This CL adds optimizations for Word64And, Word64Or and Word64Xor
to the MachineOperatorReducer. Some of these (esp. constant folding)
have previously been removed from CodeAssembler to streamline
the optimization pipeline.

Bug: v8:10021
Change-Id: I679f0b60589a84b2d92ca6d9083efaddfe0b6423
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1997131
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65781}

Some architectures used {kConstantStackSpace}, others used
{kInstanceOffset}. This CL unifies it to {kInstanceOffset} and uses that
constant consistently (in {GetInstanceOperand}).

R=zhin@chromium.org

Bug: v8:10019
Change-Id: Ia2b6908e289591e2dbc48e559e11407877b7c4ad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000146Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65780}

bug: chromium:1041232
No-Try: true
Change-Id: Icdf1b41016701a1c336793ee278ef704782e610a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000755Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65779}

https://chromium.googlesource.com/external/github.com/tc39/test262/+log/31f1bb5a..28b4fcca4

Bug: v8:7834, v8:7532, v8:10111, v8:9515, v8:10112
Change-Id: I4775a7788fe9158e1318ca04dd1d34adc21060be
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1994392
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65778}

Bug: v8:7793
Change-Id: Ibf045274ae48bd58f8c99361f02e51860b1a4150
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1997443
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65777}

This CL attempts to fix a chrome crash seen in the wild. Without a
reproducer, the current working theory is that we hit a 'null' context
in some edge case, causing us to access an empty handle. This CL
prevents the empty context handle to be dereferenced.

TBR=yangguo@chromium.org

Bug: chromium:1038747
Change-Id: Icd6f4853a22ddbf1e504f0f0f90c065b3437f8ab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000752Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65776}

Without the type check, Code() may read OOB. Note that this is an
internal, test-only runtime function.

Bug: chromium:1041316
Change-Id: I8c0b21ce3c2aea8aa3d065b99d8ab45a8c9e754f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000749
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65775}

Native C++ arrays cannot have size 0 and thus need a dummy element
when filled with variadic template args. std::array does not have this
limitation and makes related code easier to read.

Bug: v8:9972
Change-Id: I70304b55525bd67d966fa69c663a71c202245d14
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000751
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65774}

With --stress-opt, the second run will share the NativeModule with the
first run, hence it's in a nondeterministic state and the test
expectations fail.

TBR=ahaas@chromium.org
CC=​​duongn@microsoft.com

No-Try: true
Bug: v8:10086, v8:9654
Change-Id: I74cf5e841ae2330b3b846ee742cc022305ec9636
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000750
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65773}

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/71813e2..7431e17

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/a1266b6..2a04803

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: If4e16809f0065ee7780d7bb316d51fbc8f7e2a7b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2001822Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#65772}

blendvpd should not be defined in the macro list, since the AVX version
has 4 operands, not 3.

Change-Id: Id020b460fa1a3510a91490f3b2286024cc6c5994
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1990139
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65771}

Port 83b115c3

R=ahaas@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I46030004c893430abf693b67f8f7b0bb56c49e7a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2001145Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#65770}

Also add missing disasm for SSE4_2 instruction.

Bug: v8:9561
Change-Id: Idc8d3c0e59f0e9aff57ebdcc5774bba375828597
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1986386Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65769}

Add kWasmS128 to the list of supported types, and implement Fill for all
the architectures so that LocalGet works.

Add a new test file to contain tests that run only on Liftoff, and
assert that the code is indeed compiled by Liftoff.
We cannot rely on the nooptimization variant for testing
because by default, if Liftoff compilation fails, it will fall back to
Turbofan, and we accidentally get a test passing.

We skip these tests on mips architecture that don't support SIMD, since
there is no way to implement these, and we don't have a "lowering" phase
for Liftoff.

As we implement more of SIMD in Liftoff, we can add more
tests to this file and ensure correctness. Future patches will introduce
support for globals and params.

Bug: v8:9909
Change-Id: I7fc911f2d588d60c709ddb258b2efc1f22805fab
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1999470
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65768}

Bug: v8:10114
Change-Id: Ia882bdf012399d6fc3345bd870e9038da4780f85
Fixed: v8:10114
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1999614Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65767}

Bug: chromium:1038178
Change-Id: I0c96015817b226368479bf8a384a654e6ed22969
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1987914Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65766}

R=clemensb@chromium.org

Bug: v8:10108
Change-Id: If34fe46611c4e3c558b658f741a9266fde634f99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1991495
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65765}

I also fixed one issue in the wasm interpreter.

R=clemensb@chromium.org

Bug: v8:10180
Change-Id: Ie30e908ad051a27fa611e8d36134b67aaf4c830c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000741
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65764}

Reuse logic in {CompileNativeModule} function in module-compiler.cc:
initialize parallel compile jobs, then wait for them to finish while
taking part in this compilation.

Bug: v8:9654
Change-Id: I9974d9f8b516e9faec716a592c7c0ee9c7077d8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1977041
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65763}

This Tnodifies the CombineFeedback and OverwriteFeedback methods and
changes the TaggedToWord32OrBigInt* ann TaggedToNumeric methods to take
TVariables.

Additionally it refactors bitwise binary operators in
intepreter-generator.cc and builtins-number-gen.cc and puts the common
code in NumberBuiltinsAssembler.

Bug: v8:10021
Change-Id: I3b15ecfadb42b50ffbfd0bd1114197e0fef42e99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1995387
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65762}

The DCHECK was not correct in pointer compression mode.

Change-Id: Ifc00478df10962a8114f2d9cd1596ddaedc60d97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000742Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65761}

This just removes the flag if it is not supported anyway. This avoids
fuzzers trapping over this.
The same was done for the --perf-prof flag in
https://crrev.com/c/1993969.

R=ahaas@chromium.org

Bug: chromium:1035233
Change-Id: I7b4b8fdd141df717cc62d795534f30435f7b38c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1998083Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65760}

Tests which set the --perf-prof flag leave behind a file in the current
working directory every time they execute.
In order to avoid this, this CL introduces a --perf-prof-delete-file
flag, which removes this file right after creating it. This still allows
the process to write to it via the open handle, but the file will be
gone afterwards, even if the process crashes or gets killed while
executing.

R=ahaas@chromium.org

Bug: v8:10121
Change-Id: I99b159bb6d94255f77095ac78d98ba55106e94fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000738Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65759}

Port 4648b83c

Original Commit Message:

    This CL implements 4 of the 6 load extend operations. The added
    opcodes include: I16x8Load8x8S, I16x8Load8x8U, I32x4Load16x4S,
    I32x4Load16x4U.

R=zhiguo.zhou@intel.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I3a3308522a69dba78c7a8d6b3ff4b25d25f2e569
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1999492Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#65758}

- Introduces a API to set top of the stack through
  EmbedderHeapTracer::SetStackTop.
- Introduces a new API to inform V8 about an empty embedder stack.
- Switch internal representation of TracedReference
  for on-stack handles to a proper stack that considers all
  contained handles as roots.
- Handle garbage is avoided by cleaning up on handle creation or
  GC.

Design doc: https://bit.ly/on-stack-traced-reference

Bug: chromium:1040038
Change-Id: I927ef0abb268fdb5853c9e17b1bc96e2491cf101
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1993973
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65757}

There is no particular reason that PropertyDescriptorObject should be a
subclass of FixedArray. By using a separate struct type, we get better
generated accessor functions, automatic verification, and runtime type
info, plus we save four bytes per instance.

Change-Id: If076782832aa9398806794e4ee6d019aea2f92b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1999463Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#65756}

Currently the on-hold area is reset on incremental marking steps.
At the start of marking we conservatively assume that the on-hold area
spans the initially allocated linear allocation area, which may be large.

Bug: chromium:973627
Change-Id: I83f2d0e38a2a255c1e8d48549352e9303be89920
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000737Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65755}

The fix in https://crrev.com/c/1997135 didn't properly recurse the cache
scope after a with scope, passing the current scope rather than the
original cache scope up the recursion. Now the "use external cache" check
is done in LookupWith (and, analogously, LookupSloppyEval) while passing
the given cache scope through the Lookup recursion.

Fixed: chromium:1041210
Fixed: chromium:1041616
Change-Id: I5ac9ddc6c16d63b59aa034721fccec2f7781c4f8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000133
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65754}

Just a cleanup to remove an unused enum marker.

R=ahaas@chromium.org

Change-Id: I7b40f2389796f43d82d06eb161569ecea7892ef6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000145Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65753}

Change-Id: I5889da6b5bb916639d00c450d06c35040c34a9a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1997130
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65752}

This fixes local names that are the string representation of a valid
element index.
Even though both the Liftoff and the interpreter-based test are changed,
only the latter needs to be fixed right now since Liftoff does not use
the names currently. Modifying the test just ensures that we implement
this correctly once we use the name.

R=jkummerow@chromium.org

Bug: v8:10019
Change-Id: Ib7f7d6e244a344a85ab540b6c2c67f98b1f3078e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1998079
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65751}

TSan complains in "isolates" tests otherwise. Also further reduce
virtual memory requirements of the sample test to address flaky
allocation failures on 32-bit platforms.

Change-Id: I26c9a59965009d7083876b4ff4836ee879d33350
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000138
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65750}

This saves the addition when accessing the stack slot, and (more
importantly) will make it easier to access the stack slot for debugging,
since there is no platform-specific constant to be added any more.

R=zhin@chromium.org

Bug: v8:10019
Change-Id: I3eaf1838b78c2b7b343a435d7c8a32e7e71508ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1998082Reviewed-by: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65749}

It was missing the name field.

Bug: chromium:1036641
Change-Id: I686a46adfccfd656422cddef340ded58b7a9c9b1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000135
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65748}

This reverts commit 304e97d3.

Reason for revert: Last roll is failing - https://ci.chromium.org/p/chromium/builders/try/linux-rel/282356

Original change's description:
> [parser] Fix caching dynamic vars on wrong scope
> 
> When looking up a variable in a deserialized WITH scope, we were
> unconditionally passing in the cache scope to the lookup, even if the
> with was inside the cache scope. This would lead to and outer scope of
> the with holding the generated dynamic variable. If the cache scope was
> the SCRIPT scope, the dynamic variable would be interpreted as a global
> object property.
> 
> Now, we only store the WITH scope dynamic variables in the cache scope
> if it is an inner scope of the WITH scope, same as we do for 'normal'
> scope lookups.
> 
> Fixed: chromium:1041210
> Change-Id: I4e8eb25bbb8ea58311355d13a9c7c97bf2fa3ec7
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1997135
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Auto-Submit: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#65732}

TBR=leszeks@chromium.org,verwaest@chromium.org

Change-Id: I7b6d77d03b603152a9a47541db466934f46b1176
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000140Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65747}

This CL fixes a negative capacity check up the call-chain to fix an
issue found a clusterfuzz. This is temporary since mid-term we want to
change the interface of allocation functions to take an unsigned C++
type, so implicit conversion errors like this one, can't happen.

Fixed: chromium:1041240
Change-Id: Ib344e5738d2648fbf9a2951ca943ff566ddd5f09
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000134Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65746}

Removing this caused performance regressions.

Bug: chromium:1036514
Change-Id: If24826874c45c21670a59f9dbbe57dacd44ae5fc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1998080Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65745}

Rolling v8/buildtools/linux64: git_revision:a5bcbd726ac7bd342ca6ee3e3a006478fd1f00b5..git_revision:0c5557d173ce217cea095086a9c9610068123503

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/7a8bf94..a1266b6

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: Id7d531f24a9f1becd4c0d03fc09d747c2d1a9dda
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1999804Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#65744}

This CL implements 4 of the 6 load extend operations. The added
opcodes include: I16x8Load8x8S, I16x8Load8x8U, I32x4Load16x4S,
I32x4Load16x4U.

Bug: v8:9886
Change-Id: I9961f97325168e3a0036e1b282b769cc65b06ffb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1981329
Commit-Queue: Zhiguo Zhou <zhiguo.zhou@intel.com>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65743}

The UpdateSharedWasmMemoryObjects function only creates a new
JSArrayBuffer when the the legths of old/new ArrayBuffer objects
are unequal, but the CHECK in the Grow() funciton assumes that a new
object is always created. Fix so that a new ArrayBuffer is always
allocated.

Bug: v8:10044, chromium:1040325
Change-Id: I66912bdc091e65a57e5b50f4ed63b0da5492dcc4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1999603Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65742}