- 10 May, 2021 15 commits
-
Michael Lippautz authored
This is a reland of 7458e67c

Original change's description:
> cppgc: Implement basic Member and Persistent checks
>
> Adds check for
> - same heap on assignment
> - header and containment
>
> The verification state is eagerly created for on-heap Member
> references using caged heap and lazily created on first assignment for
> all others.
>
> Bug: chromium:1056170
> Change-Id: I38ee18eeb7ac489f69a46670cc5e5abe07f62dfa
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878745
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74449}

Bug: chromium:1056170
Change-Id: I9cecfcf7ba2cb70650fd51f345fbf740b96ff6ba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2882804
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74468}
-
Milad Fa authored
The value needs to be assembled in the correct order depending on the machine endianness.

Bug: v8:7790
Change-Id: I247ce97486721b846ea77de1f075f32c089537ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878296
Reviewed-by: Junliang Yan <junyan@redhat.com>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#74467}
-
Michael Achenbach authored
No-Try: true
Bug: v8:11736
Change-Id: I684516d86d915f7e45c62bc2222dd5e58a29f118
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2880548
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74466}
-
Santiago Aboy Solanes authored
Similar to removing synchronized_ from the object macros[1], we can do it for RELAXED_SMI_ACCESSORS and use the corresponding relaxed tags.

Bug: v8:7790
Change-Id: Iafc0ed9587e30df0b83565b2976522c4aa634c63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2880535
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74465}
-
Samuel Groß authored
This change turns the previously used XOR-based type checks for external pointers into AND-based type checks. With those, the type tag is ORed into the top bits of an external pointer when it is written, and the type check performed on every load is done by ANDing the value with the inverted tag. This will later allow type checking and masking off the GC marking bits of external pointers in a single operation.

Bug: v8:10391
Change-Id: I89f2b22588b3f7467c79c7916c11f25cd9bcc82d
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2850639
Commit-Queue: Samuel Groß <saelo@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74464}
-
Nico Hartmann authored
Torque-generated relaxed/acquire/release accessors now expect an additional Tag argument to be more consistent with handwritten accessors. Torque's annotations are renamed from @relaxedRead, @relaxedWrite, @acquireRead and @releaseWrite to @cppRelaxedLoad, @cppRelaxedStore, @cppAcquireLoad and @cppReleaseStore, respectively. This renaming shall better reflect the fact that those annotations just generate corresponding synchronization on the generated C++ accessors (not CSA code) and be more consistent with the C++ side of things where "Load" and "Store" are used instead of "Read" and "Write".

This CL uses these new annotations on a few fields in DebugInfo and FunctionTemplateInfo to have Torque generate accessors automatically.

Bug: v8:11122
Change-Id: Ibdf3e6b37a254605ff69ba9a50d7b1646790ea15
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2876857
Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74463}
-
Liu Yu authored
Besides, move the comparison of sp and input in kArchStackPointerGreaterThan to AssembleArchInstruction from AssembleBranchToLabels.

Change-Id: Id2715ce89c673d16c94f1d9d7736644983c64248
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2882856
Auto-Submit: Liu yu <liuyu@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#74462}
-
Maya Lekova authored
Resetting the flag in the scope destructor causes concurrent access to the flag value, triggering a TSAN failure when --stress-concurrent-inlining is on. The behaviour of the stress flag was changed in crrev.com/c/2824440 to improve test coverage, so this CL replaces the scope usage with simple flag assignment.

Bug: v8:11740
Change-Id: Ie706edaa50486dd3b6eaabc9d1f26a8d03068418
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2882801
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74461}
-
Wenyu Zhao authored
* Set v8_enable_pointer_compression_shared_cage = false for TPH.
* Skip three more tests that create multiple isolates (which is not supported by TPH at the moment).

Bug: v8:11641
Change-Id: Iefec0ea3e2ed51e8973546441f5daaa2ac02ab57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2881510
Auto-Submit: Wenyu Zhao <wenyu.zhao@anu.edu.au>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74460}
-
Marja Hölttä authored
Detailed list of changes: https://docs.google.com/document/d/15i4-SZDzFDW7FfclIYuZEhFn-q-KpobCBy23x9zZZLc/edit?usp=sharing

Bug: v8:11111
Change-Id: I931003bd4552cf91d57de95af04a427a9e6d6ac9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814259
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74459}
-
Maya Lekova authored
Bug: v8:11399
No-Try: true
Change-Id: Iaf48e8e7d85394adfc430753229de6feede58a8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2882799
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74458}
-
Maya Lekova authored
Bug: v8:11752
No-Try: true
Change-Id: I51fa50622d397e03d6c84c8bf43cb221f6059243
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2880553
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74457}
-
Benedikt Meurer authored
This changes the names reported in stack traces via the Chrome DevTools protocol to follow the WAT naming convention for functions. This aligns the behavior here with the rest of DevTools (i.e. the disassembly in the Sources panel and the Scope sidebar, as well as the Console REPL) to use one consistent naming scheme.

Fixed: chromium:1159307
Doc: http://bit.ly/devtools-wasm-entities
Bug: chromium:1162229, chromium:1164241, chromium:1071432
Change-Id: Ibe543f39c775944072073fe5f0959412529aa19b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878734
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74456}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/b3b05ab..f8d7f9d
Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/b865acd..03dfb00

TBR=v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: Ibb52ba5ba8a831b0e1fe8fb23a1208de73a4e036
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2882477
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74455}
-
Liu Yu authored
The input load from the memory has redundant bits, so it needs to be extracted with an offset, but the input of InputRegister does not need the offset.

Change-Id: Iea6e9bce981ca8a2d1ee55b10a5c5ff3c205357f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2881383
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Auto-Submit: Liu yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#74454}
-
- 09 May, 2021 1 commit
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/b320525..b3b05ab
Rolling v8/buildtools/linux64: git_revision:281c994dc67772cc2a6f5c5fa1c4bafb9dcb733e..git_revision:39a87c0b36310bdf06b692c098f199a0d97fc810
Rolling v8/buildtools/third_party/libc++abi/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxabi/+log/5f51521..767de31
Rolling v8/buildtools/third_party/libunwind/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libunwind/+log/d6f21e0..7846d25
Rolling v8/tools/luci-go: git_revision:fa78eb7ab25ca5d574c0741c8c1a02d6fd7ed66d..git_revision:66f9c8541b85c7f6efc63e75e68d660d4fb30752
Rolling v8/tools/luci-go: git_revision:fa78eb7ab25ca5d574c0741c8c1a02d6fd7ed66d..git_revision:66f9c8541b85c7f6efc63e75e68d660d4fb30752
Rolling v8/tools/luci-go: git_revision:fa78eb7ab25ca5d574c0741c8c1a02d6fd7ed66d..git_revision:66f9c8541b85c7f6efc63e75e68d660d4fb30752

TBR=v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I19e862ab74694a8bea22e85a9ab48e716015e932
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2882028
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74453}
-
- 08 May, 2021 1 commit
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/c844180..b320525
Rolling v8/buildtools/linux64: git_revision:dfd036f3be5422c7b61cf16369bde28b3a8cccc8..git_revision:281c994dc67772cc2a6f5c5fa1c4bafb9dcb733e
Rolling v8/third_party/aemu-linux-x64: IFKk3HKRVi_NvWa_9abMZahaAGY7hGQ0MzuloLf6TkgC..H-kH9WxQErL_AR-Nu_ZL8hbu1D-rZmdQQUaYZYm3AOUC
Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/e77e3c8..b865acd
Rolling v8/third_party/google_benchmark/src: https://chromium.googlesource.com/external/github.com/google/benchmark/+log/a2e8a8a..0852c79
Rolling v8/tools/luci-go: git_revision:1b257aacd4934e5a8b2508b240ffc7d866df9273..git_revision:fa78eb7ab25ca5d574c0741c8c1a02d6fd7ed66d
Rolling v8/tools/luci-go: git_revision:1b257aacd4934e5a8b2508b240ffc7d866df9273..git_revision:fa78eb7ab25ca5d574c0741c8c1a02d6fd7ed66d
Rolling v8/tools/luci-go: git_revision:1b257aacd4934e5a8b2508b240ffc7d866df9273..git_revision:fa78eb7ab25ca5d574c0741c8c1a02d6fd7ed66d

TBR=v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: Icb032950448a3f07fd039297f922e1159e2a87fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2881316
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74452}
-
- 07 May, 2021 23 commits
-
Lei Zhang authored
The line being modified currently causes a 32-bit build with MSVC to give out this warning:

C2397: conversion from 'int32_t' to 'v8::internal::byte' requires a narrowing conversion.

Avoid the warning by declaring `shift` as type byte to start with.

Change-Id: Ib11c8e24811bfc6fe076b845be140e86b7ca38c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2877949
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74451}
-
Zhi An Ng authored
This reverts commit 7458e67c.

Reason for revert: Crash on windows https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Win64%20-%20debug/37698/overview

Original change's description:
> cppgc: Implement basic Member and Persistent checks
>
> Adds check for
> - same heap on assignment
> - header and containment
>
> The verification state is eagerly created for on-heap Member
> references using caged heap and lazily created on first assignment for
> all others.
>
> Bug: chromium:1056170
> Change-Id: I38ee18eeb7ac489f69a46670cc5e5abe07f62dfa
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878745
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74449}

Bug: chromium:1056170
Change-Id: I466522a7d879560c99dabbd96c3b097894743a87
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2880149
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74450}
-
Michael Lippautz authored
Adds check for
- same heap on assignment
- header and containment

The verification state is eagerly created for on-heap Member references using caged heap and lazily created on first assignment for all others.

Bug: chromium:1056170
Change-Id: I38ee18eeb7ac489f69a46670cc5e5abe07f62dfa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878745
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74449}
-
Shu-yu Guo authored
This is a reland of 6c65e858

Changes since revert:
- Add --disable-shared-ro-heap-for-testing flag that is implied by d8's --stress-snapshot, since RO heap sharing currently does not support deserializing/serializing while original Isolate is still running
- Add BUILD.gn assert that v8_enable_pointer_compression_shared_cage requires x64 or arm64

Original change's description:
> [ptr-cage] Turn on shared pointer cage by default for arm64 and x64
>
> Bug: v8:11460
> Change-Id: I9ab419b5e90fbe677e1d63b41699d90552839e98
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2873226
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74422}

Bug: v8:11460
Change-Id: I7eb189b7f8ac3e30da96b0dadd2c085f08a1a0b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878855
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74448}
-
Shu-yu Guo authored
Bug: v8:11460
Change-Id: Ie79e223f2ba49c9df816464760b0a8e5397e2841
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2876072
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74447}
-
Ulan Degenbaev authored
The function will be used to implement the web memory measurement API. This adds an |allocated_bytes_at_last_gc| counter to each normal page. The counter is updated by the sweeper.

Bug: chromium:1181269
Change-Id: If6612de06f373a839fce986c71ba3dfde4d9c9c2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2880534
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74446}
-
Ross McIlroy authored
The ScheduleEarly phase of the scheduler initializes the minimum_block values which are only required for loop hoisting. If there are no loops, running this step is unnecessary overhead.

BUG=v8:9684

Change-Id: Iba181fd55ecd634c05d3f8eb4282bd0be3141c21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2880538
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74445}
-
Clemens Backes authored
cpplint rules change over time, and we change the exact rules we enable for v8. This CL removes NOLINT annotations which are not needed according to the currently enabled rules.

R=ahaas@chromium.org

Bug: v8:11717
Change-Id: I26e5a247bcca6c9638b97b220bc08098c5d7ce07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2862780
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74444}
-
Nico Hartmann authored
This is the 1st CL in a series of CLs with the goal to significantly reduce the number of includes in torque-generated files to reduce the build time of Torque's output.

So far, all torque-generated builtins included all (197) other builtins generated by Torque. This CL adds tracking of definition locations to Torque's ImplementationVisitor that enables it to only include those builtins that are actually needed for compilation. This change reduces the number of includes for the majority of builtins by 150-180 files.

Bug: v8:11528
Change-Id: Id6f6dd60c9c0f197d14998e580f0fa5fbd60f194
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2876859
Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74443}
-
Georg Neis authored
It was using MakeRef but it's not guaranteed that we can create a Ref for the prototype if we haven't seen it during serialization. Use TryMakeRef instead.

Tbr: jgruber@chromium.org
Bug: chromium:1206670, v8:7790
Change-Id: Ifc00cb1dbf7747c766011f5915bb15fe093b920c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878749
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74442}
-
arthursonzogni authored
This relands patch: https://chromium-review.googlesource.com/c/v8/v8/+/2867473 (See patchset 1)

The problem was blink injecting interceptor into the window object. It observes "observation" and "mutations" on this object. When it happens to the initial empty document, the IPC DidAccessInitialDocument() is sent and modifies the state of the browser process, causing two tests to fail.

The diff (See patchset 1..2) includes:
1. Use JSObject::HasRealNamedProperty instead of JsObject::HasProperty. This skips the interceptor and does not walk the prototype chain.
2. Invert JSObject::HasRealNamedProperty() with IsSharedArrayBufferConstructorEnabled(), just in case. This avoids observing the object when not needed.

Original patch description:
---
This change makes it possible to enable SharedArrayBuffer per Context, controlling whether it should be enabled or not with a callback.

The previous implementation of the reverse origin trial for SharedArrayBuffer was broken, since the feature could only be enabled globally per process, and only if the feature flag is set early enough in the v8 initialization. This does not play well with how origin trials work.

The implementation is similar to the callbacks that already exist for the origin trials for WebAssembly simd and exceptions.

SharedArrayBuffer is still controlled by the flag harmony_sharedarraybuffer. If that flag is disabled, then SharedArrayBuffer is disabled unconditionally. On top of that, this CL introduces a new flag for enabling SharedArrayBuffer per context. If that flag is set, a callback is used to determine whether SharedArrayBuffer should be enabled.

Note that this only controls whether the SharedArrayBuffer constructor should be exposed on the global object or not. It is always possible to construct a SharedArrayBuffer using new WebAssembly.Memory({ shared:true, initial:0, maximum:0 }).buffer.constructor;

There are a few things which I do not like about this approach, but I did not have better ideas:
1. The complex logic of double flag + callback. However, this seemed the best way to me to not break embedders which rely on that flag being enabled by default.
2. The fact that what actually matters is just whether the callback returns `true` once. It would be good to check that the callback gives a consistent return value, or to provide a better API that cannot be misunderstood.

Bug: chromium:923807,chromium:1071424,chromium:1138860
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2867473
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74378}
---

Bug: chromium:923807,chromium:1071424,chromium:1138860,chromium:1206187
Change-Id: Ibc6b4f8c0e0827178b7f0cbe4b942444bbbe6216
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2880215
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74441}
-
Jakob Kummerow authored
Hopefully making it easier to determine the problem when a dynamically-sized object type allows too small sizes.

Change-Id: Iac33c501da6349e02f570fe8c9092758cd9d59a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874654
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74440}
-
Milad Fa authored
Using xxbrq we can reverse the order of indices in a single instruction. xxbrq is also implemented in the simulator in this CL.

Change-Id: I4744cefeec0a4e07b41fcb0d35de08ad42e55883
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878573
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#74439}
-
Michael Lippautz authored
Bug: chromium:1056170
Change-Id: Ifa1f8d4c1b1003e9d33f1c9b42e6647388c56d01
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878746
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74438}
-
Sigurd Schneider authored
Our current logic for the console API's monitor implementation relies on JavaScript's arguments array. In arrow functions, this results in an error, resulting in missing print statements from monitor. This CL at least re-enables the print statements, but does not print the arguments in the case of arrow functions.

Change-Id: Ibf6c2a0fb5e0cc911c257520a59a875992fe3777
Bug: chromium:1206137
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2880216
Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74437}
-
Jakob Kummerow authored
Structs with zero fields weren't handled correctly, because the GC has a requirement that each object occupies at least two pointers. On the high end, Wasm structs accidentally had a limit of 255 pointers including object header. This CL bumps that to the intended limit of 999 fields (which is arbitrary and could be raised if needed).

Bug: v8:7748
Change-Id: I13a3f45b3ddb28023c76775da32be0d07ec2ffd0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874653
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74436}
-
Daniel Lehmann authored
To enforce W^X for the WebAssembly code space, we want to explore using Intel memory protection keys for userspace, also known as MPK, PKEYs, or PKU. Instead of flipping page protection flags with mprotect (which incurs a high syscall overhead; and which switches flags for the whole process), with PKU we associate a key with each page once and then change the permissions of that key with a fast thread-local register write. That is, this gives both fine-grained permissions (per-thread) and more performance.

This CL starts experimenting with PKUs by (1) adding a flag to turn on prototype PKU support; and if set to true (2) allocates a protection key once per {WasmCodeManager} on x64 Linux systems.

This is a partial reland of https://crrev.com/c/2850932, which was reverted due to an added histogram failing Chromium integration. Since the histogram (to record PKU support) is independent of the functionality in this CL, we split it out into its own CL (to come).

R=clemensb@chromium.org
CC=jkummerow@chromium.org

Bug: v8:11714
Change-Id: I67c8679495c55fa51da8243582963649abde660b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878738
Commit-Queue: Daniel Lehmann <dlehmann@google.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74435}
-
Jochen Eisinger authored
Bug: chromium:728583
Change-Id: Ie7a46ff884ae9474d342c50e5c6cdcf5c0c0e46a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874397
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74434}
-
Victor Gomes authored
This is a reland of b271648e

Unfortunately the test can still throw a fatal error, since there are other possible paths for OOM.

Original change's description:
> [runtime] Add length check in ConvertElementsWithCapacity
>
> This also propagates the exception through all the users of
> ConvertElementsWithCapacity.
>
> Bug: chromium:1201626
> Change-Id: Ie44ba4327a4c3a20f1376477f45d3cd95d0da3b3
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2857961
> Commit-Queue: Victor Gomes <victorgomes@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74412}

Bug: chromium:1201626
Change-Id: I164ca1aca21ad6f45ccf8893fb07a47cd5ed079a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2877833
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74433}
-
Clemens Backes authored
'override' implies 'virtual', thus 'virtual' should be skipped.

R=mlippautz@chromium.org

Bug: v8:11717
Change-Id: If5e9c2aeec85fcf0832f9712b6e09752c4d2c2d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878737
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74432}
-
Michael Lippautz authored
The application may itself change ASAN poisoning which conflicts with the memset() right before poisoning memory. This is relevant for destructors but also when invoking Resize() on an object that uses ASAN container annotations. Annotations are hard to adjust for the embedder as it is not clear upfront whether the call will succeed.

Bug: chromium:1056170
Change-Id: I7f719e4130ba6149494a45f220a341658970bc6f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878733
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74431}
-
Dominik Inführ authored
The DCHECK seems to fail with MSVC on x86 builds. This CL disables this DCHECK when map packing isn't enabled until we have a proper fix.

Bug: v8:11748, v8:11624
Change-Id: Iec98d161c5cd2b6a910c29287b54c8e3de017e83
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2878735
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74430}
-
Dominik Inführ authored
This CL changes the accounting of array buffers, such that Detach deducts the backing store immediately. Previously this was corrected in the next GC cycle.

Not updating backing_store_bytes_ immediately could cause an overflow in WasmMemoryObject::Grow. Grow first detaches the backing store from the old JSArrayBuffer and then attaches it to a new one. This results in the backing store being accounted twice temporarily, which could cause overflows on 32-bit systems.

Bug: chromium:1204455
Change-Id: I7cf2ca9a12bb5caf7bcffa25a34567774cf155b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2871458
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74429}