The zone-allocated objects, the destructor is never called. Such
objects must therefore never contain members that themselves have
non-trivial destructors, e.g. std containers.

Fix occurrences of this antipattern in Maglev.

Bug: v8:7700
Change-Id: I6892cf5203bb6e842397fd4292918b18134f97cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3822672
Auto-Submit: Jakob Linke <jgruber@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82358}

This reverts commit 532ca599.

Reason for revert: UBSan failures (integer overflow):
https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan/22615/overview

Original change's description:
> [maglev] Support LdaModuleVariable and StaModuleVariable
>
> Bug: v8:7700
> Change-Id: I036ac71324e0c1c96a4da4aacdb5a6718726db31
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3821203
> Reviewed-by: Victor Gomes <victorgomes@chromium.org>
> Commit-Queue: 王澳 <wangao.james@bytedance.com>
> Cr-Commit-Position: refs/heads/main@{#82347}

Bug: v8:7700
Change-Id: Iedbcb80a2ec41f299105bb814650ec4eff30db0d
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3824718
Auto-Submit: Adam Klein <adamk@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82356}

... intrinsic.

This CL also adds stack arguments support in CallBuiltin.

Bug: v8:7700
Change-Id: I59d900414585f724c48f1557ba606f5b61cfb6da
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813073Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82355}

ML-TF tiering remains very similar to Ignition-TF tiering:

- When the interrupt budget is exhausted, enter the TieringManager
  which potentially decides to tier up and sets the appropriate
  TieringState on the FeedbackVector.
- The prologue on ML function entry recognizes the TieringState (and
  also available cached TF code) and starts compilation and/or jumps
  into optimized code.

TODOs:

- ML-to-TF OSR is not yet supported.
- ML code is no longer cached on the FeedbackVector.
- Tracing is rudimentary.
- The generated function-entry prologue is fairly large and must be
  either minimized or extracted into a builtin.
- Tiering involving Sparkplug is not entirely robust yet (Sparkplug
  code may be installed with unexpected timing).

Bug: v8:7700
Change-Id: I86b0692477f51b9967f318a4093bc874344120b3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3629149Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82351}

This adds a new {base::OS::SetDataReadOnly} method, which is similar to
{SetPermissions(kRead)}, but using another system call on Windows such
that it works on pages in the data segment.
{VirtualAlloc} will fail if called on a page of the data section,
whereas {VirtualProtect} succeeds. For the general {SetPermissions}
API we still want to use {VirtualAlloc} though, as it also changes the "committed" state of the pages.

Note that we do not add a platform API for this, as the memory was
never allocated through the platform. We just directly protect it in
V8.

R=mlippautz@chromium.org

Bug: v8:12887
Change-Id: If83bf6e5c500cc5cf08c76d04dfac5e2b4d35a2d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820482Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82349}

Bug: v8:7700
Change-Id: I036ac71324e0c1c96a4da4aacdb5a6718726db31
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3821203Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82347}

Bug: v8:7700
Change-Id: I92596898718a57ea9d8fbd002306aa45a8e9a549
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3821206Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82346}

Bug: v8:11525
Change-Id: I69c08f3cc4ee6b391e462a5d49de750f34bbc8cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3815487Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82345}

This is a reland of commit 6953b555

The reland fixes tests that retrieved the stack start from a
non-inlined frame's fp. This does not work in certain configurations
as the resulting marker is too low to consider the first local
variables in subsequent calls.

The fix uses an inline frame address for the tests to get an upper
bound of stack addresses to consider.

Original change's description:
> [handles] Remove precise on-stack representation of global handles
>
> Since https://crrev.com/c/3806439 on-stack traced handles are marked
> conservatively when being used in combination with CppHeap.
>
> This change removes the precise on-stack representation of the
> internal traced nodes as they nodes would anyways be marked
> conservatively. The effects are:
> - cheaper representation (just a single node space);
> - uniform handling: no checks to distinguish on-stack vs on-heap;
> - no brittleness around cleaning on-stack handles when the event loop
>  is empty;
>
> Change-Id: Id859623bfed77a66bdd064ea8065536264515eae
> Bug: v8:13141
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3812039
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82306}

Bug: v8:13141
Change-Id: I53ece36220e99d02be6df18f83c18450e5d5037b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820585Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82342}

Growing Wasm memory is allowed to fail nondeterministically.
I checked locally that this is indeed what is making this test fail in
--verify-predictable mode.

R=jkummerow@chromium.org

Bug: v8:13167
Change-Id: I91d21c91481ac692a9f6000be45d43d517e76cd4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3822684Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82341}

This CL adds a small inspector test to verify that Runtime.evaluate
with silent on/off can be interleaved while replMode is true for all
evaluations.

This is to check that the interaction between console and live
expressions works as expected when the user enables
"Pause on exceptions".

R=bmeurer@chromium.org

Bug: chromium:1335439
Change-Id: Iebd3f9f207312dc6dcd3d0b9a8483ef09608528f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3822685Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82337}

... which affect how builtin calls are generated.

This CL replaces the following boolean options
 - builtin_calls_as_table_load,
 - inline_offheap_trampolines,
 - short_builtin_calls,
 - use_pc_relative_calls_and_jumps,

with an enum BuiltinCallJumpMode and a boolean option
use_pc_relative_calls_and_jumps_for_mksnapshot.

Bug: v8:11880, v8:11527
Change-Id: Ia842b1d126c99dbe83e5b4f6118dcd44082ed168
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820063Reviewed-by: Jakob Linke <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82330}

This CL includes:
1) Using 1 full GC instead of 2 young GCs to force object promotion.
2) A couple of needed bailouts.
3) Using manual evacuation candidates in old space to ensure an object
   is evacuted (moved to a different address)  instead of relying on
   Scavenger.
And some other minor tweaks

Bug: v8:12612
Change-Id: Idfd925ccdf30215998ab6e7cc632ce750fa2077a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816661Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82327}

Change-Id: I1944a179131af2027bd69a4e39e0c4e0eafb1a65
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820582
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82326}

{memory-protection-unittest} assumes that code objects exist after
compilation. This is not true with lazy compilation. Therefore this
CL disables lazy compilation in the test.

R=clemensb@chromium.org

Bug: v8:12852
Change-Id: I66039319fdfe4354afb32064e3e9105d334f5b07
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819643Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82325}

Black allocation is already enabled when starting incremental marking.

Bug: v8:12775
Change-Id: I492c3ab89a3a3251ab005d2f3fc4ee46f28f5615
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820067
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82321}

This CL tries to improve readability of TryMarkingComplete() by
splitting it up into multiple smaller methods.

It also removes StepResult::kWaitingForFinalization since this was
only used in one test which could easily be rewritten to not need this
value. This makes CombineStepResult() and Step()s return value simpler
to understand.

Bug: v8:12775
Change-Id: I981bc7b736246ab53058d1e61e3c67db0d1130b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816668Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82319}

This pr refactor all usage of v8_str in unittests/ into NewString
method in test-utils.h

Change-Id: I8ffc456851488e8c050d7a38f5459aebfa3f314f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813064Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82314}

This reverts commit 6953b555.

Reason for revert: Failing on CI: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20full%20debug/22876/overview

Original change's description:
> [handles] Remove precise on-stack representation of global handles
>
> Since https://crrev.com/c/3806439 on-stack traced handles are marked
> conservatively when being used in combination with CppHeap.
>
> This change removes the precise on-stack representation of the
> internal traced nodes as they nodes would anyways be marked
> conservatively. The effects are:
> - cheaper representation (just a single node space);
> - uniform handling: no checks to distinguish on-stack vs on-heap;
> - no brittleness around cleaning on-stack handles when the event loop
>  is empty;
>
> Change-Id: Id859623bfed77a66bdd064ea8065536264515eae
> Bug: v8:13141
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3812039
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82306}

Bug: v8:13141
Change-Id: I5ebb2ed9eeec1394c2dd48504e91f6ff789b0711
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820584
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82313}

Bug: chromium:1351242
Change-Id: I3805c53e3103d105754474a48a94fa0888c635f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820062
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82312}

Add the receiver to the IteratorSymbolNonCallable error
message.

Bug: v8:12918
Change-Id: Ib863a357474282ec3723cc4e7e012052979ca2d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813069Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82308}

Bug: v8:9407
Change-Id: Id7a04bbdd795bd91a62f3984b760a7f42db96a7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3803225Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Qifan Pan <panq@google.com>
Cr-Commit-Position: refs/heads/main@{#82307}

Since https://crrev.com/c/3806439 on-stack traced handles are marked
conservatively when being used in combination with CppHeap.

This change removes the precise on-stack representation of the
internal traced nodes as they nodes would anyways be marked
conservatively. The effects are:
- cheaper representation (just a single node space);
- uniform handling: no checks to distinguish on-stack vs on-heap;
- no brittleness around cleaning on-stack handles when the event loop
 is empty;

Change-Id: Id859623bfed77a66bdd064ea8065536264515eae
Bug: v8:13141
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3812039Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82306}

This is a reland of commit 30ee0690

Avoid terminating from another thread in unit tests to make the termination of optimized bigint multiplication deterministic on windows

Original change's description:
> Reland "[TurboFan] Support BigIntMultiply"
>
> This is a reland of commit ccde4205
>
> Added a test case for terminating optimized bigint multiply and attached frame_state to the runtime call to provide deopt information to determine the throw location
>
> Original change's description:
> > [TurboFan] Support BigIntMultiply
> >
> > Bug: v8:9407
> > Change-Id: Iab0a4ca8dd5d83444d1addd6043a5c8e3a8577a7
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3773773
> > Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> > Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> > Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#82140}
>
> Bug: v8:9407
> Change-Id: Ia691d758265148da1de291365d41c7c1d1f98ddd
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810391
> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82232}

Bug: v8:9407
Change-Id: I7d04897f4e8f260aba31dbad55ce1263406473d9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819621
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82304}

This reverts commit 9cca4e60.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20-%20debug%20-%20single%20generation/6185/overview

Original change's description:
> [heap] Handle old-to-new slot promotion to shared heap
>
> The GC might promote an in-place internalizable string from new space
> directly into the shared heap. This means that the GC might need to
> create OLD_TO_SHARED slots when updating OLD_TO_NEW slots.
>
> This CL implements this both for minor and full GCs.
>
> Bug: v8:11708
> Change-Id: I6102b9024d1dd5dd602d654b006ea5897ab5baa6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804604
> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82298}

Bug: v8:11708
Change-Id: I4cfdcff22552ff92ec85497d58021e83a6e038b0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3819647
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82303}

The GC might promote an in-place internalizable string from new space
directly into the shared heap. This means that the GC might need to
create OLD_TO_SHARED slots when updating OLD_TO_NEW slots.

This CL implements this both for minor and full GCs.

Bug: v8:11708
Change-Id: I6102b9024d1dd5dd602d654b006ea5897ab5baa6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3804604
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82298}

Splitting off cosmetics and unrelated test refactorings from a larger
CL reworking traced global handles.

Bug: v8:13141
Change-Id: I675cdbd4898346ab55b0db65d53e992f2eb95744
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816671
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82295}

StepOrigin is enough to infer the right completion action: Either
finalization by task (for StepOrigin::kTask) or stack guard
(for StepOrigin::kV8).

Only tests with StepOrigin::kV8 were violating this but they also just
pass when enabling the stack guard.

Bug: v8:12775
Change-Id: I5df50198d8e3612ee97142f84bd497820a5cec78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816664Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82294}

This reverts commit b1020a43.

Reason for revert: Causes timeout for `condition-workers`: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux%20-%20debug/40516/overview

Original change's description:
> Reland "[shared-struct] Add Atomics.Condition"
>
> This is a reland of commit e2066ff6
>
> Changes since revert:
> - Rebased against c9918524, which
>   uses the external pointer table for the WaiterQueueNode stored
>   in the state field when compressing pointers. This relaxes
>   the alignment requirement of the state field to be 4-bytes when
>   compressing pointers.
> - Moved the state field into the JSSynchronizationPrimitive base
>   class, since alignment and padding can now be made simpler.
>
> Original change's description:
> > [shared-struct] Add Atomics.Condition
> >
> > Bug: v8:12547
> > Change-Id: Id439aef9cab3348171a23378cdd47ede5f4d7288
> > Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
> > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630350
> > Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> > Reviewed-by: Adam Klein <adamk@chromium.org>
> > Commit-Queue: Shu-yu Guo <syg@chromium.org>
> > Cr-Commit-Position: refs/heads/main@{#81734}
>
> Bug: v8:12547
> Change-Id: I638304c3d5722c64bd04708ed4cf84863cdebb81
> Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3763787
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#82278}

Bug: v8:12547
Change-Id: I27c2aeb131f1b68c2240323189db88d552aa92f9
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3817187
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/main@{#82292}

Avoid terminating from another thread in some thread termination
unit tests.

Change-Id: I0f66e49f1f4e7e3d6ec4c614c2cc1afc9fdb0a22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3816663
Commit-Queue: Qifan Pan <panq@google.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82284}

... when setting the prototype of TypedArray constructor.

Setting the __proto__ of TypedArray constructor could change TypedArray's
@@species, thus we need to invalidate the @@species protector.

Bug: v8:13110
Change-Id: Ib3b2c88d1136965c221492ff81a26ae69533b356
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813063
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82282}

Change-Id: I4671a704fc76063a64ed90c337770ec17fe8e393
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3815778
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#82281}

Change-Id: I406d211bdac02501b1bfefdf6ebb63b97bb02e44
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3815774Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
Reviewed-by: ji qiu <qiuji@iscas.ac.cn>
Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
Cr-Commit-Position: refs/heads/main@{#82279}

This is a reland of commit e2066ff6

Changes since revert:
- Rebased against c9918524, which
  uses the external pointer table for the WaiterQueueNode stored
  in the state field when compressing pointers. This relaxes
  the alignment requirement of the state field to be 4-bytes when
  compressing pointers.
- Moved the state field into the JSSynchronizationPrimitive base
  class, since alignment and padding can now be made simpler.

Original change's description:
> [shared-struct] Add Atomics.Condition
>
> Bug: v8:12547
> Change-Id: Id439aef9cab3348171a23378cdd47ede5f4d7288
> Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3630350
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Shu-yu Guo <syg@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#81734}

Bug: v8:12547
Change-Id: I638304c3d5722c64bd04708ed4cf84863cdebb81
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_rel_ng,v8_linux64_tsan_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3763787Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82278}

Use a single SBFX instruction for Word64Sar(ChangeInt32ToInt64(x), imm)
when possible.

Using PGO, this improves Speedometer2 by 0.4% on a Cortex-A55 machine,
and 0.27% on a Neoverse-N1 machine.

Change-Id: I6fea5e473f0f0869f8f6cebd9a4e61bb2fc6e9ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3807586Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Rodolph Perfetta <rodolph.perfetta@arm.com>
Reviewed-by: Jakob Linke <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82277}

noextern is the abstract null type for the extern type.

Bug: v8:7748
Change-Id: I03ac0daf3051f479e096f3d05f4fa7cbf03968f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3810191Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82276}

nofunc is the abstract null type, the equivalent of none but for the
function type hierarchy.
none and nofunc (and later on noextern) all can only represent a null
value, however their nulls are distinct (as there isn't any subtype
relationship between them).

Bug: v8:7748
Change-Id: Ic5ae502cc21a581ca2e0f5abc46139435d950af9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3805884Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82274}

We should verify the consistency of the objects we produced after deserializing successfully.

Bug: v8:11525
Change-Id: Ieec1aa7112ab6eda0c61a1a9ab78e86ad8352942
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813061
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82272}

The test-gc cctest loads the WasmCode from the NativeModule and then
executes it. With lazy compilation, the WasmCode object first has to get
generated before it can get loaded.

R=jkummerow@chromium.org

Bug: v8:12852
Change-Id: I83a8a2433ac5d11690c82f07e4ae01ddc979821c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3809811
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82271}

Bug: v8:7700
Change-Id: Ib27a3a818189acb5c1a1f39543762b3f0fcd9d69
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3815485Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82269}