diff --git a/patches/v8/.patches b/patches/v8/.patches index 4c5e530a4b41..fef333e6056c 100644 --- a/patches/v8/.patches +++ b/patches/v8/.patches @@ -9,3 +9,4 @@ fix_disable_implies_dcheck_for_node_stream_array_buffers.patch revert_runtime_dhceck_terminating_exception_in_microtasks.patch chore_disable_is_execution_terminating_dcheck.patch force_cppheapcreateparams_to_be_noncopyable.patch +cherry-pick-32b7dc86a763.patch diff --git a/patches/v8/cherry-pick-32b7dc86a763.patch b/patches/v8/cherry-pick-32b7dc86a763.patch new file mode 100644 index 000000000000..c6cd67e67b63 --- /dev/null +++ b/patches/v8/cherry-pick-32b7dc86a763.patch @@ -0,0 +1,65 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Igor Sheludko +Date: Thu, 1 Dec 2022 16:05:49 +0100 +Subject: Fix DCHECKs in VisitSpillSlot +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +... to match new encoding of the forwarding pointers. + +Bug: v8:11880, chromium:1393256 +Change-Id: I8bc8183c22ef8933c02470d5c8ed77cf83489e0f +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4069706 +Commit-Queue: Igor Sheludko +Auto-Submit: Igor Sheludko +Reviewed-by: Dominik Inführ +Cr-Commit-Position: refs/heads/main@{#84601} + +diff --git a/src/execution/frames.cc b/src/execution/frames.cc +index 5065f5fe3bab7d8a9aca3db98754339ed86b0907..6dfdda7059cafb8a5bf597cd61b46fdb3177ddeb 100644 +--- a/src/execution/frames.cc ++++ b/src/execution/frames.cc +@@ -1119,8 +1119,8 @@ void VisitSpillSlot(Isolate* isolate, RootVisitor* v, + ? map_word.ToForwardingAddress(raw) + : raw; + bool is_self_forwarded = +- forwarded.map_word(cage_base, kRelaxedLoad).ptr() == +- forwarded.address(); ++ forwarded.map_word(cage_base, kRelaxedLoad) == ++ MapWord::FromForwardingAddress(forwarded, forwarded); + if (is_self_forwarded) { + // The object might be in a self-forwarding state if it's located + // in new large object space. GC will fix this at a later stage. +diff --git a/src/objects/objects.h b/src/objects/objects.h +index a40a169ce5d2b14e4b973cc1c5e6b4d986cbb314..2fa31a912c75a832cc0e051dfd54f4cd1ac50a79 100644 +--- a/src/objects/objects.h ++++ b/src/objects/objects.h +@@ -904,7 +904,17 @@ class MapWord { + // View this map word as a forwarding address. + inline HeapObject ToForwardingAddress(HeapObject map_word_host); + +- inline Address ptr() { return value_; } ++ constexpr inline Address ptr() const { return value_; } ++ ++ // When pointer compression is enabled, MapWord is uniquely identified by ++ // the lower 32 bits. On the other hand full-value comparison is not correct ++ // because map word in a forwarding state might have corrupted upper part. ++ constexpr bool operator==(MapWord other) const { ++ return static_cast(ptr()) == static_cast(other.ptr()); ++ } ++ constexpr bool operator!=(MapWord other) const { ++ return static_cast(ptr()) != static_cast(other.ptr()); ++ } + + #ifdef V8_MAP_PACKING + static constexpr Address Pack(Address map) { +@@ -929,7 +939,7 @@ class MapWord { + template + friend class TaggedField; + +- explicit MapWord(Address value) : value_(value) {} ++ explicit constexpr MapWord(Address value) : value_(value) {} + + Address value_; + };