These are unused and unmaintained, there are probably a lot of paths by
now which don't funnel through this, so remove them.

Bug: v8:9183
Change-Id: I4b48034e396b3ee481ae87283ab9a860f2f41d1b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632155
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61900}

This reverts commit 8092acbe.

Reason for revert: Causes UBSan warnings:
https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20UBSan/6436

Original change's description:
> [wasm] Store signature with {WebAssembly.Function} objects.
> 
> This adds simple serialization and deserialization of the signature
> provided when a {WebAssembly.Function} object is constructed. For now
> this signature is only used by the {WebAssembly.Function.type} method,
> but will soon be used when importing such functions as well.
> 
> R=​jkummerow@chromium.org
> TEST=mjsunit/wasm/type-reflection
> BUG=v8:7742
> 
> Change-Id: If4a687ea537d8c12f4f01a7d3ac5a795ceb999c6
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632211
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61898}

TBR=jkummerow@chromium.org,mstarzinger@chromium.org

Change-Id: I56ea9df5db3f95c05068186097e298cb73a3675d
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7742
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632218Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61899}

This adds simple serialization and deserialization of the signature
provided when a {WebAssembly.Function} object is constructed. For now
this signature is only used by the {WebAssembly.Function.type} method,
but will soon be used when importing such functions as well.

R=jkummerow@chromium.org
TEST=mjsunit/wasm/type-reflection
BUG=v8:7742

Change-Id: If4a687ea537d8c12f4f01a7d3ac5a795ceb999c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632211Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61898}

R=tebbi@chromium.org

Change-Id: I30aab2663180382a078901c10e39cd1ad6c906f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627541
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61897}

Bug: v8:9247
Change-Id: I2f999ed3a8cc0931e5092f2ac6e709b8ff3f9e42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630678
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61896}

R=danno@chromium.org

Bug: v8:9247
Change-Id: I98188260a6ef95570ababa403958f7a28845b450
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627331Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61895}

Feedback pollution can create situations in which we statically see stores to the same field with incompatible representations; dynamically this should be impossible for a single TurboFan compilation unit. Instead of failing an assertion we produce Unreachable nodes.

R=tebbi@chromium.org

Bug: chromium:967434 chromium:967506
Change-Id: Id549ec84f28b4fed2d2e5ef05b40b48bc5b30e97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632169
Commit-Queue: Georg Schmid <gsps@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61894}

Add .exe to the produced executable for the protoc compiler.

Use include_dirs instead of -isystem. Remove some more warnings that
that causes.

Cq-Include-Trybots: luci.v8.try:v8_linux64_perfetto_dbg_ng
Bug: v8:8339
Change-Id: Ia6b0df63107470ec78f8038834205a0e4fe34b21
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632069
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Auto-Submit: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61893}

There were some cases that were not yet contemplated on machine graph
verifier.

Also, there is some work to be done to create a Compressed HeapConstant.
Until that happens, we have to ignore HeapConstants for
DecompressionElimination's reductions.

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703, v8:9298
Change-Id: I9de8dd4272866830807a8d88e625e863fb5f1d0d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632209
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61892}

Due to bug chromium:893437, Torque has ASAN disabled on Windows, which
makes it impossible to run unittests for Torque with ASAN being enabled
in the unittests. To fix this, this skips Torque unittests in the
unsupported configuration.

Bug: chromium:893437
Change-Id: I6c8eee1448c63223af4d7336954190e649d125e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632214Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61891}

R=bmeurer@chromium.org

Bug: v8:9299
Change-Id: I77e8b201bd5fd1c544cced301c8805571c4c1167
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632212Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#61890}

Just use standard C++ syntax to define structs and enums instead.

R=ahaas@chromium.org

Bug: v8:9183
Change-Id: Ibae1643bd1dc74267cdd14ec45a36fc65bf0ab4b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631410Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61889}

Bug: v8:4153
Change-Id: I0aa5a3947fbeb9b4f186cff459518d95512ec5a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632151
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61888}

Reduces compressions of constants, going from
     Constant <- Compress <- Child
to
     Compressed_Constant <- Child

This pattern commonly appeared when the Constant was being used as a
Store value (e.g StoreElement's value).

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: I2e71f79ddd2a6fba42cdfe782cc89fff3a8d5ac1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627988
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61887}

The instruction is the same as the existing {select} instruction with
type. Both inputs must be in a sub-type relationship with the type
specified in the type instruction.

R=clemensh@chromium.org

Bug: v8:7581
Change-Id: Ibead6cd0253210828c8114336ea0942e6cbd6126
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631413
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61886}

In a new test suite: "wasm-api-tests", using a new binary "wasm_api_tests",
powered by gtest/gmock (like unittests).
Also fix a bunch of issues that these tests uncovered, mostly to ensure
that the stack is walkable.

Change-Id: I1d5604eea85da078ebecd4ebb7383647595f16ac
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627539
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61885}

see https://crrev.com/c/1627548
that CL remove this functions declaration in the header file, but did not
drop function definition in the cpp file.

Bug: v8:9183
Change-Id: I98bba3664510c0a6a6a047a8b9c7c43bcc4c3962
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631812
Auto-Submit: Yu Yin <xwafish@gmail.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61884}

The DecompressionElimination reducer can handle that case with the
comparison of Decompress vs HeapConstant. There is no need to do extra
work.

Reverts parts of https://chromium-review.googlesource.com/c/v8/v8/+/1518182.
The rest of that CL was reverted in a previous CL where the AccessBuilders
were updated.

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: I871577e49f9ccd95864af54bdd61884d34b7f223
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1628792Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61883}

We currently have three different compresses that we thought it could be
a good idea to merge into only one. Merging them would make sense since
they all end up with the same code being generated. However, we would be
losing knowing the MachineRepresentation in the cases of CompressSigned
and Pointer.

For example, in machine-graph-verifier everything will have to be
MachineRepresentation::kCompressed
https://cs.chromium.org/chromium/src/v8/src/compiler/machine-graph-verifier.cc?l=226

Cq-Include-Trybots: luci.v8.try:v8_linux64_pointer_compression_rel_ng
Cq-Include-Trybots: luci.v8.try:v8_linux64_arm64_pointer_compression_rel_ng
Bug: v8:8977, v8:7703
Change-Id: I244e2e61cab2bb87830bc0aabdbe5e43f243b424
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1624798Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61882}

Change-Id: I94ad60d487e64fa72cd3123c85a1b8460ea1007b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630671
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61881}

- Fix a non-observable bug in the typer.
- Add some CHECKs where we rely on not receiving None types.
- Remove an explicit handling of None types where it's redundant and
  misleading (later ToNumeric conversions can again introduce None).

Bug: chromium:965911
Change-Id: I4bb84422de3f9297131e7304216b86884f04ed49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630679
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61880}

This removes a special case from JSObject::WriteToField() where we
didn't store anything in case of initializing a double field with
the uninitialized sentinel. Instead we now store the hole NaN pattern
there, as in other places. This makes it possible to do stricter
checking in the TurboFan frontend when it comes to detecting bit
patterns.

Drive-by-fix: Refactor the related code in MigrateFastToFast() to
make it easier to follow the control flow.

Bug: v8:9299
Change-Id: Ic35d05c69fbbb136d422d29ce6abf2b09ebe22a6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631606Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61879}

These two calls used Tagged, which may not match the field in question
and thus might leak a MutableHeapNumber.  Since the result was used in a
very limited way, this was not a correctness bug but it should be fixed
anyways.

Bug: chromium:966229
Change-Id: Id237729b60d980ded154f70d03e98375f5edc4cc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630681
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61878}

This is a quick fix for the recent bailout-on-uninitialized feature of
the serializer, which does not work with resumables. For now, simply
treat the ResumeGenerator bytecode as if it was an exception handler
entry point. I want to revisit this later because the proper fix might
be to teach the serializer about the SwitchOnGeneratorState bytecode.

Bug: chromium:966560, v8:7790
Change-Id: I48bc6ba7299faa29802159cc7c36f4629667b5d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630670Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61877}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/97564df..4cebfa3

Rolling v8/buildtools: https://chromium.googlesource.com/chromium/src/buildtools/+log/6884242..0218c0f

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/4d346fb..a7b3312

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/181e44c..26af0d3

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/9d46446..fe8ba88

TBR=machenbach@chromium.org,sergiyb@chromium.org,tmrts@chromium.org

Change-Id: I956064690ecd2aded8da168065711f8d0ca4e210
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1629851Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#61876}

..to the case where the intermediary add is unused.

Bug: chromium:967186
Change-Id: I8ff95e71fbad88b9b1544f375303eb5400377631
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632071Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61875}

Otherwise, we may execute the checkpoint more often which may change
timing on GCs unnecessarily as this code path is dependen on global
memory scheduling.

Bug: chromium:967573, chromium:948807
Change-Id: I8d5812dc752638801c6729b9b0c5640c3da945d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631608
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61874}

Change-Id: Ie4e12c8b65430a62f7ec045a28417f42e35a4c99
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1632070Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61873}

Especially for function types, this increases readability significantly.
Also the style guide recommends for 'using' over 'typedef'.

R=mstarzinger@chromium.org

Bug: v8:9183
Change-Id: If2d17863de39383f5a35e089298d37408791ce4b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631415
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61872}

In BuildLoadNativeContextField(), we have access to the native context
as a constant. Use it directly, rather than loading from the current
context.

Change-Id: I60cd97586bbe5f8336f809967a3df556d0d43049
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630682Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61871}

Now heap checks for the --inline-new flag immediately after setup
before creating the initial objects.

Disabled inline allocation also disables allocation folding.

Additionally, the memory optimizer is changed to not update the
linear allocation area if allocation folding is disabled.

Change-Id: Ie43fe2d1b92c8e86204ee72a273dcf42ac89da59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1624803
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61870}

R=bmeurer@chromium.org

Change-Id: I88f3300d34b185e88f8b6f391346630a7c22ecb4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631422Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#61869}

Drive-by fix: For JSON, it's illegal to have an \' escape sequence in a
double quote (") string literal.

Bug: v8:8880
Change-Id: I16de0ee731e93f5ea0db8f743c9b363a6bf50a43
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631599
Auto-Submit: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61868}

Win64 unwind data can specify a language-specific handler function which is
called as part of the search for an exception handler, as described in
https://docs.microsoft.com/en-us/cpp/build/exception-handling-x64?view=vs-2019.
This is used for example by Crashpad to register its own exception handler for
exceptions in V8-generated code.
There is a problem in the code that may cause a freeze on abort: in file
\deps\v8\src\unwinding-info-win64.cc in function CRASH_HANDLER_FUNCTION_NAME the
line:
    return EXCEPTION_CONTINUE_SEARCH;
should be
    return ExceptionContinueSearch;

These constants are both used in the context of Win32 exception handlers, but
they have different semantics and unfortunately different values:
EXCEPTION_CONTINUE_SEARCH (=0) should be returned by an exception filter
while a language-specific handler should return an EXCEPTION_DISPOSITION value,
and more precisely ExceptionContinueSearch (=1) in this case.

Bug: v8:9295
Change-Id: I1a3aaabf357e52a909611814f1ea013cf652ae06
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1629795Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#61867}

Plan to flip to ship in early June (after m76 branch) for chrome m77.
Spec: https://tc39.github.io/proposal-unified-intl-numberformat/
Design Doc: https://goo.gl/ZAtL1f
I2I: https://groups.google.com/a/chromium.org/forum/?fromgroups#!searchin/blink-dev/Intl%7Csort:date/blink-dev/q3U7sPOG1uo/M7XZU7fxAwAJ

Tests:
intl/number-format/unified/*
test262/intl402/NumberFormat/* (tests with Intl.NumberFormat-unified)

Bug: v8:8515
Change-Id: Ica4108d6ffcc8819940cb6cecb15d852ae7cdf14
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1629407Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Frank Tang <ftang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61866}

Instead of generating one CodeStubAssembler-like class per namespace,
Torque-generated macros are now free-standing functions not included
from CSA code, and explicitly exported macros become part of the new
TorqueGeneratedExportedMacrosAssembler, which CodeStubAssembler
inherits from, thus making them available to all CSA code.

Structs are now defined in a new header csa-types-tq.h as free-standing
types with the prefix "TorqueStruct".

This is a preparation for generating per Torque-file instead of per
namespace.

Change-Id: I60fadc493a63f85d1d340768ec6f11ae47be0cb8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1628787
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61865}

This is a reland of 4b86fea5 with
copy&paste typo in CodeStubAssembler::AllocateByteArray() fixed
(bug led to holes in new space, which was crashing reproducibly
on the ia32 bot).

Original change's description:
> [typedarray] Move external/data pointer to JSTypedArray.
>
> As the next step in supporting huge typed arrays in V8, this moves the
> external/data pointer from the FixedTypedArrayBase backing store to the
> JSTypedArray instance itself, and replaces the special backing stores
> with a plain ByteArray (removing all the code for the FixedTypedArrayBase
> class hierarchy). By doing so, we can drastically simplify the system
> around typed arrays.
>
> Note: Several places in the code base used to check the instance type
> of the elements backing store of a JSTypedArray instead of checking the
> elements kind on the JSTypedArray map directly. Those had to be fixed,
> since the backing store is now always a ByteArray.
>
> Drive-by-fix: Move all the typed elements access related code into the
> elements.cc file to properly encapsulate the accesses.
>
> Doc: http://doc/1Z-wM2qwvAuxH46e9ivtkYvKzzwYZg8ymm0x0wJaomow
> Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
> Change-Id: I8cc06b190c53e34155000b4560f5f3ef40621646
> Cq-Include-Trybots: luci.chromium.try:linux-rel,win7-rel
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627535
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61855}

Tbr: petermarshall@chromium.org
Bug: chromium:951196, chromium:965583, v8:4153, v8:7881, v8:9183
Change-Id: I87fcdb28532c5f08cc227332a4d59546cb423810
Cq-Include-Trybots: luci.chromium.try:linux-rel, win7-rel
Cq-Include-Trybots: luci.v8.try:v8_linux_shared_compile_rel
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631592Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61864}

The code that copies code bytes from a MacroAssembler into a buffer in a
CodeRangeUnwindingRecord struct (used to store stack unwinding data) has an
error: it copies the whole MacroAssembler buffer size, not just the size of the
compiled instructions into an "exception thunk" array.
This has no real bad effects, because a CodeRangeUnwindingRecord is stored at
the beginning of a page reserved at the beginning of an isolate code range, but
it is quite bad and we need to fix it.

Bug: v8:3598
Change-Id: I0df0cf0173561cc939e6431bc0f01ef040fc189e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1629310Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#61863}

Improve micro-benchmark by ~5x
Before:
ApplySpreadLiteral
ApplySpreadLiteral-Numbers(Score): 279
SpreadCallSpreadLiteral
SpreadCallSpreadLiteral-Numbers(Score): 285

After:
ApplySpreadLiteral
ApplySpreadLiteral-Numbers(Score): 1074
SpreadCallSpreadLiteral
SpreadCallSpreadLiteral-Numbers(Score): 1009


Bug: v8:6831
Change-Id: Ifd676ca13d5b7e86afc1578636fdd4dc2733c474
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1628244
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61862}

Consider embedder allocation rate when scheduling full garbage
collections.

Change-Id: If9c40df514c8346e21f6ba63eeca976acce4d122
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1631423Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61861}