deps: V8: backport bbd800c6e359

Original commit message:

    [heap] Fix incorrect from space committed size

    NewSpace page operations like RemovePage, PrependPage, and
    EnsureCurrentCapacity should account for committed page size.

    This may happen when a page was promoted from the new space to
    old space on mark-compact.

    Also, add DCHECKs on Commit and Uncommit to ensure the final
    committed page size is the same as the current state.

    Bug: v8:12657
    Change-Id: I7aebc1fd3f51f177ae2ef6420f757f0c573e126b
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3504766
    Reviewed-by: Dominik Inführ <[email protected]>
    Commit-Queue: Chengzhong Wu <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#79426}

Refs: v8/v8@bbd800c
PR-URL: #44947
Refs: v8/v8@b953542
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Jiawen Geng <[email protected]>
Reviewed-By: Richard Lau <[email protected]>

Author: legendecas

common.gypi

@@ -37,7 +37,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.23',
+    'v8_embedder_string': '-node.24',
 
     ##### V8 defaults for Node.js #####
 

deps/v8/src/heap/new-spaces.cc

@@ -54,6 +54,7 @@ bool SemiSpace::EnsureCurrentCapacity() {
     // Free all overallocated pages which are behind current_page.
     while (current_page) {
       MemoryChunk* next_current = current_page->list_node().next();
+      AccountUncommitted(Page::kPageSize);
       memory_chunk_list_.Remove(current_page);
       // Clear new space flags to avoid this page being treated as a new
       // space page that is potentially being swept.
@@ -74,6 +75,7 @@ bool SemiSpace::EnsureCurrentCapacity() {
               NOT_EXECUTABLE);
       if (current_page == nullptr) return false;
       DCHECK_NOT_NULL(current_page);
+      AccountCommitted(Page::kPageSize);
       memory_chunk_list_.PushBack(current_page);
       marking_state->ClearLiveness(current_page);
       current_page->SetFlags(first_page()->GetFlags(),
@@ -106,6 +108,7 @@ void SemiSpace::TearDown() {
 
 bool SemiSpace::Commit() {
   DCHECK(!IsCommitted());
+  DCHECK_EQ(CommittedMemory(), size_t(0));
   const int num_pages = static_cast<int>(target_capacity_ / Page::kPageSize);
   DCHECK(num_pages);
   for (int pages_added = 0; pages_added < num_pages; pages_added++) {
@@ -134,14 +137,19 @@ bool SemiSpace::Commit() {
 
 bool SemiSpace::Uncommit() {
   DCHECK(IsCommitted());
+  int actual_pages = 0;
   while (!memory_chunk_list_.Empty()) {
+    actual_pages++;
     MemoryChunk* chunk = memory_chunk_list_.front();
     memory_chunk_list_.Remove(chunk);
     heap()->memory_allocator()->Free<MemoryAllocator::kPooledAndQueue>(chunk);
   }
   current_page_ = nullptr;
   current_capacity_ = 0;
-  AccountUncommitted(target_capacity_);
+  size_t removed_page_size =
+      static_cast<size_t>(actual_pages * Page::kPageSize);
+  DCHECK_EQ(CommittedMemory(), removed_page_size);
+  AccountUncommitted(removed_page_size);
   heap()->memory_allocator()->unmapper()->FreeQueuedChunks();
   DCHECK(!IsCommitted());
   return true;
@@ -246,6 +254,7 @@ void SemiSpace::RemovePage(Page* page) {
     }
   }
   memory_chunk_list_.Remove(page);
+  AccountUncommitted(Page::kPageSize);
   for (size_t i = 0; i < ExternalBackingStoreType::kNumTypes; i++) {
     ExternalBackingStoreType t = static_cast<ExternalBackingStoreType>(i);
     DecrementExternalBackingStoreBytes(t, page->ExternalBackingStoreBytes(t));
@@ -258,6 +267,7 @@ void SemiSpace::PrependPage(Page* page) {
   page->set_owner(this);
   memory_chunk_list_.PushFront(page);
   current_capacity_ += Page::kPageSize;
+  AccountCommitted(Page::kPageSize);
   for (size_t i = 0; i < ExternalBackingStoreType::kNumTypes; i++) {
     ExternalBackingStoreType t = static_cast<ExternalBackingStoreType>(i);
     IncrementExternalBackingStoreBytes(t, page->ExternalBackingStoreBytes(t));
@@ -319,6 +329,7 @@ void SemiSpace::Verify() {
     external_backing_store_bytes[static_cast<ExternalBackingStoreType>(i)] = 0;
   }
 
+  int actual_pages = 0;
   for (Page* page : *this) {
     CHECK_EQ(page->owner(), this);
     CHECK(page->InNewSpace());
@@ -344,7 +355,11 @@ void SemiSpace::Verify() {
 
     CHECK_IMPLIES(page->list_node().prev(),
                   page->list_node().prev()->list_node().next() == page);
+
+    actual_pages++;
   }
+  CHECK_EQ(actual_pages * size_t(Page::kPageSize), CommittedMemory());
+
   for (int i = 0; i < kNumTypes; i++) {
     ExternalBackingStoreType t = static_cast<ExternalBackingStoreType>(i);
     CHECK_EQ(external_backing_store_bytes[t], ExternalBackingStoreBytes(t));

deps/v8/test/mjsunit/regress/regress-12657.js

@@ -0,0 +1,11 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --gc-global --expose-statistics --max-semi-space-size=1
+
+const a = new Array();
+for (var i = 0; i < 50000; i++) {
+  a[i] = new Object();
+}
+assertTrue(getV8Statistics().new_space_commited_bytes <= 2 * 1024 * 1024);