While pointer-compression still doesn't guarantee 8-byte alignment
for objects, the WasmInstanceObject definition should be prepared
for a future where that changes.
No behavioral differences are expected from this, and likely no
performance differences for now either.

Change-Id: Iedd85f4361d45e1e3cf5d645496b9ad34acf533b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038527
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75855}

Some skips are no longer required.

BUG=v8:9684

Change-Id: I921f2032ea5c19429c735120ba80a09b8f1e352e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043961
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75854}

Adds incompatibility between future/turboprop variants and stress-concurrent-inlining
due to incompatibility from both configs weakly setting --interrupt-budget. Also ensures
we maintain this incompatibility if --future is passed as an extra flag as is done on
some bots.

BUG=v8:9684

Change-Id: I4855b92a64db00da15efc2384e241d4bf0c373c2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041677
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75853}

- Rename AssemblerOptions::enable_root_array_delta_access to
  enable_root_relative_access.
- Remove the identical but duplicated
  PipelineData::roots_relative_addressing_enabled.

Bug: v8:9594
Change-Id: I41c5ddc3c1ad9681dce8402640c50529f00141cf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043956
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75852}

Fold the stack interrupt check to happen as part of the bytecode budget
interrupt, so that we can skip the stack check on JumpLoop. This is a
minor improvement for Ignition, but it's mainly for for Sparkplug code
as it means we don't have to emit additional stack interrupt checks.

TurboFan doesn't have budget interrupts, so it keeps the stack interrupt
check.

Bug: v8:11420
Change-Id: I055fe752946fda6a50ca2675fa3847999898a951
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041674
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Auto-Submit: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75851}

The MapRef constructor contains a ParkedSharedMutexGuard which may
trigger gc; and MapRefs may be created for any HeapObjectRef (or
subclass) creation. Thus, calls to (Try)MakeRef must happen in
contexts in which garbage collection is allowed.

Bug: v8:7790,v8:12012
Change-Id: If0cb9e2dae7150b0aa5193a90ec3bc9cd9ac3b81
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043951Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75850}

Rolling v8/base/trace_event/common: https://chromium.googlesource.com/chromium/src/base/trace_event/common/+log/d41864d..ad56859

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/51d7849..66e6c2e

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/6a2f664..9ac1fdf

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/c81b8b9..131233f

Rolling v8/tools/luci-go: git_revision:6387586e5b3279aebdf22bdab7ae619dbc156b66..git_revision:9ee8b1d719c0d3c268e0e19282351ca78024af2d

Rolling v8/tools/luci-go: git_revision:6387586e5b3279aebdf22bdab7ae619dbc156b66..git_revision:9ee8b1d719c0d3c268e0e19282351ca78024af2d

Rolling v8/tools/luci-go: git_revision:6387586e5b3279aebdf22bdab7ae619dbc156b66..git_revision:9ee8b1d719c0d3c268e0e19282351ca78024af2d

TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: I1fb8aa68f5afba116d2f214f2128553a77e6ca7d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3045038Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75849}

RegExp match indices have shipped since M90

Bug: v8:9548
Change-Id: I8bf54ce1a50b5079aad71140f75c979a09aae5bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3042842
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75848}

This is a reland of 4cc547c7

Change: prevent a memcpy to nullptr by skipping the call to copy_out()
when the length is zero.

Original change's description:
> [wasm][eh] Add WebAssembly.Tag.type
>
> R=ahaas@chromium.org
>
> Bug: v8:8091
> Change-Id: Id069ffbf76bf836b613287788b1b1fccbb577475
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3021173
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75815}

Bug: v8:8091
Change-Id: I22f400b6e36d1322a4eabd20a68b4bdd70d61377
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041436Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75847}

Allow CrossThreadPersistent and its weak form to access ASAN poisoned
memory from the GC entry points.

In general, payloads of to-be-finalized objects are poisoned until the
finalizer actually runs to avoid accidentally touching that payload.

In the case of cross-thread handles, these may need to be cleared by a
different thread before the finalizer actually runs. In order to clear
those references, the slot needs to be unpoisoned.

This is issue is ASAN-only and does not affect production or other
debug builds.

Bug: chromium:1230599, chromium:1056170
Change-Id: If4d0808953047319b02653821abbb5c638084dc5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3040845
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75846}

Change-Id: I62b6ea126cd15c06fc48c8c7eae14b2b0c9b1dda
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3043962
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75845}

Bug: v8:7748
Change-Id: I1a9787514e105c70ab101aa035e6ee4ae2284ba3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041434Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75844}

This adds a little {Simulator::ProbeMemory} method that is used from
several places in the arm64 simulator to test if a memory address can be
accessed, and trigger a signal from a specific location such that the
trap-handler can handle it. In case of a trap, the simulator is
redirected to the landing pad and stops executing the memory
instruction that triggered the trap.

Standard memory accesses and SIMD memory loads and stores are
instrumented to probe the memory. This passes all existing tests. In
case this CL misses certain spots, we can still add them later. This
will not be a security problem, since we do not use the simulator in
production.

R=ahaas@chromium.org
CC=mseaborn@chromium.org, v8-arm-ports@googlegroups.com

Bug: v8:11955
Change-Id: I52a81341e99fabc5fcf9e41ef4d8dd2226092803
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3015557
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75843}

The concurrent sweeper destroyed large pages directly in case no
finalizer was needed during sweeping. This is unsafe as the logic of
BasePage::Destroy is not concurrency safe.

Bug: chromium:1056170, chromium:1231053
Change-Id: I8ae9b27b916f8c4aee0c239c7ac8f2ec61d92c56
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041671
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75842}

Since most Torque-defined extern classes use @generateCppClass, it makes
more sense to instead annotate the small number that don't. This is part
of the cleanup work that Nico recommended in [1].

Classes that still have to opt out:

- Those that can be converted by https://crrev.com/c/3015666
- HeapObject: sort of special since it's the root of the inheritance
  hierarchy. Generated code would include two declarations that don't
  compile until HeapObject is defined:
    bool IsHeapObject_NonInline(HeapObject o);
    explicit TorqueGeneratedHeapObject(
        Address ptr, HeapObject::AllowInlineSmiStorage allow_smi);
- SmallOrdered*: these classes use templates on the C++ side, which is
  not currently representable in Torque.
- SwissNameDictionary: according to a comment, the Torque generation for
  this class is incorrect. I haven't investigated further.

Drive-by fix: make the Torque formatter keep LF on Windows rather than
writing CRLF.

[1] https://docs.google.com/document/d/1q_gZLnXd4bGnCx3IUfbln46K3bSs9UHBGasy9McQtHI/edit#

Bug: v8:8952
Change-Id: I1fbb5290f0c645842b84c53816c09bb3398206a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3028721Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#75841}

We add additional num_types and liftoff parameters
for GetValueType to be able to generate user-def reftypes.
num_types is the number of types in the program and
liftoff checks if we could add reftypes or not.
The additional method (NumTypes) was added to WasmModuleBuilder and
additional field (liftoff) to WasmGenerator constructor.

Bug: v8:11954
Change-Id: I4904a41043264c65d5cba5b22129184d6a486bfe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041426
Commit-Queue: Rakhim Khismet <khismet@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75840}

This is a reland of cecc666f

Depends on:
https://crrev.com/c/3043611

Original change's description:
> [build] Add V8-specific dcheck_always_on
>
> This makes the V8 dcheck control independent of Chromium's and
> prepares switching Chromium's default behavior without affecting V8
> developers or builders.
>
> Preparation for: https://crrev.com/c/2893204
>
> Bug: chromium:1225701
> Change-Id: I520b96019b04196f4420716ff3500ebd6c21666f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038528
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75827}

Bug: chromium:1225701
Change-Id: I56568b78592addba01793d2d14f768c9ee10103d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041670Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75839}

This was triggered by the inspector fuzzer, which terminates execution
after two seconds. This is done by triggering a termination exception
via an interrupt. In this case, the runtime function should return
immediately, and return the exception sentinel.
This CL fixes the WasmDebugBreak runtime function to do that correctly.

R=thibaudm@chromium.org

Bug: chromium:1215711
Change-Id: Idf8e9769809f135b426e4d1a0ef82fae826050b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041423Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75838}

This reverts commit 0cd8a913.

Reason for revert: There are reports of this check failing.
It's still unclear why it's failing and what the implications of
that are. The check had been disabled for many years so it seems
safe to disable it again for now (it's in --debug-code anyways).

Original change's description:
> [ia32] Restore FP stack check in the deoptimizer
>
> This restores the check that was removed in
> https://chromiumcodereview.appspot.com/12300020/
>
> Bug: chromium:736643
>
> Change-Id: I82e218b9f2572953a7f433d713dff0528574eea1
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2848469
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#74168}

Bug: chromium:1208057
Change-Id: I2f8ecfca3f4732583378a5d5b2a38ad636914e1c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041673Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75837}

This reverts commit e24fa913.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac64%20GC%20Stress/18917/overview

Original change's description:
> [offthread] Template deserializer on Isolate
>
> Make the deserializer class templated on Isolate/LocalIsolate. This
> allows the ObjectSerializer to be split into a main-thread and offthread
> variant, with the latter taking a LocalIsolate.
>
> Eventually, we probably want to anyway split off the code-cache de/serializer
> to a separate implementation (for various reasons), and this the only one that
> wants off-thread finalization, and at this point the deserializer can revert
> back to being un-templated, used only for bootstrapping. However, this is the
> simplest way, for now, to enable off-thread deserialization.
>
> Bug: chromium:1075999
> Change-Id: I49c0d2c5409f0aa58183673785296756c3714f22
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2562254
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75834}

Bug: chromium:1075999
Change-Id: Id699ebe0c17d3a61ec35b0f78417306175271647
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041675Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75836}

Currently deopt fuzzer passes --future and so should skip the same tests
as the future variant.

BUG=v8:9684

Change-Id: I3d10dae7ba7cffc36bd4777941ac053c42c80cef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041668
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75835}

Make the deserializer class templated on Isolate/LocalIsolate. This
allows the ObjectSerializer to be split into a main-thread and offthread
variant, with the latter taking a LocalIsolate.

Eventually, we probably want to anyway split off the code-cache de/serializer
to a separate implementation (for various reasons), and this the only one that
wants off-thread finalization, and at this point the deserializer can revert
back to being un-templated, used only for bootstrapping. However, this is the
simplest way, for now, to enable off-thread deserialization.

Bug: chromium:1075999
Change-Id: I49c0d2c5409f0aa58183673785296756c3714f22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2562254Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75834}

The JSFunction::set_context call happens 1. only on script functions
and 2. before the function is executed, and therefore the compiler
only ever sees the final value.

Bug: v8:7790
Change-Id: I618673c7ec6284dcf3d80b1edd7be516b048ed2c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041664
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75833}

This also fixes a little mistake from
https://chromium-review.googlesource.com/c/v8/v8/+/2992914.
The label must be far here.

Change-Id: Ie53cb3713b1b5db6c10e4ce6ed177a510da847f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3031897Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Auto-Submit: Ji Qiu <qiuji@iscas.ac.cn>
Cr-Commit-Position: refs/heads/master@{#75832}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/33763d1..51d7849

Rolling v8/buildtools/linux64: git_revision:61a0153b5e60f11100a04e51393cae15268d1ee3..git_revision:d565aa3e72dd9e81da9595ee8c9d7b24cb45c48b

Rolling v8/third_party/aemu-linux-x64: XSfC0vpqwj2Qzz0hAfMHYCCe5KDFiXqzb4M3U-cT6i4C..jIoBgZ-iUWXLCCH8YkbLabPLzKXZ54b27lb6trJpzpUC

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/5cb3053..6a2f664

TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com

Change-Id: Ifdc548675328ac064f37d6dfb3697f2c705f92fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3042808Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75831}

This reverts commit cecc666f.

Reason for revert: Many crashes on clusterfuzz bots https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Clusterfuzz%20Win64%20ASAN%20-%20release%20builder/23404/overview

Original change's description:
> [build] Add V8-specific dcheck_always_on
>
> This makes the V8 dcheck control independent of Chromium's and
> prepares switching Chromium's default behavior without affecting V8
> developers or builders.
>
> Preparation for: https://crrev.com/c/2893204
>
> Bug: chromium:1225701
> Change-Id: I520b96019b04196f4420716ff3500ebd6c21666f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038528
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75827}

Bug: chromium:1225701
Change-Id: I20329f77707caf8fba2405919aa13c67811a1469
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3042841
Auto-Submit: Zhi An Ng <zhin@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75830}

With lazy feedback allocation we don't tier up to baseline early. This
test requires us to tier up to baseline. So add
--lazy_feedback_allocation as a required flag.

Bug: v8:12009
Change-Id: Ibbc1d1cc74ae368ef414f513a0cd46e9bf068186
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3042718
Commit-Queue: Mythri Alle <mythria@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Auto-Submit: Mythri Alle <mythria@chromium.org>
Reviewed-by: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75829}

Bug: v8:11880
Change-Id: Ibcb1d16cf613027b1a0f17a37825ef95acfe94c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041437
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75828}

This makes the V8 dcheck control independent of Chromium's and
prepares switching Chromium's default behavior without affecting V8
developers or builders.

Preparation for: https://crrev.com/c/2893204

Bug: chromium:1225701
Change-Id: I520b96019b04196f4420716ff3500ebd6c21666f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038528Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75827}

... which will update both the CodeObjectSlot contents and the cached
value of the code entry point when the pointed Code object is
evacuated.
This is done by introducing an OLD_TO_CODE remembered set which is
populated with the recorded slots containing pointers to Code objects.
CodeDataContainer is the only kind of holder that can contain Code
pointers, so having a CodeObjectSlot is enough to compute the holder
CodeDataContainer object and update the cached code entry point there.

This CL fixes the data race in the previous implementation which were
updating the code entry point during Code object migration.

Bug: v8:11880
Change-Id: I44aa46af4bad7eb4eaa922b6876d5f2f836e0791
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035084
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75826}

Enable --turboprop in the --future config.

BUG=v8:9684

Change-Id: I1a419b64eaa59c1425b8327c9c3e2cfde9e099a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038530
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75825}

Avoiding the builtin call, and potentially enabling other Turbofan
optimizations to apply.
This required teaching the MemoryLowering pass how to produce
Wasm-style isolate-independent code, where external references won't
work, and builtin calls have to be encoded differently.

Bug: v8:7748
Change-Id: Ib6d87da644330e7c3623c11aa333b23074aeae19
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038524
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75824}

Function CopyAndConvertArrayToCppBuffer doesn't work correctly with
holey arrays.

Bug: chromium:1230431, v8:11739
Change-Id: If24f645ebf4947f9efdccd1470ddf9e68c0b6780
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3037989Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#75823}

Earlier CL: https://chromium-review.googlesource.com/c/v8/v8/+/3030711
used esi register to load code object. When we use CallRuntime we
expect esi to contain Context object. So, restore this value from
the frame before calling into runtime.

Bug: chromium:1230936
Change-Id: I1f34aa85ff77555c5cbbe2d5b5401056b36278af
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041425
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75822}

This reverts commit 4cc547c7.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan/17396/overview

Original change's description:
> [wasm][eh] Add WebAssembly.Tag.type
>
> R=​ahaas@chromium.org
>
> Bug: v8:8091
> Change-Id: Id069ffbf76bf836b613287788b1b1fccbb577475
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3021173
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75815}

Bug: v8:8091
Change-Id: I2581f82e6bc8a622a833b79037b4e58f587918cc
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041432Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75821}

This reverts commit 04ae4904.

Reason for revert: crbug.com/1231108

Original change's description:
> [compiler] Enable --turbo-optimize-apply by default
>
> Bug: v8:9974
> Change-Id: I801f55687808bb5bd0c1ad19f37cd97264889962
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3035087
> Reviewed-by: Michael Stanton <mvstanton@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75792}

Bug: v8:9974
Change-Id: Ia6ee40cdc8b65b574d03ebb194efed3cdc4e8051
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041430
Auto-Submit: Georg Neis <neis@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75820}

Hashing FunctionSigs can be quite expensive for large modules;
luckily in some cases we can avoid doing that work.

Change-Id: Ia18060b4c27ab34b44bda4bb81ea05299ecb0f49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3038523
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75819}

This CL fixes a previous change in String.prototype.startsWith which
didn't throw an exception (in the optimized version) when `undefined`
was passed as a receiver and the search string was the empty string.

Bug: chromium:1230260
Change-Id: I835bd409b09b78bf7235c77596f62b588c95611d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3040841
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75818}

Most Torque-defined extern classes already use @generateCppClass. As
Nico pointed out in [1], it would be nice to convert the remaining
classes and remove this option. This change converts most of those
remaining classes. I know that the future of Torque-defined classes is a
subject of some debate right now, but I think that it's worth doing a
few mechanical changes to reduce the existing variety of options.

Changes that don't exactly follow the usual pattern:
1. BigIntBase, MutableBigInt: we can define these without a body, and
   then Torque treats them as "really external" rather than "kind of
   external, but with some Torque-generated parts".
2. RegExpMatchInfo: moved its inline functions into a separate file,
   which the generated -tq.cc file requires.

[1] https://docs.google.com/document/d/1q_gZLnXd4bGnCx3IUfbln46K3bSs9UHBGasy9McQtHI/edit#

Bug: v8:8952
Change-Id: I84c7958a295caa0bab847683c05022e18c921cad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3027742Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#75817}

This is a reland of 3847b33f

Original change's description:
> Update V8 DEPS.
>
> Rolling v8/base/trace_event/common: https://chromium.googlesource.com/chromium/src/base/trace_event/common/+log/d5bb24e..d41864d
>
> Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/fd86d60..33763d1
>
> Rolling v8/buildtools/linux64: git_revision:b2d77ab1373192d1532af94b68fb8bab727b0e5b..git_revision:61a0153b5e60f11100a04e51393cae15268d1ee3
>
> Rolling v8/buildtools/third_party/libc++abi/trunk: https://chromium.googlesource.com/external/github.com/llvm/llvm-project/libcxxabi/+log/7d5c92f..e8bf577
>
> Rolling v8/third_party/aemu-linux-x64: eghzU3LI6jsGYPkSzAoCDHeiVyaydZjwxB5kjkPImaMC..XSfC0vpqwj2Qzz0hAfMHYCCe5KDFiXqzb4M3U-cT6i4C
>
> Rolling v8/third_party/logdog/logdog: https://chromium.googlesource.com/infra/luci/luci-py/client/libs/logdog/+log/88ab863..17ec234
>
> Rolling v8/tools/luci-go: git_revision:d10ff2af1182ccaad573bc5acb84a36f4c280876..git_revision:6387586e5b3279aebdf22bdab7ae619dbc156b66
>
> Rolling v8/tools/luci-go: git_revision:d10ff2af1182ccaad573bc5acb84a36f4c280876..git_revision:6387586e5b3279aebdf22bdab7ae619dbc156b66
>
> Rolling v8/tools/luci-go: git_revision:d10ff2af1182ccaad573bc5acb84a36f4c280876..git_revision:6387586e5b3279aebdf22bdab7ae619dbc156b66
>
> TBR=v8-waterfall-sheriff@grotations.appspotmail.com,mtv-sf-v8-sheriff@grotations.appspotmail.com
>
> Change-Id: Icb2300e3fddbb5c8550312216de5daedde164221
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3040126
> Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
> Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
> Cr-Commit-Position: refs/heads/master@{#75797}

TBR=machenbach@chromium.org

Change-Id: I5f84e89a742a28a93f574cef5d905604c372e76c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041422Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75816}