diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 79ab6bb5753c6b..e34be9b283f45c 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 11
 #define V8_MINOR_VERSION 8
 #define V8_BUILD_NUMBER 172
-#define V8_PATCH_LEVEL 13
+#define V8_PATCH_LEVEL 15
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/compiler/js-call-reducer.cc b/deps/v8/src/compiler/js-call-reducer.cc
index 65fd9b61753b39..caec49b87c5282 100644
--- a/deps/v8/src/compiler/js-call-reducer.cc
+++ b/deps/v8/src/compiler/js-call-reducer.cc
@@ -6381,8 +6381,11 @@ Reduction JSCallReducer::ReduceArrayIterator(Node* node,
     }
   }
 
+  // JSCreateArrayIterator doesn't have control output, so we bypass the old
+  // JSCall node on the control chain.
+  ReplaceWithValue(node, node, node, control);
+
   // Morph the {node} into a JSCreateArrayIterator with the given {kind}.
-  RelaxControls(node);
   node->ReplaceInput(0, receiver);
   node->ReplaceInput(1, context);
   node->ReplaceInput(2, effect);
diff --git a/deps/v8/src/ic/ic.cc b/deps/v8/src/ic/ic.cc
index 630f4db9c82ae2..98af9536effafa 100644
--- a/deps/v8/src/ic/ic.cc
+++ b/deps/v8/src/ic/ic.cc
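Review bot: The added comment above `ReplaceWithValue(node, node, node, control)` explains the mechanism but gives a reader no way back to the failure it fixes; since this commit also lands `test/mjsunit/compiler/regress-crbug-1486342.js` under the compiler tests, I would extend the comment with `// See crbug.com/1486342.` so the control-chain rerouting stays traceable to its regression test. That the compiler hunk rather than the ic.cc change is the fix the test exercises is inferred from the test's location, not from a commit message, which is not in view. Note that this call reroutes the old JSCall's value, effect and control users before the node's own inputs are rewritten on the following lines; ReduceArrayIterator starts and ends outside this hunk, so the remaining `ReplaceInput`/`ChangeOp` steps cannot be checked here.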
@@ -3185,18 +3185,22 @@ bool CanFastCloneObjectWithDifferentMaps(Handle source_map,
                                          Handle target_map,
                                          Isolate* isolate) {
   DisallowGarbageCollection no_gc;
-  // TODO(olivf): Add support for non JS_OBJECT_TYPE source maps. The reason for
-  // this restriction is that the IC does not initialize the target object and
-  // instead relies on copying the source objects bytes. Thus they need to have
-  // the same binary layout.
+  // Ensure source and target have identical binary represenation of properties
+  // and elements as the IC relies on copying the raw bytes. This also excludes
+  // cases with non-enumerable properties or accessors on the source object.
   if (source_map->instance_type() != JS_OBJECT_TYPE ||
       target_map->instance_type() != JS_OBJECT_TYPE ||
       !source_map->OnlyHasSimpleProperties() ||
-      !target_map->OnlyHasSimpleProperties()) {
+      !target_map->OnlyHasSimpleProperties() ||
+      source_map->elements_kind() != target_map->elements_kind() ||
+      !source_map->has_fast_elements()) {
     return false;
   }
   // Check that the source inobject properties are big enough to initialize all
   // target slots, but not too big to fit.
+  // TODO(olivf): This restriction (and the same restriction on the backing
+  // store) could be lifted by properly initializing the target object instead
+  // of relying on copying empty slots.
   int source_inobj_properties = source_map->GetInObjectProperties();
   int target_inobj_properties = target_map->GetInObjectProperties();
   int source_used_inobj_properties =
diff --git a/deps/v8/test/mjsunit/compiler/regress-crbug-1486342.js b/deps/v8/test/mjsunit/compiler/regress-crbug-1486342.js
new file mode 100644
index 00000000000000..c35a7339801d03
--- /dev/null
+++ b/deps/v8/test/mjsunit/compiler/regress-crbug-1486342.js
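Review bot: The comment introduced above the fast-path check has a typo, `represenation` should be `representation`, and since that comment now states the invariant that makes the raw-byte copy safe it is worth being exact. I would also make the asymmetry of the last condition explicit, because only the source map is tested with `has_fast_elements()` while the target is covered only indirectly by the preceding `elements_kind()` equality; a line such as `// elements_kind equality above makes the target's elements fast as well.` saves the next reader from wondering whether a target check was forgotten (this assumes `has_fast_elements()` is derived from `elements_kind()`, which is not visible here). The in-object-property size comparison that the new TODO refers to continues past the end of this hunk, and the backing-store restriction it mentions is not in view at all.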
@@ -0,0 +1,25 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --jit-fuzzing
+
+const o13 = {
+  "maxByteLength": 5368789,
+};
+const v14 = new ArrayBuffer(129, o13);
+const v16 = new Uint16Array(v14);
+
+function f3(param) {
+  for (let i = 0; i < 5; i++) {
+    try {"resize".includes(v14); } catch (e) {}
+    v14.resize(3.0, ..."resize", ...v16);
+  }
+
+  let f = function() { return param; }
+}
+
+%PrepareFunctionForOptimization(f3);
+f3();
+%OptimizeFunctionOnNextCall(f3);
+f3();
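Review bot: The new test never says which operation it is meant to exercise, and with its fuzzer-shaped names (`o13`, `v14`, `v16`, the unused `param` and closure `f`) a reader cannot tell whether the `...v16` spread of a Uint16Array over a resizable buffer or the `v14.resize(...)` call inside the optimized function is the trigger. I would add one line above `f3`, along the lines of `// Spread of a TypedArray on a resizable ArrayBuffer inside an optimized function; see crbug.com/1486342.`, with the exact wording checked against the bug since the commit message is not in view. The `try {"resize".includes(v14); } catch (e) {}` line and the unused closure look like fuzzer residue, but they should only be trimmed after confirming the reduced test still reproduces the original failure, since silent success here is the whole point of the regression check.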