deps: V8: cherry-pick 9ebca66a5740

Original commit message:

    [rab/gsab] Remove --harmony-rab-gsab (has been on by default for a while)

    Bug: v8:11111
    Change-Id: Ie74e7737f3e2e8730820cf00f1cbc7ae02b515af
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5516580
    Commit-Queue: Marja Hölttä <marja@chromium.org>
    Reviewed-by: Camillo Bruni <cbruni@chromium.org>
    Reviewed-by: Shu-yu Guo <syg@chromium.org>
    Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#93848}

Refs: v8/v8@9ebca66
PR-URL: #53522
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #53755
Fixes: #53579
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>

deps/v8/src/api/api.cc

@@ -8953,9 +8953,6 @@ std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStore(
 // static
 std::unique_ptr<BackingStore> v8::ArrayBuffer::NewResizableBackingStore(
     size_t byte_length, size_t max_byte_length) {
-  Utils::ApiCheck(i::v8_flags.harmony_rab_gsab,
-                  "v8::ArrayBuffer::NewResizableBackingStore",
-                  "Constructing resizable ArrayBuffers is not supported");
   Utils::ApiCheck(byte_length <= max_byte_length,
                   "v8::ArrayBuffer::NewResizableBackingStore",
                   "Cannot construct resizable ArrayBuffer, byte_length must be "

deps/v8/src/builtins/builtins-arraybuffer.cc

@@ -134,18 +134,16 @@ BUILTIN(ArrayBufferConstructor) {
   }
 
   Handle<Object> number_max_length;
-  if (v8_flags.harmony_rab_gsab) {
-    Handle<Object> max_length;
-    Handle<Object> options = args.atOrUndefined(isolate, 2);
-    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
-        isolate, max_length,
-        JSObject::ReadFromOptionsBag(
-            options, isolate->factory()->max_byte_length_string(), isolate));
+  Handle<Object> max_length;
+  Handle<Object> options = args.atOrUndefined(isolate, 2);
+  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+      isolate, max_length,
+      JSObject::ReadFromOptionsBag(
+          options, isolate->factory()->max_byte_length_string(), isolate));
 
-    if (!IsUndefined(*max_length, isolate)) {
-      ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
-          isolate, number_max_length, Object::ToInteger(isolate, max_length));
-    }
+  if (!IsUndefined(*max_length, isolate)) {
+    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, number_max_length,
+                                       Object::ToInteger(isolate, max_length));
   }
   return ConstructBuffer(isolate, target, new_target, number_length,
                          number_max_length, InitializedFlag::kZeroInitialized);

deps/v8/src/compiler/heap-refs.cc

@@ -1127,7 +1127,7 @@ bool MapRef::CanInlineElementAccess() const {
       (Is64() || (kind != BIGINT64_ELEMENTS && kind != BIGUINT64_ELEMENTS))) {
     return true;
   }
-  if (v8_flags.turbo_rab_gsab && IsRabGsabTypedArrayElementsKind(kind) &&
+  if (IsRabGsabTypedArrayElementsKind(kind) &&
       kind != RAB_GSAB_BIGUINT64_ELEMENTS &&
       kind != RAB_GSAB_BIGINT64_ELEMENTS) {
     return true;

deps/v8/src/compiler/js-call-reducer.cc

@@ -7552,7 +7552,7 @@ Reduction JSCallReducer::ReduceArrayBufferViewByteLengthAccessor(
     }
   }
 
-  if (!v8_flags.harmony_rab_gsab || !maybe_rab_gsab) {
+  if (!maybe_rab_gsab) {
     // We do not perform any change depending on this inference.
     Reduction unused_reduction = inference.NoChange();
     USE(unused_reduction);
@@ -7561,8 +7561,6 @@ Reduction JSCallReducer::ReduceArrayBufferViewByteLengthAccessor(
         node, JS_TYPED_ARRAY_TYPE,
         AccessBuilder::ForJSArrayBufferViewByteLength(),
         Builtin::kTypedArrayPrototypeByteLength);
-  } else if (!v8_flags.turbo_rab_gsab) {
-    return inference.NoChange();
   }
 
   const CallParameters& p = CallParametersOf(node->op());
@@ -7613,16 +7611,14 @@ Reduction JSCallReducer::ReduceTypedArrayPrototypeLength(Node* node) {
     if (IsRabGsabTypedArrayElementsKind(kind)) maybe_rab_gsab = true;
   }
 
-  if (!v8_flags.harmony_rab_gsab || !maybe_rab_gsab) {
+  if (!maybe_rab_gsab) {
     // We do not perform any change depending on this inference.
     Reduction unused_reduction = inference.NoChange();
     USE(unused_reduction);
     // Call default implementation for non-rab/gsab TAs.
     return ReduceArrayBufferViewAccessor(node, JS_TYPED_ARRAY_TYPE,
                                          AccessBuilder::ForJSTypedArrayLength(),
                                          Builtin::kTypedArrayPrototypeLength);
-  } else if (!v8_flags.turbo_rab_gsab) {
-    return inference.NoChange();
   }
 
   if (!inference.RelyOnMapsViaStability(dependencies())) {

deps/v8/src/compiler/js-native-context-specialization.cc

@@ -3199,8 +3199,6 @@ JSNativeContextSpecialization::BuildElementAccess(
   // TODO(bmeurer): We currently specialize based on elements kind. We should
   // also be able to properly support strings and other JSObjects here.
   ElementsKind elements_kind = access_info.elements_kind();
-  DCHECK_IMPLIES(IsRabGsabTypedArrayElementsKind(elements_kind),
-                 v8_flags.turbo_rab_gsab);
   ZoneVector<MapRef> const& receiver_maps =
       access_info.lookup_start_object_maps();
 
@@ -3586,8 +3584,6 @@ JSNativeContextSpecialization::
         KeyedAccessMode const& keyed_mode) {
   DCHECK(IsTypedArrayElementsKind(elements_kind) ||
          IsRabGsabTypedArrayElementsKind(elements_kind));
-  DCHECK_IMPLIES(IsRabGsabTypedArrayElementsKind(elements_kind),
-                 v8_flags.turbo_rab_gsab);
   // AccessMode::kDefine is not handled here. Optimization should be skipped by
   // caller.
   DCHECK(keyed_mode.access_mode() != AccessMode::kDefine);

deps/v8/src/flags/flag-definitions.h

@@ -280,8 +280,6 @@ DEFINE_BOOL(js_shipping, true, "enable all shipped JavaScript features")
   V(js_regexp_modifiers, "RegExp modifiers") \
   V(js_regexp_duplicate_named_groups, "RegExp duplicate named groups")
 
-DEFINE_WEAK_IMPLICATION(harmony_rab_gsab_transfer, harmony_rab_gsab)
-
 #ifdef V8_INTL_SUPPORT
 #define HARMONY_STAGED(V) HARMONY_STAGED_BASE(V)
 #define JAVASCRIPT_STAGED_FEATURES(V) JAVASCRIPT_STAGED_FEATURES_BASE(V)
@@ -293,11 +291,8 @@ DEFINE_WEAK_IMPLICATION(harmony_rab_gsab_transfer, harmony_rab_gsab)
 // Features that are shipping (turned on by default, but internal flag remains).
 #define HARMONY_SHIPPING_BASE(V)                                      \
   V(harmony_import_assertions, "harmony import assertions")           \
-  V(harmony_rab_gsab,                                                 \
-    "harmony ResizableArrayBuffer / GrowableSharedArrayBuffer")       \
   V(harmony_regexp_unicode_sets, "harmony RegExp Unicode Sets")       \
   V(harmony_json_parse_with_source, "harmony json parse with source") \
-  V(harmony_rab_gsab_transfer, "harmony ArrayBuffer.transfer")        \
   V(harmony_array_grouping, "harmony array grouping")                 \
   V(harmony_array_from_async, "harmony Array.fromAsync")              \
   V(harmony_iterator_helpers, "JavaScript iterator helpers")          \
@@ -1278,9 +1273,6 @@ DEFINE_BOOL_READONLY(turbo_rewrite_far_jumps, false,
                      "rewrite far to near jumps (ia32,x64)")
 #endif
 
-DEFINE_BOOL(
-    turbo_rab_gsab, true,
-    "optimize ResizableArrayBuffer / GrowableSharedArrayBuffer in TurboFan")
 DEFINE_BOOL(
     stress_gc_during_compilation, false,
     "simulate GC/compiler thread race related to https://crbug.com/v8/8520")

deps/v8/src/heap/factory.cc

@@ -3220,7 +3220,7 @@ Handle<JSArrayBuffer> Factory::NewJSArrayBuffer(
       isolate()->native_context()->array_buffer_fun()->initial_map(),
       isolate());
   ResizableFlag resizable_by_js = ResizableFlag::kNotResizable;
-  if (v8_flags.harmony_rab_gsab && backing_store->is_resizable_by_js()) {
+  if (backing_store->is_resizable_by_js()) {
     resizable_by_js = ResizableFlag::kResizable;
   }
   auto result =
@@ -3276,8 +3276,6 @@ MaybeHandle<JSArrayBuffer> Factory::NewJSArrayBufferAndBackingStore(
 
 Handle<JSArrayBuffer> Factory::NewJSSharedArrayBuffer(
     std::shared_ptr<BackingStore> backing_store) {
-  DCHECK_IMPLIES(backing_store->is_resizable_by_js(),
-                 v8_flags.harmony_rab_gsab);
   Handle<Map> map(
       isolate()->native_context()->shared_array_buffer_fun()->initial_map(),
       isolate());
@@ -3383,7 +3381,6 @@ Handle<JSTypedArray> Factory::NewJSTypedArray(
   ElementsKind elements_kind;
   JSTypedArray::ForFixedTypedArray(type, &element_size, &elements_kind);
 
-  CHECK_IMPLIES(is_length_tracking, v8_flags.harmony_rab_gsab);
   const bool is_backed_by_rab =
       buffer->is_resizable_by_js() && !buffer->is_shared();
 
@@ -3425,7 +3422,6 @@ Handle<JSTypedArray> Factory::NewJSTypedArray(
 Handle<JSDataViewOrRabGsabDataView> Factory::NewJSDataViewOrRabGsabDataView(
     DirectHandle<JSArrayBuffer> buffer, size_t byte_offset, size_t byte_length,
     bool is_length_tracking) {
-  CHECK_IMPLIES(is_length_tracking, v8_flags.harmony_rab_gsab);
   if (is_length_tracking) {
     // Security: enforce the invariant that length-tracking DataViews have their
     // byte_length set to 0.

deps/v8/src/init/bootstrapper.cc

@@ -4054,6 +4054,25 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
             "arrayBufferConstructor_DoNotInitialize"),
         Builtin::kArrayBufferConstructor_DoNotInitialize, 1, false);
     native_context()->set_array_buffer_noinit_fun(*array_buffer_noinit_fun);
+
+    Handle<JSObject> array_buffer_prototype(
+        JSObject::cast(array_buffer_fun->instance_prototype()), isolate_);
+    SimpleInstallGetter(isolate_, array_buffer_prototype,
+                        factory->max_byte_length_string(),
+                        Builtin::kArrayBufferPrototypeGetMaxByteLength, false);
+    SimpleInstallGetter(isolate_, array_buffer_prototype,
+                        factory->resizable_string(),
+                        Builtin::kArrayBufferPrototypeGetResizable, false);
+    SimpleInstallFunction(isolate_, array_buffer_prototype, "resize",
+                          Builtin::kArrayBufferPrototypeResize, 1, true);
+    SimpleInstallFunction(isolate_, array_buffer_prototype, "transfer",
+                          Builtin::kArrayBufferPrototypeTransfer, 0, false);
+    SimpleInstallFunction(
+        isolate_, array_buffer_prototype, "transferToFixedLength",
+        Builtin::kArrayBufferPrototypeTransferToFixedLength, 0, false);
+    SimpleInstallGetter(isolate_, array_buffer_prototype,
+                        factory->detached_string(),
+                        Builtin::kArrayBufferPrototypeGetDetached, false);
   }
 
   {  // -- S h a r e d A r r a y B u f f e r
@@ -4063,6 +4082,19 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
     InstallWithIntrinsicDefaultProto(isolate_, shared_array_buffer_fun,
                                      Context::SHARED_ARRAY_BUFFER_FUN_INDEX);
     InstallSpeciesGetter(isolate_, shared_array_buffer_fun);
+
+    Handle<JSObject> shared_array_buffer_prototype(
+        JSObject::cast(shared_array_buffer_fun->instance_prototype()),
+        isolate_);
+    SimpleInstallGetter(isolate_, shared_array_buffer_prototype,
+                        factory->max_byte_length_string(),
+                        Builtin::kSharedArrayBufferPrototypeGetMaxByteLength,
+                        false);
+    SimpleInstallGetter(isolate_, shared_array_buffer_prototype,
+                        factory->growable_string(),
+                        Builtin::kSharedArrayBufferPrototypeGetGrowable, false);
+    SimpleInstallFunction(isolate_, shared_array_buffer_prototype, "grow",
+                          Builtin::kSharedArrayBufferPrototypeGrow, 1, true);
   }
 
   {  // -- A t o m i c s
@@ -5300,7 +5332,6 @@ void Genesis::InitializeConsole(Handle<JSObject> extras_binding) {
 
 EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_import_assertions)
 EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_import_attributes)
-EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(harmony_rab_gsab_transfer)
 EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(js_regexp_modifiers)
 EMPTY_INITIALIZE_GLOBAL_FOR_FEATURE(js_regexp_duplicate_named_groups)
 
@@ -5768,46 +5799,6 @@ void Genesis::InitializeGlobal_regexp_linear_flag() {
   native_context()->set_regexp_prototype_map(regexp_prototype->map());
 }
 
-void Genesis::InitializeGlobal_harmony_rab_gsab() {
-  if (!v8_flags.harmony_rab_gsab) return;
-  Handle<JSObject> array_buffer_prototype(
-      JSObject::cast(
-          native_context()->array_buffer_fun()->instance_prototype()),
-      isolate());
-  SimpleInstallGetter(isolate(), array_buffer_prototype,
-                      factory()->max_byte_length_string(),
-                      Builtin::kArrayBufferPrototypeGetMaxByteLength, false);
-  SimpleInstallGetter(isolate(), array_buffer_prototype,
-                      factory()->resizable_string(),
-                      Builtin::kArrayBufferPrototypeGetResizable, false);
-  SimpleInstallFunction(isolate(), array_buffer_prototype, "resize",
-                        Builtin::kArrayBufferPrototypeResize, 1, true);
-  if (v8_flags.harmony_rab_gsab_transfer) {
-    SimpleInstallFunction(isolate(), array_buffer_prototype, "transfer",
-                          Builtin::kArrayBufferPrototypeTransfer, 0, false);
-    SimpleInstallFunction(
-        isolate(), array_buffer_prototype, "transferToFixedLength",
-        Builtin::kArrayBufferPrototypeTransferToFixedLength, 0, false);
-    SimpleInstallGetter(isolate(), array_buffer_prototype,
-                        factory()->detached_string(),
-                        Builtin::kArrayBufferPrototypeGetDetached, false);
-  }
-
-  Handle<JSObject> shared_array_buffer_prototype(
-      JSObject::cast(
-          native_context()->shared_array_buffer_fun()->instance_prototype()),
-      isolate());
-  SimpleInstallGetter(isolate(), shared_array_buffer_prototype,
-                      factory()->max_byte_length_string(),
-                      Builtin::kSharedArrayBufferPrototypeGetMaxByteLength,
-                      false);
-  SimpleInstallGetter(isolate(), shared_array_buffer_prototype,
-                      factory()->growable_string(),
-                      Builtin::kSharedArrayBufferPrototypeGetGrowable, false);
-  SimpleInstallFunction(isolate(), shared_array_buffer_prototype, "grow",
-                        Builtin::kSharedArrayBufferPrototypeGrow, 1, true);
-}
-
 void Genesis::InitializeGlobal_harmony_temporal() {
   if (!v8_flags.harmony_temporal) return;
 

deps/v8/src/objects/js-array-buffer.cc

@@ -177,7 +177,6 @@ size_t JSArrayBuffer::GsabByteLength(Isolate* isolate,
                                      Address raw_array_buffer) {
   // TODO(v8:11111): Cache the last seen length in JSArrayBuffer and use it
   // in bounds checks to minimize the need for calling this function.
-  DCHECK(v8_flags.harmony_rab_gsab);
   DisallowGarbageCollection no_gc;
   DisallowJavascriptExecution no_js(isolate);
   Tagged<JSArrayBuffer> buffer =
@@ -405,7 +404,6 @@ size_t JSTypedArray::LengthTrackingGsabBackedTypedArrayLength(
     Isolate* isolate, Address raw_array) {
   // TODO(v8:11111): Cache the last seen length in JSArrayBuffer and use it
   // in bounds checks to minimize the need for calling this function.
-  DCHECK(v8_flags.harmony_rab_gsab);
   DisallowGarbageCollection no_gc;
   DisallowJavascriptExecution no_js(isolate);
   Tagged<JSTypedArray> array = JSTypedArray::cast(Tagged<Object>(raw_array));

deps/v8/src/objects/value-serializer.cc

@@ -1009,7 +1009,6 @@ Maybe<bool> ValueSerializer::WriteJSArrayBufferView(
   ArrayBufferViewTag tag = ArrayBufferViewTag::kInt8Array;
   if (IsJSTypedArray(view)) {
     if (JSTypedArray::cast(view)->IsOutOfBounds()) {
-      DCHECK(v8_flags.harmony_rab_gsab);
       return ThrowDataCloneError(MessageTemplate::kDataCloneError,
                                  handle(view, isolate_));
     }
@@ -1025,7 +1024,6 @@ Maybe<bool> ValueSerializer::WriteJSArrayBufferView(
     DCHECK(IsJSDataViewOrRabGsabDataView(view));
     if (IsJSRabGsabDataView(view) &&
         JSRabGsabDataView::cast(view)->IsOutOfBounds()) {
-      DCHECK(v8_flags.harmony_rab_gsab);
       return ThrowDataCloneError(MessageTemplate::kDataCloneError,
                                  handle(view, isolate_));
     }
@@ -2105,13 +2103,6 @@ MaybeHandle<JSArrayBuffer> ValueDeserializer::ReadJSArrayBuffer(
     if (byte_length > max_byte_length) {
       return MaybeHandle<JSArrayBuffer>();
     }
-    if (!v8_flags.harmony_rab_gsab) {
-      // Disable resizability. This ensures that no resizable buffers are
-      // created in a version which has the harmony_rab_gsab turned off, even if
-      // such a version is reading data containing resizable buffers from disk.
-      is_resizable = false;
-      max_byte_length = byte_length;
-    }
   }
   if (byte_length > static_cast<size_t>(end_ - position_)) {
     return MaybeHandle<JSArrayBuffer>();
@@ -2233,16 +2224,6 @@ bool ValueDeserializer::ValidateJSArrayBufferViewFlags(
   // TODO(marja): When the version number is bumped the next time, check that
   // serialized_flags doesn't contain spurious 1-bits.
 
-  if (!v8_flags.harmony_rab_gsab) {
-    // Disable resizability. This ensures that no resizable buffers are
-    // created in a version which has the harmony_rab_gsab turned off, even if
-    // such a version is reading data containing resizable buffers from disk.
-    is_length_tracking = false;
-    is_backed_by_rab = false;
-    // The resizability of the buffer was already disabled.
-    CHECK(!buffer->is_resizable_by_js());
-  }
-
   if (is_backed_by_rab || is_length_tracking) {
     if (!buffer->is_resizable_by_js()) {
       return false;

deps/v8/test/cctest/test-api-array-buffer.cc

@@ -455,8 +455,6 @@ THREADED_TEST(ArrayBuffer_NewBackingStore) {
 }
 
 THREADED_TEST(ArrayBuffer_NewResizableBackingStore) {
-  FLAG_SCOPE(harmony_rab_gsab);
-
   LocalContext env;
   v8::Isolate* isolate = env->GetIsolate();
   v8::HandleScope handle_scope(isolate);
@@ -831,8 +829,6 @@ TEST(BackingStore_ReallocateShared) {
 }
 
 TEST(ArrayBuffer_Resizable) {
-  FLAG_SCOPE(harmony_rab_gsab);
-
   LocalContext env;
   v8::Isolate* isolate = env->GetIsolate();
   v8::HandleScope handle_scope(isolate);
@@ -854,8 +850,6 @@ TEST(ArrayBuffer_Resizable) {
 }
 
 TEST(ArrayBuffer_FixedLength) {
-  FLAG_SCOPE(harmony_rab_gsab);
-
   LocalContext env;
   v8::Isolate* isolate = env->GetIsolate();
   v8::HandleScope handle_scope(isolate);

deps/v8/test/mjsunit/compiler/typedarray-resizablearraybuffer.js

@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Flags: --harmony-rab-gsab --allow-natives-syntax --turbofan
-// Flags: --no-always-turbofan --turbo-rab-gsab
+// Flags: --allow-natives-syntax --turbofan --no-always-turbofan
 // Flags: --js-float16array
 
 "use strict";

deps/v8/test/mjsunit/dataview-growablesharedarraybuffer.js

@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Flags: --harmony-rab-gsab --allow-natives-syntax
-// Flags: --js-float16array
+// Flags: --allow-natives-syntax --js-float16array
 
 "use strict";
 

deps/v8/test/mjsunit/dataview-resizablearraybuffer-detach.js

@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Flags: --harmony-rab-gsab --allow-natives-syntax
-// Flags: --js-float16array
+// Flags: --allow-natives-syntax --js-float16array
 
 "use strict";
 

deps/v8/test/mjsunit/dataview-resizablearraybuffer.js

@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Flags: --harmony-rab-gsab --allow-natives-syntax
-// Flags: --js-float16array
+// Flags: --allow-natives-syntax --js-float16array
 
 "use strict";