If an accessor property is non-configurable, one should not be able
to re-declare it as a function. This specifically applies to special properties like window.location.

BUG=chromium:670596

Review-Url: https://codereview.chromium.org/2582493002
Cr-Commit-Position: refs/heads/master@{#41725}

Similar to object grouping, we cannot trace through blink (and back to V8) after
making weak roots strong because phantom callbacks have already been scheduled
and the handles been zapped.

This is a short-term solution (mimicing what object grouping currently does). It
is not correct in general because we should fully process the subgraph that was
discovered by making some of the weak roots strong.  In long term we need  a
separate handle type on the API level for traced references that have their
handles zapped at a different stage.

Reproduction:
- Initial marking is done, i.e., both marking deques are empty.
- We make weak roots needed for regular finalizers strong.
- We collect phantom callback data and zap handles that are not reachable so far.
- Through new roots we discover wrappables on the blink side that would also keep
  objects that were already scheduled for phantom callbacks alive.
- Since the handle was already zapped we crash during dereferencing.

BUG=chromium:668060,chromium:468240

Review-Url: https://codereview.chromium.org/2580813002
Cr-Commit-Position: refs/heads/master@{#41724}

If the eval contains a let, we need to know whether an inner function
refers to the variable to be able to decide its context allocation
status.

The added test needs https://codereview.chromium.org/2435023002/ too
in order to pass.

BUG=v8:5736

Review-Url: https://codereview.chromium.org/2574753002
Cr-Commit-Position: refs/heads/master@{#41723}

BUG=

Review-Url: https://codereview.chromium.org/2580533002
Cr-Commit-Position: refs/heads/master@{#41722}

The error reported by the graph verifier looks like:

#
# Fatal error in ../src/compiler/machine-graph-verifier.cc, line 638
# TypeError: node #54:ChangeInt32ToInt64 uses node #53:ChangeUint32ToUint64 which doesn't have an int32-compatible representation.
#
# Specify option --csa-trap-on-node=test,54 for debugging.
#

BUG=

Review-Url: https://codereview.chromium.org/2574353002
Cr-Commit-Position: refs/heads/master@{#41721}

Some instructions in WebAssembly trap for some inputs, which means that the
execution is terminated and (at least at the moment) a JavaScript exception is
thrown. Examples for traps are out-of-bounds memory accesses, or integer
divisions by zero.

Without the TrapIf and TrapUnless operators trap check in WebAssembly introduces 5
TurboFan nodes (branch, if_true, if_false, trap-reason constant, trap-position
constant), in addition to the trap condition itself. Additionally, each
WebAssembly function has four TurboFan nodes (merge, effect_phi, 2 phis) whose
number of inputs is linear to the number of trap checks in the function.
Especially for functions with high numbers of trap checks we observe a
significant slowdown in compilation time, down to 0.22 MiB/s in the sqlite
benchmark instead of the average of 3 MiB/s in other benchmarks. By introducing
a TrapIf common operator only a single node is necessary per trap check, in
addition to the trap condition. Also the nodes which are shared between trap
checks (merge, effect_phi, 2 phis) would disappear. First measurements suggest a
speedup of 30-50% on average.

This CL only implements TrapIf and TrapUnless on x64. The implementation is also
hidden behind the --wasm-trap-if flag.

Please take a special look at how the source position is transfered from the
instruction selector to the code generator, and at the context that is used for
the runtime call.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2562393002
Cr-Commit-Position: refs/heads/master@{#41720}

Adds assignment tracking to the bytecode analysis pass, and updates
bytecode graph builder to only create LoopExitValues for assigned
values.

Review-Url: https://codereview.chromium.org/2558093005
Cr-Commit-Position: refs/heads/master@{#41719}

Review-Url: https://codereview.chromium.org/2579743002
Cr-Commit-Position: refs/heads/master@{#41718}

MIPS[64]R6 supports only fusion multiply-accumulate instructions, and using
these causes failures of several tests that expect exact floating-point
results. Therefore we disable fusion multiply-accumulate in both emitted and
compiled code on R6.

TEST=cctest/test-run-machops/RunFloat64MulAndFloat64Add1,mjsunit/es6/math-expm1.js
mjsunit/es6/math-fround.js,mjsunit/compiler/multiply-add.js

BUG=

Review-Url: https://codereview.chromium.org/2569683002
Cr-Commit-Position: refs/heads/master@{#41717}

This splits branch ref creation and landing. The ref now directly uses
heads (without pending) and for landing we use depot_tools.

For simplicity, the check for existing tags is removed, as it now
is very unlikely to happen again without gnumbd.

BUG=chromium:674448
NOTRY=true
TBR=tandrii@chromium.org

Review-Url: https://codereview.chromium.org/2584523002
Cr-Commit-Position: refs/heads/master@{#41716}

[stubs] Enable machine graph verification for CodeStubAssembler and friends by default in debug mode.

BUG=

Review-Url: https://codereview.chromium.org/2570213002
Cr-Commit-Position: refs/heads/master@{#41715}

Allocate the registers used as arguments to a call on-demand after visiting the
argument (or reciever). This means that the visited expression can use registers
that would otherwise have been allocated for arguments which haven't been
visited yet.

The reason for doing this is to avoid keeping things live in registers
unecessarily for chained function calls, which avoids a memory leak for
functions which chain a large number of calls with large temporary arguments /
recievers.

BUG=chromium:672027

Review-Url: https://codereview.chromium.org/2557173004
Cr-Commit-Position: refs/heads/master@{#41714}

This fixes a corner case where the {FastCloneShallowArrayStub} was used
for literals that are backed by a double backing store and would exceed
limits for new-space allocations on 32-bit architectures. The stub in
question does not support such literals, callers must use the runtime.
Note that this fix is for Ignition as well as FullCodeGenerator.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-672792
BUG=chromium:672792

Review-Url: https://codereview.chromium.org/2570843002
Cr-Commit-Position: refs/heads/master@{#41713}

Reland of Whitespace change to test gnumbd shutdown - CQ (patchset #1 id:1 of https://codereview.chromium.org/2583443002/ )

Reason for revert:
Test reland

Original issue's description:
> Revert of Whitespace change to test gnumbd shutdown - CQ (patchset #1 id:1 of https://codereview.chromium.org/2579733002/ )
>
> Reason for revert:
> Test revert
>
> Original issue's description:
> > Whitespace change to test gnumbd shutdown - CQ
> >
> > BUG=chromium:674448
> > NOTRY=true
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > TBR=tandrii@chromium.org
> >
> > Review-Url: https://codereview.chromium.org/2579733002
> > Cr-Commit-Position: refs/heads/master@{#41710}
> > Committed: https://chromium.googlesource.com/v8/v8/+/47f8979d12543f814eddad990544447d4f95053c
>
> TBR=tandrii@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:674448
>
> Review-Url: https://codereview.chromium.org/2583443002
> Cr-Commit-Position: refs/heads/master@{#41711}
> Committed: https://chromium.googlesource.com/v8/v8/+/4619fbe42a91de67abe4f794cf67274035776d84

TBR=tandrii@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:674448

Review-Url: https://codereview.chromium.org/2580623003
Cr-Commit-Position: refs/heads/master@{#41712}

Revert of Whitespace change to test gnumbd shutdown - CQ (patchset #1 id:1 of https://codereview.chromium.org/2579733002/ )

Reason for revert:
Test revert

Original issue's description:
> Whitespace change to test gnumbd shutdown - CQ
>
> BUG=chromium:674448
> NOTRY=true
> NOPRESUBMIT=true
> NOTREECHECKS=true
> TBR=tandrii@chromium.org
>
> Review-Url: https://codereview.chromium.org/2579733002
> Cr-Commit-Position: refs/heads/master@{#41710}
> Committed: https://chromium.googlesource.com/v8/v8/+/47f8979d12543f814eddad990544447d4f95053c

TBR=tandrii@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:674448

Review-Url: https://codereview.chromium.org/2583443002
Cr-Commit-Position: refs/heads/master@{#41711}

BUG=chromium:674448
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=tandrii@chromium.org

Review-Url: https://codereview.chromium.org/2579733002
Cr-Commit-Position: refs/heads/master@{#41710}

BUG=chromium:674448
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=tandrii@chromium.org

Review-Url: https://codereview.chromium.org/2580743004 .
Cr-Commit-Position: refs/heads/master@{#41709}

Cr-Commit-Position: refs/heads/master@{#41708}

TBR=machenbach@chromium.org
NOTRY=True
NOPERSUBMIT=True
BUG=chromium:674448

Review-Url: https://codereview.chromium.org/2582443003
Cr-Commit-Position: refs/heads/master@{#41707}

Templatizes the AccumulatorUsage and OperandType for BytecodeNode creation and
BytecodeRegisterOptimizer::PrepareForBytecode. This allows the compiler to
statically know whether the bytecode being created accesses the accumulator
and what operand types need scaling, avoiding runtime checks in the code.

Also removes BytecodeNode::set_bytecode methods.

Review-Url: https://codereview.chromium.org/2542903003
Cr-Commit-Position: refs/heads/master@{#41706}

ES6 requires the compile method to return this:
www.ecma-international.org/ecma-262/6.0/#sec-regexp.prototype.compile

BUG=v8:5722,chromium:585775

Review-Url: https://codereview.chromium.org/2577653002
Cr-Commit-Position: refs/heads/master@{#41705}

Determine if the scope of the function to be serialized includes asm-
wasm, and if so, bypass serialization, since we do not support it in
that scenario.

In this change, we do so regardless of whether the asm-wasm path was
successful. This is so we keep the design simple, since the guidance
to developers, moving forward, is to use wasm.

BUG=643595

Review-Url: https://codereview.chromium.org/2573193002
Cr-Commit-Position: refs/heads/master@{#41704}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/d16d922..d4ca00b

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/b7b743b..ab73453

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/6b7c8d5..286099f

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2578883002
Cr-Commit-Position: refs/heads/master@{#41703}

Review-Url: https://codereview.chromium.org/2581443002
Cr-Commit-Position: refs/heads/master@{#41702}

Promise catch prediction no longer has to be threaded through the
parser since the code using %catch has been moved to TF codestubs.

This is currently dead code.

BUG=v8:5343,v8:5741

Review-Url: https://codereview.chromium.org/2575133002
Cr-Commit-Position: refs/heads/master@{#41701}

Printing an asm.js success message and timings is useful,
but also non-deterministic. Making the message stable unless a flag is passed.
This will avoid making it a hassle in the future to create LayoutTests
that use asm.js and verify console output.

BUG=v8:4203
R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2574273002
Cr-Commit-Position: refs/heads/master@{#41700}

This CL moves even more limits to wasm-limits.h and enforces limits for
types, functions, parameter counts, return counts, local counts, imports,
globals, and exports.

R=clemensh@chromium.org, ahaas@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2574133002
Cr-Commit-Position: refs/heads/master@{#41699}

Avoid needless resizing of the StateValueList's fields vector by
reserving its (already known) size.

Review-Url: https://codereview.chromium.org/2572683005
Cr-Commit-Position: refs/heads/master@{#41698}

R=jarin@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2578563002
Cr-Commit-Position: refs/heads/master@{#41697}

This reverts commit 5c1babcc.

This seems to regress a range of benchmarks on ia32:
  Emscripten for Fannkuch, Zlib, MemOps, Life, Bullet
  AreWeFastYet for BulletLoadTime, Fasta, Fannkuch
  JetStream for towers.c, quicksort.c, gcc-loops.cpp, bigfib.cpp

BUG=673861
R=jarin@chromium.org,shiyu.zhang@intel.com

Review-Url: https://codereview.chromium.org/2573983003
Cr-Commit-Position: refs/heads/master@{#41696}

Adding timing info going to the console about asm.js

Rename ConvertAsmToWasm -> CompileAsmViaWasm, to be more precise.
Add enum for wasm data elements.

BUG=v8:4203
R=titzer@chromium.org,yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2577453003
Cr-Commit-Position: refs/heads/master@{#41695}

... and clean it up.

BUG=

Review-Url: https://codereview.chromium.org/2569353004
Cr-Commit-Position: refs/heads/master@{#41694}

R=danno@chromium.org

BUG=

Review-Url: https://codereview.chromium.org/2568303008
Cr-Commit-Position: refs/heads/master@{#41693}

Without this patch, the tests on lines 410, 414, 418 and 422 in
function testNonStaticName of test/mjsunit/es6/function-name.js
would all fail.  The bug caused non-static "name" methods and
properties to be mistaken for static ones.

R=adamk@chromium.org, verwaest@chromium.org
BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2567343004
Cr-Commit-Position: refs/heads/master@{#41692}

WASM exported functions have additional internal fields which change the instance
size. Adding a getter or setter to such an exported function results in its map
becoming normalized. The normalized map cache, however, finds a different map
with a different instance size, and thus BOOM.

R=verwaest@chromium.org,cbruni@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2554343002
Cr-Commit-Position: refs/heads/master@{#41691}

... and fix the inconsistencies.

BUG=

Review-Url: https://codereview.chromium.org/2573573004
Cr-Commit-Position: refs/heads/master@{#41690}

BUG=v8:5735

Review-Url: https://codereview.chromium.org/2574943002
Cr-Commit-Position: refs/heads/master@{#41689}

R=jgruber@chromium.org
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2566093002
Cr-Commit-Position: refs/heads/master@{#41688}

The least two bits of the owner field of a Page are used to determine
whether the Page is part of a large object. If these bits are not equal
to 0x11, the page is part of a large object and needs special handling
e.g. in MemoryChunk::FromAnyPointerAddress to determine which chunk it
belongs to.

This CL fixes an issue in which the store buffer overflows after
a large object space allocation but before the object has been fully
initialized. Store buffer overflow handling attempts to look up the
chunk of a page, but fails to do so correctly since the page's owner
field has not yet been initialized.

This CL ensures that the owner field of all pages belonging to a large
object allocation are initialized to a value that is interpreted
correctly.

BUG=chromium:672041

Committed: https://crrev.com/9b6808bfb5366beebe3af30a06f9851edb2039d4
Review-Url: https://codereview.chromium.org/2565713002
Cr-Original-Commit-Position: refs/heads/master@{#41641}
Cr-Commit-Position: refs/heads/master@{#41687}

Debug mirrors will no longer be supported in the near future.
It will now only be tested by being used by the v8-inspector.

R=jgruber@chromium.org
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2566103002
Cr-Commit-Position: refs/heads/master@{#41686}