See details at https://groups.google.com/g/v8-dev/c/H3YXXKoauLI

Change-Id: Ibe255e95bfd1d09a115eb04d6cbfcca7a671d900
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3756729Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Jianxiao Lu <jianxiao.lu@intel.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81709}

Implements an initial prototype of the Wasm Trace proposal. A custom
section containing offsets to functions is decoded into trace
instructions that are inserted into the function. In Liftoff, these
are directly inserted. In TurboFan, these are added as StackEffect's,
this is a work in progress.

Traces will only be decoded and added when a flag is given to V8,
currently "--experimental-wasm-instruction-tracing". If a trace is ever
not valid or an error occurs, it is safe to just throw them away.

Code Metadata Tool Convention:
https://github.com/WebAssembly/tool-conventions/blob/main/CodeMetadata.md

Design Doc:
https://docs.google.com/document/d/1739a_LXbavBnek7pa0uqhHOCz8IJ56mn2C2Yvbssvkg/edit?usp=sharing

Wasm Trace Proposal:
https://github.com/WebAssembly/instrument-tracing

Bug: chromium:1090122, chromium:1252113
Change-Id: Id4690d8deca482ff0e863761668ffabca159bd29
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3386604
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81699}

This is a reland of commit 1ed7d0b8.
Fixes:
- https://crrev.com/c/3745533
- https://crrev.com/c/3758064
- https://crrev.com/c/3757709

Original change's description:
> [flags] Enable freezing of flags
>
> This enables the --freeze-flags-after-init flag globally. Note that
> tests, fuzzers, Node and other still explicitly disable the flag. The
> chrome renderer process and default d8 execution will have it enabled
> though.
>
> R=cbruni@chromium.org
>
> Bug: v8:12887
> Change-Id: I9a15ef64227e5e6e04779d8d671a2c50d99c9097
> Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695264
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81214}

Bug: v8:12887
Change-Id: Ibacb7b738a91f9a893a35a7b845ce4a6ff7bae3f
Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3758224
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81685}

... in order to prepare for smoother rollout via the finch flag.

Bug: v8:12054, chromium:1343515
Change-Id: I24f51b73daa35c8de6967e8eb088dd3bee95fc4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3755120Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81659}

Bug: v8:11111
Change-Id: I4e96e5440b7cfc61758a595dfdcf534c00a24358
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3755109Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81637}

This reverts commit d34170f2.

Reason for revert: "The (hopefully) last issue in chromium is fixed"
  Narrator: It wasn't -- https://ci.chromium.org/ui/p/chromium/builders/try/cast_shell_linux/1260757/overview

Original change's description:
> Reland "[flags] Enable freezing of flags"
>
> This is a reland of commit 1ed7d0b8.
> The (hopefully) last issue in chromium is fixed in https://crrev.com/c/3745533.
>
> Original change's description:
> > [flags] Enable freezing of flags
> >
> > This enables the --freeze-flags-after-init flag globally. Note that
> > tests, fuzzers, Node and other still explicitly disable the flag. The
> > chrome renderer process and default d8 execution will have it enabled
> > though.
> >
> > R=cbruni@chromium.org
> >
> > Bug: v8:12887
> > Change-Id: I9a15ef64227e5e6e04779d8d671a2c50d99c9097
> > Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695264
> > Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> > Commit-Queue: Clemens Backes <clemensb@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#81214}
>
> Bug: v8:12887
> Change-Id: I6445c04abc55242d6e2f204d45ec9ce22c6ece34
> Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707284
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81603}

No-try: true
Bug: v8:12887
Change-Id: I73e0a52974a2730386e805b7de98de8d87e2d208
Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3749584
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81621}

It is currently incorrect and causing issues, put it behind a flag so
that we can fix these issues while working on the rest of maglev in
parallel.

Bug: v8:7700
Change-Id: Idab7056db1236366410c30c06473016842aee5ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3748659
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81612}

This is a reland of commit 1ed7d0b8.
The (hopefully) last issue in chromium is fixed in https://crrev.com/c/3745533.

Original change's description:
> [flags] Enable freezing of flags
>
> This enables the --freeze-flags-after-init flag globally. Note that
> tests, fuzzers, Node and other still explicitly disable the flag. The
> chrome renderer process and default d8 execution will have it enabled
> though.
>
> R=cbruni@chromium.org
>
> Bug: v8:12887
> Change-Id: I9a15ef64227e5e6e04779d8d671a2c50d99c9097
> Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695264
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81214}

Bug: v8:12887
Change-Id: I6445c04abc55242d6e2f204d45ec9ce22c6ece34
Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707284Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81603}

Instead of just failing with a CHECK failure, do print the actual cycle.

Before:
# Check failed: iteration++ < 1000.

After:
# Cycle in flag implications:
--assert-types -> --no-concurrent-recompilation
--stress-concurrent-inlining -> --concurrent-recompilation

R=tebbi@chromium.org

Bug: chromium:1336577
Change-Id: I9707fbe19fbc3c27b54cf2ef7626a5f8825e8c60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707275
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81577}

Change-Id: Id10cfdb8f3a380eb1cd39be569e152b3ebe41b44
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3735166Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#81528}

This adds a new --experimental-value-unavailable flag, which is disabled
for now. When enabled the debugger reports values that are optimized out
by TurboFan and values of certain variables in Temporal Dead Zones (TDZ)
as unavailable. Internally we use a special `value_unavailable` accessor
info to represent these values, and on the debugger boundary we report
these properties with `value`, `get`, or `set`.

Doc: https://goo.gle/devtools-value-unavailable
Bug: chromium:1328681
Demo: devtools-dbg-stories.netlify.app/crbug-1328681-value-unavailable
Change-Id: Idb09a4a148335a950deae60f7c07caecc48826ba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3627510
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81509}

This is a necessary assumption for concurrent marking in MinorMC and
will simplify the code as it allows MinorMC to reuse the same marking
bitmap as full GCs.

Bug: v8:12612
Change-Id: I5e9be45c7d84320721ce7f7578dee1eb972d6f6a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3732933Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81465}

Change-Id: Ia09e8c4528e59116be39be12d688f5b99a34c8e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3732938Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81437}

This change is only to get the API in place; the newly added functions
don't yet do anything.

Bug: v8:12808
Change-Id: Ic6a697d4f62c2b61761b2545dae6fcdf37653bbf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3681880Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#81418}

This CL introduces a compile flag v8_enable_inner_pointer_resolution_mb.
Behind it, it introduces a method `FindBasePtr` in `MemoryChunk`, which
implements inner pointer resolution using the chunk's marking bitmap.
This method is intended to be used for conservative stack scanning, to
resolve inner pointers to heap objects, at some point late in the
marking phase.

It also delays stack scanning during the marking phase of a full GC, to
ensure that marking has proceeded and most heap objects have already
been marked.

Bug: v8:12851
Change-Id: I40e291a86bb8d2587a2c1d9505574dde3c65eb16
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3703837
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81404}

This CL introduces a compile flag v8_enable_inner_pointer_resolution_osb
behind which lies the experimental implementation of the object start
bitmap. It disassociates the object start bitmap from the compile flag
v8_enable_conservative_stack_scanning. At the moment the former flag is
a prerequisite for the latter, as conservative stack scanning requires
some mechanism for inner pointer resolution and the object start bitmap
provides one such mechanism.

Bug: v8:12851
Change-Id: I24c6b389453fbaefc79ae50c34c5ec7a1bf23347
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717322Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81295}

Initial implementation for concurrent shared arrays. Current implementation exposes a `SharedArray` constructor, but its syntax might
change in the future.

Shared arrays can be shared across Isolates, have a fixed size, have no
prototype, have no constructor, and can only store primitives, shared structs and other shared arrays. With this CL shared structs are also allowed to store shared arrays.

The Backing storage for the SharedArrays is a `FixedArrayBase`. This CL introdces a new ElementKind: `SHARED_ARRAY_ELEMENTS`. The new kind should match the overall functionality of the `PACKED_SEALED_ELEMENTS` kind, but having it as standalone kind allows for easier branching in CSA and turbofan code.

Bug: v8:12547
Change-Id: I054a04624d4cf1f37bc26ae4b92b6fe33408538a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3585353Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81285}

Creates a feature (flag): transition from Done -> Wait
schedules a timer after 30s instead of 8s.
In local benchmark, this reduces by 50% cpu time spent doing
incremental marking and sweeping.

Bug: chromium:1330940
Change-Id: Iff9121243b88d0ed87d0b921e285ece52a83eaa9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3696168
Commit-Queue: Etienne Pierre-Doray <etiennep@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81283}

Bug: chromium:1336516
Change-Id: I28a2b9d72e00a17792f80cf2a65312eeb47f165a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707290
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81223}

This reverts commit 1ed7d0b8.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux%20Future/13719/overview

Original change's description:
> [flags] Enable freezing of flags
>
> This enables the --freeze-flags-after-init flag globally. Note that
> tests, fuzzers, Node and other still explicitly disable the flag. The
> chrome renderer process and default d8 execution will have it enabled
> though.
>
> R=​cbruni@chromium.org
>
> Bug: v8:12887
> Change-Id: I9a15ef64227e5e6e04779d8d671a2c50d99c9097
> Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695264
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81214}

Bug: v8:12887
Change-Id: I63c45d4b026345d95a5de179600df960eae8ca0a
Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707280
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81218}

This enables the --freeze-flags-after-init flag globally. Note that
tests, fuzzers, Node and other still explicitly disable the flag. The
chrome renderer process and default d8 execution will have it enabled
though.

R=cbruni@chromium.org

Bug: v8:12887
Change-Id: I9a15ef64227e5e6e04779d8d671a2c50d99c9097
Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695264Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81214}

Stage 3 proposal

flag --harmony-intl-number-format-v3

Spec: https://github.com/tc39/proposal-intl-numberformat-v3
R2T: https://groups.google.com/a/chromium.org/g/blink-dev/c/vy6rCuh3r_0/m/1Q2FHx9hBAAJ
Design Doc: https://docs.google.com/document/d/19jAogPBb6W4Samt8NWGZKu47iv0_KoQhBvLgQH3xvr8/edit
https://docs.google.com/document/d/14zxGub6Os6nARzH6XstOZX05w2537sZo_ZSSlGjGpBM/edit#heading=h.86ckkob9p59r
https://chromestatus.com/feature/5707621009981440

Bug: v8:10776
Change-Id: I81d0385b09c283628c7c36096d26e07a817888a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3703471Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81198}

Bug: chromium:1052746
Change-Id: If5c7b9871047ea27a76efa4f04c9e6c0ea48b6ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3705381
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81154}

The native module cache makes it difficult to test deserialization,
because the native module just gets loaded from the cache instead of
deserializing the serialized module. This CL adds a new flag,
--wasm-native-module-cache-enabled, to control whether the native module
cache is enabled or not. The cache gets disabled by handling all modules
like asm.js modules when the cache gets disabled, as the cache is not
used for asm.js.

The name of the flag is positive (i.e.
`enabled` instead of `disabled`) to avoid double negation. The flag is
true by default, and set to false in tests.

R=thibaudm@chromium.org
CC=clemensb@chromium.org

Bug: v8:12964
Change-Id: If2b96a95ccf37f2eb8a868ad1661c3325c1048f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3703836
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81132}

Add a new --wasm-max-module-size flag to replace the unused and more
specific --experimental-wasm-allow-huge-modules flag.
The new flag can be used in fuzzers to reduce the maximum allowed module
size, avoiding OOM on some systems (like 32-bit ASan builds).

R=ahaas@chromium.org

Bug: chromium:1334577
Change-Id: I2830d407c5b01be21a47b21392c1210061c40b20
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695267Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81102}

This CL extends the live edit mechanism to allow editing the function
that is currently on top of the stack, as long as that call frame is
the only activation of that  function.

The CL changes how we look for functions on the current JS stack:
Instead of starting at thread_local_top we start at the frame we
are currently paused in. This is possible since there can not be any
JavaScript frames above the current "break frame", only C++ frames
which are not relevant for live edit.

If the edited script modifes the top-most function, the inspector
will trigger a restart of that call frame. That is why we check
if we can actually restart the function and only allow the live
edit to go through if that is the case.

Note that this CL also adds a kill switch in the form of a runtime
flag for this feature, in case we need to pull the plug and disable
this feature again via back-merge.

R=jarin@chromium.org

Bug: chromium:1334484
Change-Id: I711913df96c8acc786ad4de28de804d2f90e1847
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695353Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81097}

After flags are frozen, this will not work any more. It's also not
required, as flags cannot be accessed after teardown anyway.
This CL changes that to only release the memory of dynamically allocated
string flags, which is something we still need to do after
write-protecting the flags anyway.

R=tebbi@chromium.org

Bug: v8:12887
Change-Id: Iff0e3845cbd91fb59878b2ed36a44d6df00572f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695379Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81030}

The getters and setters were not using the correct types for the casts
of {valptr_} and {defptr_}. It was mostly fine though, because
{FlagValue<T>} just wraps a {T}, so accessing a {FlagValue<T>*} as a
{T*} just works.

This CL fixes the casts of {valptr_} to use proper {FlagValue<T>*}, and
changes the definition of the default values to use plain {T} instead of
{FlagValue<T>}.

R=tebbi@chromium.org

Bug: v8:12887
Change-Id: I3a38ba466df95a4c7b45e83fbd5d37c9a4785a13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695558Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81029}

This is a reland of commit abcb6bb8.
The data race is fixed by using atomic operations.

Original change's description:
> [heap] Avoid dynamic updates of FLAG_gc_interval
>
> Flags will be protected from updates after V8 initialization (in the
> future). This CL avoids any updates of the --gc-interval flag during
> runtime, and instead updates a static field on the HeapAllocator
> directly.
>
> R=mlippautz@chromium.org
>
> Bug: v8:12887
> Change-Id: I17a495cae50a46d59a8159c6ece1558d4d61b949
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3687691
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80998}

Bug: v8:12887
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng
Change-Id: Ib5b537500413a627d9b2509354d20906e0474d8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695380Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81008}

This reverts commit abcb6bb8.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20isolates/20029/overview

Original change's description:
> [heap] Avoid dynamic updates of FLAG_gc_interval
>
> Flags will be protected from updates after V8 initialization (in the
> future). This CL avoids any updates of the --gc-interval flag during
> runtime, and instead updates a static field on the HeapAllocator
> directly.
>
> R=​mlippautz@chromium.org
>
> Bug: v8:12887
> Change-Id: I17a495cae50a46d59a8159c6ece1558d4d61b949
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3687691
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80998}

Bug: v8:12887
Change-Id: I18310a3f515506d617f42be7a208013957625eaf
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695559Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Owners-Override: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81002}

Flags will be protected from updates after V8 initialization (in the
future). This CL avoids any updates of the --gc-interval flag during
runtime, and instead updates a static field on the HeapAllocator
directly.

R=mlippautz@chromium.org

Bug: v8:12887
Change-Id: I17a495cae50a46d59a8159c6ece1558d4d61b949
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3687691
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80998}

... by default when fast W^X is enabled.

Bug: v8:12054
Change-Id: I242567a07aa323127e5f7cdcbf3a1a7d5708b923
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688518
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80995}

https://crrev.com/c/3471854 already disabled the RecordWrite builtin
specifically for incremental marking. Since this didn't regress performance as expected, we can now remove those versions of the
builtin.

This will simplify the barrier implementation a bit, but is also
required for the shared heap write barrier. Unlike the generational barrier, the shared heap barrier can't be elided for map values.

Bug: v8:11708
Change-Id: I44bc6ee79006a5be8c1b593dee7fc30c3b9cfa85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3683341Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80966}

Extend the effect of --freeze-flags-after-init to also protect updates
of individual flags instead of only the API.
For this, we wrap each flag in a {FlagValue} class which implicitly
converts to the value of the flag. Some cases still require the explicit
{value()} accessor though. That accessor is {constexpr}, in contrast to
the implicit conversion, because otherwise clang emits a lot of warnings
about dead code within "if (FLAG...)" scopes.

R=cbruni@chromium.org

Bug: v8:12887
Change-Id: I87d3457e49ceb317d34d6a21cf09c520d4171eb5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3683321Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80938}

Use the existing {base::Optional} instead of the extra {MaybeBoolFlag}
struct. This makes writing to a maybe-flag simpler because you just
write a boolean value and that automatically initializes the optional.

R=cbruni@chromium.org

Bug: v8:12887
Change-Id: I940d20286d65ba4355dc04b4b6068a306706f295
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3686412Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80915}

This adds a new flag to freeze all flag values after initializing V8.
For now, the only effect is that future calls to {SetFlagsFromString},
{SetFlagsFromCommandLine} or {EnforceFlagImplications} will fail.
In the future (once tests and embedders are fixed to not change flags
after initialization) we plan to actually protect flag values via memory
protection.

R=cbruni@chromium.org

Bug: v8:12887
Change-Id: I7974bb9b86715694122f788e08952f7dcc3acdbd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3679099
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80914}

We introduce a typing phase into the Turbofan compilation pipeline for
wasm-gc. It has two functionalities: (1) to type nodes that were not
typed during code generation (mainly phi nodes) and (2) to narrow types
as much as possible.
The following nodes are handled, which should be enough for our
purposes: TypeGuard, WasmTypeCast, AssertNotNull, Phi, LoadFromObject,
and LoadImmutableFromObject.
Loop phi types are computed by first assigning the type of the
non-recursive input, and updating once we have the type of the recursive
inputs, and repeating this process to a fixed point.

Drive-by: Remove the narrowing of function signatures during wasm
inlining, as it created some issues and should not be needed after this
series of changes.

Bug: v8:7748
Change-Id: I8a72488d5c221c4ae8257fc5abf6f0368cf10e96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3678208
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80912}

MinorMC only used a single color (grey) while the full MC used 2 colors
(grey and black). Update MinorMC to use black as well. This aligns and
brings full MC and MinorMC closer, and allows to reuse more of the
existing sweeping infrastructure for the non-moving MinorMC.

Bug: v8:12612
Change-Id: Ifa740537c4587dc197196e41829ea74a312b79d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3683320Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80894}

This reverts commit df73fd60.

Reason for revert: Reverting before branch

Original change's description:
> Reland "[rab/gsab] Temporarily stage --harmony-rab-gsab to enable fuzzing"
>
> This reverts commit 24286b8e.
>
> Reason for revert: Re-staging the experimental flag for fuzzing
>
> Original change's description:
> > Revert "[rab/gsab] Temporarily stage --harmony-rab-gsab to enable fuzzing"
> >
> > This reverts commit b8f88be0.
> >
> > Reason: disabling an experimental feature in release branch
> >
> > Bug: v8:11111,v8:12870
> > Change-Id: I6fbd6bdb318c0d25e69c04db208a0d5f2b9ebbd7
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647357
> > Auto-Submit: Marja Hölttä <marja@chromium.org>
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#80520}
>
> Bug: v8:11111,v8:12870
> Change-Id: I0a45ed5ce53010196949dda23773d152aa605846
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647836
> Commit-Queue: Marja Hölttä <marja@chromium.org>
> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
> Cr-Commit-Position: refs/heads/main@{#80576}

Bug: v8:11111,v8:12870
Change-Id: Ib32c1ba464dde7a5c8cc16f32680bad144bb4304
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3683358Reviewed-by: Lutz Vahl <vahl@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80888}

Get some test coverage before restarting the map space compaction finch
again. This should test whether slots in invalidated objects are now
properly ignored when the invalidated object is dead.

Bug: v8:12578
Change-Id: I5b6f30b97c2db895183216ae5d5dbd4e5fa9d0c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3676855Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80814}