ef3bb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4583222 Reviewed-by: Michael Lippautz Commit-Queue: Michael Lippautz Cr-Commit-Position: refs/heads/main@{#88037} --- common.gypi | 2 +- deps/v8/AUTHORS | 1 + deps/v8/src/heap/cppgc/stats-collector.h | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/common.gypi b/common.gypi index 425219c015d7e1..326f8570ac1664 100644 --- a/common.gypi +++ b/common.gypi 
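Review bot: In JSOperatorBuilder::StackCheck the changed line still carries only the generic `// properties` comment, so the reason the operator must not be `kNoWrite` is recorded nowhere but the commit message. Operator properties are what the optimizing compiler relies on when it decides which earlier checks remain valid across a node, so an under-declared side effect here is a correctness and memory-safety matter rather than a tuning choice. I would record it at the site, e.g. `Operator::kNoProperties,  // properties: StackCheck can have side effects, do not narrow to kNoWrite`. The diffstat shows no accompanying test, so this patch by itself would not catch a later return to the narrower flag.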
@@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.22', + 'v8_embedder_string': '-node.23', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/AUTHORS b/deps/v8/AUTHORS index d84c722b8dcb7b..644b17bcec8dd7 100644 --- a/deps/v8/AUTHORS +++ b/deps/v8/AUTHORS @@ -239,6 +239,7 @@ Sakthipriyan Vairamani (thefourtheye) Sander Mathijs van Veen Sandro Santilli Sanjoy Das +Sam James Seo Sanghyeon Shawn Anastasio Shawn Presser diff --git a/deps/v8/src/heap/cppgc/stats-collector.h b/deps/v8/src/heap/cppgc/stats-collector.h index 2cf728489d0a9c..d8414ae3c6e2d0 100644 --- a/deps/v8/src/heap/cppgc/stats-collector.h +++ b/deps/v8/src/heap/cppgc/stats-collector.h @@ -8,6 +8,7 @@ #include #include +#include #include #include From 29146d0bcbdf5b4f7520054abd0c316a1a88f2dd Mon Sep 17 00:00:00 2001 
From: Luke Albao Date: Mon, 23 Oct 2023 08:27:33 -0700 Subject: [PATCH 4/5] deps: V8: cherry-pick f7d000a7ae7b Original commit message: [logging] Bugfix: LinuxPerfBasicLogger should log JS functions This patch fixes a typo that was introduced in commit c51041f45400928cd64fbc8f389c0dd0dd15f82f / https://chromium-review.googlesource.com/c/v8/v8/+/2336793, which reversed the behavior of the perf_basic_prof_only_functions flag. This also refactors the equivalent guard in LinuxPerfJitLogger to use the same inline CodeKind API for identifying JS Functions. This is unrelated to the bug, but it seems a fair rider to add on here. Bug: v8:14387 Change-Id: I25766b0d45f4c65dfec5ae01e094a1ed94111054 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4954225 Reviewed-by: Camillo Bruni Commit-Queue: Camillo Bruni Cr-Commit-Position: refs/heads/main@{#90501} Refs: https://github.com/v8/v8/commit/f7d000a7ae7b731805338338eb51a81fbcfe2628 --- common.gypi | 2 +- deps/v8/AUTHORS | 1 + deps/v8/src/diagnostics/perf-jit.cc | 5 ++--- deps/v8/src/logging/log.cc | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/common.gypi b/common.gypi index 326f8570ac1664..8da04166808183 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.23', + 'v8_embedder_string': '-node.24', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/AUTHORS b/deps/v8/AUTHORS index 644b17bcec8dd7..7b43882edca7ea 100644 --- a/deps/v8/AUTHORS +++ b/deps/v8/AUTHORS @@ -172,6 +172,7 @@ Kyounga Ra Loo Rong Jie Lu Yahan Luis Reis +Luke Albao Luke Zarko Ma Aiguo Maciej Małecki diff --git a/deps/v8/src/diagnostics/perf-jit.cc b/deps/v8/src/diagnostics/perf-jit.cc index b3758680d1d55e..4d8489c6644079 100644 --- a/deps/v8/src/diagnostics/perf-jit.cc +++ b/deps/v8/src/diagnostics/perf-jit.cc 
@@ -42,6 +42,7 @@ #include "src/codegen/assembler.h" #include "src/codegen/source-position-table.h" #include "src/diagnostics/eh-frame.h" +#include "src/objects/code-kind.h" #include "src/objects/objects-inl.h" #include "src/objects/shared-function-info.h" #include "src/snapshot/embedded/embedded-data.h" @@ -222,9 +223,7 @@ void LinuxPerfJitLogger::LogRecordedBuffer( DisallowGarbageCollection no_gc; if (v8_flags.perf_basic_prof_only_functions) { CodeKind code_kind = abstract_code.kind(isolate_); - if (code_kind != CodeKind::INTERPRETED_FUNCTION && - code_kind != CodeKind::TURBOFAN && code_kind != CodeKind::MAGLEV && - code_kind != CodeKind::BASELINE) { + if (!CodeKindIsJSFunction(code_kind)) { return; } } diff --git a/deps/v8/src/logging/log.cc b/deps/v8/src/logging/log.cc index ca97693465f427..b4903db16832a3 100644 --- a/deps/v8/src/logging/log.cc +++ b/deps/v8/src/logging/log.cc @@ -433,7 +433,7 @@ void LinuxPerfBasicLogger::LogRecordedBuffer(AbstractCode code, DisallowGarbageCollection no_gc; PtrComprCageBase cage_base(isolate_); if (v8_flags.perf_basic_prof_only_functions && - CodeKindIsBuiltinOrJSFunction(code.kind(cage_base))) { + !CodeKindIsBuiltinOrJSFunction(code.kind(cage_base))) { return; } From ac65ccc6f951334dbcd4eca6e8cded0db13bd523 Mon Sep 17 00:00:00 2001 
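Review bot: After this patch the two perf loggers gate `perf_basic_prof_only_functions` on different predicates: LinuxPerfJitLogger::LogRecordedBuffer returns early on `!CodeKindIsJSFunction(code_kind)`, while LinuxPerfBasicLogger in log.cc tests `!CodeKindIsBuiltinOrJSFunction(code.kind(cage_base))`, so builtins are kept by one logger and dropped by the other. If that difference is intended, a one-line comment at each guard should say so; if not, both should call the same helper. The replacement in perf-jit.cc preserves behaviour only if `CodeKindIsJSFunction` covers exactly INTERPRETED_FUNCTION, BASELINE, MAGLEV and TURBOFAN, and its definition in code-kind.h is not part of this diff. Both function bodies extend beyond their hunks.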
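Review bot: No test pins the polarity of the `perf_basic_prof_only_functions` guard in LinuxPerfBasicLogger::LogRecordedBuffer, although the commit message says the inverted condition was introduced by an earlier change and went unnoticed. The diffstat lists only common.gypi, AUTHORS, perf-jit.cc and log.cc. A small test that enables the flag and checks that a JS function is still logged would keep the meaning from flipping again. A comment above the guard, e.g. `// With only_functions set, skip code that is neither a builtin nor a JS function.`, would also make the intended direction explicit.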
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Mon, 13 Nov 2023 13:39:29 +0100 Subject: [PATCH 5/5] deps: V8: cherry-pick d90d4533b053 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Original commit message: Fix reading integer-indexed import assertions in dynamic import Use GetPropertyOrElement instead of GetProperty to read import assertion values from the import assertions object, to support cases in which the key is an integer index such as `"0"`. The added test case, when using GetProperty, triggers the following DCHECK in debug builds: https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/lookup-inl.h;l=108;drc=515f187ba067ee4a99fdf5198cca2c97abd342fd In release builds it silently fails to read the property, and thus throws about it not being a valid string. Bug: v8:14069 Change-Id: Ifd4645b7bd9bfd07f06fa33727441d27eabc4d32 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4614489 Reviewed-by: Victor Gomes Commit-Queue: Marja Hölttä Reviewed-by: Marja Hölttä Cr-Commit-Position: refs/heads/main@{#88267} Refs: https://github.com/v8/v8/commit/d90d4533b05301e2be813a5f90223f4c6c1bf63d --- common.gypi | 2 +- deps/v8/src/execution/isolate.cc | 4 ++-- .../mjsunit/harmony/modules-import-assertions-dynamic-6.mjs | 5 +++++ 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/common.gypi b/common.gypi index 8da04166808183..4589f515178093 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.24', + 'v8_embedder_string': '-node.25', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/execution/isolate.cc b/deps/v8/src/execution/isolate.cc index 3c62ba5a5caef9..33ff1348f58989 100644 --- a/deps/v8/src/execution/isolate.cc +++ b/deps/v8/src/execution/isolate.cc 
@@ -5228,8 +5228,8 @@ MaybeHandle Isolate::GetImportAssertionsFromArgument( for (int i = 0; i < assertion_keys->length(); i++) { Handle assertion_key(String::cast(assertion_keys->get(i)), this); Handle assertion_value; - if (!JSReceiver::GetProperty(this, import_assertions_object_receiver, - assertion_key) + if (!Object::GetPropertyOrElement(this, import_assertions_object_receiver, + assertion_key) .ToHandle(&assertion_value)) { // This can happen if the property has a getter function that throws // an error. diff --git a/deps/v8/test/mjsunit/harmony/modules-import-assertions-dynamic-6.mjs b/deps/v8/test/mjsunit/harmony/modules-import-assertions-dynamic-6.mjs index 3388aefb5c5b13..76a0eddb0fdc34 100644 --- a/deps/v8/test/mjsunit/harmony/modules-import-assertions-dynamic-6.mjs +++ b/deps/v8/test/mjsunit/harmony/modules-import-assertions-dynamic-6.mjs @@ -8,6 +8,11 @@ var life; import('modules-skip-1.json', { assert: { type: 'json', notARealAssertion: 'value' } }).then( namespace => life = namespace.default.life); +var life2; +import('modules-skip-1.json', { assert: { 0: 'value', type: 'json' } }).then( + namespace => life2 = namespace.default.life); + %PerformMicrotaskCheckpoint(); assertEquals(42, life); +assertEquals(42, life2);
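Review bot: The context line `String::cast(assertion_keys->get(i))` in Isolate::GetImportAssertionsFromArgument assumes every collected key is a String, and this change is specifically about keys that are integer indices such as `"0"`. That holds only if the key collection above the hunk converts element indices to strings, so please confirm it and state it at the cast, e.g. `// Keys were collected with index-to-string conversion, so integer-indexed keys are Strings here.`. The existing comment about a getter that throws presumably applies to indexed accessors as well now that elements are read. The new mjsunit case covers only the accepted path (`0: 'value'`); a case with a non-string value under an integer key would exercise the rejection path too.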