From 7dd68ac5b6f9a10bfd12913118f750a6d73a978a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 17 Apr 2021 16:28:49 +0200 Subject: [PATCH] deps: V8: cherry-pick 8ebd894186ed Original commit message: [LTS-M86][builtins] Fix Array.prototype.concat with @@species (cherry picked from commit 7989e04979c3195e60a6814e8263063eb91f7b47) No-Try: true No-Presubmit: true No-Tree-Checks: true Bug: chromium:1195977 Change-Id: I16843bce2e9f776abca0f2b943b898ab5e597e42 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810787 Reviewed-by: Camillo Bruni Commit-Queue: Igor Sheludko Cr-Original-Commit-Position: refs/heads/master@{#73842} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2823829 Commit-Queue: Jana Grill Reviewed-by: Igor Sheludko Reviewed-by: Victor-Gabriel Savu Cr-Commit-Position: refs/branch-heads/8.6@{#77} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: https://github.com/v8/v8/commit/8ebd894186ed74afb7236ee6981e63e545b26db0 PR-URL: https://github.com/nodejs/node/pull/38275 Reviewed-By: Matteo Collina Reviewed-By: Jiawen Geng Reviewed-By: Shelley Vohr --- common.gypi | 2 +- deps/v8/src/builtins/builtins-array.cc | 15 +++++++++------ deps/v8/src/objects/fixed-array-inl.h | 6 ++++-- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/common.gypi b/common.gypi index e8b89a76e22487..13e78c55955ed0 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.51', + 'v8_embedder_string': '-node.52', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/builtins/builtins-array.cc b/deps/v8/src/builtins/builtins-array.cc index 5135f9599b6e2d..8055d8382d48f6 100644 --- a/deps/v8/src/builtins/builtins-array.cc +++ b/deps/v8/src/builtins/builtins-array.cc @@ -649,11 +649,14 @@ class ArrayConcatVisitor { index_offset_(0u), bit_field_(FastElementsField::encode(fast_elements) | ExceedsLimitField::encode(false) | - IsFixedArrayField::encode(storage->IsFixedArray()) | + IsFixedArrayField::encode(storage->IsFixedArray(isolate)) | HasSimpleElementsField::encode( - storage->IsFixedArray() || - !storage->map().IsCustomElementsReceiverMap())) { - DCHECK(!(this->fast_elements() && !is_fixed_array())); + storage->IsFixedArray(isolate) || + // Don't take fast path for storages that might have + // side effects when storing to them. + (!storage->map(isolate).IsCustomElementsReceiverMap() && + !storage->IsJSTypedArray(isolate)))) { + DCHECK_IMPLIES(this->fast_elements(), is_fixed_array()); } ~ArrayConcatVisitor() { clear_storage(); } @@ -1063,8 +1066,8 @@ bool IterateElements(Isolate* isolate, Handle receiver, return IterateElementsSlow(isolate, receiver, length, visitor); } - if (!HasOnlySimpleElements(isolate, *receiver) || - !visitor->has_simple_elements()) { + if (!visitor->has_simple_elements() || + !HasOnlySimpleElements(isolate, *receiver)) { return IterateElementsSlow(isolate, receiver, length, visitor); } Handle array = Handle::cast(receiver); diff --git a/deps/v8/src/objects/fixed-array-inl.h b/deps/v8/src/objects/fixed-array-inl.h index 174d4abc5b4e0a..25c808070661ae 100644 --- a/deps/v8/src/objects/fixed-array-inl.h +++ b/deps/v8/src/objects/fixed-array-inl.h @@ -309,7 +309,7 @@ int Search(T* array, Name name, int valid_entries, int* out_insertion_index) { double FixedDoubleArray::get_scalar(int index) { DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() && map() != GetReadOnlyRoots().fixed_array_map()); - DCHECK(index >= 0 && index < this->length()); + DCHECK_LT(static_cast(index), static_cast(length())); DCHECK(!is_the_hole(index)); return ReadField(kHeaderSize + index * kDoubleSize); } @@ -317,7 +317,7 @@ double FixedDoubleArray::get_scalar(int index) { uint64_t FixedDoubleArray::get_representation(int index) { DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() && map() != GetReadOnlyRoots().fixed_array_map()); - DCHECK(index >= 0 && index < this->length()); + DCHECK_LT(static_cast(index), static_cast(length())); int offset = kHeaderSize + index * kDoubleSize; // Bug(v8:8875): Doubles may be unaligned. return base::ReadUnalignedValue(field_address(offset)); @@ -335,6 +335,7 @@ Handle FixedDoubleArray::get(FixedDoubleArray array, int index, void FixedDoubleArray::set(int index, double value) { DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() && map() != GetReadOnlyRoots().fixed_array_map()); + DCHECK_LT(static_cast(index), static_cast(length())); int offset = kHeaderSize + index * kDoubleSize; if (std::isnan(value)) { WriteField(offset, std::numeric_limits::quiet_NaN()); @@ -351,6 +352,7 @@ void FixedDoubleArray::set_the_hole(Isolate* isolate, int index) { void FixedDoubleArray::set_the_hole(int index) { DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() && map() != GetReadOnlyRoots().fixed_array_map()); + DCHECK_LT(static_cast(index), static_cast(length())); int offset = kHeaderSize + index * kDoubleSize; base::WriteUnalignedValue(field_address(offset), kHoleNanInt64); }