With this CL we reduce the difference between directly using a null prototype
in a literal or using Object.create(null).
- The EmitFastCloneShallowObject builtin now supports cloning slow
  object boilerplates.
- Unified behavior to find the matching Map and instantiating it for
  Object.create(null) and literals with a null prototype.
- Cleanup of literal type parameter of CompileTimeValue, now in sync with
  ObjectLiteral flags.

Review-Url: https://codereview.chromium.org/2445333002
Cr-Commit-Position: refs/heads/master@{#44941}

I moved the wasm update scripts from tools/ to tools/wasm. In addition
I cleaned up the scripts a bit.

R=machenbach@chromium.org

Change-Id: I545dd556712e272e6509b78e343e9063346abe56
Reviewed-on: https://chromium-review.googlesource.com/488601Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44940}

R=joransiu@ca.ibm.com, jyan@ca.ibm.com
BUG=
LOG=n

Review-Url: https://codereview.chromium.org/2839343003
Cr-Commit-Position: refs/heads/master@{#44939}

This makes sure that asm.js modules can only be instantiated with a
valid {ArrayBuffer} as the underlying heap buffer for all cases where
accepting anything else would be observably different from JavaScript
proper.

R=clemensh@chromium.org
TEST=mjsunit/asm/asm-memory
BUG=chromium:715505,chromium:715748

Change-Id: I355686200151c5667bf836824de922d657a8d943
Reviewed-on: https://chromium-review.googlesource.com/488521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44938}

R=machenbach@chromium.org
BUG=v8:6318
NOTRY=true
NOTREECHECKS=true

Change-Id: If57bc5bab8d2544519f140ee4a19aa89b1125fd7
Reviewed-on: https://chromium-review.googlesource.com/488603
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44937}

Revert of PPC/s390: SmiUntag only for 32bit (patchset #1 id:1 of https://codereview.chromium.org/2842843005/ )

Reason for revert:
few tests are failing with stack overflow, will reland with the fix.

Original issue's description:
> PPC/s390: SmiUntag only for 32bit
>
> R=joransiu@ca.ibm.com, jyan@ca.ibm.com
> BUG=
> LOG=n
>
> Review-Url: https://codereview.chromium.org/2842843005
> Cr-Commit-Position: refs/heads/master@{#44908}
> Committed: https://chromium.googlesource.com/v8/v8/+/76dfdb7a32c4be41190ff6a01b23905976e5e0ff

TBR=joransiu@ca.ibm.com,jyan@ca.ibm.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2852433002
Cr-Commit-Position: refs/heads/master@{#44936}

This reverts commit 9ceaf212.

Reason for revert: Fails on arm: http://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/2950/steps/Check/logs/Bits.RoundUpToPowerOf..

Original change's description:
> [base] Introduce RoundUpToPowerOfTwo64
> 
> And fix RoundUpToPowerOfTwo32 to return 1 for the input 0.
> 0 is no power of two.
> Beside being the correct value, this also avoids a special case in the
> (new) fast path using the number of leading zeros.
> 
> R=​jochen@chromium.org, ahaas@chromium.org
> 
> Change-Id: I87173495e13b334954bcebbb55724fb666dfa809
> Reviewed-on: https://chromium-review.googlesource.com/488143
> Reviewed-by: Jochen Eisinger <jochen@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44925}

TBR=ahaas@chromium.org,jochen@chromium.org,clemensh@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Ib353ee0a944316da6f919bac3bb88d4f95d98ea0
Reviewed-on: https://chromium-review.googlesource.com/488365Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44935}

This reverts commit 33b0b710.

Reason for revert: Fails on arm: http://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/2950/steps/Check/logs/Bits.RoundUpToPowerOf..

Original change's description:
> [wasm] [cleanup] Remove unused parameter from SyncValidate
> 
> R=​ahaas@chromium.org
> 
> Change-Id: I952c5461ef44d4b01e99390e668bfc0d7f7ba25b
> Reviewed-on: https://chromium-review.googlesource.com/488341
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44931}

TBR=ahaas@chromium.org,clemensh@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Ie5f28109b86d7810b95053cbca563dea96bd13b2
Reviewed-on: https://chromium-review.googlesource.com/488364Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44934}

The spec tests are stored on a mirror and are downloaded with the DEPS
file. The test files on the mirror are updated with a script which has
to be executed manually.

This CL contains the following changes:

* A script which updates the spec tests and uploads the generated files
  to the mirror.
* Changes to the DEPS file to download the files from the mirror.
* Changes so that tools/run-tests.py can run the spec tests.

R=machenbach@chromium.org, rossberg@chromium.org

Change-Id: Ia50d09bb1501c0c0f1d1506aa3657a3aa69c2864
Reviewed-on: https://chromium-review.googlesource.com/488083
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44933}

For int16 imm values Subu would emit addiu with -imm value, but doing
this with min_int16 would overflow and produce incorrect result. This is
fixed by checking if -imm is int16. A test for this case is created.

An optimization is also added for values imm where we cannot just emit
addiu and loading -imm to a register takes one instruction using ori.
Then instead of loading imm with lui;ori and subtracting with subu, we
can load -imm with ori and add with addu.

BUG=
TEST=cctest/test-assembler-mips/Subu

Review-Url: https://codereview.chromium.org/2845043002
Cr-Commit-Position: refs/heads/master@{#44932}

R=ahaas@chromium.org

Change-Id: I952c5461ef44d4b01e99390e668bfc0d7f7ba25b
Reviewed-on: https://chromium-review.googlesource.com/488341Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44931}

BUG=v8:6311
R=jkummerow@chromium.org

Review-Url: https://codereview.chromium.org/2845853003
Cr-Commit-Position: refs/heads/master@{#44930}

R=jkummerow@chromium.org

Change-Id: I6fc3817410df4f070675051397a30cc1b0ca7dfe
Reviewed-on: https://chromium-review.googlesource.com/488030Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44929}

This reverts commit 0322be81.

Reason for revert: Breaks:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug/builds/4612

Original change's description:
> [ic] Handle JSArray::length in CodeStubAssembler::CallGetterIfAccessor.
> 
> When accessing JSArray::length property from GenericPropertyLoad
> (i.e. via a megamorphic KEYED_LOAD_IC), we'd always go to the runtime
> at this point, because the CallGetterIfAccessor method didn't support
> AccessorInfos at all. Now there's initial support for JSArray::length,
> which reduces the number of %KeyedGetProperty calls we see in the
> Speedometer/EmberJS test by 5000.
> 
> Also-By: ishell@chromium.org
> BUG=v8:5269
> R=​ishell@chromium.org
> 
> Change-Id: I44ce7966f9b7257808110a24d95a8167ab035df9
> Reviewed-on: https://chromium-review.googlesource.com/488224
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44915}

TBR=ishell@chromium.org,bmeurer@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5269

Change-Id: Ib32e87c4ec4fd746abe3cdea3ec1cd96aabb4cff
Reviewed-on: https://chromium-review.googlesource.com/488362Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44928}

R=verwaest@chromium.org,haraken@chromium.org,yukishiino@chromium.org
BUG=

Change-Id: I273f5ce305f80b2aa5e9c8c42a6e8e5afc51a0a7
Reviewed-on: https://chromium-review.googlesource.com/484422Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44927}

This also fixes incorrect type for fixed array accesses.

BUG=chromium:715651,v8:6309,chromium:715204

Review-Url: https://codereview.chromium.org/2848583002
Cr-Commit-Position: refs/heads/master@{#44926}

And fix RoundUpToPowerOfTwo32 to return 1 for the input 0.
0 is no power of two.
Beside being the correct value, this also avoids a special case in the
(new) fast path using the number of leading zeros.

R=jochen@chromium.org, ahaas@chromium.org

Change-Id: I87173495e13b334954bcebbb55724fb666dfa809
Reviewed-on: https://chromium-review.googlesource.com/488143Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44925}

Bug:v8:4280

Change-Id: I83dfd26b47d554406d3ede633bbefc92db6a4faf
Reviewed-on: https://chromium-review.googlesource.com/487964Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44924}

Instructions after an unconditional jump can be omitted.

BUG=chromium:715582
R=bradnelson@chromium.org,verwaest@chromium.org
TBR=bradnelson@chromium.org

Change-Id: Ie4f4041ed836f328955a0ff396e2dfd6adc01513
Reviewed-on: https://chromium-review.googlesource.com/487983
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44923}

This refactors the {AsmJs} methods used for instantiating an asm.js
module to only use one single entry point. It is in preparation to
validate the "memory" argument as well.

R=clemensh@chromium.org
BUG=chromium:715505

Change-Id: I5e26fcf46f98c053080c70b26c0f562afc7f794a
Reviewed-on: https://chromium-review.googlesource.com/488226
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44922}

Revert of [tickprocessor] Consider top of the stack as pc if it points to a code object. (patchset #1 id:1 of https://codereview.chromium.org/2822433002/ )

Reason for revert:
Seems to lead to more (completely) misattributed ticks

Original issue's description:
> [tickprocessor] Consider top of the stack as pc if it points to a code object.
>
> Previously, we would only consider it if it pointed to a full-code JS function.
> Thus we could miss both optimized functions and bytecode handlers if they
> called frame-less code.
>
> Review-Url: https://codereview.chromium.org/2822433002
> Cr-Commit-Position: refs/heads/master@{#44640}
> Committed: https://chromium.googlesource.com/v8/v8/+/4433ac299eae30b75357b05dab16d142d239f64e

TBR=jarin@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.

Review-Url: https://codereview.chromium.org/2844053003
Cr-Commit-Position: refs/heads/master@{#44921}

NOTRY=true

Review-Url: https://codereview.chromium.org/2843393002
Cr-Commit-Position: refs/heads/master@{#44920}

The feedback collection was decoupled from the actual comparison in the
compare bytecode handlers. This involves checks on the type of operands both
when collecting the feedback and when performing the operation. To avoid this
the type feedback is collected inline with the actual comparison.

This cl inlines the type feedback collection for the StrictEqual bytecode
handler. The other compare operations will be handled in subsequent cls.

Bug:

Change-Id: I429ed3c58b344c1c492e743c190bf16ab991ce6e
Reviewed-on: https://chromium-review.googlesource.com/483399Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44919}

BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2846683003
Cr-Commit-Position: refs/heads/master@{#44918}

Currently, the external API (e.g. v8::Object::Get()) will enter the
context passed to it automatically. This is incorrect and causes some
trouble for Blink, so we want to change that.

It then becomes a potential problem to call the external API without
first entering a context, which the inspector code does in some
places. This patch aims to correct this.

BUG=v8:6307

Review-Url: https://codereview.chromium.org/2841053002
Cr-Commit-Position: refs/heads/master@{#44917}

This is a highly requested feature!

Bug: v8:6276
Change-Id: I17b606ae0ff8fa9dfdd0fa74fd1f7ad0dd3fc4f8
Reviewed-on: https://chromium-review.googlesource.com/488044
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44916}

When accessing JSArray::length property from GenericPropertyLoad
(i.e. via a megamorphic KEYED_LOAD_IC), we'd always go to the runtime
at this point, because the CallGetterIfAccessor method didn't support
AccessorInfos at all. Now there's initial support for JSArray::length,
which reduces the number of %KeyedGetProperty calls we see in the
Speedometer/EmberJS test by 5000.

Also-By: ishell@chromium.org
BUG=v8:5269
R=ishell@chromium.org

Change-Id: I44ce7966f9b7257808110a24d95a8167ab035df9
Reviewed-on: https://chromium-review.googlesource.com/488224Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44915}

The AccessorAssembler::GenericPropertyLoad case went to
%KeyedGetProperty when the actual handler that we found
in the stub cache would miss. In this case we would always
fall into the same trap all the time, since no one updates
the stub cache.

BUG=v8:5269
R=ishell@chromium.org

Change-Id: I90fd83337c320f194dc31a69716627d047a6b070
Also-By: ishell@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/488147Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44914}

Performance regressed for this with the I+TF switch. This speeds up
the simple case by using optimizations in the elements accessor.

Bug: chromium:700835
Change-Id: Iaba30951b93daefa0fb32acd6656ac705cdc73ed
Reviewed-on: https://chromium-review.googlesource.com/483341
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44913}

kNumberOfSpaces includes map and large object spaces,
kNumberOfPreallocatedSpaces does not. Therefore we need
to output both separately.

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2843353002
Cr-Commit-Position: refs/heads/master@{#44912}

This code was confusing, as it wasn't immediately obvious that this is
dead and doesn't need to updated anymore.

R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2844993002
Cr-Commit-Position: refs/heads/master@{#44911}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/95c219b..8ed22b4

Rolling v8/third_party/android_tools: https://chromium.googlesource.com/android_tools/+log/b65c477..cb6bc21

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/380124f..8062a57

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: Iae759fb661433fb664e2ed1c9b48beddaee0cc96
Reviewed-on: https://chromium-review.googlesource.com/488325Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44910}

TBR=machenbach@chromium.org
Bug: v8:6305

Change-Id: I1cc18597b9bbf4b140008228306c169d653b907a
Reviewed-on: https://chromium-review.googlesource.com/488105Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44909}

R=joransiu@ca.ibm.com, jyan@ca.ibm.com
BUG=
LOG=n

Review-Url: https://codereview.chromium.org/2842843005
Cr-Commit-Position: refs/heads/master@{#44908}

This reverts commit d7cdea6f.

Reason for revert: Flakiness on bots

Original change's description:
> [wasm] Add guard pages before Wasm Memory
> 
> Although Wasm memory indices are all unsigned, they sometimes get assembled
> as 32-bit signed immediates. Values in the top half of the Wasm memory space
> will then get sign extended, causing Wasm to access in front of its memory
> buffer.
> 
> Usually this region is not mapped anyway, so faults still happen as they are
> supposed to. This change protects this region with guard pages so we are
> guaranteed to always fault when this happens.
> 
> Bug: v8:5277
> Change-Id: Id791fbe2a5ac1b1d75460e65c72b5b9db2a47ee7
> Reviewed-on: https://chromium-review.googlesource.com/484747
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44905}

TBR=bradnelson@chromium.org,gdeepti@chromium.org,mtrofin@chromium.org,eholk@chromium.org,mseaborn@chromium.org,adamk@chromium.org,v8-reviews@googlegroups.com,wasm-v8@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Ia1d3e5dbf4f518815a9fd4197047077bc8e42816
Reviewed-on: https://chromium-review.googlesource.com/487828Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44907}

Clearing out the constructor field is invalid in the case where the
function's map has transitioned since the last SetPrototype call.

Bug: chromium:714972
Change-Id: Ie918702a128219c4995b805f7c9a53b41cc4e4b6
Reviewed-on: https://chromium-review.googlesource.com/486130
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44906}

Although Wasm memory indices are all unsigned, they sometimes get assembled
as 32-bit signed immediates. Values in the top half of the Wasm memory space
will then get sign extended, causing Wasm to access in front of its memory
buffer.

Usually this region is not mapped anyway, so faults still happen as they are
supposed to. This change protects this region with guard pages so we are
guaranteed to always fault when this happens.

Bug: v8:5277
Change-Id: Id791fbe2a5ac1b1d75460e65c72b5b9db2a47ee7
Reviewed-on: https://chromium-review.googlesource.com/484747
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44905}

This allows us to avoid a separate receiver typecheck in a few places
without regressing the error messages generated.

As more Array methods move to C++, this will get more usage.

Bug: v8:3577
Change-Id: Ibdd17c781548520172ce62442bc3a800e5c09e99
Reviewed-on: https://chromium-review.googlesource.com/486103Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44904}

R=littledan@chromium.org

Bug: v8:5070
Change-Id: I15d26410eafca47eec7ecd0b3ca58d608f4ae0cc
Reviewed-on: https://chromium-review.googlesource.com/487029Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44903}

The interpreter used a ZoneVector<WasmVal> to model the value stack.
Thus, at each single pop to the stack, a bounds check was performed,
and the storage was potentially extended.
This CL changes this to pre-allocate enough space for the stack of a
function when a new frame is entered. This avoids any checks for pushs
and pops.
Instead of storing a ZoneVector<WasmVal>, we store WasmVal* directly.
The maximum value stack size is precomputed together with the control
transfer side table.

This CL speeds up interpreted execution by 15% on average (measured
locally on a Z840).

R=ahaas@chromium.org
BUG=v8:5822

Change-Id: If949f7ee5233d874cd6a04b7dde2d7b4a95e45ea
Reviewed-on: https://chromium-review.googlesource.com/488061
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44902}