- 03 May, 2019 14 commits
Georg Neis authored
Bug: v8:9197
Change-Id: I7d2062d9c1000d17f7010786edfc50b5d82b1631
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594559
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61203}

Frederik Gossen authored
Fix function name in error messages thrown by the streaming API.

The API functions {WebAssembly.compileStreaming} and {WebAssembly.instantiateStreaming} are now mentioned where needed.

Bug: v8:9184
Change-Id: I70b27efe1c027d119fa7b5b9be27988a92304682
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588468
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Frederik Gossen <frgossen@google.com>
Cr-Commit-Position: refs/heads/master@{#61202}

Georg Neis authored
... from JSNativeContextSpecialization.

Bug: v8:9197
Change-Id: I332ba27e78b0c10b3406cf39e9a2178c8c74fede
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593339
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61201}

Ross McIlroy authored
Bug: v8:8801, v8:8394
Change-Id: I6bb46ecafe1bd94adbf0409f13c9b2e558da0823
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594558
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61200}

Georg Neis authored
Bug: v8:9197
Change-Id: If72dbf1507f68fa344db389c08ad8614bca6667e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593337
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61199}

Sigurd Schneider authored
Notry: true
Bug: v8:9179, v8:9180
Change-Id: I2f79bd6d4f2ad53d70955f2e22739b1b8873ae12
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591598
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61198}

Simon Zünd authored
This new function forwards to v8::Object::CreationContext but has special handling for JSGlobalProxy objects to prevent the former from crashing.

R=yangguo@chromium.org

Bug: chromium:952057
Change-Id: I5ade682976efd1724c13f52b468e4fb30bb9ade7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1569425
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61197}

Jaroslav Sevcik authored
Bug: chromium:958725
Change-Id: I02d2f3ad19fa60482f8fdd8a539205091f428b68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594434
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61196}

Andreas Haas authored
This CL adds decoding and code generation for the table.size instruction.

R=mstarzinger@chromium.org

Bug: v8:7581
Change-Id: I0e689a993d25db72281ebba0854454be12f4d350
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593302
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61195}

Sigurd Schneider authored
This reverts commit bbd740f0.

Reason for revert: blocks lkgr due to layout test failure:
https://ci.chromium.org/p/v8/builders/ci/V8-Blink%20Linux%2064/31607

Original change's description:
> Reland "[json] Speed up json parsing"
>
> This is a reland of b0c4a876
>
> Original change's description:
> > [json] Speed up json parsing
> >
> > - scan using raw data pointers + GC callback
> > - scan using scanner tables
> > - cap internalizing large string values
> > - inline fast transitioning logic
> >
> > Fixes previous CL by moving AllowHeapAllocation to callers of
> > ReportUnexpectedCharacter where needed to make it clear we need to exit.
> >
> > Tbr: ulan@chromium.org
> > Change-Id: Icfbb7cd536e0fbe153f34acca5d0fab6b5453d71
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591778
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#61159}
>
> Tbr: verwaest@chromium.org
> Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel
> Change-Id: Ic7d0057178c649fc45b8c8f4587ee9128e351515
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593292
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61179}

TBR=ulan@chromium.org,ishell@google.com,verwaest@google.com,ishell@chromium.org,verwaest@chromium.org

Change-Id: I3ae8f9ce8214bebe7fab9d87c5daf8cdfdb94199
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594438
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61194}

Sigurd Schneider authored
This reverts commit a87a971b.

Reason for revert: required for revert of bbd740f0

Original change's description:
> [runtime] Inline SeqOneByteSubStringKey IsMatch and AsHandle
>
> The performance actually matters to JSON parsing and this improves it by a % or
> 2.
>
> In the longer run we should probably share the IsMatch implementation in
> StringTableKey directly and call a virtual GetBytes on the key implementation.
>
> Change-Id: I838a106f9c8c52f0385057a52a8c0b9141ae025b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589977
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Auto-Submit: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61183}

TBR=ishell@chromium.org,verwaest@chromium.org

Change-Id: I8797310ef7834c04b44c735ce60813e3fb596013
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594440
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61193}

Andreas Haas authored
This CL adds decoding and code generation for the table.grow instruction. For code generation we just generate a runtime call.

The implementation is quite straight-forward. However, I did several small cleanups along the way. I hope it's still acceptable. I could also split out some cleanups into separate CLs.

R=mstarzinger@chromium.org

Bug: v8:7581
Change-Id: Id885b7e70eb4f5bccfe779eb216f7cc9302ea3a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593078
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61192}

Raul Tambre authored
The script still works with Python 2. There are no intended behaviour changes.

Bug: chromium:941669
Change-Id: I5ec63564fdb29a326c64d6ac7465f86b30ef16c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585857
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Auto-Submit: Raul Tambre <raul@tambre.ee>
Cr-Commit-Position: refs/heads/master@{#61191}

v8-ci-autoroll-builder authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/d6fe3ed..aba3ab5

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/5a34ef7..bf6e6c9

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/fe1dbe1..9c06201

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/210f1dc..0ab75b6

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: Ic51ecc5069b24ee9db1033cd186c9b9bfd038db5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1594194
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#61190}

- 02 May, 2019 26 commits
Johannes Henkel authored
This reverts commit b7134d3a.

Reason for revert: breaks presubmit

Original change's description:
> [DevTools] Add V8InspectorSession::state(), which returns binary (CBOR).
>
> Keep the existing method for compatibility, by converting
> to json from CBOR using the inspector_protocol_encoding library,
> via a v8 specific interface library that directs routines for
> converting between strings and doubles to v8's implementations.
>
> This change also brings in the encoding.h / encoding.cc files from the
> upstream inspector_protocol project. The only modification here
> are the header guards, and the namespace. I will fix roll.py to
> make it so that we pick up future changes.
>
> third_party/inspector_protocol/BUILD.gn is specific to v8, by necessity.
> third_party/inspector_protocol/.clang-format is a copy of the upstream
> file. If we don't put this, we'll find ourselves auto-formatting the roll,
> which is annoying.
>
> Change-Id: I20fa8759164e7a39f8a7c30e0d2a3f8a7e4be227
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590627
> Reviewed-by: Alexei Filippov <alph@chromium.org>
> Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
> Commit-Queue: Johannes Henkel <johannes@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61187}

TBR=dgozman@chromium.org,alph@chromium.org,caseq@chromium.org,johannes@chromium.org

Change-Id: I67f297ef8454499036c94bf88e0d23657a579140
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1592130
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Johannes Henkel <johannes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61189}

Maciej Goszczycki authored
Various small changes are required to enable this.

HeapObject::GetReadOnlyRoots no longer uses the Space's heap when possible (see comment in ReadOnlyHeap::GetReadOnlyRoots definition). This requires that ReadOnlyRoots be construct-able using a raw pointer to the read-only space's roots array.

Global read-only heap state is now cleared by tests where appropriate and extra DCHECKs in ReadOnlyHeap::SetUp should make catching future issues easier.

String padding is now always cleared just before read-only space is sealed when not deserializing.

Change-Id: I7d1db1c11567be5df06ff7066f3a699125f8b372
Bug: v8:7464
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1535830
Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61188}

Johannes Henkel authored
Keep the existing method for compatibility, by converting to json from CBOR using the inspector_protocol_encoding library, via a v8 specific interface library that directs routines for converting between strings and doubles to v8's implementations.

This change also brings in the encoding.h / encoding.cc files from the upstream inspector_protocol project. The only modification here are the header guards, and the namespace. I will fix roll.py to make it so that we pick up future changes.

third_party/inspector_protocol/BUILD.gn is specific to v8, by necessity. third_party/inspector_protocol/.clang-format is a copy of the upstream file. If we don't put this, we'll find ourselves auto-formatting the roll, which is annoying.

Change-Id: I20fa8759164e7a39f8a7c30e0d2a3f8a7e4be227
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590627
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Johannes Henkel <johannes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61187}

Seth Brenith authored
On Windows, expanding the stack by more than 4 KB at a time can cause access violations. This change fixes a few known cases (and includes unit tests for those), and attempts to make stack expansion more consistent overall by using the AllocateStackSpace helper method everywhere we can, even when the offset is a small constant. On arm64, there was already a consistent method for stack pointer manipulation using the Claim and Drop methods, so Claim is updated to touch every page.

Bug: v8:9017
Change-Id: I2dbbceeebbdefaf45803e9b621fe83f52234a395
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1570666
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61186}

Maciej Goszczycki authored
Code relocation info is now always allocated in old-space. Before relocation info allocated for placeholders and builtins (which get replaced with trampolines in nosnap builds) would become unreachable. Since read-only space is not GCed and ReadOnlyHeapIterator doesn't check for reachability, ValidateSnapshot would fail finding unreachable objects returned by ReadOnlyHeapIterator.

Because trampoline relocation info gets replaced with canonical one, this only affects no-embedded-builtins nosnap builds, which don't get much benefit from read-only relocation info anyway.

A new check has been added to the read-only deserializer to verify that every read-only object is reachable at mksnapshot-time.

The CombinedHeapIterator iteration order was changed to iterate over read-only space first, because that's how HeapIterator worked.

This is a reland of 3d1d8eae

Original change's description:
> [heap] Skip ro-space from heap iterators, add CombinedHeapIterator.
>
> Read-only space sharing requires an iterator independent of heap. This
> also enables future removal of read-only space from heap.
>
> Bug: v8:7464
> Change-Id: Ia07a9369494ea2c547d12c01ffa1d7b8b6bbeabc
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552795
> Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60819}

Bug: v8:7464
Change-Id: I49ae070955b77956962334a84f762ab29052d5ff
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566513
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Maciej Goszczycki <goszczycki@google.com>
Cr-Commit-Position: refs/heads/master@{#61185}

Hannes Payer authored
The registry right now has no users. In a follow-up CL I will remove the skip list for code pages and make users of the skip list use the registry.

Bug: v8:9093
Change-Id: I23a2b9e0d4158e2ffa89626e71f58d3bb5a41201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593074
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61184}

Toon Verwaest authored
The performance actually matters to JSON parsing and this improves it by a % or 2.

In the longer run we should probably share the IsMatch implementation in StringTableKey directly and call a virtual GetBytes on the key implementation.

Change-Id: I838a106f9c8c52f0385057a52a8c0b9141ae025b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589977
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61183}

Ross McIlroy authored
Bug: v8:8801, v8:8394
Change-Id: I7f27cb0a9dcbdd1ba0e3f90735472408c22185e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593304
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61182}

Sigurd Schneider authored
This ensures that the parent class' field 'elements' is not shadowed.

Bug: v8:9194
Change-Id: Ibb53dedc0205cbb4c61e810e2d5822a94843c605
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593076
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61181}

Santiago Aboy Solanes authored
This is the first CL that aims to eliminate the straggler tagged loads and stores.

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: If3782c0c7047d4c7d8669e12fb423cc0c74bc58a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587392
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61180}

Toon Verwaest authored
This is a reland of b0c4a876

Original change's description:
> [json] Speed up json parsing
>
> - scan using raw data pointers + GC callback
> - scan using scanner tables
> - cap internalizing large string values
> - inline fast transitioning logic
>
> Fixes previous CL by moving AllowHeapAllocation to callers of
> ReportUnexpectedCharacter where needed to make it clear we need to exit.
>
> Tbr: ulan@chromium.org
> Change-Id: Icfbb7cd536e0fbe153f34acca5d0fab6b5453d71
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591778
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61159}

Tbr: verwaest@chromium.org
Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel
Change-Id: Ic7d0057178c649fc45b8c8f4587ee9128e351515
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593292
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61179}

Sigurd Schneider authored
This reverts commit febe3a10.

Reason for revert: Regressions

Original change's description:
> [regalloc] Enable control-flow aware allocation
>
> We enable this feature to collect performance data; revert at will.
>
> Bug: v8:9088
> Change-Id: I57cd79707fe56ec5a2d6d5ee65b7ce24bda57773
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585726
> Auto-Submit: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61117}

TBR=mstarzinger@chromium.org,jarin@chromium.org,sigurds@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9088, chromium:958623, chromium:958726, chromium:958727
Change-Id: Ib07e9f201f8e35c190717ddb6e81a30bcadb1c07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593300
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61178}

Ross McIlroy authored
BUG=v8:8395
Change-Id: Ic6fb17c25ab3625721998898de2c05ee9b1bab0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593299
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61177}

Clemens Hammacher authored
This reverts commit b6fb2707.

Reason for revert: TSan issues, e.g. https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN/26177

Original change's description:
> [wasm][gc] Free WasmCode objects
>
> This adds the next step to freeing code: We free the actual C++
> {WasmCode} objects. This will cause UAF if any C++ code uses stale
> references.
> The underlying machine code will still not be freed.
>
> For simplicity, this CL changes the vector of owned_code to an ordered
> set, such that lookup and removal is much simpler. The drawback is that
> insertion is now more expensive.
>
> R=mstarzinger@chromium.org
>
> Bug: v8:8217
> Change-Id: I07fc81167816637fbaad6c06ff79e3f952f2fde8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593080
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61165}

TBR=mstarzinger@chromium.org,clemensh@chromium.org

Change-Id: I167a8d806a8c6ac1c90e0743cdf86d492389bbed
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8217, v8:9200
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593305
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61176}

Joyee Cheung authored
This enables the embedder to check if the snapshot generated from SnapshotCreator::CreateBlob() can be rehashed and the seed can be recomputed during deserialization. The lack of this functionality resulted in a temporary vulnerability in Node.js: https://github.com/nodejs/node/pull/27365

Change-Id: I88d52337217c40f79c26438be3c87d2db874d980
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578661
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61175}

Georg Neis authored
When asked to start at the receiver and the receiver is a primitive, the dependency should be taken on the primitive map (which is a no-op) rather than the wrapper object's map.

Bug: chromium:958716
Change-Id: I9c8b2b56436d134b2f79dbe458c0c527fe6d17a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593086
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61174}

Milad Farazmand authored
Port 381a7f9e

Original Commit Message:

On Arm/64 the last return address is stored in a link register instead of being pushed to the top-of-stack like on x64/ia32. Extend the support in the tick sampler to check for samples in a frameless bytecode handler with support for checking the link register if it exists instead of top-of-stack.

In addition, make the x64/ia32 check more robust by ensuring we only apply the change if the pc is a bytecode handler and the top frame isn't a bytecode handler (stub) frame.

R=rmcilroy@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:9162
LOG=N

Change-Id: I893b45af40a48415fbbc2c9f5e9e5cd72ed8d9e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588888
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61173}

Peter Marshall authored
This reverts commit ad44c258.

Reason for revert: Missed some users: crbug.com/v8/9105

Original change's description:
> [typedarray] Make JSTypedArray::length authoritative.
>
> This is the first step towards full huge typed array support in V8.
> Before this change, the JSTypedArray::length and the elements backing
> store length (FixedTypedArrayBase::length) were used more or less
> interchangeably to determine the number of elements in a JSTypedArray.
>
> With this change we disentangle these two lengths, and instead make
> JSTypedArray::length authoritative. For on-heap typed arrays, the
> FixedTypedArrayBase::length will remain the number of elements in the
> backing store, but for the off-heap typed arrays, this length will be
> set to 0 (matching the fact that the FixedTypedArrayBase instance does
> not contain any elements itself).
>
> This also unifies the JSTypedArray::set_/length() and length_value()
> methods to only have JSTypedArray::set_/length() which returns/takes
> size_t values. Currently this still requires the values to be in Smi
> range, but later we will extend this to allow arbitrary size_t values
> (in the safe integer range).
>
> Bug: v8:4153, v8:7881
> Change-Id: Iff9089130bb31fa9e08e0cf913e7ab52c3dbf107
> Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
> Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543729
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60648}

TBR=jarin@chromium.org,titzer@chromium.org,hpayer@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

TBR=jarin@chromium.org, szuend@chromium.org
Bug: v8:4153, v8:7881
Change-Id: I96992bff15b4a2765ae4a557d2c37e78269c927d
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593294
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61172}

Georg Neis authored
Bug: chromium:958021
Change-Id: I6cc6ff2666750b508786db010e202b1e8e1e9536
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593293
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61171}

Ulan Degenbaev authored
This is a reland of 7c426286

Original change's description:
> [heap] Use normal marking write barrier for fixed array elements
>
> This simplifies the marking write barrier for elements to mark the
> values instead of revisiting the array.
>
> Bug: chromium:918485
>
> Change-Id: Id5da0d5b9ff8385a256fe14f4bf7171f9f6343e1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588459
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61125}

Bug: chromium:918485
Change-Id: I8075e0333b3a05bc6193eb4bc030bfdcd72e64d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593088
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61170}

Simon Zünd authored
This enables "goto definition" navigation for parent types.

R=sigurds@chromium.org

Bug: v8:8880
Change-Id: I3207ec8b85f0e36cbab3519b89af98bba1666406
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593081
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61169}

Alexander Neville authored
This patch ports the following builtins to torque:
- Math.acos()
- Math.acosh()
- Math.asin()
- Math.asinh()
- Math.atan()
- Math.atan2()
- Math.atanh()
- Math.cbrt()
- Math.cos()
- Math.cosh()
- Math.exp()
- Math.expm1()
- Math.fround()
- Math.log()
- Math.log1p()
- Math.log10()
- Math.log2()
- Math.sin()
- Math.sinh()
- Math.sqrt()
- Math.tan()
- Math.tanh()

Change-Id: Ia7b0246744e4b0cace696dc309622e287397be1f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584169
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61168}

Michael Achenbach authored
This is a reland of e632f8f4

Original change's description:
> [test] Remove longer timeout on bots
>
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_gc_stress_dbg
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_gcc_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_msan_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_tsan_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_arm64_dbg
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_mac64_asan_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_win64_dbg
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_android_arm64_n5x_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_cfi_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_ubsan_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_arm_lite_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_noi18n_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_mac64_dbg_ng
>
> Bug: v8:9145
> Change-Id: I6efee8579d9d9e0aad0431f6b87c152141d4ec7f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581261
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Tamer Tas <tmrts@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61107}

Bug: v8:9145
Change-Id: Id8f0468bbf2d67f62141e7f7c42417d351c3fffa
Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg
Cq-Include-Trybots: luci.v8.try:v8_linux_gcc_rel
Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_dbg
Cq-Include-Trybots: luci.v8.try:v8_mac64_asan_rel
Cq-Include-Trybots: luci.v8.try:v8_win64_dbg
Cq-Include-Trybots: luci.v8.try:v8_android_arm64_n5x_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_cfi_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux_arm_lite_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac64_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588429
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61167}

Georg Neis authored
This fixes a memory leak.

Bug: v8:9191, v8:7790
Change-Id: I0df49cd3a6791600638a67b4b7ad9687562e500b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588426
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61166}

Clemens Hammacher authored
This adds the next step to freeing code: We free the actual C++ {WasmCode} objects. This will cause UAF if any C++ code uses stale references. The underlying machine code will still not be freed.

For simplicity, this CL changes the vector of owned_code to an ordered set, such that lookup and removal is much simpler. The drawback is that insertion is now more expensive.

R=mstarzinger@chromium.org

Bug: v8:8217
Change-Id: I07fc81167816637fbaad6c06ff79e3f952f2fde8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593080
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61165}

Michael Achenbach authored
NOTRY=true
Change-Id: I20f88cb163797690a3b91863c40f1ca7d201bb9b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593079
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61164}