This will allow it to take an OffThreadIsolate in the future, without
requiring GetIsolate on SharedFunctionInfo.

Change-Id: I7db56d5f0587585f829b26e60683c133760d8ff1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2282534Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68696}

This is a followup of the cl [1] that fixes a bug where bytecode was
getting flushed when allocating feedback vector. The fix added
IsCompiledScope before allocating a new feedback vector. We now pass
IsCompiledScope to JSFunction::EnsureFeedbackVector. This makes it
explicit that EnsureFeedbackVector expects a function that is compiled
and the bytecode shouldn't be flushed during the allocation.Also adds
a test.


[1] https://chromium-review.googlesource.com/c/v8/v8/+/2218066

Bug: v8:10560
Change-Id: I552c449a57555dffa625b2e4efa04c2c276fc0b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2222347
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68142}

This is a reland of 6204768b

The original issue exposed the problem that NumberEqual performs
implicit conversion of oddballs to numbers, which is incorrect for
abstract equality comparison (i.e. 0 == null must not be true).

This reland fixes this by applying the following steps:
* Introduced a new kNumberOrBoolean value for CompareOperationFeedback,
  CompareOperationHint, TypeCheckKind and CheckedTaggedInputMode.
* In CodeStubAssembler::Equal: Further distinguish between boolean and
  non-boolean oddballs and set feedback accoringly.
* In JSTypedLowering: Construct [Speculative]NumberEqual operator with
  CompareOperationHint::kNumberOrBoolean, when this feedback is present.
  JSOperatorBuilder and operator cache are extended accordingly.
* In SimplifiedLowering: Propagate a UseInfo with new
  TypeCheckKind::kNumberOrBoolean.
* This leads to the generation of CheckedTaggedToFloat64 in
  RepresentationChanger with new CheckedTaggedInputMode::kNumberOrBoolean.
* In EffectControlLinearizer: Handle this new mode. Accept and convert
  number and boolean and deopt for rest.

Original change's description:
> [turbofan] Improve equality on NumberOrOddball
>
> This CL cleans up CompareOperationFeedback by replacing it with a
> composable set of flags. The interpreter is changed to collect
> more specific feedback for abstract equality, especially if oddballs
> are involved.
>
> TurboFan is changed to construct SpeculativeNumberEqual operator
> instead of the generic JSEqual in many more cases. This change has
> shown a local speedup of a factor of 3-10, because the specific
> operator is way faster than calling into the generic builtin, but
> it also enables additional optimizations, further improving
> runtime performance.
>
> Bug: v8:5660
> Change-Id: I856752caa707e9a4f742c6e7a9c75552fb431d28
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2162854
> Reviewed-by: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67645}

TBR: tebbi@chromium.org
Bug: v8:5660
Change-Id: I12e733149a1d2773cafb781a1d4b10aa1eb242a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2193713
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68037}

This reverts commit 9d3cca1c.

Reason for revert: Only the test needs to be skipped on s390. Refer to this: https://crrev.com/c/1981505

Original change's description:
> s390: [arm] Add missing RELATIVE_CODE_TARGET iteration
> 
> Port b766299d
> Port 9592b043
> Port d915b8d6
> 
> Original Commit Message:
> 
>     Code object iteration was missing logic for RELATIVE_CODE_TARGET
>     reloc entries. Garbage collection could thus miss objects that were
>     referenced only as targets of pc-relative calls or jumps.
> 
>     RELATIVE_CODE_TARGETs are only used on arm, mips, and s390 and only
>     at mksnapshot-time.
> 
>     This exposed another issue in that the interpreter entry trampoline
>     copy we generate for profiling *did* contain relative calls in
>     runtime-accessible code. This is a problem, since code space on arm is,
>     by default, too large to be fully addressable through pc-relative
>     calls. This CL thus also disables the related
>     FLAG_interpreted_frames_native_stack feature on arm.
> 
>     objects.
> 
> R=​jgruber@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
> BUG=
> LOG=N
> 
> Change-Id: Ifbcaed98d90a2730f0d6a8a7d32c621dab1ff5b2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2087693
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
> Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
> Cr-Commit-Position: refs/heads/master@{#66644}

TBR=michael_dawson@ca.ibm.com,mlippautz@chromium.org,jyan@ca.ibm.com,jgruber@chromium.org,joransiu@ca.ibm.com,miladfar@ca.ibm.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Change-Id: Id645a9def23d278235ff77f25249d2187e8105ca
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2196521Reviewed-by: Milad Farazmand <miladfar@ca.ibm.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#67751}

This reverts commit 6204768b.

Reason for revert: A number of Clusterfuzz reports (e.g. https://bugs.chromium.org/p/chromium/issues/detail?id=1079474)

Original change's description:
> [turbofan] Improve equality on NumberOrOddball
> 
> This CL cleans up CompareOperationFeedback by replacing it with a
> composable set of flags. The interpreter is changed to collect
> more specific feedback for abstract equality, especially if oddballs
> are involved.
> 
> TurboFan is changed to construct SpeculativeNumberEqual operator
> instead of the generic JSEqual in many more cases. This change has
> shown a local speedup of a factor of 3-10, because the specific
> operator is way faster than calling into the generic builtin, but
> it also enables additional optimizations, further improving
> runtime performance.
> 
> Bug: v8:5660
> Change-Id: I856752caa707e9a4f742c6e7a9c75552fb431d28
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2162854
> Reviewed-by: Mythri Alle <mythria@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#67645}

TBR=rmcilroy@chromium.org,neis@chromium.org,mythria@chromium.org,nicohartmann@chromium.org

Change-Id: I3410310ed2b1ff2eaee70c1b91c3151d35866108
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:5660
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2190414Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67673}

Bug: v8:5368, v8:8330
Change-Id: I237541223289546b8de031f905d42bb9234c8448
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2184649
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67667}

Normative change in ecma262 [1].

Errors thrown by GetMethod(iterator, "return") are suppressed in favor
of the original exception.

[1] https://github.com/tc39/ecma262/pull/1408

Bug: v8:10397
Change-Id: I0dea8bd677c557cced7103c846416bd81f06f482
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2183400
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67662}

This CL cleans up CompareOperationFeedback by replacing it with a
composable set of flags. The interpreter is changed to collect
more specific feedback for abstract equality, especially if oddballs
are involved.

TurboFan is changed to construct SpeculativeNumberEqual operator
instead of the generic JSEqual in many more cases. This change has
shown a local speedup of a factor of 3-10, because the specific
operator is way faster than calling into the generic builtin, but
it also enables additional optimizations, further improving
runtime performance.

Bug: v8:5660
Change-Id: I856752caa707e9a4f742c6e7a9c75552fb431d28
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2162854Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67645}

Move rewriting, scope analysis, and internalization, to be unconditional
operations done after parsing rather than a separate compile phase. This
removes some of the complexity about rememberering when to call
Compiler::Analyze, and makes these paths a bit more uniform.

Also, forbid allocating any more AST strings after AstValueFactory
internalization, by nulling out the Zone. Add an InternalizePartial
method which doesn't null out the zone for those cases where we do want
to be able to allocate after internalizing (e.g. internalization before
scope analysis).

Change-Id: Id444246d8362a1d169baf664fc37657d9576fd96
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2182458Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67608}

Normative spec change: https://github.com/tc39/ecma262/pull/1814

Bug: v8:10382
Change-Id: Ib17ece9f0c8f75702c828b5336e75cab5d173e5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2163876
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67376}

Previously we use the error message for normal invalid private member
access, so for a failed brand check for class C, the error is

TypeError: Cannot read private member C from an object whose class did not declare it

This updates the message to

TypeError: Object must be an instance of class C

Bug: v8:8330
Change-Id: Ida98f46b8387631194a9b7a48bd1f419045ac6e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2100688
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66923}

Since now the IterationBody StackChecks are implicit within JumpLoops,
we are able to eagerly deopt in them. If we do that, whenever we advance
to the next bytecode we don't have to advance to the next literal
bytecode, but instead "advance" in the sense of doing the JumpLoop.

Adding tests that test this advancing for wide and extra wide JumpLoops.

Also, marking JumpLoop as needing source positions since now it has
the ability of causing an interrupt.

Bug: v8:10149, v8:9960
Fixes: v8:10149
Change-Id: Ib0d9efdfb379e0dfbba7a7f67cba9262668813b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2064226Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66809}

Bug: v8:10201
Change-Id: I72cbe15912395b9b06ffdccce935abae6e7a050e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2093508Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66808}

Fix the test-interpreter and test-interpreter-instrinsics by adding the receiver
as an argument instead of relying on an undefined receiver.

Change-Id: I7af3216b915581155bc320b27a5454c78d04f1f5
Bug: v8:10325
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2102568
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66723}

This CL is a step towards making StackChecks implicit. In a follow-up CL
said StackChecks will become implicit within JumpLoops.

Cq-Include-Trybots: luci.chromium.try:linux-rel
Bug: v8:10149, v8:9960
Change-Id: I5ae247be3f7a58ccdf86398cace30724715767a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2062391
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66668}

Port b766299d
Port 9592b043
Port d915b8d6

Original Commit Message:

    Code object iteration was missing logic for RELATIVE_CODE_TARGET
    reloc entries. Garbage collection could thus miss objects that were
    referenced only as targets of pc-relative calls or jumps.

    RELATIVE_CODE_TARGETs are only used on arm, mips, and s390 and only
    at mksnapshot-time.

    This exposed another issue in that the interpreter entry trampoline
    copy we generate for profiling *did* contain relative calls in
    runtime-accessible code. This is a problem, since code space on arm is,
    by default, too large to be fully addressable through pc-relative
    calls. This CL thus also disables the related
    FLAG_interpreted_frames_native_stack feature on arm.

    objects.

R=jgruber@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: Ifbcaed98d90a2730f0d6a8a7d32c621dab1ff5b2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2087693Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#66644}

String::NewFromLiteral is a templated function that takes a char[N]
argument that can be used as an alternative to String::NewFromUtf8 and
returns a Local<String> rather than a MaybeLocal<String> reducing the
number of ToLocalChecked() or other checks.

Since the string length is known at compile time, it can statically
assert that the length is less than String::kMaxLength, which means that
it can never fail at runtime.

This also converts all found uses of NewFromUtf8 taking a string literal
or a variable initialized from a string literal to use the new API. In
some cases the types of stored string literals are changed from const
char* to const char[] to ensure the size is retained.

This API does introduce a small difference compared to NewFromUtf8. For
a case like "abc\0def", NewFromUtf8 (using length -1 to infer length)
would treat this as a 3 character string, whereas the new API will treat
it as a 7 character string.

As a drive-by fix, this also fixes all redundant uses of
v8::NewStringType::kNormal when passed to any of the String::New*
functions.

Change-Id: Id96a44bc068d9c4eaa634aea688e024675a0e5b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2089935
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66622}

Remove OffThreadHandle, HandleOrOffThreadHandle, and HandleFor, and
make the OffThreadIsolate allocate "real" Handles. Rather than using
the main-thread Isolate's handle scopes, these off-thread Handles are
backed by a Zone, which is tied to the lifetime of the nearest
OffThreadHandleScope. Eventually, we'll likely want to merge the
implementation of OffThreadHandleScope and HandleScope, but currently
the latter is too tightly coupled to the main thread to do so.

Bug: chromium:1011762
Change-Id: I2a6361931fe3f90a7bef4cc28ee42155fa8d062f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2071865Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66516}

Currently implicit returns do not correctly resolve the async generator
objects. This is observable via AsyncGenerator#throw as the implicit
return won't override the rejection.

Bug: v8:10238
Change-Id: I012fc3507d1e4106e7f35b21275be180a6e274c3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2065343Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66413}

FunctionEntry StackChecks is one of the two cases where we generate a
StackCheck bytecode. In these cases, we do stack check against the js
limit (not to be confused with the real js limit). Their purpose is to
be able to interrupt the running code.

We can omit the FunctionEntry StackCheck by embedding its code into
the InterpreterEntryTrampoline builtin. We save one bytecode per
interpreted function.

This change has rippling effects for optimized code, as well as the
deoptimizer.

Bug: v8:10149, v8:9977, v8:9960
Change-Id: I6156de48b3bc0b519dd21190a8e6214fbe96c78d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1914218Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66206}

The Factory/OffThreadFactory allows us to cleanly separate object
construction behaviour between main-thread and off-thread in a
syntactically consistent way (so that methods templated on the factory
type can be made to work on both).

However, there are cases where we also have to access the Isolate, for
handle creation or exception throwing. So far we have been pushing more
and more "customization points" into the factories to allow these
factory-templated methods to dispatch on this isolate behaviour via
these factory methods. Unfortunately, this is an increasing layering
violation between Factory and Isolate, particularly around exception
handling.

Now, we introduce an OffThreadIsolate, analogous to Isolate in the same
way as OffThreadFactory is analogous to Factory. All methods which were
templated on Factory are now templated on Isolate, and methods which
used to take an Isolate, and which were recently changed to take a
templated Factory, are changed/reverted to take a templated Isolate.
OffThreadFactory gets an isolate() method to match Factory's.

Notably, FactoryHandle is changed to "HandleFor", where the template
argument can be either of the Isolate type or the Factory type (allowing
us to dispatch on both depending on what is available).

Bug: chromium:1011762
Change-Id: Id144176f7da534dd76f3d535ab2ade008b6845e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2030909
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66101}

This changes how we setup modules from being entirely bytecode based to a
single fixed array with metadata that's passed into a runtime function
DeclareModuleExports, similar to DeclareGlobals. This is preperatory work to
replace the bytecode that calls those functions with explicit calls before we
even start running the code. In the case of modules that will obviate the need
for modules to be generators.

Change-Id: Ibf1c913a9dc78041e3001b174c66ab89226d9c8e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2030733
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66097}

Add support for internalizing an AstValueFactory using the off-thread
factory. Includes adding ConsString support to OffThreadFactory.

This introduces a Handle union wrapper, which is used in locations that
can store a Handle or an OffThreadHandle. This is used in this patch for
the internalized "string" field of AST strings, and will be able to be
used for other similar fields in other classes (e.g. the ScopeInfo
handle in Scope, object boilerplate descriptor handles, the inferred
name handle on FunctionLiterals, etc.). It has a Factory-templated
getter which returns the appropriate handle for the factory, and a
debug-only tag to make sure the right getter is used at runtime. This
union wrapper currently decomposes implicitly to a Handle if the getter
is not called, to minimise code changes, but this implicit conversion
will likely be removed for clarity.

Bug: chromium:1011762
Change-Id: I5dd3a7bbdc483b66f5ff687e0079c545b636dc13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1993971
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65816}

Change-Id: I34aff1cef476a1237e59e8151b82bdb09819664f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1997126
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65728}

This makes the code a little more specific to what's happening: There is only 1
global scope, and if there is one, we know its declarations are
info->scope()->declarations(). That means we don't need multiple
GlobalDeclarationsBuilders, and we don't need to cache partially serialized
versions of the declarations. One builder is enough, and we can simply walk
those declarations if there are any.

Additionally this CL drops unnecessary information passed into DeclareGlobals:
- Global functions always have the name on the shared function info, so we can
  drop the name.
- Due to lazy feedback vectors there's no point in trying to preinitialize
  global loads. Also this was only preinitializing global loads at the script
  level, not sub functions; without even checking whether the global load was
  used. It may actually have caused us to do more work and allocate more global
  load feedback slots than neccessary.

Change-Id: Ibbdd029abe5a39ba27f7fc9be84670c5d444d98d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1997123
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65725}

This reverts commit 91e3243d.

Reason for revert: This deopts to the wrong point.

Original change's description:
> Extend GetIterator bytecode to perform JSReceiver check on object[Symbol.iterator]()
> 
> Current GetIterator bytecode loads and calls @@iterator property on a
> given object. This change extends the bytecode functionality to check
> whether the value returned after calling @@iterator property is a valid
> JSReceiver. The bytecode throws SymbolIteratorInvalid exception if the
> returned value is not a valid JSReceiver. This change absorbs the
> functionality of additional two bytecodes - JumpIfJSReceiver and
> CallRuntime, that are part of the iterator protocol in the GetIterator
> bytecode.
> 
> Bug: v8:9489
> Change-Id: I9e84cfe85eeb9a1b8a97ca0595375ac26ba1bbfd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1792905
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Swapnil Gaikwad <swapnilgaikwad@google.com>
> Cr-Commit-Position: refs/heads/master@{#63704}

TBR=rmcilroy@chromium.org,leszeks@chromium.org,tebbi@chromium.org,swapnilgaikwad@google.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9489
Change-Id: I9324b5b01ead29912ad793a1e7b4d009643d7901
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1960288Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65541}

The current error message assumes all classes are named, which results
in a double space and awkward wording when calling an anonymous class
constructor.

Bug: v8:10025
Change-Id: Ibe913152c0816cbbaaa0c7a88db4e415762ae9bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1947336
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65354}

This patch implements inspector support for private instance methods:

- Previously to implement brand checking for instances with private
  instance methods we store the brand both as the value with the brand
  itself as the key in the stances. Now we make the value the context
  associated with the class instead.
- To retrieve the private instance methods and accessors from the
  instances at runtime, we look into the contexts stored with the
  brands, and analyze the scope info to get the names as well as
  context slot indices of them.
- This patch extends the `PrivatePropertyDescriptor` in the inspector
  protocol to include optional `get` and `set` fields, and make the
  `value` field optional (similar to `PropertyDescriptor`s).
  Private fields or private instance methods are returned in the
  `value` field while private accessors are returned in the `get`
  and/or `set` field. Property previews for the instaces containing
  private instance methods and accessors are also updated similarly,
  although no additional protocol change is necessary since the
  `PropertyPreview` type can already be used to display accessors.

Design doc: https://docs.google.com/document/d/1N91LObhQexnB0eE7EvGe57HsvNMFX16CaWu-XCTnnmY/edit

Bug: v8:9839, v8:8330
Change-Id: If37090bd23833a18f75deb1249ca5c4405ca2bf2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1934407
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65337}

This helps reduce the number of false positives encountered by
the dead variable analysis in gcmole.

TBR=jgruber@chromium.org, verwaest@chromium.org, yangguo@chromium.org

Bug: v8:9810
Change-Id: I1a34ccaab340e6abc37832b4ce1a0cabc56fa438
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1917146
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64981}

This patch excludes brand symbols from the result of
JSReceiver::GetPrivateEntries so that the brands do not show up
when the instances are inspected from the DevTools (e.g. via
`Runtime.getProperties()`).

To implement this, we use a bit in the Symbols to denote whether
it's a brand symbol. A brand symbol is also a private name
symbol so that we can just reuse the IC for accessing private
names and do not need to jump through extra ORs.

Design doc: https://docs.google.com/document/d/1N91LObhQexnB0eE7EvGe57HsvNMFX16CaWu-XCTnnmY/edit

Bug: v8:8671, v8:9839, v8:8330
Change-Id: I24346aeedce3602395289052d1e1350ae9390354
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1909757Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/master@{#64899}

The function-entry stack check should dominate all other
instructions in a function. Prior to this CL it was possible to create
paths not including a stack check due to SwitchOnGeneratorState: the
generator-creation branch had a stack check, while generator-resume
branches did not.

  0 : af fb 00 01       SwitchOnGeneratorState r0, [0], [1] { 0: @22 }
  4 : 27 fe fa          Mov <closure>, r1
  7 : 27 02 f9          Mov <this>, r2
 10 : 64 0a fa 02       InvokeIntrinsic [_CreateJSGeneratorObject], r1-r2
 14 : 26 fb             Star r0
 16 : a7                StackCheck
 17 : b0 fb fb 01 00    SuspendGenerator r0, r0-r0, [0]
 22 : b1 fb fb 01       ResumeGenerator r0, r0-r0
                        [... no stack check here ...]

This CL moves the stack check to the beginning of the bytecode array,
i.e. before SwitchOnGeneratorState.

Bug: chromium:1020031
Change-Id: I8ba8cba99611ddbe50c76023129d926cc84b1d5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1903440Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64888}

This reverts commit 10883f56.

Reason for revert: Causes bytecode mismatch

Bug:chromium:1020538, chromium:1021457

Original change's description:
> [hole-check-elimination] Simplest possible hole check elimination
>
> doc: https://docs.google.com/document/d/1Y9uF3hS2aUrwKU56vGxlvEs_IiGgmWSzau8097Y-XBM/edit
>
> Bug: v8:7427
> Change-Id: Iedd36c146cefff7e6687fdad48d263889c5c8347
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1778902
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#63913}

TBR=rmcilroy@chromium.org,leszeks@chromium.org,verwaest@chromium.org,joshualitt@chromium.org

Bug: v8:7427
Change-Id: Ib4369a3560e929692585c4546435684deae5ee9b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1899163
Commit-Queue: Joshua Litt <joshualitt@chromium.org>
Reviewed-by: Joshua Litt <joshualitt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64789}

This change begins making use of the fact that Torque now knows about
the relationship between classes and instance types, to replace a few
repetitive lists:

- Instance type checkers (single and range), defined in
  src/objects/instance-type.h
- Verification dispatch in src/diagnostics/objects-debug.cc
- Printer dispatch in src/diagnostics/objects-printer.cc
- Postmortem object type detection in
  tools/debug_helper/get-object-properties.cc

Torque is updated to generate four macro lists for the instance types,
representing all of the classes separated in two dimensions: classes
that correspond to a single instance type versus those that have a
range, and classes that are fully defined in Torque (with fields and
methods inside '{}') versus those that are only declared. The latter
distinction is useful because fully-defined classes are guaranteed to
correspond to real C++ classes, whereas only-declared classes are not.

A few other changes were required to make the lists above work:

- Renamed IsFiller to IsFreeSpaceOrFiller to better reflect what it does
  and avoid conflicts with the new macro-generated IsFiller method. This
  is the part I'm most worried about: I think the new name is an
  improvement for clarity and consistency, but I could imagine someone
  typing IsFiller out of habit and introducing a bug. If we'd prefer to
  keep the name IsFiller, my other idea is to rename FreeSpace to
  VariableSizeFiller and Filler to FixedSizeFiller.
- Made Tuple3 extend from Struct, not Tuple2, because IsTuple2 is
  expected to check for only TUPLE2_TYPE and not include TUPLE3_TYPE.
- Normalized the dispatched behavior for BigIntBase and HeapNumber.
- Added a few new object printers.

Bug: v8:7793
Change-Id: I5462bb105f8a314baa59bd6ab6ab6215df6f313c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1860314
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64597}

Currently if the argument to matchAll has a null or undefined .flags
property, the error message will read "String.prototype.matchAll called
on null or undefined", which is very confusing.

Drive-by fix: Remove the related and unused
MethodInvokedOnNullOrUndefined error.

Bug: v8:9895
Change-Id: I3644545282ac8d2156c7a51086e37a0ab7f97a78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1874619
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64530}

Original change's description:
> [runtime] Remove extension slots from context objects
>
> Context objects have an extension slot, which contains further
> additional data that depends on the type of the context.
>
> This CL removes the extension slot from contexts that don't need
> them, hence reducing memory.
>
> The following contexts will still have an extension slot: native,
> module, await, block and with contexts. See objects/contexts.h for
> what the slot is used for.
> The following contexts will not have an extension slot anymore (they
> were not used before): script, catch and builtin contexts.
> Eval and function contexts only have the extension slot if they
> contain a sloppy eval.
>
> Bug: v8:9744
> Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191
> Commit-Queue: Victor Gomes <victorgomes@google.com>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Auto-Submit: Victor Gomes <victorgomes@google.com>
> Cr-Commit-Position: refs/heads/master@{#64372}

TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org

Bug: v8:9744
Change-Id: I8700ed2fa62c89e86c39bb16ac3167f38ea8d63f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1873695
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64477}

This reverts commit 392a1217.

Reason for revert: Several failures on mac64 gc stress: https://ci.chromium.org/p/v8/builders/ci/V8%20Mac64%20GC%20Stress/9747

Original change's description:
> Reland "Reland "[runtime] Remove extension slots from context objects""
> 
> This is a reland of c48096d4
> 
> Original change's description:
> > Reland "[runtime] Remove extension slots from context objects"
> >
> > This is a reland of c07c02e1
> >
> > Original change's description:
> > > [runtime] Remove extension slots from context objects
> > >
> > > Context objects have an extension slot, which contains further
> > > additional data that depends on the type of the context.
> > >
> > > This CL removes the extension slot from contexts that don't need
> > > them, hence reducing memory.
> > >
> > > The following contexts will still have an extension slot: native,
> > > module, await, block and with contexts. See objects/contexts.h for
> > > what the slot is used for.
> > > The following contexts will not have an extension slot anymore (they
> > > were not used before): script, catch and builtin contexts.
> > > Eval and function contexts only have the extension slot if they
> > > contain a sloppy eval.
> > >
> > > Bug: v8:9744
> > > Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030
> > > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191
> > > Commit-Queue: Victor Gomes <victorgomes@google.com>
> > > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> > > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> > > Auto-Submit: Victor Gomes <victorgomes@google.com>
> > > Cr-Commit-Position: refs/heads/master@{#64372}
> >
> > TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org
> >
> > Bug: v8:9744
> > Change-Id: I0749cc2d8f59940c25841736634a70047116d647
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1869192
> > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> > Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> > Commit-Queue: Peter Marshall <petermarshall@chromium.org>
> > Auto-Submit: Victor Gomes <victorgomes@google.com>
> > Cr-Commit-Position: refs/heads/master@{#64380}
> 
> TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org
> 
> Bug: v8:9744
> Change-Id: I621ffe98722f8c4defaf277b8d1666484ba2963f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872400
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Commit-Queue: Victor Gomes <victorgomes@google.com>
> Cr-Commit-Position: refs/heads/master@{#64451}

TBR=ulan@chromium.org,jgruber@chromium.org,petermarshall@chromium.org,leszeks@chromium.org,verwaest@chromium.org,victorgomes@google.com

Change-Id: I99a71180c6a00a87478867a8210ff9ceb46cb3ee
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9744
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872405Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64453}

This is a reland of c48096d4

Original change's description:
> Reland "[runtime] Remove extension slots from context objects"
>
> This is a reland of c07c02e1
>
> Original change's description:
> > [runtime] Remove extension slots from context objects
> >
> > Context objects have an extension slot, which contains further
> > additional data that depends on the type of the context.
> >
> > This CL removes the extension slot from contexts that don't need
> > them, hence reducing memory.
> >
> > The following contexts will still have an extension slot: native,
> > module, await, block and with contexts. See objects/contexts.h for
> > what the slot is used for.
> > The following contexts will not have an extension slot anymore (they
> > were not used before): script, catch and builtin contexts.
> > Eval and function contexts only have the extension slot if they
> > contain a sloppy eval.
> >
> > Bug: v8:9744
> > Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191
> > Commit-Queue: Victor Gomes <victorgomes@google.com>
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> > Auto-Submit: Victor Gomes <victorgomes@google.com>
> > Cr-Commit-Position: refs/heads/master@{#64372}
>
> TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org
>
> Bug: v8:9744
> Change-Id: I0749cc2d8f59940c25841736634a70047116d647
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1869192
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Peter Marshall <petermarshall@chromium.org>
> Auto-Submit: Victor Gomes <victorgomes@google.com>
> Cr-Commit-Position: refs/heads/master@{#64380}

TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org

Bug: v8:9744
Change-Id: I621ffe98722f8c4defaf277b8d1666484ba2963f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1872400Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@google.com>
Cr-Commit-Position: refs/heads/master@{#64451}

This reverts commit c48096d4.

Reason for revert: Flaky bot failures (https://bugs.chromium.org/p/v8/issues/detail?id=9744#c9)

Original change's description:
> Reland "[runtime] Remove extension slots from context objects"
> 
> This is a reland of c07c02e1
> 
> Original change's description:
> > [runtime] Remove extension slots from context objects
> >
> > Context objects have an extension slot, which contains further
> > additional data that depends on the type of the context.
> >
> > This CL removes the extension slot from contexts that don't need
> > them, hence reducing memory.
> >
> > The following contexts will still have an extension slot: native,
> > module, await, block and with contexts. See objects/contexts.h for
> > what the slot is used for.
> > The following contexts will not have an extension slot anymore (they
> > were not used before): script, catch and builtin contexts.
> > Eval and function contexts only have the extension slot if they
> > contain a sloppy eval.
> >
> > Bug: v8:9744
> > Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191
> > Commit-Queue: Victor Gomes <victorgomes@google.com>
> > Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> > Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> > Auto-Submit: Victor Gomes <victorgomes@google.com>
> > Cr-Commit-Position: refs/heads/master@{#64372}
> 
> TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org
> 
> Bug: v8:9744
> Change-Id: I0749cc2d8f59940c25841736634a70047116d647
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1869192
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Peter Marshall <petermarshall@chromium.org>
> Auto-Submit: Victor Gomes <victorgomes@google.com>
> Cr-Commit-Position: refs/heads/master@{#64380}

TBR=ulan@chromium.org,jgruber@chromium.org,petermarshall@chromium.org,leszeks@chromium.org,verwaest@chromium.org,victorgomes@google.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:9744
Change-Id: Ia58067b41f1eb5880a52b36ead754d7190ff7f6f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1871922Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64424}

This is a reland of c07c02e1

Original change's description:
> [runtime] Remove extension slots from context objects
>
> Context objects have an extension slot, which contains further
> additional data that depends on the type of the context.
>
> This CL removes the extension slot from contexts that don't need
> them, hence reducing memory.
>
> The following contexts will still have an extension slot: native,
> module, await, block and with contexts. See objects/contexts.h for
> what the slot is used for.
> The following contexts will not have an extension slot anymore (they
> were not used before): script, catch and builtin contexts.
> Eval and function contexts only have the extension slot if they
> contain a sloppy eval.
>
> Bug: v8:9744
> Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191
> Commit-Queue: Victor Gomes <victorgomes@google.com>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Auto-Submit: Victor Gomes <victorgomes@google.com>
> Cr-Commit-Position: refs/heads/master@{#64372}

TBR=verwaest@chromium.org,jgruber@chromium.org,ulan@chromium.org,leszeks@chromium.org,petermarshall@chromium.org

Bug: v8:9744
Change-Id: I0749cc2d8f59940c25841736634a70047116d647
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1869192Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@google.com>
Cr-Commit-Position: refs/heads/master@{#64380}

This reverts commit c07c02e1.

Reason for revert: MSAN failures:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/29251

Original change's description:
> [runtime] Remove extension slots from context objects
> 
> Context objects have an extension slot, which contains further
> additional data that depends on the type of the context.
> 
> This CL removes the extension slot from contexts that don't need
> them, hence reducing memory.
> 
> The following contexts will still have an extension slot: native,
> module, await, block and with contexts. See objects/contexts.h for
> what the slot is used for.
> The following contexts will not have an extension slot anymore (they
> were not used before): script, catch and builtin contexts.
> Eval and function contexts only have the extension slot if they
> contain a sloppy eval.
> 
> Bug: v8:9744
> Change-Id: I8ca56c22fa02437bbac392ea72174ebfca80e030
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1863191
> Commit-Queue: Victor Gomes <victorgomes@google.com>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Auto-Submit: Victor Gomes <victorgomes@google.com>
> Cr-Commit-Position: refs/heads/master@{#64372}

TBR=ulan@chromium.org,jgruber@chromium.org,petermarshall@chromium.org,leszeks@chromium.org,verwaest@chromium.org,victorgomes@google.com

Change-Id: I98dee04ab4d3ae977053982ec884b738d2f6f623
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9744
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1868611Reviewed-by: Sathya Gunasekaran  <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64373}