deps: V8: backport 185f0fe09b72

joyeecheung · aduh95 · commit 7dc00fa5f4e3 · 2026-03-22T17:04:56.000+01:00
Original commit message: [numbers] Refactor HashSeed as a lightweight view over ByteArray Instead of copying the seed and secrets into a struct with value fields, HashSeed now stores a pointer pointing either into the read-only ByteArray, or the static default seed for off-heap HashSeed::Default() calls. The underlying storage is always 8-byte aligned so we can cast it directly into a struct. Change-Id: I5896a7f2ae24296eb4c80b757a5d90ac70a34866 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7609720 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Joyee Cheung <joyee@igalia.com> Cr-Commit-Position: refs/heads/main@{#105531} Refs: v8/v8@185f0fe Co-authored-by: Joyee Cheung <joyeec9h3@gmail.com> Backport-PR-URL: nodejs-private/node-private#833 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: nodejs-private/node-private#809 CVE-ID: CVE-2026-21717
diff --git a/common.gypi b/common.gypi
@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.36',
+    'v8_embedder_string': '-node.37',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/v8/BUILD.bazel b/deps/v8/BUILD.bazel
@@ -1850,6 +1850,7 @@ filegroup(
         "src/numbers/conversions.h",
         "src/numbers/conversions-inl.h",
         "src/numbers/hash-seed.h",
+        "src/numbers/hash-seed.cc",
         "src/numbers/hash-seed-inl.h",
         "src/numbers/integer-literal.h",
         "src/numbers/integer-literal-inl.h",
diff --git a/deps/v8/BUILD.gn b/deps/v8/BUILD.gn
@@ -5450,6 +5450,7 @@ v8_source_set("v8_base_without_compiler") {
     "src/logging/runtime-call-stats.cc",
     "src/logging/tracing-flags.cc",
     "src/numbers/conversions.cc",
+    "src/numbers/hash-seed.cc",
     "src/numbers/math-random.cc",
     "src/objects/abstract-code.cc",
     "src/objects/backing-store.cc",
diff --git a/deps/v8/src/DEPS b/deps/v8/src/DEPS
@@ -129,7 +129,7 @@ specific_include_rules = {
   "heap\.cc": [
     "+third_party/rapidhash-v8/secret.h",
   ],
-  "hash-seed-inl\.h": [
+  "hash-seed\.cc": [
     "+third_party/rapidhash-v8/secret.h",
   ],
 }
diff --git a/deps/v8/src/heap/factory-base.cc b/deps/v8/src/heap/factory-base.cc
@@ -272,9 +272,9 @@ Handle<WeakFixedArray> FactoryBase<Impl>::NewWeakFixedArray(
 }
 
 template <typename Impl>
-Handle<ByteArray> FactoryBase<Impl>::NewByteArray(int length,
-                                                  AllocationType allocation) {
-  return ByteArray::New(isolate(), length, allocation);
+Handle<ByteArray> FactoryBase<Impl>::NewByteArray(
+    int length, AllocationType allocation, AllocationAlignment alignment) {
+  return ByteArray::New(isolate(), length, allocation, alignment);
 }
 
 template <typename Impl>
@@ -1225,8 +1225,8 @@ FactoryBase<Impl>::AllocateRawTwoByteInternalizedString(
 
 template <typename Impl>
 Tagged<HeapObject> FactoryBase<Impl>::AllocateRawArray(
-    int size, AllocationType allocation) {
-  Tagged<HeapObject> result = AllocateRaw(size, allocation);
+    int size, AllocationType allocation, AllocationAlignment alignment) {
+  Tagged<HeapObject> result = AllocateRaw(size, allocation, alignment);
   if (!V8_ENABLE_THIRD_PARTY_HEAP_BOOL &&
       (size >
        isolate()->heap()->AsHeap()->MaxRegularHeapObjectSize(allocation)) &&
diff --git a/deps/v8/src/heap/factory-base.h b/deps/v8/src/heap/factory-base.h
@@ -181,7 +181,8 @@ class FactoryBase : public TorqueGeneratedFactory<Impl> {
 
   // The function returns a pre-allocated empty byte array for length = 0.
   Handle<ByteArray> NewByteArray(
-      int length, AllocationType allocation = AllocationType::kYoung);
+      int length, AllocationType allocation = AllocationType::kYoung,
+      AllocationAlignment alignment = kTaggedAligned);
 
   // Allocates a trusted byte array in trusted space, initialized with zeros.
   Handle<TrustedByteArray> NewTrustedByteArray(int length);
@@ -374,7 +375,9 @@ class FactoryBase : public TorqueGeneratedFactory<Impl> {
   static constexpr int kNumberToStringBufferSize = 32;
 
   // Allocate memory for an uninitialized array (e.g., a FixedArray or similar).
-  Tagged<HeapObject> AllocateRawArray(int size, AllocationType allocation);
+  Tagged<HeapObject> AllocateRawArray(
+      int size, AllocationType allocation,
+      AllocationAlignment alignment = kTaggedAligned);
   Tagged<HeapObject> AllocateRawFixedArray(int length,
                                            AllocationType allocation);
   Tagged<HeapObject> AllocateRawWeakArrayList(int length,
diff --git a/deps/v8/src/heap/heap.cc b/deps/v8/src/heap/heap.cc
@@ -119,7 +119,6 @@
 #include "src/tracing/trace-event.h"
 #include "src/utils/utils-inl.h"
 #include "src/utils/utils.h"
-#include "third_party/rapidhash-v8/secret.h"
 
 #ifdef V8_ENABLE_CONSERVATIVE_STACK_SCANNING
 #include "src/heap/conservative-stack-visitor.h"
@@ -5817,31 +5816,6 @@ void Heap::SetUpSpaces(LinearAllocationArea& new_allocation_info,
   }
 }
 
-void Heap::InitializeHashSeed() {
-  DCHECK(!deserialization_complete_);
-  uint64_t new_hash_seed;
-  if (v8_flags.hash_seed == 0) {
-    int64_t rnd = isolate()->random_number_generator()->NextInt64();
-    new_hash_seed = static_cast<uint64_t>(rnd);
-  } else {
-    new_hash_seed = static_cast<uint64_t>(v8_flags.hash_seed);
-  }
-
-  Tagged<ByteArray> hash_seed = ReadOnlyRoots(this).hash_seed();
-
-  MemCopy(hash_seed->begin(), reinterpret_cast<uint8_t*>(&new_hash_seed),
-          kInt64Size);
-
-#if V8_USE_DEFAULT_HASHER_SECRET
-  MemCopy(hash_seed->begin() + kInt64Size,
-          reinterpret_cast<const uint8_t*>(RAPIDHASH_DEFAULT_SECRET),
-          kInt64Size * 3);
-#else
-  rapidhash_make_secret(new_hash_seed, reinterpret_cast<uint64_t*>(
-                                           hash_seed->begin() + kInt64Size));
-#endif  // V8_USE_DEFAULT_HASHER_SECRET
-}
-
 std::shared_ptr<v8::TaskRunner> Heap::GetForegroundTaskRunner() const {
   return task_runner_;
 }
diff --git a/deps/v8/src/heap/heap.h b/deps/v8/src/heap/heap.h
@@ -725,9 +725,6 @@ class Heap final {
   // Prepares the heap, setting up for deserialization.
   void InitializeMainThreadLocalHeap(LocalHeap* main_thread_local_heap);
 
-  // (Re-)Initialize hash seed from flag or RNG.
-  void InitializeHashSeed();
-
   // Invoked once for the process from V8::Initialize.
   static void InitializeOncePerProcess();
 
diff --git a/deps/v8/src/heap/setup-heap-internal.cc b/deps/v8/src/heap/setup-heap-internal.cc
@@ -16,6 +16,7 @@
 #include "src/init/heap-symbols.h"
 #include "src/init/setup-isolate.h"
 #include "src/interpreter/interpreter.h"
+#include "src/numbers/hash-seed.h"
 #include "src/objects/arguments.h"
 #include "src/objects/call-site-info.h"
 #include "src/objects/cell-inl.h"
@@ -853,9 +854,10 @@ bool Heap::CreateImportantReadOnlyObjects() {
   // Hash seed for strings
 
   Factory* factory = isolate()->factory();
-  set_hash_seed(
-      *factory->NewByteArray(kInt64Size * 4, AllocationType::kReadOnly));
-  InitializeHashSeed();
+  set_hash_seed(*factory->NewByteArray(HashSeed::kTotalSize,
+                                       AllocationType::kReadOnly,
+                                       AllocationAlignment::kDoubleAligned));
+  HashSeed::InitializeRoots(isolate());
 
   // Important strings and symbols
   for (const ConstantStringInit& entry : kImportantConstantStringTable) {
diff --git a/deps/v8/src/numbers/hash-seed-inl.h b/deps/v8/src/numbers/hash-seed-inl.h
@@ -8,7 +8,6 @@
 #include "src/numbers/hash-seed.h"
 #include "src/objects/fixed-array-inl.h"
 #include "src/roots/roots-inl.h"
-#include "third_party/rapidhash-v8/secret.h"
 
 namespace v8 {
 namespace internal {
@@ -19,23 +18,13 @@ inline HashSeed::HashSeed(Isolate* isolate)
 inline HashSeed::HashSeed(LocalIsolate* isolate)
     : HashSeed(ReadOnlyRoots(isolate)) {}
 
-inline HashSeed::HashSeed(ReadOnlyRoots roots) {
-  // roots.hash_seed is not aligned
-  MemCopy(&seed_, roots.hash_seed()->begin(), sizeof(seed_));
-  MemCopy(secret_, roots.hash_seed()->begin() + sizeof(seed_), sizeof(secret_));
-}
-
-inline HashSeed::HashSeed(uint64_t seed, const uint64_t secret[3])
-    : seed_(seed),
-      secret_{
-          secret[0],
-          secret[1],
-          secret[2],
-      } {}
-
-inline HashSeed HashSeed::Default() {
-  return HashSeed(0, RAPIDHASH_DEFAULT_SECRET);
-}
+inline HashSeed::HashSeed(ReadOnlyRoots roots)
+    : data_(reinterpret_cast<const Data*>(roots.hash_seed()->begin())) {}
+
+inline HashSeed HashSeed::Default() { return HashSeed(kDefaultData); }
+
+inline uint64_t HashSeed::seed() const { return data_->seed; }
+inline const uint64_t* HashSeed::secret() const { return data_->secrets; }
 
 }  // namespace internal
 }  // namespace v8
diff --git a/deps/v8/src/numbers/hash-seed.cc b/deps/v8/src/numbers/hash-seed.cc
@@ -0,0 +1,55 @@
+// Copyright 2026 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "src/numbers/hash-seed.h"
+
+#include <cstddef>
+
+#include "src/execution/isolate.h"
+#include "src/flags/flags.h"
+#include "src/numbers/hash-seed-inl.h"
+#include "src/objects/name.h"
+#include "third_party/rapidhash-v8/secret.h"
+
+namespace v8 {
+namespace internal {
+
+namespace {
+
+static constexpr HashSeed::Data kDefaultSeed = {
+    0,
+    {RAPIDHASH_DEFAULT_SECRET[0], RAPIDHASH_DEFAULT_SECRET[1],
+     RAPIDHASH_DEFAULT_SECRET[2]}};
+
+}  // anonymous namespace
+
+static_assert(HashSeed::kSecretsCount == arraysize(RAPIDHASH_DEFAULT_SECRET));
+const HashSeed::Data* const HashSeed::kDefaultData = &kDefaultSeed;
+
+// static
+void HashSeed::InitializeRoots(Isolate* isolate) {
+  DCHECK(!isolate->heap()->deserialization_complete());
+  uint64_t seed;
+  if (v8_flags.hash_seed == 0) {
+    int64_t rnd = isolate->random_number_generator()->NextInt64();
+    seed = static_cast<uint64_t>(rnd);
+  } else {
+    seed = static_cast<uint64_t>(v8_flags.hash_seed);
+  }
+
+  // Write the seed and derived secrets into the read-only roots ByteArray.
+  Data* data = const_cast<Data*>(HashSeed(isolate).data_);
+
+#if V8_USE_DEFAULT_HASHER_SECRET
+  // Copy from the default seed and just override the meta seed.
+  *data = kDefaultSeed;
+  data->seed = seed;
+#else
+  data->seed = seed;
+  rapidhash_make_secret(seed, data->secrets);
+#endif  // V8_USE_DEFAULT_HASHER_SECRET
+}
+
+}  // namespace internal
+}  // namespace v8
diff --git a/deps/v8/src/numbers/hash-seed.h b/deps/v8/src/numbers/hash-seed.h
@@ -5,7 +5,11 @@
 #ifndef V8_NUMBERS_HASH_SEED_H_
 #define V8_NUMBERS_HASH_SEED_H_
 
-#include <stdint.h>
+#include <cstddef>
+#include <cstdint>
+#include <type_traits>
+
+#include "src/base/macros.h"
 
 namespace v8 {
 namespace internal {
@@ -14,28 +18,56 @@ class Isolate;
 class LocalIsolate;
 class ReadOnlyRoots;
 
-class HashSeed {
+// A lightweight view over the hash_seed ByteArray in read-only roots.
+class V8_EXPORT_PRIVATE HashSeed {
  public:
   inline explicit HashSeed(Isolate* isolate);
   inline explicit HashSeed(LocalIsolate* isolate);
   inline explicit HashSeed(ReadOnlyRoots roots);
-  inline explicit HashSeed(uint64_t seed, const uint64_t secret[3]);
 
   static inline HashSeed Default();
 
-  uint64_t seed() const { return seed_; }
-  const uint64_t* secret() const { return secret_; }
+  inline uint64_t seed() const;
+  inline const uint64_t* secret() const;
+
+  bool operator==(const HashSeed& b) const { return data_ == b.data_; }
+
+  static constexpr int kSecretsCount = 3;
+
+  // The ReadOnlyRoots::hash_seed() byte array can be interpreted
+  // as a HashSeed::Data struct.
+  // Since this maps over either the read-only roots or over a static byte
+  // array, and in both cases, must be allocated at 8-byte boundaries,
+  // we don't use V8_OBJECT here.
+  struct Data {
+    // meta seed from --hash-seed, 0 = generate at startup
+    uint64_t seed;
+    // When V8_USE_DEFAULT_HASHER_SECRET is enabled, these are just
+    // RAPIDHASH_DEFAULT_SECRET. Otherwise they are derived from the seed
+    // using rapidhash_make_secret().
+    uint64_t secrets[kSecretsCount];
+  };
 
-  constexpr bool operator==(const HashSeed& b) const {
-    return seed_ == b.seed_ && secret_[0] == b.secret_[0] &&
-           secret_[1] == b.secret_[1] && secret_[2] == b.secret_[2];
-  }
+  static constexpr int kTotalSize = sizeof(Data);
+
+  // Generates a hash seed (from --hash-seed or the RNG) and writes it
+  // together with derived secrets into the isolate's hash_seed in
+  // its read-only roots.
+  static void InitializeRoots(Isolate* isolate);
 
  private:
-  uint64_t seed_;
-  uint64_t secret_[3];
+  // Pointer into the Data overlaying the ByteArray data (either
+  // points to read-only roots or to kDefaultData).
+  const Data* data_;
+  HashSeed(const Data* data) : data_(data) {}
+
+  // Points to the static constexpr default seed.
+  static const Data* const kDefaultData;
 };
 
+static_assert(std::is_trivially_copyable_v<HashSeed>);
+static_assert(alignof(HashSeed::Data) == alignof(uint64_t));
+
 }  // namespace internal
 }  // namespace v8
 
diff --git a/deps/v8/src/objects/fixed-array-inl.h b/deps/v8/src/objects/fixed-array-inl.h
@@ -723,15 +723,15 @@ template <class IsolateT>
 Handle<D> PrimitiveArrayBase<D, S, P>::Allocate(
     IsolateT* isolate, int length,
     base::Optional<DisallowGarbageCollection>* no_gc_out,
-    AllocationType allocation) {
+    AllocationType allocation, AllocationAlignment alignment) {
   // Note 0-length is explicitly allowed since not all subtypes can be
   // assumed to have canonical 0-length instances.
   DCHECK_GE(length, 0);
   DCHECK_LE(length, kMaxLength);
   DCHECK(!no_gc_out->has_value());
 
   Tagged<D> xs = D::unchecked_cast(
-      isolate->factory()->AllocateRawArray(SizeFor(length), allocation));
+      isolate->factory()->AllocateRawArray(SizeFor(length), allocation, alignment));
 
   ReadOnlyRoots roots{isolate};
   if (DEBUG_BOOL) no_gc_out->emplace();
@@ -898,7 +898,8 @@ Handle<ArrayList> ArrayList::New(IsolateT* isolate, int capacity,
 // static
 template <class IsolateT>
 Handle<ByteArray> ByteArray::New(IsolateT* isolate, int length,
-                                 AllocationType allocation) {
+                                 AllocationType allocation,
+                                 AllocationAlignment alignment) {
   if (V8_UNLIKELY(static_cast<unsigned>(length) > kMaxLength)) {
     FATAL("Fatal JavaScript invalid size error %d", length);
   } else if (V8_UNLIKELY(length == 0)) {
@@ -907,7 +908,7 @@ Handle<ByteArray> ByteArray::New(IsolateT* isolate, int length,
 
   base::Optional<DisallowGarbageCollection> no_gc;
   Handle<ByteArray> result =
-      Handle<ByteArray>::cast(Allocate(isolate, length, &no_gc, allocation));
+      Handle<ByteArray>::cast(Allocate(isolate, length, &no_gc, allocation, alignment));
 
   int padding_size = SizeFor(length) - OffsetOfElementAt(length);
   memset(result->AddressOfElementAt(length), 0, padding_size);
diff --git a/deps/v8/src/objects/fixed-array.h b/deps/v8/src/objects/fixed-array.h
@@ -452,7 +452,8 @@ class PrimitiveArrayBase : public Super {
   static Handle<Derived> Allocate(
       IsolateT* isolate, int length,
       base::Optional<DisallowGarbageCollection>* no_gc_out,
-      AllocationType allocation = AllocationType::kYoung);
+      AllocationType allocation = AllocationType::kYoung,
+      AllocationAlignment alignment = kTaggedAligned);
 
   inline bool IsInBounds(int index) const;
 };
@@ -758,7 +759,8 @@ class ByteArray : public PrimitiveArrayBase<ByteArray, ByteArrayShape> {
   template <class IsolateT>
   static inline Handle<ByteArray> New(
       IsolateT* isolate, int capacity,
-      AllocationType allocation = AllocationType::kYoung);
+      AllocationType allocation = AllocationType::kYoung,
+      AllocationAlignment alignment = kTaggedAligned);
 
   inline uint32_t get_int(int offset) const;
   inline void set_int(int offset, uint32_t value);
diff --git a/deps/v8/src/snapshot/read-only-deserializer.cc b/deps/v8/src/snapshot/read-only-deserializer.cc
@@ -8,6 +8,7 @@
 #include "src/heap/heap-inl.h"
 #include "src/heap/read-only-heap.h"
 #include "src/logging/counters-scopes.h"
+#include "src/numbers/hash-seed.h"
 #include "src/objects/objects-inl.h"
 #include "src/objects/slots.h"
 #include "src/snapshot/embedded/embedded-data-inl.h"
@@ -165,7 +166,7 @@ void ReadOnlyDeserializer::DeserializeIntoIsolate() {
 #endif
 
   if (should_rehash()) {
-    isolate()->heap()->InitializeHashSeed();
+    HashSeed::InitializeRoots(isolate());
     Rehash();
   }
 
diff --git a/deps/v8/src/snapshot/shared-heap-deserializer.cc b/deps/v8/src/snapshot/shared-heap-deserializer.cc

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ specific_include_rules = {`
`129`	`129`	`"heap\.cc": [`
`130`	`130`	`"+third_party/rapidhash-v8/secret.h",`
`131`	`131`	`],`
`132`		`- "hash-seed-inl\.h": [`
	`132`	`+ "hash-seed\.cc": [`
`133`	`133`	`"+third_party/rapidhash-v8/secret.h",`
`134`	`134`	`],`
`135`	`135`	`}`