Sanitize imports before we start the instance building process. This
avoids the possibility of exiting to JS while building instances,
and allowing JS to observe an inconsistent state of the wasm world -
e.g. incomplete specialization chains.

We now validate we never exit to JS during that process.

Bug: chromium:766260

Change-Id: I34930c8b70bdac16af464b3f62a2b6a38107acb3
Reviewed-on: https://chromium-review.googlesource.com/671480
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48074}

Promises can sometimes be resolved after the RealmScope has been destroyed, such
as when a Wasm compile job finishes after the script main has finished. If the
Promise.then function refers to Realm.current, we were getting a use-after free
error when it would search for the list of realms. This change also zeros out
realm_count_ in addition to deleting the realms_ so that RealmFind will not
reference freed memory.

Bug: chromium:761710
Change-Id: I2d42997f363b284ccc5f4b225d3f59e0361e68d6
Reviewed-on: https://chromium-review.googlesource.com/671923Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48073}

Also store the variable directly on ClassLiteral, as the proxy serves
as a useless form of indirection.

Bug: v8:6092
Change-Id: If0182a808cde4e349c1bf5a003a1ecee5bd14b13
Reviewed-on: https://chromium-review.googlesource.com/667800Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48072}

Chromium has rolled the Fuchsia SDK, so this can be removed now, and
the new zx_, etc. names used exclusively.

Bug: chromium:765754
Change-Id: I8bd60239da7a05e62d3b8d5209e1cfe898d8052a
Reviewed-on: https://chromium-review.googlesource.com/671769Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Scott Graham <scottmg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48071}

R=littledan@chromium.org, adamk@chromium.org, caitp@igalia.com
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng

Bug: v8:5601
Change-Id: Ifc5fa3e9de05f64d8a6cb82d67fb272800a208a3
Reviewed-on: https://chromium-review.googlesource.com/669720Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Cr-Commit-Position: refs/heads/master@{#48070}

R=adamk@chromium.org, mstarzinger@chromium.org

Bug: v8:5244, chromium:765479
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I684805acc194a93b96d74e3e64834867dce78dee
Reviewed-on: https://chromium-review.googlesource.com/668677Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Cr-Commit-Position: refs/heads/master@{#48069}

Enable --harmony-async-iteration (Symbol.asyncIterator, async generator
syntax, and for-await-of syntax) by default, as discussed in
https://groups.google.com/forum/#!topic/v8-users/SlLEsgNv4JY

BUG=v8:5855
R=adamk@chromium.org, gsathya@chromium.org

Change-Id: I77a77124a68813431daceca1b0cbaec5af271fee
Reviewed-on: https://chromium-review.googlesource.com/668877
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48068}

This is a reland of aabb893a
Original change's description:
> fuchsia: Set up for 3-sided roll to convert Magenta->Zircon
> 
> Fuchsia changed their kernel name from Magenta to Zircon and all the
> functions and defines along with it. In order to be able to roll the SDK
> in Chromium, we first need to land with this define added in v8, so that
> can roll in to Chromium, then roll the Fuchsia SDK with this magic
> define set (CHROMIUM_ROLLING_MAGENTA_TO_ZIRCON), then actually update v8
> to reference zx_ instead of mx_ and roll that again.
> 
> Chromium-side for reference: https://chromium-review.googlesource.com/c/chromium/src/+/669139
> 
> Bug: chromium:765754, chromium:707030
> Change-Id: I4ed5027f455d2346f431e7c700e87693348d5b79
> Reviewed-on: https://chromium-review.googlesource.com/668751
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Commit-Queue: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48047}

TBR=bbudge@chromium.org

Bug: chromium:765754, chromium:707030
Change-Id: Ib6e99ca418af527014622614d07d295b6110f9d5
Reviewed-on: https://chromium-review.googlesource.com/670944Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48067}

The bug occurred when we detected an erroneous char late, and put the last
character in a chunk into the "incomplete char" buffer. It was not correctly
retrieved when seeking.

BUG=v8:6836

Change-Id: I8ca946dfdb39244c5ca0bdcebe047047010b3a07
Reviewed-on: https://chromium-review.googlesource.com/670729
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48066}

SetForceInline flag is no longer used. This flag was added for
inlining some of the javascript builtins. They are now ported to
TurboFan builtins. This cl removes SetForceInline runtime function
and the corresponding bits in the SharedFunctionInfo. Also update
inlining heuristics to not look for this bit.

Bug: v8:6682
Change-Id: Ie8df9648332b765a556e24609c38b4e55b810527
Reviewed-on: https://chromium-review.googlesource.com/668436Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48065}

This reverts commit 2b15425b.

Reason for revert: Re-enabling escape analysis after merging the flag change to 6.1.

Original change's description:
> [turbofan] Temporarily turn off escape analysis.
> 
> Bug: chromium:765433
> Change-Id: Iecc9540f6305bc24a0a5210c149b55403b9ce09d
> Reviewed-on: https://chromium-review.googlesource.com/667106
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48032}

TBR=mstarzinger@chromium.org,jarin@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:765433
Change-Id: Icac44fd76e2965df1e143700941b628ea7a69166
Reviewed-on: https://chromium-review.googlesource.com/670864Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48064}

This is now implemented as a build-time flag.

Change-Id: I10db18725ca6837ae04032725582717233b2c2e5
Reviewed-on: https://chromium-review.googlesource.com/670728Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48063}

This reverts commit 4dd293d9.

Reason for revert: Blocks roll: https://chromium-review.googlesource.com/c/chromium/src/+/669785

Original change's description:
> [Memory] Move VirtualMemory out of base:: platform.
> 
> - Moves base::VirtualMemory to v8::internal::VirtualMemory.
> - Makes VirtualMemory platform-independent by moving internals to new
>   OS:: static methods, for each platform.
> 
> This will make it easier to delegate memory management in VirtualMemory
> to V8::Platform, so that embedders like Blink can override it. We can't
> depend on V8::Platform in base/platform.
> 
> Bug: chromium:756050
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: Iadfe230b6850bd917727a373f277afded9883adf
> Reviewed-on: https://chromium-review.googlesource.com/653214
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48048}

TBR=bbudge@chromium.org,ulan@chromium.org,hpayer@chromium.org,mlippautz@chromium.org,scottmg@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:756050
Change-Id: Ice2618ef72950e1b64c31434a239c626aa5e5970
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/670843Reviewed-by: Michael Hablich <hablich@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48062}

See https://bugs.chromium.org/p/chromium/issues/detail?id=762677#c12 for
the description of the bug.

Bug: chromium:762677
TBR: mlippautz@chromium.org
Change-Id: If5c4c2c15f2403d336edf34d10679521397db75c
Reviewed-on: https://chromium-review.googlesource.com/670823
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48061}

When using Lockers and Unlockers it is possible to create a
scenario where multiple threads point to the same optimized
code object. When that happens, if one of the threads triggers
deoptimization, then the stack replacement needs to happen in
the stacks of all threads.
With this CL, the deoptimizer visits all threads to do so.
The CL also adds three tests where V8 used to crash due to this
issue.

Bug: v8:6563
Change-Id: I74e9af472d4833aa8d13e579df45133791f6a503
Reviewed-on: https://chromium-review.googlesource.com/670783Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Juliana Patricia Vicente Franco <jupvfranco@google.com>
Cr-Commit-Position: refs/heads/master@{#48060}

This reverts commit aabb893a.

Reason for revert: blocks roll https://chromium-review.googlesource.com/c/chromium/src/+/669540; Fix has not landed yet: https://chromium-review.googlesource.com/c/v8/v8/+/670280

Original change's description:
> fuchsia: Set up for 3-sided roll to convert Magenta->Zircon
> 
> Fuchsia changed their kernel name from Magenta to Zircon and all the
> functions and defines along with it. In order to be able to roll the SDK
> in Chromium, we first need to land with this define added in v8, so that
> can roll in to Chromium, then roll the Fuchsia SDK with this magic
> define set (CHROMIUM_ROLLING_MAGENTA_TO_ZIRCON), then actually update v8
> to reference zx_ instead of mx_ and roll that again.
> 
> Chromium-side for reference: https://chromium-review.googlesource.com/c/chromium/src/+/669139
> 
> Bug: chromium:765754, chromium:707030
> Change-Id: I4ed5027f455d2346f431e7c700e87693348d5b79
> Reviewed-on: https://chromium-review.googlesource.com/668751
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Commit-Queue: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48047}

TBR=bbudge@chromium.org,scottmg@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:765754, chromium:707030
Change-Id: Ic1563b10a69372a0946ee9eacc8a2d21eb3ee302
Reviewed-on: https://chromium-review.googlesource.com/670619Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48059}

Bug: v8:5967
Change-Id: I7fe03ea6270434e2c798ee8faec8d7170607ceea
Reviewed-on: https://chromium-review.googlesource.com/670419Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48058}

I noticed that ScopeIterator::CurrentContext returns an empty Handle
whereas functions like ScopeIterator::CurrentScopeInfo call
Handle<Context>::null() instead. This commit suggests changing this for
consistency.

Bug: 
Change-Id: I8735d655a8c0affeb6a18e74efe0d33bf6d5e899
Reviewed-on: https://chromium-review.googlesource.com/668440Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48057}

  - Added TFJ builtins for S.p.{anchor, big, blink, bold, fontcolor,
      fontsize, fixed, italics, link, small, strike, sub, sup}
  - Removed functionality from string.js

Bug: v8:5049
Change-Id: I3a91b52eaceef5c47bb55ed62780d72ef1e802e9
Reviewed-on: https://chromium-review.googlesource.com/666487
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48056}

This reverts commit ee5c31f3.

Reason for revert: Fixed compiler failure

Original change's description:
> Revert "[wasm] A simple allocator datastructure for off-the heap"
> 
> This reverts commit 110d9ab0.
> 
> Reason for revert: https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20debug%20builder/builds/26607
> 
> Surprising we're seeing a failure on Linux 64 *after* CQ. Is the compiler there different?
> 
> Original change's description:
> > [wasm] A simple allocator datastructure for off-the heap
> > 
> > We'll use this allocator in a follow-up CL to:
> > - allocate speculative sizes of memory for a module that's being
> > compiled (e.g. 2*size of wasm code).
> > - each module will own such a sub-pool, and then use it to allocate
> > contiguous chunks of memory for code.
> > 
> > The underlying assumptions for the chosen allocation strategy is that:
> > - the allocation granularity for pools is 1 page, so that no one page
> > is owned by more than one wasm module
> > - typical pool sizes (given module sizes) are multiple pages.
> > - modules and module instances are typically few and long lived. Typically,
> > we expect one module and one instance. 
> > 
> > This means we shouldn't expect fragmentations that lead to code being
> > non-allocatable, or prohibitively many ranges.
> > 
> > The data structure just manages ranges of addresses. Virtual memory management
> > will be separate, as part of the responsibility of a "WasmHeap"
> > that will be introduced in the future. So will concurrency control.
> > 
> > Bug: 
> > Change-Id: Id99f46d10c25553b013054d994760f3c2a737c39
> > Reviewed-on: https://chromium-review.googlesource.com/669296
> > Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
> > Reviewed-by: Eric Holk <eholk@chromium.org>
> > Reviewed-by: Brad Nelson <bradnelson@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#48053}
> 
> TBR=bradnelson@chromium.org,mtrofin@chromium.org,eholk@chromium.org
> 
> Change-Id: Id82fa341b77624e4971f24c4757a9a666a65930c
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Reviewed-on: https://chromium-review.googlesource.com/670141
> Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48054}

TBR=bradnelson@chromium.org,mtrofin@chromium.org,eholk@chromium.org

Change-Id: Ib6a7a3e6098d2689e60cdca85ec77e57e5295e48
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/670142
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48055}

This reverts commit 110d9ab0.

Reason for revert: https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20debug%20builder/builds/26607

Surprising we're seeing a failure on Linux 64 *after* CQ. Is the compiler there different?

Original change's description:
> [wasm] A simple allocator datastructure for off-the heap
> 
> We'll use this allocator in a follow-up CL to:
> - allocate speculative sizes of memory for a module that's being
> compiled (e.g. 2*size of wasm code).
> - each module will own such a sub-pool, and then use it to allocate
> contiguous chunks of memory for code.
> 
> The underlying assumptions for the chosen allocation strategy is that:
> - the allocation granularity for pools is 1 page, so that no one page
> is owned by more than one wasm module
> - typical pool sizes (given module sizes) are multiple pages.
> - modules and module instances are typically few and long lived. Typically,
> we expect one module and one instance. 
> 
> This means we shouldn't expect fragmentations that lead to code being
> non-allocatable, or prohibitively many ranges.
> 
> The data structure just manages ranges of addresses. Virtual memory management
> will be separate, as part of the responsibility of a "WasmHeap"
> that will be introduced in the future. So will concurrency control.
> 
> Bug: 
> Change-Id: Id99f46d10c25553b013054d994760f3c2a737c39
> Reviewed-on: https://chromium-review.googlesource.com/669296
> Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
> Reviewed-by: Eric Holk <eholk@chromium.org>
> Reviewed-by: Brad Nelson <bradnelson@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48053}

TBR=bradnelson@chromium.org,mtrofin@chromium.org,eholk@chromium.org

Change-Id: Id82fa341b77624e4971f24c4757a9a666a65930c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/670141Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48054}

We'll use this allocator in a follow-up CL to:
- allocate speculative sizes of memory for a module that's being
compiled (e.g. 2*size of wasm code).
- each module will own such a sub-pool, and then use it to allocate
contiguous chunks of memory for code.

The underlying assumptions for the chosen allocation strategy is that:
- the allocation granularity for pools is 1 page, so that no one page
is owned by more than one wasm module
- typical pool sizes (given module sizes) are multiple pages.
- modules and module instances are typically few and long lived. Typically,
we expect one module and one instance. 

This means we shouldn't expect fragmentations that lead to code being
non-allocatable, or prohibitively many ranges.

The data structure just manages ranges of addresses. Virtual memory management
will be separate, as part of the responsibility of a "WasmHeap"
that will be introduced in the future. So will concurrency control.

Bug: 
Change-Id: Id99f46d10c25553b013054d994760f3c2a737c39
Reviewed-on: https://chromium-review.googlesource.com/669296
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48053}

This reverts commit 672a41c3.

Reason for revert: Linux64 TSAN bot failures

Original change's description:
> [profiler] proper observation of old space inline allocations
> 
> Bug: chromium:633920
> Change-Id: I9a2f4a89f6b9c0f63cb3b166b06a88a12f0a203c
> Reviewed-on: https://chromium-review.googlesource.com/631696
> Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48043}

TBR=ulan@chromium.org,mlippautz@chromium.org,ofrobots@google.com

Change-Id: Ib71baf69b29b067fa0ba76027170054b8faa78d3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:633920
Reviewed-on: https://chromium-review.googlesource.com/669559Reviewed-by: Ali Ijaz Sheikh <ofrobots@google.com>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#48052}

This reverts commit 86da38fd.

Reason for revert: Linux64 TSAN bot failures

Original change's description:
> [heap] minor cleanup in allocation observer code
> 
> Change-Id: If0bec38d41a415e9fbfff57ac891de0461bac13b
> Reviewed-on: https://chromium-review.googlesource.com/668836
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
> Cr-Commit-Position: refs/heads/master@{#48046}

TBR=ulan@chromium.org,ofrobots@google.com

Change-Id: Idf03622c4e0f785c8a0d8e4015765a0849a99c47
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/668917Reviewed-by: Ali Ijaz Sheikh <ofrobots@google.com>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#48051}

This reverts commit 7b5a4022.

Reason for revert: GC stress-test failures exposed by 7742e534
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/15110/steps/Mjsunit/logs/exceptions


Original change's description:
> Add capability of throwing values in WASM
> 
> Extends the current implementation of WASM exceptions to be able to
> throw exceptions with values (not just tags).
> 
> An JS typed array (uint_16) is used to hold thrown values, so that the
> thrown values can be inspected in JS.
> 
> Bug: v8:6577
> Change-Id: I1007e79ceaffd64386b62562919cfbb920fc10c5
> Reviewed-on: https://chromium-review.googlesource.com/633866
> Commit-Queue: Karl Schimpf <kschimpf@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Eric Holk <eholk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48001}

TBR=bbudge@chromium.org,mtrofin@chromium.org,eholk@chromium.org,clemensh@chromium.org,kschimpf@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:6577
Change-Id: I8f545183c2d2abb1bf4a0b3ee23379f3754ffd55
Reviewed-on: https://chromium-review.googlesource.com/667019Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48050}

This reverts commit c87f8954.

Reason for revert: LazyDeoptimizationMultithread failing.

https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN%20-%20concurrent%20marking/builds/1876/steps/Bisect%20c87f8954.Retry/logs/LazyDeoptimizationMul..

Original change's description:
> Deoptimization and multithreading. 
> 
> When using Lockers and Unlockers it is possible to create a 
> scenario where multiple threads point to the same optimized 
> code object. When that happens, if one of the threads triggers
> deoptimization, then the stack replacement needs to happen in 
> the stacks of all threads.
> With this CL, the deoptimizer visits all threads to do so.
> The CL also adds three tests where V8 used to crash.
> 
> Bug: v8:6563
> Change-Id: Iea88f47af2f31181c0ef06d898faccde9ad14432
> Reviewed-on: https://chromium-review.googlesource.com/657423
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Commit-Queue: Juliana Patricia Vicente Franco <jupvfranco@google.com>
> Cr-Commit-Position: refs/heads/master@{#48033}

TBR=mstarzinger@chromium.org,jarin@chromium.org,bmeurer@chromium.org,jupvfranco@google.com

Change-Id: I290c9e339c367f68c0d1b6f7c0780cdbbbdf3f8a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6563
Reviewed-on: https://chromium-review.googlesource.com/669399Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48049}

- Moves base::VirtualMemory to v8::internal::VirtualMemory.
- Makes VirtualMemory platform-independent by moving internals to new
  OS:: static methods, for each platform.

This will make it easier to delegate memory management in VirtualMemory
to V8::Platform, so that embedders like Blink can override it. We can't
depend on V8::Platform in base/platform.

Bug: chromium:756050
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Iadfe230b6850bd917727a373f277afded9883adf
Reviewed-on: https://chromium-review.googlesource.com/653214
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48048}

Fuchsia changed their kernel name from Magenta to Zircon and all the
functions and defines along with it. In order to be able to roll the SDK
in Chromium, we first need to land with this define added in v8, so that
can roll in to Chromium, then roll the Fuchsia SDK with this magic
define set (CHROMIUM_ROLLING_MAGENTA_TO_ZIRCON), then actually update v8
to reference zx_ instead of mx_ and roll that again.

Chromium-side for reference: https://chromium-review.googlesource.com/c/chromium/src/+/669139

Bug: chromium:765754, chromium:707030
Change-Id: I4ed5027f455d2346f431e7c700e87693348d5b79
Reviewed-on: https://chromium-review.googlesource.com/668751Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Scott Graham <scottmg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48047}

Change-Id: If0bec38d41a415e9fbfff57ac891de0461bac13b
Reviewed-on: https://chromium-review.googlesource.com/668836Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#48046}

This is a reland of dbfdd4f9
Original change's description:
> [heap] Turn on v8_enable_csa_write_barrier
> 
> With this commit, write barrier is switched to use CodeStubAssembler.
> 
> Bug: chromium:749486
> Change-Id: I7e0914bee971e4f3a3257740ae7c83b31f791bd9
> Reviewed-on: https://chromium-review.googlesource.com/598088
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
> Cr-Commit-Position: refs/heads/master@{#48006}

Bug: chromium:749486
Change-Id: I00933d989568c82b5fbaf6203bb146c65f8e4282
Reviewed-on: https://chromium-review.googlesource.com/668636Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#48045}

Since DeserializeLazy uses write barrier, deserializing write barrier
lazily would cause cyclic dependency. This commit changes RecordWrite to
be deserializd eagerly.

Bug: chromium:765301 chromium:749486
Change-Id: I363692baf9b742289c0443afac634662f0026922
Reviewed-on: https://chromium-review.googlesource.com/668454
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48044}

Bug: chromium:633920
Change-Id: I9a2f4a89f6b9c0f63cb3b166b06a88a12f0a203c
Reviewed-on: https://chromium-review.googlesource.com/631696
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48043}

The `SaveContext` operation in `AsyncCompileJob::CompileTask` allocates
a handle. However, the platform implementation may not be able
to provide a `HandleScope`, since it cannot tell whether the isolate
is disposed (and the task canceled) at the time it runs the task;
so it is an API requirement of `CancelableTask` is that `RunInternal()`
does not leak any handles into outside scopes.

Change-Id: I86db36ddc71f774a31d5bc13b7399ef961374d6f
Reviewed-on: https://chromium-review.googlesource.com/668397Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48042}

Empty slot set buckets can leak in the following scenarios.

Scenario 1 (large object space):
1) A large array is allocated in the large object space.
2) The array is filled with old->new references, which allocates new
   slot set buckets.
3) The references are overwritten with smis or old space pointers, which
   make the slots set buckets empty.
4) Garbage collection (scavenge or mark-compact) iterates the slots set
   of the array and pre-frees the empty buckets.
5) Steps 2-4 repeated many times and leak arbitary many empty buckets.
The fix to free empty buckets for large object space in mark-compact. 

Scenario 2 (no mark-compact):
1) A small array is allocated in the old space.
2) The array is filled with old->new references, which allocates new
   slot set buckets.
3) The references are overwritten with smis or old space pointers, which
   make the slots set buckets empty.
4) Scavenge iterates the slots set of the array and pre-frees the empty
   buckets.
5) Steps 2-4 repeated many times and leak arbitary many empty buckets.
The fix to free empty buckets for swept pages in scavenger.

Bug: v8:6800
TBR: mlippautz@chromium.org
Change-Id: I48d94870f5acf4f6208858271886911c895a9126
Reviewed-on: https://chromium-review.googlesource.com/668442Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48041}

Support inlining of Array.prototype.filter in TurboFan.

Bug: v8:1956
Change-Id: Iba4d683aaa86c6104e8a1cf4d0f549a0c516576a
Reviewed-on: https://chromium-review.googlesource.com/657021
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48040}

Given that the index we use is checked to be in array index range there is no
need for a costly ToString conversion. All involved helpers for lookup up
properties directly support Smi/HeapNumber indices directly.

Cleanup: Rename GotoUnlessNumberLessThan => GotoIfNumberGreaterThanOrEqual

Change-Id: Iaddc4940f5d984572aa218d568ca71bf694cee74
Reviewed-on: https://chromium-review.googlesource.com/640388
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48039}

Bug: chromium:763010
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I7d479f8abb16ffd7ffc19d3a6b58da01f5feddd0
Reviewed-on: https://chromium-review.googlesource.com/661054Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Sigurður Ásgeirsson <siggi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48038}

Bug: v8:6409
Change-Id: I23b5c20022dcda5f46489596b3de4fb69be7e568
Reviewed-on: https://chromium-review.googlesource.com/660539
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48037}

This reverts commit dbfdd4f9.

Reason for revert: https://clusterfuzz.com/v2/testcase-detail/5493096547876864?noredirect=1

Original change's description:
> [heap] Turn on v8_enable_csa_write_barrier
> 
> With this commit, write barrier is switched to use CodeStubAssembler.
> 
> Bug: chromium:749486
> Change-Id: I7e0914bee971e4f3a3257740ae7c83b31f791bd9
> Reviewed-on: https://chromium-review.googlesource.com/598088
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
> Cr-Commit-Position: refs/heads/master@{#48006}

TBR=ulan@chromium.org,albertnetymk@google.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:749486
Change-Id: I8cf6a3f1d2ea607a0160b37b797d743b88b004b5
Reviewed-on: https://chromium-review.googlesource.com/667018Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#48036}

Bug: 
Change-Id: I7ac2f30c70c76ea7c3156750b53ad34baeb046cb
Reviewed-on: https://chromium-review.googlesource.com/667113Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48035}