This code was confusing, as it wasn't immediately obvious that this is
dead and doesn't need to updated anymore.

R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2844993002
Cr-Commit-Position: refs/heads/master@{#44911}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/95c219b..8ed22b4

Rolling v8/third_party/android_tools: https://chromium.googlesource.com/android_tools/+log/b65c477..cb6bc21

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/380124f..8062a57

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: Iae759fb661433fb664e2ed1c9b48beddaee0cc96
Reviewed-on: https://chromium-review.googlesource.com/488325Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44910}

TBR=machenbach@chromium.org
Bug: v8:6305

Change-Id: I1cc18597b9bbf4b140008228306c169d653b907a
Reviewed-on: https://chromium-review.googlesource.com/488105Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44909}

R=joransiu@ca.ibm.com, jyan@ca.ibm.com
BUG=
LOG=n

Review-Url: https://codereview.chromium.org/2842843005
Cr-Commit-Position: refs/heads/master@{#44908}

This reverts commit d7cdea6f.

Reason for revert: Flakiness on bots

Original change's description:
> [wasm] Add guard pages before Wasm Memory
> 
> Although Wasm memory indices are all unsigned, they sometimes get assembled
> as 32-bit signed immediates. Values in the top half of the Wasm memory space
> will then get sign extended, causing Wasm to access in front of its memory
> buffer.
> 
> Usually this region is not mapped anyway, so faults still happen as they are
> supposed to. This change protects this region with guard pages so we are
> guaranteed to always fault when this happens.
> 
> Bug: v8:5277
> Change-Id: Id791fbe2a5ac1b1d75460e65c72b5b9db2a47ee7
> Reviewed-on: https://chromium-review.googlesource.com/484747
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44905}

TBR=bradnelson@chromium.org,gdeepti@chromium.org,mtrofin@chromium.org,eholk@chromium.org,mseaborn@chromium.org,adamk@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Ia1d3e5dbf4f518815a9fd4197047077bc8e42816
Reviewed-on: https://chromium-review.googlesource.com/487828Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44907}

Clearing out the constructor field is invalid in the case where the
function's map has transitioned since the last SetPrototype call.

Bug: chromium:714972
Change-Id: Ie918702a128219c4995b805f7c9a53b41cc4e4b6
Reviewed-on: https://chromium-review.googlesource.com/486130
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44906}

Although Wasm memory indices are all unsigned, they sometimes get assembled
as 32-bit signed immediates. Values in the top half of the Wasm memory space
will then get sign extended, causing Wasm to access in front of its memory
buffer.

Usually this region is not mapped anyway, so faults still happen as they are
supposed to. This change protects this region with guard pages so we are
guaranteed to always fault when this happens.

Bug: v8:5277
Change-Id: Id791fbe2a5ac1b1d75460e65c72b5b9db2a47ee7
Reviewed-on: https://chromium-review.googlesource.com/484747
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44905}

This allows us to avoid a separate receiver typecheck in a few places
without regressing the error messages generated.

As more Array methods move to C++, this will get more usage.

Bug: v8:3577
Change-Id: Ibdd17c781548520172ce62442bc3a800e5c09e99
Reviewed-on: https://chromium-review.googlesource.com/486103Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44904}

R=littledan@chromium.org

Bug: v8:5070
Change-Id: I15d26410eafca47eec7ecd0b3ca58d608f4ae0cc
Reviewed-on: https://chromium-review.googlesource.com/487029Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44903}

The interpreter used a ZoneVector<WasmVal> to model the value stack.
Thus, at each single pop to the stack, a bounds check was performed,
and the storage was potentially extended.
This CL changes this to pre-allocate enough space for the stack of a
function when a new frame is entered. This avoids any checks for pushs
and pops.
Instead of storing a ZoneVector<WasmVal>, we store WasmVal* directly.
The maximum value stack size is precomputed together with the control
transfer side table.

This CL speeds up interpreted execution by 15% on average (measured
locally on a Z840).

R=ahaas@chromium.org
BUG=v8:5822

Change-Id: If949f7ee5233d874cd6a04b7dde2d7b4a95e45ea
Reviewed-on: https://chromium-review.googlesource.com/488061
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44902}

This still doesn't cover all the paths yet, since some paths are
impossible to trigger at this point due to the way the CanInlineCall
predicate works on the AllocationSite, which says multiple things:

 - In case of Array(len), the len was always a Smi so far.
 - In case of Array(...args), storing the args didn't change the
   elements kind.
 - In case of Array(len), the len was always less than the initial
   maximum fast element array size.

These conditions are tailored towards Crankshaft and don't really
make a lot of sense in the TurboFan world. We'd need more fine
grained protections, which we will achieve by refactoring the Array
constructor.

BUG=chromium:715404,v8:6262
TBR=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2843033002
Cr-Commit-Position: refs/heads/master@{#44901}

To reduce size of Builtins::CallableFor function we can add only case which we actually use.

BUG=chromium:714893
R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2839933003
Cr-Commit-Position: refs/heads/master@{#44900}

For holey Smi and double source arrays, we would go to the general
case, which is much slower than before. We already check that there
are no prototype chain changes in IterableToListCanBeElided, and
there is no JS-code run between that check and the copying of the
elements, so we can safely check for the hole and convert it to
undefined, which is then converted to 0/NaN appropriately for the
given TypedArray.

Bug: chromium:713570,chromium:711275
Change-Id: I5b21c915907d71eebb73b7b1eea8eb58b4a5436d
Reviewed-on: https://chromium-review.googlesource.com/485520
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44899}

Revert of [turbofan] Fix impossible type handling for TypeGuard and BooleanNot. (patchset #1 id:1 of https://codereview.chromium.org/2836203004/ )

Reason for revert:
Tentative revert for https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/14886

Original issue's description:
> [turbofan] Fix impossible type handling for TypeGuard and BooleanNot.
>
> BUG=chromium:715204
>
> Review-Url: https://codereview.chromium.org/2836203004
> Cr-Commit-Position: refs/heads/master@{#44883}
> Committed: https://chromium.googlesource.com/v8/v8/+/9c47a061cf325addf8bd2ba4b71a4d1ef210c5d6

TBR=bmeurer@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:715204

Review-Url: https://codereview.chromium.org/2842793004
Cr-Commit-Position: refs/heads/master@{#44898}

V8 can bundle user scripts in the start up snapshot. These are
shared across contexts, and do not work well context groups.

R=kozyatinskiy@chromium.org
BUG=v8:6274

Review-Url: https://codereview.chromium.org/2836623002
Cr-Original-Commit-Position: refs/heads/master@{#44847}
Committed: https://chromium.googlesource.com/v8/v8/+/9685cfd310a51b2b32f97223069abaaca77405a8
Review-Url: https://codereview.chromium.org/2836623002
Cr-Commit-Position: refs/heads/master@{#44897}

At the moment the AsyncCompileJob object is deallocated after one of its
task functions return false. This mechanism is, however, not documented,
potentially error-prone, and I think there are already some cases where
I think that we got it wrong.

This CL moves the deallocation of the AsyncCompileJob object to the
place where the promise which belongs to the AsyncCompileJob is either
resolved or rejected. This is a more appropriate place to deallocate the
object, because conceptionally, at the end of every an AsyncCompileJob
its promise should either be resolved or rejected.

R=clemensh@chromium.org, mtrofin@chromium.org

Change-Id: I87618c5619a3ac923645d1c3f6acaee9b0b14a83
Reviewed-on: https://chromium-review.googlesource.com/486884Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44896}

R=joransiu@ca.ibm.com, bjaideep@ca.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/2842833002
Cr-Commit-Position: refs/heads/master@{#44895}

- Use Assembler in a few places that unneccessarily used MacroAssembler before.
- Fix some comments.

R=jarin@chromium.org
BUG=v8:6048

Review-Url: https://codereview.chromium.org/2843933002
Cr-Commit-Position: refs/heads/master@{#44894}

Revert of [turbofan] Set proper representation for initial arguments length. (patchset #1 id:1 of https://codereview.chromium.org/2810333004/ )

Reason for revert:
Field representation is not preserved

Original issue's description:
> [turbofan] Set proper representation for initial arguments length.
>
> The JSArgumentsObject::length representation is initially Smi, so we can
> record that on the initial map and use it to optimize the accesses in
> TurboFan based on that. Similar for JSSloppyArgumentsObject::caller.
>
> BUG=v8:6262
> R=yangguo@chromium.org
>
> Review-Url: https://codereview.chromium.org/2810333004
> Cr-Commit-Position: refs/heads/master@{#44644}
> Committed: https://chromium.googlesource.com/v8/v8/+/5eec7df9b319e5b7a8158d82825d61e90a7cfe33

TBR=yangguo@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:6262

Review-Url: https://codereview.chromium.org/2825323002
Cr-Commit-Position: refs/heads/master@{#44893}

R=clemensh@chromium.org
TEST=mjsunit/asm/int32-mul
BUG=chromium:715482

Change-Id: I525e901fd6ade101999694a53d5147b6e4ccc2e5
Reviewed-on: https://chromium-review.googlesource.com/488024Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44892}

This makes sure that the observable property order of the module export
maintains insertion order. Now that properties are configurable, we no
longer need to reverse the export processing.

R=clemensh@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=chromium:715420

Change-Id: Ib2024254c07bdad7fee1cf2fa0bd3e847721f5b5
Reviewed-on: https://chromium-review.googlesource.com/488022Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44891}

This fixes the bounds checking of "unsigned" numeric literals (those
that do not contains dots) by the parser. In particular this fixes a
bogus truncation to 32-bit in the scanner. It also makes the scanner
more robust by limiting the range of those numeric literals, hence
completely avoiding rounding loss or truncation errors.

R=clemensh@chromium.org
TEST=unittests/AsmJsScannerTest.UnsignedNumbers
BUG=v8:6298

Change-Id: Id31ab3c652e99fa8d3d6663315768e1bfaf3b773
Reviewed-on: https://chromium-review.googlesource.com/486881Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44890}

Add PropertyDetails::AttributesField + PropertyDetails::LocationField.

Review-Url: https://codereview.chromium.org/2842843004
Cr-Commit-Position: refs/heads/master@{#44889}

Instead of calculating the OSR entry point both in the bytecode analysis
and in the bytecode graph builder, calculate it once in the analysis and
use that calculation in the graph builder.

Old TODO from https://codereview.chromium.org/2558093005.

Change-Id: I071bc622beb55dc5eddaee25ef28e21fc4b477f0
Reviewed-on: https://chromium-review.googlesource.com/485899
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44888}

This makes e.g., load(file) work within Realm.eval(realm, "load(file)") to load files into that realm.

Bug:

Change-Id: I85738f0dfab621f2a8c9e2703f4ce4b39dd882bf
Reviewed-on: https://chromium-review.googlesource.com/484379Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44887}

Only create a singleton array for Array(len) if Type(len) cannot be
Number, otherwise we might need to throw an exception instead.

BUG=chromium:715404
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2838123004
Cr-Commit-Position: refs/heads/master@{#44886}

The only users of the LoadStoreOpcodeOf function were a number of
macros in wasm-macro-gen.h, and three test functions using it directly.
This CL refactors those functions to also use the macros.
In one case, this requires storing the value in a local variable first.

R=ahaas@chromium.org

Change-Id: Ia2fbf67a3831fafc9345e155eb240cf1bf6feb5d
Reviewed-on: https://chromium-review.googlesource.com/486842Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44885}

Also move the responsibility of marking builtins as initialized
to the deserializer.

R=jkummerow@chromium.org

Review-Url: https://codereview.chromium.org/2840493002
Cr-Original-Commit-Position: refs/heads/master@{#44802}
Committed: https://chromium.googlesource.com/v8/v8/+/a2b3a2fbc562584ec298dfe674c97662a125a59e
Review-Url: https://codereview.chromium.org/2840493002
Cr-Commit-Position: refs/heads/master@{#44884}

BUG=chromium:715204

Review-Url: https://codereview.chromium.org/2836203004
Cr-Commit-Position: refs/heads/master@{#44883}

v8-info.sh relies on svn and doesn't work
anymore.

Bug:

Change-Id: Ib4bc996897111bf12d08f3cf0b83154c9d7965a4
Reviewed-on: https://chromium-review.googlesource.com/485639Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44882}

BUG=chromium:715151
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2839873004
Cr-Commit-Position: refs/heads/master@{#44881}

R=jarin@chromium.org
BUG=chromium:714696

Review-Url: https://codereview.chromium.org/2838143002
Cr-Original-Commit-Position: refs/heads/master@{#44854}
Committed: https://chromium.googlesource.com/v8/v8/+/87b5b53f6f3321ad33b15e686590da7b57df2ff9
Review-Url: https://codereview.chromium.org/2838143002
Cr-Commit-Position: refs/heads/master@{#44880}

Update the json file in js-perf-test with compare bytecode handler tests.
This cl (https://chromium-review.googlesource.com/c/485522/) adds new
tests but not all of them are updated in the json file.

Bug:v8:4280

Change-Id: Ifd1f479b770a4277fbba1de51ca2f7cbc26003cb
Reviewed-on: https://chromium-review.googlesource.com/487961Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44879}

- Throw TypeError in ValidateTypedArray, matching JSC, SpiderMonkey
  and ChakraCore.
- Validate typed arrays at start of each typed array prototype
  methods in src/js/typedarrays.js
- Add tests to check detached buffers
- Remove an unnecessary parameter of TypedArraySpeciesCreate
  in src/js/typedarrays.js
- Standardize TypedArray.prototype.subarray
- Update test262.status to pass detached buffer tests

Reland of https://codereview.chromium.org/2778623003

BUG=v8:4648, v8:4665, v8:4953
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel

Review-Url: https://codereview.chromium.org/2827443002
Cr-Commit-Position: refs/heads/master@{#44878}

Previously API function calls would only be optimized in TurboFan when
the receiver was a (compile-time) known constant, which was probably
only true for certain cases where functions where called on the global
proxy (the window object).

BUG=v8:5267,v8:6304
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2839953002
Cr-Commit-Position: refs/heads/master@{#44877}

Although we currently only support up to 1GB memory, we want to raise
this issue in the future. This test illustrates several issues we need
to be sure to fix first.

Bug: v8:6306
Change-Id: I362b7a9e51e8eb33a50e3b172a6f01d41995c3cb
Reviewed-on: https://chromium-review.googlesource.com/487047
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44876}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/87cefe1..95c219b

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/892a0b6..380124f

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/5d201de..dc087f5

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I2e0f396b5c52ab4d40318b2856852a4f4a0f2942
Reviewed-on: https://chromium-review.googlesource.com/487561Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44875}

We should be ready for gone agent.

BUG=chromium:714819
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2842903002
Cr-Commit-Position: refs/heads/master@{#44874}

BUG=chromium:714486
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2834363003
Cr-Commit-Position: refs/heads/master@{#44873}

Port 46d0e481

Original Commit Message:

    The CallApiCallbackStub can avoid loading undefined in case the
    call_data is already undefined, which doubles the number of versions of
    the stub and adds unnecessary complexity (at the benefit of saving one
    stupid load). The idea is to turn the CallApiCallbackStub into a single
    builtin instead, which does the right thing, so this is the first step
    towards that goal.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:6304
LOG=N

Review-Url: https://codereview.chromium.org/2837283004
Cr-Commit-Position: refs/heads/master@{#44872}