The instance type is set before setting the map inside an Object. It
is relaxed and not non-atomic to prevent a false positive TSAN failure
(see https://chromium-review.googlesource.com/c/v8/v8/+/2682641).

Bug: v8:7790
Change-Id: Iddd28ffb06b5a882e77c4bf88bf8580df792f198
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773042Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73570}

Bug: v8:11525
Change-Id: I9afd7095764fdb4b15c8a3492078073624b42a11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2763869Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73569}

This reverts commit 0655aa05.

Reason for revert: intermittent failures on s390 native:

d8 --test test/wasm-spec-tests/tests/proposals/js-types/select.js --random-seed=-2107020726 --nohard-abort --testing-d8-test-runner --stress-background-compile --stress-wasm-code-gc --experimental-wasm-type-reflection --wasm-staging

Original change's description:
> Reland "s390x: [liftoff] implement CallRuntimeStub"
>
> This is a reland of 88c1ae95
>
> Original change's description:
> > s390x: [liftoff] implement CallRuntimeStub
> >
> > Change-Id: I505ea67af31006f3f233eef390f234cfc0188d6c
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2774479
> > Reviewed-by: Milad Fa <mfarazma@redhat.com>
> > Commit-Queue: Junliang Yan <junyan@redhat.com>
> > Cr-Commit-Position: refs/heads/master@{#73525}
>
> Change-Id: Id5d0ece78533439870fdc6b000026fe04e576448
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2774561
> Reviewed-by: Milad Fa <mfarazma@redhat.com>
> Commit-Queue: Junliang Yan <junyan@redhat.com>
> Cr-Commit-Position: refs/heads/master@{#73549}

Change-Id: If81175b752738bd76ab612ef43448fa775cf3083
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2778333Reviewed-by: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73568}

Stepping code that is left on the stack will repeatedly call the
WasmDebugBreak function. This has no observable effect, except for
severe slowdown of execution. In the linked bug, we were executing at
least another few million instructions in the same frame, so it appeared
that it never finishes.

This CL fixes that by replacing stepping code with non-stepping code if
the WasmDebugBreak runtime function is called from stepping code but we
are not stepping (any more).
Adding a test for this is difficult, since this only has an effect on
performance.

R=thibaudm@chromium.org

Bug: chromium:1153308
Change-Id: I02feb04a156dfe81ca76ce26f0af131c470ef7a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2775575
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73567}

Popping values from an empty stack is allowed in unreachable code, but
the stack height cannot be negative and stays at 0 instead.

R=clemensb@chromium.org

Bug: chromium:1190291
Change-Id: I84df7ab81ba6f5a9056c8341d88a4c47121363ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2778273Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73566}

Especially "kNoReturnCall" is confusing, because it can be read as "a
call that does not return", which is not meant here.
This CL renames the enum to "TailCall" with the boolean values
"kTailCall" and "kNoTailCall". Uses of the enum can be simplified to
boolean checks directly.

R=thibaudm@chromium.org

Change-Id: I7d9664203031ddd27f0bdcf318c637b4c00d9be8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2775705Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73565}

Change-Id: Icd46c44519a7cf524eba8a9ee3affdfb8f589bde
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2775716Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73564}

Related: https://chromium-review.googlesource.com/c/v8/v8/+/2682641

Bug: v8:7790, v8:11353
Change-Id: Iefbc154b8bc7659e98a0bf8090e2d0cfa78b7063
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773348Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73563}

The frame types to skip are only used in the constructor, hence pass
them as an initializer_list instead of template arguments.

R=thibaudm@chromium.org

Bug: v8:11384
Change-Id: I3ee57076a94514e5755f6f6541ebd9222306a634
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2775574Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73562}

This fixes a bug in which CompileTopLevel has a pending exception
that is never taken care of. This CL adds a check for the output
of CompileTopLevel and clears the pending exceptions if existent.

Also-by: bmeurer@chromium.org
Bug: chromium:1190290
Change-Id: Ieba537d5af78fc35475f9547c240c70850bea608
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773346
Commit-Queue: Kim-Anh Tran <kimanh@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73561}

Generic wasm wrappers are enabled by default now (since
https://crrev.com/c/2562241), so we can remove the flag from the
nooptimization variant. Instead, we should have a configuration which
tests --no-wasm-generic-wrapper to find bugs in the compiled wrappers
earlier.

Also add an entry for contradictory flags, and reformat that list to
respect the 80 columns limit.

R=machenbach@chromium.org
CC=ahaas@chromium.org

Bug: v8:10982
Change-Id: I780aaedbbf7fe761c39a41af1ff2db58c7447a76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773057Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73560}

If liveedit patches a script there might be a mismatch between
the bytecode on a stackframe and the bytecode on the JSFunction
for that same frame. This allows the patched bytecode on the
JSFunction to be flushed which breaks the invariant that all
JSFunctions with live stack activations are compiled. To prevent
this disable bytecode flushing when liveedit patches a script.

BUG=v8:11445

Change-Id: I79e7403dfb6dfc317d4313f8cab5118b12c67ed9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2775577
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73559}

Change-Id: Iad4e33df76ce95b7f5543496fe1d2d7239f33c30
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2775566
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73558}

This is a more canonical type name, and is in line with {kVoidCode}.

Change-Id: Iaae9524b6fb6ecaafd63ce81cf30e3d01ca3e525
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2775565
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73557}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/1cd0c0e..5fcedaa

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/873d111..999f35f

TBR=v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I4f283382cef4b9a7b88d7d2bdceffeabe13f8bd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2777123Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73556}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/ffb4c76..1cd0c0e

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/7caeed0..873d111

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/9629038..24cecab

Rolling v8/tools/luci-go: git_revision:4eef77dde582d6065203e3249dd80477391a7dd6..git_revision:92739fd8ab1f99ef55abfba4162eedb89fddfb7b

Rolling v8/tools/luci-go: git_revision:4eef77dde582d6065203e3249dd80477391a7dd6..git_revision:92739fd8ab1f99ef55abfba4162eedb89fddfb7b

Rolling v8/tools/luci-go: git_revision:4eef77dde582d6065203e3249dd80477391a7dd6..git_revision:92739fd8ab1f99ef55abfba4162eedb89fddfb7b

TBR=v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I23c1bb53ef5d826af3b830afc32a9602b256daf6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2777111Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73555}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/100ae19..ffb4c76

Rolling v8/third_party/aemu-linux-x64: ASZAw9q3qc9gzTTRn-mGL72ir5Z_qIi5GvZGRBYa4sMC..bhg2KKy6t2GgDqorzVeY1StsCo2DnehaEbW3S_o1r7gC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/c730dae..7caeed0

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/9757ad5..e58ece5

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/283bb29..9629038

Rolling v8/tools/luci-go: git_revision:ea8dc31395c76b2990112b29b02386628d795d2d..git_revision:4eef77dde582d6065203e3249dd80477391a7dd6

Rolling v8/tools/luci-go: git_revision:ea8dc31395c76b2990112b29b02386628d795d2d..git_revision:4eef77dde582d6065203e3249dd80477391a7dd6

Rolling v8/tools/luci-go: git_revision:ea8dc31395c76b2990112b29b02386628d795d2d..git_revision:4eef77dde582d6065203e3249dd80477391a7dd6

TBR=v8-waterfall-sheriff@grotations.appspotmail.com

Change-Id: I7bc3399786e6a623656446ba4bbbda8cf47be6ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2776651Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73554}

On SSE:

- use movaps (instead of movapd, movdqa)
- use movups (instead of movupd, movdqu)
- use andps (instead of andpd, pand)
- use andnps (instead of andnpd, pandn)
- use orps (instead of orpd, por)
- use xorps (instead of xorpd, pxor)

These *ps instructions are 1 byte shorter than the *pd or p*
instructions, and on systems without AVX, and most SSE-level processors
don't differentiate between integer and floating point domains.

For AVX systems, we use the instructions appropriate for the domain we
are operating in.

Related to b/175399220.

Bug: v8:11384
Change-Id: I332a2e741652f6c063ea1b84b0d9d41226d641ea
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773787Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73553}

Change-Id: I5bd0079eb81b962e03e475e48a7429933295f25a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2774564Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73552}

This CL implements
https://github.com/tc39/proposal-top-level-await/pull/159, which reached
consensus at the March 2021 TC39.

The high-level intent is for parent modules that depend on async modules
to remember the DFS post-order such that when their async dependency
finishes, they execute in that original post-order. This aligns the
ordering between completely sync module graphs and async module graphs.

Bug: v8:11557
Change-Id: I5bd8f38f040115c255ca1ce8253b9686fdb4af03
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2757901
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73551}

Bug: v8:11573
Change-Id: Iab32d07443298bcd39c470ad92c5ce6db0a2b580
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2770603
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73550}

This is a reland of 88c1ae95

Original change's description:
> s390x: [liftoff] implement CallRuntimeStub
>
> Change-Id: I505ea67af31006f3f233eef390f234cfc0188d6c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2774479
> Reviewed-by: Milad Fa <mfarazma@redhat.com>
> Commit-Queue: Junliang Yan <junyan@redhat.com>
> Cr-Commit-Position: refs/heads/master@{#73525}

Change-Id: Id5d0ece78533439870fdc6b000026fe04e576448
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2774561Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73549}

This allows to hold a constexpr (empty) "builder" object instead of
creating it for every use.

R=ahaas@chromium.org

Bug: v8:11384
Change-Id: Ib5e13c58e81a950bb5dd0e8eefe4021bc77d8b64
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773801
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73548}

Port 7e6fe4ea

Original Commit Message:

    Although the result was unused, these functions used to return a (often
    random) Node* to satisfy old restrictions of graph-builder-interface.
    Now that these restrictions are lifted, we can type them properly as
    {void}.

R=manoskouk@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N

Change-Id: Iabcc889af26ddb2325530dc78d15f5a8f4667387
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2775570
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73547}

StoreTaggedSignedField wasn't clearing the lower bits of a
field when writing a 32-bit Smi

Bug: v8:11420
Change-Id: I543a35001ca8a78490de2d09539b72f52749b198
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2775571
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73546}

Change-Id: I7dfe3005554286f2f6a83acc4019c3cf06f7f65c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2774058Reviewed-by: Milad Fa <mfarazma@redhat.com>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73545}

Although the result was unused, these functions used to return a (often
random) Node* to satisfy old restrictions of graph-builder-interface.
Now that these restrictions are lifted, we can type them properly as
{void}.

Change-Id: I914024240f3005bc8a8636ac33ed4594f5ae5988
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2767218
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73544}

Port 4b3371c6

Original Message:
  This will make it easier to generate builtin calls that require the
  context to be passed in that register, because this can be represented
  as a {LiftoffRegister} then.

Change-Id: I35f14d9f5460706ef1d51f39a7eb3afdf0979f9d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2764682Reviewed-by: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Junliang Yan <junyan@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73543}

If memory64 is enabled, memory.grow should consume and return an i64
instead of i32.
This CL implements this for both TurboFan and Liftoff, and adds
validation and execution tests at different layers.

R=manoskouk@chromium.org

Bug: v8:10949
Change-Id: I0b725dbd0d5767bda4609747c1f4aad163c35304
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773800Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73542}

This CL makes CTZ (count trailing zeros) and POPCOUNT (count set bits),
which are optional ops in the raw machine assembler, available in CSA.
A fallback exists for the case that they are not available.

This CL also adds the 64 bit version of the mandatory CLZ (count
leading zeros) op available.

Change-Id: I53cd6738b8ede8bd5842a83bb1161299824d39c9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2742207Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Frank Emrich <emrich@google.com>
Cr-Commit-Position: refs/heads/master@{#73541}

The initial implementation of {FixedSizeSignature} contains undefined
behaviour, because {InitReps} wrote to the {reps_} array before the
constructor of that array has been called.
This also resulted in bugs if {FixedSizeSignature} was used with types
that actually have a constructor (like {ValueType}). The array
constructor would call the default constructor on each contained
element, thus overwriting the values written by {InitReps}.

This CL fixes that by switching to a plain array, and only writing to
the array in the body of the constructor (after the field was properly
initialized).

It also removes the {Concat} method in favor or simply copying from two
input arrays in a private constructor.

Drive-by: Use proper constant names for the template parameters to
make cpplint happy.

R=ahaas@chromium.org

Bug: v8:11384
Change-Id: Id748c8fef3c846069f91843f74d0555ed8ca9fb7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773799Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73540}

The condition can change between VisitBranch and VisitIf, so VisitIf
can't assume that the condition is not yet in the ControlPathConditions
list. Thanks Manos!

Change-Id: Ic74253b6faf2663cfa5212765d81392cb89d73b9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773312Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73539}

This reverts commit 88c1ae95.

Reason for revert: illegal instruction

Original change's description:
> s390x: [liftoff] implement CallRuntimeStub
>
> Change-Id: I505ea67af31006f3f233eef390f234cfc0188d6c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2774479
> Reviewed-by: Milad Fa <mfarazma@redhat.com>
> Commit-Queue: Junliang Yan <junyan@redhat.com>
> Cr-Commit-Position: refs/heads/master@{#73525}

Change-Id: Ie464430bce6f768f38ebed193d10bbf0107a8484
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2774164Reviewed-by: Milad Fa <mfarazma@redhat.com>
Reviewed-by: Junliang Yan <junyan@redhat.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73538}

This is a reland of a3b1233e

Changes compared to original commit:
- Use a more canonical way to replace TrapIf/Unless nodes that always
  trap. This fixes the issue where their outputs were marked dead even
  if they were Merge/Loop nodes.
- Use Throw() over Return() to connect a dangling trap to End().
- Add regression test.

Original change's description:
> [turbofan] Optimize TrapIf/Unless in BranchElim. and CommonOp-Reducer
>
> Bug: v8:11510
> Change-Id: I1e8fcb54444e494c7d765ad556d09d954441361f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2752876
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73468}

Bug: v8:11510, chromium:1189454
Change-Id: I1d691a3ea299ed668cff925910ed231aad37cac6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2772601
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73537}

The `Script::source_url` field holds the value of the magic
`//# sourceURL` comment if found, and the `Script::name` field is
supposed to hold the actual name of the resource (as provided by
the embedder ideally), in case of Chromium that's supposed to be
the URL (in case of Node.js it's often the local path).

Using `source_url` worked by chance so far, but for loading DWARF
symbol files correctly we need the initiator (which we pick from
the embedderName of the Script as reported to DevTools). More
importantly, the partial handling of `//# sourceURL` in V8 is a
layering violation and causes trouble in DevTools, i.e. when users
put relative paths here. So as part of refactoring and correctifying
the handling of `//# sourceURL`, we need to make sure that the embedder
provided name (the URL in case of Chromium) is always stored in the
`Script::name` field.

Bug: chromium:1183990, chromium:974543, chromium:1174507
Change-Id: I32e11def2b9b52be11bd2e0e64a2ab6bdcf5e52d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773584
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73536}

This use of LR previously allowed overwriting it with arbitrary addresses
that aren't signed. Change this so we never return to an arbitrary LR.

Instead of loading the InterpreterTrampolineEntry address into LR directly,
use an ADR instruction to place into LR the address of a piece of code
that jumps to the InterpreterTrampolineEntry instead. This makes a difference
because BR is also constrained by BTI, whereas RET isn't.

An alternative would have been to `Call` instead of `Jump` to the target
bytecode and avoid the ADR instruction altogether, but I wanted to keep the
same behaviour with respect to the return stack that the existing code
exhibits.

Also add a comment to src/regexp/arm64/regexp-macro-assembler-arm64.cc for
a similar use of LR that should eventually be removed.

Bug: v8:10026
Change-Id: I24a13481f3fa416247dab8f9e5ae6f52f6b2ad42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2764761Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#73535}

Calls with a spread expression in a non-final position get transformed
to calls to Reflect.apply. This transformation is currently done in
the parser, which does not compose well with other features (e.g.
direct eval checking, optional chaining).

Do this transform in the BytecodeGenerator instead.

Bug: v8:11573, v8:11558, v8:5690
Change-Id: I56c90a2036fe5b43e0897c57766f666bf72bc3a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2765783
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73534}

When making inlining decisions in the JSInliningHeuristic, it's
possible that a Node is not a candidate on the first visit, but
becomes a candidate in later visits due to other node reductions.

These later visits should also result in the inlining decision being
made. Until now this was prevented by the visit aborting early since
the Node was added to the seen_ list on the first (unsuccessful)
visit.

This CL changes the seen_ insertion to happen only once a positive
inlining decision was made.

Change-Id: Ide7f6abd3c1d9759d7422fcd5ad9c7daff825795
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2764759
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73533}

`has_non_instance_prototype` can be modified in live objects. For the
native context's map that we serialize on the background this bit is
"set" but it doesn't change value (i.e. it is set to false when it was
already false).

Bug: v8:7790, v8:11575
Change-Id: I070c0f0e383250d0e3cb92065d1113662976cabf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2772609
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73532}

Restore of https://chromium-review.googlesource.com/c/v8/v8/+/2194012.
I changed it to be non-atomic and missed the fact that the concurrent
marker accesses the has_prototype_slot concurrently.

Bug: v8:7790, v8:11353
Change-Id: I292aeacb340b6340c40b633db2591c7d0cbca3bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2772608Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73531}