authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-09-23 16:06:29 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-09-24 11:41:55 +0000
commitbac1035f131c0b95b75fb39ffd1a39652843de9f (patch)
tree44839fddbea648d54e4be47bcfbe4a5979bacd29 /chromium/v8/src
parent271a6c3487a14599023a9106329505597638d793 (diff)
BASELINE: Update Chromium to 77.0.3865.98
Change-Id: Ice85979eb8b64af9a3c649d719bec6ea14ac3bf7 Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/v8/src')
-rw-r--r--chromium/v8/src/builtins/base.tq6
-rw-r--r--chromium/v8/src/codegen/code-stub-assembler.cc5
-rw-r--r--chromium/v8/src/codegen/code-stub-assembler.h1
-rw-r--r--chromium/v8/src/compiler/js-native-context-specialization.cc5
-rw-r--r--chromium/v8/src/inspector/custom-preview.cc2
-rw-r--r--chromium/v8/src/inspector/custom-preview.h6
-rw-r--r--chromium/v8/src/inspector/injected-script.cc2
-rw-r--r--chromium/v8/src/regexp/regexp-compiler.cc73
8 files changed, 72 insertions, 28 deletions
diff --git a/chromium/v8/src/builtins/base.tq b/chromium/v8/src/builtins/base.tq
index 4aa1d578374..07af1f441f8 100644
--- a/chromium/v8/src/builtins/base.tq
+++ b/chromium/v8/src/builtins/base.tq
@@ -336,10 +336,16 @@ macro NewJSObject(implicit context: Context)(): JSObject {
};
}
+extern macro HasPrototypeSlot(JSFunction): bool;
+
macro GetDerivedMap(implicit context: Context)(
target: JSFunction, newTarget: JSReceiver): Map {
try {
const constructor = Cast<JSFunction>(newTarget) otherwise SlowPath;
+ if (!HasPrototypeSlot(constructor)) {
+ goto SlowPath;
+ }
+ assert(IsConstructor(constructor));
const map =
Cast<Map>(constructor.prototype_or_initial_map) otherwise SlowPath;
if (LoadConstructorOrBackPointer(map) != target) {
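Review bot: The new `HasPrototypeSlot` guard in GetDerivedMap carries no comment saying why it must precede the `constructor.prototype_or_initial_map` load, so a later cleanup could drop or reorder it. I would add above the `if`: `// Functions without a prototype slot have no prototype_or_initial_map field to load; bail out to the slow path.` (please confirm this wording against the JSFunction layout, which is outside the hunk). Also note that `assert(IsConstructor(constructor))` is, as far as I know, compiled only into debug builds, so release builds rely on the `HasPrototypeSlot` check alone. The try block continues past the end of this hunk.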
diff --git a/chromium/v8/src/codegen/code-stub-assembler.cc b/chromium/v8/src/codegen/code-stub-assembler.cc
index 390746c27dc..e4f35ddcc88 100644
--- a/chromium/v8/src/codegen/code-stub-assembler.cc
+++ b/chromium/v8/src/codegen/code-stub-assembler.cc
@@ -2622,6 +2622,11 @@ TNode<BoolT> CodeStubAssembler::IsGeneratorFunction(
Int32Constant(FunctionKind::kConciseGeneratorMethod))));
}
+TNode<BoolT> CodeStubAssembler::HasPrototypeSlot(TNode<JSFunction> function) {
+ return TNode<BoolT>::UncheckedCast(IsSetWord32<Map::HasPrototypeSlotBit>(
+ LoadMapBitField(LoadMap(function))));
+}
+
TNode<BoolT> CodeStubAssembler::HasPrototypeProperty(TNode<JSFunction> function,
TNode<Map> map) {
// (has_prototype_slot() && IsConstructor()) ||
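Review bot: `CodeStubAssembler::HasPrototypeSlot` is added without a comment, while `HasPrototypeProperty` directly below spells out the predicate it implements. Since the base.tq hunk in this commit uses the helper as a guard before a field load, a one-line contract would help, for example `// True iff |function|'s map has Map::HasPrototypeSlotBit set.` placed above the definition or next to the declaration in code-stub-assembler.h.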
diff --git a/chromium/v8/src/codegen/code-stub-assembler.h b/chromium/v8/src/codegen/code-stub-assembler.h
index 00a84c39265..47abd027490 100644
--- a/chromium/v8/src/codegen/code-stub-assembler.h
+++ b/chromium/v8/src/codegen/code-stub-assembler.h
@@ -1272,6 +1272,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
TNode<Map> LoadJSArrayElementsMap(SloppyTNode<Int32T> kind,
SloppyTNode<Context> native_context);
+ TNode<BoolT> HasPrototypeSlot(TNode<JSFunction> function);
TNode<BoolT> IsGeneratorFunction(TNode<JSFunction> function);
TNode<BoolT> HasPrototypeProperty(TNode<JSFunction> function, TNode<Map> map);
void GotoIfPrototypeRequiresRuntimeLookup(TNode<JSFunction> function,
diff --git a/chromium/v8/src/compiler/js-native-context-specialization.cc b/chromium/v8/src/compiler/js-native-context-specialization.cc
index 7d742a5f326..8f7552baa18 100644
--- a/chromium/v8/src/compiler/js-native-context-specialization.cc
+++ b/chromium/v8/src/compiler/js-native-context-specialization.cc
@@ -1060,7 +1060,8 @@ Reduction JSNativeContextSpecialization::ReduceNamedAccess(
Node* control = NodeProperties::GetControlInput(node);
ZoneVector<PropertyAccessInfo> access_infos(zone());
- AccessInfoFactory access_info_factory(broker(), dependencies(), zone());
+ AccessInfoFactory access_info_factory(broker(), dependencies(),
+ graph()->zone());
if (!access_info_factory.FinalizePropertyAccessInfos(
feedback.access_infos(), access_mode, &access_infos)) {
return NoChange();
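Review bot: Nothing in ReduceNamedAccess explains why `access_info_factory` now allocates from `graph()->zone()` while the `access_infos` vector one line above is still built on `zone()`. The same split appears in the ReducePropertyAccess hunk, where `new (zone()) NamedAccessFeedback(*name, access_infos)` also stays on `zone()`. Presumably the factory's results must outlive the reducer's own zone, but that is not visible from the hunk, and without a note someone may "unify" the two zones and reintroduce a lifetime problem. I would add at both sites something like `// The factory's PropertyAccessInfos must live in the graph zone; zone() does not live long enough.` after confirming the actual lifetimes.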
@@ -1765,7 +1766,7 @@ Reduction JSNativeContextSpecialization::ReducePropertyAccess(
if (name.has_value()) {
ZoneVector<PropertyAccessInfo> access_infos(zone());
AccessInfoFactory access_info_factory(broker(), dependencies(),
- zone());
+ graph()->zone());
access_info_factory.ComputePropertyAccessInfos(
receiver_maps, name->object(), access_mode, &access_infos);
processed = new (zone()) NamedAccessFeedback(*name, access_infos);
diff --git a/chromium/v8/src/inspector/custom-preview.cc b/chromium/v8/src/inspector/custom-preview.cc
index f56562341ca..77cd6dc5f56 100644
--- a/chromium/v8/src/inspector/custom-preview.cc
+++ b/chromium/v8/src/inspector/custom-preview.cc
@@ -242,10 +242,10 @@ void bodyCallback(const v8::FunctionCallbackInfo<v8::Value>& info) {
} // anonymous namespace
void generateCustomPreview(int sessionId, const String16& groupName,
- v8::Local<v8::Context> context,
v8::Local<v8::Object> object,
v8::MaybeLocal<v8::Value> maybeConfig, int maxDepth,
std::unique_ptr<CustomPreview>* preview) {
+ v8::Local<v8::Context> context = object->CreationContext();
v8::Isolate* isolate = context->GetIsolate();
v8::MicrotasksScope microtasksScope(isolate,
v8::MicrotasksScope::kDoNotRunMicrotasks);
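Review bot: The new local `context` in generateCustomPreview is dereferenced on the very next line (`context->GetIsolate()`) without an emptiness check, and it now comes from `object->CreationContext()` rather than from the caller. If `CreationContext()` can return an empty handle for any object that reaches this path (worth confirming for this V8 version), that is a null dereference reachable from inspected page objects. A guard such as `if (context.IsEmpty()) return;` right after the assignment would be cheap, and the visible call site in injected-script.cc already tolerates a null `customPreview`. The function body continues outside the hunk.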
diff --git a/chromium/v8/src/inspector/custom-preview.h b/chromium/v8/src/inspector/custom-preview.h
index 1ae8e25a4c7..1e8c74a154c 100644
--- a/chromium/v8/src/inspector/custom-preview.h
+++ b/chromium/v8/src/inspector/custom-preview.h
@@ -13,9 +13,9 @@ namespace v8_inspector {
const int kMaxCustomPreviewDepth = 20;
void generateCustomPreview(
- int sessionId, const String16& groupName, v8::Local<v8::Context> context,
- v8::Local<v8::Object> object, v8::MaybeLocal<v8::Value> config,
- int maxDepth, std::unique_ptr<protocol::Runtime::CustomPreview>* preview);
+ int sessionId, const String16& groupName, v8::Local<v8::Object> object,
+ v8::MaybeLocal<v8::Value> config, int maxDepth,
+ std::unique_ptr<protocol::Runtime::CustomPreview>* preview);
} // namespace v8_inspector
diff --git a/chromium/v8/src/inspector/injected-script.cc b/chromium/v8/src/inspector/injected-script.cc
index 1edd559e4ef..ad91a8e65e9 100644
--- a/chromium/v8/src/inspector/injected-script.cc
+++ b/chromium/v8/src/inspector/injected-script.cc
@@ -458,7 +458,7 @@ Response InjectedScript::wrapObjectMirror(
if (!response.isSuccess()) return response;
if (customPreviewEnabled && value->IsObject()) {
std::unique_ptr<protocol::Runtime::CustomPreview> customPreview;
- generateCustomPreview(sessionId, groupName, context, value.As<v8::Object>(),
+ generateCustomPreview(sessionId, groupName, value.As<v8::Object>(),
customPreviewConfig, maxCustomPreviewDepth,
&customPreview);
if (customPreview) (*result)->setCustomPreview(std::move(customPreview));
diff --git a/chromium/v8/src/regexp/regexp-compiler.cc b/chromium/v8/src/regexp/regexp-compiler.cc
index c643f988c0f..c70bbc3e4a5 100644
--- a/chromium/v8/src/regexp/regexp-compiler.cc
+++ b/chromium/v8/src/regexp/regexp-compiler.cc
@@ -1970,9 +1970,11 @@ void ChoiceNode::GetQuickCheckDetails(QuickCheckDetails* details,
}
}
+namespace {
+
// Check for [0-9A-Z_a-z].
-static void EmitWordCheck(RegExpMacroAssembler* assembler, Label* word,
- Label* non_word, bool fall_through_on_word) {
+void EmitWordCheck(RegExpMacroAssembler* assembler, Label* word,
+ Label* non_word, bool fall_through_on_word) {
if (assembler->CheckSpecialCharacterClass(
fall_through_on_word ? 'w' : 'W',
fall_through_on_word ? non_word : word)) {
@@ -1994,24 +1996,37 @@ static void EmitWordCheck(RegExpMacroAssembler* assembler, Label* word,
// Emit the code to check for a ^ in multiline mode (1-character lookbehind
// that matches newline or the start of input).
-static void EmitHat(RegExpCompiler* compiler, RegExpNode* on_success,
- Trace* trace) {
+void EmitHat(RegExpCompiler* compiler, RegExpNode* on_success, Trace* trace) {
RegExpMacroAssembler* assembler = compiler->macro_assembler();
- // We will be loading the previous character into the current character
- // register.
+
+ // We will load the previous character into the current character register.
Trace new_trace(*trace);
new_trace.InvalidateCurrentCharacter();
+ // A positive (> 0) cp_offset means we've already successfully matched a
+ // non-empty-width part of the pattern, and thus cannot be at or before the
+ // start of the subject string. We can thus skip both at-start and
+ // bounds-checks when loading the one-character lookbehind.
+ const bool may_be_at_or_before_subject_string_start =
+ new_trace.cp_offset() <= 0;
+
Label ok;
- if (new_trace.cp_offset() == 0) {
- // The start of input counts as a newline in this context, so skip to
- // ok if we are at the start.
- assembler->CheckAtStart(&ok);
+ if (may_be_at_or_before_subject_string_start) {
+ // The start of input counts as a newline in this context, so skip to ok if
+ // we are at the start.
+ // TODO(jgruber): It would be less awkward to use CheckAtStart here, but
+ // that currently does not support a non-zero cp_offset.
+ Label not_at_start;
+ assembler->CheckNotAtStart(new_trace.cp_offset(), &not_at_start);
+ assembler->GoTo(&ok);
+ assembler->Bind(&not_at_start);
}
- // We already checked that we are not at the start of input so it must be
- // OK to load the previous character.
+
+ // If we've already checked that we are not at the start of input, it's okay
+ // to load the previous character without bounds checks.
+ const bool can_skip_bounds_check = !may_be_at_or_before_subject_string_start;
assembler->LoadCurrentCharacter(new_trace.cp_offset() - 1,
- new_trace.backtrack(), false);
+ new_trace.backtrack(), can_skip_bounds_check);
if (!assembler->CheckSpecialCharacterClass('n', new_trace.backtrack())) {
// Newline means \n, \r, 0x2028 or 0x2029.
if (!compiler->one_byte()) {
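Review bot: In EmitHat the name `can_skip_bounds_check` appears to have the opposite polarity to the argument it is passed as. The removed code passed the literal `false` in that position, under a comment saying the load was safe because the at-start check had already run, which suggests the parameter means "check bounds". The new value is `false` exactly when the `CheckNotAtStart` branch was emitted and `true` when `cp_offset > 0`, so the emitted code looks safe, but the name and the comment above it say the reverse of what is passed. Please confirm against the `LoadCurrentCharacter` signature (outside this hunk) and, if so, rename it, e.g. `const bool check_bounds = !may_be_at_or_before_subject_string_start;`, and reword the comment to match. The identical pattern is in the AssertionNode::BacktrackIfPrevious hunk further down.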
@@ -2024,6 +2039,8 @@ static void EmitHat(RegExpCompiler* compiler, RegExpNode* on_success,
on_success->Emit(compiler, &new_trace);
}
+} // namespace
+
// Emit the code to handle \b and \B (word-boundary or non-word-boundary).
void AssertionNode::EmitBoundaryCheck(RegExpCompiler* compiler, Trace* trace) {
RegExpMacroAssembler* assembler = compiler->macro_assembler();
@@ -2080,21 +2097,35 @@ void AssertionNode::BacktrackIfPrevious(
Trace new_trace(*trace);
new_trace.InvalidateCurrentCharacter();
- Label fall_through, dummy;
-
+ Label fall_through;
Label* non_word = backtrack_if_previous == kIsNonWord ? new_trace.backtrack()
: &fall_through;
Label* word = backtrack_if_previous == kIsNonWord ? &fall_through
: new_trace.backtrack();
- if (new_trace.cp_offset() == 0) {
+ // A positive (> 0) cp_offset means we've already successfully matched a
+ // non-empty-width part of the pattern, and thus cannot be at or before the
+ // start of the subject string. We can thus skip both at-start and
+ // bounds-checks when loading the one-character lookbehind.
+ const bool may_be_at_or_before_subject_string_start =
+ new_trace.cp_offset() <= 0;
+
+ if (may_be_at_or_before_subject_string_start) {
// The start of input counts as a non-word character, so the question is
// decided if we are at the start.
- assembler->CheckAtStart(non_word);
- }
- // We already checked that we are not at the start of input so it must be
- // OK to load the previous character.
- assembler->LoadCurrentCharacter(new_trace.cp_offset() - 1, &dummy, false);
+ // TODO(jgruber): It would be less awkward to use CheckAtStart here, but
+ // that currently does not support a non-zero cp_offset.
+ Label not_at_start;
+ assembler->CheckNotAtStart(new_trace.cp_offset(), &not_at_start);
+ assembler->GoTo(non_word);
+ assembler->Bind(&not_at_start);
+ }
+
+ // If we've already checked that we are not at the start of input, it's okay
+ // to load the previous character without bounds checks.
+ const bool can_skip_bounds_check = !may_be_at_or_before_subject_string_start;
+ assembler->LoadCurrentCharacter(new_trace.cp_offset() - 1, non_word,
+ can_skip_bounds_check);
EmitWordCheck(assembler, word, non_word, backtrack_if_previous == kIsNonWord);
assembler->Bind(&fall_through);