chore: cherry-pick bab8254c3 and 2dd23f757 from v8 (#32801)

* chore: cherry-pick bab8254c3 and 2dd23f757 from v8

Backports
https://chromium-review.googlesource.com/c/v8/v8/+/3204965
https://chromium-review.googlesource.com/c/v8/v8/+/3207892

* chore: update patches

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>

patches/v8/.patches

@@ -6,3 +6,5 @@ workaround_an_undefined_symbol_error.patch
 do_not_export_private_v8_symbols_on_windows.patch
 fix_build_deprecated_attirbute_for_older_msvc_versions.patch
 fix_disable_implies_dcheck_for_node_stream_array_buffers.patch
+regexp_arm_fix_regexp_assembler_abortion.patch
+regexp_ensure_regress-1255368_runs_only_with_irregexp.patch

patches/v8/regexp_arm_fix_regexp_assembler_abortion.patch

@@ -0,0 +1,68 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Clemens Backes <clemensb@chromium.org>
+Date: Tue, 5 Oct 2021 13:37:34 +0200
+Subject: Fix regexp assembler abortion
+
+When aborting code generation, we need to call {AbortedCodeGeneration}
+on the {MacroAssembler} contained in the {RegExpMacroAssemblerARM}.
+
+R=jgruber@chromium.org
+
+Bug: chromium:1255368
+Change-Id: If37351e8f5715e23affd21ad2de8a8eaad3ea094
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3204965
+Reviewed-by: Jakob Gruber <jgruber@chromium.org>
+Commit-Queue: Clemens Backes <clemensb@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#77250}
+
+diff --git a/src/regexp/arm/regexp-macro-assembler-arm.cc b/src/regexp/arm/regexp-macro-assembler-arm.cc
+index f21ee023da951354c035b0bf2d9be29e77c9b6af..7d30c4be24eef7fbfb8e523807619dcedcf87202 100644
+--- a/src/regexp/arm/regexp-macro-assembler-arm.cc
++++ b/src/regexp/arm/regexp-macro-assembler-arm.cc
+@@ -112,7 +112,10 @@ RegExpMacroAssemblerARM::RegExpMacroAssemblerARM(Isolate* isolate, Zone* zone,
+   __ bind(&start_label_);  // And then continue from here.
+ }
+ 
+-RegExpMacroAssemblerARM::~RegExpMacroAssemblerARM() {
++RegExpMacroAssemblerARM::~RegExpMacroAssemblerARM() = default;
++
++void RegExpMacroAssemblerARM::AbortedCodeGeneration() {
++  masm_->AbortedCodeGeneration();
+   // Unuse labels in case we throw away the assembler without calling GetCode.
+   entry_label_.Unuse();
+   start_label_.Unuse();
+@@ -124,7 +127,6 @@ RegExpMacroAssemblerARM::~RegExpMacroAssemblerARM() {
+   fallback_label_.Unuse();
+ }
+ 
+-
+ int RegExpMacroAssemblerARM::stack_limit_slack()  {
+   return RegExpStack::kStackLimitSlack;
+ }
+diff --git a/src/regexp/arm/regexp-macro-assembler-arm.h b/src/regexp/arm/regexp-macro-assembler-arm.h
+index 478ed292ae95235a8aa4b44efc1f4ad8d07c20fc..1446fa69821a078d45b802288c8fcafa7d4311b6 100644
+--- a/src/regexp/arm/regexp-macro-assembler-arm.h
++++ b/src/regexp/arm/regexp-macro-assembler-arm.h
+@@ -17,6 +17,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM
+   RegExpMacroAssemblerARM(Isolate* isolate, Zone* zone, Mode mode,
+                           int registers_to_save);
+   virtual ~RegExpMacroAssemblerARM();
++  virtual void AbortedCodeGeneration();
+   virtual int stack_limit_slack();
+   virtual void AdvanceCurrentPosition(int by);
+   virtual void AdvanceRegister(int reg, int by);
+diff --git a/test/mjsunit/regress/regress-1255368.js b/test/mjsunit/regress/regress-1255368.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..9284c5893ceb1d99d427870e9f0a287b4c725a65
+--- /dev/null
++++ b/test/mjsunit/regress/regress-1255368.js
+@@ -0,0 +1,9 @@
++// Copyright 2021 the V8 project authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++// Flags: --no-regexp-tier-up
++
++const arr = new Array(20000).fill([1]);
++const regexp = RegExp(JSON.stringify(arr));
++assertThrows(() => regexp.exec(), SyntaxError, /Regular expression too large/);

patches/v8/regexp_ensure_regress-1255368_runs_only_with_irregexp.patch

@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Gruber <jgruber@chromium.org>
+Date: Wed, 6 Oct 2021 13:01:34 +0200
+Subject: Ensure regress-1255368 runs only with irregexp
+
+The expected assertion is specific to irregexp codegen.
+
+Bug: chromium:1255368
+Change-Id: I14d033285014727de2e63582ed798fc82570497d
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3207892
+Auto-Submit: Jakob Gruber <jgruber@chromium.org>
+Commit-Queue: Jakob Gruber <jgruber@chromium.org>
+Reviewed-by: Clemens Backes <clemensb@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#77254}
+
+diff --git a/test/mjsunit/regress/regress-1255368.js b/test/mjsunit/regress/regress-1255368.js
+index 9284c5893ceb1d99d427870e9f0a287b4c725a65..7b4fb334ac7fa6adc3cb3af04dd3bb0ca72e3302 100644
+--- a/test/mjsunit/regress/regress-1255368.js
++++ b/test/mjsunit/regress/regress-1255368.js
+@@ -2,7 +2,8 @@
+ // Use of this source code is governed by a BSD-style license that can be
+ // found in the LICENSE file.
+ 
+-// Flags: --no-regexp-tier-up
++// Flags: --no-regexp-tier-up --no-enable-experimental-regexp-engine
++// Flags: --no-regexp-interpret-all
+ 
+ const arr = new Array(20000).fill([1]);
+ const regexp = RegExp(JSON.stringify(arr));
+diff --git a/tools/testrunner/local/variants.py b/tools/testrunner/local/variants.py
+index 42bf12d46474335b1ecc3233785d5713bcd8d2cb..a17313dcdf6ec8db209e2e6b09ee23dc4d22745b 100644
+--- a/tools/testrunner/local/variants.py
++++ b/tools/testrunner/local/variants.py
+@@ -54,7 +54,7 @@ ALL_VARIANT_FLAGS = {
+ INCOMPATIBLE_FLAGS_PER_VARIANT = {
+   "jitless": ["--opt", "--always-opt", "--liftoff", "--track-field-types",
+               "--validate-asm", "--sparkplug", "--always-sparkplug",
+-              "--regexp-tier-up"],
++              "--regexp-tier-up", "--no-regexp-interpret-all"],
+   "nooptimization": ["--always-opt"],
+   "slow_path": ["--no-force-slow-path"],
+   "stress_concurrent_allocation": ["--single-threaded-gc", "--predictable"],