deps: patch V8 to 10.9.194.9

Refs: https://github.com/v8/v8/compare/10.9.194.6...10.9.194.9
PR-URL: https://github.com/nodejs/node/pull/45995
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

6 files changed, 41 insertions, 7 deletions

diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 9cecad7f89..a9d6f92aff 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 10
 #define V8_MINOR_VERSION 9
 #define V8_BUILD_NUMBER 194
-#define V8_PATCH_LEVEL 6
+#define V8_PATCH_LEVEL 9
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/ast/scopes.cc b/deps/v8/src/ast/scopes.cc
index fc06909c51..a66e4ea93f 100644
--- a/deps/v8/src/ast/scopes.cc
+++ b/deps/v8/src/ast/scopes.cc
@@ -929,6 +929,7 @@ void Scope::Snapshot::Reparent(DeclarationScope* new_parent) {
   // Move eval calls since Snapshot's creation into new_parent.
   if (outer_scope_->calls_eval_) {
     new_parent->RecordEvalCall();
+    outer_scope_->calls_eval_ = false;
     declaration_scope_->sloppy_eval_can_extend_vars_ = false;
   }
 }
diff --git a/deps/v8/src/codegen/arm/assembler-arm.cc b/deps/v8/src/codegen/arm/assembler-arm.cc
index b2d7cad096..3fe769a0ec 100644
--- a/deps/v8/src/codegen/arm/assembler-arm.cc
+++ b/deps/v8/src/codegen/arm/assembler-arm.cc
@@ -1444,10 +1444,6 @@ int Assembler::branch_offset(Label* L) {
     L->link_to(pc_offset());
   }
 
-  // Block the emission of the constant pool, since the branch instruction must
-  // be emitted at the pc offset recorded by the label.
-  if (!is_const_pool_blocked()) BlockConstPoolFor(1);
-
   return target_pos - (pc_offset() + Instruction::kPcLoadDelta);
 }
 
@@ -1458,6 +1454,11 @@ void Assembler::b(int branch_offset, Condition cond, RelocInfo::Mode rmode) {
   int imm24 = branch_offset >> 2;
   const bool b_imm_check = is_int24(imm24);
   CHECK(b_imm_check);
+
+  // Block the emission of the constant pool before the next instruction.
+  // Otherwise the passed-in branch offset would be off.
+  BlockConstPoolFor(1);
+
   emit(cond | B27 | B25 | (imm24 & kImm24Mask));
 
   if (cond == al) {
@@ -1472,6 +1473,11 @@ void Assembler::bl(int branch_offset, Condition cond, RelocInfo::Mode rmode) {
   int imm24 = branch_offset >> 2;
   const bool bl_imm_check = is_int24(imm24);
   CHECK(bl_imm_check);
+
+  // Block the emission of the constant pool before the next instruction.
+  // Otherwise the passed-in branch offset would be off.
+  BlockConstPoolFor(1);
+
   emit(cond | B27 | B25 | B24 | (imm24 & kImm24Mask));
 }
 
@@ -1481,6 +1487,11 @@ void Assembler::blx(int branch_offset) {
   int imm24 = branch_offset >> 2;
   const bool blx_imm_check = is_int24(imm24);
   CHECK(blx_imm_check);
+
+  // Block the emission of the constant pool before the next instruction.
+  // Otherwise the passed-in branch offset would be off.
+  BlockConstPoolFor(1);
+
   emit(kSpecialCondition | B27 | B25 | h | (imm24 & kImm24Mask));
 }
 
diff --git a/deps/v8/src/compiler/backend/x64/code-generator-x64.cc b/deps/v8/src/compiler/backend/x64/code-generator-x64.cc
index 6a29cb308e..e3f759f570 100644
--- a/deps/v8/src/compiler/backend/x64/code-generator-x64.cc
+++ b/deps/v8/src/compiler/backend/x64/code-generator-x64.cc
@@ -5295,7 +5295,22 @@ void CodeGenerator::AssembleMove(InstructionOperand* source,
     case MoveType::kStackToRegister: {
       Operand src = g.ToOperand(source);
       if (source->IsStackSlot()) {
-        __ movq(g.ToRegister(destination), src);
+        MachineRepresentation mr =
+            LocationOperand::cast(source)->representation();
+        const bool is_32_bit = mr == MachineRepresentation::kWord32 ||
+                               mr == MachineRepresentation::kCompressed ||
+                               mr == MachineRepresentation::kCompressedPointer;
+        // TODO(13581): Fix this for other code kinds (see
+        // https://crbug.com/1356461).
+        if (code_kind() == CodeKind::WASM_FUNCTION && is_32_bit) {
+          // When we need only 32 bits, move only 32 bits. Benefits:
+          // - Save a byte here and there (depending on the destination
+          //   register; "movl eax, ..." is smaller than "movq rax, ...").
+          // - Safeguard against accidental decompression of compressed slots.
+          __ movl(g.ToRegister(destination), src);
+        } else {
+          __ movq(g.ToRegister(destination), src);
+        }
       } else {
         DCHECK(source->IsFPStackSlot());
         XMMRegister dst = g.ToDoubleRegister(destination);
diff --git a/deps/v8/src/wasm/graph-builder-interface.cc b/deps/v8/src/wasm/graph-builder-interface.cc
index 95de1e88f7..4371d3a185 100644
--- a/deps/v8/src/wasm/graph-builder-interface.cc
+++ b/deps/v8/src/wasm/graph-builder-interface.cc
@@ -2099,7 +2099,7 @@ class WasmGraphBuildingInterface {
       }
       if (exception_value != nullptr) {
         *exception_value = builder_->LoopExitValue(
-            *exception_value, MachineRepresentation::kWord32);
+            *exception_value, MachineRepresentation::kTaggedPointer);
       }
       if (wrap_exit_values) {
         WrapLocalsAtLoopExit(decoder, control);
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-1394973.js b/deps/v8/test/mjsunit/regress/regress-crbug-1394973.js
new file mode 100644
index 0000000000..c0b9ceebcc
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-1394973.js
@@ -0,0 +1,7 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --stress-lazy-source-positions
+
+((__v_0 = ((__v_0 =eval()) => {})()) => {})()