This reverts commit 71f9c117.

Reason for revert: Seems to cause several TSan flakes, e.g. https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20concurrent%20marking/12926

Original change's description:
> Reland "[runtime] Amortize descriptor array growing for fast-mode prototypes"
> 
> This is a reland of 2de2d3dc
> 
> Original change's description:
> > [runtime] Amortize descriptor array growing for fast-mode prototypes
> >
> > This avoids an O(n^2) algorithm that creates an equal amount of garbage.
> > Even though the actual final descriptor array might be a little bigger,
> > it reduces peak memory usage by allocating less.
> >
> > Bug: b:148346655
> > Change-Id: I984159d36e9e0b37c19bc81afc90c94c9a9d168a
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135728
> > Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#67031}
> 
> Bug: b:148346655, v8:10339
> Change-Id: I24436d8f49dc1fe527c4f6558db1abcba323b6f8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2139215
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Auto-Submit: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67475}

TBR=ulan@chromium.org,ishell@chromium.org,verwaest@chromium.org

Change-Id: I6fa02d0c89557eae33b792c1fe62c9c15eb0f7c7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: b:148346655, v8:10339
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172749Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67478}

Add a test to stop at a trap, inspect values, and step from there.
For inspection, we need to spill all registers, which we usually don't
do because the trap never returns, so the values won't be used
afterwards.

R=thibaudm@chromium.org

Bug: v8:10235
Change-Id: Ia1c21aa0faa3ca656e40aae626e8e912eaf2c233
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169890Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67477}

The output generated by --wasm-fuzzer-gen-test did not pass the
presubmit check:

* There was a trailing whitespace after "body";
* There was a trailing newline at the end;

Additionally the signature of addElementSegment changed at some point
and now also takes a table-index parameter.

R=thibaudm@chromium.org

Bug: v8:10155
Change-Id: I77481b0ac810a0e3ff06df24afa3ae22beaebb77
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172744Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67476}

This is a reland of 2de2d3dc

Original change's description:
> [runtime] Amortize descriptor array growing for fast-mode prototypes
>
> This avoids an O(n^2) algorithm that creates an equal amount of garbage.
> Even though the actual final descriptor array might be a little bigger,
> it reduces peak memory usage by allocating less.
>
> Bug: b:148346655
> Change-Id: I984159d36e9e0b37c19bc81afc90c94c9a9d168a
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135728
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67031}

Bug: b:148346655, v8:10339
Change-Id: I24436d8f49dc1fe527c4f6558db1abcba323b6f8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2139215Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67475}

Port 22242cb1

R=jing.bao@intel.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I4bd073cda333620694d2d191ac1953976635efc4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2171926Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#67474}

With this CL the registers in a register pair get ordered such that the
low word register always has a lower register code than the high word
register. This should allow easier reasoning about the register
allocation, and prevent some register allocation bugs.

Background: for many operations in Liftoff, input registers are reused
as output registers. With register pairs, input register pairs are
reused as output register pairs. Additional reasoning, and sometimes
even additional code is needed when the registers of the output register
pair are swapped, i.e. when the high word register of the input becomes
the low word register of the output. With this CL the additional
reasoning is not necessary anymore, as the high word and low word
registers would get swapped during register allocation.

Additionally this CL fixes the logic of the last_spilled_regs list. This
list stored the last spilled registers, but recorded only one of the two
registers of a register pair. With this CL, both registers get recorded.

This CL does not have a regression test. The regression test was more
than 9000 lines long, and quite slow. I was not able to minimize it
substantially. The test would be fragile by nature, as it has to create
a special register configuration or otherwise does not test anything
meaningful. All in all I think it's better not to add the test.

R=clemensb@chromium.org

Bug: chromium:1074586
Change-Id: I4b2475b0c6537c7ce2e51fee281388cdd85f2953
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2168875Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67473}

Motivation:
Improve code efficiency by replacing runtime calls with manually
written turbofan code where possible.

Changes:
- Remove the runtime functions `Runtime_WasmNewMultiReturnFixedArray`
  and `Runtime_WasmNewMultiReturnJSArray` and replace them with
  turbofan code.
- Introduce the builtin function `WasmAllocateJSArray`.

R=clemensb@chromium.org
R=ecmziegler@chromium.org
R=jkummerow@chromium.org

Change-Id: Idc0db39286c4242392c0422919bbc8fd7bedf2af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2143816Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67472}

Access literal data directly in CallPrinter, rather than allocating
their values. This allows us to remove the isolate member from
CallPrinter entirely.

Change-Id: Ib4203009c86b6778ee843e8956fc7cee2214841e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2122019Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67471}

The original motivation of the test case is long outdated, and it
has been repurposed. Making some cosmetic changes to clarify.

R=szuend@chromium.org

Fixed: v8:10455
Change-Id: I02c2e6f83d3475478efd37dbe834fca5d415b829
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172419
Commit-Queue: Yang Guo <yangguo@chromium.org>
Auto-Submit: Yang Guo <yangguo@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67470}

Port 22242cb1
https://crrev.com/c/2169026

Change-Id: I76f8639d4d939924db13e69eb366ac064eef447c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172364Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#67469}

To reduce the number of deoptimizations in TurboProp use call feedback
only when we know the call target is a builtin. Given that we don't
inline in TurboProp, call feedback isn't really useful and using Generic
lowering doesn't impact performance much. TurboProp still inlines
builtins, so it is important to use this feedback for generating better
optimized code.

BUG: v8:10431
Change-Id: I24d51e43728f9aea3099767deb7800119fea40e2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2116033
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67468}

arguments[i] already returns undefined if arguments is not large
enough.

BUG=v8:10468

Change-Id: I0755014d0f1b61d5e3e2069ef4d14a9b51f2ebee
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170092Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67467}

Hole checks are done using a lower level comparison.

Change-Id: I61c5b787f12564ad3553d395a36938a00f5dd554
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172418
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67466}

We don't have mips32 CPU or 32-bits OS, so we are not going to implement
these functions on mips32.

Change-Id: Ie37e5cea360526a82bbbc52ec3933d74c32fea6d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2167741Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Cr-Commit-Position: refs/heads/master@{#67465}

This is a reland of 43b885a8
This fixes another signed overflow in the unit test.

Original change's description:
> Reland "[turbofan][csa] optimize Smi untagging better"
>
> This is a reland of ff22ae80
>
> Original change's description:
> > [turbofan][csa] optimize Smi untagging better
> >
> > - Introduce new operator variants for signed right-shifts with the
> >   additional information that they always shift out zeros.
> > - Use these new operators for Smi untagging.
> > - Merge left-shifts with a preceding Smi-untagging shift.
> > - Optimize comparisons of Smi-untagging shifts to operate on the
> >   unshifted word.
> > - Optimize 64bit comparisons of values expanded from 32bit to use
> >   a 32bit comparison instead.
> > - Change CodeStubAssembler::UntagSmi to first sign-extend and then
> >   right-shift to enable better address computations for Smi indices.
> >
> > Bug: v8:9962
> > Change-Id: If91300f365e8f01457aebf0bd43bdf88b305c460
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2135734
> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Georg Neis <neis@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#67378}
>
> Bug: v8:9962
> Change-Id: Ieab0755806c95fb50022eb17596fb0c95f36004c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170001
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67430}

Bug: v8:9962
TBR: neis@chromium.org
Change-Id: I79883db546bf37873b3727b8023ef688507091d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169103
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67464}

Follow-up to https://chromium-review.googlesource.com/c/v8/v8/+/1947688,
which unhid the third_party/jsoncpp directory, but the source subdir is
still synced via gclient so needs hiding.

Change-Id: Ica6f7e63e92dd9fa5a460e844a7d273f2ebe109c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169102
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67463}

This is a reland of 6a0e7224

Original change's description:
> [regexp] Limit the size of inlined choice nodes
>
> Codegen for unicode property escapes (e.g.: /\p{L}/u) can produce huge
> code objects. This effect can be further magnified through inlining,
> leading to exponential code growth in the size of the pattern.
>
> This CL is a (fairly hacky) way to avoid exponential growth. We
> recognize choice nodes with 'many' choices and disable inlining for
> them. In the future we should fix this properly, either by using the
> code size budget correctly, or by improving codegen for property
> escapes.
>
> Bug: v8:10441
> Change-Id: I817f145251ec8b1b9906cc735c9e9bdb004c98ed
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170229
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67433}

Tbr: yangguo@chromium.org
Bug: v8:10441
Change-Id: I9a16cc9e8248cb46d3d16a4e2d250968cc1b7b39
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172679Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67462}

Bug: v8:9909
Change-Id: Ic75c75fa3693a59bf059cf852172900ad95a1941
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169026
Commit-Queue: Jing Bao <jing.bao@intel.com>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67461}

Bug: v8:9909
Change-Id: Id16bc151fd76febabb05987eebf2f2e1ae357b2e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169025Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Zhiguo Zhou <zhiguo.zhou@intel.com>
Cr-Commit-Position: refs/heads/master@{#67460}

The worklist in this CL is a merge of the worklists of Oilpan and V8. This implementation supports both use cases and should serve as the shared worklist once we start merging the codebase.

Bug: chromium:1056170
Change-Id: I4ecdb475f3900c33eced9249efa112a69c1b2707
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170828Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67459}

HeapVisitor is a simple visitor implementing both visitation and accept
interfaces. HeapVisitor is aimed to replace functions that traverse the
heap in Blink: PrepareForSweep, Sweep, FinalizeSweep, MakeConsistentForGC,
ObjectPayloadSize, VerifyObjectStartBitmap, CollectStatistics, etc.

This CL also introduces a Heap::ObjectPayloadSize function.

Bug: chromium:1056170
Change-Id: I85a2b8b572486bea29704fc436b002d8f7405201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2165733
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67458}

Bug: v8:10180
Change-Id: I58df9f445a67c35b352f5a3058fd8e40d04a3eb0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2168548Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67457}

Creates a new large-spaces.h and large-spaces.cc to contain
LargeObjectSpace and subclasses.

Bug: v8:10473
Change-Id: Ifdb4eac9df5c8213f992d549e04b612b62f6df0b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170826
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67456}

Prepare for pointer compression changes

Change-Id: I8ec56ac65194f1f89f2803af155d5bec520a569f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2171036
Auto-Submit: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Milad Farazmand <miladfar@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#67455}

Since ES6, optional arguments are treated the same as undefined. This
was recently cleaned up in https://github.com/tc39/ecma262/pull/1411.
The current Torque implementation of %TypedArray%.from incorrectly
interpreted the old (and confusing) language of a parameter being "not
present" as testing using arguments.length instead of testing directly
for undefined.

Bug: v8:10458
Change-Id: I055f1fa3be570a31a4f7369ba5b51b7d6b022f0a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2168674
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67454}

When creating a filler, we pass through whether we need to clear slots
in the old to new remembered set.

This patch adds a verification check that, when we claim we don't need
to clear slots, checks that no slots are set in the remembered set for
the range of the filler. Effectively, this is a range counterpart to
VerifyClearedSlot.

Change-Id: Id994c56d941988cc282463304bc7307a51943e99
Bug: chromium:1075999
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2139572
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67453}

Bug: v8:9909
Change-Id: I7f32769ad85d05e91a39782816f1c2da042454a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169017Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67452}

Having no value argument in DataView setters (e.g. setFloat64) caused
wrong behavior in compiled code.

Bug: chromium:1071190
Change-Id: I37ddba8555dafad321f8d4c1352da8a501a98453
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170091Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67451}

R=szuend@chromium.org

Fixed: chromium:1075763
Change-Id: I7f67cfb9c643d8f30bec808ccb2a9e1326ad1921
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170030Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67450}

We don't redirect to the interpreter for debugging any more, hence we
can remove methods and data structures for storing and accessing
information about functions redirected to the interpreter.

R=thibaudm@chromium.org

Bug: v8:10389
Change-Id: I31ce1ef09748eb65d62910269548bc66eb02e01c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2164795Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67449}

base::List is only used inside of heap and has some pretty strange
semantics that don't lend themselves to it being a general purpose data
structure so this moves it to heap where it can be safe isolated.

Bug: v8:10454
Change-Id: I7921c22286276432956005c72143b22b0364fc93
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170029
Auto-Submit: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67448}

Redirection to the interpreter is removed from mjsunit tests. Hence the
runtime function will always return 0.
This CL removes the runtime function and the respective method from the
interpreter.

R=thibaudm@chromium.org

Bug: v8:10389
Change-Id: Ia17bebf3992f42a17a9c1b385ecdc2f2e3061b65
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2164794
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67447}

Port 97a4b795
Port f8be9948

R=zhiguo.zhou@intel.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: Id72fd94459b13713d25aefbf96fd00c88e352c85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169841Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#67446}

In AtomicOp64 ClearRegister is called twice to clear the registers r8
and r9. Thereby new registers may get allocated. We forgot to add the
newly allocated registers to pinned after the first call to
ClearRegister, which caused the same registers to be allocated again in
the second ClearRegister, and thereby caused the bug.

R=clemensb@chromium.org

Change-Id: I0d069aea4c9438fe30c30c22406b4075ddf3e95c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170088
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67445}

Change-Id: Idbb678e3fd8491c3568ddf7084f969368ac527cc
Bug: v8:10201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2139582
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67444}

Change-Id: Ic5f703f29525ce7680249666454cf146c1f088dd
Bug: v8:10201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2116198Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67443}

Subtracting RSP to allocate stack space is not safe on Windows, where we could subtract several pages away and the value could not be committed yet in memory yielding a segfault. We use the macro assembler AllocateStackSpace instead.

Change-Id: I69ac9d96c57af57276b480a33c7cefa81fc018a7
Bug: v8:10201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2166169
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67442}

RegExpMacroAssembler::GetCode returns a Handle<Object>. However, that
Handle is almost immediately dereferenced, and is stored as a bare
Object in both RegExpCompiler::CompilationResult and RegExpCompileData.

This makes SpiderMonkey's rooting hazard analysis somewhat
antsy. While RegExpCompileData is alive on the stack, the hazard
analysis will not allow any calls that might GC, because it isn't
smart enough to prove that the code field can't be clobbered by a GC.

As far as I can tell, there is no real hazard here, but storing a
Handle in RegExpCompileData instead of a bare Object will simplify SM
and prevent a future patch from accidentally breaking something.

Bug: v8:10406
Change-Id: I9642dd05c591bfd23b340a89df2f2bf5c9fcac2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2161578Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67441}

When RO_SPACE is to be shared, this constructs SharedReadOnlySpace
object (via ReadOnlySpace::DetachPagesAndAddToArtifacts) that contains
the shared artifacts and the original ReadOnlySpace is destroyed. This
is mostly a conceptual change and SharedReadOnlySpace behaves
identically to ReadOnlySpace (and subclasses it).

Also adds ReadOnlyArtifacts that contains the shared artifacts and which
is stored as a std::weak_ptr in a global so it can be destroyed when all
std::shared_ptrs to it are destroyed. Since this allows the ReadOnlyHeap
to be reconstructed when all Isolates are destroyed,
ReadOnlyHeap::ClearSharedHeapForTest is removed along with all uses
since that is now done automatically.

The ReadOnlyArtifacts class now owns all the shared artifacts and is
responsible for deleting them on exit (mostly via unique_ptr).

Bug: v8:10454
Change-Id: I2fe7110a4ab9cf8719dd198bafc1d083bee641b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2154204
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67440}

Make sure to set the right page flags on pages merged from off-thread
LO space have the right flags set -- in particular, the marking bit.

Bug: chromium:1011762
Change-Id: I595a3afb5e40d92b8d4c26c7671a43ea8e9e94d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2169096
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67439}