- 08 Feb, 2022 6 commits
-
-
Jakob Gruber authored
The regexp parser historically has tried to gracefully detect and bail out from excess zone allocations, where 'excess' was determined to be an arbitrary limit of 256MB. This leads to issues now that the regexp parser may run from within the JS parser - the JS parser doesn't observe this arbitrary limit and happily keeps allocating until the underlying allocator actually runs out of memory; this way, the JS parser can handle very large JS files, and it's now counterproductive if the regexp parser (which reuses the JS parser zone) bails out on excess allocations. This CL simply removes the excess_allocation mechanism. Bug: chromium:1264014 Change-Id: I8d93a1e52aa65bb0ea6c2aab3b68b479ce79a1f6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3401580 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#78991}
-
Benedikt Meurer authored
Previously the inspector was trying to handle step-out for async functions by annotating the async stacks, but this was merely a hack and didn't work reliably (a) when the async caller that is `await`ing the result of the callee was still in the synchronous part (because then there was no async task yet in the inspector), or (b) not at all when the async stack tracking wasn't enabled or the maximum async stack depth was too small. This CL replaces that hack with a pragmatic solution inside the V8 debugger, where upon `await` we memorize the async function object of the caller on the outer promise of the callee, and when stepping out of the callee we check whether the returned promise has a memorized async function object and if so, we schedule that to resume. This CL thereby effectively reverts https://crrev.com/c/1054618 and replaces it with a V8 debug solution, and thereby further reduces the (memory) overhead of an AsyncStackTrace. Fixed: chromium:1246867 Bug: v8:6161, v8:7753, chromium:1277451, chromium:1280519 Change-Id: I6aa79e90f49d204f66bfd37e7a328c7fb8d635b1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439865 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/main@{#78990}
-
v8-ci-autoroll-builder authored
Rolling v8/third_party/google_benchmark/src: https://chromium.googlesource.com/external/github.com/google/benchmark/+log/1ee7bee..bdea505 Add mutex when reading counters_ (Fixes #1335) (#1338) (Liqiang TAO) https://chromium.googlesource.com/external/github.com/google/benchmark/+/bdea505 R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com,mlippautz@chromium.org Change-Id: I5acd1ef0af30aac9f76e6f7b215fd51d89c73c75 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3446781 Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/main@{#78989}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/3233ed2..dfc291f Rolling v8/buildtools/third_party/libc++abi/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxabi/+log/5b0a8cf..77c52e2 Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/66c9784..9c0ccc7 Rolling v8/third_party/googletest/src: https://chromium.googlesource.com/external/github.com/google/googletest/+log/14aa11d..43efa0a Rolling v8/third_party/zlib: https://chromium.googlesource.com/chromium/src/third_party/zlib/+log/fc5cfd7..3fc7923 Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/a8ca822..94a76bd R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com Change-Id: Ia89843d90b9b115b302e4281991f3a7b2284b963 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3445842 Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/main@{#78988}
-
Lu Yahan authored
Change-Id: I948d17b34334caae9deb9282176a76e6be3d28a3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3443174 Reviewed-by: ji qiu <qiuji@iscas.ac.cn> Commit-Queue: ji qiu <qiuji@iscas.ac.cn> Cr-Commit-Position: refs/heads/main@{#78987}
-
Frank Tang authored
Bug: chromium:1290612 Change-Id: If1e3030882786ccc0c6a9b42128bc1ac044f43f1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3445201 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/main@{#78986}
-
- 07 Feb, 2022 16 commits
-
-
Junliang Yan authored
This reverts commit 78bc7852. Reason for revert: revert due to failure on native tests. Original change's description: > s390x: [baseline] enable sparkplug on s390x > > Change-Id: I4646bb0f3f6291c97bb4b397d6248b9bdaa2059a > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439641 > Reviewed-by: Victor Gomes <victorgomes@chromium.org> > Commit-Queue: Junliang Yan <junyan@redhat.com> > Cr-Commit-Position: refs/heads/main@{#78959} Change-Id: I8d006211e42ace4db804f1a88f2749282ef2de32 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3440771 Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/main@{#78985}
-
Benedikt Meurer authored
Properly push back the current request promise for async generators when resuming after an `await` to ensure that the catch prediction works as expected for async generators. Fixed: chromium:1220203 Change-Id: I8c3592ceb567aadcba8f460794cd5d60a965a360 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3442680 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Philip Pfaffe <pfaffe@chromium.org> Commit-Queue: Philip Pfaffe <pfaffe@chromium.org> Cr-Commit-Position: refs/heads/main@{#78984}
-
Victor Gomes authored
Bug: v8:12315 Change-Id: If750c9528d4f20c6695a6b25f4d1abc8a14dba62 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3431486 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#78983}
-
Milad Fa authored
all_ones and all_zero are also moved to the macro assembler which will be used later. Change-Id: I72787c9bb217dd78f6fd8a818b95939e936bc68d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439916 Reviewed-by: Junliang Yan <junyan@redhat.com> Commit-Queue: Milad Farazmand <mfarazma@redhat.com> Cr-Commit-Position: refs/heads/main@{#78982}
-
Michael Achenbach authored
After https://crrev.com/c/3416191 there are too many mixed concerns in the clusterfuzz directory. We split it into js-fuzzer, foozzie and trials. Change-Id: I9a21ee83985e6113d77acba4583e99df88723c60 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3443505 Commit-Queue: Michael Achenbach <machenbach@chromium.org> Auto-Submit: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Almothana Athamneh <almuthanna@chromium.org> Commit-Queue: Almothana Athamneh <almuthanna@chromium.org> Cr-Commit-Position: refs/heads/main@{#78981}
-
Thibaud Michaud authored
Currently, the stack-switching import wrapper always suspends. Only suspend if the returned value is a promise, otherwise just convert and return the value back to wasm. R=ahaas@chromium.org CC=fgm@chromium.org Bug: v8:12191 Change-Id: I26e7a3921aeae30fcce7f0ccc98d790a1a6f8c35 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3440655 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#78980}
-
Dominik Inführ authored
When performing a shared allocation in a client we have checks for the AlwaysAllocateScope in both client and shared isolate slow allocation code paths. We need to enable both such that we don't fail with spurious OOM failures with GC stress bots. This change was already introduced with the reverted CL https://crrev.com/c/3422630. Land this as its own CL until that CL relands. Bug: v8:11708, v8:12582 Change-Id: I81ca3f0aaec3ac3fbef9d0b7219e09fa056000f5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3443503 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/main@{#78979}
-
Dominik Inführ authored
Verification code in HeapObject::set_map() is supposed to run on the main thread since object layout change is only supported on the main thread. There are some users of set_map() on background threads though, which resulted in crashes. Since those users all perform a safe map transition, we introduce a separate method for this purpose: HeapObject::set_map_safe_transition(). This method behaves just like set_map() but verifies that this is a safe map transition and not an object layout change and therefore can be used on background threads as well. This CL also adds a DCHECK to HeapObject::set_map() to ensure we run this method only on the main thread. Bug: chromium:1293484 Change-Id: I25de6fda08de21b8b7a3645cf0ea5b1334e8a2f6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439905 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/main@{#78978}
-
Dominik Inführ authored
Turn on fuzzing to get additional test coverage. Bug: v8:12578 Change-Id: Ia614fb9e4ba519163024f3b7b40f22ad6ebb3297 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3442677 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/main@{#78977}
-
Marja Hölttä authored
Make it include the invalid length again, but this time consistently. Bug: chromium:923688 Change-Id: I0ec2543e02b58ff2b79547021a8e0d47a9debe46 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3440068 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#78976}
-
Patrick Thier authored
We introduce a new information type ForwardingIndex to be stored in the Name::Hash field (to be used in the future). To do so we use the 2 least significant bits to distinguish types of information stored in the hash field (in contrast to only bit 1 to distinguish integer indices from "real" hashes). This motivated a refactor to use base::BitField for the hash field. Bug: v8:12007 Change-Id: I651c86807edfc218792d0db12379374eaa50c930 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3432385 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/main@{#78975}
-
Benedikt Meurer authored
This is the final step towards moving away from sending `url` with every call frame when emitting the `Debugger.paused` event. Fixed: chromium:1270316 Bug: chromium:1271078 Change-Id: I87a286d81eb91a9bed64213c4b18db0675858822 Doc: https://bit.ly/devtools-debugger-callframe-url Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3345001 Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/main@{#78974}
-
Thibaud Michaud authored
- Suspender.suspendOnReturnedPromise expects a function with type [ti*]->[externref] and returns a function with the same type. - Suspender.returnPromiseOnSuspend expects a function with type [ti*]->[to] and returns a function with type [ti*]->[externref]. Changes: - Check the wrapped function's return types - Skip type checking of return types when importing a wrapper (and assert that the return type is externref) - Add special case for WebAssembly.Function.type of a WasmExportedFunction: it currently returns the signature declared by the module. Change the return type to externref if this is a stack-switching export. Bug: v8:12191 Change-Id: I6619c306e9613825ad1b021cb3400d73cd684656 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3435190 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#78973}
-
Igor Sheludko authored
Drive-by: cleanup accessor declaration and definition macros. Bug: v8:11880, v8:12596 Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel_ng Change-Id: Ia04a7f21d911386e610f963f55cbc1d310b2f442 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439917 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#78972}
-
Dominik Inführ authored
We have two different kinds of GC prologues/epilogues. The user-exposed one in Heap and the internal one in LocalHeap. During parsing and in the JSON parser we were using the former. While this is definitely correct and at the time of implementation it was the only existing mechanism, I believe the internal callbacks are now a better fit for these use cases. Internal callbacks are simpler since they don't allow allocations, which allows us to run them during the GC safepoint. The user-exposed interfaces are allowed to allocate and are run either before or after the safepoint. Such allocations could cause recursive GCs, which is impossible for internal callbacks. Bug: v8:12545 Change-Id: Ie697556cec9aa77b2f70704445aa5bd58e0a381a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3435188 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/main@{#78971}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/4852ab2..3233ed2 Rolling v8/buildtools/third_party/libunwind/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libunwind/+log/659c7d9..f2ef96e R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com Change-Id: I5494824f0c480b20bcd653855dce9cf9827d73a3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3441242 Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/main@{#78970}
-
- 06 Feb, 2022 1 commit
-
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/f1292c4..4852ab2 R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com Change-Id: I923602ab54a92259568d1b264ef82f97144e6265 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3441240 Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/main@{#78969}
-
- 05 Feb, 2022 9 commits
-
-
Frank Tang authored
Bug: v8:11544 Change-Id: Iab90377372dcd97f1919fde1d886dfe67b336198 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3379236 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/main@{#78968}
-
Frank Tang authored
get Temporal.Plain*Time.prototype.(hour|minute|*second) Bug: v8:11544 Change-Id: I6de1304c1a920f8047d499e4e6dcedbd72ba07f7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3374073 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/main@{#78967}
-
Frank Tang authored
Bug: v8:11544 Change-Id: I72e005c0937418f4160e763edc4fd2b81b14b9c0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3385604 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/main@{#78966}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/3a9b7ad..f1292c4 Rolling v8/buildtools: https://chromium.googlesource.com/chromium/src/buildtools/+log/8ccda4f..2a745cc Rolling v8/third_party/android_platform: https://chromium.googlesource.com/chromium/src/third_party/android_platform/+log/f0d4a3b..87b4b48 Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/87e6066..b4974c8 Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/df01c5a..66c9784 Rolling v8/third_party/googletest/src: https://chromium.googlesource.com/external/github.com/google/googletest/+log/25ad42a..14aa11d Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/f246ca2..a8ca822 R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com Change-Id: Idbd708109a5b352fb33489a66cd0c620931a4fa3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3441237 Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/main@{#78965}
-
Shu-yu Guo authored
Currently the Isolate is gotten off of the object that the operation is being performed on. Shared objects return the shared Isolate, which is incorrect as it shouldn't be used to run JS, nor does it have HandleScopes open. Plumb the executing Isolate through. Bug: v8:12547 Change-Id: I1cd23b18b5b841c5b4339f52adecf1b86f3253dc Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3441398 Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#78964}
-
Shu-yu Guo authored
Currently the Isolate is gotten off of the object that the operation is being performed on. Shared objects return the shared Isolate, which is incorrect as it shouldn't be used to run JS, nor does it have HandleScopes open. Plumb the executing Isolate through. Bug: v8:12547 Change-Id: I428d21f5e6a9c51c8c7c4577395bf27c8706bdb4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3441033 Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#78963}
-
Shu-yu Guo authored
Currently the Isolate is gotten off of the object that the operation is being performed on. Shared objects return the shared Isolate, which is incorrect as it shouldn't be used to run JS, nor does it have HandleScopes open. Plumb the executing Isolate through. Bug: v8:12547 Change-Id: I7524a956876a0ff2d362c1ad6ec3ae044445215f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3441023 Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#78962}
-
Shu-yu Guo authored
Currently the Isolate is gotten off of the object that the operation is being performed on. Shared objects return the shared Isolate, which is incorrect as it shouldn't be used to run JS, nor does it have HandleScopes open. Plumb the executing Isolate through. Bug: v8:12547 Change-Id: I52d5a172ea602f4ad058d979003d51a80cdb4405 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3441022 Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#78961}
-
Shu-yu Guo authored
Currently the Isolate is gotten off of the object that the operation is being performed on. Shared objects return the shared Isolate, which is incorrect as it shouldn't be used to run JS, nor does it have HandleScopes open. Plumb the executing Isolate through. Bug: v8:12547 Change-Id: I4d2c9f5d4d7bc50b3aeb515eb78c08eb1b2a6824 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3440902 Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#78960}
-
- 04 Feb, 2022 8 commits
-
-
Junliang Yan authored
Change-Id: I4646bb0f3f6291c97bb4b397d6248b9bdaa2059a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439641 Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Junliang Yan <junyan@redhat.com> Cr-Commit-Position: refs/heads/main@{#78959}
-
Alex Turner authored
This method returns the unique debugger ID for a v8::Context (i.e. the V8DebuggerID), serialized to a pair of int64_ts. Bug: v8:12528 Change-Id: Ib2cdda73447f8233f9afb773fed4a634d4618aef Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3369124 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Alex Turner <alexmt@chromium.org> Cr-Commit-Position: refs/heads/main@{#78958}
-
Michael Achenbach authored
Using UTF-8 encoding couldn't properly read: test/webkit/parser-high-byte-character.js Fix itertools rename and one usage of map that's now an iterator. Bug: chromium:1292016 Cq-Include-Trybots: luci.v8.try.triggered:v8_linux64_python3_rel_ng_triggered Change-Id: I2b2ab72ce0eb355d1e70f247b5ea38d1d71c7845 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439914 Reviewed-by: Liviu Rau <liviurau@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/main@{#78957}
-
Junliang Yan authored
Change-Id: Id233437d92a9af0d7726bcd6207133802ee3d129 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439640 Reviewed-by: Milad Farazmand <mfarazma@redhat.com> Commit-Queue: Junliang Yan <junyan@redhat.com> Cr-Commit-Position: refs/heads/main@{#78956}
-
Junliang Yan authored
Change-Id: I5d9fc560a398328674907962a3730036b72172a4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3439638 Reviewed-by: Milad Farazmand <mfarazma@redhat.com> Commit-Queue: Junliang Yan <junyan@redhat.com> Cr-Commit-Position: refs/heads/main@{#78955}
-
Milad Fa authored
Change-Id: I709253796b8493cf365f21247c367974ffbb3106 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3440435 Reviewed-by: Junliang Yan <junyan@redhat.com> Commit-Queue: Milad Farazmand <mfarazma@redhat.com> Cr-Commit-Position: refs/heads/main@{#78954}
-
Michael Lippautz authored
The size is queried from the background thread to check whether incremental marking should be started. Bug: chromium:1292728 Change-Id: I60e0def5756b62ef2ae2d10cc76ce745f3aef308 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3440654 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Auto-Submit: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/main@{#78953}
-
Seth Brenith authored
The web app owner who notified me about bugs v8:12112 and v8:12126 asked me a reasonable question: "how am I ever supposed to trust the retaining paths in the devtools, if the heap snapshot is generated by a different component than the actual marking code?". This change is my attempt to answer that question. If verification is enabled, the heap snapshot generator will visit each heap object with a realistic marking visitor to find all references from that object. It will then check that those references match the HeapGraphEdges in the snapshot. I also considered the idea that we could collect retaining information during the last GC cycle before taking the heap snapshot, or during an extra GC cycle immediately after. However, running the full GC provides the embedder with the opportunity to run arbitrary code (including JS) both before and after PerformGarbageCollection, so there is no clear guarantee that the heap state during the snapshot actually matches the heap state during marking. Bug: v8:12112, v8:12126 Change-Id: Id29e75ecf9eee19e35daedbdb4a3e1df64785380 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3299590 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com> Cr-Commit-Position: refs/heads/main@{#78952}
-