deps: patch V8 to 6.4.388.44

PR-URL: https://github.com/nodejs/node/pull/18687 Refs: https://github.com/v8/v8/compare/6.4.388.42...6.4.388.44 Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
2018-02-09 18:30:22 -05:00 · 2018-02-09 18:30:22 -05:00 · b6000d8285
commit b6000d8285
parent 6abce37f34
7 changed files with 77 additions and 36 deletions
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 4
 #define V8_BUILD_NUMBER 388
-#define V8_PATCH_LEVEL 42
+#define V8_PATCH_LEVEL 44
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
--- a/deps/v8/src/objects-inl.h
+++ b/deps/v8/src/objects-inl.h
@ -2231,7 +2231,8 @@ int Map::NumberOfOwnDescriptors() const {
 void Map::SetNumberOfOwnDescriptors(int number) {
-  DCHECK(number <= instance_descriptors()->number_of_descriptors());
+  CHECK_LE(static_cast<unsigned>(number),
           static_cast<unsigned>(kMaxNumberOfDescriptors));
  set_bit_field3(NumberOfOwnDescriptorsBits::update(bit_field3(), number));
 }
@ -2239,8 +2240,9 @@ int Map::EnumLength() const { return EnumLengthBits::decode(bit_field3()); }
 void Map::SetEnumLength(int length) {
  if (length != kInvalidEnumCacheSentinel) {
-    DCHECK_GE(length, 0);
+    DCHECK_LE(length, NumberOfOwnDescriptors());
-    DCHECK(length <= NumberOfOwnDescriptors());
+    CHECK_LE(static_cast<unsigned>(length),
             static_cast<unsigned>(kMaxNumberOfDescriptors));
  }
  set_bit_field3(EnumLengthBits::update(bit_field3(), length));
 }
@ -3002,9 +3004,9 @@ int Map::instance_size() const {
 }
 void Map::set_instance_size(int value) {
-  DCHECK_EQ(0, value & (kPointerSize - 1));
+  CHECK_EQ(0, value & (kPointerSize - 1));
  value >>= kPointerSizeLog2;
-  DCHECK(0 <= value && value < 256);
+  CHECK_LT(static_cast<unsigned>(value), 256);
  set_instance_size_in_words(value);
 }
@ -3015,8 +3017,7 @@ int Map::inobject_properties_start_or_constructor_function_index() const {
 void Map::set_inobject_properties_start_or_constructor_function_index(
    int value) {
-  DCHECK_LE(0, value);
+  CHECK_LT(static_cast<unsigned>(value), 256);
  DCHECK_LT(value, 256);
  RELAXED_WRITE_BYTE_FIELD(
      this, kInObjectPropertiesStartOrConstructorFunctionIndexOffset,
      static_cast<byte>(value));
@ -3028,7 +3029,7 @@ int Map::GetInObjectPropertiesStartInWords() const {
 }
 void Map::SetInObjectPropertiesStartInWords(int value) {
-  DCHECK(IsJSObjectMap());
+  CHECK(IsJSObjectMap());
  set_inobject_properties_start_or_constructor_function_index(value);
 }
@ -3044,7 +3045,7 @@ int Map::GetConstructorFunctionIndex() const {
 void Map::SetConstructorFunctionIndex(int value) {
-  DCHECK(IsPrimitiveMap());
+  CHECK(IsPrimitiveMap());
  set_inobject_properties_start_or_constructor_function_index(value);
 }
@ -3153,8 +3154,7 @@ int Map::used_or_unused_instance_size_in_words() const {
 }
 void Map::set_used_or_unused_instance_size_in_words(int value) {
-  DCHECK_LE(0, value);
+  CHECK_LE(static_cast<unsigned>(value), 255);
  DCHECK_LE(value, 255);
  WRITE_BYTE_FIELD(this, kUsedOrUnusedInstanceSizeInWordsOffset,
                   static_cast<byte>(value));
 }
@ -3172,12 +3172,12 @@ int Map::UsedInstanceSize() const {
 void Map::SetInObjectUnusedPropertyFields(int value) {
  STATIC_ASSERT(JSObject::kFieldsAdded == JSObject::kHeaderSize / kPointerSize);
  if (!IsJSObjectMap()) {
-    DCHECK_EQ(0, value);
+    CHECK_EQ(0, value);
    set_used_or_unused_instance_size_in_words(0);
    DCHECK_EQ(0, UnusedPropertyFields());
    return;
  }
-  DCHECK_LE(0, value);
+  CHECK_LE(0, value);
  DCHECK_LE(value, GetInObjectProperties());
  int used_inobject_properties = GetInObjectProperties() - value;
  set_used_or_unused_instance_size_in_words(
@ -3187,8 +3187,7 @@ void Map::SetInObjectUnusedPropertyFields(int value) {
 void Map::SetOutOfObjectUnusedPropertyFields(int value) {
  STATIC_ASSERT(JSObject::kFieldsAdded == JSObject::kHeaderSize / kPointerSize);
-  DCHECK_LE(0, value);
+  CHECK_LT(static_cast<unsigned>(value), JSObject::kFieldsAdded);
  DCHECK_LT(value, JSObject::kFieldsAdded);
  // For out of object properties "used_instance_size_in_words" byte encodes
  // the slack in the property array.
  set_used_or_unused_instance_size_in_words(value);
@ -3227,8 +3226,8 @@ void Map::AccountAddedOutOfObjectPropertyField(int unused_in_property_array) {
  if (unused_in_property_array < 0) {
    unused_in_property_array += JSObject::kFieldsAdded;
  }
-  DCHECK_GE(unused_in_property_array, 0);
+  CHECK_LT(static_cast<unsigned>(unused_in_property_array),
-  DCHECK_LT(unused_in_property_array, JSObject::kFieldsAdded);
+           JSObject::kFieldsAdded);
  set_used_or_unused_instance_size_in_words(unused_in_property_array);
  DCHECK_EQ(unused_in_property_array, UnusedPropertyFields());
 }
@ -3358,7 +3357,7 @@ bool Map::should_be_fast_prototype_map() const {
 }
 void Map::set_elements_kind(ElementsKind elements_kind) {
-  DCHECK_LT(static_cast<int>(elements_kind), kElementsKindCount);
+  CHECK_LT(static_cast<int>(elements_kind), kElementsKindCount);
  DCHECK_LE(kElementsKindCount, 1 << Map::ElementsKindBits::kSize);
  set_bit_field2(Map::ElementsKindBits::update(bit_field2(), elements_kind));
  DCHECK(this->elements_kind() == elements_kind);
@ -3700,7 +3699,7 @@ Object* Map::prototype_info() const {
 void Map::set_prototype_info(Object* value, WriteBarrierMode mode) {
-  DCHECK(is_prototype_map());
+  CHECK(is_prototype_map());
  WRITE_FIELD(this, Map::kTransitionsOrPrototypeInfoOffset, value);
  CONDITIONAL_WRITE_BARRIER(
      GetHeap(), this, Map::kTransitionsOrPrototypeInfoOffset, value, mode);
@ -3708,11 +3707,11 @@ void Map::set_prototype_info(Object* value, WriteBarrierMode mode) {
 void Map::SetBackPointer(Object* value, WriteBarrierMode mode) {
-  DCHECK(instance_type() >= FIRST_JS_RECEIVER_TYPE);
+  CHECK_GE(instance_type(), FIRST_JS_RECEIVER_TYPE);
-  DCHECK(value->IsMap());
+  CHECK(value->IsMap());
-  DCHECK(GetBackPointer()->IsUndefined(GetIsolate()));
+  CHECK(GetBackPointer()->IsUndefined(GetIsolate()));
-  DCHECK(!value->IsMap() ||
+  CHECK_IMPLIES(value->IsMap(), Map::cast(value)->GetConstructor() ==
-         Map::cast(value)->GetConstructor() == constructor_or_backpointer());
+                                    constructor_or_backpointer());
  set_constructor_or_backpointer(value, mode);
 }
@ -3743,7 +3742,7 @@ FunctionTemplateInfo* Map::GetFunctionTemplateInfo() const {
 void Map::SetConstructor(Object* constructor, WriteBarrierMode mode) {
  // Never overwrite a back pointer with a constructor.
-  DCHECK(!constructor_or_backpointer()->IsMap());
+  CHECK(!constructor_or_backpointer()->IsMap());
  set_constructor_or_backpointer(constructor, mode);
 }
--- a/deps/v8/src/objects.cc
+++ b/deps/v8/src/objects.cc
@ -13014,14 +13014,19 @@ MaybeHandle<Map> JSFunction::GetDerivedMap(Isolate* isolate,
                          constructor_initial_map->UnusedPropertyFields();
      int instance_size;
      int in_object_properties;
-      CalculateInstanceSizeForDerivedClass(function, instance_type,
+      bool success = CalculateInstanceSizeForDerivedClass(
-                                           embedder_fields, &instance_size,
+          function, instance_type, embedder_fields, &instance_size,
-                                           &in_object_properties);
+          &in_object_properties);
      int unused_property_fields = in_object_properties - pre_allocated;
-      Handle<Map> map =
+
-          Map::CopyInitialMap(constructor_initial_map, instance_size,
+      Handle<Map> map;
-                              in_object_properties, unused_property_fields);
+      if (success) {
        map = Map::CopyInitialMap(constructor_initial_map, instance_size,
                                  in_object_properties, unused_property_fields);
      } else {
        map = Map::CopyInitialMap(constructor_initial_map);
      }
      map->set_new_target_is_base(false);
      JSFunction::SetInitialMap(function, map, prototype);
@ -13726,12 +13731,14 @@ void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type,
                          requested_embedder_fields;
 }
-void JSFunction::CalculateInstanceSizeForDerivedClass(
+// static
 bool JSFunction::CalculateInstanceSizeForDerivedClass(
    Handle<JSFunction> function, InstanceType instance_type,
    int requested_embedder_fields, int* instance_size,
    int* in_object_properties) {
  Isolate* isolate = function->GetIsolate();
  int expected_nof_properties = 0;
  bool result = true;
  for (PrototypeIterator iter(isolate, function, kStartAtReceiver);
       !iter.IsAtEnd(); iter.Advance()) {
    Handle<JSReceiver> current =
@ -13745,6 +13752,11 @@ void JSFunction::CalculateInstanceSizeForDerivedClass(
        Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) {
      DCHECK(shared->is_compiled());
      expected_nof_properties += shared->expected_nof_properties();
    } else if (!shared->is_compiled()) {
      // In case there was a compilation error for the constructor we will
      // throw an error during instantiation. Hence we directly return 0;
      result = false;
      break;
    }
    if (!IsDerivedConstructor(shared->kind())) {
      break;
@ -13753,6 +13765,7 @@ void JSFunction::CalculateInstanceSizeForDerivedClass(
  CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields,
                              expected_nof_properties, instance_size,
                              in_object_properties);
  return result;
 }
--- a/deps/v8/src/objects.h
+++ b/deps/v8/src/objects.h
@ -4082,7 +4082,7 @@ class JSFunction: public JSObject {
  DECL_CAST(JSFunction)
  // Calculate the instance size and in-object properties count.
-  static void CalculateInstanceSizeForDerivedClass(
+  static bool CalculateInstanceSizeForDerivedClass(
      Handle<JSFunction> function, InstanceType instance_type,
      int requested_embedder_fields, int* instance_size,
      int* in_object_properties);
--- a/deps/v8/src/profiler/heap-snapshot-generator.cc
+++ b/deps/v8/src/profiler/heap-snapshot-generator.cc
@ -1113,8 +1113,6 @@ void V8HeapExplorer::ExtractMapReferences(int entry, Map* map) {
                         constructor_or_backpointer,
                         Map::kConstructorOrBackPointerOffset);
  } else {
    DCHECK(constructor_or_backpointer->IsJSFunction() ||
           constructor_or_backpointer->IsNull(map->GetIsolate()));
    SetInternalReference(map, entry, "constructor", constructor_or_backpointer,
                         Map::kConstructorOrBackPointerOffset);
  }
--- a/deps/v8/test/cctest/test-heap-profiler.cc
+++ b/deps/v8/test/cctest/test-heap-profiler.cc
@ -3184,3 +3184,14 @@ TEST(SamplingHeapProfilerSampleDuringDeopt) {
  CHECK(profile);
  heap_profiler->StopSamplingHeapProfiler();
 }
 TEST(HeapSnapshotPrototypeNotJSReceiver) {
  LocalContext env;
  v8::HandleScope scope(env->GetIsolate());
  v8::HeapProfiler* heap_profiler = env->GetIsolate()->GetHeapProfiler();
  CompileRun(
      "function object() {}"
      "object.prototype = 42;");
  const v8::HeapSnapshot* snapshot = heap_profiler->TakeHeapSnapshot();
  CHECK(ValidateSnapshot(snapshot));
 }
--- a/deps/v8/test/mjsunit/regress/regress-crbug-806388.js
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-806388.js
@ -0,0 +1,20 @@
 // Copyright 2018 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 // Flags: --allow-natives-syntax --enable-slow-asserts --expose-gc
 class Derived extends Array {
    constructor(a) {
      // Syntax Error.
      const a = 1;
    }
 }
 // Derived is not a subclass of RegExp
 let o = Reflect.construct(RegExp, [], Derived);
 o.lastIndex = 0x1234;
 %HeapObjectVerify(o);
 gc();
 %HeapObjectVerify(o);