
chore: cherry-pick 02f84c745fc0 from v8 (#28640)

* chore: cherry-pick 02f84c745fc0 from v8

* update patches
Electron Bot 4 years ago
parent
commit
602f65ab5d
2 changed files with 90 additions and 0 deletions
  1. 1 0
      patches/v8/.patches
  2. 89 0
      patches/v8/cherry-pick-02f84c745fc0.patch

+ 1 - 0
patches/v8/.patches

@@ -25,3 +25,4 @@ cherry-pick-36abafa0a316.patch
 merged_interpreter_store_accumulator_to_callee_after_optional.patch
 reland_regexp_hard-crash_on_invalid_offsets_in.patch
 regexp_throw_when_length_of_text_nodes_in_alternatives_is_too.patch
+cherry-pick-02f84c745fc0.patch

+ 89 - 0
patches/v8/cherry-pick-02f84c745fc0.patch

@@ -0,0 +1,89 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Georg Neis <[email protected]>
+Date: Mon, 12 Apr 2021 09:42:03 +0200
+Subject: Fix bug in InstructionSelector::ChangeInt32ToInt64
+
+Bug: chromium:1196683
+Change-Id: Ib4ea738b47b64edc81450583be4c80a41698c3d1
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820971
+Commit-Queue: Georg Neis <[email protected]>
+Reviewed-by: Nico Hartmann <[email protected]>
+Cr-Commit-Position: refs/heads/master@{#73903}
+
+diff --git a/src/compiler/backend/x64/instruction-selector-x64.cc b/src/compiler/backend/x64/instruction-selector-x64.cc
+index ab669864954fb5335b0e98881351a43134f870a4..82d8cbd6f7ec5309461d03fb1769382d0bf19877 100644
+--- a/src/compiler/backend/x64/instruction-selector-x64.cc
++++ b/src/compiler/backend/x64/instruction-selector-x64.cc
+@@ -1270,7 +1270,9 @@ void InstructionSelector::VisitChangeInt32ToInt64(Node* node) {
+         opcode = load_rep.IsSigned() ? kX64Movsxwq : kX64Movzxwq;
+         break;
+       case MachineRepresentation::kWord32:
+-        opcode = load_rep.IsSigned() ? kX64Movsxlq : kX64Movl;
++        // ChangeInt32ToInt64 must interpret its input as a _signed_ 32-bit
++        // integer, so here we must sign-extend the loaded value in any case.
++        opcode = kX64Movsxlq;
+         break;
+       default:
+         UNREACHABLE();
+diff --git a/test/mjsunit/compiler/regress-1196683.js b/test/mjsunit/compiler/regress-1196683.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..abd7d6b2f8da45991e1e3b6c72582bc716d63efb
+--- /dev/null
++++ b/test/mjsunit/compiler/regress-1196683.js
+@@ -0,0 +1,56 @@
++// Copyright 2021 the V8 project authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++// Flags: --allow-natives-syntax
++
++
++(function() {
++  const arr = new Uint32Array([2**31]);
++  function foo() {
++    return (arr[0] ^ 0) + 1;
++  }
++  %PrepareFunctionForOptimization(foo);
++  assertEquals(-(2**31) + 1, foo());
++  %OptimizeFunctionOnNextCall(foo);
++  assertEquals(-(2**31) + 1, foo());
++});
++
++
++// The remaining tests already passed without the bugfix.
++
++
++(function() {
++  const arr = new Uint16Array([2**15]);
++  function foo() {
++    return (arr[0] ^ 0) + 1;
++  }
++  %PrepareFunctionForOptimization(foo);
++  assertEquals(2**15 + 1, foo());
++  %OptimizeFunctionOnNextCall(foo);
++  assertEquals(2**15 + 1, foo());
++})();
++
++
++(function() {
++  const arr = new Uint8Array([2**7]);
++  function foo() {
++    return (arr[0] ^ 0) + 1;
++  }
++  %PrepareFunctionForOptimization(foo);
++  assertEquals(2**7 + 1, foo());
++  %OptimizeFunctionOnNextCall(foo);
++  assertEquals(2**7 + 1, foo());
++})();
++
++
++(function() {
++  const arr = new Int32Array([-(2**31)]);
++  function foo() {
++    return (arr[0] >>> 0) + 1;
++  }
++  %PrepareFunctionForOptimization(foo);
++  assertEquals(2**31 + 1, foo());
++  %OptimizeFunctionOnNextCall(foo);
++  assertEquals(2**31 + 1, foo());
++})();