Verify usages of SKIP_WRITE_BARRIER in builds with SLOW_DCHECKs enabled.
We can only remove the write barrier in specific circumstances that
can also be DCHECK'ed.

I also switched some write barriers to UPDATE_WRITE_BARRIER where those
simple rules didn't hold but relied on more elaborate explanations.

Bug: v8:12544
Change-Id: I4caa43627f8a3209d853e3352caabc161568e6eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3386803Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78649}

This is a reland of 142dd775

Original change's description:
> cppgc-js,heap: Implement snapshots for embedder fields
>
> https://crrev.com/c/3293410 added concurrent processing of C++ objects
> found through V8 embedder fields. The CL missed that those embedder
> fields are not read atomically from JS objects. The problem is that
> embedder fields are only aligned to kTaggedSize on builds with pointer
> compression and are as such mis-aligned for atomic ops. This is not a
> problem for on-heap values as the upper 32bits are anyways computed
> from the cage. Is is a problem for generic C++ values though, as they
> are used with Oilpan.
>
> This CL adds the standard marker snapshot protocol for embedder fields.
>
> Marker:
> 1. Snapshot embedder fields
> 2. Try to mark host object
> 3. On success: process snapshot
>
> Main thread:
> 1. On setting embedder fields mark the object black first
> 2. Emit a write barrier for the embedder fields
>
> This will get simpler with the heap sandbox that uses a separate table
> for embedder fields. Once the sandbox is the default configuration, we
> 	can use it as dependency for the concurrent fast path.
>
> Bug: chromium:1285706
> Change-Id: I6b975ea561be08cda840ef0dd27a11627de93900
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3380983
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78604}

Bug: chromium:1285706
Change-Id: I024e50fc0757fbcd13cb9ffde027dff55f99d25c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3386600Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78631}

This reverts commit 142dd775.

Reason for revert: TSAN breaks: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20stress-incremental-marking/6113/overview

Original change's description:
> cppgc-js,heap: Implement snapshots for embedder fields
>
> https://crrev.com/c/3293410 added concurrent processing of C++ objects
> found through V8 embedder fields. The CL missed that those embedder
> fields are not read atomically from JS objects. The problem is that
> embedder fields are only aligned to kTaggedSize on builds with pointer
> compression and are as such mis-aligned for atomic ops. This is not a
> problem for on-heap values as the upper 32bits are anyways computed
> from the cage. Is is a problem for generic C++ values though, as they
> are used with Oilpan.
>
> This CL adds the standard marker snapshot protocol for embedder fields.
>
> Marker:
> 1. Snapshot embedder fields
> 2. Try to mark host object
> 3. On success: process snapshot
>
> Main thread:
> 1. On setting embedder fields mark the object black first
> 2. Emit a write barrier for the embedder fields
>
> This will get simpler with the heap sandbox that uses a separate table
> for embedder fields. Once the sandbox is the default configuration, we
> 	can use it as dependency for the concurrent fast path.
>
> Bug: chromium:1285706
> Change-Id: I6b975ea561be08cda840ef0dd27a11627de93900
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3380983
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78604}

Bug: chromium:1285706
Change-Id: If1976c0356f450fc068aa4dcc39fb9a0d5417a40
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3386598
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#78605}

https://crrev.com/c/3293410 added concurrent processing of C++ objects
found through V8 embedder fields. The CL missed that those embedder
fields are not read atomically from JS objects. The problem is that
embedder fields are only aligned to kTaggedSize on builds with pointer
compression and are as such mis-aligned for atomic ops. This is not a
problem for on-heap values as the upper 32bits are anyways computed
from the cage. Is is a problem for generic C++ values though, as they
are used with Oilpan.

This CL adds the standard marker snapshot protocol for embedder fields.

Marker:
1. Snapshot embedder fields
2. Try to mark host object
3. On success: process snapshot

Main thread:
1. On setting embedder fields mark the object black first
2. Emit a write barrier for the embedder fields

This will get simpler with the heap sandbox that uses a separate table
for embedder fields. Once the sandbox is the default configuration, we
	can use it as dependency for the concurrent fast path.

Bug: chromium:1285706
Change-Id: I6b975ea561be08cda840ef0dd27a11627de93900
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3380983Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78604}

Included in this CL:
(*) Introduce CppMarkingState that V8 should use to push references to
    Oilpan. CppMarkingState allocates its own Worklist::Locals to
    support concurrent updates from V8.
(*) Split Oilpan MarkingWorklist object to form a base class used by
    CppMarkingState.
(*) Remove MarkerFactory and split marking initialization. Marking
    worklists should already be initialized when V8 initializes
    visitors. For incremental marking, this requires splitting
    marking initialization and marking start.
(*) Drive-by: Mark JSObject::IsApiWrapper and
    JSObject::IsDroppableApiWrapper as const.

Bug: v8:12407
Change-Id: I35cc816343da86f69a68306204675720e9b3913f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3293410Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78446}

Internal fields are used for implementing edges to C++ objects in
Oilpan. When setting the fields on a JS API object, we should also
emit a write barrier for this edge.

This mechanism replaces the explicit write barrier in V8's API which
is provided through `JSHeapConsistency::*`.

The internal barrier should also be slightly faster as it doesn't
require any API calls.

Bug: v8:12356
Change-Id: I639d18141acfb910d0ded8d987d8a0916e25431d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3257709
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77749}

TracedReferenceBase use (traced) global handles to implement the
referencs. Provide a write barrier in the corresponding handle
methods. Doing so
- avoids bugs by having embedders taking care of write barrier
  management.
- speeds up the barrier as it is better integrated in the handle
  methods.

Drive-by: We don't need write barriers on initializating stores.

Bug: v8:12165
Change-Id: Ie49cc3783aeed576fd46c957c473c61362fefbf2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247039
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77593}

... by explicitly passing pointer compression cage base value to various
IsXXX() and map() calls in order to avoid using incorrect auto-computed
cage base value when applied to objects allocated in external code space.

This CL also introduces IsCodeObject(HeapObject) predicate which checks
the IS_EXECUTABLE bit in the page header's flags.

Bug: v8:11880
Change-Id: Ib44398c3125392e46e939044a9bd27e09d7944d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229368Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77459}

Inline the RememberedSetAction and SaveFPMode flags directly into the
RecordWrite stubs:
- Save two register for input arguments
- Avoid branches in the RecordWrite stubs

We end up with 2 stubs for the EphemeronKeyBarrier and 4 stubs for
RecordWrite. Due to more inlined calls we have roughly 1KiB more
builtins code for RecordWrite currently. We will address this in the
future by splitting out common code into a separate stub. There is
no additional code size overhead for EphemeronKeyBarrier.

This saves 4 to 8 bytes on x64 per RecordWrite call and 2.5% sparkplug
code size reduction on d3.min.js.

Bug: v8:11420
Change-Id: Ib7170265dd6dd4b3aaf8275083f096e76fae8251
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2902731Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74661}

This CL adds features to pack/unpack map words.

Currently V8 cannot store extra metadata in object headers -- because V8
objects do not have a proper header, but only a map pointer at the start
of the object. To store per-object metadata like marking data, a side
table is required as the per-object metadata storage.

This CL enables V8 to use higher unused bits in a 64-bit map word as
per-object metadata storage. Map pointer stores come with an extra step
to encode the metadata into the pointer (we call it "map packing").
Map pointer loads will also remove the metadata bits as well (we call it
"map packing").

Since the map word is no longer a valid pointer after packing, we also
change the tag of the packed map word to make it looks like a Smi. This
helps various GC and barrier code to correctly skip them instead of
blindly dereferencing this invalid pointer.

A ninja flag `v8_enable_map_packing` is provided to turn this
map-packing feature on and off. It is disabled by default.

* Only works on x64 platform, with `v8_enable_pointer_compression`
  set to `false`

Bug: v8:11624
Change-Id: Ia2bdf79553945e5fc0b0874c87803d2cc733e073
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247561Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73915}

Change-Id: Ic00ce0856d6ce3f9c6872fa7f35c469f7177c9c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807605
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73830}

Change-Id: I5d82528cd07c263bfbedfdd3a090bcd4f67ef55d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2428593Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70117}

This is a reland of 1dd7f3a9

Original change's description:
> [heap] Add concurrent marking write barrier
> 
> A LocalHeap creates and owns an instance of MarkingBarrier. A pointer to
> the marking barrier is set to a thread_local variable for a quick access.
> 
> WriteBarrier::MarkingSlow fetches the thread_local variable and invokes
> the write barrier if it is set. Otherwise, it invokes the main thread
> heap()->marking_barrier().
> 
> Each marking barrier has its own local marking worklist that is
> published during scavenge (for updating pointers) and at finalization
> of incremental marking.
> 
> Typed-slot recording does not work yet because it is not thread-safe.
> It will be fixed in a subsequent CL.
> 
> Bug: v8:10315
> Change-Id: I221a906436cd91e7405a253ce0eb06cf68046f2c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2354809
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69448}

Bug: v8:10315
Change-Id: I155bb0aadd53a5333672fb085b33d8da86f3f336
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2364509Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69517}

This reverts commit 1dd7f3a9.

Reason for revert: Breaks TSAN - https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN/32846?

Original change's description:
> [heap] Add concurrent marking write barrier
> 
> A LocalHeap creates and owns an instance of MarkingBarrier. A pointer to
> the marking barrier is set to a thread_local variable for a quick access.
> 
> WriteBarrier::MarkingSlow fetches the thread_local variable and invokes
> the write barrier if it is set. Otherwise, it invokes the main thread
> heap()->marking_barrier().
> 
> Each marking barrier has its own local marking worklist that is
> published during scavenge (for updating pointers) and at finalization
> of incremental marking.
> 
> Typed-slot recording does not work yet because it is not thread-safe.
> It will be fixed in a subsequent CL.
> 
> Bug: v8:10315
> Change-Id: I221a906436cd91e7405a253ce0eb06cf68046f2c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2354809
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69448}

TBR=ulan@chromium.org,dinfuehr@chromium.org

Change-Id: I9719d565aaa313cd23f5e759dcef1246f475eb46
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:10315
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362689Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69451}

A LocalHeap creates and owns an instance of MarkingBarrier. A pointer to
the marking barrier is set to a thread_local variable for a quick access.

WriteBarrier::MarkingSlow fetches the thread_local variable and invokes
the write barrier if it is set. Otherwise, it invokes the main thread
heap()->marking_barrier().

Each marking barrier has its own local marking worklist that is
published during scavenge (for updating pointers) and at finalization
of incremental marking.

Typed-slot recording does not work yet because it is not thread-safe.
It will be fixed in a subsequent CL.

Bug: v8:10315
Change-Id: I221a906436cd91e7405a253ce0eb06cf68046f2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2354809
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69448}

This moves marking write barrier related functions from Heap and
IncrementalMarking into a separate class: MarkingBarrier.

Additionally, a new WriteBarrier class is added at the heap API level
that dispatches to MarkingBarrier.

Future CLs will move slots recording in MarkingBarrier and apply
the same refactoring to the generational barrier. An instance of
MarkingBarrier will be added to each LocalHeap and enable it to
emit a write barrier from a background thread.

Bug: v8:10315
Change-Id: Icc147b48563d88c85d99ead99b1e201f523721d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2280083Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68703}