This is a reland of commit c8c17619

This CL includes:

- crrev.com/c/3679846 Add condition use_ic to the removing the optimized OSR code logic
- crrev.com/c/3686589 Add out of bytecode array to break condition of removing OSR code cache logic
- Add JumpLoop nesting level 0 to break condition of removing OSR code cache logic
- Change to use Deoptimizer::DeoptimizeFunction() to deoptimize OSR code

Original change's description:
> [compiler] Remove the optimized OSR code if deoptimizing at inside of loop
>
> If the optimized code is deoptimized and the deoptimized exit offset is
> inside of the optimized OSR code related loop, the optimized OSR code is
> also out of date, remove the optimized OSR code, it will avoid hit the
> optimized OSR code and soon later deoptimization of the optimized OSR
> code.
> This CL will reduce deoptimization. E.g. Deoptimization of JetStream2
> case navier-stokes function addFields is reduced from twice to once.
>
> Change-Id: I5bbf3039e916c3736b5b967d1f36b6ea90cfd40b
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3648219
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Tao Pan <tao.pan@intel.com>
> Cr-Commit-Position: refs/heads/main@{#80826}

Bug: chromium:1330444
Change-Id: I97a466ddfa764438b45f33c6ae33cb921d57278d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3690451Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Tao Pan <tao.pan@intel.com>
Cr-Commit-Position: refs/heads/main@{#81110}

A few more fixes for visiting bytecodes that are known to be dead:

  * Change JumpLoop dead frame merging to remove the loop predecessor,
    by moving the loop predecessor to be the last in the list and
    allowing it to be dropped the same way as other predecessors.
  * Remove the bytecode walk in EmitUnconditionalDeopt, opting instead
    to check for null current_block in the real bytecode visitor. This
    allows us to handle the case where the start of a basic block is
    dead, but there's no fallthrough into it, so it wouldn't be visited
    by the loop in EmitUnconditionalDeopt.

Bug: v8:7700
Change-Id: I7cf1a54c49a2affc0363c1a0919bb3d427f83f5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3700070
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81109}

The race occurs when the write to instance_ happens after the static
thread-local initialization. The change simply moves the write into
CagedHeap's ctor.

Bug: chromium:1325007
No-Try: true
Change-Id: I55b6e286f311c9ddb4f3f89d12f7f9437b96cc58
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3702334
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81108}

... setting too low --max-old-space-size value.

Fixes: v8:12725
Change-Id: I5b1b533992d6b1024e81263525ed90914582e27a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695594
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81107}

We don't need to reset the entire age table, but merely the pages that
are known to contain young objects. This must improve memory use with
generational GC enabled.

The CL is a prerequisite for another CL that'll increase the size of
the age-table.

Bug: chromium:1029379
Change-Id: Ibb5b607af20380c3936b7396b3d9767f6f17c44b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695268
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81106}

Currently, young generation assumes that all the on-heap pointers are
compressed, which is currently not the case due to the backing-store
pointers in Blink. Fixing collections to have Member<> is not easy,
because the inlined collections may have the semantics that
 backing_pointer_ == inlined_buffer_;
where the inlined_buffer_ can be off-heap (e.g. on stack).

The CL introduces another type of barrier specifically for uncompressed
pointers. The followup is to use that barrier from Blink.

Bug: chromium:1029379
Change-Id: If0f519220658268dbdf915235c2e5afd7887dc0c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695358Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81105}

... factory-unittest.

Bug: v8:12781
Change-Id: I862ab02526c21820ef3f12f663a598793bbc6bbd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3699499Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#81104}

... hashcode-unittest.

Bug: v8:12781
Change-Id: I118ec1f2963abfaf6fbf738b97a984c9449d105d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3699498Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#81103}

Add a new --wasm-max-module-size flag to replace the unused and more
specific --experimental-wasm-allow-huge-modules flag.
The new flag can be used in fuzzers to reduce the maximum allowed module
size, avoiding OOM on some systems (like 32-bit ASan builds).

R=ahaas@chromium.org

Bug: chromium:1334577
Change-Id: I2830d407c5b01be21a47b21392c1210061c40b20
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695267Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81102}

This is just a minor refactoring: We include the kUnknownSectionCode in
the set of valid sections. There are only two uses of that function: The
first one already checks for kUnknownSectionCode in a separate
condition, the second one can be simplified with this refactoring.

R=ahaas@chromium.org

Bug: chromium:1335023
Change-Id: Ie1ae316db41f8111fff0af0d97a6c775f527156c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3698556
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81101}

Fixed: v8:12889
Change-Id: Ia11cfc0fb1dfd2952b43b732256d8ed3a144d1cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3702333
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81100}

... which shouldn't try to change permissions of RWX pages.

Bug: v8:12797
Change-Id: Ibf3de06f5243c2008a8d9dc41f6231373f844e40
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3700352
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81099}

When profiling V8 code generated with snapshot using ETW, there is a
huge difference enabling system instrumentation. This is because, for
populating the ETW tracing (when --interpreted-frames-native-stack is
enabled), we need the scripts line ends. But these are only generated if
log functions are enabled.

To prevent the problem, this CL also initializes script line ends for
the case interpreted frames native stacks are enabled.

Bug: v8:12910
Change-Id: I89eab727574a68a8b2fbc2575faf540218370e7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3669698Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: José Dapena Paz <jdapena@igalia.com>
Cr-Commit-Position: refs/heads/main@{#81098}

This CL extends the live edit mechanism to allow editing the function
that is currently on top of the stack, as long as that call frame is
the only activation of that  function.

The CL changes how we look for functions on the current JS stack:
Instead of starting at thread_local_top we start at the frame we
are currently paused in. This is possible since there can not be any
JavaScript frames above the current "break frame", only C++ frames
which are not relevant for live edit.

If the edited script modifes the top-most function, the inspector
will trigger a restart of that call frame. That is why we check
if we can actually restart the function and only allow the live
edit to go through if that is the case.

Note that this CL also adds a kill switch in the form of a runtime
flag for this feature, in case we need to pull the plug and disable
this feature again via back-merge.

R=jarin@chromium.org

Bug: chromium:1334484
Change-Id: I711913df96c8acc786ad4de28de804d2f90e1847
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695353Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81097}

... which might fail because usual operator== for tagged values compares
only lower 32 bits of the pointer.

Bug: v8:11880, v8:12958
Change-Id: I0978d6c510424aecfee2f044c40ea424b6cb3ab9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695593Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81096}

R=thibaudm@chromium.org

Bug: chromium:1335523
Change-Id: I194915b37ea27b3d7d1a9f2367b6935b8a3bff39
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3702233
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81095}

Bug: v8:12783
Change-Id: I2d02b4466edb1da48512b1f2d2bc14f6d5cb8dc0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3701596Reviewed-by: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81094}

Already after enabling Liftoff, the name did not match the semantics any
more. The callback was called after top-tier finished, not after initial
compilation of the module finished.
With dynamic tiering, the name is even less fitting.

This CL renames the "OnModuleCompiled" callback in the API to
"MoreFunctionsCanBeSerialized", which makes it more obvious what the
API should be used for. It also internally renames all related typedefs
and methods accordingly.

One call of the callback in the streaming decoder was already wrong
before this CL and is being removed.

R=jkummerow@chromium.org, cbruni@chromium.org

Bug: v8:12899
Change-Id: I95c0fc9e32442383e47e4370e31277cc065bf0fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3687689Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81093}

Deprecate the LegacyOOMErrorCallback in the 10.5 branch. Embedders are
expected to switch to OOMErrorCallback.
The deprecated LegacyOOMErrorCallback will then be removed in the 10.6
branch.

R=mlippautz@chromium.org

Bug: chromium:1323177
Change-Id: I83001bec760848ef39f0638ed5c5c9eaa7cdb6eb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3646014Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81092}

This reverts commit c2f25454.

Reason for revert: CFI build failures: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20CFI/11255/overview

Original change's description:
> Avoid use of x18 register on arm64
>
> This causes crashes on Windows, as x18 is the "platform register",
> holding a pointer to thread-local storage.
>
> R=​jkummerow@chromium.org
> CC=​seth.brenith@microsoft.com
>
> Bug: v8:12959
> Change-Id: I20b8bee145d4ab3a40d8d140d98572df8300251c
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695569
> Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81090}

Bug: v8:12959
Change-Id: Id239ccb55e0a2d29051f402af64a855a8fd2d23b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3702231
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81091}

This causes crashes on Windows, as x18 is the "platform register",
holding a pointer to thread-local storage.

R=jkummerow@chromium.org
CC=seth.brenith@microsoft.com

Bug: v8:12959
Change-Id: I20b8bee145d4ab3a40d8d140d98572df8300251c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695569Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81090}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/8ac7b3a..eb941d4

Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220610.3.1..version:8.20220612.1.1

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/8c95aed..2b3af06

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I3145586bec136a2ee98f1d2c6d10170a35743c7b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3701217
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81089}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/36d2c30..8ac7b3a

Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220610.2.1..version:8.20220610.3.1

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: Ib61ca93d3d6047172ddc017d95e22951447dc302
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3701215
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81088}

Bug: v8:12868
Change-Id: Ib92cbf7eae8e4b7bc76bc918011be747254d931f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3700075
Commit-Queue: Andy Wingo <wingo@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81087}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/2fdb9a9..36d2c30

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/a9467d8..6fbb744

Rolling v8/third_party/fuchsia-sdk/sdk: version:8.20220609.0.1..version:8.20220610.2.1

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/2f657cf..8c95aed

R=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: Ie75126d6536441ebd96dc1846ccc053cb2cc9f32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3700894
Bot-Commit: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#81086}

... in unittests/testcfg.py on android.

Bug: v8:12781
Change-Id: I7a7f4edbae4f4fe646063d048f5132c401422be4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3697864Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#81085}

This is a partial reland of https://crrev.com/c/3597106

With this change, an old entry in the script compilation cache is not
completely removed by CompilationCacheScript::Age(). Instead, its value
is replaced with undefined. In that way, the Script is still accessible
from the table until the garbage collector destroys it and clears the
weak pointer.

Bug: v8:12808
Change-Id: Ib494674e67d0fec455e1fed40499c5cca3b7c0a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3673426Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#81084}

... to avoid additional indirection on every access.

Bug: v8:12949
Change-Id: I16840ac0517e86f1f70252153112ca3475527416
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693707Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81083}

Bug: v8:12868
Change-Id: I5fb5dccb5ff6b691348a519253de338fa91e8be1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695269Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andy Wingo <wingo@igalia.com>
Cr-Commit-Position: refs/heads/main@{#81082}

- Added separate layer for phases
- Moved json parsing logic to new layer

Change-Id: I16289b1f4f62d011c1801fbc37bac49ff911e61e
Bug: v8:7327
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695566
Commit-Queue: Danylo Boiko <danielboyko02@gmail.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81081}

Adds Module::GetStalledTopLevelAwaitMessage() API which searches for
modules that have no pending async dependencies but have not yet
resolved. An embedder may call this API when they are about to exit
to check if TLA evaluation has stalled and provide a better error
message.

Change-Id: I3b88802f70cc84c973551f13d73ef3e3d06f4027
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2341765
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81080}

Minor refactoring; shouldn't affect behavior.

This is a partial reland of https://crrev.com/c/3597106

Bug: v8:12808
Change-Id: Ibcc683317a6a85bb332dc96b212275f832cc59d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3665263Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#81079}

Remove internal slot of LocalizedNumberRangeFormatter
in NumberFormat and PluralRules and converted from
LocalizedNumberFormatter on the calls require it instead.

Bug: chromium:1307699, chromium:1307698
Change-Id: I9be1b7dd1c931f273d845359ca4de1273ea837a8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3555261Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81078}

Use the field index to look up the descriptor for double fields, and add
a dependency on them.

Drive-by, fix store field optimisation to only emit the optimised direct
store for tagged fields, so that we don't accidentally insert
HeapNumbers into double fields (making them mutable).

Bug: v8:7700
Change-Id: I699c2a2e4e13194045139b9c995d05eb138c0e7c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3700071Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81077}

Bug: v8:12786
Change-Id: I0c53f9d7027c6b457186b2a04ab65daf7d6e0f85
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3698554Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81076}

profiling is enabled

Bug: v8:12952

Change-Id: Ie3c3de71c5ca4be8256ac87e60b183bc45e47cf6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3696481Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Vasili Skurydzin <vasili.skurydzin@ibm.com>
Cr-Commit-Position: refs/heads/main@{#81075}

In particular, this CL adds support for:
- exception handling
- source positions
- OSR
- various numeric operations and conversions

Since the test suite now passes with `--turboshaft`, this also adds a
new variant for Turboshaft and enables it on some bots.

Bug: v8:12783
Change-Id: Ia2dd2e16f56fc955d49e51f86d050218e70cb575
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3669251Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81074}

This method was intended to run single-threaded, so with parallel
marking disabled. While correctness isn't an issue here (simply because
we will later run this method single-threaded as well), some CHECKs do
not hold when parallel marking is active.

Bug: chromium:1325628
Change-Id: Iedebcf6241835011982217b1452271e38a36ce9d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3700074
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81073}

roll_merge.py manually checks out V8 into a temporary directory, locally
builds a cherrypick, and uploads this to Gerrit. However, Gerrit has its
own REST API which allows cherrypicking. Using this API directly has two
advantages:

  1) We don't need to perform any local checkouts, so it's much faster,
     and
  2) The cherry-picked commit is marked as a cherry-pick by Gerrit,
     which means Rubber-Stamper-Bot will treat it as a cherry-pick.

The implementation for now is very simple, and doesn't support things
like cherry-picking multiple revisions or applying an additional local
patch. It does, however, increment the patch value in v8-version.h, and
tries to set Owners-Override +1.

Bug: v8:12849
Change-Id: Ie242dbec6b3d24f5118d601e9d326465d190a8f0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3644609
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81072}

Add a missing check to reject illegal sections.

The test is added in three forms, to give fuzzers more food: A fuzzer
regression test for the streaming fuzzer, a unit test for the streaming
decoder, and an mjsunit test for streaming compilation.

Drive-by: Remove a redundant line in the synchronous decoder (this is
already handled by the following statement.

R=ahaas@chromium.org

Bug: chromium:1335023
Change-Id: Ic8c3b301f1b58981c7d68eafcffc89531ed2c64c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3698549Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81071}