This wraps up the transition away from kSerialized ref kinds.

Since JSFunctionRef is a complex type, we don't attempt full
consistency on the background thread. Instead, we serialize functions
on the background in a partially-racy manner, in which consistency
between different JSFunction fields is *not* guaranteed. Consistency
is later verified through a new compilation dependency kind during
finalization.

Bug: v8:7790, v8:12004
Change-Id: Ic2b78af9c9fe183c8769d323132bb304b151dc75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2968404
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75789}

A stray 0xfeff character was accidentally added in
https://crrev.com/c/2952864, causing compilation problems on some
platforms. This CL removes it.

In case your diff looks empty, this is the change:
-<feff>// Copyright 2012 the V8 project authors. All rights reserved.
+// Copyright 2012 the V8 project authors. All rights reserved.

It was generated via
> git checkout -p 9c904a8f^ src/utils/alloca*.cc

R=leszeks@chromium.org

Bug: v8:11968
Change-Id: Ief3eba7875383c4a4c4238a4af47083304fc9782
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038526Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75788}

... for visiting slots containing pointers to Code objects when
external code space mode is enabled.
These slots will require different handling once the code space is
moved out of the V8 heap cage.

This CL also introduces IsValidCodeObject() predicate similar to
IsValidHeapObject() for checking if given HeapObject is a valid Code
object.

Tbr: cbruni@chromium.org
Bug: v8:11880
Change-Id: I430940f4503cebfd2a6d387e44349810991a93e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3032085Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75787}

Since {CodeSpaceWriteScope} is now used from cctests (since
https://crrev.com/c/3024150), its constructor and destructor need to be
exported.

R=jkummerow@chromium.org

Change-Id: I30627d632a9f4e4fde51bcb037bad69ceaedf6fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038062
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75786}

This is a reland of 0b091e9b

Some blink web tests have been temporarily disabled to allow landing
changes to the JS API in V8.

Original change's description:
> [wasm][eh] Rename Exception to Tag in the JS API
>
> See:
> https://github.com/WebAssembly/exception-handling/issues/159
>
> This change only does the rename where it's observable. This should also
> be renamed throughout the codebase for consistency and will be done
> separately.
>
> R=ahaas@chromium.org
>
> Bug: v8:8091
> Change-Id: Iec1118194981dfd33be6e30256b6e72d12143e1f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3021172
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75718}

Bug: v8:8091
Change-Id: Id5375b5287fff81b8e0096377a55ef63e6d9b985
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035083
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75785}

The new flags implementation can handle these kinds of implications.

Change-Id: I97cb5adbe00e4c6d92d13b4378582b4035c36475
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3030707
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75784}

This is in preparation for baseline code flushing. After a deopt we
choose to execute baseline or bytecode based on whether
SharedFunctionInfo has any baseline code. With baseline code flushing,
it is possible that baseline code is flushed after this point and before
we start executing the unoptimized code (for ex: materializing objects).
To handle such situations this CL updates the BaselineEnterAt* builtins
to check for baseline code and restart either at baseline / bytecode.

Bug: v8:11947
Change-Id: I2084e38196c882f802d1186ff8c9ab881a35b16b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3030711
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75783}

We add a struct type and array type to the fuzzed module.
Since the interpreter does not support wasm-gc,
we only do so if liftoff is used as a reference implementation.
Also, adding liftoff parameter to all GenerateModule definitions.

Bug: v8:11954
Change-Id: Ia8d2d7a8e1e12d375605f15d1393dd64f426607d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3024160Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/master@{#75782}

This reverts commit 09b06657.

Reason for revert: Failures in TSan future: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20no-concurrent-marking/4731/overview

Original change's description:
> [Turboprop] Turboprop is the future.
>
> Enable --turboprop in the --future config.
>
> BUG=v8:9684
>
> Change-Id: I405832c2ef0e1b80200a8b8090d7672461cd9e00
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035762
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Mythri Alle <mythria@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75779}

Bug: v8:9684
Change-Id: I4ae2a51174565b3e773f4b5cb0f0cb652ca20111
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035776
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75781}

This prepares the trap handler to support being used from simulators.
Modifications to the arm64 simulator will be done in a follow-up CL. For
now, the trap handler will be registered but not used in Wasm (we emit
explicit bounds checks instead, as before).

The implementation uses inline assembly, so it is only available on x64
POSIX systems for now. This is the main platform we use for testing and
for fuzzing, so it should give us the test coverage we need. If needed,
inline assembly for other platforms can be added later.
The new code will be executed by the existing arm64 simulator bots, e.g.
"V8 Linux - arm64 - sim".

R=ahaas@chromium.org, mseaborn@chromium.org

Bug: v8:11955
Change-Id: Idc50291c704d9dea902ae0098e5309f19055816c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3011160
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75780}

Enable --turboprop in the --future config.

BUG=v8:9684

Change-Id: I405832c2ef0e1b80200a8b8090d7672461cd9e00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035762
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75779}

This reverts commit 6207d61f.

Reason for revert: Incorrect implementation of the flag-not-on case.

Original change's description:
> [rab/gsab] Update to the new spec
>
> - Remove ResizableArrayBuffer / GrowableSharedArrayBuffer constructors,
> use options bags
> - Add AB.prototype.resizable and SAB.prototype.growable
> - Update receiver checks in (S?)AB.prototype methods
>
> Bug: v8:11111
> Change-Id: I4f8cb71a4c8e07483a3ffad83d98129da162b839
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3021174
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Shu-yu Guo <syg@chromium.org>
> Commit-Queue: Marja Hölttä <marja@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75761}

Bug: v8:11111, chromium:1230129, chromium:1230408
No-Try: True
Tbr: mlippautz@chromium.org
Change-Id: I25aa10cb3dc20fdaeb45e6169fc01eec9a89f72c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038061Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75778}

An object got allocated as part of a parameter expression, which may
have caused GC issues.

Bug: chromium:1230041
Change-Id: I9a046fe36cd3b84e5df7b1400670b76e201ac026
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035765Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75777}

Bug: v8:7790
Change-Id: I763fcf7049b1b0157ebf2bd026674e2f2b05ae9c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008637
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75776}

Bug: v8:7790
Change-Id: If0ffe7f09f4370c646ab85f363578912cb863673
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008636
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75775}

Bug: v8:7790
Change-Id: Ic8bb9574c498ae3ce18d1ea29c943d0154d43280
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008635
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75774}

- msjunit/compiler/regress-1226988

Bug: v8:12002
Change-Id: I413bb54d64caf33db5493c69dff83a7ba09810ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035263Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/master@{#75773}

When run jalr and pc is contained in Builtin code range, sim will print "Call to builtin".
This cl reduces the print of "Call to builtin"  which only be printed when call builtin and return to builtin.

Change-Id: Ic84101e892ed661cf41ac4d8d83bfff1ef7b4d5f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3030382
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Commit-Queue: Ji Qiu <qiuji@iscas.ac.cn>
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/master@{#75772}

Rolling v8/buildtools/linux64: git_revision:6c6885302fd94f41b060013ea94eeb0d886124e2..git_revision:b2d77ab1373192d1532af94b68fb8bab727b0e5b

Rolling v8/third_party/aemu-linux-x64: Gw2KXJAmd7MQfsDtWMYLLl6hvactBx7vjZgGKtL4bv8C..eghzU3LI6jsGYPkSzAoCDHeiVyaydZjwxB5kjkPImaMC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/1ef8e41..5cb3053

TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I41801db1c9579bca61034035a136abce2b3374b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3036106Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75771}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/c0b24c3..fd86d60

Rolling v8/buildtools: https://chromium.googlesource.com/chromium/src/buildtools/+log/2500c1d..37dc929

Rolling v8/buildtools/linux64: git_revision:24e2f7df92641de0351a96096fb2c490b2436bb8..git_revision:6c6885302fd94f41b060013ea94eeb0d886124e2

Rolling v8/buildtools/third_party/libc++abi/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxabi/+log/486cb62..7d5c92f

Rolling v8/buildtools/third_party/libunwind/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libunwind/+log/70006b7..d7b11d7

Rolling v8/third_party/aemu-linux-x64: ez3lWv5ncjyheCkRQs_v1WGTCLoiJvIecfY-dKKkXcUC..Gw2KXJAmd7MQfsDtWMYLLl6hvactBx7vjZgGKtL4bv8C

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/88e3e03..1ef8e41

Rolling v8/tools/luci-go: git_revision:91a04914ac71b7b6fe7b95ce8691d45eeb69bf4f..git_revision:d10ff2af1182ccaad573bc5acb84a36f4c280876

Rolling v8/tools/luci-go: git_revision:91a04914ac71b7b6fe7b95ce8691d45eeb69bf4f..git_revision:d10ff2af1182ccaad573bc5acb84a36f4c280876

Rolling v8/tools/luci-go: git_revision:91a04914ac71b7b6fe7b95ce8691d45eeb69bf4f..git_revision:d10ff2af1182ccaad573bc5acb84a36f4c280876

TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: Ie42d026cfb4113995d99ee9678451e4ea4fa4360
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3036603Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75770}

Change-Id: Ib8acd67b66f54dad8f6653c83aff2369f4d3a482
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3036541Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#75769}

Shared ops between TurboFan and Liftoff are moved into
the macro-assembler.

Change-Id: I03cd3af10074b6b4666a7d2a13e652629576f76f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035764Reviewed-by: Junliang Yan <junyan@redhat.com>
Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#75768}

Turbolizer can fail to open traces that contain 'StoreLine' nodes.
There is a problem in operator<<(std::ostream& os, StoreLaneParameters
params) that prints StoreLaneParameters.laneidx as a char and not as
an integer, and this can cause the insertion of string terminators in
the trace json file.
This CL fixes the issue.

Change-Id: Icf7700660cca2b4068f61dafa0c8f485b1aa497a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035362
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75767}

Avoid callers operating on raw top/limit where possible and provide
verification of the main invariant.

This is actually related to the refactoring suggest in v8:11958 in
that it cleans up the call sites a bit but doesn't go further than
that.

Bug: v8:11958
Change-Id: I35de29a5cd505b375408fc7c5399f637f3e9c755
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3034741
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75766}

This CL addresses two problems:
- the previous implementation of the large-function TF bailout
  didn't work for streaming compilation, because it tried to look
  at the size of wire bytes that weren't yet available. Moving the
  logic so it gets executed later ensures that the function size
  is available.
- module serialization currently requires all functions to be
  compiled with Turbofan, so the hard limit breaks serialization for
  modules containing such huge functions. This CL enables the limit
  only for --experimental-wasm-gc, so that non-experimental modules
  continue to be serializable as they always have been. In the
  future, we will avoid this limitation by making serialization more
  flexible.

Fixed: v8:11991
Change-Id: Ibcee6fafec00fb83c2b99ae906836e8598142529
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035095Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75765}

Slightly lowers the interrupt budget for Turboprop and increases the
interrupt budget scaling factor for TurboFan. This gives the best
balance between benchmark performance and reducing optimization
overhead.

BUG=v8:9684

Change-Id: I6d555fb27d089bc8a6849612a4e02b2155020d85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3026713
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75764}

This CL fixes the behaviour of String.prototype.startsWith when
undefined is passed as the search term. It also implements a small
shorthand when the search term is empty (according to the spec).

Bug: v8:11977
Change-Id: Iec2aa5f4301fcf444f20d5c1a80d3f634624d6f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035089
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75763}

Convert Low I32x4 (S/U) to FP is changed to use
`Round to nearest with ties to even` which is used by ConvertI32x4
as well as the scalar variant ConvertIntToFloat.

Change-Id: Idcb235bdf7fcd43304af785713a4988986db3544
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3032262Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#75762}

- Remove ResizableArrayBuffer / GrowableSharedArrayBuffer constructors,
use options bags
- Add AB.prototype.resizable and SAB.prototype.growable
- Update receiver checks in (S?)AB.prototype methods

Bug: v8:11111
Change-Id: I4f8cb71a4c8e07483a3ffad83d98129da162b839
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3021174Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75761}

Change-Id: Ifdfdddb0b36cfefc25ba11d8884b30fcda04a494
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3032264Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#75760}

So far this kind was used only when concurrent inlining was enabled.
With this CL we always use it (for the corresponding objects).

This change has probably little effect but is one step towards the
"final" configuration.

Bug: v8:7790
Change-Id: Id56908382b2cd57e2f85246c814fb58aaea6b3c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3030712
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75759}

This reverts commit 84d5b027.

Reason for revert: Breaks UBSan - https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan/17349/overview

Original change's description:
> [fastcall] Implement support for TypedArray arguments
>
> This CL adds TypedArrays as supported arguments for fast API calls.
> It implements "exact type" matching, i.e. if Float32Array is expected
> and e.g. Int32Array is passed instead, the generated code bails to the
> slow callback.
>
> Bug: chromium:1052746, chromium:1018624
> Change-Id: I01d4e681d2b367cbb57b06effcb591c090a23295
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2999094
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75756}

Bug: chromium:1052746, chromium:1018624
Change-Id: I998afe766330f90efc878faa0e9546e709ddc4be
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035088
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75758}

Use the map for both objects with 0 requested properties and the number
of inobject properties it has (4 currently) to share maptrees.

Change-Id: Ie4859d44bed39effff864d54e7d416b13898c7d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035081
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75757}

This CL adds TypedArrays as supported arguments for fast API calls.
It implements "exact type" matching, i.e. if Float32Array is expected
and e.g. Int32Array is passed instead, the generated code bails to the
slow callback.

Bug: chromium:1052746, chromium:1018624
Change-Id: I01d4e681d2b367cbb57b06effcb591c090a23295
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2999094
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75756}

When the FFT multiplication algorithm invokes itself for the
recursive steps, the input is "mod Fn"-normalized, i.e. it is
at most of the shape (1 << N), but we only read N bits of it,
so in the rare case where it was exactly 1 << N, that lone top
bit was ignored, leading to an incorrect result of the overall
multiplication.

Fixed: chromium:1228267
Change-Id: I7b245fc3701696d95e5d75fb970f02d72ce40ff8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3032081Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75755}

Change-Id: Id843b276e59baeaf700f92e6bf71e20edcb0dd9d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3031581Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#75754}

vlr is placed in the middle since second input
could be the same as dst register and this avoids overwriting it.

Change-Id: Ifb6c2157d4bc5c3d83fda118b53b4f960291436a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3027226Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#75753}

Just like many other operations implemented in elements.cc, copyWithin
also needs to use relaxed atomics if operating on a shared array buffer
to avoid races with other threads.
Since the ranges can overlap, this CL also adds a {Relaxed_Memmove}
function that either copies forwards (like {Relaxed_Memcpy}) or
backwards depending on the ordering of source and destination.

R=leszeks@chromium.org

Bug: chromium:1221035
Change-Id: I76b7e43810ac9b85f4ff9abbc5a0406618771c25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3032084Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75752}

This fixes 2 cluster fuzz bugs.

Bug: chromium:1229885, chromium:1229813
Change-Id: Icc2738d7fac35f36f50bd2e723ac8ab4add40068
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3034742
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75751}

Change-Id: Ide2aca9e7cbcd204a5668e59aa902bd2de363799
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3033842
Auto-Submit: Liu yu <liuyu@loongson.cn>
Reviewed-by: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#75750}