Implement Push and Load CallerFrameSlot instructions.
Also, fix some issues that was revealed after these changes.

Bug: v8:6600
Change-Id: I658c26b0dcec489e7e549d4f1fbd4ccd89a6ea99
Reviewed-on: https://chromium-review.googlesource.com/964001Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#51942}

R=titzer@chromium.org

Change-Id: I9c947440e4e92ff7176d8dc2f334182c524898f9
Reviewed-on: https://chromium-review.googlesource.com/962451
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51941}

This test creates a BigInt object with size more then 250 MB. On certain
test systems, this large memory consumption will cause the test failing.
Therefore, this test will be skipped for MIPS32 architecture.

TEST=mjsunit/harmony/bigint/regressions
BUG=

Change-Id: I21bf86c3e6058818c6db3ed8970c0f1e3873e0a6
Reviewed-on: https://chromium-review.googlesource.com/962381
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#51940}

Previously install-sysroot.py relied on gyp. This should be fixed now.
This way, tools/node/fetch_deps.py can also be used to fetch
dependencies when building V8 to run V8 tests from a Node.js checkout.

R=machenbach@chromium.org

Change-Id: Ic4ee425d6ae744c32f604d14fbfdb0554a00c486
Reviewed-on: https://chromium-review.googlesource.com/962421
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51939}

Now, 'queryObjects' takes an optional 'objectGroup' argument,
allowing the frontend to release the response value.

This is important because each call produces a new Array, which
could not be released before.

Bug: chromium:815263
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I18c9a68c4ba45020fce9eea63cb263396a18d498
Reviewed-on: https://chromium-review.googlesource.com/935153
Commit-Queue: Erik Luo <luoe@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51938}

- Update CodeSpecialization::RelocateDirectCalls and ApplyToWholeInstance to take a native module instead
- Use CodeSpecialization on NativeModule::LinkAll

Bug: v8:7539
Change-Id: I71ceb3114e8a0fca71dfa32f0721ef5fb4485eb4
Reviewed-on: https://chromium-review.googlesource.com/959592
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51937}

Annotate global handle with label to identify the context held alive for
debugging in DevTools

Bug: chromium:811842
Change-Id: I24f08b4d01939421ba1b7ec7b03982f00ebbdd1a
Reviewed-on: https://chromium-review.googlesource.com/962788Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51936}

TBR=machenbach@chromium.org

BUG=chromium:815092

Change-Id: Ib49dc50e41f0a7ec26d974b3d9d302003230f6e4
Reviewed-on: https://chromium-review.googlesource.com/962993Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51935}

TBR=sergiyb@chromium.org

No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:821689
Change-Id: Ia4010368738791ded4f0b27ef28d54ca3961e165
Reviewed-on: https://chromium-review.googlesource.com/962790
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51934}

- Add a new bytecode for the ToString operation, replacing the old
intrinsic call (currently does not collect type feedback).
- Add a new AST node to represent TemplateLiterals, and avoid
generating unnecessary ToString operations in some simple cases.
- Use a single feedback slot for each string addition, because the
type feedback should always be the same for each addition

This seems to produce a very slight improvement on JSTests benchmarks
and bench-ruben.js from v8:7415, and it's possible that type feedback
for the ToString bytecode could provide more opportunities to eliminate
the runtime call in TurboFan.

Doesn't touch tagged templates

[esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral

Fixes an error where TemplateLiteral printing in --print-ast
would try to read an element beyond the length of a vector.

BUG=v8:7415, chromium:820596
R=adamk@chromium.org, gsathya@chromum.org, rmcilroy@chromium.org, ishell@chromium.org, bmeurer@chromium.org

Change-Id: Ie56894f73a6445550a5f95f42160c4e29ab1da42
Reviewed-on: https://chromium-review.googlesource.com/958408Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#51933}

This CL is preparation for moving the contents of the WasmContext
directly into the WasmInstanceObject. The moved fields are all untagged
pointers to C++ memory or untagged sizes which will be used in
generated machine code for WASM. They are not currently used, but
they are all set to kHeapObjectTag to make sure they are not
interpreted as tagged by the GC, using a custom object descriptor.

R=mstarzinger@chromium.org
CC=clemensh@chromium.org

Bug: v8:7424
Change-Id: Ie5d5161df32564dcac74c6ff659f1a38ddca3cb0
Reviewed-on: https://chromium-review.googlesource.com/961065
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51932}

TBR=sergiyb@chromium.org

No-Try: true
No-Presubmit: true
Bug: chromium:821689
Change-Id: Ia5c13fb9d22a5695025434f3e48821469a79a0a3
Reviewed-on: https://chromium-review.googlesource.com/963021
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51931}

This adds support for i32.wrap/i64, i64.extend_s/i32, and
i64.extend_u/i32.

R=titzer@chromium.org

Bug: v8:6600
Change-Id: Iaeac1d24a53d044151cb244fffe3eab04314d908
Reviewed-on: https://chromium-review.googlesource.com/962281
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51930}

Now that Array.from() always calls the runtime to set the length if it's
not equal to the current length, don't actually set it on the fast path
since it's unobservable and doesn't change anything.

Also remove check for the array being writable since it's no longer
needed.

Change-Id: I0928d80b445807912fd925f7957c9a76385fc6bc
Reviewed-on: https://chromium-review.googlesource.com/961403Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51929}

R=titzer@chromium.org
BUG=v8:7549

Change-Id: Ie77a22f0a6204d673d130be45ca20d5986cddd88
Reviewed-on: https://chromium-review.googlesource.com/962423
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51928}

R=titzer@chromium.org
BUG=v8:7549

Change-Id: Ibae3ea41306ae89ee5caaa6ab2fdec6f08f2040c
Reviewed-on: https://chromium-review.googlesource.com/962361Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51927}

This removes the relocation mode and code specialization for table
sizes. These are now stored in the context and not inlined into code.

Bug: v8:7549, v8:7424

R=mstarzinger@chromium.org

Change-Id: I4cec78fdd365cd0c1dab9f5f4b40ffb69f540bda
Reviewed-on: https://chromium-review.googlesource.com/962221
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51926}

R=clemensh@chromium.org
BUG=v8:7549

Change-Id: Ied73ba2c146441c87c5ada65285037b68a83abe1
Reviewed-on: https://chromium-review.googlesource.com/962026Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51925}

This is a partial revert of e583fc83.
The reasoning here is that the treatment of SpeculativeToNumber[hint]
was not consistent (which led to the original bug that caused the
performance regression): The semantics of the operator is that it turns
its input into a number, and might bailout if the input is too complex
to accomplish that within optimized code. It can use the hint to handle
even fewer cases without the risk of a deoptimization loop. However it
cannot rely on the hint influencing the output, especially not before
SimplifiedLowering ran. The code for the OOB element access however
relied on the hint being enforced, which caused the original bug.

This CL repairs that and instead uses CheckSmi for the OOB element
access guard.

Also-By: tebbi@chromium.org
Bug: chromium:819298, chromium:820729
Change-Id: I9b2170ccf9b5561d698c0108e93e538cac1e708c
Reviewed-on: https://chromium-review.googlesource.com/961066Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51924}

R=clemensh@chromium.org
BUG=v8:7549

Change-Id: Ie2d9d9b569b46396e78b3a6c39fe7e36b6090608
Reviewed-on: https://chromium-review.googlesource.com/962247Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51923}

SafeStackFrameIterator used to skip over wasm frames, thus hiding them
for example in the Chrome profiler.

Change-Id: I81b1d73ab0b4fb1886f3300083a9550dc0f55525
Reviewed-on: https://chromium-review.googlesource.com/955697Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51922}

In case of Node.js (and Electron) we are guaranteed to always have only
off-heap typed arrays, indicated by V8_TYPED_ARRAY_MAX_SIZE_IN_HEAP
being 0. So we can leverage this fact in TurboFan to generate more
efficient code, avoiding the offset computation.

Bug: v8:7253
Change-Id: I97db0dfec21c594ff8be0f1d405e828c7ae38c33
Reviewed-on: https://chromium-review.googlesource.com/962243Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51921}

This adds support for i32.reinterpret/f32, i64.reinterpret/f64,
f32.reinterpret/i32, and f64.reinterpret/i64.
On x64, all operations are straight-forward. On ia32, conversions from
or to i64 are done via the stack.

R=titzer@chromium.org

Bug: v8:6600
Change-Id: If5562caf7367726904c6e405ad4fc5436d21144e
Reviewed-on: https://chromium-review.googlesource.com/962224Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51920}

Always use the runtime to set the length on an array if it doesn't match
the expected length after populating it using Array.from.

Bug: chromium:821137
Change-Id: I5a730db58de61ba789040e6dfc815d6067fbae64
Reviewed-on: https://chromium-review.googlesource.com/962222Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51919}

Previously the error was "undefined is not a function". Now it is
"1 is not iterable".

Bug: v8:6522
Change-Id: If338ddefca78fd6a10cc12b26f0dec632900f32b
Reviewed-on: https://chromium-review.googlesource.com/959728
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51918}

R=machenbach@chromium.org, sigurds@chromium.org

Bug: v8:7551
Change-Id: If7aca6477acc86eddd2ca7d96a8b222dca9298c2
Reviewed-on: https://chromium-review.googlesource.com/960662Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51917}

During a C call, a previous value of the stack pointer is stored in a
platform specific callee saved register. Loading the out argument of the
C call might overwrite the value in that register, if the destination
register collides with the platform specific register. Hence, do first
use that register to restore the previous stack pointer, and only then
load the out argument.
Similarly, when pushing arguments to the stack, do first push all
values and then set the platform specific register in order to avoid
overwriting an argument value held in that register.

Drive-by: Fix offset computations for parameters pushed to the stack
for c calls.

R=titzer@chromium.org

Bug: chromium:820802,chromium:820896,chromium:820807,v8:6600
Change-Id: If4567467b7912454f0bd2cad5927233c98894b03
Reviewed-on: https://chromium-review.googlesource.com/959064Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51916}

Since f32 and f64 constants are loaded into registers right away, we
never need to spill them as constants later.

R=titzer@chromium.org

Bug: v8:6600
Change-Id: I7da91bb995e5127b0a9cb1a12a0fcd6566ed98ff
Reviewed-on: https://chromium-review.googlesource.com/960943Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51915}

This reverts commit 98dec8f2.

Reason for revert: Speculative revert as win32/64 debug seems to
hang after this:
https://build.chromium.org/p/client.v8/builders/V8%20Win32%20-%20debug/builds/13691

Original change's description:
> [inspector] added Runtime.terminateExecution
> 
> Runtime.terminateExecution terminates current or next JavaScript
> call. Termination flag is automatically reset as soon as v8 call
> or microtasks are completed.
> 
> R=​pfeldman@chromium.org
> 
> Bug: chromium:820640
> Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
> Change-Id: Ie21c123be3a61fe25cf6e04c38a8b6c664622ed7
> Reviewed-on: https://chromium-review.googlesource.com/957386
> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51912}

TBR=dgozman@chromium.org,pfeldman@chromium.org,kozyatinskiy@chromium.org

Change-Id: I25258ca5e9a2c2c514f0834da0ef0f5e75421d52
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:820640
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/962002Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51914}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/cd1fe2b..95a628b

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/548a5bc..7b53f08

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I863f435f975b1323a2b8c1ce19b4dd9bd317a68d
Reviewed-on: https://chromium-review.googlesource.com/961810
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51913}

Runtime.terminateExecution terminates current or next JavaScript
call. Termination flag is automatically reset as soon as v8 call
or microtasks are completed.

R=pfeldman@chromium.org

Bug: chromium:820640
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ie21c123be3a61fe25cf6e04c38a8b6c664622ed7
Reviewed-on: https://chromium-review.googlesource.com/957386
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51912}

While deserializing a BigInt with the --harmony-bigint flag off is
harmless in itself, trying to wrap one as an Object (either during
deserialization of a JSValue or later from user code) requires the
BigInt constructor to be available. Since there's no strong reason
to support deserialization of BigInts without the flag, this patch
simply disallows it, which fixes the problem.

Bug: chromium:820819
Change-Id: I024a4f13715bbe95ee8eb6e1710e8f47ca227644
Reviewed-on: https://chromium-review.googlesource.com/959802Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51911}

Bug: chromium:819298, chromium:820729
Change-Id: I3a1bccfe889ca409085396e2e1c4ae991093d0ea
Reviewed-on: https://chromium-review.googlesource.com/960321
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51910}

Function names are optional in wasm and might not be present for most
functions. Instead of storing an empty name with each function, this
change loads names, if present, on first access of the name.

This also fixes an inconsistency with streaming compilation. Under
streaming compilation, functions are compiled before parsing the name
section. Hence, they always received an empty name. With this change,
assignment of names is typically deferred until the whole module was
parsed.

Bug: chromium:820291
Change-Id: I86d76aa40b7c45897d152725547795c8b6b9b9ba
Reviewed-on: https://chromium-review.googlesource.com/955647
Commit-Queue: Stephan Herhut <herhut@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51909}

Change-Id: I6504174103af71cba65a078d1918cddd748c6067
Reviewed-on: https://chromium-review.googlesource.com/934283Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#51908}

This can protect against refactoring bugs when adding fields to an
aggregate-initialized struct.

Change-Id: Id2e9824a1adb8bf5dbdc3775dc59ee9f18c43412
Reviewed-on: https://chromium-review.googlesource.com/960324
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51907}

R=clemensh@chromium.org
BUG=v8:7549

Change-Id: I2d3d063d9e34e8a0fd6e1f760a7d8ec9f4692789
Reviewed-on: https://chromium-review.googlesource.com/960025Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51906}

This CL removes String.fromCharCode from comparisons and uses
a WordEqual on char codes if possible.

Bug: v8:7531
Change-Id: Idb3529d4709df3976bf92f3ddb51f81de54c7465
Reviewed-on: https://chromium-review.googlesource.com/960082
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51905}

This allows to enable -Wmissing-field-initializers in a future CL.

Change-Id: I67ac828be97bf4f283e97486981adebaf8e4ebf9
Reviewed-on: https://chromium-review.googlesource.com/957731
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51904}

BuildHoleCheckAndThrow in the bytecode graph builder did not
insert a loop exit; this defeated loop peeling, so we missed
out on performance. This CL inserts the LoopExit in that place,
and inserts two TODOs at places where additional loop exits might
be needed.

Bug: v8:7099
Change-Id: I08c08103cf125d505e37d3aa29a79aaff63a2d61
Reviewed-on: https://chromium-review.googlesource.com/960123Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51903}