diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index eb1bdf134b8fbe..ad517231f6f758 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 14
 #define V8_MINOR_VERSION 2
 #define V8_BUILD_NUMBER 231
-#define V8_PATCH_LEVEL 16
+#define V8_PATCH_LEVEL 17

 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/maglev/maglev-graph-builder.cc b/deps/v8/src/maglev/maglev-graph-builder.cc
index 016506393b9171..a2cac0c5ded680 100644
--- a/deps/v8/src/maglev/maglev-graph-builder.cc
+++ b/deps/v8/src/maglev/maglev-graph-builder.cc
@@ -4531,9 +4531,20 @@ ValueNode* MaglevGraphBuilder::ConvertForField(ValueNode* value,
 AllocationType allocation_type) {
 switch (desc.type) {
 case vobj::FieldType::kTagged: {
- if (value->Is() &&
- !NodeTypeIs(GetType(value), NodeType::kSmi)) {
- // Note that NodeType::kSmi MUST go through GetTaggedValue for proper
+ // Subtle: we don't use `NodeTypeIs(...)` since the predicate must NOT
+ // be true for NodeType::kNone.
+ // TODO(jgruber): NodeType::kNone should never reach here.
+ if (GetType(value) == NodeType::kSmi) {
+ // TODO(jgruber): This is needed because HoleyFloat64ToTagged does not
+ // canonicalize smis by default in GetTaggedValue. We rely on
+ // canonicalization though in TryReduceConstructArrayConstructor.
+ // We should make this more robust.
+ MaybeReduceResult res = GetSmiValue(value);
+ CHECK(res.IsDoneWithValue());
+ return res.value();
+ }
+ if (value->Is()) {
+ // Note that NodeType::kSmi MUST go through GetSmiValue for proper
 // canonicalization. If we see a Float64Constant with type kSmi, it has
 // passed BuildCheckSmi, i.e. the runtime value is guaranteed to be
 // convertible to smi (we would have deoptimized otherwise).
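Review bot: The retained comment `// Note that NodeType::kSmi MUST go through GetSmiValue for proper canonicalization ...` now sits inside the second `if (value->Is())` branch of the maglev-graph-builder.cc hunk, which is reached only after the new early return for `GetType(value) == NodeType::kSmi`, so it explains a case that branch no longer sees; I would move it above the first `if`, beside the new kSmi TODO. The release-mode `CHECK(res.IsDoneWithValue())` looks like the right strength, since a value that skipped canonicalization should presumably abort rather than flow into optimized code, and a short why-comment such as `// Must hold in release builds: a non-canonical smi may not escape into the graph.` would keep it from being downgraded to a DCHECK later. Both TODOs describe invariants the code currently only works around (kNone reaching this switch, HoleyFloat64ToTagged not canonicalizing), so a tracking-bug reference in each would help. The body of the second branch and the rest of ConvertForField lie outside the hunk.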
diff --git a/deps/v8/test/mjsunit/regress/regress-454485895.js b/deps/v8/test/mjsunit/regress/regress-454485895.js
new file mode 100644
index 00000000000000..2e287c65497e3b
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-454485895.js
@@ -0,0 +1,25 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev
+
+// HOLEY_DOUBLE_ELEMENTS.
+const arr = [1, , , , , 1.1];
+
+function opt_me() {
+ for (let i = 0; i < 5; i++) {
+ const ele = arr[i];
+ const arr2 = Array(ele, i);
+ function inner() {
+ arr2.join();
+ arr.__proto__ = ele;
+ }
+ inner();
+ }
+}
+
+%PrepareFunctionForOptimization(opt_me);
+opt_me();
+%OptimizeMaglevOnNextCall(opt_me);
+opt_me();
diff --git a/deps/v8/test/mjsunit/regress/regress-454861480.js b/deps/v8/test/mjsunit/regress/regress-454861480.js
new file mode 100644
index 00000000000000..835d6dd9003114
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-454861480.js
@@ -0,0 +1,20 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev
+
+function f0() {
+ try {
+ ([f0,f0]).forEach(undefined);
+ class C4 {
+ [undefined];
+ }
+ } catch(e5) {
+ }
+ return f0;
+}
+const v6 = %PrepareFunctionForOptimization(f0);
+f0();
+const v8 = %OptimizeMaglevOnNextCall(f0);
+f0();
diff --git a/deps/v8/test/mjsunit/regress/regress-454943951.js b/deps/v8/test/mjsunit/regress/regress-454943951.js
new file mode 100644
index 00000000000000..672e9c1aa4bd2e
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-454943951.js
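Review bot: Neither regress-454485895.js nor regress-454861480.js contains an assertion or says what it guards, so the only pass criterion is that the Maglev-optimized second call finishes without a crash, CHECK failure or uncaught exception. A one-line header in each, for example `// Passes if the optimized call completes; no result is checked.`, would tell a maintainer that the missing asserts are deliberate. In regress-454861480.js the results of `%PrepareFunctionForOptimization` and `%OptimizeMaglevOnNextCall` are bound to `v6` and `v8` and never read; that looks like generated output and could be plain calls as in the first file.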
@@ -0,0 +1,19 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+function* __f_0(__v_1) {
+ for (let __v_2 = 0; __v_2 < __v_1; __v_2++) {
+ for (let __v_3 = 0; __v_3 < __v_1; __v_3++) {
+ Math.acos(false);
+ yield __v_2 * 10 + __v_3;
+ }
+ }
+}
+%PrepareFunctionForOptimization(__f_0);
+let __v_0 = __f_0(4);
+__v_0.next().value;
+%OptimizeFunctionOnNextCall(__f_0);
+__v_0 = __f_0();
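Review bot: This test passes only `--allow-natives-syntax` and requests optimization with `%OptimizeFunctionOnNextCall`, while the other two tests in the commit pass `--maglev` and use `%OptimizeMaglevOnNextCall`; if it is meant to cover the same graph-builder change, which compiler it reaches depends on the configuration it runs under. A comment naming the configuration that reproduced the original failure would make that explicit. The final `__v_0 = __f_0();` creates the generator without an argument and never calls `next()`, so a short comment such as `// Creating the generator is enough to run the optimized code.` (if that is the intent) would help readers.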