It also updates the scripts to support Python3
Bug: chromium:1245634
Change-Id: Iffe29bacfd788575b35da6449d5830fc665da7a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3194259
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77155}
Due to a MIPS64 ISA feature, 32-bit values should be sign-extended
in 64-bit registers, no matter whether they are signed or unsigned.
Besides, LoongArch64 also has this feature, and a similar change
has been made before loong64 port's land in V8. This CL also makes
a small fix for loong64.
Change-Id: Ib284662931082365f727925af61781e3653debc8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3193595
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Liu yu <liuyu@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#77154}
I'm trying to remove annotations and make behavior more consistent. For
@generatePrint, there are two options: either generate printers for
every extern class, or never generate printers for extern classes. This
change implements the option of always generating printers. Classes that
require custom printing can easily hide the generated printer by using
DECL_PRINTER. This causes the generated file
gen/torque-generated/objects-printer.cc to grow to 1600 lines, including
many functions that are never used, but I think the consistency benefit
outweighs a little more compilation time on one file. This change also
removes custom printers in cases where the generated printer includes
all of the same content.
If folks would prefer the option to never generate printers, I'm open to
doing that instead. I like the notion that generating more code could
reduce the friction of adding new classes and thereby encourage people
to define precise types rather than using FixedArrays, but the current
implementation of generated printers is limited, and many printers have
been customized to show the data that matters the most. Unlike verifiers
and body descriptors, there are no correctness or safety concerns with
hand-written printers.
Some bugs showed up once we started generating printers for everything,
and this change fixes them:
- Printers incorrectly included ungettable fields like padding
- Printers called getters which might be hidden by hand-written classes
- The generated getter for Map::instance_type used
ReadField<InstanceType>, which is not an arithmetic type since it's an
enum
One more tiny drive-by fix: added a missing newline in the printers for
JSMap and JSSet.
Bug: v8:7793
Change-Id: Ib9e9575fbcb57879935ff18bf4db49fe276d2966
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3172190
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#77152}
Nobody uses the generated *_FIELDS macros anymore, so we can remove
them. I also renamed the generated file to represent its content better.
Bug: v8:7793
Change-Id: I49ab39e363d6961e7210cd67018b6fb83b65a162
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3192191
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#77151}
This fixes a long-standing TODO to disallow importing receivers that
have "toString" or "valueOf" patched. Calling those methods could have
observable side effects, so allowing that would require bigger
refactorings to ensure that we only call each such function exactly once
per import, and in the right order.
Since this use case is rare, we just forbid importing such receivers.
R=jkummerow@chromium.org
Bug: chromium:1248677
Change-Id: I99bbd7db950ec3c7ac9cc1f59e8c476688e7d7b6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3190475
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77149}
Port: 1cd7a58223
Original Commit Message:
Class Constructors are special, because they are callable but [[Call]]
raises an exception. Instead of checking if a JS function is a class
constructor for every JS function call, this CL adds a new instance
type for class constructors.
This way we can use a fast instance type range check for the common
case, and only check for class constructors in the uncommon case where
a class constructor is called and when we need to raise an exception.
Change-Id: I578fde90d00d1e80cf36ba28205ce9bfe6830afb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3192422
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#77147}
This reverts commit 9495817296.
Reason for revert: Breaks arm/arm64 ports, e.g. https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim/30120/blamelist
Original change's description:
> [torque] Get rid of @noVerifier annotation
>
> As one small step toward reducing annotations, I propose that all
> classes get generated verifiers unless they've opted out of C++ class
> generation via @doNotGenerateCppClass, and that generated verifiers
> always verify every Torque-defined field. If a generated verifier is
> incorrect, such as for JSFunction or DataHandler, we can just avoid
> calling it and hand-code the verification.
>
> Bug: v8:7793
> Change-Id: I7c0edb660574d0c688a59c7e90c41ee7ad464b42
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3171758
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
> Cr-Commit-Position: refs/heads/main@{#77145}
Bug: v8:7793
Change-Id: I56da8a9726d23470e927be1be5e7bcede1399861
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3194262
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Owners-Override: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#77146}
As one small step toward reducing annotations, I propose that all
classes get generated verifiers unless they've opted out of C++ class
generation via @doNotGenerateCppClass, and that generated verifiers
always verify every Torque-defined field. If a generated verifier is
incorrect, such as for JSFunction or DataHandler, we can just avoid
calling it and hand-code the verification.
Bug: v8:7793
Change-Id: I7c0edb660574d0c688a59c7e90c41ee7ad464b42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3171758
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#77145}
This is a reland of e47f920071
Relanding for clang only.
GCC and MSVC will not inline.
Original change's description:
> cppgc: Inline allocation fast path across api boundary
>
> Bug: chromium:1239030, chromium:1056170
> Change-Id: I4a559027e63ebbd99e51344aa659d4fb284df88f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3190094
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Anton Bikineev <bikineev@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77124}
Bug: chromium:1239030, chromium:1056170
Change-Id: Iaa52118ea0e6ccd78f5e7818fa30ed163906da83
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3191211
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77144}
Class Constructors are special, because they are callable but [[Call]]
raises an exception. Instead of checking if a JS function is a class
constructor for every JS function call, this CL adds a new instance
type for class constructors.
This way we can use a fast instance type range check for the common
case, and only check for class constructors in the uncommon case where
a class constructor is called and when we need to raise an exception.
Change-Id: Ic6fdd9829722d05559fdfd01f6100c61873a0872
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3186434
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77140}
During a final atomic pause CrossThreadPersistent handles need to be
frozen after they have been marked to avoid any
WeakCrossThreadPersistent handles creating new strong references
(through their Lock() call) that would retain objects.
Handles are frozen by acquiring a lock. Since this lock is also taken
by other threads on WCTP::Lock(), this can introduce jank.
This CL improves the situation by delaying processing of CTP
references until absolutely necessary, i.e., when we have otherwise no
more objects to mark.
Bug: chromium:1252743
Change-Id: I872f38c6d24d7955bea74fd59685abd3019b385e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3194253
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77139}
.. and refactor js-regexp.h.
- Hide the generic DataAt/SetDataAt accessors and replace them by
dedicated accessors. Use the common lower_case naming scheme for
these.
- Shuffle around definitions in js-regexp.h s.t. they are in a
meaningful order.
- Dedupe the source/flags accessors - these fields are stored both
on the instance and on the data array. We keep only accessors for
the instance. Previously, these were disambiguated through naming
oddities (e.g. Pattern() returned data->source).
Change-Id: I3d53c8b095f0d59621ff779608438f7fa5e8c92a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3193534
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77138}
Bug: v8:7790
Change-Id: I5439fa0a8ecfab8f407e2aeeaffd4b4f656cdfe1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3192674
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77137}
This is a reland of 7d849870ff
Original change's description:
> [regexp] Reorganize and deduplicate in the regexp parser
>
> The parser is organized in a somewhat tricky way s.t. it can be
> hard to map the implementation back to the specified grammar.
>
> In particular, the logic for CharacterClassEscape, ClassEscape,
> and CharacterEscape was implemented twice - once inside a character
> class, once outside.
>
> This CL refactors related logic to have only a single implementation.
>
> As a drive-by, fix one related inconsistency related to \k inside
> a character class.
>
> Fixed: v8:10602
> Change-Id: I5858840159694fa6f8d1aa857027db80754e3dfd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3178966
> Reviewed-by: Mathias Bynens <mathias@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77114}
Fixed: v8:10602,chromium:1253976
Change-Id: I9e7cc6a34d3be06e1a68895775aa50b0eee78c57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3193531
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77135}
Rolling v8/base/trace_event/common: 715537d..68d8169
Rolling v8/build: a76920d..ecb990f
Rolling v8/third_party/aemu-linux-x64: 6Vr4alb5803W2n5PbA5ZLwCcJznKdmFX1pDoy_5hfOAC..e_KiIcYNB7sHa2eqRBhqVoR_Mmg2Q7nqmzRCXzegWQAC
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/2146b04..5afc365
Rolling v8/third_party/depot_tools: ce514ad..764c927
Rolling v8/third_party/googletest/src: e4717df..ab36804
Rolling v8/tools/clang: 2e80143..278dd91
Rolling v8/tools/luci-go: git_revision:e9585787c808e21d6eaa2c7d7a928dbc19999172..git_revision:a373a19da0fbbbe81b2b684e3797260294393e40
Rolling v8/tools/luci-go: git_revision:e9585787c808e21d6eaa2c7d7a928dbc19999172..git_revision:a373a19da0fbbbe81b2b684e3797260294393e40
Rolling v8/tools/luci-go: git_revision:e9585787c808e21d6eaa2c7d7a928dbc19999172..git_revision:a373a19da0fbbbe81b2b684e3797260294393e40
TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I4765817d9f51dd6f7d9a600799098134eee1a8fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3192297
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#77134}
This reverts commit 649e9113fd.
Reason for revert: Abseil was reverted due to gcc failures, so reverting this first. When upstream fixes land, we can reland abseil and this change.
Original change's description:
> [bazel] Adds support to abseil
>
> No-Try: true
> Bug: v8:11006
> Change-Id: Ie2758849fcb8b19ae34289d3e762094b062f2a5c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3168644
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Commit-Queue: Victor Gomes <victorgomes@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76938}
Bug: v8:11006
Change-Id: Iedde555df8bc736cf922b0d9f51b0a78f7e1db49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3192192
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77133}
Refactor code such that the linear algorithm is actually executed
outside the method for the fixpoint iteration. Also added a CHECK
which verifies that iterating the ephemerons one more time results in
no further marked objects.
Also force another iteration when ProcessMarkingWorklist() processed
some object. In such cases we need to re-process all ephemerons,
otherwise ephemeron semantics might be broken.
Bug: chromium:1252918
Change-Id: I9123dda50e34227a04825fd8b3172368286cc76f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3190100
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77131}
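An added toy model of the ephemeron fixpoint described in the commit message above (constructed example, not V8's marker code): a linear pass over all ephemerons marks values whose keys are marked, any progress on the marking worklist forces another pass because newly marked objects may be keys seen earlier, and a final check asserts that one extra pass marks nothing. Object ids, the `ToyHeap` type and the sample heap are assumptions of this example.

```cpp
#include <cstdio>
#include <cstdlib>
#include <unordered_set>
#include <vector>

// Toy CHECK mirroring the role of V8's CHECK: abort loudly on violation.
#define TOY_CHECK(cond)                                        \
  do {                                                         \
    if (!(cond)) {                                             \
      std::fprintf(stderr, "CHECK failed: %s\n", #cond);       \
      std::abort();                                            \
    }                                                          \
  } while (0)

// Ephemeron(key, value): |value| is kept alive only while |key| is alive.
struct Ephemeron { int key; int value; };

struct ToyHeap {
  std::vector<std::vector<int>> strong;  // strong[obj] = strongly referenced objects
  std::vector<Ephemeron> ephemerons;      // e.g. WeakMap entries
  std::unordered_set<int> marked;         // mark bits
  std::vector<int> worklist;              // marking worklist

  // Returns true only if |obj| was newly marked (and pushed for tracing).
  bool Mark(int obj) {
    if (!marked.insert(obj).second) return false;
    worklist.push_back(obj);
    return true;
  }

  // Drain the worklist through strong edges. Returns true if any object was
  // processed, i.e. new ephemeron keys may have become marked.
  bool ProcessMarkingWorklist() {
    bool processed = false;
    while (!worklist.empty()) {
      int obj = worklist.back();
      worklist.pop_back();
      processed = true;
      for (int target : strong[obj]) Mark(target);
    }
    return processed;
  }

  // The linear algorithm: one pass over all ephemerons, marking values whose
  // keys are marked. Returns true if at least one new object was marked.
  bool ProcessEphemeronsLinear() {
    bool marked_new = false;
    for (const Ephemeron& e : ephemerons)
      if (marked.count(e.key) && Mark(e.value)) marked_new = true;
    return marked_new;
  }

  // Fixpoint iteration around the linear pass. Worklist progress alone is
  // enough to force another pass: a value marked late may be an earlier key.
  void MarkEphemeronsFixpoint() {
    bool again;
    do {
      bool values_marked = ProcessEphemeronsLinear();
      bool worklist_progress = ProcessMarkingWorklist();
      again = values_marked || worklist_progress;
    } while (again);
    TOY_CHECK(!ProcessEphemeronsLinear());  // one more pass must be a no-op
  }

  void MarkFromRoots(const std::vector<int>& roots) {
    for (int r : roots) Mark(r);
    ProcessMarkingWorklist();
    MarkEphemeronsFixpoint();
  }
};

// Constructed sample: roots -> 0, 0 -> 1 strongly; ephemerons chained so each
// key is only reachable via the previous ephemeron's value, listed in reverse
// order so a single linear pass cannot finish. Object 5 hangs off dead key 9.
std::unordered_set<int> MarkSample() {
  ToyHeap h;
  h.strong.assign(10, {});
  h.strong[0] = {1};
  h.ephemerons = {{3, 4}, {2, 3}, {1, 2}, {9, 5}};
  h.MarkFromRoots({0});
  return h.marked;  // {0, 1, 2, 3, 4}; 5 and 9 stay unmarked
}
```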
Because there can be fewer function signatures than there are
functions, a new ForceAddSignature function was added which does
not deduplicate.
Bug: v8:11954
Change-Id: Ib028de47962dd1e797ead1b1f05a4e6815029487
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3186431
Commit-Queue: Maria Tîmbur <mtimbur@google.com>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77126}
This reverts commit 7d849870ff.
Reason for revert: Will block roll. Broke error message tests upstream:
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Win/6635/overview
Original change's description:
> [regexp] Reorganize and deduplicate in the regexp parser
>
> The parser is organized in a somewhat tricky way s.t. it can be
> hard to map the implementation back to the specified grammar.
>
> In particular, the logic for CharacterClassEscape, ClassEscape,
> and CharacterEscape was implemented twice - once inside a character
> class, once outside.
>
> This CL refactors related logic to have only a single implementation.
>
> As a drive-by, fix one related inconsistency related to \k inside
> a character class.
>
> Fixed: v8:10602
> Change-Id: I5858840159694fa6f8d1aa857027db80754e3dfd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3178966
> Reviewed-by: Mathias Bynens <mathias@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77114}
Change-Id: Ic7404d6c9f0e6ea51e8cd8f1ab672856dca0c637
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3190692
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#77125}
Update outdated comments and address TODO about kDataIndex.
Change-Id: Ibf6e91857c0430cb9a598c98933db63ac42a1d1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3189197
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77123}
When preparing to take a heap snapshot for the devtools, V8 uses
CollectAllAvailableGarbage, which runs 2 to 7 rounds of garbage
collection, depending on whether weak callbacks indicate that further
rounds might be beneficial. Depending on how many rounds of GC run,
varying amounts of bytecode and baseline code may be flushed, leading to
inconsistent behavior and underreporting the amount of memory used by
bytecode and baseline code. In this change, I propose that bytecode
should not increase in age during these collections, so that the
resulting snapshot is a better indication of actual memory usage.
Change-Id: I644be37833f85bb58e2e2fad5da62949cbdc9bef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3182885
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#77122}
Use `const void*` to signal that we are not hashing for the
`char*` contents.
Change-Id: Ib8c31e293ec1e57a7799a68cfd2d59ce39076d43
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3190108
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77119}
Add the use_remoteexec arg to the reclient mixin. Set both use_rbe and
use_remoteexec while switching from one to the other.
Bug: chromium:1252752
Change-Id: I415a849dbd27c4de23d6f9fcfde7c1beba8f5f7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3188950
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Savigny <msavigny@google.com>
Cr-Commit-Position: refs/heads/main@{#77117}
When handling the 'end' opcode, there was confusion about the value of
"unreachable". This DCHECK assumes the value of "unreachable" before
closing the scope, but was placed after the value is potentially updated
to reflect the state after the 'end' opcode.
R=clemensb@chromium.org
Bug: chromium:1251845
Change-Id: Iea526e6485fa705f6ff4077f54a53204cc70a926
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3190102
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77116}
The parser is organized in a somewhat tricky way s.t. it can be
hard to map the implementation back to the specified grammar.
In particular, the logic for CharacterClassEscape, ClassEscape,
and CharacterEscape was implemented twice - once inside a character
class, once outside.
This CL refactors related logic to have only a single implementation.
As a drive-by, fix one related inconsistency related to \k inside
a character class.
Fixed: v8:10602
Change-Id: I5858840159694fa6f8d1aa857027db80754e3dfd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3178966
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77114}
The intent of the RISC-V ISA is that 32-bit C values are stored sign-extended in registers, even for unsigned types.
So we skip the cctest cases RunLoadStoreZeroExtend64/RunUnalignedLoadStoreZeroExtend64 due to the sign extension of uint32.
Change-Id: Icfe727916b1c04aad5681902ec4782cc98906964
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3184560
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Ji Qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#77112}
Several of the cctest/test-bytecode-generator/* tests used to rely
on the __COUNTER__ C++ compiler macro, which could cause spurious
test failures due to mismatched expectations when usages of that
macro were added or removed elsewhere in the code. This patch switches
to a custom, controllable static counter variable instead, to make
the tests' behaviors self-contained.
Bug: v8:12244
Change-Id: I4d875b6095e4ee4ef91933ab8c60c89054d1894a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3186836
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77111}
Port commit a0ace8a8a5
On mips64 and loong64, sign-extend the 32-bit value.
Change-Id: I058e3fcba94c25ad36ab1d751dea6bfc0558471a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3189854
Reviewed-by: Liu yu <liuyu@loongson.cn>
Commit-Queue: Liu yu <liuyu@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/main@{#77110}
Port e301d71ff5
[compiler] Teach InstructionScheduler about protected memory accesses
Port a0ace8a8a5
[wasm] Interpret table.grow result as 32 bit
Port [regexp] Fix UAF in RegExpMacroAssembler
Change-Id: Ieac5e4deae9c6bbf844788d927f5201b906495f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3189213
Commit-Queue: Ji Qiu <qiuji@iscas.ac.cn>
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#77108}