update to Chromium 97.0.4692.56

Author: rogerwang

include/v8-version.h

@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 9
 #define V8_MINOR_VERSION 7
 #define V8_BUILD_NUMBER 106
-#define V8_PATCH_LEVEL 13
+#define V8_PATCH_LEVEL 18
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

include/v8-wasm.h

@@ -154,8 +154,12 @@ class V8_EXPORT WasmStreaming final {
    * {Finish} should be called after all received bytes where passed to
    * {OnBytesReceived} to tell V8 that there will be no more bytes. {Finish}
    * does not have to be called after {Abort} has been called already.
+   * If {can_use_compiled_module} is true and {SetCompiledModuleBytes} was
+   * previously called, the compiled module bytes can be used.
+   * If {can_use_compiled_module} is false, the compiled module bytes previously
+   * set by {SetCompiledModuleBytes} should not be used.
    */
-  void Finish();
+  void Finish(bool can_use_compiled_module = true);
 
   /**
    * Abort streaming compilation. If {exception} has a value, then the promise
@@ -170,6 +174,8 @@ class V8_EXPORT WasmStreaming final {
    * can be used, false otherwise. The buffer passed via {bytes} and {size}
    * is owned by the caller. If {SetCompiledModuleBytes} returns true, the
    * buffer must remain valid until either {Finish} or {Abort} completes.
+   * The compiled module bytes should not be used until {Finish(true)} is
+   * called, because they can be invalidated later by {Finish(false)}.
    */
   bool SetCompiledModuleBytes(const uint8_t* bytes, size_t size);
 

src/api/api.cc

@@ -10509,7 +10509,7 @@ void WasmStreaming::OnBytesReceived(const uint8_t* bytes, size_t size) {
   UNREACHABLE();
 }
 
-void WasmStreaming::Finish() { UNREACHABLE(); }
+void WasmStreaming::Finish(bool can_use_compiled_module) { UNREACHABLE(); }
 
 void WasmStreaming::Abort(MaybeLocal<Value> exception) { UNREACHABLE(); }
 

src/builtins/typed-array-createtypedarray.tq

@@ -292,7 +292,7 @@ transitioning macro ConstructByArrayBuffer(implicit context: Context)(
       // in the step 12 branch.
       newByteLength = bufferByteLength - offset;
       newLength = elementsInfo.CalculateLength(newByteLength)
-          otherwise IfInvalidOffset;
+          otherwise IfInvalidLength;
 
       // 12. Else,
     } else {

src/compiler/simplified-operator-reducer.cc

@@ -77,7 +77,7 @@ Reduction SimplifiedOperatorReducer::Reduce(Node* node) {
     case IrOpcode::kChangeInt32ToTagged: {
       Int32Matcher m(node->InputAt(0));
       if (m.HasResolvedValue()) return ReplaceNumber(m.ResolvedValue());
-      if (m.IsChangeTaggedToInt32() || m.IsChangeTaggedSignedToInt32()) {
+      if (m.IsChangeTaggedSignedToInt32()) {
         return Replace(m.InputAt(0));
       }
       break;

src/objects/js-array-buffer.cc

@@ -82,6 +82,7 @@ void JSArrayBuffer::Attach(std::shared_ptr<BackingStore> backing_store) {
     // invariant that their byte_length field is always 0.
     set_byte_length(0);
   } else {
+    CHECK_LE(backing_store->byte_length(), kMaxByteLength);
     set_byte_length(backing_store->byte_length());
   }
   set_max_byte_length(backing_store->max_byte_length());

src/regexp/regexp-ast.h

@@ -138,6 +138,9 @@ class CharacterRange {
   static void Negate(ZoneList<CharacterRange>* src,
                      ZoneList<CharacterRange>* dst, Zone* zone);
 
+  // Remove all ranges outside the one-byte range.
+  static void ClampToOneByte(ZoneList<CharacterRange>* ranges);
+
  private:
   CharacterRange(base::uc32 from, base::uc32 to) : from_(from), to_(to) {}
 

src/regexp/regexp-compiler-tonode.cc

@@ -1416,6 +1416,7 @@ void CharacterSet::Canonicalize() {
   CharacterRange::Canonicalize(ranges_);
 }
 
+// static
 void CharacterRange::Canonicalize(ZoneList<CharacterRange>* character_ranges) {
   if (character_ranges->length() <= 1) return;
   // Check whether ranges are already canonical (increasing, non-overlapping,
@@ -1451,6 +1452,7 @@ void CharacterRange::Canonicalize(ZoneList<CharacterRange>* character_ranges) {
   DCHECK(CharacterRange::IsCanonical(character_ranges));
 }
 
+// static
 void CharacterRange::Negate(ZoneList<CharacterRange>* ranges,
                             ZoneList<CharacterRange>* negated_ranges,
                             Zone* zone) {
@@ -1474,6 +1476,27 @@ void CharacterRange::Negate(ZoneList<CharacterRange>* ranges,
   }
 }
 
+// static
+void CharacterRange::ClampToOneByte(ZoneList<CharacterRange>* ranges) {
+  DCHECK(IsCanonical(ranges));
+
+  // Drop all ranges that don't contain one-byte code units, and clamp the last
+  // range s.t. it likewise only contains one-byte code units. Note this relies
+  // on `ranges` being canonicalized, i.e. sorted and non-overlapping.
+
+  static constexpr base::uc32 max_char = String::kMaxOneByteCharCodeU;
+  int n = ranges->length();
+  for (; n > 0; n--) {
+    CharacterRange& r = ranges->at(n - 1);
+    if (r.from() <= max_char) {
+      r.to_ = std::min(r.to_, max_char);
+      break;
+    }
+  }
+
+  ranges->Rewind(n);
+}
+
 namespace {
 
 // Scoped object to keep track of how much we unroll quantifier loops in the

src/regexp/regexp-compiler.cc

@@ -1222,20 +1222,11 @@ void EmitCharClass(RegExpMacroAssembler* macro_assembler,
   ZoneList<CharacterRange>* ranges = cc->ranges(zone);
   CharacterRange::Canonicalize(ranges);
 
-  const base::uc32 max_char = MaxCodeUnit(one_byte);
-
-  // Determine the 'interesting' set of ranges; may be a subset of the given
-  // range set if it contains ranges not representable by the current string
-  // representation.
-  int ranges_length = ranges->length();
-  while (ranges_length > 0) {
-    CharacterRange& range = ranges->at(ranges_length - 1);
-    if (range.from() <= max_char) break;
-    ranges_length--;
-  }
-
-  ranges->Rewind(ranges_length);  // Drop all uninteresting ranges.
+  // Now that all processing (like case-insensitivity) is done, clamp the
+  // ranges to the set of ranges that may actually occur in the subject string.
+  if (one_byte) CharacterRange::ClampToOneByte(ranges);
 
+  const int ranges_length = ranges->length();
   if (ranges_length == 0) {
     if (!cc->is_negated()) {
       macro_assembler->GoTo(on_failure);
@@ -1246,6 +1237,7 @@ void EmitCharClass(RegExpMacroAssembler* macro_assembler,
     return;
   }
 
+  const base::uc32 max_char = MaxCodeUnit(one_byte);
   if (ranges_length == 1 && ranges->at(0).IsEverything(max_char)) {
     if (cc->is_negated()) {
       macro_assembler->GoTo(on_failure);

src/wasm/streaming-decoder.cc

@@ -35,7 +35,7 @@ class V8_EXPORT_PRIVATE AsyncStreamingDecoder : public StreamingDecoder {
   // The buffer passed into OnBytesReceived is owned by the caller.
   void OnBytesReceived(base::Vector<const uint8_t> bytes) override;
 
-  void Finish() override;
+  void Finish(bool can_use_compiled_module) override;
 
   void Abort() override;
 
@@ -258,7 +258,7 @@ size_t AsyncStreamingDecoder::DecodingState::ReadBytes(
   return num_bytes;
 }
 
-void AsyncStreamingDecoder::Finish() {
+void AsyncStreamingDecoder::Finish(bool can_use_compiled_module) {
   TRACE_STREAMING("Finish\n");
   DCHECK(!stream_finished_);
   stream_finished_ = true;
@@ -268,9 +268,12 @@ void AsyncStreamingDecoder::Finish() {
     base::Vector<const uint8_t> wire_bytes =
         base::VectorOf(wire_bytes_for_deserializing_);
     // Try to deserialize the module from wire bytes and module bytes.
-    if (processor_->Deserialize(compiled_module_bytes_, wire_bytes)) return;
+    if (can_use_compiled_module &&
+        processor_->Deserialize(compiled_module_bytes_, wire_bytes))
+      return;
 
-    // Deserialization failed. Restart decoding using |wire_bytes|.
+    // Compiled module bytes are invalidated by can_use_compiled_module = false
+    // or the deserialization failed. Restart decoding using |wire_bytes|.
     compiled_module_bytes_ = {};
     DCHECK(!deserializing());
     OnBytesReceived(wire_bytes);

src/wasm/streaming-decoder.h

@@ -78,7 +78,7 @@ class V8_EXPORT_PRIVATE StreamingDecoder {
   // The buffer passed into OnBytesReceived is owned by the caller.
   virtual void OnBytesReceived(base::Vector<const uint8_t> bytes) = 0;
 
-  virtual void Finish() = 0;
+  virtual void Finish(bool can_use_compiled_module = true) = 0;
 
   virtual void Abort() = 0;
 
@@ -96,6 +96,7 @@ class V8_EXPORT_PRIVATE StreamingDecoder {
   }
 
   // Passes previously compiled module bytes from the embedder's cache.
+  // The content shouldn't be used until Finish(true) is called.
   bool SetCompiledModuleBytes(
       base::Vector<const uint8_t> compiled_module_bytes) {
     compiled_module_bytes_ = compiled_module_bytes;
@@ -124,6 +125,8 @@ class V8_EXPORT_PRIVATE StreamingDecoder {
 
   std::string url_;
   ModuleCompiledCallback module_compiled_callback_;
+  // The content of `compiled_module_bytes_` shouldn't be used until
+  // Finish(true) is called.
   base::Vector<const uint8_t> compiled_module_bytes_;
 };
 

src/wasm/sync-streaming-decoder.cc

@@ -32,7 +32,7 @@ class V8_EXPORT_PRIVATE SyncStreamingDecoder : public StreamingDecoder {
     buffer_size_ += bytes.size();
   }
 
-  void Finish() override {
+  void Finish(bool can_use_compiled_module) override {
     // We copy all received chunks into one byte buffer.
     auto bytes = std::make_unique<uint8_t[]>(buffer_size_);
     uint8_t* destination = bytes.get();
@@ -43,7 +43,7 @@ class V8_EXPORT_PRIVATE SyncStreamingDecoder : public StreamingDecoder {
     CHECK_EQ(destination - bytes.get(), buffer_size_);
 
     // Check if we can deserialize the module from cache.
-    if (deserializing()) {
+    if (can_use_compiled_module && deserializing()) {
       HandleScope scope(isolate_);
       SaveAndSwitchContext saved_context(isolate_, *context_);
 

src/wasm/wasm-engine.cc

@@ -1645,6 +1645,9 @@ WasmCodeManager* GetWasmCodeManager() {
 
 // {max_mem_pages} is declared in wasm-limits.h.
 uint32_t max_mem_pages() {
+  static_assert(
+      kV8MaxWasmMemoryPages * kWasmPageSize <= JSArrayBuffer::kMaxByteLength,
+      "Wasm memories must not be bigger than JSArrayBuffers");
   STATIC_ASSERT(kV8MaxWasmMemoryPages <= kMaxUInt32);
   return std::min(uint32_t{kV8MaxWasmMemoryPages}, FLAG_wasm_max_mem_pages);
 }

src/wasm/wasm-js.cc

@@ -63,7 +63,9 @@ class WasmStreaming::WasmStreamingImpl {
   void OnBytesReceived(const uint8_t* bytes, size_t size) {
     streaming_decoder_->OnBytesReceived(base::VectorOf(bytes, size));
   }
-  void Finish() { streaming_decoder_->Finish(); }
+  void Finish(bool can_use_compiled_module) {
+    streaming_decoder_->Finish(can_use_compiled_module);
+  }
 
   void Abort(MaybeLocal<Value> exception) {
     i::HandleScope scope(reinterpret_cast<i::Isolate*>(isolate_));
@@ -116,9 +118,9 @@ void WasmStreaming::OnBytesReceived(const uint8_t* bytes, size_t size) {
   impl_->OnBytesReceived(bytes, size);
 }
 
-void WasmStreaming::Finish() {
+void WasmStreaming::Finish(bool can_use_compiled_module) {
   TRACE_EVENT0("v8.wasm", "wasm.FinishStreaming");
-  impl_->Finish();
+  impl_->Finish(can_use_compiled_module);
 }
 
 void WasmStreaming::Abort(MaybeLocal<Value> exception) {

src/wasm/wasm-limits.h

@@ -40,7 +40,7 @@ constexpr size_t kV8MaxWasmDataSegments = 100000;
 // Also, do not use this limit to validate declared memory, use
 // kSpecMaxMemoryPages for that.
 constexpr size_t kV8MaxWasmMemoryPages = kSystemPointerSize == 4
-                                             ? 32768   // = 2 GiB
+                                             ? 32767   // = 2 GiB
                                              : 65536;  // = 4 GiB
 constexpr size_t kV8MaxWasmStringSize = 100000;
 constexpr size_t kV8MaxWasmModuleSize = 1024 * 1024 * 1024;  // = 1 GiB

test/mjsunit/regress/regress-1275096.js

@@ -0,0 +1,7 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-regexp-tier-up
+
+/[\u{0}zPudf\u{d3}-\ud809\udccc]/iu.exec("");  // Don't crash :)

tools/mb/mb.py

@@ -804,8 +804,6 @@ def WriteIsolateFiles(self, build_dir, target, runtime_deps):
     self.WriteJSON(
       {
         'args': [
-          '--isolated',
-          self.ToSrcRelPath('%s/%s.isolated' % (build_dir, target)),
           '--isolate',
           self.ToSrcRelPath('%s/%s.isolate' % (build_dir, target)),
         ],