Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/e4c7cf0..9275a0c

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: I16f6a0650309b8e0d1ce3f25cd1159cefebf861d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1757692Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#63231}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/ac11835..e4c7cf0

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/dbca9d1..ae25381

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/2dd0798..c5d786f

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: Ib4f4c7ac25c631fe8d14a5ba6c60dc6ca0a3f2d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1757690Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#63230}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/b9f7075..ac11835

Rolling v8/third_party/android_sdk/public: DLK621q5_Bga5EsOr7cp6bHWWxFKx6UHLu_Ix_m3AckC..5DL7LQQjVMLClXLzLgmGysccPGsGcjJdvH9z5-uetiIC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/2ae52ad..dbca9d1

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/9f4b37d..72fbaf4

Rolling v8/third_party/googletest/src: https://chromium.googlesource.com/external/github.com/google/googletest/+log/e9d5f42..27e17f7

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/4327557..2dd0798

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: I3ebfd2a728ca0f15eaa9a2169360d46d0fb9da1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1757688Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#63229}

Change-Id: Icc9a88012cd785a7676259e15da2a1bc6a6e26ba
Bug: v8:9510
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1756854Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63228}

- Move undef closer to end of usage
- Move I64x2ExtractWithF64x2 closer to Extract tests, and into ifdef
scope so it runs on arm64 builds

Change-Id: I7138c44097975d02e97f4b2b9bfcddd8eb9735c8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1754544Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63227}

This CL adds additional information in PropertyAccessInfos and FieldAccesses about the map that introduced the accessed field. We use this information to prevent load elimination from incorrectly optimizing certain accesses marked const.

Prior to this CL, load elimination simply stored information about eliminatable field accesses based on objects (identified by nodes in the graph) and offsets (i.e., statically known ones). In the presence of const stores and loads this is insufficient, since a single object (in the above sense) may contain distinct *const* properties at the same offset throughout its lifetime. As an example, consider the following piece of code:

    let obj = {};
    obj.a = 0;
    obj[1024] = 1;  // An offset of >=1024 forces an elements-kind transition
    delete obj.a;
    obj.b = 2;
    assertEquals(obj.b, 2);

In this scenario, *both* the first ('obj.a = 0') and the second ('obj.b = 2') store to a field will be marked const by the runtime. The reason that storing to 'a' above ends up being marked const, is that 'a' before and after the elements-kind transition is encoded in separate transition trees. Removing 'a' ('delete obj.a') only invalidates const-ness in the dictionary-elements transition tree; not the holey-elements one used at the time of 'obj.a = 0'.

The above situation on its own violates an invariant in load elimination. Namely, we assume that for the same object and offset, we will never encounter two const stores. One can extend the above snippet to coax load-elimination into producing incorrect results. For instance, by "hiding" 'obj.b = 2' in an unoptimized function call, the consecutive load from 'b' will incorrectly produce 0, violating the assert.

R=neis@chromium.org, tebbi@chromium.org

Bug: chromium:980183, chromium:983764
Change-Id: I576a9c7efd416fa9db6daff1f42d483e4bd369b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751346
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63226}

V8_EXPORT is not required for public class templates, and using it may
lead to linker errors when users attempt to dllimport V8.

Change-Id: I0b2db2371d0fcbf50af94ba629670486b8f2bc00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1757284Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63225}

GetIterator currently acts as a property load of the iterator symbol
(soon it will also call it). It makes sense to apply the same early
lowering logic as we do for property loads in the bytecode graph
builder. This also brings our treatment of the bytecode in-line with
the way it's treated in the serializer, which already respects the
early-lowering semantics.

Bug: v8:7790
Change-Id: Ieadc4b307b9f6d9a5aa77ca10c7c818026776f33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758304
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63224}

There are some accesses that we know that are pointers, and we can
specialize them to have Pointer as their Machine Type and Write Barrier.

Drive-by fix: ForJSGeneratorObjectParametersAndRegisters can be changed
to use Pointer.

Bug: v8:7703
Change-Id: I88e371746fc5f08c84795c95b1885264ef6c067c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741658
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63223}

This removes the restriction on load elimination to only track fields
of representations with kTaggedSize, and instead also allows fields with
representations using multiples of kTaggedSize (that is, Float64 and Word64
on pointer-compressed or 32-bit platforms).

In order not to regress JIT-compile time for the common case of
kTaggedSize-sized fields, we maintain information for bigger fields multiple
times, once for each kTaggedSize-multiple offset that covers it. By checking
that all copies of this information are still there when reading from the
load elimination state, updates to the load elimination state don't need to
take special care of bigger fields.

Change-Id: I9b5f3d2d6e3b4f145c20d33fbc764869bf50a365
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752843
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63222}

Bug: v8:9616
Change-Id: Ieca74f8df90b342672c8904beef2c2298f0ba597
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755991Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63221}

Create a new function NewHeapNumberForCodeAssembler used only by
CodeAssembler that allocates in read_only_space whenever it is writable
(e.g. when constructing builtins). This can allocate in old_space for
CSA tests that run after read_only_space is sealed.

This move 512 bytes from old_space to read_only_space.

Bug: v8:7464
Change-Id: I3e29b38a8c062fa74feed63ecf0d07625c04347f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752855
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63220}

Rolling v8/test/wasm-js/data: https://chromium.googlesource.com/external/github.com/WebAssembly/spec/+log/ace189a..9867945

[interpreter] Tweak  target (Andreas Rossberg)
https://chromium.googlesource.com/external/github.com/WebAssembly/spec/+/9867945

[interpreter] Update BS support (#1058) (Andreas Rossberg)
https://chromium.googlesource.com/external/github.com/WebAssembly/spec/+/ae113ed

[interpreter] Make format roundtrips perfect (#1057) (Andreas Rossberg)
https://chromium.googlesource.com/external/github.com/WebAssembly/spec/+/81c5f27

TBR=ahaas@chromium.org,clemensh@chromium.org

Change-Id: Id626fc54563e5bd1e97403803dae6683c949d6f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1757684Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#63219}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/1bf9025..b9f7075

Rolling v8/third_party/android_ndk: https://chromium.googlesource.com/android_ndk/+log/4e2cea4..6258275

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/942e493..2ae52ad

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/979fa78..9f4b37d

Rolling v8/third_party/googletest/src: https://chromium.googlesource.com/external/github.com/google/googletest/+log/90a443f..e9d5f42

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/a05d5ea..4327557

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: If6324de29ba28dda02e9d87df14864eacf640802
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1757683Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#63218}

This reverts commit f54f92dd.

Reason for revert: CSA_ASSERTS failing while rolling into Chromium,
see https://crbug.com/994103 for details.

Original change's description:
> [builtins] Port RegExpTest to Torque
> 
> Bug: v8:8976
> Change-Id: Ia4dc120a31eb363599b47b22b749a3146a9c7c73
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746083
> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63211}

TBR=jgruber@chromium.org,tebbi@chromium.org,duongn@microsoft.com,szuend@chromium.org

Change-Id: Id3e1fe4e323826d3a48db667b032f0fddd7cb064
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8976
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1756389Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63217}

This is a CL in a string of CLs that aims to TNodify CSA. In particular,
there were some loads that were done in AnyTagged instead of
TaggedPointer. TNode-ifying them brings improvement in pointer
compression since we are able to decompress using the Pointer
decompression.

TNodified:
 * LoadJSFunctionPrototype
 * TryPrototypeChainLookup
 * OrdinaryHasInstance

Also TNodified loads regarding:
 * FeedbackCell::kValueOffset
 * HeapObject::kMapOffset
 * JSFunction::kSharedFunctionInfoOffset
 * JSFunction::kFeedbackCellOffset
 * Map::kInstanceTypeOffset
 * Map::kInstanceDescriptorsOffset
 * Map::kPrototypeOffset

Drive-by cleanup: StoreJSArrayLength and StoreElements were unused.

Bug: v8:6949, v8:9396
Change-Id: I89697b5c02490906be1eee63cf3d9e60a1094d48
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755844
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63216}

Previously we allowed for only one extra parameter on the stack,
this CL makes it dynamic based on the kArgCount value.

Change-Id: I18cd74d0cc0ecba6fb75dcee991a0e907d423d6a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755411Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Reviewed-by: Milad Farazmand <miladfar@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63215}

Rolling v8/test/wasm-js/data: https://chromium.googlesource.com/external/github.com/WebAssembly/spec/+log/a221f25..ace189a

[spec] Terminology nits (#1053) (Andreas Rossberg)
https://chromium.googlesource.com/external/github.com/WebAssembly/spec/+/ace189a

TBR=ahaas@chromium.org,clemensh@chromium.org

Change-Id: I0d06e838557560d07ca8d9ec2e8323d2d6658b99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1755223Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#63214}

Bug: v8:8460
Change-Id: I81e48a99e34d7438c2b652a01d979bf8db4726ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1749666Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63213}

Bug: v8:9528
Change-Id: Ib1e9505686b85fa426f3f66f7d6e1e63efc48014
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1710333Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63212}

Bug: v8:8976
Change-Id: Ia4dc120a31eb363599b47b22b749a3146a9c7c73
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746083
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63211}

Bug: v8:8460
Change-Id: I4bf23d884f5d6b587db741e9d19ac4b6b1ece506
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1749663Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63210}

Fixes DCHECK failure in DropStackFrameCacheCommon by returning early if
the source_position_table is Exception.

Bug: chromium:990582, v8:8510
Change-Id: I671f3e0cdc9f880dedf8ecd2fffb1083229dc6dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752856Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63209}

This CL increases the maximum number of arguments for CallCFunction to
10 (was 9 previously).

All simulators also support up to 10 arguments now for host-calls.

Bug: v8:9621
Change-Id: Ib21cd39e965cdfcb0b04412261dc02e5fe106e47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752852
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63208}

This change makes the code compatible with both Python 2 and Python 3.

Change-Id: I99d68af9c3163607c3a2fdbafac339a98b7471e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751331
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63207}

Otherwise there is a mismatch between eager parsing (where the reciever
is marked as MaybeAssigned) and lazy parsing (where the receiver is
deserialized and not marked MaybeAssigned) for arrow functions that
have an inner scope that calls eval.

BUG=chromium:989914

Change-Id: I8b8b78140858985a75a971b0e0a95bd61463457b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752851Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63206}

Moved code from the .cc file to the .h file, and added comments on important
methods.

There is still room for more cleanup / refactor, but it doesn't seem worth
it right now.

Bug: v8:9396
Change-Id: Id14d3ccaa853e0704732d468df504c379cd114b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748735
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63205}

The builtin in question was just tail-calling another existing builtin
anyways. Call sites of the above builtin are rare and only appear in
import wrappers, removing the unnecessary hop is more efficient.

R=thibaudm@chromium.org

Change-Id: I42286346119fc627f8b9ef23fb6e4b2da1da80de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752847Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63204}

Consistent naming, moved methods, etc.

There is a follow-up CL that moves code from this .cc to the private
part of the class in the .h file.

Bug: v8:9396
Change-Id: I9efac09baff7403bce1be9712c090d2ea70b60f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1748734Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63203}

Since we can just use the lower bits, we can make the compressions no-ops.
As a note, they still change the representation so that the machine graph
verifier is happy.

X64's version of: https://chromium-review.googlesource.com/c/v8/v8/+/1751722

Bug: v8:7703
Change-Id: I728eb8b6b3953f053a7042797f3c498d13e3c948
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751729Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63202}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/b5e8d0f..1bf9025

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/1c632e3..942e493

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/3c81495..979fa78

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: I87deff115e8d5070c1b57393afe3bfa4bcd05c7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752433Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#63201}

Bug: v8:8460
Change-Id: Ibef60086b49a43a6d027b8904fe905eccbd8b069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1749662Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63200}

We cherish the ability to create a (for example) JSFunctionRef by
passing an object handle in phases of the compiler where we can't
inspect the handle to verify the instance type. A slight change to
constructor definitions of classes derived from ObjectRef allows us to
police this typing effectively.

Bug: v8:7790
Change-Id: I6ac8e4780d578e9c9cad80fdc87f399a92bc988d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751343
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63199}

This is a reland of
https://chromium-review.googlesource.com/c/v8/v8/+/1749712 with a fix in
test-run-wasm-simd.cc to use base::Divide to work around C++ undefined
behavior when the denominator is 0.

Bug: v8:8460
Change-Id: Ia0a4ff621cccc6d9b7528717bf3fa7c79e42ba1a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1745819
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63198}

PagedSpace::Available() is mostly used for counters. One may expect
that it'd be constant time or bearly noticeable performance-wise, but
its cost is linear in the number of freelists and number of pages in
the freelists. Overall, d8 --prof showed that it has a important
runtime cost, and prevents freelists from scaling.

This CL makes this counter constant-time, and should improve
performances, even using with our current FreeList strategy
(FreeListLegacy).

Bug: v8:9329
Bug: v8:9093
Change-Id: I7682c5debc78498fe46e8dbce70b2fbd540b0fd0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1746473
Commit-Queue: Darius Mercadier <dmercadier@google.com>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63197}

After compression, the values should only be used for their lower 32-bits (W registers).
This removes unnecessary 'ubfx' zero-extends.

The size of the embedded builtins is reduced by 0.2%.
This improves the ARES-6 by ~1.0%.

Bug: v8:7703

Change-Id: Ib9bd771b51e85717f415a346b37428f8821bf278
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751722Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63196}

When GC triggered while an exception is pending, a read to
memory that was no longer valid could happen while backtracking in the
regexp interpreter (introduced with commit fb0df2c8).
This CL prevents this dirty read, that could have been a security issue.

Bug: chromium:992389, v8:9575
Change-Id: Ie1acd6faa16665e211666c6a8dcf2a9d74e0c886
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751342
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63195}

Port c4d31fea

Original Commit Message:

    Stack limits were additionally maintained in pseudo-smi roots.
    "Pseudo", because we stored the raw limit pointers there, just making
    sure their values looked like smis by masking the least significant
    bits.

    This mechanism is no longer needed now that we can access the stack
    limit external references as efficiently as the smi roots.

R=jgruber@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: Ida5c1fe10a494e9c6d665425bd464228978ecd1b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752142Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63194}

Change-Id: If917f11f72d08e237fcb4ee43fabfc0c133dace6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752143Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#63193}

Previously we only used this flag if asm_wasm instantiation failed, but
we should avoid trying asm_wasm again if we failed during the initial
parse/compile, in case we have to recompile due to bytecode flushing. This
also avoids issues if there is a tranisent reason we fail asm_wasm compilation
(e.g., stack overflow) and later recompilations succeed and cause
inconsistencies like in the linked bug.

BUG=chromium:991133

Change-Id: Id156efa9d8625ce3db2058cb279ea23aeb66052f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751784Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63192}