summaryrefslogtreecommitdiff
path: root/deps
diff options
context:
space:
mode:
authorMyles Borins <mylesborins@google.com>2019-11-20 12:32:59 -0500
committerMyles Borins <mylesborins@google.com>2019-11-21 13:36:13 -0500
commitcf1f1de1e621b311c7c50fc231159b8b918169f0 (patch)
treea6d0145de47d2877d8a1c79065314f636100c177 /deps
parent03b5c46bc41f8ffd8d30c7902247134e091dc8e9 (diff)
downloadandroid-node-v8-cf1f1de1e621b311c7c50fc231159b8b918169f0.tar.gz
android-node-v8-cf1f1de1e621b311c7c50fc231159b8b918169f0.tar.bz2
android-node-v8-cf1f1de1e621b311c7c50fc231159b8b918169f0.zip
deps: patch V8 to 7.9.317.23
Refs: https://github.com/v8/v8/compare/7.9.317.20...7.9.317.23 PR-URL: https://github.com/nodejs/node/pull/30560 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Diffstat (limited to 'deps')
-rw-r--r--deps/v8/include/v8-version.h2
-rw-r--r--deps/v8/src/execution/isolate.cc5
-rw-r--r--deps/v8/src/objects/backing-store.cc10
-rw-r--r--deps/v8/src/objects/fixed-array.h6
-rw-r--r--deps/v8/src/objects/objects.cc14
-rw-r--r--deps/v8/src/wasm/wasm-objects.cc7
-rw-r--r--deps/v8/test/mjsunit/mjsunit.status3
-rw-r--r--deps/v8/test/mjsunit/regress/regress-1016703.js15
-rw-r--r--deps/v8/test/mjsunit/regress/wasm/regress-1010272.js30
9 files changed, 85 insertions, 7 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 298b479329..8970c573ef 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 7
#define V8_MINOR_VERSION 9
#define V8_BUILD_NUMBER 317
-#define V8_PATCH_LEVEL 20
+#define V8_PATCH_LEVEL 23
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/execution/isolate.cc b/deps/v8/src/execution/isolate.cc
index 2b6bb76d8a..e2d5ce8a40 100644
--- a/deps/v8/src/execution/isolate.cc
+++ b/deps/v8/src/execution/isolate.cc
@@ -4274,9 +4274,8 @@ void Isolate::AddDetachedContext(Handle<Context> context) {
HandleScope scope(this);
Handle<WeakArrayList> detached_contexts = factory()->detached_contexts();
detached_contexts = WeakArrayList::AddToEnd(
- this, detached_contexts, MaybeObjectHandle(Smi::kZero, this));
- detached_contexts = WeakArrayList::AddToEnd(this, detached_contexts,
- MaybeObjectHandle::Weak(context));
+ this, detached_contexts, MaybeObjectHandle(Smi::kZero, this),
+ MaybeObjectHandle::Weak(context));
heap()->set_detached_contexts(*detached_contexts);
}
diff --git a/deps/v8/src/objects/backing-store.cc b/deps/v8/src/objects/backing-store.cc
index 7f6d2251a7..cc6741765e 100644
--- a/deps/v8/src/objects/backing-store.cc
+++ b/deps/v8/src/objects/backing-store.cc
@@ -605,8 +605,14 @@ std::shared_ptr<BackingStore> GlobalBackingStoreRegistry::Lookup(
return std::shared_ptr<BackingStore>();
}
auto backing_store = result->second.lock();
- DCHECK_EQ(buffer_start, backing_store->buffer_start());
- DCHECK_EQ(length, backing_store->byte_length());
+ CHECK_EQ(buffer_start, backing_store->buffer_start());
+ if (backing_store->is_wasm_memory()) {
+ // Grow calls to shared WebAssembly threads can be triggered from different
+ // workers, length equality cannot be guaranteed here.
+ CHECK_LE(length, backing_store->byte_length());
+ } else {
+ CHECK_EQ(length, backing_store->byte_length());
+ }
return backing_store;
}
diff --git a/deps/v8/src/objects/fixed-array.h b/deps/v8/src/objects/fixed-array.h
index 1963eef728..b9d644b492 100644
--- a/deps/v8/src/objects/fixed-array.h
+++ b/deps/v8/src/objects/fixed-array.h
@@ -338,6 +338,12 @@ class WeakArrayList : public HeapObject {
Isolate* isolate, Handle<WeakArrayList> array,
const MaybeObjectHandle& value);
+ // A version that adds to elements. This ensures that the elements are
+ // inserted atomically w.r.t GC.
+ V8_EXPORT_PRIVATE static Handle<WeakArrayList> AddToEnd(
+ Isolate* isolate, Handle<WeakArrayList> array,
+ const MaybeObjectHandle& value1, const MaybeObjectHandle& value2);
+
inline MaybeObject Get(int index) const;
inline MaybeObject Get(Isolate* isolate, int index) const;
diff --git a/deps/v8/src/objects/objects.cc b/deps/v8/src/objects/objects.cc
index ec4a8594f6..227cff8da4 100644
--- a/deps/v8/src/objects/objects.cc
+++ b/deps/v8/src/objects/objects.cc
@@ -3951,6 +3951,20 @@ Handle<WeakArrayList> WeakArrayList::AddToEnd(Isolate* isolate,
return array;
}
+Handle<WeakArrayList> WeakArrayList::AddToEnd(Isolate* isolate,
+ Handle<WeakArrayList> array,
+ const MaybeObjectHandle& value1,
+ const MaybeObjectHandle& value2) {
+ int length = array->length();
+ array = EnsureSpace(isolate, array, length + 2);
+ // Reload length; GC might have removed elements from the array.
+ length = array->length();
+ array->Set(length, *value1);
+ array->Set(length + 1, *value2);
+ array->set_length(length + 2);
+ return array;
+}
+
bool WeakArrayList::IsFull() { return length() == capacity(); }
// static
diff --git a/deps/v8/src/wasm/wasm-objects.cc b/deps/v8/src/wasm/wasm-objects.cc
index 14e682ce23..93ce345a5f 100644
--- a/deps/v8/src/wasm/wasm-objects.cc
+++ b/deps/v8/src/wasm/wasm-objects.cc
@@ -1375,7 +1375,12 @@ int32_t WasmMemoryObject::Grow(Isolate* isolate,
new_pages);
// Broadcasting the update should update this memory object too.
CHECK_NE(*old_buffer, memory_object->array_buffer());
- CHECK_EQ(new_byte_length, memory_object->array_buffer().byte_length());
+ // This is a less than check, as it is not guaranteed that the SAB
+ // length here will be equal to the stashed length above as calls to
+ // grow the same memory object can come in from different workers.
+ // It is also possible that a call to Grow was in progress when
+ // handling this call.
+ CHECK_LE(new_byte_length, memory_object->array_buffer().byte_length());
return static_cast<int32_t>(old_pages); // success
}
}
diff --git a/deps/v8/test/mjsunit/mjsunit.status b/deps/v8/test/mjsunit/mjsunit.status
index f0d473f84a..4fbc027c69 100644
--- a/deps/v8/test/mjsunit/mjsunit.status
+++ b/deps/v8/test/mjsunit/mjsunit.status
@@ -930,6 +930,9 @@
# Deadlocks on predictable platform (https://crbug.com/v8/9760).
'wasm/async-compile': [SKIP],
'wasm/streaming-compile': [SKIP],
+
+ # Race between postMessage and wasm memory.grow. (https://crbug.com/1010272).
+ 'regress/wasm/regress-1010272': [SKIP],
}], # 'predictable == True'
##############################################################################
diff --git a/deps/v8/test/mjsunit/regress/regress-1016703.js b/deps/v8/test/mjsunit/regress/regress-1016703.js
new file mode 100644
index 0000000000..6830d194fd
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-1016703.js
@@ -0,0 +1,15 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+let realms = [];
+for (let i = 0; i < 4; i++) {
+ realms.push(Realm.createAllowCrossRealmAccess());
+}
+
+for (let i = 0; i < 4; i++) {
+ Realm.detachGlobal(realms[i]);
+ gc();
+}
diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-1010272.js b/deps/v8/test/mjsunit/regress/wasm/regress-1010272.js
new file mode 100644
index 0000000000..ff685eda79
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/wasm/regress-1010272.js
@@ -0,0 +1,30 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-grow-shared-memory --experimental-wasm-threads
+
+const kNumWorkers = 100;
+const kNumMessages = 50;
+
+function AllocMemory(initial, maximum = initial) {
+ return new WebAssembly.Memory({initial : initial, maximum : maximum, shared : true});
+}
+
+(function RunTest() {
+ let worker = [];
+ for (let w = 0; w < kNumWorkers; w++) {
+ worker[w] = new Worker(
+ `onmessage =
+ function(msg) {
+ msg.memory.grow(1);
+ }`, {type : 'string'});
+ }
+
+ for (let i = 0; i < kNumMessages; i++) {
+ let memory = AllocMemory(1, 128);
+ for (let w = 0; w < kNumWorkers; w++) {
+ worker[w].postMessage({memory : memory});
+ }
+ }
+})();