deps: update V8 to 7.8.279.9

PR-URL: https://github.com/nodejs/node/pull/29694
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>

1 files changed, 54 insertions, 46 deletions

diff --git a/deps/v8/src/objects/js-objects.cc b/deps/v8/src/objects/js-objects.cc
index 5c4db16206..3666f5afbe 100644
--- a/deps/v8/src/objects/js-objects.cc
+++ b/deps/v8/src/objects/js-objects.cc
@@ -1509,20 +1509,27 @@ namespace {
 
 Maybe<bool> GetPropertyDescriptorWithInterceptor(LookupIterator* it,
                                                  PropertyDescriptor* desc) {
+  Handle<InterceptorInfo> interceptor;
+
   if (it->state() == LookupIterator::ACCESS_CHECK) {
     if (it->HasAccess()) {
       it->Next();
-    } else if (!JSObject::AllCanRead(it) ||
-               it->state() != LookupIterator::INTERCEPTOR) {
-      it->Restart();
-      return Just(false);
+    } else {
+      interceptor = it->GetInterceptorForFailedAccessCheck();
+      if (interceptor.is_null() &&
+          (!JSObject::AllCanRead(it) ||
+           it->state() != LookupIterator::INTERCEPTOR)) {
+        it->Restart();
+        return Just(false);
+      }
     }
   }
 
-  if (it->state() != LookupIterator::INTERCEPTOR) return Just(false);
-
+  if (it->state() == LookupIterator::INTERCEPTOR) {
+    interceptor = it->GetInterceptor();
+  }
+  if (interceptor.is_null()) return Just(false);
   Isolate* isolate = it->isolate();
-  Handle<InterceptorInfo> interceptor = it->GetInterceptor();
   if (interceptor->descriptor().IsUndefined(isolate)) return Just(false);
 
   Handle<Object> result;
@@ -1607,12 +1614,14 @@ Maybe<bool> JSReceiver::GetOwnPropertyDescriptor(LookupIterator* it,
     // 6. Else X is an accessor property, so
     Handle<AccessorPair> accessors =
         Handle<AccessorPair>::cast(it->GetAccessors());
+    Handle<NativeContext> native_context =
+        it->GetHolder<JSReceiver>()->GetCreationContext();
     // 6a. Set D.[[Get]] to the value of X's [[Get]] attribute.
-    desc->set_get(
-        AccessorPair::GetComponent(isolate, accessors, ACCESSOR_GETTER));
+    desc->set_get(AccessorPair::GetComponent(isolate, native_context, accessors,
+                                             ACCESSOR_GETTER));
     // 6b. Set D.[[Set]] to the value of X's [[Set]] attribute.
-    desc->set_set(
-        AccessorPair::GetComponent(isolate, accessors, ACCESSOR_SETTER));
+    desc->set_set(AccessorPair::GetComponent(isolate, native_context, accessors,
+                                             ACCESSOR_SETTER));
   }
 
   // 7. Set D.[[Enumerable]] to the value of X's [[Enumerable]] attribute.
@@ -2039,7 +2048,7 @@ MaybeHandle<JSObject> JSObject::ObjectCreate(Isolate* isolate,
 void JSObject::EnsureWritableFastElements(Handle<JSObject> object) {
   DCHECK(object->HasSmiOrObjectElements() ||
          object->HasFastStringWrapperElements() ||
-         object->HasFrozenOrSealedElements());
+         object->HasAnyNonextensibleElements());
   FixedArray raw_elems = FixedArray::cast(object->elements());
   Isolate* isolate = object->GetIsolate();
   if (raw_elems.map() != ReadOnlyRoots(isolate).fixed_cow_array_map()) return;
@@ -2622,12 +2631,12 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
         FieldIndex::ForDescriptor(isolate, *new_map, new_map->LastAdded());
     if (index.is_inobject() || index.outobject_array_index() <
                                    object->property_array(isolate).length()) {
-      // We still need to allocate MutableHeapNumbers for double fields
+      // We still need to allocate HeapNumbers for double fields
       // if either double field unboxing is disabled or the double field
       // is in the PropertyArray backing store (where we don't support
       // double field unboxing).
       if (index.is_double() && !new_map->IsUnboxedDoubleField(isolate, index)) {
-        auto value = isolate->factory()->NewMutableHeapNumberWithHoleNaN();
+        auto value = isolate->factory()->NewHeapNumberWithHoleNaN();
         object->RawFastPropertyAtPut(index, *value);
       }
       object->synchronized_set_map(*new_map);
@@ -2644,7 +2653,7 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
     // Properly initialize newly added property.
     Handle<Object> value;
     if (details.representation().IsDouble()) {
-      value = isolate->factory()->NewMutableHeapNumberWithHoleNaN();
+      value = isolate->factory()->NewHeapNumberWithHoleNaN();
     } else {
       value = isolate->factory()->uninitialized_value();
     }
@@ -2708,7 +2717,7 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
         // must already be prepared for data of certain type.
         DCHECK(!details.representation().IsNone());
         if (details.representation().IsDouble()) {
-          value = isolate->factory()->NewMutableHeapNumberWithHoleNaN();
+          value = isolate->factory()->NewHeapNumberWithHoleNaN();
         } else {
           value = isolate->factory()->uninitialized_value();
         }
@@ -2722,11 +2731,7 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
       FieldIndex index = FieldIndex::ForDescriptor(isolate, *old_map, i);
       if (object->IsUnboxedDoubleField(isolate, index)) {
         uint64_t old_bits = object->RawFastDoublePropertyAsBitsAt(index);
-        if (representation.IsDouble()) {
-          value = isolate->factory()->NewMutableHeapNumberFromBits(old_bits);
-        } else {
-          value = isolate->factory()->NewHeapNumberFromBits(old_bits);
-        }
+        value = isolate->factory()->NewHeapNumberFromBits(old_bits);
       } else {
         value = handle(object->RawFastPropertyAt(isolate, index), isolate);
         if (!old_representation.IsDouble() && representation.IsDouble()) {
@@ -2754,7 +2759,7 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
     DCHECK_EQ(kData, details.kind());
     Handle<Object> value;
     if (details.representation().IsDouble()) {
-      value = isolate->factory()->NewMutableHeapNumberWithHoleNaN();
+      value = isolate->factory()->NewHeapNumberWithHoleNaN();
     } else {
       value = isolate->factory()->uninitialized_value();
     }
@@ -2784,10 +2789,10 @@ void MigrateFastToFast(Isolate* isolate, Handle<JSObject> object,
     // Can't use JSObject::FastPropertyAtPut() because proper map was not set
     // yet.
     if (new_map->IsUnboxedDoubleField(isolate, index)) {
-      DCHECK(value.IsMutableHeapNumber(isolate));
+      DCHECK(value.IsHeapNumber(isolate));
       // Ensure that all bits of the double value are preserved.
       object->RawFastDoublePropertyAsBitsAtPut(
-          index, MutableHeapNumber::cast(value).value_as_bits());
+          index, HeapNumber::cast(value).value_as_bits());
       if (i < old_number_of_fields && !old_map->IsUnboxedDoubleField(index)) {
         // Transition from tagged to untagged slot.
         heap->ClearRecordedSlot(*object, object->RawField(index.offset()));
@@ -2859,8 +2864,8 @@ void MigrateFastToSlow(Isolate* isolate, Handle<JSObject> object,
         } else {
           value = handle(object->RawFastPropertyAt(isolate, index), isolate);
           if (details.representation().IsDouble()) {
-            DCHECK(value->IsMutableHeapNumber(isolate));
-            double old_value = Handle<MutableHeapNumber>::cast(value)->value();
+            DCHECK(value->IsHeapNumber(isolate));
+            double old_value = Handle<HeapNumber>::cast(value)->value();
             value = isolate->factory()->NewHeapNumber(old_value);
           }
         }
@@ -3048,7 +3053,7 @@ void JSObject::AllocateStorageForMap(Handle<JSObject> object, Handle<Map> map) {
       if (!representation.IsDouble()) continue;
       FieldIndex index = FieldIndex::ForDescriptor(*map, i);
       if (map->IsUnboxedDoubleField(index)) continue;
-      auto box = isolate->factory()->NewMutableHeapNumberWithHoleNaN();
+      auto box = isolate->factory()->NewHeapNumberWithHoleNaN();
       if (index.is_inobject()) {
         storage->set(index.property_index(), *box);
       } else {
@@ -3464,7 +3469,8 @@ Handle<NumberDictionary> JSObject::NormalizeElements(Handle<JSObject> object) {
 
   DCHECK(object->HasSmiOrObjectElements() || object->HasDoubleElements() ||
          object->HasFastArgumentsElements() ||
-         object->HasFastStringWrapperElements() || object->HasSealedElements());
+         object->HasFastStringWrapperElements() ||
+         object->HasSealedElements() || object->HasNonextensibleElements());
 
   Handle<NumberDictionary> dictionary =
       object->GetElementsAccessor()->Normalize(object);
@@ -3637,6 +3643,7 @@ bool TestElementsIntegrityLevel(JSObject object, PropertyAttributes level) {
   }
   if (IsFrozenElementsKind(kind)) return true;
   if (IsSealedElementsKind(kind) && level != FROZEN) return true;
+  if (IsNonextensibleElementsKind(kind) && level == NONE) return true;
 
   ElementsAccessor* accessor = ElementsAccessor::ForKind(kind);
   // Only DICTIONARY_ELEMENTS and SLOW_SLOPPY_ARGUMENTS_ELEMENTS have
@@ -3795,9 +3802,9 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
   if (attrs == NONE && !object->map().is_extensible()) return Just(true);
   {
     ElementsKind old_elements_kind = object->map().elements_kind();
+    if (IsFrozenElementsKind(old_elements_kind)) return Just(true);
     if (attrs != FROZEN && IsSealedElementsKind(old_elements_kind))
       return Just(true);
-    if (old_elements_kind == PACKED_FROZEN_ELEMENTS) return Just(true);
   }
 
   if (object->IsJSGlobalProxy()) {
@@ -3842,8 +3849,7 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
   // elements kind change in one go. If seal or freeze with Smi or Double
   // elements kind, we will transition to Object elements kind first to make
   // sure of valid element access.
-  if (FLAG_enable_sealed_frozen_elements_kind &&
-      (attrs == SEALED || attrs == FROZEN)) {
+  if (FLAG_enable_sealed_frozen_elements_kind) {
     switch (object->map().elements_kind()) {
       case PACKED_SMI_ELEMENTS:
       case PACKED_DOUBLE_ELEMENTS:
@@ -3871,9 +3877,9 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
     DCHECK(transition_map->has_dictionary_elements() ||
            transition_map->has_typed_array_elements() ||
            transition_map->elements_kind() == SLOW_STRING_WRAPPER_ELEMENTS ||
-           transition_map->has_frozen_or_sealed_elements());
+           transition_map->has_any_nonextensible_elements());
     DCHECK(!transition_map->is_extensible());
-    if (!transition_map->has_frozen_or_sealed_elements()) {
+    if (!transition_map->has_any_nonextensible_elements()) {
       new_element_dictionary = CreateElementDictionary(isolate, object);
     }
     JSObject::MigrateToMap(isolate, object, transition_map);
@@ -3881,7 +3887,7 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
     // Create a new descriptor array with the appropriate property attributes
     Handle<Map> new_map = Map::CopyForPreventExtensions(
         isolate, old_map, attrs, transition_marker, "CopyForPreventExtensions");
-    if (!new_map->has_frozen_or_sealed_elements()) {
+    if (!new_map->has_any_nonextensible_elements()) {
       new_element_dictionary = CreateElementDictionary(isolate, object);
     }
     JSObject::MigrateToMap(isolate, object, new_map);
@@ -3922,7 +3928,7 @@ Maybe<bool> JSObject::PreventExtensionsWithTransition(
     }
   }
 
-  if (object->map().has_frozen_or_sealed_elements()) {
+  if (object->map().has_any_nonextensible_elements()) {
     DCHECK(new_element_dictionary.is_null());
     return Just(true);
   }
@@ -3980,6 +3986,7 @@ bool JSObject::HasEnumerableElements() {
     case PACKED_ELEMENTS:
     case PACKED_FROZEN_ELEMENTS:
     case PACKED_SEALED_ELEMENTS:
+    case PACKED_NONEXTENSIBLE_ELEMENTS:
     case PACKED_DOUBLE_ELEMENTS: {
       int length = object.IsJSArray()
                        ? Smi::ToInt(JSArray::cast(object).length())
@@ -3989,6 +3996,7 @@ bool JSObject::HasEnumerableElements() {
     case HOLEY_SMI_ELEMENTS:
     case HOLEY_FROZEN_ELEMENTS:
     case HOLEY_SEALED_ELEMENTS:
+    case HOLEY_NONEXTENSIBLE_ELEMENTS:
     case HOLEY_ELEMENTS: {
       FixedArray elements = FixedArray::cast(object.elements());
       int length = object.IsJSArray()
@@ -4146,7 +4154,7 @@ Object JSObject::SlowReverseLookup(Object value) {
         } else {
           Object property = RawFastPropertyAt(field_index);
           if (field_index.is_double()) {
-            DCHECK(property.IsMutableHeapNumber());
+            DCHECK(property.IsHeapNumber());
             if (value_is_number && property.Number() == value.Number()) {
               return descs.GetKey(i);
             }
@@ -4691,8 +4699,9 @@ void JSObject::TransitionElementsKind(Handle<JSObject> object,
   if (from_kind == to_kind) return;
 
   // This method should never be called for any other case.
-  DCHECK(IsFastElementsKind(from_kind));
-  DCHECK(IsFastElementsKind(to_kind));
+  DCHECK(IsFastElementsKind(from_kind) ||
+         IsNonextensibleElementsKind(from_kind));
+  DCHECK(IsFastElementsKind(to_kind) || IsNonextensibleElementsKind(to_kind));
   DCHECK_NE(TERMINAL_FAST_ELEMENTS_KIND, from_kind);
 
   UpdateAllocationSite(object, to_kind);
@@ -4735,6 +4744,7 @@ int JSObject::GetFastElementsUsage() {
     case PACKED_ELEMENTS:
     case PACKED_FROZEN_ELEMENTS:
     case PACKED_SEALED_ELEMENTS:
+    case PACKED_NONEXTENSIBLE_ELEMENTS:
       return IsJSArray() ? Smi::ToInt(JSArray::cast(*this).length())
                          : store.length();
     case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
@@ -4744,6 +4754,7 @@ int JSObject::GetFastElementsUsage() {
     case HOLEY_ELEMENTS:
     case HOLEY_FROZEN_ELEMENTS:
     case HOLEY_SEALED_ELEMENTS:
+    case HOLEY_NONEXTENSIBLE_ELEMENTS:
     case FAST_STRING_WRAPPER_ELEMENTS:
       return HoleyElementsUsage(*this, FixedArray::cast(store));
     case HOLEY_DOUBLE_ELEMENTS:
@@ -4801,6 +4812,8 @@ bool JSObject::IsApiWrapper() {
   return instance_type == JS_API_OBJECT_TYPE ||
          instance_type == JS_ARRAY_BUFFER_TYPE ||
          instance_type == JS_DATA_VIEW_TYPE ||
+         instance_type == JS_GLOBAL_OBJECT_TYPE ||
+         instance_type == JS_GLOBAL_PROXY_TYPE ||
          instance_type == JS_SPECIAL_API_OBJECT_TYPE ||
          instance_type == JS_TYPED_ARRAY_TYPE;
 }
@@ -4987,13 +5000,9 @@ void JSFunction::InitializeFeedbackCell(Handle<JSFunction> function) {
   Isolate* const isolate = function->GetIsolate();
 
   if (function->has_feedback_vector()) {
-    // TODO(984344): Make this a CHECK that feedback vectors are identical to
-    // what we expect once we have removed all bytecode generation differences
-    // between eager and lazy compilation. For now just reset if they aren't
-    // identical
-    FeedbackVector vector = function->feedback_vector();
-    if (vector.length() == vector.metadata().slot_count()) return;
-    function->raw_feedback_cell().reset();
+    CHECK_EQ(function->feedback_vector().length(),
+             function->feedback_vector().metadata().slot_count());
+    return;
   }
 
   bool needs_feedback_vector = !FLAG_lazy_feedback_allocation;
@@ -5241,7 +5250,6 @@ bool CanSubclassHaveInobjectProperties(InstanceType instance_type) {
     case JS_GLOBAL_PROXY_TYPE:
     case JS_PROXY_TYPE:
     case MAP_TYPE:
-    case MUTABLE_HEAP_NUMBER_TYPE:
     case ODDBALL_TYPE:
     case PROPERTY_CELL_TYPE:
     case SHARED_FUNCTION_INFO_TYPE: