deps: patch V8 to 7.9.317.23

Refs: v8/v8@7.9.317.20...7.9.317.23

PR-URL: #30560
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Jiawen Geng <[email protected]>

Author: MylesBorins

deps/v8/include/v8-version.h

@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 7
 #define V8_MINOR_VERSION 9
 #define V8_BUILD_NUMBER 317
-#define V8_PATCH_LEVEL 20
+#define V8_PATCH_LEVEL 23
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

deps/v8/src/execution/isolate.cc

@@ -4274,9 +4274,8 @@ void Isolate::AddDetachedContext(Handle<Context> context) {
   HandleScope scope(this);
   Handle<WeakArrayList> detached_contexts = factory()->detached_contexts();
   detached_contexts = WeakArrayList::AddToEnd(
-      this, detached_contexts, MaybeObjectHandle(Smi::kZero, this));
-  detached_contexts = WeakArrayList::AddToEnd(this, detached_contexts,
-                                              MaybeObjectHandle::Weak(context));
+      this, detached_contexts, MaybeObjectHandle(Smi::kZero, this),
+      MaybeObjectHandle::Weak(context));
   heap()->set_detached_contexts(*detached_contexts);
 }
 

deps/v8/src/objects/backing-store.cc

@@ -605,8 +605,14 @@ std::shared_ptr<BackingStore> GlobalBackingStoreRegistry::Lookup(
     return std::shared_ptr<BackingStore>();
   }
   auto backing_store = result->second.lock();
-  DCHECK_EQ(buffer_start, backing_store->buffer_start());
-  DCHECK_EQ(length, backing_store->byte_length());
+  CHECK_EQ(buffer_start, backing_store->buffer_start());
+  if (backing_store->is_wasm_memory()) {
+    // Grow calls to shared WebAssembly threads can be triggered from different
+    // workers, length equality cannot be guaranteed here.
+    CHECK_LE(length, backing_store->byte_length());
+  } else {
+    CHECK_EQ(length, backing_store->byte_length());
+  }
   return backing_store;
 }
 

deps/v8/src/objects/fixed-array.h

@@ -338,6 +338,12 @@ class WeakArrayList : public HeapObject {
       Isolate* isolate, Handle<WeakArrayList> array,
       const MaybeObjectHandle& value);
 
+  // A version that adds to elements. This ensures that the elements are
+  // inserted atomically w.r.t GC.
+  V8_EXPORT_PRIVATE static Handle<WeakArrayList> AddToEnd(
+      Isolate* isolate, Handle<WeakArrayList> array,
+      const MaybeObjectHandle& value1, const MaybeObjectHandle& value2);
+
   inline MaybeObject Get(int index) const;
   inline MaybeObject Get(Isolate* isolate, int index) const;
 

deps/v8/src/objects/objects.cc

@@ -3951,6 +3951,20 @@ Handle<WeakArrayList> WeakArrayList::AddToEnd(Isolate* isolate,
   return array;
 }
 
+Handle<WeakArrayList> WeakArrayList::AddToEnd(Isolate* isolate,
+                                              Handle<WeakArrayList> array,
+                                              const MaybeObjectHandle& value1,
+                                              const MaybeObjectHandle& value2) {
+  int length = array->length();
+  array = EnsureSpace(isolate, array, length + 2);
+  // Reload length; GC might have removed elements from the array.
+  length = array->length();
+  array->Set(length, *value1);
+  array->Set(length + 1, *value2);
+  array->set_length(length + 2);
+  return array;
+}
+
 bool WeakArrayList::IsFull() { return length() == capacity(); }
 
 // static

deps/v8/src/wasm/wasm-objects.cc

@@ -1375,7 +1375,12 @@ int32_t WasmMemoryObject::Grow(Isolate* isolate,
                                                     new_pages);
         // Broadcasting the update should update this memory object too.
         CHECK_NE(*old_buffer, memory_object->array_buffer());
-        CHECK_EQ(new_byte_length, memory_object->array_buffer().byte_length());
+        // This is a less than check, as it is not guaranteed that the SAB
+        // length here will be equal to the stashed length above as calls to
+        // grow the same memory object can come in from different workers.
+        // It is also possible that a call to Grow was in progress when
+        // handling this call.
+        CHECK_LE(new_byte_length, memory_object->array_buffer().byte_length());
         return static_cast<int32_t>(old_pages);  // success
       }
     }

deps/v8/test/mjsunit/mjsunit.status

@@ -930,6 +930,9 @@
   # Deadlocks on predictable platform (https://crbug.com/v8/9760).
   'wasm/async-compile': [SKIP],
   'wasm/streaming-compile': [SKIP],
+
+  # Race between postMessage and wasm memory.grow. (https://crbug.com/1010272).
+  'regress/wasm/regress-1010272': [SKIP],
 }],  # 'predictable == True'
 
 ##############################################################################

deps/v8/test/mjsunit/regress/regress-1016703.js

@@ -0,0 +1,15 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+
+let realms = [];
+for (let i = 0; i < 4; i++) {
+  realms.push(Realm.createAllowCrossRealmAccess());
+}
+
+for (let i = 0; i < 4; i++) {
+  Realm.detachGlobal(realms[i]);
+  gc();
+}

deps/v8/test/mjsunit/regress/wasm/regress-1010272.js

@@ -0,0 +1,30 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-grow-shared-memory --experimental-wasm-threads
+
+const kNumWorkers = 100;
+const kNumMessages = 50;
+
+function AllocMemory(initial, maximum = initial) {
+  return new WebAssembly.Memory({initial : initial, maximum : maximum, shared : true});
+}
+
+(function RunTest() {
+  let worker = [];
+  for (let w = 0; w < kNumWorkers; w++) {
+    worker[w] = new Worker(
+        `onmessage =
+        function(msg) {
+          msg.memory.grow(1);
+        }`, {type : 'string'});
+  }
+
+  for (let i = 0; i < kNumMessages; i++) {
+    let memory = AllocMemory(1, 128);
+    for (let w = 0; w < kNumWorkers; w++) {
+      worker[w].postMessage({memory : memory});
+    }
+  }
+})();