Revert of [typedarrays] move %TypedArray%.prototype.copyWithin to C++ (patchset #6 id:100001 of https://codereview.chromium.org/2671233002/ )

Reason for revert:
Due to security issue described in review thread.

Original issue's description:
> [typedarrays] move %TypedArray%.prototype.copyWithin to C++
>
> - Removes shared InnerArrayCopyWithin JS builtin from src/js/array.js
> - Implements %TypedArray%.prototype.copyWithin as a C++ builtin, which
> relies on std::memmove rather than accessing individual eleements.
> - Fixes the case where copyWithin is invoked on a TypedArray with a
> detached buffer.
> - Add tests to ensure that +/-Infinity (for all 3 parameters) is handled correctly by the
> algorithm
>
> The C++ version gets through the benchmark more than 25000 times as
> quickly as the JS implementation.
>
> BUG=v8:5925, v8:5929, v8:4648
> R=cbruni@chromium.org, adamk@chromium.org, littledan@chromium.org
>
> Review-Url: https://codereview.chromium.org/2671233002
> Cr-Commit-Position: refs/heads/master@{#42975}
> Committed: https://chromium.googlesource.com/v8/v8/+/0f1c626d556cbf84b0e572635eb803729f88cbb3

TBR=cbruni@chromium.org,adamk@chromium.org,bmeurer@chromium.org,cwhan.tunz@gmail.com,caitp@igalia.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5925, v8:5929, v8:4648

Review-Url: https://codereview.chromium.org/2693753002
Cr-Commit-Position: refs/heads/master@{#43132}

Where the arguments have already been inlined, we can replace these
calls with a direct call. We have to make sure that the iteration over
the arguments is not observable.

Also factor out the large chunk of logic shared with
ReduceJSConstructWithSpread.

BUG=v8:5932

Change-Id: I6c4fac670028fbd8ca82c4474d4392231573bc49
Reviewed-on: https://chromium-review.googlesource.com/439329Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43039}

- Removes shared InnerArrayCopyWithin JS builtin from src/js/array.js
- Implements %TypedArray%.prototype.copyWithin as a C++ builtin, which
relies on std::memmove rather than accessing individual eleements.
- Fixes the case where copyWithin is invoked on a TypedArray with a
detached buffer.
- Add tests to ensure that +/-Infinity (for all 3 parameters) is handled correctly by the
algorithm

The C++ version gets through the benchmark more than 25000 times as
quickly as the JS implementation.

BUG=v8:5925, v8:5929, v8:4648
R=cbruni@chromium.org, adamk@chromium.org, littledan@chromium.org

Review-Url: https://codereview.chromium.org/2671233002
Cr-Commit-Position: refs/heads/master@{#42975}

Where the arguments have already been inlined, we can replace these calls with a
direct call to construct. We have to make sure that the iteration over the arguments is not observable.

BUG=v8:5895

Review-Url: https://codereview.chromium.org/2659623002
Cr-Commit-Position: refs/heads/master@{#42765}

The mentioned asserts did not work properly with interpreted and turbofanned functions.

To fix this issue %GetOptimizationStatus() now returns a set of flags instead of a single value.

This CL also adds more helper functions to mjsunit, like isNeverOptimize(), isAlwaysOptimize(),
isOptimized(fun), etc.

BUG=v8:5890

Review-Url: https://codereview.chromium.org/2654733004
Cr-Original-Commit-Position: refs/heads/master@{#42703}
Committed: https://chromium.googlesource.com/v8/v8/+/d1ddec785725a184fe6d01bd0813262e3ba24966
Review-Url: https://codereview.chromium.org/2654733004
Cr-Commit-Position: refs/heads/master@{#42731}

This CL adds --crankshaft and --no-always-opt flags to the tests that use
assertOptimized() and assertUnoptimized() respectively.

This CL also adds presubmit checks that ensure that tests have the proper
flags set.

BUG=v8:5890

Review-Url: https://codereview.chromium.org/2653753007
Cr-Commit-Position: refs/heads/master@{#42709}

Revert of [tests] Make assertOptimized()/assertUnoptimized() great again. (patchset #6 id:130042 of https://codereview.chromium.org/2654733004/ )

Reason for revert:
Mac gc stress failures:
https://build.chromium.org/p/client.v8/builders/V8%20Mac%20GC%20Stress/builds/11195

There's also this flake, but maybe unrelated:
https://build.chromium.org/p/client.v8/builders/V8%20Win64/builds/15422

Original issue's description:
> [tests] Make assertOptimized()/assertUnoptimized() great again.
>
> The mentioned asserts did not work properly with interpreted and turbofanned functions.
>
> To fix this issue %GetOptimizationStatus() now returns a set of flags instead of a single value.
>
> This CL also adds more helper functions to mjsunit, like isNeverOptimize(), isAlwaysOptimize(),
> isOptimized(fun), etc.
>
> BUG=v8:5890
>
> Review-Url: https://codereview.chromium.org/2654733004
> Cr-Commit-Position: refs/heads/master@{#42703}
> Committed: https://chromium.googlesource.com/v8/v8/+/d1ddec785725a184fe6d01bd0813262e3ba24966

TBR=mstarzinger@chromium.org,ishell@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5890

Review-Url: https://codereview.chromium.org/2655223003
Cr-Commit-Position: refs/heads/master@{#42704}

The mentioned asserts did not work properly with interpreted and turbofanned functions.

To fix this issue %GetOptimizationStatus() now returns a set of flags instead of a single value.

This CL also adds more helper functions to mjsunit, like isNeverOptimize(), isAlwaysOptimize(),
isOptimized(fun), etc.

BUG=v8:5890

Review-Url: https://codereview.chromium.org/2654733004
Cr-Commit-Position: refs/heads/master@{#42703}

We did not smi-check the spread argument here, meaning we tried to take the map
of a smi, resulting in segfaults which clusterfuzz found.

Also added tests that exercise this path.

BUG=685086

Review-Url: https://codereview.chromium.org/2655013002
Cr-Commit-Position: refs/heads/master@{#42657}

BUG=v8:5659

Review-Url: https://codereview.chromium.org/2571563004
Cr-Commit-Position: refs/heads/master@{#42444}

Per spec change in https://github.com/tc39/ecma262/pull/724, this adds
the exception thrown when a TypedArray's array buffer is detached at
some point during iteration, after the iterator has already been
created.

BUG=v8:5388
R=littledan@chromium.org, bmeurer@chromium.org, petermarshall@chromium.org

Review-Url: https://codereview.chromium.org/2609913002
Cr-Commit-Position: refs/heads/master@{#42048}

These methods now return undefined upon finding a data property in the
prototype chain which shadows an accessor property, and when hitting
a Proxy, call the appropriate proxy traps.

R=cbruni@chromium.org, littledan@chromium.org
BUG=v8:5130

Review-Url: https://codereview.chromium.org/2592013003
Cr-Commit-Position: refs/heads/master@{#41929}

BUG=

Review-Url: https://codereview.chromium.org/2577143002
Cr-Commit-Position: refs/heads/master@{#41801}

Without this patch, the tests on lines 410, 414, 418 and 422 in
function testNonStaticName of test/mjsunit/es6/function-name.js
would all fail.  The bug caused non-static "name" methods and
properties to be mistaken for static ones.

R=adamk@chromium.org, verwaest@chromium.org
BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2567343004
Cr-Commit-Position: refs/heads/master@{#41692}

R=jgruber@chromium.org
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2566093002
Cr-Commit-Position: refs/heads/master@{#41688}

Debug mirrors will no longer be supported in the near future.
It will now only be tested by being used by the v8-inspector.

R=jgruber@chromium.org
BUG=v8:5530

Review-Url: https://codereview.chromium.org/2566103002
Cr-Commit-Position: refs/heads/master@{#41686}

This allows to detect a static property also named 'name', and also makes sure 'name' is added last, to be standards-compliant.

BUG=v8:4199

Review-Url: https://codereview.chromium.org/2423053002
Cr-Commit-Position: refs/heads/master@{#41546}

Reland of [typedarrays] remove invalid optimization in NAMEConstructor() (patchset #1 id:1 of https://codereview.chromium.org/2548583003/ )

Reason for revert:
The bot was not affected by the revert. Speculation was wrong.

Original issue's description:
> Revert of [typedarrays] remove invalid optimization in NAMEConstructor() (patchset #1 id:1 of https://codereview.chromium.org/2544503002/ )
>
> Reason for revert:
> Speculative revert for causing timeouts on Win Debug gpu fyi bot
>
> Nothing else looks even remotely relevant in the list of changes.
> Will reland if this doesn't fix the issues.
>
> BUG=670396
>
> Original issue's description:
> > [typedarrays] remove invalid optimization in NAMEConstructor()
> >
> > Before, we were treating objects with the builtin ArrayValues iterator
> > method as array-like, where the iterator would iterate through to the
> > full length of the object.
> >
> > This optimization was not sound, because it does not ensure that the
> > next method hasn't been modified. Even if it hasn't been modified,
> > it's entirely possible to be modified during iteration. Thus, this
> > optimization has been removed due to its observability.
> >
> > BUG=v8:5699
> > R=littledan@chromium.org, cbruni@chromium.org
> >
> > Committed: https://crrev.com/77df8c67d9609ada3b7d79e8e6d33f198bbad5a1
> > Cr-Commit-Position: refs/heads/master@{#41394}
>
> TBR=cbruni@chromium.org,littledan@chromium.org,caitp@igalia.com
> # Not skipping CQ checks because original CL landed more than 1 days ago.
> BUG=v8:5699
>
> Committed: https://crrev.com/0ea4a542202d501c4e550474e89512532571f3a0
> Cr-Commit-Position: refs/heads/master@{#41461}

TBR=cbruni@chromium.org,littledan@chromium.org,caitp@igalia.com,enne@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=670396

Review-Url: https://codereview.chromium.org/2553873002
Cr-Commit-Position: refs/heads/master@{#41504}

R=adamk@chromium.org, verwaest@chromium.org
BUG=v8:5698

Review-Url: https://codereview.chromium.org/2537413003
Cr-Commit-Position: refs/heads/master@{#41495}

Revert of [typedarrays] remove invalid optimization in NAMEConstructor() (patchset #1 id:1 of https://codereview.chromium.org/2544503002/ )

Reason for revert:
Speculative revert for causing timeouts on Win Debug gpu fyi bot

Nothing else looks even remotely relevant in the list of changes.
Will reland if this doesn't fix the issues.

BUG=670396

Original issue's description:
> [typedarrays] remove invalid optimization in NAMEConstructor()
>
> Before, we were treating objects with the builtin ArrayValues iterator
> method as array-like, where the iterator would iterate through to the
> full length of the object.
>
> This optimization was not sound, because it does not ensure that the
> next method hasn't been modified. Even if it hasn't been modified,
> it's entirely possible to be modified during iteration. Thus, this
> optimization has been removed due to its observability.
>
> BUG=v8:5699
> R=littledan@chromium.org, cbruni@chromium.org
>
> Committed: https://crrev.com/77df8c67d9609ada3b7d79e8e6d33f198bbad5a1
> Cr-Commit-Position: refs/heads/master@{#41394}

TBR=cbruni@chromium.org,littledan@chromium.org,caitp@igalia.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5699

Review-Url: https://codereview.chromium.org/2548583003
Cr-Commit-Position: refs/heads/master@{#41461}

Before, we were treating objects with the builtin ArrayValues iterator
method as array-like, where the iterator would iterate through to the
full length of the object.

This optimization was not sound, because it does not ensure that the
next method hasn't been modified. Even if it hasn't been modified,
it's entirely possible to be modified during iteration. Thus, this
optimization has been removed due to its observability.

BUG=v8:5699
R=littledan@chromium.org, cbruni@chromium.org

Review-Url: https://codereview.chromium.org/2544503002
Cr-Commit-Position: refs/heads/master@{#41394}

Replaces the graph-based liveness analyzer in the bytecode graph builder
with an initial bytecode-based liveness analysis pass, which is added to
the existing loop extent analysis.

Now the StateValues in the graph have their inputs initialised to
optimized_out, rather than being modified after the graph is built.

Review-Url: https://codereview.chromium.org/2523893003
Cr-Commit-Position: refs/heads/master@{#41355}

Revert of [ignition/turbo] Perform liveness analysis on the bytecodes (patchset #17 id:320001 of https://codereview.chromium.org/2523893003/ )

Reason for revert:
Breaks the build:

https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20shared/builds/14886

Original issue's description:
> [ignition/turbo] Perform liveness analysis on the bytecodes
>
> Replaces the graph-based liveness analyzer in the bytecode graph builder
> with an initial bytecode-based liveness analysis pass, which is added to
> the existing loop extent analysis.
>
> Now the StateValues in the graph have their inputs initialised to
> optimized_out, rather than being modified after the graph is built.
>
> Committed: https://crrev.com/1852300954c216c29cf93444430681d213e87925
> Cr-Commit-Position: refs/heads/master@{#41344}

TBR=jarin@chromium.org,rmcilroy@chromium.org,yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2541443002
Cr-Commit-Position: refs/heads/master@{#41346}

Replaces the graph-based liveness analyzer in the bytecode graph builder
with an initial bytecode-based liveness analysis pass, which is added to
the existing loop extent analysis.

Now the StateValues in the graph have their inputs initialised to
optimized_out, rather than being modified after the graph is built.

Review-Url: https://codereview.chromium.org/2523893003
Cr-Commit-Position: refs/heads/master@{#41344}

BUG=v8:5510
R=jgruber@chromium.org

Review-Url: https://codereview.chromium.org/2536573002
Cr-Commit-Position: refs/heads/master@{#41311}

The tests were relying on early errors which we don't produce since we
now preparse more often.

BUG=v8:2728, v8:5501, v8:5663

Review-Url: https://codereview.chromium.org/2523683002
Cr-Commit-Position: refs/heads/master@{#41189}

* Fix setting script-scope variables through inspector by internalizing
  their names.
* Reconstruct values of Number, String, and Boolean classes.
* Adapt a couple of tests for API restrictions.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2512963002
Cr-Commit-Position: refs/heads/master@{#41175}

Adapted various tests to restrictions of inspector protocol:

* osr-typing-debug-change: Don't set function variable value.
* debug-evaluate-locals: Add variable introduced by eval, run typeof
  inside evaluate().
* regress-419663: Don't set duplicate breakpoints.
* regress-crbug-465298: Compare against function name instead of value.
* regress-crbug-621361: Make evaluate return string results.
* debug-script: Various counts were off due to new way tests are called.
                Added new inspector script type.

Breakpoints now contain the actual break position, and remote object
reconstruction has been extended a bit.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2505363002
Cr-Commit-Position: refs/heads/master@{#41129}

BUG=666622, v8:5388
R=bmeurer@chromium.org, mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2515683002
Cr-Commit-Position: refs/heads/master@{#41118}

It originates from the era where we used to run a separate preparse step
before parsing and store the function data. Now the usage of preparser
is something completely different, so this flag doesn't make sense any
more.

In addition, this way we get more test coverage for preparser (for small
scripts).

BUG=

Review-Url: https://codereview.chromium.org/2513563002
Cr-Commit-Position: refs/heads/master@{#41110}

V8 was applying incorrect optimization to them advancing the start position.

This would cause /foo$/y too match "barfoo", which it should not.

BUG=

Review-Url: https://codereview.chromium.org/2510743003
Cr-Commit-Position: refs/heads/master@{#41077}

This adds access to the LiveEdit API object, frame.restart(), and
various breakpoint setters. The LiveEdit API still depends on the JS
debugging context and blocks its removal; but it should be removed
once LiveEdit is rewritten in the midterm.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2503293002
Cr-Commit-Position: refs/heads/master@{#41062}

We don't need to check for neutered array buffers unless at least one
JSArrayBuffer has been neutered (i.e. detached in TC39 speak). For this
we introduce a protector cell that get's invalidated on first call to
the JSArrayBuffer::Neuter() method.

R=jarin@chromium.org,ulan@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2504163002
Cr-Commit-Position: refs/heads/master@{#41021}

This CL further extends the debug wrapper, migrates around 60 tests, and
removes a few tests that use functionality we will not support anymore.

In more detail:

* Removed tests that use:
  * enable/disable individual breakpoints
  * invocationText()
  * the ScriptCollected event
  * showBreakPoints
  * evalFromScript (and similar)
  * mirror.constructedBy and mirror.referencedBy
  * event_data.promise()
* Some frame.evaluate uses were adapted since due to differences between
  remote objects (inspector) and mirrors. For instance, exceptions are
  currently not recreated exactly, since the inspector protocol does not
  give us the stack and message separately. Other objects (such as
  'this' in debug-evaluate-receiver-before-super) need to be explicitly
  converted to a string before the test works correctly.
* Ensure that inspector stores the script before sending ScriptParsed and
  ScriptFailedToParse events in order to be able to use the script from
  within those events.
* Better remote object reconstruction (e.g. for undefined and arrays).
* New functionality in wrapper:
  * debuggerFlags().breakPointsActive.setValue()
  * scripts()
  * execState.setVariableValue()
  * execState.scopeObject().value()
  * execState.scopeObject().property()
  * execState.frame().allScopes()
  * eventData.exception()
  * eventData.script()
  * setBreakPointsActive()

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2497973002
Cr-Commit-Position: refs/heads/master@{#41019}

Avoid using the iterator for arrays with fast elements where the iterator has
not been modified.

Only deals with the case where there is a single spread argument.

Improves the six-speed "spread" benchmark to 1.5x slower than baseline es5 implementation, compared to 19x slower previously.

BUG=v8:5511

Review-Url: https://codereview.chromium.org/2465253011
Cr-Commit-Position: refs/heads/master@{#40998}

Do not take the fast path for Array.prototype.keys() if the array length is not
guaranteed to be an Smi.

BUG=660925, v8:5388
R=bmeurer@chromium.org, mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2496323002
Cr-Commit-Position: refs/heads/master@{#40976}

Adds a protector cell to prevent inlining (which will likely lead to deopt
loops) when a JSArrayIterator's array transitions from a fast JSArray to a
slow JSArray (such as, when the array is touched during iteration in a way
which triggers a map transition).

Also adds TODO comments relating to the spec update proposed by Dan at
https://github.com/tc39/ecma262/pull/724

BUG=v8:5388
R=bmeurer@chromium.org, mstarzinger@chromium.org
TBR=hpayer@chromium.org, ulan@chromium.org

Review-Url: https://codereview.chromium.org/2484003002
Cr-Commit-Position: refs/heads/master@{#40970}

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2487673002
Cr-Commit-Position: refs/heads/master@{#40840}

This adds clearStepping plus the family of
{set,clear}BreakOn{,Uncaught}Exception functions.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2482903002
Cr-Commit-Position: refs/heads/master@{#40834}

This moves all tests currently working with the inspector debugger wrapper to
test/debugger.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2480223002
Cr-Commit-Position: refs/heads/master@{#40824}