Those are not safe in combination with the sandbox as they are stored as
raw pointers. Instead of turning them into ExternalPointers (which use
the ExternalPointerTable indirection), this CL simply turns them into
on-heap ByteArrays which is cheaper and should be unproblematic
security-wise as their contents can be corrupted without causing memory
corruption outside the sandbox address space (just incorrect behaviour
and/or further memory corruption *inside* the sandbox, which is fine).

Bug: chromium:1335046
Change-Id: Id2b901a58b7d6c91dd7596fca553d7c76cbc61ec
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3845636Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82765}

Add a new ACCESSOR_GETTER_LIST macro to define all the accesor getters
and allow using non statically known accessor names. This allows
exposing the ModuleNamespaceEntryGetter to the external-reference-table

Change-Id: I40700e2cd19bc58ba55569c7b1e6fc34357bd80f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856924Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82764}

Bug: v8:10470
No-Tree-Checks: true
No-Try: true
Change-Id: Ic59bd42221776248dfc1bde35c1299aa4d1d3b0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3861049
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82763}

Manually removed fuchsia-sdk update for https://crbug.com/1357478.

Rolling v8/base/trace_event/common: https://chromium.googlesource.com/chromium/src/base/trace_event/common/+log/2ba7a48..640fc6d

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/8291582..7e25322

Rolling v8/buildtools: https://chromium.googlesource.com/chromium/src/buildtools/+log/3a4c850..cf8185c

Rolling v8/buildtools/linux64: git_revision:0bcd37bd2b83f1a9ee17088037ebdfe6eab6d31a..git_revision:5705e56a0e5856621415cfdf444432554e72c9c9

Rolling v8/buildtools/third_party/libc++/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxx/+log/db72216..26e3467

Rolling v8/buildtools/third_party/libc++abi/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxab/+log/d2e4dc7..48afced

Rolling v8/buildtools/third_party/libunwind/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libunwind/+log/f87795e..42aa6de

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapul/+log/7294631..2417ba3

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/44b7330..b7ec673

Rolling v8/third_party/zlib: https://chromium.googlesource.com/chromium/src/third_party/zlib/+log/8d1d3e3..926ac23

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clan/+log/a56fd8b..ae771c8

Rolling v8/tools/luci-go: git_revision:a0ba80649473055bae3d789eec28c9967adb5e45..git_revision:3226112a79a7c2de84c3186191e24dd61680a77d

Rolling v8/tools/luci-go: git_revision:a0ba80649473055bae3d789eec28c9967adb5e45..git_revision:3226112a79a7c2de84c3186191e24dd61680a77d

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Bug: chromium:1357478
Change-Id: I4e0a9cdc9958c9261c1d615991f0a98c9ceabda0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3861215
Owners-Override: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82762}

This CL only moves method definitions from heap.cc into the new file
heap-verifier.cc. Apart from this code is not changed.

Bug: v8:11708
Change-Id: Ice7e5f12c6370bc05b82b3a7bd15f94292c4235f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856260Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82761}

Bug: v8:12547
Change-Id: I32898a4382397663967d7e784e16d7930f3600a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859097
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82760}

https://chromium.googlesource.com/external/github.com/tc39/test262/+log/adba7dfd9c..8dcc0e19

Also add "Intl402" (notice the uppercase I) to the excluded dirs for noi18n
because of https://github.com/tc39/test262/pull/3638

Bug: v8:7834
Change-Id: Ibd53c7917a4fd8d1b27989e3c040c5ab47a66e50
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857450Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82759}

Sync https://github.com/tc39/proposal-temporal/pull/2269
Add AO MaybeFormatCalendarAnnotation
Use MaybeFormatCalendarAnnotation in
TemporalDateToString
TemporalDateTimeToString
TemporalZonedDateTimeToString

Spec text:
https://tc39.es/proposal-temporal/#sec-temporal-maybeformatcalendarannotation
https://tc39.es/proposal-temporal/#sec-temporal-temporaldatetostring
https://tc39.es/proposal-temporal/#sec-temporal-temporaldatetimetostring
https://tc39.es/proposal-temporal/#sec-temporal-temporalzoneddatetimetostring

Bug: v8:11544
Change-Id: Ia361b1cba1b2e9db77125a8888054cfd89626611
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3855699
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82758}

Spec Change PR:
https://github.com/tc39/proposal-temporal/pull/2344

Relative tests in test262 are
built-ins/Temporal/Duration/prototype/round/february-leap-year.js

Bug: v8:11544
Change-Id: Id31648436f629a8adf395e3b4c835adf46a2c455
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3855701Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82757}

Currently the ability to create shared isolates is partially exposed to
API. Instead of fully exposing it, this CL makes shared isolate and
shared heap handling transparent to the embedder.

If a flag that requires the shared heap is true (currently
--shared-string-table and --harmony-struct), the first isolate created
in the process will create and attach to a process-wide shared isolate.
Subsequent isolates will attach to that shared isolate. When that first isolate is deleted, the shared isolate is also deleted.

Bug: v8:12547
Change-Id: Idaf2947bc354066c44f2d10243e10162b1b7e4d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3848825Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82756}

This reverts commit a165e82e.

Reason for revert: SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/objects/js-temporal-objects.cc:3837:22  

Original change's description:
> [Temporal] Use double/int32_t instead of int64_t for duration parsing
>
> Use double instead of int64_t and int32_t in duration parsing result
> so we can parse very large duration fields as infinity and throw RangeError in later stages. The three fractional parts can hold up value from 0 to 999,999,999 so we use int32_t to hold it. Other part could be infinity so we use double to hold it. Also rearrange the order of the three int32_t in the struct ParsedISO8601Duration after all the double
>
> Bug: v8:11544
> Change-Id: I7e5b02f7c7bbb60997f1419f016aed61dd3e0d6c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3840761
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Commit-Queue: Frank Tang <ftang@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82754}

Bug: v8:11544
Change-Id: Ia9d0a014463b00640d43b051753a554f42171c2b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858575Reviewed-by: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82755}

Use double instead of int64_t and int32_t in duration parsing result
so we can parse very large duration fields as infinity and throw RangeError in later stages. The three fractional parts can hold up value from 0 to 999,999,999 so we use int32_t to hold it. Other part could be infinity so we use double to hold it. Also rearrange the order of the three int32_t in the struct ParsedISO8601Duration after all the double

Bug: v8:11544
Change-Id: I7e5b02f7c7bbb60997f1419f016aed61dd3e0d6c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3840761Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82754}

This change also modifies the way references are typed: Instead of
using the static type (which may be a generic type like anyref) the
actual type based on the referenced object is used.
While this is very useful for arrays and structs (and somewhat nice for
i31 not just being a number but also having some type information), it
means for non-null values that the reference type is "not nullable",
so it will show e.g. "ref $type0" although the static type  might be
"ref null $type0".

Bug: v8:7748
Change-Id: I00c3258b0da6f89ec5efffd2a963889b1f341c3a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852485Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82753}

This change follows up on 3cc93154 on which Table::grow() was missed.

Bug: v8:7748
Change-Id: I83dc4e4894354ad8c97e577da03d67a36f6d9443
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858227Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82752}

- LoadCallerFrameSlot
- StoreCallerFrameSlot
- LoadReturnStackSlot
- MoveStackValue
- Spill
- Fill

Change-Id: I5fee06a60b36ec145b4d35d59ede35bb849e57b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3851544Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#82751}

This reverts commit adb5e163.

Reason for revert: ClusterFuzz ain't happy. (crbug.com/1356461 and others)

Original change's description:
> [turbofan][x64] When spilling 32bit values, reload only 32 bits
>
> When we spill a register that we know contains only 32 interesting bits
> and then reload it from the spill slot, it's enough to reload its lower
> half. This may save a few bytes, and guards against accidental changes
> to the upper half (e.g. via pointer decompression).
>
> Bug: v8:13216
> Change-Id: I1d950d6e33d8ae94cf385af4f3e1db028bf333c5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854506
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82704}

Bug: v8:13216
Change-Id: I8923cbe00c73191f2fdd51f361d7cd073f338a00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859323Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82750}

For the branching control flow structure we set up for feedback-directed
inlining-capable `call_ref` sequences, we have to manually take care of
the "instance cache nodes" in the SSA environment.

Drive-by: improve Runtime_WasmTierUpFunction to process type feedback,
making it usable for the included regression test.

Fixed: v8:13230
Change-Id: I06a449ad73af90b96d0cc15c3cb9a0e4bed87be6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859326Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82749}

Change the has-optimized FeedbackVector bit to two bits, one for Maglev
and one for Turbofan. Ignition and Sparkplug can check both bits, while
Maglev will only check the Turbofan one.

Bug: v8:7700
Change-Id: I95f6e4326180cac02f127a97438f960950f09d82
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856569
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82748}

Bug: v8:7700
Change-Id: I2860bea3008ea1d357cf7e89fb0453221f065786
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859344
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82747}

This is a left-over of the removal of the dynamic (rtt-based)
variants.

Bug: v8:7748
Change-Id: I93bb74a72543a5697f1102d283c7d65c6be99466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856577
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82746}

Fixes undefined behavior, which manifests as a compiler error in C++20 in Google3.

This was caused by using members of vector<T> before T has been defined.
This change just massages the code a bit to get everything in the proper order.

See cl/468678068 on Google3.

Bug: chromium:1284275
Change-Id: I0b65e7f850e8dd1ed482be1b5cc0b8d9d77776eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859343
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82745}

This is a reland of commit a31e8f24

Remove the checking logic, which will be addressed in a separate CL.

Original change's description:
> [sandbox] Forbid double-initialization of ExternalPointerSlots
>
> Double initialization may cause the ExternalPointerTable compaction
> algorithm to behave non-optimally: Consider the case of an Entry E1 that
> is owned by a HeapObject O and is marked for evacuation during GC
> marking. In that case, a new entry E2 is allocated for it, and during
> sweeping, E1 will be evacuated into E2 and the Handle in O updated to
> point to E2. However, if a new entry E3 for O is allocated before
> sweeping, then during sweeping E3 (instead of E1) will be moved into E2.
> This may then violate the invariant that the compaction algorithms
> always evacuates an entry out of the evacuation area.
>
> This CL therefore forbids double initializaiton of external pointer
> slots and adds DCHECKs to attempt to catch these in debug builds.
>
> Bug: v8:10391
> Change-Id: I128dc930e8b3f863dab18ba648f34d68d8cb276b
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856563
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82729}

Bug: v8:10391
Change-Id: I6cef79f4adc340fdcdc291ad0f0c2210f5bf48cd
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857423Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82744}

Bug: v8:12781
Change-Id: I0c1234c5a649f3533eebbab89f7fe16140327d59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858927
Commit-Queue: Feng Yu <f3n67u@gmail.com>
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82743}

Maglev uses a different safepoint table. This CL introduces the
functions FindReturnPCForTrampoline for MaglevFrame and TurboFanFrame.

Bug: v8:7700, chromium:1356902
Change-Id: I90784ddfdc96604c5ada8047e6f7447c17e6c3aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859342
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82742}

Bug: v8:9407
Change-Id: I29f8f5ec68f09e8631b59d3a6a2926bab3b3bcd3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3845638Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82741}

Port commit 1e5c03c7

Bug: v8:11880
Change-Id: I706056509c2d23e6d57203aba7adcbcbe22607cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859164Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Auto-Submit: Liu Yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#82740}

This allows x64 to select shrl instead of shrq instruction for the
below pattern:

  2: ChangeUint32ToUint64(1)
  3: Int64Constant[2]
  4: Word64Shr(2, 3)

Change-Id: I3278b9ab52dd7212d1a616291d114a6bff0d13d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857740Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Hao A Xu <hao.a.xu@intel.com>
Cr-Commit-Position: refs/heads/main@{#82739}

This CL fixes a data race that was found using TSAN.

Bug: v8:13012
Change-Id: Ic29620edce116effea097a9f1d58532ba93b2224
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857424Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Cr-Commit-Position: refs/heads/main@{#82738}

This is a reland of commit 59d7cf52

Original change's description:
> [riscv] Port [heap] Add shared barrier to RecordWrite builtin
>
> Bug: v8:11708
>
> Change-Id: I803b5499f1bbc3f7b4e626628a73f98239df8454
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854435
> Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
> Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
> Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
> Cr-Commit-Position: refs/heads/main@{#82710}

Bug: v8:11708
Change-Id: I56fcfc8a92c71463bce22a8090e161173cc2c64c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857980
Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#82737}

Rolling v8/third_party/icu: https://chromium.googlesource.com/chromium/deps/icu/+log/31c77cb..bbdc7d8

Add microsecond and nanosecond unit (Frank Tang)
https://chromium.googlesource.com/chromium/deps/icu/+/bbdc7d8

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com,ftang@chromium.org

Change-Id: I2d996e16a0e3e52c1de237eb13ca656829ff3d0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857874
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82736}

This reverts commit 59d7cf52.

Reason for revert: wrong port

Original change's description:
> [riscv] Port [heap] Add shared barrier to RecordWrite builtin
>
> Bug: v8:11708
>
> Change-Id: I803b5499f1bbc3f7b4e626628a73f98239df8454
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854435
> Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
> Commit-Queue: ji qiu <qiuji@iscas.ac.cn>
> Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
> Cr-Commit-Position: refs/heads/main@{#82710}

Bug: v8:11708
Change-Id: I0e091b2eb086c87e7c60b9840d19b7c383124e42
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857979
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#82735}

Port 1e5c03c7

Original Commit Message:

    This CL simplifies the API calls by removing some instructions from
    the most common path.

R=ishell@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N

Change-Id: I989c7da21347dc8a081b55ecea6374d3415d4aa3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857444Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82734}

Also add AO: ToISOWeekOfYear

Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.calendar.prototype.weekofyear
https://tc39.es/proposal-temporal/#sec-temporal-toisoweekofyear

Note- this is only the non-intl version. intl version in
https://tc39.es/proposal-temporal/#sup-temporal.calendar.prototype.weekofyear
will be implemented in later cl.

PR https://github.com/tc39/proposal-temporal/pull/2378

Sync spec text for ToISODayOfYear and ToISODayOfWeek
in the comment and add DCHECK for assertion.


Bug: v8:11544
Change-Id: If07ff76551707d17d125e41bc624c12da6efa45a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3531567
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82733}

This reverts commit a31e8f24.

Reason for revert: Causes DCHECK failures with --stress-snapshot

Original change's description:
> [sandbox] Forbid double-initialization of ExternalPointerSlots
>
> Double initialization may cause the ExternalPointerTable compaction
> algorithm to behave non-optimally: Consider the case of an Entry E1 that
> is owned by a HeapObject O and is marked for evacuation during GC
> marking. In that case, a new entry E2 is allocated for it, and during
> sweeping, E1 will be evacuated into E2 and the Handle in O updated to
> point to E2. However, if a new entry E3 for O is allocated before
> sweeping, then during sweeping E3 (instead of E1) will be moved into E2.
> This may then violate the invariant that the compaction algorithms
> always evacuates an entry out of the evacuation area.
>
> This CL therefore forbids double initializaiton of external pointer
> slots and adds DCHECKs to attempt to catch these in debug builds.
>
> Bug: v8:10391
> Change-Id: I128dc930e8b3f863dab18ba648f34d68d8cb276b
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856563
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82729}

Bug: v8:10391
Change-Id: I37e6728cc16fe79fa7d743417dc9938d58fb0474
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857422
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82732}

Bug: v8:7327
Change-Id: Ie10dd2b7fde80f100589b388644143e626b7e610
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856570Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Danylo Boiko <danielboyko02@gmail.com>
Cr-Commit-Position: refs/heads/main@{#82731}

- Move StringForwardingTable implementation to own compilation unit.
- Refactoring preparing for layout change (Introduce explicit record
  class to make transition from contiguous Tagged_t fields to a
  heterogeneous record layout easier).
- Replace RootVisitor pattern for transitioning/cleanup during GC with
  callback.
- Minor cleanups.

Bug: v8:12957
Change-Id: Iae343393f470130eac0c54148a1303b67fb95aa4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3845635Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82730}

Double initialization may cause the ExternalPointerTable compaction
algorithm to behave non-optimally: Consider the case of an Entry E1 that
is owned by a HeapObject O and is marked for evacuation during GC
marking. In that case, a new entry E2 is allocated for it, and during
sweeping, E1 will be evacuated into E2 and the Handle in O updated to
point to E2. However, if a new entry E3 for O is allocated before
sweeping, then during sweeping E3 (instead of E1) will be moved into E2.
This may then violate the invariant that the compaction algorithms
always evacuates an entry out of the evacuation area.

This CL therefore forbids double initializaiton of external pointer
slots and adds DCHECKs to attempt to catch these in debug builds.

Bug: v8:10391
Change-Id: I128dc930e8b3f863dab18ba648f34d68d8cb276b
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856563Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82729}

Bugs that are older than the switch of v8_foozzie.py to Python3
bisect to the switch commit unfortunately. This change attempts to
let bisect run longer if a python2 executable still exists.

No-Try: true
Bug: chromium:1355824
Change-Id: I457a50af21704ddd2985793861eee8be5601a673
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856574Reviewed-by: Liviu Rau <liviurau@google.com>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82728}

ThinStrings are not transitioned to other string representations, so we
shouldn't need the snapshotting protocol for them.

Change-Id: I17cee1a4171b10c441a005ac29bd232a0a065207
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852489Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82727}

This does not enable exception handlers yet, we still bail out in
MaglevCompiler::Compile if we have an exception handler table in
the bytecode array.

This CL:
- Generates code for exception handler blocks (which previously were
set as dead code)
- Creates a machinery for nodes to set the property CanThrow
- Reads the exception handler table from the bytecode array and
identifies if we're emitting nodes inside a try-block and for which
handler we should jump in case of an exception
- Generates an exception handler table for Maglev code


Change-Id: Ifc9d4cb7440d3222f4fda48a86e4e482340b3b15
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854061
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82726}