The BodyDescriptor of an object should use its aligned size.

Change-Id: If743ca130b3cb97c4f25054db6dc887d88fc5e32
Reviewed-on: https://chromium-review.googlesource.com/1140309Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54510}

BUG=v8:7754,v8:5402

Change-Id: Ib3f3a879e68d96cd5d82b1ee461b57dc7367ebe2
Reviewed-on: https://chromium-review.googlesource.com/1139059Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54509}

R=machenbach@chromium.org

Bug: chromium:861668
Change-Id: Ic3225ed5919c21a7f6a9f21cba4aa491e1d6606d
Reviewed-on: https://chromium-review.googlesource.com/1140331Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54508}

Brokerized ReduceJSCreateEmptyLiteralObject and added the scope
for ReduceJSCreateLiteralArrayOrObject.

Bug: v8:7790
Change-Id: Ife34a6b610678a3fe24152151cf343400ee515bd
Reviewed-on: https://chromium-review.googlesource.com/1140306
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54507}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/7315579..e4fb293

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/fb73403..302bb84

Rolling v8/third_party/fuchsia-sdk: https://chromium.googlesource.com/chromium/src/third_party/fuchsia-sdk/+log/8227701..976ce5e

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/c0b1d89..5d1ce93

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I202ee90eb4c3ea68e2677227dd0ad05cac352be2
Reviewed-on: https://chromium-review.googlesource.com/1141428Reviewed-by: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#54506}

We try to prevent side effects by forbidding running any JavaScript
when we get property from node object.
In case of object node it is possible that by calling property we force
internal object initialization which may force creation of new context,
this initialization can not be made with forbided JavaScript and at the
same time is side effect free.
As workaround we can warmup dom objects first and then generate
description.

R=dgozman@chromium.org

Bug: chromium:827585
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ifd2c6317ffd5cb3822d2a2eedf3d0b0f36a201f1
Reviewed-on: https://chromium-review.googlesource.com/1041078Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54505}

Fixes intl402/Locale/constructor-options-{casefirst,hourcycle,numeric}-invalid

Bug: v8:7684
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I43317f4bb1bb8422940faab1e5afa4162ed9ea11
Reviewed-on: https://chromium-review.googlesource.com/1137476Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54504}

https://chromium.googlesource.com/deps/inspector_protocol/+/0d4255502019144a5dec5669d7992165ae8924e7

Change-Id: I3711883a4cff11f71cca10054e4aac11293f5293
Reviewed-on: https://chromium-review.googlesource.com/1139095Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Johannes Henkel <johannes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54503}

This patch makes `d8` recognize files with the `.mjs` extension as
modules instead of classic scripts. This change can be tested by saving
the following JavaScript program as both `module.mjs` and as
`script.js`:

    console.log(this === undefined ? 'strict' : 'sloppy');

Then, run these files in `d8` without passing the `--module` flag:

    $ d8 module.mjs
    strict

    $ d8 script.js
    sloppy

The use of `.mjs` matches not just Google’s recommendation [1] but also
the current modules implementation in Node.js [2].

[1] https://developers.google.com/web/fundamentals/primers/modules
[2] https://nodejs.org/api/esm.html

Bug: v8:7950
Change-Id: I8f39420dc24a5eedd7e88d3b1aa48207ebfeff6e
Reviewed-on: https://chromium-review.googlesource.com/1140314
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54502}

Struct are bundles of value types. They are essentially just shorthand
for passing around a group of individually defined values.

Struct types are declared like this:

  struct A {
    x: Smi;
    y: int32;
  }

and can be constructed explicitly like this:

  A{0, 0}

Structs can be used wherever other types are used (e.g. variables,
parameters, return values) except for parameter/return types of
builtins and runtime functions.

Struct use field access notation to set/get their values like this:

  let a: A = A{0, 0};
  let b: Smi = a.x;
  a.y = 0;

Change-Id: I9fd36a6514c37882831256a49a50809c5db75b56
Reviewed-on: https://chromium-review.googlesource.com/1122133
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54501}

i32 stack parameters can be loaded by Turbofan as 64-bit value, hence
they would not be zero extended. If this loaded value is then passed to
Liftoff (which assumes zero-extended i32 values), we could use it for
memory accesses, which would be out of bounds.

R=mstarzinger@chromium.org

Bug: chromium:864509, v8:6600
Change-Id: I0f45a269b1fb1c2befc2e6bc660c559a88323767
Reviewed-on: https://chromium-review.googlesource.com/1140168
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54500}

Bug: v8:5751


Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: If71ab553f7f70dd148fb90a18ccd9b1c69791323
Reviewed-on: https://chromium-review.googlesource.com/1119103Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Brian Stell <bstell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54499}

This reverts commit f5a8352b.

Reason for revert: Performance issues

Original change's description:
> [embedded-builtins] Enable on all arches except x86 for benchmarks
> 
> This CL enables embedded builtins to get benchmark feedback. We need
> this feedback to identify and address remaining performance problems.
> 
> Bug: v8:6666
> Change-Id: I8f77f218e656b55ddabe1236eb2a1d14a5ac6233
> Reviewed-on: https://chromium-review.googlesource.com/1105834
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53836}

TBR=sigurds@chromium.org,jgruber@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:6666
Change-Id: I0e0897eefa069b0b9ad2dd56b2ffc3e3617f9258
Reviewed-on: https://chromium-review.googlesource.com/1139974
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54498}

Bug: v8:7790
Change-Id: I747dccb8dcae74c5c0837c0cd7f3dd285a4bd9c0
Reviewed-on: https://chromium-review.googlesource.com/1140304Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54497}

This changes the ARM64-specific {TurboAssembler::AssertSpAligned} helper
to not generate calls to the {Abort} builtin. It is needed to ensure all
WebAssembly runtime stubs (e.g. {WasmGrowMemory}) are independent of the
Isolate. In general calling the {Abort} builtin without a valid frame
being present will produce bogus debug messages anyways. Hence we just
unconditionally use traps for the debug code in question.

R=sigurds@chromium.org

Change-Id: I93eb87e8b87209da8506c9b28e2c800950d1118a
Reviewed-on: https://chromium-review.googlesource.com/1140170
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54496}

We used to have an optimized version for ToString on number nodes
which was allocating an object on the heap, therefore
preventing this code from being executed on the compiler thread.
Octane benchmark results show insignificant increase in performance
(< 0.5%) without this optimization - see
https://docs.google.com/spreadsheets/d/1MC5NrMoMSsqxZqw0ojoZvomBb7q2EOt1S0sFoJ8ld2c/edit#gid=1732639373
which leads to the conclusion we can safely remove the optimization for now.

Bug: v8:7790
Change-Id: Ia1d53608f8d10ba20e0ff57cccb34583655382c6
Reviewed-on: https://chromium-review.googlesource.com/1139063
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54495}

Bug: Chromium:798921
Change-Id: I6cd3dbe49f586cdedfc70c6c6ad83391240a65d9
Reviewed-on: https://chromium-review.googlesource.com/1138550Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54494}

Also moves ObjectVerify to GlobalHandles::CopyGlobal from
V8::CopyPersistent (which was the only caller) so it can get hold of an
Isolate*.

Bug: v8:7786
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I0758bf6e431bf6e617244741ab2e1583a3566b20
Reviewed-on: https://chromium-review.googlesource.com/1140295Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54493}

Reland part of https://chromium-review.googlesource.com/c/v8/v8/+/816515.

Change-Id: I72ad85ffd162fc0563fc25cdf35189e894f9dc82
Reviewed-on: https://chromium-review.googlesource.com/1138808
Commit-Queue: Timothy Gu <timothygu@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54492}

Bug: v8:7790
Change-Id: Idb838dabab8aaaedd7b8b9677975064541cc6491
Reviewed-on: https://chromium-review.googlesource.com/1140154Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54491}

Pass Isolate directly into several LayoutDescriptor methods so they
don't call GetIsolate on unsafe objects.

Also marks DebugInfo as non-read-only (so our GetIsolate removal tools
stop trying to change BreakIterator::isolate() to call itself).

Bug: v8:7786
Change-Id: I626a83d603ab74f648c72eb50d027b3866cedceb
Reviewed-on: https://chromium-review.googlesource.com/1138326
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54490}

The instruction selector currently sometimes emits a lea32 with an
offset of 0, which the code generator just ignores (emits no code at
all). This can result in the result of TruncateInt64ToInt32 to not be
zero extended.
This CL fixes that by disallowing lea32 instructions with 0 offset, and
fixing the instruction selector to generate a movl or just no code for
that case.

R=jarin@chromium.org

Bug: chromium:863810, v8:7947
Change-Id: I1b21fc5f0fda9ca3144917538c3d0bbf46601c33
Reviewed-on: https://chromium-review.googlesource.com/1137825Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54489}

Ran GetIsolate/GetHeap removal script over all the header files included
into objects.cc. Affected classes include: ScriptContextTable
RuntimeCallTimerScope GlobalDictionaryShape Map LookupIterator
PrototypeIterator FixedArrayBuilder

Manually fixed up Map to mark its write operations as safe for
GetIsolate since they modify the object as so can't be done in RO_SPACE.

Bug: v8:7786
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I2fd0960f085d1bcb4cf54b3418899ac0217917ca
Reviewed-on: https://chromium-review.googlesource.com/1138076
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54488}

Also deletes lots of code that attempts to detect when the heap is
corrupt but would likely just crash if the heap was corrupt.

Bug: v8:7786
Change-Id: I2e6bbea2e393b0f640a9d7180114560e7f6d3670
Reviewed-on: https://chromium-review.googlesource.com/1140061Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54487}

kMaximalCodeRangeSize can be zero to indicate no limit, which was
misinterpreted by mksnapshot.

Bug: v8:6666
Change-Id: I512412a5ef866c0595654aa78c6761bc00b82c56
Reviewed-on: https://chromium-review.googlesource.com/1140057Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54486}

Change-Id: Ia05e949e1a823e30a45894c47f6f6df2e159befe
Reviewed-on: https://chromium-review.googlesource.com/1135540
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54485}

This is a reland of f0a9a6a5

Original change's description:
> Update GN configs for v8_perf target to allow running perf tests in swarming
>
> This will allow us to migrate our deprecated configs to android_docker.
>
> R=machenbach@chromium.org
>
> Bug: chromium:838864
> Change-Id: I5f7db648520847aa2077e9fc2a5970e63daa9a50
> Reviewed-on: https://chromium-review.googlesource.com/1131944
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54441}

R=machenbach@chromium.org

Bug: chromium:838864
Change-Id: I35e1ab911ac3b5ddd8478faae4799ed5d7bbccbf
Reviewed-on: https://chromium-review.googlesource.com/1139973Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54484}

R=bmeurer@chromium.org

Change-Id: Iece8e73581e99456f9647b9ae6af6045305811f4
Reviewed-on: https://chromium-review.googlesource.com/1139058Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54483}

This changes several CHECK macros textually (but not semantically)
to make them distinguishable by message in crash dumps.

Bug: chromium:855041
Change-Id: I74b66a80c63b264b463eadb333b5359fb412130a
Reviewed-on: https://chromium-review.googlesource.com/1138320Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54482}

It's a growing weak array which also has an API for marking slots empty (those
will then be filled before growing the array again).

This is a more efficient implementation than the corresponding feature in
FixedArrayOfWeakCells, because we chain the empty slots together.

BUG=v8:7308

Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I335cd3f9cc7838c7f6ca350735b1503b2f5b8eed
Reviewed-on: https://chromium-review.googlesource.com/1090922
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54481}

This makes it more convenient to work with brokerized data.

Bug: v8:7790
Change-Id: I7ffb4054b809c10c67787b2fb89a05e8ce8f4575
Reviewed-on: https://chromium-review.googlesource.com/1138248
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54480}

This CL adds local const bindings. This means that instead of
generating TVARIABLEs for variables, we can generate simple TNodes.

Example:

macro FooBar(): {
  const kSomeSmi: Smi = 10;
  ...
}

This CL also enforces that variables with a constexpr type are bound
using 'const' and not 'let'.

R=tebbi@chromium.org

Bug: v8:7793
Change-Id: Id20a18149df9fc374ce718bdb1478e3eabb6e6df
Reviewed-on: https://chromium-review.googlesource.com/1138316
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54479}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/c0771e9..7315579

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/be45355..f5342c4

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/8d3925b..fb73403

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/e9cc24f..c0b1d89

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I314761df6ad3e08de1ea13bff1daf2c9f85a2c05
Reviewed-on: https://chromium-review.googlesource.com/1139582
Commit-Queue: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Reviewed-by: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#54478}

[Intl] Change PluralRules.prototype.resolvedOptions to return newly created array for pluralCategories

Test: test262/intl402/PluralRules/prototype/resolvedOptions/pluralCategories

Bug: v8:7830
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ie527f51fab67e63cf5bf56a1da883a3e16ce48ac
Reviewed-on: https://chromium-review.googlesource.com/1132339Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54477}

Deprecate String::Utf8Length in favor of a new, similar function that
takes the Isolate used for the String::Flatten call as an argument.

BUG: v8:7786

Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Icaf04b272679fd853e9cdbe6c7088f63e9aacb95
Reviewed-on: https://chromium-review.googlesource.com/1124724
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54476}

  * JS_ERROR_TYPE is required for postmortem tools to inspect JSError
    objects (see https://github.com/nodejs/llnode/pull/215 for a usage
    example)
  * The context embedder index is required for postmortem tools to
    access embedder data stored in the context (see
    https://github.com/nodejs/llnode/pull/204 for a usage example)

R=bmeurer@google.com, yangguo@google.com

Change-Id: Ib7c7eb44f6ad327fc71a1d45f510c49377db7a25
Reviewed-on: https://chromium-review.googlesource.com/1138493Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54475}

Use the given locale and options when performing toLocaleString on each
individual element in a given array.

Bug: v8:7832
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I718a33c42e85819065599ee6bad59fb25afa7e15
Reviewed-on: https://chromium-review.googlesource.com/1132464
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54474}

SharedFunctionInfos store their original function literal's id. This is
also their index in the Script's SFI list.

The function literal id is only needed for lazy compilation and live edit,
and access only has to be fast in the former. So, we can move the SFI
function literal id field to UncompiledData, and if patching with live
edit, or discarding compiled code, we can perform a slower linear search
through the Script's SFI list.

This is a reland of
 1) https://chromium-review.googlesource.com/1082480 and
 2) https://chromium-review.googlesource.com/1128854
the differences being:
 1) caching the literal id on UncompiledData rather than always linearly
    searching the SFI list, and removing the unused runtime-liveedit.cc
    file instead of fixing it to support this change.
 2) clearing padding on UncompiledData now that it has 3 int32 fields,
    making its end unaligned on x64.

TBR=yangguo@chromium.org,marja@chromium.org,ulan@chromium.org,cbruni@chromium.org

Bug: chromium:818642
Change-Id: I58dcb12a2a60a680f662568da428e01189c62638
Reviewed-on: https://chromium-review.googlesource.com/1138325Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54473}

Since RO_SPACE objects can't move then IsDereferenceAllowed, just return
true for any objects in RO_SPACE.

R=leszeks

Bug: v8:7786
Change-Id: I67d2d8902a3c2196991bf57ba719c8b05220cdbb
Reviewed-on: https://chromium-review.googlesource.com/1138324Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54472}

This also fixes JSCreateLowering::ReduceJSCreate to use in-object
property count after slack tracking. This would still deserve some
more bullet-proof treatment; in particular, we should make it
somehow hard to access the pre-slack-tracking instance_size and
inobject_property_count (and possibly other things that might be
derived from the stale instance_size).

Bug: v8:7790
Change-Id: Ie374e5a030ec2fe000647e94d848ca0f9ee346f4
Reviewed-on: https://chromium-review.googlesource.com/1138235
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54471}