libv8-node 21.7.2.0-aarch64-linux-musl → 24.12.0.0-aarch64-linux-musl

data/vendor/v8/include/v8-internal.h

@@ -10,9 +10,29 @@
 #include <string.h>
 
 #include <atomic>
+#include <iterator>
+#include <limits>
+#include <memory>
+#include <optional>
 #include <type_traits>
 
-#include "v8config.h"    // NOLINT(build/include_directory)
+#include "v8config.h"  // NOLINT(build/include_directory)
+
+// TODO(pkasting): Use <compare>/spaceship unconditionally after dropping
+// support for old libstdc++ versions.
+#if __has_include(<version>)
+#include <version>
+#endif
+#if defined(__cpp_lib_three_way_comparison) &&   \
+    __cpp_lib_three_way_comparison >= 201711L && \
+    defined(__cpp_lib_concepts) && __cpp_lib_concepts >= 202002L
+#include <compare>
+#include <concepts>
+
+#define V8_HAVE_SPACESHIP_OPERATOR 1
+#else
+#define V8_HAVE_SPACESHIP_OPERATOR 0
+#endif
 
 namespace v8 {
 
@@ -23,7 +43,11 @@ class Isolate;
 
 namespace internal {
 
+class Heap;
+class LocalHeap;
 class Isolate;
+class IsolateGroup;
+class LocalIsolate;
 
 typedef uintptr_t Address;
 static constexpr Address kNullAddress = 0;
@@ -84,7 +108,10 @@ struct SmiTagging<4> {
     // Truncate and shift down (requires >> to be sign extending).
     return static_cast<int32_t>(static_cast<uint32_t>(value)) >> shift_bits;
   }
-  V8_INLINE static constexpr bool IsValidSmi(intptr_t value) {
+
+  template <class T, typename std::enable_if_t<std::is_integral_v<T> &&
+                                               std::is_signed_v<T>>* = nullptr>
+  V8_INLINE static constexpr bool IsValidSmi(T value) {
     // Is value in range [kSmiMinValue, kSmiMaxValue].
     // Use unsigned operations in order to avoid undefined behaviour in case of
     // signed integer overflow.
@@ -93,6 +120,28 @@ struct SmiTagging<4> {
            (static_cast<uintptr_t>(kSmiMaxValue) -
             static_cast<uintptr_t>(kSmiMinValue));
   }
+
+  template <class T,
+            typename std::enable_if_t<std::is_integral_v<T> &&
+                                      std::is_unsigned_v<T>>* = nullptr>
+  V8_INLINE static constexpr bool IsValidSmi(T value) {
+    static_assert(kSmiMaxValue <= std::numeric_limits<uintptr_t>::max());
+    return value <= static_cast<uintptr_t>(kSmiMaxValue);
+  }
+
+  // Same as the `intptr_t` version but works with int64_t on 32-bit builds
+  // without slowing down anything else.
+  V8_INLINE static constexpr bool IsValidSmi(int64_t value) {
+    return (static_cast<uint64_t>(value) -
+            static_cast<uint64_t>(kSmiMinValue)) <=
+           (static_cast<uint64_t>(kSmiMaxValue) -
+            static_cast<uint64_t>(kSmiMinValue));
+  }
+
+  V8_INLINE static constexpr bool IsValidSmi(uint64_t value) {
+    static_assert(kSmiMaxValue <= std::numeric_limits<uint64_t>::max());
+    return value <= static_cast<uint64_t>(kSmiMaxValue);
+  }
 };
 
 // Smi constants for systems where tagged pointer is a 64-bit value.
@@ -109,9 +158,20 @@ struct SmiTagging<8> {
     // Shift down and throw away top 32 bits.
     return static_cast<int>(static_cast<intptr_t>(value) >> shift_bits);
   }
-  V8_INLINE static constexpr bool IsValidSmi(intptr_t value) {
+
+  template <class T, typename std::enable_if_t<std::is_integral_v<T> &&
+                                               std::is_signed_v<T>>* = nullptr>
+  V8_INLINE static constexpr bool IsValidSmi(T value) {
     // To be representable as a long smi, the value must be a 32-bit integer.
-    return (value == static_cast<int32_t>(value));
+    return std::numeric_limits<int32_t>::min() <= value &&
+           value <= std::numeric_limits<int32_t>::max();
+  }
+
+  template <class T,
+            typename std::enable_if_t<std::is_integral_v<T> &&
+                                      std::is_unsigned_v<T>>* = nullptr>
+  V8_INLINE static constexpr bool IsValidSmi(T value) {
+    return value <= std::numeric_limits<int32_t>::max();
   }
 };
 
@@ -172,7 +232,7 @@ using SandboxedPointer_t = Address;
 #ifdef V8_ENABLE_SANDBOX
 
 // Size of the sandbox, excluding the guard regions surrounding it.
-#ifdef V8_TARGET_OS_ANDROID
+#if defined(V8_TARGET_OS_ANDROID)
 // On Android, most 64-bit devices seem to be configured with only 39 bits of
 // virtual address space for userspace. As such, limit the sandbox to 128GB (a
 // quarter of the total available address space).
@@ -197,9 +257,12 @@ constexpr size_t kSandboxAlignment = kPtrComprCageBaseAlignment;
 constexpr uint64_t kSandboxedPointerShift = 64 - kSandboxSizeLog2;
 
 // Size of the guard regions surrounding the sandbox. This assumes a worst-case
-// scenario of a 32-bit unsigned index used to access an array of 64-bit
-// values.
-constexpr size_t kSandboxGuardRegionSize = 32ULL * GB;
+// scenario of a 32-bit unsigned index used to access an array of 64-bit values
+// with an additional 4GB (compressed pointer) offset. In particular, accesses
+// to TypedArrays are effectively computed as
+// `entry_pointer = array->base + array->offset + index * array->element_size`.
+// See also https://crbug.com/40070746 for more details.
+constexpr size_t kSandboxGuardRegionSize = 32ULL * GB + 4ULL * GB;
 
 static_assert((kSandboxGuardRegionSize % kSandboxAlignment) == 0,
               "The size of the guard regions around the sandbox must be a "
@@ -246,15 +309,16 @@ static_assert(1ULL << (64 - kBoundedSizeShift) ==
 // size allows omitting bounds checks on table accesses if the indices are
 // guaranteed (e.g. through shifting) to be below the maximum index. This
 // value must be a power of two.
-constexpr size_t kExternalPointerTableReservationSize = 512 * MB;
+constexpr size_t kExternalPointerTableReservationSize = 256 * MB;
 
 // The external pointer table indices stored in HeapObjects as external
 // pointers are shifted to the left by this amount to guarantee that they are
-// smaller than the maximum table size.
-constexpr uint32_t kExternalPointerIndexShift = 6;
+// smaller than the maximum table size even after the C++ compiler multiplies
+// them by 8 to be used as indexes into a table of 64 bit pointers.
+constexpr uint32_t kExternalPointerIndexShift = 7;
 #else
-constexpr size_t kExternalPointerTableReservationSize = 1024 * MB;
-constexpr uint32_t kExternalPointerIndexShift = 5;
+constexpr size_t kExternalPointerTableReservationSize = 512 * MB;
+constexpr uint32_t kExternalPointerIndexShift = 6;
 #endif  // V8_TARGET_OS_ANDROID
 
 // The maximum number of entries in an external pointer table.
@@ -273,6 +337,16 @@ constexpr size_t kMaxExternalPointers = 0;
 
 #endif  // V8_COMPRESS_POINTERS
 
+constexpr uint64_t kExternalPointerMarkBit = 1ULL << 48;
+constexpr uint64_t kExternalPointerTagShift = 49;
+constexpr uint64_t kExternalPointerTagMask = 0x00fe000000000000ULL;
+constexpr uint64_t kExternalPointerShiftedTagMask =
+    kExternalPointerTagMask >> kExternalPointerTagShift;
+static_assert(kExternalPointerShiftedTagMask << kExternalPointerTagShift ==
+              kExternalPointerTagMask);
+constexpr uint64_t kExternalPointerTagAndMarkbitMask = 0x00ff000000000000ULL;
+constexpr uint64_t kExternalPointerPayloadMask = 0xff00ffffffffffffULL;
+
 // A ExternalPointerHandle represents a (opaque) reference to an external
 // pointer that can be stored inside the sandbox. A ExternalPointerHandle has
 // meaning only in combination with an (active) Isolate as it references an
@@ -294,6 +368,124 @@ using ExternalPointer_t = Address;
 constexpr ExternalPointer_t kNullExternalPointer = 0;
 constexpr ExternalPointerHandle kNullExternalPointerHandle = 0;
 
+// See `ExternalPointerHandle` for the main documentation. The difference to
+// `ExternalPointerHandle` is that the handle does not represent an arbitrary
+// external pointer but always refers to an object managed by `CppHeap`. The
+// handles are using in combination with a dedicated table for `CppHeap`
+// references.
+using CppHeapPointerHandle = uint32_t;
+
+// The actual pointer to objects located on the `CppHeap`. When pointer
+// compression is enabled these pointers are stored as `CppHeapPointerHandle`.
+// In non-compressed configurations the pointers are simply stored as raw
+// pointers.
+#ifdef V8_COMPRESS_POINTERS
+using CppHeapPointer_t = CppHeapPointerHandle;
+#else
+using CppHeapPointer_t = Address;
+#endif
+
+constexpr CppHeapPointer_t kNullCppHeapPointer = 0;
+constexpr CppHeapPointerHandle kNullCppHeapPointerHandle = 0;
+
+constexpr uint64_t kCppHeapPointerMarkBit = 1ULL;
+constexpr uint64_t kCppHeapPointerTagShift = 1;
+constexpr uint64_t kCppHeapPointerPayloadShift = 16;
+
+#ifdef V8_COMPRESS_POINTERS
+// CppHeapPointers use a dedicated pointer table. These constants control the
+// size and layout of the table. See the corresponding constants for the
+// external pointer table for further details.
+constexpr size_t kCppHeapPointerTableReservationSize =
+    kExternalPointerTableReservationSize;
+constexpr uint32_t kCppHeapPointerIndexShift = kExternalPointerIndexShift;
+
+constexpr int kCppHeapPointerTableEntrySize = 8;
+constexpr int kCppHeapPointerTableEntrySizeLog2 = 3;
+constexpr size_t kMaxCppHeapPointers =
+    kCppHeapPointerTableReservationSize / kCppHeapPointerTableEntrySize;
+static_assert((1 << (32 - kCppHeapPointerIndexShift)) == kMaxCppHeapPointers,
+              "kCppHeapPointerTableReservationSize and "
+              "kCppHeapPointerIndexShift don't match");
+
+#else  // !V8_COMPRESS_POINTERS
+
+// Needed for the V8.SandboxedCppHeapPointersCount histogram.
+constexpr size_t kMaxCppHeapPointers = 0;
+
+#endif  // V8_COMPRESS_POINTERS
+
+// Generic tag range struct to represent ranges of type tags.
+//
+// When referencing external objects via pointer tables, type tags are
+// frequently necessary to guarantee type safety for the external objects. When
+// support for subtyping is necessary, range-based type checks are used in
+// which all subtypes of a given supertype use contiguous tags. This struct can
+// then be used to represent such a type range.
+//
+// In addition, there is an option for performance tweaks: if the size of the
+// type range corresponding to a supertype is a power of two and starts at a
+// power of two (e.g. [0x100, 0x13f]), then the compiler can often optimize
+// the type check to use even fewer instructions (essentially replace a AND +
+// SUB with a single AND).
+//
+template <typename Tag>
+struct TagRange {
+  static_assert(std::is_enum_v<Tag> &&
+                    std::is_same_v<std::underlying_type_t<Tag>, uint16_t>,
+                "Tag parameter must be an enum with base type uint16_t");
+
+  // Construct the inclusive tag range [first, last].
+  constexpr TagRange(Tag first, Tag last) : first(first), last(last) {}
+
+  // Construct a tag range consisting of a single tag.
+  //
+  // A single tag is always implicitly convertible to a tag range. This greatly
+  // increases readability as most of the time, the exact tag of a field is
+  // known and so no tag range needs to explicitly be created for it.
+  constexpr TagRange(Tag tag)  // NOLINT(runtime/explicit)
+      : first(tag), last(tag) {}
+
+  // Construct an empty tag range.
+  constexpr TagRange() : TagRange(static_cast<Tag>(0)) {}
+
+  // A tag range is considered empty if it only contains the null tag.
+  constexpr bool IsEmpty() const { return first == 0 && last == 0; }
+
+  constexpr size_t Size() const {
+    if (IsEmpty()) {
+      return 0;
+    } else {
+      return last - first + 1;
+    }
+  }
+
+  constexpr bool Contains(Tag tag) const {
+    // Need to perform the math with uint32_t. Otherwise, the uint16_ts would
+    // be promoted to (signed) int, allowing the compiler to (wrongly) assume
+    // that an underflow cannot happen as that would be undefined behavior.
+    return static_cast<uint32_t>(tag) - first <=
+           static_cast<uint32_t>(last) - first;
+  }
+
+  constexpr bool Contains(TagRange tag_range) const {
+    return tag_range.first >= first && tag_range.last <= last;
+  }
+
+  constexpr bool operator==(const TagRange other) const {
+    return first == other.first && last == other.last;
+  }
+
+  constexpr size_t hash_value() const {
+    static_assert(std::is_same_v<std::underlying_type_t<Tag>, uint16_t>);
+    return (static_cast<size_t>(first) << 16) | last;
+  }
+
+  // Internally we represent tag ranges as half-open ranges [first, last).
+  const Tag first;
+  const Tag last;
+};
+
 //
 // External Pointers.
 //
@@ -301,41 +493,12 @@ constexpr ExternalPointerHandle kNullExternalPointerHandle = 0;
 // pointer table and are referenced from HeapObjects through an index (a
 // "handle"). When stored in the table, the pointers are tagged with per-type
 // tags to prevent type confusion attacks between different external objects.
-// Besides type information bits, these tags also contain the GC marking bit
-// which indicates whether the pointer table entry is currently alive. When a
-// pointer is written into the table, the tag is ORed into the top bits. When
-// that pointer is later loaded from the table, it is ANDed with the inverse of
-// the expected tag. If the expected and actual type differ, this will leave
-// some of the top bits of the pointer set, rendering the pointer inaccessible.
-// The AND operation also removes the GC marking bit from the pointer.
 //
-// The tags are constructed such that UNTAG(TAG(0, T1), T2) != 0 for any two
-// (distinct) tags T1 and T2. In practice, this is achieved by generating tags
-// that all have the same number of zeroes and ones but different bit patterns.
-// With N type tag bits, this allows for (N choose N/2) possible type tags.
-// Besides the type tag bits, the tags also have the GC marking bit set so that
-// the marking bit is automatically set when a pointer is written into the
-// external pointer table (in which case it is clearly alive) and is cleared
-// when the pointer is loaded. The exception to this is the free entry tag,
-// which doesn't have the mark bit set, as the entry is not alive. This
-// construction allows performing the type check and removing GC marking bits
-// from the pointer in one efficient operation (bitwise AND). The number of
-// available bits is limited in the following way: on x64, bits [47, 64) are
-// generally available for tagging (userspace has 47 address bits available).
-// On Arm64, userspace typically has a 40 or 48 bit address space. However, due
-// to top-byte ignore (TBI) and memory tagging (MTE), the top byte is unusable
-// for type checks as type-check failures would go unnoticed or collide with
-// MTE bits. Some bits of the top byte can, however, still be used for the GC
-// marking bit. The bits available for the type tags are therefore limited to
-// [48, 56), i.e. (8 choose 4) = 70 different types.
-// The following options exist to increase the number of possible types:
-// - Using multiple ExternalPointerTables since tags can safely be reused
-//   across different tables
-// - Using "extended" type checks, where additional type information is stored
-//   either in an adjacent pointer table entry or at the pointed-to location
-// - Using a different tagging scheme, for example based on XOR which would
-//   allow for 2**8 different tags but require a separate operation to remove
-//   the marking bit
+// When loading an external pointer, a range of allowed tags can be specified.
+// This way, type hierarchies can be supported. The main requirement for that
+// is that all (transitive) child classes of a given parent class have type ids
+// in the same range, and that there are no unrelated types in that range. For
+// more details about how to assign type tags to types, see the TagRange class.
 //
 // The external pointer sandboxing mechanism ensures that every access to an
 // external pointer field will result in a valid pointer of the expected type
@@ -358,196 +521,285 @@ constexpr ExternalPointerHandle kNullExternalPointerHandle = 0;
 // extension (MTE) which would use bits [56, 60).
 //
 // External pointer tables are also available even when the sandbox is off but
-// pointer compression is on. In that case, the mechanism can be used to easy
+// pointer compression is on. In that case, the mechanism can be used to ease
 // alignment requirements as it turns unaligned 64-bit raw pointers into
 // aligned 32-bit indices. To "opt-in" to the external pointer table mechanism
 // for this purpose, instead of using the ExternalPointer accessors one needs to
 // use ExternalPointerHandles directly and use them to access the pointers in an
 // ExternalPointerTable.
-constexpr uint64_t kExternalPointerMarkBit = 1ULL << 62;
-constexpr uint64_t kExternalPointerTagMask = 0x40ff000000000000;
-constexpr uint64_t kExternalPointerTagMaskWithoutMarkBit = 0xff000000000000;
-constexpr uint64_t kExternalPointerTagShift = 48;
-
-// All possible 8-bit type tags.
-// These are sorted so that tags can be grouped together and it can efficiently
-// be checked if a tag belongs to a given group. See for example the
-// IsSharedExternalPointerType routine.
-constexpr uint64_t kAllExternalPointerTypeTags[] = {
-    0b00001111, 0b00010111, 0b00011011, 0b00011101, 0b00011110, 0b00100111,
-    0b00101011, 0b00101101, 0b00101110, 0b00110011, 0b00110101, 0b00110110,
-    0b00111001, 0b00111010, 0b00111100, 0b01000111, 0b01001011, 0b01001101,
-    0b01001110, 0b01010011, 0b01010101, 0b01010110, 0b01011001, 0b01011010,
-    0b01011100, 0b01100011, 0b01100101, 0b01100110, 0b01101001, 0b01101010,
-    0b01101100, 0b01110001, 0b01110010, 0b01110100, 0b01111000, 0b10000111,
-    0b10001011, 0b10001101, 0b10001110, 0b10010011, 0b10010101, 0b10010110,
-    0b10011001, 0b10011010, 0b10011100, 0b10100011, 0b10100101, 0b10100110,
-    0b10101001, 0b10101010, 0b10101100, 0b10110001, 0b10110010, 0b10110100,
-    0b10111000, 0b11000011, 0b11000101, 0b11000110, 0b11001001, 0b11001010,
-    0b11001100, 0b11010001, 0b11010010, 0b11010100, 0b11011000, 0b11100001,
-    0b11100010, 0b11100100, 0b11101000, 0b11110000};
-
-#define TAG(i)                                                    \
-  ((kAllExternalPointerTypeTags[i] << kExternalPointerTagShift) | \
-   kExternalPointerMarkBit)
-
-// clang-format off
-
-// When adding new tags, please ensure that the code using these tags is
-// "substitution-safe", i.e. still operate safely if external pointers of the
-// same type are swapped by an attacker. See comment above for more details.
-
-// Shared external pointers are owned by the shared Isolate and stored in the
-// shared external pointer table associated with that Isolate, where they can
-// be accessed from multiple threads at the same time. The objects referenced
-// in this way must therefore always be thread-safe.
-#define SHARED_EXTERNAL_POINTER_TAGS(V)                 \
-  V(kFirstSharedTag,                            TAG(0)) \
-  V(kWaiterQueueNodeTag,                        TAG(0)) \
-  V(kExternalStringResourceTag,                 TAG(1)) \
-  V(kExternalStringResourceDataTag,             TAG(2)) \
-  V(kLastSharedTag,                             TAG(2))
-
-// External pointers using these tags are kept in a per-Isolate external
-// pointer table and can only be accessed when this Isolate is active.
-#define PER_ISOLATE_EXTERNAL_POINTER_TAGS(V)             \
-  V(kForeignForeignAddressTag,                  TAG(10)) \
-  V(kNativeContextMicrotaskQueueTag,            TAG(11)) \
-  V(kEmbedderDataSlotPayloadTag,                TAG(12)) \
-/* This tag essentially stands for a `void*` pointer in the V8 API, and */ \
-/* it is the Embedder's responsibility to ensure type safety (against */   \
-/* substitution) and lifetime validity of these objects. */                \
-  V(kExternalObjectValueTag,                    TAG(13)) \
-  V(kCallHandlerInfoCallbackTag,                TAG(14)) \
-  V(kAccessorInfoGetterTag,                     TAG(15)) \
-  V(kAccessorInfoSetterTag,                     TAG(16)) \
-  V(kWasmInternalFunctionCallTargetTag,         TAG(17)) \
-  V(kWasmTypeInfoNativeTypeTag,                 TAG(18)) \
-  V(kWasmExportedFunctionDataSignatureTag,      TAG(19)) \
-  V(kWasmContinuationJmpbufTag,                 TAG(20)) \
-  V(kWasmIndirectFunctionTargetTag,             TAG(21)) \
-  V(kArrayBufferExtensionTag,                   TAG(22))
-
-// All external pointer tags.
-#define ALL_EXTERNAL_POINTER_TAGS(V) \
-  SHARED_EXTERNAL_POINTER_TAGS(V)    \
-  PER_ISOLATE_EXTERNAL_POINTER_TAGS(V)
-
-#define EXTERNAL_POINTER_TAG_ENUM(Name, Tag) Name = Tag,
-#define MAKE_TAG(HasMarkBit, TypeTag)                             \
-  ((static_cast<uint64_t>(TypeTag) << kExternalPointerTagShift) | \
-  (HasMarkBit ? kExternalPointerMarkBit : 0))
-enum ExternalPointerTag : uint64_t {
-  // Empty tag value. Mostly used as placeholder.
-  kExternalPointerNullTag =            MAKE_TAG(1, 0b00000000),
-  // External pointer tag that will match any external pointer. Use with care!
-  kAnyExternalPointerTag =             MAKE_TAG(1, 0b11111111),
-  // The free entry tag has all type bits set so every type check with a
-  // different type fails. It also doesn't have the mark bit set as free
-  // entries are (by definition) not alive.
-  kExternalPointerFreeEntryTag =       MAKE_TAG(0, 0b11111111),
-  // Evacuation entries are used during external pointer table compaction.
-  kExternalPointerEvacuationEntryTag = MAKE_TAG(1, 0b11100111),
-
-  ALL_EXTERNAL_POINTER_TAGS(EXTERNAL_POINTER_TAG_ENUM)
+//
+// The tag is currently in practice limited to 15 bits since it needs to fit
+// together with a marking bit into the unused parts of a pointer.
+enum ExternalPointerTag : uint16_t {
+  kFirstExternalPointerTag = 0,
+  kExternalPointerNullTag = 0,
+
+  // When adding new tags, please ensure that the code using these tags is
+  // "substitution-safe", i.e. still operate safely if external pointers of the
+  // same type are swapped by an attacker. See comment above for more details.
+
+  // Shared external pointers are owned by the shared Isolate and stored in the
+  // shared external pointer table associated with that Isolate, where they can
+  // be accessed from multiple threads at the same time. The objects referenced
+  // in this way must therefore always be thread-safe.
+  kFirstSharedExternalPointerTag,
+  kWaiterQueueNodeTag = kFirstSharedExternalPointerTag,
+  kExternalStringResourceTag,
+  kExternalStringResourceDataTag,
+  kLastSharedExternalPointerTag = kExternalStringResourceDataTag,
+
+  // External pointers using these tags are kept in a per-Isolate external
+  // pointer table and can only be accessed when this Isolate is active.
+  kNativeContextMicrotaskQueueTag,
+  kEmbedderDataSlotPayloadTag,
+  // This tag essentially stands for a `void*` pointer in the V8 API, and it is
+  // the Embedder's responsibility to ensure type safety (against substitution)
+  // and lifetime validity of these objects.
+  kExternalObjectValueTag,
+  kFirstMaybeReadOnlyExternalPointerTag,
+  kFunctionTemplateInfoCallbackTag = kFirstMaybeReadOnlyExternalPointerTag,
+  kAccessorInfoGetterTag,
+  kAccessorInfoSetterTag,
+  kLastMaybeReadOnlyExternalPointerTag = kAccessorInfoSetterTag,
+  kWasmInternalFunctionCallTargetTag,
+  kWasmTypeInfoNativeTypeTag,
+  kWasmExportedFunctionDataSignatureTag,
+  kWasmStackMemoryTag,
+  kWasmIndirectFunctionTargetTag,
+
+  // Foreigns
+  kFirstForeignExternalPointerTag,
+  kGenericForeignTag = kFirstForeignExternalPointerTag,
+  kApiNamedPropertyQueryCallbackTag,
+  kApiNamedPropertyGetterCallbackTag,
+  kApiNamedPropertySetterCallbackTag,
+  kApiNamedPropertyDescriptorCallbackTag,
+  kApiNamedPropertyDefinerCallbackTag,
+  kApiNamedPropertyDeleterCallbackTag,
+  kApiIndexedPropertyQueryCallbackTag,
+  kApiIndexedPropertyGetterCallbackTag,
+  kApiIndexedPropertySetterCallbackTag,
+  kApiIndexedPropertyDescriptorCallbackTag,
+  kApiIndexedPropertyDefinerCallbackTag,
+  kApiIndexedPropertyDeleterCallbackTag,
+  kApiIndexedPropertyEnumeratorCallbackTag,
+  kApiAccessCheckCallbackTag,
+  kApiAbortScriptExecutionCallbackTag,
+  kSyntheticModuleTag,
+  kMicrotaskCallbackTag,
+  kMicrotaskCallbackDataTag,
+  kCFunctionTag,
+  kCFunctionInfoTag,
+  kMessageListenerTag,
+  kWaiterQueueForeignTag,
+
+  // Managed
+  kFirstManagedResourceTag,
+  kFirstManagedExternalPointerTag = kFirstManagedResourceTag,
+  kGenericManagedTag = kFirstManagedExternalPointerTag,
+  kWasmWasmStreamingTag,
+  kWasmFuncDataTag,
+  kWasmManagedDataTag,
+  kWasmNativeModuleTag,
+  kIcuBreakIteratorTag,
+  kIcuUnicodeStringTag,
+  kIcuListFormatterTag,
+  kIcuLocaleTag,
+  kIcuSimpleDateFormatTag,
+  kIcuDateIntervalFormatTag,
+  kIcuRelativeDateTimeFormatterTag,
+  kIcuLocalizedNumberFormatterTag,
+  kIcuPluralRulesTag,
+  kIcuCollatorTag,
+  kDisplayNamesInternalTag,
+  kD8WorkerTag,
+  kD8ModuleEmbedderDataTag,
+  kLastForeignExternalPointerTag = kD8ModuleEmbedderDataTag,
+  kLastManagedExternalPointerTag = kLastForeignExternalPointerTag,
+  // External resources whose lifetime is tied to their entry in the external
+  // pointer table but which are not referenced via a Managed
+  kArrayBufferExtensionTag,
+  kLastManagedResourceTag = kArrayBufferExtensionTag,
+
+  kExternalPointerZappedEntryTag = 0x7d,
+  kExternalPointerEvacuationEntryTag = 0x7e,
+  kExternalPointerFreeEntryTag = 0x7f,
+  // The tags are limited to 7 bits, so the last tag is 0x7f.
+  kLastExternalPointerTag = 0x7f,
 };
 
-#undef MAKE_TAG
-#undef TAG
-#undef EXTERNAL_POINTER_TAG_ENUM
-
-// clang-format on
+using ExternalPointerTagRange = TagRange<ExternalPointerTag>;
+
+constexpr ExternalPointerTagRange kAnyExternalPointerTagRange(
+    kFirstExternalPointerTag, kLastExternalPointerTag);
+constexpr ExternalPointerTagRange kAnySharedExternalPointerTagRange(
+    kFirstSharedExternalPointerTag, kLastSharedExternalPointerTag);
+constexpr ExternalPointerTagRange kAnyForeignExternalPointerTagRange(
+    kFirstForeignExternalPointerTag, kLastForeignExternalPointerTag);
+constexpr ExternalPointerTagRange kAnyManagedExternalPointerTagRange(
+    kFirstManagedExternalPointerTag, kLastManagedExternalPointerTag);
+constexpr ExternalPointerTagRange kAnyMaybeReadOnlyExternalPointerTagRange(
+    kFirstMaybeReadOnlyExternalPointerTag,
+    kLastMaybeReadOnlyExternalPointerTag);
+constexpr ExternalPointerTagRange kAnyManagedResourceExternalPointerTag(
+    kFirstManagedResourceTag, kLastManagedResourceTag);
 
 // True if the external pointer must be accessed from the shared isolate's
 // external pointer table.
 V8_INLINE static constexpr bool IsSharedExternalPointerType(
-    ExternalPointerTag tag) {
-  return tag >= kFirstSharedTag && tag <= kLastSharedTag;
+    ExternalPointerTagRange tag_range) {
+  return kAnySharedExternalPointerTagRange.Contains(tag_range);
 }
 
-// Sanity checks.
-#define CHECK_SHARED_EXTERNAL_POINTER_TAGS(Tag, ...) \
-  static_assert(IsSharedExternalPointerType(Tag));
-#define CHECK_NON_SHARED_EXTERNAL_POINTER_TAGS(Tag, ...) \
-  static_assert(!IsSharedExternalPointerType(Tag));
-
-SHARED_EXTERNAL_POINTER_TAGS(CHECK_SHARED_EXTERNAL_POINTER_TAGS)
-PER_ISOLATE_EXTERNAL_POINTER_TAGS(CHECK_NON_SHARED_EXTERNAL_POINTER_TAGS)
+// True if the external pointer may live in a read-only object, in which case
+// the table entry will be in the shared read-only segment of the external
+// pointer table.
+V8_INLINE static constexpr bool IsMaybeReadOnlyExternalPointerType(
+    ExternalPointerTagRange tag_range) {
+  return kAnyMaybeReadOnlyExternalPointerTagRange.Contains(tag_range);
+}
 
-#undef CHECK_NON_SHARED_EXTERNAL_POINTER_TAGS
-#undef CHECK_SHARED_EXTERNAL_POINTER_TAGS
+// True if the external pointer references an external object whose lifetime is
+// tied to the entry in the external pointer table.
+// In this case, the entry in the ExternalPointerTable always points to an
+// object derived from ExternalPointerTable::ManagedResource.
+V8_INLINE static constexpr bool IsManagedExternalPointerType(
+    ExternalPointerTagRange tag_range) {
+  return kAnyManagedResourceExternalPointerTag.Contains(tag_range);
+}
 
-#undef SHARED_EXTERNAL_POINTER_TAGS
-#undef EXTERNAL_POINTER_TAGS
+// When an external poiner field can contain the null external pointer handle,
+// the type checking mechanism needs to also check for null.
+// TODO(saelo): this is mostly a temporary workaround to introduce range-based
+// type checks. In the future, we should either (a) change the type tagging
+// scheme so that null always passes or (b) (more likely) introduce dedicated
+// null entries for those tags that need them (similar to other well-known
+// empty value constants such as the empty fixed array).
+V8_INLINE static constexpr bool ExternalPointerCanBeEmpty(
+    ExternalPointerTagRange tag_range) {
+  return tag_range.Contains(kArrayBufferExtensionTag) ||
+         tag_range.Contains(kEmbedderDataSlotPayloadTag);
+}
 
-//
 // Indirect Pointers.
 //
 // When the sandbox is enabled, indirect pointers are used to reference
-// HeapObjects that live outside of the sandbox (but are still managed through
-// the GC). When object A references an object B through an indirect pointer,
-// object A will contain a IndirectPointerHandle, i.e. a shifted 32-bit index,
-// which identifies an entry in a pointer table (such as the CodePointerTable).
-// This table entry then contains the actual pointer to object B. Further,
-// object B owns this pointer table entry, and it is responsible for updating
-// the "self-pointer" in the entry when it is relocated in memory. This way, in
-// contrast to "normal" pointers, indirect pointers never need to be tracked by
-// the GC (i.e. there is no remembered set for them).
-// Currently there is only one type of object referenced through indirect
-// pointers (Code objects), but once there are different types of such objects,
-// the pointer table entry would probably also contain the type of the target
-// object (e.g. by XORing the instance type into the top bits of the pointer).
+// HeapObjects that live outside of the sandbox (but are still managed by V8's
+// garbage collector). When object A references an object B through an indirect
+// pointer, object A will contain a IndirectPointerHandle, i.e. a shifted
+// 32-bit index, which identifies an entry in a pointer table (either the
+// trusted pointer table for TrustedObjects, or the code pointer table if it is
+// a Code object). This table entry then contains the actual pointer to object
+// B. Further, object B owns this pointer table entry, and it is responsible
+// for updating the "self-pointer" in the entry when it is relocated in memory.
+// This way, in contrast to "normal" pointers, indirect pointers never need to
+// be tracked by the GC (i.e. there is no remembered set for them).
+// These pointers do not exist when the sandbox is disabled.
 
 // An IndirectPointerHandle represents a 32-bit index into a pointer table.
 using IndirectPointerHandle = uint32_t;
 
-// The indirect pointer handles are stores shifted to the left by this amount
-// to guarantee that they are smaller than the maximum table size.
-constexpr uint32_t kIndirectPointerHandleShift = 6;
-
 // A null handle always references an entry that contains nullptr.
 constexpr IndirectPointerHandle kNullIndirectPointerHandle = 0;
 
-// Currently only Code objects can be referenced through indirect pointers and
-// various places rely on that assumption. They will all static_assert against
-// this constant to make them easy to find and fix once we reference other types
-// of objects indirectly.
-constexpr bool kAllIndirectPointerObjectsAreCode = true;
+// When the sandbox is enabled, indirect pointers are used to implement:
+// - TrustedPointers: an indirect pointer using the trusted pointer table (TPT)
+//   and referencing a TrustedObject in one of the trusted heap spaces.
+// - CodePointers, an indirect pointer using the code pointer table (CPT) and
+//   referencing a Code object together with its instruction stream.
+
+//
+// Trusted Pointers.
+//
+// A pointer to a TrustedObject.
+// When the sandbox is enabled, these are indirect pointers using the trusted
+// pointer table (TPT). They are used to reference trusted objects (located in
+// one of V8's trusted heap spaces, outside of the sandbox) from inside the
+// sandbox in a memory-safe way. When the sandbox is disabled, these are
+// regular tagged pointers.
+using TrustedPointerHandle = IndirectPointerHandle;
+
+// The size of the virtual memory reservation for the trusted pointer table.
+// As with the external pointer table, a maximum table size in combination with
+// shifted indices allows omitting bounds checks.
+constexpr size_t kTrustedPointerTableReservationSize = 64 * MB;
+
+// The trusted pointer handles are stored shifted to the left by this amount
+// to guarantee that they are smaller than the maximum table size.
+constexpr uint32_t kTrustedPointerHandleShift = 9;
+
+// A null handle always references an entry that contains nullptr.
+constexpr TrustedPointerHandle kNullTrustedPointerHandle =
+    kNullIndirectPointerHandle;
+
+// The maximum number of entries in an trusted pointer table.
+constexpr int kTrustedPointerTableEntrySize = 8;
+constexpr int kTrustedPointerTableEntrySizeLog2 = 3;
+constexpr size_t kMaxTrustedPointers =
+    kTrustedPointerTableReservationSize / kTrustedPointerTableEntrySize;
+static_assert((1 << (32 - kTrustedPointerHandleShift)) == kMaxTrustedPointers,
+              "kTrustedPointerTableReservationSize and "
+              "kTrustedPointerHandleShift don't match");
 
 //
 // Code Pointers.
 //
-// When the sandbox is enabled, Code objects are referenced from inside the
-// sandbox through indirect pointers that reference entries in the code pointer
-// table (CPT). Each entry in the CPT contains both a pointer to a Code object
-// as well as a pointer to the Code's entrypoint. This allows calling/jumping
-// into Code with one fewer memory access (compared to the case where the
-// entrypoint pointer needs to be loaded from the Code object).
-// As such, a CodePointerHandle can be used both to obtain the referenced Code
-// object and to directly load its entrypoint pointer.
+// A pointer to a Code object.
+// Essentially a specialized version of a trusted pointer that (when the
+// sandbox is enabled) uses the code pointer table (CPT) instead of the TPT.
+// Each entry in the CPT contains both a pointer to a Code object as well as a
+// pointer to the Code's entrypoint. This allows calling/jumping into Code with
+// one fewer memory access (compared to the case where the entrypoint pointer
+// first needs to be loaded from the Code object). As such, a CodePointerHandle
+// can be used both to obtain the referenced Code object and to directly load
+// its entrypoint.
+//
+// When the sandbox is disabled, these are regular tagged pointers.
 using CodePointerHandle = IndirectPointerHandle;
-constexpr uint32_t kCodePointerHandleShift = kIndirectPointerHandleShift;
-constexpr CodePointerHandle kNullCodePointerHandle = 0;
 
-// The size of the virtual memory reservation for code pointer table.
-// This determines the maximum number of entries in a table. Using a maximum
-// size allows omitting bounds checks on table accesses if the indices are
-// guaranteed (e.g. through shifting) to be below the maximum index. This
-// value must be a power of two.
-constexpr size_t kCodePointerTableReservationSize = 1 * GB;
+// The size of the virtual memory reservation for the code pointer table.
+// As with the other tables, a maximum table size in combination with shifted
+// indices allows omitting bounds checks.
+constexpr size_t kCodePointerTableReservationSize = 128 * MB;
 
-// The maximum number of entries in an external pointer table.
+// Code pointer handles are shifted by a different amount than indirect pointer
+// handles as the tables have a different maximum size.
+constexpr uint32_t kCodePointerHandleShift = 9;
+
+// A null handle always references an entry that contains nullptr.
+constexpr CodePointerHandle kNullCodePointerHandle = kNullIndirectPointerHandle;
+
+// It can sometimes be necessary to distinguish a code pointer handle from a
+// trusted pointer handle. A typical example would be a union trusted pointer
+// field that can refer to both Code objects and other trusted objects. To
+// support these use-cases, we use a simple marking scheme where some of the
+// low bits of a code pointer handle are set, while they will be unset on a
+// trusted pointer handle. This way, the correct table to resolve the handle
+// can be determined even in the absence of a type tag.
+constexpr uint32_t kCodePointerHandleMarker = 0x1;
+static_assert(kCodePointerHandleShift > 0);
+static_assert(kTrustedPointerHandleShift > 0);
+
+// The maximum number of entries in a code pointer table.
 constexpr int kCodePointerTableEntrySize = 16;
 constexpr int kCodePointerTableEntrySizeLog2 = 4;
 constexpr size_t kMaxCodePointers =
     kCodePointerTableReservationSize / kCodePointerTableEntrySize;
 static_assert(
-    (1 << (32 - kIndirectPointerHandleShift)) == kMaxCodePointers,
+    (1 << (32 - kCodePointerHandleShift)) == kMaxCodePointers,
     "kCodePointerTableReservationSize and kCodePointerHandleShift don't match");
 
 constexpr int kCodePointerTableEntryEntrypointOffset = 0;
 constexpr int kCodePointerTableEntryCodeObjectOffset = 8;
 
+// Constants that can be used to mark places that should be modified once
+// certain types of objects are moved out of the sandbox and into trusted space.
+constexpr bool kRuntimeGeneratedCodeObjectsLiveInTrustedSpace = true;
+constexpr bool kBuiltinCodeObjectsLiveInTrustedSpace = false;
+constexpr bool kAllCodeObjectsLiveInTrustedSpace =
+    kRuntimeGeneratedCodeObjectsLiveInTrustedSpace &&
+    kBuiltinCodeObjectsLiveInTrustedSpace;
+
 // {obj} must be the raw tagged pointer representation of a HeapObject
 // that's guaranteed to never be in ReadOnlySpace.
 V8_EXPORT internal::Isolate* IsolateFromNeverReadOnlySpaceObject(Address obj);
@@ -579,6 +831,13 @@ class Internals {
 
   static const int kOddballKindOffset = 4 * kApiTaggedSize + kApiDoubleSize;
   static const int kJSObjectHeaderSize = 3 * kApiTaggedSize;
+#ifdef V8_COMPRESS_POINTERS
+  static const int kJSAPIObjectWithEmbedderSlotsHeaderSize =
+      kJSObjectHeaderSize + kApiInt32Size;
+#else   // !V8_COMPRESS_POINTERS
+  static const int kJSAPIObjectWithEmbedderSlotsHeaderSize =
+      kJSObjectHeaderSize + kApiTaggedSize;
+#endif  // !V8_COMPRESS_POINTERS
   static const int kFixedArrayHeaderSize = 2 * kApiTaggedSize;
   static const int kEmbedderDataArrayHeaderSize = 2 * kApiTaggedSize;
   static const int kEmbedderDataSlotSize = kApiSystemPointerSize;
@@ -595,6 +854,10 @@ class Internals {
 
   static const uint32_t kNumIsolateDataSlots = 4;
   static const int kStackGuardSize = 8 * kApiSystemPointerSize;
+  static const int kNumberOfBooleanFlags = 6;
+  static const int kErrorMessageParamSize = 1;
+  static const int kTablesAlignmentPaddingSize = 1;
+  static const int kRegExpStaticResultOffsetsVectorSize = kApiSystemPointerSize;
   static const int kBuiltinTier0EntryTableSize = 7 * kApiSystemPointerSize;
   static const int kBuiltinTier0TableSize = 7 * kApiSystemPointerSize;
   static const int kLinearAllocationAreaSize = 3 * kApiSystemPointerSize;
@@ -602,9 +865,11 @@ class Internals {
   static const int kHandleScopeDataSize =
       2 * kApiSystemPointerSize + 2 * kApiInt32Size;
 
-  // ExternalPointerTable layout guarantees.
+  // ExternalPointerTable and TrustedPointerTable layout guarantees.
   static const int kExternalPointerTableBasePointerOffset = 0;
   static const int kExternalPointerTableSize = 2 * kApiSystemPointerSize;
+  static const int kTrustedPointerTableSize = 2 * kApiSystemPointerSize;
+  static const int kTrustedPointerTableBasePointerOffset = 0;
 
   // IsolateData layout guarantees.
   static const int kIsolateCageBaseOffset = 0;
@@ -612,20 +877,28 @@ class Internals {
       kIsolateCageBaseOffset + kApiSystemPointerSize;
   static const int kVariousBooleanFlagsOffset =
       kIsolateStackGuardOffset + kStackGuardSize;
+  static const int kErrorMessageParamOffset =
+      kVariousBooleanFlagsOffset + kNumberOfBooleanFlags;
   static const int kBuiltinTier0EntryTableOffset =
-      kVariousBooleanFlagsOffset + 8;
+      kErrorMessageParamOffset + kErrorMessageParamSize +
+      kTablesAlignmentPaddingSize + kRegExpStaticResultOffsetsVectorSize;
   static const int kBuiltinTier0TableOffset =
       kBuiltinTier0EntryTableOffset + kBuiltinTier0EntryTableSize;
   static const int kNewAllocationInfoOffset =
       kBuiltinTier0TableOffset + kBuiltinTier0TableSize;
   static const int kOldAllocationInfoOffset =
       kNewAllocationInfoOffset + kLinearAllocationAreaSize;
-  static const int kIsolateFastCCallCallerFpOffset =
-      kOldAllocationInfoOffset + kLinearAllocationAreaSize;
+
+  static const int kFastCCallAlignmentPaddingSize =
+      kApiSystemPointerSize == 8 ? 5 * kApiSystemPointerSize
+                                 : 1 * kApiSystemPointerSize;
   static const int kIsolateFastCCallCallerPcOffset =
-      kIsolateFastCCallCallerFpOffset + kApiSystemPointerSize;
-  static const int kIsolateFastApiCallTargetOffset =
+      kOldAllocationInfoOffset + kLinearAllocationAreaSize +
+      kFastCCallAlignmentPaddingSize;
+  static const int kIsolateFastCCallCallerFpOffset =
       kIsolateFastCCallCallerPcOffset + kApiSystemPointerSize;
+  static const int kIsolateFastApiCallTargetOffset =
+      kIsolateFastCCallCallerFpOffset + kApiSystemPointerSize;
   static const int kIsolateLongTaskStatsCounterOffset =
       kIsolateFastApiCallTargetOffset + kApiSystemPointerSize;
   static const int kIsolateThreadLocalTopOffset =
@@ -639,34 +912,65 @@ class Internals {
       kIsolateEmbedderDataOffset + kNumIsolateDataSlots * kApiSystemPointerSize;
   static const int kIsolateSharedExternalPointerTableAddressOffset =
       kIsolateExternalPointerTableOffset + kExternalPointerTableSize;
-  static const int kIsolateApiCallbackThunkArgumentOffset =
+  static const int kIsolateCppHeapPointerTableOffset =
       kIsolateSharedExternalPointerTableAddressOffset + kApiSystemPointerSize;
+#ifdef V8_ENABLE_SANDBOX
+  static const int kIsolateTrustedCageBaseOffset =
+      kIsolateCppHeapPointerTableOffset + kExternalPointerTableSize;
+  static const int kIsolateTrustedPointerTableOffset =
+      kIsolateTrustedCageBaseOffset + kApiSystemPointerSize;
+  static const int kIsolateSharedTrustedPointerTableAddressOffset =
+      kIsolateTrustedPointerTableOffset + kTrustedPointerTableSize;
+  static const int kIsolateTrustedPointerPublishingScopeOffset =
+      kIsolateSharedTrustedPointerTableAddressOffset + kApiSystemPointerSize;
+  static const int kIsolateCodePointerTableBaseAddressOffset =
+      kIsolateTrustedPointerPublishingScopeOffset + kApiSystemPointerSize;
+  static const int kIsolateApiCallbackThunkArgumentOffset =
+      kIsolateCodePointerTableBaseAddressOffset + kApiSystemPointerSize;
+#else
+  static const int kIsolateApiCallbackThunkArgumentOffset =
+      kIsolateCppHeapPointerTableOffset + kExternalPointerTableSize;
+#endif  // V8_ENABLE_SANDBOX
 #else
   static const int kIsolateApiCallbackThunkArgumentOffset =
       kIsolateEmbedderDataOffset + kNumIsolateDataSlots * kApiSystemPointerSize;
-#endif
-  static const int kIsolateRootsOffset =
+#endif  // V8_COMPRESS_POINTERS
+  static const int kIsolateRegexpExecVectorArgumentOffset =
       kIsolateApiCallbackThunkArgumentOffset + kApiSystemPointerSize;
+  static const int kContinuationPreservedEmbedderDataOffset =
+      kIsolateRegexpExecVectorArgumentOffset + kApiSystemPointerSize;
+  static const int kIsolateRootsOffset =
+      kContinuationPreservedEmbedderDataOffset + kApiSystemPointerSize;
+
+  // Assert scopes
+  static const int kDisallowGarbageCollectionAlign = alignof(uint32_t);
+  static const int kDisallowGarbageCollectionSize = sizeof(uint32_t);
 
 #if V8_STATIC_ROOTS_BOOL
 
-// These constants need to be initialized in api.cc.
+// These constants are copied from static-roots.h and guarded by static asserts.
 #define EXPORTED_STATIC_ROOTS_PTR_LIST(V) \
-  V(UndefinedValue)                       \
-  V(NullValue)                            \
-  V(TrueValue)                            \
-  V(FalseValue)                           \
-  V(EmptyString)                          \
-  V(TheHoleValue)
+  V(UndefinedValue, 0x11)                 \
+  V(NullValue, 0x2d)                      \
+  V(TrueValue, 0x71)                      \
+  V(FalseValue, 0x55)                     \
+  V(EmptyString, 0x49)                    \
+  V(TheHoleValue, 0x761)
 
   using Tagged_t = uint32_t;
   struct StaticReadOnlyRoot {
-#define DEF_ROOT(name) V8_EXPORT static const Tagged_t k##name;
+#define DEF_ROOT(name, value) static constexpr Tagged_t k##name = value;
     EXPORTED_STATIC_ROOTS_PTR_LIST(DEF_ROOT)
 #undef DEF_ROOT
 
-    V8_EXPORT static const Tagged_t kFirstStringMap;
-    V8_EXPORT static const Tagged_t kLastStringMap;
+    // Use 0 for kStringMapLowerBound since string maps are the first maps.
+    static constexpr Tagged_t kStringMapLowerBound = 0;
+    static constexpr Tagged_t kStringMapUpperBound = 0x425;
+
+#define PLUSONE(...) +1
+    static constexpr size_t kNumberOfExportedStaticRoots =
+        2 + EXPORTED_STATIC_ROOTS_PTR_LIST(PLUSONE);
+#undef PLUSONE
   };
 
 #endif  // V8_STATIC_ROOTS_BOOL
@@ -683,8 +987,6 @@ class Internals {
   static const int kNodeStateMask = 0x3;
   static const int kNodeStateIsWeakValue = 2;
 
-  static const int kTracedNodeClassIdOffset = kApiSystemPointerSize;
-
   static const int kFirstNonstringType = 0x80;
   static const int kOddballType = 0x83;
   static const int kForeignType = 0xcc;
@@ -692,19 +994,24 @@ class Internals {
   static const int kJSObjectType = 0x421;
   static const int kFirstJSApiObjectType = 0x422;
   static const int kLastJSApiObjectType = 0x80A;
+  // Defines a range [kFirstEmbedderJSApiObjectType, kJSApiObjectTypesCount]
+  // of JSApiObject instance type values that an embedder can use.
+  static const int kFirstEmbedderJSApiObjectType = 0;
+  static const int kLastEmbedderJSApiObjectType =
+      kLastJSApiObjectType - kFirstJSApiObjectType;
 
-  static const int kUndefinedOddballKind = 5;
+  static const int kUndefinedOddballKind = 4;
   static const int kNullOddballKind = 3;
 
   // Constants used by PropertyCallbackInfo to check if we should throw when an
   // error occurs.
-  static const int kThrowOnError = 0;
-  static const int kDontThrow = 1;
+  static const int kDontThrow = 0;
+  static const int kThrowOnError = 1;
   static const int kInferShouldThrowMode = 2;
 
   // Soft limit for AdjustAmountofExternalAllocatedMemory. Trigger an
   // incremental GC once the external memory reaches this limit.
-  static constexpr int kExternalAllocationSoftLimit = 64 * 1024 * 1024;
+  static constexpr size_t kExternalAllocationSoftLimit = 64 * 1024 * 1024;
 
 #ifdef V8_MAP_PACKING
   static const uintptr_t kMapWordMetadataMask = 0xffffULL << 48;
@@ -732,14 +1039,36 @@ class Internals {
     return PlatformSmiTagging::SmiToInt(value);
   }
 
+  V8_INLINE static constexpr Address AddressToSmi(Address value) {
+    return (value << (kSmiTagSize + PlatformSmiTagging::kSmiShiftSize)) |
+           kSmiTag;
+  }
+
   V8_INLINE static constexpr Address IntToSmi(int value) {
-    return internal::IntToSmi(value);
+    return AddressToSmi(static_cast<Address>(value));
   }
 
-  V8_INLINE static constexpr bool IsValidSmi(intptr_t value) {
+  template <typename T,
+            typename std::enable_if_t<std::is_integral_v<T>>* = nullptr>
+  V8_INLINE static constexpr Address IntegralToSmi(T value) {
+    return AddressToSmi(static_cast<Address>(value));
+  }
+
+  template <typename T,
+            typename std::enable_if_t<std::is_integral_v<T>>* = nullptr>
+  V8_INLINE static constexpr bool IsValidSmi(T value) {
     return PlatformSmiTagging::IsValidSmi(value);
   }
 
+  template <typename T,
+            typename std::enable_if_t<std::is_integral_v<T>>* = nullptr>
+  static constexpr std::optional<Address> TryIntegralToSmi(T value) {
+    if (V8_LIKELY(PlatformSmiTagging::IsValidSmi(value))) {
+      return {AddressToSmi(static_cast<Address>(value))};
+    }
+    return {};
+  }
+
 #if V8_STATIC_ROOTS_BOOL
   V8_INLINE static bool is_identical(Address obj, Tagged_t constant) {
     return static_cast<Tagged_t>(obj) == constant;
@@ -763,6 +1092,15 @@ class Internals {
     return ReadRawField<uint16_t>(map, kMapInstanceTypeOffset);
   }
 
+  V8_INLINE static Address LoadMap(Address obj) {
+    if (!HasHeapObjectTag(obj)) return kNullAddress;
+    Address map = ReadTaggedPointerField(obj, kHeapObjectMapOffset);
+#ifdef V8_MAP_PACKING
+    map = UnpackMapWord(map);
+#endif
+    return map;
+  }
+
   V8_INLINE static int GetOddballKind(Address obj) {
     return SmiValue(ReadTaggedSignedField(obj, kOddballKindOffset));
   }
@@ -836,15 +1174,15 @@ class Internals {
     Address base = *reinterpret_cast<Address*>(
         reinterpret_cast<uintptr_t>(isolate) + kIsolateCageBaseOffset);
     switch (index) {
-#define DECOMPRESS_ROOT(name) \
-  case k##name##RootIndex:    \
+#define DECOMPRESS_ROOT(name, ...) \
+  case k##name##RootIndex:         \
     return base + StaticReadOnlyRoot::k##name;
       EXPORTED_STATIC_ROOTS_PTR_LIST(DECOMPRESS_ROOT)
 #undef DECOMPRESS_ROOT
+#undef EXPORTED_STATIC_ROOTS_PTR_LIST
       default:
         break;
     }
-#undef EXPORTED_STATIC_ROOTS_PTR_LIST
 #endif  // V8_STATIC_ROOTS_BOOL
     return *GetRootSlot(isolate, index);
   }
@@ -915,15 +1253,15 @@ class Internals {
 #endif
   }
 
-  template <ExternalPointerTag tag>
+  template <ExternalPointerTagRange tag_range>
   V8_INLINE static Address ReadExternalPointerField(v8::Isolate* isolate,
                                                     Address heap_object_ptr,
                                                     int offset) {
 #ifdef V8_ENABLE_SANDBOX
-    static_assert(tag != kExternalPointerNullTag);
-    // See src/sandbox/external-pointer-table-inl.h. Logic duplicated here so
+    static_assert(!tag_range.IsEmpty());
+    // See src/sandbox/external-pointer-table.h. Logic duplicated here so
     // it can be inlined and doesn't require an additional call.
-    Address* table = IsSharedExternalPointerType(tag)
+    Address* table = IsSharedExternalPointerType(tag_range)
                          ? GetSharedExternalPointerTableBase(isolate)
                          : GetExternalPointerTableBase(isolate);
     internal::ExternalPointerHandle handle =
@@ -932,7 +1270,14 @@ class Internals {
     std::atomic<Address>* ptr =
         reinterpret_cast<std::atomic<Address>*>(&table[index]);
     Address entry = std::atomic_load_explicit(ptr, std::memory_order_relaxed);
-    return entry & ~tag;
+    ExternalPointerTag actual_tag = static_cast<ExternalPointerTag>(
+        (entry & kExternalPointerTagMask) >> kExternalPointerTagShift);
+    if (V8_LIKELY(tag_range.Contains(actual_tag))) {
+      return entry & kExternalPointerPayloadMask;
+    } else {
+      return 0;
+    }
+    return entry;
 #else
     return ReadRawField<Address>(heap_object_ptr, offset);
 #endif  // V8_ENABLE_SANDBOX
@@ -943,6 +1288,10 @@ class Internals {
     return addr & -static_cast<intptr_t>(kPtrComprCageBaseAlignment);
   }
 
+  V8_INLINE static uint32_t CompressTagged(Address value) {
+    return static_cast<uint32_t>(value);
+  }
+
   V8_INLINE static Address DecompressTaggedField(Address heap_object_ptr,
                                                  uint32_t value) {
     Address base = GetPtrComprCageBaseFromOnHeapAddress(heap_object_ptr);
@@ -982,7 +1331,388 @@ class BackingStoreBase {};
 
 // The maximum value in enum GarbageCollectionReason, defined in heap.h.
 // This is needed for histograms sampling garbage collection reasons.
-constexpr int kGarbageCollectionReasonMaxValue = 27;
+constexpr int kGarbageCollectionReasonMaxValue = 29;
+
+// Base class for the address block allocator compatible with standard
+// containers, which registers its allocated range as strong roots.
+class V8_EXPORT StrongRootAllocatorBase {
+ public:
+  Heap* heap() const { return heap_; }
+
+  friend bool operator==(const StrongRootAllocatorBase& a,
+                         const StrongRootAllocatorBase& b) {
+    // TODO(pkasting): Replace this body with `= default` after dropping support
+    // for old gcc versions.
+    return a.heap_ == b.heap_;
+  }
+
+ protected:
+  explicit StrongRootAllocatorBase(Heap* heap) : heap_(heap) {}
+  explicit StrongRootAllocatorBase(LocalHeap* heap);
+  explicit StrongRootAllocatorBase(Isolate* isolate);
+  explicit StrongRootAllocatorBase(v8::Isolate* isolate);
+  explicit StrongRootAllocatorBase(LocalIsolate* isolate);
+
+  // Allocate/deallocate a range of n elements of type internal::Address.
+  Address* allocate_impl(size_t n);
+  void deallocate_impl(Address* p, size_t n) noexcept;
+
+ private:
+  Heap* heap_;
+};
+
+// The general version of this template behaves just as std::allocator, with
+// the exception that the constructor takes the isolate as parameter. Only
+// specialized versions, e.g., internal::StrongRootAllocator<internal::Address>
+// and internal::StrongRootAllocator<v8::Local<T>> register the allocated range
+// as strong roots.
+template <typename T>
+class StrongRootAllocator : private std::allocator<T> {
+ public:
+  using value_type = T;
+
+  template <typename HeapOrIsolateT>
+  explicit StrongRootAllocator(HeapOrIsolateT*) {}
+  template <typename U>
+  StrongRootAllocator(const StrongRootAllocator<U>& other) noexcept {}
+
+  using std::allocator<T>::allocate;
+  using std::allocator<T>::deallocate;
+};
+
+// TODO(pkasting): Replace with `requires` clauses after dropping support for
+// old gcc versions.
+template <typename Iterator, typename = void>
+inline constexpr bool kHaveIteratorConcept = false;
+template <typename Iterator>
+inline constexpr bool kHaveIteratorConcept<
+    Iterator, std::void_t<typename Iterator::iterator_concept>> = true;
+
+template <typename Iterator, typename = void>
+inline constexpr bool kHaveIteratorCategory = false;
+template <typename Iterator>
+inline constexpr bool kHaveIteratorCategory<
+    Iterator, std::void_t<typename Iterator::iterator_category>> = true;
+
+// Helper struct that contains an `iterator_concept` type alias only when either
+// `Iterator` or `std::iterator_traits<Iterator>` do.
+// Default: no alias.
+template <typename Iterator, typename = void>
+struct MaybeDefineIteratorConcept {};
+// Use `Iterator::iterator_concept` if available.
+template <typename Iterator>
+struct MaybeDefineIteratorConcept<
+    Iterator, std::enable_if_t<kHaveIteratorConcept<Iterator>>> {
+  using iterator_concept = typename Iterator::iterator_concept;
+};
+// Otherwise fall back to `std::iterator_traits<Iterator>` if possible.
+template <typename Iterator>
+struct MaybeDefineIteratorConcept<
+    Iterator, std::enable_if_t<kHaveIteratorCategory<Iterator> &&
+                               !kHaveIteratorConcept<Iterator>>> {
+  // There seems to be no feature-test macro covering this, so use the
+  // presence of `<ranges>` as a crude proxy, since it was added to the
+  // standard as part of the Ranges papers.
+  // TODO(pkasting): Add this unconditionally after dropping support for old
+  // libstdc++ versions.
+#if __has_include(<ranges>)
+  using iterator_concept =
+      typename std::iterator_traits<Iterator>::iterator_concept;
+#endif
+};
+
+// A class of iterators that wrap some different iterator type.
+// If specified, ElementType is the type of element accessed by the wrapper
+// iterator; in this case, the actual reference and pointer types of Iterator
+// must be convertible to ElementType& and ElementType*, respectively.
+template <typename Iterator, typename ElementType = void>
+class WrappedIterator : public MaybeDefineIteratorConcept<Iterator> {
+ public:
+  static_assert(
+      std::is_void_v<ElementType> ||
+      (std::is_convertible_v<typename std::iterator_traits<Iterator>::pointer,
+                             std::add_pointer_t<ElementType>> &&
+       std::is_convertible_v<typename std::iterator_traits<Iterator>::reference,
+                             std::add_lvalue_reference_t<ElementType>>));
+
+  using difference_type =
+      typename std::iterator_traits<Iterator>::difference_type;
+  using value_type =
+      std::conditional_t<std::is_void_v<ElementType>,
+                         typename std::iterator_traits<Iterator>::value_type,
+                         ElementType>;
+  using pointer =
+      std::conditional_t<std::is_void_v<ElementType>,
+                         typename std::iterator_traits<Iterator>::pointer,
+                         std::add_pointer_t<ElementType>>;
+  using reference =
+      std::conditional_t<std::is_void_v<ElementType>,
+                         typename std::iterator_traits<Iterator>::reference,
+                         std::add_lvalue_reference_t<ElementType>>;
+  using iterator_category =
+      typename std::iterator_traits<Iterator>::iterator_category;
+
+  constexpr WrappedIterator() noexcept = default;
+  constexpr explicit WrappedIterator(Iterator it) noexcept : it_(it) {}
+
+  // TODO(pkasting): Switch to `requires` and concepts after dropping support
+  // for old gcc and libstdc++ versions.
+  template <typename OtherIterator, typename OtherElementType,
+            typename = std::enable_if_t<
+                std::is_convertible_v<OtherIterator, Iterator>>>
+  constexpr WrappedIterator(
+      const WrappedIterator<OtherIterator, OtherElementType>& other) noexcept
+      : it_(other.base()) {}
+
+  [[nodiscard]] constexpr reference operator*() const noexcept { return *it_; }
+  [[nodiscard]] constexpr pointer operator->() const noexcept {
+    if constexpr (std::is_pointer_v<Iterator>) {
+      return it_;
+    } else {
+      return it_.operator->();
+    }
+  }
+
+  template <typename OtherIterator, typename OtherElementType>
+  [[nodiscard]] constexpr bool operator==(
+      const WrappedIterator<OtherIterator, OtherElementType>& other)
+      const noexcept {
+    return it_ == other.base();
+  }
+#if V8_HAVE_SPACESHIP_OPERATOR
+  template <typename OtherIterator, typename OtherElementType>
+  [[nodiscard]] constexpr auto operator<=>(
+      const WrappedIterator<OtherIterator, OtherElementType>& other)
+      const noexcept {
+    if constexpr (std::three_way_comparable_with<Iterator, OtherIterator>) {
+      return it_ <=> other.base();
+    } else if constexpr (std::totally_ordered_with<Iterator, OtherIterator>) {
+      if (it_ < other.base()) {
+        return std::strong_ordering::less;
+      }
+      return (it_ > other.base()) ? std::strong_ordering::greater
+                                  : std::strong_ordering::equal;
+    } else {
+      if (it_ < other.base()) {
+        return std::partial_ordering::less;
+      }
+      if (other.base() < it_) {
+        return std::partial_ordering::greater;
+      }
+      return (it_ == other.base()) ? std::partial_ordering::equivalent
+                                   : std::partial_ordering::unordered;
+    }
+  }
+#else
+  // Assume that if spaceship isn't present, operator rewriting might not be
+  // either.
+  template <typename OtherIterator, typename OtherElementType>
+  [[nodiscard]] constexpr bool operator!=(
+      const WrappedIterator<OtherIterator, OtherElementType>& other)
+      const noexcept {
+    return it_ != other.base();
+  }
+
+  template <typename OtherIterator, typename OtherElementType>
+  [[nodiscard]] constexpr bool operator<(
+      const WrappedIterator<OtherIterator, OtherElementType>& other)
+      const noexcept {
+    return it_ < other.base();
+  }
+  template <typename OtherIterator, typename OtherElementType>
+  [[nodiscard]] constexpr bool operator<=(
+      const WrappedIterator<OtherIterator, OtherElementType>& other)
+      const noexcept {
+    return it_ <= other.base();
+  }
+  template <typename OtherIterator, typename OtherElementType>
+  [[nodiscard]] constexpr bool operator>(
+      const WrappedIterator<OtherIterator, OtherElementType>& other)
+      const noexcept {
+    return it_ > other.base();
+  }
+  template <typename OtherIterator, typename OtherElementType>
+  [[nodiscard]] constexpr bool operator>=(
+      const WrappedIterator<OtherIterator, OtherElementType>& other)
+      const noexcept {
+    return it_ >= other.base();
+  }
+#endif
+
+  constexpr WrappedIterator& operator++() noexcept {
+    ++it_;
+    return *this;
+  }
+  constexpr WrappedIterator operator++(int) noexcept {
+    WrappedIterator result(*this);
+    ++(*this);
+    return result;
+  }
+
+  constexpr WrappedIterator& operator--() noexcept {
+    --it_;
+    return *this;
+  }
+  constexpr WrappedIterator operator--(int) noexcept {
+    WrappedIterator result(*this);
+    --(*this);
+    return result;
+  }
+  [[nodiscard]] constexpr WrappedIterator operator+(
+      difference_type n) const noexcept {
+    WrappedIterator result(*this);
+    result += n;
+    return result;
+  }
+  [[nodiscard]] friend constexpr WrappedIterator operator+(
+      difference_type n, const WrappedIterator& x) noexcept {
+    return x + n;
+  }
+  constexpr WrappedIterator& operator+=(difference_type n) noexcept {
+    it_ += n;
+    return *this;
+  }
+  [[nodiscard]] constexpr WrappedIterator operator-(
+      difference_type n) const noexcept {
+    return *this + -n;
+  }
+  constexpr WrappedIterator& operator-=(difference_type n) noexcept {
+    return *this += -n;
+  }
+  template <typename OtherIterator, typename OtherElementType>
+  [[nodiscard]] constexpr auto operator-(
+      const WrappedIterator<OtherIterator, OtherElementType>& other)
+      const noexcept {
+    return it_ - other.base();
+  }
+  [[nodiscard]] constexpr reference operator[](
+      difference_type n) const noexcept {
+    return it_[n];
+  }
+
+  [[nodiscard]] constexpr const Iterator& base() const noexcept { return it_; }
+
+ private:
+  Iterator it_;
+};
+
+// Helper functions about values contained in handles.
+// A value is either an indirect pointer or a direct pointer, depending on
+// whether direct local support is enabled.
+class ValueHelper final {
+ public:
+  // ValueHelper::InternalRepresentationType is an abstract type that
+  // corresponds to the internal representation of v8::Local and essentially
+  // to what T* really is (these two are always in sync). This type is used in
+  // methods like GetDataFromSnapshotOnce that need access to a handle's
+  // internal representation. In particular, if `x` is a `v8::Local<T>`, then
+  // `v8::Local<T>::FromRepr(x.repr())` gives exactly the same handle as `x`.
+#ifdef V8_ENABLE_DIRECT_HANDLE
+  static constexpr Address kTaggedNullAddress = 1;
+
+  using InternalRepresentationType = internal::Address;
+  static constexpr InternalRepresentationType kEmpty = kTaggedNullAddress;
+#else
+  using InternalRepresentationType = internal::Address*;
+  static constexpr InternalRepresentationType kEmpty = nullptr;
+#endif  // V8_ENABLE_DIRECT_HANDLE
+
+  template <typename T>
+  V8_INLINE static bool IsEmpty(T* value) {
+    return ValueAsRepr(value) == kEmpty;
+  }
+
+  // Returns a handle's "value" for all kinds of abstract handles. For Local,
+  // it is equivalent to `*handle`. The variadic parameters support handle
+  // types with extra type parameters, like `Persistent<T, M>`.
+  template <template <typename T, typename... Ms> typename H, typename T,
+            typename... Ms>
+  V8_INLINE static T* HandleAsValue(const H<T, Ms...>& handle) {
+    return handle.template value<T>();
+  }
+
+#ifdef V8_ENABLE_DIRECT_HANDLE
+
+  template <typename T>
+  V8_INLINE static Address ValueAsAddress(const T* value) {
+    return reinterpret_cast<Address>(value);
+  }
+
+  template <typename T, bool check_null = true, typename S>
+  V8_INLINE static T* SlotAsValue(S* slot) {
+    if (check_null && slot == nullptr) {
+      return reinterpret_cast<T*>(kTaggedNullAddress);
+    }
+    return *reinterpret_cast<T**>(slot);
+  }
+
+  template <typename T>
+  V8_INLINE static InternalRepresentationType ValueAsRepr(const T* value) {
+    return reinterpret_cast<InternalRepresentationType>(value);
+  }
+
+  template <typename T>
+  V8_INLINE static T* ReprAsValue(InternalRepresentationType repr) {
+    return reinterpret_cast<T*>(repr);
+  }
+
+#else  // !V8_ENABLE_DIRECT_HANDLE
+
+  template <typename T>
+  V8_INLINE static Address ValueAsAddress(const T* value) {
+    return *reinterpret_cast<const Address*>(value);
+  }
+
+  template <typename T, bool check_null = true, typename S>
+  V8_INLINE static T* SlotAsValue(S* slot) {
+    return reinterpret_cast<T*>(slot);
+  }
+
+  template <typename T>
+  V8_INLINE static InternalRepresentationType ValueAsRepr(const T* value) {
+    return const_cast<InternalRepresentationType>(
+        reinterpret_cast<const Address*>(value));
+  }
+
+  template <typename T>
+  V8_INLINE static T* ReprAsValue(InternalRepresentationType repr) {
+    return reinterpret_cast<T*>(repr);
+  }
+
+#endif  // V8_ENABLE_DIRECT_HANDLE
+};
+
+/**
+ * Helper functions about handles.
+ */
+class HandleHelper final {
+ public:
+  /**
+   * Checks whether two handles are equal.
+   * They are equal iff they are both empty or they are both non-empty and the
+   * objects to which they refer are physically equal.
+   *
+   * If both handles refer to JS objects, this is the same as strict equality.
+   * For primitives, such as numbers or strings, a `false` return value does not
+   * indicate that the values aren't equal in the JavaScript sense.
+   * Use `Value::StrictEquals()` to check primitives for equality.
+   */
+  template <typename T1, typename T2>
+  V8_INLINE static bool EqualHandles(const T1& lhs, const T2& rhs) {
+    if (lhs.IsEmpty()) return rhs.IsEmpty();
+    if (rhs.IsEmpty()) return false;
+    return lhs.ptr() == rhs.ptr();
+  }
+};
+
+V8_EXPORT void VerifyHandleIsNonEmpty(bool is_empty);
+
+// These functions are here just to match friend declarations in
+// XxxCallbackInfo classes allowing these functions to access the internals
+// of the info objects. These functions are supposed to be called by debugger
+// macros.
+void PrintFunctionCallbackInfo(void* function_callback_info);
+void PrintPropertyCallbackInfo(void* property_callback_info);
 
 }  // namespace internal
 }  // namespace v8