The above intrinsic by now has to perform a check whether the prototype
of a derived constructor is actually a constructor function itself. This
is done as part of the {JSGetConstructorCall} operator. The intrinsic
should just reduce down to the operator to maintain correct semantics.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-696622
BUG=chromium:696622

Change-Id: Ia19c188f17ad16b12248db1f01a01b8d7258499b
Reviewed-on: https://chromium-review.googlesource.com/447716Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43479}

R=bmeurer@chromium.org

BUG=

Review-Url: https://codereview.chromium.org/2680973013
Cr-Original-Commit-Position: refs/heads/master@{#43163}
Committed: https://chromium.googlesource.com/v8/v8/+/f01c8a6e4b24ab38e58bb141fc251bc6b75dbe21
Review-Url: https://codereview.chromium.org/2680973013
Cr-Commit-Position: refs/heads/master@{#43478}

BUG=chromium:694088

Review-Url: https://codereview.chromium.org/2725593002
Cr-Commit-Position: refs/heads/master@{#43477}

The new NewUnmappedArgumentsElements node now takes two inputs:
- the frame holding the arguments (current frame or arguments adaptor frame)
- the length of the suffix of passed arguments to be copied into the backing store

These inputs are computed with two new node types:
ArgumentsFrame()
ArgumentsLength[formal_parameter_count,is_rest_length](Node* arguments_frame)
The node type NewRestParameterElements can now be expressed with NewUnmappedArgumentsElements and an appropriate length and is thus not needed anymore.

In escape analysis, we lower loads from the length field of NewUnmappedArgumentsElements with its length input and if we find out that no write access to the arguments elements exists, we replace element loads with direct stack access and replace the NewUnmappedArgumentsElements node with a node of the new node type ArgumentsElementsState. This corresponds to an ObjectState node and gets translated into a deoptimizer instruction to allocate the backing store. Together with the already existing deoptimizer support for the actual arguments object/rest parameters, this allows to remove all allocations for arguments objects/rest parameters in this case.
In the deoptimizer, we read the actual parameters from the stack while transforming the static deopt info into TranslatedValue objects.

If escape analysis cannot remove the backing store allocation, NewUnmappedArgumentsElements gets lo

BUG=v8:5726

Review-Url: https://codereview.chromium.org/2692753004
Cr-Commit-Position: refs/heads/master@{#43475}

R=bradnelson@chromium.org
TEST=mjsunit/wasm/asm-with-wasm-off
BUG=chromium:696655

Change-Id: I9375d8ac2f111009233dc480529fd0f0e00fe811
Reviewed-on: https://chromium-review.googlesource.com/447398Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43472}

perf regression. See crbug.com/695653 for more info.

Revert "[SAB] Move Atomics builtins to C++"

This reverts commit 2b9840d8.

Revert "[SAB] Remove unreachable Uint8Clamped atomics paths"

This reverts commit d1160fb1.

Revert "Remove tiny unit test for MinSimple/MaxSimple"

This reverts commit 837760ec.

Revert "Remove infrastructure for experimental JS natives"

This reverts commit 8cfe45b6.

BUG=695653
TBR=hablich@chromium.org

Review-Url: https://codereview.chromium.org/2715223003
Cr-Commit-Position: refs/heads/master@{#43462}

BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=694954

Change-Id: I07d7eeccca716028e1151db3df7ebee81d4a9ef2
Reviewed-on: https://chromium-review.googlesource.com/446707
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43460}

When an instance of a constructor goes dictionary mode, this changes the initial map
of that constructor to also be in dictionary mode. This avoids spurious hidden class
creation, that also results in IC misses.

BUG=

Change-Id: I0e70f822ac345d0224f2092ec473621a603d4cc5
Reviewed-on: https://chromium-review.googlesource.com/446361Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43452}

BUG=chromium:688734

Change-Id: If5dd370971cb02c4463fa20a489d0fa60b0423c4
Reviewed-on: https://chromium-review.googlesource.com/446845Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43451}

Compare function for std::sort should satisfy strict weak ordering
relation.

BUG=chromium:696251

Change-Id: I1c07e3bb1b012fd203bc059a21a75ae0fc61f5ac
Reviewed-on: https://chromium-review.googlesource.com/447036Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43446}

BUG=chromium:695416

Change-Id: Ied3a389d0dfb0132c798bc85e10f7b1fd4432eb4
Reviewed-on: https://chromium-review.googlesource.com/446343Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43435}

Introduce a new Object to allow GetIterator("async") to function when the
iterable does not have a Symbol.asyncIterator method.

This patch has been split out from https://codereview.chromium.org/2622833002/
and incorporates test cases.

BUG=v8:5855, v8:4483
R=jgruber@chromium.org, rmcilroy@chromium.org, neis@chromium.org
TBR=hpayer@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2645313003
Cr-Commit-Position: refs/heads/master@{#43419}

If the RHS is 0 and we have Smi feedback, speculate that the result (the LHS)
will continue to be in the Unsigned31 range.  This helps us avoid converting
the result to double when merging with Signed32.

R=jarin@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2709423002
Cr-Commit-Position: refs/heads/master@{#43415}

The source code of those functions is simple a ternary operator, and
the test seems to have been designed as a "regression" test for the
previous implementation (which used a macro, and thus evaluated its
arguments multiple times).

I don't think the test is worth the weight of supporting importing
JS natives from tests.

This patch removes the last test that depends on JS natives.

R=littledan@chromium.org

Review-Url: https://codereview.chromium.org/2711833002
Cr-Commit-Position: refs/heads/master@{#43394}

The test itself was for an issue that's handled statically since
https://codereview.chromium.org/1302313013 (we were missing some
instance types in a switch statement).

This leaves us with only a single test that depends on the JS
native import system.

R=littledan@chromium.org

Review-Url: https://codereview.chromium.org/2707133005
Cr-Commit-Position: refs/heads/master@{#43393}

This implements the proposal at
https://github.com/tc39/proposal-template-literal-revision
staged behind a flag --harmony-template-escapes. The proposal allows
invalid octal, unicode, and hexadecimal escape sequences to appear in
tagged template literals, instead of being a syntax error. These have
a 'cooked' value of 'undefined', but are still accessible through the
'raw' property.

BUG=v8:5546

Review-Url: https://codereview.chromium.org/2665513002
Cr-Commit-Position: refs/heads/master@{#43384}

R=mtrofin@chromium.org
BUG=chromium:575167,chromium:694657

Review-Url: https://codereview.chromium.org/2709753003
Cr-Original-Commit-Position: refs/heads/master@{#43368}
Committed: https://chromium.googlesource.com/v8/v8/+/c8329253ea345e06a923f7800f96f4ef59262997
Review-Url: https://codereview.chromium.org/2709753003
Cr-Commit-Position: refs/heads/master@{#43383}

This fixes a corner-case where the call reduction of the aforementioned
getter did not simulate the {ToObject} conversion of the receiver value
as required by the spec. This caused the wrong prototype to be constant
promoted (i.e. {null} instead of wrapper object prototype).

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-694709
BUG=chromium:694709

Change-Id: Idf3a37071949d9ddaf5ef43974570c06fd31c0c9
Reviewed-on: https://chromium-review.googlesource.com/445818Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43376}

Revert of [wasm] Remove support for experimental version 0xD. (patchset #3 id:40001 of https://codereview.chromium.org/2709753003/ )

Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/13730

Original issue's description:
> [wasm] Remove support for experimental version 0xD.
>
> R=mtrofin@chromium.org
> BUG=chromium:575167,chromium:694657
>
> Review-Url: https://codereview.chromium.org/2709753003
> Cr-Commit-Position: refs/heads/master@{#43368}
> Committed: https://chromium.googlesource.com/v8/v8/+/c8329253ea345e06a923f7800f96f4ef59262997

TBR=ahaas@chromium.org,mtrofin@chromium.org,titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:575167,chromium:694657

Review-Url: https://codereview.chromium.org/2706303004
Cr-Commit-Position: refs/heads/master@{#43373}

R=mtrofin@chromium.org
BUG=chromium:575167,chromium:694657

Review-Url: https://codereview.chromium.org/2709753003
Cr-Commit-Position: refs/heads/master@{#43368}

R=jgruber@chromium.org, kozyatinskiy@chromium.org, pfeldman@chromium.org
BUG=v8:5808

Review-Url: https://codereview.chromium.org/2700743002
Cr-Commit-Position: refs/heads/master@{#43363}

This is a speculative fix, but I believe it might work.

Idea is to keep `start_from` as a double while establishing an appropriate
index to begin iteration. This should keep -Infinity intact rather than
converting it to a positive high value, which would break the algorithm.
This is similar to what had been implemented on the fast path before it was
changed to send non-Smis to the slow path.

BUG=v8:5986
R=bmeurer@chromium.org, cbruni@chromium.org, machenbach@chromium.org, adamk@chromium.org

Change-Id: I9965fd2e75a8972f3f1c7a18e51bd580030a66ea
Reviewed-on: https://chromium-review.googlesource.com/445857
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43358}

The limit needs to be checked before casting the length to int in
ModuleWireBytes.

R=titzer@chromium.org
BUG=694433

Review-Url: https://codereview.chromium.org/2705233002
Cr-Commit-Position: refs/heads/master@{#43352}

This fixes a missing name check for keyed property loads targeting the
global object where the feedback was warmed up with a single name. This
affects {JSLoadProperty} nodes only, syntactic global property loads via
the {JSLoadGlobal} operator are not affected.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-694416
BUG=chromium:694416

Change-Id: I54aa3f27eaa72630539f02602ec7642b04835b27
Reviewed-on: https://chromium-review.googlesource.com/445224Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43344}

Two controls, one for instantiation and one for compilation. They allow
the embedder (e.g. Chrome) check properties of the parameters of those
two operations, and decide if they are allowed to continue.

For example, Chrome may now decline compilation of certain size buffers,
in synchronous cases; same for instantiation (where the buffer size
refers to the size of the buffer containing wasm wire bytes)

BUG=v8:5981

Review-Url: https://codereview.chromium.org/2699843003
Cr-Original-Commit-Position: refs/heads/master@{#43295}
Committed: https://chromium.googlesource.com/v8/v8/+/d9bc0ffb16e633d52d7bcfd547a6125f0e4dfb87
Review-Url: https://codereview.chromium.org/2699843003
Cr-Commit-Position: refs/heads/master@{#43336}

This patch refactors the Atomics builtins so that they are implemented
as C++ builtins rather than experimental JS builtins. Previously, each
of these functions called out to a runtime function, so no significant
change in performance is anticipated. The goal of this patch is to
remove the last user of experimental JS builtins so that the mechanism
can be removed, for performance reasons. The patch includes a drive-by
fix of a check-fail. For the most part, the patch is just moving code
without modification from runtime-atomics.cc to
builtins-sharedarraybuffer.cc .

BUG=v8:5880

Review-Url: https://codereview.chromium.org/2698813004
Cr-Commit-Position: refs/heads/master@{#43335}

qNaN and sNaN values have different binary representation on MIPS
compared to ARM/x86 architectures. We are skipping these tests because
we can't provide specific NaNs encodings from ARM/x86 architectures.

BUG=

Review-Url: https://codereview.chromium.org/2702213003
Cr-Commit-Position: refs/heads/master@{#43327}

Take runtime path if startIndex parameter requires a ToInteger() call,
which can modify the elements kind of the receiver.

This removes a stub call from the builtin, and simplifies code slightly.

BUG=v8:5986
R=bmeurer@chromium.org, cbruni@chromium.org

Change-Id: Id238a81ab8ba28621858004b34d00a4356b8037f
Reviewed-on: https://chromium-review.googlesource.com/445006Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#43323}

info.This returns a Local<Object>, which results in a call to
Utils::OpenHandle<JSReceiver>.  Casting to a Local<Value> first uses the
correct OpenHandle<Object> overload.

BUG=chromium:693500

Review-Url: https://codereview.chromium.org/2706833002
Cr-Commit-Position: refs/heads/master@{#43314}

The constant field tracking is still disabled.

BUG=v8:5495

Change-Id: I543fe50b82e2255bbf200ea785ec53e3623e30cb
Reviewed-on: https://chromium-review.googlesource.com/440924
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43304}

Revert of [wasm] Embedder can control what buffers wasm compilation works on. (patchset #3 id:60001 of https://codereview.chromium.org/2699843003/ )

Reason for revert:
Introduces a new test failure/flake: https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/16427

Original issue's description:
> [wasm] Embedder can control what buffers wasm compilation works on.
>
> Two controls, one for instantiation and one for compilation. They allow
> the embedder (e.g. Chrome) check properties of the parameters of those
> two operations, and decide if they are allowed to continue.
>
> For example, Chrome may now decline compilation of certain size buffers,
> in synchronous cases; same for instantiation (where the buffer size
> refers to the size of the buffer containing wasm wire bytes)
>
> BUG=v8:5981
>
> Review-Url: https://codereview.chromium.org/2699843003
> Cr-Commit-Position: refs/heads/master@{#43295}
> Committed: https://chromium.googlesource.com/v8/v8/+/d9bc0ffb16e633d52d7bcfd547a6125f0e4dfb87

TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5981

Review-Url: https://codereview.chromium.org/2701413002
Cr-Commit-Position: refs/heads/master@{#43303}

The bytecode generator did not necessarily know for which scope, and
thus language mode, it was generating code, because it only tracked
scopes that have a context.  This led to wrong behavior in some
examples involving class expressions (which are always in strict
mode).

With this CL, the bytecode generator explicitly tracks the current
scope, independent of whether it has a context.

BUG=v8:5927

Change-Id: Ifa6b3ee5e13e07b63d00e74c7f557a328633c88b
Reviewed-on: https://chromium-review.googlesource.com/444785
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43300}

Currently, typeof o, where o is an undetectable
callable object (such as document.all), returns 'function' if
optimised. It should, however, return 'undefined'.

This CL excludes undetectable objects from the optimization
resulting in type 'function' and renames the related code to
reflect that.

BUG=v8:5972
R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2697063002
Cr-Commit-Position: refs/heads/master@{#43298}

Two controls, one for instantiation and one for compilation. They allow
the embedder (e.g. Chrome) check properties of the parameters of those
two operations, and decide if they are allowed to continue.

For example, Chrome may now decline compilation of certain size buffers,
in synchronous cases; same for instantiation (where the buffer size
refers to the size of the buffer containing wasm wire bytes)

BUG=v8:5981

Review-Url: https://codereview.chromium.org/2699843003
Cr-Commit-Position: refs/heads/master@{#43295}

Adds five new TF builtins for the spec defined functions/closures. This follows
mechanism similar to promise resolving functions approach where we store the
closure variables in a custom context.

Adds a new --harmony-promise-finally flag.

BUG=v8:5967

Review-Url: https://codereview.chromium.org/2695753002
Cr-Commit-Position: refs/heads/master@{#43294}

BUG=v8:5906
R=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2697723004
Cr-Commit-Position: refs/heads/master@{#43292}

BUG=691323

Change-Id: I84f2c90355982567c421639e115745eadd5fcb21
Reviewed-on: https://chromium-review.googlesource.com/441964Reviewed-by: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43279}

For functions declared in source code, the .toString() representation
will be an excerpt of the source code.
* For functions declared with the "function" keyword, the excerpt
  starts at the "function" or "async" keyword and ends at the final "}".
  The previous behavior would start the excerpt at the "(" of the
  parameter list, and prepend a canonical `"function " + name` or
  similar, which would discard comments and formatting surrounding the
  function's name. Anonymous functions declared as function expressions
  no longer get the name "anonymous" in their toString representation.
* For methods, the excerpt starts at the "get", "set", "*" (for
  generator methods), or property name, whichever comes first.
  Previously, the toString representation for methods would use a
  canonical prefix before the "(" of the parameter list. Note that any
  "static" keyword is omitted.
* For arrow functions and class declarations, the excerpt is unchanged.

For functions created with the Function, GeneratorFunction, or
AsyncFunction constructors:
* The string separating the parameter text and body text is now
  "\n) {\n", where previously it was "\n/*``*/) {\n" or ") {\n".
* At one point, newline normalization was required by the spec here,
  but that was removed from the spec, and so this CL does not do it.

Included in this CL is a fix for CreateDynamicFunction parsing. ')'
and '`' characters in the parameter string are no longer disallowed,
and Function("a=function(", "}){") is no longer allowed.

BUG=v8:4958, v8:4230

Review-Url: https://codereview.chromium.org/2156303002
Cr-Commit-Position: refs/heads/master@{#43262}

Errors are swallowed by promises, so just exit with stack trace.

Review-Url: https://codereview.chromium.org/2693383004
Cr-Commit-Position: refs/heads/master@{#43254}

This is a workaround for the fact that %SetCode can "lose" the script for a js native. If the js native is re-initialized (for a Realm or something), then the source SharedFunctionInfo won't have a script anymore. Nonetheless, we may want to optimize the function. If we've compiled bytecode, then we can compile optimized code without a script.

Here, we carve out a special exception for this case, so that we can turn on the --mark-shared-functions-for-tier-up.

BUG=v8:5946
R=leszeks@chromium.org

Review-Url: https://codereview.chromium.org/2684033007
Cr-Original-Commit-Position: refs/heads/master@{#43240}
Committed: https://chromium.googlesource.com/v8/v8/+/4123a3dd790495c40cf839990318a85c146e057d
Review-Url: https://codereview.chromium.org/2684033007
Cr-Commit-Position: refs/heads/master@{#43252}