nodejs · nodejs-github-bot · Nov 11, 2025 · Nov 9, 2025
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 14
 #define V8_MINOR_VERSION 2
 #define V8_BUILD_NUMBER 231
-#define V8_PATCH_LEVEL 16
+#define V8_PATCH_LEVEL 17
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

diff --git a/deps/v8/src/maglev/maglev-graph-builder.cc b/deps/v8/src/maglev/maglev-graph-builder.cc
@@ -4531,9 +4531,20 @@ ValueNode* MaglevGraphBuilder::ConvertForField(ValueNode* value,
                                                AllocationType allocation_type) {
   switch (desc.type) {
     case vobj::FieldType::kTagged: {
-      if (value->Is<Float64Constant>() &&
-          !NodeTypeIs(GetType(value), NodeType::kSmi)) {
-        // Note that NodeType::kSmi MUST go through GetTaggedValue for proper
+      // Subtle: we don't use `NodeTypeIs(...)` since the predicate must NOT
+      // be true for NodeType::kNone.
+      // TODO(jgruber): NodeType::kNone should never reach here.
+      if (GetType(value) == NodeType::kSmi) {
+        // TODO(jgruber): This is needed because HoleyFloat64ToTagged does not
+        // canonicalize smis by default in GetTaggedValue. We rely on
+        // canonicalization though in TryReduceConstructArrayConstructor.
+        // We should make this more robust.
+        MaybeReduceResult res = GetSmiValue(value);
+        CHECK(res.IsDoneWithValue());
+        return res.value();
+      }
+      if (value->Is<Float64Constant>()) {
+        // Note that NodeType::kSmi MUST go through GetSmiValue for proper
         // canonicalization. If we see a Float64Constant with type kSmi, it has
         // passed BuildCheckSmi, i.e. the runtime value is guaranteed to be
         // convertible to smi (we would have deoptimized otherwise).

diff --git a/deps/v8/test/mjsunit/regress/regress-454485895.js b/deps/v8/test/mjsunit/regress/regress-454485895.js
@@ -0,0 +1,25 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev
+
+// HOLEY_DOUBLE_ELEMENTS.
+const arr = [1, , , , , 1.1];
+
+function opt_me() {
+  for (let i = 0; i < 5; i++) {
+    const ele = arr[i];
+    const arr2 = Array(ele, i);
+    function inner() {
+      arr2.join();
+      arr.__proto__ = ele;
+    }
+    inner();
+  }
+}
+
+%PrepareFunctionForOptimization(opt_me);
+opt_me();
+%OptimizeMaglevOnNextCall(opt_me);
+opt_me();
diff --git a/deps/v8/test/mjsunit/regress/regress-454861480.js b/deps/v8/test/mjsunit/regress/regress-454861480.js
@@ -0,0 +1,20 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev
+
+function f0() {
+  try {
+    ([f0,f0]).forEach(undefined);
+    class C4 {
+      [undefined];
+    }
+  } catch(e5) {
+  }
+  return f0;
+}
+const v6 = %PrepareFunctionForOptimization(f0);
+f0();
+const v8 = %OptimizeMaglevOnNextCall(f0);
+f0();
diff --git a/deps/v8/test/mjsunit/regress/regress-454943951.js b/deps/v8/test/mjsunit/regress/regress-454943951.js
@@ -0,0 +1,19 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+function* __f_0(__v_1) {
+  for (let __v_2 = 0; __v_2 < __v_1; __v_2++) {
+    for (let __v_3 = 0; __v_3 < __v_1; __v_3++) {
+      Math.acos(false);
+      yield __v_2 * 10 + __v_3;
+    }
+  }
+}
+%PrepareFunctionForOptimization(__f_0);
+let __v_0 = __f_0(4);
+__v_0.next().value;
+%OptimizeFunctionOnNextCall(__f_0);
+__v_0 = __f_0();