From the concurrent compiler's perspective, we can perform those
read/writes non-atomically and have wider TSAN coverage. The concurrent
marker, however, needs them to be atomic.
Bug: v8:7790
Change-Id: I96897f4f6237c90da018ec89be838aae894c24bc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817538
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73935}
When looking for intersections between the current range and inactive
range, we can stop the search as soon as the inactive range's next start
is past the current range's end position. We know that subsequent
inactive ranges cannot intersect either, because they are ordered by
their next start.
R=sigurds@chromium.org
Bug: chromium:986862
Change-Id: I249a781be281abc7b438f31848f5d6cb3a25303f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821434
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73932}
The method was scheduled for removal in M92, as the final part of the
fn.displayName support removal.
Fixed: chromium:1177685
Doc: https://bit.ly/devtools-function-displayName-removal
Change-Id: I243dd6c9849a6f39e76dd003300b639bfd8df604
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821954
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73930}
The CanAllocateArray used to be executed during JSCreateLowering,
leading to bailouts when large arrays are passed as arguments to
an async function or a bound function. This meant that
JSCreateAsyncFunctionObject or JSCreateBoundFunction will reach
JSGenericLowering, where they are not lowered. This CL moves
the checks earlier in the pipeline during JSNativeContextSpecialization
and JSCallReducer respectively, so that those operators are not
created at all in such cases and we bail out to the runtime instead.
Bug: v8:11564
Change-Id: I232ce7d9378730ae0cc8690e52fde840a484e069
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807609
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73928}
Multivalue has been shipped for a while now, so it is time to remove
its experimental feature flag.
Additional change: Set kV8MaxWasmFunctionReturns to the old
kV8MaxWasmFunctionMultiReturns value.
Change-Id: I5c4d33b036e64a7221de17f0e97119bb0a036838
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817790
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73927}
Rolling v8/build: 563f147..79006be
Rolling v8/third_party/aemu-linux-x64: _EJXYI9PIL6jmQi9nGYfsMiQZf2CFqi_hE7uUCqpScAC..dXMWT4elldlEXvj4YHtc9u0W4YEfTP-KZbIKpA75-7MC
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/ab687ea..8680ff0
Rolling v8/tools/clang: 006bc90..7168936
Rolling v8/tools/luci-go: git_revision:f784260b204b2d93c7bd6d1a619f09c6822e5926..git_revision:cbabdf2ff62e64e99bfdf57ab5625d3da3eb5db9
TBR=v8-waterfall-sheriff@grotations.appspotmail.com
Change-Id: I73becb94dcd7fba838472e99d0bb9202146b221f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2822914
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73926}
With a shared cage, there's no easy way to recover an Isolate from a
heap pointer. Symbol::Description relies on RO symbols' description slot
being uncompressed so a Handle could point to it. This isn't possible
with a shared cage without going through TLS to get an Isolate for
Handle construction, so deprecate the method in favor of one that takes
an Isolate directly.
Bug: v8:11460
Change-Id: I69b2b7d77f4c00d0f58954cd80e22cba5ff222e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2802860
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73924}
Port 5e0b94c4dc
Original Commit Message:
This CL adds features to pack/unpack map words.
Currently V8 cannot store extra metadata in object headers -- because V8
objects do not have a proper header, but only a map pointer at the start
of the object. To store per-object metadata like marking data, a side
table is required as the per-object metadata storage.
This CL enables V8 to use higher unused bits in a 64-bit map word as
per-object metadata storage. Map pointer stores come with an extra step
to encode the metadata into the pointer (we call it "map packing").
Map pointer loads will also remove the metadata bits as well (we call it
"map packing").
Since the map word is no longer a valid pointer after packing, we also
change the tag of the packed map word to make it look like a Smi. This
helps various GC and barrier code to correctly skip them instead of
blindly dereferencing this invalid pointer.
A ninja flag `v8_enable_map_packing` is provided to turn this
map-packing feature on and off. It is disabled by default.
* Only works on x64 platform, with `v8_enable_pointer_compression`
set to `false`
R=wenyu.zhao@anu.edu.au, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com
BUG=
LOG=N
Change-Id: I4a13093e7b20bb38990d947c697008a920cfe715
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821649
Reviewed-by: Junliang Yan <junyan@redhat.com>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/master@{#73923}
It's used when setting up the context snapshot for blink, so we want to
be sure that it doesn't execute script.
Bug: chromium:728583
Change-Id: I46507e18d178e6473dd10348a9f253016a9178b7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807615
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73920}
Finer-grained control of platforms that support threads is
enforced by chromium.
Bug: chromium:1167733
Change-Id: Ic34a4950aebf6ba394053b79df97b703af333636
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810190
Reviewed-by: Lutz Vahl <vahl@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73919}
The existing code assumes that the number of inputs is fixed to 4.
However, the fuzzer says that at least 5 inputs are also possible.
This CL makes the number of inputs more flexible.
CC=sam.parker@arm.com
Bug: chromium:1197393
Change-Id: I487ac96570b96f04b4d0a47065e7b383ba39016f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821435
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73917}
The pointer compression cage is the virtual memory reservation
that all compressed pointers fall within. This CL splits pointer
compression into two modes: a per-Isolate cage and a shared cage
among multiple Isolates.
When multiple Isolates are sharing a cage, they can decompress
each others' pointers and share the same virtual memory range.
Bug: v8:11460
Change-Id: I7b89b7413b8e7ca6b8b6faafd083dc387542a8b4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783674
Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73916}
This CL adds features to pack/unpack map words.
Currently V8 cannot store extra metadata in object headers -- because V8
objects do not have a proper header, but only a map pointer at the start
of the object. To store per-object metadata like marking data, a side
table is required as the per-object metadata storage.
This CL enables V8 to use higher unused bits in a 64-bit map word as
per-object metadata storage. Map pointer stores come with an extra step
to encode the metadata into the pointer (we call it "map packing").
Map pointer loads will also remove the metadata bits as well (we call it
"map packing").
Since the map word is no longer a valid pointer after packing, we also
change the tag of the packed map word to make it look like a Smi. This
helps various GC and barrier code to correctly skip them instead of
blindly dereferencing this invalid pointer.
A ninja flag `v8_enable_map_packing` is provided to turn this
map-packing feature on and off. It is disabled by default.
* Only works on x64 platform, with `v8_enable_pointer_compression`
set to `false`
Bug: v8:11624
Change-Id: Ia2bdf79553945e5fc0b0874c87803d2cc733e073
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2247561
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73915}
We have to have special rules for bit_fields since multiple accessors
touch the same field. I used:
* If the accessor is set at map initialization time only and:
* only the main thread accesses it: non-atomic write/read
* bg accesses it too: non-atomic write, relaxed read (read has to be
relaxed due to the whole bit_field being modified concurrently via
other bit_field3 accessors)
* If the accessor is set after map initialization:
* but it is not necessary for synchronization: relaxed write/read
* If the accessor is needed for synchronization: release/acquire
As a note, Map::NumberOfOwnDescriptors are the bits accessed by the
concurrent marker. For concurrent marker reasons it can be relaxed, but
we would like it to be release/acquire for the compiler since that's
where we synchronize Maps with adding descriptors to the descriptor
array.
Bug: v8:7790, chromium:1150811
Change-Id: I0ba7d2f8cb81d65a487970b4ea0bfa2a4cb3a975
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773286
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73911}
Make runtime-call-stats a compile-time flag. Disabling RCS saves roughly
1MB binary size on 64bit systems and yields minor performance
improvements.
Bug: v8:11299
Change-Id: Ia1db75e330a665db5251b685c164b96857e38d2d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2799766
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73910}
We have to respect the TypeCheckKind.
Bug: chromium:1195777
Change-Id: If1eed719fef79b7c61d99c29ba869ddd7985c413
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817791
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73909}
Skip wasm/simd test for riscv64
Add builtin info when calling a builtin.
Port 064ca18ca2
Change-Id: I1150de98a95231abf9d5def9e95ad38a8a42bbb3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814128
Reviewed-by: Brice Dobry <brice.dobry@futurewei.com>
Commit-Queue: Brice Dobry <brice.dobry@futurewei.com>
Cr-Commit-Position: refs/heads/master@{#73908}
If a loop is removed in dead code elimination, we may have a dead node
in the control chain. This wasn't expected, and endless recursion could
result.
Bug: chromium:1196185
Change-Id: Id6d69d0eaed11b0c6158b5643d3433b11611af59
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817792
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73906}
This CL makes more assumptions in the fast-api-call mjsunit test
explicit and specifies --deopt-every-n-times=0 for it, as it relies
on particular optimization/deoptimization sequences. It also fixes an
inconsistency between the fast/slow path results.
Bug: v8:11620
Change-Id: I385949a04534cd1658236878875efa6622936bc5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817607
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73905}
In Isolate::UnwindAndFindHandler(), the thread-in-wasm flag was set
before the destructor of some objects in that function got executed,
e.g. the destructor of {WasmCodeRefScope}. On Windows-asan, these
destructors could throw exceptions (asan on Windows uses exceptions for
its memory access tracking), which get handled initially by the wasm
trap handler, and would thereby invalidate the thread-in-wasm flag.
With this CL a new scope gets introduced which makes sure that setting
the thread-in-wasm flag is the last thing that happens in
Isolate::UnwindAndFindHandler().
Bug: chromium:1195595
Change-Id: If9f5f486c55b3bc2718a1d5aee3e3bd290d0ff35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817598
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73904}
Several spots in arm codegen require 24-bit integers; since getting
this wrong is usually a security problem, let's change these DCHECKs
into CHECKs.
Bug: chromium:1197363
Change-Id: I277dc8fe4771adae89375adbe19a33d2c9f6783c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820972
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73902}
The de-duplication happens when
1) we have a JSFunction for an outer function and a JSFunction for its
inner function in the snapshot and
2) we call the outer function again after deserializing
Expectation: the created JSFunction for the inner function uses the
SFI which was created when deserializing.
Bug: v8:11525
Change-Id: I80933514873e857452585317248fa34913d8d8e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794438
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73900}
This is a reland of 2b94e5677f
Original change's description:
> [inspector] Report [[Prototype]] as internal property.
>
> Previously the inspector was trying to add a special `__proto__`
> property to every JSObject, which looked and behaved like a real
> data property on the object. But this is confusing to developers
> since `__proto__` is not a real data property, but usually an
> accessor property on the `Object.prototype`.
>
> Additionally all other internal properties are reported using the
> [[Name]] notation, with the [[Prototype]] having been the strange
> outlier.
>
> Drive-by-cleanup: Use an ArrayList to collect the name/value pairs
> inside Runtime::GetInternalProperties(), which makes this function
> more readable and easier to add things.
>
> Bug: chromuium:1162229
> Fixed: chromium:1197019
> Screenshot: https://imgur.com/a/b7TZ32s.png
> Change-Id: Ic4c1e35e2e65f90619fcc12bf3a72806cadb0794
> Doc: http://doc/1Xetnc9s6r0yy4LnPbqeCwsnsOtBlvJsV4OCdXMZ1wCM
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814565
> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73881}
Bug: chromuium:1162229, chromium:1197019
Screenshot: https://imgur.com/a/b7TZ32s.png
Doc: http://doc/1Xetnc9s6r0yy4LnPbqeCwsnsOtBlvJsV4OCdXMZ1wCM
Change-Id: Ie1e2276b385b18a5f865fdae583d1ce0101157c0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820970
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73899}
Defence in depth patch to prevent JavaScript from executing
from within IterateElements.
R=ishell@chromium.org
R=cbruni@chromium.org
Bug: chromium:1195977
Change-Id: Ie59d468b73b94818cea986a3ded0804f6dddd10b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2819941
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73898}
Fuzz tests could mess with some library methods used by stubs for
NaN-pattern problems in typed arrays. This change makes the stubs
more robust.
Bug: chromium:1197627
Change-Id: I84975f798d616fd5e82fd9ab84ad01fc35336a04
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820968
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73896}
This CL enables the fast-api-calls mjsunit test again on gc_stress
with a fix for --stress-flush-bytecode.
Change-Id: I3a65f8cb4ec319945319d533ed92241b14f624c7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817604
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73895}
Rolling v8/build: 0006b44..2ae82a1
Rolling v8/third_party/aemu-linux-x64: SCU6888HuyC5TF12MrqnyC2eTRFiqzg1KUCITYThpxIC.._EJXYI9PIL6jmQi9nGYfsMiQZf2CFqi_hE7uUCqpScAC
Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/868d5d0..ab687ea
Rolling v8/third_party/depot_tools: 1cabb17..057831e
Rolling v8/tools/clang: 3b0c35b..6e92ef6
Rolling v8/tools/luci-go: git_revision:0f11e003d56071a19f4403570ebfdb8f197c2f87..git_revision:b1ba7603f4b71ab63a1df050e03137463309f348
TBR=v8-waterfall-sheriff@grotations.appspotmail.com
Change-Id: I7fc14996e10ac3d1e725af863ae6df9483bf6aa5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2819207
Reviewed-by: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Commit-Queue: v8-ci-autoroll-builder <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73889}
This command is broken, no testing and no clear demand for it.
Change-Id: Ic86ab346ab29a5d6804f74a3d4458bb3332a7718
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814131
Reviewed-by: Seth Brenith <seth.brenith@microsoft.com>
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#73888}
This removes the heap sandbox's dependency on being able to reconstruct
an Isolate from the pointer cage base address.
Bug: v8:11460
Change-Id: I501ace5b83a2cefdf717de0d7387fd816edfb3f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2783673
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73887}
This reverts commit 2b94e5677f.
Reason for revert: Speculative based on layout test failures on
win and mac which could block the roll:
https://ci.chromium.org/p/v8/builders/ci/V8%20Blink%20Win/5294
https://ci.chromium.org/p/v8/builders/ci/V8%20Blink%20Mac/4955
Original change's description:
> [inspector] Report [[Prototype]] as internal property.
>
> Previously the inspector was trying to add a special `__proto__`
> property to every JSObject, which looked and behaved like a real
> data property on the object. But this is confusing to developers
> since `__proto__` is not a real data property, but usually an
> accessor property on the `Object.prototype`.
>
> Additionally all other internal properties are reported using the
> [[Name]] notation, with the [[Prototype]] having been the strange
> outlier.
>
> Drive-by-cleanup: Use an ArrayList to collect the name/value pairs
> inside Runtime::GetInternalProperties(), which makes this function
> more readable and easier to add things.
>
> Bug: chromuium:1162229
> Fixed: chromium:1197019
> Screenshot: https://imgur.com/a/b7TZ32s.png
> Change-Id: Ic4c1e35e2e65f90619fcc12bf3a72806cadb0794
> Doc: http://doc/1Xetnc9s6r0yy4LnPbqeCwsnsOtBlvJsV4OCdXMZ1wCM
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2814565
> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73881}
Bug: chromuium:1162229
Change-Id: Ia893ad672eb370fa6fce7eddf2947bf8f6755831
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818386
Auto-Submit: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#73886}