chore: cherry-pick 2 changes from 1-M137

[VerteDinde]

electron/security#676 - 45eb42cd398e from v8

[turbofan] Convert Smi to Word64 using zero extension

... when a known type range contains only positive values.

Bug: 420637585
Change-Id: I8d9bb3f2fe2e5268e1659bb4ea7bbf97bfb52288
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6594731
Reviewed-by: Nico Hartmann nicohartmann@chromium.org
Commit-Queue: Igor Sheludko ishell@chromium.org
Cr-Commit-Position: refs/heads/main@{#100538}

Notes: Backported fix for 420637585.

electron/security#677 - f1e6422a355c from chromium

Enforce SharedWorker::Terminate() procedure order

During the investigation of crbug.com/409059706, we observed that
PerformShutdownOnWorkerThread() is called during the status is
running.

I suppose the root cause is race condition between Terminate()
procedure and a child process termination procedure in different
thread. WorkerThread can be terminated if two conditions are met;
Terminate() is called and all child worker threads have been
terminated. Both Terminate() and the child process termination
procedure may call PerformShutdownOnWorkerThread(), and former
is executed regardless of two conditions are met. The latter
is called if Terminate() is called and no child processes.
To be clear, "Terminate() is called" does not mean
PrepareForShutdownOnWorkerThread() is executed. Terminate()
queues it after the flag to tell Terminate() call. And, when
the issue happen, I am quite sure the flag is set but,
PrepareForShutdownOnWorkerThread() won't be executed yet.

The fix is that:

1. The "Terminate() is called" flag to be multi staged.
   The flag is used for two purpose; a. avoid re-enter of
   Terminate(), and b. PrepareForShutdownOnWorkerThread() is
   in flight. The CL changed the flag to enum to represent
   the stage properly.
2. PerformShutdownOnWorkerThread() is queued even if it is
   called within the child process termination procedure.
   It avoid the execution order flip between
   PrepareForShutdownOnWorkerThread() and
   PerformShutdownOnWorkerThread().

In addition, this change ensures PerformShutdownOnWorkerThread()
is called once. While PerformShutdownOnWorkerThread() touches
fields inside, the fields must not be touched at some point within
the function, the function is actually not re-entrant when it reaches
to the end. Upon mikt@ suggestion, I made
PerformShutdownOnWorkerThread() is called only when two conditions
are fulfilled. i.e. Terminate() is called and the number of child
threads is 0. Also, the CL uses the enum to show
PerformShutdownOnWorkerThread() is in-flight to avoid re-entrance
in this level.

Bug: 409059706
Change-Id: I81a1c3b1a34e827fa75ec2d1a9b37023965dbe27
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6543412
Reviewed-by: Hiroki Nakagawa nhiroki@chromium.org
Commit-Queue: Yoshisato Yanagisawa yyanagisawa@chromium.org
Cr-Commit-Position: refs/heads/main@{#1463892}

Notes:

• Security: Backported fix for CVE-2025-5068.
• Security: Backported fix for 409059706.

[release-clerk]

Release Notes Persisted

Backported fix for 420637585.