- 27 Aug, 2019 8 commits
-
-
Michael Starzinger authored
R=ahaas@chromium.org TEST=mjsunit/wasm/exceptions-global BUG=v8:8091 Change-Id: I9eb4c92cca087719afda2da5d11c206aaed28c95 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771788 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#63414}
-
Joyee Cheung authored
Previously variations of #constructor can be parsed when they are static. This patch throws early errors for them always. Bug: v8:8330 Change-Id: I51ab9b83f713c70d0896c0e8cab3282ef9a105f0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1770332 Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Joyee Cheung <joyee@igalia.com> Cr-Commit-Position: refs/heads/master@{#63413}
-
Dominik Inführ authored
InvalidatedSlotsCleanup::Free assumed that the size of invalidated objects was updated after sweeping a page and before allowing allocations again. This is now not the case anymore, so remove those CHECKs. Bug: chromium:997901 Change-Id: Ic9af7136bb336464b8cc023c7c1022a233f4e887 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771786 Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#63412}
-
Jakob Gruber authored
Prior to this CL, collected shared function infos with identical source ranges were sorted non-deterministically during coverage collection. This led to non-deterministically incorrectly-reported coverage due to an optimization which depended on the sort order later on. With this CL, we now sort shared function infos by the source range *and* call count. Bug: v8:6000,v8:9212 Change-Id: If8bf900727591e71dbd0df621e472a4303f3a353 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771776 Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#63411}
-
Leszek Swirski authored
Since we use Word32Equal with a (truncating) ReinterpretCast for pointer compressed TaggedEqual, we also have to allow it in the machine verifier. Change-Id: Ic16af837f03ebc51dde5bdc7f0c574b2aaf11909 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771784 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#63410}
-
Leszek Swirski authored
Using the tool again, the previous iteration accidentally ignored Node/TNode behind a typedef. Automatic replacement of types with manual cleanup/addition of CASTs where necessary. Bug: v8:9396 Change-Id: I33b6d229669cb80586d5d8e82c04542df671f0b9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768367 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#63409}
-
Michael Starzinger authored
This makes sure that all encodings of a table index are based upon a single implementation in the {TableIndexImmediate} class. It also fixes one encoding that wasn't extended to support u32v yet. R=ahaas@chromium.org TEST=unittests/WasmOpcodeLengthTest.VariableLength Change-Id: If24b6dc5e303d2d9e1e91cb2640c7c13eac40198 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768375 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#63408}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/e3f4298..3f22131 Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/1078fdd..7ad424d Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/31f187e..0e5fff1 TBR=machenbach@chromium.org,tmrts@chromium.org Change-Id: Idd7c0eed9e9e090d9d45448e0b6dfd52583f0928 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771344 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#63407}
-
- 26 Aug, 2019 16 commits
-
-
Z Nguyen-Huu authored
RegExpPrototypeDotAllGetter, RegExpPrototypeGlobalGetter, RegExpPrototypeIgnoreCaseGetter, RegExpPrototypeMultilineGetter, RegExpPrototypeStickyGetter, RegExpPrototypeUnicodeGetter. Bug: v8:8976 Change-Id: I2a5c19256cacc2438a6b40516565960f5c847205 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1764491 Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#63406}
-
Ng Zhi An authored
This off-by-1 error surfaces when the load/store opcodes take up 2 bytes, which is the case for v128.load and v128.store SIMD operations. Bug: v8:9015 Change-Id: Ife17375ed3450a95399b326bc6415dbc3ed3773b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769480 Commit-Queue: Zhi An Ng <zhin@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#63405}
-
Frank Tang authored
Bug: v8:9642 Change-Id: I2dcd1c0e3c208b15b5c0ec0f08880744134f7474 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769479 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/master@{#63404}
-
Toon Verwaest authored
By marking maps detached from the transition tree as prototypes, we'll automatically stop tracking transitions from those detached fast maps. That allows us to quickly check whether a map is detached (or the initial map anyway); and saves memory. We can use this information to ignore sibling type feedback when parsing a JSON array with many distinctly shaped json objects. Bug: chromium:993980 Change-Id: I86d493ac2cabec2c31c6e322ad5c5a7ace059dfc Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1771778 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#63403}
-
Leszek Swirski authored
For stores with Double feedback, StoreIC needs to check that the representation is still Double before doing the store, in case it accidentally tries to write to an object or worse, mutate a non-mutable HeapNumber. Bug: v8:9606 Bug: chromium:997485 Change-Id: I51e0953b40f752648c5e86b8644c23baf636367e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768373 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#63402}
-
Zhou, Zhiguo authored
This CL adds a new class WasmModuleSourceMap for source map support of WasmModule, which maps C/C++ source code to WASM bytecode. Via this support, V8 can build a direct map of source code and JITted code and inform profilers of it, thus the source-code-level profiling information is presented. Change-Id: I346f6216809ce4f3bf8b27f1e839dd4efdb00ead Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708029 Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Zhiguo Zhou <zhiguo.zhou@intel.com> Cr-Commit-Position: refs/heads/master@{#63401}
-
Jakob Kummerow authored
Host info used to be stored on the global reference underlying a Ref; now it is stored in a JSWeakMap and hence tied to the lifetime of the actual object on V8's heap. Additionally, the internal metadata needed for C-API functions is now stored on the SharedFunctionInfo and no longer overlaps with the host info mechanism. Bonus content: Roll 6db391e: Remove a few more leftover uses of _enum types Change-Id: Ibb1fa4b0dd5157fef15c030bac705a11aa3beaea Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768368 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#63400}
-
Yang Guo authored
R=sigurds@chromium.org Bug: chromium:997469 Change-Id: I83c8a50a5626b3e4679ff7977474d495cdbf7e90 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768369 Commit-Queue: Yang Guo <yangguo@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#63399}
-
Leszek Swirski authored
Forbid using LoadRoot in CSA (with a bailout via CodeAssembler), so that users are forced to use helper macros for roots, which have statically known types. Convert all current uses of LoadRoot to use these macros, introducing new ones where necessary. Bug: v8:9396 Change-Id: I91214fca6e5ace7554d79605706a8a60117468fa Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1762526 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#63398}
-
Sigurd Schneider authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/8528a36..e3f4298 Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/2662d14..1078fdd Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/940c282..31f187e Rolling v8/third_party/googletest/src: https://chromium.googlesource.com/external/github.com/google/googletest/+log/fb49e6c..ed2eef6 Rolling v8/third_party/icu: https://chromium.googlesource.com/chromium/deps/icu/+log/2b2ee71..952ccb9 Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/656fd11..2ddb2b2 This required porting fuchsia related changes from https://chromium.googlesource.com/chromium/src/+/9c4748c8106196fa5f8a13cbd958fbf9e9aadddd over to this CL. TBR=machenbach@chromium.org,tmrts@chromium.org Change-Id: I2b3b81151c3023d67e970170191e6d5078970a7e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768795 Reviewed-by: Tamer Tas <tmrts@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Commit-Queue: Tamer Tas <tmrts@chromium.org> Cr-Commit-Position: refs/heads/master@{#63397}
-
Dominik Inführ authored
Introduce list of invalidated objects for old-to-new slots. Objects are registered as invalidated in NotifyObjectLayoutChange, however no slots are filtered right now. Slots are still deleted, so all recorded slots are valid. Always treat old-to-new slots in free space as valid. With old-to-new slots, invalid ones are still cleared. Bug: v8:9454 Change-Id: I18c65fdaccdb651f4124d36861105ce4e8af0fad Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768357 Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#63396}
-
Tobias Tebbi authored
Changes in the reland: Rebased and added a check that JavaScript-linkage builtins use JSAny in parameters and return type, plus the necessary cleanups for this test to pass. Design Doc: https://docs.google.com/document/d/1z6j0pWHnNIfId0v00uWN2HBrGRDJxJfYuCr5K7Kr1xA This reverts commit 4418a7b9. Original change's description: > Revert "[torque] introduce JSAny type for user-accessible JavaScript values" > > This reverts commit 79b00555. > > Reason for revert: needs more discussion > > Original change's description: > > [torque] introduce JSAny type for user-accessible JavaScript values > > > > This CL introduces a JSAny type for user-exposed JavaScript values and > > a few new types to define it. Especially, it splits Symbol into > > PrivateSymbol (not exposed) and PublicSymbol (JavaScript exposed > > symbols). > > > > The change is mostly mechanical, but a few things are interesting: > > - PropertyKey and JSPrimitive were designed to coincide with the spec > > notions of IsPropertyKey() and primitive value, respectively. > > - Since Name is an open type, we define AnyName to be the known > > subtypes of Name. This is not too elegant, but by using AnyName > > instead of Name, typeswitch can properly conclude something if a > > subtype of Name is excluded. > > > > Small drive-by changes, which were necessary: > > - Allow subtyping on label parameters. > > - Fix the formatting of typeswitch, it was broken with union types > > in case types. 
> > > > Bug: v8:7793 > > Change-Id: I14b10507f8cf316ad85e048fe8d53d1df5e0bb13 > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1735322 > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org> > > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#63114} > > TBR=neis@chromium.org,jgruber@chromium.org,tebbi@chromium.org > > Change-Id: Ifde7881d74afe407628f40047997339d54cb2424 > No-Presubmit: true > No-Tree-Checks: true > No-Try: true > Bug: v8:7793 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1741652 > Reviewed-by: Tobias Tebbi <tebbi@chromium.org> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org> > Cr-Commit-Position: refs/heads/master@{#63115} TBR=neis@chromium.org,jgruber@chromium.org,tebbi@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: v8:7793 Change-Id: Icca34e3824f55009b984d9348fd21884400f0081 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769316 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#63395}
-
Tobias Tebbi authored
The generation of TFJ declarations for non-vararg JavaScript-linkage builtins was very broken. Now it works as it should: the explicit parameters correspond to normal JavaScript parameters. Bug: v8:7793 Change-Id: I9fa0bdd45f8c4b678d4f0436af3e9b53cba69475 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769317 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#63394}
-
Leszek Swirski authored
Wrap the obj and method registers in BuildGetIterator in a register allocation scope, so that they don't get materialised before the JumpIfJSReceiver jump if they don't have to. Bug: v8:9649 Change-Id: I8dfdd06a23c396124c495b5cb83c078080f1a7c9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768583 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#63393}
-
Andreas Haas authored
As described in https://docs.google.com/document/d/1hB8mpWmzmtaxZ8PuJEkAWLwFqXTjrw7mJ3Ge9W1dB4E, we want to enable --wasm-staging for libfuzzer fuzzers to increase test coverage of new feature implementations. As discussed in https://docs.google.com/a/chromium.org/document/d/1hB8mpWmzmtaxZ8PuJEkAWLwFqXTjrw7mJ3Ge9W1dB4E/edit?disco=AAAADPrjhdA, this has to be done in our implementations manually. R=thibaudm@chromium.org Bug: v8:9601 Change-Id: Iab35af75bb71b6fca697ab7e4ac37b04e1d6da35 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768581 Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#63392}
-
Maya Lekova authored
This is a reland of 8ff8ddba Original change's description: > [turbofan] Further brokerize BytecodeGraphBuilder > > Replace all usages of VectorSlotPair with FeedbackSource. > > Bug: v8:7790 > Change-Id: I0ac6e9cd8f5730154cc1842e267ca1ebfdebc874 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763536 > Commit-Queue: Maya Lekova <mslekova@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Cr-Commit-Position: refs/heads/master@{#63378} Bug: v8:7790 Change-Id: I54fbf4433a65681780fda4ded09ec2d145d36ec1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768361 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#63391}
-
- 25 Aug, 2019 1 commit
-
-
Dominik Inführ authored
This reverts commit 604b0e1e. Reason for revert: Clusterfuzz found an issue. Original change's description: > [heap] Introduce old-to-new invalidation set > > Introduce list of invalidated objects for old-to-new slots. Objects > are registered as invalidated in NotifyObjectLayoutChange, however > no slots are filtered right now. Slots are still deleted, so all > recorded slots are valid. > > Bug: v8:9454 > Change-Id: Ic0ea15283c4075f4051fae6a5b148721265339f7 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1765528 > Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Cr-Commit-Position: refs/heads/master@{#63367} TBR=ulan@chromium.org,dinfuehr@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: v8:9454 Change-Id: Ic898db38f297824aa54744123f85cd75df957159 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1770676 Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#63390}
-
- 24 Aug, 2019 1 commit
-
-
Joey Gouly authored
ChangeTaggedSignedToInt32(ChangeCompressedSignedToTaggedSigned((x)) -> ChangeCompressedSignedToInt32(x) This pattern shows up in the Octane Richards benchmark (on arm64): sxtw x11, w10 asr w11, w11, #1 This patch will remove the sxtw. ChangeCompressedSignedToInt32(CheckedInt32ToCompressedSigned(x)) -> x This pattern shows up in the Octane Richards benchmark (on arm64): adds w10, w10, w10 b.vs #+0x1118 asr w11, w10, #1 stur w10, [x6, #19] cmp w11, #0x1a This patch will remove the asr, and produce: adds w11, w10, w10 b.vs #+0x1108 stur w11, [x6, #19] cmp w10, #0x1a Bug: v8:7703 Change-Id: I5843e0a4f723b202857ee86130f835cd048d7e31 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763529 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org> Commit-Queue: Rodolph Perfetta <rodolph.perfetta@arm.com> Cr-Commit-Position: refs/heads/master@{#63389}
-
- 23 Aug, 2019 14 commits
-
-
Shu-yu Guo authored
- Rename FunctionLiteral::FunctionType to FunctionSyntaxKind. - Re-express IsWrappedBit, IsDeclarationBit, IsAnonymousExpressionBit, and IsNamedExpressionBit in SFI::flags as FunctionSyntaxKind. This frees up 1 bit in SFI::flags. - Re-express the analogous bits in ParseInfo as FunctionSyntaxKind. - Simplifies some logic in the back-and-forth passing of this info between SFI and ParseInfo. - Drive-by fix parsing class member initializations as kAccessorOrMethod. Bug: v8:9644 Change-Id: I6c165d5016d968f5057a32136385ddcdc4a46ef1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1767263 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/master@{#63388}
-
Bill Budge authored
This reverts commit 8ff8ddba. Reason for revert: Causes failures on GC Stress and TSan: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20gc%20stress/24138 https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN/27969 Original change's description: > [turbofan] Further brokerize BytecodeGraphBuilder > > Replace all usages of VectorSlotPair with FeedbackSource. > > Bug: v8:7790 > Change-Id: I0ac6e9cd8f5730154cc1842e267ca1ebfdebc874 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763536 > Commit-Queue: Maya Lekova <mslekova@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Cr-Commit-Position: refs/heads/master@{#63378} TBR=neis@chromium.org,mslekova@chromium.org Change-Id: Ieb6fb24dd0626fd9eb2183844614ac5b3c8084e8 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:7790 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769287 Reviewed-by: Bill Budge <bbudge@chromium.org> Commit-Queue: Bill Budge <bbudge@chromium.org> Cr-Commit-Position: refs/heads/master@{#63387}
-
Joshua Litt authored
This reverts commit 9460101c. Reason for revert: Causes confusion on Blink side, as it introduces an object with >=2 internal fields that is not a wrapper (see bug). Bug: chromium:996681 Change-Id: I275b5a064a4ee8c73c05f97be322924a3bc5370e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1769148 Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Joshua Litt <joshualitt@chromium.org> Cr-Commit-Position: refs/heads/master@{#63386}
-
Georg Schmid authored
Even when a field is marked const, we may emit multiple consecutive in-literal stores to that field. That is, in 'JSNativeContextSpecialization::BuildPropertyStore', when the access mode is 'kStoreInLiteral' and we are accessing a const field, we may produce a StoreField node, even though another StoreField (that stores something other than 'Uninitialized') to the same const field dominates it. This appears to be sound, since earlier stores to literals cannot be observed anyways. Unfortunately this behavior conflicts with the double const store invariant in load elimination: Roughly speaking, we assume that load elimination may never observe two consecutive const stores to the same field on the same object. The apparent solution would be to treat 'kStoreInLiteral' accesses like regular 'kStore' accesses: For consecutive stores to const properties we don't emit StoreField, but instead emit code that checks whether the value about to be written is equivalent to the previously written one, and otherwise deopt ('DeoptimizeReason::kWrongValue'). Unfortunately this turns out impractical, since for 'kStoreInLiteral' accesses we can't easily decide whether we're dealing with the first such store or one of the consecutive ones. Also see this abandoned CL: https://chromium-review.googlesource.com/c/v8/v8/+/1762020. This CL instead adds an exception to the invariant in load elimination. We track whether a store arose from a 'kStoreInLiteral' access, and use this information when visiting StoreField nodes in load elimination. R=neis@chromium.org, tebbi@chromium.org Bug: chromium:987205 Change-Id: I8829752aa0637e9599677d20aad2d706d40d7fe6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763535 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Georg Schmid <gsps@google.com> Cr-Commit-Position: refs/heads/master@{#63385}
-
Ng Zhi An authored
Bug: v8:8460 Change-Id: If7fd1a497b2a3b74b921e175491233be884d574b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1749713 Reviewed-by: Bill Budge <bbudge@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/heads/master@{#63384}
-
Andreas Haas authored
This reverts commit dc1cc223. Reason for revert: This was already reverted in https://crrev.com/c/1768897, but the revert did not work. Original change's description: > [regexp] Only append to JSRegExpResult's initial map if we add descriptor > > Before this cl, we always added slack to JSRegExpResult's initial_map. > However, this is incorrect. Now we only add slack to JSRegExpResult's initial map > if we intend to actually append the indices descriptor. > > Bug: chromium:996099 > Change-Id: Iac23e92415a9b60409915ff1de9634326ed109c5 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763064 > Commit-Queue: Joshua Litt <joshualitt@chromium.org> > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Cr-Commit-Position: refs/heads/master@{#63297} TBR=jgruber@chromium.org,joshualitt@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: chromium:996099 Change-Id: I0c5df2165a3613f72bbcf674337f6f22f4506d90 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768585 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#63383}
-
Ng Zhi An authored
Bug: v8:9396 Change-Id: Ic183418c83367efe430396bd39a02fa900c193d2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1764488 Reviewed-by: Bill Budge <bbudge@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/heads/master@{#63382}
-
Z Nguyen-Huu authored
StringAdd_ConvertRight and StringAdd_ConvertLeft Change-Id: I7d4c560dd53e445ad73f374824ec6fddcce6a641 Bug: v8:8996 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1756853 Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#63381}
-
Yang Guo authored
Running microtasks with exceptions scheduled violates various invariants within the microtasks code. Bug: v8:9652 Change-Id: I78c868feed5b742e225cad19e55216f0ef250af4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1767261 Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Andrey Kosyakov <caseq@chromium.org> Cr-Commit-Position: refs/heads/master@{#63380}
-
Andreas Haas authored
This reverts commit 5db04cc0. Reason for revert: <INSERT REASONING HERE> Original change's description: > Revert "[regexp] Only append to JSRegExpResult's initial map if we add descriptor" > > This reverts commit dc1cc223. > > Revert "[regexp] Implement the match indices proposal" > > This reverts commit 9460101c. > > Reason for revert: Causes confusion on Blink side, as it introduces > an object with >=2 internal fields that is not a wrapper (see bug). > > Bug: chromium:996681 > Change-Id: I5c167e9e15bfbec2aa6b843e3063ead5d52fb26c > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768897 > Commit-Queue: Sigurd Schneider <sigurds@chromium.org> > Reviewed-by: Yang Guo <yangguo@chromium.org> > Reviewed-by: Sigurd Schneider <sigurds@chromium.org> > Cr-Commit-Position: refs/heads/master@{#63376} TBR=yangguo@chromium.org,sigurds@chromium.org,joshualitt@chromium.org Change-Id: Ic58fc3fc83faaf86bd895da29eacb7d51c443beb No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:996681 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768584 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#63379}
-
Maya Lekova authored
Replace all usages of VectorSlotPair with FeedbackSource. Bug: v8:7790 Change-Id: I0ac6e9cd8f5730154cc1842e267ca1ebfdebc874 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763536 Commit-Queue: Maya Lekova <mslekova@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#63378}
-
Sigurd Schneider authored
With this CL, a function that has been marked for deoptimization will not be reported as optimized. This protects against potential races where an mjsunit tests assertUnoptimized, and the optimized code for the function has been marked for deoptimization, but not been disposed of yet. The potential for this race has been discovered in the context of bug v8:9563, but this CL is not a fix for that bug. Change-Id: I89d8aa85f19033e6b823324b3307b95d61367147 Bug: v8:9563 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1763543 Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#63377}
-
Joshua Litt authored
This reverts commit dc1cc223. Revert "[regexp] Implement the match indices proposal" This reverts commit 9460101c. Reason for revert: Causes confusion on Blink side, as it introduces an object with >=2 internal fields that is not a wrapper (see bug). Bug: chromium:996681 Change-Id: I5c167e9e15bfbec2aa6b843e3063ead5d52fb26c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768897 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#63376}
-
Sigurd Schneider authored
Change-Id: I9988ea2dfeccbfaa9e0197920703ab430a43acb7 Bug: v8:7327 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1674026 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Daniel Clifford <danno@chromium.org> Cr-Commit-Position: refs/heads/master@{#63375}
-