
chore: cherry-pick 44d052c and 0919d75 from v8. (#27415)

Co-authored-by: Shelley Vohr <[email protected]>
Pedro Pontes 4 years ago
parent
commit
a73d563390

+ 2 - 0
patches/v8/.patches

@@ -10,3 +10,5 @@ fix_build_deprecated_attirbute_for_older_msvc_versions.patch
 fix_correct_calling_convention_for_windows_on_arm.patch
 perf_make_getpositioninfoslow_faster.patch
 cherry-pick-ffd6ff5a61b9.patch
+merged_deoptimizer_stricter_checks_during_deoptimization.patch
+merged_compiler_mark_jsstoreinarrayliteral_as_needing_a_frame.patch

+ 49 - 0
patches/v8/merged_compiler_mark_jsstoreinarrayliteral_as_needing_a_frame.patch

@@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Georg Neis <[email protected]>
+Date: Fri, 8 Jan 2021 10:24:06 +0100
+Subject: Merged: [compiler] Mark JSStoreInArrayLiteral as needing a frame
+ state
+
+Revision: b837e0338963611c08344cbb6f655a0abd9238c1
+
+BUG=chromium:1161357
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
[email protected]
+
+Change-Id: Ic95dfd20d45d895934dee1592ebf427544eec73b
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2616223
+Reviewed-by: Mythri Alle <[email protected]>
+Commit-Queue: Georg Neis <[email protected]>
+Cr-Commit-Position: refs/branch-heads/8.8@{#24}
+Cr-Branched-From: 2dbcdc105b963ee2501c82139eef7e0603977ff0-refs/heads/8.8.278@{#1}
+Cr-Branched-From: 366d30c99049b3f1c673f8a93deb9f879d0fa9f0-refs/heads/master@{#71094}
+
+diff --git a/src/compiler/operator-properties.cc b/src/compiler/operator-properties.cc
+index c77249f6216a8dd2dd181ad9bc6ca5172c8fe0b9..a8e29416b5d0dda398630df8a81a6712e8932197 100644
+--- a/src/compiler/operator-properties.cc
++++ b/src/compiler/operator-properties.cc
+@@ -193,16 +193,17 @@ bool OperatorProperties::HasFrameStateInput(const Operator* op) {
+     case IrOpcode::kJSCloneObject:
+ 
+     // Property access operations
++    case IrOpcode::kJSDeleteProperty:
++    case IrOpcode::kJSLoadGlobal:
+     case IrOpcode::kJSLoadNamed:
+     case IrOpcode::kJSLoadNamedFromSuper:
+-    case IrOpcode::kJSStoreNamed:
+     case IrOpcode::kJSLoadProperty:
+-    case IrOpcode::kJSStoreProperty:
+-    case IrOpcode::kJSLoadGlobal:
++    case IrOpcode::kJSStoreDataPropertyInLiteral:
++    case IrOpcode::kJSStoreInArrayLiteral:
+     case IrOpcode::kJSStoreGlobal:
++    case IrOpcode::kJSStoreNamed:
+     case IrOpcode::kJSStoreNamedOwn:
+-    case IrOpcode::kJSStoreDataPropertyInLiteral:
+-    case IrOpcode::kJSDeleteProperty:
++    case IrOpcode::kJSStoreProperty:
+ 
+     // Conversions
+     case IrOpcode::kJSToLength:
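Review bot: The one functional change in this hunk is the new `case IrOpcode::kJSStoreInArrayLiteral:` in `OperatorProperties::HasFrameStateInput`, but it arrives inside a re-sort of the ten existing property-access cases, so the fix for chromium:1161357 is easy to miss or drop when this patch is rebased. I would add a comment on that line, for example `// Needs a frame state input; see crbug.com/1161357.`, so the reason it is listed stays next to the opcode. The re-sort is also not quite alphabetical, since `kJSStoreInArrayLiteral` is placed before `kJSStoreGlobal`. The switch begins and ends outside the hunk, so whether other per-opcode lists need to agree with this one cannot be checked from here.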

+ 69 - 0
patches/v8/merged_deoptimizer_stricter_checks_during_deoptimization.patch

@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Georg Neis <[email protected]>
+Date: Fri, 8 Jan 2021 09:33:18 +0100
+Subject: Merged: [deoptimizer] Stricter checks during deoptimization
+
+Revision: 506e893b812e03dbebe34b11d8aa9d4eb6869d89
+
+BUG=chromium:1161357
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
[email protected]
+
+Change-Id: I97b69ae11d85bc0acd4a0c7bd28e1b692433de80
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2616219
+Reviewed-by: Mythri Alle <[email protected]>
+Commit-Queue: Georg Neis <[email protected]>
+Cr-Commit-Position: refs/branch-heads/8.8@{#23}
+Cr-Branched-From: 2dbcdc105b963ee2501c82139eef7e0603977ff0-refs/heads/8.8.278@{#1}
+Cr-Branched-From: 366d30c99049b3f1c673f8a93deb9f879d0fa9f0-refs/heads/master@{#71094}
+
+diff --git a/src/deoptimizer/deoptimizer.cc b/src/deoptimizer/deoptimizer.cc
+index c2b4d402eedc417f49137a1a670e08042f643d4e..a225bac2b73f3fe61e611aaca19c129374b64a44 100644
+--- a/src/deoptimizer/deoptimizer.cc
++++ b/src/deoptimizer/deoptimizer.cc
+@@ -294,6 +294,7 @@ class ActivationsFinder : public ThreadVisitor {
+           SafepointEntry safepoint = code.GetSafepointEntry(it.frame()->pc());
+           int trampoline_pc = safepoint.trampoline_pc();
+           DCHECK_IMPLIES(code == topmost_, safe_to_deopt_);
++          CHECK_GE(trampoline_pc, 0);
+           // Replace the current pc on the stack with the trampoline.
+           // TODO(v8:10026): avoid replacing a signed pointer.
+           Address* pc_addr = it.frame()->pc_address();
+diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
+index b95bc697604b983a4d48a0899776290bbe3720bf..277b48fc66c4024d9bea8c8dc1e6c2e36669f55c 100644
+--- a/test/mjsunit/mjsunit.status
++++ b/test/mjsunit/mjsunit.status
+@@ -81,6 +81,10 @@
+   # https://crbug.com/1129854
+   'tools/log': ['arch == arm or arch == arm64', SKIP],
+ 
++  # crbug.com/1161357
++  # TODO(solanes): Remove this entry once the underlying issue is fixed.
++  'regress/regress-1161357': [PASS, FAIL],
++
+   ##############################################################################
+   # Tests where variants make no sense.
+   'd8/enable-tracing': [PASS, NO_VARIANTS],
+diff --git a/test/mjsunit/regress/regress-1161357.js b/test/mjsunit/regress/regress-1161357.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..b6f03b92ac970f1f24c8e6aa03b27e849d2ae7bc
+--- /dev/null
++++ b/test/mjsunit/regress/regress-1161357.js
+@@ -0,0 +1,15 @@
++// Copyright 2020 the V8 project authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++for (let i = 0; i < 3; i++) {
++  for (let j = 0; j < 32767; j++) {
++    Number;
++  }
++  for (let j = 0; j < 2335; j++) {
++    Number;
++  }
++  var arr = [, ...(new Int16Array(0xffff)), 4294967296];
++  arr.concat(Number, arr)
++}
++eval(``);
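Review bot: `CHECK_GE(trampoline_pc, 0);` in `ActivationsFinder` carries no comment saying why it is a release-mode `CHECK` while the line above it is a `DCHECK_IMPLIES`; the context lines show the value is about to replace the pc stored on the stack, so a negative value should stop the process rather than be written. I would put `// Enforced in release builds: trampoline_pc replaces the pc on the stack below.` above it. The write itself is outside the hunk, so this is inferred from the existing "Replace the current pc on the stack with the trampoline" comment. Separately, the `[PASS, FAIL]` entry added to mjsunit.status lets `regress/regress-1161357` fail without failing the run, and the companion patch on this page does not remove it, so the test gives no regression signal as merged.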