This allows off-thread flattening.

Bug: chromium:1011762
Change-Id: If83f7bbcbf74165987a4c157184f5b92dc554971
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924437
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65075}

This reverts commit 3c98a2a3.

Reason for revert: Fails on arm: https://ci.chromium.org/p/v8/builders/ci/V8%20Arm%20-%20debug/12134

Original change's description:
> [wasm] Prevent breakpoints on nonbreakable positions
> 
> If a breakpoint is set on a non-breakable position, the wasm interpreter
> just stores the value 0xFF (kInternalBreakpoint) in the function body
> (actually, a copy of the function body). This might overwrite immediates
> and cause subsequent failures in the wasm interpreter.
> 
> In JavaScript, breakpoints are just forwarded to the next breakable
> position. This CL implements the same for WebAssembly.
> A cctest tests this behavior, and the existing
> wasm-stepping-byte-offsets.js inspector test is extended to also set the
> breakpoint within an i32 constant immediate.
> 
> R=​leese@chromium.org, mstarzinger@chromium.org
> CC=​​bmeurer@chromium.org
> 
> Bug: chromium:1025184
> Change-Id: Ia2706f8f1c3d686cbbe8e1e7339d9ee86247bb4a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1925152
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65070}

TBR=mstarzinger@chromium.org,clemensb@chromium.org,bmeurer@chromium.org,leese@chromium.org

Change-Id: I7468ea3b15fecccdea521308325cf4851e0a0396
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1025184
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1926032Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65074}

Port 3b0329ab

Original Commit Message:

    Since the old pipeline has been removed
    (https://chromium-review.googlesource.com/c/v8/v8/+/1903435), these
    opcodes and methods are unused.

R=solanes@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I68b1dcc54c6bbaf873f277d4a1620eee6d96864c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1925555Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#65073}

This is necessary because the spec changed.

R=mstarzinger@chromium.org

Bug: v8:9865
Change-Id: Id8b4d85eafcf368d591666907036e6aa54664e63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1921794
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65072}

Previously the fast path only asserted the correct instance types; but
when reading lastIndex we additionally rely on a specific object
shape.  This is checked by HasInitialRegExpMap().

Bug: chromium:1024758
Change-Id: I0b401ffb246dd47153caf798446d8d41bc84bc8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924354
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65071}

If a breakpoint is set on a non-breakable position, the wasm interpreter
just stores the value 0xFF (kInternalBreakpoint) in the function body
(actually, a copy of the function body). This might overwrite immediates
and cause subsequent failures in the wasm interpreter.

In JavaScript, breakpoints are just forwarded to the next breakable
position. This CL implements the same for WebAssembly.
A cctest tests this behavior, and the existing
wasm-stepping-byte-offsets.js inspector test is extended to also set the
breakpoint within an i32 constant immediate.

R=leese@chromium.org, mstarzinger@chromium.org
CC=​bmeurer@chromium.org

Bug: chromium:1025184
Change-Id: Ia2706f8f1c3d686cbbe8e1e7339d9ee86247bb4a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1925152
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65070}

Macro 'USE_SIMULATOR' should wrap the whole v8::internal namespace.

Change-Id: I2b0102e563b6cb976e5a450363bc770f8d5628e2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1916439
Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65069}

That's possible because JS builtins are JSFunctions that embed a
NativeContext.

Bug: v8:7793
Change-Id: Id2bf7844fcfb53df733100f1e3e554f25a78482a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1926150Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65068}

In {EmptyBackingStore}, the {free_on_destruct} flag was not set as an
optimization: Since there is no memory, it also does not have to be
freed. However, this flag has a side-effect: any backing store where
this flag is not set is considered {external}. The {external} flag is
mis-used by blink to indicate if ArrayBuffers need to be wrapped or not.

With this CL we set the {free_on_destruct} flag in {EmptyBackingStore},
but we change the ArrayBufferTracker to just ignore empty backing
stores.

R=ulan@chromium.org

Bug: chromium:1008840
Change-Id: I1552a6e013c8b23f39fba1c2d9d9c61dc30c0c74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924263Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65067}

Since the old pipeline has been removed
(https://chromium-review.googlesource.com/c/v8/v8/+/1903435), these
opcodes and methods are unused.

Bug: v8:7703
Change-Id: I626645a1405c79c6a202da6075fb64f0a2a41d25
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1921799
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65066}

Bug: v8:9989
Change-Id: I6923f99398c0a1c8b447e18e0416a2630a09ee5d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924259Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65065}

When importing a JS function, Wasm tries to guess the type of function
(parameters & strict/sloppy mode). This can sometimes fail which leads
to re-creation of the wrapper. With this change, the same wrapper can
be used for strict and sloppy mode requiring the re-creation only on
arity mismatch.

R=mstarzinger@chromium.org

Change-Id: I77ec2b853153dec0772873cfb60c064a74065732
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1921793Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65064}

Don't overwrite WATCHLISTS each time with a checkout from the latest
release branch as that means it will never pick up changes from
master.

No-Try: true
Bug: chromium:832032
Change-Id: I3a9231369caa9a6591acb9b7f0c76dc031ab9178
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1926029
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65063}

https://chromium-review.googlesource.com/c/v8/v8/+/1926027 deprecated the
"preparser" test suite.

This CL removes the remaining test suite configuration.

R=machenbach@chromium.org

Bug: v8:10001
Change-Id: I45afb709ddad5be1ec6072a42567e669f900095e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1926147
Auto-Submit: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65062}

Bug: v8:9972
Change-Id: Ia85520eea8d3bcadc2573c16bf2778b1c3ff0c5a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1926028
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65061}

Bug: chromium:1010272
Change-Id: Ifc7ed5ff66b84e889668fd0820cea1d5b6af328f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1925809Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65060}

"preparser" is a legacy test-suite written in Python. "cctest/test-parsing"
provides the same coverage and more for the preparser.

This CL removes "preparser" stand-alone test-suite

R=verwaest@chromium.org
CC=​machenbach@chromium.org

Bug: v8:10001
Change-Id: I1823967e654e8d6d9e42eadfd667f90074d57ba9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1926027Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65059}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/456253c..9f9c46f

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/f7d5f0c..4c9781e

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/35a67a5..639872c

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: I34208500b48e4d745ae0aa83d6667c35ed8800cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924898Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#65058}

This reverts commit f2a74165.

Reason for revert: Clusterfuzz
Bug: chromium:1026479

Original change's description:
> [regexp] Re-execute regexp when '.indices' is accessed.
> 
> Instead of storing a pointer to the last_match_info, which may
> change, this cl modifies JSRegExpResult to store a pointer to
> the original JSRegExp which generated it, as well as additional
> data needed to re-execute the match.
> 
> Basically a straight copy and tidy off jgruber@'s prototype:
> https://chromium-review.googlesource.com/c/v8/v8/+/1876810
> 
> Bug: v8:9548
> Change-Id: I11b7deae681b8287e41e8d0e342291ff484751fb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910129
> Commit-Queue: Joshua Litt <joshualitt@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65053}

TBR=jgruber@chromium.org,joshualitt@chromium.org

Change-Id: I6294e3d7ac0b3e2bd9404697823b8d3cc2545c16
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9548
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1925651Reviewed-by: Joshua Litt <joshualitt@chromium.org>
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65057}

Bug: v8:9886
Change-Id: I5ed8ad13a4c92b61cddb8d86ec97e242252a556e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1922231
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65056}

Bug: v8:8976
Change-Id: Ifa9b874b5b75b51046ba611db2b9fad3cbd33905
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1920066
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65055}

Minor cleanup: some classes in Torque don't yet have any definitions for
their fields, so it doesn't make sense to emit field layout macros for
those classes.

Bug: v8:7793
Change-Id: Iee38aa3cbe684f4a63329a676e2e94944dc05de1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1925010Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#65054}

Instead of storing a pointer to the last_match_info, which may
change, this cl modifies JSRegExpResult to store a pointer to
the original JSRegExp which generated it, as well as additional
data needed to re-execute the match.

Basically a straight copy and tidy off jgruber@'s prototype:
https://chromium-review.googlesource.com/c/v8/v8/+/1876810

Bug: v8:9548
Change-Id: I11b7deae681b8287e41e8d0e342291ff484751fb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1910129
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65053}

function descriptor

Change-Id: I439bac759cb363f35f6aa23a699b6ef1d9079684
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1925027Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#65052}

These instructions should always treat inputs as signed, and saturate to
unsigned min/max values.

E.g. given -1, it should saturate to 0.

The spec text,
https://github.com/WebAssembly/simd/blob/master/proposals/simd/SIMD.md#integer-to-integer-narrowing,
has been updated to describe this.

The changes here include codegen changes to ia32, x64, arm, and arm64,
changes to arm simulator, assembler, and disassembler to handle the case
of treating input as signed and narrowing to unsigned. The vqmovn
instruction can handle this case, our assembler wasn't allowing callers
to specify this.

The interpreter and scalar lowering are also fixed with this change.

Bug: v8:9729
Change-Id: I6f72baa825f59037f7754485df6a2964af59fe31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879423Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65051}

Bug: v8:9886
Change-Id: I860bea0c317e9666662329e9b36598952c8ecfad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1919697
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65050}

Spill/fill now take offsets instead of indices. We provide a
helper, GetStackOffsetFromIndex, for callers. This is currently only
useful while slot sizes are still fixed to 8 bytes.

StackTransferRecipe's RegisterLoad now works in terms of offset.

LiftoffStackSlots work in terms of offset as well.

TransferStackSlot currently still works in terms of indicies, but can be
converted to use offsets in a subsequent change.

Bug: v8:9909
Change-Id: If54fb844309bdfd641720d063135dd59551813e0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1922489Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65049}

This reverts commit 386e7dd2.

Reason for revert: blocking the V8 roll on linux_chromium_asan_rel_ng

Original change's description:
> [ptr-compr][x64] Temporarily enable pointer compression on x64
>
> Bug: v8:7703
> Change-Id: Iaa7a35a2438dc1181f60289190191b519e45bed0
> Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng,v8_linux64_tsan_rel
> Cq-Include-Trybots: luci.v8.try:v8_linux64_cfi_rel_ng
> Cq-Include-Trybots: luci.chromium.try:fuchsia_x64,linux-rel,mac-rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924347
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65033}

TBR=machenbach@chromium.org,ishell@chromium.org,verwaest@chromium.org

Change-Id: I6dd5c0c80c9d5b4a786c9b42a60a5b850c9168ac
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7703
Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng,v8_linux64_tsan_rel
Cq-Include-Trybots: luci.v8.try:v8_linux64_cfi_rel_ng
Cq-Include-Trybots: luci.chromium.try:fuchsia_x64,linux-rel,mac-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1925148
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65048}

Port a7b9e588

R=zhin@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I3406f424dcf918edd8cc51f7fe94dc28c2b4ed85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924867Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#65047}

This is part 3 of Torquifying DescriptorArray: making it possible to use
the "descriptors" indexed field from code written in Torque. A small
macro EnsureArrayLengthWritable is converted to demonstrate the new
functionality.

This CL also introduces the arrow token `->` and desugars a->b to (*a).b
so that the new builtin looks a little cleaner.

Bug: v8:7793
Change-Id: I84eaa97f664aa67273866760e6ede4346a3ee2f9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1900332
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65046}

Bug: v8:9886
Change-Id: I88a4364596ef529c3873f4c80f36e0bfbe71e022
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1919695Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65045}

Handlify raw SharedFunctionInfo in
CreateInterpreterDataForDeserializedCode.

Bug: v8:9992
Change-Id: I58fd2a78723cb3cd4784086c171c58cf2c32aacc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924362
Auto-Submit: Dan Elphick <delphick@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65044}

Bug: v8:9996
Change-Id: I8c39a3a74a58e35eea784b8b26a2c519819b3269
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924364
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65043}

Bug: chromium:1022270
Change-Id: I6f1ee944b6cee977894d3cc425445f326a0866e5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924351Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65042}

Bug: v8:9813
Change-Id: I75ca39612f0420548a56cc32edaa13a36a9713e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1900661Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65041}

Bug: v8:9708
Change-Id: Iba4bf148437b9aa27d9b57ee2ebf48948d1ac163
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1801838Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65040}

This reduction relies on a known object layout of the regexp instance
in order to access the lastIndex field through a statically-determined
offset. Prior to this CL, we checked only for instance types, not for
the map, and thus it was possible to read garbage from either inside
or outside the current object.

Bug: chromium:1024758,v8:7779
Change-Id: I1eec8220797f443bdf3d05804e54f33b21fa2f00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924353Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65039}

TBR=neis@chromium.org
NOTRY=true

Bug: v8:9984
Change-Id: If192eb8680f8147d64aaa796955cb2ca38d0246d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924360Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65038}

This CL implements torque builtins for BigInt subtraction and extends
the compilation pipeline to lower calls to the generic subtraction
to SpeculativeBigIntSubtract and later to BigIntSubtract with
necessary checks in case of BigInt feedback.

The CL also implements lowering of these operators to native machine
word operations on 64 bit architectures if they are used in a
truncating context (aka BigInt.asUintN).

Bug: v8:9407
Change-Id: Idf5da14c380bc7c12375e7f084a3e1c455303f5f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1895566Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65037}

Bytecode flushing bit me again.

Bug: v8:9945, v8:9983
Change-Id: I9e4f9dd5e1793d60b24def447a8374e550fa248a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924352
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65036}