Bug: v8:12978
Change-Id: Ic8c73eafbd080714915268c8bcb9f2c30614b9b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711712
Auto-Submit: Adam Klein <adamk@chromium.org>
Reviewed-by: Frank Tang <ftang@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81288}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/7eec98d..3a562c9

Rolling v8/buildtools/linux64: git_revision:fcda46cf40422284f2e74b770da8b22f7f5d7006..git_revision:8883070fe77f9b484818e73e5892c08ca8a0fe7f

Rolling v8/buildtools/third_party/libc++abi/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxabi/+log/2dba7d2..92ef8d4

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/9a3c4bc..39e4055

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/f0cfef3..f575df1

Rolling v8/tools/luci-go: git_revision:df39938896c4603fb2a214a2430450a85d9cca81..git_revision:5d9b6ecf87cdfb928e1112d2838d26bc7ede2b48

Rolling v8/tools/luci-go: git_revision:df39938896c4603fb2a214a2430450a85d9cca81..git_revision:5d9b6ecf87cdfb928e1112d2838d26bc7ede2b48

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I53ed1615267c094189506a11ee7cd693fb27a59a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717722
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81287}

ICU 71 added new enum value UNUM_APPROXIMATELY_SIGN_FIELD
need to map to "approximatelySign"

We also discover a spec bug in
https://github.com/tc39/proposal-intl-numberformat-v3/issues/99

All the parts of formatRangeToParts should have a source "shared" for
the case that start and end are the same or very close.

Bug: chromium:1336865
Change-Id: I89142479989d3d2017d8cb89194db737710c38ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3717278Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81286}

Initial implementation for concurrent shared arrays. Current implementation exposes a `SharedArray` constructor, but its syntax might
change in the future.

Shared arrays can be shared across Isolates, have a fixed size, have no
prototype, have no constructor, and can only store primitives, shared structs and other shared arrays. With this CL shared structs are also allowed to store shared arrays.

The Backing storage for the SharedArrays is a `FixedArrayBase`. This CL introdces a new ElementKind: `SHARED_ARRAY_ELEMENTS`. The new kind should match the overall functionality of the `PACKED_SEALED_ELEMENTS` kind, but having it as standalone kind allows for easier branching in CSA and turbofan code.

Bug: v8:12547
Change-Id: I054a04624d4cf1f37bc26ae4b92b6fe33408538a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3585353Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81285}

Rolling v8/third_party/icu: https://chromium.googlesource.com/chromium/deps/icu/+log/1658259..1da9170

Add "delimiters" resources needed by ulocdata_getDelimiter (Frank Tang)
https://chromium.googlesource.com/chromium/deps/icu/+/1da9170

Cherry-Pick PR2085 to fix numbering system resolution in NumberRangeFormatter (Frank Tang)
https://chromium.googlesource.com/chromium/deps/icu/+/6fff4cf

Cherry-Pick PR2096 to fix TimeZone name (Frank Tang)
https://chromium.googlesource.com/chromium/deps/icu/+/12de966

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com,ftang@chromium.org

Change-Id: Iaf6a2c2f1557331efbd17127a75925ebee829ca5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714902Reviewed-by: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81284}

Creates a feature (flag): transition from Done -> Wait
schedules a timer after 30s instead of 8s.
In local benchmark, this reduces by 50% cpu time spent doing
incremental marking and sweeping.

Bug: chromium:1330940
Change-Id: Iff9121243b88d0ed87d0b921e285ece52a83eaa9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3696168
Commit-Queue: Etienne Pierre-Doray <etiennep@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81283}

Bug: v8:12986
Change-Id: I5aa8dbc7f387856cc017ac9fd72ff57bc1d44af9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716469Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81282}

This is a reland of commit 15f372af

Change since revert: TSan fix for tier-up budget reset.

Original change's description:
> [wasm] Fix tier-up budget tracking for recursive calls
>
> In the previous implementation, functions overwrote any budget
> decrements caused by recursive invocations of themselves, which
> could cause tier-up decisions for certain unlucky functions to
> get delayed unreasonably long.
> This patch avoids this by working with the on-instance value
> directly instead of caching it in a stack slot. That generates
> the same amount of Liftoff code as the status quo, but handles
> recursive functions properly.
> The "barista3" benchmark's peak performance improves by almost 20%.
>
> Bug: v8:12281
> Change-Id: I8b487a88da99c2d22e132f2cc72bdf36aa5f6e63
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693710
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81249}

Bug: v8:12281,v8:12984
Change-Id: Ia6ce776848dc86617546ec514660c9a840484cb1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716479Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81281}

This merges the separate opcode name definitions from wasm-opcodes-inl.h
into the main opcode-defining macros in wasm-opcodes.h. This is simpler
(avoids a bunch of fairly complex macros) and easier to update when we
add new opcodes in the future.
The tests become obsolete because they would simply repeat the implementation.

Change-Id: Ib6421da5670079e7725659c1f4008251f8ff7aed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714244
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81280}

The tier-up check in any backwards jumps in a br_table list cause the
instance to get cached if it wasn't cached before. When the branch is
not taken, we must not rely on this caching to have happened.
This is a variant of crbug.com/1314184.

Fixed: chromium:1338075
Change-Id: Id511e98f29ec13f0a38b5595ceb4a607c58b92a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716478
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81279}

This is likely just an issue in non-PGO builds, but it might skew
the results locally. JetStream2 seems to profit from this CL.

Change-Id: Id70030074dbabf2669fd42fb5fd9399e8692bed6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716475
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81278}

This is a reland of commit 5b9401dd

Now also skip tests that require large amounts of virtual address space
if tsan is enabled as tsan may cause V8 to create a smaller sandbox
which is then unable to allocate the required amount of memory.

Original change's description:
> [sandbox] Also enable the sandbox outside of Chromium builds
>
> Drive-by: include the right header in sandboxed-pointer-inl.h and fix
> missing sandbox initialization in generate-bytecode-expectations.cc.
>
> Bug: v8:10391
> Change-Id: Ic39ba04b7c98eaa58ea3943189c23b297f581f5a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630082
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81216}

Bug: v8:10391
Change-Id: I141080fdf61a77ef48b22e353e3cfbc1ff816e5a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716474Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81277}

When picking an arbitrary register for an input, prefer picking a
register that's already used as input. If there's no such register,
block the newly picked register.

Bug: v8:7700
Change-Id: I5926ae33482aa615060fef3500c1d2d6079090a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716476
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81276}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/37b3bee..7eec98d

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/9ccf839..f0cfef3

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: Ie2cc0a1d0d801774ff76d377f5caf752ae17ab0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716545
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81275}

The spec uses "v128" (not "s128") as the vector type name.
Some conversion instructions have more specific names that we used to
print, e.g. "i32x4.trunc_sat_f32x4_s" instead of "...convert...".

Bug: v8:8460
Change-Id: I4e06f452de6ce8b06670a8c5e53142c36d5e6010
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3704497
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81274}

- block regs that already contained the value
- clear the blocklists (including double) in more places
- check that a ForceAllocated reg isn't blocked yet (when allocated
  at start)

Bug: v8:7700
Change-Id: I17b58ff23e0558f962a5d798a39ebb7d9b0ae634
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716470Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81273}

This is a reland of commit 066d0233

Original change's description:
> Reland "[turbofan] Support additional operators in SLVerifier"
>
> This is a reland of commit dec4bb06
>
> Original change's description:
> > [turbofan] Support additional operators in SLVerifier
> >
> > This CL extends SimplifiedLoweringVerifier by a few additional operators.
> >
> > It fixes the missing type on a LoadElement node generated during
> > js-typed-lowering, that was detected by the verifier.
> >
> > Bug: v8:12619
> > Change-Id: I14e3ece15f6a90e6906c140696dcd2e6b74a2527
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3557510
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#80014}
>
> Bug: v8:12619
> Change-Id: If3cb6efe2005c41118f37b39b0209195b3e63a38
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3702330
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81125}

Bug: v8:12619
Change-Id: I58f88cff4b2eb20130be79a207995b63ff44ac2a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714232
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81272}

Previously it was implemented in api.cc, therefore requiring an additional
function call when accessing external pointer fields from embedder code with
the sandbox enabled. Now ReadExternalPointerField can be inlined.

Bug: v8:10391
Change-Id: Ia8cb2df148ac96f979fd3e22989b0ff6177abcec
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714245Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81271}

We factor out the path-state part of branch elimination, to reuse it for
wasm path-based type optimizations. The node state becomes a template
parameter for the {ControlPathState} and
{AdvancedReducerWithControlPathState} classes.

Change-Id: I5e9811ced0b71140ec73ba26fae358ac7d56c982
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714238Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81270}

Port commit b84c7dbd

Bug: chromium:1337221
Change-Id: I5f64995df3e0660740ef3915625373e1f147bc70
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3715957
Auto-Submit: Liu Yu <liuyu@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#81269}

By maintaining a separate list of registers that can't be freed we can
keep track of decisions already made for a node, and avoid creating
conflicts. This can be used to avoid freeing fixed input/temporary
requirements or other assigned registers.

Bug: v8:7700
Change-Id: I3c24e0502e66714cf5f68374811741bc9f5e8b21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714242Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81268}

This reverts commit 15f372af.

Reason for revert: https://crbug.com/v8/12984

Original change's description:
> [wasm] Fix tier-up budget tracking for recursive calls
>
> In the previous implementation, functions overwrote any budget
> decrements caused by recursive invocations of themselves, which
> could cause tier-up decisions for certain unlucky functions to
> get delayed unreasonably long.
> This patch avoids this by working with the on-instance value
> directly instead of caching it in a stack slot. That generates
> the same amount of Liftoff code as the status quo, but handles
> recursive functions properly.
> The "barista3" benchmark's peak performance improves by almost 20%.
>
> Bug: v8:12281
> Change-Id: I8b487a88da99c2d22e132f2cc72bdf36aa5f6e63
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693710
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81249}

Bug: v8:12281, v8:12984
Change-Id: Ie254236785628c07ac569de16ea82a67ed5bd221
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714247
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Owners-Override: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81267}

Maintaining an AST class just for testing constant exressions does not
seem justified. This CL changes constant expressions in mjsunit tests
to be represented with bytes, like regular expressions.

Change-Id: If5ec5f4d863176952442b1a7e2fec8a61e385971
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714237Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81266}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/ced5024..37b3bee

Rolling v8/buildtools/linux64: git_revision:e62d4e1938a45babc9afb6db543f388cd1802a52..git_revision:fcda46cf40422284f2e74b770da8b22f7f5d7006

Rolling v8/buildtools/third_party/libunwind/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libunwind/+log/1644d07..b387062

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/b83d69f..4ea19a6

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/f68dc6b..9ccf839

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: If9fc5d9bed6d9ad51f726b2395fe88501835154b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714901
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81265}

- Added parsing Turboshaft JSON output
- Refactored node.ts, edge.ts, node-label.ts, turbo-visualizer.ts, tabs.ts

P.S.: graph-phase.ts will be moved to graph-phase folder in the next CL

Bug: v8:7327
Change-Id: Ida854307392a2d513c36f86869ea00cadcf3667c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3706603
Commit-Queue: Danylo Boiko <danielboyko02@gmail.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81264}

Rolling v8/third_party/google_benchmark/src: https://chromium.googlesource.com/external/github.com/google/benchmark/+log/2365c4a..b7afda2

Revert "Add possibility to ask for libbenchmark version number (#1004) (#1403)" (#1417) (Dominic Hamon)
https://chromium.googlesource.com/external/github.com/google/benchmark/+/b7afda2

Clarify that the cpu frequency is not used for benchmark timings. (#1414) (Dominic Hamon)
https://chromium.googlesource.com/external/github.com/google/benchmark/+/af7de86

Fix DoNotOptimize() GCC copy overhead (#1340) (#1410) (Alexander Popov)
https://chromium.googlesource.com/external/github.com/google/benchmark/+/8545dfb

Add possibility to ask for libbenchmark version number (#1004) (#1403) (Matthias Donaubauer)
https://chromium.googlesource.com/external/github.com/google/benchmark/+/efadf67

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com,mlippautz@chromium.org

Change-Id: I4bced8816a42abb8cd4d95761c93e51b2611b727
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714903
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81263}

This is a temporary change to get more detailed crash reports for
further investigations.

Bug: chromium:1330861
Change-Id: Ifdd8d61692577dffd54d07fadb65575a5c30dcd3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707592Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81262}

This CL removes the the usage of custom byte reversing functions from
the simulator and uses the one provided by V8 utils under:
```
src/utils/utils.h
```

Change-Id: I9a334a10d659b8a3315c34563eb3e6f84644a9e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714898
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/main@{#81261}

Port commit b84c7dbd

Change-Id: I80ac3498e6cd21fffeb3988fa7341668e59593f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716150
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#81260}

Bug: v8:11525
Change-Id: I227f0bb852e56551ec0333db52061842664c47c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3706963
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81259}

Before we assumed that no exception can be thrown when specifying a
function to be used as an async hook, but that's not the case when e.g.
the object passed to createHook is a proxy trapping on property access
and the trap throws an exception.

Bug: chromium:1337629
Change-Id: I7bd7893cd274afb6e642ed18aacb9e203f7fdd96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714233
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81258}

Change-Id: Ia651b26af419a2187217b8b0f2941ff61a17d247
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3712913
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#81257}

This reverts commit 5b9401dd.

Reason for revert: A few memory tests flake on tsan (e.g. https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20isolates/20190/overview)

Original change's description:
> [sandbox] Also enable the sandbox outside of Chromium builds
>
> Drive-by: include the right header in sandboxed-pointer-inl.h and fix
> missing sandbox initialization in generate-bytecode-expectations.cc.
>
> Bug: v8:10391
> Change-Id: Ic39ba04b7c98eaa58ea3943189c23b297f581f5a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630082
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81216}

Bug: v8:10391
Change-Id: I22560a6bdcffbf71651f655bdf7d183d5c832620
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714239
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81256}

PopToModifiableRegister did not check the {pinned} list, so it could
return a register which was already used for another (temporary) value.
This CL fixes that, and adds a little optimization which gives more
freedom to the choice of spilling and has a chance to avoid a register
mode.

R=jkummerow@chromium.org

Bug: chromium:1337221
Change-Id: Ifc02321038713ff03e8f8e7db78dde33f70ec847
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707287Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81255}

Previously, when embedders attempted to create ArrayBuffers backed by
memory outside the sandbox, V8 would simply crash with a failed CHECK
when converting the raw backing store pointer into a SandboxedPointer.
The new ApiCheck now provides a better error message in that case.

Bug: chromium:1218005
Change-Id: I7a1ad8cbf07fa346b1f09521850df9b18b428427
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711882Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81254}

The original CL used Object::Set to create the result object of
WebAssembly instantiation. However, Object::Set is potentially
observable from JavaScript, and therefore required a MicrotasksScope.
This CL replaces the use of Object::Set with Object::CreateDataProperty.

Original message:

This CL switches resolving and rejecting the wasm result promise from
the V8-internal API to the external API added in
https://chromium-review.googlesource.com/c/v8/v8/+/3695584.

This CL can land once Chrome provided an implementation of the callback.

R=jkummerow@chromium.org

Bug: v8:12953
Change-Id: If1f252736fd3a13024d4b38adebf468530c59c03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714234Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81253}

  * Move fixed temporary allocation before arbitrary input allocation,
    so that fixed temporaries don't accidentally clobber the arbitrary
    input register. Now the input allocation will pick a different
    register.
  * For the above, make temporary allocation 'block' the register with a
    sentinel value, rather than marking it free, so that the subsequent
    input allocation knows not to use those registers (including
    spilling into them).
  * Similarly, move arbitrary input allocation after phi resolution when
    allocating control nodes, since phis may have fixed requirements.
  * Allow deopts to spill their inputs if they are not in registers and
    not yet loadable. This is done during the equivalent of input
    allocation for deopts.
  * Allow there to be multiple targets for a single source during gap
    move collection / cycle detection. There can still only be a single
    source per target, therefore there can only be one cycle for each
    connected component -- this is DCHECKed.
  * Make register validation more complete -- also walk the entire
    graph, and check whether value nodes' result register states match
    the current register allocator state.
  * Add much more printing to --trace-maglev-regalloc because these bugs
    ain't easy to debug.

Bug: v8:7700
Change-Id: Id98259c2920d772ce168bf27497162e78b136f9f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3714235
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81252}

This bug may lead to gc_stats tracing doesn't stop after chrome://tracing stop as expected.

Change-Id: Ibc2ece4c0ad536a99c4aece039ef546d152df10a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3709242Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jianxiao Lu <jianxiao.lu@intel.com>
Cr-Commit-Position: refs/heads/main@{#81251}

According to the style guide, the implicit conversion of any number of
registers to a LiftoffRegList should not be there. This CL removes it,
and fixes two subideal call sites to use SpillRegister (receiving a
single register) instead of SpillOneRegister (receiving a register list
to choose from).

Plus some semantics-preserving rewrites.

R=jkummerow@chromium.org

Bug: chromium:1337221
Change-Id: Id22043ac1c185bc794dbde7baa4b1d5ab7cce56e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3707286Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81250}

In the previous implementation, functions overwrote any budget
decrements caused by recursive invocations of themselves, which
could cause tier-up decisions for certain unlucky functions to
get delayed unreasonably long.
This patch avoids this by working with the on-instance value
directly instead of caching it in a stack slot. That generates
the same amount of Liftoff code as the status quo, but handles
recursive functions properly.
The "barista3" benchmark's peak performance improves by almost 20%.

Bug: v8:12281
Change-Id: I8b487a88da99c2d22e132f2cc72bdf36aa5f6e63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693710
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81249}