deps: patch V8 to 14.4.258.13

targos · targos · commit fcd26495f8b6 · 2025-12-17T08:54:05.000+01:00
Refs: v8/v8@14.4.258.9...14.4.258.13
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 14
 #define V8_MINOR_VERSION 4
 #define V8_BUILD_NUMBER 258
-#define V8_PATCH_LEVEL 9
+#define V8_PATCH_LEVEL 13
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/codegen/code-stub-assembler.cc b/deps/v8/src/codegen/code-stub-assembler.cc
@@ -13325,7 +13325,8 @@ void CodeStubAssembler::UpdateEmbeddedFeedback(
   Label end(this);
 
   TNode<Int32T> previous_feedback =
-      Load<Uint16T>(bytecode_array, feedback_offset);
+      UnalignedLoad<Uint16T>(bytecode_array, feedback_offset);
+
   TNode<Int32T> combined_feedback = Word32Or(previous_feedback, feedback);
 
   GotoIf(Word32Equal(previous_feedback, combined_feedback), &end);
@@ -13335,8 +13336,8 @@ void CodeStubAssembler::UpdateEmbeddedFeedback(
     ExitSandbox();
 #endif
 
-    StoreNoWriteBarrier(MachineRepresentation::kWord16, bytecode_array,
-                        feedback_offset, combined_feedback);
+    UnalignedStoreNoWriteBarrier(MachineRepresentation::kWord16, bytecode_array,
+                                 feedback_offset, combined_feedback);
 
 #ifdef V8_ENABLE_SANDBOX_HARDWARE_SUPPORT
     EnterSandbox();
diff --git a/deps/v8/src/compiler/code-assembler.cc b/deps/v8/src/compiler/code-assembler.cc
@@ -1052,6 +1052,21 @@ void CodeAssembler::StoreNoWriteBarrier(MachineRepresentation rep, Node* base,
       CanBeTaggedPointer(rep) ? kAssertNoWriteBarrier : kNoWriteBarrier);
 }
 
+void CodeAssembler::UnalignedStoreNoWriteBarrier(MachineRepresentation rep,
+                                                 TNode<BytecodeArray> base,
+                                                 TNode<IntPtrT> offset,
+                                                 Node* value) {
+  DCHECK(!raw_assembler()->IsMapOffsetConstantMinusTag(offset));
+  if (UnalignedStoreSupported(rep)) {
+    raw_assembler()->Store(
+        rep, base, offset, value,
+        CanBeTaggedPointer(rep) ? kAssertNoWriteBarrier : kNoWriteBarrier);
+  } else {
+    Node* base_raw = BitcastTaggedToWord(base);
+    raw_assembler()->UnalignedStore(rep, base_raw, offset, value);
+  }
+}
+
 void CodeAssembler::UnsafeStoreNoWriteBarrier(MachineRepresentation rep,
                                               Node* base, Node* value) {
   raw_assembler()->Store(rep, base, value, kNoWriteBarrier);
diff --git a/deps/v8/src/compiler/code-assembler.h b/deps/v8/src/compiler/code-assembler.h
@@ -924,13 +924,27 @@ class V8_EXPORT_PRIVATE CodeAssembler {
     return UncheckedCast<Type>(UnalignedLoad(mt, base, offset));
   }
 
+  template <typename Type>
+  TNode<Type> UnalignedLoad(TNode<BytecodeArray> base, TNode<IntPtrT> offset) {
+    MachineType type = MachineTypeOf<Type>::value;
+    if (UnalignedLoadSupported(type.representation())) {
+      return UncheckedCast<Type>(Load(type, base, offset));
+    } else {
+      TNode<RawPtrT> base_raw = BitcastTaggedToWord(base);
+      return UncheckedCast<Type>(UnalignedLoad(type, base_raw, offset));
+    }
+  }
+
   // Store value to raw memory location.
   void Store(Node* base, Node* value);
   void Store(Node* base, Node* offset, Node* value);
   void StoreEphemeronKey(Node* base, Node* offset, Node* value);
   void StoreNoWriteBarrier(MachineRepresentation rep, Node* base, Node* value);
   void StoreNoWriteBarrier(MachineRepresentation rep, Node* base, Node* offset,
                            Node* value);
+  void UnalignedStoreNoWriteBarrier(MachineRepresentation rep,
+                                    TNode<BytecodeArray> base,
+                                    TNode<IntPtrT> offset, Node* value);
   void UnsafeStoreNoWriteBarrier(MachineRepresentation rep, Node* base,
                                  Node* value);
   void UnsafeStoreNoWriteBarrier(MachineRepresentation rep, Node* base,
diff --git a/deps/v8/src/maglev/arm64/maglev-ir-arm64.cc b/deps/v8/src/maglev/arm64/maglev-ir-arm64.cc
@@ -323,7 +323,7 @@ void Int32Multiply::GenerateCode(MaglevAssembler* masm,
   __ Smull(out, left, right);
 
   // Making sure that the 32-bit output is zero-extended.
-  __ Move(out.W(), out.W());
+  __ Mov(out.W(), out.W());
 }
 
 void Int32MultiplyOverflownBits::SetValueLocationConstraints() {
@@ -468,7 +468,7 @@ void Int32MultiplyWithOverflow::GenerateCode(MaglevAssembler* masm,
 
   // Making sure that the 32-bit output is zero-extended (and moving it to the
   // right register if {out_alias_input} is true).
-  __ Move(out, res.W());
+  __ Mov(out, res.W());
 }
 
 void Int32DivideWithOverflow::SetValueLocationConstraints() {
@@ -536,7 +536,7 @@ void Int32DivideWithOverflow::GenerateCode(MaglevAssembler* masm,
   __ CompareAndBranch(temp, Immediate(0), ne,
                       __ GetDeoptLabel(this, DeoptimizeReason::kNotInt32));
 
-  __ Move(out, res);
+  __ Mov(out, res);
 }
 
 void Int32ModulusWithOverflow::SetValueLocationConstraints() {
diff --git a/deps/v8/src/maglev/maglev-graph-builder.cc b/deps/v8/src/maglev/maglev-graph-builder.cc
@@ -12920,15 +12920,12 @@ MaybeReduceResult MaglevGraphBuilder::TryReduceConstructBuiltin(
       break;
     }
     case Builtin::kObjectConstructor: {
+      if (target != new_target) return {};
       // If no value is passed, we can immediately lower to a simple
       // constructor.
-      compiler::OptionalJSFunctionRef new_target_function =
-          TryGetConstant<JSFunction>(new_target);
-      if (args.count() == 0 && new_target_function.has_value() &&
-          new_target_function->has_initial_map(broker())) {
-        return BuildInlinedAllocation(
-            CreateJSConstructor(new_target_function.value()),
-            AllocationType::kYoung);
+      if (args.count() == 0) {
+        return BuildInlinedAllocation(CreateJSConstructor(target_function),
+                                      AllocationType::kYoung);
       }
       break;
     }
diff --git a/deps/v8/src/wasm/wasm-engine.cc b/deps/v8/src/wasm/wasm-engine.cc
@@ -1184,11 +1184,11 @@ void WasmEngine::DeleteCompileJobsOnContext(DirectHandle<Context> context) {
       DirectHandle<NativeContext> job_context;
       if (it->first->context().ToHandle(&job_context) &&
           job_context.is_identical_to(context)) {
+        jobs_to_delete.push_back(std::move(it->second));
+        it = async_compile_jobs_.erase(it);
+      } else {
         ++it;
-        continue;
       }
-      jobs_to_delete.push_back(std::move(it->second));
-      it = async_compile_jobs_.erase(it);
     }
   }
 }
@@ -1202,12 +1202,12 @@ void WasmEngine::DeleteCompileJobsOnIsolate(Isolate* isolate) {
     base::MutexGuard guard(&mutex_);
     for (auto it = async_compile_jobs_.begin();
          it != async_compile_jobs_.end();) {
-      if (it->first->isolate() != isolate) {
+      if (it->first->isolate() == isolate) {
+        jobs_to_delete.push_back(std::move(it->second));
+        it = async_compile_jobs_.erase(it);
+      } else {
         ++it;
-        continue;
       }
-      jobs_to_delete.push_back(std::move(it->second));
-      it = async_compile_jobs_.erase(it);
     }
     DCHECK(isolates_.contains(isolate));
     auto* isolate_info = isolates_[isolate].get();
diff --git a/deps/v8/test/mjsunit/maglev/regress-466786677.js b/deps/v8/test/mjsunit/maglev/regress-466786677.js
@@ -0,0 +1,22 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function trigger(cond) {
+  let o = {};
+  let mul = (cond ? 1 : 0x80000000) | 0;
+  print(mul);
+  let idx = (mul * 2) | 0;
+  print(idx);
+  o[0] = 1.1;
+  if (cond) o[1] = 2.2;
+  return o[idx];
+}
+
+%PrepareFunctionForOptimization(trigger);
+trigger(true);
+trigger(false);
+%OptimizeMaglevOnNextCall(trigger);
+trigger(false);
diff --git a/deps/v8/test/mjsunit/regress/regress-467247247.js b/deps/v8/test/mjsunit/regress/regress-467247247.js
@@ -0,0 +1,27 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+class C extends Object {
+  constructor() {
+    for (let i = 0; i < 5; i++) {
+      if (!i) {
+        super();
+      }
+    }
+  }
+}
+function opt_me() {
+  return Reflect.construct(C, [], WeakMap);
+}
+
+opt_me();
+opt_me();
+opt_me();
+opt_me();
+opt_me();
+let obj = opt_me();
+
+assertThrows(() => obj.set({}, 123), TypeError);

Original file line number	Diff line number	Diff line change
`@@ -323,7 +323,7 @@ void Int32Multiply::GenerateCode(MaglevAssembler* masm,`
`323`	`323`	`__ Smull(out, left, right);`
`324`	`324`
`325`	`325`	`// Making sure that the 32-bit output is zero-extended.`
`326`		`- __ Move(out.W(), out.W());`
	`326`	`+ __ Mov(out.W(), out.W());`
`327`	`327`	`}`
`328`	`328`
`329`	`329`	`void Int32MultiplyOverflownBits::SetValueLocationConstraints() {`
`@@ -468,7 +468,7 @@ void Int32MultiplyWithOverflow::GenerateCode(MaglevAssembler* masm,`
`468`	`468`
`469`	`469`	`// Making sure that the 32-bit output is zero-extended (and moving it to the`
`470`	`470`	`// right register if {out_alias_input} is true).`
`471`		`- __ Move(out, res.W());`
	`471`	`+ __ Mov(out, res.W());`
`472`	`472`	`}`
`473`	`473`
`474`	`474`	`void Int32DivideWithOverflow::SetValueLocationConstraints() {`
`@@ -536,7 +536,7 @@ void Int32DivideWithOverflow::GenerateCode(MaglevAssembler* masm,`
`536`	`536`	`__ CompareAndBranch(temp, Immediate(0), ne,`
`537`	`537`	`__ GetDeoptLabel(this, DeoptimizeReason::kNotInt32));`
`538`	`538`
`539`		`- __ Move(out, res);`
	`539`	`+ __ Mov(out, res);`
`540`	`540`	`}`
`541`	`541`
`542`	`542`	`void Int32ModulusWithOverflow::SetValueLocationConstraints() {`
Original file line number	Diff line number	Diff line change
`@@ -1184,11 +1184,11 @@ void WasmEngine::DeleteCompileJobsOnContext(DirectHandle<Context> context) {`
`1184`	`1184`	`DirectHandle<NativeContext> job_context;`
`1185`	`1185`	`if (it->first->context().ToHandle(&job_context) &&`
`1186`	`1186`	`job_context.is_identical_to(context)) {`
	`1187`	`+ jobs_to_delete.push_back(std::move(it->second));`
	`1188`	`+ it = async_compile_jobs_.erase(it);`
	`1189`	`+ } else {`
`1187`	`1190`	`++it;`
`1188`		`- continue;`
`1189`	`1191`	`}`
`1190`		`- jobs_to_delete.push_back(std::move(it->second));`
`1191`		`- it = async_compile_jobs_.erase(it);`
`1192`	`1192`	`}`
`1193`	`1193`	`}`
`1194`	`1194`	`}`
`@@ -1202,12 +1202,12 @@ void WasmEngine::DeleteCompileJobsOnIsolate(Isolate* isolate) {`
`1202`	`1202`	`base::MutexGuard guard(&mutex_);`
`1203`	`1203`	`for (auto it = async_compile_jobs_.begin();`
`1204`	`1204`	`it != async_compile_jobs_.end();) {`
`1205`		`- if (it->first->isolate() != isolate) {`
	`1205`	`+ if (it->first->isolate() == isolate) {`
	`1206`	`+ jobs_to_delete.push_back(std::move(it->second));`
	`1207`	`+ it = async_compile_jobs_.erase(it);`
	`1208`	`+ } else {`
`1206`	`1209`	`++it;`
`1207`		`- continue;`
`1208`	`1210`	`}`
`1209`		`- jobs_to_delete.push_back(std::move(it->second));`
`1210`		`- it = async_compile_jobs_.erase(it);`
`1211`	`1211`	`}`
`1212`	`1212`	`DCHECK(isolates_.contains(isolate));`
`1213`	`1213`	`auto* isolate_info = isolates_[isolate].get();`