- 09 Jul, 2021 7 commits
-
-
Georg Neis authored
To get there, also:
  - Refactor AllocationSite serialization as necessary.
  - Make some accessors on AllocationSite atomic.
  - Add JSObjectRef::raw_properties_or_hash().
  - Eliminate use of IsFastLiteral in JSCallReducer. It isn't really needed there and we want to have only a single piece of code traversing boilerplates. (We still have a separate traversal in the serializer but that will be removed soon.)
  - Merge IsFastLiteral checks into JSCreateLowering's TryAllocateFastLiteral. Note: TryAllocateFastLiteral doesn't explicitly look at the boilerplate's elements kind beyond bailing out for DICTIONARY_ELEMENTS in the beginning. After that it looks only at the backing store instance type. There is no room for confusion because, while elements kind transitions can generally happen concurrently to TryAllocateFastLiteral, boilerplates can never transition to DICTIONARY_ELEMENTS (added a CHECK for that).
  - Slightly adapt CompilationDependencies and remove obsolete comments.
  - Fix JSHeapBroker::ClearReconstructibleData (clearing of Refs in stress mode) to exclude JSObjectRefs with extra data.

Bug: v8:7790 Change-Id: Iee1232d01e04bcd00db04d48f6e82064fce6ff62 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008894 Commit-Queue: Georg Neis <neis@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#75656}
-
Santiago Aboy Solanes authored
Wasm has the attribute sourceLineToBytecodePosition and adds the source lines via setSourceLineToBytecodePosition in which they are 0-based. Non-Wasm doesn't have that attribute and uses insertSourcePositions which is 1-based. In non-wasm we are being off by one. As a note, the sourcePositionsInRange call in insertSourcePositions doesn't return a list for Wasm since they rely on setSourceLineToBytecodePosition and therefore do not have that off-by-one error. Drive-by: Several elements have the same source position so update addHtmlElementToSourcePosition to handle more than one element. Drive-by: Renames due to having the same name but different capitalization, which was confusing. Bug: v8:7327 Change-Id: Ie8a066ca629054a5f5a754deec0ed1917bed2b33 Notry: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008634 Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#75655}
-
Benedikt Meurer authored
This is a bit odd, since `V8DebuggerScript::setBreakpoint()` is declared as pure virtual in the header file, and the actual implementation is inside the source file, in `ActualScript::setBreakpoint()`. So this is dead code that was somehow not detected as such by the C++ compiler. Bug: chromium:700516, chromium:1162229 Change-Id: Ifc7aa6926c21edbb0b6a5176a35711186c4958cb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3017801 Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Kim-Anh Tran <kimanh@chromium.org> Reviewed-by: Kim-Anh Tran <kimanh@chromium.org> Cr-Commit-Position: refs/heads/master@{#75654}
-
Michael Lippautz authored
Bug: chromium:1056170 Change-Id: I490653677ed610f52502b963ffc00eedcc526cd2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3014457 Reviewed-by: Anton Bikineev <bikineev@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#75653}
-
Dominik Inführ authored
Bug: v8:11966 Change-Id: I3e5fe6e9d53938793c7f66cd05b4dcfe3073c22f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3015568 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#75652}
-
Michael Achenbach authored
No-Try: true Bug: chromium:1226476 Change-Id: I844e634080a85377b1e4a72a7592b58cc81dfccd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3015569 Auto-Submit: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Liviu Rau <liviurau@chromium.org> Commit-Queue: Liviu Rau <liviurau@chromium.org> Cr-Commit-Position: refs/heads/master@{#75651}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/dc699aa..9d1af1f Rolling v8/buildtools/linux64: git_revision:31f2bba8aafa8015ca5761100a21f17c2d741062..git_revision:24e2f7df92641de0351a96096fb2c490b2436bb8 Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/096f6b4..e397699 Rolling v8/third_party/icu: https://chromium.googlesource.com/chromium/deps/icu/+log/a0718d4..b9dfc58 Rolling v8/third_party/zlib: https://chromium.googlesource.com/chromium/src/third_party/zlib/+log/00ade15..199485d Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/293314a..d0c5792 TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com Change-Id: I600e490a68dca613ff1ed23edfcd9ed7d213ba41 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3015145 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#75650}
-
- 08 Jul, 2021 28 commits
-
-
Michael Lippautz authored
GCInfoIndex cannot be used for a canonicalization of type names.

Example by omerkatz:

  struct A : public GCed<A>, public NameProvider {
    override const char* GetHumanReadableName() { return "A"; }
  };
  struct B : public A {
    override const char* GetHumanReadableName() { return "B"; }
  };

A and B will have the same GCInfoIndex but different type names.

Bug: chromium:1056170 Change-Id: I35b76a0d80498b8c39e3788f6c2556cdb29f3a7b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013311 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Omer Katz <omerkatz@chromium.org> Cr-Commit-Position: refs/heads/master@{#75649}
-
Milad Fa authored
Change-Id: I7174f13634112f9cc185fb422fb15cb6ea0b2dd5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3015517 Reviewed-by: Junliang Yan <junyan@redhat.com> Commit-Queue: Milad Fa <mfarazma@redhat.com> Cr-Commit-Position: refs/heads/master@{#75648}
-
Ross McIlroy authored
Now that TurboProp doesn't have an earlier interrupt budget, we should no longer be scaling the number of ticks required to OSR to TurboProp. BUG=v8:9684 Change-Id: Ie4d41e75df697e36e7fbc3f7bc8a8d0f24f6743a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3014462 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#75647}
-
Toon Verwaest authored
Leftover from removing interpreter intrinsics. Change-Id: I848c3ebd0706cb85126d5d7c3d5a6c97d97414b2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3015555 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#75646}
-
Patrick Thier authored
This is a reland of 819c3ae2

Original change's description:
> Reland "Reland "Improve error messages for property access on null/undefined""
>
> This is a reland of 8b18c5e6
>
> Original change's description:
> > Reland "Improve error messages for property access on null/undefined"
> >
> > This is a reland of 24c626c1
> >
> > Original change's description:
> > > Improve error messages for property access on null/undefined
> > >
> > > Only print the property name when accessing null/undefined if we can
> > > convert it to a string without causing side effects.
> > > If we can't, omit the property name in the error message.
> > > This should avoid confusion when the key is an object with toString().
> > > E.g. undefined[{toString:()=>'a'}] doesn't print 'read property [object
> > > Object]' anymore, which was misleading since the property accessed would
> > > be 'a', but we can't evaluate the key without side effects.
> > >
> > > Bug: v8:11365
> > > Change-Id: If82d1adb42561d4851e2bd2ca297a1c71738aee8
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960211
> > > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#75250}
> >
> > Bug: v8:11365
> > Change-Id: Ie2312337f4f1915faa31528a728d90833d80dbd1
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979599
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#75571}
>
> Bug: v8:11365
> Change-Id: I90360641ecd870bd93247aa6d91dfb0ad049cfb8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008219
> Auto-Submit: Patrick Thier <pthier@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75604}

Bug: v8:11365 Change-Id: I002b537144f328ccbbdcd655e26e5dc87c49c6f5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013935 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/master@{#75645}
-
Milad Fa authored
Most register and immediate inputs are 5 bits long and 0x1f is used as mask. Some immediates are byte sized in which case 0xff had to be used. Change-Id: Id7568732db9141743c839a2d1d21a27983547aba Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3009811 Reviewed-by: Junliang Yan <junyan@redhat.com> Commit-Queue: Milad Fa <mfarazma@redhat.com> Cr-Commit-Position: refs/heads/master@{#75644}
-
Victor Gomes authored
  - Fixes the size check to include Code::kHeaderSize.
  - Adds a DCHECK in NewEmptyCode.

Bug: v8:11872 Change-Id: I05156bbe42e7efa8aa0e1982c9e2166d7b09ef5b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3015055 Auto-Submit: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#75643}
-
Georg Neis authored
This is a reland of 8d3c8093 to make UBsan happy: memcopy (and therefore MemCopy) seems to expect a non-null src even when the given size is 0, so avoid calling it in that case.

Original change's description:
> [factory] Make NewByteArray return canonical empty byte array
>
> ... for length = 0, analogously to what e.g. NewFixedArray does.
>
> Simplify some call sites that had special handling for this case
> (there are others that didn't).
>
> Change-Id: Ib3de5506300e967aca072fad53df7ab04ef68839
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3009225
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75629}

Change-Id: Ib8dc471d63a4b11b846e9d436555a3615902b66f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3014456 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75642}
-
Victor Gomes authored
Port of https://chromium-review.googlesource.com/c/v8/v8/+/3009221 to ia32. Bug: v8:11872 Change-Id: Ic142a35a1961afebca3f59f493bc801a59cf4914 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3014460 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/master@{#75641}
-
Maya Lekova authored
The stack overflow used to occur when too many bound functions are nested. The CL also adds a regression test. Bug: chromium:1226264 Change-Id: I34329d8392d2385207dbd9a8d3188ad4f7cb3c2d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3011161 Commit-Queue: Maya Lekova <mslekova@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75640}
-
Andreas Haas authored
R=ecmziegler@chromium.org Change-Id: I90c7fbd1e963aaa063825d84ff6696a5534104b3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3014455 Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#75639}
-
Junliang Yan authored
Change-Id: I2b1adb84fb62b60e62229252dadbd4c9e4c8042e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3010322 Reviewed-by: Milad Fa <mfarazma@redhat.com> Commit-Queue: Junliang Yan <junyan@redhat.com> Cr-Commit-Position: refs/heads/master@{#75638}
-
Camillo Bruni authored
Setting promise hooks after running some promise-related code has hard to control side-effects that make correctness fuzzing difficult. Certain Promise functions are optimized and avoid creating intermediate Promises. Dynamically enabled Promise hooks combined with --force-slow-path, which would cause us to always create those intermediate Promises, will get us very different callbacks if the hooks are enabled half-way. The expected usage pattern is to only use setHooks if there are no pending promises, something that cannot be guaranteed for fuzzing. Bug: chromium:1202465 Change-Id: Ifa96f2db9c441b6f5da696b88a1c087160ec8eeb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013355 Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#75637}
-
Georg Neis authored
Optimize JSCallWithArrayLike with diamond speculation when probable arguments list is empty literal array

The JSCallWithArraylike can be replaced with a JSCall if its probable arguments list is an empty literal array. This replacement will introduce a deoptimization check to make sure the length of arguments list is 0 at runtime. This CL changes this optimization to a diamond speculation which may help avoid deoptimization once and keep the fast path.

This change may benefit the following use case:

  function calcMax(testArray) {
    Array.max = function(array) {
      return Math.max.apply(Math, array);
    };
    var result = [];
    for (var i = 0; i < testArray.length - 3; i++) {
      var positiveNumbers = [];
      for (var j = 0; j < 3; j++) {
        if (testArray[i + j] > 0) {
          positiveNumbers.push(testArray[i + j]);
        }
      }
      result.push(Array.max(positiveNumbers));
    }
    return result;
  }
  testArray = [-1, 2, 3, -4, -5, -6, -7, -8, -9, 10];
  for (var i = 0; i < 1000000; i++) {
    calcMax(testArray);
  }

Bug: v8:9974 Change-Id: I595627e2fd937527350c8f8652d701c791b41dd3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2967757 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75636}
-
Georg Neis authored
Bug: chromium:1226264 Change-Id: I270f09d33cd7a3bb795b79bae6ff1dbf41d11217 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013357 Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Maya Lekova <mslekova@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75635}
-
Victor Gomes authored
If we underestimate the size of the assembler buffer when compiling directly on the GC heap, we fallback to off-heap compilation and the Code object is incomplete in the memory. We know a Code object is incomplete when its relocation_info is undefined. Bug: v8:11872 Change-Id: I282fd442e0bf227d9d2cca5a47b3139030f5d64e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013937 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#75634}
-
Thibaud Michaud authored
Add an option to use Liftoff instead of the interpreter as the reference tier for fuzzing. The tier to use is chosen based on the input data before generating the module. This way, the module can use features depending on what is available in the reference tier, and we still get a chance to find correctness issues that would only be detected by the interpreter. R=clemensb@chromium.org Bug: v8:11856 Change-Id: I2e9878345355a37caec5fdb338dda42a84e8e63a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008645 Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#75633}
-
Clemens Backes authored
Trap handling is not implemented yet for memory64. Make sure that no code tries to use it, by setting {NativeModule::bounds_checks_} accordingly. This requires some changes to tests to make sure that the {WasmModule::is_memory64} field is set before creating the corresponding {NativeModule}. R=ahaas@chromium.org Bug: v8:10949 Change-Id: I11d9544b603fc471e3368bb4e7487da4711293a0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3011167 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#75632}
-
Clemens Backes authored
This reverts commit 8d3c8093.

Reason for revert: Fails on UBSan (nullptr on memcpy): https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan/17246/overview

Original change's description:
> [factory] Make NewByteArray return canonical empty byte array
>
> ... for length = 0, analogously to what e.g. NewFixedArray does.
>
> Simplify some call sites that had special handling for this case
> (there are others that didn't).
>
> Change-Id: Ib3de5506300e967aca072fad53df7ab04ef68839
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3009225
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75629}

Change-Id: I0cb1667b98a2f9285706c2623671d532419d1395 No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013358 Auto-Submit: Clemens Backes <clemensb@chromium.org> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#75631}
-
Victor Gomes authored
Adds a verification step when we're compiling on heap. Bug: v8:11872 Change-Id: Ic71dc2b54e667ed4d5d861b4b9c1e1c2362f9821 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013936 Auto-Submit: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#75630}
-
Georg Neis authored
... for length = 0, analogously to what e.g. NewFixedArray does. Simplify some call sites that had special handling for this case (there are others that didn't). Change-Id: Ib3de5506300e967aca072fad53df7ab04ef68839 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3009225 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75629}
-
Georg Neis authored
This is a reland of 036e5783. Key JSBoundFunctionRef methods have been changed to return an optional type, replacing the bogus always-true serialized() method.

Original change's description:
> [compiler] Make JSDataViewRef and JSBoundFunctionRef bg-serialized
>
> ... but keep/make subclass-specific methods do direct reads.
>
> Bug: v8:7790
> Change-Id: Ia4b9d207ce75cf28f6f0f33027ab05e27db49ce9
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2959621
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75457}

Bug: v8:11960, v8:7790 Change-Id: I1f29283b2fb6e5fe3644e2f4e33341fce2641775 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013313 Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#75628}
-
Georg Neis authored
The first CL https://chromium-review.googlesource.com/c/v8/v8/+/3010281 had a small mistake: the GC predicate alone doesn't yet guarantee that Ref creation will succeed (due to JSFunction still being fg-serialized). Bug: chromium:1227279, v8:11957, v8:7790 Change-Id: I81772baa66e0f778b92a03ea7941a199d92d4857 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013353 Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#75627}
-
Leszek Swirski authored
This reverts commit 819c3ae2.

Reason for revert: Sorry Patrick, still failing on some layout tests :( https://test-results.appspot.com/data/layout_results/mac-rel/726365/blink_web_tests%20%28retry%20shards%20with%20patch%29/layout-test-results/results.html

Original change's description:
> Reland "Reland "Improve error messages for property access on null/undefined""
>
> This is a reland of 8b18c5e6
>
> Original change's description:
> > Reland "Improve error messages for property access on null/undefined"
> >
> > This is a reland of 24c626c1
> >
> > Original change's description:
> > > Improve error messages for property access on null/undefined
> > >
> > > Only print the property name when accessing null/undefined if we can
> > > convert it to a string without causing side effects.
> > > If we can't, omit the property name in the error message.
> > > This should avoid confusion when the key is an object with toString().
> > > E.g. undefined[{toString:()=>'a'}] doesn't print 'read property [object
> > > Object]' anymore, which was misleading since the property accessed would
> > > be 'a', but we can't evaluate the key without side effects.
> > >
> > > Bug: v8:11365
> > > Change-Id: If82d1adb42561d4851e2bd2ca297a1c71738aee8
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2960211
> > > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#75250}
> >
> > Bug: v8:11365
> > Change-Id: Ie2312337f4f1915faa31528a728d90833d80dbd1
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979599
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Commit-Queue: Patrick Thier <pthier@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#75571}
>
> Bug: v8:11365
> Change-Id: I90360641ecd870bd93247aa6d91dfb0ad049cfb8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008219
> Auto-Submit: Patrick Thier <pthier@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75604}

Bug: v8:11365 Change-Id: I7d7c0f201288384c2aa38a51418b582a64213ae0 No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013352 Auto-Submit: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#75626}
-
Yoshisato Yanagisawa authored
According to go/kqovk, the builder name should be '(reclient)' instead of '- reclient'. Bug: chromium:1222951 Change-Id: I22e119d50fd48103f195bb03bc3ccc584a596e57 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3012340 Auto-Submit: Yoshisato Yanagisawa <yyanagisawa@chromium.org> Commit-Queue: Liviu Rau <liviurau@chromium.org> Reviewed-by: Liviu Rau <liviurau@chromium.org> Cr-Commit-Position: refs/heads/master@{#75625}
-
Georg Neis authored
This reverts commit 036e5783.

Reason for revert: crbug.com/1227279

Original change's description:
> [compiler] Make JSDataViewRef and JSBoundFunctionRef bg-serialized
>
> ... but keep/make subclass-specific methods do direct reads.
>
> Bug: v8:7790
> Change-Id: Ia4b9d207ce75cf28f6f0f33027ab05e27db49ce9
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2959621
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75457}

Bug: chromium:1227279, v8:7790 Change-Id: I4a77107c926ce3d99407d87a3160c2a555e6fbfe Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3013310 Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75624}
-
v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/8969ad2..dc699aa Rolling v8/buildtools: https://chromium.googlesource.com/chromium/src/buildtools/+log/fd3f3c1..2500c1d Rolling v8/buildtools/third_party/libc++/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxx/+log/8fa8794..79a2e92 Rolling v8/buildtools/third_party/libc++abi/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxabi/+log/d87a06d..cb34896 Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/ccc7ba2..293314a Rolling v8/tools/luci-go: git_revision:3501536c6f762461d322d6694711bb384ffce6f2..git_revision:6808332cfd84a07aeefa906674273fc762510c8c Rolling v8/tools/luci-go: git_revision:3501536c6f762461d322d6694711bb384ffce6f2..git_revision:6808332cfd84a07aeefa906674273fc762510c8c Rolling v8/tools/luci-go: git_revision:3501536c6f762461d322d6694711bb384ffce6f2..git_revision:6808332cfd84a07aeefa906674273fc762510c8c TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com Change-Id: I9e62582c0f092257334fe50e998baa7aeb7c46ec Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3010323 Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#75623}
-
QiuJi authored
Change-Id: I1e90914aba634579a39a269b9a92881d488d4299 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3005769 Commit-Queue: Brice Dobry <brice.dobry@futurewei.com> Reviewed-by: Brice Dobry <brice.dobry@futurewei.com> Cr-Commit-Position: refs/heads/master@{#75622}
-
- 07 Jul, 2021 5 commits
-
-
Michael Lippautz authored
  - Allows for differentiating committed and physical (resident) size on a page. This change merely adjusts the API surface and does not implement resident set size tracking.
  - Add object types on page level as well which helps diagnosing almost empty pages.

Bug: chromium:1056170 Change-Id: I64c69dc55873a0ce97d2064356bfcd957e10cbf9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3011164 Auto-Submit: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Omer Katz <omerkatz@chromium.org> Reviewed-by: Anton Bikineev <bikineev@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#75621}
-
Ng Zhi An authored
This makes jco on gdb behave the same as jco on lldb. Bug: v8:11879 Change-Id: Id6a338878d518984986d2b719588966ee09de3c6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3000956 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/heads/master@{#75620}
-
Clemens Backes authored
We had some (dead) logic to create different parameter values depending on the position of the parameter. As it was not used any more, it got removed in https://crrev.com/c/3003464. This CL changes the existing logic for creating default parameter values to use a similar logic, which matches what --wasm-fuzzer-gen-test creates and has a slightly higher chance of triggering interesting behaviour. R=ahaas@chromium.org Change-Id: Ibb4394c1978f25d70166a03002e084211bfe7e1e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3003465 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#75619}
-
Milad Fa authored
A few fixes are applied in this CL:
  1- Instructions which use UIM in V8 only use bits 16 to 19 inclusive.
  2- get_simd_register is set to return a reference and not a copy.
  3- On vector extract and insert instructions, UIM could be used to select specific bytes as starting point which may not reflect a lane. Vector splat uses UIM as a lane selector which remains unchanged in this CL.

Change-Id: Ieb43afb977dac11d3ea10a2f265c2823f64457e3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3011166 Reviewed-by: Junliang Yan <junyan@redhat.com> Commit-Queue: Milad Fa <mfarazma@redhat.com> Cr-Commit-Position: refs/heads/master@{#75618}
-
Junliang Yan authored
Change-Id: I2a131a783b99a0bfd6550d0032a594f2eb402421 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3009227 Reviewed-by: Milad Fa <mfarazma@redhat.com> Commit-Queue: Junliang Yan <junyan@redhat.com> Cr-Commit-Position: refs/heads/master@{#75617}
-