Some recent runs had the test passing, which painted the bot red.

NOTRY=true
NOTREECHECKS=true
TBR=mstarzinger@chromium.org,rmcilroy@chromium.org


Bug: v8:8040
Change-Id: Icc289f6615be299e9e401bc42e16a2e712f1445c
Reviewed-on: https://chromium-review.googlesource.com/1184902Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55304}

Builtin functions were being logged via both LogCodeObjects and
LogCompiledFunctions. The latter assumes the code in question has a
Name and so would end up logging an unattributable entry. This patch
stops logging that entry.

Bug: v8:8061
Change-Id: I20e5a853b8a214a91191fa644083bac7af9dc2c4
Reviewed-on: https://chromium-review.googlesource.com/1177759Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Bret Sepulveda <bsep@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55302}

This reverts commit 1b3b808a.

Reason for revert: Speculatively reverting because of https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8-Blink%20Linux%2064%20(dbg)/13264

Original change's description:
> inspector: find magic comment using V8 scanner
> 
> Inspector tries to provide sourceURL and sourceMappingURL for scripts
> with parser errors. Without this CL we convert source of each script
> to inspector string and search for magic comment there. Some web sites
> use pattern when they get some data from network and constantly try to
> parse this data as JSON, in this case we do a lot of useless work.
> 
> So we can parse magic comments on V8 side only for compilation errors
> (excluding parse JSON errors), to do it we can reuse scanner by running
> it on each potential comment.
> 
> R=​alph@chromium.org,verwaest@chromium.org,yangguo@chromium.org
> 
> Bug: chromium:873865,v8:7731
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel
> Change-Id: I77c270fd0e95cd7b2c9ee4b7f72ef344bc1fa104
> Reviewed-on: https://chromium-review.googlesource.com/1182446
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Alexei Filippov <alph@chromium.org>
> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55280}

TBR=alph@chromium.org,yangguo@chromium.org,kozyatinskiy@chromium.org,verwaest@chromium.org

Change-Id: I60ab243107d5fcce100064232d0e278a51f38db9
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:873865, v8:7731
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/1184921Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55300}

R=ahaas@chromium.org

Change-Id: Ida5a43f65d09a48cce316185932f6d863b0e58a4
Reviewed-on: https://chromium-review.googlesource.com/1184711Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55295}

We would return the wrong chunk for the first element past the chunk
boundary, e.g. if the first chunk was size=8, then Find(8) would
return an address in the first block rather than the second one.

Bug: v8:8077
Change-Id: I90281f853dd7ca68dc065ed773d0ae9787f00988
Reviewed-on: https://chromium-review.googlesource.com/1183483
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55294}

This is useful even if there are other uses of the
arithmetic result, because it moves dependencies further back.

Change-Id: I6136a657b547198cb4ec92f38b89ddf5df334124
Reviewed-on: https://chromium-review.googlesource.com/1179662Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Bogdan Lazarescu <bogdan.lazarescu@arm.com>
Cr-Commit-Position: refs/heads/master@{#55292}

R=titzer@chromium.org

Change-Id: I6c817fa82333ca12d2d8f9f8704eac157f3caa9f
Reviewed-on: https://chromium-review.googlesource.com/1184705Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55291}

This reverts commit cdaaa311.

Reason for revert: chromium:876445 chromium:876453 chromium:876443

Original change's description:
> [builtins] Reland Array.prototype.splice() Torque implementation.
> 
> Before, splice was implemented with a C++ fast path and a
> comprehensive JavaScript version.
> 
> This impl. is entirely in Torque with a fastpath for SMI,
> DOUBLE and OBJECT arrays, and a comprehensive slow path.
> The same level of "sparse" array support as given by the
> array.js implementation is included.
> 
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: Ia7334a30b401988309e9909cfa0069da0bb6fb9f
> Reviewed-on: https://chromium-review.googlesource.com/1169466
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55263}

TBR=mvstanton@chromium.org,jgruber@chromium.org,tebbi@chromium.org

Change-Id: I5b750a98e671b7284474ffcabc6b4d37a9d1219e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1184741Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55289}

This call can be used by embedder to request a GC for testing reasons.
The GC also takes the current embedder stack state as an argument that
is forwarded to the embedder when entering the atomic pause.

This way embedders can request garbage collections for testing and set
how the embedder should treat the stack.

Bug: chromium:843903
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Id10604565b4457dd0fca402afeb5f8e592fa0bae
Reviewed-on: https://chromium-review.googlesource.com/1183431
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55285}

R=mstarzinger@chromium.org

Change-Id: Iacdff28dd1383d77d7708de4ee22d9f2a77d872a
Reviewed-on: https://chromium-review.googlesource.com/1183440
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55284}

Refactor the ArrayIteratorPrototypeNext CSA builtin to handle the
JSArray element access in a dedicated helper macro, very similar
to how it's done for JSTypedArray's. Also add support for dictionary
elements to this helper macro using the existing dictionary access
logic in the CodeStubAssembler.

This improves the readability of the builtin significantly and the
performance of iterating arrays with dictionary elements goes up by
a factor of ~3.5x.

Bug: v8:8015, v8:8070
Change-Id: Ibfee760ea1e4bc0fffb42b232fb1d097b706bd1f
Reviewed-on: https://chromium-review.googlesource.com/1183305Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55283}

This patch splits the log file into a vector of std::strings when
logging is stopped, so verifying that lines are present can be done in
terms of std library functions. Verifications are now done by simple
substring matching instead of via a prefix or suffix, in preparation for
a new test that needs to match the middle of a line.

This patch also deletes some dead/debugging code.

Change-Id: I5c6b75b0807c41312d35208deda26546dc0f7216
Reviewed-on: https://chromium-review.googlesource.com/1183187Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Bret Sepulveda <bsep@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55281}

Inspector tries to provide sourceURL and sourceMappingURL for scripts
with parser errors. Without this CL we convert source of each script
to inspector string and search for magic comment there. Some web sites
use pattern when they get some data from network and constantly try to
parse this data as JSON, in this case we do a lot of useless work.

So we can parse magic comments on V8 side only for compilation errors
(excluding parse JSON errors), to do it we can reuse scanner by running
it on each potential comment.

R=alph@chromium.org,verwaest@chromium.org,yangguo@chromium.org

Bug: chromium:873865,v8:7731
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I77c270fd0e95cd7b2c9ee4b7f72ef344bc1fa104
Reviewed-on: https://chromium-review.googlesource.com/1182446Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55280}

BUG=v8:8040

Change-Id: I004f5748bafeff60885fd85f1b1a6ea44af06340
Reviewed-on: https://chromium-review.googlesource.com/1183196Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55270}

Change-Id: I692ce8dbe3169cfb912647c31a9e8121dc5eff5d
Reviewed-on: https://chromium-review.googlesource.com/1183306
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55268}

Before, splice was implemented with a C++ fast path and a
comprehensive JavaScript version.

This impl. is entirely in Torque with a fastpath for SMI,
DOUBLE and OBJECT arrays, and a comprehensive slow path.
The same level of "sparse" array support as given by the
array.js implementation is included.

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ia7334a30b401988309e9909cfa0069da0bb6fb9f
Reviewed-on: https://chromium-review.googlesource.com/1169466Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55263}

Instead of changing the [[IteratedObject]] field to undefined to mark an
array iterator as exhausted, store the appropriate maximum value into
the [[ArrayIteratorNextIndex]] field such that the iterator will never
produce any values again.

Without this change the map check and the "length" access on the
[[IteratedObject]] cannot be eliminated inside the loop, since the
object can either be the array or undefined. Even with this change
it's still not possible immediately due to missing aliasing
information in the LoadElimination, but it paves the way for follow
up improvements. Eventually the goal is to have `for..of` as fast as
a traditional `for` loop even for really tight loops.

This CL also hardens the implementation of the ArrayIterator by using
proper CASTs and CSA_ASSERTs. The readability of the CSA builtin was
improved by utilizing proper helper functions.

Bug: v8:7510, v8:7514, v8:8070
Change-Id: Ib46604fadad1a0f80e77fe71a1f47b0ca31ab841
Reviewed-on: https://chromium-review.googlesource.com/1181902
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55261}

BUG=v8:8040

Change-Id: I705f9afebfa770a8415fa268dd13ba00e90808d4
Reviewed-on: https://chromium-review.googlesource.com/1181429
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55260}

This reverts the following 3 CLs:

Revert "[scanner] Templatize scan functions by encoding"
Revert "[asm] Remove invalid static cast of character stream"
Revert "[scanner] Prepare CharacterStreams for specializing scanner and parser by character type"

The original idea behind this work was to avoid copying, converting and
buffering characters to be scanned by specializing the scanner functions. The
additional benefit was for scanner functions to have a bigger window over the
input. Even though we can get a pretty nice speedup from having a larger
window, in practice this rarely helps. The cost is a larger binary.

Since we can't eagerly convert utf8 to utf16 due to memory overhead, we'd also
need to have a specialized version of the scanner just for utf8. That's pretty
complex, and likely won't be better than simply bulk converting and buffering
utf8 as utf16.

Change-Id: Ic3564683932a0097e3f9f51cd88f62c6ac879dcb
Reviewed-on: https://chromium-review.googlesource.com/1183190Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55258}

Bug: v8:7973
Change-Id: I44ad457c3a103c36bd7b928cc64a056c1a1afc46
Reviewed-on: https://chromium-review.googlesource.com/1183102Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Hai Dang <dhai@google.com>
Cr-Commit-Position: refs/heads/master@{#55257}

Add source code location for generators into heap snapshot file.

Bug: chromium:854097
Change-Id: I726b245a707515502976476703e57b7f58c92782
Reviewed-on: https://chromium-review.googlesource.com/1174433
Commit-Queue: Dominik Inführ <dinfuehr@google.com>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55254}

This is a reland of 5c309271
(the CL was reverted because of a Chromium test that is now fixed)

Original change's description:
> Reland "[asmjs] Properly validate asm.js heap sizes"
>
> This is a reland of 5d69010e
>
> Original change's description:
> > [asmjs] Properly validate asm.js heap sizes
> >
> > Enforce both engine limitations and spec (http://asmjs.org/spec/latest/)
> > limitations on the size of asm.js heaps.
> >
> > R=clemensh@chromium.org
> > CC=​mstarzinger@chromium.org
> >
> > Bug: chromium:873600
> > Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd
> > Reviewed-on: https://chromium-review.googlesource.com/1174411
> > Commit-Queue: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#55163}
>
> Bug: chromium:873600
> Change-Id: Id24070bda3aafb9e1a32af0732a1b18f633ef932
> Reviewed-on: https://chromium-review.googlesource.com/1179681
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55193}

Bug: chromium:873600
Change-Id: I6eca2a89589070837b109278f964fc8e9a0fd6f1
Reviewed-on: https://chromium-review.googlesource.com/1183081Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55249}

Start storing locations in heap snapshot file. Initial support
for closure, additional object types might be added in the future.
Needed to show source code locations for objects in the DevTools
heap snapshot viewer.

Bug: chromium:854097
Change-Id: I12659373ce1adf67b55c6a10ea1d0465fcdb4a10
Reviewed-on: https://chromium-review.googlesource.com/1174257
Commit-Queue: Dominik Inführ <dinfuehr@google.com>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55245}

This reverts commit 5c309271.

Reason for revert: Broke fast/workers/worker-shared-asm-buffer.html

Original change's description:
> Reland "[asmjs] Properly validate asm.js heap sizes"
>
> This is a reland of 5d69010e
>
> Original change's description:
> > [asmjs] Properly validate asm.js heap sizes
> >
> > Enforce both engine limitations and spec (http://asmjs.org/spec/latest/)
> > limitations on the size of asm.js heaps.
> >
> > R=clemensh@chromium.org
> > CC=​mstarzinger@chromium.org
> >
> > Bug: chromium:873600
> > Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd
> > Reviewed-on: https://chromium-review.googlesource.com/1174411
> > Commit-Queue: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#55163}
>
> Bug: chromium:873600
> Change-Id: Id24070bda3aafb9e1a32af0732a1b18f633ef932
> Reviewed-on: https://chromium-review.googlesource.com/1179681
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55193}

TBR=mstarzinger@chromium.org,titzer@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:873600
Change-Id: I5845c584c7ac399b9b7939f5fd50c09b7b2cc3d2
Reviewed-on: https://chromium-review.googlesource.com/1182616
Commit-Queue: Aseem Garg <aseemgarg@chromium.org>
Reviewed-by: Aseem Garg <aseemgarg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55242}

BUG=v8:8074

Change-Id: I012666ff1a06d0a53f893031a3caf38ed0d40229
Reviewed-on: https://chromium-review.googlesource.com/1181421Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55237}

Change-Id: I8a0081acb9c5eb662bf43eceb52218096eac327c
Reviewed-on: https://chromium-review.googlesource.com/1174560Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#55229}

Bug: v8:6532

Change-Id: Id89f81b12205900fc935e6232840e1976e24d3b4
Reviewed-on: https://chromium-review.googlesource.com/1176962
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55228}

BUG=v8:8040

Change-Id: I8de22af3978f2a8eb844eabdb757bd635050f901
Reviewed-on: https://chromium-review.googlesource.com/1181432Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55227}

TBR=ahaas@chromium.org

Change-Id: I862cae063d85703235ead073b0f23515721a409f
Reviewed-on: https://chromium-review.googlesource.com/1181431
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55226}

R=mlippautz@chromium.org
BUG=v8:7490

Change-Id: Ifb4b41db3ca34567d735203667978451815c60d4
Reviewed-on: https://chromium-review.googlesource.com/1181056Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55221}

This makes sure that debug info and interpreter handle are created
lazily, even when interpretation is triggered by a different Isolate
sharing the same WasmEngine (and hence the native module).

R=titzer@chromium.org
TEST=mjsunit/wasm/worker-interpreter
BUG=v8:7424

Change-Id: Iba17e207a537007fd2e642cede22dad7a708c6c7
Reviewed-on: https://chromium-review.googlesource.com/1181045
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55220}

This commit adds a single NumberToString test suite.
It recognizes the following revert by showing more than 100x improvement:
https://chromium-review.googlesource.com/c/v8/v8/+/1166783

Bug: chromium:865494
Change-Id: I93dab3f0b21e98565c76e65722e90a92adc41d72
Reviewed-on: https://chromium-review.googlesource.com/1181042
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55219}

This way we can avoid reencoding everything to utf16 (buffered) and avoid the
overhead of needing to check the encoding for each character individually.

This may result in a minor asm.js scanning regression due to one-byte tokens
possibly being more common.

Change-Id: I90b51c256d56d4f4fa2d235d7e1e58fc01e43f31
Reviewed-on: https://chromium-review.googlesource.com/1172437
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55217}

R=titzer@chromium.org

Bug: chromium:875556
Change-Id: I989dbaaec1eac3b7d0c761f25efec043cdeb9d71
Reviewed-on: https://chromium-review.googlesource.com/1180964Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55212}

The RegExp replace implementation is a bit of a mess. Here, we first
try to handle parts of RegExp.p.exec, and then call directly into the
raw irregexp code (skipping RegExp.p.exec).

We got parts of this wrong: when lastIndex > string.length and the
regexp instance is sticky, two things should happen. 1. The match
should fail, and 2. lastIndex should be reset to 0. On the fast path,
we did the latter but not the former, instead running exec with a
lastIndex of 0.

This CL omits the irregexp call in this case, and defaults to a failed
match instead.

Bug: chromium:875493
Change-Id: I8c959610d267575e37686076a3fd5dfde322f0ca
Reviewed-on: https://chromium-review.googlesource.com/1180889
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55207}

This makes sure the aforementioned predicate is independent of the
current context (aka. Realm) and only uses the instance type of the
given object to determine whether it is a WebAssembly module object.

R=titzer@chromium.org
TEST=mjsunit/regress/wasm/regress-8059
BUG=v8:8059

Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Icc8e400f8412483f2a3883ca65c58b7ef938ef23
Reviewed-on: https://chromium-review.googlesource.com/1180886Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55205}

Bug: v8:7926
Change-Id: I32bfb4399d588b48ba3d00ff02ac0133dbd33e8b
Reviewed-on: https://chromium-review.googlesource.com/1179673
Commit-Queue: Florian Sattler <sattlerf@google.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55203}

This makes sure that a tier-up from Ignition to TurboFan (or any other
code publishing) preserves redirections to the Interpreter. Currently an
interpreted function never switches back to compiled.

R=titzer@chromium.org
TEST=mjsunit/wasm/interpreter-mixed
BUG=v8:7921,v8:8018

Change-Id: Ifca479953509708c998c11cc00b481c232678e00
Reviewed-on: https://chromium-review.googlesource.com/1179661
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55195}

This is a reland of 5d69010e

Original change's description:
> [asmjs] Properly validate asm.js heap sizes
> 
> Enforce both engine limitations and spec (http://asmjs.org/spec/latest/)
> limitations on the size of asm.js heaps.
> 
> R=clemensh@chromium.org
> CC=​mstarzinger@chromium.org
> 
> Bug: chromium:873600
> Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd
> Reviewed-on: https://chromium-review.googlesource.com/1174411
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55163}

Bug: chromium:873600
Change-Id: Id24070bda3aafb9e1a32af0732a1b18f633ef932
Reviewed-on: https://chromium-review.googlesource.com/1179681
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55193}

This reduced the number of targets depending on assembler.h
from ~900 to ~350.

Bug: v8:8054
Change-Id: I74ae2ce7a4b27791d0ee25542ee0b2175bedf5f7
Reviewed-on: https://chromium-review.googlesource.com/1174534
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55188}