Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/c986429..bcbed09

Rolling v8/buildtools: https://chromium.googlesource.com/chromium/src/buildtools/+log/7b7a5c0..67b293c

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/42a883d..5075be9

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/f4e0cc6..0a0fbf1

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/558ca3e..3e2c753

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: Ia20af6ec0c7b23b4361c33dd4c5a820be023ee10
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709307Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#62838}

The bytes was accidentally mixed up when disasm for pand got added in
https://crrev.com/c/907489.

Change-Id: If5595f00356c20c5c9d9e9a0fb43f7ea853b2941
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710329
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62837}

Bug: v8:9523
Change-Id: Ib9d6772d2025b0452ddcd777cc777276f9038e97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710960Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62836}

All the whitespace checks need to be disabled because we use 2-space
indentation.

One day this could become part of a presubmit but for now its useful
simply to be able to run the flake8 tools directly on a file in the v8
repo.

Change-Id: I9d7ede102aaa17a7c6e7bf29887565ea2deeb887
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1697055Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Sam Clegg <sbc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62835}

1. Sync with
https://github.com/tc39/proposal-unified-intl-numberformat/pull/57
so the formatting of {style: "unit" unit: "percent"} and
the formatting of {style: "percent:"} are treated different that
simplified the algorithm.
2. Store style into bit flags because we need it quickly during format.
3. Add more unit tests and regression test.

Bug: v8:9498
Change-Id: I75ed22fef1feb73ebf624bda70ebe45b80e7bc8b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1704948Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62834}

Fix CheckBaselineExpectations returning 2 when it can't read its input
file. Since this was originally just in main, convert it to std::exit.

Change-Id: I70ae6fbc6e5e12b748d2ab1cc83b1deb67a8f861
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710659
Auto-Submit: Dan Elphick <delphick@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62833}

In InterpreterCollectSourcePositions tests always unset
FLAG_stress_lazy_source_positions as the tests cannot work with it due
to assuming that source positions won't be collected immediately after a
normal compile.

Bug: v8:8510
Change-Id: I194ed06c59336f5af3b7b2113a12c1a21dd6bcac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709425
Commit-Queue: Dan Elphick <delphick@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62832}

Bug: chromium:677883
Change-Id: Id28310da0eb8762f30927397c9eaa942ac74852a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709417Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62831}

Adds a new out param which allows accessing the ScriptOrModule
of a function, which allows an embedder such as Node.js to use
the function's i::Script lifetime.

Refs: https://github.com/nodejs/node-v8/issues/111
Change-Id: I34346d94d76e8f9b8377c97d948673f4b95eb9d5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1699698Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62830}

This is a reland of e55e0aa5

Original change's description:
> [runtime] Fix protector invalidation
>
> Protectors trigger when special properties are modified or masked. Previously
> we would check whether the property stored on the holder would invalidate the
> protector. Stores to to the receiver rather than the holder, however, so this
> CL changes holder for receiver, and adds additional checks that were missing.
>
> Bug: v8:9466
> Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62805}

Tbr: leszeks@chromium.org
Bug: v8:9466
Change-Id: I693c73577ca9a35a271f509770cc1c87e5cc4b73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709420
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62829}

Those helped investigating a surprisingly long delay in wasm code
caching.

R=titzer@chromium.org
CC=bbudge@chromium.org

Change-Id: Id5491b9cb8824f337c20f66d5ab26f94d1a53562
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709418Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62828}

Adds global allocation limit to the general overshoot safety net for triggering
GC. Adds a check to the interrupt that is triggered by the embedder to catch
cases where there's no on-heap allocation.

Bug: chromium:985641, chromium:948807
Change-Id: I3bc0c30f9344b57096db7ebbd8ad8c76808548ba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709414Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62827}

This makes sure the language mode of the module is correctly propagated
through the WebAssembly module, so that exported functions are allocated
with the correct language mode. It extends the existing {ModuleOrigin}
enum to consist of three values now.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-985154
BUG=chromium:985154

Change-Id: Id7b566738b1e710cc5001b894022bcd0f2c01bc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708484
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62826}

Add a new mode to generate-bytecode-expectations to be used in a coming
test that tests that the bytecode expectations generated by
--rebaseline match the current state.

Change-Id: Ic03787cd853f9bf7d9b4412f96a767036c848c61
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708477
Auto-Submit: Dan Elphick <delphick@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62825}

This reverts commit c2ee4a79.

Reason for revert: webgl_conformance_tests deqp/data/gles2/shaders/conversions.html crashes on Android FYI Release (Nexus 9)
See https://bugs.chromium.org/p/chromium/issues/detail?id=985624

Original change's description:
> Reland "[regexp] Call the regexp interpreter without CEntry overhead"
>
> This is a reland of d4d28b73
>
> Original change's description:
> > [regexp] Call the regexp interpreter without CEntry overhead
> >
> > Previously all RegExp calls went through Runtime_RegExpExec when --regexp-interpret-all was set.
> >
> > This CL avoids the runtime overhead by calling into the interpreter directly from the RegExpExec Builtin when the regular expression subject was already compiled to ByteCode (i.e. after the first call).
> >
> > Bug: v8:8954
> > Change-Id: Iae9dfcef3370b772a05b2942305335d592f6f15a
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1698391
> > Commit-Queue: Patrick Thier <pthier@google.com>
> > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#62753}
>
> Bug: v8:8954
> Change-Id: I1f0b6de9c6da65bcb582ddb41a37419116a5c510
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706053
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Patrick Thier <pthier@google.com>
> Cr-Commit-Position: refs/heads/master@{#62794}

TBR=jgruber@chromium.org,petermarshall@chromium.org,pthier@google.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:8954, chromium:985624
Change-Id: I5bc2c397a09979f42f28670f80a5366f2a33d80f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709411
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62824}

Fix a cctest/test-bytecode-generator/PrivateMethods mismatch between the
PrivateMethods source string and the snippet in the golden file due to
missing newline at the end of the string. Change C++ raw string back to
a normal string since in this case it makes it harder to see the
problem.

Change-Id: I3bea8873d37fbacac65548be8261f6b04104132f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709413
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62823}

This was introduced in https://crrev.com/c/1703762.

R=titzer@chromium.org
CC=zhin@chromium.org

Change-Id: I3f13ab1ea1e87a2615883aa441581c62166f3587
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709412Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62822}

This adds decoding and compilation of the "atomic.fence" operator, which
is intended to preserve the synchronization guarantees of higher-level
languages.

Unlike other atomic operators, it does not target a particular linear
memory. It may occur in modules which declare no memory, or a non-shared
memory, without causing a validation error.

See proposal: https://github.com/WebAssembly/threads/pull/141
See discussion: https://github.com/WebAssembly/threads/issues/140

R=clemensh@chromium.org
TEST=cctest/test-run-wasm-atomics/RunWasmXXX_AtomicFence
BUG=v8:9452

Change-Id: Ibf7e46227f7edfe5c81c097cfc15924c59614067
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1701856
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62821}

Every time we clang-format this list, one more element gets stripped
off into its own line. Fix this by disabling clang-format for this
chunk (we did the same for the chunk below).

R=mstarzinger@chromium.org

Change-Id: I49efdccc78eb4186cdb15513600594d539082fd0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708478Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62820}

Sync with https://github.com/tc39/proposal-unified-intl-numberformat/pull/54

Bug: v8:9483
Change-Id: I2aec5a78be235bddd4faa568665b73b9b84d7c93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1700426Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62819}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/fb75973..c986429

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/f8c5b19..42a883d

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/9217ff8..f4e0cc6

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/29ddc91..558ca3e

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: I6e01c52d33ed9745dcfc170d829fa31545368ec1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709112Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#62818}

Bug: v8:8460
Change-Id: I3e649e1398be429b8aff5b57316e320f9ca5ae8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1703763
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62817}

Bug: v8:8460
Change-Id: Ica8329efa9be5944037e205f371d2bc34b882e0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1703762Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62816}

Bug: v8:8460
Change-Id: I132f7332d3dda572b72404ca20297c4defb5c62b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708450Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62815}

R=binji@chromium.org

Change-Id: I01721c708b1e40cdef4bd48a1f9ca68b31c8f49d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708470Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62814}

Reflect.deleteProperty now is a Torque builtins, also containing fast
path for proxy object.

Bug: v8:6664
Change-Id: I76d6fba2c9d05d991132957783d987a190585ec8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1704943
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62813}

This fixes the debug code which checks that API callbacks
return only valid JS values: BigInt was missing from the list
of allowable types.

Bug: chromium:985115
Change-Id: I8b3db409bd99e9e9b936d520d0fdbe75654e7602
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706623Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62812}

This reverts commit bc33f5ae.

Reason for revert: Still failing (OOM on win32): https://ci.chromium.org/p/v8/builders/ci/V8%20Win32/22210

Original change's description:
> Reland "[arraybuffer] Rearchitect backing store ownership"
> 
> This is a reland of 31cd5d83
> 
> Original change's description:
> > [arraybuffer] Rearchitect backing store ownership
> > 
> > This CL completely rearchitects the ownership of array buffer backing stores,
> > consolidating ownership into a {BackingStore} C++ object that is tracked
> > throughout V8 using unique_ptr and shared_ptr where appropriate.
> > 
> > Overall, lifetime management is simpler and more explicit. The numerous
> > ways that array buffers were initialized have been streamlined to one
> > Attach() method on JSArrayBuffer. The array buffer tracker in the
> > GC implementation now manages std::shared_ptr<BackingStore> pointers,
> > and the construction and destruction of the BackingStore object itself
> > handles the underlying page or embedder-allocated memory.
> > 
> > The embedder API remains unchanged for now. We use the
> > v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> > keep the backing store alive properly, even in the case of aliases
> > from live heap objects. Thus the embedder has a lower chance of making
> > a mistake. Long-term, we should move the embedder to a model where they
> > manage backing stores using shared_ptr to an opaque backing store object.
> > 
> > R=mlippautz@chromium.org
> > BUG=v8:9380,v8:9221
> > 
> > Change-Id: I48fae5ac85dcf6172a83f252439e77e7c1a16ccd
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584323
> > Commit-Queue: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Reviewed-by: Yang Guo <yangguo@chromium.org>
> > Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#62572}
> 
> Bug: v8:9380, v8:9221
> Change-Id: If3f72967a8ebeb067c0edcfc16ed631e36829dbc
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691906
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62809}

TBR=ulan@chromium.org,yangguo@chromium.org,mstarzinger@chromium.org,titzer@chromium.org,gdeepti@chromium.org,mlippautz@chromium.org

Change-Id: Iea755df9aaa1e95d284135bd0a6681b1340b6832
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9380, v8:9221
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708487Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62811}

Previously both tracing implementations would be run side-by-side when
perfetto was enabled with the V8_USE_PERFETTO build flag. This CL
makes them run separately.

Both implementations now use the trace file provided by the user in D8
or the default v8_trace.json.

Add tests for perfetto events (which must be tested differently
due to the proto output format).

Drive-by fix: Fix pass-by non-const ref in GetJSONStrings.

Remove the TraceEvent struct for testing; we can just store a copy of
the protobuf directly.

Bug: v8:8339
Change-Id: Id50003e0f96e44b99a63a26693da6bdaca989504
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1702619Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62810}

This is a reland of 31cd5d83

Original change's description:
> [arraybuffer] Rearchitect backing store ownership
> 
> This CL completely rearchitects the ownership of array buffer backing stores,
> consolidating ownership into a {BackingStore} C++ object that is tracked
> throughout V8 using unique_ptr and shared_ptr where appropriate.
> 
> Overall, lifetime management is simpler and more explicit. The numerous
> ways that array buffers were initialized have been streamlined to one
> Attach() method on JSArrayBuffer. The array buffer tracker in the
> GC implementation now manages std::shared_ptr<BackingStore> pointers,
> and the construction and destruction of the BackingStore object itself
> handles the underlying page or embedder-allocated memory.
> 
> The embedder API remains unchanged for now. We use the
> v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> keep the backing store alive properly, even in the case of aliases
> from live heap objects. Thus the embedder has a lower chance of making
> a mistake. Long-term, we should move the embedder to a model where they
> manage backing stores using shared_ptr to an opaque backing store object.
> 
> R=mlippautz@chromium.org
> BUG=v8:9380,v8:9221
> 
> Change-Id: I48fae5ac85dcf6172a83f252439e77e7c1a16ccd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584323
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62572}

Bug: v8:9380, v8:9221
Change-Id: If3f72967a8ebeb067c0edcfc16ed631e36829dbc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691906
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62809}

{Assembler::Nop} currently fails if {n} is bigger than {kGap} (the
destructor of {EnsureSpace} checks that not more than {kGap} bytes have
been emitted).
This CL fixes this by repeatedly using {EnsureSpace}, and also
optimizes the implementation of {Assembler::Nop} a bit.
It also removes stray cases for 10 and 11 nop bytes which have been
added in https://crrev.com/8773039 without further comment, and are not
documented in the Intel manual.

R=mstarzinger@chromium.org

Bug: v8:9477
Change-Id: I07bbe311d2daa75dc27b91a0ccb503427c52841f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708476
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62808}

This reverts commit e55e0aa5.

Reason for revert: speculative revert for tsan breakage
https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8907588363297935904/+/steps/Check__flakes_/0/logs/regress-437713/0

Original change's description:
> [runtime] Fix protector invalidation
> 
> Protectors trigger when special properties are modified or masked. Previously
> we would check whether the property stored on the holder would invalidate the
> protector. Stores to to the receiver rather than the holder, however, so this
> CL changes holder for receiver, and adds additional checks that were missing.
> 
> Bug: v8:9466
> Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62805}

TBR=leszeks@chromium.org,verwaest@chromium.org

Change-Id: Id8fc36525b7c5631589a67073ad1fd5815ea2775
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9466
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708482Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62807}

R=gsathya@chromium.org

Change-Id: I892b96d5749066df476ace705f45a801a795c0a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706060
Auto-Submit: Yang Guo <yangguo@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62806}

Protectors trigger when special properties are modified or masked. Previously
we would check whether the property stored on the holder would invalidate the
protector. Stores to to the receiver rather than the holder, however, so this
CL changes holder for receiver, and adds additional checks that were missing.

Bug: v8:9466
Change-Id: I81bc3d73f91381da0d254e9eb79365ae2d25d998
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708468
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62805}

The destructor of the {WasmGCForegroundTask} can be called immediately
when scheduling that task (if the platform determines that the task can
never execute anyway). In that case, we deregister the task from the
wasm engine so we do not access it later (which would be UAF). This
deregistration leads to recursively taking a mutex now.
The only later access to the task happens to cancel the task. For this
purpose, we can also use the {CancelableTaskManager} of the isolate,
and avoid all code in the destructor. This should fix the reentrant
mutex, which leads to a DCHECK failure in debug builds and deadlock
in release builds.

R=mstarzinger@chromium.org

Bug: chromium:984970, v8:8217
Change-Id: I14f05a21ea961ecc391dc59af3b5eebf31e0f873
Cq-Include-Trybots: luci.v8.try:v8_linux_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1706480Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62804}

With a write barrier, stores with negative offsets would allocate a temporary
register to hold the offset when the `str` instruction is able to encode it.

For instance, when writing the object map:

```
;; This could be 'str x2, [x5, #-1]'
movn x4, #0x0
str x2, [x5, x4]
and x16, x5, #0xfffffffffffc0000
ldr x16, [x16, #8]
tbnz w16, #2, #+0xba8  ; Jump out-of-line
```

The reason behind this is that the out-of-line code uses an 'add' instruction on
the offset to compute the field address, putting pressure on the instruction
selector to make sure the immediate fits in both 'str' and 'add'.

But, this is not necessary since the macro-assembler is able to turn the 'add'
into a 'sub' or use a temporary register if needed.

Change-Id: I8838e4b81a0c0c1f90aa3d67861a9da1a6dfed06
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708471Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#62803}

This test fails in --stress-opt mode because backing stores of
memories/arraybuffers that are postMessage()'d leak in d8. In normal
mode, only ~16 memories are allocated, which is not enough to OOM,
but in stress mode, it can be 5x that number. Should be fixed
by upcoming ownership changes.

BUG=v8:9380
R=clemensh@chromium.org

Change-Id: Iecec07d15339cf43b23f128f13d570dfe3b32130
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708475Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62802}

The multiplier should depend on the kTaggedSize.

Bug: v8:7703
Change-Id: I3a13e51d06c31b70f6191b23b1913e7bc35cdb8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708473
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62801}

If we flush the bytecode from a SFI we might recompile a JSFunction while the function
still has its old feedback vector. This should usually be fine since the new and old
feedback vectors have the same layout, however some bugs in the parser mean that it's
possible for eagerly and lazily compiled eval functions to have different bytecode and
so potentially different feedback vector layouts.

For now reset the feedback vector if it doesn't have the same size when we compile the
JSFunction, and recreate a new one of the correct layout. This will be replaced with a
CHECK once the parser bugs are fixed.

BUG=chromium:984344,v8:9511

Change-Id: Ib8976f2541516f7a07e4d4ab7dc3c750dfe9b5d4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708474
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62800}

This is a reland of 6805395d, after
resolving another issue.

Original change's description:
> Revert "Temporarily remove --concurrent-inlining from --future"
>
> This reverts commit 060b9ec4, as the
> issue has been resolved.
>
> Bug: v8:7790
> Change-Id: Id8a56ad50a508eacd191f2777cc5afc0b838364f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1700078
> Commit-Queue: Georg Neis <neis@chromium.org>
> Commit-Queue: Michael Stanton <mvstanton@chromium.org>
> Reviewed-by: Michael Stanton <mvstanton@chromium.org>
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Auto-Submit: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#62713}

TBR=neis@chromium.org

Bug: v8:7790
Change-Id: Ibc5991787982197d08942eb067c83001d91050ec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708472Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62799}