Change-Id: I8570c748a9e4e509b0f609fcbb6aa37a3a986971
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3862267Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82781}

When a call_indirect fails because of a signature mismatch or a null
target, the value stack generated for debug doesn't contain the target
index anymore, which makes it hard for users to understand the error.

Keep the index on the stack, and ensure that the index is not modified
until we generate the debug info. Previously, the index was shifted
in-place to compute various offsets. Instead, use scaled loads to
compute the offset directly in the load instruction.

R=clemensb@chromium.org

Bug: chromium:1350384
Change-Id: Iad5359ec80deef25a69ac119119a0b5ca559a336
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854309Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82780}

Bug: chromium:1355990
Change-Id: I1a822ce7b476baf5866070b11b65c464800d3b7b
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859849
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82779}

Bump the limit to give TF enough time to finish compiling. The
`keep_going` limit is fairly ugly, but it lets us test the real
(=concurrent) pipeline.

Bug: v8:7700
Fixed: v8:13176
Change-Id: Iba97111d752c8a4894e99ab57e8f42abcc8c29bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3862204
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82778}

This CL adds lightweight checking to the ExternalPointerTable GC
algorithm to detect double initialization of external pointer fields.
These are forbidden as they interfere with the table compaction
algorithm.

Bug: v8:10391
Change-Id: Id69fdcce883aa86f8e2c456a0fe7a1f011719464
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858228Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82777}

Read of size 2 at 0x7eef001a3666 by main thread (mutexes: write M0):
 0: LoadEncoded
 1: IsMarked<(cppgc::internal::AccessMode)0>
 2: operator()
 3: DrainWorklistWithPredicate
 4: DrainWorklistWithBytesAndTimeDeadline

Previous atomic write of size 2 at 0x7eef001a3666 by thread T8:

 0: __cxx_atomic_compare_exchange_strong<unsigned short>
 1: compare_exchange_strong
 2: TryMarkAtomic
 3: MarkNoPush

Change-Id: I0708516382ea860c877ff76ee02216f6f27c9d04
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858239
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82776}

For code pointers, the sandbox will require a custom, lightweight CFI
mechanism (likely based on the external pointer table). Simply turning
all code pointers into ExternalPointers is not sufficient.
This CL therefore turns code pointers back into raw pointers for now so
that they don't block the external pointer table rollout.

Bug: v8:10391
Change-Id: Ib2ba246be546bbf19fcd0f4ae20f4e9a2cf2e099
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859348Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82775}

Avoid the deprecated FLAG_* syntax, access flag values via the
{v8_flags} struct instead.

R=jkummerow@chromium.org

Bug: v8:12887
Change-Id: Ieccf35730f69bcefa3740227f15e05686080d122
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3843517
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82774}

This is the normal state on the main branch, let's not emit this warning
on every build.

Bug: v8:10470
Change-Id: I29744ea7f67881570fa12c249b12f00d2313289c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859851
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82773}

- Adopt v8.dev page structure and styling
- Use v8.dev-style navigation tabs

Change-Id: I036be991af57939ea260ab236ddb61875fda86db
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856261
Auto-Submit: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82772}

... so that the offset fits into the maximum offset for load byte
instruction for arm/arm64 (Ldrb) in order to produce smaller code.

Update code generation so that the loading of the flag value is
combined with the comparison operation where possible.

Additionally, this CL moves the Isolate::is_profiling flag to the
IsolateData so that it can be loaded directly via roots register which
removes one indirection.

The fields moved in the IsolateData:
 - is_marking_flag and is_minor_marking_flag (checked by write barriers)
 - is_profiling (checked on API callbacks/getter calls)
 - stack_is_iterable (not super hot, checked during deoptimization).

Drive-by: this CL defines the bool fields as uint8_t in order to make
the field size expectations clear.

Bug: v8:11880
Change-Id: I80c292c6ec919861684152b6062225aa0fda2d3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856580Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82771}

This limits the number of DECHECK failures in fuzzing builds that have
no side-effects or security implications.

Bug: chromium:1355059
Change-Id: I909934c62711439f1edd95492b93ee0c582a495d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859751
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82770}

R=clemensb@chromium.org

Bug: v8:12191, v8:13231
Change-Id: I0104f54ce5cdc022f22800d4aeec68aac481219d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856573Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82769}

The API was deprecated in v10.6 (https://crrev.com/c/3789510).
Remove now, in v10.7.

R=mlippautz@chromium.org

Bug: v8:12899
Change-Id: I21d79cdd357315daf9684d9cdd6c1f1be088ad6b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852490Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82768}

This is a reland of commit eca383c9

More DCHECK failures have been fixed with https://crrev.com/c/3857423

Original change's description:
> Reland "[sandbox] Sandboxify EmbedderDataSlots"
>
> This is a reland of commit e1f585ed
>
> ExternalPointerTable issues have been fixed in
> https://crrev.com/c/3849650 and https://crrev.com/c/3849376
>
> Original change's description:
> > [sandbox] Sandboxify EmbedderDataSlots
> >
> > Bug: v8:10391
> > Change-Id: If85a308a6f6ed1b17d86f87b4911c82d2327ea72
> > Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3757341
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Commit-Queue: Samuel Groß <saelo@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#82623}
>
> Bug: v8:10391
> Change-Id: If77f6c10e81c30c2dfa6b33c788bc4a36e4da135
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852602
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82686}

Bug: v8:10391
Change-Id: Id982c022e50004e903851b160d30fc8767280e5b
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854679Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82767}

We use a hash for different things:
- dumping wasm module to file,
- generating the script name, and
- computing prefix hash / wire byte hash for caching.

Two of them were using the StringHasher, one use base::hash_range.
For experimental PGO support, we will also need a hash value, so unify
this to use the same hash everywhere.
Since the result of base::hash_range is platform-dependent, use the
StringHasher everywhere.

R=thibaudm@chromium.org

Bug: v8:13209
Change-Id: Iae8c2385264ecedd4daea16d7f9221bc94650eef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3855310Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82766}

Those are not safe in combination with the sandbox as they are stored as
raw pointers. Instead of turning them into ExternalPointers (which use
the ExternalPointerTable indirection), this CL simply turns them into
on-heap ByteArrays which is cheaper and should be unproblematic
security-wise as their contents can be corrupted without causing memory
corruption outside the sandbox address space (just incorrect behaviour
and/or further memory corruption *inside* the sandbox, which is fine).

Bug: chromium:1335046
Change-Id: Id2b901a58b7d6c91dd7596fca553d7c76cbc61ec
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3845636Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82765}

Add a new ACCESSOR_GETTER_LIST macro to define all the accesor getters
and allow using non statically known accessor names. This allows
exposing the ModuleNamespaceEntryGetter to the external-reference-table

Change-Id: I40700e2cd19bc58ba55569c7b1e6fc34357bd80f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856924Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82764}

Bug: v8:10470
No-Tree-Checks: true
No-Try: true
Change-Id: Ic59bd42221776248dfc1bde35c1299aa4d1d3b0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3861049
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82763}

Manually removed fuchsia-sdk update for https://crbug.com/1357478.

Rolling v8/base/trace_event/common: https://chromium.googlesource.com/chromium/src/base/trace_event/common/+log/2ba7a48..640fc6d

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/8291582..7e25322

Rolling v8/buildtools: https://chromium.googlesource.com/chromium/src/buildtools/+log/3a4c850..cf8185c

Rolling v8/buildtools/linux64: git_revision:0bcd37bd2b83f1a9ee17088037ebdfe6eab6d31a..git_revision:5705e56a0e5856621415cfdf444432554e72c9c9

Rolling v8/buildtools/third_party/libc++/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxx/+log/db72216..26e3467

Rolling v8/buildtools/third_party/libc++abi/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxab/+log/d2e4dc7..48afced

Rolling v8/buildtools/third_party/libunwind/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libunwind/+log/f87795e..42aa6de

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapul/+log/7294631..2417ba3

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/44b7330..b7ec673

Rolling v8/third_party/zlib: https://chromium.googlesource.com/chromium/src/third_party/zlib/+log/8d1d3e3..926ac23

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clan/+log/a56fd8b..ae771c8

Rolling v8/tools/luci-go: git_revision:a0ba80649473055bae3d789eec28c9967adb5e45..git_revision:3226112a79a7c2de84c3186191e24dd61680a77d

Rolling v8/tools/luci-go: git_revision:a0ba80649473055bae3d789eec28c9967adb5e45..git_revision:3226112a79a7c2de84c3186191e24dd61680a77d

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Bug: chromium:1357478
Change-Id: I4e0a9cdc9958c9261c1d615991f0a98c9ceabda0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3861215
Owners-Override: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82762}

This CL only moves method definitions from heap.cc into the new file
heap-verifier.cc. Apart from this code is not changed.

Bug: v8:11708
Change-Id: Ice7e5f12c6370bc05b82b3a7bd15f94292c4235f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856260Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82761}

Bug: v8:12547
Change-Id: I32898a4382397663967d7e784e16d7930f3600a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859097
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82760}

https://chromium.googlesource.com/external/github.com/tc39/test262/+log/adba7dfd9c..8dcc0e19

Also add "Intl402" (notice the uppercase I) to the excluded dirs for noi18n
because of https://github.com/tc39/test262/pull/3638

Bug: v8:7834
Change-Id: Ibd53c7917a4fd8d1b27989e3c040c5ab47a66e50
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857450Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82759}

Sync https://github.com/tc39/proposal-temporal/pull/2269
Add AO MaybeFormatCalendarAnnotation
Use MaybeFormatCalendarAnnotation in
TemporalDateToString
TemporalDateTimeToString
TemporalZonedDateTimeToString

Spec text:
https://tc39.es/proposal-temporal/#sec-temporal-maybeformatcalendarannotation
https://tc39.es/proposal-temporal/#sec-temporal-temporaldatetostring
https://tc39.es/proposal-temporal/#sec-temporal-temporaldatetimetostring
https://tc39.es/proposal-temporal/#sec-temporal-temporalzoneddatetimetostring

Bug: v8:11544
Change-Id: Ia361b1cba1b2e9db77125a8888054cfd89626611
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3855699
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82758}

Spec Change PR:
https://github.com/tc39/proposal-temporal/pull/2344

Relative tests in test262 are
built-ins/Temporal/Duration/prototype/round/february-leap-year.js

Bug: v8:11544
Change-Id: Id31648436f629a8adf395e3b4c835adf46a2c455
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3855701Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82757}

Currently the ability to create shared isolates is partially exposed to
API. Instead of fully exposing it, this CL makes shared isolate and
shared heap handling transparent to the embedder.

If a flag that requires the shared heap is true (currently
--shared-string-table and --harmony-struct), the first isolate created
in the process will create and attach to a process-wide shared isolate.
Subsequent isolates will attach to that shared isolate. When that first isolate is deleted, the shared isolate is also deleted.

Bug: v8:12547
Change-Id: Idaf2947bc354066c44f2d10243e10162b1b7e4d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3848825Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Owners-Override: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82756}

This reverts commit a165e82e.

Reason for revert: SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/objects/js-temporal-objects.cc:3837:22  

Original change's description:
> [Temporal] Use double/int32_t instead of int64_t for duration parsing
>
> Use double instead of int64_t and int32_t in duration parsing result
> so we can parse very large duration fields as infinity and throw RangeError in later stages. The three fractional parts can hold up value from 0 to 999,999,999 so we use int32_t to hold it. Other part could be infinity so we use double to hold it. Also rearrange the order of the three int32_t in the struct ParsedISO8601Duration after all the double
>
> Bug: v8:11544
> Change-Id: I7e5b02f7c7bbb60997f1419f016aed61dd3e0d6c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3840761
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Commit-Queue: Frank Tang <ftang@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82754}

Bug: v8:11544
Change-Id: Ia9d0a014463b00640d43b051753a554f42171c2b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858575Reviewed-by: Shu-yu Guo <syg@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82755}

Use double instead of int64_t and int32_t in duration parsing result
so we can parse very large duration fields as infinity and throw RangeError in later stages. The three fractional parts can hold up value from 0 to 999,999,999 so we use int32_t to hold it. Other part could be infinity so we use double to hold it. Also rearrange the order of the three int32_t in the struct ParsedISO8601Duration after all the double

Bug: v8:11544
Change-Id: I7e5b02f7c7bbb60997f1419f016aed61dd3e0d6c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3840761Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82754}

This change also modifies the way references are typed: Instead of
using the static type (which may be a generic type like anyref) the
actual type based on the referenced object is used.
While this is very useful for arrays and structs (and somewhat nice for
i31 not just being a number but also having some type information), it
means for non-null values that the reference type is "not nullable",
so it will show e.g. "ref $type0" although the static type  might be
"ref null $type0".

Bug: v8:7748
Change-Id: I00c3258b0da6f89ec5efffd2a963889b1f341c3a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3852485Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82753}

This change follows up on 3cc93154 on which Table::grow() was missed.

Bug: v8:7748
Change-Id: I83dc4e4894354ad8c97e577da03d67a36f6d9443
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858227Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82752}

- LoadCallerFrameSlot
- StoreCallerFrameSlot
- LoadReturnStackSlot
- MoveStackValue
- Spill
- Fill

Change-Id: I5fee06a60b36ec145b4d35d59ede35bb849e57b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3851544Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Farazmand <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#82751}

This reverts commit adb5e163.

Reason for revert: ClusterFuzz ain't happy. (crbug.com/1356461 and others)

Original change's description:
> [turbofan][x64] When spilling 32bit values, reload only 32 bits
>
> When we spill a register that we know contains only 32 interesting bits
> and then reload it from the spill slot, it's enough to reload its lower
> half. This may save a few bytes, and guards against accidental changes
> to the upper half (e.g. via pointer decompression).
>
> Bug: v8:13216
> Change-Id: I1d950d6e33d8ae94cf385af4f3e1db028bf333c5
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3854506
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82704}

Bug: v8:13216
Change-Id: I8923cbe00c73191f2fdd51f361d7cd073f338a00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859323Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82750}

For the branching control flow structure we set up for feedback-directed
inlining-capable `call_ref` sequences, we have to manually take care of
the "instance cache nodes" in the SSA environment.

Drive-by: improve Runtime_WasmTierUpFunction to process type feedback,
making it usable for the included regression test.

Fixed: v8:13230
Change-Id: I06a449ad73af90b96d0cc15c3cb9a0e4bed87be6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859326Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82749}

Change the has-optimized FeedbackVector bit to two bits, one for Maglev
and one for Turbofan. Ignition and Sparkplug can check both bits, while
Maglev will only check the Turbofan one.

Bug: v8:7700
Change-Id: I95f6e4326180cac02f127a97438f960950f09d82
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856569
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82748}

Bug: v8:7700
Change-Id: I2860bea3008ea1d357cf7e89fb0453221f065786
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859344
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82747}

This is a left-over of the removal of the dynamic (rtt-based)
variants.

Bug: v8:7748
Change-Id: I93bb74a72543a5697f1102d283c7d65c6be99466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856577
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82746}

Fixes undefined behavior, which manifests as a compiler error in C++20 in Google3.

This was caused by using members of vector<T> before T has been defined.
This change just massages the code a bit to get everything in the proper order.

See cl/468678068 on Google3.

Bug: chromium:1284275
Change-Id: I0b65e7f850e8dd1ed482be1b5cc0b8d9d77776eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859343
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82745}

This is a reland of commit a31e8f24

Remove the checking logic, which will be addressed in a separate CL.

Original change's description:
> [sandbox] Forbid double-initialization of ExternalPointerSlots
>
> Double initialization may cause the ExternalPointerTable compaction
> algorithm to behave non-optimally: Consider the case of an Entry E1 that
> is owned by a HeapObject O and is marked for evacuation during GC
> marking. In that case, a new entry E2 is allocated for it, and during
> sweeping, E1 will be evacuated into E2 and the Handle in O updated to
> point to E2. However, if a new entry E3 for O is allocated before
> sweeping, then during sweeping E3 (instead of E1) will be moved into E2.
> This may then violate the invariant that the compaction algorithms
> always evacuates an entry out of the evacuation area.
>
> This CL therefore forbids double initializaiton of external pointer
> slots and adds DCHECKs to attempt to catch these in debug builds.
>
> Bug: v8:10391
> Change-Id: I128dc930e8b3f863dab18ba648f34d68d8cb276b
> Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3856563
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Samuel Groß <saelo@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82729}

Bug: v8:10391
Change-Id: I6cef79f4adc340fdcdc291ad0f0c2210f5bf48cd
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3857423Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82744}

Bug: v8:12781
Change-Id: I0c1234c5a649f3533eebbab89f7fe16140327d59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3858927
Commit-Queue: Feng Yu <f3n67u@gmail.com>
Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82743}

Maglev uses a different safepoint table. This CL introduces the
functions FindReturnPCForTrampoline for MaglevFrame and TurboFanFrame.

Bug: v8:7700, chromium:1356902
Change-Id: I90784ddfdc96604c5ada8047e6f7447c17e6c3aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859342
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82742}