Move the current code sequence in TurboFan to a macro-assembler helper
function to allow Liftoff to reuse it.

Bug: v8:10997
Change-Id: I08a9d5b6d1f7898bf7e9239f54d69867e00b30eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2620906
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72057}

Rolling v8/base/trace_event/common: https://chromium.googlesource.com/chromium/src/base/trace_event/common/+log/eb94f1c..9b27757

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/d599553..787a10d

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/d1a3011..3889691

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/82b992a..8149a96

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/2246bee..b12d1c8

Rolling v8/tools/luci-go: git_revision:67aba6e3373bb0b9e3ef9871362045736cd29b6e..git_revision:16e6d735358b0166f06fd2e4daa0da4cff9918e9

Rolling v8/tools/luci-go: git_revision:67aba6e3373bb0b9e3ef9871362045736cd29b6e..git_revision:16e6d735358b0166f06fd2e4daa0da4cff9918e9

Rolling v8/tools/luci-go: git_revision:67aba6e3373bb0b9e3ef9871362045736cd29b6e..git_revision:16e6d735358b0166f06fd2e4daa0da4cff9918e9

TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: Id7c5629638d61e81b9868d7c905d88668a528b5a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625753Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#72056}

Implement these 4 instructions for x64 Liftoff:
- i64x2.widen_low_i32x4_s
- i64x2.widen_high_i32x4_s
- i64x2.widen_low_i32x4_u
- i64x2.widen_high_i32x4_u

We move the codegen for the *high* instructions into macro-assembler to
allow sharing of the optimized code sequence between TurboFan and
Liftoff.

Bug: v8:10972
Change-Id: I900b24f96ee55784220656cb2664283b03c32110
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2621862
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72055}

Move the current code sequence in TurboFan to a macro-assembler helper
function to allow Liftoff to reuse it.

Bug: v8:10997
Change-Id: I6205350897a4afc7ca9d0f84fd514be24508aef0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2620905Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72054}

To improve incremental builds.

Bug: v8:7793
Change-Id: I6990a97e058d22d34acd1f609167cd30ca7518ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2596789Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#72053}

Change-Id: Ife7fb1c08acd864f59b1f45877e7e75fd81748a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625488Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#72052}

Also fix the simulator to avoid overrating dst register
during VectorPack.

Bug: v8:10971
Change-Id: I137e3cf4f73ddfc12c50099d519668858f95ecf3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625487Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#72051}

Bug: v8:10971
Change-Id: Idaa75b5c4d63695dbb8eed2be076f067ff5df9ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2623817Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#72050}

- Modify InstructionSelectors to track both padding and multiple
  slot values to correctly adjust stack pointers when pushing
  arguments. Pass stack offset as an immediate operand.
- Modify CodeGenerators to handle alignment padding.

Bug: v8:9198
Change-Id: I1c132284e07b5f5e73ce570a641f17decdfba504
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2596027Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72049}

Add nicohartmann@ as an owner.

Change-Id: I7c24b1ab575db857a15cff709f44c87c74106d80
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2593332Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72048}

Port d6c4c884

R=zhin@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N

Change-Id: I99c91b49c1fda7e50fee7d9a204e9ade3e336220
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2623808Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#72047}

Port acbdaa4c

Original Commit Message:

    Also remove some ifdefs since it is implemented on all architectures.

R=zhin@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N

Change-Id: I2ec501c15dda5a0aa970b8b7d18a995e60f71b60
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2624747Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#72046}

bulk-memory shipped in V8 v7.5, hence the feature flag can be removed
now. This saves some binary size and a few dynamic checks for the flag.

R=ahaas@chromium.org

Bug: v8:11074
Change-Id: Ia73622637939f2192940fdd6909520786ed27286
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2622913Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72045}

Drive-by-fix:
- fix load spinner z-index

Change-Id: I4a8f9b768ec858da4d91780ae0998a685f4438bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2624609Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72044}

Bug: v8:10667
Change-Id: Ie11b21f6610ad5e5be81e12191207ac85680a1ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2622213
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72043}

This adds the following internal properties to `WasmInstanceObject`
values in DevTools:

 - `[[Module]]` pointing to the `WasmModuleObject`, allowing the
   developer to find the module to an instance no matter where in
   DevTools front-end the instance is inspected.
 - `[[Functions]]`, `[[Globals]]`, `[[Memories]]`, and `[[Tables]]`
   are shown (when they aren't empty), allowing developers to inspect
   the entities within an instance no matter where in DevTools front-end
   it's inspected.

This also updates the _Module_ scope for Wasm frames to show the entity
containers (`functions`, `globals`, `memories` and `tables`) in addition
to the `instance` and `module` to make it easier accessible (fewer
clicks to get there), but also to align it better with the _Add property
path to Watch_ and _Copy property path_ features (since exactly the same
names are exposed via Debug Evaluate on Wasm frames).

```
> Stack
> Locals
v Module
  > module
  > instance
  > functions
  > globals
  > memories
  > tables
```

Drive-by-fix: Move GetWasmModuleObjectInternalProperties() logic into
debug-wasm-support.cc

Screenshot: https://imgur.com/ksEHG2I.png
Doc: http://bit.ly/devtools-wasm-entities
Fixed: chromium:1165294
Bug: chromium:1071432, chromium:1164241, chromium:1165304
Change-Id: Ia88fb2705287c79988ff2b432e4a33ac34e098f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2622912Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72042}

`0x12345678` will be written to memory in the same order on BE
machines however, as Wasm is LE enforced, a memory load will
force a byte reverse operation on BE machines which changes the value.

To fix the problem, we write the reversed value to memory.

Change-Id: I0d562768d5cef823cb918ed1b57a2a41e404ffc6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2622927
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72041}

The dead target check in TransitionArrayNeedsCompaction, confirming that
Smi (uninitialized) targets imply that no other target is dead, has to
additionally support Smi entries.

Bug: v8:11305
Change-Id: I6f3fa9e7420b1bd0a64a25dae670f439e3f41162
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2622914
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72040}

Make sure gcmole detects issue in DisallowGarbageCollection scopes.

DisallowGarbageCollection is widely used in the codebase to document
code that doesn't allocate. However, this has the rather unexpected
side-effect that gcmole is not run when such a scope is active.

This CL changes the default behavior of gcmole to run even with
DisallowGarbageCollection scopes present. This will give us the best
results of both worlds, dynamic checks by the fuzzer, and static
analysis by gcmole.

To allow crazy local raw pointer operations there is a new
DisableGCMole scope that explicitly disables gcmole.

Change-Id: I0a78fb3b4ceaad35be9bcf7293d917a41f90c91f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2615419Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72039}

Add a pre-loop over transition arrays during compaction, that checks
whether compaction is needed at all, and whether any of the entries are
still uninitialized values as part of deserialization (and therefore no
other targets can be dead). Bails out of compaction early if this is the
case.

Bug: v8:11305
Change-Id: I27af792a8a0bd3df17892f54ac95ed15e4bdfcc0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2622910Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72038}

.. instead of implicitly using -1 as a marker in a few spots.

Bug: chromium:1161357
Change-Id: Icfb9a2b81dbda844c8405c57454d63ae89dfe4f9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2606336
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72037}

The frame pointer did not point to the previous frame pointer, which
made the stack non-iterable with SafeStackFrameIterator.

This can cause pointer authentication failures when CFI is enabled,
as we expect the value stored above the previous frame pointer to
be a return address.

Bug: v8:10026
Change-Id: Ia55181038b1b277d0a6df519f1e7f61859847b1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2614429Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#72036}

... and fix an issue in TurboFan and issues in Liftoff.

R=manoskouk@chromium.org

Bug: v8:10949
Change-Id: I3493205ab56a4ded550af6fcd75c465f7d8894ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2618246
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72035}

Changes:
- Rename PassThrough -> Forward in function-body-decoder.
- Introduce IsHeapSubtypeOf in subtyping.
- Do not push a redundant bottom value in br_on_null, remove
  fallthrough. Also, improve code structure.
- Update a couple of comments.

Bug: v8:7748
Change-Id: I8d23cd3829c5504156ace595f8ac86c511c9f5e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2611250
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72034}

Change-Id: I6970506864a5b2604f9d4607c2f20ffa2b409c9e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2621078Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72033}

As per https://v8.dev/docs/contribute: Code contributions to v8 are
done through Gerrit, not using GitHub pull requests.

Unfortunately not a lot of people seem to read this and end up opening
PRs on the github v8 mirror which then needs to be closed manually:
https://github.com/v8/v8/pulls?q=is%3Apr+is%3Aclosed

Rather than manually closing these PRs, once we add this config, we
can make the google GitHub bot automatically do this. See:
https://opensource.google/docs/github/disable-features/#close

Bug: v8:11301
Change-Id: I2b55f60cb095bd4d3e26e5a096dac2c1c886ba31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2617080Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72032}

The watchdog previously didn't terminate execution, it just prevented
the execution of additional tasks.
This CL fixes that by making {TaskRunner::Terminate} actually terminate
execution in the isolate.

It also adds a regression test for this.

R=szuend@chromium.org

Bug: chromium:1154412, chromium:1142437
Change-Id: Ic6638e8a5c37e8840a85651b4d4bea2ee0f71c43
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2622212Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72031}

Changes:
- Add LoopExit and LoopExitValue functions in wasm-compiler.
- Handle kLoopExitValue opcode in simd-scalar-lowering.

Bug: v8:11298
Change-Id: I4d00402ed1913f927bec973b3d480ddc1990962b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2611251Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72030}

Prototype these 4 instructions:

- i64x2.widen_low_i32x4_s
- i64x2.widen_high_i32x4_s
- i64x2.widen_low_i32x4_u
- i64x2.widen_high_i32x4_u

Bug: v8:10972
Change-Id: I57508a7fcafdf3b8a9477d6e9292fbb6b67e3619
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2612342
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72029}

Use a bit to work around the issue of ICU getType() bug.

Bug: v8:11295
Change-Id: I15d65bd44c489031d789e7638ea8abab90128124
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2614216
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72028}

Change-Id: I1024b336ac3d24c69f5a47a919b69a9ef363ec66
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2620002
Auto-Submit: Liu yu <liuyu@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#72027}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/d1a7463..d599553

Rolling v8/buildtools: https://chromium.googlesource.com/chromium/src/buildtools/+log/2277272..235cfe4

Rolling v8/buildtools/linux64: git_revision:0d67e272bdb8145f87d238bc0b2cb8bf80ccec90..git_revision:595e3be7c8381d4eeefce62a63ec12bae9ce5140

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/e174329..d1a3011

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/c1aa4ec..82b992a

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/01d7e1f..2246bee

TBR=machenbach@chromium.org,tmrts@chromium.org,v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: Ib358f0e49fab39cf13fb91a0db2a2b453b28c94a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2622902Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#72026}

Prototype these 4 instructions:

- i64x2.widen_low_i32x4_s
- i64x2.widen_high_i32x4_s
- i64x2.widen_low_i32x4_u
- i64x2.widen_high_i32x4_u

Implementation is the same as x64.

Drive-by fix to add a missing CpuFeatureScope to x64.

Bug: v8:10972
Change-Id: Iacc84bce156053d0ac39b1a419727c93c499a8c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2612339
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72025}

Also remove some ifdefs since it is implemented on all architectures.

Bug: v8:10997
Change-Id: I06f82e2c67219a8990bdd7c78e63b1300c8f34d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2620907Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72024}

Removing ifdef guards since our 4 supported architectures
implement this now.

Bug: v8:10971
Change-Id: Ic0295b1492a6316df61340a38f3e6d06d8fe64ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2620900
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72023}

Bug: v8:10997
Change-Id: Ic7a3848792867ef3068151eff8dbf45e628ce6c2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2620901Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72022}

Implementation is the same as x64.

Disassembly support for the new instruction, pmulhrsw, is already
supported due to the macro list.

Bug: v8:10971
Change-Id: I099c4f8c3da521006ef5e2b151626f25a5df1ed9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2620898Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72021}

Bug: v8:11086
Change-Id: Ib896020b0865c0f87cabbde254bc8af36ce705d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2623007Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#72020}

Currently, the CodeMap utilizes double indirection into a deque for
entries in its map. Since we don't reuse CodeEntry objects, this doesn't
confer any benefits really -- avoid this step and save memory by
maintaining only a single mapping.

Bug: v8:11054
Change-Id: I2cbc188ff64dd2faa9c4c03d9892b4c8e5e68794
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2617746Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Andrew Comminos <acomminos@fb.com>
Cr-Commit-Position: refs/heads/master@{#72019}

This CL fixes a bug in the code generation for I32AtomicCompareExchange
in Liftoff on ia32. The problem is the inconsistency that
LiftoffAssembler::PeekToRegister(...) introduces to the cache state.
PeekToRegister loads the value from the value stack into a register, but
does not pop the value off the stack. When the value was already stored
in a register, the use counter of that register gets decreased, even
though the value is still on the stack.

The problem arises when this register later gets reused, which is
necessary unfortunately on ia32. When SpillRegister is called for this
register, all stack values that are stored in this register get written
to memory. SpillRegister uses the use counter of the register to detect
when the register was spilled to all stack slots that were cached by
this register. However, as described above, the value stack and the use
counter are inconsistent at that moment, so SpillRegister finishes
early and does not spill the register to all stack values, and this
causes the bug later.

With this CL the decrement of the use counter gets delayed until when
the value actually gets popped off the stack.

R=clemensb@chromium.org

Bug: chromium:1145135
Change-Id: I07cb256a7e5135dbce41b246c120650635ad2758
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2602464Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72018}