This is a reland of 1f0b0ed0e4
No actual code has changed in the relands.
The change was reverted due to triggering flaky failures in
WebMediaPlayerImplTest which was not set up properly. The test setup
has been fixed in https://crrev.com/c/3025796.
Original change's description:
> Reland "heap: Fix initial GC configuration for C++-only heaps"
>
> This is a reland of 7ef67b2e9e
>
> Manually checked that the CL was not the culprit breaking
> media_blink_unittests --gtest_filter=WebMediaPlayerImplTest.MemDumpReporting
>
> Original change's description:
> > heap: Fix initial GC configuration for C++-only heaps
> >
> > Heaps in V8 start with a large limit that is shrunk upon young
> > generation GCs, based on some liveness estimate. This provides best
> > throughput during startup while at the same time finding a reasonable
> > first limit.
> >
> > For C++ (embedder memory) there is no estimate which is why it was
> > piggy-backing on V8. This breaks in scenarios where no JS memory is
> > allocated.
> >
> > In this fix we start a memory reducer after embedder memory has hit
> > the activation threshold if no GC happened so far. As soon as a single
> > Scavenger has happened, we leave it up to the JS estimate to figure
> > out a limit. Memory reducing GCs will then find a regular limit based
> > on the initial live size.
> >
> > Drive-by: Give embedders the same activiation threshold of 8MB as JS.
> >
> > Bug: chromium:1217076
> > Change-Id: I8469696002ac2af8d75d6b47def062d2608387a1
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2944935
> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> > Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#75012}
>
> Bug: chromium:1217076
> Change-Id: I482d8525379e33095834d5b41be8bb49bdd8a5d4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2949094
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75048}
Bug: chromium:1217076
Change-Id: If920d6b2c54a0c9d67e55e276421e4694eb1414e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960218
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75894}
This CL adds support for classes with methods.
More specifically:
- A new ValueSerializer is added and classes are serialized separetely
from functions, although the common parts are handled in the same way
and abstracted away.
- The function prototype is serialized as an object and any missing
information is set up again during deserialization.
- FunctionFlagsToFunctionKinds() is updated to allow for more function
kinds.
- Context serialization is updated to support serializing BlockContexts
and creating ScopeInfos of type CLASS_SCOPE.
- Map serialization is updated to support properties with custom
attributes.
Bug: v8:11525, v8:11706
Change-Id: I16ca7cbc17b1811721081cda05124ce36073f9be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3006416
Commit-Queue: Vicky Kontoura <vkont@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75893}
Change the folded interrupt check to be on JumpLoop only, to avoid
calling it from Return. The call from Return could cause spurious stack
overflows, which interacted poorly with async functions that had already
resolved their promise.
Now the bytecode budget interrupt function is split into two functions,
one which does the stack check and one which doesn't. The former is
still called from JumpLoop, the latter is called from Return.
Bug: chromium:1231952, chromium:1232105
Change-Id: I8c4e2937f64b5f8fdbd6c1fcb2a76ec5f090ae3c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3049076
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75891}
Starting with Simd Add ops which are ported to liftoff.
Change-Id: I2128303accf9bc47812560f5aa38b5ccfc2e3e78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3049070
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#75890}
Enabling --turbo-optimize-apply breaks tests because we are
passing the wrong receiver;
in JSCallReducer::ReduceCallOrConstructWithArrayLikeOrSpread
we create a Call node with the wrong ConvertReceiverMode, we
pass kNullOrUndefined while it should be kAny. This may break
calls to API or in general calls to functions that use the
receiver.
Bug: chromium:1231108, v8:9974
Change-Id: Ib35a1bf8746ad254b6d63274f3ae11b12aa83de8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043690
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75886}
The AsyncStackTrace had some magical self-healing where it'd try to not
stitch together async stack traces when the instrumentation seemed to be
broken. This silent self-healing however seems to be broken itself, and
instead of papering over the problem we should fix instrumentation bugs
when they are observed.
Fixed: chromium:1231064
Change-Id: I2bcc85679abdbe6f4df4866cb951c5f6cefb4f67
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3048181
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75885}
This reverts commit a5fd60e15a.
Reason for revert: As per crbug/1213374 this is not applied consistently. E.g. wrapping object into an array will bypass access checks. With the crrev/c/3041424 however, only accessible properties are shown in console, so logging a restricted object is no longer unsafe.
Original change's description:
> Calls to {console} require an access check for the provided arguments
>
> This CL adds an access check for the arguments to all calls to
> {console} like {console.log}. This is needed since the DevTools
> protocol notificiation event does not contain the context in which
> the {console.log} call occurred. Only the context of the argument.
> When DevTools then reads properties for the preview of the argument,
> it uses arguments context, instead of the calling context, potentially
> leaking objects/exceptions into the calling context.
>
> Bug: chromium:987502, chromium:986393
> Change-Id: I6f7682f7bee94a28ac61994bad259bd003511c39
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741664
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63122}
Bug: chromium:987502, chromium:986393, chromium:1213374
Change-Id: I92a8bb7663ff97de8831ddeb2c8560fb9fa1c12e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3046189
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Danil Somsikov <dsv@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75881}
Now that we have advanced division algorithms, we can implement
a divide-and-conquer strategy for toString-conversions, to make
their complexity sub-quadratic.
For example, this speeds up `(2n ** (2n ** 21n)).toString().length`
from 9400 ms to 200 ms on my laptop.
Bug: v8:11515
Change-Id: Id20f7f2928dc7308609f4c1688f32b252e04f433
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3017805
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75880}
As an optimization, RegisterWeakReferenceIfNeeded checks whether the
target object is marked, and only registers it if it's not marked.
The target object may still be under construction, in which case
checking the mark bit will race with allocating the object.
Bug: chromium:1056170, chromium:1232339
Change-Id: I0a41afba7f48f288f708441176f89509a81ebb09
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3048171
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75879}
This is a reland of 84d5b027a7
It removes support for 8-byte types which were causing
unaligned reads.
Original change's description:
> [fastcall] Implement support for TypedArray arguments
>
> This CL adds TypedArrays as supported arguments for fast API calls.
> It implements "exact type" matching, i.e. if Float32Array is expected
> and e.g. Int32Array is passed instead, the generated code bails to the
> slow callback.
>
> Bug: chromium:1052746, chromium:1018624
> Change-Id: I01d4e681d2b367cbb57b06effcb591c090a23295
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2999094
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75756}
Bug: chromium:1052746, chromium:1018624
Change-Id: I872716d95bde8c340cf04990a3e4ae8ec8cd74a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035090
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75877}
This properly threads through the `executionContextId` to the request
reported to the DevTools front-end, similarly to how we already report
the `executionContextId` as part of `Runtime.bindingCalled`.
Bug: chromium:1231521
Change-Id: I0a003041aedd8ec661d1b07cdddbcd1f2866a99f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3046187
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75875}
Replaces includes of v8.h with more fine-grained includes and moves the
deoptimizer.h include to the places that actually need it.
Bug: v8:11879
Change-Id: Ifc2e89caf455ddcf559fdb449d0fed7ad0d046d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3045706
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75873}
According to the spec https://tc39.github.io/proposal-error-cause,
the property 'cause' should not present on Error.prototype.
Bug: v8:12006
Change-Id: Ib1601769793b808c5f5a7065effcc77d1def4cbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3037911
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75872}
Removes unnecessary includes of v8.h from
src/diagnostics/gdb-jit.h
src/diagnostics/system-jit-win.h
src/diagnostics/unwinder.h
by predeclaring types or using more appropriate headers.
Bug: v8:11879
Change-Id: I17f42acfef8e61133988453d67c3c0d473ff0337
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3045702
Auto-Submit: Dan Elphick <delphick@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75870}
The test is flaky on that hardware but seems to work just fine on other
arm hardware.
R=machenbach@chromium.org
Bug: v8:10948
Change-Id: Ic60cc23c1b4825623a91e3defcd21eada74554a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043954
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75867}
The intrinsic default proto was not installed on async
function constructor, so the proto for those unable to
get a proper receiver fallbacks to the realms'
%Object.prototype%.
Bug: v8:9818
Change-Id: I08b9459d60da72dc894b983973e0a36019be9141
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043691
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75866}
And use it to remove the set of TurboProp test skips.
BUG=v8:9684,v8:12013
Change-Id: I878e2b9c595449c954735290959d3b38eead5a5b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043963
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75865}
...while on-heap objects are referring to it. This is accomplished
by storing a reference to its associated WasmInstanceObject on every
WasmTypeInfo object.
Details: https://bit.ly/2UxD4hW
Fixed: v8:11953
Change-Id: Ifb6f976142356021393d41c50717d210d525d521
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043959
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75863}
These mutex guards may trigger GC on the slow paths; to detect misuse
(creating these guards inside GC-disallowed scopes) more reliably,
this CL adds
DCHECK(AllowGarbageCollection::IsAllowed())
to the guard constructors.
Bug: v8:12012
Change-Id: If59514c97ba6cc9bbca3b56559bf2496cafc78d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043952
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75861}
This is a follow-up to https://crrev.com/c/3015557. Even though we
enabled trap handling and use it in wasm code, the embedder callback
still refused to handle the signal.
This CL removed an obsolete comment and simplifies the preprocessor
condition to just check for the V8_TRAP_HANDLER_SUPPORTED variable
instead of repeating the supported platforms.
R=ahaas@chromium.org
Bug: v8:11955, chromium:1231858
Change-Id: I417c790fdb755cba182578e7aa1ce4327f4c05ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3045352
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75860}
- Add DropArguments() to x64 TurboAssembler to get rid of arguments on
the stack while preserving the return address.
- Add DropArgumentsAndPushNewReceiver() to x64 TurboAssembler to get rid
of arguments on the stack and push a new receiver, while preserving
the return address.
Bug: v8:11112
Change-Id: I39ea012219ae3748a73933188eb860ce794de2f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3045349
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75859}
A mix of readability refactors, additional DCHECKs, and
addressed/updated TODOs.
Bug: v8:7790
Change-Id: I87ff996abd40b0ed081586e2c0da1a4c0942fed4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041665
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75858}
Move some methods that don't access the isolate from x64 MacroAssembler
to TurboAssembler.
Drive-by: Add RootAsOperand to create an operand for root-relative
constants.
Bug: v8:11112
Change-Id: Ic0b62d96af004860e5a05539f94d0ac003b06fc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3045348
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75857}
While pointer-compression still doesn't guarantee 8-byte alignment
for objects, the WasmInstanceObject definition should be prepared
for a future where that changes.
No behavioral differences are expected from this, and likely no
performance differences for now either.
Change-Id: Iedd85f4361d45e1e3cf5d645496b9ad34acf533b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038527
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75855}
Some skips are no longer required.
BUG=v8:9684
Change-Id: I921f2032ea5c19429c735120ba80a09b8f1e352e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043961
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75854}
Adds incompatibility between future/turboprop variants and stress-concurrent-inlining
due to incompatibility from both configs weakly setting --interrupt-budget. Also ensures
we maintain this incompatibility if --future is passed as an extra flag as is done on
some bots.
BUG=v8:9684
Change-Id: I4855b92a64db00da15efc2384e241d4bf0c373c2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041677
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75853}
Fold the stack interrupt check to happen as part of the bytecode budget
interrupt, so that we can skip the stack check on JumpLoop. This is a
minor improvement for Ignition, but it's mainly for for Sparkplug code
as it means we don't have to emit additional stack interrupt checks.
TurboFan doesn't have budget interrupts, so it keeps the stack interrupt
check.
Bug: v8:11420
Change-Id: I055fe752946fda6a50ca2675fa3847999898a951
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041674
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75851}
The MapRef constructor contains a ParkedSharedMutexGuard which may
trigger gc; and MapRefs may be created for any HeapObjectRef (or
subclass) creation. Thus, calls to (Try)MakeRef must happen in
contexts in which garbage collection is allowed.
Bug: v8:7790,v8:12012
Change-Id: If0cb9e2dae7150b0aa5193a90ec3bc9cd9ac3b81
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043951
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75850}
Rolling v8/base/trace_event/common: d41864d..ad56859
Rolling v8/build: 51d7849..66e6c2e
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/6a2f664..9ac1fdf
Rolling v8/tools/clang: c81b8b9..131233f
Rolling v8/tools/luci-go: git_revision:6387586e5b3279aebdf22bdab7ae619dbc156b66..git_revision:9ee8b1d719c0d3c268e0e19282351ca78024af2d
Rolling v8/tools/luci-go: git_revision:6387586e5b3279aebdf22bdab7ae619dbc156b66..git_revision:9ee8b1d719c0d3c268e0e19282351ca78024af2d
Rolling v8/tools/luci-go: git_revision:6387586e5b3279aebdf22bdab7ae619dbc156b66..git_revision:9ee8b1d719c0d3c268e0e19282351ca78024af2d
TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
Change-Id: I1fb8aa68f5afba116d2f214f2128553a77e6ca7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3045038
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75849}
RegExp match indices have shipped since M90
Bug: v8:9548
Change-Id: I8bf54ce1a50b5079aad71140f75c979a09aae5bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3042842
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75848}
This is a reland of 4cc547c759
Change: prevent a memcpy to nullptr by skipping the call to copy_out()
when the length is zero.
Original change's description:
> [wasm][eh] Add WebAssembly.Tag.type
>
> R=ahaas@chromium.org
>
> Bug: v8:8091
> Change-Id: Id069ffbf76bf836b613287788b1b1fccbb577475
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3021173
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75815}
Bug: v8:8091
Change-Id: I22f400b6e36d1322a4eabd20a68b4bdd70d61377
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041436
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75847}
Allow CrossThreadPersistent and its weak form to access ASAN poisoned
memory from the GC entry points.
In general, payloads of to-be-finalized objects are poisoned until the
finalizer actually runs to avoid accidentally touching that payload.
In the case of cross-thread handles, these may need to be cleared by a
different thread before the finalizer actually runs. In order to clear
those references, the slot needs to be unpoisoned.
This is issue is ASAN-only and does not affect production or other
debug builds.
Bug: chromium:1230599, chromium:1056170
Change-Id: If4d0808953047319b02653821abbb5c638084dc5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3040845
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75846}
