deps: V8: cherry-pick 0ce9f16abc1f

Original commit message:

    [runtime] sort transition array after it grows beyond linear search size

    Previously, after the TransitionArray is rehashed,
    TransitionsAccessor::InsertHelper() can grow the transition
    array without making sure it's sorted after the size crosses
    kMaxElementsForLinearSearch, leading to search failures or
    duplicate entries in bigger transition arrays.

    See #61002 (comment)

    Change-Id: I3f45816b7d65bbbcfedeb7074d0c6907cbc08edf
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7252791
    Commit-Queue: Joyee Cheung <[email protected]>
    Reviewed-by: Igor Sheludko <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#104384}

Refs: v8/v8@0ce9f16

Author: joyeecheung

common.gypi

@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.8',
+    'v8_embedder_string': '-node.9',
 
     ##### V8 defaults for Node.js #####
 

deps/v8/src/objects/transitions.cc

@@ -173,6 +173,11 @@ void TransitionsAccessor::InsertHelper(Isolate* isolate, DirectHandle<Map> map,
       }
       array->SetKey(insertion_index, *name);
       array->SetRawTarget(insertion_index, MakeWeak(*target));
+      // The new size exceeds the threshold for linear search, sort the array
+      // for binary search later.
+      if (new_nof == TransitionArray::kMaxElementsForLinearSearch + 1) {
+        array->Sort();
+      }
       SLOW_DCHECK(array->IsSortedNoDuplicates());
       return;
     }
@@ -222,6 +227,11 @@ void TransitionsAccessor::InsertHelper(Isolate* isolate, DirectHandle<Map> map,
     result->Set(i + 1, array->GetKey(i), array->GetRawTarget(i));
   }
 
+  // The new size exceeds the threshold for linear search, sort the array
+  // for binary search later.
+  if (new_nof == TransitionArray::kMaxElementsForLinearSearch + 1) {
+    result->Sort();
+  }
   SLOW_DCHECK(result->IsSortedNoDuplicates());
   ReplaceTransitions(isolate, map, result);
 }

deps/v8/test/cctest/test-transitions.cc

@@ -8,9 +8,11 @@
 
 #include <utility>
 
+#include "src/api/api-inl.h"
 #include "src/codegen/compilation-cache.h"
 #include "src/execution/execution.h"
 #include "src/heap/factory.h"
+#include "src/numbers/hash-seed-inl.h"
 #include "src/objects/field-type.h"
 #include "src/objects/objects-inl.h"
 #include "src/objects/transitions-inl.h"
@@ -316,5 +318,151 @@ TEST(TransitionArray_SameFieldNamesDifferentAttributes) {
   DCHECK(transitions.IsSortedNoDuplicates());
 }
 
+UNINITIALIZED_TEST(TransitionArray_InsertToBinarySearchSizeAfterRehashing) {
+  v8_flags.rehash_snapshot = true;
+  v8_flags.hash_seed = 42;
+  v8_flags.allow_natives_syntax = true;
+  DisableEmbeddedBlobRefcounting();
+  v8::StartupData blob;
+  int initial_size = TransitionArray::kMaxElementsForLinearSearch - 3;
+  int final_size = TransitionArray::kMaxElementsForLinearSearch + 3;
+
+  {
+    v8::Isolate::CreateParams testing_params;
+    testing_params.array_buffer_allocator = CcTest::array_buffer_allocator();
+    v8::SnapshotCreator creator(testing_params);
+    v8::Isolate* isolate = creator.GetIsolate();
+    {
+      v8::HandleScope handle_scope(isolate);
+      v8::Local<v8::Context> context = v8::Context::New(isolate);
+      v8::Context::Scope context_scope(context);
+      // Get the cached map for empty objects
+      Isolate* i_isolate = reinterpret_cast<Isolate*>(isolate);
+      v8::Local<v8::Object> obj = v8::Object::New(isolate);
+      DirectHandle<Map> first_map =
+          direct_handle(v8::Utils::OpenDirectHandle(*obj)->map(), i_isolate);
+
+      // Ensure that the transition array is empty initially.
+      {
+        TestTransitionsAccessor transitions(i_isolate, first_map);
+        CHECK_EQ(0, transitions.NumberOfTransitions());
+        DCHECK(transitions.transitions()->IsSortedNoDuplicates());
+      }
+
+      // Insert some transitions to grow the transition array, we'll rehash
+      // later using the snapshot which "shuffles" the entries in hash order.
+      v8::Local<v8::Value> null_value = v8::Null(isolate);
+      v8::LocalVector<v8::Value> objects(isolate);
+      for (int i = 0; i < initial_size; i++) {
+        std::string prop_name = "prop_" + std::to_string(i);
+        v8::Local<v8::String> name =
+            v8::String::NewFromUtf8(isolate, prop_name.c_str(),
+                                    v8::NewStringType::kNormal)
+                .ToLocalChecked();
+        v8::Local<v8::Object> new_obj = v8::Object::New(isolate);
+        new_obj->Set(context, name, null_value).Check();
+        objects.push_back(new_obj);
+      }
+      context->Global()
+          ->Set(context, v8_str("objects_for_transitions"),
+                v8::Array::New(isolate, objects.data(), objects.size()))
+          .Check();
+
+      creator.SetDefaultContext(context);
+
+      // Verify that the cached map has initial_size transitions.
+      TestTransitionsAccessor transitions(i_isolate, first_map);
+      CHECK_EQ(initial_size, transitions.NumberOfTransitions());
+      DCHECK(transitions.transitions()->IsSortedNoDuplicates());
+    }
+    blob =
+        creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kClear);
+    CHECK(blob.CanBeRehashed());
+  }
+
+  // Create a new isolate from the snapshot with rehashing enabled.
+  v8_flags.hash_seed = 1337;
+  v8::Isolate::CreateParams testing_params;
+  testing_params.array_buffer_allocator = CcTest::array_buffer_allocator();
+  testing_params.snapshot_blob = &blob;
+  v8::Isolate* isolate = v8::Isolate::New(testing_params);
+  {
+    v8::Isolate::Scope isolate_scope(isolate);
+    // Check that rehashing has been performed.
+    CHECK_EQ(static_cast<uint64_t>(1337),
+             HashSeed(reinterpret_cast<Isolate*>(isolate)).seed());
+    v8::HandleScope handle_scope(isolate);
+    v8::Local<v8::Context> context = v8::Context::New(isolate);
+    CHECK(!context.IsEmpty());
+    v8::Context::Scope context_scope(context);
+
+    // Get the cached map for empty objects.
+    Isolate* i_isolate = reinterpret_cast<Isolate*>(isolate);
+    v8::Local<v8::Object> obj = v8::Object::New(isolate);
+    DirectHandle<Map> first_map =
+        direct_handle(v8::Utils::OpenDirectHandle(*obj)->map(), i_isolate);
+
+    // Verify that the cached map still has initial_size transitions.
+    {
+      TestTransitionsAccessor transitions(i_isolate, first_map);
+      CHECK_EQ(initial_size, transitions.NumberOfTransitions());
+      DCHECK(transitions.transitions()->IsSortedNoDuplicates());
+    }
+
+    v8::Local<v8::Value> null_value = v8::Null(isolate);
+    {
+      v8::LocalVector<v8::Value> objects(isolate);
+
+      // Insert some transitions to grow the rehashed transition array beyond
+      // linear search size
+      for (int i = initial_size; i < final_size; i++) {
+        std::string prop_name = "prop_" + std::to_string(i);
+        v8::Local<v8::String> name =
+            v8::String::NewFromUtf8(isolate, prop_name.c_str(),
+                                    v8::NewStringType::kNormal)
+                .ToLocalChecked();
+        v8::Local<v8::Object> new_obj = v8::Object::New(isolate);
+        new_obj->Set(context, name, null_value).Check();
+        objects.push_back(new_obj);
+      }
+      context->Global()
+          ->Set(context, v8_str("objects_for_transitions_2"),
+                v8::Array::New(isolate, objects.data(), objects.size()))
+          .Check();
+      TestTransitionsAccessor transitions(i_isolate, first_map);
+      CHECK_EQ(final_size, transitions.NumberOfTransitions());
+      DCHECK(transitions.transitions()->IsSortedNoDuplicates());
+    }
+
+    // Check existing transitions could be found after rehashing.
+    {
+      v8::LocalVector<v8::Value> objects(isolate);
+      for (int i = 0; i < final_size; i++) {
+        std::string prop_name = "prop_" + std::to_string(i);
+        v8::Local<v8::String> name =
+            v8::String::NewFromUtf8(isolate, prop_name.c_str(),
+                                    v8::NewStringType::kNormal)
+                .ToLocalChecked();
+        v8::Local<v8::Object> new_obj = v8::Object::New(isolate);
+        new_obj->Set(context, name, null_value).Check();
+        objects.push_back(new_obj);
+      }
+
+      context->Global()
+          ->Set(context, v8_str("objects_for_transitions_3"),
+                v8::Array::New(isolate, objects.data(), objects.size()))
+          .Check();
+
+      TestTransitionsAccessor transitions(i_isolate, first_map);
+      CHECK_EQ(final_size, transitions.NumberOfTransitions());
+      DCHECK(transitions.transitions()->IsSortedNoDuplicates());
+    }
+  }
+
+  isolate->Dispose();
+  delete[] blob.data;
+  FreeCurrentEmbeddedBlob();
+}
+
 }  // namespace internal
 }  // namespace v8