nodejs · targos · Apr 6, 2020 · Apr 18, 2020
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 8
 #define V8_MINOR_VERSION 1
 #define V8_BUILD_NUMBER 307
-#define V8_PATCH_LEVEL 26
+#define V8_PATCH_LEVEL 30
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

diff --git a/deps/v8/src/builtins/builtins-function.cc b/deps/v8/src/builtins/builtins-function.cc
@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "src/api/api-inl.h"
 #include "src/builtins/builtins-utils-inl.h"
 #include "src/builtins/builtins.h"
 #include "src/codegen/code-factory.h"
@@ -31,7 +32,12 @@ MaybeHandle<Object> CreateDynamicFunction(Isolate* isolate,
 
   if (!Builtins::AllowDynamicFunction(isolate, target, target_global_proxy)) {
     isolate->CountUsage(v8::Isolate::kFunctionConstructorReturnedUndefined);
-    return isolate->factory()->undefined_value();
+    // TODO(verwaest): We would like to throw using the calling context instead
+    // of the entered context but we don't currently have access to that.
+    HandleScopeImplementer* impl = isolate->handle_scope_implementer();
+    SaveAndSwitchContext save(
+        isolate, impl->LastEnteredOrMicrotaskContext()->native_context());
+    THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kNoAccess), Object);
   }
 
   // Build the source string.

diff --git a/deps/v8/src/regexp/regexp-interpreter.cc b/deps/v8/src/regexp/regexp-interpreter.cc
@@ -1051,8 +1051,29 @@ IrregexpInterpreter::Result IrregexpInterpreter::MatchForCallFromJs(
     return IrregexpInterpreter::RETRY;
   }
 
-  return Match(isolate, regexp_obj, subject_string, registers, registers_length,
-               start_position, call_origin);
+  // In generated code, registers are allocated on the stack. The given
+  // `registers` argument is only guaranteed to hold enough space for permanent
+  // registers (i.e. for captures), and not for temporary registers used only
+  // during matcher execution. We match that behavior in the interpreter by
+  // using a SmallVector as internal register storage.
+  static constexpr int kBaseRegisterArraySize = 64;  // Arbitrary.
+  const int internal_register_count =
+      Smi::ToInt(regexp_obj.DataAt(JSRegExp::kIrregexpMaxRegisterCountIndex));
+  base::SmallVector<int, kBaseRegisterArraySize> internal_registers(
+      internal_register_count);
+
+  Result result =
+      Match(isolate, regexp_obj, subject_string, internal_registers.data(),
+            internal_register_count, start_position, call_origin);
+
+  // Copy capture registers to the output array.
+  if (result == IrregexpInterpreter::SUCCESS) {
+    CHECK_GE(internal_registers.size(), registers_length);
+    MemCopy(registers, internal_registers.data(),
+            registers_length * sizeof(registers[0]));
+  }
+
+  return result;
 }
 
 IrregexpInterpreter::Result IrregexpInterpreter::MatchForCallFromRuntime(

diff --git a/deps/v8/src/wasm/wasm-engine.cc b/deps/v8/src/wasm/wasm-engine.cc
@@ -129,6 +129,9 @@ class WasmGCForegroundTask : public CancelableTask {
 std::shared_ptr<NativeModule> NativeModuleCache::MaybeGetNativeModule(
     ModuleOrigin origin, Vector<const uint8_t> wire_bytes) {
   if (origin != kWasmOrigin) return nullptr;
+  // Temporarily disabled to fix stability issue on M-81
+  // (https://crbug.com/1070199).
+  if (!FLAG_future) return nullptr;
   base::MutexGuard lock(&mutex_);
   while (true) {
     auto it = map_.find(wire_bytes);
@@ -153,6 +156,9 @@ void NativeModuleCache::Update(std::shared_ptr<NativeModule> native_module,
                                bool error) {
   DCHECK_NOT_NULL(native_module);
   if (native_module->module()->origin != kWasmOrigin) return;
+  // Temporarily disabled to fix stability issue on M-81
+  // (https://crbug.com/1070199).
+  if (!FLAG_future) return;
   Vector<const uint8_t> wire_bytes = native_module->wire_bytes();
   base::MutexGuard lock(&mutex_);
   auto it = map_.find(wire_bytes);

diff --git a/deps/v8/test/cctest/cctest.status b/deps/v8/test/cctest/cctest.status
@@ -600,4 +600,11 @@
   'test-cpu-profiler/DeoptUntrackedFunction': [SKIP],
 }],  # variant == turboprop
 
+##############################################################################
+['variant != future', {
+  # Wasm native module cache is temporarily disabled in non-future variant
+  # (https://crbug.com/1070199)
+  'test-compilation-cache/*': [SKIP]
+}],  # variant != future
+
 ]
diff --git a/deps/v8/test/inspector/inspector.status b/deps/v8/test/inspector/inspector.status
@@ -84,5 +84,11 @@
 }],  # 'arch == s390 or arch == s390x'
 
 ##############################################################################
+['variant != future', {
+  # Wasm native module cache is temporarily disabled in non-future variant
+  # (https://crbug.com/1070199)
+  'debugger/wasm-scripts': [SKIP],
+}],  # variant != future
+
 
 ]
diff --git a/deps/v8/test/mjsunit/mjsunit.status b/deps/v8/test/mjsunit/mjsunit.status
@@ -157,6 +157,9 @@
   # OOM with too many isolates/memory objects (https://crbug.com/1010272)
   # Predictable tests fail due to race between postMessage and GrowMemory
   'regress/wasm/regress-1010272': [PASS, NO_VARIANTS, ['system == android', SKIP], ['predictable', SKIP]],
+
+  # Needs to be adapted after changes to Function constructor. chromium:1065094
+  'cross-realm-filtering': [SKIP],
 }],  # ALWAYS
 
 ##############################################################################

diff --git a/deps/v8/test/mjsunit/regress-1065094.js b/deps/v8/test/mjsunit/regress-1065094.js
@@ -0,0 +1,19 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(fnConstructor) {
+    return Object.is(new fnConstructor(), undefined);
+}
+
+const realmIndex = Realm.createAllowCrossRealmAccess();
+const otherFunction = Realm.global(realmIndex).Function;
+Realm.detachGlobal(realmIndex);
+
+%PrepareFunctionForOptimization(f);
+assertFalse(f(Function));
+assertThrows(_ => f(otherFunction));
+%OptimizeFunctionOnNextCall(f);
+assertThrows(_ => f(otherFunction));
diff --git a/deps/v8/test/mjsunit/regress/regress-1067270.js b/deps/v8/test/mjsunit/regress/regress-1067270.js
@@ -0,0 +1,11 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+const needle = Array(1802).join(" +") + Array(16884).join("A");
+const string = "A";
+
+assertEquals(string.search(needle), -1);
+assertEquals(string.search(needle), -1);