chore: cherry-pick aeceeb2187a6 from v8 (#37654)

* chore: [22-x-y] cherry-pick aeceeb2187a6 from v8 * chore: update patches --------- Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Co-authored-by: electron-patch-conflict-fixer[bot] <83340002+electron-patch-conflict-fixer[bot]@users.noreply.github.com>
2026-04-10 03:01:51 -04:00 · 2023-03-27 19:48:44 +01:00
parent 565c4fe9a7
commit be71423d32
2 changed files with 91 additions and 0 deletions
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -10,5 +10,6 @@ revert_runtime_dhceck_terminating_exception_in_microtasks.patch
 chore_disable_is_execution_terminating_dcheck.patch
 force_cppheapcreateparams_to_be_noncopyable.patch
 cherry-pick-e17eee4894be.patch
+cherry-pick-aeceeb2187a6.patch
 cherry-pick-546e00df97ac.patch
 cherry-pick-f6ddbf42b1ea.patch
--- a/patches/v8/cherry-pick-aeceeb2187a6.patch
+++ b/patches/v8/cherry-pick-aeceeb2187a6.patch
@@ -0,0 +1,90 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= <marja@chromium.org>
+Date: Tue, 21 Feb 2023 13:38:34 +0100
+Subject: Merged [valueserializer] Fix map transition chain following w/
+ dictionary maps
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Map::Update might return a dictionary map, and the calling code didn't
+take it into account.
+
+Bug: chromium:1412487
+(cherry picked from commit b0db6637936a88807b5512a4de68145d0a9d6f02)
+
+Change-Id: Ib5e55aa60719e4ac2f14d993a3fc3e908cd43d2e
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4290145
+Reviewed-by: Marja Hölttä <marja@chromium.org>
+Reviewed-by: Lutz Vahl <vahl@chromium.org>
+Commit-Queue: Lutz Vahl <vahl@chromium.org>
+Cr-Commit-Position: refs/branch-heads/11.0@{#35}
+Cr-Branched-From: 06097c6f0c5af54fd5d6965d37027efb72decd4f-refs/heads/11.0.226@{#1}
+Cr-Branched-From: 6bf3344f5d9940de1ab253f1817dcb99c641c9d3-refs/heads/main@{#84857}
+
+diff --git a/src/objects/value-serializer.cc b/src/objects/value-serializer.cc
+index 61a7cae8e8a900694ba22637d04368dac56ebd5f..640f8621719fa5dee4909e215ae788b09f1b0ba5 100644
+--- a/src/objects/value-serializer.cc
+++ b/src/objects/value-serializer.cc
+@@ -2408,37 +2408,38 @@ Maybe<uint32_t> ValueDeserializer::ReadJSObjectProperties(
+         // Deserializaton of |value| might have deprecated current |target|,
+         // ensure we are working with the up-to-date version.
+         target = Map::Update(isolate_, target);
+-
+-        InternalIndex descriptor(properties.size());
+-        PropertyDetails details =
+-            target->instance_descriptors(isolate_).GetDetails(descriptor);
+-        Representation expected_representation = details.representation();
+-        if (value->FitsRepresentation(expected_representation)) {
+-          if (expected_representation.IsHeapObject() &&
+-              !target->instance_descriptors(isolate_)
+-                   .GetFieldType(descriptor)
+-                   .NowContains(value)) {
+-            Handle<FieldType> value_type =
+-                value->OptimalType(isolate_, expected_representation);
+-            MapUpdater::GeneralizeField(isolate_, target, descriptor,
+-                                        details.constness(),
+-                                        expected_representation, value_type);
+-          }
+-          DCHECK(target->instance_descriptors(isolate_)
+        if (!target->is_dictionary_map()) {
+          InternalIndex descriptor(properties.size());
+          PropertyDetails details =
+              target->instance_descriptors(isolate_).GetDetails(descriptor);
+          Representation expected_representation = details.representation();
+          if (value->FitsRepresentation(expected_representation)) {
+            if (expected_representation.IsHeapObject() &&
+                !target->instance_descriptors(isolate_)
+                      .GetFieldType(descriptor)
+-                     .NowContains(value));
+-          properties.push_back(value);
+-          map = target;
+-          continue;
+-        } else {
+-          transitioning = false;
+                     .NowContains(value)) {
+              Handle<FieldType> value_type =
+                  value->OptimalType(isolate_, expected_representation);
+              MapUpdater::GeneralizeField(isolate_, target, descriptor,
+                                          details.constness(),
+                                          expected_representation, value_type);
+            }
+            DCHECK(target->instance_descriptors(isolate_)
+                       .GetFieldType(descriptor)
+                       .NowContains(value));
+            properties.push_back(value);
+            map = target;
+            continue;
+          }
+         }
+        transitioning = false;
+       }
+ 
+       // Fell out of transitioning fast path. Commit the properties gathered so
+       // far, and then start setting properties slowly instead.
+       DCHECK(!transitioning);
+       CHECK_LT(properties.size(), std::numeric_limits<uint32_t>::max());
+      CHECK(!map->is_dictionary_map());
+       CommitProperties(object, map, properties);
+       num_properties = static_cast<uint32_t>(properties.size());
+