deps: V8: cherry-pick 47800791b35c

jakobkummerow · targos · commit b59af772dc76 · 2025-11-13T15:09:30.000+01:00
Original commit message: [wasm] Fix DCHECK in AtomicWait after memory growth With the changes in crrev.com/c/7003085, calling memory.grow() via the JS API didn't immediately update the memory's array buffer any more, which triggered a DCHECK in the runtime functions for atomic waits. This patch restores immediate updating of the buffer for the current isolate, which maintains the other CL's goal to not allocate on loop back edges. Fixed: 454991459 Change-Id: Id633cebb9ac24606bc0d8a3df703c74531d3c8a0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7100806 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#103431} Refs: v8/v8@4780079 PR-URL: #60488 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com>
diff --git a/common.gypi b/common.gypi
@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.7',
+    'v8_embedder_string': '-node.8',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/v8/src/wasm/wasm-objects.cc b/deps/v8/src/wasm/wasm-objects.cc
@@ -1207,6 +1207,9 @@ int32_t WasmMemoryObject::Grow(Isolate* isolate,
     if (!old_buffer->is_resizable_by_js()) {
       // Broadcasting the update should update this memory object too.
       CHECK(memory_object->needs_new_buffer());
+      // For the current isolate, immediately update the buffer.
+      RefreshSharedBuffer(isolate, memory_object, old_buffer,
+                          ResizableFlag::kNotResizable);
     }
     // As {old_pages} was read racefully, we return here the synchronized
     // value provided by {GrowWasmMemoryInPlace}, to provide the atomic
diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-454991459.js b/deps/v8/test/mjsunit/regress/wasm/regress-454991459.js
@@ -0,0 +1,20 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+let memory = new WebAssembly.Memory({ initial: 1, maximum: 2, shared: true });
+let builder = new WasmModuleBuilder();
+builder.addImportedMemory("m", "memory", 1, 2, "shared");
+builder.addFunction("wait", kSig_i_ii)
+  .addBody([
+    kExprLocalGet, 0, // address
+    kExprLocalGet, 1, // expected_value
+    kExprI64Const, 0, // timeout
+    kAtomicPrefix, kExprI32AtomicWait, 2, 0
+  ])
+  .exportFunc();
+let instance = builder.instantiate({m: {memory}});
+memory.grow(1);
+instance.exports.wait(kPageSize);
