ClusterFuzz found another case where "weird" embedder calls can cause
signed integer overflow. This patch fixes the last addition in that
function to use unsigned types.

Bug: chromium:991676
Change-Id: Ia77a12020908de8f0a3bd1be7d3722ba5c5c919b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1743971
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63349}

This CL enables the FreeList strategy introduced by CL 1762292.

Bug: v8:9329
Change-Id: I73c1399aa9ae9a602f29f208c5543927a1405403
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765533Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Darius Mercadier <dmercadier@google.com>
Cr-Commit-Position: refs/heads/master@{#63348}

This reverts commit 5c59ba4f.

Reason for revert: requires more thinking 

Original change's description:
> [ic] Fix KeyedLoadIC for ArrayIndex access
> 
> Previously, without support for converting strings to numbers we'd
> switch to megamorphic state and go to the runtime always to do the
> conversion causing a performance cliff.
> 
> This patch improves the following js-perf-test scores:
> Object-Lookup-String-Constant-BytecodeHandler: 4.25%
> Object-Lookup-Index-String-BytecodeHandler: 5.41%
> 
> Bug: v8:9449
> Change-Id: I63787fa84373fc946f1304b0141e48a52a1b4bcb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1690953
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63293}

TBR=mythria@chromium.org,jyan@ca.ibm.com,gsathya@chromium.org,leszeks@chromium.org,ishell@chromium.org,verwaest@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9449
Change-Id: I6b6ad5901175c2e6bbd7516b13e91471adb5776d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765532Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63347}

This preserves the object identity of a {WebAssembly.Function} instance
that is being re-exported by a module. Such functions are considered to
have an internal [[FunctionAddress]] slot and hence require their object
identity to be preserved (similar to {WasmExportedFunction} already).

R=jkummerow@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: I88ba75fcd91ce04440008467f3b218a1ac3047db
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763545Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63346}

This new FreeList should be a reasonable replacement for our old
FreeListLegacy: it is slightly less efficient (~1%), but uses much
less memory (often 5% less old_space size).

It is based on FreeListMany, with the following additions:

  - A cache to waste less time iterating empty categories

  - A fast path for allocations done in the runtime and generated code

  - A slow path (the same as FreeListMany actually) for allocations
    done in the GC.

Bug: v8:9329
Change-Id: Ifc10b88df7861266a721afd2c6e6d8357255ec4e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762292
Commit-Queue: Darius Mercadier <dmercadier@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63345}

For import wrappers, we add a special "callable" parameter as the last
parameter. This parameter is not set in the TurboFan graph but in the
code generator. Therefore this parameter has to be allocated in a
special register and cannot be lowered generically. With this CL we
detect in the CallDescriptor lowering if the last parameter is this
special "callable" parameter. If so, we preserve it in the lowered
CallDescriptor in the same register.

R=jkummerow@chromium.org

Bug: v8:7741
Change-Id: I884baa41813011c811612ec84f4e3cfe86a0e83a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762014Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63344}

This CL adds a mechanism that prevents the RuntimeProfiler from
triggering optimization of a function after
%PrepareFunctionForOptimization has been called. This is useful to
prevent flakiness in tests, as sometimes a function that already
got deoptimized would receive a new code object from a concurrent
compile that was triggered by a heuristic just in the right moment
for the assertUnoptimized test to fail. For example, the following
was happening:

PrepareFunctionForOptimization
[marking `testAdd` for optimized recompilation, reason: small function]
[concurrently compiling method `testAdd` using TurboFan]
[manually marking `testAdd` for non-concurrent optimization]
[synchonously compiling method `testAdd` using TurboFan]
[synchonously optimizing `testAdd` produced code object 0xAAAA - took 1.638 ms]
Runtime_GetOptimizationStatus OPTIMIZED `testAdd` (code object 0xAAAA)
DeoptimizeFunction `testAdd` with Code Object 0xAAAA
[concurrently optimizing `testAdd` produced code object 0xBBBB - took 3.377 ms]
Runtime_GetOptimizationStatus OPTIMIZED `testAdd` (code object 0xBBBB)

Bug: v8:9563
Change-Id: Ia4c846aba95281589317d43b82383e70fe0a35f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763546Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63343}

This reverts commit aba185a7.

Reason for revert: We want to keep this API.

Original change's description:
> [heap] Remove slots when shrinking objects
>
> Immediately remove recorded old-to-new slots when shrinking objects.
> This operation needs to drain the store buffer, however the store buffer
> is supposed to be removed anyway.
>
> Also do not remove slots when left-trimming since this isn't needed for
> correctness.
>
> Bug: v8:9454
> Change-Id: I751baf2dcd03c87aee9cb1ebd168e05bf373a738
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762012
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63271}

TBR=ulan@chromium.org,dinfuehr@chromium.org


Bug: v8:9454
Change-Id: I9524a7448cc49948915fdccc5a6b1aa22e4de4a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762524Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63342}

This reverts commit e66cee7e.

Reason for revert: Speculative revert for https://ci.chromium.org/p/chromium/builders/try/linux-rel/173349

Original change's description:
> [debug] only break on entry when immediately called from JS
> 
> When we break on function entry, check whether the target function is being
> called from JS after entering V8 through V8's API. We implement this by
> keeping track of the stack height when we enter V8 through the API, and compare
> the caller JS frame's stack height with that.
> 
> R=​szuend@chromium.org
> 
> Bug: chromium:991217, chromium:992406
> Change-Id: I258ad9cef11fe0ef48de6fd5055790792fd0ec0c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762298
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63331}

TBR=yangguo@chromium.org,szuend@chromium.org

Change-Id: I4bfb42f7ce1484807696048a09609f14113d10f4
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:991217, chromium:992406
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762525Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63341}

R=mstarzinger@chromium.org

Change-Id: Ic7a3538bbdf3ec2e68c83c397818ab0ca838ddbe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1738855Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63340}

Bug: v8:7834, v8:4709, v8:9646, v8:9647
Change-Id: Ie3648aec127504b9d6eb5b8ed491ba056fb68a8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763544
Auto-Submit: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Tamer Tas <tmrts@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63339}

This reverts commit 74e68e6a.

Reason for revert: We want to keep this API.

Original change's description:
> [heap] Remove ClearRecordedSlots
> 
> Do not pass it as argument to CreateObjectFillerAt and remove the enum.
> 
> Bug: v8:9454
> Change-Id: Iafa37acbfea73d3cabb1732dbec0944db859fac2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762017
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63282}

TBR=ulan@chromium.org,petermarshall@chromium.org,dinfuehr@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9454
Change-Id: I9a0a249294957740f831b28f5fefef132123d0e8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762523Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63338}

This was deleted in 5b2ab2f6, it seems only
the first part of the condition should have been deleted.

This changes (from the embedded builtins):

    movz x9, #0x2
    cmp x9, x8

Back to:

    cmp x8, #0x2

This saves 0.29% in the embedded builtins size for a pointer-compression enabled arm64 build.

Also a minor cleanup by removing the commutative boolean parameter and always commuting the
FlagsContinuation. For a commutative operation the FlagsContinuation will stay the same.

Change-Id: I5bba84a07bb32284b4756bc6293560ee106745f2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762522Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#63337}

Also: add hint for "prototype" property. This makes us not miss
the ObjectCreate map in any of our tests.

Bug: v8:7790
Change-Id: Icc9f91ebaf466a1cdfba27526335b930c744b9c5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762519
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63336}

Automated cleanup which finds patterns of `Node* a = foo` where `foo` is
a TNode expression, and replaces Node* with the appropriate TNode.

Bug: v8:9396
Change-Id: I8b0cd9baf10e74d6e2e336eae62eca6cfe6a9c11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762515
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63335}

Forge (Google3) can only run 64-bit executables. As Torque runs as part
of the build process, we need a 32-bit "cross-compile" mode when
we target 32-bit architectures. Note that this flag won't be needed
in Chromium/V8 land, since we build V8 with the same bit width as
the target architecture.

This CL adds a new runtime flag to torque "-m32". When enabled, the
flag forces 32-bit word sizes for various pointer/word sizes. By
default, the host system sizes from {src/commons/globals.h}
are used.

R=tebbi@chromium.org

Bug: v8:9641
Change-Id: I8701eec45e3fb59dc65049b0a679d34589c4127f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763540
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63334}

This fixes a serious performance regression in Octane2 future variant.

Bug: v8:7790
Change-Id: Ie72d7b8ecf8af12e06a0ecae216cfb456908fe5d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763542
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63333}

Previously, the handler would load the constant field from the holder
everytime by using the descriptor index. Instead, this patch inlines
the constant field directly into the handler.

Change-Id: Ia731811b135897033f4c5dc973031a30f25a64ed
Bug: v8:9616
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1688829
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63332}

When we break on function entry, check whether the target function is being
called from JS after entering V8 through V8's API. We implement this by
keeping track of the stack height when we enter V8 through the API, and compare
the caller JS frame's stack height with that.

R=szuend@chromium.org

Bug: chromium:991217, chromium:992406
Change-Id: I258ad9cef11fe0ef48de6fd5055790792fd0ec0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762298
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63331}

This is another step towards considering the unoptimized frame size in
stack checks within optimized code.

With the changes in this CL, we now keep track of the maximal
unoptimized frame size of the function that is currently being
compiled. An optimized function may inline multiple unoptimized
functions, so a single optimized frame can deopt to multiple
frames. The real frame size thus differs in different parts of the
optimized function.

We only care about the maximal frame size, which we calculate
conservatively as an over-approximation, and track in
InstructionSelector::max_unoptimized_frame_height_ for now. In future
work, this value will be passed on to codegen, where it will be
applied as an offset to the stack pointer during the stack check.

(The motivation behind this is to avoid stack overflows through deopts,
caused by size differences between optimized and unoptimized frames.)

Note that this offset only ensure that the topmost optimized frame can
deopt without overflowing the stack limit. That's fine, because we only
deopt optimized frames one at a time. Other (non-topmost) frames are
only deoptimized once they are returned to.

Drive-by: Print variable and total frame height in --trace-deopt.

Bug: v8:9534
Change-Id: I821684a9da93bff59c20c8ab226105e7e12d93eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762024
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63330}

We have internal::TickSample which inherits from this, but we never
use the public version in the API despite defining it there.

Change-Id: I6f0ce7ee663ef821be57cfbad540c1660484a525
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1745472
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63329}

New revision: d114a62e144cdfdae697fe0af6581ce39a31af37

Change-Id: I865edf40848d5593ae80a5ee0ed65c0c472a5a89
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1713234Reviewed-by: Alexei Filippov <alph@chromium.org>
Commit-Queue: Johannes Henkel <johannes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63328}

Bug: chromium:996232
Change-Id: I1df23835c18f5491a95e2faff17594ee7419cf75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763157
Auto-Submit: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63327}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/5f675b2..abb522f

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/04a66c3..679dc37

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/5329779..bfcde3c

Rolling v8/third_party/fuchsia-sdk: https://chromium.googlesource.com/chromium/src/third_party/fuchsia-sdk/+log/d677ea6..1785f0a

Rolling v8/third_party/googletest/src: https://chromium.googlesource.com/external/github.com/google/googletest/+log/c9ccac7..fb49e6c

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: I29b600c24c77f268011669ac821dfcac0509885c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1764594Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#63326}

Implement move ctor and assignment for both, the version that matches T
and the version where T and S are related in the type hierarchy.

Bug: chromium:995684
Change-Id: I21a747d706b224117c398e6feff42cc4ffc4cae8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762296
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63325}

Bug: v8:9510
Change-Id: Icf2500240ee36c271992897a222da2f089acc035
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1756855Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63324}

Bug: v8:8976
Change-Id: I5eb7871a5d5daa15faff73666d400bb87627bbe0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762711
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63323}

Bug: v8:7790
Change-Id: I02de7cb5b89a20a4eb10407cb1ff56ed3ece098f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762520
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63322}

This CL was reviewed originally in https://crrev.com/c/1518181.

Bug: v8:7741
Change-Id: Iddb139a24c4b9aee6694e20cb5d04e9f9887160c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1752859
Auto-Submit: Sven Sauleau <sven@cloudflare.com>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63321}

Bug: v8:7790
Change-Id: I42ef762bdc9340d4cb8f03186c1961eddf35e46b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762516
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63320}

The LinkageLocation currently consists of two fields, a bit_field and a
machine_type. The existing equality check only checked the equality of
the bit_field, which meant that a FP register location and a GP register
location could alias. I added a static {IsSameLocation} function which
checks that not just the bit_field but also if one of the two locations
at least has a subtype of the other. Note that we do not check for
type-equality because {CanTailCall} checks, which are the main user of
the LinkageLocation equality check, should pass even if the result types
are in a sub-typing relationship.

R=mstarzinger@chromium.org

Bug: v8:9396
Change-Id: Iaa2d11311d0c18e8ffc1dd934e369106ab2456a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763533
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63319}

Change-Id: Ibab34553f1499bd5dee7cf7477284783cc0660fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763534Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63318}

This CL implements the nullish operator in bytecode as defined by:
https://github.com/tc39/proposal-nullish-coalescing. It can be
enabled by passing '--harmony-nullish'.

Nullish is similar to logical operators, but instead of truthy/falsey
values, it short circuits when it evaluates a null or undefined value.


Bug: v8:9547
Change-Id: Ia0f55877fc2714482b5547942baef9733537d1b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1738568Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63317}

Bug: v8:7790
Change-Id: I9a770fd6861c216121aef88f0119698edc0e224e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763537
Commit-Queue: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63316}

Bug: v8:7790
Change-Id: I6705e5399ad37201b89d5d6d5174138b22401ca1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762518Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63315}

This CL consists of several preparatory steps for slices in Torque. Above all, it introduces a user-defined struct, torque_internal::Slice<T>, that performs bounds checking and returns references to elements in arrays. To enable this, several smaller changes were also made:

- Constructors of internal classes such as torque_internal::Reference<T> now require a special 'Unsafe' argument, making it clear that there be dragons.
- Struct methods are now declared during finalization. This allows instances of generic structs to have methods referring to the same struct. Previously, methods would be declared before the instance had been fully registered, leading to errors during type resolution. Furthermore, such methods were declared in a temporary namespace, that would then erroneously escape and lead to use-after-free issues.
- Instances of TypeArgumentInference were not running in the correct (Torque) scopes, leading to type resolution errors.
- The chain of ContextualVariable::Scope for any given ContextualVariable (such as CurrentScope) can now be walked, simplifying debugging.

R=jgruber@chromium.org, tebbi@chromium.org

Bug: v8:7793
Change-Id: I36f808f63cc3ce441062dfc56f511f24f1e3121e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1758322
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63314}

The linkage should not have any knowledge about the existance of nodes.

R=mstarzinger@chromium.org

Bug: v8:9396
Change-Id: If10bf113c6ec19c434573a8d9bb7b736caef5dee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763532
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63313}

This adds type reflection support to the {WebAssembly.Module.exports} as
well as {WebAssembly.Module.imports} method. It also refactors existing
reflective code to use the internal instead of the public embedder API,
which is slightly more efficient anyways.

R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: I88a6c7e9236a549808707c72e40a63302b7747a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763527Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63312}

This just adds a test case checking against the current behavior, but
expectations might change once the proposal is clarified. For details
see: https://github.com/WebAssembly/js-types/issues/11

R=ahaas@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: I2fc502460c0a8094a414d138703b75497b2d1c6f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762517Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63311}

Bug: v8:8510
Change-Id: Ie2b1cbbc136fecf3a81716b129e51857bd8db157
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762294Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63310}