This is a reland of b9bfd006

Original change's description:
> [torque] Convert few class layout to torque and updated torque code formatter.
>
> 1. Converted Module, JSModuleNameSpace, JSCollator, JSV8BreakIterator,
>       TemplateList,
>       JSStrictArgumentsObject to torque.
> 2. Updated torque code formatter to now handle multi-line
>             declarations correctly.
>
> Bug: v8:8952
> Change-Id: I97846b1bc0d2cba5d7a68468fc263423b1b55d19
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1536988
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Commit-Queue: Suraj Sharma <surshar@microsoft.com>
> Cr-Commit-Position: refs/heads/master@{#61624}

Removed the Torque code Formatter update from this CL

Bug: v8:8952
Change-Id: I01e88ac36acd7ba18791bec609e5ae737672c731
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619146
Commit-Queue: Suraj Sharma <surshar@microsoft.com>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61671}

When reconfigure data field (e.g. change representation), it was allowed to transition from dictionary elements kind to sealed elements kind. With this change, this transition is forbidden.

Bug: chromium:963346
Change-Id: I6c9a5f6f269bc5ee4cd6176ff5e8d803f08dba1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1613840
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61670}

Also add mjsunit test for spread call with non-extensible objects

Micro-benchmark JSTests/ObjectFreeze shows ~7x improvement

Before:
SpreadCall
SpreadCall-Numbers(Score): 239

After:
SpreadCall
SpreadCall-Numbers(Score): 1461

Bug: v8:6831
Change-Id: Icefd89ad790ac159b7f0617d0a012eefd90d3b1d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1614296Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#61669}

Bug: v8:9093
Change-Id: I69aa3edddf5ea52e1cca185fa03f51122cdf02c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617937
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61668}

When the 'disabled-by-default-v8.gc' category is enabled, emit an instant event
with heap statistics after every GC. The data that's emitted is the same as what
the V8 API gives you with `GetHeapStatistics()` and `GetHeapSpaceStatistics()`.

We generate JSON with the following format:

```
{
 "isolate": "0x55dd5cf03b50",
 "id": 1,
 "time_ms": 42.619,

 "total_heap_size": 3981312,
 "total_heap_size_executable": 573440,
 "total_physical_size": 2820440,
 "total_available_size": 2195254440,

 "used_heap_size": 1799616,
 "heap_size_limit": 2197815296,
 "malloced_memory": 251024,
 "external_memory": 2981,
 "peak_malloced_memory": 589280,

 "spaces": [
   {
     "name": "read_only_space",
     "size": 262144,
     "used_size": 32568,
     "available_size": 229256,
     "physical_size": 32888
   },
   {
     "name": "new_space",
     "size": 2097152,
     "used_size": 903392,
     "available_size": 143904,
     "physical_size": 1856136
   },
   ...
 ]
}
```

Bug: v8:9186
Change-Id: I0d07aa37b65d45778d6b47dbe6e07a9dd25d1097
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619763Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Cr-Commit-Position: refs/heads/master@{#61667}

This reverts commit ad1fcd43.

Reason for revert: Breaks waterfall.

Original change's description:
> [cleanup] Remove the now-unused deopt_count from feedback vector.
> 
> Bug: v8:9183
> Change-Id: Iceeccc8ab1e4e77b428e7e2feec39bff3317f241
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617675
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61665}

TBR=mstarzinger@chromium.org,jarin@chromium.org

Change-Id: Iea0e6a329f55a3a941f0b976925b2abdf7eece38
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9183
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619867Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61666}

Bug: v8:9183
Change-Id: Iceeccc8ab1e4e77b428e7e2feec39bff3317f241
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617675
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61665}

This is a reland of 5ce68669

TBR=ishell@chromium.org

Original change's description:
> Enable alignment checks when reading object fields
>
> Drive-by: Fix alignment bugs caused by DCHECKS.
>
> Bug: v8:9264
>
> Change-Id: I0836b1d08fea2ce11d8f7929e12f303b6ae06efe
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617676
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61643}

Bug: v8:9264
Change-Id: Ice9b819cc29eec0c341f16ef35fad4867f5df85b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619754Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61664}

This test needs detailed source positions which aren't available with
lazy source positions enabled so force them to always be present.

Bug: v8:8510
Change-Id: I1faf3d5614742b4181facc18eaf1d73d6a5712d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617677Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61663}

Previously, compiling with perfetto would add 2.3 MiB to the d8 release
binary. With this change it's 472 KiB.

This is because trace:lite pulls in many more compiled proto classes
than we need, e.g. a bunch of stuff under ftrace/ which is only used
on Android.

Chrome uses a 'mirror proto' ChromeTrackPacket to only provide
compiled protos for the types of packets it will actually see, which on
non-android devices does not include anything under ftrace/.

We use the same trick here in the JSON consumer.

Cq-Include-Trybots: luci.v8.try:v8_linux64_perfetto_dbg_ng
Bug: v8:8339
Change-Id: Iae1f74eec3bd93b18e9f069701fc016440d3ce5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619759
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61662}

The read_only_object_cache call cannot return a vector when it is backed
by the embedded heap, so this adds a few methods to abstract this away.

ExtendReadOnlyObjectCache will eventually have a check to reject adding
objects to the embedded read-only object cache.

Prior to this change the read-only object cache would only be extended
conditionally if needed. Since it started out empty it was always
extended, so this removes this logic.

Bug: v8:7464
Change-Id: I5b172f629ac48be5cbb8f78b03a0a213ebd570e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619745Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
Cr-Commit-Position: refs/heads/master@{#61661}

This adds two more message tests to test compile errors in
WebAssembly.compileStreaming and WebAssembly.instantiateStreaming.

R=mstarzinger@chromium.org

Bug: v8:9266
Change-Id: I34d1df4ce0fb02e14f3e5011569c8ba1d1374658
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619746
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61660}

This adds proper loading and parsing of the arguments that are being
passed to the {WebAssembly.Function} constructor function, including
tests covering most of the negative cases.

R=jkummerow@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: Id4d67789604ee72aec5ad831004a01434c1c6d6f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619748Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61659}

ASAN on Windows uses exceptions to manage its shadow memory. However,
this behavior can conflict with WebAssembly trap handler, because
WebAssembly trap handler are executed before the ASAN exception handler.

For some WebAssembly instructions we do not generate assembly code but
call to C functions instead. Since these functions are very simple, we
do not want to reset the thread-in-wasm flag before calling them.
However, when these functions trigger the ASAN exceptions, the
thread-in-wasm flag gets out-of-sync. This happened for the
memory_fill_wrapper function. Originally we thought that it's sufficient
to just mark the function with DISABLE_ASAN. However, this is not enough
because clang compiles the function to use memset, and memset gets
replaced by ASAN with asan_memset.

Therefore I decided now that just for sanitizer builds on Windows, we
reset the thread-in-wasm flag in memory_fill_wrapper. This is not ideal
because it's test-specific code within production code. However, the
alternatives also don't sound convincing.

Alternatives would be:
* Resetting the thread-in-wasm flag whenever we call a c-function
  - This would be unnecessary performance overhead for production code
    just to make a test work.
* Configure ASAN to not change memset.
  - This would weaken ASAN also for other cases.
* Disable ASAN for trap handlers, or trap handlers in ASAN builds.
  - This would reduce test coverage.

R=binji@chromium.org

Bug: chromium:957405
Change-Id: Ibd13c6fe7b898238f636db576552e3e4b278c04a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617671
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61658}

The invariant is that Map::bit_field2 shouldn't change, and the
IsInRetainedMapListBit apparently changes when the map is held
weakly from optimized code. This causes TurboFan compilations to
change the Map::Hash() result, which in turn causes lookups on
the normalized map cache to miss (and maybe other bad consequences).

With this change we swap Map::IsInRetainedMapListBit (previously in
bit_field2) and Map::HasHiddenPrototypeBit (previously in bit_field3)
to address this problem.

Bug: chromium:963411, v8:9114, v8:9267
Change-Id: I040a27c37305fa602649750bd93bee40c91fca78
Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619747
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61657}

This reverts commit 0607f8ae.

Reason for revert: We should be able to reenable those tests now.

Original change's description:
> [test] Skip debugger tests failing with JSON parsing
> 
> NOTRY=true
> 
> Bug: v8:9257
> Change-Id: I4713fd90c2a8b544def09d7305fe84d789ed60c4
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1613250
> Auto-Submit: Maya Lekova <mslekova@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61543}

TBR=verwaest@chromium.org,mslekova@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9257
Change-Id: Ieb28de987b0bfc7b408d3fe9bfe1f0a50c9db0c4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617932Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61656}

Recently* a second ResolveRenames appeared in
typed-optimization.cc. In some extreme (non-default) jumbo
builds that file shared translation unit (and thus anonymous
namespace) with load-elimination.cc which also has a
ResolveRenames which is slightly different.

To avoid that name clash and failed compilation, this
renames ResolveRenames -> ResolveRenamesForOpt.

*) It appeared in
 https://chromium-review.googlesource.com/c/v8/v8/+/1609803

Change-Id: Ia175468a8e978e93e95da1d28f74cee8dce253d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1615465
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Daniel Bratell <bratell@opera.com>
Cr-Commit-Position: refs/heads/master@{#61655}

This fixes the error message generated for compile errors during
asynchronous instantiation. It shows "WebAssembly.instantiate()" now
instead of "WebAssembly.compile()".

R=mstarzinger@chromium.org

Bug: v8:9266
Change-Id: Ieae478d1c4f6843fbc17e15debb6c49f72059d99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617940
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61654}

This adds three message tests to test the message stack trace we show
for
- synchronous compilation,
- asynchronous compilation, and
- asynchronous instantiation.

Note that the message for the asynchronous cases currently contain the
"WebAssembly.Module()" prefix, which will be fixed in a separate CL.

R=mstarzinger@chromium.org

Bug: v8:9266
Change-Id: I370f4211b5f577ea1b5da026a78b292b50c6a339
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617938Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61653}

This reverts commit a7695520.

Reason for revert: Was not the culprit.

Original change's description:
> Revert "Move deoptimizer files"
> 
> This reverts commit 61523c45.
> 
> Reason for revert: https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20debug/20396
> 
> Original change's description:
> > Move deoptimizer files
> > 
> > Bug: v8:9247
> > Change-Id: I6287907edb8a36225bfa9fe864305ea59c20dd8b
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617667
> > Commit-Queue: Yang Guo <yangguo@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#61648}
> 
> TBR=yangguo@chromium.org,mstarzinger@chromium.org,jarin@chromium.org,bmeurer@chromium.org
> 
> Change-Id: Icf258f7bc409ef0c360cfa82029bfc45a41dc75f
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: v8:9247
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619749
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61650}

TBR=yangguo@chromium.org,mstarzinger@chromium.org,jarin@chromium.org,bmeurer@chromium.org

Change-Id: Ic2aa07ccd08b6070222ec7a65b92b7afb9db484c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9247
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619753Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61652}

This reverts commit 5ce68669.

Reason for revert: Fails on win32 debug: https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20debug/20394

Original change's description:
> Enable alignment checks when reading object fields
> 
> Drive-by: Fix alignment bugs caused by DCHECKS.
> 
> Bug: v8:9264
> 
> Change-Id: I0836b1d08fea2ce11d8f7929e12f303b6ae06efe
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617676
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61643}

TBR=ulan@chromium.org,jkummerow@chromium.org,sigurds@chromium.org,petermarshall@chromium.org,ishell@chromium.org

Change-Id: I0ac73a880f2b7bd718e23e90c0867192def39dbb
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9264
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619750Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61651}

This reverts commit 61523c45.

Reason for revert: https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20debug/20396

Original change's description:
> Move deoptimizer files
> 
> Bug: v8:9247
> Change-Id: I6287907edb8a36225bfa9fe864305ea59c20dd8b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617667
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61648}

TBR=yangguo@chromium.org,mstarzinger@chromium.org,jarin@chromium.org,bmeurer@chromium.org

Change-Id: Icf258f7bc409ef0c360cfa82029bfc45a41dc75f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9247
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1619749Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61650}

This also fixes a bug in 'InitializeCallBuffer', where it wouldn't claim enough
slots for each parameter. This caused the Simd128 instruction selector test to
only claim 3 slots (rather than 4) and then perform an unnecessary padding poke.

v8_Default_embedded_blob_size from the generated file gen/embedded.S
  Before: 4957056
   After: 4954368

This gives a 0.05% size decrease.

Change-Id: Ic9bb998fb8a9111fb90e1c3e537ea0f2a5fa7b33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617665Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#61649}

Bug: v8:9247
Change-Id: I6287907edb8a36225bfa9fe864305ea59c20dd8b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617667
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61648}

Added the comparison of two decompresses to the DecompressionElimination
AdvancedReducer. Note that it works in the case that lhs is equal to rhs.

Also added tests for its implementation.

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: I21676a78b592859692768c3499ea11117d3bb5a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609793
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61647}

Fixes the crash stated in the chromium bug.

We weren't decompressing before CheckMap which resulted in a crash.
Implemented the same for CompareMap.

Bug: chromium:963917
Change-Id: I1dcaf6845758c7266bbc7d9ecc9e43cf8d6b639a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617252Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61646}

Now that we introduced the Compressed representation, we can simply use
AccessBuilder::ForMap. AccessBuilder::ForCompressedMap was introduced
as a placeholder previously.

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: I15b559c27641e6a673862c86be176e259835308e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617664Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61645}

This CL also removes "HasComplexElements" helpers on JSReceiver
and NumberDictionary.

Drive-by: Remove unused SmiLexicographicCompare runtime function.
The C++ funtion is still used, but it is entered using a fast
C call from Array#sort.

Bug: v8:9183
Change-Id: Ibb5d54cca623486806587bc90506af8d97910dc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617929
Commit-Queue: Simon Zünd <szuend@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61644}

Drive-by: Fix alignment bugs caused by DCHECKS.

Bug: v8:9264

Change-Id: I0836b1d08fea2ce11d8f7929e12f303b6ae06efe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617676
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61643}

TBR=verwaest@chromium.org,rmcilroy@chromium.org
NOTREECHECKS=true
NOPRESUBMIT=true

Bug: v8:9247
Change-Id: I9ddfb6e56ca8e47c4ac186a8df5f442d26420a69
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617661
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61642}

COMPLETE events are being deprecated and don't work well with perfetto
because we can't give out a handle into the buffer like we used to so
that the caller can update the existing event with the duration.

BEGIN/END pairs should be used instead to add two separate trace events
to the buffer which can be associated with one another by the trace
processor e.g. the trace viewer UI.

Cq-Include-Trybots: luci.v8.try:v8_linux64_perfetto_dbg_ng
Bug: v8:8339
Change-Id: Ib73c19d77ad58456ce23d15f0b658c26f3dc3d53
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1615257Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61641}

These were leftover in another directory and can be incorporated into
our standard benchmark runner. We already had some Array slice cases
in js-perf-test so just add some of the important cases from the other
directory to the existing implementation.

Bug: v8:9254
Change-Id: I4cc235b8d3719ecd729f23fe9705ea36d445c340
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617258
Auto-Submit: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61640}

This reverts commit 3dd56612.

Reason for revert: causes leak tests in blink layout tests to fail: https://ci.chromium.org/p/chromium/builders/ci/WebKit%20Linux%20Trusty%20Leak/34295

Steps to reproduce:
- Build blink_tests with following GN args
is_component_build = false
is_debug = false
strip_absolute_paths_from_debug_symbols = true
- Run
third_party/blink/tools/run_web_tests.py --additional-expectations third_party/blink/web_tests/LeakExpectations --time-out-ms 48000 --enable-leak-detection external/wpt/wasm/webapi/body.any.html

Original change's description:
> [stack-trace] Include API functions in Error.stack stack trace
> 
> This CL extends Error.stack to include frames of functions declared
> with the C++ FunctionTemplate API. For example, "print" in d8.
> 
> Two changes are necessary:
>   - HandleApiCall and friends need to go through an BUILTIN_EXIT frame
>     instead of an EXIT frame. The existing stack-trace machinery will
>     then pick up FunctionTemplate frames without additional changes.
>   - Turbofan doesn't go through HandleApiCall, but instead uses an
>     ASM builtin to enter FunctionTemplate functions. A "marker"
>     frame state is needed to include these frames in the stack trace.
> 
> Note: This CL only includes these frames in Error.stack,
> but not (yet) in the stack-trace API (v8.h).
> 
> Bug: v8:8742,v8:6802
> Change-Id: Ic0631af883cf56e0d0122a2e0c54e36fed324d91
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609835
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61602}

TBR=yangguo@chromium.org,sigurds@chromium.org,jgruber@chromium.org,bmeurer@chromium.org,szuend@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:8742, v8:6802
Change-Id: I4942cd32c6ee5e249dae046eea6b9b2f7120b8ba
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617933Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61639}

Code that is being moved primarily deal with layout of a JSObject,
accessing properties and elements, and map transitions.

NOTREECHECKS=true
NOTRY=true

Bug: v8:9247
Change-Id: Ibce5d5926ac4021c8d40c4dd109948775ce1da58
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1613994
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61638}

This is a reland of e7e512da

Original change's description:
> [turbofan] Add fast path for single-character String#startsWith()
> 
> This CL adds a fast path to String#startsWith(s) if s is a
> single character string.
> 
> Bug: v8:8400
> Change-Id: Ibd6a9d1e46d98f41c198d2b579208e25003eedb0
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1525362
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61504}

Bug: v8:8400
Change-Id: Ic2d60ccb8fdeb51373fcd025a7e970fda0c14d79
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1618342Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61637}

We disabled the `delete` optimization, where `delete` on a fast-mode
object goes back in the transition tree, because that optimization
didn't pay attention to constant field tracking.

This change now does the proper fix, which is to invalidate the
constness and properly deoptimize all code that depends on it.

Drive-by-fix: Handlify the DeleteObjectPropertyFast helper.

Bug: chromium:962588, chromium:963999, v8:9233
Change-Id: I5978c32a48d1635b3ce42dc08b00bb2654baa36a
Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617251
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61636}

This CL also removes the ElementsAccessor "slice" implementation, as
the runtime function is the last use site.

R=verwaest@chromium.org

Bug: v8:9183
Change-Id: If268e20120e7c7bb4a58d9560482b35896b0992f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617662Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61635}

If speculation is disallowed, this change lets us still do the
optimization if (a) the maps were already reliable or
(b) we are able to take stability dependencies.

Bug: v8:8820
Change-Id: I08340fc19ac87b80aa2b7ed77753dd642e89804f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617663Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61634}

The --log-timer-events doesn't work anymore, since it cannot be enabled
after the snapshot was created ever since the CallApiCallback stub was
turned into a builtin.

Bug: v8:9183
Change-Id: I6e0b92141f1986fc791943ffef42dd4961aea0a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617931
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61633}

R=jgruber@chromium.org

Bug: v8:9183
Change-Id: I789295e5bbea682b2e46ccf5a55c69dc74f0ed72
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617669
Auto-Submit: Simon Zünd <szuend@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61632}