In optimized code, it's not guaranteed that the current context
is stored in its frame slot.

R=bmeurer@chromium.org
BUG=v8:4309
LOG=N

Review URL: https://codereview.chromium.org/1239033002

Cr-Commit-Position: refs/heads/master@{#29697}

R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/1238743002

Cr-Commit-Position: refs/heads/master@{#29696}

original commit message:

    This changes the calling convention of the CallConstructStub to take
    the original constructor (i.e. new.target in JS-speak) in a register
    instead of magically via the operand stack. For optimizing compilers
    the operand stack doesn't exist, hence cannot be peeked into.

BUG=

Review URL: https://codereview.chromium.org/1235273003

Cr-Commit-Position: refs/heads/master@{#29695}

port fc9c5275 (r29672).

original commit message:

    Debugger: use debug break slots to break at function exit.

    By not having to patch the return sequence (we patch the debug
    break slot right before it), we don't overwrite it and therefore
    don't have to keep the original copy of the code around.

BUG=

Review URL: https://codereview.chromium.org/1236023007

Cr-Commit-Position: refs/heads/master@{#29694}

Improved checking target ranges for J and JAL instructions.
Adapted disassembler test for J and JAL instructions.

TEST=cctest/test-disasm-mips[64]
BUG=

Review URL: https://codereview.chromium.org/1237083003

Cr-Commit-Position: refs/heads/master@{#29693}

Rolling v8/buildtools to 5215ee866bc3e8eb4a7f124212845abf4029e60b

Rolling v8/tools/clang to 4e7f85d6bc00cb296e34126c822cf57e5e6cf814

TBR=machenbach@chromium.org

Review URL: https://codereview.chromium.org/1237553004

Cr-Commit-Position: refs/heads/master@{#29692}

Unknown flag warning is adding unnecessary noise to terminal during
test runs

BUG=
LOG=N
R=adamk@chromium.org

Review URL: https://codereview.chromium.org/1236993003

Cr-Commit-Position: refs/heads/master@{#29691}

These were added when I thought they would be useful in Blink, but as
it turned out they were not. They could likely be deleted immediately,
but to play it safe I'll go through the usual deprecation process.

Review URL: https://codereview.chromium.org/1236263004

Cr-Commit-Position: refs/heads/master@{#29690}

This CL exposes the constructor function, defines type related
information, and implements value type semantics.
It also refactors test/mjsunit/samevalue.js to test SameValue and SameValueZero.

TEST=test/mjsunit/harmony/simd.js, test/cctest/test-simd.cc

LOG=Y
BUG=v8:4124

Review URL: https://codereview.chromium.org/1219943002

Cr-Commit-Position: refs/heads/master@{#29689}

Port c63e50ed

BUG=
TEST=test-disasm-mips/Type

Review URL: https://codereview.chromium.org/1233323002

Cr-Commit-Position: refs/heads/master@{#29688}

For unclear and probably accidental reasons the Windows 10 SDK
renamed some _Interlocked* functions to _InlineInterlocked. This
leads to these errors:

runtime-atomics.cc(159): error C3861: '_InterlockedExchange64': identifier not found
runtime-atomics.cc(159): error C3861: '_InterlockedExchangeAdd64': identifier not found
runtime-atomics.cc(159): error C3861: '_InterlockedAnd64': identifier not found
runtime-atomics.cc(159): error C3861: '_InterlockedOr64': identifier not found
runtime-atomics.cc(159): error C3861: '_InterlockedXor64': identifier not found

Fixing this requires either adding defines to map these five _Interlocked*
functions to _InlineInterlocked*, or else changing to using the
non-underscore versions. It appears that using the non-underscore versions
is preferable so I went that way. This also requires adding three  new
defines because there is a huge lack of consistency, probably due to these
macros being defined sometimes in <intrin.h> and sometimes in <winnt.h>

All five of the renamed 64-bit functions were manually checked to ensure
that the change to the non-underscore versions would make no differences -
the inline functions that they map to were identical. Other functions were
spot-checked.

Also, the 'volatile' qualifiers were removed. Volatile has no no useful
meaning for multi-threaded programming. It only exists in the Interlocked*
prototypes to *allow* volatile variables to be passed. Since this is a bad
habit to encourage there is no reason for us to permit it, and we can
still call the Microsoft functions (T* converts to volatile T*, just not
vice-versa).

The updated code builds with the Windows 8.1 SDK and with the Windows 10 SDK.

R=jarin@chromium.org
LOG=Y
BUG=440500,491424

Review URL: https://codereview.chromium.org/1228063005

Cr-Commit-Position: refs/heads/master@{#29687}

BUG=

Review URL: https://codereview.chromium.org/1241883002

Cr-Commit-Position: refs/heads/master@{#29686}

where bound functions started overriding the "name" accessor property with a data property. The bootstrapper must be kept in sync to avoid polymorphism.

BUG=chromium:509983
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1238903002

Cr-Commit-Position: refs/heads/master@{#29685}

During parsing, we now keep track of the first spread seen in an array
literal (if any), and make use of that information when creating the
FixedArray backing store representing the constant elements for array
literal materialization.

The old code tried to do this by setting the generated JSArray's length
in ArrayLiteral::BuildConstantElements(), but that Array length is never
read by the rest of the literal materialization code (it always uses
the length of the FixedArray backing store).

BUG=v8:4298
LOG=n

Review URL: https://codereview.chromium.org/1225223004

Cr-Commit-Position: refs/heads/master@{#29684}

BUG=v8:4302
LOG=n

Review URL: https://codereview.chromium.org/1237873003

Cr-Commit-Position: refs/heads/master@{#29683}

Review URL: https://codereview.chromium.org/1228373011

Cr-Commit-Position: refs/heads/master@{#29682}

This changes the calling convention of the CallConstructStub to take
the original constructor (i.e. new.target in JS-speak) in a register
instead of magically via the operand stack. For optimizing compilers
the operand stack doesn't exist, hence cannot be peeked into.

R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1237813002

Cr-Commit-Position: refs/heads/master@{#29681}

R=jochen@chromium.org
LOG=y
BUG=

Review URL: https://codereview.chromium.org/1209403005

Cr-Commit-Position: refs/heads/master@{#29680}

Gdb macro jfv on an object will print it as a feedback vector.
Printouts look like this:

DebugPrint: 0x5dc0d2ad: [TypeFeedbackVector]
 - length: 12
 - ics with type info: 3
 - generic ics: 0
 ICSlot 0 CALL_IC MONOMORPHIC
  [4]: 0x5dc0d365 WeakCell for 0x5dc0cd69 <JS Function foo (SharedFunctionInfo 0x5dc0cb0d)>
  [5]: 0x4203c4c1 <Code: HANDLER>
 ICSlot 1 LOAD_IC MONOMORPHIC
  [6]: 0x5dc0d1f5 WeakCell for 0x3a710481 <Map(FAST_HOLEY_SMI_ELEMENTS)>
  [7]: 0x4203a1c1 <Code: HANDLER>
 ICSlot 2 LOAD_IC UNINITIALIZED
  [8]: 0x3060d045 <Symbol: 711234650 <String[20]: uninitialized_symbol>>
  [9]: 0x3060d045 <Symbol: 711234650 <String[20]: uninitialized_symbol>>
 ICSlot 3 LOAD_IC MONOMORPHIC
  [10]: 0x5dc0d3b5 WeakCell for 0x3a710d71 <Map(FAST_HOLEY_ELEMENTS)>
  [11]: 0x4202af01 <Code: HANDLER>

BUG=

Review URL: https://codereview.chromium.org/1225403005

Cr-Commit-Position: refs/heads/master@{#29679}

BUG=v8:4137
LOG=n

Review URL: https://codereview.chromium.org/1237953002

Cr-Commit-Position: refs/heads/master@{#29678}

BUG=

Review URL: https://codereview.chromium.org/1228113003

Cr-Commit-Position: refs/heads/master@{#29677}

BUG=chromium:490559
LOG=NO

Review URL: https://codereview.chromium.org/1225713003

Cr-Commit-Position: refs/heads/master@{#29676}

Bunch of cleanups to allow us to get rid of handles-inl.h at some
point (in the not so far future); but more importantly to sanitize uses
of handles and prepare for handle canonicalization support.

R=yangguo@chromium.org

Committed: https://crrev.com/3283195d0408333cce552cf4087577e6f41054e5
Cr-Commit-Position: refs/heads/master@{#28222}

Committed: https://crrev.com/d940c6d3bcc227b459cb4123d9a8332d9ed0d5f8
Cr-Commit-Position: refs/heads/master@{#29666}

Review URL: https://codereview.chromium.org/1128533002

Cr-Commit-Position: refs/heads/master@{#29675}

R=adamk@chromium.org, littledan@chromium.org
BUG=v8:811
LOG=N

Review URL: https://codereview.chromium.org/1240463002

Cr-Commit-Position: refs/heads/master@{#29674}

Rolling v8/tools/clang to 58128abd44c22255def1163d30bc9bb2cc85e15c

Reland after https://codereview.chromium.org/1241643002/

TBR=jochen@chromium.org, thakis@chromium.org

Review URL: https://codereview.chromium.org/1237793003

Cr-Commit-Position: refs/heads/master@{#29673}

By not having to patch the return sequence (we patch the debug
break slot right before it), we don't overwrite it and therefore
don't have to keep the original copy of the code around.

R=ulan@chromium.org
BUG=v8:4269
LOG=N

Review URL: https://codereview.chromium.org/1234833003

Cr-Commit-Position: refs/heads/master@{#29672}

A sloppy mode eval call that establishes strict mode will leak that strictness
into the sloppy surrounding scope on recompile. This changes the structure
of the type feedback vector for the function and crashes follow.

The fix is straightforward.

BUG=491536, 503565
LOG=N

Review URL: https://codereview.chromium.org/1231343003

Cr-Commit-Position: refs/heads/master@{#29671}

Reland "Enable loads and stores to global vars through property cell shortcuts installed into parent script context."

Review URL: https://codereview.chromium.org/1237043006

Cr-Commit-Position: refs/heads/master@{#29670}

Revert of [handles] Sanitize Handle and friends. (patchset #5 id:180001 of https://codereview.chromium.org/1128533002/)

Reason for revert:
[Sheriff] Still breaks mac asan:
http://build.chromium.org/p/client.v8/builders/V8%20Mac64%20ASAN/builds/2066

Original issue's description:
> [handles] Sanitize Handle and friends.
>
> Bunch of cleanups to allow us to get rid of handles-inl.h at some
> point (in the not so far future); but more importantly to sanitize uses
> of handles and prepare for handle canonicalization support.
>
> R=yangguo@chromium.org
>
> Committed: https://crrev.com/3283195d0408333cce552cf4087577e6f41054e5
> Cr-Commit-Position: refs/heads/master@{#28222}
>
> Committed: https://crrev.com/d940c6d3bcc227b459cb4123d9a8332d9ed0d5f8
> Cr-Commit-Position: refs/heads/master@{#29666}

TBR=yangguo@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1235253007

Cr-Commit-Position: refs/heads/master@{#29669}

Review URL: https://codereview.chromium.org/1231893007

Cr-Commit-Position: refs/heads/master@{#29668}

This makes Object.getOwnPropertyNames() return the integer keys in the
proper order, following the spec:

http://www.ecma-international.org/ecma-262/6.0/#sec-ordinary-object-internal-methods-and-internal-slots-ownpropertykeys

BUG=v8:4118
LOG=n

Review URL: https://codereview.chromium.org/1228803006

Cr-Commit-Position: refs/heads/master@{#29667}

Bunch of cleanups to allow us to get rid of handles-inl.h at some
point (in the not so far future); but more importantly to sanitize uses
of handles and prepare for handle canonicalization support.

R=yangguo@chromium.org

Committed: https://crrev.com/3283195d0408333cce552cf4087577e6f41054e5
Cr-Commit-Position: refs/heads/master@{#28222}

Review URL: https://codereview.chromium.org/1128533002

Cr-Commit-Position: refs/heads/master@{#29666}

This patch removes the MathMax call from String.prototype.includes
in order to improve performance. With some quick and dirty benchmarking,
(test case courtesy of the node folks) a sizable performance gain is visible:

d8> function testIndexOf() { var stringArray = [ 'hello', 'world', '123', 'abc' ]; return stringArray.some(function(val, idx, arr) { return val.indexOf('world') !== -1 })}
d8> function testIncludes() { var stringArray = [ 'hello', 'world', '123', 'abc' ]; return stringArray.some(function(val, idx, arr) { return val.includes('world') })}
d8> function testTime(fn) { var before = Date.now(); fn(); return Date.now() - before; }
d8> testTime(function() { for (var i = 0; i < 10000000; i++) { testIncludes() } })
2244
d8> testTime(function() { for (var i = 0; i < 10000000; i++) { testIndexOf() } })
2212

Compare that to before the test, when the performance difference was much larger:

d8> testTime(function() { for (var i = 0; i < 10000000; i++) { testIndexOf() } })
2223
d8> testTime(function() { for (var i = 0; i < 10000000; i++) { testIncludes() } })
2650

In my runs, performance of both functions drifts up and down, but running them in quick
succession back and forth shows a roughly consistent delta of about this magnitude.

String.prototype.includes is still slightly (maybe 5%) slower than String.prototype.indexOf,
but the effect is significantly reduced.

R=adamk
BUG=v8:3807
LOG=Y

Review URL: https://codereview.chromium.org/1231673008

Cr-Commit-Position: refs/heads/master@{#29665}

See http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/4695/steps/Check%20%28flakes%29/logs/d8-worker-sharedarray..

BUG=v8:4306
R=machenbach@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
LOG=n

Review URL: https://codereview.chromium.org/1241713003

Cr-Commit-Position: refs/heads/master@{#29664}

Reland of d8 workers: make sure Shell::Quit is only called once (patchset #1 id:1 of https://codereview.chromium.org/1235083004/)

Reason for revert:
Looks like the failure is unrelated to my change (still fails after the revert). See http://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Win/builds/856/steps/webkit_unit_tests/logs/stdio

Original issue's description:
> Revert of d8 workers: make sure Shell::Quit is only called once (patchset #5 id:80001 of https://codereview.chromium.org/1230403003/)
>
> Reason for revert:
> Breaks webkit_unit_tests. See http://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Win/builds/853/steps/webkit_unit_tests/logs/stdio
>
> Original issue's description:
> > d8 workers: make sure Shell::Quit is only called once
> >
> > When running with isolates, Quit can be called simultaneously by two threads.
> > If this happens, then both threads try to clean up the Workers, which could
> > crash.
> >
> > BUG=v8:4279
> > R=jarin@chromium.org
> > R=machenbach@chromium.org
> > LOG=n
> >
> > Committed: https://crrev.com/76184292b392d107609f21662a949b58bb1e258c
> > Cr-Commit-Position: refs/heads/master@{#29654}
>
> TBR=jarin@chromium.org,machenbach@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:4279
>
> Committed: https://crrev.com/6b2c6eb75678747afca59b4a78ace597e218145d
> Cr-Commit-Position: refs/heads/master@{#29656}

TBR=jarin@chromium.org,machenbach@chromium.org,adamk@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4279

Review URL: https://codereview.chromium.org/1224203004

Cr-Commit-Position: refs/heads/master@{#29663}

Duplicate parameters are banned both overall in strict mode and also
in arrow functions. Our error message for both cases blamed strict
mode, which is confusing. This patch fixes the message to point to
arrow functions as a possible source as well.

R=wingo, adamk
LOG=N

Review URL: https://codereview.chromium.org/1236863008

Cr-Commit-Position: refs/heads/master@{#29662}

For destructuring bind, the parser needs to complain about things
which are inappropriate to have on the left-hand side.

Previously, regexp literals and template literals were let through
the parser inappropriately. This patch turns those into errors.

This patch also fixes off-by-one errors in reporting the location
of this type of error for strings and numbers. Before the patch,
the error would look like:

d8> var {x: 3} = {x: 4}
(d8):1: SyntaxError: Unexpected number
var {x: 3} = {x: 4}
      ^
SyntaxError: Unexpected number

And with the patch, the error is

d8> var {x: 3} = {x: 4}
(d8):1: SyntaxError: Unexpected number
var {x: 3} = {x: 4}
        ^
SyntaxError: Unexpected number

R=rossberg

Review URL: https://codereview.chromium.org/1236803003

Cr-Commit-Position: refs/heads/master@{#29661}

Adds SameValue and SameValueZero functions for float and double.
These will be used for HeapNumber and SIMD values.

LOG=N
BUG=v8:4124

Review URL: https://codereview.chromium.org/1234073003

Cr-Commit-Position: refs/heads/master@{#29660}

Labels which are not associated with branches (e.g. labels which
record the location of the embedded constant pool or jump tables)
should not be tracked for the purpose of trampoline generation.

This also improves management of the high water mark in the buffer
which triggers trampoline generation such that it is reset whenever
the number of tracked branches drops to zero.

These changes should help minimize unnecessary trampoline and
(subsequent) slow branch generation.

R=dstence@us.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1237213002

Cr-Commit-Position: refs/heads/master@{#29659}

Note: the previous try was reverted for occasional flaky tests. This continued
after the revert, and should be fixed by
https://codereview.chromium.org/1226143003.

Previously, the serialization code would call Externalize for every transferred
ArrayBuffer or SharedArrayBuffer, but that function can only be called once. If
the buffer is already externalized, we should call GetContents instead.

Also fix use-after-free bug when transferring ArrayBuffers. The transferred
ArrayBuffer must be internalized in the new isolate, or be managed by the
Shell. The current code gives it to the isolate externalized and frees it
immediately afterward when the SerializationData object is destroyed.

BUG=chromium:497295
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1223813008

Cr-Commit-Position: refs/heads/master@{#29658}