This CL adds PKU support for V8 heap, but we will not enable
PKU by default before adding bots that are able to test the
PKU machinery.

Bug: v8:13023
Change-Id: I0465604d56900536ad63311f119ea0324ebe4f2f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3793944Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Wenqin Yang <wenqin.yang@intel.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82965}

Inline DependOnStablePrototypeChain to iterate only those maps which
share a validity cell with the receiver map. This resolves an issue
where maps after the holder object violate the stability invariants, but
doesn't require looking up what the actual holder is.

Bug: v8:7700
Change-Id: Id06f0d13660f547e14dd25085799c0e6223c34b9
Fixed: chromium:1359215
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871298
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82964}

This reverts commit e7bf8110.

Reason for revert: Failing TSAN runs

Original change's description:
> [sandbox] Sandboxify ExternalString external pointers
>
> Bug: v8:10391
> Change-Id: I0f737e5adf6e4fd24f93436fa5680ff20c1536da
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757901
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82958}

Bug: v8:10391
Change-Id: I384d49016b9494655866339a21dab60d451158a7
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872271
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82963}

There was a missing write barrier for the saved registers and context
in GeneratorStore. Add (deferred) write barriers for these, with some
careful register reshuffling to minimise moves.

Bug: v8:7700
Change-Id: Icf50e96adf3775785ce9b2c5a7566ecbbd1d63d9
Fixed: chromium:1359163
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870914Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82962}

This ignores one of --assert-types and --stress-concurrent-inlining if
used together. We already filter those from trials, but they also might
get picked from // Flags lines in test cases.

No-Try: true
Bug: chromium:1359829
Change-Id: I7e46afb53bdbb0a871c7443a5a66a339046eb3de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871195Reviewed-by: Clemens Backes <clemensb@chromium.org>
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82961}

Bug: chromium:1355871
Fixed: chromium:1359712
No-Tree-Checks: true
Change-Id: I01e35ec6c35d82608797d8ae222d79a125ca5758
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872346
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Auto-Submit: Thomas Anderson <thomasanderson@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82960}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/aebd733..a412eb2

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/eb16430..a089281

Rolling v8/third_party/fuchsia-sdk/sdk: version:9.20220902.0.1..version:9.20220902.1.1

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: Ied5248bff1159fc65f61bfc512464e356578840b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872519
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82959}

Bug: v8:10391
Change-Id: I0f737e5adf6e4fd24f93436fa5680ff20c1536da
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757901
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82958}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/15f3aed..aebd733

Rolling v8/buildtools: https://chromium.googlesource.com/chromium/src/buildtools/+log/734683a..18d22db

Rolling v8/buildtools/third_party/libc++/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxx/+log/84f0693..369cbf3

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/8cdc635..eb16430

Rolling v8/third_party/fuchsia-sdk/sdk: version:9.20220831.2.1..version:9.20220902.0.1

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/e0c2881..0a22859

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I01a1df8f6fe1db74fad773480edb5801f2851219
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3872510
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82957}

This CL makes SelectGarbageCollector choose MinorMC to finalize
minor incremental marking if the allocation space is new space.

Bug: v8:13012
Change-Id: I0125d956842d83683cf3b1c5999de0e10a43dee5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871074
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82956}

This CL exclusively activates ScavengeTaskObserver, used by Scavenger
and atomic MinorMC, or MinorMCTaskObserver, used by concurrent
MinorMC.

Bug: v8:13012
Change-Id: I313b0cbe250828cc76d7d4b25e9abb457315112e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871295
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82955}

This is a reland of commit 5a318a23

Original change's description:
> Port Generic JS-Wasm Wrapper for arm64
>
> Bug: v8:10701
> Change-Id: I2014f8994c74379663998e2560d1d51b98a4a9a6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3811834
> Reviewed-by: Jakob Linke <jgruber@chromium.org>
> Commit-Queue: Ilya Rezvov <irezvov@chromium.org>
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82915}

Bug: v8:10701
Change-Id: Ic0ac1478759150a5cc7e75d1a8e4e465e0d48233
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869197Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Ilya Rezvov <irezvov@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82954}

When internalizing cached external string that are not in-place
internalizable, there is an optimization that avoids copying the
contents of the string. This optimization doesn't work when the string
table is shared, as it leaves strings in a partly initialized state that
can be accessed in a concurrent environment.

Bug: v8:12007
Change-Id: I49fcbb232893c87d065af114546a6f1a15471016
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870469
Auto-Submit: Patrick Thier <pthier@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82953}

Change-Id: Ie36ef2b934b4ea1fd256175748daac73246be826
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870467Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82952}

When aborting compaction on a page, slots need to be recorded in the
non-evacuated part. Now that maps might be recorded as well, slots
need to be recorded in the map word as well.

Bug: chromium:1359294, v8:12578
Change-Id: I91e4a98ae2951d814d4b50e527b34d8e54d55434
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871297
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82951}

DoubleToInteger, which corresponds to the ToIntegerOrInfinity AO in
ecma262, never returns -0. Currently there's a bug as std::ceil can
return -0.

Bug: v8:10271
Change-Id: Id5e7d040ef9d186462022dc96052d7920be6ebed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869196
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82950}

A minor refactoring to call a static method instead of just creating an
instance in order to do the work.
This also makes it easier to later add methods to process all feedback
before dumping profile information.

R=jkummerow@chromium.org

Bug: v8:13209
Change-Id: I157357753b3a1cff83df426660501c43959937b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870468
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82949}

This CL fixes a regression caused by https://crrev.com/c/3865147.

Bug: v8:13012
Change-Id: I2a0b89965a305197b499044ea7b10285a763dc4d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3871296
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82948}

The `target` field of call feedback may be stored in the feedback
vector without protection by generated code (see
TryInitializeAsMonomorphic).  We thus can't assume a memory fence
exists when creating the ref, switch to TryMakeRef instead.

Bug: v8:7790,v8:12876
Change-Id: I428b00b19a417e818c315f1cf9ee62d19f0747d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867728
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82947}

Add BitcastWordToTagged and BitcastWordToTagged to
CannotObserveStoreField in StoreStoreElimination to
allow more stores to be eliminated.

Also add the use properties in CannotObserveStoreField
so that future nodes don't block opportunities.

Improves Speedometer2 by 0.16% and 0.12% on a Cortex-A55
and a Neoverse-N1 machine respectively, with Preact seeing
+0.8% on both.

Change-Id: I0cfe887ec4c0c435dbb0f9d8dc3da4bfcdabc265
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865560Reviewed-by: Patrick Thier <pthier@chromium.org>
Commit-Queue: George Wort <george.wort@arm.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82946}

Fixes the use of v8_enable_fast_mksnapshot on platforms that
aren't ia32 or x64. This was introduced by
https://chromium-review.googlesource.com/c/v8/v8/+/3863281

Change-Id: I0d18c2d16dae4937baa40ee336d8c246a8b77889
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867408Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: George Wort <george.wort@arm.com>
Cr-Commit-Position: refs/heads/main@{#82945}

This makes it clear that the constructors are to be used for a basic block that starts a loop or a basic block that starts an exception handler.

Bug: v8:7700
Change-Id: Ic58dd80f223e45b4e5cf5da6e78e989ba18d55a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870916
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82944}

Move the logic to negate a flag properly if the name starts with '!' to
the general {FlagName} helper. This fixes an otherwise weird formatting.

Before:
# Contradictory flag implications from --!liftoff and --wasm-speculative-inlining for flag --wasm-dynamic-tiering.

After:
# Contradictory flag implications from --no-liftoff and --wasm-speculative-inlining for flag --wasm-dynamic-tiering.

R=tebbi@chromium.org

Change-Id: I21236b4ff338aa4d2ddd0872f85e2362ef8dc813
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870915
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82943}

Bug: v8:12612, v8:13145
Change-Id: Ib44d3eb15f05aebe1c165221507517d9df472142
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870919
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Almothana Athamneh <almuthanna@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82942}

We used to scan the full heap of all clients for pointers into the
shared heap. Now that the OLD_TO_SHARED remembered set is considered
complete, we don't need to scan objects in the old generation anymore.
Instead we just need to check slots in the OLD_TO_SHARED remembered
set.

Since we don't have write barriers for objects guaranteed to be in
new space, we still need to scan objects in the young generation.

Bug: v8:11708
Change-Id: I1121f90ee63521c9141431f4cb31973796f1a67c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865561Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82941}

Now it's "source, target" in all places.

Change-Id: I6ce943214c79467aca4e3b62c3376921e206842a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870917
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82940}

Add logic to drop cyclic contradictory flags from
correctness-fuzzing command lines. Add the currently known
biggest offenders.

Without this, the correctness fuzzing harness runs into a CHECK
failure during smoke testing, when attempting to pass cyclic flags
to d8. It fails fast, but uselessly burns fuzzing time.

This change drops one of the known cyclic flags instead to make the
test run still useful. The precedence is right to left like in the
V8 test framework.

Additionally on Clusterfuzz, all crashes during smoke testing are
deduped as one crash report. We don't know if there are other
problems before this one is fixed/hidden.

No-Try: true
Bug: chromium:1330303
Change-Id: I06cbb4655cd3cf467f5cce6f84dba653834ca72e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865562Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Alexander Schulze <alexschulze@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82939}

Port 247b33e9

R=gdeepti@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N

Change-Id: Iaedf6d6579e8224ba90b19b70ed040b23b85b2b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868835Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#82938}

The intention is to be restrictive for now: modules should not
start to depend on this subtyping while the stringref type
hierarchy question is being settled (see
https://github.com/WebAssembly/stringref/issues/3 for details).

Bug: v8:12868
Change-Id: I0140e72f92550c88393dc84bb1fa3ce65840a048
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865019
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82937}

Bug: v8:7748
Change-Id: Ibb43799319f8032d69adcaaeebb48ec8e4e6078c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869146
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82936}

At the start of the graph builder, we add merge states to exception
handlers basic block with ExceptionPhis (normal phis with no input,
but with an interpreter register "owner").

Every Node that can throw, can also lazy deopt, so we use the
lazy deopt IFS to recover the exception phi values in a trampoline
before jumping to the exception catch block.

Bug: v8:7700
Change-Id: I62fe7f19ce5e89c3df645224ea62f9fc2798207c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865865Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82935}

This change adds support for defining globals whose value is imported
and not defined inline. This was already possible for importing globals
from other modules, now it is also supported for non-global values, e.g.
values created by a wasm function and exported to JS.

Bug: v8:7748
Change-Id: I4fe22a7ab33b431cb731458900c0f332dff8b8f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865554Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82934}

Instead of implementing our own shared mutex, use std::shared_mutex,
which does not have the problem of deadlocking when interrupted by
signals (see https://crbug.com/v8/12037).
This is on Mac only, for now. If this fixes the regressions, we can
switch all systems to std::shared_mutex.

R=ishell@chromium.org
CC=dmercadier@chromium.org

Bug: v8:12037, v8:13256, chromium:1358856
Change-Id: Ie4be7cc5431905ca1e4f74809168eb6a9f584d28
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870465
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82933}

Bug: v8:12612
Change-Id: I28a574435646073d65e6fe1e746267ffb0eaa01d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3864083
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82932}

ResumeGenerator is semantically a successor of SuspendGenerator (for
reasoning about liveness), but operationally it's a successor of
SwitchOnGeneratorState. This means that the jump to ResumeGenerator will
always create a new basic block, even if the SuspendGenerator was dead.

This causes problems if we made other assumptions on liveness based on
the semantics; in particular, we assume that JumpLoop is dead if the
loop header is dead (thanks to loop irreducibility).
SwitchOnGeneratorState breaks irreducibility, and this manifests as the
JumpLoop being alive and trying to jump to a dead header.

Since this is a special case, and loops are otherwise irreducible, we
can also fix it with a special case; namely, MarkBytecodeDead now has a
special case for SuspendGenerator which manually advances the iterator
and kills the ResumeGenerator.

Bug: v8:7700
Change-Id: Ice162f061e7ba1dda7ceb4f6fe9234889655b417
Fixed: v8:13250
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865556Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82931}

Bug: v8:12868
Change-Id: Ia70ddb1fb25bc1f14259d14a8a9f614de7d8cd52
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865558Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82930}

Check the function for TF code before finalizing a maglev compilation,
so that we don't accidentally overwrite the higher tier.

Bug: v8:7700
Change-Id: I20eb4e25f3bf2710b6e65f9d866cad143e77943d
Fixed: chromium:1359114
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870464Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82929}

Besides, fix a error in GetMemOp.

Port commit 247b33e9

Change-Id: I34cf0d22870f438fb6bfcd67ef50ec254fb92608
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869758
Auto-Submit: Liu Yu <liuyu@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#82928}

This CL refactors most of the cctests and unittests (22 out of 31) that
directly invoke heap GC, so that the corresponding internal heap methods
are called from a few specific places in boilerplate code. This will
facilitate impending changes to the interface of GC-related internal
heap methods.

Bug: v8:13257
Change-Id: Ia6773a7952501b0792b279b799171519620497d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3869264Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82927}

Port commit 8e069d62

Bug:chromium:1356718

Change-Id: I0f9f19e45c8f3fc18b46ac0c1341cc61d5b1ae59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3868714
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82926}