deps: patch V8 to 13.6.233.17

targos · targos · commit fcbd8dbbdeac · 2025-11-25T09:33:16.000+01:00
Refs: v8/v8@13.6.233.10...13.6.233.17 PR-URL: #60712 Reviewed-By: Richard Lau <richard.lau@ibm.com>
diff --git a/deps/v8/PRESUBMIT.py b/deps/v8/PRESUBMIT.py
@@ -136,6 +136,7 @@ def FilterJSFile(affected_file):
 input_api, output_api, bot_allowlist=[
 'v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com',
 'v8-ci-test262-import-export@chops-service-accounts.iam.gserviceaccount.com',
+ 'chrome-cherry-picker@chops-service-accounts.iam.gserviceaccount.com',
 ]))
 return results
 
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 13
 #define V8_MINOR_VERSION 6
 #define V8_BUILD_NUMBER 233
-#define V8_PATCH_LEVEL 10
+#define V8_PATCH_LEVEL 17
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/infra/mb/mb_config.pyl b/deps/v8/infra/mb/mb_config.pyl
@@ -953,7 +953,7 @@
 },
 
 'no_reclient':{
- 'gn_args': 'use_remoteexec=false',
+ 'gn_args': 'use_remoteexec=false use_siso=false',
 },
 
 'no_sandbox':{
@@ -968,8 +968,11 @@
 'gn_args': 'v8_use_perfetto=true',
 },
 
+ # TODO(https://crbug.com/414724525): Temporarily use the reclient and siso
+ # configs synonym. In a follow up we'll drop the reclient parts and replace
+ # them with SISO configs.
 'reclient':{
- 'gn_args': 'use_remoteexec=true',
+ 'gn_args': 'use_remoteexec=true use_siso=true',
 },
 
 'release':{
diff --git a/deps/v8/src/compiler/representation-change.cc b/deps/v8/src/compiler/representation-change.cc
@@ -1323,7 +1323,12 @@ Node* RepresentationChanger::GetWord64RepresentationFor(
 }
 } else if (output_rep == MachineRepresentation::kTaggedSigned){
 if (output_type.Is(Type::SignedSmall())){
- op = simplified()->ChangeTaggedSignedToInt64();
+ if (output_type.IsRange() && output_type.AsRange()->Min() >= 0){
+ node = InsertChangeTaggedSignedToInt32(node);
+ op = machine()->ChangeUint32ToUint64();
+ } else{
+ op = simplified()->ChangeTaggedSignedToInt64();
+ }
 } else{
 return TypeError(node, output_rep, output_type,
 MachineRepresentation::kWord64);
diff --git a/deps/v8/src/compiler/turboshaft/late-load-elimination-reducer.cc b/deps/v8/src/compiler/turboshaft/late-load-elimination-reducer.cc
@@ -409,11 +409,17 @@ void LateLoadEliminationAnalyzer::ProcessStore(OpIndex op_idx,
 non_aliasing_objects_.Set(value, false);
 }
 
- // If we just stored a map, invalidate the maps for this base.
+ // If we just stored a map, invalidate all object_maps_.
 if (store.offset == HeapObject::kMapOffset && !store.index().valid()){
- if (object_maps_.HasKeyFor(store.base())){
- TRACE(">> Wiping map\n");
- object_maps_.Set(store.base(), MapMaskAndOr{});
+ // TODO(dmercadier): can we only do this for objects that are potentially
+ // aliasing with the `base` (based on their maps and the maps of `base`)?
+ // Also, it might be worth to record a new map if this is actually a map
+ // store.
+ // TODO(dmercadier): do this only if `value` is a Constant with kind
+ // kHeapObject, since all map stores should store a known constant maps.
+ TRACE(">> Wiping all maps\n");
+ for (auto it : object_maps_){
+ object_maps_.Set(it.second, MapMaskAndOr{});
 }
 }
 }
diff --git a/deps/v8/src/compiler/turboshaft/snapshot-table-opindex.h b/deps/v8/src/compiler/turboshaft/snapshot-table-opindex.h
@@ -60,6 +60,9 @@ class SparseOpIndexSnapshotTable : public SnapshotTable<Value, KeyData>{
 return std::nullopt;
 }
 
+ auto begin(){return indices_to_keys_.begin()}
+ auto end(){return indices_to_keys_.end()}
+
 private:
 Key GetOrCreateKey(OpIndex idx){
 auto it = indices_to_keys_.find(idx);
diff --git a/deps/v8/src/compiler/turboshaft/store-store-elimination-phase.cc b/deps/v8/src/compiler/turboshaft/store-store-elimination-phase.cc
@@ -18,6 +18,9 @@
 namespace v8::internal::compiler::turboshaft{
 
 void StoreStoreEliminationPhase::Run(PipelineData* data, Zone* temp_zone){
+ UnparkedScopeIfNeeded unparked_scope(
+ data->broker(), v8_flags.turboshaft_trace_load_elimination);
+
 turboshaft::CopyingPhase<
 LoopStackCheckElisionReducer, StoreStoreEliminationReducer,
 LateLoadEliminationReducer, MachineOptimizationReducer,
diff --git a/deps/v8/src/compiler/turboshaft/store-store-elimination-reducer-inl.h b/deps/v8/src/compiler/turboshaft/store-store-elimination-reducer-inl.h
@@ -325,10 +325,11 @@ class RedundantStoreAnalysis{
 // TODO(nicohartmann@): Use the new effect flags to distinguish heap
 // access once available.
 const bool is_on_heap_store = store.kind.tagged_base;
- const bool is_field_store = !store.index().valid();
+ const bool is_fixed_offset_store = !store.index().valid();
 const uint8_t size = store.stored_rep.SizeInBytes();
- // For now we consider only stores of fields of objects on the heap.
- if (is_on_heap_store && is_field_store){
+ // For now we consider only stores of fixed offsets of objects on the
+ // heap.
+ if (is_on_heap_store && is_fixed_offset_store){
 bool is_eliminable_store = false;
 switch (table_.GetObservability(store.base(), store.offset, size)){
 case StoreObservability::kUnobservable:
@@ -415,11 +416,16 @@ class RedundantStoreAnalysis{
 // TODO(nicohartmann@): Use the new effect flags to distinguish heap
 // access once available.
 const bool is_on_heap_load = load.kind.tagged_base;
- const bool is_field_load = !load.index().valid();
+ const bool is_fixed_offset_load = !load.index().valid();
 // For now we consider only loads of fields of objects on the heap.
- if (is_on_heap_load && is_field_load){
- table_.MarkPotentiallyAliasingStoresAsObservable(load.base(),
- load.offset);
+ if (is_on_heap_load){
+ if (is_fixed_offset_load){
+ table_.MarkPotentiallyAliasingStoresAsObservable(load.base(),
+ load.offset);
+ } else{
+ // A dynamically indexed load might alias any fixed offset.
+ table_.MarkAllStoresAsObservable();
+ }
 }
 break;
 }
diff --git a/deps/v8/src/flags/flag-definitions.h b/deps/v8/src/flags/flag-definitions.h
@@ -1618,6 +1618,8 @@ DEFINE_BOOL_READONLY(turboshaft_trace_emitted, false,
 "trace emitted Turboshaft instructions")
 DEFINE_BOOL_READONLY(turboshaft_trace_intermediate_reductions, false,
 "trace intermediate Turboshaft reduction steps")
+DEFINE_BOOL_READONLY(turboshaft_trace_load_elimination, false,
+ "trace Turboshaft's late load elimination")
 #endif // DEBUG
 
 DEFINE_BOOL(profile_guided_optimization, true, "profile guided optimization")
diff --git a/deps/v8/src/objects/js-regexp.cc b/deps/v8/src/objects/js-regexp.cc
@@ -190,10 +190,14 @@ bool IsLineTerminator(int c){
 // WriteEscapedRegExpSource into a single function to deduplicate dispatch logic
 // and move related code closer to each other.
 template <typename Char>
-int CountAdditionalEscapeChars(DirectHandle<String> source,
- bool* needs_escapes_out){
+uint32_t CountAdditionalEscapeChars(DirectHandle<String> source,
+ bool* needs_escapes_out){
 DisallowGarbageCollection no_gc;
- int escapes = 0;
+ uint32_t escapes = 0;
+ // The maximum growth-factor is 5 (for \u2028 and \u2029). Make sure that we
+ // won't overflow |escapes| given the current constraints on string length.
+ static_assert(uint64_t{String::kMaxLength} * 5 <
+ std::numeric_limits<decltype(escapes)>::max());
 bool needs_escapes = false;
 bool in_character_class = false;
 base::Vector<const Char> src = source->GetCharVector<Char>(no_gc);
@@ -232,14 +236,14 @@ int CountAdditionalEscapeChars(DirectHandle<String> source,
 }
 }
 DCHECK(!in_character_class);
- DCHECK_GE(escapes, 0);
 DCHECK_IMPLIES(escapes != 0, needs_escapes);
 *needs_escapes_out = needs_escapes;
 return escapes;
 }
 
 template <typename Char>
-void WriteStringToCharVector(base::Vector<Char> v, int* d, const char* string){
+void WriteStringToCharVector(base::Vector<Char> v, uint32_t* d,
+ const char* string){
 int s = 0;
 while (string[s] != '\0') v[(*d)++] = string[s++];
 }
@@ -250,21 +254,21 @@ DirectHandle<StringType> WriteEscapedRegExpSource(
 DisallowGarbageCollection no_gc;
 base::Vector<const Char> src = source->GetCharVector<Char>(no_gc);
 base::Vector<Char> dst(result->GetChars(no_gc), result->length());
- int s = 0;
- int d = 0;
+ uint32_t s = 0;
+ uint32_t d = 0;
 bool in_character_class = false;
- while (s < src.length()){
+ while (s < src.size()){
 const Char c = src[s];
 if (c == '\\'){
- if (s + 1 < src.length() && IsLineTerminator(src[s + 1])){
+ if (s + 1 < src.size() && IsLineTerminator(src[s + 1])){
 // This '\' is ignored since the next character itself will be escaped.
 s++;
 continue;
 } else{
 // Escape. Copy this and next character.
 dst[d++] = src[s++];
 }
- if (s == src.length()) break;
+ if (s == src.size()) break;
 } else if (c == '/' && !in_character_class){
 // Not escaped forward-slash needs escape.
 dst[d++] = '\\';
@@ -304,11 +308,13 @@ MaybeDirectHandle<String> EscapeRegExpSource(Isolate* isolate,
 if (source->length() == 0) return isolate->factory()->query_colon_string();
 bool one_byte = String::IsOneByteRepresentationUnderneath(*source);
 bool needs_escapes = false;
- int additional_escape_chars =
+ uint32_t additional_escape_chars =
 one_byte ? CountAdditionalEscapeChars<uint8_t>(source, &needs_escapes)
 : CountAdditionalEscapeChars<base::uc16>(source, &needs_escapes);
 if (!needs_escapes) return source;
- int length = source->length() + additional_escape_chars;
+ DCHECK_LE(static_cast<uint64_t>(source->length()) + additional_escape_chars,
+ std::numeric_limits<uint32_t>::max());
+ uint32_t length = source->length() + additional_escape_chars;
 if (one_byte){
 DirectHandle<SeqOneByteString> result;
 ASSIGN_RETURN_ON_EXCEPTION(isolate, result,
diff --git a/deps/v8/src/wasm/canonical-types.h b/deps/v8/src/wasm/canonical-types.h
@@ -356,7 +356,8 @@ class TypeCanonicalizer{
 const bool indexed = type1.has_index();
 if (indexed != type2.has_index()) return false;
 if (indexed){
- return EqualTypeIndex(type1.ref_index(), type2.ref_index());
+ return type1.is_equal_except_index(type2) &&
+ EqualTypeIndex(type1.ref_index(), type2.ref_index());
 }
 return type1 == type2;
 }
diff --git a/deps/v8/src/wasm/value-type.h b/deps/v8/src/wasm/value-type.h
@@ -1061,6 +1061,10 @@ class CanonicalValueType : public ValueTypeBase{
 return bit_field_ == other.bit_field_;
 }
 
+ constexpr bool is_equal_except_index(CanonicalValueType other) const{
+ return (bit_field_ & ~kIndexBits) == (other.bit_field_ & ~kIndexBits);
+ }
+
 constexpr bool IsFunctionType() const{
 return ref_type_kind() == RefTypeKind::kFunction;
 }
diff --git a/deps/v8/test/mjsunit/turboshaft/regress-417169470-1.js b/deps/v8/test/mjsunit/turboshaft/regress-417169470-1.js
@@ -0,0 +1,24 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --turbofan
+
+function foo(a, b, c){
+ a.x = 42;
+ b.y = 99; // Transitioning store
+ c.x = 17;
+ return a.x;
+}
+
+// Using a constructor so that we don't go out of object when creating the .y
+// property in foo.
+function MyObject(){this.x = 27}
+let o1 = new MyObject();
+let o2 = new MyObject();
+
+%PrepareFunctionForOptimization(foo);
+assertEquals(17, foo(o1, o1, o1));
+
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(17, foo(o2, o2, o2));
diff --git a/deps/v8/test/mjsunit/turboshaft/regress-417169470-2.js b/deps/v8/test/mjsunit/turboshaft/regress-417169470-2.js
@@ -0,0 +1,21 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --turbofan
+
+function foo(a, b, c){
+ a.x = 42;
+ b.y = 99; // Transitioning store
+ c.x = 17;
+ return a.x;
+}
+
+let o1 ={x : 27 };
+let o2 ={x : 27 };
+
+%PrepareFunctionForOptimization(foo);
+assertEquals(17, foo(o1, o1, o1));
+
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(17, foo(o2, o2, o2));
diff --git a/deps/v8/test/mjsunit/turboshaft/regress-417169470-3.js b/deps/v8/test/mjsunit/turboshaft/regress-417169470-3.js
@@ -0,0 +1,31 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --turbofan
+
+function foo(a, b, c){
+ a.x = 42;
+ b.y = 99; // Transitioning store
+ c.x = 17;
+ return a.x;
+}
+
+let o1 ={x : 27 };
+// If we add additional properties, we need to add at least 2 so that `b.y = 99`
+// doesn't end up at offset 12, because that's also the offset of .x (which is
+// in-object rather than out-of-object), and because we don't have map
+// information for backing stores in Late load elimination, we'll assume that
+// the store at b.y can alias with the a.x that was previously loaded.
+o1.unused1 = 12;
+o1.unused2 = 12;
+
+let o2 ={x : 27 };
+o2.unused1 = 12;
+o2.unused2 = 12;
+
+%PrepareFunctionForOptimization(foo);
+assertEquals(17, foo(o1, o1, o1));
+
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(17, foo(o2, o2, o2));
diff --git a/deps/v8/test/mjsunit/turboshaft/regress-417169470-4.js b/deps/v8/test/mjsunit/turboshaft/regress-417169470-4.js
@@ -0,0 +1,31 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --turbofan
+
+function opt(){
+ const nop = 0;
+ const empty ={};
+ const a ={p1: 42.42};
+
+ function foo(b){
+ nop;
+
+ a.p4 = 42;
+ b.p2 = 42;
+ b.p5 = empty;
+ a.p6 = 41.414;
+ }
+
+ a.p3 = 42;
+ a.p4 = 42;
+
+ for (let i = 0; i < 300; i++){
+ foo(a);
+ }
+}
+
+opt();
+opt();
+opt();

Original file line number	Diff line number	Diff line change
`@@ -409,11 +409,17 @@ void LateLoadEliminationAnalyzer::ProcessStore(OpIndex op_idx,`
`409`	`409`	`non_aliasing_objects_.Set(value, false);`
`410`	`410`	`}`
`411`	`411`
`412`		`- // If we just stored a map, invalidate the maps for this base.`
	`412`	`+ // If we just stored a map, invalidate all object_maps_.`
`413`	`413`	`if (store.offset == HeapObject::kMapOffset && !store.index().valid()){`
`414`		`- if (object_maps_.HasKeyFor(store.base())){`
`415`		`- TRACE(">> Wiping map\n");`
`416`		`- object_maps_.Set(store.base(), MapMaskAndOr{});`
	`414`	`+ // TODO(dmercadier): can we only do this for objects that are potentially`
	`415`	+ // aliasing with the `base` (based on their maps and the maps of `base`)?
	`416`	`+ // Also, it might be worth to record a new map if this is actually a map`
	`417`	`+ // store.`
	`418`	+ // TODO(dmercadier): do this only if `value` is a Constant with kind
	`419`	`+ // kHeapObject, since all map stores should store a known constant maps.`
	`420`	`+ TRACE(">> Wiping all maps\n");`
	`421`	`+ for (auto it : object_maps_){`
	`422`	`+ object_maps_.Set(it.second, MapMaskAndOr{});`
`417`	`423`	`}`
`418`	`424`	`}`
`419`	`425`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,9 @@ class SparseOpIndexSnapshotTable : public SnapshotTable<Value, KeyData>{`
`60`	`60`	`return std::nullopt;`
`61`	`61`	`}`
`62`	`62`
	`63`	`+ auto begin(){return indices_to_keys_.begin()}`
	`64`	`+ auto end(){return indices_to_keys_.end()}`
	`65`	`+`
`63`	`66`	`private:`
`64`	`67`	`Key GetOrCreateKey(OpIndex idx){`
`65`	`68`	`auto it = indices_to_keys_.find(idx);`