... capable of computing the forwarding pointer for objects allocated
outside of the main pointer compression cage.

Drive-by: hoist computation of pointer compression cage base out of
certain loops in GC code.

Bug: v8:11880
Change-Id: I23efdffd1a237d9eedd0e2975e8e40811417ef31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3204968Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77244}

IsActive is misleading as the current implementation forces to use
v8::Locker for all Isolate access once any Locker has been used in
the same process.

Bug: chromium:1240851
Change-Id: Ieb2cfa352313b6f2cbec1bafdbc94a3fc718f3d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3190093Reviewed-by: Dan Elphick <delphick@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77243}

Fix several edge cases consistency issues with ICU discovered by test262 test by
using Intl Enumeration API
1. Work around ICU short coming of always fallback in currency display
 name so when the fallback is "none" in DisplayNames, the force fallback
code will produce the correct undefined from the of(currency_code) method.
2. Always check numbering system is not algorithm based numbering system
to fix DateTimeFormat/RelativeTimeFormat/NumberFormat
resolvedOptions().numberingSystem when the reqested numberingSystem is one
of the numbering systems that we filter out the resources and not supported.
3. Generalize the iso8601 bit solution in DateTimeFormat and rename it to
alt_calendar bit to also fix DateTimeFormat resolvedOptions report
calendar as "islamic" while requesting "islamic-rgsa".
4. Work around reporting inconsistency of currency code and display name
in ICU.

Bug: v8:12209
Change-Id: Ibd349ee55426fad7d6f20a5e93fb35ff7438e111
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3153576
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77242}

A mov can be up to 10 bytes, 6 for displacement, 4 for instr. Other
instructions (like pshufb) with a complex addressing mode can take 10
bytes too. So adjust the padding for disassembly of hex accordingly.
This requires fixing up all the test cases too.

Bug: v8:12207
Change-Id: I372d67a818a5dbfe6f49f67047493d7f67b59bcd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3180375Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77241}

This is a reland of 75dd3600

crrev.com/c/3205901 should fix the test failures on Fuchsia.

Original change's description:
> Reland "Turn on v8_enable_virtual_memory_cage for Chromium builds"
>
> This is a reland of 4fb3eae7
>
> crrev.com/c/3202002 fixed the Chromium build issue.
>
> Original change's description:
> > Turn on v8_enable_virtual_memory_cage for Chromium builds
> >
> > This CL enables the virtual memory cage at compile time by default for
> > Chromium builds on x64 and arm64. However, the cage will only be used at
> > runtime if the correpsonding Chromium feature is enabled as well.
> >
> > Bug: chromium:1218005
> > Change-Id: I5a452d299ac950f8ec0f741f6b9a153e57b2a666
> > Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200081
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Samuel Groß <saelo@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#77212}
>
> Bug: chromium:1218005
> Change-Id: I32b1a4088ca44827ca4f76b5d19b8138875bfc97
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3204950
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77229}

Bug: chromium:1218005
Change-Id: Id258ded659e4abc31f052ff4c57804d4bd9c5ba0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3205897Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77240}

Bug: chromium:794619
Change-Id: I335291b8ea7a326abbf66df535d3fa98aff9e4fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3206277
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Auto-Submit: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77239}

The error showed when printing the resulting code object, because the
tier was neither TurboFan nor Liftoff, even though the code was
registered as a standard wasm function (instead of an import wrapper).

R=jkummerow@chromium.org

Bug: chromium:1254674
Change-Id: I26482fd88d72403393428979abf08e9f60cd8c4c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3202001
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77238}

Bug: chromium:1218005
Change-Id: I00168c25921fd71d925c71c7b7b9ddafd392e95e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3205901Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77237}

This reverts commit 75dd3600.

Reason for revert: Breaks V8 roll, failure on Fuchsia: https://ci.chromium.org/ui/p/chromium/builders/try/fuchsia_arm64/964489/overview

Original change's description:
> Reland "Turn on v8_enable_virtual_memory_cage for Chromium builds"
>
> This is a reland of 4fb3eae7
>
> crrev.com/c/3202002 fixed the Chromium build issue.
>
> Original change's description:
> > Turn on v8_enable_virtual_memory_cage for Chromium builds
> >
> > This CL enables the virtual memory cage at compile time by default for
> > Chromium builds on x64 and arm64. However, the cage will only be used at
> > runtime if the correpsonding Chromium feature is enabled as well.
> >
> > Bug: chromium:1218005
> > Change-Id: I5a452d299ac950f8ec0f741f6b9a153e57b2a666
> > Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200081
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Samuel Groß <saelo@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#77212}
>
> Bug: chromium:1218005
> Change-Id: I32b1a4088ca44827ca4f76b5d19b8138875bfc97
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3204950
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77229}

Bug: chromium:1218005
Change-Id: I90f3d5e2878f429125c2a2ebde1105a4116c8d1f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3205895
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#77236}

The {wasm_kind} is completely unused, thus remove it before fixing a
wrong {CodeKind} for wasm-to-js functions.

R=mslekova@chromium.org

Bug: chromium:1254674
Change-Id: Ie3d260a7664d9a390d7edc49c2bf0692c8d798d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3202000Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77235}

Bug: v8:11111
Change-Id: I784a9d347fa4a21fd38f04b4d4e3a8a4398292c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3186438
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77234}

Change-Id: Id4336aae4e8ef8974657a28cb5e8ea66a968c60c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3202474Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77233}

The Merge node for merging exceptions into the catch environment had
type kWord32, which is not a reference type. Because of this the GC does
not visit it and can collect it too early. Change the type to
kTaggedPointer.
Also change the type of ExceptionLocation() from IntPtr to TaggedPointer
for consistency. This one does not affect correctness because the
IfException node is already marked as tagged.

R=clemensb@chromium.org

Bug: v8:12254
Change-Id: I190d48b85f4b889ab083228b8fcedd439090e1de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3201994Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77232}

R=dinfuehr@chromium.org

Bug: v8:12278
Change-Id: I54c2e623e80e13b04b9acbb0915d251ab551eec3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3201996Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77231}

Do not require the --verify-heap flag to test aborting evacuation of a
page but randomly abort evacuation in debug builds with
--stress-compaction. This is intended to increase test coverage of this
mechanism.

Bug: v8:12251
Change-Id: I6cd08904ee195dbf2a1ef1e9c2c773c514c2cf7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3201999Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77230}

This is a reland of 4fb3eae7

crrev.com/c/3202002 fixed the Chromium build issue.

Original change's description:
> Turn on v8_enable_virtual_memory_cage for Chromium builds
>
> This CL enables the virtual memory cage at compile time by default for
> Chromium builds on x64 and arm64. However, the cage will only be used at
> runtime if the correpsonding Chromium feature is enabled as well.
>
> Bug: chromium:1218005
> Change-Id: I5a452d299ac950f8ec0f741f6b9a153e57b2a666
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200081
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77212}

Bug: chromium:1218005
Change-Id: I32b1a4088ca44827ca4f76b5d19b8138875bfc97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3204950Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77229}

These are used by unittests which can be compiled as a separate binary
that links againt libv8.

Bug: chromium:1218005
Change-Id: Ibb29c4fa104be61fc26cbd6c1b349d74d74c50a6
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3202002
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77228}

Port a partial revert of https://crrev.com/c/3189512. The comments are
kept around to document what each flag does.

Fixed: chromium:1255096
Change-Id: I8758a536a6f77826b0eb4918d7d8c85b772d9394
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3203004Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77227}

Bug: v8:12207
Change-Id: I6d8a62bb69c6011e6e7f6da2663f9db297b76f7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3180374
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77226}

Bug: v8:12244,v8:12245
Change-Id: I96dfc288c47df0f53b63f04ebb567dcb65dadf8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200402Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77225}

Bug: v8:12244,v8:12245
Change-Id: Ib2e00ec2164b4f19508731d7aadf50114c6cd06a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200403Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77224}

Bug: v8:12244,v8:12245
Change-Id: I811e50b747813f253cd3ebe0bc56d01a92532a1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200401Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77223}

Bug: v8:12207
Change-Id: Ic59dbbce330221c917f20c7d20ac7ddb421932ee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3180373Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77222}

This reverts commit d7c9b31a.

Reason for revert: investigating intermittent failures on `test/mjsunit/wasm/parallel_compilation.js`

Original change's description:
> ppc: [liftoff] implement DropStackSlotsAndRet
>
> Change-Id: I05bcba3ad27b46b7c7888940895605ad463fc960
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3155302
> Reviewed-by: Milad Fa <mfarazma@redhat.com>
> Commit-Queue: Junliang Yan <junyan@redhat.com>
> Cr-Commit-Position: refs/heads/main@{#76774}

Change-Id: I19452e75aad78b446ac6e2cd8b80cec4d792671f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3202471Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77221}

This reverts commit 4fb3eae7.

Reason for revert: Fails to link on chromium, blocking the roll: https://cr-buildbucket.appspot.com/build/8834293599516974577

Original change's description:
> Turn on v8_enable_virtual_memory_cage for Chromium builds
>
> This CL enables the virtual memory cage at compile time by default for
> Chromium builds on x64 and arm64. However, the cage will only be used at
> runtime if the correpsonding Chromium feature is enabled as well.
>
> Bug: chromium:1218005
> Change-Id: I5a452d299ac950f8ec0f741f6b9a153e57b2a666
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200081
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77212}

Bug: chromium:1218005
Change-Id: Id17946641b7b4e0d377d4e211aab929bb39ec341
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3201998
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#77220}

This reenables a test which is passing, independent of missing
accounting for shared memory. This is because we repeatedly trigger a GC
explicitly in all workers.

R=dinfuehr@chromium.org

Bug: v8:12278
Change-Id: I73d1513d809787284af0be4956018806719acd50
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3201995Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77219}

The field in JSFunction uses acquire-release semantics, therefore
the read is store-ordered.

Bug: v8:7790, v8:12282
Change-Id: Ic6e9d02e7aca1ca68c74502c3afed6eb6e964975
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3201992Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77218}

Add the array.get and struct.get functions to GenerateOptRef.

Bug: v8:11954
Change-Id: I39b03f909abfd19d89d7d6a76cdef5f0d5219b8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3197689Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Maria Tîmbur <mtimbur@google.com>
Cr-Commit-Position: refs/heads/main@{#77217}

This CL allows aborting of compaction on a page based on an Address
instead of a HeapObject.

Bug: v8:12251
Change-Id: Ib928ace9aa24a0ff1ab5f44026d5b287f7cdcdb3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199881
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77216}

This is needed in case of 'let', where OpcodeLength transitively calls
{read_value_type()}.

Bug: v8:9495
Change-Id: I8aebffabc7ba1c47418d363dc9257f132fac33df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200074Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77215}

No functional changes.

Bug: v8:12251
Change-Id: I155524875032e553b48e358ec7ecd562d177b27f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199880Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77214}

1. In ElementAccessFeedback::HasOnlyStringMaps - we can assume
  the map is safe to read because it was read earlier from the
  feedback vector and passed the gc predicate then.
2. In JSHeapBroker::GetPropertyAccessInfo - we can assume that the
  feedback vector in a FeedbackSource is store-ordered/safe to read.

Bug: v8:7790, v8:12282
Change-Id: Ie09acdfaac3d5e767ffe74e4bad941d4eeb47f9a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200082
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77213}

This CL enables the virtual memory cage at compile time by default for
Chromium builds on x64 and arm64. However, the cage will only be used at
runtime if the correpsonding Chromium feature is enabled as well.

Bug: chromium:1218005
Change-Id: I5a452d299ac950f8ec0f741f6b9a153e57b2a666
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200081Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77212}

Trying to optimize in such case breaks down the optimization, as we
end up with potentially non-eliminatable nodes that depend on the dead
IfTrue/IfFalse node.
Drive-by: Clean up dead nodes with {Kill()}.

Bug: v8:11510, chromium:1255354

Change-Id: Ia89fe6c243974c3c2abac6ad80bd4677a935f637
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200073Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77211}

This reverts commit b65e72c6.

Reason for revert: CFs issues

Original change's description:
> [TurboFan] Change representation of NumberConstant in 32-bit arch
>
> Smi constants in 32 bit machines are guaranteed to be 31 bits.
>
> Bug: chromium:1254189
> Change-Id: I4ea296a7212c5e6ea14119fbd71cfb5789762b55
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3195874
> Commit-Queue: Victor Gomes <victorgomes@chromium.org>
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77185}

Bug: chromium:1254189, chromium:1255213, chromium:1255330
Change-Id: Idd9a6e76a44612d1ab9aada0d8ee093b9aab34a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200079
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77210}

Since we are reading an Object field, it could be that the gc
predicate fails. Therefore, this CL changes to TryMakeRef, and
makes the return value of length_unsafe() optional.

Bug: v8:7790, v8:12282
Change-Id: I86a8bcc6649d5e8121e52f8947b8331fcf242887
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200078Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77209}

The checks for assignemnts to member during prefinalizers assumed the
slot has to live. It was assumed that if a slot is dead then we would
not be updating it.
Prefinalizers are allowed to touch dead objects and thus are techincally
allowed to write to dead slots. Such writes are usually redundant (the
object will be swept soon anyway) but are not always easy to get rid of.

Bug: chromium:1255152, v8:11749
Change-Id: I57e143abd53d434c3198616909c506eb70d8944b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199800Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77208}

Bug: v8:7790,v8:12282
Change-Id: Id6a129c21648bb7919b1d162b47bb24c5d6b432a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200077
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77207}

MapRef::GetConstructor and GetBackPointer are immutable after
initialization.

Bug: v8:7790, v8:12282
Change-Id: I1059aabdd85a08af5f6d570a2eee206bda4f7ac3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200076
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77206}

Since the WasmStackGuard build-in is not kNoThrow, it needs to be
inserted in the control chain between the IfFalse and Merge nodes of the
stack check.

Change-Id: I5ad1c4f01e079c0c9079ea129f8e3363ade80217
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199798Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77205}