Those sets are to be released on the main thread without concurrent
accesses. Making this explicit will give TSAN a chance to help us once
the surrounding code changes.

Bug: 
Change-Id: Ia73754caafbeec385d4c922fb8140e3e64f7378c
Reviewed-on: https://chromium-review.googlesource.com/541375Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46025}

These are no longer being used.

BUG=v8:6408

Review-Url: https://codereview.chromium.org/2944013002
Cr-Commit-Position: refs/heads/master@{#46024}

This reverts commit 1835b4b1.

Reason for revert: This has a perf regression, wasn't ready just yet.

Original change's description:
> Revert "Revert "[wasm] Throttle the amount of unfinished work to avoid OOM""
> 
> This reverts commit 4ee49181.
> 
> Reason for revert: Fix: in d8, blocking all the bg threads starves the GC.
> 
> Original change's description:
> > Revert "[wasm] Throttle the amount of unfinished work to avoid OOM"
> > 
> > This reverts commit 1280954d.
> > 
> > Reason for revert: Speculative, GC stress bots started taking much longer after this change.
> > 
> > Original change's description:
> > > [wasm] Throttle the amount of unfinished work to avoid OOM
> > > 
> > > It is possible that the foreground task is unable to clear the
> > > scheduled unfinished work, eventually leading to an OOM.
> > > 
> > > We use either code_range on 64 bit, or the capacity of the code space,
> > > as a heuristic for how much memory to use for compilation.
> > > 
> > > Bug: v8:6492, chromium:732010
> > > Change-Id: I1e4c0825351a42fa0b8369ccc41800ac3445563d
> > > Reviewed-on: https://chromium-review.googlesource.com/535017
> > > Commit-Queue: Brad Nelson <bradnelson@chromium.org>
> > > Reviewed-by: Brad Nelson <bradnelson@chromium.org>
> > > Cr-Commit-Position: refs/heads/master@{#46017}
> > 
> > TBR=bradnelson@chromium.org,mtrofin@chromium.org,ahaas@chromium.org
> > 
> > Change-Id: I8883cee7f77667530bc50f91bfb468c485e6f7f2
> > No-Presubmit: true
> > No-Tree-Checks: true
> > No-Try: true
> > Bug: v8:6492, chromium:732010
> > Reviewed-on: https://chromium-review.googlesource.com/540270
> > Reviewed-by: Bill Budge <bbudge@chromium.org>
> > Commit-Queue: Bill Budge <bbudge@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#46020}
> 
> TBR=bradnelson@chromium.org,bbudge@chromium.org,mtrofin@chromium.org,ahaas@chromium.org
> 
> Change-Id: I1e7a1d0202c3161f9a7139e8895eebf472473ad3
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: v8:6492, chromium:732010
> Reviewed-on: https://chromium-review.googlesource.com/540841
> Reviewed-by: Brad Nelson <bradnelson@chromium.org>
> Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> Commit-Queue: Brad Nelson <bradnelson@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46022}

TBR=bradnelson@chromium.org,bbudge@chromium.org,mtrofin@chromium.org,mtrofin@google.com,ahaas@chromium.org

Change-Id: Ic1351325173b233be3972ff3c159c035838fa963
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6492, chromium:732010
Reviewed-on: https://chromium-review.googlesource.com/540842Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46023}

This reverts commit 4ee49181.

Reason for revert: Fix: in d8, blocking all the bg threads starves the GC.

Original change's description:
> Revert "[wasm] Throttle the amount of unfinished work to avoid OOM"
> 
> This reverts commit 1280954d.
> 
> Reason for revert: Speculative, GC stress bots started taking much longer after this change.
> 
> Original change's description:
> > [wasm] Throttle the amount of unfinished work to avoid OOM
> > 
> > It is possible that the foreground task is unable to clear the
> > scheduled unfinished work, eventually leading to an OOM.
> > 
> > We use either code_range on 64 bit, or the capacity of the code space,
> > as a heuristic for how much memory to use for compilation.
> > 
> > Bug: v8:6492, chromium:732010
> > Change-Id: I1e4c0825351a42fa0b8369ccc41800ac3445563d
> > Reviewed-on: https://chromium-review.googlesource.com/535017
> > Commit-Queue: Brad Nelson <bradnelson@chromium.org>
> > Reviewed-by: Brad Nelson <bradnelson@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#46017}
> 
> TBR=bradnelson@chromium.org,mtrofin@chromium.org,ahaas@chromium.org
> 
> Change-Id: I8883cee7f77667530bc50f91bfb468c485e6f7f2
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: v8:6492, chromium:732010
> Reviewed-on: https://chromium-review.googlesource.com/540270
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46020}

TBR=bradnelson@chromium.org,bbudge@chromium.org,mtrofin@chromium.org,ahaas@chromium.org

Change-Id: I1e7a1d0202c3161f9a7139e8895eebf472473ad3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6492, chromium:732010
Reviewed-on: https://chromium-review.googlesource.com/540841Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46022}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/bf51d56..97e4bb9

Rolling v8/buildtools: https://chromium.googlesource.com/chromium/buildtools/+log/ee9c3a7..9a65473

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/57e600c..c2d7f3a

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I07f5b7705651eec34733919182793ee6981b067c
Reviewed-on: https://chromium-review.googlesource.com/541056Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46021}

This reverts commit 1280954d.

Reason for revert: Speculative, GC stress bots started taking much longer after this change.

Original change's description:
> [wasm] Throttle the amount of unfinished work to avoid OOM
> 
> It is possible that the foreground task is unable to clear the
> scheduled unfinished work, eventually leading to an OOM.
> 
> We use either code_range on 64 bit, or the capacity of the code space,
> as a heuristic for how much memory to use for compilation.
> 
> Bug: v8:6492, chromium:732010
> Change-Id: I1e4c0825351a42fa0b8369ccc41800ac3445563d
> Reviewed-on: https://chromium-review.googlesource.com/535017
> Commit-Queue: Brad Nelson <bradnelson@chromium.org>
> Reviewed-by: Brad Nelson <bradnelson@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46017}

TBR=bradnelson@chromium.org,mtrofin@chromium.org,ahaas@chromium.org

Change-Id: I8883cee7f77667530bc50f91bfb468c485e6f7f2
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6492, chromium:732010
Reviewed-on: https://chromium-review.googlesource.com/540270Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46020}

Adds a 'performance' test which tracks the number of expressions
which can be nested before the compiler runs out of stack space.
This isn't really a performance test, but is created as a js-perf-test
to enable regression tracking in the dashboards.

Change-Id: Iee0c00df53b38b083e2dde09676ac9b13e439461
Reviewed-on: https://chromium-review.googlesource.com/539419Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46019}

BUG: v8:6020
Change-Id: I7280827aa9a493677253cc2fbd42be8173b55b7a
Reviewed-on: https://chromium-review.googlesource.com/534956Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46018}

It is possible that the foreground task is unable to clear the
scheduled unfinished work, eventually leading to an OOM.

We use either code_range on 64 bit, or the capacity of the code space,
as a heuristic for how much memory to use for compilation.

Bug: v8:6492, chromium:732010
Change-Id: I1e4c0825351a42fa0b8369ccc41800ac3445563d
Reviewed-on: https://chromium-review.googlesource.com/535017
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46017}

 - Use correct prefixes for SIMD/Atomics ops
 - S128 LoadMem/StoreMem should not use 0xc0/0xc1 opcodes, these are now
 being used for sign extension
 - S128 LoadMem/StoreMem should use prefixed opcodes

BUG=v8:6020

Review-Url: https://codereview.chromium.org/2943773002
Cr-Commit-Position: refs/heads/master@{#46016}

This patch updates the error positition and the error msg.

Previously,

  → ./out.gn/x64.release/d8 test.js
  test.js:1: TypeError: undefined is not a function
  var [a] = {};
  ^
  TypeError: undefined is not a function
      at test.js:1:1


With this patch,

  → ./out.gn/x64.release/d8 test.js
  test.js:1: TypeError: [Symbol.iterator] is not a function
  var [a] = {};
            ^
  TypeError: [Symbol.iterator] is not a function
      at test.js:1:11

Bug: v8:5532
Change-Id: Ib066e8ec8a53fdf06cce491bde4b1d0c6d564cbc
Reviewed-on: https://chromium-review.googlesource.com/539024Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46015}

Merge OLD_TO_OLD and OLD_TO_NEW per page. This enables removing atomic
operations for the slot updates, effectively removing the need for
fences.

Bug: chromium:651354
Change-Id: I9e318bef06c403b135d638cf94fda9569dcf0e36
Reviewed-on: https://chromium-review.googlesource.com/539338
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46014}

For functions without any calls, there is no value in executing a stack
check. The current frame is materialized at that point anyway.
Note that for loops, we still emit additional stack checks in the loop
header.

For unity, the reduction in code size is moderate (0.53%), as only 4000
of the 34000 functions are leaf functions (no calls). However, we also
save some compile time and gain performance, so this is still worth
doing it.

Drive-by: Fix the effect chain generated in {StackCheck()}.

R=mstarzinger@chromium.org, ahaas@chromium.org

Change-Id: Ia6ec58d0ea46de02634c923cdf8e6e08d8902c59
Reviewed-on: https://chromium-review.googlesource.com/533333Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46013}

We only need to use this for certain Intrinsics defined in the spec.
This CL removes unnecessary uses.

Bug: v8:6474
Change-Id: I13a9f0c57d877dd65a883a38f9683d55623030d3
Reviewed-on: https://chromium-review.googlesource.com/529224
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46012}

This avoids emitting the costly barriers on arm.

Bug: chromium:651354
Change-Id: Ibb29e58f7c41aab37ed5c4971b2a754b4ecd7155
Reviewed-on: https://chromium-review.googlesource.com/533337
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46011}

Change-Id: If0f80ceac9582f5bd0f9177db67b2a833fa8c8cd
Reviewed-on: https://chromium-review.googlesource.com/539418Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46010}

R=rmcilroy@chromium.org
BUG=v8:6408

Change-Id: I724a14e4f3b9395eed5d56ec3b5f7be835e9390a
Reviewed-on: https://chromium-review.googlesource.com/539595Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46009}

Change-Id: I0aa40ce54833c81a15a6dd0010b2eeb46799a984
Reviewed-on: https://chromium-review.googlesource.com/539519Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46008}

Move obvious candidates to the cc file.

Bug: 
Change-Id: I9b2bca0ed1f2836a4873760d6677a9c0dff9c064
Reviewed-on: https://chromium-review.googlesource.com/538664Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46007}

Track execution counts of the continuations of block structures (e.g.
IfStatements) to capture cases in which execution does not continue after a
block. For example:

for (;;) {
  return;
}
// Never reached, tracked by continuation counter.

A continuation counter only has a start position; it's range is implicitly
until the next sibling range or the end of the parent range.

Bug: v8:6000
Change-Id: I8e8f1f5b140b64c86754b916e626eb50f0707d70
Reviewed-on: https://chromium-review.googlesource.com/530846
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46006}

If we pass in thin-string into a keyed load, the underlying internalized string is used to find the handler. However, the thin string itself was used to interpret the handler. Since the thin string itself isn't unique, this caused existing properties on the prototype chain to not be found in case of dictionary-mode prototypes.

Bug: chromium:731193
Change-Id: Ic98d3789ecf9175e17d9c898ab13231aad59efcc
Reviewed-on: https://chromium-review.googlesource.com/539596Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46005}

Bug: v8:6494
Change-Id: Ie6f91c3bad38e467dd047f4d2848473cc4085c2a
Reviewed-on: https://chromium-review.googlesource.com/536397
Commit-Queue: Loo Rong Jie <loorongjie@gmail.com>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46004}

It might happen that we deprecate the map of previous sub-literals if we create
literals with the same map several times. This is usually the case for
configuration arrays.

Bug: chromium:734051
Change-Id: I82284e5aae632286135b2092816d776d229c65af
Reviewed-on: https://chromium-review.googlesource.com/538665Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46003}

Bug: v8:6474
Change-Id: Ia20250d74c94bf2568ad044795188db583b7f36c
Reviewed-on: https://chromium-review.googlesource.com/539555Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46002}

Here we optimize Dsubu by instead of loading imm and subtracting, we
load -imm and perform addition when loading -imm takes less instructions
than loading imm. Similarily li is optimized by loading -imm and
performing addition or loading ~imm and inverting bits using nor when
one of these loads takes two instructions less than loading imm, saving
at least one instruction. Tests are adjusted to cover these
optimizations.

BUG=
TEST=cctest/test-assembler-mips/li_macro
     cctest/test-assembler-mips/Dsubu

Review-Url: https://codereview.chromium.org/2909913002
Cr-Commit-Position: refs/heads/master@{#46001}

Mechanical change to remove argument adaption (should be a tad faster
this way). Especially next is called without arguments in the common
case.

Bug: v8:6354, v8:6369
Change-Id: I4180caabfc4c1bbf1a10a881dcbcd41e03614b27
Reviewed-on: https://chromium-review.googlesource.com/535453
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46000}

Large allocations would fail due to the flag not being set.

Bug: chromium:732836
Change-Id: I31686e382386a2d08582c86b29dc8f89841040d1
Reviewed-on: https://chromium-review.googlesource.com/535563Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45999}

Minor differences in how we dispatch on the regexp type
(IRREGEXP,ATOM,NOT_COMPILED) make significant differences in benchmark
performance. A simple switch turns out to be the best alternative.

BUG=chromium:734035, v8:6462

Change-Id: I09c613658e828b9fd1e3082624ef692b8b4a0c5f
Reviewed-on: https://chromium-review.googlesource.com/539295Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45998}

For interpreted functions, use the optimized code slot in the feedback
vector to store an optimization marker (optimize/in optimization queue)
rather than changing the JSFunction's code object. Then, adapt the
self-healing mechanism to also dispatch based on this optimization
marker. Similarly, replace SFI marking with optimization marker checks
in CompileLazy.

This allows JSFunctions to share optimization information (replacing
shared function marking) without leaking this information across native
contexts. Non I+TF functions (asm.js or --no-turbo) use a
CheckOptimizationMarker shim which generalises the old
CompileOptimized/InOptimizationQueue builtins and also checks the same
optimization marker as CompileLazy and InterpreterEntryTrampoline.

This is a reland of https://chromium-review.googlesource.com/c/509716

Change-Id: I02b790544596562373da4c9c9f6afde5fb3bcffe
Reviewed-on: https://chromium-review.googlesource.com/535460Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45997}

R=neis@chromium.org

Change-Id: I23298e2c0adcfdc4e6e963e98cde641bef9cdb5b
Reviewed-on: https://chromium-review.googlesource.com/539296Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45996}

R=mvstanton@chromium.org
BUG=v8:6408

Change-Id: I228d276670a3540cdc593442ae79084b84a915d3
Reviewed-on: https://chromium-review.googlesource.com/538617Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45995}

Unify, simplify logic, reduce UTF8 specific handling.

Intend of this is also to have stream views.
Stream views can be used concurrently by multiple threads, but
only one thread may fetch new data from the underlying source.
This together with unified stream view creation is intended to be
used for parse tasks.

BUG=v8:6093

Change-Id: I83c6f1e6ad280c28da690da41c466dfcbb7915e6
Reviewed-on: https://chromium-review.googlesource.com/535474Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45994}

Toon suggested this as a mitigation to the problem of prototype fast mode switching invalidating prototype chain validity cell, and thus sending keyed store ICs to megamorphic state.

BUG=chromium:723479

Review-Url: https://codereview.chromium.org/2943313002
Cr-Commit-Position: refs/heads/master@{#45993}

This CL also reduces the minimum semi-space size to 512K.

BUG=chromium:716032
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_rel_ng

Review-Url: https://codereview.chromium.org/2942543002
Cr-Commit-Position: refs/heads/master@{#45992}

This removes both {BailoutId} as well as {TypeFeedbackId} numbers from
almost all AST nodes. The only exception are {IterationStatement} nodes
which still require an ID for on-stack replacement support.

R=verwaest@chromium.org
BUG=v8:6409

Change-Id: I5f7b7673ae5797b9cbc9741144d304f0d31d4446
Reviewed-on: https://chromium-review.googlesource.com/538792
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45991}

... in order to avoid creating an OsrHelper during code assembly,
because its constructor accesses the heap.

Bug: v8:6048
Change-Id: I3bf592a5a0f91752a9f5ec35982f962445512bb7
Reviewed-on: https://chromium-review.googlesource.com/530370
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45990}

We need to constant-fold JSHasInPrototypeChain nodes early during
inlining, otherwise we already miss a couple of optimization
opportunities if we wait until after typing. This moves the
constant-folding part of the JSHasInPrototypeChain lowering back to
JSNativeContextSpecialization, where it was before the changes in
https://codereview.chromium.org/2934893002 (part of
JSOrdinaryHasInstance lowering back then).

BUG=v8:5269,v8:5989,v8:6483,chromium:733158
R=jgruber@chromium.org

Review-Url: https://codereview.chromium.org/2943293002
Cr-Commit-Position: refs/heads/master@{#45989}

The heap verifier does certain invariant checks on JSBoundFunction
objects, i.e. it assumes that the bound_target_function is a proper
JSReceiver. The Deoptimizer cannot maintain this invariant, because it
first allocates the JSBoundFunction in an invalid state and only
afterwards fix up the state. But the GC (and thus the heap verifier)
can observe this invalid state why materializing field values, so
we need to relax the verification slightly.

BUG=chromium:729573,chromium:732176
R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2933283002
Cr-Commit-Position: refs/heads/master@{#45988}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/c6f78e9..bf51d56

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/59a182b..57e600c

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/a248bd9..7659b77

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: Ifc9e2d8d7e1f2a1b223ffa3b20d55b1880eb88e7
Reviewed-on: https://chromium-review.googlesource.com/538261Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45987}

Bug: v8:5717
Change-Id: I6bed5f36b7d32cd893c4d1cb1bcc9f21b7fac2f1
Reviewed-on: https://chromium-review.googlesource.com/527932
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45986}