BASELINE: Update Chromium to 94.0.4606.111

Change-Id: I924781584def20fc800bedf6ff41fdb96c438193
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

12 files changed, 153 insertions, 45 deletions

diff --git a/chromium/gin/BUILD.gn b/chromium/gin/BUILD.gn
index b1dbac0232a..c6059fdb0e0 100644
--- a/chromium/gin/BUILD.gn
+++ b/chromium/gin/BUILD.gn
@@ -79,6 +79,7 @@ component("gin") {
 
   public_deps = [
     "//base",
+    "//base/allocator:buildflags",
     "//v8",
   ]
   deps = [ "//base/third_party/dynamic_annotations" ]
diff --git a/chromium/gin/OWNERS b/chromium/gin/OWNERS
index 79b041ed379..a145cf6bc64 100644
--- a/chromium/gin/OWNERS
+++ b/chromium/gin/OWNERS
@@ -1,4 +1,7 @@
 set noparent
-jochen@chromium.org
+cbruni@chromium.org
+haraken@chromium.org
+hpayer@chromium.org
 jbroman@chromium.org
-rmcilroy@chromium.org
+leszeks@chromium.org
+mlippautz@chromium.org
diff --git a/chromium/gin/array_buffer.cc b/chromium/gin/array_buffer.cc
index 210760801f1..769aa10920e 100644
--- a/chromium/gin/array_buffer.cc
+++ b/chromium/gin/array_buffer.cc
@@ -9,7 +9,6 @@
 
 #include "base/allocator/partition_allocator/page_allocator.h"
 #include "base/check_op.h"
-#include "base/partition_alloc_buildflags.h"
 #include "build/build_config.h"
 #include "gin/per_isolate_data.h"
 
diff --git a/chromium/gin/converter_unittest.cc b/chromium/gin/converter_unittest.cc
index f3f57bed24d..195d719ea3c 100644
--- a/chromium/gin/converter_unittest.cc
+++ b/chromium/gin/converter_unittest.cc
@@ -11,7 +11,7 @@
 #include <string>
 
 #include "base/compiler_specific.h"
-#include "base/stl_util.h"
+#include "base/cxx17_backports.h"
 #include "base/strings/utf_string_conversions.h"
 #include "gin/function_template.h"
 #include "gin/handle.h"
diff --git a/chromium/gin/cppgc.cc b/chromium/gin/cppgc.cc
index d56ab2f648d..62842785197 100644
--- a/chromium/gin/cppgc.cc
+++ b/chromium/gin/cppgc.cc
@@ -3,19 +3,33 @@
 // found in the LICENSE file.
 
 #include "gin/public/cppgc.h"
+
+#include "base/check_op.h"
 #include "gin/public/v8_platform.h"
 #include "v8/include/cppgc/platform.h"
 
 namespace gin {
 
+namespace {
+
+int g_init_count = 0;
+
+}  // namespace
+
 void InitializeCppgcFromV8Platform() {
-  static bool cppgc_is_initialized = false;
-  if (cppgc_is_initialized)
+  DCHECK_GE(g_init_count, 0);
+  if (g_init_count++ > 0)
     return;
 
   cppgc::InitializeProcess(gin::V8Platform::Get()->GetPageAllocator());
+}
+
+void MaybeShutdownCppgc() {
+  DCHECK_GT(g_init_count, 0);
+  if (--g_init_count > 0)
+    return;
 
-  cppgc_is_initialized = true;
+  cppgc::ShutdownProcess();
 }
 
 }  // namespace gin
diff --git a/chromium/gin/gin_features.cc b/chromium/gin/gin_features.cc
index 2e1d3a3543d..55c519e5a14 100644
--- a/chromium/gin/gin_features.cc
+++ b/chromium/gin/gin_features.cc
@@ -59,9 +59,10 @@ const base::Feature kV8ExperimentalRegexpEngine{
 const base::Feature kV8Turboprop{"V8Turboprop",
                                  base::FEATURE_DISABLED_BY_DEFAULT};
 
-// Enables experimental Sparkplug compiler.
+// Enables Sparkplug compiler. Note that this only sets the V8 flag when
+// manually overridden; otherwise it defers to whatever the V8 default is.
 const base::Feature kV8Sparkplug{"V8Sparkplug",
-                                 base::FEATURE_DISABLED_BY_DEFAULT};
+                                 base::FEATURE_ENABLED_BY_DEFAULT};
 
 // Makes sure the experimental Sparkplug compiler is only enabled if short
 // builtin calls are enabled too.
@@ -90,4 +91,14 @@ const base::FeatureParam<int> kV8ScriptDelayMs{&kV8ScriptAblation,
 const base::FeatureParam<double> kV8ScriptDelayFraction{
     &kV8ScriptAblation, "V8ScriptDelayFraction", 0.0};
 
+// Experiment to determine the maximum size of the ArrayBuffer cage.
+const base::Feature kV8ArrayBufferCageReservationExperiment{
+    "V8ArrayBufferCageReservationExperiment",
+    base::FEATURE_DISABLED_BY_DEFAULT};
+
+// Enables slow histograms that provide detailed information at increased
+// runtime overheads.
+const base::Feature kV8SlowHistograms{"V8SlowHistograms",
+                                      base::FEATURE_DISABLED_BY_DEFAULT};
+
 }  // namespace features
diff --git a/chromium/gin/gin_features.h b/chromium/gin/gin_features.h
index 7830c601657..2eb9e36d580 100644
--- a/chromium/gin/gin_features.h
+++ b/chromium/gin/gin_features.h
@@ -11,27 +11,29 @@
 
 namespace features {
 
-GIN_EXPORT extern const base::Feature kV8OptimizeJavascript;
+GIN_EXPORT extern const base::Feature kV8ArrayBufferCageReservationExperiment;
+GIN_EXPORT extern const base::Feature kV8ConcurrentInlining;
+GIN_EXPORT extern const base::Feature kV8ExperimentalRegexpEngine;
 GIN_EXPORT extern const base::Feature kV8FlushBytecode;
-GIN_EXPORT extern const base::Feature kV8OffThreadFinalization;
+GIN_EXPORT extern const base::Feature kV8FlushEmbeddedBlobICache;
 GIN_EXPORT extern const base::Feature kV8LazyFeedbackAllocation;
-GIN_EXPORT extern const base::Feature kV8ConcurrentInlining;
+GIN_EXPORT extern const base::Feature kV8LocalHeaps;
+GIN_EXPORT extern const base::Feature kV8NoReclaimUnmodifiedWrappers;
+GIN_EXPORT extern const base::Feature kV8OffThreadFinalization;
+GIN_EXPORT extern const base::Feature kV8OptimizeJavascript;
 GIN_EXPORT extern const base::Feature kV8PerContextMarkingWorklist;
-GIN_EXPORT extern const base::Feature kV8FlushEmbeddedBlobICache;
 GIN_EXPORT extern const base::Feature kV8ReduceConcurrentMarkingTasks;
-GIN_EXPORT extern const base::Feature kV8NoReclaimUnmodifiedWrappers;
-GIN_EXPORT extern const base::Feature kV8LocalHeaps;
-GIN_EXPORT extern const base::Feature kV8TurboDirectHeapAccess;
-GIN_EXPORT extern const base::Feature kV8ExperimentalRegexpEngine;
-GIN_EXPORT extern const base::Feature kV8TurboFastApiCalls;
-GIN_EXPORT extern const base::Feature kV8Turboprop;
-GIN_EXPORT extern const base::Feature kV8Sparkplug;
-GIN_EXPORT extern const base::Feature kV8SparkplugNeedsShortBuiltinCalls;
 GIN_EXPORT extern const base::Feature kV8ScriptAblation;
-GIN_EXPORT extern const base::FeatureParam<int> kV8ScriptDelayOnceMs;
-GIN_EXPORT extern const base::FeatureParam<int> kV8ScriptDelayMs;
 GIN_EXPORT extern const base::FeatureParam<double> kV8ScriptDelayFraction;
+GIN_EXPORT extern const base::FeatureParam<int> kV8ScriptDelayMs;
+GIN_EXPORT extern const base::FeatureParam<int> kV8ScriptDelayOnceMs;
 GIN_EXPORT extern const base::Feature kV8ShortBuiltinCalls;
+GIN_EXPORT extern const base::Feature kV8SlowHistograms;
+GIN_EXPORT extern const base::Feature kV8Sparkplug;
+GIN_EXPORT extern const base::Feature kV8SparkplugNeedsShortBuiltinCalls;
+GIN_EXPORT extern const base::Feature kV8TurboDirectHeapAccess;
+GIN_EXPORT extern const base::Feature kV8TurboFastApiCalls;
+GIN_EXPORT extern const base::Feature kV8Turboprop;
 GIN_EXPORT extern const base::Feature kV8UntrustedCodeMitigations;
 
 }  // namespace features
diff --git a/chromium/gin/isolate_holder.cc b/chromium/gin/isolate_holder.cc
index 08815f12ad8..f86478fb865 100644
--- a/chromium/gin/isolate_holder.cc
+++ b/chromium/gin/isolate_holder.cc
@@ -55,11 +55,14 @@ IsolateHolder::IsolateHolder(
     IsolateType isolate_type,
     IsolateCreationMode isolate_creation_mode)
     : access_mode_(access_mode), isolate_type_(isolate_type) {
+  CHECK(Initialized())
+      << "You need to invoke gin::IsolateHolder::Initialize first";
+
   DCHECK(task_runner);
   DCHECK(task_runner->BelongsToCurrentThread());
 
   v8::ArrayBuffer::Allocator* allocator = g_array_buffer_allocator;
-  CHECK(allocator) << "You need to invoke gin::IsolateHolder::Initialize first";
+  DCHECK(allocator);
 
   isolate_ = v8::Isolate::Allocate();
   isolate_data_ = std::make_unique<PerIsolateData>(isolate_, allocator,
@@ -112,6 +115,11 @@ void IsolateHolder::Initialize(ScriptMode mode,
   g_reference_table = reference_table;
 }
 
+// static
+bool IsolateHolder::Initialized() {
+  return g_array_buffer_allocator;
+}
+
 void IsolateHolder::EnableIdleTasks(
     std::unique_ptr<V8IdleTaskRunner> idle_task_runner) {
   DCHECK(isolate_data_.get());
diff --git a/chromium/gin/public/cppgc.h b/chromium/gin/public/cppgc.h
index f89a58b4dbe..8844f948ec0 100644
--- a/chromium/gin/public/cppgc.h
+++ b/chromium/gin/public/cppgc.h
@@ -9,8 +9,17 @@
 
 namespace gin {
 
+// A wrapper around `cppgc::InitializeProcess()` which helps to guarantee that
+// cppgc is initialized only once when there are multiple users of cppgc in same
+// process.
 GIN_EXPORT void InitializeCppgcFromV8Platform();
 
+// Calls `cppgc::ShutdownProcess()` only after being called as many times as
+// `InitializeCppgcFromV8Platform()`. Helps to guarantee that cppgc is shutdown
+// only after all users in the same process are done using it. Number of calls
+// cannot exceed that of `InitializeCppgcFromV8Platform()`.
+GIN_EXPORT void MaybeShutdownCppgc();
+
 }  // namespace gin
 
-#endif  // GIN_PUBLIC_CPPGC_H_
\ No newline at end of file
+#endif  // GIN_PUBLIC_CPPGC_H_
diff --git a/chromium/gin/public/isolate_holder.h b/chromium/gin/public/isolate_holder.h
index eaf06bd895f..41e516899dc 100644
--- a/chromium/gin/public/isolate_holder.h
+++ b/chromium/gin/public/isolate_holder.h
@@ -91,6 +91,11 @@ class GIN_EXPORT IsolateHolder {
                          v8::ArrayBuffer::Allocator* allocator,
                          const intptr_t* reference_table = nullptr);
 
+  // Returns whether `Initialize` has already been invoked in the process.
+  // Initialization is a one-way operation (i.e., this method cannot return
+  // false after returning true).
+  static bool Initialized();
+
   v8::Isolate* isolate() { return isolate_; }
 
   // This method returns if v8::Locker is needed to access isolate.
diff --git a/chromium/gin/public/v8_platform.h b/chromium/gin/public/v8_platform.h
index 967ef1dffdd..fa0e7faad92 100644
--- a/chromium/gin/public/v8_platform.h
+++ b/chromium/gin/public/v8_platform.h
@@ -5,9 +5,9 @@
 #ifndef GIN_PUBLIC_V8_PLATFORM_H_
 #define GIN_PUBLIC_V8_PLATFORM_H_
 
+#include "base/allocator/buildflags.h"
 #include "base/compiler_specific.h"
 #include "base/lazy_instance.h"
-#include "base/partition_alloc_buildflags.h"
 #include "gin/gin_export.h"
 #include "v8/include/v8-platform.h"
 
diff --git a/chromium/gin/v8_initializer.cc b/chromium/gin/v8_initializer.cc
index 6ccf88e1dfd..6e7261ff6e7 100644
--- a/chromium/gin/v8_initializer.cc
+++ b/chromium/gin/v8_initializer.cc
@@ -9,6 +9,7 @@
 
 #include <memory>
 
+#include "base/allocator/partition_allocator/page_allocator.h"
 #include "base/check.h"
 #include "base/debug/alias.h"
 #include "base/debug/crash_logging.h"
@@ -17,6 +18,7 @@
 #include "base/files/file_path.h"
 #include "base/files/memory_mapped_file.h"
 #include "base/lazy_instance.h"
+#include "base/metrics/histogram_functions.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/notreached.h"
 #include "base/path_service.h"
@@ -26,6 +28,7 @@
 #include "base/system/sys_info.h"
 #include "base/threading/platform_thread.h"
 #include "base/time/time.h"
+#include "base/win/windows_version.h"
 #include "build/build_config.h"
 #include "gin/gin_features.h"
 
@@ -185,14 +188,6 @@ base::File OpenV8File(const char* file_name,
   return file;
 }
 
-enum LoadV8FileResult {
-  V8_LOAD_SUCCESS = 0,
-  V8_LOAD_FAILED_OPEN,
-  V8_LOAD_FAILED_MAP,
-  V8_LOAD_FAILED_VERIFY,  // Deprecated.
-  V8_LOAD_MAX_VALUE
-};
-
 #endif  // defined(V8_USE_EXTERNAL_STARTUP_DATA)
 
 template <int LENGTH>
@@ -210,7 +205,63 @@ void SetV8FlagsFormatted(const char* format, ...) {
     return;
   }
   v8::V8::SetFlagsFromString(buffer, length - 1);
-  ;
+}
+
+void RunArrayBufferCageReservationExperiment() {
+  // TODO(1218005) remove this function and windows_version.h include once the
+  // experiment has ended.
+#if defined(ARCH_CPU_64_BITS)
+  constexpr size_t kGigaBytes = 1024 * 1024 * 1024;
+  constexpr size_t kTeraBytes = 1024 * kGigaBytes;
+
+  constexpr size_t kCageMaxSize = 1 * kTeraBytes;
+  constexpr size_t kCageMinSize = 8 * kGigaBytes;
+
+#if defined(OS_WIN)
+  // Windows prior to Win10 (or possibly Win8/8.1) appears to create page table
+  // entries when reserving virtual memory, causing unacceptably high memory
+  // consumption (e.g. ~2GB when reserving 1TB). As such, the experiment is
+  // only enabled on Win10.
+  if (base::win::GetVersion() < base::win::Version::WIN10) {
+    return;
+  }
+#endif
+
+  void* reservation = nullptr;
+  size_t current_size = kCageMaxSize;
+  while (!reservation && current_size >= kCageMinSize) {
+    // The cage reservation will need to be 4GB aligned.
+    reservation = base::AllocPages(nullptr, current_size, 4 * kGigaBytes,
+                                   base::PageInaccessible, base::PageTag::kV8);
+    if (!reservation) {
+      current_size /= 2;
+    }
+  }
+
+  int result = current_size / kGigaBytes;
+  if (reservation) {
+    base::FreePages(reservation, current_size);
+  } else {
+    result = 0;
+  }
+
+  base::UmaHistogramSparse("V8.MaxArrayBufferCageReservationSize", result);
+#endif
+}
+
+template <size_t N, size_t M>
+void SetV8FlagsIfOverridden(const base::Feature& feature,
+                            const char (&enabling_flag)[N],
+                            const char (&disabling_flag)[M]) {
+  auto overridden_state = base::FeatureList::GetStateIfOverridden(feature);
+  if (!overridden_state.has_value()) {
+    return;
+  }
+  if (overridden_state.value()) {
+    SetV8Flags(enabling_flag);
+  } else {
+    SetV8Flags(disabling_flag);
+  }
 }
 
 }  // namespace
@@ -221,6 +272,11 @@ void V8Initializer::Initialize(IsolateHolder::ScriptMode mode) {
   if (v8_is_initialized)
     return;
 
+  if (base::FeatureList::IsEnabled(
+          features::kV8ArrayBufferCageReservationExperiment)) {
+    RunArrayBufferCageReservationExperiment();
+  }
+
   v8::V8::InitializePlatform(V8Platform::Get());
 
   if (!base::FeatureList::IsEnabled(features::kV8OptimizeJavascript)) {
@@ -291,9 +347,8 @@ void V8Initializer::Initialize(IsolateHolder::ScriptMode mode) {
     SetV8Flags("--turboprop");
   }
 
-  if (base::FeatureList::IsEnabled(features::kV8Sparkplug)) {
-    SetV8Flags("--sparkplug");
-  }
+  SetV8FlagsIfOverridden(features::kV8Sparkplug, "--sparkplug",
+                         "--no-sparkplug");
 
   if (base::FeatureList::IsEnabled(
           features::kV8SparkplugNeedsShortBuiltinCalls)) {
@@ -327,6 +382,9 @@ void V8Initializer::Initialize(IsolateHolder::ScriptMode mode) {
     SetV8Flags("--no-short-builtin-calls");
   }
 
+  SetV8FlagsIfOverridden(features::kV8SlowHistograms, "--slow-histograms",
+                         "--no-slow-histograms");
+
   if (IsolateHolder::kStrictMode == mode) {
     SetV8Flags("--use_strict");
   }
@@ -384,8 +442,7 @@ void V8Initializer::LoadV8SnapshotFromFile(
     return;
 
   if (!snapshot_file.IsValid()) {
-    UMA_HISTOGRAM_ENUMERATION("V8.Initializer.LoadV8Snapshot.Result",
-                              V8_LOAD_FAILED_OPEN, V8_LOAD_MAX_VALUE);
+    LOG(FATAL) << "Error loading V8 startup snapshot file";
     return;
   }
 
@@ -395,11 +452,10 @@ void V8Initializer::LoadV8SnapshotFromFile(
     region = *snapshot_file_region;
   }
 
-  LoadV8FileResult result = V8_LOAD_SUCCESS;
-  if (!MapV8File(std::move(snapshot_file), region, &g_mapped_snapshot))
-    result = V8_LOAD_FAILED_MAP;
-  UMA_HISTOGRAM_ENUMERATION("V8.Initializer.LoadV8Snapshot.Result", result,
-                            V8_LOAD_MAX_VALUE);
+  if (!MapV8File(std::move(snapshot_file), region, &g_mapped_snapshot)) {
+    LOG(FATAL) << "Error mapping V8 startup snapshot file";
+    return;
+  }
 }
 
 #if defined(OS_ANDROID)