authorAllan Sandfeld Jensen <allan.jensen@qt.io>2020-10-12 14:27:29 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2020-10-13 09:35:20 +0000
commitc30a6232df03e1efbd9f3b226777b07e087a1122 (patch)
treee992f45784689f373bcc38d1b79a239ebe17ee23 /chromium/v8/src/runtime/runtime-wasm.cc
parent7b5b123ac58f58ffde0f4f6e488bcd09aa4decd3 (diff)
BASELINE: Update Chromium to 85.0.4183.14085-based
Change-Id: Iaa42f4680837c57725b1344f108c0196741f6057 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/v8/src/runtime/runtime-wasm.cc')
-rw-r--r--chromium/v8/src/runtime/runtime-wasm.cc44
1 files changed, 30 insertions, 14 deletions
diff --git a/chromium/v8/src/runtime/runtime-wasm.cc b/chromium/v8/src/runtime/runtime-wasm.cc
index 96c88357003..2431cc12b23 100644
--- a/chromium/v8/src/runtime/runtime-wasm.cc
+++ b/chromium/v8/src/runtime/runtime-wasm.cc
@@ -209,15 +209,12 @@ RUNTIME_FUNCTION(Runtime_WasmCompileLazy) {
}
// Should be called from within a handle scope
-Handle<JSArrayBuffer> GetSharedArrayBuffer(Handle<WasmInstanceObject> instance,
- Isolate* isolate, uint32_t address) {
+Handle<JSArrayBuffer> GetArrayBuffer(Handle<WasmInstanceObject> instance,
+ Isolate* isolate, uint32_t address) {
DCHECK(instance->has_memory_object());
Handle<JSArrayBuffer> array_buffer(instance->memory_object().array_buffer(),
isolate);
- // Validation should have failed if the memory was not shared.
- DCHECK(array_buffer->is_shared());
-
// Should have trapped if address was OOB
DCHECK_LT(address, array_buffer->byte_length());
return array_buffer;
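Review bot: Now that GetArrayBuffer no longer asserts is_shared(), its header comment should say that sharedness is the caller's responsibility, because the three call sites changed in this commit treat an unshared buffer differently (notify reports 0, both waits trap). Suggested replacement for `// Should be called from within a handle scope`: `// Should be called from within a handle scope. Does not check whether the memory is shared; callers decide how to handle unshared memory.` The address bound remains a DCHECK only and so is absent from release builds, which the existing "Should have trapped" comment already relies on at each call site. The function's closing brace lies outside the hunk.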
@@ -231,8 +228,12 @@ RUNTIME_FUNCTION(Runtime_WasmAtomicNotify) {
CONVERT_NUMBER_CHECKED(uint32_t, address, Uint32, args[1]);
CONVERT_NUMBER_CHECKED(uint32_t, count, Uint32, args[2]);
Handle<JSArrayBuffer> array_buffer =
- GetSharedArrayBuffer(instance, isolate, address);
- return FutexEmulation::Wake(array_buffer, address, count);
+ GetArrayBuffer(instance, isolate, address);
+ if (array_buffer->is_shared()) {
+ return FutexEmulation::Wake(array_buffer, address, count);
+ } else {
+ return Smi::FromInt(0);
+ }
}
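Review bot: The `return Smi::FromInt(0);` branch for an unshared buffer carries no comment, so a reader may mistake it for a silently swallowed error rather than the intended result. The threads proposal specifies that a notify on unshared memory reports zero woken waiters, so a comment on the else branch such as `// Unshared memory cannot have waiters; notify reports 0 woken.` would make the intent explicit. Runtime_WasmAtomicNotify's opening lies outside the hunk.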
RUNTIME_FUNCTION(Runtime_WasmI32AtomicWait) {
@@ -245,7 +246,12 @@ RUNTIME_FUNCTION(Runtime_WasmI32AtomicWait) {
CONVERT_ARG_HANDLE_CHECKED(BigInt, timeout_ns, 3);
Handle<JSArrayBuffer> array_buffer =
- GetSharedArrayBuffer(instance, isolate, address);
+ GetArrayBuffer(instance, isolate, address);
+
+ // Trap if memory is not shared
+ if (!array_buffer->is_shared()) {
+ return ThrowWasmError(isolate, MessageTemplate::kAtomicsWaitNotAllowed);
+ }
return FutexEmulation::WaitWasm32(isolate, array_buffer, address,
expected_value, timeout_ns->AsInt64());
}
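Review bot: The unshared-memory trap added here is repeated verbatim, comment included, in Runtime_WasmI64AtomicWait in the next hunk; a small helper that either returns the shared buffer or throws kAtomicsWaitNotAllowed would keep the two from drifting, though that is a style choice. The comment `// Trap if memory is not shared` could also give the reason, e.g. `// Trap if memory is not shared: a wait on unshared memory could never be woken.` The function's opening lies outside the hunk.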
@@ -260,7 +266,12 @@ RUNTIME_FUNCTION(Runtime_WasmI64AtomicWait) {
CONVERT_ARG_HANDLE_CHECKED(BigInt, timeout_ns, 3);
Handle<JSArrayBuffer> array_buffer =
- GetSharedArrayBuffer(instance, isolate, address);
+ GetArrayBuffer(instance, isolate, address);
+
+ // Trap if memory is not shared
+ if (!array_buffer->is_shared()) {
+ return ThrowWasmError(isolate, MessageTemplate::kAtomicsWaitNotAllowed);
+ }
return FutexEmulation::WaitWasm64(isolate, array_buffer, address,
expected_value->AsInt64(),
timeout_ns->AsInt64());
@@ -344,6 +355,9 @@ RUNTIME_FUNCTION(Runtime_WasmTableInit) {
CONVERT_ARG_HANDLE_CHECKED(WasmInstanceObject, instance, 0);
CONVERT_UINT32_ARG_CHECKED(table_index, 1);
CONVERT_UINT32_ARG_CHECKED(elem_segment_index, 2);
+ static_assert(
+ wasm::kV8MaxWasmTableSize < kSmiMaxValue,
+ "Make sure clamping to Smi range doesn't make an invalid call valid");
CONVERT_UINT32_ARG_CHECKED(dst, 3);
CONVERT_UINT32_ARG_CHECKED(src, 4);
CONVERT_UINT32_ARG_CHECKED(count, 5);
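Review bot: The static_assert comparing wasm::kV8MaxWasmTableSize with kSmiMaxValue expresses a file-wide invariant, yet it sits between the argument conversions of Runtime_WasmTableInit and is repeated identically in Runtime_WasmTableCopy in the next hunk. Hoisting it once to namespace scope in this file, keeping the same message, would state the invariant in one place. The message refers to clamping to the Smi range; presumably that clamping happens on the caller's side before these arguments reach CONVERT_UINT32_ARG_CHECKED, and a short comment naming where would let a reader verify the assertion still guards the right boundary. Both functions continue outside their hunks.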
@@ -363,6 +377,9 @@ RUNTIME_FUNCTION(Runtime_WasmTableCopy) {
CONVERT_ARG_HANDLE_CHECKED(WasmInstanceObject, instance, 0);
CONVERT_UINT32_ARG_CHECKED(table_dst_index, 1);
CONVERT_UINT32_ARG_CHECKED(table_src_index, 2);
+ static_assert(
+ wasm::kV8MaxWasmTableSize < kSmiMaxValue,
+ "Make sure clamping to Smi range doesn't make an invalid call valid");
CONVERT_UINT32_ARG_CHECKED(dst, 3);
CONVERT_UINT32_ARG_CHECKED(src, 4);
CONVERT_UINT32_ARG_CHECKED(count, 5);
@@ -440,14 +457,13 @@ RUNTIME_FUNCTION(Runtime_WasmDebugBreak) {
// Enter the debugger.
DebugScope debug_scope(isolate->debug());
- const auto undefined = ReadOnlyRoots(isolate).undefined_value();
WasmFrame* frame = frame_finder.frame();
auto* debug_info = frame->native_module()->GetDebugInfo();
if (debug_info->IsStepping(frame)) {
- debug_info->ClearStepping();
+ debug_info->ClearStepping(isolate);
isolate->debug()->ClearStepping();
isolate->debug()->OnDebugBreak(isolate->factory()->empty_fixed_array());
- return undefined;
+ return ReadOnlyRoots(isolate).undefined_value();
}
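Review bot: The reason for dropping the cached `undefined` local in favour of re-reading ReadOnlyRoots(isolate).undefined_value() at each return is not recorded anywhere in the hunk; it may be connected to ClearStepping now taking the isolate, but that is an inference from the visible lines. If the motivation is that a raw value must not be held across that call, a one-line comment at the first return stating so would save the next reader the same guesswork; the same applies to the return in the last hunk of this file. Runtime_WasmDebugBreak starts outside the hunk.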
// Check whether we hit a breakpoint.
@@ -455,7 +471,7 @@ RUNTIME_FUNCTION(Runtime_WasmDebugBreak) {
Handle<FixedArray> breakpoints;
if (WasmScript::CheckBreakPoints(isolate, script, position)
.ToHandle(&breakpoints)) {
- debug_info->ClearStepping();
+ debug_info->ClearStepping(isolate);
isolate->debug()->ClearStepping();
if (isolate->debug()->break_points_active()) {
// We hit one or several breakpoints. Notify the debug listeners.
@@ -474,7 +490,7 @@ RUNTIME_FUNCTION(Runtime_WasmDebugBreak) {
debug_info->RemoveBreakpoint(frame->function_index(), position, isolate);
}
- return undefined;
+ return ReadOnlyRoots(isolate).undefined_value();
}
} // namespace internal