The registry right now has no users. In a follow-up CL I will
remove the skip list for code pages and make users of the skip
list use the registry.

Bug: v8:9093
Change-Id: I23a2b9e0d4158e2ffa89626e71f58d3bb5a41201
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593074Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61184}

Bug: v8:8801, v8:8394
Change-Id: I7f27cb0a9dcbdd1ba0e3f90735472408c22185e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593304
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61182}

This enables the embedder to check if the snapshot generated
from SnapshotCreator::CreateBlob() can be rehashed and the seed
can be recomputed during deserialization.

The lack of this functionality resulted in a temporary vunerability
in Node.js: https://github.com/nodejs/node/pull/27365

Change-Id: I88d52337217c40f79c26438be3c87d2db874d980
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578661
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61175}

When asked to start at the receiver and the receiver is a primitive, the
dependency should be taken on the primitive map (which is a no-op)
rather than the wrapper object's map.

Bug: chromium:958716
Change-Id: I9c8b2b56436d134b2f79dbe458c0c527fe6d17a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593086
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61174}

Port 381a7f9e

Original Commit Message:

    On Arm/64 the last return address is stored in a link register instead of
    being pushed to the top-of-stack like on x64/ia32. Extend the support in the
    tick sampler to check for samples in a frameless bytecode handler with support
    for checking the link register if it exists instead of top-of-stack. In addition,
    make the x64/ia32 check more robust by ensuring we only apply the change if the
    pc is a bytecode handler and the top frame isn't a bytecode handler (stub) frame.

R=rmcilroy@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:9162
LOG=N

Change-Id: I893b45af40a48415fbbc2c9f5e9e5cd72ed8d9e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588888Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61173}

This reverts commit ad44c258.

Reason for revert: Missed some users: crbug.com/v8/9105

Original change's description:
> [typedarray] Make JSTypedArray::length authoritative.
>
> This is the first step towards full huge typed array support in V8.
> Before this change, the JSTypedArray::length and the elements backing
> store length (FixedTypedArrayBase::length) were used more or less
> interchangeably to determine the number of elements in a JSTypedArray.
>
> With this change we disentangle these two lengths, and instead make
> JSTypedArray::length authoritative. For on-heap typed arrays, the
> FixedTypedArrayBase::length will remain the number of elements in the
> backing store, but for the off-heap typed arrays, this length will be
> set to 0 (matching the fact that the FixedTypedArrayBase instance does
> not contain any elements itself).
>
> This also unifies the JSTypedArray::set_/length() and length_value()
> methods to only have JSTypedArray::set_/length() which returns/takes
> size_t values. Currently this still requires the values to be in Smi
> range, but later we will extend this to allow arbitrary size_t values
> (in the safe integer range).
>
> Bug: v8:4153, v8:7881
> Change-Id: Iff9089130bb31fa9e08e0cf913e7ab52c3dbf107
> Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
> Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1543729
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#60648}

TBR=jarin@chromium.org,titzer@chromium.org,hpayer@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

TBR=jarin@chromium.org, szuend@chromium.org

Bug: v8:4153, v8:7881
Change-Id: I96992bff15b4a2765ae4a557d2c37e78269c927d
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593294
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61172}

Bug: chromium:958021
Change-Id: I6cc6ff2666750b508786db010e202b1e8e1e9536
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593293Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61171}

This enables "goto definition" navigation for parent types.

R=sigurds@chromium.org

Bug: v8:8880
Change-Id: I3207ec8b85f0e36cbab3519b89af98bba1666406
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593081
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61169}

This is a reland of e632f8f4

Original change's description:
> [test] Remove longer timeout on bots
>
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_gc_stress_dbg
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_gcc_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_msan_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_tsan_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_arm64_dbg
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_mac64_asan_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_win64_dbg
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_android_arm64_n5x_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_cfi_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_ubsan_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_arm_lite_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_noi18n_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_mac64_dbg_ng
>
> Bug: v8:9145
> Change-Id: I6efee8579d9d9e0aad0431f6b87c152141d4ec7f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581261
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Tamer Tas <tmrts@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61107}

Bug: v8:9145
Change-Id: Id8f0468bbf2d67f62141e7f7c42417d351c3fffa
Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg
Cq-Include-Trybots: luci.v8.try:v8_linux_gcc_rel
Cq-Include-Trybots: luci.v8.try:v8_linux64_msan_rel
Cq-Include-Trybots: luci.v8.try:v8_linux64_tsan_rel
Cq-Include-Trybots: luci.v8.try:v8_linux_arm64_dbg
Cq-Include-Trybots: luci.v8.try:v8_mac64_asan_rel
Cq-Include-Trybots: luci.v8.try:v8_win64_dbg
Cq-Include-Trybots: luci.v8.try:v8_android_arm64_n5x_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_cfi_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_ubsan_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux_arm_lite_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_mac64_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588429Reviewed-by: Tamer Tas <tmrts@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61167}

This fixes a memory leak.

Bug: v8:9191, v8:7790
Change-Id: I0df49cd3a6791600638a67b4b7ad9687562e500b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588426
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61166}

NOTRY=true

Change-Id: I20f88cb163797690a3b91863c40f1ca7d201bb9b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593079Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61164}

The problem is with element kinds transitions without going through
runtime (i.e., IC or optimizing compiler).

Bug: chromium:952682
Change-Id: I6fe2bb30a0ea6fecb8f6e0750427cc50cc50f9e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593083Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61158}

- Add missing uses of MapInference::NoChange.
- Insert map checks even if inferred maps were reliable, because
  they were inferred for an earlier effect input.

Bug: chromium:958420, chromium:958350, v8:9197
Change-Id: Id7677b1fc6f1e09dc12ae178f1155e4245b4e3e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593077
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61157}

Improve code generation for stores with write barriers slightly by using the
assembler's dedicated scratch registers (x16 and x17 on Arm64, ip on Arm)
instead of allocating temporaries.

To do this, we've done two things:

  - Use ip as a scratch register when loading page flags.

  - TurboAssembler::CallRecordWriteStub() now takes the offset of the slot
    that's written to rather than its address, removing the need to allocate a
    temporary register for it.

In essence, we've gone from:

```
;; Do the store.
stur x19, [x9, #15]
;; Check *destination* object page flags and jump out-of-line.
and x4, x9, #0xfffffffffff80000
ldr x4, [x4, #8]
tbnz x4, #2, #+0x1e7c
|     ;; Check *source* object page flags.
| `-> and x4, x19, #0xfffffffffff80000
|     ldr x4, [xM, #8]
|,--- tbz x4, #1, #-0x1e80
|     ;; Compute address of slot.
|     add x5, x9, #0xf (15)
|     ;; Setup arguments to RecordWrite
|     stp x2, x3, [sp, #-32]!
|     stp x4, lr, [sp, #16]
|     stp x0, x1, [sp, #-16]!
|     mov x0, x9 ;; Object address in x9
|     mov x1, x5 ;; Slot address in x5
|     movz x2, #0x0
|     movz x3, #0x100000000
|     ;; Call RecordWrite
|     ldr x16, pc+2056
|     blr x16
```

Which allocates x4 and x5 as temporaries.

To:

```
stur x19, [x9, #15]
and x16, x9, #0xfffffffffff80000 ;; Using x16 instead of allocating x4.
ldr x16, [x16, #8]
tbnz x16, #2, #+0x1e7c
| `-> and x16, x19, #0xfffffffffff80000
|     ldr x16, [xM, #8]
|,--- tbz x16, #1, #-0x1e80
|     stp x2, x3, [sp, #-32]!
|     stp x4, lr, [sp, #16]
|     stp x0, x1, [sp, #-16]!
|     mov x0, x9            ;; Object address still in x9.
|     add x1, x9, #0xf (15) ;; Compute the slot address directly.
|     movz x2, #0x0
|     movz x3, #0x100000000
|     ldr x16, pc+2056
|     blr x16
```

Finally, `RecordWriteField()` does not need an extra scratch register anymore.

Change-Id: Icb71310e7b8ab1ca83ced250851456166b337d00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1505793
Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61153}

The "stress_background_compile" variant runs on all our bots. We
combine it with testing wasm code GC (which kind of fits into
background compile stressing) to get more coverage for that. Both
features are orthogonal, so we can test both at the same time without
loosing any coverage.

R=machenbach@chromium.org
CC=rmcilroy@chromium.org

Bug: v8:8217
Change-Id: Ib17decd4869978ff98e302694fa73d70ceec120e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588472Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61151}

With bytecode flushing and lazy feedback allocation, we need to call
%PrepareForOptimization before we call %OptimizeFunctionOnNextCall

Bug: v8:8801, v8:8394
Change-Id: I1f84477a8cef27b4cff61b54daf6fe1a9e5f8e76
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591775
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61148}

R=sigurds@chromium.org

Bug: v8:7793
Change-Id: Id0ba3a7b9f168e661ca786a0f1e18cd58c9210aa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593073Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61147}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/4087d63..d6fe3ed

Rolling v8/test/test262/harness: https://chromium.googlesource.com/external/github.com/test262-utils/test262-harness-py/+log/9bd99c6..4555345

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/5b26b37..5a34ef7

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/e49aed3..020b429

Rolling v8/third_party/googletest/src: https://chromium.googlesource.com/external/github.com/google/googletest/+log/a53e931..9997a83

Rolling v8/third_party/icu: https://chromium.googlesource.com/chromium/deps/icu/+log/35f7e13..ae4b77d

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: Ic24825a733ac1e0f6956de7096fc23952c673ff3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1591348
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#61145}

Two PR of test262 tests are in
https://github.com/tc39/test262/pull/2139 and
https://github.com/tc39/test262/pull/2134

Bug: v8:7729
Change-Id: Ic416be0cec0fda90ee89c03ba4c6bb3192bf871d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589633Reviewed-by: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61144}

This is a reland of 9284ad57, after
adding a missing speculation mode check in ReduceCallApiFunction.

Original change's description:
> [turbofan] Avoid raw InferReceiverMaps in JSCallReducer
>
> Instead provide an abstraction that makes it hard to forget
> dealing with unreliable maps.
>
> This also fixes a deopt loop in Function.prototype.bind and
> one in Array.prototype.reduce.
>
> Bug: v8:9137
> Change-Id: If6a51182c8693a62e9fb6d302cec19b4d48e25cb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578501
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61106}

Tbr: jarin@chromium.org
Bug: v8:9137, v8:9197
Change-Id: I0db68d267055969553c0c1b85fad7b909075c062
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589976
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61140}

Bug: v8:5367, v8:5368
Change-Id: I86f25f9f658e21a05604f3014e6ebf74f1a8a1f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590164Reviewed-by: Mathias Bynens <mathias@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61139}

R=binji@chromium.org

Change-Id: I936d906be90c0c6d3b84b5ad4e8cb574ab8cd970
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585851
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61135}

R=clemensh@chromium.org

Bug: v8:7581
Change-Id: I6b20698e556ed3808f8b190f88cb700301825b54
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588432
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61129}

BUG=v8:8801

Change-Id: I20e1b343f33293a5de3a8953650a26852126533a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588466
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Auto-Submit: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61127}

With bytecode flushing and lazy feedback allocation, we need to call
%PrepareForOptimization before we call %OptimizeFunctionOnNextCall

Bug: v8:8801, v8:8394
Change-Id: I81918f174b2f97cbaa8b8ef2e459080c2581f535
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588415
Commit-Queue: Mythri Alle <mythria@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61122}

Fix several small compile problems which causes by
https://crrev.com/c/1585737.

Change-Id: I78a07d597db9d81d4a99aac08e257f380be8f7e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1589202Reviewed-by: Dan Elphick <delphick@chromium.org>
Commit-Queue: Yu Yin <xwafish@gmail.com>
Cr-Commit-Position: refs/heads/master@{#61120}

This reverts commit 9284ad57.

Reason for revert: breaks blink tests:
https://ci.chromium.org/p/v8/builders/ci/V8-Blink%20Win/16839

Original change's description:
> [turbofan] Avoid raw InferReceiverMaps in JSCallReducer
> 
> Instead provide an abstraction that makes it hard to forget
> dealing with unreliable maps.
> 
> This also fixes a deopt loop in Function.prototype.bind and
> one in Array.prototype.reduce.
> 
> Bug: v8:9137
> Change-Id: If6a51182c8693a62e9fb6d302cec19b4d48e25cb
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578501
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61106}

TBR=jarin@chromium.org,neis@chromium.org

Change-Id: I97e0f47fb82eda76656905a3f7cc494babd92be6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9137
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588433Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61118}

This just adds the same case we already added in
https://chromium-review.googlesource.com/c/v8/v8/+/1478192
for conversions to tagged representation.

Bug: chromium:957559
Change-Id: I62a388ba47bd72d65fa07d0141362d7f1383c96e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588428Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61115}

Fix recognition of lazy functions when {--wasm-lazy-compilation} is
used.

Bug: chromium:956771
Change-Id: I3f9bb25ccf3920a6c3d266876faace8841dcdc61
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585843Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Frederik Gossen <frgossen@google.com>
Cr-Commit-Position: refs/heads/master@{#61114}

This CL refactors WasmTableObject::Grow to make it usable for the
table.grow instruction of WebAssembly.

The refactored version of WasmTableObject::Grow does additionally:
* Check if growing is possible
* Grow the FixedArray backing store of the table and initialize the new
  fields.
* Calculate the return value of WasmTableObject::Grow.

R=jkummerow@chromium.org

Bug: v8:7581
Change-Id: Ic6c867b96c30bd987ea281d5b3515a04bc5a3900
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588136
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61112}

This reverts commit e632f8f4.

Reason for revert: Seems to cause some timeouts to trigger failures: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN/26129

Original change's description:
> [test] Remove longer timeout on bots
> 
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_gc_stress_dbg
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_gcc_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_msan_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_tsan_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_arm64_dbg
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_mac64_asan_rel
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_win64_dbg
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_android_arm64_n5x_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_cfi_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_ubsan_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_arm_lite_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_noi18n_rel_ng
> CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_mac64_dbg_ng
> 
> Bug: v8:9145
> Change-Id: I6efee8579d9d9e0aad0431f6b87c152141d4ec7f
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581261
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Tamer Tas <tmrts@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61107}

TBR=machenbach@chromium.org,tmrts@chromium.org

Change-Id: I5e23aebc41e6ab15baa57093f7f056cdabd58f21
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:9145
Cq-Include-Trybots: luci.v8.try:v8_linux_gc_stress_dbg, luci.v8.try:v8_linux_gcc_rel, luci.v8.try:v8_linux64_msan_rel, luci.v8.try:v8_linux64_tsan_rel, luci.v8.try:v8_linux_arm64_dbg, luci.v8.try:v8_mac64_asan_rel, luci.v8.try:v8_win64_dbg, luci.v8.try:v8_android_arm64_n5x_rel_ng, luci.v8.try:v8_linux64_cfi_rel_ng, luci.v8.try:v8_linux64_ubsan_rel_ng, luci.v8.try:v8_linux_arm_lite_rel_ng, luci.v8.try:v8_linux_noi18n_rel_ng, luci.v8.try:v8_mac64_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588425Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61111}

Instead, use std::sort and std::stable_sort at the 3 (!) call sites
directly. This also removes the weird comparer adaptors from Vector,
which are only used in ZoneList.

R=jkummerow@chromium.org

Bug: v8:9183
Change-Id: I4d0377976fb0a965cb68a21d4307df9ba09fd55d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587394Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61109}

New RelocInfo test needs to adapt to the new pattern.

Change-Id: I09e531d099541511f94b929de647a3e3510f748f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588465Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61108}

CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_gc_stress_dbg
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_gcc_rel
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_msan_rel
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_tsan_rel
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_arm64_dbg
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_mac64_asan_rel
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_win64_dbg
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_android_arm64_n5x_rel_ng
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_cfi_rel_ng
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux64_ubsan_rel_ng
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_arm_lite_rel_ng
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_linux_noi18n_rel_ng
CQ_INCLUDE_TRYBOTS=luci.v8.try:v8_mac64_dbg_ng

Bug: v8:9145
Change-Id: I6efee8579d9d9e0aad0431f6b87c152141d4ec7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581261
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Tamer Tas <tmrts@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61107}

Instead provide an abstraction that makes it hard to forget
dealing with unreliable maps.

This also fixes a deopt loop in Function.prototype.bind and
one in Array.prototype.reduce.

Bug: v8:9137
Change-Id: If6a51182c8693a62e9fb6d302cec19b4d48e25cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1578501
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61106}

Ignore the error type in {assertThrows} only if it was not passed as an
argument. If users do not care about the error type they can user the
generic type {Error}. Before this change, an undefined error type would
simply be ignored. A simple typo could therefore disable the error type
assertion without being recognized.

Change-Id: I9becfd0bf14dcaa511854e65ff94f94481cc79b0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1585855
Commit-Queue: Frederik Gossen <frgossen@google.com>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61105}

Failure addressed by not exposing the new test to the jitless environment.
(jgruber@ on TBR).

New enum RelocInfo::COMPRESSED_EMBEDDED_OBJECT created to support
compressed pointers in generated code. Enum name EMBEDDED_OBJECT
changed to FULL_EMBEDDED_OBJECT.

RelocInfo::[set_]target_object() abstract away the difference between
FULL_EMBEDDED_OBJECT and COMPRESSED_EMBEDDED_OBJECT.

Compressed embedded objects can only be created at this time on
x64 with pointer compression turned on. Arm64 constant pools don't
support compressed objects at this time.

NOPRESUBMIT=true

Bug: v8:7703
TBR: jgruber@chromium.org
Change-Id: Ifff53b041bab09b4b8c3e16085e5df4aa2b99f4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588461Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61104}

Port 4b0f9c85

Original Commit Message:

    Our {Vector} template provides both {start} and {begin} methods. They
    return exactly the same value. Since the {begin} method is needed for
    iteration, and is also what standard containers provide, this CL
    switches all uses of the {start} method to use {begin} instead.

    Patchset 1 was auto-generated by using this clang AST matcher:
        callExpr(
            callee(
              cxxMethodDecl(
                hasName("start"),
                ofClass(hasName("v8::internal::Vector")))
            ),
            argumentCountIs(0))

    Patchset 2 was created by running clang-format. Patchset 3 then
    removes the now unused {Vector::start} method.

R=clemensh@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I119532691af31a3db1107c47de8b6f0c84697b5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588226Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Milad Farazmand <miladfar@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#61102}

This adds a new %_CopyDataProperties intrinsic, that reuses most of the
existing machinery that we already have in place for Object.assign() and
computed property names in object literals. This speeds up the general
case for object spread (where the spread is not the first item in an
object literal) and brings it on par with Object.assign() at least - in
most cases it's significantly faster than Object.assign().

In the test case [1] referenced from the bug, the performance goes from

  objectSpreadLast: 3624 ms.
  objectAssignLast: 1938 ms.

to

  objectSpreadLast: 646 ms.
  objectAssignLast: 1944 ms.

which corresponds to a **5-6x performance boost**, making object spread
faster than Object.assign() in general.

Drive-by-fix: This refactors the Object.assign() fast-path in a way that
it can be reused appropriately for object spread, and adds another new
builtin SetDataProperties, which does the core of the Object.assign()
work. We can teach TurboFan to inline Object.assign() based on the new
SetDataProperties builtin at some later point to further optimize
Object.assign().

[1]: https://gist.github.com/bmeurer/0dae4a6b0e23f43d5a22d7c91476b6c0

Bug: v8:9167
Change-Id: I57bea7a8781c4a1e8ff3d394873c3cd4c5d73834
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1587376Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61100}

Change-Id: I55e8e42b88c8df1f75ff05f22b39d69e9dc586ce
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1588457
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61097}