deps: patch V8 to 6.6.346.27

MylesBorins · MylesBorins · commit bf22f4187c0d · 2018-05-08T14:22:25.000-07:00
PR-URL: #20480 Refs: v8/v8@6.6.346.24...6.6.346.27 Reviewed-By: Khaidi Chu <i@2333.moe> Reviewed-By: Michaël Zasso <targos@protonmail.com>
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 6
 #define V8_BUILD_NUMBER 346
-#define V8_PATCH_LEVEL 24
+#define V8_PATCH_LEVEL 27
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/keys.cc b/deps/v8/src/keys.cc
@@ -77,7 +77,14 @@ void KeyAccumulator::AddKey(Handle<Object> key, AddKeyConversion convert) {
       Handle<String>::cast(key)->AsArrayIndex(&index)) {
     key = isolate_->factory()->NewNumberFromUint(index);
   }
-  keys_ = OrderedHashSet::Add(keys(), key);
+  Handle<OrderedHashSet> new_set = OrderedHashSet::Add(keys(), key);
+  if (*new_set != *keys_) {
+    // The keys_ Set is converted directly to a FixedArray in GetKeys which can
+    // be left-trimmer. Hence the previous Set should not keep a pointer to the
+    // new one.
+    keys_->set(OrderedHashTableBase::kNextTableIndex, Smi::kZero);
+    keys_ = new_set;
+  }
 }
 
 void KeyAccumulator::AddKeys(Handle<FixedArray> array,
diff --git a/deps/v8/src/wasm/wasm-js.cc b/deps/v8/src/wasm/wasm-js.cc
@@ -330,42 +330,30 @@ MaybeLocal<Value> WebAssemblyInstantiateImpl(Isolate* isolate,
   i::MaybeHandle<i::Object> instance_object;
   {
     ScheduledErrorThrower thrower(i_isolate, "WebAssembly Instantiation");
+
+    // TODO(ahaas): These checks on the module should not be necessary here They
+    // are just a workaround for https://crbug.com/837417.
+    i::Handle<i::Object> module_obj = Utils::OpenHandle(*module);
+    if (!module_obj->IsWasmModuleObject()) {
+      thrower.TypeError("Argument 0 must be a WebAssembly.Module object");
+      return {};
+    }
+
     i::MaybeHandle<i::JSReceiver> maybe_imports =
         GetValueAsImports(ffi, &thrower);
     if (thrower.error()) return {};
 
-    i::Handle<i::WasmModuleObject> module_obj =
-        i::Handle<i::WasmModuleObject>::cast(
-            Utils::OpenHandle(Object::Cast(*module)));
     instance_object = i_isolate->wasm_engine()->SyncInstantiate(
-        i_isolate, &thrower, module_obj, maybe_imports,
-        i::MaybeHandle<i::JSArrayBuffer>());
+        i_isolate, &thrower, i::Handle<i::WasmModuleObject>::cast(module_obj),
+        maybe_imports, i::MaybeHandle<i::JSArrayBuffer>());
   }
 
   DCHECK_EQ(instance_object.is_null(), i_isolate->has_scheduled_exception());
   if (instance_object.is_null()) return {};
   return Utils::ToLocal(instance_object.ToHandleChecked());
 }
 
-// Entered as internal implementation detail of sync and async instantiate.
-// args[0] *must* be a WebAssembly.Module.
-void WebAssemblyInstantiateImplCallback(
-    const v8::FunctionCallbackInfo<v8::Value>& args) {
-  DCHECK_GE(args.Length(), 1);
-  v8::Isolate* isolate = args.GetIsolate();
-  MicrotasksScope does_not_run_microtasks(isolate,
-                                          MicrotasksScope::kDoNotRunMicrotasks);
-
-  HandleScope scope(args.GetIsolate());
-  Local<Value> module = args[0];
-  Local<Value> ffi = args.Data();
-  Local<Value> instance;
-  if (WebAssemblyInstantiateImpl(isolate, module, ffi).ToLocal(&instance)) {
-    args.GetReturnValue().Set(instance);
-  }
-}
-
-void WebAssemblyInstantiateToPairCallback(
+void WebAssemblyInstantiateCallback(
     const v8::FunctionCallbackInfo<v8::Value>& args) {
   DCHECK_GE(args.Length(), 1);
   Isolate* isolate = args.GetIsolate();
@@ -454,7 +442,7 @@ void WebAssemblyInstantiateStreaming(
   DCHECK(!module_promise.IsEmpty());
   Local<Value> data = args[1];
   ASSIGN(Function, instantiate_impl,
-         Function::New(context, WebAssemblyInstantiateToPairCallback, data));
+         Function::New(context, WebAssemblyInstantiateCallback, data));
   ASSIGN(Promise, result, module_promise->Then(context, instantiate_impl));
   args.GetReturnValue().Set(result);
 }
@@ -476,10 +464,12 @@ void WebAssemblyInstantiate(const v8::FunctionCallbackInfo<v8::Value>& args) {
   Local<Context> context = isolate->GetCurrentContext();
 
   ASSIGN(Promise::Resolver, resolver, Promise::Resolver::New(context));
-  Local<Promise> module_promise = resolver->GetPromise();
-  args.GetReturnValue().Set(module_promise);
+  Local<Promise> promise = resolver->GetPromise();
+  args.GetReturnValue().Set(promise);
 
   Local<Value> first_arg_value = args[0];
+  // If args.Length < 2, this will be undefined - see FunctionCallbackInfo.
+  Local<Value> ffi = args[1];
   i::Handle<i::Object> first_arg = Utils::OpenHandle(*first_arg_value);
   if (!first_arg->IsJSObject()) {
     thrower.TypeError(
@@ -490,26 +480,35 @@ void WebAssemblyInstantiate(const v8::FunctionCallbackInfo<v8::Value>& args) {
     return;
   }
 
-  FunctionCallback instantiator = nullptr;
   if (first_arg->IsWasmModuleObject()) {
-    module_promise = resolver->GetPromise();
-    if (!resolver->Resolve(context, first_arg_value).IsJust()) return;
-    instantiator = WebAssemblyInstantiateImplCallback;
-  } else {
-    ASSIGN(Function, async_compile, Function::New(context, WebAssemblyCompile));
-    ASSIGN(Value, async_compile_retval,
-           async_compile->Call(context, args.Holder(), 1, &first_arg_value));
-    module_promise = Local<Promise>::Cast(async_compile_retval);
-    instantiator = WebAssemblyInstantiateToPairCallback;
+    i::Handle<i::WasmModuleObject> module_obj =
+        i::Handle<i::WasmModuleObject>::cast(first_arg);
+    // If args.Length < 2, this will be undefined - see FunctionCallbackInfo.
+    i::MaybeHandle<i::JSReceiver> maybe_imports =
+        GetValueAsImports(ffi, &thrower);
+
+    if (thrower.error()) {
+      auto maybe = resolver->Reject(context, Utils::ToLocal(thrower.Reify()));
+      CHECK_IMPLIES(!maybe.FromMaybe(false),
+                    i_isolate->has_scheduled_exception());
+      return;
+    }
+
+    i_isolate->wasm_engine()->AsyncInstantiate(
+        i_isolate, Utils::OpenHandle(*promise), module_obj, maybe_imports);
+    return;
   }
-  DCHECK(!module_promise.IsEmpty());
-  DCHECK_NOT_NULL(instantiator);
-  // If args.Length < 2, this will be undefined - see FunctionCallbackInfo.
-  // We'll check for that in WebAssemblyInstantiateImpl.
-  Local<Value> data = args[1];
+
+  // We did not get a WasmModuleObject as input, we first have to compile the
+  // input.
+  ASSIGN(Function, async_compile, Function::New(context, WebAssemblyCompile));
+  ASSIGN(Value, async_compile_retval,
+         async_compile->Call(context, args.Holder(), 1, &first_arg_value));
+  promise = Local<Promise>::Cast(async_compile_retval);
+  DCHECK(!promise.IsEmpty());
   ASSIGN(Function, instantiate_impl,
-         Function::New(context, instantiator, data));
-  ASSIGN(Promise, result, module_promise->Then(context, instantiate_impl));
+         Function::New(context, WebAssemblyInstantiateCallback, ffi));
+  ASSIGN(Promise, result, promise->Then(context, instantiate_impl));
   args.GetReturnValue().Set(result);
 }
 
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-831984.js b/deps/v8/test/mjsunit/regress/regress-crbug-831984.js
@@ -0,0 +1,10 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+let arr = [...Array(9000)];
+for (let j = 0; j < 40; j++) {
+  Reflect.ownKeys(arr).shift();
+  Array(64386);
+}
diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-836141.js b/deps/v8/test/mjsunit/regress/wasm/regress-836141.js
@@ -0,0 +1,20 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(16, 32);
+builder.addFunction("test", kSig_i_v).addBody([
+  kExprI32Const, 12,         // i32.const 0
+]);
+
+let module = new WebAssembly.Module(builder.toBuffer());
+module.then = () => {
+  // Use setTimeout to get out of the promise chain.
+  setTimeout(assertUnreachable);
+};
+
+WebAssembly.instantiate(module);
diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-837417.js b/deps/v8/test/mjsunit/regress/wasm/regress-837417.js
@@ -0,0 +1,23 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(16, 32);
+builder.addFunction("test", kSig_i_v).addBody([
+  kExprI32Const, 12,         // i32.const 0
+]);
+
+WebAssembly.Module.prototype.then = resolve => resolve(
+    String.fromCharCode(null, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41));
+
+// WebAssembly.instantiate should not actually throw a TypeError in this case.
+// However, this is a workaround for
+assertPromiseResult(
+    WebAssembly.instantiate(builder.toBuffer()), assertUnreachable,
+    exception => {
+      assertInstanceof(exception, TypeError);
+    });
