authorAllan Sandfeld Jensen <allan.jensen@qt.io>2021-07-01 13:23:52 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2021-07-01 11:25:08 +0000
commit5d013f5804a0d91fcf6c626b2d6fb6eca5c845b0 (patch)
tree49758e2556cca8f7d386b49a6c41b3bcb7c20b48 /chromium/v8/src
parent189d4fd8fad9e3c776873be51938cd31a42b6177 (diff)
BASELINE: Update Chromium to 90.0.4430.228
Change-Id: I2d24c073cefc4842980b84cc7e9c5419c107c501 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/v8/src')
-rw-r--r--chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc16
-rw-r--r--chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.h5
-rw-r--r--chromium/v8/src/compiler/access-info.cc2
-rw-r--r--chromium/v8/src/heap/heap.cc7
-rw-r--r--chromium/v8/src/inspector/v8-debugger-agent-impl.cc6
-rw-r--r--chromium/v8/src/objects/objects.cc41
6 files changed, 65 insertions, 12 deletions
diff --git a/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc b/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc
index 8bcb609f1ba..b07c85a1903 100644
--- a/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc
+++ b/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc
@@ -50,7 +50,6 @@ class OptimizingCompileDispatcher::CompileTask : public CancelableTask {
worker_thread_runtime_call_stats_(
isolate->counters()->worker_thread_runtime_call_stats()),
dispatcher_(dispatcher) {
- base::MutexGuard lock_guard(&dispatcher_->ref_count_mutex_);
++dispatcher_->ref_count_;
}
@@ -98,12 +97,7 @@ class OptimizingCompileDispatcher::CompileTask : public CancelableTask {
};
OptimizingCompileDispatcher::~OptimizingCompileDispatcher() {
-#ifdef DEBUG
- {
- base::MutexGuard lock_guard(&ref_count_mutex_);
- DCHECK_EQ(0, ref_count_);
- }
-#endif
+ DCHECK_EQ(0, ref_count_);
DCHECK_EQ(0, input_queue_length_);
DeleteArray(input_queue_);
}
@@ -234,6 +228,14 @@ void OptimizingCompileDispatcher::InstallOptimizedFunctions() {
}
}
+bool OptimizingCompileDispatcher::HasJobs() {
+ DCHECK_EQ(ThreadId::Current(), isolate_->thread_id());
+ // Note: This relies on {output_queue_} being mutated by a background thread
+ // only when {ref_count_} is not zero. Also, {ref_count_} is never incremented
+ // by a background thread.
+ return !(ref_count_ == 0 && output_queue_.empty());
+}
+
void OptimizingCompileDispatcher::QueueForOptimization(
OptimizedCompilationJob* job) {
DCHECK(IsQueueAvailable());
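Review bot: `HasJobs()` reads `output_queue_.empty()` without holding any lock, so its safety rests entirely on the invariant stated in the comment. The comment should also name the ordering that invariant needs, for example `// A worker must finish its last write to {output_queue_} before it decrements {ref_count_}; the atomic load here then orders the empty() check.` The decrement is not visible in these hunks, so that ordering should be confirmed against the task's run/teardown path. The main-thread requirement is enforced only by `DCHECK_EQ`, which is compiled out of release builds. `QueueForOptimization` continues outside the hunk.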
diff --git a/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.h b/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.h
index 36f285d1631..7d7a5bebb74 100644
--- a/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.h
+++ b/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.h
@@ -53,6 +53,9 @@ class V8_EXPORT_PRIVATE OptimizingCompileDispatcher {
static bool Enabled() { return FLAG_concurrent_recompilation; }
+ // This method must be called on the main thread.
+ bool HasJobs();
+
private:
class CompileTask;
@@ -90,7 +93,7 @@ class V8_EXPORT_PRIVATE OptimizingCompileDispatcher {
int blocked_jobs_;
- int ref_count_;
+ std::atomic<int> ref_count_;
base::Mutex ref_count_mutex_;
base::ConditionVariable ref_count_zero_;
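Review bot: `ref_count_` becomes `std::atomic<int>`, but none of the visible hunks for this header adds `#include <atomic>`. If the header does not already include it, add it directly rather than relying on a transitive include. `ref_count_mutex_` stays next to the now-atomic counter, so a one-line comment such as `// Only guards waiting on {ref_count_zero_}; {ref_count_} itself is atomic.` would prevent readers assuming the mutex still protects the count. Whether that is exactly the mutex's remaining role cannot be confirmed from this hunk.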
diff --git a/chromium/v8/src/compiler/access-info.cc b/chromium/v8/src/compiler/access-info.cc
index 06806feb420..ee82d7d1792 100644
--- a/chromium/v8/src/compiler/access-info.cc
+++ b/chromium/v8/src/compiler/access-info.cc
@@ -894,7 +894,7 @@ PropertyAccessInfo AccessInfoFactory::LookupTransition(
// Transitioning stores *may* store to const fields. The resulting
// DataConstant access infos can be distinguished from later, i.e. redundant,
// stores to the same constant field by the presence of a transition map.
- switch (details.constness()) {
+ switch (dependencies()->DependOnFieldConstness(transition_map_ref, number)) {
case PropertyConstness::kMutable:
return PropertyAccessInfo::DataField(
zone(), map, std::move(unrecorded_dependencies), field_index,
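Review bot: The `switch` expression now calls `dependencies()->DependOnFieldConstness(transition_map_ref, number)`, which by its name records a compilation dependency as a side effect, yet the comment above still describes only the const-field case. A line such as `// Read constness through the dependency tracker so the generated code is invalidated if the field's constness changes later.` would explain why `details.constness()` must not be read directly here. Without that comment a later cleanup could revert to the plain read and reintroduce a stale-constness assumption in optimized code. The switch and the enclosing `LookupTransition` body extend beyond the hunk.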
diff --git a/chromium/v8/src/heap/heap.cc b/chromium/v8/src/heap/heap.cc
index 23b84296be1..a38080108b2 100644
--- a/chromium/v8/src/heap/heap.cc
+++ b/chromium/v8/src/heap/heap.cc
@@ -22,6 +22,7 @@
#include "src/codegen/compilation-cache.h"
#include "src/common/assert-scope.h"
#include "src/common/globals.h"
+#include "src/compiler-dispatcher/optimizing-compile-dispatcher.h"
#include "src/debug/debug.h"
#include "src/deoptimizer/deoptimizer.h"
#include "src/execution/isolate-utils-inl.h"
@@ -3006,6 +3007,12 @@ bool Heap::CanMoveObjectStart(HeapObject object) {
if (IsLargeObject(object)) return false;
+ // Compilation jobs may have references to the object.
+ if (isolate()->concurrent_recompilation_enabled() &&
+ isolate()->optimizing_compile_dispatcher()->HasJobs()) {
+ return false;
+ }
+
// We can move the object start if the page was already swept.
return Page::FromHeapObject(object)->SweepingDone();
}
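Review bot: The new guard makes `CanMoveObjectStart` call `HasJobs()`, which is documented as main-thread only, so this function now inherits that constraint and nothing here states it. Add something like `// Main thread only: HasJobs() reads dispatcher state without locking.` above the check, or a `DCHECK` on the thread id at the top of the function, after confirming that no caller runs on a GC or worker thread. The existing comment could also be more explicit about the hazard, e.g. `// Background compile jobs may still hold references to the object's original start, so do not move it while any job is queued or running.`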
diff --git a/chromium/v8/src/inspector/v8-debugger-agent-impl.cc b/chromium/v8/src/inspector/v8-debugger-agent-impl.cc
index 4e0b83952e2..1ea1c6fab3f 100644
--- a/chromium/v8/src/inspector/v8-debugger-agent-impl.cc
+++ b/chromium/v8/src/inspector/v8-debugger-agent-impl.cc
@@ -499,6 +499,8 @@ Response V8DebuggerAgentImpl::setBreakpointByUrl(
Maybe<int> optionalColumnNumber, Maybe<String16> optionalCondition,
String16* outBreakpointId,
std::unique_ptr<protocol::Array<protocol::Debugger::Location>>* locations) {
+ if (!enabled()) return Response::ServerError(kDebuggerNotEnabled);
+
*locations = std::make_unique<Array<protocol::Debugger::Location>>();
int specified = (optionalURL.isJust() ? 1 : 0) +
@@ -587,6 +589,8 @@ Response V8DebuggerAgentImpl::setBreakpoint(
String16 breakpointId = generateBreakpointId(
BreakpointType::kByScriptId, location->getScriptId(),
location->getLineNumber(), location->getColumnNumber(0));
+ if (!enabled()) return Response::ServerError(kDebuggerNotEnabled);
+
if (m_breakpointIdToDebuggerBreakpointIds.find(breakpointId) !=
m_breakpointIdToDebuggerBreakpointIds.end()) {
return Response::ServerError(
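Review bot: In `setBreakpoint` the `enabled()` guard sits after `generateBreakpointId(...)` has already dereferenced `location`, whereas in `setBreakpointByUrl` and `setBreakpointOnFunctionCall` it is the first statement. Moving `if (!enabled()) return Response::ServerError(kDebuggerNotEnabled);` to the top of the function would keep the three entry points consistent and ensure no agent state or arguments are touched while the agent is disabled. The start of `setBreakpoint` is outside the hunk, so check that nothing earlier in the body needs the same protection. Other breakpoint-setting methods in this agent that the diff does not show are worth auditing for the same guard.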
@@ -605,6 +609,8 @@ Response V8DebuggerAgentImpl::setBreakpoint(
Response V8DebuggerAgentImpl::setBreakpointOnFunctionCall(
const String16& functionObjectId, Maybe<String16> optionalCondition,
String16* outBreakpointId) {
+ if (!enabled()) return Response::ServerError(kDebuggerNotEnabled);
+
InjectedScript::ObjectScope scope(m_session, functionObjectId);
Response response = scope.initialize();
if (!response.IsSuccess()) return response;
diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc
index d9cb7486be8..338254bd5cf 100644
--- a/chromium/v8/src/objects/objects.cc
+++ b/chromium/v8/src/objects/objects.cc
@@ -2520,9 +2520,21 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
if ((maybe_attributes.FromJust() & READ_ONLY) != 0) {
return WriteToReadOnlyProperty(it, value, should_throw);
}
- if (maybe_attributes.FromJust() == ABSENT) break;
- *found = false;
- return Nothing<bool>();
+ // At this point we might have called interceptor's query or getter
+ // callback. Assuming that the callbacks have side effects, we use
+ // Object::SetSuperProperty() which works properly regardless on
+ // whether the property was present on the receiver or not when
+ // storing to the receiver.
+ if (maybe_attributes.FromJust() == ABSENT) {
+ // Proceed lookup from the next state.
+ it->Next();
+ } else {
+ // Finish lookup in order to make Object::SetSuperProperty() store
+ // property to the receiver.
+ it->NotFound();
+ }
+ return Object::SetSuperProperty(it, value, store_origin,
+ should_throw);
}
break;
}
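Review bot: The removed lines set `*found = false` before returning, while the new path returns the result of `Object::SetSuperProperty(...)` without touching `*found`. It therefore depends on whatever value `*found` was given earlier in `SetPropertyInternal`, outside this hunk. If that value is `true`, the caller treats the store as completed, which looks like the intent, but it should be stated, e.g. `// {*found} stays true: the store is completed here via SetSuperProperty().` The comment also describes both branches as finishing through `SetSuperProperty()`, so it is worth confirming that calling it after `it->Next()`, and not only after `it->NotFound()`, matches what that function expects of the iterator state.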
@@ -2597,6 +2609,8 @@ Maybe<bool> Object::SetProperty(LookupIterator* it, Handle<Object> value,
if (found) return result;
}
+ // TODO(ishell): refactor this: both SetProperty and and SetSuperProperty have
+ // this piece of code.
// If the receiver is the JSGlobalObject, the store was contextual. In case
// the property did not exist yet on the global object itself, we have to
// throw a reference error in strict mode. In sloppy mode, we continue.
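Review bot: The added TODO has a doubled word; it should read `// TODO(ishell): refactor this: both SetProperty and SetSuperProperty have`. The same typo is in the copy of this comment added to `SetSuperProperty` in the last hunk of this file. Until the refactor lands, the two copies of the global-object ReferenceError block must be kept in step by hand, so any change to one needs the matching change in the other.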
@@ -2640,6 +2654,8 @@ Maybe<bool> Object::SetSuperProperty(LookupIterator* it, Handle<Object> value,
}
Handle<JSReceiver> receiver = Handle<JSReceiver>::cast(it->GetReceiver());
+ // Note, the callers rely on the fact that this code is redoing the full own
+ // lookup from scratch.
LookupIterator::Configuration c = LookupIterator::OWN;
LookupIterator own_lookup =
it->IsElement() ? LookupIterator(isolate, receiver, it->index(), c)
@@ -2702,6 +2718,25 @@ Maybe<bool> Object::SetSuperProperty(LookupIterator* it, Handle<Object> value,
}
}
+ // TODO(ishell): refactor this: both SetProperty and and SetSuperProperty have
+ // this piece of code.
+ // If the receiver is the JSGlobalObject, the store was contextual. In case
+ // the property did not exist yet on the global object itself, we have to
+ // throw a reference error in strict mode. In sloppy mode, we continue.
+ if (receiver->IsJSGlobalObject() &&
+ (GetShouldThrow(isolate, should_throw) == ShouldThrow::kThrowOnError)) {
+ if (own_lookup.state() == LookupIterator::TRANSITION) {
+ // The property cell that we have created is garbage because we are going
+ // to throw now instead of putting it into the global dictionary. However,
+ // the cell might already have been stored into the feedback vector, so
+ // we must invalidate it nevertheless.
+ own_lookup.transition_cell()->ClearAndInvalidate(ReadOnlyRoots(isolate));
+ }
+ isolate->Throw(*isolate->factory()->NewReferenceError(
+ MessageTemplate::kNotDefined, own_lookup.GetName()));
+ return Nothing<bool>();
+ }
+
return AddDataProperty(&own_lookup, value, NONE, should_throw, store_origin);
}