deps: V8: cherry-pick 1fada6b36f8d

Original commit message: [symbol-as-weakmap-key] Fix DCHECKs when clearing JS weakrefs Bug: chromium:1372500, v8:12947 Fixed: chromium:1372500 Change-Id: Id6330de5886e4ea72544b307c358e2190ea47d9c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942586 Reviewed-by: Anton Bikineev <bikineev@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#83632} Refs: v8/v8@1fada6b PR-URL: #51004 Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
nodejs · Mar 15, 2024 · b0e8889 · b0e8889
1 parent d87a810
commit b0e8889
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/common.gypi b/common.gypi
@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.33',
+    'v8_embedder_string': '-node.34',
 
     ##### V8 defaults for Node.js #####
 

diff --git a/deps/v8/src/heap/mark-compact.cc b/deps/v8/src/heap/mark-compact.cc
@@ -3027,7 +3027,7 @@ void MarkCompactCollector::ClearJSWeakRefs() {
     };
     HeapObject target = HeapObject::cast(weak_cell.target());
     if (!non_atomic_marking_state()->IsBlackOrGrey(target)) {
-      DCHECK(!target.IsUndefined());
+      DCHECK(target.CanBeHeldWeakly());
       // The value of the WeakCell is dead.
       JSFinalizationRegistry finalization_registry =
           JSFinalizationRegistry::cast(weak_cell.finalization_registry());
@@ -3049,6 +3049,7 @@ void MarkCompactCollector::ClearJSWeakRefs() {
 
     HeapObject unregister_token = weak_cell.unregister_token();
     if (!non_atomic_marking_state()->IsBlackOrGrey(unregister_token)) {
+      DCHECK(unregister_token.CanBeHeldWeakly());
       // The unregister token is dead. Remove any corresponding entries in the
       // key map. Multiple WeakCell with the same token will have all their
       // unregister_token field set to undefined when processing the first
@@ -3057,7 +3058,7 @@ void MarkCompactCollector::ClearJSWeakRefs() {
       JSFinalizationRegistry finalization_registry =
           JSFinalizationRegistry::cast(weak_cell.finalization_registry());
       finalization_registry.RemoveUnregisterToken(
-          JSReceiver::cast(unregister_token), isolate(),
+          unregister_token, isolate(),
           JSFinalizationRegistry::kKeepMatchedCellsInRegistry,
           gc_notify_updated_slot);
     } else {

diff --git a/deps/v8/test/mjsunit/harmony/regress/regress-crbug-1372500.js b/deps/v8/test/mjsunit/harmony/regress/regress-crbug-1372500.js
@@ -0,0 +1,14 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-symbol-as-weakmap-key --expose-gc
+
+// Register an object in a FinalizationRegistry with a Symbol as the unregister
+// token.
+let fr = new FinalizationRegistry(function () {});
+(function register() {
+  fr.register({}, "holdings", Symbol('unregisterToken'));
+})();
+// The unregister token should be dead, trigger its collection.
+gc();