This reverts commit 4d1b7af7.

Reason for revert: Broke clusterfuzz asan build

Original change's description:
> [turbofan][64] Remove Smi Untagging extra nodes for 31 bit smis
>
> There are some cases where we can ignore some truncations or
> change nodes for Smi Untagging, when we are using 31 bit smis
> in 64 bit architectures.
>
> Updated DecompressionOptimizer to match the new pattern.
>
> Change-Id: I89d34407e6f780ec0399cd427cf9d3e24ee5669a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1889877
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64909}

TBR=jgruber@chromium.org,tebbi@chromium.org,solanes@chromium.org

Bug: chromium:1023972
Change-Id: I7773455a970a11c345a020c1421c961314c8eb5c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1914202
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64930}

When simulating bytecode, we store the current environment at the
site of the appropriate catch handler when entering a try range.
If the start of the try range is dead, we don't bother to store
an environment. However, generators can create alive regions
inside the try range. At such moments, we should recognize
we're in a try range and store the environment for the handler.

Bug: chromium:1017159
Change-Id: Icccc2ccf530895099bc62b97d9aaec8b97d5f4e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879247Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64929}

This moves code for running d8 into its own class. No functional
changes intended.

No-Try: true
Bug: chromium:1023091
Change-Id: I7cbfeebd2911dc758322f89cf93666550f2956d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906378
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64928}

Patch af608d4b https://crrev.com/c/1903969 removed some functions used on mips platform.

Original Commit Message:

  [utils] Remove unused classes and functions

  This removes dead classes and functions from utils.h.

Change-Id: I558de38370b51a3f7dd0ea9712d9c9dc47fa05a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1909747
Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64927}

After allocation of an object, we need to initialize it to make it safe
for the GC to see it. For complex objects like SharedFunctionInfo, this
initialization code is long and requires understanding of the object. So,
it makes sense for the initialization to live in the SharedFunctionInfo
code itself (as an Init method) rather than in the factory.

Aside from being a neat cleanup, this will allow us to share this
initialization logic between different allocation methods, as part of the
off-thread allocation project:
https://docs.google.com/document/d/1-_96kok0AcavkbcdqqZvpqt_2q-_XWAsAJwbRXlfwCo/

Bug: chromium:1011762
Change-Id: Ie276eb711423272f85abfeb3d88df1826a77b984
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872402
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64926}

port 80dc6a33 https://crrev.com/c/1903445

Original Commit Message:

  [ptr-compr] Remove CompressedSigned MachineRepresentation

  Since smi-corrputing, TaggedSigned (aka known smis) only have the lower
  bits used. This renders CompressedSigned useless.

Change-Id: I3d656752bb81a09bd3985bd39ab9f656504f4da1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1911268
Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64925}

Change-Id: I2b1cf44670e12b22bbf5115742e1d62dafec7304
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1912220
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64924}

Bug: v8:9838
Change-Id: I8f1ca56517c4de097cab7e5fbd63ef3fe56d8f8c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1904120Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64923}

This reverts commit d46bd852.

Reason for revert: I suspect this breaks the 'V8 Linux - predictable' bot. Specifically, 'typedarray-copywithin' has been failing since this landed. I am not exactly sure what is wrong from the tests error message, but see this link for more information:
https://logs.chromium.org/logs/v8/buildbucket/cr-buildbucket.appspot.com/8896980452133814304/+/steps/Check_-_d8__flakes_/0/logs/typedarray-copywithin/0

Original change's description:
> [ic] Migrate Code-based handlers to use data driven handler.
> 
> All usage of KeyedLoadIC_Slow, HasIC_Slow, StoreInArrayLiteralIC_Slow
> and KeyedStoreIC_Slow now use data driven handlers
> 
> Bug: v8:9779
> Change-Id: Idd888c5c10b462a5fe155ba0add36f95169bd76d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1895988
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Commit-Queue: Suraj Sharma <surshar@microsoft.com>
> Cr-Commit-Position: refs/heads/master@{#64918}

TBR=rmcilroy@chromium.org,verwaest@chromium.org,surshar@microsoft.com

Change-Id: Id7c2b553f85b46048bed2c633b8bd24098f67147
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9779
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1912092Reviewed-by: Joshua Litt <joshualitt@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64922}

This allows us to use them in constexpr contexts, just as DCHECK.
There were some "constexpr" keywords missing, and we cannot have
explicit template instantiations for constexpr.

R=jkummerow@chromium.org

Bug: v8:9810
Change-Id: Iba7c6ed4a16ea5077324880f59f7f0e17d1757a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910956Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64921}

Optimizes BitVector::Iterator::Advance by using base::bits::CountTrailingZeros to
skip through bitvector. Also inlines Advance in the header. This reduces the
LiveRangeAnalysis phase of TurboFan/Prop by about 2-5% on Octane.

BUG=v8:9684

Change-Id: I3954d50d8ae9bd062a153e1fa2cb0abfd43d73eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910948
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64920}

This reverts commit f616b372.

Reason for revert: Might break incremental build: https://crbug.com/v8/9966

Original change's description:
> [build] Simplify snapshot target
> 
> Drops unnecessary visibility exception and uses minimum deps required
> for snapshot target.
> 
> Change-Id: I4098a443e9df31c25551540a0b6edfe9500f7bcd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910943
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64907}

TBR=machenbach@chromium.org,jgruber@chromium.org

Change-Id: I01b087406e913faca42e21572d2fb62116c8c222
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9966
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1912219Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64919}

All usage of KeyedLoadIC_Slow, HasIC_Slow, StoreInArrayLiteralIC_Slow
and KeyedStoreIC_Slow now use data driven handlers

Bug: v8:9779
Change-Id: Idd888c5c10b462a5fe155ba0add36f95169bd76d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1895988Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Suraj Sharma <surshar@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#64918}

Fixed: v8:9949
Change-Id: I3e27660f3f3e679988e780a050050ffd5ae9f584
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910946Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64917}

Out of the six masks (for 64 bit value), three can be skipped because
the values are known to be within certain bounds.

R=jkummerow@chromium.org

Bug: v8:9810
Change-Id: I50c3bf2d374b14456aa0cbec076e894f25779151
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910110Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64916}

This reverts commit 75a61325.

Reason for revert: Fails arm64 gc stress (see bisect): https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20gc%20stress/16691

Original change's description:
> [turbofan] Simplified LowerCheckedInt(32|64)ToTaggedSigned
> 
> Merge duplicate LowerCheckedInt32ToTaggedSigned code.
> 
> Skip ChangeInt32ToInt64:
> * In 32 bit archs, ChangeInt32ToInt64 is a no-op.
> * In 64 bit archs with 31 bit smis and smi corrupting enabled,
> ChangeInt32ToIntPtr can be skipped. This is because it would only
> change the upper bits, and those upper bits are not significant
> since we are smi-corrupting.
> 
> Change-Id: Ia217773fc7fccdd6227f66fbd600326ebbe9b86d
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1893193
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64906}

TBR=jgruber@chromium.org,tebbi@chromium.org,solanes@chromium.org

Change-Id: I6586a6f226537acba988afa1be7454c2c3e6ee54
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910955Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64915}

This allows the tests to continue running on the gc fuzzers while
staying compatible with the --force-slow-path flag being passed
randomly.

When run in slow_path variants these tests are no-ops, but that's
negligible as the tests are also fast without slow_path.

Change-Id: I461c47b669b163e1e1594ea1a941f63e90f2221e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910947Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64914}

UMA data shows that we currently still allocate up to ten code spaces
per module. This is because the code size estimates are vastly off,
especially if both Liftoff and TurboFan is being used.
Also, code sizes differ by platform.

This CL adds more logic to the {EstimateNativeModuleCodeSize} function
to distinguish Liftoff and TurboFan, and to use different constants per
platform. A largeish comment explains how the numbers were generated,
and that they are an extreme over-generalization. However, without
further information about the module, this is the best we can do.
After all, being off even by a factor of two does not hurt too much, as
explained in the comment.

R=jkummerow@chromium.org

Change-Id: Icd178f5f4d0c7c8fa29b11b6eff7d14e64a1af1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910102
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64913}

This reverts commit b3d748a2.

Reason for revert: Regressions, see https://crbug.com/1023423.

Original change's description:
> [regalloc] Use an adaptive data structure for live sets
> 
> Live sets represent sets of live virtual registers at block entry and
> exit points. They are usually sparsely populated; for example, a sample
> taken from Octane2 shows 80% of sampled live sets with a fill ratio of
> 10% or less.
> 
> Prior to this CL, live sets were implemented as a statically-sized bit
> vector. This is fine for low-ish virtual register counts, but becomes
> wasteful at higher numbers.
> 
> This CL attempts to address this issue through an adaptive
> implementation. Small live sets remain bit vectors, while larger sets
> switch to a PersistentMap-based implementation. PersistentMap has very
> memory-efficient add/remove/copy operations.
> 
> Of course, with adaptive data structures we enter the territory of
> parameter fiddling. In this case, two parameters are used:
> kMaxSmallSetSize controls when to switch implementations, and
> kMaxDeletionsBeforePrune controls when pruning (= managing the # of
> deleted entries in the map) sets in.
> 
> On the (degenerate) test case from the linked bug, the register
> allocation zone shrinks from 1008MB to 475MB. For more realistic cases
> I expect savings on the order of 10s of KB.
> 
> Bug: v8:9574
> Change-Id: Id903bbe23f030b418e8d887ef4839c8d65126c52
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1891693
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64872}

TBR=jgruber@chromium.org,tebbi@chromium.org,thibaudm@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9574
Change-Id: I5d684198f9c4575a0c892076459cc2c20dce9aec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910944Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64912}

On platforms that do not require the far jump table for wasm calls (32
bit platforms currently), we do not need to include a far jump table
slot per wasm function. Other places already used the
{NumWasmFunctionsInFarJumpTable} helper function, but in the actual
allocation of the far jump table, it was missing.

R=jkummerow@chromium.org

Change-Id: I30734a1a25cc80e38c47abfd39059d56c9e5de57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910101Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64911}

We used the same random seed for all test cases of a fuzz session
for transitioning from choosing the flags on V8 side.

Since the grace period for stable bisection is over, we now use
the same random number generator throughout the fuzz session which
leads to a wider range of differently chosen flags.

TBR=tmrts@chromium.org

No-Try: true
Bug: chromium:813833
Change-Id: I07b9fe5de378c01344afd486bfd85fcbf0fcd8d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906377Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64910}

There are some cases where we can ignore some truncations or
change nodes for Smi Untagging, when we are using 31 bit smis
in 64 bit architectures.

Updated DecompressionOptimizer to match the new pattern.

Change-Id: I89d34407e6f780ec0399cd427cf9d3e24ee5669a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1889877
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64909}

Wasm code GC is on by default now.

R=machenbach@chromium.org

No-Try: true
Change-Id: Ib24e68f431876ecb91e7ae6ef6bc6cc08c2ea0c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910942Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64908}

Drops unnecessary visibility exception and uses minimum deps required
for snapshot target.

Change-Id: I4098a443e9df31c25551540a0b6edfe9500f7bcd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910943Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64907}

Merge duplicate LowerCheckedInt32ToTaggedSigned code.

Skip ChangeInt32ToInt64:
* In 32 bit archs, ChangeInt32ToInt64 is a no-op.
* In 64 bit archs with 31 bit smis and smi corrupting enabled,
ChangeInt32ToIntPtr can be skipped. This is because it would only
change the upper bits, and those upper bits are not significant
since we are smi-corrupting.

Change-Id: Ia217773fc7fccdd6227f66fbd600326ebbe9b86d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1893193
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64906}

This is a reland of ab1b511c

The offending flags are removed.

Original change's description:
> [test] Add more flags to numfuzz flags fuzzer
>
> This adds a selection of flags to numfuzz that are already used
> for different testing variants or on clusterfuzz for
> correctness testing.
>
> No-Try: true
> Change-Id: I79745b281b001f57d2b24977f3a8e9ce3bbab2a4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906573
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64884}

No-Try: true
Change-Id: Ie01f244147be0b0fda8cec83f48ac3f73c5a81ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910113
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64905}

Change-Id: I208b0e39b3755e84683aae9f6e23053858120b6c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906383Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64904}

This ports:
https://crrev.com/c/1538805

Bug: chromium:1023757
Change-Id: I664c07bd2fe9c93861cdeb9c5bb0af6c8a426e7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910941Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64903}

This decomposes the crdtp library into multiple files.
Since it wasn't previously rolled
it's a bit more than just that.

Upstream review: https://chromium-review.googlesource.com/c/deps/inspector_protocol/+/1907115

New Revision: d020a9e614d4a5116a7c71f288c0340e282e1a6e

Change-Id: I5c588469654bec3e933804ac706fa967c6fe57bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1907973
Auto-Submit: Johannes Henkel <johannes@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64902}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/789c8f5..8929104

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/56af378..3992f65

Rolling v8/third_party/googletest/src: https://chromium.googlesource.com/external/github.com/google/googletest/+log/f2fb48c..076c461

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/596e92a..ebea19a

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: I7250b847fdbd3c683aa970784443f8d8e56c99a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1911401Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#64901}

https://chromium.googlesource.com/external/github.com/tc39/test262/+log/21195de..1bc19352

Bug: v8:7834, v8:9808
Change-Id: I97b26749acf56f3db63b3989441ac4c2b8642807
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910859Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64900}

This patch excludes brand symbols from the result of
JSReceiver::GetPrivateEntries so that the brands do not show up
when the instances are inspected from the DevTools (e.g. via
`Runtime.getProperties()`).

To implement this, we use a bit in the Symbols to denote whether
it's a brand symbol. A brand symbol is also a private name
symbol so that we can just reuse the IC for accessing private
names and do not need to jump through extra ORs.

Design doc: https://docs.google.com/document/d/1N91LObhQexnB0eE7EvGe57HsvNMFX16CaWu-XCTnnmY/edit

Bug: v8:8671, v8:9839, v8:8330
Change-Id: I24346aeedce3602395289052d1e1350ae9390354
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1909757Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#64899}

Bug: v8:9810
Change-Id: I5d0341d9602c3df8b158227c6647414fc66481e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1907634
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64898}

... even with ptr-compr.

Although full uintptr-sized TypedArrays are not supported yet
we may already start using uint32-sized typed arrays as we no
longer rely on TypedArray length to be a Smi.

Bug: v8:4153
Change-Id: If179541ad4f02c4ec7de9d1f3836138fe526d8a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1905847
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64897}

Instead of changing all of TryToName to do the conversion to array
index, this patch narrows this fast path just to the element load IC
handler.

This patch also restores the HeapNumber conversion in TryToIntPtr and
in Turbofan inlining as per the original state of things.

Bug: v8:9449, chromium:1016738, chromium:1016709
Change-Id: Ibf3a2c38637fc36e0ee037dc740f273848d1e8a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1902386
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64896}

This reverts commit ab1b511c.

Reason for revert: too many spurious errors

Original change's description:
> [test] Add more flags to numfuzz flags fuzzer
> 
> This adds a selection of flags to numfuzz that are already used
> for different testing variants or on clusterfuzz for
> correctness testing.
> 
> No-Try: true
> Change-Id: I79745b281b001f57d2b24977f3a8e9ce3bbab2a4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1906573
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64884}

TBR=machenbach@chromium.org,clemensb@chromium.org,almuthanna@google.com,liviurau@chromium.org

Change-Id: Iba9cfa8e6e8e2cb3b9fe0f803b07376ae55d783c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910112Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64895}

This reverts commit 509995d3.

Reason for revert: want to revert first CL

Original change's description:
> [numfuzz] Remove jitless from flags experiment
> 
> Produces too many spurious errors with tests that normally get
> skipped in jitless variant.
> 
> TBR=clemensb@chromium.org
> 
> No-Try: true
> Change-Id: Iddf0e39e4c454a3b17568ba17a014e8d38922052
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910107
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#64889}

TBR=machenbach@chromium.org,clemensb@chromium.org,almuthanna@google.com,liviurau@chromium.org

Change-Id: I238323289fd29fec82c58795c2ad829e7c0a073a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910111Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64894}

They were there to avoid a GCC bug. Now that we do not support GCC 4 any
more, we can remove this workaround.

R=ahaas@chromium.org

Bug: v8:9810
Change-Id: I9346671cc1c5f0c83b47d0cfbd313cd1eb2179a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910104Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64893}

This creates a .tq file in src/objects for each src/objects/*.h file
with Torque-defined classes and moves the object definitions and
corresponding helpers/macros there.
In addition, we create files convert.tq and cast.tq in src/builtins
to move the casts and conversions to.

Since Torque-generated .cc files end up as .o files in the same
directory, there cannot be two .tq files of the same name. Thus it
was necessary to rename src/builtins/arguments.tq and
src/builtins/string.tq to not clash with the new files in src/objects.

This is a mechanical change that only moves code.

Design doc: http://doc/1fh4OUMjQMnQdJm3aiAPXQUNdgbQugkRGdJzDh8hmyzk

Bug: v8:9861 v8:9810 v8:7793
Change-Id: I9c54cb50f32b9ae0fb41752199515133eb59ea5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910100Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64892}

Port 80dc6a33

Original Commit Message:

    Since smi-corrputing, TaggedSigned (aka known smis) only have the lower
    bits used. This renders CompressedSigned useless.

R=solanes@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: Ia3daa8e8fe60e8046784436b3dfcdad63b6597c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1907442Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#64891}