Drive-by:
* don't create proto handlers for DefineOwnIC and StoreOwnIC,
* make sure that none of the DefineOwnIC and StoreOwnIC handlers are
  leaked into StoreIC's megamorphic stub cache.

Bug: v8:9888, chromium:1259950
Change-Id: I9db538e6ed14bc578aa80df037ffebd9e8c3c649
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3250641
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77632}

There is a bit of a contradictory register requirement in the
instruction selector for i64x2.mul. We want dst == lhs (when AVX not
supported), but we also want lhs and rhs to be unique (to ensure that
that they don't alias the temp).

We remove the requirement for dst == lhs, since the code gen can handle
both cases (dst == lhs, dst != lhs), at the expense of 1 movaps.

Bug: chromium:1264462
Change-Id: Ia48572412b1f6e0da3551880d8b68a03f42fe2a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3253661
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77625}

Bug: chromium:1264013
Change-Id: If2e504e6713617fdc1d098da3b71ffc78a4f0eb0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3251177
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77611}

No-Try: true
Change-Id: If5b38a16aad87ae4bb9e025d004f028d321ac088
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3250717
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77610}

This is a reland of 45227ffd
Differences:
- Handle one more flags conflict in variants.py.
- Disallow %VerifyType without --concurrent-recompilation.

Original change's description:
> [turbofan] extend type asserts to cover all JS types
>
> Extend type assertions to all types covering JavaScript values.
> This is achieved by allocating type representations on the heap using
> newly defined HeapObject subclasses. To allocate these in the compiler,
> we disable concurrent compilation for the --assert-types flag for now.
>
> Fix two type errors that came up with the existing tests:
> 1. JSCreateKeyValueArray has type Array (i.e., a JSArray) instead of
>    OtherObject.
> 2. OperationTyper::NumberToString(Type) can type the result as the
>    HeapConstant Factory::zero_string(). However, NumberToString does
>    not always produce this string. To avoid regressions, the CL keeps
>    the HeapConstant type and changes the runtime and builtin code to
>    always produce the canonical "0" string.
>
> A few tests were failing because they check for truncations to work
> and prevent deoptimization. However, AssertType nodes destroy all
> truncations (which is by design), so these tests are incompatible
> and now disabled for the assert_types variant.
>
> Drive-by fix: a few minor Torque issues that came up.
>
> Change-Id: If03b7851f7e6803a2f69edead4fa91231998f764
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234717
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77565}

Change-Id: I5b3c6745c6ad349ff8c2b199d9afdf0a9b5a7392
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247035
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77596}

The stack-switching test is not expected to pass yet if a GC happens
in the runtime call or in the wasm call.

R=ahaas@chromium.org

Bug: v8:12191, v8:12344
Change-Id: Iba66be58c1abd2ffbb22bbd7d34f8df0246a2a92
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3250900Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77594}

1. Skip leading zeros when parsing date string
2. Add necessary unittests

Bug: v8:12256
Change-Id: Ibc1f320382a2e33175f7f57542c8fe48afd05fa8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3223239Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77592}

A "store own" slow runtime was missing, and the slow handler on the
StoreOwnIC was using the non-own slow runtime function, incorrectly
causing setters to be called.

For baseline, [1] invalidates the invariant that StoreOwnIC is only used
for storing properties already in the literal boilerplate, since it's
also used when the new literal is cloned from an object spread.

[1] https://chromium-review.googlesource.com/c/v8/v8/+/3224666

Bug: chromium:1263389, v8:11429
Change-Id: I0284396f306f937d1b8ff96adda6cc133c19726a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3244308Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77591}

Bug: v8:12329
Change-Id: I51c38d70537889b7534fb7e6b4066e6ab440234a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3248163
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77582}

This reverts commit 45227ffd.

Reason for revert: Breaks on gc_stress mode, see https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/35988/overview

Original change's description:
> [turbofan] extend type asserts to cover all JS types
>
> Extend type assertions to all types covering JavaScript values.
> This is achieved by allocating type representations on the heap using
> newly defined HeapObject subclasses. To allocate these in the compiler,
> we disable concurrent compilation for the --assert-types flag for now.
>
> Fix two type errors that came up with the existing tests:
> 1. JSCreateKeyValueArray has type Array (i.e., a JSArray) instead of
>    OtherObject.
> 2. OperationTyper::NumberToString(Type) can type the result as the
>    HeapConstant Factory::zero_string(). However, NumberToString does
>    not always produce this string. To avoid regressions, the CL keeps
>    the HeapConstant type and changes the runtime and builtin code to
>    always produce the canonical "0" string.
>
> A few tests were failing because they check for truncations to work
> and prevent deoptimization. However, AssertType nodes destroy all
> truncations (which is by design), so these tests are incompatible
> and now disabled for the assert_types variant.
>
> Drive-by fix: a few minor Torque issues that came up.
>
> Change-Id: If03b7851f7e6803a2f69edead4fa91231998f764
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234717
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77565}

Change-Id: Ia779a11fc811846194c7a8d1e40b372b265e7ea4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3247034
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Owners-Override: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#77566}

Extend type assertions to all types covering JavaScript values.
This is achieved by allocating type representations on the heap using
newly defined HeapObject subclasses. To allocate these in the compiler,
we disable concurrent compilation for the --assert-types flag for now.

Fix two type errors that came up with the existing tests:
1. JSCreateKeyValueArray has type Array (i.e., a JSArray) instead of
   OtherObject.
2. OperationTyper::NumberToString(Type) can type the result as the
   HeapConstant Factory::zero_string(). However, NumberToString does
   not always produce this string. To avoid regressions, the CL keeps
   the HeapConstant type and changes the runtime and builtin code to
   always produce the canonical "0" string.

A few tests were failing because they check for truncations to work
and prevent deoptimization. However, AssertType nodes destroy all
truncations (which is by design), so these tests are incompatible
and now disabled for the assert_types variant.

Drive-by fix: a few minor Torque issues that came up.

Change-Id: If03b7851f7e6803a2f69edead4fa91231998f764
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234717Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77565}

Change-Id: Ie419fe63a0d63574a155b48a040beb0b633989e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3245930
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77558}

Recompute the spill offsets for values in the merge region, instead of
reusing the offsets of the source. This ensures that spill slots stay
contiguous (modulo alignment).
This also solves a correctness issue where the spill offsets in the
merge region could move up, thereby overwriting the source of another
move.
With this change, the spill offsets always move down (to fill the gap)
or stay the same, such that processing them from bottom to top
can only overwrite sources of already-processed moves.

Since we do not reuse the current state's offsets, this might generate
extra stack moves and regress generated code performance a bit.

Drive-by: print spill offsets in the Liftoff trace

R=clemensb@chromium.org

Bug: v8:12270
Change-Id: I8d20df8fc1e80dd36b6f651de457686e9935a628
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3245115
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77556}

According to the spec, the three parameters (stdlib, foreign, and heap)
must be mutually distinct. We did not check this yet, which led to
observable differences between asm validation and standard JavaScript
semantics.

R=thibaudm@chromium.org

Bug: chromium:1068355
Change-Id: I451f63d10ea50474aeb6e8a547918b5af769343b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3244408
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77554}

We used to apply an invalid optimization which skips `length` writes
if the JSArray is 'fast' and the old value equals the new value. This
optimization is not valid if e.g. `length` is non-writable.

Fixed: chromium:1262478
Change-Id: I49ef50de293dae5c3a62c64b303ec34b9c0f6cbc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3236720Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77552}

R=ahaas@chromium.org
CC=fgm@chromium.org

Bug: v8:12191
Change-Id: Ied9ab5fa5009e5ab268d1c9893729d8210ae62ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3220344
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77542}

A follow-up to crrev.com/c/3240782.

Drive-by: extend JSRegExp printing.

Fixed: chromium:1263327
Bug: v8:11069
Change-Id: Iff64ded27ca93641f0f572df2ce0a9f846948f7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3245110
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77536}

Bug: v8:12297
Change-Id: Ifbf6ac61e6b61e419b361d1fc14009d6d745193c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3231484Reviewed-by: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Vasili Skurydzin <vasili.skurydzin@ibm.com>
Cr-Commit-Position: refs/heads/main@{#77528}

This CL fixes an issue in EffectControlLinearizer, where the primitive
type of the argument of a fast C call was used to compute its
MachineType even when the argument was actually a TypedArray, which
should always be treated as a Tagged type. This resulted in Float32/64
typed arrays being passed in FP registers, leading to a crash in the
register allocator.

Drive-by fix: Fixed output from --trace-turbo-alloc so that all of its
sub-parts are printed with PrintF, avoiding interleaved log lines.

Bug: chromium:1260954
Change-Id: I249c8629daae3af437fb52f53f45211f3a214222
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3231341Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77521}

No-Try: true
Bug: chromium:1262423
Change-Id: I9d56e347d046944f01e33aa6fb8752c889e2d38d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3240784
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77517}

Character class handling in the irregexp pipeline is quite complex;
codepoints outside the BMP (basic multilingual plane) are only
translated into surrogate pairs when needed, e.g. when the subject
string is two-byte. If not needed, the codepoints simply stay part of
the list of CharacterRanges.

In EmitCharClass, we determine the valid subset of ranges through
ranges_length; until this CL, we forgot to pass that information on to
MakeRangeArray. Do that now by truncating the list of CharacterRanges.

Fixed: chromium:1262423
Change-Id: I5bb5b839e9935890ca2d10908ad66d72c3217178
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3240782
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77514}

To get more details about the failure when it flakes.

Bug: v8:12332
Change-Id: I1bf5188efe13a75e34dd9832e6275fd985ee8dbd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3233974
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77498}

If an output operand has "same as input" policy, we cannot assume that
it's input 0. Instead we should look at the {input_index}.

The bug manifests on Wasm select instructions, where the input index is
actually 2 and not 0.

In order to test this better, we introduce the a new
--turbo-force-mid-tier-regalloc flag, which always uses the mid-tier
register allocator. Otherwise the bug would only manifest on huge
functions.

R=mslekova@chromium.org
CC=​thibaudm@chromium.org

Bug: v8:12330
Change-Id: I6a005a48bbd2aba354dc99fed587bffce24c8839
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3234722Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77495}

Calling class constructors without new is a spec violation and should
raise an exception.
In [1] calling class constructors with spread (without new) was handled
by reducing the node to a call to runtime to raise the exception.
However, arguments of the call have to be evaluated first ([2]).
This CL changes the reduction of JSCallWithSpread/JSCallWithArrayLike to
a no-op in JSCallReducer if the target is a class constructor, delaying
raising of the exception to the call builtin.

[1] https://crrev.com/c/3229369
[2] https://tc39.es/ecma262/#sec-evaluatecall

Bug: chromium:1262007
Change-Id: I2ef504d4ce6e51d582b5951beb6debb983cefba6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3236348
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77492}

--no-stress-flush-bytecode doesn't exist and should be
--no-stress-flush-code. Not supressing it means a tester could pass
--stress-flush-code and --no-flush-bytecode, which are contradictory and
will assert.

Bug: v8:12331
Cq-Include-Trybots: luci.v8.try:v8_numfuzz_dbg_ng,v8_numfuzz_ng
Change-Id: I6490271bcb11f5ea925eb8b65fbe0455c2dafeaf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3233952Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77483}

These tests depend on predictable optimize/deoptimize movements.
--no-stress-flush-bytecode and --no-flush-bytecode ensure the feedback
vector is not flushed, causing unexpected deoptimizations.

Bug: v8:12328, v8:12311
Change-Id: I2eb7575e8c943a92c907831d4d66d2b0c9716869
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3232825Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77478}

Handling of class constructors was moved from CallFunction to Call
in [1].
When reducing calls with spread we forward varargs directly to
CallFunction, if we are spreading to inlined arguments or arguments of
the outermost function.
In that case we didn't check for class constructors and therefore didn't
raise an exception.
This CL adds checks for class constructors to all JSCall* nodes in
JSCallReducer that missed them before.

[1] https://crrev.com/c/3186434

Bug: chromium:1260623
Change-Id: Id39cdfd09ff5aae804ae30d96909518e408c9613
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229369
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77472}

These two tests rely on the functions being immediately compiled with SP.
Concurrent SP might add a delay and fail the test.

Bug: v8:12054
Change-Id: I52dbdfeb5c49c23f2d20a43bb8a87aba1f16358e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3233233
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77471}

mjsunit/regress/regress-crbug-9161 had two spinlocks on an atomic:

  1. WaitUntil(lock == kStageRunning)
  2. WaitUntil(lock == kStageDone)

But, in theory the worker updating the "lock" could progress all the way
to kStageDone before the first loop manages to check the lock value
again.

We can make this more robust by checking:

  1. WaitUntil(lock != kStageInit)
  2. WaitUntil(lock == kStageDone)

That way both loops check for _any_ state past the state they want to
progress past.

Bug: v8:11437
Change-Id: I5220e61070a305301c678928edb0925c04dae970
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3231339
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77460}

This CL adds support for BigInt.asIntN, the necessary operations and
extensions of the compiler's type system to allow lowering of BigInts
to word64 representations that are interpreted as signed 64 bit BigInts.

Bug: v8:9407
Change-Id: Id4f1f45437c1caf94e01c7b4e063c2ae2386c88a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3198070
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77458}

This is a reland of dca83ff7

Relanding without changes, looks like the bot that failed succeeded
again before the revert landed (https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN/38915/overview)

Original change's description:
> [snapshot] Fix two stress_snapshot failures
>
> 1. Stress snapshot discards code on SFIs, which breaks flushing
>    invariants. Add --stress-snapshot to those invariants.
> 2. Another test failing on IsScript, added it to the disabled list.
>
> Change-Id: Ic415923a9cc96d34b74f7450b29be99c1b53d077
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229375
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77430}

Change-Id: I18fd290c3794d90addc2a94765d57a3ee3ceab86
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229563
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77447}

[1] fixes the behavior of StaNamedOwnProperty to no longer do prototype
lookups. This lets us revert [2] and go back to using the fast path in
the clone spread object literal bytecode.

The test case from [2] is kept.

[1] https://chromium-review.googlesource.com/c/v8/v8/+/2795831
[2] https://chromium-review.googlesource.com/c/v8/v8/+/3178969

Bug: v8:9888, chromium:1251366
Change-Id: I9d2cb69b803c403f63365f55d27c4de20ff7dafb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3224666Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77444}

This is a reland of 0c459ff5

Original change's description:
> [baseline] Concurrent Sparkplug n-thread with synchronised queue
>
> Installation in the main thread.
> Design doc: https://docs.google.com/document/d/1GmEiEt2VDmhY_Ag0PiIcGWKtvQupKgNcMZUvgpfQksk/edit?resourcekey=0-seYa-QJsx1ZbjelluPG1iQ
>
> Change-Id: Ifc6eccd44efdf377320c64cf9957c6060334e543
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3186831
> Commit-Queue: Victor Gomes <victorgomes@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77431}

Change-Id: I4ea8f3c026a0a448afcb16f57517ee75cedaf83f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229379
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77437}

This reverts commit dca83ff7.

Reason for revert: Speculative revert for https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20TSAN/38914/overview

Original change's description:
> [snapshot] Fix two stress_snapshot failures
>
> 1. Stress snapshot discards code on SFIs, which breaks flushing
>    invariants. Add --stress-snapshot to those invariants.
> 2. Another test failing on IsScript, added it to the disabled list.
>
> Change-Id: Ic415923a9cc96d34b74f7450b29be99c1b53d077
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229375
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77430}

Change-Id: Ied1bd9e10389f361cd6e39a1c985ee134f098629
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229561
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#77434}

This reverts commit 0c459ff5.

Reason for revert: breaks build on M1 (where W^X flag is RO) https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac%20-%20arm64%20-%20release%20builder/6999/overview

Original change's description:
> [baseline] Concurrent Sparkplug n-thread with synchronised queue
>
> Installation in the main thread.
> Design doc: https://docs.google.com/document/d/1GmEiEt2VDmhY_Ag0PiIcGWKtvQupKgNcMZUvgpfQksk/edit?resourcekey=0-seYa-QJsx1ZbjelluPG1iQ
>
> Change-Id: Ifc6eccd44efdf377320c64cf9957c6060334e543
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3186831
> Commit-Queue: Victor Gomes <victorgomes@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#77431}

Change-Id: I45a952aacf0ad29ebb703a742fdc6da7b0b7c826
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229378
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77433}

Installation in the main thread.
Design doc: https://docs.google.com/document/d/1GmEiEt2VDmhY_Ag0PiIcGWKtvQupKgNcMZUvgpfQksk/edit?resourcekey=0-seYa-QJsx1ZbjelluPG1iQ

Change-Id: Ifc6eccd44efdf377320c64cf9957c6060334e543
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3186831
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77431}

1. Stress snapshot discards code on SFIs, which breaks flushing
   invariants. Add --stress-snapshot to those invariants.
2. Another test failing on IsScript, added it to the disabled list.

Change-Id: Ic415923a9cc96d34b74f7450b29be99c1b53d077
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3229375
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77430}

It was missing on the slow path before.

Bug: chromium:1259902, chromium:1260746, v8:10793
Change-Id: I9ae5f9efd552754a725f624307dd7caaeacd496f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3226541Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#77429}

This CL improves wasm inlining heuristics in Turbofan, for an average
8,5% performance improvement in selected benchmarks.

Changes:
- In WasmInliner::Reduce(), only collect inlining candidates into a
  priority queue, according to WasmInliner::LexicographicOrdering.
  Move actual inlining to Finalize().
- Remove the InlineFirstFew heuristic. Add two limits to inlining:
  Maximum relative size increase (reversely proportional to the function
  size), and absolute size increase.
- Pass information about call frequency from liftoff-collected feedback
  to the WasmInliner though the wasm module.
- Run wasm inlining along other optimizations in the pipeline.
- Split inlining and speculative inlining tests.

Bug: v8:7748, v8:12166
Change-Id: Iccee22093db765981889a24451fb458dfce1f1a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3222764Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77428}

Functions affected:
filter
find
findIndex
findLast
findLastIndex
forEach
reduce
reduceRight

Bug: v8:11111
Change-Id: Ifb40143e5b6ed4a3eb30cb25332e2387009e3274
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3205421
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77422}