Add an implementation of compare ops which, like binary ops,
speculatively reads integers (but still returns a tagged true/false
value).

Bug: v8:7700
Change-Id: I38f0ba99f8f7af30c89d0b987e28483c9610463f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657440
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80692}

We weren't always clearing latest_checkpoint_state on merge points, so
bottleneck it in a better location.

Bug: v8:7700
Change-Id: Iaac5922d769d97d49b85613d5390196a14ad8059
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657437Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80691}

Deopt InputLocation next_use fields are not initialised, so if a deopt
is the last use of a node we won't release it. Fix this by initialising
the input location array. Also add a DCHECK to verify that register
assignments match what registers a node thinks it's in.

Bug: v8:7700
Change-Id: I4003a027489cf8eeef7c4e60fa64f72cebd2c4e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657438Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80690}

Mostly in comments, again, not much to be said...

Bug: v8:12425
Change-Id: If0890132606b5ae8d5e173907bfdc063b9811ac6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657428Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80689}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/b8694ed..b2f1ec8

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/2f98847..4e6aa25

Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220521.3.1..version:8.20220522.3.1

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: Ib008d9d40613b94ba54897d10f1a842683498570
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3659712
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80688}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/44ff734..b8694ed

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/0e9a7d2..2f98847

Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220520.3.1..version:8.20220521.3.1

Rolling v8/third_party/zlib: https://chromium.googlesource.com/chromium/src/third_party/zlib/+log/2fe249a..80b28c9

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/ec2da2f..6df1876

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I48af985a9d0f037c7ccdc3e7e6c66f0d0e6e7610
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3658142
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80687}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/399520d..44ff734

Rolling v8/buildtools/third_party/libc++abi/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxabi/+log/3e4d383..4ad92ec

Rolling v8/buildtools/third_party/libunwind/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libunwind/+log/c9b2288..d03f56b

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/8111049..a1cf7a2

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/bd80a1b..0e9a7d2

Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220519.0.1..version:8.20220520.3.1

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/bec960d..ec2da2f

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I3cfe4f14fa51e977aa3efa79d124aeab74aaad17
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3658135
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80686}

Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.plaindatetime.prototype.tozoneddatetime

Bug: v8:11544
Change-Id: Ic4464e6d4521fb7e006164933df4f38c5d3115b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3554666
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80685}

Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.instant.prototype.tozoneddatetime
https://tc39.es/proposal-temporal/#sec-temporal.instant.prototype.tozoneddatetimeiso

Bug: v8:11544
Change-Id: I452dfbf027e5d58edde9f9691519204ff29d8082
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3382058
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80684}

Also Add AOs: ToTemporalYearMonth, YearMonthFromFields, ParseTemporalYearMonthString

Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.plainyearmonth.from
https://tc39.es/proposal-temporal/#sec-temporal-totemporalyearmonth
https://tc39.es/proposal-temporal/#sec-temporal-parsetemporalyearmonthstring
https://tc39.es/proposal-temporal/#sec-temporal-yearmonthfromfields

Bug: v8:11544
Change-Id: I04b30a4159142a996c765c542f19e66bee593e4e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3538666Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80683}

Bug: v8:11544
Change-Id: Iaf440009b2abdf9e90de3ed0e6e02eb35060a65b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3437889Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80682}

Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.zoneddatetime.prototype.withplaintime

Bug: v8:11544
Change-Id: I1c35c1105c9f2cc051d3b17718f52170fbee2a5f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3565027Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80681}

Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.plaindate.prototype.toplainmonthday
https://tc39.es/proposal-temporal/#sec-temporal.plaindate.prototype.toplainyearmonth
https://tc39.es/proposal-temporal/#sec-temporal.plaindatetime.prototype.toplainyearmonth
https://tc39.es/proposal-temporal/#sec-temporal.plaindatetime.prototype.toplainmonthday


Bug: v8:11544
Change-Id: Ia97de3b4dde183ae4ee514deb4d13da5d5ff9bae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3534451Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80680}

TSAN intercepts atomic accesses and uses locking. Since YIELD_PROCESSOR
is used in spinlock loops in conjunction with atomic accesses, such
spinlock loops can exhibit starvation in TSAN. To work around the
problem, have YIELD_PROCESSOR sleep the process for 1ms.

Change-Id: I042368cfc6b55abdba5c897a8f23cc633a70ba13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3651514Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80679}

Implement the following methods of ZonedDateTime
year, month, monthCode, day, dayOfWeek, dayOfYear, weekOfYear,
daysInWeek, daysInMonth, daysInYear, monthsInYear, inLeapYear,
era, eraYear

Also implement corresponding AOs (CalendarXXX).

Spec Text:
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.year
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.month
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.monthcode
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.day
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.dayofweek
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.dayofyear
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.weekofyear
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.daysinweek
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.daysinmonth
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.daysinyear
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.monthsinyear
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.inleapyear
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.era
https://tc39.es/proposal-temporal/#sec-get-temporal.zoneddatetime.prototype.erayear

Bug: v8:11544
Change-Id: I7d7008a719f0109836834d170c5f52b49c3ffb7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3565028
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80678}

Also add AO: TemporalDurationToString

Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.duration.prototype.tojson
https://tc39.es/proposal-temporal/#sec-temporal-temporaldurationtostring

Bug: v8:11544
Change-Id: I7dfdb5458b88646a4ac7b7713e7c8e63352f7539
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3438375
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80677}

Also add AOs: ParseTemporalMonthDayString, MonthDayFromFields,
ToTemporalMonthDay
Spec Text:
https://tc39.es/proposal-temporal/#sec-temporal.plainmonthday.from
https://tc39.es/proposal-temporal/#sec-temporal-totemporalmonthday
https://tc39.es/proposal-temporal/#sec-temporal-parsetemporalmonthdaystring
https://tc39.es/proposal-temporal/#sec-temporal-monthdayfromfields

Bug: v8:11544
Change-Id: I971b5a0f43b9dbeefe38ebe28035f7c9b1a617ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3538664Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80676}

Spec Text:
https://tc39.es/proposal-temporal/#sup-temporal.plaindate.prototype.tostring
https://tc39.es/proposal-temporal/#sup-temporal.plaindate.prototype.tolocalestring
https://tc39.es/proposal-temporal/#sup-temporal.plainmonthday.prototype.tostring
https://tc39.es/proposal-temporal/#sup-temporal.plainmonthday.prototype.tolocalestring
https://tc39.es/proposal-temporal/#sup-temporal.plainyearmonth.prototype.tostring
https://tc39.es/proposal-temporal/#sup-temporal.plainyearmonth.prototype.tolocalestring

Implement toString/toLocaleString as non-intl version.

Because toString took options bag in Temporal, we cannot use the
same way how we handle Date.prototype.toLocaleString() for non-intl
build by just forwarding to it's toString implementation.
Change built-ins-defintions.h to always has built-ins for
*.toLocaleString , not just in intl build.
Change src/init/bootstrapper.cc away of the toLocaleString forward
to toString approach.

Implement the non-intl version of ToLocaleString in js-temporal-objects.cc for
Temporal.Plain(Date|YearMonth|MonthDay)


Bug: v8:11544
Change-Id: I202bcf28ef05ed03c337475300cfdfd18b52ffb3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3656137Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80675}

Bug: v8:12868

Also adds wtf8.cc, wtf8.h to src/wasm, to implement WTF-8 validation and
possibly other utilities.  Also fixes a bug when parsing the string
literals section; I had misunderstood the way the unordered/ordered
sections mechanism worked.

Change-Id: I3c4205e0872379a69575f84ba33e0090a9d8d656
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652789
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80674}

Before: when cet is disabled v8_shell is marked with the
cetcompat bit, which breaks the chromium build on cet
machines.

With this CL: v8_shell is not marked as cetcompat unless
v8_enable_cet_shadow_stacks is true.

Bug: chromium:1289318
Change-Id: If8a79ac5288a9a3385bf6b692db566508cca248f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3656146
Commit-Queue: Alex Gough <ajgo@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80673}

Bug: v8:11525,v8:12820
Change-Id: Ic4cd3172a4d6884b8234ca6b6463dfc405e10ba1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652793
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80672}

Bug: v8:12893
Change-Id: Ibc2068011243b2ec811cd90646f0ec2a0d93cc05
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657433
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80671}

Add Int32/Float64 nodes for:

  * Subtract
  * Multiply
  * Divide

and additionally Int32 nodes for

  * BitwiseOr/And/Xor
  * ShiftLeft/Right/RightLogical

The latter ones don't have Float64 equivalents since they're implicitly
Int32 operations. In the future we'll add support for Number feedback by
adding Float64-to-Int32 conversions and using the Int32 nodes.

The divide node does an Int32 division and deopts if there's a remainder
to the division -- we may want to make it output a Float64 instead if we
think that's more likely in real-world code. There's also no peephole
optimisations for constant operations, which would generate much better
code, especially for shifts.

Bug: v8:7700
Change-Id: Ief1d24b46557cf4d2b7929ed50956df7b0d25992
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652301
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80670}

This reverts commit 74c68e2a.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan/21353/overview

Original change's description:
> [heap] Disable map space with --future
>
> Original CL got reverted, this time the failing test should be fixed.
>
> Bug: v8:12578
> Change-Id: Id2d8801f07742e8b00884fefec8200e4270f4250
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657434
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80668}

Bug: v8:12578
Change-Id: I2ee20c79ec09ff4f7bece6ddcc1c3a5cd9351223
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3647692
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80669}

Original CL got reverted, this time the failing test should be fixed.

Bug: v8:12578
Change-Id: Id2d8801f07742e8b00884fefec8200e4270f4250
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657434
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80668}

Unfortunately heap setup happens before setting up flags in practice.
This means that flags such as `--single-threaded-gc` were not respected
properly for Oilpan. Delay the setup until the GC is actually triggered.

Bug: chromium:1326723
Change-Id: Icabe7ecf27e879bd44bba5e09ca176beb012c58a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657430Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80667}

Enforce the parent context has a smaller id, this time more forcefully.

Bug: v8:11525,v8:12820
Change-Id: I05bf675545b81b818eebfcaa40ee6bb93f5bcf9e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652792
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80666}

These bots should run sandbox tests in the future, for which the memory
corruption API will be required.

Bug: v8:12878
Change-Id: Ib64bfb0ae080016db6d1629f375d2a71a20d70b4
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657427Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Auto-Submit: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80665}

This reverts commit 4ba3b515.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20no-concurrent-marking/8900/overview

Original change's description:
> [heap] Disable map space with --future
>
> Bug: v8:12578
> Change-Id: If0253a2feb383d6ef313729bf99b489eb9436303
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652794
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80660}

Bug: v8:12578
Change-Id: I9ccfc2641b29539a29258a6517824cdd5a5709d5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3657432
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#80664}

A fixup to https://chromium-review.googlesource.com/c/v8/v8/+/3644961
that I had neglected to address then.  Whoops!

Change-Id: Id0f2721e6cdfb3493b5d11043f6a6a3273e1fc09
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652790Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80663}

This is a reland of commit e8cac377
The proxy resolver issue is fixed in a separate CL.

Original change's description:
> [rwx][mac] Enable fast W^X on Apple Silicon (M1)
>
> Bug: v8:12797
> Change-Id: I53bb803dd77db5bdd42b1a1b4b568e63857adf31
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3598861
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#80396}

Bug: v8:12797
Change-Id: Icd897d3f3ff1f1bcfdb9e874e13f6a654c985fc8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650925
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80662}

Fixed: chromium:1327321
Change-Id: I4868e0127b9dd14a0812cafca1681280534faa46
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652788Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80661}

Bug: v8:12578
Change-Id: If0253a2feb383d6ef313729bf99b489eb9436303
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652794Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80660}

When enabled, this API exposes a new global 'Sandbox' object which
contains a number of functions and objects that in effect emulate
typical memory corruption primitives constructed by exploits. In
particular, the 'MemoryView' constructor can construct ArrayBuffers
instances that can corrupt arbitrary memory inside the sandbox. Further,
the getAddressOf(obj) and getSizeInBytesOf(obj) functions can be used
respectively to obtain the address (relative to the base of the sandbox)
and size of any HeapObject that can be accessed from JavaScript.

This API is useful for testing the sandbox, for example to
facilitate developing PoC sandbox escapes or writing regression tests.
In the future, it may also be used by custom V8 sandbox fuzzers.

Bug: v8:12878
Change-Id: I4e420b2ff28bd834b0693f1546942e51c71bfdda
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650718Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80659}

Fixed: v8:12886
Change-Id: I729f6f11be3befa573ac6a201dc91e3d5f2eebc1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652791
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80658}

LLd and Scd should be used for StoreType::kI64Store* types.

Change-Id: Ic645c9149c7ade95e0a36acadb48d246ee817469
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3655179
Auto-Submit: Yu Liu <liuyu@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#80657}

Adding the shared heap write barrier caused regressions on some
benchmarks. Presumably this is because the compiler can't merge the
fast paths of the generational and shared heap write barrier.

This CL therefore introduces a CombinedHeapBarrier that manually
unifies the fast path for the marking, generational and shared heap
write barrier. This should make the barrier easier to optimize for
the compiler. In particular it should help to ensure that page flags
don't need to be loaded multiple times in a single full write barrier.

Bug: chromium:1326446, v8:11708
Change-Id: Iacd487f1263491cf4c05f25e004233a52b7c45a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644964Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80656}

By popular demand.

Bug: v8:7748
Change-Id: I6892d5cb92066ecc56574b5f27a09088c692e071
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3650927
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80655}

Bug: v8:12868

A slight modification to the existing DFA-based UTF-8 allocator to allow
decoding surrogates, for use in decoding WTF-8.  We'll need to
additionally constrain the decoder to disallow surrogate pairs.

Change-Id: Ifddbf08d4eeeff8f270df52a68f01769ea790eec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652787
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80654}

With crrev.com/c/3641564, Chromium now uses PartitionAlloc for
ArrayBuffer allocations even if one of the sanizier tools (e.g. ASan) is
enabled. As such, sanitizer builds are now compatible with the sandbox.

Bug: chromium:1218005
Change-Id: I100bf3ef442c556652fb00dd6c09d06b167e6577
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3652785
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#80653}