deps: update V8 to 8.3.110.9

PR-URL: https://github.com/nodejs/node/pull/32831
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

3 files changed, 181 insertions, 0 deletions

diff --git a/deps/v8/test/mjsunit/tools/foozzie.js b/deps/v8/test/mjsunit/tools/foozzie.js
new file mode 100644
index 0000000000..30faf46116
--- /dev/null
+++ b/deps/v8/test/mjsunit/tools/foozzie.js
@@ -0,0 +1,79 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+// Files: tools/clusterfuzz/v8_mock.js
+
+// Test foozzie mocks for differential fuzzing.
+
+// Deterministic Math.random.
+assertEquals(0.1, Math.random());
+assertEquals(0.2, Math.random());
+assertEquals(0.3, Math.random());
+
+// Deterministic date.
+assertEquals(1477662728698, Date.now());
+assertEquals(1477662728701, Date.now());
+assertEquals(1477662728705, new Date().getTime());
+assertEquals(710, new Date.prototype.constructor().getUTCMilliseconds());
+
+// Deterministic arguments in constructor keep working.
+assertEquals(819134640000,
+             new Date('December 17, 1995 03:24:00 GMT+1000').getTime());
+
+// Dummy performance methods.
+assertEquals(1.2, performance.now());
+assertEquals([], performance.measureMemory());
+
+// Worker messages follow a predefined deterministic pattern.
+const worker = new Worker(``, {type: 'string'});
+assertEquals(0, worker.getMessage());
+assertEquals(-1, worker.getMessage());
+
+// NaN patterns in typed arrays are mocked out. Test that we get no
+// difference between unoptimized and optimized code.
+function testSameOptimized(pattern, create_fun) {
+  const expected = new Uint32Array(pattern);
+  %PrepareFunctionForOptimization(create_fun);
+  assertEquals(expected, create_fun());
+  %OptimizeFunctionOnNextCall(create_fun);
+  assertEquals(expected, create_fun());
+}
+
+function testArrayType(arrayType, pattern) {
+  // Test passing NaNs to constructor with array.
+  let create = function() {
+    return new Uint32Array(new arrayType([-NaN]).buffer);
+  };
+  testSameOptimized(pattern, create);
+  // Test passing NaNs to constructor with iterator.
+  create = function() {
+    const iter = function*(){ yield* [-NaN]; }();
+    return new Uint32Array(new arrayType(iter).buffer);
+  };
+  testSameOptimized(pattern, create);
+  // Test setting NaN property.
+  create = function() {
+    const arr = new arrayType(1);
+    arr[0] = -NaN;
+    return new Uint32Array(arr.buffer);
+  };
+  // Test passing NaN using set.
+  testSameOptimized(pattern, create);
+  create = function() {
+    const arr = new arrayType(1);
+    arr.set([-NaN], 0);
+    return new Uint32Array(arr.buffer);
+  };
+  testSameOptimized(pattern, create);
+}
+
+var isBigEndian = new Uint8Array(new Uint16Array([0xABCD]).buffer)[0] === 0xAB;
+testArrayType(Float32Array, [1065353216]);
+if (isBigEndian){
+  testArrayType(Float64Array, [1072693248, 0]);
+}
+else {
+  testArrayType(Float64Array, [0, 1072693248]);
+}
diff --git a/deps/v8/test/mjsunit/tools/foozzie_archs.js b/deps/v8/test/mjsunit/tools/foozzie_archs.js
new file mode 100644
index 0000000000..9023428324
--- /dev/null
+++ b/deps/v8/test/mjsunit/tools/foozzie_archs.js
@@ -0,0 +1,84 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+// Files: tools/clusterfuzz/v8_mock.js
+// Files: tools/clusterfuzz/v8_mock_archs.js
+
+// Test foozzie architecture-specific mocks for differential fuzzing.
+
+// Max typed array length is mocked and restricted to 1MiB buffer.
+const maxBytes = 1048576;
+
+// The maximum also holds for array buffer and shared array buffer.
+assertEquals(maxBytes, new ArrayBuffer(maxBytes + 1).byteLength);
+assertEquals(maxBytes, new SharedArrayBuffer(maxBytes + 1).byteLength);
+
+function testArrayType(type) {
+  const name = type.name;
+  const bytesPerElem = type.BYTES_PER_ELEMENT;
+  const maxElem = maxBytes / bytesPerElem;
+
+  function testLength(expectedLength, arr) {
+    const expectedBytes = expectedLength * bytesPerElem;
+    assertEquals(expectedBytes, arr.byteLength, name);
+    assertEquals(expectedLength, arr.length, name);
+  }
+
+  // Test length argument in constructor.
+  testLength(maxElem - 1, new type(maxElem - 1));
+  testLength(maxElem, new type(maxElem));
+  testLength(maxElem, new type(maxElem + 1));
+
+  // Test buffer argument in constructor.
+  // Unaligned offsets don't throw.
+  const buffer = new ArrayBuffer(maxBytes);
+  new type(buffer, 1);
+  new type(buffer, 3);
+
+  // Offsets work or are capped.
+  function bytes(elements) {
+    return elements * bytesPerElem;
+  }
+  testLength(maxElem, new type(buffer, 0));
+  testLength(maxElem - 1, new type(buffer, bytes(1)));
+  testLength(1, new type(buffer, bytes(maxElem - 1)));
+  testLength(0, new type(buffer, bytes(maxElem)));
+  testLength(0, new type(buffer, bytes(maxElem + 1)));
+
+  // Offset and length work or are capped.
+  testLength(1, new type(buffer, 0, 1));
+  testLength(1, new type(buffer, bytesPerElem, 1));
+  testLength(maxElem - 2, new type(buffer, bytes(1), maxElem - 2));
+  testLength(maxElem - 1, new type(buffer, bytes(1), maxElem - 1));
+  testLength(maxElem - 1, new type(buffer, bytes(1), maxElem));
+  testLength(0, new type(buffer, bytes(maxElem - 1), 0));
+  testLength(1, new type(buffer, bytes(maxElem - 1), 1));
+  testLength(1, new type(buffer, bytes(maxElem - 1), 2));
+
+  // Insertion with "set" works or is capped.
+  let set0 = 0;
+  let set1 = 1;
+  if (name.startsWith("Big")) {
+    set0 = 0n;
+    set1 = 1n;
+  }
+  arr = new type(4);
+  arr.set([set1], 1);
+  assertEquals(new type([set0, set1, set0, set0]), arr, name);
+  arr.set([set1, set1], 3);  // Capped to 2.
+  assertEquals(new type([set0, set1, set1, set1]), arr, name);
+}
+
+testArrayType(Int8Array);
+testArrayType(Uint8Array);
+testArrayType(Uint8ClampedArray);
+testArrayType(Int16Array);
+testArrayType(Uint16Array);
+testArrayType(Int32Array);
+testArrayType(Uint32Array);
+testArrayType(BigInt64Array);
+testArrayType(BigUint64Array);
+testArrayType(Float32Array);
+testArrayType(Float64Array);
diff --git a/deps/v8/test/mjsunit/tools/foozzie_webassembly.js b/deps/v8/test/mjsunit/tools/foozzie_webassembly.js
new file mode 100644
index 0000000000..d5130a393b
--- /dev/null
+++ b/deps/v8/test/mjsunit/tools/foozzie_webassembly.js
@@ -0,0 +1,18 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+// Files: tools/clusterfuzz/v8_mock.js
+// Files: tools/clusterfuzz/v8_mock_webassembly.js
+
+// Test foozzie webassembly-specfific mocks for differential fuzzing.
+
+// No reference errors when accessing WebAssembly.
+WebAssembly[0];
+WebAssembly[" "];
+WebAssembly.foo;
+WebAssembly.foo();
+WebAssembly.foo().bar;
+WebAssembly.foo().bar();
+WebAssembly.foo().bar[0];