build,test: test array index hash collision

This enables v8_enable_seeded_array_index_hash and add a test for it.

deps: V8: backport 0a8b1cdcc8b2

Original commit message:

    implement rapidhash secret generation

    Bug: 409717082
    Change-Id: I471f33d66de32002f744aeba534c1d34f71e27d2
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6733490
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Commit-Queue: snek <snek@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#101499}

deps: V8: backport 185f0fe09b72

Original commit message:

    [numbers] Refactor HashSeed as a lightweight view over ByteArray

    Instead of copying the seed and secrets into a struct with value
    fields, HashSeed now stores a pointer pointing either into the
    read-only ByteArray, or the static default seed for off-heap
    HashSeed::Default() calls. The underlying storage is always
    8-byte aligned so we can cast it directly into a struct.

    Change-Id: I5896a7f2ae24296eb4c80b757a5d90ac70a34866
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7609720
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Commit-Queue: Joyee Cheung <joyee@igalia.com>
    Cr-Commit-Position: refs/heads/main@{#105531}

deps: V8: backport 1361b2a49d02

Original commit message:

    [strings] improve array index hash distribution

    Previously, the hashes stored in a Name's raw_hash_field for decimal
    numeric strings (potential array indices) consist of the literal
    integer value along with the length of the string. This means
    consecutive numeric strings can have consecutive hash values, which
    can lead to O(n^2) probing for insertion in the worst case when e.g.
    a non-numeric string happen to land in the these buckets.

    This patch adds a build-time flag v8_enable_seeded_array_index_hash
    that scrambles the 24-bit array-index value stored in a Name's
    raw_hash_field to improve the distribution.

    x ^= x >> kShift; x = (x * m1) & kMask;    // round 1
    x ^= x >> kShift; x = (x * m2) & kMask;    // round 2
    x ^= x >> kShift;                          // finalize

    To decode, apply the same steps with the modular inverses of m1
    and m2 in reverse order.

    x ^= x >> kShift; x = (x * m2_inv) & kMask;    // round 1
    x ^= x >> kShift; x = (x * m1_inv) & kMask;    // round 2
    x ^= x >> kShift;                              // finalize

    where kShift = kArrayIndexValueBits / 2, kMask = kArrayIndexValueMask,
    m1, m2 (both odd) are the lower bits of the rapidhash secrets, m1_inv,
    m2_inv (modular inverses) are precomputed modular inverse of m1 and m2.
    The pre-computed values are appended to the hash_seed ByteArray in
    ReadOnlyRoots and accessed in generated code to reduce overhead.
    In call sites that don't already have access to the seeds, we read them
    from the current isolate group/isolate's read only roots.

    To consolidate the code that encode/decode these hashes, this patch
    adds MakeArrayIndexHash/DecodeArrayIndexFromHashField in C++ and CSA
    that perform seeding/unseeding if enabled, and updates places where
    encoding/decoding of array index is needed to use them.

    Bug: 477515021
    Change-Id: I350afe511951a54c4378396538152cc56565fd55
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7564330
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Commit-Queue: Joyee Cheung <joyee@igalia.com>
    Cr-Commit-Position: refs/heads/main@{#105596}

deps: V8: cherry-pick aac14dd95e5b

Original commit message:

    [string] add 3rd round to seeded array index hash

    Since we already have 3 derived secrets, and arithmetics are
    relatively cheap, add a 3rd round to the xorshift-multiply
    seeding scheme. This brings the bias from ~3.4 to ~0.4.

    Bug: 477515021
    Change-Id: I1ef48954bcee8768d8c90db06ac8adb02f06cebf
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7655117
    Reviewed-by: Chengzhong Wu <cwu631@bloomberg.net>
    Commit-Queue: Joyee Cheung <joyee@igalia.com>
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#105824}

PR-URL: nodejs-private/node-private#834
CVE-ID: CVE-2026-21717

deps: V8: backport 185f0fe09b72

Original commit message:

    [numbers] Refactor HashSeed as a lightweight view over ByteArray

    Instead of copying the seed and secrets into a struct with value
    fields, HashSeed now stores a pointer pointing either into the
    read-only ByteArray, or the static default seed for off-heap
    HashSeed::Default() calls. The underlying storage is always
    8-byte aligned so we can cast it directly into a struct.

    Change-Id: I5896a7f2ae24296eb4c80b757a5d90ac70a34866
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7609720
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Commit-Queue: Joyee Cheung <joyee@igalia.com>
    Cr-Commit-Position: refs/heads/main@{#105531}

deps: V8: backport 1361b2a49d02

Original commit message:

    [strings] improve array index hash distribution

    Previously, the hashes stored in a Name's raw_hash_field for decimal
    numeric strings (potential array indices) consist of the literal
    integer value along with the length of the string. This means
    consecutive numeric strings can have consecutive hash values, which
    can lead to O(n^2) probing for insertion in the worst case when e.g.
    a non-numeric string happen to land in the these buckets.

    This patch adds a build-time flag v8_enable_seeded_array_index_hash that
    scrambles the 24-bit array-index value stored in a Name's raw_hash_field
    to improve the distribution.

    x ^= x >> kShift; x = (x * m1) & kMask;    // round 1
    x ^= x >> kShift; x = (x * m2) & kMask;    // round 2
    x ^= x >> kShift;                          // finalize

    To decode, apply the same steps with the modular inverses of m1 and m2
    in reverse order.

    x ^= x >> kShift; x = (x * m2_inv) & kMask;    // round 1
    x ^= x >> kShift; x = (x * m1_inv) & kMask;    // round 2
    x ^= x >> kShift;                              // finalize

    where kShift = kArrayIndexValueBits / 2, kMask = kArrayIndexValueMask,
    m1, m2 (both odd) are the lower bits of the rapidhash secrets, m1_inv,
    m2_inv (modular inverses) are precomputed modular inverse of m1 and m2.
    The pre-computed values are appended to the hash_seed ByteArray in
    ReadOnlyRoots and accessed in generated code to reduce overhead.
    In call sites that don't already have access to the seeds, we read them
    from the current isolate group/isolate's read only roots.

    To consolidate the code that encode/decode these hashes, this patch
    adds MakeArrayIndexHash/DecodeArrayIndexFromHashField in C++ and CSA
    that perform seeding/unseeding if enabled, and updates places where
    encoding/decoding of array index is needed to use them.

    Bug: 477515021
    Change-Id: I350afe511951a54c4378396538152cc56565fd55
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7564330
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Commit-Queue: Joyee Cheung <joyee@igalia.com>
    Cr-Commit-Position: refs/heads/main@{#105596}

deps: V8: cherry-pick aac14dd95e5b

Original commit message:

    [string] add 3rd round to seeded array index hash

    Since we already have 3 derived secrets, and arithmetics are
    relatively cheap, add a 3rd round to the xorshift-multiply
    seeding scheme. This brings the bias from ~3.4 to ~0.4.

    Bug: 477515021
    Change-Id: I1ef48954bcee8768d8c90db06ac8adb02f06cebf
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7655117
    Reviewed-by: Chengzhong Wu <cwu631@bloomberg.net>
    Commit-Queue: Joyee Cheung <joyee@igalia.com>
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#105824}

Co-authored-by: Joyee Cheung <joyeec9h3@gmail.com>
Refs: https://hackerone.com/reports/3511792
Refs: v8/v8@aac14dd
PR-URL: #61898
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
(cherry picked from commit fff9a8a)

Author: joyeecheung

common.gypi

@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.17',
+    'v8_embedder_string': '-node.18',
 
     ##### V8 defaults for Node.js #####
 

deps/v8/BUILD.bazel

@@ -240,6 +240,11 @@ v8_flag(
     default = False,
 )
 
+v8_flag(
+    name = "v8_enable_seeded_array_index_hash",
+    default = False,
+)
+
 selects.config_setting_group(
     name = "enable_drumbrake_x64",
     match_all = [
@@ -512,6 +517,7 @@ v8_config(
         "v8_enable_webassembly": "V8_ENABLE_WEBASSEMBLY",
         "v8_enable_drumbrake": "V8_ENABLE_DRUMBRAKE",
         "v8_enable_drumbrake_tracing": "V8_ENABLE_DRUMBRAKE_TRACING",
+        "v8_enable_seeded_array_index_hash": "V8_ENABLE_SEEDED_ARRAY_INDEX_HASH",
         "v8_jitless": "V8_JITLESS",
         "v8_enable_vtunejit": "ENABLE_VTUNE_JIT_INTERFACE",
         "v8_enable_undefined_double": "V8_ENABLE_UNDEFINED_DOUBLE",
@@ -2028,6 +2034,7 @@ filegroup(
         "src/numbers/conversions.h",
         "src/numbers/conversions-inl.h",
         "src/numbers/hash-seed.h",
+        "src/numbers/hash-seed.cc",
         "src/numbers/hash-seed-inl.h",
         "src/numbers/ieee754.cc",
         "src/numbers/ieee754.h",

deps/v8/BUILD.gn

@@ -499,6 +499,9 @@ declare_args() {
   # Use a hard-coded secret value when hashing.
   v8_use_default_hasher_secret = true
 
+  # Enable seeded array index hash.
+  v8_enable_seeded_array_index_hash = false
+
   # add instrumentation for Dumpling differential fuzzing
   v8_dumpling = false
 
@@ -1241,6 +1244,9 @@ config("features") {
   if (v8_enable_lite_mode) {
     defines += [ "V8_LITE_MODE" ]
   }
+  if (v8_enable_seeded_array_index_hash) {
+    defines += [ "V8_ENABLE_SEEDED_ARRAY_INDEX_HASH" ]
+  }
   if (v8_enable_gdbjit) {
     defines += [ "ENABLE_GDB_JIT_INTERFACE" ]
   }
@@ -5981,6 +5987,7 @@ v8_source_set("v8_base_without_compiler") {
     "src/logging/runtime-call-stats.cc",
     "src/logging/tracing-flags.cc",
     "src/numbers/conversions.cc",
+    "src/numbers/hash-seed.cc",
     "src/numbers/ieee754.cc",
     "src/numbers/math-random.cc",
     "src/objects/abstract-code.cc",

deps/v8/src/DEPS

@@ -138,7 +138,7 @@ specific_include_rules = {
   "heap\.cc": [
     "+third_party/rapidhash-v8/secret.h",
   ],
-  "hash-seed-inl\.h": [
+  "hash-seed\.cc": [
     "+third_party/rapidhash-v8/secret.h",
   ],
 }

deps/v8/src/ast/ast-value-factory.cc

@@ -83,7 +83,8 @@ bool AstRawString::AsArrayIndex(uint32_t* index) const {
   // can't be convertible to an array index.
   if (!IsIntegerIndex()) return false;
   if (length() <= Name::kMaxCachedArrayIndexLength) {
-    *index = Name::ArrayIndexValueBits::decode(raw_hash_field_);
+    *index = StringHasher::DecodeArrayIndexFromHashField(
+        raw_hash_field_, HashSeed(GetReadOnlyRoots()));
     return true;
   }
   // Might be an index, but too big to cache it. Do the slow conversion. This

deps/v8/src/builtins/number.tq

@@ -300,7 +300,7 @@ transitioning javascript builtin NumberParseFloat(
     const hash: NameHash = s.raw_hash_field;
     if (IsIntegerIndex(hash) &&
         hash.array_index_length < kMaxCachedArrayIndexLength) {
-      const arrayIndex: uint32 = hash.array_index_value;
+      const arrayIndex: uint32 = DecodeArrayIndexFromHashField(hash);
       return SmiFromUint32(arrayIndex);
     }
     // Fall back to the runtime to convert string to a number.
@@ -351,7 +351,7 @@ transitioning builtin ParseInt(
     const hash: NameHash = s.raw_hash_field;
     if (IsIntegerIndex(hash) &&
         hash.array_index_length < kMaxCachedArrayIndexLength) {
-      const arrayIndex: uint32 = hash.array_index_value;
+      const arrayIndex: uint32 = DecodeArrayIndexFromHashField(hash);
       return SmiFromUint32(arrayIndex);
     }
     // Fall back to the runtime.

deps/v8/src/builtins/wasm.tq

@@ -1611,8 +1611,8 @@ builtin WasmStringToDouble(s: String): float64 {
   const hash: NameHash = s.raw_hash_field;
   if (IsIntegerIndex(hash) &&
       hash.array_index_length < kMaxCachedArrayIndexLength) {
-    const arrayIndex: int32 = Signed(hash.array_index_value);
-    return Convert<float64>(arrayIndex);
+    const arrayIndex: uint32 = DecodeArrayIndexFromHashField(hash);
+    return Convert<float64>(Signed(arrayIndex));
   }
   return StringToFloat64(Flatten(s));
 }

deps/v8/src/codegen/code-stub-assembler.cc

@@ -2711,6 +2711,66 @@ TNode<Uint32T> CodeStubAssembler::LoadJSReceiverIdentityHash(
   return var_hash.value();
 }
 
+#ifdef V8_ENABLE_SEEDED_ARRAY_INDEX_HASH
+// Mirror C++ StringHasher::SeedArrayIndexValue.
+TNode<Uint32T> CodeStubAssembler::SeedArrayIndexValue(TNode<Uint32T> value) {
+  // Load m1, m2 and m3 from the hash seed byte array. In the compiled code
+  // these will always come from the read-only roots.
+  TNode<ByteArray> hash_seed = CAST(LoadRoot(RootIndex::kHashSeed));
+  intptr_t base_offset = OFFSET_OF_DATA_START(ByteArray) - kHeapObjectTag;
+  TNode<Uint32T> m1 = Load<Uint32T>(
+      hash_seed, IntPtrConstant(base_offset + HashSeed::kDerivedM1Offset));
+  TNode<Uint32T> m2 = Load<Uint32T>(
+      hash_seed, IntPtrConstant(base_offset + HashSeed::kDerivedM2Offset));
+  TNode<Uint32T> m3 = Load<Uint32T>(
+      hash_seed, IntPtrConstant(base_offset + HashSeed::kDerivedM3Offset));
+
+  TNode<Word32T> x = value;
+  // 3-round xorshift-multiply.
+  x = Word32Xor(x, Word32Shr(x, Uint32Constant(Name::kArrayIndexHashShift)));
+  x = Word32And(Uint32Mul(Unsigned(x), m1),
+                Uint32Constant(Name::kArrayIndexValueMask));
+  x = Word32Xor(x, Word32Shr(x, Uint32Constant(Name::kArrayIndexHashShift)));
+  x = Word32And(Uint32Mul(Unsigned(x), m2),
+                Uint32Constant(Name::kArrayIndexValueMask));
+  x = Word32Xor(x, Word32Shr(x, Uint32Constant(Name::kArrayIndexHashShift)));
+  x = Word32And(Uint32Mul(Unsigned(x), m3),
+                Uint32Constant(Name::kArrayIndexValueMask));
+  x = Word32Xor(x, Word32Shr(x, Uint32Constant(Name::kArrayIndexHashShift)));
+
+  return Unsigned(x);
+}
+
+// Mirror C++ StringHasher::UnseedArrayIndexValue.
+TNode<Uint32T> CodeStubAssembler::UnseedArrayIndexValue(TNode<Uint32T> value) {
+  // Load m1_inv, m2_inv and m3_inv from the hash seed byte array. In the
+  // compiled code these will always come from the read-only roots.
+  TNode<ByteArray> hash_seed = CAST(LoadRoot(RootIndex::kHashSeed));
+  intptr_t base_offset = OFFSET_OF_DATA_START(ByteArray) - kHeapObjectTag;
+  TNode<Uint32T> m1_inv = Load<Uint32T>(
+      hash_seed, IntPtrConstant(base_offset + HashSeed::kDerivedM1InvOffset));
+  TNode<Uint32T> m2_inv = Load<Uint32T>(
+      hash_seed, IntPtrConstant(base_offset + HashSeed::kDerivedM2InvOffset));
+  TNode<Uint32T> m3_inv = Load<Uint32T>(
+      hash_seed, IntPtrConstant(base_offset + HashSeed::kDerivedM3InvOffset));
+
+  TNode<Word32T> x = value;
+  // 3-round xorshift-multiply (inverse).
+  // Xorshift is an involution when kShift is at least half of the value width.
+  x = Word32Xor(x, Word32Shr(x, Uint32Constant(Name::kArrayIndexHashShift)));
+  x = Word32And(Uint32Mul(Unsigned(x), m3_inv),
+                Uint32Constant(Name::kArrayIndexValueMask));
+  x = Word32Xor(x, Word32Shr(x, Uint32Constant(Name::kArrayIndexHashShift)));
+  x = Word32And(Uint32Mul(Unsigned(x), m2_inv),
+                Uint32Constant(Name::kArrayIndexValueMask));
+  x = Word32Xor(x, Word32Shr(x, Uint32Constant(Name::kArrayIndexHashShift)));
+  x = Word32And(Uint32Mul(Unsigned(x), m1_inv),
+                Uint32Constant(Name::kArrayIndexValueMask));
+  x = Word32Xor(x, Word32Shr(x, Uint32Constant(Name::kArrayIndexHashShift)));
+  return Unsigned(x);
+}
+#endif  // V8_ENABLE_SEEDED_ARRAY_INDEX_HASH
+
 TNode<Uint32T> CodeStubAssembler::LoadNameHashAssumeComputed(TNode<Name> name) {
   TNode<Uint32T> hash_field = LoadNameRawHash(name);
   CSA_DCHECK(this, IsClearWord32(hash_field, Name::kHashNotComputedMask));
@@ -9404,8 +9464,7 @@ TNode<Number> CodeStubAssembler::StringToNumber(TNode<String> input) {
   GotoIf(IsSetWord32(raw_hash_field, Name::kDoesNotContainCachedArrayIndexMask),
          &runtime);
 
-  var_result = SmiTag(Signed(
-      DecodeWordFromWord32<String::ArrayIndexValueBits>(raw_hash_field)));
+  var_result = SmiFromUint32(DecodeArrayIndexFromHashField(raw_hash_field));
   Goto(&end);
 
   BIND(&runtime);
@@ -10535,9 +10594,8 @@ void CodeStubAssembler::TryToName(TNode<Object> key, Label* if_keyisindex,
 
         BIND(&if_has_cached_index);
         {
-          TNode<IntPtrT> index =
-              Signed(DecodeWordFromWord32<String::ArrayIndexValueBits>(
-                  raw_hash_field));
+          TNode<IntPtrT> index = Signed(ChangeUint32ToWord(
+              DecodeArrayIndexFromHashField(raw_hash_field)));
           CSA_DCHECK(this, IntPtrLessThan(index, IntPtrConstant(INT_MAX)));
           *var_index = index;
           Goto(if_keyisindex);

deps/v8/src/codegen/code-stub-assembler.h

@@ -4835,6 +4835,12 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
     return WordEqual(WordAnd(flags, IntPtrConstant(mask)), IntPtrConstant(0));
   }
 
+#ifdef V8_ENABLE_SEEDED_ARRAY_INDEX_HASH
+  // Mirror C++ StringHasher::SeedArrayIndexValue and UnseedArrayIndexValue.
+  TNode<Uint32T> SeedArrayIndexValue(TNode<Uint32T> value);
+  TNode<Uint32T> UnseedArrayIndexValue(TNode<Uint32T> value);
+#endif  // V8_ENABLE_SEEDED_ARRAY_INDEX_HASH
+
  private:
   friend class CodeStubArguments;
 

deps/v8/src/heap/factory-base.cc

@@ -299,9 +299,9 @@ Handle<ProtectedWeakFixedArray> FactoryBase<Impl>::NewProtectedWeakFixedArray(
 }
 
 template <typename Impl>
-Handle<ByteArray> FactoryBase<Impl>::NewByteArray(int length,
-                                                  AllocationType allocation) {
-  return ByteArray::New(isolate(), length, allocation);
+Handle<ByteArray> FactoryBase<Impl>::NewByteArray(
+    int length, AllocationType allocation, AllocationAlignment alignment) {
+  return ByteArray::New(isolate(), length, allocation, alignment);
 }
 
 template <typename Impl>
@@ -1173,7 +1173,8 @@ inline Handle<String> FactoryBase<Impl>::SmiToString(Tagged<Smi> number,
     if (raw->raw_hash_field() == String::kEmptyHashField &&
         number.value() >= 0) {
       uint32_t raw_hash_field = StringHasher::MakeArrayIndexHash(
-          static_cast<uint32_t>(number.value()), raw->length());
+          static_cast<uint32_t>(number.value()), raw->length(),
+          HashSeed(read_only_roots()));
       raw->set_raw_hash_field(raw_hash_field);
     }
   }
@@ -1333,9 +1334,9 @@ FactoryBase<Impl>::AllocateRawTwoByteInternalizedString(
 
 template <typename Impl>
 Tagged<HeapObject> FactoryBase<Impl>::AllocateRawArray(
-    int size, AllocationType allocation, AllocationHint hint) {
-  Tagged<HeapObject> result =
-      AllocateRaw(size, allocation, AllocationAlignment::kTaggedAligned, hint);
+    int size, AllocationType allocation, AllocationHint hint,
+    AllocationAlignment alignment) {
+  Tagged<HeapObject> result = AllocateRaw(size, allocation, alignment, hint);
   if ((size >
        isolate()->heap()->AsHeap()->MaxRegularHeapObjectSize(allocation)) &&
       v8_flags.use_marking_progress_bar) {