Skip to content

Commit 25a978e

Browse files
BridgeARrefack
BridgeAR
authored and
refack
committed
deps: V8: backport 3e010af
Original commit message: [CloneObjectIC] clone MutableHeapNumbers only if !FLAG_unbox_double_fields Change the macros added in bf84766a2cd3e09070adcd6228a3a487c8dc4bbd to only do the hard work if FLAG_unbox_double_fields is unset (otherwise, they will attempt to dereference raw float64s, which is bad!) Also adds a write barrier in CopyPropertyArrayValues for each store if it's possible that a MutableHeapNumber is cloned. BUG=chromium:901301, chromium:902965, chromium:903070, v8:7611 R=cbruni@chromium.org, jkummerow@chromium.org, ishell@chromium.org Change-Id: I224d3c4e7b0a887684bff68985b4d97021ba4cfb Reviewed-on: https://chromium-review.googlesource.com/c/1323911 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{nodejs#57368} PR-URL: nodejs#25101 Refs: v8/v8@3e010af Fixes: nodejs#25089 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com> Reviewed-By: Yang Guo <yangguo@chromium.org>
1 parent 8e2ba9e commit 25a978e

File tree

6 files changed

+77
-22
lines changed

6 files changed

+77
-22
lines changed

common.gypi

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@
3838

3939
# Reset this number to 0 on major V8 upgrades.
4040
# Increment by one for each non-official patch applied to deps/v8.
41-
'v8_embedder_string': '-node.6',
41+
'v8_embedder_string': '-node.7',
4242

4343
##### V8 defaults for Node.js #####
4444

deps/v8/src/builtins/builtins-constructor-gen.cc

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -534,8 +534,7 @@ Node* ConstructorBuiltinsAssembler::EmitCreateShallowObjectLiteral(
534534
VARIABLE(offset, MachineType::PointerRepresentation(),
535535
IntPtrConstant(JSObject::kHeaderSize));
536536
// Mutable heap numbers only occur on 32-bit platforms.
537-
bool may_use_mutable_heap_numbers =
538-
FLAG_track_double_fields && !FLAG_unbox_double_fields;
537+
bool may_use_mutable_heap_numbers = !FLAG_unbox_double_fields;
539538
{
540539
Comment("Copy in-object properties fast");
541540
Label continue_fast(this, &offset);

deps/v8/src/code-stub-assembler.cc

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4931,6 +4931,13 @@ void CodeStubAssembler::CopyPropertyArrayValues(Node* from_array,
49314931
Comment("[ CopyPropertyArrayValues");
49324932

49334933
bool needs_write_barrier = barrier_mode == UPDATE_WRITE_BARRIER;
4934+
4935+
if (destroy_source == DestroySource::kNo) {
4936+
// PropertyArray may contain MutableHeapNumbers, which will be cloned on the
4937+
// heap, requiring a write barrier.
4938+
needs_write_barrier = true;
4939+
}
4940+
49344941
Node* start = IntPtrOrSmiConstant(0, mode);
49354942
ElementsKind kind = PACKED_ELEMENTS;
49364943
BuildFastFixedArrayForEach(

deps/v8/src/ic/accessor-assembler.cc

Lines changed: 41 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -3566,7 +3566,7 @@ void AccessorAssembler::GenerateCloneObjectIC_Slow() {
35663566

35673567
void AccessorAssembler::GenerateCloneObjectIC() {
35683568
typedef CloneObjectWithVectorDescriptor Descriptor;
3569-
Node* source = Parameter(Descriptor::kSource);
3569+
TNode<HeapObject> source = CAST(Parameter(Descriptor::kSource));
35703570
Node* flags = Parameter(Descriptor::kFlags);
35713571
Node* slot = Parameter(Descriptor::kSlot);
35723572
Node* vector = Parameter(Descriptor::kVector);
@@ -3576,8 +3576,7 @@ void AccessorAssembler::GenerateCloneObjectIC() {
35763576
Label miss(this, Label::kDeferred), try_polymorphic(this, Label::kDeferred),
35773577
try_megamorphic(this, Label::kDeferred);
35783578

3579-
CSA_SLOW_ASSERT(this, TaggedIsNotSmi(source));
3580-
Node* source_map = LoadMap(UncheckedCast<HeapObject>(source));
3579+
TNode<Map> source_map = LoadMap(UncheckedCast<HeapObject>(source));
35813580
GotoIf(IsDeprecatedMap(source_map), &miss);
35823581
TNode<MaybeObject> feedback = TryMonomorphicCase(
35833582
slot, vector, source_map, &if_handler, &var_handler, &try_polymorphic);
@@ -3598,7 +3597,7 @@ void AccessorAssembler::GenerateCloneObjectIC() {
35983597

35993598
// The IC fast case should only be taken if the result map a compatible
36003599
// elements kind with the source object.
3601-
TNode<FixedArrayBase> source_elements = LoadElements(source);
3600+
TNode<FixedArrayBase> source_elements = LoadElements(CAST(source));
36023601

36033602
auto flags = ExtractFixedArrayFlag::kAllFixedArraysDontCopyCOW;
36043603
var_elements = CAST(CloneFixedArray(source_elements, flags));
@@ -3633,22 +3632,45 @@ void AccessorAssembler::GenerateCloneObjectIC() {
36333632
// Lastly, clone any in-object properties.
36343633
// Determine the inobject property capacity of both objects, and copy the
36353634
// smaller number into the resulting object.
3636-
Node* source_start = LoadMapInobjectPropertiesStartInWords(source_map);
3637-
Node* source_size = LoadMapInstanceSizeInWords(source_map);
3638-
Node* result_start = LoadMapInobjectPropertiesStartInWords(result_map);
3639-
Node* field_offset_difference =
3635+
TNode<IntPtrT> source_start =
3636+
LoadMapInobjectPropertiesStartInWords(source_map);
3637+
TNode<IntPtrT> source_size = LoadMapInstanceSizeInWords(source_map);
3638+
TNode<IntPtrT> result_start =
3639+
LoadMapInobjectPropertiesStartInWords(result_map);
3640+
TNode<IntPtrT> field_offset_difference =
36403641
TimesPointerSize(IntPtrSub(result_start, source_start));
3641-
BuildFastLoop(source_start, source_size,
3642-
[=](Node* field_index) {
3643-
Node* field_offset = TimesPointerSize(field_index);
3644-
TNode<Object> field = LoadObjectField(source, field_offset);
3645-
field = CloneIfMutablePrimitive(field);
3646-
Node* result_offset =
3647-
IntPtrAdd(field_offset, field_offset_difference);
3648-
StoreObjectFieldNoWriteBarrier(object, result_offset,
3649-
field);
3650-
},
3651-
1, INTPTR_PARAMETERS, IndexAdvanceMode::kPost);
3642+
3643+
// If MutableHeapNumbers may be present in-object, allocations may occur
3644+
// within this loop, thus the write barrier is required.
3645+
//
3646+
// TODO(caitp): skip the write barrier until the first MutableHeapNumber
3647+
// field is found
3648+
const bool may_use_mutable_heap_numbers = !FLAG_unbox_double_fields;
3649+
3650+
BuildFastLoop(
3651+
source_start, source_size,
3652+
[=](Node* field_index) {
3653+
TNode<IntPtrT> field_offset =
3654+
TimesPointerSize(UncheckedCast<IntPtrT>(field_index));
3655+
3656+
if (may_use_mutable_heap_numbers) {
3657+
TNode<Object> field = LoadObjectField(source, field_offset);
3658+
field = CloneIfMutablePrimitive(field);
3659+
TNode<IntPtrT> result_offset =
3660+
IntPtrAdd(field_offset, field_offset_difference);
3661+
StoreObjectField(object, result_offset, field);
3662+
} else {
3663+
// Copy fields as raw data.
3664+
TNode<IntPtrT> field = UncheckedCast<IntPtrT>(
3665+
LoadObjectField(source, field_offset, MachineType::IntPtr()));
3666+
TNode<IntPtrT> result_offset =
3667+
IntPtrAdd(field_offset, field_offset_difference);
3668+
StoreObjectFieldNoWriteBarrier(
3669+
object, result_offset, field,
3670+
MachineType::IntPtr().representation());
3671+
}
3672+
},
3673+
1, INTPTR_PARAMETERS, IndexAdvanceMode::kPost);
36523674
Return(object);
36533675
}
36543676

deps/v8/test/mjsunit/es9/regress/regress-902965.js

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
// Copyright 2018 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
// Previously, spreading in-object properties would always treat double fields
6+
// as tagged, potentially dereferencing a Float64.
7+
function inobjectDouble() {
8+
"use strict";
9+
this.x = -3.9;
10+
}
11+
const instance = new inobjectDouble();
12+
const clone = { ...instance, };

deps/v8/test/mjsunit/es9/regress/regress-903070.js

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
// Copyright 2018 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
function clone(src) {
6+
return { ...src };
7+
}
8+
9+
function inobjectDoubles() {
10+
"use strict";
11+
this.p0 = -6400510997704731;
12+
}
13+
14+
// Check that unboxed double is not treated as tagged
15+
assertEquals({ p0: -6400510997704731 }, clone(new inobjectDoubles()));

0 commit comments

Comments
 (0)