deps: patch V8 to 9.1.269.38

Refs: v8/v8@9.1.269.36...9.1.269.38
Fixes: #37553

PR-URL: #39196
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Gireesh Punathil <[email protected]>
Reviewed-By: Jiawen Geng <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>

Author: targos

deps/v8/include/v8-version.h

@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 9
 #define V8_MINOR_VERSION 1
 #define V8_BUILD_NUMBER 269
-#define V8_PATCH_LEVEL 36
+#define V8_PATCH_LEVEL 38
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

deps/v8/src/heap/heap.cc

@@ -2129,6 +2129,10 @@ void Heap::CompleteSweepingYoung(GarbageCollector collector) {
   array_buffer_sweeper()->EnsureFinished();
 }
 
+void Heap::EnsureSweepingCompleted() {
+  mark_compact_collector()->EnsureSweepingCompleted();
+}
+
 void Heap::UpdateCurrentEpoch(GarbageCollector collector) {
   if (IsYoungGenerationCollector(collector)) {
     epoch_young_ = next_epoch();

deps/v8/src/heap/heap.h

@@ -1074,6 +1074,8 @@ class Heap {
   void CompleteSweepingFull();
   void CompleteSweepingYoung(GarbageCollector collector);
 
+  void EnsureSweepingCompleted();
+
   IncrementalMarking* incremental_marking() {
     return incremental_marking_.get();
   }

deps/v8/src/json/json-parser.cc

@@ -620,6 +620,11 @@ Handle<Object> JsonParser<Char>::BuildJsonObject(
         DCHECK_EQ(mutable_double_address, end);
       }
 #endif
+      // Before setting the length of mutable_double_buffer back to zero, we
+      // must ensure that the sweeper is not running or has already swept the
+      // object's page. Otherwise the GC can add the contents of
+      // mutable_double_buffer to the free list.
+      isolate()->heap()->EnsureSweepingCompleted();
       mutable_double_buffer->set_length(0);
     }
   }

deps/v8/src/wasm/wasm-js.cc

@@ -2318,28 +2318,49 @@ void WasmJs::InstallConditionalFeatures(Isolate* isolate,
     Handle<JSGlobalObject> global = handle(context->global_object(), isolate);
     MaybeHandle<Object> maybe_webassembly =
         JSObject::GetProperty(isolate, global, "WebAssembly");
-    Handle<JSObject> webassembly =
-        Handle<JSObject>::cast(maybe_webassembly.ToHandleChecked());
+    Handle<Object> webassembly_obj;
+    if (!maybe_webassembly.ToHandle(&webassembly_obj)) {
+      // There is not {WebAssembly} object. We just return without adding the
+      // {Exception} constructor.
+      return;
+    }
+    if (!webassembly_obj->IsJSObject()) {
+      // The {WebAssembly} object is invalid. As we cannot add the {Exception}
+      // constructor, we just return.
+      return;
+    }
+    Handle<JSObject> webassembly = Handle<JSObject>::cast(webassembly_obj);
     // Setup Exception
     Handle<String> exception_name = v8_str(isolate, "Exception");
-    if (!JSObject::HasProperty(webassembly, exception_name).FromMaybe(true)) {
-      Handle<JSFunction> exception_constructor =
-          CreateFunc(isolate, exception_name, WebAssemblyException, true,
-                     SideEffectType::kHasSideEffect);
-      exception_constructor->shared().set_length(1);
-      JSObject::AddProperty(isolate, webassembly, exception_name,
-                            exception_constructor, DONT_ENUM);
-      // Install the constructor on the context.
-      context->set_wasm_exception_constructor(*exception_constructor);
-      SetDummyInstanceTemplate(isolate, exception_constructor);
-      JSFunction::EnsureHasInitialMap(exception_constructor);
-      Handle<JSObject> exception_proto(
-          JSObject::cast(exception_constructor->instance_prototype()), isolate);
-      Handle<Map> exception_map = isolate->factory()->NewMap(
-          i::WASM_EXCEPTION_OBJECT_TYPE, WasmExceptionObject::kHeaderSize);
-      JSFunction::SetInitialMap(isolate, exception_constructor, exception_map,
-                                exception_proto);
+
+    if (JSObject::HasOwnProperty(webassembly, exception_name).FromMaybe(true)) {
+      // The {Exception} constructor already exists, there is nothing more to
+      // do.
+      return;
+    }
+
+    bool has_prototype = true;
+    Handle<JSFunction> exception_constructor =
+        CreateFunc(isolate, exception_name, WebAssemblyException, has_prototype,
+                   SideEffectType::kHasNoSideEffect);
+    exception_constructor->shared().set_length(1);
+    auto result = Object::SetProperty(
+        isolate, webassembly, exception_name, exception_constructor,
+        StoreOrigin::kNamed, Just(ShouldThrow::kDontThrow));
+    if (result.is_null()) {
+      // Setting the {Exception} constructor failed. We just bail out.
+      return;
     }
+    // Install the constructor on the context.
+    context->set_wasm_exception_constructor(*exception_constructor);
+    SetDummyInstanceTemplate(isolate, exception_constructor);
+    JSFunction::EnsureHasInitialMap(exception_constructor);
+    Handle<JSObject> exception_proto(
+        JSObject::cast(exception_constructor->instance_prototype()), isolate);
+    Handle<Map> exception_map = isolate->factory()->NewMap(
+        i::WASM_EXCEPTION_OBJECT_TYPE, WasmExceptionObject::kHeaderSize);
+    JSFunction::SetInitialMap(isolate, exception_constructor, exception_map,
+                              exception_proto);
   }
 }
 #undef ASSIGN