From b0e88899e17464e2194ff4342de13697422e5f78 Mon Sep 17 00:00:00 2001
From: Joyee Cheung
Date: Fri, 1 Dec 2023 20:01:24 +0100
Subject: [PATCH] deps: V8: cherry-pick 1fada6b36f8d
Original commit message:
[symbol-as-weakmap-key] Fix DCHECKs when clearing JS weakrefs
Bug: chromium:1372500, v8:12947
Fixed: chromium:1372500
Change-Id: Id6330de5886e4ea72544b307c358e2190ea47d9c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942586
Reviewed-by: Anton Bikineev
Commit-Queue: Shu-yu Guo
Cr-Commit-Position: refs/heads/main@{#83632}
Refs: https://github.com/v8/v8/commit/1fada6b36f8df9c34f0f841e4ad51892e1984603
PR-URL: https://github.com/nodejs/node/pull/51004
Reviewed-By: Chengzhong Wu
---
 common.gypi | 2 +-
 deps/v8/src/heap/mark-compact.cc | 5 +++--
 .../harmony/regress/regress-crbug-1372500.js | 14 ++++++++++++++
 3 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/harmony/regress/regress-crbug-1372500.js
diff --git a/common.gypi b/common.gypi
index 960c169a789c5d..58fef6b3f1726a 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.33',
+ 'v8_embedder_string': '-node.34',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/heap/mark-compact.cc b/deps/v8/src/heap/mark-compact.cc
index ef0b67ca2b6274..0baf08ee74a35b 100644
--- a/deps/v8/src/heap/mark-compact.cc
+++ b/deps/v8/src/heap/mark-compact.cc
@@ -3027,7 +3027,7 @@ void MarkCompactCollector::ClearJSWeakRefs() {
 };
 HeapObject target = HeapObject::cast(weak_cell.target());
 if (!non_atomic_marking_state()->IsBlackOrGrey(target)) {
- DCHECK(!target.IsUndefined());
+ DCHECK(target.CanBeHeldWeakly());
 // The value of the WeakCell is dead.
 JSFinalizationRegistry finalization_registry =
 JSFinalizationRegistry::cast(weak_cell.finalization_registry());
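Review bot: The changed assertion on the dead-target path, `DCHECK(target.CanBeHeldWeakly())`, is not exercised by anything in this patch: the regression test added at the end registers `{}` as the target and uses a Symbol only as the unregister token. A second registration whose target is itself a Symbol, for example `fr.register(Symbol('target'), "holdings");` inside the same IIFE, would presumably drive a dead Symbol target through this branch under `--harmony-symbol-as-weakmap-key`. Because DCHECKs are compiled out of release builds, a debug-build test is the only place this invariant is actually checked. The body of ClearJSWeakRefs starts and ends outside the hunk.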
@@ -3049,6 +3049,7 @@ void MarkCompactCollector::ClearJSWeakRefs() {
 HeapObject unregister_token = weak_cell.unregister_token();
 if (!non_atomic_marking_state()->IsBlackOrGrey(unregister_token)) {
+ DCHECK(unregister_token.CanBeHeldWeakly());
 // The unregister token is dead. Remove any corresponding entries in the
 // key map. Multiple WeakCell with the same token will have all their
 // unregister_token field set to undefined when processing the first
@@ -3057,7 +3058,7 @@ void MarkCompactCollector::ClearJSWeakRefs() {
 JSFinalizationRegistry finalization_registry =
 JSFinalizationRegistry::cast(weak_cell.finalization_registry());
 finalization_registry.RemoveUnregisterToken(
- JSReceiver::cast(unregister_token), isolate(),
+ unregister_token, isolate(),
 JSFinalizationRegistry::kKeepMatchedCellsInRegistry,
 gc_notify_updated_slot);
 } else {
diff --git a/deps/v8/test/mjsunit/harmony/regress/regress-crbug-1372500.js b/deps/v8/test/mjsunit/harmony/regress/regress-crbug-1372500.js
new file mode 100644
index 00000000000000..6264570fdd3bd7
--- /dev/null
+++ b/deps/v8/test/mjsunit/harmony/regress/regress-crbug-1372500.js
@@ -0,0 +1,14 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-symbol-as-weakmap-key --expose-gc
+
+// Register an object in a FinalizationRegistry with a Symbol as the unregister
+// token.
+let fr = new FinalizationRegistry(function () {});
+(function register() {
+ fr.register({}, "holdings", Symbol('unregisterToken'));
+})();
+// The unregister token should be dead, trigger its collection.
+gc();
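Review bot: With `JSReceiver::cast(unregister_token)` removed in the `-3057,7 +3058,7` hunk, `RemoveUnregisterToken` now receives a plain `HeapObject`, and neither its declaration nor its body is part of this patch, so the cherry-pick is only sound if the callee on this branch already handles a token that is not a JSReceiver. The diffstat shows no other source file touched, so that is presumably the case, but it is worth confirming that the key-map lookup inside the callee does not cast the token back to `JSReceiver`: such casts are only verified in debug builds, so in a release build a Symbol token would silently be treated as a receiver. A short comment at the call site, such as `// Token may be a Symbol (symbol-as-weakmap-key); do not cast to JSReceiver.`, would help keep the cast from being reintroduced. The enclosing function continues outside the hunk.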
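Review bot: The new test has no assertion and passes simply by not crashing, so it only detects a regression in a build with DCHECKs enabled; in a release build it passes whether or not the fix in mark-compact.cc is present. A comment next to the `gc()` call would tell a reader what a failure looks like, for example `// Passes by not hitting a DCHECK while clearing JS weakrefs; needs a debug build.`. If the harness also runs this file in release configurations, a green result there should not be read as coverage of this bug.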