When the stack is split in safe and unsafe parts, on-stack
TracedReferences are allocated on the unsafe stack. What currently
happens is that on GC we destroy all the on-stack references below the
current frame of the *safe* stack. If the safe stack is allocated above
the unsafe counterpart, then all the traced references will be
preliminary destructed on GC. This CL fixes it by using
__builtin___get_unsafe_stack_ptr() if -fsanitize=safe-stack is enabled.

In addition, deduplicate OnStackTracedNodeSpace::IsOnStack() and
Stack::IsOnStack() and move more logic into ::heap::base::Stack.

Bug: chromium:1278780
Change-Id: I9582bb1321958b7ec8ef2c0c46b9e42d51bb6f94
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3395033Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78660}

Bug: v8:12165
Change-Id: I6852686d67fac46fab536e93f8a63843f0580d3b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3251172Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77606}

Stack containment checks for slots should consider safe stacks when
they are enabled.

Bug: v8:11933, v8:12165
Change-Id: I2e2c8539c3c0a2dd795f87781ecb2942e059accc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3250642
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77601}

Other threads may write the stack of a different thread and use a lock
to synchronize such an access. An example for this is interrupt
handling.

Ignore TSAN for the methods performing the stack walk. There's no need
to use relaxed atomic reads as same-thread writes are consistent and
for other-thread writes there's no guarantee on what values to observe.

Bug: chromium:1245409
Change-Id: Ia3d3621590f1f5524d245632a2e8a2db23313f35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3135573
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76622}

This aims to speed up stack scanning with a fast on-heap check. The
blooom-filter (at least with caged-heap enabled) is probably not needed
anymore.

Change-Id: I05536025c73df0cacdbbf6c474339dc71ecf33e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825590
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76429}

Bug: chromium:1056170
Change-Id: I09c6764c62cb459f3cfe317508bbc663debb66b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2919961Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74813}

The marking verifier used to run on a different stack than the marker
which could lead to it finding more objects than the marker. Fix this
by recording a stack end from which the verification starts. This
ensures that the verifier only finds a subset of the objects that the
actual stack scan finds.

Bug: v8:11709
Change-Id: I44fe7b247e56e75deded45b64c25379f1ad9e381
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2859848
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74320}

Bug: chromium:1056170
Change-Id: I41ebc2e507d1662588364396f1129c75a0f0841d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2851890
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74233}

- Move ASAN and MSAN support to base/
- Eval arguments for builds without sanitizer to preserve same
  semantics
- IWYU fixes

Bug: chromium:1056170
Change-Id: I212becf205e03b155c188ffd13cf5629df6f2cb8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2851887Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74225}

- Provide GetRealStackAddressForSlot that deals with ASAN fake stacks
  properly, also accounting for the fact that ASAN gets its real stack
  address in a nested call.
- Fix cppgc on-stack getter.
- Reuse platform routines in global handles.

Bug: chromium:1139914, chromium:1056170
Change-Id: If11a40d543b33edcea220bb70f170ac018e15053
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2509594
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70899}

This allows the implementation of different stack scanning mechanisms in
V8 (e.g. conservative scanning) while re-using the stack walking API.

Change-Id: I9b9c3b8ffe5d527ca3f7105776821776b509b187
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2238194
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68457}

Supported HW architectures:
ia32, x64, arm, arm64, ppc64, s390, mips, mips64

Compiler support:
- clang/gcc: all
- msvc tools: ia32, x64, arm64

Thanks all for porting!

Bug: chromium:1056170
Change-Id: I26ea7d727dc6d90929941668b8f115bdbaf226ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2153210
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67203}

With this change we support allocation of objects and keeping them
alive via conservative stack scan.

This reverts commit 2b047a58.

Change-Id: Iac1913e7ef0556c28399509a160777a89e60150c
Bug: chromium:1056170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2137402
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67016}

This reverts commit 44a1ed8f.

Reason for revert: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20gcc/6124?

Original change's description:
> cppgc: Integrate conservative stack scan into GC
> 
> With this change we support allocation of objects and keeping them alive via
> conservative stack scan.
> 
> Change-Id: Id94d7ced503ad0b1378643e0c13c2a8b65ad2327
> Bug: chromium:1056170
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135729
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67008}

TBR=ulan@chromium.org,hpayer@chromium.org,mlippautz@chromium.org,bikineev@chromium.org,omerkatz@chromium.org

Change-Id: I71bf7a9b7f54f0ec8d64b1b1781699adb0feb138
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1056170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2137401Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67009}

With this change we support allocation of objects and keeping them alive via
conservative stack scan.

Change-Id: Id94d7ced503ad0b1378643e0c13c2a8b65ad2327
Bug: chromium:1056170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135729Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67008}

Add support for ia32 Windows using clang. Change the callback
function from a member function to a free function. This the
compiler generating thiscall calling convention for the member
function which allows for keeping the asm trampoline uniform.

Bug: chromium:1056170
Change-Id: Ic8fcac27a628a0de026d8fe7d2e376c8f58a1737
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2134136Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66975}

The trampoline should never inline the actual iteration method and
always use a full call. As a result, there can be no interesting data
in the redzone.

This allows simplifying as the existence and size of a red zone is platform
dependent.

Bug: chromium:1056170
Change-Id: I38d686b0e60fdcc383c40a45e7a81ec0e91f4d62
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2132788Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66955}

The stack scanner copies any potentially uninitialized values into a
temporary on the stack. The temporary is supposed to be unpoisoned
before processing.

This fixes an issue where we would pass the wrong address to
unpoisoning.

Bug: chromium:1056170
Change-Id: I8eb1564103d067e72f9de74b71d9ddfc23a68ade
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2130273
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66932}

Pure refactoring. The re-organization allows to easily
add more platforms.

Bug: chromium:1056170
Change-Id: Ia191c37a1dabff6952414c5314beeeae881713b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2129636Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66924}

Adds support for conservative stack scanning on x64. The trampolines
saving callee-saved registers are compiled using clang (non-Windows)
and MASM (Windows). This is using the default toolchain for assembly
in Chromium/V8.

This differs from Oilpan in Chromium where x86 and x64 are compiled
using NASM [1]. V8 does not yet require this dependency and building
the trampolines natively avoids it. (NASM also requires separate
blocks for x64 Windows and non-Windows.) On non-x86/x64 platforms
Chromium also uses clang, so there's little benefit in keeping the
dependency.

The trampolines are tested when building with clang.

Other platforms follow in separate CLs.

[1] https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/platform/heap/asm/SaveRegisters_x86.asm

Change-Id: Ice2e23e44391aa94147abe75ee0b5afac458b8f8
Bug: chromium:1056170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2124319
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66913}