chore: cherry-pick 3 changes from 5-M131 (#45156)

chore: [32-x-y] cherry-pick 3 changes from 5-M131 * e1b6fb924221 from v8 * 0d3c44362eea from v8 * f3300abe2fcd from chromium Co-authored-by: Charles Kerr <charles@charleskerr.com>
2025-01-13 23:30:09 +00:00 · 2025-01-13 23:30:09 +00:00 · 3f60b86559
commit 3f60b86559
parent 35bbcf7ca5
6 changed files with 492 additions and 0 deletions
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@ -144,3 +144,4 @@ ui_add_missing_shortcut_text_for_vkey_command_on_linux.patch
 wayland_support_outgoing_dnd_sessions_with_no_offered_mime_types.patch
 cherry-pick-3a6ff45cc3f4.patch
 cherry-pick-a51e7ebb7663.patch
+cherry-pick-f3300abe2fcd.patch
--- a/patches/chromium/cherry-pick-f3300abe2fcd.patch
+++ b/patches/chromium/cherry-pick-f3300abe2fcd.patch
@ -0,0 +1,255 @@
+From f3300abe2fcd0164794d7a782cc221d10c17f322 Mon Sep 17 00:00:00 2001
+From: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
+Date: Mon, 06 Jan 2025 05:34:49 -0800
+Subject: [PATCH] [M130] Make AcceptLanguagesWatcher a weak persistent object
+
+DedicatedWorkerOrSharedWorkerFetchContext keeps on having a pointer
+to the AcceptLanguagesWatcher as a raw_ptr.  Even if the implementing
+object gets garbage-collected, the pointer is kept.  Therefore,
+DedicatedWorkerOrSharedWorkerFetchContext may use it after the GC.
+
+This CL revised the raw_ptr to AcceptLanguagesWatcher to use
+WeakPersistent so that the users of the object won't access it
+after it gets GCed.
+
+(cherry picked from commit 9e7b77da977401361ef3bc9ad0f43e7563f49657)
+
+Bug: 379869752
+Change-Id: Ic3997fcf17aa93f45507241e0fc18a486efc1932
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6038980
+Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
+Auto-Submit: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
+Commit-Queue: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#1390151}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6148168
+Reviewed-by: Erhu Akpobaro <eakpobaro@google.com>
+Commit-Queue: Daniel Yip <danielyip@google.com>
+Auto-Submit: Daniel Yip <danielyip@google.com>
+Owners-Override: Daniel Yip <danielyip@google.com>
+Cr-Commit-Position: refs/branch-heads/6723@{#2761}
+Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013}
+---
+
+diff --git a/third_party/blink/public/platform/web_worker_fetch_context.h b/third_party/blink/public/platform/web_worker_fetch_context.h
+index 6f2a2e9..cf8bfce4 100644
+--- a/third_party/blink/public/platform/web_worker_fetch_context.h
+++ b/third_party/blink/public/platform/web_worker_fetch_context.h
+@@ -33,19 +33,12 @@
+ 
+ namespace blink {
+ 
+class AcceptLanguagesWatcher;
+ class WebDocumentSubresourceFilter;
+ class URLLoaderFactory;
+ class WebURLRequest;
+ class URLLoaderThrottle;
+ 
+-// Helper class allowing DedicatedOrSharedWorkerFetchContextImpl to notify blink
+-// upon an accept languages update. This class will be extended by
+-// WorkerNavigator.
+-class AcceptLanguagesWatcher {
+- public:
+-  virtual void NotifyUpdate() = 0;
+-};
+-
+ // WebWorkerFetchContext is a per-worker object created on the main thread,
+ // passed to a worker (dedicated, shared and service worker) and initialized on
+ // the worker thread by InitializeOnWorkerThread(). It contains information
+diff --git a/third_party/blink/renderer/core/workers/worker_navigator.cc b/third_party/blink/renderer/core/workers/worker_navigator.cc
+index 344382b..a4159a4 100644
+--- a/third_party/blink/renderer/core/workers/worker_navigator.cc
+++ b/third_party/blink/renderer/core/workers/worker_navigator.cc
+@@ -61,4 +61,9 @@
+       *Event::Create(event_type_names::kLanguagechange));
+ }
+ 
+void WorkerNavigator::Trace(Visitor* visitor) const {
+  NavigatorBase::Trace(visitor);
+  AcceptLanguagesWatcher::Trace(visitor);
+}
+
+ }  // namespace blink
+diff --git a/third_party/blink/renderer/core/workers/worker_navigator.h b/third_party/blink/renderer/core/workers/worker_navigator.h
+index ea07a96..ab622f8e 100644
+--- a/third_party/blink/renderer/core/workers/worker_navigator.h
+++ b/third_party/blink/renderer/core/workers/worker_navigator.h
+@@ -29,6 +29,7 @@
+ #include "third_party/blink/public/platform/web_worker_fetch_context.h"
+ #include "third_party/blink/renderer/core/core_export.h"
+ #include "third_party/blink/renderer/core/execution_context/navigator_base.h"
+#include "third_party/blink/renderer/platform/accept_languages_watcher.h"
+ #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
+ 
+ namespace blink {
+@@ -46,6 +47,9 @@
+ 
+   // AcceptLanguagesWatcher override
+   void NotifyUpdate() override;
+
+  // Both NavigatorLanguage and AcceptLanguagesWatcher override
+  void Trace(Visitor* visitor) const override;
+ };
+ 
+ }  // namespace blink
+diff --git a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc
+index 0815877..4930962 100644
+--- a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc
+++ b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc
+@@ -18,6 +18,7 @@
+ #include "third_party/blink/public/platform/url_loader_throttle_provider.h"
+ #include "third_party/blink/public/platform/web_url_request_extra_data.h"
+ #include "third_party/blink/public/platform/websocket_handshake_throttle_provider.h"
+#include "third_party/blink/renderer/platform/accept_languages_watcher.h"
+ #include "third_party/blink/renderer/platform/loader/fetch/url_loader/url_loader_factory.h"
+ #include "third_party/blink/renderer/platform/loader/internet_disconnected_url_loader.h"
+ 
+@@ -226,9 +227,12 @@
+ 
+ void WebServiceWorkerFetchContextImpl::NotifyUpdate(
+     const RendererPreferences& new_prefs) {
+-  DCHECK(accept_languages_watcher_);
+-  if (renderer_preferences_.accept_languages != new_prefs.accept_languages)
+-    accept_languages_watcher_->NotifyUpdate();
+  // Reserving `watcher` on the stack ensures it is not GC'd within this scope.
+  auto* watcher = accept_languages_watcher_.Get();
+  if (watcher &&
+      renderer_preferences_.accept_languages != new_prefs.accept_languages) {
+    watcher->NotifyUpdate();
+  }
+   renderer_preferences_ = new_prefs;
+ }
+ 
+diff --git a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h
+index a7c897de..c2f1c9d 100644
+--- a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h
+++ b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h
+@@ -6,16 +6,16 @@
+ #define THIRD_PARTY_BLINK_RENDERER_MODULES_SERVICE_WORKER_WEB_SERVICE_WORKER_FETCH_CONTEXT_IMPL_H_
+ 
+ #include "base/memory/raw_ptr.h"
+#include "base/task/single_thread_task_runner.h"
+ #include "mojo/public/cpp/bindings/pending_receiver.h"
+ #include "mojo/public/cpp/bindings/receiver.h"
+ #include "third_party/blink/public/common/renderer_preferences/renderer_preferences.h"
+ #include "third_party/blink/public/mojom/renderer_preference_watcher.mojom-blink.h"
+ #include "third_party/blink/public/mojom/service_worker/service_worker.mojom-forward.h"
+ #include "third_party/blink/public/mojom/worker/subresource_loader_updater.mojom-blink.h"
+-
+-#include "base/task/single_thread_task_runner.h"
+ #include "third_party/blink/public/platform/modules/service_worker/web_service_worker_fetch_context.h"
+ #include "third_party/blink/public/platform/web_common.h"
+#include "third_party/blink/renderer/platform/heap/persistent.h"
+ #include "third_party/blink/renderer/platform/weborigin/kurl.h"
+ #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
+ #include "third_party/blink/renderer/platform/wtf/vector.h"
+@@ -135,7 +135,7 @@
+   // This is owned by ThreadedMessagingProxyBase on the main thread.
+   raw_ptr<base::WaitableEvent> terminate_sync_load_event_ = nullptr;
+ 
+-  raw_ptr<AcceptLanguagesWatcher> accept_languages_watcher_ = nullptr;
+  WeakPersistent<AcceptLanguagesWatcher> accept_languages_watcher_;
+ 
+   Vector<String> cors_exempt_header_list_;
+   bool is_offline_mode_ = false;
+diff --git a/third_party/blink/renderer/platform/BUILD.gn b/third_party/blink/renderer/platform/BUILD.gn
+index 5b8e391..12da20f 100644
+--- a/third_party/blink/renderer/platform/BUILD.gn
+++ b/third_party/blink/renderer/platform/BUILD.gn
+@@ -341,6 +341,7 @@
+   output_name = "blink_platform"
+ 
+   sources = [
+    "accept_languages_watcher.h",
+     "animation/animation_translation_util.cc",
+     "animation/animation_translation_util.h",
+     "animation/compositor_animation.cc",
+diff --git a/third_party/blink/renderer/platform/accept_languages_watcher.h b/third_party/blink/renderer/platform/accept_languages_watcher.h
+new file mode 100644
+index 0000000..7fd5de07f
+--- /dev/null
+++ b/third_party/blink/renderer/platform/accept_languages_watcher.h
+@@ -0,0 +1,22 @@
+// Copyright 2024 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef THIRD_PARTY_BLINK_RENDERER_PLATFORM_ACCEPT_LANGUAGES_WATCHER_H_
+#define THIRD_PARTY_BLINK_RENDERER_PLATFORM_ACCEPT_LANGUAGES_WATCHER_H_
+
+#include "third_party/blink/renderer/platform/heap/garbage_collected.h"
+
+namespace blink {
+
+// Helper class allowing DedicatedOrSharedWorkerFetchContextImpl to notify blink
+// upon an accept languages update. This class will be extended by
+// WorkerNavigator.
+class AcceptLanguagesWatcher : public GarbageCollectedMixin {
+ public:
+  virtual void NotifyUpdate() = 0;
+};
+
+}  // namespace blink
+
+#endif  // THIRD_PARTY_BLINK_RENDERER_PLATFORM_ACCEPT_LANGUAGES_WATCHER_H_
+diff --git a/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS b/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS
+index c8a92c06..7886b02 100644
+--- a/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS
+++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS
+@@ -28,4 +28,7 @@
+     "web_url_loader_unittest.cc": [
+         "+net/test/cert_test_util.h"
+     ],
+    "dedicated_or_shared_worker_fetch_context_impl.cc": [
+        "+third_party/blink/renderer/platform/accept_languages_watcher.h",
+    ],
+ }
+diff --git a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc
+index cc1954f6..c9f96ff 100644
+--- a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc
+++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc
+@@ -28,6 +28,7 @@
+ #include "third_party/blink/public/platform/web_security_origin.h"
+ #include "third_party/blink/public/platform/web_url_request_extra_data.h"
+ #include "third_party/blink/public/platform/websocket_handshake_throttle_provider.h"
+#include "third_party/blink/renderer/platform/accept_languages_watcher.h"
+ #include "third_party/blink/renderer/platform/loader/fetch/url_loader/url_loader.h"
+ #include "third_party/blink/renderer/platform/loader/fetch/url_loader/url_loader_factory.h"
+ #include "url/url_constants.h"
+@@ -605,9 +606,13 @@
+ 
+ void DedicatedOrSharedWorkerFetchContextImpl::NotifyUpdate(
+     const RendererPreferences& new_prefs) {
+-  if (accept_languages_watcher_ &&
+-      renderer_preferences_.accept_languages != new_prefs.accept_languages)
+-    accept_languages_watcher_->NotifyUpdate();
+  // Reserving `accept_languages_watcher` on the stack ensures it is not GC'd
+  // within this scope.
+  auto* accept_languages_watcher = accept_languages_watcher_.Get();
+  if (accept_languages_watcher &&
+      renderer_preferences_.accept_languages != new_prefs.accept_languages) {
+    accept_languages_watcher->NotifyUpdate();
+  }
+   renderer_preferences_ = new_prefs;
+   for (auto& watcher : child_preference_watchers_)
+     watcher->NotifyUpdate(new_prefs);
+diff --git a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h
+index b95a25fe..d0387cf 100644
+--- a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h
+++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h
+@@ -23,6 +23,7 @@
+ #include "third_party/blink/public/platform/web_common.h"
+ #include "third_party/blink/public/platform/web_dedicated_or_shared_worker_fetch_context.h"
+ #include "third_party/blink/public/platform/web_string.h"
+#include "third_party/blink/renderer/platform/heap/persistent.h"
+ #include "third_party/blink/renderer/platform/wtf/casting.h"
+ #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
+ #include "third_party/blink/renderer/platform/wtf/vector.h"
+@@ -301,7 +302,7 @@
+   std::unique_ptr<WeakWrapperResourceLoadInfoNotifier>
+       weak_wrapper_resource_load_info_notifier_;
+ 
+-  raw_ptr<AcceptLanguagesWatcher> accept_languages_watcher_ = nullptr;
+  WeakPersistent<AcceptLanguagesWatcher> accept_languages_watcher_;
+ };
+ 
+ template <>
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@ -9,3 +9,6 @@ cherry-pick-d9893f4856af.patch
 merged_liftoff_fix_clobbered_scratch_register.patch
 cherry-pick-aad648bd2af9.patch
 cherry-pick-cb0d9e1d7b88.patch
+merged_wasm_arm_tail-call_free_scratch_register_earlier.patch
+merged_turboshaft_wasm_wasmgctypeanalyzer_fix_phi_input_for.patch
+merged_turboshaft_wasm_wasmgctypeanalyzer_fix_single-block_loops.patch
--- a/patches/v8/merged_turboshaft_wasm_wasmgctypeanalyzer_fix_phi_input_for.patch
+++ b/patches/v8/merged_turboshaft_wasm_wasmgctypeanalyzer_fix_phi_input_for.patch
@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Kummerow <jkummerow@chromium.org>
+Date: Mon, 16 Dec 2024 20:34:29 +0100
+Subject: Merged: [turboshaft][wasm] WasmGCTypeAnalyzer: Fix phi input for
+ single-block loops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixed: 383356864
+(cherry picked from commit f231d83cb3c08754413b3ee1aa249cebd4d5445f)
+
+Change-Id: I3247f6071a9a27eaef49ae8981b7eea93f83dc55
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6097632
+Reviewed-by: Eva Herencsárová <evih@chromium.org>
+Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
+Commit-Queue: Eva Herencsárová <evih@chromium.org>
+Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
+Cr-Commit-Position: refs/branch-heads/13.0@{#45}
+Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
+Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
+
+diff --git a/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.cc b/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.cc
+index 25a78a7c74dcd4a2d64abd8dcf4430e3d587533a..58a94afcbeb9acd4241cc9f67ed90922e1d59125 100644
+--- a/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.cc
+++ b/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.cc
+@@ -269,6 +269,28 @@ void WasmGCTypeAnalyzer::ProcessAllocateStruct(
+                       wasm::ValueType::Ref(type_index));
+ }
+ 
+wasm::ValueType WasmGCTypeAnalyzer::GetTypeForPhiInput(const PhiOp& phi,
+                                                       int input_index) {
+  OpIndex phi_id = graph_.Index(phi);
+  OpIndex input = ResolveAliases(phi.input(input_index));
+  // If the input of the phi is in the same block as the phi and appears
+  // before the phi, don't use the predecessor value.
+
+  if (current_block_->begin().id() <= input.id() && input.id() < phi_id.id()) {
+    // Phi instructions have to be at the beginning of the block, so this can
+    // only happen for inputs that are also phis. Furthermore, this is only
+    // possible in loop headers of loops with a single block (endless loops) and
+    // only for the backedge-input.
+    DCHECK(graph_.Get(input).Is<PhiOp>());
+    DCHECK(current_block_->IsLoop());
+    DCHECK(current_block_->HasBackedge(graph_));
+    DCHECK_EQ(current_block_->LastPredecessor(), current_block_);
+    DCHECK_EQ(input_index, 1);
+    return types_table_.Get(input);
+  }
+  return types_table_.GetPredecessorValue(input, input_index);
+}
+
+ void WasmGCTypeAnalyzer::ProcessPhi(const PhiOp& phi) {
+   // The result type of a phi is the union of all its input types.
+   // If any of the inputs is the default value ValueType(), there isn't any type
+@@ -281,12 +303,10 @@ void WasmGCTypeAnalyzer::ProcessPhi(const PhiOp& phi) {
+     RefineTypeKnowledge(graph_.Index(phi), GetResolvedType((phi.input(0))));
+     return;
+   }
+-  wasm::ValueType union_type =
+-      types_table_.GetPredecessorValue(ResolveAliases(phi.input(0)), 0);
+  wasm::ValueType union_type = GetTypeForPhiInput(phi, 0);
+   if (union_type == wasm::ValueType()) return;
+   for (int i = 1; i < phi.input_count; ++i) {
+-    wasm::ValueType input_type =
+-        types_table_.GetPredecessorValue(ResolveAliases(phi.input(i)), i);
+    wasm::ValueType input_type = GetTypeForPhiInput(phi, i);
+     if (input_type == wasm::ValueType()) return;
+     // <bottom> types have to be skipped as an unreachable predecessor doesn't
+     // change our type knowledge.
+diff --git a/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.h b/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.h
+index 56823cf991637f62fde4b86d35c83d248f712683..877490ecb3a926eda33e645a8f6ac5cd84b36e4a 100644
+--- a/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.h
+++ b/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.h
+@@ -80,6 +80,8 @@ class WasmGCTypeAnalyzer {
+   void ProcessPhi(const PhiOp& phi);
+   void ProcessTypeAnnotation(const WasmTypeAnnotationOp& type_annotation);
+ 
+  wasm::ValueType GetTypeForPhiInput(const PhiOp& phi, int input_index);
+
+   void CreateMergeSnapshot(const Block& block);
+   bool CreateMergeSnapshot(base::Vector<const Snapshot> predecessors,
+                            base::Vector<const bool> reachable);
--- a/patches/v8/merged_turboshaft_wasm_wasmgctypeanalyzer_fix_single-block_loops.patch
+++ b/patches/v8/merged_turboshaft_wasm_wasmgctypeanalyzer_fix_single-block_loops.patch
@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Kummerow <jkummerow@chromium.org>
+Date: Mon, 16 Dec 2024 20:41:57 +0100
+Subject: Merged: [turboshaft][wasm] WasmGCTypeAnalyzer: Fix single-block loops
+ properly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While https://crrev.com/c/6087921 fixed a bug where the type in the
+loop header revisit was reflecting "older" knowledge, it didn't address
+the general issue of loop phis dependencies in single block loops where
+it might require many iterations until all type information has
+stabilized.
+
+The fix linked above also introduce too specific DCHECKs, as even
+outside of single-block loops we can end up with phis where a phi input
+appears in the same block before the phi itself.
+The binaryen fuzzer found the following pattern:
+  v113 = Phi(v26, v113)
+  v114 = Phi(v26, v113)
+
+In follow-up changes it should be ensured that the useless phi v113
+doesn't get emitted, then v114 wouldn't have that issue (and it could
+also be removed.)
+
+(cherry picked from commit c84e01e92bfd61d29541c59e378b9a15ba6fc891)
+
+Fixed: 383356864
+Bug: 383814042
+Change-Id: I222dc493bf0a2613d14ebb7df2bdeca931c8daa6
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6097772
+Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
+Commit-Queue: Eva Herencsárová <evih@chromium.org>
+Reviewed-by: Eva Herencsárová <evih@chromium.org>
+Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
+Cr-Commit-Position: refs/branch-heads/13.0@{#47}
+Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
+Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
+
+diff --git a/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.cc b/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.cc
+index 58a94afcbeb9acd4241cc9f67ed90922e1d59125..6848d15e6190feaeb13bcbdb6315fcfe539a64dc 100644
+--- a/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.cc
+++ b/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.cc
+@@ -45,9 +45,23 @@ void WasmGCTypeAnalyzer::Run() {
+         // defines more precise types than the previous iteration).
+         if (needs_revisit) {
+           block_to_snapshot_[loop_header.index()] = MaybeSnapshot(snapshot);
+-          // This will push the successors of the loop header to the iterator
+-          // stack, so the loop body will be visited in the next iteration.
+-          iterator.MarkLoopForRevisitSkipHeader();
+          if (block.index() != loop_header.index()) {
+            // This will push the successors of the loop header to the iterator
+            // stack, so the loop body will be visited in the next iteration.
+            iterator.MarkLoopForRevisitSkipHeader();
+          } else {
+            // A single-block loop doesn't have any successors which would be
+            // re-evaluated and which might trigger another re-evaluation of the
+            // loop header.
+            // TODO(mliedtke): This is not a great design: We don't just
+            // schedule revisiting the loop header but afterwards we revisit it
+            // once again to evaluate whether we need to revisit it more times,
+            // so for single block loops the revisitation count will always be a
+            // multiple of 2. While this is inefficient, single-block loops are
+            // rare and are either endless loops or need to trigger an exception
+            // (e.g. a wasm trap) to terminate.
+            iterator.MarkLoopForRevisit();
+          }
+         }
+       }
+     }
+@@ -279,12 +293,9 @@ wasm::ValueType WasmGCTypeAnalyzer::GetTypeForPhiInput(const PhiOp& phi,
+   if (current_block_->begin().id() <= input.id() && input.id() < phi_id.id()) {
+     // Phi instructions have to be at the beginning of the block, so this can
+     // only happen for inputs that are also phis. Furthermore, this is only
+-    // possible in loop headers of loops with a single block (endless loops) and
+-    // only for the backedge-input.
+    // possible in loop headers of loops and only for the backedge-input.
+     DCHECK(graph_.Get(input).Is<PhiOp>());
+     DCHECK(current_block_->IsLoop());
+-    DCHECK(current_block_->HasBackedge(graph_));
+-    DCHECK_EQ(current_block_->LastPredecessor(), current_block_);
+     DCHECK_EQ(input_index, 1);
+     return types_table_.Get(input);
+   }
--- a/patches/v8/merged_wasm_arm_tail-call_free_scratch_register_earlier.patch
+++ b/patches/v8/merged_wasm_arm_tail-call_free_scratch_register_earlier.patch
@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thibaud Michaud <thibaudm@chromium.org>
+Date: Wed, 18 Dec 2024 12:14:14 +0100
+Subject: Merged: [wasm][arm][tail-call] Free scratch register earlier
+
+In Liftoff's PrepareTailCall, we kept the UseScratchRegisterScope open
+for longer than necessary. Close the scope earlier to ensure that we
+don't run out of scratch registers in the last "sub" instruction if it
+needs one.
+
+R=clemensb@chromium.org
+
+Fixed: 384565015
+(cherry picked from commit 7c9e628fd07a457635db098483f7a956ecfa385a)
+
+Change-Id: I0100569d5276aa9188ccbc3c7ee409a9dd49be31
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6148448
+Reviewed-by: Daniel Lehmann <dlehmann@chromium.org>
+Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
+Cr-Commit-Position: refs/branch-heads/13.0@{#49}
+Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
+Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
+
+diff --git a/src/wasm/baseline/arm/liftoff-assembler-arm-inl.h b/src/wasm/baseline/arm/liftoff-assembler-arm-inl.h
+index d5964af013d7c38ba1d6592680480730b9960b2f..2d806f58aeb465f591d564369961aa71cb74a61f 100644
+--- a/src/wasm/baseline/arm/liftoff-assembler-arm-inl.h
+++ b/src/wasm/baseline/arm/liftoff-assembler-arm-inl.h
+@@ -496,21 +496,23 @@ void LiftoffAssembler::CallFrameSetupStub(int declared_function_index) {
+ 
+ void LiftoffAssembler::PrepareTailCall(int num_callee_stack_params,
+                                        int stack_param_delta) {
+-  UseScratchRegisterScope temps(this);
+-  Register scratch = temps.Acquire();
+  {
+    UseScratchRegisterScope temps(this);
+    Register scratch = temps.Acquire();
+ 
+-  // Push the return address and frame pointer to complete the stack frame.
+-  sub(sp, sp, Operand(8));
+-  ldr(scratch, MemOperand(fp, 4));
+-  str(scratch, MemOperand(sp, 4));
+-  ldr(scratch, MemOperand(fp, 0));
+-  str(scratch, MemOperand(sp, 0));
+-
+-  // Shift the whole frame upwards.
+-  int slot_count = num_callee_stack_params + 2;
+-  for (int i = slot_count - 1; i >= 0; --i) {
+-    ldr(scratch, MemOperand(sp, i * 4));
+-    str(scratch, MemOperand(fp, (i - stack_param_delta) * 4));
+    // Push the return address and frame pointer to complete the stack frame.
+    sub(sp, sp, Operand(8));
+    ldr(scratch, MemOperand(fp, 4));
+    str(scratch, MemOperand(sp, 4));
+    ldr(scratch, MemOperand(fp, 0));
+    str(scratch, MemOperand(sp, 0));
+
+    // Shift the whole frame upwards.
+    int slot_count = num_callee_stack_params + 2;
+    for (int i = slot_count - 1; i >= 0; --i) {
+      ldr(scratch, MemOperand(sp, i * 4));
+      str(scratch, MemOperand(fp, (i - stack_param_delta) * 4));
+    }
+   }
+ 
+   // Set the new stack and frame pointer.