chore: cherry-pick 1 changes from 3-M133 (#46008)

chore: [34-x-y] cherry-pick 1 changes from 3-M133 * 91343bb45c78 from v8 Co-authored-by: Charles Kerr <charles@charleskerr.com>
2026-04-10 03:01:51 -04:00 · 2025-03-13 21:27:22 +00:00
parent 370ffe0df5
commit 6b956d036d
2 changed files with 49 additions and 0 deletions
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -2,3 +2,4 @@ chore_allow_customizing_microtask_policy_per_context.patch
 deps_add_v8_object_setinternalfieldfornodecore.patch
 revert_fastapi_promote_deprecation_of_fastapitypedarray.patch
 cherry-pick-2b4812d502b2.patch
+cherry-pick-91343bb45c78.patch
--- a/patches/v8/cherry-pick-91343bb45c78.patch
+++ b/patches/v8/cherry-pick-91343bb45c78.patch
@@ -0,0 +1,48 @@
+From 91343bb45c78ac5cf3d214f68161d8150d81fa8c Mon Sep 17 00:00:00 2001
+From: Darius Mercadier <dmercadier@chromium.org>
+Date: Tue, 18 Feb 2025 09:32:04 +0100
+Subject: [PATCH] [M132-LTS][turbofan] Disable escape analysis for TrustedHeapConstant
+
+More precisely: prevent eliding objects that contain
+TrustedHeapConstant, because it can lead to this constant flowing into
+a Phis where other inputs are regular HeapConstant, which confuses
+decompression optimization and leads to memory corruption.
+
+(cherry picked from commit b75e527fb521dca5e7621928846c0c7c6becc8dd)
+
+Fixed: chromium:390743124
+Change-Id: Ic60e4d7dd156367f7d4bb385d422591384c3033c
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6278358
+Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
+Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
+Auto-Submit: Darius Mercadier <dmercadier@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#98748}
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6317725
+Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
+Commit-Queue: Gyuyoung Kim (xWF) <qkim@google.com>
+Cr-Commit-Position: refs/branch-heads/13.2@{#82}
+Cr-Branched-From: 24068c59cedad9ee976ddc05431f5f497b1ebd71-refs/heads/13.2.152@{#1}
+Cr-Branched-From: 6054ba94db0969220be4f94dc1677fc4696bdc4f-refs/heads/main@{#97085}
+---
+
+diff --git a/src/compiler/escape-analysis.cc b/src/compiler/escape-analysis.cc
+index eb223bc..c9a7bc9 100644
+--- a/src/compiler/escape-analysis.cc
+++ b/src/compiler/escape-analysis.cc
+@@ -622,6 +622,16 @@
+       Node* value = current->ValueInput(1);
+       const VirtualObject* vobject = current->GetVirtualObject(object);
+       Variable var;
+      if (value->opcode() == IrOpcode::kTrustedHeapConstant) {
+        // TODO(dmercadier): enable escaping objects containing
+        // TrustedHeapConstants. This is currently disabled because it leads to
+        // bugs when Trusted HeapConstant and regular HeapConstant flow into the
+        // same Phi, which can then be marked as Compressed, messing up the
+        // tagging of the Trusted HeapConstant.
+        current->SetEscaped(object);
+        current->SetEscaped(value);
+        break;
+      }
+       // BoundedSize fields cannot currently be materialized by the deoptimizer,
+       // so we must not dematerialze them.
+       if (vobject && !vobject->HasEscaped() &&