nodejs · nodejs-github-bot · Oct 17, 2023 · Oct 10, 2023
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 11
 #define V8_MINOR_VERSION 8
 #define V8_BUILD_NUMBER 172
-#define V8_PATCH_LEVEL 13
+#define V8_PATCH_LEVEL 15
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

diff --git a/deps/v8/src/compiler/js-call-reducer.cc b/deps/v8/src/compiler/js-call-reducer.cc
@@ -6381,8 +6381,11 @@ Reduction JSCallReducer::ReduceArrayIterator(Node* node,
     }
   }
 
+  // JSCreateArrayIterator doesn't have control output, so we bypass the old
+  // JSCall node on the control chain.
+  ReplaceWithValue(node, node, node, control);
+
   // Morph the {node} into a JSCreateArrayIterator with the given {kind}.
-  RelaxControls(node);
   node->ReplaceInput(0, receiver);
   node->ReplaceInput(1, context);
   node->ReplaceInput(2, effect);

diff --git a/deps/v8/src/ic/ic.cc b/deps/v8/src/ic/ic.cc
@@ -3185,18 +3185,22 @@ bool CanFastCloneObjectWithDifferentMaps(Handle<Map> source_map,
                                          Handle<Map> target_map,
                                          Isolate* isolate) {
   DisallowGarbageCollection no_gc;
-  // TODO(olivf): Add support for non JS_OBJECT_TYPE source maps. The reason for
-  // this restriction is that the IC does not initialize the target object and
-  // instead relies on copying the source objects bytes. Thus they need to have
-  // the same binary layout.
+  // Ensure source and target have identical binary represenation of properties
+  // and elements as the IC relies on copying the raw bytes. This also excludes
+  // cases with non-enumerable properties or accessors on the source object.
   if (source_map->instance_type() != JS_OBJECT_TYPE ||
       target_map->instance_type() != JS_OBJECT_TYPE ||
       !source_map->OnlyHasSimpleProperties() ||
-      !target_map->OnlyHasSimpleProperties()) {
+      !target_map->OnlyHasSimpleProperties() ||
+      source_map->elements_kind() != target_map->elements_kind() ||
+      !source_map->has_fast_elements()) {
     return false;
   }
   // Check that the source inobject properties are big enough to initialize all
   // target slots, but not too big to fit.
+  // TODO(olivf): This restriction (and the same restriction on the backing
+  // store) could be lifted by properly initializing the target object instead
+  // of relying on copying empty slots.
   int source_inobj_properties = source_map->GetInObjectProperties();
   int target_inobj_properties = target_map->GetInObjectProperties();
   int source_used_inobj_properties =

diff --git a/deps/v8/test/mjsunit/compiler/regress-crbug-1486342.js b/deps/v8/test/mjsunit/compiler/regress-crbug-1486342.js
@@ -0,0 +1,25 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --jit-fuzzing
+
+const o13 = {
+  "maxByteLength": 5368789,
+};
+const v14 = new ArrayBuffer(129, o13);
+const v16 = new Uint16Array(v14);
+
+function f3(param) {
+  for (let i = 0; i < 5; i++) {
+    try {"resize".includes(v14); } catch (e) {}
+    v14.resize(3.0, ..."resize", ...v16);
+  }
+
+  let f = function() { return param; }
+}
+
+%PrepareFunctionForOptimization(f3);
+f3();
+%OptimizeFunctionOnNextCall(f3);
+f3();