Skip to content

[v24.x] deps: V8: backport 6a0a25abaed3#61670

Open
kxxt wants to merge 109 commits intonodejs:v24.x-stagingfrom
kxxt:v24-rv-sp
Open

[v24.x] deps: V8: backport 6a0a25abaed3#61670
kxxt wants to merge 109 commits intonodejs:v24.x-stagingfrom
kxxt:v24-rv-sp

Conversation

@kxxt
Copy link
Contributor

@kxxt kxxt commented Feb 4, 2026

Original commit message:

[riscv] Fix sp handling in MacroAssembler::LeaveFrame

Keep sp <= fp to ensure that data right above fp doesn't get clobbered
by an inopportune signal and its handler.

Such clobbering can happen in e.g. Node.js when JIT-compiled code is
interrupted by a SIGCHLD handler.

Bug: None
Change-Id: Ief0836032ada7942e89f081f7605f61632c4d414
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7540554
Reviewed-by: Ji Qiu <[email protected]>
Commit-Queue: Yahan Lu (LuYahan) <[email protected]>
Reviewed-by: Rezvan Mahdavi Hezaveh <[email protected]>
Cr-Commit-Position: refs/heads/main@{#105069}

Refs: v8/v8@6a0a25a

This V8 backport fixes a long-standing heisenbug that affects riscv64 since at least node.js 16.

CC @sxa

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/gyp
  • @nodejs/security-wg
  • @nodejs/v8-update

@nodejs-github-bot nodejs-github-bot added build Issues and PRs related to build files or the CI. needs-ci PRs that need a full CI run. v24.x Issues that can be reproduced on v24.x or PRs targeting the v24.x-staging branch. v8 engine Issues and PRs related to the V8 dependency. labels Feb 4, 2026
kxxt added a commit to kxxt/archriscv-packages that referenced this pull request Feb 4, 2026
- Backport chromium-review.googlesource.com/c/v8/v8/+/7540554 to fix the
  long-standing nodejs heisenbug Sporadic Nodejs segfault on sg2042 revyos/revyos#27.
  Upstream PR: nodejs/node#61670
- `--nocheck` is needed. There is one test failure:

    === release test-repl-paste-big-data ===
    Path: parallel/test-repl-paste-big-data
    node:internal/assert/utils:77
        throw err;
        ^

    AssertionError [ERR_ASSERTION]: The expression evaluated to a falsy value:

      assert.ok(diff.user < 1e6)

        at REPLServer.<anonymous> (/build/nodejs-lts-krypton/src/node/test/parallel/test-repl-paste-big-data.js:22:10)
        at REPLServer.<anonymous> (/build/nodejs-lts-krypton/src/node/test/common/index.js:476:15)
        at Object.onceWrapper (node:events:622:28)
        at REPLServer.emit (node:events:508:28)
        at REPLServer.emit (node:domain:489:12)
        at REPLServer.emitExit (node:repl:850:10)
        at REPLServer.emit (node:events:520:35)
        at REPLServer.emit (node:domain:489:12)
        at REPLServer.close (node:internal/readline/interface:555:10)
        at node:repl:1114:5 {
      generatedMessage: true,
      code: 'ERR_ASSERTION',
      actual: false,
      expected: true,
      operator: '==',
      diff: 'simple'
    }

    Node.js v24.13.0
    Command: out/Release/node /build/nodejs-lts-krypton/src/node/test/parallel/test-repl-paste-big-data.js
@aduh95 aduh95 added the blocked PRs that are blocked by other issues or PRs. label Feb 4, 2026
@aduh95
Copy link
Contributor

aduh95 commented Feb 4, 2026

Blocked on #61666

felixonmars pushed a commit to felixonmars/archriscv-packages that referenced this pull request Feb 4, 2026
- Backport chromium-review.googlesource.com/c/v8/v8/+/7540554 to fix the
  long-standing nodejs heisenbug Sporadic Nodejs segfault on sg2042 revyos/revyos#27.
  Upstream PR: nodejs/node#61670
- `--nocheck` is needed. There is one test failure:

    === release test-repl-paste-big-data ===
    Path: parallel/test-repl-paste-big-data
    node:internal/assert/utils:77
        throw err;
        ^

    AssertionError [ERR_ASSERTION]: The expression evaluated to a falsy value:

      assert.ok(diff.user < 1e6)

        at REPLServer.<anonymous> (/build/nodejs-lts-krypton/src/node/test/parallel/test-repl-paste-big-data.js:22:10)
        at REPLServer.<anonymous> (/build/nodejs-lts-krypton/src/node/test/common/index.js:476:15)
        at Object.onceWrapper (node:events:622:28)
        at REPLServer.emit (node:events:508:28)
        at REPLServer.emit (node:domain:489:12)
        at REPLServer.emitExit (node:repl:850:10)
        at REPLServer.emit (node:events:520:35)
        at REPLServer.emit (node:domain:489:12)
        at REPLServer.close (node:internal/readline/interface:555:10)
        at node:repl:1114:5 {
      generatedMessage: true,
      code: 'ERR_ASSERTION',
      actual: false,
      expected: true,
      operator: '==',
      diff: 'simple'
    }

    Node.js v24.13.0
    Command: out/Release/node /build/nodejs-lts-krypton/src/node/test/parallel/test-repl-paste-big-data.js
mcollina and others added 16 commits February 10, 2026 15:11
Wrap pskCallback and ALPNCallback invocations in try-catch blocks
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This prevents remote attackers from
crashing TLS servers or causing resource exhaustion.

Fixes: https://hackerone.com/reports/3473882
PR-URL: nodejs-private/node-private#782
PR-URL: nodejs-private/node-private#790
CVE-ID: CVE-2026-21637
Add support for the creation of ReadableByteStream to Readable.toWeb()
and Duplex.toWeb()
This enables the use of .getReader({ mode: "byob" }) on
e.g. socket().toWeb()

Refs: nodejs#56004 (comment)
Refs: https://developer.mozilla.org/en-US/docs/Web/API/Streams_API/Using_readable_byte_streams
PR-URL: nodejs#58664
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Ethan Arrowood <[email protected]>
Reviewed-By: Mattias Buelens <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@08c6903...93cb6ef)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
PR-URL: nodejs#60767
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Signed-off-by: hainenber <[email protected]>
PR-URL: nodejs#60319
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: René <[email protected]>
PR-URL: nodejs#60796
Reviewed-By: René <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: nodejs#60214
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.1
to 6.0.0.

- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
PR-URL: nodejs#60925
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
It's a common ecosystem pattern to map a source root directory to
`@/` but it requires special tooling support. This turns `#/*` into
a more realistic alternative for that pattern.

PR-URL: nodejs#60864
Reviewed-By: Guy Bedford <[email protected]>
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Claudio Wunder <[email protected]>
Reviewed-By: Zeyu "Alex" Yang <[email protected]>
This adds an API to dynamically enable built-in proxy support
for all of fetch() and http.request()/https.request(), so
that users do not have to be aware of them all and configure them
one by one.

PR-URL: nodejs#60953
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Tim Perry <[email protected]>
Add convertProcessSignalToExitCode() to convert signal names to POSIX
exit codes (128 + signal number). Exposed in public util API.

Refs: nodejs#60720
PR-URL: nodejs#60963
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
PR-URL: nodejs#61043
Reviewed-By: Chemi Atlow <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: Aviv Keller <[email protected]>
PR-URL: nodejs#60913
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Reviewed-By: Gerhard Stöbich <[email protected]>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@330a01c...b7c566a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
PR-URL: nodejs#61238
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
MikeMcC399 and others added 23 commits February 10, 2026 17:39
PR-URL: nodejs#61642
Reviewed-By: Jacob Smith <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Signed-off-by: Tierney Cyren <[email protected]>
PR-URL: nodejs#61663
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
PR-URL: nodejs#61672
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Tierney Cyren <[email protected]>
Defer socket.destroy() calls in internalConnect and
internalConnectMultiple to the next tick. This ensures that error
handlers have a chance to be set up before errors are emitted,
particularly important when using http.request with a custom
lookup function that returns synchronously.

Previously, if a synchronous lookup function returned an IP that
triggered an immediate error (e.g., via blockList), the error would
be emitted before the HTTP client had set up its error handler
(which happens via process.nextTick in onSocket). This caused
unhandled 'error' events.

Fixes: nodejs#48771
PR-URL: nodejs#61658
Refs: nodejs#51038
Reviewed-By: Tim Perry <[email protected]>
Reviewed-By: Jason Zhang <[email protected]>
On Windows, file paths are case-insensitive but string comparison is
case-sensitive. When the drive letter case differs between the computed
project root and the actual output (e.g., 'C:/' vs 'c:/'), the path
replacement in transformProjectRoot() would fail.

This fix uses case-insensitive regex replacement on Windows to ensure
paths are correctly normalized in snapshot tests regardless of drive
letter casing.

Refs: nodejs/reliability#1453
PR-URL: nodejs#61682
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Stefan Stojanovic <[email protected]>
Reviewed-By: Daijiro Wachi <[email protected]>
PR-URL: nodejs#61683
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Matthew Aitken <[email protected]>
PR-URL: nodejs#61675
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Tierney Cyren <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
When binding UTF-8 strings to prepared statements, transfer ownership of
malloc-backed Utf8Value buffers to SQLite to avoid an extra copy for
large strings. Use sqlite3_bind_blob64() when binding BLOB parameters.

PR-URL: nodejs#61580
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Edy Silva <[email protected]>
Reviewed-By: René <[email protected]>
Reviewed-By: Zeyu "Alex" Yang <[email protected]>
PR-URL: nodejs#61696
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Reviewed-By: Daniel Lemire <[email protected]>
Reviewed-By: Vinícius Lourenço Claro Cardoso <[email protected]>
Reviewed-By: Сковорода Никита Андреевич <[email protected]>
Reviewed-By: Gürgün Dayıoğlu <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: René <[email protected]>
PR-URL: nodejs#61659
Reviewed-By: Ethan Arrowood <[email protected]>
Reviewed-By: Jacob Smith <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Pietro Marchini <[email protected]>
Reviewed-By: Chemi Atlow <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Tierney Cyren <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
`require(mod)` does not keep the mod in require cache if
mod throws synchronously. This fixes the tests to print
the stack immediately in case that source map cache could
be cleaned up when the CJS module is reclaimed by GC in
the next event loop tick.

PR-URL: nodejs#61699
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Minwoo Jung <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Add documentation explaining that applications are expected to attach
'error' event handlers to EventEmitters that can emit errors, including
HTTP streams. Crashes resulting from missing error handlers are not
considered denial-of-service vulnerabilities in Node.js.

PR-URL: nodejs#61701
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Small perf improvement:

    $ node benchmark/compare.js --runs 100 \
    >   --old ./node-0da120f879 --new ./node \
    >   --filter structured-clone misc > comparison.csv && \
    >   npx node-benchmark-compare comparison.csv

    [00:02:15|% 100| 1/1 files | 200/200 runs | 3/3 configs]: Done
                                                        confidence improvement accuracy (*)   (**)  (***)
    misc/structured-clone.js n=10000 type='arraybuffer'         **      1.81 %       ±1.28% ±1.68% ±2.16%
    misc/structured-clone.js n=10000 type='object'               *      0.62 %       ±0.55% ±0.73% ±0.93%
    misc/structured-clone.js n=10000 type='string'             ***      8.30 %       ±1.46% ±1.92% ±2.47%

    Be aware that when doing many comparisons the risk of a false-positive result increases.
    In this case, there are 3 comparisons, you can thus expect the following amount of false-positive results:
      0.15 false positives, when considering a   5% risk acceptance (*, **, ***),
      0.03 false positives, when considering a   1% risk acceptance (**, ***),
      0.00 false positives, when considering a 0.1% risk acceptance (***)

PR-URL: nodejs#61703
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
PR-URL: nodejs#61732
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
PR-URL: nodejs#61730
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
PR-URL: nodejs#61685
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Gürgün Dayıoğlu <[email protected]>
PR-URL: nodejs#61279
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
PR-URL: nodejs#61280
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: nodejs#61341
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Aviv Keller <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
PR-URL: nodejs#61456
Reviewed-By: Guy Bedford <[email protected]>
Reviewed-By: Daniel Lemire <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
@kxxt
Copy link
Contributor Author

kxxt commented Feb 13, 2026

Blocked on #61666

This could be unblocked now as #61666 has landed.

Original commit message:

    [riscv] Fix sp handling in MacroAssembler::LeaveFrame

    Keep sp <= fp to ensure that data right above fp doesn't get clobbered
    by an inopportune signal and its handler.

    Such clobbering can happen in e.g. Node.js when JIT-compiled code is
    interrupted by a SIGCHLD handler.

    Bug: None
    Change-Id: Ief0836032ada7942e89f081f7605f61632c4d414
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7540554
    Reviewed-by: Ji Qiu <[email protected]>
    Commit-Queue: Yahan Lu (LuYahan) <[email protected]>
    Reviewed-by: Rezvan Mahdavi Hezaveh <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#105069}

Refs: v8/v8@6a0a25a
Co-authored-by: kxxt <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

blocked PRs that are blocked by other issues or PRs. build Issues and PRs related to build files or the CI. needs-ci PRs that need a full CI run. v8 engine Issues and PRs related to the V8 dependency. v24.x Issues that can be reproduced on v24.x or PRs targeting the v24.x-staging branch.

Projects

None yet

Development

Successfully merging this pull request may close these issues.