- 15 Apr, 2019 6 commits
-
-
Bill Ticehurst authored
Check if storage for thread_local variables has been allocated before attempting to access such variables, as exceptions may be raised in the thread before this initialization is complete, causing an infinite loop. Bug: v8:8966 Change-Id: Ifc6223b74999a55bfd0ed2d6ebf054bbffd7e809 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1507714 Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by:
Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#60852}
-
Michael Hablich authored
This reverts commit 656f57bd. Reason for revert: This blocks lkgr advancement/rolling, see https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Linux%2064/31263. Please fix upstream tests first. Original change's description: > [wasm] Add off-by-default runtime flag for growing shared memory > > Grow memory isn't ready to ship in M75. > > Bug: v8:8564, chromium:951795 > Change-Id: I75602bce833653b7943f5606236a97ca6dbad5c9 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566239 > Reviewed-by: Ben Smith <binji@chromium.org> > Commit-Queue: Adam Klein <adamk@chromium.org> > Cr-Commit-Position: refs/heads/master@{#60836} TBR=binji@chromium.org,adamk@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: v8:8564, chromium:951795 Change-Id: If212f1b21699394b66e9e306d12a3baf37ccf4b6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565901 Reviewed-by:
Michael Hablich <hablich@chromium.org> Commit-Queue: Michael Hablich <hablich@chromium.org> Cr-Commit-Position: refs/heads/master@{#60848}
-
Dan Elphick authored
While crrev.com/c/1520721 tried to avoid collecting source positions when throwing exceptions, it failed because they were still collected in Isolate::CaptureStackTrace. This removes that collection point and lets SetStackFrameCacheCommon bail out when trying to set the stack frame cache for a bytecode that doesn't have source positions. It also adds tests that ensure source positions are not collected when an exception is thrown (although one is disabled as it does not yet work). Bug: v8:8510 Change-Id: Id5caf579dda549d637fa9b3129c419d524be5ff2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565898 Commit-Queue: Dan Elphick <delphick@chromium.org> Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#60847}
-
Frederik Gossen authored
Added test cases for entirely lazily compiled modules. They are treated just like empty modules are. Bug: v8:9003 Change-Id: Ic0fcae7de32e50a0aac271567c18159bf8154028 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1562130 Commit-Queue: Frederik Gossen <frgossen@google.com> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#60846}
-
Sergiy Belozorov authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/bee1272..a7f62a0 Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/2309843..b614c56 Rolling v8/third_party/icu: https://chromium.googlesource.com/chromium/deps/icu/+log/4ae7482..35f7e13 TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org Bug: v8:9131 Change-Id: Ie342eb673ea4c987bc8f2010e37e15a6626ae9d6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1567282 Commit-Queue: Sergiy Belozorov <sergiyb@chromium.org> Reviewed-by:
Sergiy Belozorov <sergiyb@chromium.org> Reviewed-by:
v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#60840}
-
Frederik Gossen authored
Tests streaming compilation with Wasm compilation hints enabled. In particular, validation errors in lazily compiled functions are covered. Bug: v8:9003 Change-Id: I81611988b8451ce2f6562962dbd50561f5086aef Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561310 Commit-Queue: Frederik Gossen <frgossen@google.com> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#60839}
-
- 13 Apr, 2019 1 commit
-
-
Adam Klein authored
Grow memory isn't ready to ship in M75. Bug: v8:8564, chromium:951795 Change-Id: I75602bce833653b7943f5606236a97ca6dbad5c9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566239 Reviewed-by:
Ben Smith <binji@chromium.org> Commit-Queue: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/master@{#60836}
-
- 12 Apr, 2019 21 commits
-
-
Z Duong Nguyen-Huu authored
Basically, SetPropertyInternal is called without handling COW map. Improve test coverage as well. Bug: chromium:951438 Change-Id: Iea8c818ab6a8ddea204f86a9d676a1ea42fd07f0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1562731 Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#60834}
-
Ross McIlroy authored
Should no longer be flaky since bug is fixed. BUG=v8:8964 TBR=machenbach@chromium.org Change-Id: I3fc124aca8bcfc16ddf7560d48d84dc01d4ce332 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564069 Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Auto-Submit: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#60833}
-
Sathya Gunasekaran authored
This reverts commit 68ba8574. Reason for revert: breaks windows builds https://ci.chromium.org/p/v8/builders/ci/V8%20Win32%20-%20builder/27839 Original change's description: > Fix array.concat with double for sealed, frozen object > > Treat packed sealed, frozen element as packed element. > Also rename to IsPackedFrozenOrSealedElementsKind. > > Bug: chromium:951988 > Change-Id: Ia636f0a14a229e4c44772627728927db1b877f27 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565470 > Reviewed-by: Toon Verwaest <verwaest@chromium.org> > Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> > Cr-Commit-Position: refs/heads/master@{#60831} TBR=jarin@chromium.org,ishell@chromium.org,verwaest@chromium.org,duongn@microsoft.com Change-Id: I84caf106dbdd2209aef0a994173e1c3982e9f7b1 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:951988 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565542 Reviewed-by:
Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#60832}
-
Z Duong Nguyen-Huu authored
Treat packed sealed, frozen element as packed element. Also rename to IsPackedFrozenOrSealedElementsKind. Bug: chromium:951988 Change-Id: Ia636f0a14a229e4c44772627728927db1b877f27 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565470 Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Cr-Commit-Position: refs/heads/master@{#60831}
-
Sathya Gunasekaran authored
Bug: v8:9060 Change-Id: Ia58f7f9e19726f26dd09665d32efc1037f71e7e2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1560409 Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Reviewed-by:
Mathias Bynens <mathias@chromium.org> Cr-Commit-Position: refs/heads/master@{#60830}
-
Z Duong Nguyen-Huu authored
For slow-path of array.includes, it should be able to handle if arguments is undefined for sealed/frozen object Bug: chromium:951780 Change-Id: I42dcf1e23ab07bfcd87e7a5d27b52e66b2d1d2ae Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565031 Reviewed-by:
Simon Zünd <szuend@chromium.org> Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Cr-Commit-Position: refs/heads/master@{#60829}
-
Clemens Hammacher authored
This reverts commit 3d1d8eae. Reason for revert: Speculative revert; seems to break all nosnap bots, e.g. https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20nosnap/25240 Original change's description: > [heap] Skip ro-space from heap iterators, add CombinedHeapIterator. > > Read-only space sharing requires an iterator independent of heap. This > also enables future removal of read-only space from heap. > > Bug: v8:7464 > Change-Id: Ia07a9369494ea2c547d12c01ffa1d7b8b6bbeabc > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552795 > Commit-Queue: Maciej Goszczycki <goszczycki@google.com> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Dan Elphick <delphick@chromium.org> > Cr-Commit-Position: refs/heads/master@{#60819} TBR=ulan@chromium.org,hpayer@chromium.org,delphick@chromium.org,goszczycki@google.com Change-Id: I64b58b1b0c5eb073a6d2cfae81bb4de65f0511bf No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:7464 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565895 Reviewed-by:
Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#60825}
-
Benedikt Meurer authored
This adds a new flag --modify-field-representation-inplace (enabled by default), which lets the runtime perform field representation changes for Smi to Tagged or for HeapObject to Tagged in-place instead of creating new maps and marking the previous map tree as deprecated. That means we create (a lot) fewer Maps and DescriptorArrays in the beginning and also need to self-heal fewer objects later (migrating off the deprecated maps). In TurboFan we just take the "field owner dependency" whenever we use the field representation, which is very similar to what we already do for the field types. That means if we change the representation of a field that we used in optimized code, we will simply deoptimize that code and have TurboFan potentially later optimize it again with the new field representation. On the Speedometer2/ElmJS-TodoMVC test, this reduces the total execution time from around 415ms to around 352ms, which corresponds to a **15%** improvement. The overall Speedometer2 score improves from around 74.1 to around 78.3 (on local runs with content_shell), corresponding to a **5.6%** improvement here.
On the CNN desktop browsing story, it seems that we reduce map space utilization/fragmentation by about 4-5%. But since we allocate a lot less (fewer Maps and DescriptorArrays) we also significantly change the GC timing, which heavily influences the results here. So take this with a grain of salt. Note: For Double fields, this doesn't change anything, meaning they still create new maps and deprecate the previous map trees. Bug: v8:8749, v8:8865, v8:9114 Change-Id: Ibd70efcb59be982863905663dbfaa89aa5b31e14 Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel Doc: http://bit.ly/v8-in-place-field-representation-changes Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565891 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#60822}
-
Maciej Goszczycki authored
Read-only space sharing requires an iterator independent of heap. This also enables future removal of read-only space from heap. Bug: v8:7464 Change-Id: Ia07a9369494ea2c547d12c01ffa1d7b8b6bbeabc Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552795 Commit-Queue: Maciej Goszczycki <goszczycki@google.com> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#60819}
-
Georg Neis authored
... all of the kind that modifies the accumulator but no other registers. Also move a few of that kind out of the IGNORED_BYTECODES list, where they didn't belong. R=mslekova@chromium.org Bug: v8:7790 Change-Id: I67189750e5e01fc8a3b6b5117b61a0d21837693a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561320 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by:
Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#60817}
-
Michael Achenbach authored
This enables test suites to check which test driver framework is used. When using number fuzzer on mjsunit, we add a JS file that switches off the optimization-state assertions. Checking intrinsic state is not feasible on the number fuzzer and in the past, we needed to skip tests on demand, which is a maintenance burden. The main function of the fuzzer, to check for dcheck errors and tsan issues, is retained. Bug: v8:9127 Change-Id: I699b85d5f7c9aaed337a2130d9eddc160c059d7b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565892 Reviewed-by:
Sergiy Belozorov <sergiyb@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#60816}
-
Georg Neis authored
Bug: v8:7790 Change-Id: Iab5df5e0f387612dfdb1f68b34941e65fe8e256c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561314 Reviewed-by:
Maya Lekova <mslekova@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#60815}
-
Sergiy Belozorov authored
This is not fixing the root cause of the flakiness, but prevents us from losing data in the short to medium term as investigation proved to be difficult and will likely take even more time. R=machenbach@chromium.org, tmrts@chromium.org Bug: chromium:872257 Change-Id: Id5fbd0a00058f8612089ee4d6a858193924bd868 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564204 Commit-Queue: Sergiy Belozorov <sergiyb@chromium.org> Reviewed-by:
Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#60814}
-
Benedikt Meurer authored
Previously we had some kind of self-healing when calling lazy accessor pairs via InvokeApiFunction(), but we also have other paths for calling into FunctionTemplateInfos directly, which didn't do this check. Since we already walk the heap when installing the DebugBreakTrampoline, and compile all uncompiled functions, we can also just forcibly instantiate all the lazy accessor pairs at that time and not have to worry about the break-at-entry later. Bug: v8:178, v8:7596, v8:8834 Cq-Include-Trybots: luci.chromium.try:linux-blink-rel Change-Id: I514392cf328fc8ed0b80ad19009f32e20ff850b8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565890 Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#60813}
-
Igor Sheludko authored
To keep things simple, we just ensure that the spill slots always contain full uncompressed pointers before GC sees them. Bug: v8:8977, v8:7703 Change-Id: I54eab1b3e79e8525200139e487ff64d82ae157e5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564198 Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#60811}
-
Michael Hablich authored
This reverts commit 1416d5a5. Reason for revert: blocks roll https://chromium-review.googlesource.com/c/chromium/src/+/1564550 Original change's description: > [map] Support in-place field representation changes. > > This adds a new flag --modify-field-representation-inplace (enabled by > default), which lets the runtime perform field representation changes > for Smi to Tagged or for HeapObject to Tagged in-place instead of > creating new maps and marking the previous map tree as deprecated. > > That means we create (a lot) fewer Maps and DescriptorArrays in the > beginning and also need to self-heal fewer objects later (migrating > off the deprecated maps). In TurboFan we just take the "field owner > dependency" whenever we use the field representation, which is very > similar to what we already do for the field types. That means if we > change the representation of a field that we used in optimized code, > we will simply deoptimize that code and have TurboFan potentially > later optimize it again with the new field representation. > > On the Speedometer2/ElmJS-TodoMVC test, this reduces the total execution > time from around 415ms to around 352ms, which corresponds to a **15%** > improvement. The overall Speedometer2 score improves from around 74.1 > to around 78.3 (on local runs with content_shell), corresponding to a > **5.6%** improvement here.
> > On the CNN desktop browsing story, it seems that we reduce map space > utilization/fragmentation by about 4-5%. But since we allocate a lot > less (fewer Maps and DescriptorArrays) we also significantly change > the GC timing, which heavily influences the results here. So take this > with a grain of salt. > > Note: For Double fields, this doesn't change anything, meaning they > still create new maps and deprecate the previous map trees. > > Bug: v8:8749, v8:8865, v8:9114 > Change-Id: I694a53f87ae5caeb868fd98a21809b66d4297d35 > Cq-Include-Trybots: luci.chromium.try:linux-blink-rel > Doc: http://bit.ly/v8-in-place-field-representation-changes > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561132 > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> > Reviewed-by: Igor Sheludko <ishell@chromium.org> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Cr-Commit-Position: refs/heads/master@{#60764} TBR=jarin@chromium.org,neis@chromium.org,ishell@chromium.org,bmeurer@chromium.org,verwaest@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: v8:8749, v8:8865, v8:9114 Change-Id: I666975d08d51bbe7ab4faec9428b9a1f88e9b322 Cq-Include-Trybots: luci.chromium.try:linux-blink-rel Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564208 Reviewed-by: Michael Hablich <hablich@chromium.org> Commit-Queue: Michael Hablich <hablich@chromium.org> Cr-Commit-Position: refs/heads/master@{#60807}
-
Frank Tang authored
Bug: v8:9081 Change-Id: I505e8ee4bf58f2da09962ae9a7056931435c10f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1562587 Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/master@{#60806}
-
Simon Zünd authored
This reverts commit ffe6940f. Reason for revert: Breaks UBSan bot Original change's description: > Reland^2 "[torque] Throw exception instead of aborting if something goes wrong" > > This is a reland of 251d1623 > > The reland fixes ASAN component builds by adding RTTI build config to both > torque executables. Big thanks to sigurds for finding the fix. > > Original change's description: > > Reland "[torque] Throw exception instead of aborting if something goes wrong" > > > > This is a reland of 3bd49f9b > > > > The issue on the windows bot is apparently a compiler bug in MSVC related to > > move construction. The fix seems to be to change the order of the fields in > > "JsonParseResult" (go figure). > > > > Drive-by-change: Fix LS on windows by emitting correct line endings and > > enabling exceptions for the LS executable as well. > > > > Original change's description: > > > [torque] Throw exception instead of aborting if something goes wrong > > > > > > This CL enables exceptions for the Torque compiler and Torque language > > > server. Instead of aborting when something goes wrong during > > > compilation, a TorqueError is thrown, containing the error message > > > and a source position. The compiler executable still prints the error > > > and aborts, while the language server will pass this information > > > along to the client (not included in this CL).
> > > > > > R=danno@chromium.org > > > > > > Bug: v8:8880 > > > Change-Id: Iad83c46fb6a91c1babbc0ae7dbd94fbe4e7f1663 > > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526003 > > > Reviewed-by: Daniel Clifford <danno@chromium.org> > > > Commit-Queue: Simon Zünd <szuend@chromium.org> > > > Cr-Commit-Position: refs/heads/master@{#60512} > > > > Bug: v8:8880 > > Change-Id: I00e6591bbb4c516dd7540a7e27196853bc637f11 > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545995 > > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > > Commit-Queue: Simon Zünd <szuend@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#60736} > > Bug: v8:8880 > Change-Id: Iba198d771169283e83e74324f27aa9e90b8d8975 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1563770 > Reviewed-by: Sigurd Schneider <sigurds@chromium.org> > Commit-Queue: Simon Zünd <szuend@chromium.org> > Cr-Commit-Position: refs/heads/master@{#60804} TBR=sigurds@chromium.org,tebbi@chromium.org,szuend@chromium.org Change-Id: I30ccec8ac28158c102a4e9a01074432172685f96 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:8880 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564207 Reviewed-by:
Simon Zünd <szuend@chromium.org> Commit-Queue: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/master@{#60805}
-
Simon Zünd authored
This is a reland of 251d1623 The reland fixes ASAN component builds by adding RTTI build config to both torque executables. Big thanks to sigurds for finding the fix. Original change's description: > Reland "[torque] Throw exception instead of aborting if something goes wrong" > > This is a reland of 3bd49f9b > > The issue on the windows bot is apparently a compiler bug in MSVC related to > move construction. The fix seems to be to change the order of the fields in > "JsonParseResult" (go figure). > > Drive-by-change: Fix LS on windows by emitting correct line endings and > enabling exceptions for the LS executable as well. > > Original change's description: > > [torque] Throw exception instead of aborting if something goes wrong > > > > This CL enables exceptions for the Torque compiler and Torque language > > server. Instead of aborting when something goes wrong during > > compilation, a TorqueError is thrown, containing the error message > > and a source position. The compiler executable still prints the error > > and aborts, while the language server will pass this information > > along to the client (not included in this CL). > > > > R=danno@chromium.org > > > > Bug: v8:8880 > > Change-Id: Iad83c46fb6a91c1babbc0ae7dbd94fbe4e7f1663 > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526003 > > Reviewed-by: Daniel Clifford <danno@chromium.org> > > Commit-Queue: Simon Zünd <szuend@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#60512} > > Bug: v8:8880 > Change-Id: I00e6591bbb4c516dd7540a7e27196853bc637f11 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1545995 > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > Commit-Queue: Simon Zünd <szuend@chromium.org> > Cr-Commit-Position: refs/heads/master@{#60736} Bug: v8:8880 Change-Id: Iba198d771169283e83e74324f27aa9e90b8d8975 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1563770 Reviewed-by:
Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/master@{#60804}
-
Simon Zünd authored
Adding a 'PrepareFunctionForOptimization' call will prevent the test case in question from becoming flaky when stress testing bytecode flushing. R=jarin@chromium.org Bug: v8:9123 Change-Id: If192ebf571d3cd4f0d1ee31bc3f6313b74d3c866 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564202 Auto-Submit: Simon Zünd <szuend@chromium.org> Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by:
Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#60803}
-
Simon Zünd authored
This CL changes the Symbol "stack_trace_symbol" to directly hold a FrameArray instead of wrapping it with a JSArray first. Bug: v8:9115 Change-Id: I2ac0b1fb380211568abdc6d9f50431c405349dec Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564060 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/master@{#60801}
-
- 11 Apr, 2019 12 commits
-
-
Ben Smith authored
See intent to ship here: https://groups.google.com/forum/#!topic/v8-users/zM05lYEBVog wasm-module-builder.js is also changed to use the new syntax for specifying a table index in an element segment. In the MVP, the table index was always zero. The reference types proposal adds support for multiple tables, and originally used this value to specify a non-zero table index. The bulk memory proposal needed a way to specify a passive element segment, so it re-purposed the table index as a flags field and uses a different field for the table index. Bug: v8:7747 Change-Id: If24f2d04e88a29b714f1a78ed417803bae702c76 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1560215 Commit-Queue: Ben Smith <binji@chromium.org> Reviewed-by:
Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/master@{#60796}
-
Deepti Gandluri authored
Bug: chromium:925244 Change-Id: If9c00f85b1dece93057b541bf0fe1b0a05b81ceb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1565032 Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Reviewed-by:
Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#60795}
-
Jaroslav Sevcik authored
This is particularly useful to fuzzers that seek to provoke optimization. Bug: v8:9119 Change-Id: I729f72a0e22686fbd56793875175c230e0230823 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564196 Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by:
Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#60794}
-
Z Duong Nguyen-Huu authored
The last step in array.splice slow-path is to update length of the array https://cs.chromium.org/chromium/src/v8/src/builtins/array-splice.tq?rcl=59a29d88cc5972d2323a80a70de19ffd2812e5e4&l=349. For sealed object, it should be nop. Bug: chromium:951164 Change-Id: I0c3098526c7df6c4dd734dd6c79cc0bba3b9b213 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559217 Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#60793}
-
Frank Tang authored
Bug: v8:9110 Change-Id: I834ce91e8c77dc04fa261abb9bd415eb03bf949e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1562732 Reviewed-by:
Michael Achenbach <machenbach@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/master@{#60788}
-
Z Duong Nguyen-Huu authored
It should work when Object.defineProperty is used to set a new value for a sealed object. Add more tests to cover this case as well. Bug: chromium:951374 Change-Id: Idbbcc052b627587c71d5b5252340130d0fdfd595 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1562470 Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Cr-Commit-Position: refs/heads/master@{#60786}
-
Clemens Hammacher authored
The shared engine tests started flaking. They have been broken for some time, because the shared pointer to the {NativeModule} has temporary additional users during compilation (in the {BackgroundCompileScope}). This CL fixes the test by just removing the checks for use counts. R=mstarzinger@chromium.org Bug: v8:9117 Change-Id: Ia55ce66426f8d85c0ed8e4185aa6e507a6d327ef Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564056 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Auto-Submit: Clemens Hammacher <clemensh@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#60781}
-
Tobias Tebbi authored
This adds references to HeapObject fields to Torque. The syntax is based on Rust (which is essentially C pointer syntax). The type &T is a reference to T (which must be a scalar type for now). We can create references from field access expressions, using the addressof(&) operator: &obj.fieldname To read or assign a reference, we use the dereference(*) operator: *someref = *otherref This CL also uses references internally for normal class field accesses, but only if there is no overload for field accessor functions. This allows to have overloaded field accessors for a subtype like FastJSArray. However, there is a change in behavior in that an operator ".fieldname" will stop reference creation and will therefore also stop write access to a class field of the same name. That's why this CL had to add a write overload ".length=" for FastJSArray. References desugar to a pair of a tagged HeapObject pointer and an untagged offset into this HeapObject. On the CSA-side, they are represented by the C++ struct struct TorqueReference { TNode<HeapObject> object; TNode<IntPtrT> offset; }; Bug: v8:7793 Change-Id: Ica6468d47847bd68fb6b85f731cf8fbe142fa401 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557151 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by:
Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#60780}
-
Clemens Hammacher authored
The {code_table_} in {NativeModule} is protected by the {allocation_mutex_}. The {code} and {code_table} accessors did not acquire this lock though. This CL removes the unsafe {code_table} accessor, renames {code} to {GetCode} and protects it by a lock. R=mstarzinger@chromium.org Bug: v8:9112 Change-Id: Id2df68460b4c10291a49b4016b9574e02744e8b9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561315 Reviewed-by:
Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#60779}
-
Clemens Hammacher authored
On x64, we allocate one big code region such that we can use near jumps and near calls. The jump table did not make use of that design yet. This CL changes that by emitting jump table slots as near jumps. This also speeds up patching jump table slots significantly, since far jumps populate the inline constant pool, which is unneeded overhead in this case. As a drive-by, this CL cleans up the API of near_call and near_jmp. The current semantics is broken, and only works because this is only used for WebAssembly calls which are patched anyway after code generation. Also, x64 now uses the same path in test-jump-table-assembler.cc as arm64 to ensure that all targets are within near-call-distance. R=mstarzinger@chromium.org Bug: v8:8916 Change-Id: Iffc34e248b72167307ffdab62dd2212c4ae86a32 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1561313 Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#60777}
-
Jaroslav Sevcik authored
Bug: v8:9113 Change-Id: I413d9df34f0bdea9c30db33ad79891218e229341 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1564053 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#60776}
-
Seth Brenith authored
When clearing a DebugInfo, we need to check whether that function is currently executing and, if so, update the on-stack BytecodeArray pointer to refer to the original BytecodeArray. Otherwise, the original BytecodeArray might get flushed, which can cause problems when attempting to resume execution of the function. Bug: v8:9067 Change-Id: Ief28a501294f5a34052e13f618fa084311eaa0b8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1548573 Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Commit-Queue: Seth Brenith <seth.brenith@microsoft.com> Cr-Commit-Position: refs/heads/master@{#60774}
-