R=mstarzinger@chromium.org
BUG=v8:5294

Change-Id: If2cdb4d38829e69ddd8aecb99c99c3a03050f57c
Reviewed-on: https://chromium-review.googlesource.com/441824
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43158}

Test both cases where the interesting constructs occur at the
laziness boundary and cases where they occur deeper.

BUG=v8:5501
R=vogelheim@chromium.org

Change-Id: I99e32cb0c829616011bf7d1f389a8d309b54d67e
Reviewed-on: https://chromium-review.googlesource.com/441844Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43157}

BUG=v8:5950
NOTRY=true

Change-Id: I735e9be997167aa9f7252ad592c0881f6f5f621d
Reviewed-on: https://chromium-review.googlesource.com/441726Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43156}

BUG=chromium:691458
NOTRY=true
TBR=tandrii@chromium.org

Change-Id: I252f8624e18d54e0ba60800a2c4f3bf50c30c661
Reviewed-on: https://chromium-review.googlesource.com/441704Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Andrii Shyshkalov <tandrii@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43155}

BUG=chromium:689886

Change-Id: I4fd0cacd8b1a2de6507a4f33dfa5a01df8a3b2bf
Reviewed-on: https://chromium-review.googlesource.com/441725Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43154}

BUG=chromium:673246
NOTRY=true
TBR=jarin@chromium.org,ahaas@chromium.org

Change-Id: Ie2000f543e017dbef27c3faa49565fe838eddcee
Reviewed-on: https://chromium-review.googlesource.com/441345Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43153}

The StringEqual builtin can now deal with ExternalOneByteStrings
without going to the runtime. It still needs to go to the runtime
if the external string is short, i.e. if the resource data pointer
is not cached.

R=yangguo@chromium.org
BUG=v8:4913

Review-Url: https://codereview.chromium.org/2690853004
Cr-Commit-Position: refs/heads/master@{#43152}

The constructor for TypedArray in js/typedarray.js emitted
kInvalidTypedArrayAlignment if the array offset exceeded the size of the
underlying buffer. This seems like a typo introduced in
https://codereview.chromium.org/2090353003.

The error message to be emitted instead coincides with the already existing
kInvalidDataViewOffset. The message string is independent of whether the
object in question is a DataView or a typed array, so this CL:
  (1) renames kInvalidDataViewOffset to just kInvalidOffset, and
  (2) uses kInvalidOffset instead of kInvalidTypedArrayAlignment for cases
      when the TypedArray is constructed with an offset exceeding the buffer
      size.

BUG=v8:5733
TEST=Run d8, execute "new Uint8Array(new ArrayBuffer(1),2)", see the error message mention the invalid offset 2.

Review-Url: https://codereview.chromium.org/2692753002
Cr-Commit-Position: refs/heads/master@{#43151}

This CL fixes some nits in TypeError messages, unifying the form of
kDefineDisallowed and kObjectNotExtensible to match what is used by the
majority of the other messages:
  * "Cannot" vs. "Can't" -> choose "Cannot"
  * "property:%" -> "property %"
  * omit the full-stop at the end of the message

BUG=v8:5673

Review-Url: https://codereview.chromium.org/2686233008
Cr-Commit-Position: refs/heads/master@{#43150}

This adds support for deoptimizing into the JSConstructStub after the
receiver instantiation but before the actual constructor invocation.
Such a deoptimization point is needed for cases where instantiation
might be observed (e.g. when new.target is a proxy) and hence might
trigger a deopt.

We use this new deoptimization point for the "after" frame-state the
inliner attaches to {JSCreate} nodes being inserted when constructor
calls are being inlined.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-5638b
BUG=v8:5638

Change-Id: I7c72c807ee8fb76d12e0e9ccab86d970ab1a0efd
Reviewed-on: https://chromium-review.googlesource.com/440125Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43149}

Previously, accumulators and registers each had a single element cache,
distinct from the local register cache. This meant that

 a) Dead accumulator state nodes were not re-used if the accumulator
    became live.
 b) Functions with only one parameter (the this object) or only one
    local register could not reuse the single-valued state value node
    of the accumulator.

This patch introduces heavier re-use of state-value nodes, decreasing
memory use when building the graph and decreasing the number of nodes
created overall.

Change-Id: Ie3cc6913483aab0819d99be382eb2cb42de8c3d2
Reviewed-on: https://chromium-review.googlesource.com/440926Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43148}

After this, only 2 illegal includes to objects-inl.h remain (some wasm stuff).

R=​mstarzinger@chromium.org
BUG=v8:5294

Change-Id: I18682f42f0d2a7cc29a0a0be76f8e4eea26aafd9
Reviewed-on: https://chromium-review.googlesource.com/441744Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43147}

If exactly one byte in the upper half of the pushed 8-byte value is
set, use a smaller code sequence to push this value on the stack.
Before, we did
  movq r10,<constant>
  push r10
Now, we do
  push 0x0
  movb [rsp+<offset>],<byte>

The old sequence had 12 bytes, the new one has 7.
Pushing such values is used a lot for stack frame markers, which are
small numbers (1-17) encoded as SMIs.

Review-Url: https://codereview.chromium.org/2685213004
Cr-Commit-Position: refs/heads/master@{#43146}

BUG=chromium:673246
NOTRY=true
TBR=marja@chromium.org

Change-Id: If1fe4e886f03b3d6df57fb55df4db7efe7c625fa
Reviewed-on: https://chromium-review.googlesource.com/441764Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43145}

R=neis@chromium.org

Review-Url: https://codereview.chromium.org/2690723002
Cr-Commit-Position: refs/heads/master@{#43144}

This way it's possible to disable Assert() even in Debug
builds via --nodebug-code.

R=danno@chromium.org
BUG=v8:5268

Review-Url: https://codereview.chromium.org/2690983002
Cr-Commit-Position: refs/heads/master@{#43143}

(The bug below is fixed.)

BUG=v8:5938

Change-Id: Ifa0213b1475b1f065238ffad77a03cdfdc49bd28
Reviewed-on: https://chromium-review.googlesource.com/441724Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43142}

Windows won't create empty .lib files, and will subsequently fail to
find the library other rules expect

R=machenbach@chromium.org
BUG=

Change-Id: I8b848834a6957c2164f0eafc853587d39ccb6ca9
Reviewed-on: https://chromium-review.googlesource.com/440244Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43141}

NOTRY=true
R=hablich@chromium.org

Review-Url: https://codereview.chromium.org/2692443002
Cr-Original-Commit-Position: refs/heads/master@{#43138}
Committed: https://chromium.googlesource.com/v8/v8/+/a3de4726c3c1ced8c85a221edb66a55a2ed2a04c
Review-Url: https://codereview.chromium.org/2692443002
Cr-Commit-Position: refs/heads/master@{#43140}

Revert of [fuzzer] Format README.md (patchset #2 id:20001 of https://codereview.chromium.org/2692443002/ )

Reason for revert:
Found another mistake

Original issue's description:
> [fuzzer] Format README.md
>
> NOTRY=true
> R=hablich@chromium.org
>
> Review-Url: https://codereview.chromium.org/2692443002
> Cr-Commit-Position: refs/heads/master@{#43138}
> Committed: https://chromium.googlesource.com/v8/v8/+/a3de4726c3c1ced8c85a221edb66a55a2ed2a04c

TBR=hablich@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2693863002
Cr-Commit-Position: refs/heads/master@{#43139}

NOTRY=true
R=hablich@chromium.org

Review-Url: https://codereview.chromium.org/2692443002
Cr-Commit-Position: refs/heads/master@{#43138}

We cannot skip the @@hasInstance lookup in instanceof depending on a
global protector cell, as the lookup of the property is observable
via proxies or accessors. So remove the global protector and properly
implement CSA::InstanceOf via GetPropertyStub, with an appropriate
fast-path for Function.prototype[@@hasInstance] where we call the
builtin code object directly if the function matches, skipping all
the checks from the call sequence, and also avoid the redundant
ToBoolean conversion on the result.

R=yangguo@chromium.org
TBR=ulan@chromium.org
BUG=v8:5958

Review-Url: https://codereview.chromium.org/2684033012
Cr-Commit-Position: refs/heads/master@{#43137}

BUG=none
R=pfeldman@chromium.org,yangguo@chromium.org,jgruber@chromium.org

Review-Url: https://codereview.chromium.org/2688243004
Cr-Commit-Position: refs/heads/master@{#43136}

Use private symbols to mark default promise handler, instead of calling out to default
handlers defined in JS. We check for this symbol in PromiseHandle and perform the
appropriate behavior as the default handlers.

Catch prediction logic is updated to account for a symbol.

BUG=v8:5343

Review-Url: https://codereview.chromium.org/2695593002
Cr-Commit-Position: refs/heads/master@{#43135}

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/a6b2121..67cf0dc

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: Ife98ccbac145d280c8db845586dc73f14c20ad9f
Reviewed-on: https://chromium-review.googlesource.com/441605Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43134}

BUG=

Review-Url: https://codereview.chromium.org/2688483004
Cr-Commit-Position: refs/heads/master@{#43133}

Revert of [typedarrays] move %TypedArray%.prototype.copyWithin to C++ (patchset #6 id:100001 of https://codereview.chromium.org/2671233002/ )

Reason for revert:
Due to security issue described in review thread.

Original issue's description:
> [typedarrays] move %TypedArray%.prototype.copyWithin to C++
>
> - Removes shared InnerArrayCopyWithin JS builtin from src/js/array.js
> - Implements %TypedArray%.prototype.copyWithin as a C++ builtin, which
> relies on std::memmove rather than accessing individual eleements.
> - Fixes the case where copyWithin is invoked on a TypedArray with a
> detached buffer.
> - Add tests to ensure that +/-Infinity (for all 3 parameters) is handled correctly by the
> algorithm
>
> The C++ version gets through the benchmark more than 25000 times as
> quickly as the JS implementation.
>
> BUG=v8:5925, v8:5929, v8:4648
> R=cbruni@chromium.org, adamk@chromium.org, littledan@chromium.org
>
> Review-Url: https://codereview.chromium.org/2671233002
> Cr-Commit-Position: refs/heads/master@{#42975}
> Committed: https://chromium.googlesource.com/v8/v8/+/0f1c626d556cbf84b0e572635eb803729f88cbb3

TBR=cbruni@chromium.org,adamk@chromium.org,bmeurer@chromium.org,cwhan.tunz@gmail.com,caitp@igalia.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5925, v8:5929, v8:4648

Review-Url: https://codereview.chromium.org/2693753002
Cr-Commit-Position: refs/heads/master@{#43132}

These intrinsics are no longer required, but their runtime call pendants
are still in use. So remove support for those from all compilers.

BUG=v8:5049
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2694623002
Cr-Commit-Position: refs/heads/master@{#43131}

A couple of the builtins in src/js/typedarray.js still depends on these
intrinsics, so if we don't want to regress all of them, we'll have to
support these trivial intrinsics until the JS builtins are migrated.

R=yangguo@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2695553002
Cr-Commit-Position: refs/heads/master@{#43130}

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2663433003
Cr-Commit-Position: refs/heads/master@{#43129}

It reduces the add operation for certain checked load/stores by pre-do
the add in compiling phase.

BUG=

Review-Url: https://codereview.chromium.org/2593483002
Cr-Commit-Position: refs/heads/master@{#43128}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/0d29448..3e5cfce

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: Id55df9c6550a29e463e64b6db43fbc25e661424d
Reviewed-on: https://chromium-review.googlesource.com/441604Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43127}

Do not allow that holey properties are defined in Array sort.
Throw a type error if the array is not extensible and there are holey
properties in the middle of the array.

BUG=v8:4888

Review-Url: https://codereview.chromium.org/2664173002
Cr-Commit-Position: refs/heads/master@{#43126}

R=neis@chromium.org

Review-Url: https://codereview.chromium.org/2686413002
Cr-Commit-Position: refs/heads/master@{#43125}

This patch removes the implication from --harmony to --harmony-tailcalls.

R=ishell@chromium.org
BUG=v8:4698

Review-Url: https://codereview.chromium.org/2691483004
Cr-Commit-Position: refs/heads/master@{#43124}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/9d467bb..0d29448

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/df42e55..a6b2121

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: If3df9091dd68f09541748bf31ff4eff512cb8534
Reviewed-on: https://chromium-review.googlesource.com/441405Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43123}

BUG=none
R=pfeldman@chromium.org

Review-Url: https://codereview.chromium.org/2690663003
Cr-Commit-Position: refs/heads/master@{#43122}

If a job was already enqueued, EnqueueAndStep would still step the job one
more step. However, since it didn't take the job out of the
pending_background_jobs pool, the job could get picked up by a background
thread which would try to step it, but it the job is now at a step which
can't be run on the background.

BUG=v8:5203,chromium:685515

Change-Id: I2cee2a33625ba455aca49a8037601be9ff8bb73f
Reviewed-on: https://chromium-review.googlesource.com/441084
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43121}

The heuristic checks for "(function", and now it also checks for
"(async function".

BUG=v8:4230

Review-Url: https://codereview.chromium.org/2682173005
Cr-Commit-Position: refs/heads/master@{#43120}

We have different modes of tracing: recording, event callback and
filtering. The cpu profiler should not be enabled when tracing is
enabled with filtering mode.

BUG=688651

Review-Url: https://codereview.chromium.org/2676403002
Cr-Commit-Position: refs/heads/master@{#43119}