In particular
* use variadic templates in BodyDescriptorApply(),
* ensure all the relevant classes have BodyDescriptor definition,
* ensure "objects-body-descriptors[-inl].h" headers are included only
  where necessary.

Bug: v8:12425
Change-Id: I7a95ed94bf62952e3d22d419d4a65ad2fe959d57
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3312273Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78242}

Bug: chromium:1276129
Change-Id: I346d91282bccb4f75a8dfeec5e359d4a5c9a4891
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3317416
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78238}

... by using cage-friendly versions of HeapObject::IsBlah(),
HeapObject::map(), HeapObject::map_word() and HeapObject::Size()
on hot paths.

Bug: v8:11880
Change-Id: I70b72e46cc867b6b2ddbc48cd5e6a74ae4208397
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3308800Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78161}

This will allow making HeapObject::IsBlah() checks faster when external
code space is enabled.

Bug: v8:11880
Change-Id: Ibee4e19859c23f11316e3cfd7961f58d8e58240a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3301478
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78153}

... and thus avoid the need for special handling of objects located
in external code space.

This will also allow making HeapObject::IsBlah() checks faster when
external code space is enabled.

Bug: v8:11880
Change-Id: I12d07c05451ff198f0a6182d9b5849f76015e7fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3300140Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78104}

Prior to this CL we regularly generated high counts of code
dependencies, and installation was not the most efficient.

This CL 1) implements early dependency deduplication and
2) simplifies the way dependencies are persisted on the heap
through DependentCode.

Re 1): we dedupe twice, once based on the CompilationDependency
contents, and again once we know the final target object.

Re 2): Instead of a linked list of weak fixed arrays per
dependency group, store deps in a flat array together with a
bitset of their dependency groups.

See also:
https://docs.google.com/document/d/1B34S1s3Iv6hbquZ93RugD0b-ZKfHEptJ8Fk_YyOvjDk/edit

Bug: v8:12195,v8:12397
Change-Id: I9ab47f6d87b10558194b5de30a36b1122f7e362a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3283074Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77969}

Bug: v8:12244,v8:12245
Change-Id: I3029cfb8e9afdcb5e53aa406359aa7246c23ea40
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3274021Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77906}

The is_shared bit bumps the number of reserved bits for Strings'
InstanceType from 6 to 7. This has the side effect of shuffling the
InstanceType enum values.

There are no users of this bit yet. This is steps 1-2 from the following
design doc [1], in preparation for sharing internalized and
in-place-internalizable strings.

[1] https://docs.google.com/document/d/1c5i8f2EfKIQygGZ23hNiGxouvRISjUMnJjNsOodj6z0/edit?usp=sharing

Bug: v8:12007
Change-Id: Idf11a6035305f0375b4f824ffd32a64f6b5b043b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3266017
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77831}

Directly memcpy char* literals if they fit in the current pending
part. This avoids incremental checks for the current part size.

This will improve JSON.stringify for objects with lots of
true, false, null values by roughly 10%;

Drive-by-fix:
- Improve JSON.stringify for empty [] and {}
- Add IncrementalStringBuilder::NoExtend DECHECKs

Bug: v8:12195
Change-Id: I81ebc9e088cf983adbcfb2d768137e4a3cef9a7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3260524Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77817}

Bug: v8:12244,v8:12245
Change-Id: I1ec0d96b645afa9bbda670918ce57be3698f50ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3265684
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77804}

Due to caching issues we will not be able to store host-defined options
directly on the Script anymore. ScriptOrModule can thus no longer be
a i::Script.

NodeJS keeps weak references from ScriptOrModule to their import meta
data. This CL changes ScriptOrModule to be a temporary struct which has
a different lifetime. As a temporary fix until the API is fully updated
we introduce the v8_scriptormodule_legacy_lifetime compile-time flag.
It keeps references to ScriptOrModule alive on the Script to restore the
previous behavior (at an additional memory cost).

Bug: chromium:1244145
Change-Id: I1dc42d25930d7bc4f22ee3c9bba93d89425be406
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3211575
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77382}

Bug: v8:12244
Change-Id: I7ea68dd74a376221631d7f56b4a012207f68a1ec
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3182899Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77129}

Bug: chromium:1250660, v8:7790
Change-Id: If96ab8879f54549b3b3d92ef2b1c13344dca17b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3171154
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76936}

It must be possible to determine an object's size on the heap without
relying on the presence of any other objects. Specifically, if an
object and its WasmTypeInfo die at the same time, they can be swept
in any order, and the sweeper may need to know their sizes.
This patch solves the problem by repurposing two bytes in the Map,
where WasmStructs can store their instance size, and WasmArrays can
store their element size (which can be used to compute their size).

Fixed: chromium:1240670
Change-Id: Ib960fd0a409936aff1aef4daafed4c38b8497880
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3106649
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76391}

Re-enable the creation of elements transition groups in
JSHeapBroker::ProcessFeedbackMapsForElementAccess. This turned out to be
quite important for performance.

Bug: v8:7790,v8:12031
Change-Id: I4d24837a668a5f7e78a5078212a7dc34b767d703
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3085262Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76215}

The getter and setter members may be set after initialization; in that
case, use acquire-release semantics.

Bug: v8:7790, chromium:1236965
Change-Id: Ia28c89b664787ff92a56a2f6dcc4d76655df5ff3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3080567Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76164}

- Add V8_WARN_UNUSED_RESULT to TryCopyAndConvertArrayToCppBuffer
  methods
- Remove --force-slow-path implications in
  Object::IterationHasObservableEffects

Bug: v8:11739
Change-Id: I20dcac1c460c6ee116ff372806cdf8764a99d9f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3063504Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76037}

Rename CopyAndConvertArrayToCppBuffer as
TryCopyAndConvertArrayToCppBuffer and implement type specialization for
int32_t and double in order to speed up V8 bindings with sequences.

This API is used by Blink code, for example see
https://chromium-review.googlesource.com/c/chromium/src/+/3027405.

Bug: v8:11739
Change-Id: I026a7f5e7833fb1afcc2ea9c296b66c7f733cbb1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3036407
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76016}

Bug: v8:11111
Change-Id: Ib3ae55349024ebeab9ceaf9472a6de2b4d86ce55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3056975Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75993}

This is a reland of e24fa913
It fixes the heap verification errors by going back to using MakeThin
instead of manually creating a filler (that then makes the verifier
think that this was array left-trimming).

Original change's description:
> [offthread] Template deserializer on Isolate
>
> Make the deserializer class templated on Isolate/LocalIsolate. This
> allows the ObjectSerializer to be split into a main-thread and offthread
> variant, with the latter taking a LocalIsolate.
>
> Eventually, we probably want to anyway split off the code-cache de/serializer
> to a separate implementation (for various reasons), and this the only one that
> wants off-thread finalization, and at this point the deserializer can revert
> back to being un-templated, used only for bootstrapping. However, this is the
> simplest way, for now, to enable off-thread deserialization.
>
> Bug: chromium:1075999
> Change-Id: I49c0d2c5409f0aa58183673785296756c3714f22
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2562254
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75834}

Bug: chromium:1075999
Change-Id: I1d81fad2550a2a9f04dd0f9d8e66422d28faf378
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043960Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75918}

* Avoid accessing thread_local_top directly and use getters:
  - scheduled_exception
  - pending_exception
  - pending_message

* Rename pending_message_obj to pending_message

Bug: chromium:1014421
Change-Id: I080b7d5919e180a943776c79ee9321235d58d3c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3010278Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75864}

This reverts commit e24fa913.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac64%20GC%20Stress/18917/overview

Original change's description:
> [offthread] Template deserializer on Isolate
>
> Make the deserializer class templated on Isolate/LocalIsolate. This
> allows the ObjectSerializer to be split into a main-thread and offthread
> variant, with the latter taking a LocalIsolate.
>
> Eventually, we probably want to anyway split off the code-cache de/serializer
> to a separate implementation (for various reasons), and this the only one that
> wants off-thread finalization, and at this point the deserializer can revert
> back to being un-templated, used only for bootstrapping. However, this is the
> simplest way, for now, to enable off-thread deserialization.
>
> Bug: chromium:1075999
> Change-Id: I49c0d2c5409f0aa58183673785296756c3714f22
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2562254
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75834}

Bug: chromium:1075999
Change-Id: Id699ebe0c17d3a61ec35b0f78417306175271647
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041675Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75836}

Make the deserializer class templated on Isolate/LocalIsolate. This
allows the ObjectSerializer to be split into a main-thread and offthread
variant, with the latter taking a LocalIsolate.

Eventually, we probably want to anyway split off the code-cache de/serializer
to a separate implementation (for various reasons), and this the only one that
wants off-thread finalization, and at this point the deserializer can revert
back to being un-templated, used only for bootstrapping. However, this is the
simplest way, for now, to enable off-thread deserialization.

Bug: chromium:1075999
Change-Id: I49c0d2c5409f0aa58183673785296756c3714f22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2562254Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75834}

Bug: chromium:1066980
Change-Id: I5c5e34b970a3b7a87abbec23110588518e99f6af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3036345
Auto-Submit: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75806}

This is a reland of 819c3ae2

Original change's description:
> Reland "Reland "Improve error messages for property access on null/undefined""
>
> This is a reland of 8b18c5e6
>
> Original change's description:
> > Reland "Improve error messages for property access on null/undefined"
> >
> > This is a reland of 24c626c1
> >
> > Original change's description:
> > > Improve error messages for property access on null/undefined
> > >
> > > Only print the property name when accessing null/undefined if we can
> > > convert it to a string without causing side effects.
> > > If we can't, omit the property name in the error message.
> > > This should avoid confusion when the key is an object with toString().
> > > E.g. undefined[{toString:()=>'a'}] doesn't print 'read property [object
> > > Object]' anymore, which was misleading since the property accessed would
> > > be 'a', but we can't evaluate the key without side effects.
> > >
> > > Bug: v8:11365
> > > Change-Id: If82d1adb42561d4851e2bd2ca297a1c71738aee8
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960211
> > > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#75250}
> >
> > Bug: v8:11365
> > Change-Id: Ie2312337f4f1915faa31528a728d90833d80dbd1
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979599
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#75571}
>
> Bug: v8:11365
> Change-Id: I90360641ecd870bd93247aa6d91dfb0ad049cfb8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008219
> Auto-Submit: Patrick Thier <pthier@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75604}

Bug: v8:11365
Change-Id: I002b537144f328ccbbdcd655e26e5dc87c49c6f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013935Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75645}

This reverts commit 819c3ae2.

Reason for revert: Sorry Patrick, still failing on some layout tests :( https://test-results.appspot.com/data/layout_results/mac-rel/726365/blink_web_tests%20%28retry%20shards%20with%20patch%29/layout-test-results/results.html

Original change's description:
> Reland "Reland "Improve error messages for property access on null/undefined""
>
> This is a reland of 8b18c5e6
>
> Original change's description:
> > Reland "Improve error messages for property access on null/undefined"
> >
> > This is a reland of 24c626c1
> >
> > Original change's description:
> > > Improve error messages for property access on null/undefined
> > >
> > > Only print the property name when accessing null/undefined if we can
> > > convert it to a string without causing side effects.
> > > If we can't, omit the property name in the error message.
> > > This should avoid confusion when the key is an object with toString().
> > > E.g. undefined[{toString:()=>'a'}] doesn't print 'read property [object
> > > Object]' anymore, which was misleading since the property accessed would
> > > be 'a', but we can't evaluate the key without side effects.
> > >
> > > Bug: v8:11365
> > > Change-Id: If82d1adb42561d4851e2bd2ca297a1c71738aee8
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960211
> > > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#75250}
> >
> > Bug: v8:11365
> > Change-Id: Ie2312337f4f1915faa31528a728d90833d80dbd1
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979599
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#75571}
>
> Bug: v8:11365
> Change-Id: I90360641ecd870bd93247aa6d91dfb0ad049cfb8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008219
> Auto-Submit: Patrick Thier <pthier@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75604}

Bug: v8:11365
Change-Id: I7d7c0f201288384c2aa38a51418b582a64213ae0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013352
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75626}

This is a reland of 8b18c5e6

Original change's description:
> Reland "Improve error messages for property access on null/undefined"
>
> This is a reland of 24c626c1
>
> Original change's description:
> > Improve error messages for property access on null/undefined
> >
> > Only print the property name when accessing null/undefined if we can
> > convert it to a string without causing side effects.
> > If we can't, omit the property name in the error message.
> > This should avoid confusion when the key is an object with toString().
> > E.g. undefined[{toString:()=>'a'}] doesn't print 'read property [object
> > Object]' anymore, which was misleading since the property accessed would
> > be 'a', but we can't evaluate the key without side effects.
> >
> > Bug: v8:11365
> > Change-Id: If82d1adb42561d4851e2bd2ca297a1c71738aee8
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960211
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#75250}
>
> Bug: v8:11365
> Change-Id: Ie2312337f4f1915faa31528a728d90833d80dbd1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979599
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75571}

Bug: v8:11365
Change-Id: I90360641ecd870bd93247aa6d91dfb0ad049cfb8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008219
Auto-Submit: Patrick Thier <pthier@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75604}

TurboFan reads the value in HeapNumber, and TSAN detects a data
race between this read and sets on the main thread elsewhere.
We mark this as relaxed atomic (meaning, correct value of the read
is not guaranteed). The compiler uses the dependency mechanism
to re-read the value safely on the main thread later, and aborts
compilation if a change is detected.

Bug: chromium:1224277, v8:7790
Change-Id: I8931d8989812550c0c57b6bd27aa796f6f5e779d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2996201Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75586}

This reverts commit 8b18c5e6.

Reason for revert: Still failing: https://test-results.appspot.com/data/layout_results/V8_Blink_Linux/12469/blink_web_tests%20%28retry%20shards%20with%20patch%29/layout-test-results/results.html

Original change's description:
> Reland "Improve error messages for property access on null/undefined"
>
> This is a reland of 24c626c1
>
> Original change's description:
> > Improve error messages for property access on null/undefined
> >
> > Only print the property name when accessing null/undefined if we can
> > convert it to a string without causing side effects.
> > If we can't, omit the property name in the error message.
> > This should avoid confusion when the key is an object with toString().
> > E.g. undefined[{toString:()=>'a'}] doesn't print 'read property [object
> > Object]' anymore, which was misleading since the property accessed would
> > be 'a', but we can't evaluate the key without side effects.
> >
> > Bug: v8:11365
> > Change-Id: If82d1adb42561d4851e2bd2ca297a1c71738aee8
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960211
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#75250}
>
> Bug: v8:11365
> Change-Id: Ie2312337f4f1915faa31528a728d90833d80dbd1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979599
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75571}

Bug: v8:11365
Change-Id: Ic4137f0d70fa9b10ca70fa921b98ea7e1499f11b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008217
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75577}

This is a reland of 24c626c1

Original change's description:
> Improve error messages for property access on null/undefined
>
> Only print the property name when accessing null/undefined if we can
> convert it to a string without causing side effects.
> If we can't, omit the property name in the error message.
> This should avoid confusion when the key is an object with toString().
> E.g. undefined[{toString:()=>'a'}] doesn't print 'read property [object
> Object]' anymore, which was misleading since the property accessed would
> be 'a', but we can't evaluate the key without side effects.
>
> Bug: v8:11365
> Change-Id: If82d1adb42561d4851e2bd2ca297a1c71738aee8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960211
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75250}

Bug: v8:11365
Change-Id: Ie2312337f4f1915faa31528a728d90833d80dbd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979599Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75571}

There are still a few cases remaining that seem more controversial;
I'll upload those separately.

Bug: chromium:1066980
Change-Id: Iabbaf23f9bbe97781857c0c589f2b3db685dfdc2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2994804
Commit-Queue: Peter Kasting <pkasting@chromium.org>
Auto-Submit: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75494}

.. and make JSGlobalObjectRef bg-serialized.

GetPropertyCell was implemented as:

 LookupIterator it(holder, isolate, name, LookupIterator::OWN);
 it.TryLookupCachedProperty();
 if (it.state() == LookupIterator::DATA) it.GetPropertyCell();

Due to concurrency requirements, we essentially have to reimplement
this entire path for use in a concurrent setting:

 - Reads in some cases have to use relaxed or acquire semantics.
 - The IsPendingAllocation predicate must be called on some objects
   before reading into them.
 - Repeated reads of the same field must be avoided due to the
   possibility of concurrent modifications.

This CL introduces two new methods:

ConcurrentLookupIterator::TryGetPropertyCell implements the outer
lookup logic, including the repeated lookup for accessors / cached
property names.

GlobalDictionary::TryFindPropertyCellForConcurrentLookupIterator is a
slightly modified HashTable::FindEntry which follows the above rules.

Bug: v8:7790
Change-Id: Ic9a52da766afdfedce8efcbda92876845a17eed9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2959616Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75467}

StoreICs use slow handler for now.

Bug: v8:11804
Change-Id: I008fc9a3639f649b63881f759078e664b16e25e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2985403Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75395}

... which didn't properly handle non-Smi integer indices with
JSTypedArray receivers.

The addition of new JSReceiver::OrdinaryDefineOwnProperty() overload
with LookupIterator::Key caused circular dependency between lookup.h
and js-objects.h, so the LookupIterator::Key was moved out of the
LookupIterator class in order to make it forward-declarable.

Bug: chromium:1209405
Change-Id: I265f0c00f65ab6476c8f1d0ca1264f555d43465f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2972727
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75326}

This reverts commit 24c626c1.

Reason for revert: Blocks V8 roll into Chromium (changed error messages cause tests to fail):
https://ci.chromium.org/p/chromium/builders/try/linux-rel/724109?

Original change's description:
> Improve error messages for property access on null/undefined
>
> Only print the property name when accessing null/undefined if we can
> convert it to a string without causing side effects.
> If we can't, omit the property name in the error message.
> This should avoid confusion when the key is an object with toString().
> E.g. undefined[{toString:()=>'a'}] doesn't print 'read property [object
> Object]' anymore, which was misleading since the property accessed would
> be 'a', but we can't evaluate the key without side effects.
>
> Bug: v8:11365
> Change-Id: If82d1adb42561d4851e2bd2ca297a1c71738aee8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960211
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Patrick Thier <pthier@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75250}

Bug: v8:11365
Change-Id: Ic63f34033254f55b3871041633d84ea48586a75d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2977374
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75282}

Only print the property name when accessing null/undefined if we can
convert it to a string without causing side effects.
If we can't, omit the property name in the error message.
This should avoid confusion when the key is an object with toString().
E.g. undefined[{toString:()=>'a'}] doesn't print 'read property [object
Object]' anymore, which was misleading since the property accessed would
be 'a', but we can't evaluate the key without side effects.

Bug: v8:11365
Change-Id: If82d1adb42561d4851e2bd2ca297a1c71738aee8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960211Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75250}

The adding of base:: was mostly prepared using git grep and sed:
git grep -l <pattern> | grep -v base/vector.h | \
  xargs sed -i 's/\b<pattern>\b/base::<pattern>/
with lots of manual clean-ups due to the resulting
v8::internal::base::Vectors.

#includes were fixed using:
git grep -l "src/utils/vector.h" | \
  axargs sed -i 's!src/utils/vector.h!src/base/vector.h!'

Bug: v8:11879
Change-Id: I3e6d622987fee4478089c40539724c19735bd625
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2968412Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75243}

In heap-refs.cc, GetOwnFastDataPropertyFromHeap() bottlenecks reading
a fast property. To make it safe to use from the background thread we
need to verify the object didn't shrink, and risk an out of heap
bounds read.

Bug: v8:7790
Change-Id: Idebbe0ffea089bf2a70aa7d611618430169082fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2928185Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75186}

- Convert Builtin to enum class
- Change int-based builtin_index methods to use Builtin
- Change Builtins::builtin to Builtins::code

Change-Id: Id9e3bb83da97e8894ca7ca78e1e852da60675619
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2949104
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75127}

This moves all of the FunctionTemplateInfo code into templates.cc and
removes the inline keyword from BreakAtEntry which is moved out of
templates-inl.h. As a result templates-inl.h no longer depends on
shared-function-info-inl.h. This in turn uncovered lots of other missing
includes which are now in place.

Change-Id: I9bc152d5e3db0e793db135a8cfcf97f6d8bcbb8a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2953295Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75120}