deps: patch V8 to 14.6.202.34

nodejs-github-bot · web-flow · commit 4e3a873286d9 · 2026-04-28T01:49:52.000Z
Refs: v8/v8@14.6.202.33...14.6.202.34 PR-URL: #62964 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com>
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 14
 #define V8_MINOR_VERSION 6
 #define V8_BUILD_NUMBER 202
-#define V8_PATCH_LEVEL 33
+#define V8_PATCH_LEVEL 34
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/maglev/maglev-graph-builder.cc b/deps/v8/src/maglev/maglev-graph-builder.cc
@@ -4125,9 +4125,16 @@ ReduceResult MaglevGraphBuilder::BuildCheckSmi(ValueNode* object,
       value_as_phi->SetUseRequires31BitValue();
     }
   }
-  // For constants, we may be able to skip the runtime check.
-  if (std::optional<int32_t> constant_value = TryGetInt32Constant(object)) {
-    if (Smi::IsValid(constant_value.value())) return object;
+  // For non-tagged constants, we may be able to skip the runtime check: every
+  // non-tagged arm of the switch below emits a value-range check, which is
+  // exactly what `Smi::IsValid` proves. For tagged inputs the runtime check
+  // (CheckSmi) is a tag-bit check, and value-equivalence (e.g. via the
+  // checked_value alternative, which may hold a HeapNumber constant) does not
+  // imply Smi tagging.
+  if (object->value_representation() != ValueRepresentation::kTagged) {
+    if (std::optional<int32_t> constant_value = TryGetInt32Constant(object)) {
+      if (Smi::IsValid(constant_value.value())) return object;
+    }
   }
   switch (object->value_representation()) {
     case ValueRepresentation::kInt32:
diff --git a/deps/v8/test/mjsunit/maglev/regress/regress-500880819.js b/deps/v8/test/mjsunit/maglev/regress/regress-500880819.js
@@ -0,0 +1,31 @@
+// Copyright 2026 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev --expose-gc
+
+let f = new Float64Array(1); f[0] = 5;
+let HN5 = f[0];
+globalThis.G = HN5;
+
+let obj = { smiField: 1 };
+obj.smiField = 2;
+obj.smiField = 3;
+
+function sh(o, x, c) { if (c) o.smiField = x; }
+function corrupt(o, x, c) { G = x; sh(o, x, c); }
+
+%PrepareFunctionForOptimization(sh);
+%PrepareFunctionForOptimization(corrupt);
+sh(obj, 5, true);
+corrupt(obj, HN5, false);
+corrupt(obj, HN5, false);
+%OptimizeMaglevOnNextCall(sh);
+%OptimizeMaglevOnNextCall(corrupt);
+
+// Trigger: HeapNumber(5.0) ends up in a kSmi-typed field without a Smi check.
+corrupt(obj, HN5, true);
+
+// Force a write-barrier verification path by allocating.
+gc();
+assertEquals(5, obj.smiField);
diff --git a/deps/v8/test/mjsunit/maglev/regress/regress-501789186.js b/deps/v8/test/mjsunit/maglev/regress/regress-501789186.js
@@ -0,0 +1,26 @@
+// Copyright 2026 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --fuzzing --expose-gc --allow-natives-syntax --disable-abortjs
+// Flags: --disable-in-process-stack-traces
+
+let f64 = new Float64Array(1);
+f64[0] = 1.0;
+let hn = f64[0];
+
+let script_var_1 = hn;
+let script_var_2 = 1;
+script_var_2 = 2;
+
+function foo(x) {
+  script_var_1 = x;
+  script_var_2 = x;
+}
+
+%PrepareFunctionForOptimization(foo);
+%OptimizeMaglevOnNextCall(foo);
+
+foo(hn);
+
+assertEquals(1, script_var_2);
