deps: V8: cherry-pick e0fb10b5148c

Original commit message:

    [array] Increase the maximum size of FixedArrays

    Use the newly increased maximum FreeSpace size to allow a larger upper
    bound for FixedArray/FixedDoubleArray size.

    Bug: 417413670
    Change-Id: I655c98bb68dfe033ae62f2b16441c62bc4403058
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6597277
    Commit-Queue: Leszek Swirski <[email protected]>
    Reviewed-by: Igor Sheludko <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#100593}

Refs: v8/v8@e0fb10b

Author: LeszekSwirski

common.gypi

@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.30',
+    'v8_embedder_string': '-node.31',
 
     ##### V8 defaults for Node.js #####
 

deps/v8/src/objects/fixed-array.h

@@ -9,6 +9,7 @@
 
 #include "src/common/globals.h"
 #include "src/handles/maybe-handles.h"
+#include "src/objects/free-space.h"
 #include "src/objects/heap-object.h"
 #include "src/objects/instance-type.h"
 #include "src/objects/maybe-object.h"
@@ -29,8 +30,10 @@ namespace v8::internal {
 // Limit all fixed arrays to the same max capacity, so that non-resizing
 // transitions between different elements kinds (like Smi to Double) will not
 // error.
+// This could be larger, but the next power of two up would push the maximum
+// byte size of FixedDoubleArray out of int32 range.
 static constexpr int kMaxFixedArrayCapacity =
-    V8_LOWER_LIMITS_MODE_BOOL ? (16 * 1024 * 1024) : (64 * 1024 * 1024);
+    V8_LOWER_LIMITS_MODE_BOOL ? (16 * 1024 * 1024) : (128 * 1024 * 1024);
 
 namespace detail {
 template <class Super, bool kLengthEqualsCapacity>
@@ -181,11 +184,8 @@ class TaggedArrayBase : public detail::TaggedArrayHeader<ShapeT, Super> {
   // Maximal allowed capacity, in number of elements. Chosen s.t. the byte size
   // fits into a Smi which is necessary for being able to create a free space
   // filler.
-  // TODO(jgruber): The kMaxCapacity could be larger (`(Smi::kMaxValue -
-  // Shape::kHeaderSize) / kElementSize`), but our tests rely on a
-  // smaller maximum to avoid timeouts.
   static constexpr int kMaxCapacity = kMaxFixedArrayCapacity;
-  static_assert(Smi::IsValid(SizeFor(kMaxCapacity)));
+  static_assert(SizeFor(kMaxCapacity) <= FreeSpace::kMaxSizeInBytes);
 
   // Maximally allowed length for regular (non large object space) object.
   static constexpr int kMaxRegularCapacity =
@@ -425,11 +425,8 @@ class PrimitiveArrayBase : public detail::ArrayHeaderBase<Super, true> {
   // Maximal allowed length, in number of elements. Chosen s.t. the byte size
   // fits into a Smi which is necessary for being able to create a free space
   // filler.
-  // TODO(jgruber): The kMaxLength could be larger (`(Smi::kMaxValue -
-  // sizeof(Header)) / kElementSize`), but our tests rely on a
-  // smaller maximum to avoid timeouts.
   static constexpr int kMaxLength = kMaxFixedArrayCapacity;
-  static_assert(Smi::IsValid(SizeFor(kMaxLength)));
+  static_assert(SizeFor(kMaxLength) <= FreeSpace::kMaxSizeInBytes);
 
   // Maximally allowed length for regular (non large object space) object.
   static constexpr int kMaxRegularLength =

deps/v8/src/objects/free-space.h

@@ -5,7 +5,9 @@
 #ifndef V8_OBJECTS_FREE_SPACE_H_
 #define V8_OBJECTS_FREE_SPACE_H_
 
+#include "src/common/globals.h"
 #include "src/objects/heap-object.h"
+#include "src/objects/smi.h"
 
 // Has to be the last include (doesn't have include guards):
 #include "src/objects/object-macros.h"
@@ -32,6 +34,9 @@ namespace internal {
 //    scheme.
 class FreeSpace : public TorqueGeneratedFreeSpace<FreeSpace, HeapObject> {
  public:
+  static constexpr uint32_t kMaxSizeInBytes =
+      uint32_t{Smi::kMaxValue} * kTaggedSize;
+
   // [size]: size of the free space including the header.
   DECL_RELAXED_INT_ACCESSORS(size)
   static inline void SetSize(const WritableFreeSpace& writable_free_space,

deps/v8/test/mjsunit/regress/regress-crbug-1057653.js

@@ -3,6 +3,6 @@
 // found in the LICENSE file.
 
 Object.prototype.length = 3642395160;
-const array = new Float32Array(2**27);
+const array = new Float32Array(2**28);
 
 assertThrows(() => {for (const key in array) {}}, RangeError);