From 3664807fc083b233c8efc35dc9bb4acf41525f68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Mon, 6 Apr 2020 21:29:15 +0200 Subject: [PATCH] deps: patch V8 to 8.1.307.30 PR-URL: https://github.com/nodejs/node/pull/32693 Refs: https://github.com/v8/v8/compare/8.1.307.26...8.1.307.28 Reviewed-By: Matheus Marchini Reviewed-By: Colin Ihrig Reviewed-By: Beth Griggs --- deps/v8/include/v8-version.h | 2 +- deps/v8/src/builtins/builtins-function.cc | 8 +++++- deps/v8/src/regexp/regexp-interpreter.cc | 25 +++++++++++++++++-- deps/v8/src/wasm/wasm-engine.cc | 6 +++++ deps/v8/test/cctest/cctest.status | 7 ++++++ deps/v8/test/inspector/inspector.status | 6 +++++ deps/v8/test/mjsunit/mjsunit.status | 3 +++ deps/v8/test/mjsunit/regress-1065094.js | 19 ++++++++++++++ .../test/mjsunit/regress/regress-1067270.js | 11 ++++++++ 9 files changed, 83 insertions(+), 4 deletions(-) create mode 100644 deps/v8/test/mjsunit/regress-1065094.js create mode 100644 deps/v8/test/mjsunit/regress/regress-1067270.js diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index 4fd23ab095329f..39e5a9bcc984b6 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 8 #define V8_MINOR_VERSION 1 #define V8_BUILD_NUMBER 307 -#define V8_PATCH_LEVEL 26 +#define V8_PATCH_LEVEL 30 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/builtins/builtins-function.cc b/deps/v8/src/builtins/builtins-function.cc index e13c670f00d5ff..b3fbc4fd94bea5 100644 --- a/deps/v8/src/builtins/builtins-function.cc +++ b/deps/v8/src/builtins/builtins-function.cc @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. +#include "src/api/api-inl.h" #include "src/builtins/builtins-utils-inl.h" #include "src/builtins/builtins.h" #include "src/codegen/code-factory.h" 
@@ -31,7 +32,12 @@ MaybeHandle CreateDynamicFunction(Isolate* isolate, if (!Builtins::AllowDynamicFunction(isolate, target, target_global_proxy)) { isolate->CountUsage(v8::Isolate::kFunctionConstructorReturnedUndefined); - return isolate->factory()->undefined_value(); + // TODO(verwaest): We would like to throw using the calling context instead + // of the entered context but we don't currently have access to that. + HandleScopeImplementer* impl = isolate->handle_scope_implementer(); + SaveAndSwitchContext save( + isolate, impl->LastEnteredOrMicrotaskContext()->native_context()); + THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kNoAccess), Object); } // Build the source string. diff --git a/deps/v8/src/regexp/regexp-interpreter.cc b/deps/v8/src/regexp/regexp-interpreter.cc index a78d73f86359b9..a74df90c1d9f33 100644 --- a/deps/v8/src/regexp/regexp-interpreter.cc +++ b/deps/v8/src/regexp/regexp-interpreter.cc 
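Review bot: The usage counter on the context line just above the new throw, `v8::Isolate::kFunctionConstructorReturnedUndefined`, no longer describes this branch, which now throws `kNoAccess` instead of returning undefined. A one-line comment would keep the telemetry readable, for example `// Counter name is historical: this path now throws a TypeError instead of returning undefined.` The TODO could also state that the error object is created in the last entered (or microtask) native context, so an embedder knows which realm's TypeError to expect when the calling and entered contexts differ. CreateDynamicFunction starts before and continues after this hunk.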
@@ -1051,8 +1051,29 @@ IrregexpInterpreter::Result IrregexpInterpreter::MatchForCallFromJs( return IrregexpInterpreter::RETRY; } - return Match(isolate, regexp_obj, subject_string, registers, registers_length, - start_position, call_origin); + // In generated code, registers are allocated on the stack. The given + // `registers` argument is only guaranteed to hold enough space for permanent + // registers (i.e. for captures), and not for temporary registers used only + // during matcher execution. We match that behavior in the interpreter by + // using a SmallVector as internal register storage. + static constexpr int kBaseRegisterArraySize = 64; // Arbitrary. + const int internal_register_count = + Smi::ToInt(regexp_obj.DataAt(JSRegExp::kIrregexpMaxRegisterCountIndex)); + base::SmallVector internal_registers( + internal_register_count); + + Result result = + Match(isolate, regexp_obj, subject_string, internal_registers.data(), + internal_register_count, start_position, call_origin); + + // Copy capture registers to the output array. + if (result == IrregexpInterpreter::SUCCESS) { + CHECK_GE(internal_registers.size(), registers_length); + MemCopy(registers, internal_registers.data(), + registers_length * sizeof(registers[0])); + } + + return result; } IrregexpInterpreter::Result IrregexpInterpreter::MatchForCallFromRuntime( diff --git a/deps/v8/src/wasm/wasm-engine.cc b/deps/v8/src/wasm/wasm-engine.cc index 28b0aa0ca5c838..c1fceb83113cb8 100644 --- a/deps/v8/src/wasm/wasm-engine.cc +++ b/deps/v8/src/wasm/wasm-engine.cc @@ -129,6 +129,9 @@ class WasmGCForegroundTask : public CancelableTask { std::shared_ptr NativeModuleCache::MaybeGetNativeModule( ModuleOrigin origin, Vector wire_bytes) { if (origin != kWasmOrigin) return nullptr; + // Temporarily disabled to fix stability issue on M-81 + // (https://crbug.com/1070199). + if (!FLAG_future) return nullptr; base::MutexGuard lock(&mutex_); while (true) { auto it = map_.find(wire_bytes); 
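Review bot: The guard before `MemCopy` bounds `registers_length` only from above, and it compares a `size_t` with what appears to be a signed length (the parameter declaration is outside the hunk). If the length is signed, a negative value is not obviously rejected by that comparison and would turn into a very large byte count in `registers_length * sizeof(registers[0])`. Adding `CHECK_GE(registers_length, 0);` just before the existing check makes the copy bound explicit. The same applies to `internal_register_count`, which is read from the regexp data and sizes the vector without a range check, so `CHECK_GE(internal_register_count, 0);` after the `Smi::ToInt` read would document the expectation. The function's signature and opening lines are outside the hunk.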
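Review bot: The early return `if (!FLAG_future) return nullptr;` in MaybeGetNativeModule is repeated as `if (!FLAG_future) return;` in NativeModuleCache::Update in the next hunk, and nothing records that the two must be removed together when the cache is re-enabled. The `while (true)` lookup after the guard suggests, though the hunk does not show it, that a lookup can wait on a matching Update, so re-enabling only one side could leave lookups waiting. A TODO next to both comments, such as `// TODO(crbug.com/1070199): remove together with the matching guard in Update().`, would record that. Both function bodies continue outside their hunks.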
@@ -153,6 +156,9 @@ void NativeModuleCache::Update(std::shared_ptr native_module, bool error) { DCHECK_NOT_NULL(native_module); if (native_module->module()->origin != kWasmOrigin) return; + // Temporarily disabled to fix stability issue on M-81 + // (https://crbug.com/1070199). + if (!FLAG_future) return; Vector wire_bytes = native_module->wire_bytes(); base::MutexGuard lock(&mutex_); auto it = map_.find(wire_bytes); diff --git a/deps/v8/test/cctest/cctest.status b/deps/v8/test/cctest/cctest.status index c4f41001d31edc..06583f6bd5ea20 100644 --- a/deps/v8/test/cctest/cctest.status +++ b/deps/v8/test/cctest/cctest.status @@ -600,4 +600,11 @@ 'test-cpu-profiler/DeoptUntrackedFunction': [SKIP], }], # variant == turboprop +############################################################################## +['variant != future', { + # Wasm native module cache is temporarily disabled in non-future variant + # (https://crbug.com/1070199) + 'test-compilation-cache/*': [SKIP] +}], # variant != future + ] diff --git a/deps/v8/test/inspector/inspector.status b/deps/v8/test/inspector/inspector.status index 8fe52411aad80b..0b6d8abda21a78 100644 --- a/deps/v8/test/inspector/inspector.status +++ b/deps/v8/test/inspector/inspector.status @@ -84,5 +84,11 @@ }], # 'arch == s390 or arch == s390x' ############################################################################## +['variant != future', { + # Wasm native module cache is temporarily disabled in non-future variant + # (https://crbug.com/1070199) + 'debugger/wasm-scripts': [SKIP], +}], # variant != future + ] diff --git a/deps/v8/test/mjsunit/mjsunit.status b/deps/v8/test/mjsunit/mjsunit.status index c44d07be9bbe8c..dd3b2dcb87e69d 100644 --- a/deps/v8/test/mjsunit/mjsunit.status +++ b/deps/v8/test/mjsunit/mjsunit.status 
@@ -157,6 +157,9 @@ # OOM with too many isolates/memory objects (https://crbug.com/1010272) # Predictable tests fail due to race between postMessage and GrowMemory 'regress/wasm/regress-1010272': [PASS, NO_VARIANTS, ['system == android', SKIP], ['predictable', SKIP]], + + # Needs to be adapted after changes to Function constructor. chromium:1065094 + 'cross-realm-filtering': [SKIP], }], # ALWAYS ############################################################################## diff --git a/deps/v8/test/mjsunit/regress-1065094.js b/deps/v8/test/mjsunit/regress-1065094.js new file mode 100644 index 00000000000000..365e20285bb050 --- /dev/null +++ b/deps/v8/test/mjsunit/regress-1065094.js @@ -0,0 +1,19 @@ +// Copyright 2020 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function f(fnConstructor) { + return Object.is(new fnConstructor(), undefined); +} + +const realmIndex = Realm.createAllowCrossRealmAccess(); +const otherFunction = Realm.global(realmIndex).Function; +Realm.detachGlobal(realmIndex); + +%PrepareFunctionForOptimization(f); +assertFalse(f(Function)); +assertThrows(_ => f(otherFunction)); +%OptimizeFunctionOnNextCall(f); +assertThrows(_ => f(otherFunction)); diff --git a/deps/v8/test/mjsunit/regress/regress-1067270.js b/deps/v8/test/mjsunit/regress/regress-1067270.js new file mode 100644 index 00000000000000..1c6eddf505aa55 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-1067270.js @@ -0,0 +1,11 @@ +// Copyright 2020 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. +// +// Flags: --allow-natives-syntax + +const needle = Array(1802).join(" +") + Array(16884).join("A"); +const string = "A"; + +assertEquals(string.search(needle), -1); +assertEquals(string.search(needle), -1);
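Review bot: Both `assertThrows(_ => f(otherFunction))` calls in regress-1065094.js pass for any exception, so the test would still succeed if the detached-realm constructor failed for an unrelated reason. The C++ change in this patch throws `NewTypeError(MessageTemplate::kNoAccess)`, so the assertion can pin the type with `assertThrows(_ => f(otherFunction), TypeError);`. That only holds if the error is created in the test's own realm, which the TODO in the C++ change suggests but the test does not confirm. The file is also added under `test/mjsunit/`, while the other new regression test in this patch goes under `test/mjsunit/regress/`.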