authorMichaël Zasso <targos@protonmail.com>2021-04-17 10:36:55 +0300
committerMichaël Zasso <targos@protonmail.com>2021-04-29 14:45:23 +0300
commit05f41cdbccac9bc6b6e2bd9ff9c6aec5a024a92b (patch)
treeab1dedc13b1ee29d29fa3b05b05d427d9761518c /deps
parent29faf0f12e2056a6c5780cc0cac6405ba724fa9a (diff)
deps: patch V8 to 9.0.257.19
Refs: https://github.com/v8/v8/compare/9.0.257.17...9.0.257.19 PR-URL: https://github.com/nodejs/node/pull/38270 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Diffstat (limited to 'deps')
-rw-r--r--deps/v8/AUTHORS1
-rw-r--r--deps/v8/include/v8-version.h2
-rw-r--r--deps/v8/src/builtins/builtins-array.cc24
-rw-r--r--deps/v8/src/compiler/representation-change.cc8
-rw-r--r--deps/v8/src/objects/fixed-array-inl.h6
-rw-r--r--deps/v8/src/objects/map-updater.cc17
-rw-r--r--deps/v8/test/mjsunit/compiler/regress-1195777.js62
-rw-r--r--deps/v8/test/mjsunit/regress/regress-crbug-1195331.js36
8 files changed, 139 insertions, 17 deletions
diff --git a/deps/v8/AUTHORS b/deps/v8/AUTHORS
index 42a9f29d89a..aa6d32302b3 100644
--- a/deps/v8/AUTHORS
+++ b/deps/v8/AUTHORS
@@ -69,6 +69,7 @@ Ben Newman <ben@meteor.com>
Ben Noordhuis <info@bnoordhuis.nl>
Benjamin Tan <demoneaux@gmail.com>
Bert Belder <bertbelder@gmail.com>
+Brendon Tiszka <btiszka@gmail.com>
Brice Dobry <brice.dobry@futurewei.com>
Burcu Dogan <burcujdogan@gmail.com>
Caitlin Potter <caitpotter88@gmail.com>
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 4826580f7b1..9ba8fc6d2ea 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 9
#define V8_MINOR_VERSION 0
#define V8_BUILD_NUMBER 257
-#define V8_PATCH_LEVEL 17
+#define V8_PATCH_LEVEL 19
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/builtins/builtins-array.cc b/deps/v8/src/builtins/builtins-array.cc
index 0c3707cee4b..ea21a19a86f 100644
--- a/deps/v8/src/builtins/builtins-array.cc
+++ b/deps/v8/src/builtins/builtins-array.cc
@@ -650,11 +650,14 @@ class ArrayConcatVisitor {
index_offset_(0u),
bit_field_(FastElementsField::encode(fast_elements) |
ExceedsLimitField::encode(false) |
- IsFixedArrayField::encode(storage->IsFixedArray()) |
+ IsFixedArrayField::encode(storage->IsFixedArray(isolate)) |
HasSimpleElementsField::encode(
- storage->IsFixedArray() ||
- !storage->map().IsCustomElementsReceiverMap())) {
- DCHECK(!(this->fast_elements() && !is_fixed_array()));
+ storage->IsFixedArray(isolate) ||
+ // Don't take fast path for storages that might have
+ // side effects when storing to them.
+ (!storage->map(isolate).IsCustomElementsReceiverMap() &&
+ !storage->IsJSTypedArray(isolate)))) {
+ DCHECK_IMPLIES(this->fast_elements(), is_fixed_array());
}
~ArrayConcatVisitor() { clear_storage(); }
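Review bot: The fast-path guard in the ArrayConcatVisitor constructor is a denylist: `!storage->map(isolate).IsCustomElementsReceiverMap() && !storage->IsJSTypedArray(isolate)` names the storage kinds known to have side effects on store, so any other non-FixedArray storage still gets has_simple_elements set. The added comment should say which side effect typed arrays have (presumably value coercion on element store, which can call back into user code), e.g. `// JSTypedArray stores coerce the value and may run user code.`, so the next exotic storage kind is recognised as belonging in this list. The diffstat lists tests only for the compiler and map-updater changes, so nothing visible in this commit pins this condition; a regression test for concat into typed-array storage would be worth carrying if upstream has one. The constructor begins outside the hunk.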
@@ -1065,8 +1068,8 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
return IterateElementsSlow(isolate, receiver, length, visitor);
}
- if (!HasOnlySimpleElements(isolate, *receiver) ||
- !visitor->has_simple_elements()) {
+ if (!visitor->has_simple_elements() ||
+ !HasOnlySimpleElements(isolate, *receiver)) {
return IterateElementsSlow(isolate, receiver, length, visitor);
}
Handle<JSObject> array = Handle<JSObject>::cast(receiver);
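Review bot: The reordered condition in IterateElements puts `!visitor->has_simple_elements()` ahead of `!HasOnlySimpleElements(isolate, *receiver)` with no comment saying whether the order matters. Because `||` short-circuits, the receiver is now not inspected at all when the visitor's storage already rules out the fast path. If that is intended rather than cosmetic, a line such as `// Visitor first: storage with store side effects rules out the fast path regardless of the receiver.` would stop a later cleanup from swapping the operands back. The function starts and ends outside the hunk.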
@@ -1082,6 +1085,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
case HOLEY_SEALED_ELEMENTS:
case HOLEY_NONEXTENSIBLE_ELEMENTS:
case HOLEY_ELEMENTS: {
+ // Disallow execution so the cached elements won't change mid execution.
+ DisallowJavascriptExecution no_js(isolate);
+
// Run through the elements FixedArray and use HasElement and GetElement
// to check the prototype for missing elements.
Handle<FixedArray> elements(FixedArray::cast(array->elements()), isolate);
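Review bot: `DisallowJavascriptExecution no_js(isolate);` is scoped over the whole HOLEY_ELEMENTS case, which per the existing comment still calls HasElement and GetElement for holes; the same scope is added to the double-elements and DICTIONARY_ELEMENTS cases in the next two hunks. Those lookups are only compatible with the scope if the earlier `HasOnlySimpleElements` check guarantees they cannot reach accessors or proxies, and the loop bodies lie outside these hunks, so that cannot be confirmed from here. As far as I know a violation of this scope is fatal rather than a catchable exception, so the comment should state the dependency and the consequence, e.g. `// No user JS may run while elements is cached; HasElement/GetElement below rely on HasOnlySimpleElements. A violation aborts.`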
@@ -1108,6 +1114,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
}
case HOLEY_DOUBLE_ELEMENTS:
case PACKED_DOUBLE_ELEMENTS: {
+ // Disallow execution so the cached elements won't change mid execution.
+ DisallowJavascriptExecution no_js(isolate);
+
// Empty array is FixedArray but not FixedDoubleArray.
if (length == 0) break;
// Run through the elements FixedArray and use HasElement and GetElement
@@ -1144,6 +1153,9 @@ bool IterateElements(Isolate* isolate, Handle<JSReceiver> receiver,
}
case DICTIONARY_ELEMENTS: {
+ // Disallow execution so the cached dictionary won't change mid execution.
+ DisallowJavascriptExecution no_js(isolate);
+
Handle<NumberDictionary> dict(array->element_dictionary(), isolate);
std::vector<uint32_t> indices;
indices.reserve(dict->Capacity() / 2);
diff --git a/deps/v8/src/compiler/representation-change.cc b/deps/v8/src/compiler/representation-change.cc
index 64b274cdccd..3d937ada1e7 100644
--- a/deps/v8/src/compiler/representation-change.cc
+++ b/deps/v8/src/compiler/representation-change.cc
@@ -949,10 +949,10 @@ Node* RepresentationChanger::GetWord32RepresentationFor(
return node;
} else if (output_rep == MachineRepresentation::kWord64) {
if (output_type.Is(Type::Signed32()) ||
- output_type.Is(Type::Unsigned32())) {
- op = machine()->TruncateInt64ToInt32();
- } else if (output_type.Is(cache_->kSafeInteger) &&
- use_info.truncation().IsUsedAsWord32()) {
+ (output_type.Is(Type::Unsigned32()) &&
+ use_info.type_check() == TypeCheckKind::kNone) ||
+ (output_type.Is(cache_->kSafeInteger) &&
+ use_info.truncation().IsUsedAsWord32())) {
op = machine()->TruncateInt64ToInt32();
} else if (use_info.type_check() == TypeCheckKind::kSignedSmall ||
use_info.type_check() == TypeCheckKind::kSigned32 ||
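Review bot: The merged condition in GetWord32RepresentationFor has no comment explaining why `Type::Signed32()` truncates unconditionally while `Type::Unsigned32()` now also requires `use_info.type_check() == TypeCheckKind::kNone`. That asymmetry is what the fix depends on: an Unsigned32 value can be above INT32_MAX, so a use that asks for a kSigned32 or kSignedSmall check has to fall through to the checked branch that follows instead of being truncated silently. I would add `// Unsigned32 may exceed kMaxInt: truncate only for unchecked uses; checked uses take the branches below.` above the Unsigned32 disjunct. The function starts and ends outside the hunk, so the checked branches are only partly visible.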
diff --git a/deps/v8/src/objects/fixed-array-inl.h b/deps/v8/src/objects/fixed-array-inl.h
index b743d15ad89..bfd7d9563bc 100644
--- a/deps/v8/src/objects/fixed-array-inl.h
+++ b/deps/v8/src/objects/fixed-array-inl.h
@@ -368,7 +368,7 @@ int Search(T* array, Name name, int valid_entries, int* out_insertion_index,
double FixedDoubleArray::get_scalar(int index) {
DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() &&
map() != GetReadOnlyRoots().fixed_array_map());
- DCHECK(index >= 0 && index < this->length());
+ DCHECK_LT(static_cast<unsigned>(index), static_cast<unsigned>(length()));
DCHECK(!is_the_hole(index));
return ReadField<double>(kHeaderSize + index * kDoubleSize);
}
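Review bot: The new `DCHECK_LT(static_cast<unsigned>(index), static_cast<unsigned>(length()))` in get_scalar, and the same line added to get_representation, set and set_the_hole in the following hunks, is a debug-only assertion, so release builds still compute `kHeaderSize + index * kDoubleSize` from an unchecked index. That is presumably deliberate for these hot accessors, but it means the bounds guarantee has to come from every caller; set and set_the_hole show no removed bounds DCHECK in their hunks, so they appear to have had none before. The unsigned cast folds the old `index >= 0` test into the single comparison; a short comment on the first occurrence, `// Unsigned compare also rejects negative indices.`, would keep it from being read as a dropped check.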
@@ -376,7 +376,7 @@ double FixedDoubleArray::get_scalar(int index) {
uint64_t FixedDoubleArray::get_representation(int index) {
DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() &&
map() != GetReadOnlyRoots().fixed_array_map());
- DCHECK(index >= 0 && index < this->length());
+ DCHECK_LT(static_cast<unsigned>(index), static_cast<unsigned>(length()));
int offset = kHeaderSize + index * kDoubleSize;
// Bug(v8:8875): Doubles may be unaligned.
return base::ReadUnalignedValue<uint64_t>(field_address(offset));
@@ -394,6 +394,7 @@ Handle<Object> FixedDoubleArray::get(FixedDoubleArray array, int index,
void FixedDoubleArray::set(int index, double value) {
DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() &&
map() != GetReadOnlyRoots().fixed_array_map());
+ DCHECK_LT(static_cast<unsigned>(index), static_cast<unsigned>(length()));
int offset = kHeaderSize + index * kDoubleSize;
if (std::isnan(value)) {
WriteField<double>(offset, std::numeric_limits<double>::quiet_NaN());
@@ -410,6 +411,7 @@ void FixedDoubleArray::set_the_hole(Isolate* isolate, int index) {
void FixedDoubleArray::set_the_hole(int index) {
DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() &&
map() != GetReadOnlyRoots().fixed_array_map());
+ DCHECK_LT(static_cast<unsigned>(index), static_cast<unsigned>(length()));
int offset = kHeaderSize + index * kDoubleSize;
base::WriteUnalignedValue<uint64_t>(field_address(offset), kHoleNanInt64);
}
diff --git a/deps/v8/src/objects/map-updater.cc b/deps/v8/src/objects/map-updater.cc
index 95b435085e2..31841992dec 100644
--- a/deps/v8/src/objects/map-updater.cc
+++ b/deps/v8/src/objects/map-updater.cc
@@ -139,11 +139,20 @@ Handle<Map> MapUpdater::ReconfigureToDataField(InternalIndex descriptor,
if (old_details.constness() == PropertyConstness::kConst &&
old_details.location() == kField &&
old_details.attributes() != new_attributes_) {
+ // Ensure we'll be updating constness of the up-to-date version of old_map_.
+ Handle<Map> old_map = Map::Update(isolate_, old_map_);
+ PropertyDetails details =
+ old_map->instance_descriptors(kRelaxedLoad).GetDetails(descriptor);
Handle<FieldType> field_type(
- old_descriptors_->GetFieldType(modified_descriptor_), isolate_);
- Map::GeneralizeField(isolate_, old_map_, descriptor,
- PropertyConstness::kMutable,
- old_details.representation(), field_type);
+ old_map->instance_descriptors(kRelaxedLoad).GetFieldType(descriptor),
+ isolate_);
+ Map::GeneralizeField(isolate_, old_map, descriptor,
+ PropertyConstness::kMutable, details.representation(),
+ field_type);
+ DCHECK_EQ(PropertyConstness::kMutable,
+ old_map->instance_descriptors(kRelaxedLoad)
+ .GetDetails(descriptor)
+ .constness());
// The old_map_'s property must become mutable.
// Note, that the {old_map_} and {old_descriptors_} are not expected to be
// updated by the generalization if the map is already deprecated.
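Review bot: The new local `old_map` differs from the member `old_map_` by a single underscore, and the block now mixes both: the enclosing `if` tests `old_details` (presumably read from `old_map_` earlier in the function), while `GeneralizeField` receives `details` taken from the refreshed map. A name such as `Handle<Map> latest_old_map = Map::Update(isolate_, old_map_);` would make the stale/fresh split visible at each use. The trailing comment still reads "The old_map_'s property must become mutable", but the `DCHECK_EQ` just above it asserts mutability on the refreshed map, not on `old_map_`; the comment should say which map is meant. ReconfigureToDataField continues outside the hunk.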
diff --git a/deps/v8/test/mjsunit/compiler/regress-1195777.js b/deps/v8/test/mjsunit/compiler/regress-1195777.js
new file mode 100644
index 00000000000..b122f4f0169
--- /dev/null
+++ b/deps/v8/test/mjsunit/compiler/regress-1195777.js
@@ -0,0 +1,62 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+
+(function() {
+ function foo(b) {
+ let y = (new Date(42)).getMilliseconds();
+ let x = -1;
+ if (b) x = 0xFFFF_FFFF;
+ return y < Math.max(1 << y, x, 1 + y);
+ }
+ assertTrue(foo(true));
+ %PrepareFunctionForOptimization(foo);
+ assertTrue(foo(false));
+ %OptimizeFunctionOnNextCall(foo);
+ assertTrue(foo(true));
+})();
+
+
+(function() {
+ function foo(b) {
+ let x = 0;
+ if (b) x = -1;
+ return x == Math.max(-1, x >>> Infinity);
+ }
+ assertFalse(foo(true));
+ %PrepareFunctionForOptimization(foo);
+ assertTrue(foo(false));
+ %OptimizeFunctionOnNextCall(foo);
+ assertFalse(foo(true));
+})();
+
+
+(function() {
+ function foo(b) {
+ let x = -1;
+ if (b) x = 0xFFFF_FFFF;
+ return -1 < Math.max(0, x, -1);
+ }
+ assertTrue(foo(true));
+ %PrepareFunctionForOptimization(foo);
+ assertTrue(foo(false));
+ %OptimizeFunctionOnNextCall(foo);
+ assertTrue(foo(true));
+})();
+
+
+(function() {
+ function foo(b) {
+ let x = 0x7FFF_FFFF;
+ if (b) x = 0;
+ return 0 < (Math.max(-5 >>> x, -5) % -5);
+ }
+ assertTrue(foo(true));
+ %PrepareFunctionForOptimization(foo);
+ assertTrue(foo(false));
+ %OptimizeFunctionOnNextCall(foo);
+ assertTrue(foo(true));
+})();
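Review bot: None of the four cases says what it pins; a reader has to work out that each one routes a value that can exceed the int32 range (`0xFFFF_FFFF`, `x >>> Infinity`, `-5 >>> x`) into `Math.max` and compares the result before and after optimization. A one-line comment per case, e.g. `// Optimized code must agree with the interpreter when x is above INT32_MAX.`, would keep the test meaningful after later compiler changes. Each case also calls `foo` only once after `%OptimizeFunctionOnNextCall(foo)`; if mjsunit's `assertOptimized(foo)` is usable here, adding it would catch the test silently falling back to unoptimized code.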
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-1195331.js b/deps/v8/test/mjsunit/regress/regress-crbug-1195331.js
new file mode 100644
index 00000000000..1bced5623e4
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-1195331.js
@@ -0,0 +1,36 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let o1 = { a: 1, b: 0 };
+let o2 = { a: 2, b: 0 };
+assertTrue(%HaveSameMap(o1, o2));
+assertTrue(%HasOwnConstDataProperty(o1, "a"));
+assertTrue(%HasOwnConstDataProperty(o1, "b"));
+
+Object.defineProperty(o1, "b", {
+ value: 4.2, enumerable: true, configurable: true, writable: true,
+});
+assertFalse(%HaveSameMap(o1, o2));
+assertTrue(%HasOwnConstDataProperty(o1, "a"));
+assertFalse(%HasOwnConstDataProperty(o1, "b"));
+assertTrue(%HasOwnConstDataProperty(o2, "a"));
+assertTrue(%HasOwnConstDataProperty(o2, "b"));
+
+let o3 = { a: "foo", b: 0 };
+assertFalse(%HaveSameMap(o2, o3));
+assertTrue(%HasOwnConstDataProperty(o3, "a"));
+assertFalse(%HasOwnConstDataProperty(o3, "b"));
+
+Object.defineProperty(o2, "a", {
+ value:2, enumerable: false, configurable: true, writable: true,
+});
+assertFalse(%HasOwnConstDataProperty(o1, "a"));
+assertFalse(%HasOwnConstDataProperty(o1, "b"));
+assertFalse(%HasOwnConstDataProperty(o3, "a"));
+assertFalse(%HasOwnConstDataProperty(o3, "b"));
+
+assertFalse(%HasOwnConstDataProperty(o2, "a"));
+assertTrue(%HasOwnConstDataProperty(o2, "b"));
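Review bot: The last block asserts that redefining `o2.a` clears const-ness of "a" on `o1` and `o3` as well, which is the behaviour under test but is not explained anywhere in the file. A comment before the second `Object.defineProperty`, e.g. `// Reconfiguring "a" on o2 must make the field mutable for o1 and o3 too, whose maps were already updated above.`, would tell a maintainer why those `assertFalse` lines are expected. This reading is inferred from the map-updater.cc change in the same commit, so the wording should be checked against the upstream bug.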