- 10 Jun, 2022 18 commits
-
Clemens Backes authored
Add a missing check to reject illegal sections. The test is added in three forms, to give fuzzers more food: A fuzzer regression test for the streaming fuzzer, a unit test for the streaming decoder, and an mjsunit test for streaming compilation. Drive-by: Remove a redundant line in the synchronous decoder (this is already handled by the following statement). R=ahaas@chromium.org Bug: chromium:1335023 Change-Id: Ic8c3b301f1b58981c7d68eafcffc89531ed2c64c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3698549 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#81071}
-
Tobias Tebbi authored
The mid-tier register allocator keeps values in stack slots for too long. This is incompatible with left-trimming, therefore we cannot enable it for JS functions. Bug: chromium:1335054 Change-Id: I61ab97d4fbfcbb81319e611a64a6454e050a1d65 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695266 Reviewed-by: Clemens Backes <clemensb@chromium.org> Auto-Submit: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/main@{#81070}
-
jameslahm authored
... flag-definitions-unittest. We should set up the isolate to get the correct Flag_*. This CL fixes the breakage in https://ci.chromium.org/p/v8/g/ports/console including https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm%20-%20sim%20-%20lite and https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm%20-%20sim%20-%20lite%20-%20debug etc. Bug: v8:12781 Change-Id: Ifca84c02f8458f0a906948f4a7e0f999af429abf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3697865 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: 王澳 <wangao.james@bytedance.com> Cr-Commit-Position: refs/heads/main@{#81069}
-
jameslahm authored
... base/platform/platform-unittest. Bug: v8:12781 Change-Id: I05902bfa5ad6f391f7b7ffa8b22b46627c244fef Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688893 Commit-Queue: 王澳 <wangao.james@bytedance.com> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#81068}
-
Anton Bikineev authored
Bug: chromium:1325007 Change-Id: I6adb06c4b15e5656f2b2c47b49d6a225750a6b2a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695572 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Auto-Submit: Anton Bikineev <bikineev@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Anton Bikineev <bikineev@chromium.org> Cr-Commit-Position: refs/heads/main@{#81067}
-
jameslahm authored
... execution/thread-termination-unittest. Bug: v8:12781 Change-Id: I772ad8550e242eae66f76c5785aeb7f1e4425fae Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688894 Commit-Queue: 王澳 <wangao.james@bytedance.com> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#81066}
-
Milad Fa authored
This CL splits two mjsunit files and skips the ones which take the longest on the simulator and cause a timeout. Change-Id: I89be764dc2d7684b401690a23bf53a3ef6384d16 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693667 Commit-Queue: Milad Farazmand <mfarazma@redhat.com> Reviewed-by: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#81065}
-
Igor Sheludko authored
... into VisitExternalPointer(HeapObject, ExternalPointerSlot, ExternalPointerTag). Drive-by: introduce ExternalPointerSlot - a slot containing an ExternalPointer_t value. This cleanup is a prerequisite for inlining Foreign object fields into field's holder objects. Bug: v8:12949 Change-Id: Ifd74ed285796b0952d7d06de82b56c63fd1f7f3e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695361 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/main@{#81064}
-
Jose Dapena Paz authored
GCC fails to compile extract_first_nonzero_index because of the signedness type mismatch in the NEON intrinsics. Bug: chromium:819294 Change-Id: I9b73e5fa1d5fbf161740ab1b5d77f5c494369dfa Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693709 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: José Dapena Paz <jdapena@igalia.com> Cr-Commit-Position: refs/heads/main@{#81063}
-
Leszek Swirski authored
Use the "convert" parameter to SequentialStringKey to construct one-byte strings out of two-byte input vectors, where appropriate. Change-Id: I8a214b3960c677614d6f82ed3b29405e2e493e81 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2557981 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/main@{#81062}
-
Lu Yahan authored
Running mem in the simulator may cause a segmentation fault. This CL fixes it. If the value of reg is a small int, it should be a smi. Change-Id: I60b4eb8c959bc9f86ae28718ff6dd54ecf40a6ec Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3698757 Auto-Submit: Yahan Lu <yahan@iscas.ac.cn> Commit-Queue: ji qiu <qiuji@iscas.ac.cn> Reviewed-by: ji qiu <qiuji@iscas.ac.cn> Cr-Commit-Position: refs/heads/main@{#81061}
-
Thibaud Michaud authored
The module's "prefix hash" is based on a prefix of the module bytes that starts at the beginning of the module and stops at the code section. In the case of the streaming decoder, if the code section is empty, `AsyncStreamingProcessor::ProcessCodeSectionHeader()` is never called, and we keep accumulating bytes in the hash after the code section. Fix this by always calling into the streaming processor even if the code section is empty. R=ahaas@chromium.org CC=clemensb@chromium.org Bug: chromium:1334651 Change-Id: Id2a03468b355867868e589523c994c268c7b4eaf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695564 Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#81060}
-
Anton Bikineev authored
Currently, PageAllocator assumes that FreePages(start, size) will always be called on the same region that was passed to AllocatePages(start, size). This assumption is made in: 1) leak-sanitizer (LsanPageAllocator) that checks it explicitly, 2) on Windows, FreePages() calls VirtualFree() with zero-size and MEM_RELEASE, which causes the entire reservation to be freed. The CL temporarily fixes the bot failures just by holding the unneeded half and adds a TODO to return the unneeded part back to the OS. Bug: chromium:1325007 Change-Id: I2bd878876d43d693cf2138020f410ffe1615b4e9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695363 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Anton Bikineev <bikineev@chromium.org> Cr-Commit-Position: refs/heads/main@{#81059}
-
jameslahm authored
... static generator methods and static async generator methods for Class. Bug: v8:11525 Change-Id: I58e8059c95e8a24e1a09d84aea84b82d35f5e2d7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688891 Commit-Queue: 王澳 <wangao.james@bytedance.com> Reviewed-by: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#81058}
-
jameslahm authored
... /interpreter. This CL moves cctest/interpreter/{bytecode-expectations-printer, test-bytecode-generator, test-interpreter-intrinsics, interpreter-tester, test-interpreter, test-source-positions, source-position-matcher} to unittests/interpreter/{ bytecode-expectations-printer, bytecode-generator-unittest, interpreter-intrinsics-unittest, interpreter-tester, interpreter-unittest, source-positions-unittest, source-position-matcher}. Bug: v8:12781 Change-Id: I187583bd34f709dd0d7dfc0f92e18f191da0e30f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3609752 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: 王澳 <wangao.james@bytedance.com> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/main@{#81057}
-
Anton Bikineev authored
Compaction currently considers only backing store pointers as slots and those are uncompressed. The CL fixes the tests to use raw pointers instead of Members. Bug: chromium:1325007 Change-Id: I2ddfffeeab396552bb7cf31b2bd8502ebc2921fb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695590 Commit-Queue: Anton Bikineev <bikineev@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#81056}
-
Camillo authored
%GetAndResetRuntimeCallStats(...) is changed to throw:
  - if the RCS compile-time flag was not set
  - if --runtime-call-stats / tracing RCS is not enabled
This avoids a few debug cycles when trying to get RCS with official release builds that don't ship it. Change-Id: I92b1271b34b76439c2a5cddff853619c983549bd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695563 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/main@{#81055}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/a789781..2fdb9a9 Rolling v8/buildtools/linux64: git_revision:fd6cae41bd7d5d255dc2fb96004a8bf74ac9d972..git_revision:2ecd43a10266bd091c98e6dcde507c64f6a0dad3 Rolling v8/buildtools/third_party/libc++abi/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxabi/+log/11395e5..013bcd8 Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/8a8c0b9..ba0a827 Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/b3579d4..a9467d8 Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220608.4.1..version:8.20220609.0.1 R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com Change-Id: I304eecaae92c311e7c5500a9c11de0fed69af561 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695971 Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/main@{#81054}
-
- 09 Jun, 2022 22 commits
-
Frank Tang authored
Add AOs: ToTemporalOffset and InterpretISODateTimeOffset Spec Text: https://tc39.es/proposal-temporal/#sec-temporal.zoneddatetime.prototype.with https://tc39.es/proposal-temporal/#sec-temporal-totemporaloffset https://tc39.es/proposal-temporal/#sec-temporal-interpretisodatetimeoffset Bug: v8:11544 Change-Id: I8b757386596d0d73a73e8e9aa2d52cd72b90a95a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3692939 Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/main@{#81053}
-
Manos Koukoutos authored
Insert TypeGuard nodes for the result of br_on_non_null and the Forward decoder interface function. Also, add debug checks when inlining to check real vs. formal argument types, because that is where the bug manifested. Bug: v8:7748 Change-Id: I9bd8415a1f10c22ff1cabaa3949749b9495225d1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695588 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#81052}
-
Camillo authored
Drive-by-fix: Reduce one branch in the type comparison since JS_OBJECT_TYPE and JS_FIRST_API_INSTANCE_TYPE are adjacent. Bug: v8:11476 Change-Id: I621ef2df4da2858cb1652276f800ccedba4e3015 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695562 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#81051}
-
Danylo Boiko authored
  - basic file movement
  - dependencies update
  - grammar fix
  - refactoring common files (from new folder 'common')
Change-Id: Ie47d565202aefe247ef6fd9e64108926e467d533 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695385 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Danylo Boiko <danielboyko02@gmail.com> Cr-Commit-Position: refs/heads/main@{#81050}
-
Georgia Kouveli authored
The allowlist used for `Deoptimizer::IsValidReturnAddress` depends on fixed embedded builtin addresses. Pass a pointer to the isolate to this method, so that it can discover the actual builtin code start (which may have been remapped) and calculate the offset from the start of the builtins' code in order to check if the return address is allowed. After this change, do not disable short builtin calls when CFI is enabled. There's an important TODO for this change: Since the builtin code pointer that's used to check whether a return address is allowed is now writable, we should use pointer authentication to protect it. Bug: v8:10026 Change-Id: Iafd31d3ad7e10cb17faf33e76e78d3df36edeefd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3667506 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> Cr-Commit-Position: refs/heads/main@{#81049}
-
Hisham Muhammad authored
This adds a handle scope to Module::validate in C API so that the wasm_module_validate can be usable from C. Without the added handle scope, attempting to call wasm_module_validate function from C code fails with:
#
# Fatal error in v8::HandleScope::CreateHandle()
# Cannot create a handle without a HandleScope
#
Bug: v8:12941 Change-Id: I2b4d5dccdaed9501f31447158ebf8e7906a1f8f0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3692020 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#81048}
-
Dominik Inführ authored
CodePageCollectionMemoryModificationScope now increases a per-thread counter and inserts unprotected code chunks into a thread-local set of chunks. This information is moved from Heap into LocalHeap. We can't use kMaxWriteUnprotectCounter on the unprotect counter on the MemoryChunk anymore, since e.g. for concurrent Sparkplug N threads might now allocate a code object on the same page and since CodePageCollectionMemoryModificationScope doesn't know about the other threads anymore, each thread has to increase that counter by 1. We DCHECK that nesting depth now in the scope's constructor instead. We still need to remove chunks from `unprotected_memory_chunks_` when freeing an executable MemoryChunk during GC. Fortunately we can still do this, since all threads are in a safepoint during GC and we can remove the chunk from each thread-local set without any synchronization. Bug: chromium:1330887 Change-Id: Icefc61b8d8de113d8dcfb1cf64122d12dd9798c4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688516 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#81047}
-
Andy Wingo authored
Bug: v8:12868 Change-Id: I19190dc8163de42964fb3911f82e8aeabaf48524 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695585 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andy Wingo <wingo@igalia.com> Cr-Commit-Position: refs/heads/main@{#81046}
-
Manos Koukoutos authored
  - Functions related to table initialization now return an optional {MessageTemplate} if they fail. This is used to emit the correct error message in one test.
  - InitExprInterface now uses {MessageTemplate} to describe errors.
Change-Id: I2428f7823859b95d14b6e81c8200f78da4510ceb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695579 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/main@{#81045}
-
Milad Fa authored
Operations are divided into 3 categories:
  - Load/Store ops including prefixed.
  - Load/Store ops including prefixed, with alignment requirements for their non-prefixed version.
  - Non-prefixed Load/Store.
We first check if a non-prefixed instruction can be emitted and if so will emit that instead while making sure to check for its alignment (if needed). Change-Id: I2300e4b1f0edfca107dc9f39c20898da57cac358 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695383 Commit-Queue: Milad Farazmand <mfarazma@redhat.com> Reviewed-by: Junliang Yan <junyan@redhat.com> Cr-Commit-Position: refs/heads/main@{#81044}
-
Anton Bikineev authored
Add __attribute__((const)) so that the compiler may assume that the variable doesn't change across calls (basically treat the variable as const). Bug: chromium:1325007 Change-Id: I1ecd9a6b7b142cbb9da20a44f568465e1ca45fe7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688400 Commit-Queue: Anton Bikineev <bikineev@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#81043}
-
Michael Lippautz authored
Bug: v8:12819 Change-Id: I9150a8a8ffa38b0628eee0f399d403af6363c04d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695587 Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#81042}
-
Thibaud Michaud authored
Context: https://github.com/WebAssembly/exception-handling/pull/197 This change adds the optional {traceStack: <bool>} parameter to the WebAssembly.Exception constructor. When set to true, this captures the stack and sets the `stack` accessor on the exception object. R=jkummerow@chromium.org Bug: v8:8091 Change-Id: I4430b6317b27ec62f11e951fbe95ee480ac72d37 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688402 Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#81041}
-
Andreas Haas authored
This reverts commit b1f89633.

Reason for revert: This causes a crash with streaming compilation when the stream gets aborted because the context gets destroyed, e.g. when a worker gets killed early.

Original change's description:
> [wasm] Enter CallDepthScope after compilation to execute microtasks
>
> When async compilation finishes for WebAssembly, the promise returned by
> `WebAssembly.compile()` gets resolved. Resolving the promise creates a
> microtask that should get executed automatically when the call stack
> empties up when MicrotasksPolicy::kAuto is used. However, this policy
> requires a CallDepthScope to work, but there is no CallDepthScope when
> WebAssembly compilation finishes. This CL adds this CallDepthScope.
>
> R=jkummerow@chromium.org
>
> Bug: chromium:1297672
> Change-Id: I1bd607dec9daf08b3dbb1294393a8af255d222ff
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3679579
> Auto-Submit: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80872}

Bug: chromium:1297672, chromium:1335042 Change-Id: I1f186a7f17f007a448ca7188bd32605a4fc03497 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695359 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/heads/main@{#81040}
-
Anton Bikineev authored
This is done by making sure that LSB of the cage-base is 1. This way we know that on compression normal pointers after the shift will have the MSB set to 1. Bug: chromium:1325007 Change-Id: I8699aaa464f1a8c18d2092f5eb474266fb409fcb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688399 Commit-Queue: Anton Bikineev <bikineev@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#81039}
-
Anton Bikineev authored
This wraps CagedHeapLocalData in #if defined(CPPGC_CAGED_HEAP) Bug: v8:12231 Change-Id: I462ddbbde2308e8d786fb99d6a557c1dcaea8a4e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695586 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Auto-Submit: Anton Bikineev <bikineev@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#81038}
-
Anton Bikineev authored
Now that the cage is shared, we can remove the thread-local base and instead use a simple global. Bug: chromium:1325007 Change-Id: I05019de83868f823c66003740e277578f2a1d439 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688051 Commit-Queue: Anton Bikineev <bikineev@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#81037}
-
JianxiaoLuIntel authored
This CL handles weakcallbacks for resetting WeakMember smart pointers in parallel. Tracing data for browsing nytimes.com: CppGC.AtomicWeak 4.628 ms CppGC.ConcurrentWeakCallback 0.157 ms Bug: v8:12796 Change-Id: I1e7aa9d27e22985072a8fc332376ac3bd84a3720 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3692433 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Auto-Submit: Jianxiao Lu <jianxiao.lu@intel.com> Commit-Queue: Jianxiao Lu <jianxiao.lu@intel.com> Cr-Commit-Position: refs/heads/main@{#81036}
-
Andy Wingo authored
Bug: v8:12868 Change-Id: I717326b27ce783710ffd141370648dde7e0d74a1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695561 Commit-Queue: Andy Wingo <wingo@igalia.com> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#81035}
-
Samuel Groß authored
This configuration allows testing the V8 sandbox by exposing the memory corruption API (which emulates typical V8 exploit primitives) and (through a d8 command line flag) enabling the sandbox crash filter which filters out "harmless" crashes (those that don't break the sandbox's security guarantees). Bug: v8:12878 Change-Id: Iad3ee2a8c20b9056766c5c654018b41920fe8703 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695581 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#81034}
-
Andy Wingo authored
Bug: v8:12868 Change-Id: I13b32086e736490c54b583a514ac3592179adf7f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695381 Commit-Queue: Andy Wingo <wingo@igalia.com> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#81033}
-
Samuel Groß authored
The flag is causing build failures in some environments (when it is not defined) and it is not actually needed since the behaviour of these FDs across fork/exec isn't defined and this code is only used for testing. Bug: chromium:1218005 Change-Id: If2bf6835705318079af56d920017accedaf769dd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695583 Commit-Queue: Samuel Groß <saelo@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#81032}
-