This reverts commit 65630850.

Reason for revert: due to failures

Original change's description:
> Reland^3 "[runtime] Amortize descriptor array growing for fast-mode prototypes"
> 
> This CL:
>  - stops tracking transitions for fast maps that are known to be detached
>  - reuses descriptor arrays when transitioning detached maps to avoid O(n^2) performance and garbage creation
> 
> Fix in reland: check whether the map of the back pointer is the metamap rather than reading the map of the constructor-or-backpointer slot. If the slot contains a constructor, it's possible that the object transitions while the concurrent marker is reading the map (from which it's reading the instance type); and it's possible that the transitioned map isn't set up yet fully when we read the instance type. An acquire load for the constructor-or-backpointer map would also fix it by serializing stores, but is more expensive. Checking the metamap is faster.
> 
> Original commit message:
> > This avoids an O(n^2) algorithm that creates an equal amount of garbage.
> > Even though the actual final descriptor array might be a little bigger,
> > it reduces peak memory usage by allocating less.
> 
> TBR=ulan@chromium.org,ishell@chromium.org
> 
> Change-Id: I57000949debdee2b69dd41e0c5975b3e8a34c6f4
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: b:148346655, v8:10339
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2173363
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67499}

TBR=ulan@chromium.org,clemensb@chromium.org,ishell@chromium.org,verwaest@chromium.org

Change-Id: Ie7018912f591d397c8acede9b31fbf269d225fe4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: b:148346655, v8:10339
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2174299Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67500}

This CL:
 - stops tracking transitions for fast maps that are known to be detached
 - reuses descriptor arrays when transitioning detached maps to avoid O(n^2) performance and garbage creation

Fix in reland: check whether the map of the back pointer is the metamap rather than reading the map of the constructor-or-backpointer slot. If the slot contains a constructor, it's possible that the object transitions while the concurrent marker is reading the map (from which it's reading the instance type); and it's possible that the transitioned map isn't set up yet fully when we read the instance type. An acquire load for the constructor-or-backpointer map would also fix it by serializing stores, but is more expensive. Checking the metamap is faster.

Original commit message:
> This avoids an O(n^2) algorithm that creates an equal amount of garbage.
> Even though the actual final descriptor array might be a little bigger,
> it reduces peak memory usage by allocating less.

TBR=ulan@chromium.org,ishell@chromium.org

Change-Id: I57000949debdee2b69dd41e0c5975b3e8a34c6f4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: b:148346655, v8:10339
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2173363
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67499}

Forced GCs can either be invoked internally or communicate the fact that
they are forced externally via API. Before this CL, all uses were
passing kGCCallbackFlagForced to indicate that the GC was forced.

This flag is used by embedders though to trigger followup actions. E.g.,
it can be used to trigger a follow up call to
GarbageCollectionForTesting() call which requires --expose-gc.

This patch changes the semantics as follows:
- Internal forced GCs use a Heap GC flag (kForcedGC)
- External forced GCs and GC extension use kGCCallbackFlagForced

Bug: chromium:1074061
Change-Id: Ide7ea0ccdf88b8c8cac002289aef5b7eb0f9748c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172747Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67498}

This reverts commit d29b2f81.

Reason for revert: accidental reland without fix

Original change's description:
> Reland^2 "[runtime] Amortize descriptor array growing for fast-mode prototypes"
> 
> Fix: check whether the map of the back pointer is the metamap rather than reading the map of the constructor-or-backpointer slot. If the slot contains a constructor, it's possible that the object transitions while the concurrent marker is reading the map (from which it's reading the instance type); and it's possible that the transitioned map isn't set up yet fully when we read the instance type. An acquire load for the constructor-or-backpointer map would also fix it by serializing stores, but is more expensive. Checking the metamap is faster.
> 
> In case of false negatives (it is a map but we read the field before it was properly initialized) we'll simply mark too many descriptors in the worst case.
> 
> Original change's description:
> > Revert "Reland "[runtime] Amortize descriptor array growing for fast-mode prototypes""
> > 
> > This reverts commit 71f9c117.
> > 
> > Reason for revert: Seems to cause several TSan flakes, e.g. https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20concurrent%20marking/12926
> > 
> > Original change's description:
> > > Reland "[runtime] Amortize descriptor array growing for fast-mode prototypes"
> > > 
> > > This is a reland of 2de2d3dc
> > > 
> > > Original change's description:
> > > > [runtime] Amortize descriptor array growing for fast-mode prototypes
> > > >
> > > > This avoids an O(n^2) algorithm that creates an equal amount of garbage.
> > > > Even though the actual final descriptor array might be a little bigger,
> > > > it reduces peak memory usage by allocating less.
> > > >
> > > > Bug: b:148346655
> > > > Change-Id: I984159d36e9e0b37c19bc81afc90c94c9a9d168a
> > > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135728
> > > > Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> > > > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > > > Cr-Commit-Position: refs/heads/master@{#67031}
> > > 
> > > Bug: b:148346655, v8:10339
> > > Change-Id: I24436d8f49dc1fe527c4f6558db1abcba323b6f8
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2139215
> > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > > Auto-Submit: Toon Verwaest <verwaest@chromium.org>
> > > Commit-Queue: Igor Sheludko <ishell@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#67475}
> > 
> > TBR=ulan@chromium.org,ishell@chromium.org,verwaest@chromium.org
> > 
> > Change-Id: I6fa02d0c89557eae33b792c1fe62c9c15eb0f7c7
> > No-Presubmit: true
> > No-Tree-Checks: true
> > No-Try: true
> > Bug: b:148346655, v8:10339
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172749
> > Reviewed-by: Clemens Backes <clemensb@chromium.org>
> > Commit-Queue: Clemens Backes <clemensb@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#67478}
> 
> TBR=ulan@chromium.org,clemensb@chromium.org,ishell@chromium.org,verwaest@chromium.org
> 
> Change-Id: Ib86e039374e721919cd5b02495c252ee7af283bd
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: b:148346655, v8:10339
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2173359
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67495}

TBR=ulan@chromium.org,clemensb@chromium.org,ishell@chromium.org,verwaest@chromium.org

Change-Id: Ia624ac774c021146b9b3b7e60372113c50a1ec61
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: b:148346655, v8:10339
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2173361Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67497}

When a background thread fails to allocate, it requests a GC and
retries the allocation afterwards. Make second allocation more likely
to succeed by allowing those allocations to expand the old space.

TLABs of LocalHeaps also need to be invalidated before the GC.

Bug: v8:10315
Change-Id: Idaea2c4ee25642d508c72ae274b06d60c6e225e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2154193
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67496}

Fix: check whether the map of the back pointer is the metamap rather than reading the map of the constructor-or-backpointer slot. If the slot contains a constructor, it's possible that the object transitions while the concurrent marker is reading the map (from which it's reading the instance type); and it's possible that the transitioned map isn't set up yet fully when we read the instance type. An acquire load for the constructor-or-backpointer map would also fix it by serializing stores, but is more expensive. Checking the metamap is faster.

In case of false negatives (it is a map but we read the field before it was properly initialized) we'll simply mark too many descriptors in the worst case.

Original change's description:
> Revert "Reland "[runtime] Amortize descriptor array growing for fast-mode prototypes""
> 
> This reverts commit 71f9c117.
> 
> Reason for revert: Seems to cause several TSan flakes, e.g. https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20concurrent%20marking/12926
> 
> Original change's description:
> > Reland "[runtime] Amortize descriptor array growing for fast-mode prototypes"
> > 
> > This is a reland of 2de2d3dc
> > 
> > Original change's description:
> > > [runtime] Amortize descriptor array growing for fast-mode prototypes
> > >
> > > This avoids an O(n^2) algorithm that creates an equal amount of garbage.
> > > Even though the actual final descriptor array might be a little bigger,
> > > it reduces peak memory usage by allocating less.
> > >
> > > Bug: b:148346655
> > > Change-Id: I984159d36e9e0b37c19bc81afc90c94c9a9d168a
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135728
> > > Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> > > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#67031}
> > 
> > Bug: b:148346655, v8:10339
> > Change-Id: I24436d8f49dc1fe527c4f6558db1abcba323b6f8
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2139215
> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Auto-Submit: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Igor Sheludko <ishell@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#67475}
> 
> TBR=ulan@chromium.org,ishell@chromium.org,verwaest@chromium.org
> 
> Change-Id: I6fa02d0c89557eae33b792c1fe62c9c15eb0f7c7
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: b:148346655, v8:10339
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172749
> Reviewed-by: Clemens Backes <clemensb@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67478}

TBR=ulan@chromium.org,clemensb@chromium.org,ishell@chromium.org,verwaest@chromium.org

Change-Id: Ib86e039374e721919cd5b02495c252ee7af283bd
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: b:148346655, v8:10339
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2173359Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67495}

Spilling a register in Liftoff require a scratch register when the
offset of the stack slot from fp is greater than 2^12. This CL adds
a check to LiftoffAssembler::Spill on arm to check that a scratch
register is available. It also fixes one case where the scratch register
was not available.

R=clemensb@chromium.org
CC=zhin@chromium.org

Bug: chromium:1075953
Change-Id: Idb2bc7e26e3d4fbd6bb0eb6c9a9b8cfd8b3c569e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172424
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67494}

Rolling to chrome/src is in
https://chromium-review.googlesource.com/c/chromium/src/+/2155530

Since auto rolling stop after 3/24/2020 and the rolling will cause
change of test status, I get this cl ready (but not running trybot due
to 1074260) and plan to hand roll after the submission of 2155530.

Bug: chromium:1064326, v8:9515, v8:10379, v8:10380, v8:10437
Change-Id: I19554f68cfdc5b717dfc7fc4b1222e9dc25b8d69
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2158486
Auto-Submit: Frank Tang <ftang@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67493}

Bug: v8:8179
Change-Id: I16170a197028beb35309b15613004b29a956896c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2171696Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67492}

The interpreter will be un-shipped soon, hence we cannot have a
compilation hint for interpreted execution.
This CL removes the respective enum value, removes a test which
specifically tested this one option, and adapts other code to use one of
the remaining hints.

R=ahaas@chromium.org

Bug: v8:10389
Change-Id: Ia754f7de95be271000a9e4e10ef2a3ee171da627
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172748Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67491}

Supporting WebAssembly evaluator modules requires support for passing
binary data as a parameter to CDP methods. Currently, the required base64
conversions are not implemented.

Bug: chromium:1020120
Change-Id: Ie74f93ee5accfa369aac428e5c5b5f882c921c52
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2152645
Commit-Queue: Philip Pfaffe <pfaffe@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67490}

The UnicodePropertyEscapeCodeSize test set the max code size as 150KB,
which is too strict for mips64. This CL loosen the limit to 200KB.

Bug: v8:10441
Change-Id: I8532d4d51eedd7713075d86e84c52a58d2412861
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172927Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#67489}

Bug: v8:10391
Change-Id: Ie019eb6253fdd29bfbae6a9f77c8b3396dacb599
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2134141
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67488}

Mechanical change to use std:: atomics instead.

Change-Id: If64cc972eb247c93e7080e9eb764cbc6b2cf35ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172966Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67487}

Bug: v8:9909
Change-Id: I881e5393e6eea16ed10624d4a81292c1241ee9dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172639Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Jing Bao <jing.bao@intel.com>
Cr-Commit-Position: refs/heads/master@{#67486}

Somehow the auto rolling of ICU does not happen after 2020/3/24
(see https://bugs.chromium.org/p/v8/issues/detail?id=10481) so I hand roll
ICU now.

For example, the following icu hash into chrome/src/DEPS was not yet
auto rolled after ~4 weeks:
2020/4/1 https://chromium-review.googlesource.com/c/chromium/src/+/2109133
2020/4/28 https://chromium-review.googlesource.com/c/chromium/src/+/2162266

Bug: chromium:1074578
Change-Id: I7ba0d240351f7458997e66a1e580564684a8b5a2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2173670Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67485}

Bug: v8:10180
Change-Id: I30d7eb8201701c081dc72f6d47f50133e496bdf9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169013
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67484}

Previously, we fixed the decoding of SIMD opcodes >= 0x80 that reads an
immediate. However, we left behind a TODO for SIMD opcodes <= 0x80. This
fixes it.

Given a byte sequence such as [0xfd, 0x80, 0x80, 0x0], it decodes to the
SIMD opcode S128LoadMem (the last 3 bytes decode to 0, it is not the
most efficient encoding, but is still valid). Then, when we are decoding
the immediate memarg that follows this, we need to skip ahead 3 bytes
(opcode_length). We were not doing that previously.

This patch changes the signature of SimdLaneImmediate and
Simd8x16ShuffleImmediate to make this requirement clearer. It takes a
new argument opcode_length, which is the number of bytes the LEB encoded
opcode takes up. The pc should then be passed in unchanged.

In function-body-decoder-impl.h, we also consistently pass down
opcode_length into the various helpers, and use that value to decode
immediates.

Changes have been made to wasm-interpreter to record the opcode_length
to be passed down to helpers.

Bug: chromium:1075719
Bug: v8:10258
Change-Id: I502c9ef47d4da2abadf14218bf0da19b291ec55c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2171460Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67483}

- vspltb
- vspltw
- vsplth


Change-Id: I76d42f301c10ff357a6b34825a3f6790b83758f9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2173243Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#67482}

Tweak the register allocation logic in liftoff-compiler.cc. If we reuse
src1 or src2 for dst, it complicates the logic in the codegen
significantly. We will need to check which operand dst is equals to,
back it up, then make sure the mask ends up in dst (since thats how vbsl
and bsl works, the first operand holds the mask and is overwritten). By
tweaking the allocation logic, no code gen is required for the other
backends.

Bug: v8:9909
Change-Id: I17843322508b18247c91e5959cf1b996b7f6a61d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2171468
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67481}

This reverts commit 908f08e4.

Reason for revert: Seems like it may be causing v8-fuzzer failures: https://ci.chromium.org/p/v8/builders/ci/V8%20Fuzzer/36017

Original change's description:
> [ast] Remove literal allocation from CallPrinter
> 
> Access literal data directly in CallPrinter, rather than allocating
> their values. This allows us to remove the isolate member from
> CallPrinter entirely.
> 
> Change-Id: Ib4203009c86b6778ee843e8956fc7cee2214841e
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2122019
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67471}

TBR=leszeks@chromium.org,verwaest@chromium.org

Change-Id: Ia7e0c95ee6ec58e5067d92c7517269fd334041a1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2171929Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67480}

... and bottlenecks for C++, CSA, Torque, TurboFan and hand-written
assembly.

Bug: v8:10391
Change-Id: I62f8c6f9c934b2cd492e550b7c25f1078c2c6a71
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2134140
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67479}

This reverts commit 71f9c117.

Reason for revert: Seems to cause several TSan flakes, e.g. https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20concurrent%20marking/12926

Original change's description:
> Reland "[runtime] Amortize descriptor array growing for fast-mode prototypes"
> 
> This is a reland of 2de2d3dc
> 
> Original change's description:
> > [runtime] Amortize descriptor array growing for fast-mode prototypes
> >
> > This avoids an O(n^2) algorithm that creates an equal amount of garbage.
> > Even though the actual final descriptor array might be a little bigger,
> > it reduces peak memory usage by allocating less.
> >
> > Bug: b:148346655
> > Change-Id: I984159d36e9e0b37c19bc81afc90c94c9a9d168a
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135728
> > Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#67031}
> 
> Bug: b:148346655, v8:10339
> Change-Id: I24436d8f49dc1fe527c4f6558db1abcba323b6f8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2139215
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Auto-Submit: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67475}

TBR=ulan@chromium.org,ishell@chromium.org,verwaest@chromium.org

Change-Id: I6fa02d0c89557eae33b792c1fe62c9c15eb0f7c7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: b:148346655, v8:10339
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172749Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67478}

Add a test to stop at a trap, inspect values, and step from there.
For inspection, we need to spill all registers, which we usually don't
do because the trap never returns, so the values won't be used
afterwards.

R=thibaudm@chromium.org

Bug: v8:10235
Change-Id: Ia1c21aa0faa3ca656e40aae626e8e912eaf2c233
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169890Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67477}

The output generated by --wasm-fuzzer-gen-test did not pass the
presubmit check:

* There was a trailing whitespace after "body";
* There was a trailing newline at the end;

Additionally the signature of addElementSegment changed at some point
and now also takes a table-index parameter.

R=thibaudm@chromium.org

Bug: v8:10155
Change-Id: I77481b0ac810a0e3ff06df24afa3ae22beaebb77
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172744Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67476}

This is a reland of 2de2d3dc

Original change's description:
> [runtime] Amortize descriptor array growing for fast-mode prototypes
>
> This avoids an O(n^2) algorithm that creates an equal amount of garbage.
> Even though the actual final descriptor array might be a little bigger,
> it reduces peak memory usage by allocating less.
>
> Bug: b:148346655
> Change-Id: I984159d36e9e0b37c19bc81afc90c94c9a9d168a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135728
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67031}

Bug: b:148346655, v8:10339
Change-Id: I24436d8f49dc1fe527c4f6558db1abcba323b6f8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2139215Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67475}

Port 22242cb1

R=jing.bao@intel.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I4bd073cda333620694d2d191ac1953976635efc4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2171926Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#67474}

With this CL the registers in a register pair get ordered such that the
low word register always has a lower register code than the high word
register. This should allow easier reasoning about the register
allocation, and prevent some register allocation bugs.

Background: for many operations in Liftoff, input registers are reused
as output registers. With register pairs, input register pairs are
reused as output register pairs. Additional reasoning, and sometimes
even additional code is needed when the registers of the output register
pair are swapped, i.e. when the high word register of the input becomes
the low word register of the output. With this CL the additional
reasoning is not necessary anymore, as the high word and low word
registers would get swapped during register allocation.

Additionally this CL fixes the logic of the last_spilled_regs list. This
list stored the last spilled registers, but recorded only one of the two
registers of a register pair. With this CL, both registers get recorded.

This CL does not have a regression test. The regression test was more
than 9000 lines long, and quite slow. I was not able to minimize it
substantially. The test would be fragile by nature, as it has to create
a special register configuration or otherwise does not test anything
meaningful. All in all I think it's better not to add the test.

R=clemensb@chromium.org

Bug: chromium:1074586
Change-Id: I4b2475b0c6537c7ce2e51fee281388cdd85f2953
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2168875Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67473}

Motivation:
Improve code efficiency by replacing runtime calls with manually
written turbofan code where possible.

Changes:
- Remove the runtime functions `Runtime_WasmNewMultiReturnFixedArray`
  and `Runtime_WasmNewMultiReturnJSArray` and replace them with
  turbofan code.
- Introduce the builtin function `WasmAllocateJSArray`.

R=clemensb@chromium.org
R=ecmziegler@chromium.org
R=jkummerow@chromium.org

Change-Id: Idc0db39286c4242392c0422919bbc8fd7bedf2af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2143816Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67472}

Access literal data directly in CallPrinter, rather than allocating
their values. This allows us to remove the isolate member from
CallPrinter entirely.

Change-Id: Ib4203009c86b6778ee843e8956fc7cee2214841e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2122019Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67471}

The original motivation of the test case is long outdated, and it
has been repurposed. Making some cosmetic changes to clarify.

R=szuend@chromium.org

Fixed: v8:10455
Change-Id: I02c2e6f83d3475478efd37dbe834fca5d415b829
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172419
Commit-Queue: Yang Guo <yangguo@chromium.org>
Auto-Submit: Yang Guo <yangguo@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67470}

Port 22242cb1
https://crrev.com/c/2169026

Change-Id: I76f8639d4d939924db13e69eb366ac064eef447c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172364Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#67469}

To reduce the number of deoptimizations in TurboProp use call feedback
only when we know the call target is a builtin. Given that we don't
inline in TurboProp, call feedback isn't really useful and using Generic
lowering doesn't impact performance much. TurboProp still inlines
builtins, so it is important to use this feedback for generating better
optimized code.

BUG: v8:10431
Change-Id: I24d51e43728f9aea3099767deb7800119fea40e2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2116033
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67468}

arguments[i] already returns undefined if arguments is not large
enough.

BUG=v8:10468

Change-Id: I0755014d0f1b61d5e3e2069ef4d14a9b51f2ebee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170092Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67467}

Hole checks are done using a lower level comparison.

Change-Id: I61c5b787f12564ad3553d395a36938a00f5dd554
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172418
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67466}

We don't have mips32 CPU or 32-bits OS, so we are not going to implement
these functions on mips32.

Change-Id: Ie37e5cea360526a82bbbc52ec3933d74c32fea6d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2167741Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#67465}

This is a reland of 43b885a8
This fixes another signed overflow in the unit test.

Original change's description:
> Reland "[turbofan][csa] optimize Smi untagging better"
>
> This is a reland of ff22ae80
>
> Original change's description:
> > [turbofan][csa] optimize Smi untagging better
> >
> > - Introduce new operator variants for signed right-shifts with the
> >   additional information that they always shift out zeros.
> > - Use these new operators for Smi untagging.
> > - Merge left-shifts with a preceding Smi-untagging shift.
> > - Optimize comparisons of Smi-untagging shifts to operate on the
> >   unshifted word.
> > - Optimize 64bit comparisons of values expanded from 32bit to use
> >   a 32bit comparison instead.
> > - Change CodeStubAssembler::UntagSmi to first sign-extend and then
> >   right-shift to enable better address computations for Smi indices.
> >
> > Bug: v8:9962
> > Change-Id: If91300f365e8f01457aebf0bd43bdf88b305c460
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135734
> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Georg Neis <neis@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#67378}
>
> Bug: v8:9962
> Change-Id: Ieab0755806c95fb50022eb17596fb0c95f36004c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170001
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67430}

Bug: v8:9962
TBR: neis@chromium.org
Change-Id: I79883db546bf37873b3727b8023ef688507091d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169103
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67464}

Follow-up to https://chromium-review.googlesource.com/c/v8/v8/+/1947688,
which unhid the third_party/jsoncpp directory, but the source subdir is
still synced via gclient so needs hiding.

Change-Id: Ica6f7e63e92dd9fa5a460e844a7d273f2ebe109c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169102
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67463}

This is a reland of 6a0e7224

Original change's description:
> [regexp] Limit the size of inlined choice nodes
>
> Codegen for unicode property escapes (e.g.: /\p{L}/u) can produce huge
> code objects. This effect can be further magnified through inlining,
> leading to exponential code growth in the size of the pattern.
>
> This CL is a (fairly hacky) way to avoid exponential growth. We
> recognize choice nodes with 'many' choices and disable inlining for
> them. In the future we should fix this properly, either by using the
> code size budget correctly, or by improving codegen for property
> escapes.
>
> Bug: v8:10441
> Change-Id: I817f145251ec8b1b9906cc735c9e9bdb004c98ed
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170229
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67433}

Tbr: yangguo@chromium.org
Bug: v8:10441
Change-Id: I9a16cc9e8248cb46d3d16a4e2d250968cc1b7b39
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172679Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67462}

Bug: v8:9909
Change-Id: Ic75c75fa3693a59bf059cf852172900ad95a1941
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169026
Commit-Queue: Jing Bao <jing.bao@intel.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67461}