The test fails because of the race condition between concurrent GC
threads and the destructor of the test.

Bug: v8:11413
Change-Id: I5a138a61c16ddf2398e7c54defe6cc4008ca3330
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2839552Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74065}

This is a reland of 6124a534

It fixes a UAF issue in the d8 test by moving the test API object
constructor to PerIsolateData. It also fixes a crash in Chromium
caused by current usage of v8::ApiObject, which should be migrated
to v8::Value*.

Original change's description:
> [fastcall] Add support for leaf interface type checks
>
> This CL adds an IsTemplateForApiObject method to FunctionTemplate
> allowing the embedder to check whether a given API object was
> instantiated by this template without including parent templates
> in the search. It also replaces the v8::ApiObject in the fast API
> with a raw v8::Value pointer to allow use of standard C++ casts.
>
> Bug: chromium:1052746
> Change-Id: I0812ec8b4daaa5f5005aabf10b63e1e84e0b8f03
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595310
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73999}

Bug: chromium:1052746, chromium:1199900
Change-Id: I4b7f0c9e9152919dde4a1d0c48fbf5ac8c5b13d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2835711Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74064}

This is a reland of df52b65d

Skip test with variant stress-concurrent-allocation.
The test manually triggers pretenuring for allocation sites, but with
--stress-concurrent-allocation these pretenuring decisions are reset
due to low survival rate in old generation.

Original change's description:
> [test] Rework Allocation Site Pretenruing Tests
>
> - Add %PretenureAllocationSite to manually force pretenuring for an
> allocation site during the next GC.
> - Replace cctest test-compiler/DecideToPretenureDuringCompilation, which
> was not triggering the tested behaviour anymore with mjsunit test
> - Add tests for deoptimizations due to pretenuring decision changes
> during OSR.
>
> Bug: chromium:1193094
> Change-Id: I5d6c35e2914b705bf96f27051a4a286413b6fe26
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825593
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74032}

Bug: chromium:1193094
Change-Id: I366a4a074435ebffcf2b3af84152067731cd2a5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2839550Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74062}

This reverts commit f2741b13.

Reason for revert: breaks blink linux bot https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Blink%20Linux%20Debug/9089/blamelist

Original change's description:
> Resolving or rejecting promises doesn't execute script
>
> It just enqueues a microtask.
>
> Bug: chromium:728583
> Change-Id: Iecbc6f33db8a94acd10d9ae1f2173700d872ac50
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827906
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Commit-Queue: Jochen Eisinger <jochen@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74036}

Bug: chromium:728583
Change-Id: I09a750b9c5cf43adedb395949e246421eeaf0a09
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2839547
Auto-Submit: Sathya Gunasekaran  <gsathya@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74059}

This is a reland of c83c9590

Changes since revert: nothing, issue was crbug.com/v8/11666

Original change's description:
> [ic] Add a new MegaDOM IC
>
> This patch implements the MegaDOM IC setup and access. A new MegaDOM
> IC state indicates that we've seen only DOM accessors at this access
> site.
>
> This CL only adds support for DOM getters in LoadIC, other kinds of
> access will be added in follow on CLs.
>
> Still remaining TODO before shipping:
> 1. Have a mechanism to invalidate the protector
> 2. Have a mechanism to find the accessors that aren't overloaded
> 3. Use a new builtin to miss to runtime on access check failure
>
> Change-Id: Ie12efe5e9fa284f023043b996d61e7d74e710ee2
> Bug: v8:11321
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2618239
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Reviewed-by: Mythri Alle <mythria@chromium.org>
> Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73733}

Bug: v8:11321
Change-Id: I2bec54465542b5b40c42adb6eb12b6ce72cce5bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794439Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74056}

- Add v8_code_comments to allow runtime-enabled code comments with
  --code-comments
- v8_code_comments is enable by default in debug mode
- Make MacroAssembler::RecordComment helper inlineable to remove
  call and check overheads when v8_code_comments = false
- Make FLAG_code_comments readonly if v8_code_comments = false and
  benefit from dead-code elimination

This saves roughly 5% CompileBaselineVisit time in sparkplug
on a 5MiB JS file.

Bug: v8:11420
Change-Id: I1174ab37b4bbe1ff8880416c1f6a6e28377a962c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824428Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74055}

Tbr: gsathya@chromium.org
Bug: v8:11668,v8:11649,v8:11576
Change-Id: I8bd0cb97d7682a8d752c5b78af6dfccd426be1d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2839543Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74054}

Bug: v8:11542
Change-Id: Ib2f369cbbd91f3da07bd8f60476321ec99265872
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2836825
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74053}

Bug: v8:11613
Change-Id: Ica7fe5ca63fa3729614eb09ace26e679a88577ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826728
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74051}

The plan is to use VirtualMemoryCage both for the pointer compression
cage as well as the code range in a future CL. The PtrComprCage class is
removed in favor of using VirtualMemoryCage directly.

Bug: v8:11460
Change-Id: I4e34a3db1359319e3539ede587f6a73e0af03eec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2824098
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74048}

The --wasm-write-protect-code-memory flag previously enforced W^X, that
is the WebAssembly code space was either writable or executable, but
never both at the same time. With compilation in background threads
concurrent to execution in the main thread, this simple scheme is no
longer viable because the same memory page can indeed be written to and
executed at the same time. Hence, this flag is currently broken and
disabled and the code space is always writable AND executable.

As a first step towards more security, we at least want to
write-protect the code space (when not required writable by compilation
threads) but at the same time keep it always executable (because of
concurrent execution in the main thread). That is, we no longer switch
between RX and RW (W^X), but rather between RX and RWX
(write-protection only).

This CL starts to change from W^X (which was broken) to
write-protection only when enabling --wasm-write-protect-code-memory.
This is the first of two CLs, where the followup CL will fix the
feature, and this CL merely prepares and cleans up the code. In
particular, this CL changes the permissions from RW to RWX (due to
concurrent execution) and renames `WasmCodeAllocator::SetExecutable()`
to `WasmCodeAllocator::SetWritable()` (and similarly named callers) to
be consistent with that change. Since the code space is now always
executable, this CL also removes now unneeded calls to
`SetExecutable(true)` in tests.

R=clemensb@chromium.org
CC=​​jkummerow@chromium.org

Bug: v8:11663
Change-Id: I2065eed6770215892b81daefbddf74a349e783cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2835237Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Daniel Lehmann <dlehmann@google.com>
Cr-Commit-Position: refs/heads/master@{#74041}

This reverts commit df52b65d.

Reason for revert: fails on TSan: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN/36351/overview

Original change's description:
> [test] Rework Allocation Site Pretenruing Tests
>
> - Add %PretenureAllocationSite to manually force pretenuring for an
> allocation site during the next GC.
> - Replace cctest test-compiler/DecideToPretenureDuringCompilation, which
> was not triggering the tested behaviour anymore with mjsunit test
> - Add tests for deoptimizations due to pretenuring decision changes
> during OSR.
>
> Bug: chromium:1193094
> Change-Id: I5d6c35e2914b705bf96f27051a4a286413b6fe26
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825593
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Reviewed-by: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74032}

Bug: chromium:1193094
Change-Id: I0cd526984d467c4e1e3637ac642f630e3cffea41
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2835715
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74039}

It just enqueues a microtask.

Bug: chromium:728583
Change-Id: Iecbc6f33db8a94acd10d9ae1f2173700d872ac50
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827906Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74036}

Bug: v8:11666
Change-Id: I7ccb1a888d16202895aa6288b141d3e41b524572
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2835708
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74035}

- Add %PretenureAllocationSite to manually force pretenuring for an
allocation site during the next GC.
- Replace cctest test-compiler/DecideToPretenureDuringCompilation, which
was not triggering the tested behaviour anymore with mjsunit test
- Add tests for deoptimizations due to pretenuring decision changes
during OSR.

Bug: chromium:1193094
Change-Id: I5d6c35e2914b705bf96f27051a4a286413b6fe26
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2825593
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74032}

This test attempted to call mprotect to switch memory permissions,
which returns an error on MacOS on arm64. The workaround is simple:
don't call mprotect, rely on MacOS-specific permission switching.

See also https://chromium-review.googlesource.com/c/v8/v8/+/2679688
for a related fix in non-test code.

Drive-by: fix host arch detection in gm.py when building on M1 Macs.

Bug: v8:11657
Change-Id: I9b59ee8f2279e28f7561ac071df27508211741f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831877Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74030}

This is a reland of dcd91455

This CL fixes two more tests that were uncovered by the
non-concurrent marking bot.

Original change's description:
> [heap] Do not scan main thread handles when starting marking
>
> We do not need to scan main thread handles when starting incremental
> marking. This reduces the time to start incremental marking.
>
> Bug: v8:11645
> Change-Id: Ib99a13e7875f50fbfe5346ac0e186d8960ea1337
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826124
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73994}

Bug: v8:11645
Change-Id: Id5b9dd0dcec08b6888a885b4f02783f674af90fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831879Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74029}

Bug: chromium:1198188
Change-Id: Iaf2cdd85124295d842ff6bb139ab0d85371c08ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2833920Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74028}

Should be unskipped once the linked issue is fixed.

Tbr: mvstanton@chromium.org
Bug: v8:11649
Change-Id: I9916c6f044a9c66d9a55d7783a619b2830a776ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2833916Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74023}

The mechanisms don't interact well. NodeObserver assumes synchronous
compilation that finishes within the ObserverNodeScope. One could
ensure all relevant lifetimes (of the NodeObserver itself, and all
captured pointers) exceed that of all spawned jobs, but simply
disabling the additional concurrent job in these cases is a
pragmatic fix for now.

Bug: v8:11658
Change-Id: I41b2f96f0166b661cf0cca94ef809ca99475e420
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2833915
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74022}

This reverts commit d16eefe0.

It is not correct to check for node equality during the graph
construction phase, because we can have optimizations that will combine
same nodes. So it can happen that in wasm-compiler, the inputs to
shuffle are not the same, so we canonicalize using that knowledge that
it will not be the same, and allow indices > 15. But later we can have
optimizations that combine the 2 inputs (e.g. splat of the same
constants), and the instruction selector will see that the input nodes
are the same.

Bug: v8:11542,chromium:1199662
Change-Id: I21c175f4707708038710147f64d687d1b14c6ecc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2829986
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74017}

This reverts commit 6124a534.

Reason for revert: On suspicion of blocking V8 roll: https://ci.chromium.org/ui/p/chromium/builders/try/win10_chromium_x64_rel_ng/839568/overview

Original change's description:
> [fastcall] Add support for leaf interface type checks
>
> This CL adds an IsTemplateForApiObject method to FunctionTemplate
> allowing the embedder to check whether a given API object was
> instantiated by this template without including parent templates
> in the search. It also replaces the v8::ApiObject in the fast API
> with a raw v8::Value pointer to allow use of standard C++ casts.
>
> Bug: chromium:1052746
> Change-Id: I0812ec8b4daaa5f5005aabf10b63e1e84e0b8f03
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595310
> Commit-Queue: Maya Lekova <mslekova@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73999}

Bug: chromium:1052746
Change-Id: Ic99ec616310f0f75800c3dad393b5d2d685b76ab
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2829988
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74016}

Bug: chromium:1198188
Change-Id: I7f4a9e67a435fcb4b564599c5dd27c386bef143b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831480
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74015}

When the enumerability flag is flipped we need to invalidate the
prototype info.

Bug: chromium:1163499
Change-Id: Iceeaa5fc47eebfe7d333c9eb594bf0763e6cef92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831871
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74013}

This is a reland of ae0752df

Reland fixes:

  * Remove UNREACHABLE() from constexpr switch, since we don't have a
    CONSTEXPR_UNREACHABLE() (it's ok, the switch is exhaustive for the
    enum anyway).
  * Fix IsRegisterArray trait to use public inheritance and size_t for
    std::array size.

Original change's description:
> [codegen] Add static interface descriptors
>
> Add a new CRTP StaticCallInterfaceDescriptor class, which provides
> static constexpr getters for a descriptor's registers, parameter counts,
> and so on. Each CallInterfaceDescriptor subclass is changed to extend
> StaticCallInterfaceDescriptor, with StaticCallInterfaceDescriptor itself
> extending CallInterfaceDescriptor to still provide a dynamic lookup
> where needed.
>
> StaticCallInterfaceDescriptor provides a couple of customisation points,
> where it reads its CRTP derived descriptor's static fields and
> functions, with default fallbacks where appropriate. With these
> customisation points, the definition of CallInterfaceDescriptor
> subclasses is simplified to:
>
>     a) Providing parameter names (as before)
>     b) Providing parameter types (as before)
>     c) Optionally setting flags (like kNoContext or kAllowVarArgs) as
>        static booleans on the class.
>     d) Optionally providing a `registers()` method that returns a
>        std::array<Register, N> of registers that may be used for
>        parameters (if not provided, this defaults to the implementation
>        specific default register set).
>
> Parameter registers (and register count) are automagically set based on
> the number of parameters and number of given registers, with extra magic
> to ignore no_reg registers (to reduce ia32 special casing). The
> CallInterfaceDescriptorData is initialized based on these static
> functions, rather than manual per-descriptor initializers.
>
> This allows us to skip loading descriptors dynamically for CallBuiltin
> in Sparkplug, and instead lets us use a bit of template magic to
> statically set up arguments for the calls. Any other users of statically
> known descriptors will also benefit, thanks to C++ picking the static
> methods over the dynamic methods on the base class when available.
>
> Because we can remove various virtual functions and trigger heavier
> inlining of constantly known values, binary size slightly decreases with
> this change.
>
> Note that torque-generated descriptors are changed to use the same magic,
> rather than having Torque-specific magic, for consistency.
>
> Bug: v8:11420
> Change-Id: Icc5e238b6313a08734feb564204a13226b450c22
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814518
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73996}

TBR=nicohartmann@chromium.org,clemensb@chromium.org,ishell@chromium.org,clemensb@chromium.org

Bug: v8:11420
Change-Id: Icd1f6cdb3c178e74460044b1e9623139929ceba8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831872Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74010}

This change slipped into https://crrev.com/c/2820970 and wasn't
intended. We actually need to rule out __proto__ here explicitly,
otherwise it starts showing up in previews for embedder objects
(i.e. for HTMLAllCollection, etc.).

Bug: chromium:1197019
Change-Id: Iadde73747c157c2b5b013b11a6b8a30cc4394a7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831481
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Philip Pfaffe <pfaffe@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74009}

Optimize FPUCanonicalizeNaN
Float Round reutrn qNan when input is Nan
FMaxMin return qNan with Nan inputs

Change-Id: I7568be3d27d030e49f292a956b3084b54bdf8577
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814725
Commit-Queue: Brice Dobry <brice.dobry@futurewei.com>
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74006}

The "num_exceptions" field of the control block must be updated before
entering the stack check, because it is used in
"GetCurrentDebugSideTable" to compute the correct indices for the debug
side table.

R=clemensb@chromium.org

Bug: chromium:1199526
Change-Id: I54f1e4244bf84d0a78b47a764fedc83b54758d01
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831483
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74003}

This reverts commit ae0752df.

Reason for revert: Predictably, constexpr issues on non-clang compilers.

Original change's description:
> [codegen] Add static interface descriptors
>
> Add a new CRTP StaticCallInterfaceDescriptor class, which provides
> static constexpr getters for a descriptor's registers, parameter counts,
> and so on. Each CallInterfaceDescriptor subclass is changed to extend
> StaticCallInterfaceDescriptor, with StaticCallInterfaceDescriptor itself
> extending CallInterfaceDescriptor to still provide a dynamic lookup
> where needed.
>
> StaticCallInterfaceDescriptor provides a couple of customisation points,
> where it reads its CRTP derived descriptor's static fields and
> functions, with default fallbacks where appropriate. With these
> customisation points, the definition of CallInterfaceDescriptor
> subclasses is simplified to:
>
>     a) Providing parameter names (as before)
>     b) Providing parameter types (as before)
>     c) Optionally setting flags (like kNoContext or kAllowVarArgs) as
>        static booleans on the class.
>     d) Optionally providing a `registers()` method that returns a
>        std::array<Register, N> of registers that may be used for
>        parameters (if not provided, this defaults to the implementation
>        specific default register set).
>
> Parameter registers (and register count) are automagically set based on
> the number of parameters and number of given registers, with extra magic
> to ignore no_reg registers (to reduce ia32 special casing). The
> CallInterfaceDescriptorData is initialized based on these static
> functions, rather than manual per-descriptor initializers.
>
> This allows us to skip loading descriptors dynamically for CallBuiltin
> in Sparkplug, and instead lets us use a bit of template magic to
> statically set up arguments for the calls. Any other users of statically
> known descriptors will also benefit, thanks to C++ picking the static
> methods over the dynamic methods on the base class when available.
>
> Because we can remove various virtual functions and trigger heavier
> inlining of constantly known values, binary size slightly decreases with
> this change.
>
> Note that torque-generated descriptors are changed to use the same magic,
> rather than having Torque-specific magic, for consistency.
>
> Bug: v8:11420
> Change-Id: Icc5e238b6313a08734feb564204a13226b450c22
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814518
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73996}

Bug: v8:11420
Change-Id: Ie5469c9253fc140590ac30b72db6eb1d93f86806
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831485
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#74000}

This CL adds an IsTemplateForApiObject method to FunctionTemplate
allowing the embedder to check whether a given API object was
instantiated by this template without including parent templates
in the search. It also replaces the v8::ApiObject in the fast API
with a raw v8::Value pointer to allow use of standard C++ casts.

Bug: chromium:1052746
Change-Id: I0812ec8b4daaa5f5005aabf10b63e1e84e0b8f03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2595310
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73999}

This reverts commit dcd91455.

Reason for revert: Breaks TSAN no-concurrent-marking - https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20no-concurrent-marking/3341/overview

Original change's description:
> [heap] Do not scan main thread handles when starting marking
>
> We do not need to scan main thread handles when starting incremental
> marking. This reduces the time to start incremental marking.
>
> Bug: v8:11645
> Change-Id: Ib99a13e7875f50fbfe5346ac0e186d8960ea1337
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826124
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73994}

Bug: v8:11645
Change-Id: I5e2325ef326b79b1807b52384cc5473d126ca6cb
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831482
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73997}

Add a new CRTP StaticCallInterfaceDescriptor class, which provides
static constexpr getters for a descriptor's registers, parameter counts,
and so on. Each CallInterfaceDescriptor subclass is changed to extend
StaticCallInterfaceDescriptor, with StaticCallInterfaceDescriptor itself
extending CallInterfaceDescriptor to still provide a dynamic lookup
where needed.

StaticCallInterfaceDescriptor provides a couple of customisation points,
where it reads its CRTP derived descriptor's static fields and
functions, with default fallbacks where appropriate. With these
customisation points, the definition of CallInterfaceDescriptor
subclasses is simplified to:

    a) Providing parameter names (as before)
    b) Providing parameter types (as before)
    c) Optionally setting flags (like kNoContext or kAllowVarArgs) as
       static booleans on the class.
    d) Optionally providing a `registers()` method that returns a
       std::array<Register, N> of registers that may be used for
       parameters (if not provided, this defaults to the implementation
       specific default register set).

Parameter registers (and register count) are automagically set based on
the number of parameters and number of given registers, with extra magic
to ignore no_reg registers (to reduce ia32 special casing). The
CallInterfaceDescriptorData is initialized based on these static
functions, rather than manual per-descriptor initializers.

This allows us to skip loading descriptors dynamically for CallBuiltin
in Sparkplug, and instead lets us use a bit of template magic to
statically set up arguments for the calls. Any other users of statically
known descriptors will also benefit, thanks to C++ picking the static
methods over the dynamic methods on the base class when available.

Because we can remove various virtual functions and trigger heavier
inlining of constantly known values, binary size slightly decreases with
this change.

Note that torque-generated descriptors are changed to use the same magic,
rather than having Torque-specific magic, for consistency.

Bug: v8:11420
Change-Id: Icc5e238b6313a08734feb564204a13226b450c22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814518
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73996}

We do not need to scan main thread handles when starting incremental
marking. This reduces the time to start incremental marking.

Bug: v8:11645
Change-Id: Ib99a13e7875f50fbfe5346ac0e186d8960ea1337
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826124Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73994}

- This is a reland of d435eaa5
- Fix vtunedomain

Original change's description:
> [api] Add v8::Isolate::ThrowError helper
>
> Add a ThrowError helper to encourage throwing full Error objects
> instead of just v8::Strings.
>
> Bug: v8:11195
> Change-Id: I15d75b1d39b817de3b9026a836b57a70d7c16a28
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2811738
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73958}

Bug: v8:11195
Change-Id: I3cffaa4f122d74705476c3f8791b549f85d8c87b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826534Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73993}

Bug: v8:11650
Change-Id: Ice830eda80e81faf920c73214f7cd8f4230af6d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2831472
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73989}

Instead, bail out of inline literal creation if a deprecated map is
found. This makes it easier to compile on the background thread.

Bug: v8:7790
Change-Id: I87941938d4f13dcf49230cf246c33bf2f49897f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2745134
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73988}

- represent smis as fake heap numbers
- numbers nodes (both smi and heap numbers) reference a child node whose
  name is "value" and whose entry is the string representation of that
  number

That feature is disabled by default, and can be enabled by passing
captureNumericValue: true when calling HeapProfiler.takeHeapSnapshot

This patch slightly refactors some functions that operate on "essential
objects". We now check that the object is essential before trying to
create the entry. Otherwise, we would end up with smi objects created,
but not referenced anywhere.

Design doc:
https://docs.google.com/document/d/1Qh1zxyn0SS5wzJzitD6ecBJTdFbQkJogSMwxDRsn44o/edit

Change-Id: Ibbe6e79a54c4f9eace72bc0a0ccb622a97698e00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2806747Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Arnaud Renevier <arenevier@fb.com>
Cr-Commit-Position: refs/heads/master@{#73985}

The typing of br_table was relaxed in
https://github.com/WebAssembly/spec/pull/1305. Before, we had to compute
the greatest lower bound of all branch types and make sure that stack
values are subtypes of that type. Now, we have to check that the stack
values are subtypes of each individual branch. This makes a difference
only in polymorphic stacks, but greatly simplifies the code, especially
with the upcoming introduction of a much more complex type system in
wasm-gc.

Change-Id: I6e3b410cfe0e71a97623b3030b3575ef707c4900
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827897
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73982}

Drive-by: cleanup PersistentTest and MarkerTest

Bug: chromium:1056170
Change-Id: I85d674cda7d580e8cd7be807791ba883b0f7a111
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827898
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73979}

This test relies on non-concurrent optimizations to precisely test
transitions between the different tiers.

Disable flags that invalidate this test:
--no-always-opt to test transiation from Ignition to Sparkplug
--deopt-every-n-times=0 to test transition from Sparkplug to TF

Bug: v8:11656
Change-Id: I85047015d3f7cfdf00bddad59c9742d5d8f5d223
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827902
Auto-Submit: Patrick Thier <pthier@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73978}