This is basically the minimum viable signal handler for Wasm bounds checks.
It includes the TLS check and the fine grained instructions checks. These
two checks provide most of the safety for the signal handler. Future CLs will
add code range and data range checks for more robustness.

The trap handling code and data structures are all in src/trap-handler, with
the code that actually runs in the signal handler confined to
src/trap-handler/signal-handler.cc.

This changes adds a new V8 API that the embedder should call from a signal
handler that will give V8 the chance to handle the fault first. For hosts that
do not want to implement their own signal handler, we include the option to
install a simple one. This simple handler is also used for the tests.

When a Wasm module is instantiated, information about each function is passed
to the trap handler, which is used to classify faults. These are removed during
the instance finalizer.

Several future enhancements are planned before turning this on by default.
Obviously, the additional checks will be added to MaybeHandleFault. We are
also planning to add a two-level CodeObjectData table that is grouped by
isolates to make cleanup easier and also reduce potential for contending on
a single data structure.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5277

Review-Url: https://codereview.chromium.org/2371833007
Cr-Original-Commit-Position: refs/heads/master@{#43523}
Committed: https://chromium.googlesource.com/v8/v8/+/a5af7fe9ee388a636675f4a6872b1d34fa7d1a7a
Review-Url: https://codereview.chromium.org/2371833007
Cr-Commit-Position: refs/heads/master@{#43755}

We already filter out fillers in ProcessMarkingDeque.

BUG=

Change-Id: Iee0dbfffe6e4eb5c65a1c25ba75c4c69bf15355b
Reviewed-on: https://chromium-review.googlesource.com/453481Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43754}

BUG=v8:5495

Change-Id: I49e478f5d6b12a3b65f69fa8120a768f2dbd98f3
Reviewed-on: https://chromium-review.googlesource.com/451323Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43753}

I don't have a local master branch, so those commands failed for me.

R=hablich@chromium.org
NOTRY=true

Review-Url: https://codereview.chromium.org/2733923002
Cr-Commit-Position: refs/heads/master@{#43752}

Add PPC/s390 configs to mb_config and BUILD.gn. Also
use a script to get host byte ordering.

R=machenbach@chromium.org, dpranke@chromium.org
BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2736993004
Cr-Commit-Position: refs/heads/master@{#43751}

We emulate break by callling breakProgramCallback function in debugger context, we can just use HandleDebugBreak.
It allows us to move all stepping logic to debug.cc later and remove one usage of debugger context.
+ two minor issues fixed, see tests.

BUG=v8:5510
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2738503006
Cr-Commit-Position: refs/heads/master@{#43750}

A couple infrastructure changes went into this patch:
- test262 changed from expecting $ to $262
- upstream-local-tests.sh gets a command-line parameter for ease of use
- Fixed up the FAIL_SLOPPY infrastructure, which seems to have bit-rotted
- Inserted a terrible hack to get around test262 tests with a $ in the name

Drive-by fix for the length of Intl.DateTimeFormat.prototype.format

R=adamk

Review-Url: https://codereview.chromium.org/2733843002
Cr-Commit-Position: refs/heads/master@{#43749}

This makes it possible to directly request testing noturbofan_stress on the command line.

BUG=chromium:682617
TBR=mstarzinger@chromium.org,mvstanton@chromium.org,rmcilroy@chromium.org
NOTRY=true

Change-Id: I6ba9a022c4ef24fb5abe6878d3f2f972e8461eb8
Reviewed-on: https://chromium-review.googlesource.com/453180
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43748}

Part of the performance and refactoring work to move the TypedArray
constructors into CSA. This CL moves ConstructByArrayBuffer from JS
to CSA.

BUG=v8:5977

Change-Id: I0a200e6b3f6261ea2372ea9c3d3ca98e313cf2c5
Reviewed-on: https://chromium-review.googlesource.com/451620
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43747}

Test regress-694088.js is adapted for execution on big endian platforms.

TEST=test/mjsunit/compiler/regress-694088.js
BUG=

Review-Url: https://codereview.chromium.org/2739403002
Cr-Commit-Position: refs/heads/master@{#43746}

In the process, re-factor the implementation of Array.prototype.forEach so that
the bulk of the implementation can be re-used, since much of the spec is
identical. The refactor should also make it more straight-forward to implement
map and filter. The re-factored version only have a single slow path for processing
elements which is used for both the overall slow path and for the bailout from the
FAST_ELEMENTS case.

Review-Url: https://codereview.chromium.org/2709773002
Cr-Commit-Position: refs/heads/master@{#43745}

The switch statement itself is part of the switch block.
However, the source position of the statement is outside of
the block. This leads to confusion for the debugger, if the
switch block pushes a block context: the current context is
a block context, but the scope analysis based on the current
source position tells the debugger that we should be outside
the scope, so we should have the function context.

R=marja@chromium.org
BUG=v8:6085

Review-Url: https://codereview.chromium.org/2744213003
Cr-Commit-Position: refs/heads/master@{#43744}

Revert of [turbofan] Less aggressively insert SOFT deopts for property access. (patchset #2 id:20001 of https://codereview.chromium.org/2746013002/ )

Reason for revert:
Tanks Octane/Mandreel and Octane/MandreelLatency.

Original issue's description:
> [turbofan] Less aggressively insert SOFT deopts for property access.
>
> Sometimes TurboFan is able to extract receiver maps from the surrounding
> graph and thus is able to generate reasonable code for property accesses,
> even if those haven't been executed in the baseline tier yet. So, only
> stick in an SOFT deoptimization exit, if ExtractReceiverMaps failed to
> infer proper receiver maps.
>
> R=yangguo@chromium.org
> BUG=v8:5267
>
> Review-Url: https://codereview.chromium.org/2746013002
> Cr-Commit-Position: refs/heads/master@{#43736}
> Committed: https://chromium.googlesource.com/v8/v8/+/b8453628c94ddf71e05d70471355c7c924bbcf31

TBR=yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2748663002
Cr-Commit-Position: refs/heads/master@{#43743}

Add a mechanic to set these Builtin exception predictions per-Isolate
rather than per-Context in the Bootstrapper.

Also add Debugger tests which would fail without these prediction
modes set.

Does not yet test for AsyncFromSyncIteratorPrototypeReturn, as this
requires AsyncGenerators and `yield*` to be hit.

BUG=chromium:691875
R=yangguo@chromium.org, jgruber@chromium.org, gsathya@chromium.org

Change-Id: Ic2d2aba3870cce2f7321080f4278875edf253c76
Reviewed-on: https://chromium-review.googlesource.com/451967Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#43742}

- Remove TypedArrayIndexOf in src/js/typedarray.js
- Implement it to C++ using the IndexOfValue in ElementsAccessor
- Add buffer neutering check also for %TypedArray%.prototype.includes

BUG=v8:5929

Review-Url: https://codereview.chromium.org/2733193002
Cr-Commit-Position: refs/heads/master@{#43741}

Previously, we would incorrectly not assign any debug id to scripts
deserialized from the code cache.

R=jgruber@chromium.org
BUG=v8:6072

Review-Url: https://codereview.chromium.org/2742713003
Cr-Commit-Position: refs/heads/master@{#43740}

With this change, on ia32 and x64, a load from memory into a register can be replaced by a memory operand for integer binops if it makes sense.

BUG=

Review-Url: https://codereview.chromium.org/2728533003
Cr-Commit-Position: refs/heads/master@{#43739}

Since typedarrays are integer indexed exotic objects, we don't need to
check if prototypes of a typedarray have elements or not.

https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-get-p-receiver

BUG=699020

Review-Url: https://codereview.chromium.org/2744103002
Cr-Commit-Position: refs/heads/master@{#43738}

TBR=mstarzinger@chromium.org,rmcilroy@chromium.org
NOTRY=true

Change-Id: I355953b0b24a64e3c5e1a43cdeaa8ec2650b0988
Reviewed-on: https://chromium-review.googlesource.com/453459Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43737}

Sometimes TurboFan is able to extract receiver maps from the surrounding
graph and thus is able to generate reasonable code for property accesses,
even if those haven't been executed in the baseline tier yet. So, only
stick in an SOFT deoptimization exit, if ExtractReceiverMaps failed to
infer proper receiver maps.

R=yangguo@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2746013002
Cr-Commit-Position: refs/heads/master@{#43736}

BUG=v8:6082
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2743183003
Cr-Commit-Position: refs/heads/master@{#43735}

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2747673003
Cr-Commit-Position: refs/heads/master@{#43734}

These operations don't need the context, so no need to pass the context
to them. Also avoids the loading of context in the interpreter bytecode
handlers for StrictEqual and Typeof.

BUG=v8:5268,v8:5269
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2744173002
Cr-Commit-Position: refs/heads/master@{#43733}

R=joransiu@ca.ibm.com, bjaideep@ca.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/2741053004
Cr-Commit-Position: refs/heads/master@{#43732}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/cc228ab..1748b43

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I03b8c1bc81ab91e6fc13acd13c88f63c1b7150b3
Reviewed-on: https://chromium-review.googlesource.com/453019Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43731}

To speed up Date.prototype.toString(), this patch adds a cache in
the DateCache for the string short name representing the time zone.
Because time zones in a particular location just have two short names
(for DST and standard time), and the DateCache already understands
whether a time is in DST or not, it is possible to keep the result
of OS::LocalTimezone around and select between the two based on
whether the time is DST or not.

In local microbenchmarks (calling Date.prototype.toString() in a
loop), I observed a 6-10% speedup with this patch. In the browser,
the speedup may be even greater as the system call needs to do
some extra work to break out of the sandbox. I don't think the
microbenchmark is extremely unrealistic; in any real program which
calls Date.prototype.toString() multiple times, the cache should
hit almost all of the time, as time zone changes are rare.

The proximate motivation for this patch was to enable ICU as a
backend for timezone information, which is drafted at
https://codereview.chromium.org/2724373002/
The ICU implementation of OS::LocalTimezone is even slower than
the system call one, but this patch makes their performance
indistinguishable on the microbenchmark.

In the tz database, many timezones actually do have a number of different
historical names. For example, America/Anchorage went through a number of
changes, from AST to AHST to YST to AKST. However, both ICU and the
Linux OS interfaces just report the modern timezone name in tests
for the appropriate timezone name, even for historical times. I can
see why this would be:
- For ICU, CLDR only has two short names in the data file: the one for
  dst and non-dst
- For Linux, the timezone names do seem to make it into the
  /etc/localtime file. However, glibc assumes there are only two relevant
  names and selects between them, as you can see in its implementation
  of localtime_r:
  http://bazaar.launchpad.net/~vcs-imports/glibc/master/view/head:/time/tzset.c#L573
So, this cache should be valid until we switch to a more accurate source
of short timezone names.

BUG=v8:6031

Review-Url: https://codereview.chromium.org/2726253002
Cr-Commit-Position: refs/heads/master@{#43730}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/957a0ba..cc228ab

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/2ae07fc..4550ebc

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/61f0bb2..49cece5

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I6a50b1e956c7dc857729b570bbc0d29a4552f8a7
Reviewed-on: https://chromium-review.googlesource.com/453040Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43729}

R=joransiu@ca.ibm.com, bjaideep@ca.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/2743803002
Cr-Commit-Position: refs/heads/master@{#43728}

There is no guarantee that Map::GetConstructor() returns a JSFunction.
Specifically, detached global proxies return the |null| sentinel. So
we have to check the object type before casting to JSFunction.

BUG=chromium:694141

Review-Url: https://codereview.chromium.org/2739303003
Cr-Commit-Position: refs/heads/master@{#43727}

Note that this changes the sampling interval from milliseconds to
microseconds -- this shouldn't cause issues except for tools that use
'profiler,"begin",<interval>' somehow.

Change-Id: I20222de91f7820e26eb3fc505a4752b0bc7e1642
Reviewed-on: https://chromium-review.googlesource.com/451658
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43726}

This fixes the catch predictions for the following builtins --
AsyncFunctionAwaitCaught
AsyncFunctionAwaitUncaught
PromiseResolveClosure
ResolvePromise
PromiseResolve

Added tests for each.

Added whitelist for builtins behind a flag.

BUG=chromium:691875

Change-Id: I816cafdb69f0c9f1eefc440a0a44c36713d0b7dc
Reviewed-on: https://chromium-review.googlesource.com/450894
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43725}

- additionally doesn't deoptimize function in HandleDebugBreak for debugger statements inside of blackboxed code.

BUG=none
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2742843003
Cr-Commit-Position: refs/heads/master@{#43724}

BUG=

Change-Id: I5a4d398283c6fbbbc778d6f6c4555763f8869249
Reviewed-on: https://chromium-review.googlesource.com/452581Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43723}

AllocateRawAligned called into AllocateRawUnaligned, which expected
the address of the pointer to the top of the stack, not the pointer
itself. Instead, the pointer itself was passed, causing segfaults
if this code is actually run.

Also do some drive-by clean up of the branching/labels and unused
vars etc. in AllocateRawAligned.

BUG=v8:6075

Change-Id: If71db4b61d777b6543e5246e92bb5b9e6c02c81f
Reviewed-on: https://chromium-review.googlesource.com/452374Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43722}

Removing it from default variants set which will substantially increase test speed for developers.

Pure ignition is intended to be tested only on bots unless opted in.

BUG=chromium:682617
R=mstarzinger@chromium.org,mvstanton@chromium.org,rmcilroy@chromium.org

Change-Id: I98adb81951a0a2d16f52e6b34b98d3a90e178d8a
Reviewed-on: https://chromium-review.googlesource.com/452580Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43721}

Now that the --turbo flag is on by default, this implication makes it
impossible to disable the runtime profiler to prevent functions from
being considered hot. Essentially the --nocrankshaft flag was borked.

R=machenbach@chromium.org

Change-Id: I698008b4b69038e8bfab6d8ec3ccf57e2fd71701
Reviewed-on: https://chromium-review.googlesource.com/452619Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43720}

Also format flags in single lines to make configs easier to read and modify.

BUG=chromium:673246
NOTRY=true
R=mstarzinger@chromium.org,titzer@chromium.org,rmcilroy@chromium.org

Change-Id: If37486c98af161467b639271b035207c3ae1077a
Reviewed-on: https://chromium-review.googlesource.com/452579Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43719}

The callers of this function already do the flushing (as its comment demands).

BUG=

Change-Id: Iff6720f4ddecb1a4569b6cac66eba4b857c46b17
Reviewed-on: https://chromium-review.googlesource.com/452504Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43718}

- lower the cutoff-threshold for bottom up graphs to 1%
- show all builtins/stubs/ics by default

R=jkummerow@chromium.org

Change-Id: I522173155b817ae20a37c40ecf411f2b55d82105
Reviewed-on: https://chromium-review.googlesource.com/452482Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43717}

BUG=
R=marja@chromium.org

Review-Url: https://codereview.chromium.org/2738153003
Cr-Commit-Position: refs/heads/master@{#43716}