Bug: chromium:645890
Change-Id: If34ac1336d0ee3c23e89050aef2cf30b754b67c1
Reviewed-on: https://chromium-review.googlesource.com/461145
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44272}

HasOrigin() can allocate. Make sure to wrap vulnerable raw pointers
in handles.

BUG=

Review-Url: https://codereview.chromium.org/2788663002
Cr-Commit-Position: refs/heads/master@{#44271}

BUG=chromium:432469
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2746743002
Cr-Commit-Position: refs/heads/master@{#44270}

- Add new address markers:
   T: tagged pointer in the minidump
   C: address into a module in the minidump
   S: pointer into the exception stack in the minidump
   *: other address in the minidump
- Show ASCII decoding of address in dd
- Display potential frame markers on the exception stack:
   00000032212fdae8: 0000000300000000   ........ Smi(3) EXIT frame marker
- Display relative addresses, useful to detect stack frames:
   00000032212fdb68: 00000032212fdb98 S ........  [+6]=00000032212fdcb0 S
   00000032212fdb70: 0000010ff5ca0a84   ........
   00000032212fdb78: 000001064c1fa881   ........
   00000032212fdb80: 0000016a8e52fcb1   ........
   00000032212fdb88: 0000010ff5ca0981   ........
   00000032212fdb90: 0000000d00000000   ........ Smi(13) INTERNAL frame marker
   00000032212fdb98: 00000032212fdcb0 S ........  [+35]=00000032212fdd61 S

Change-Id: I56bd7e6723a34bcb668719246dd5ff2898224928
Reviewed-on: https://chromium-review.googlesource.com/461862Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44269}

BUG=v8:5807

Review-Url: https://codereview.chromium.org/2781363002
Cr-Commit-Position: refs/heads/master@{#44268}

GetProperty(result, groups) needs to be called iff the
harmony-regexp-named-captures flag is enabled.

Also add a couple of DCHECKS.

BUG=v8:5437,chromium:706748

Review-Url: https://codereview.chromium.org/2786933002
Cr-Commit-Position: refs/heads/master@{#44267}

Compiler-generated copy constructor does not generate
correct code for this class, so make it move-only type.

Review-Url: https://codereview.chromium.org/2781993005
Cr-Commit-Position: refs/heads/master@{#44266}

We don't use it anywhere anymore.

BUG=

Change-Id: I9acd9c427c6af7422bbdf58088b61ceafd1ee655
Reviewed-on: https://chromium-review.googlesource.com/462968Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44265}

The inlining logic doesn't account for the fact that the derived
constructor could return a primitive, thus leaking the implicit
receiver (which is the hole).

R=jarin@chromium.org
BUG=chromium:706642

Review-Url: https://codereview.chromium.org/2788603002
Cr-Commit-Position: refs/heads/master@{#44264}

The source set only contained a header file, which caused problems
when compiling a static library with VS.

R=machenbach@chromium.org
BUG=v8:6158

Change-Id: I3eed4a888e72cf6a2917190e4a1db7b38006cd0c
Reviewed-on: https://chromium-review.googlesource.com/463027Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44263}

The parameter indices are shifted by 1 in BytecodeArrayBuilder
because the receiver is variable at index 0 and not -1.

Split BytecodeArrayBuilder::Parameter(index) method into
Receiver() (same as Parameter(-1)) and
Parameter(index).

This way we avoid confusing (index+1) counting in BytecodeGenerator().

BUG=

Change-Id: Id87ec7c708cecfc3108011994f3177f483772bcc
Reviewed-on: https://chromium-review.googlesource.com/461904Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44262}

R=clemensh@chromium.org
BUG=v8:6127

Change-Id: I5e1b0d3efdf7f4aede7da83a35c072b5ac85d5c7
Reviewed-on: https://chromium-review.googlesource.com/463026Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44261}

R=clemensh@chromium.org
BUG=v8:6127

Change-Id: I32d2a36cdc2a65c3e0016e49157524573755d09d
Reviewed-on: https://chromium-review.googlesource.com/461185
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44260}

Recognize the Boolean constructor calls in JSCallReducer and replace
them with simple JSToBoolean nodes.

R=yangguo@chromium.org
BUG=v8:5267,v8:6169

Review-Url: https://codereview.chromium.org/2782143003
Cr-Commit-Position: refs/heads/master@{#44259}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/133db8f..a634e44

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/0c870c7..d3a9107

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/e9e483c..c55112f

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I06d2c4aa29c143c1c8198d109679db2341532507
Reviewed-on: https://chromium-review.googlesource.com/462596Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44258}

Implemented l[w|h|b]arx and st[w|h|b]cx instructions which are
needed to perform atomic exchange. Also added synchronization
primitives similar to arm to simulate those instructions.

R=joransiu@ca.ibm.com, jyan@ca.ibm.com, binji@chromium.org, aseemgarg@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2754263004
Cr-Commit-Position: refs/heads/master@{#44257}

We need to split creating of console and installing memory getter and remove console.assert hack before migration to builtin. We can implement super fast console.assert after migration.

BUG=chromium:588893
R=dgozman@chromium.org
TBR=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2781883003
Cr-Commit-Position: refs/heads/master@{#44256}

Do final change to Chrome flags so that UMA will start collecting
separate statistics, using a "histogram_suffixes" format.

Corresponding changes to chromium are in:

CL https://codereview.chromium.org/2781163002

BUG=chromium:704922
R=bradnelson@chromium.org,bbudge@chromium.org

Review-Url: https://codereview.chromium.org/2781073003
Cr-Commit-Position: refs/heads/master@{#44255}

Method should be ready to symbols inside of queue_arr.

BUG=v8:6168
R=gsathya@chromium.org

Review-Url: https://codereview.chromium.org/2782893003
Cr-Commit-Position: refs/heads/master@{#44254}

Port 5615e5b8

Original Commit Message:

    This hopefully shrinks binary size a bit, at the cost of (slightly)
    increasing the complexity of the ResumeGenerator stub. Includes ia32,
    x64, mips, mips64, arm and arm64 ports.

R=caitp@igalia.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:5855
LOG=N

Review-Url: https://codereview.chromium.org/2783043002
Cr-Commit-Position: refs/heads/master@{#44253}

This step is no longer necessary after https://codereview.chromium.org/2775913002/

BUG=chromium:705072

Review-Url: https://codereview.chromium.org/2774043002
Cr-Commit-Position: refs/heads/master@{#44252}

With this CL we don't need to store reference to InspectedContext inside of JavaScript console object and able to get all required information from callback data.
It allows us to implement console methods without taking in account how and where we create and store these methods:
- later we can move console object implementation to builtins..
- ..and install command line API methods smarter.

BUG=chromium:588893
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2784713002
Cr-Original-Original-Commit-Position: refs/heads/master@{#44212}
Committed: https://chromium.googlesource.com/v8/v8/+/908cd38123df33ce293e4c8d25e407f7ca915f4c
Review-Url: https://codereview.chromium.org/2784713002
Cr-Original-Commit-Position: refs/heads/master@{#44238}
Committed: https://chromium.googlesource.com/v8/v8/+/88f71126a5c067f98c75044bc26778f2e8ea2e79
Review-Url: https://codereview.chromium.org/2784713002
Cr-Commit-Position: refs/heads/master@{#44251}

The regression comes from attempting to serialize a module with memory
requirements after instantiation - which is what happens in common emscripten
scenarios, where the module is obtained from WebAssembly.instantiate(buffer). We then try and serialize the JSArrayBuffer
representing the instance memory. That operation fails.

Added regression test and also extended the test to cover the other 2
instance-specific values - globals and tables.

Added a discussion on WasmCompiledModule (comments) explaining design decisions.

BUG=chromium:705562

Review-Url: https://codereview.chromium.org/2784453002
Cr-Commit-Position: refs/heads/master@{#44250}

kRuntimeCallStatsTracingEnabled was used as a global flag for runtime stats in
tracing, now it is no longer used.

TBR=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2780293002
Cr-Commit-Position: refs/heads/master@{#44249}

This removes the debug information (i.e. direct references to the parser
source file) from the message, hence making messages consistent between
release and debug mode. The debug information can now be printed via the
new --trace-asm-parser flag.

Also adds two message test cases, showcasing that expected output can
now be tested. More tests might be added to the message test suite later
whenever it makes sense.

R=clemensh@chromium.org
BUG=v8:6127

Change-Id: I348044356896442ff9be2d638a564c82fec7a51c
Reviewed-on: https://chromium-review.googlesource.com/461942
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44248}

Port bf463c4d

Original Commit Message:

    - Introduce new struct AsyncGeneratorRequest, which holds
      information pertinent to resuming execution of an
      AsyncGenerator, such as the Promise associated with the async
      generator request. It is intended to be used as a singly
      linked list, and holds a pointer to the next item in te queue.

    - Introduce JSAsyncGeneratorObject (subclass of
      JSGeneratorObject), which includes several new internal fields
      (`queue` which contains a singly linked list of
      AsyncGeneratorRequest objects, and `await_input` which
      contains the sent value from an Await expression (This is
      necessary to prevent function.sent (used by yield*) from
      having the sent value observably overwritten during
      execution).

    - Modify SuspendGenerator to accept a set of Flags, which
      indicate whether the suspend is for a Yield or Await, and
      whether it takes place on an async generator or ES6
      generator.

    - Introduce interpreter intrinsics and TF intrinsic lowering for
      accessing the await input of an async generator

    - Modify the JSGeneratorStore operator to understand whether or
      not it's suspending for a normal yield, or an AsyncGenerator
      Await. This ensures appropriate registers are stored.

    - Add versions of ResumeGeneratorTrampoline which store the
      input value in a different field depending on wether it's an
      AsyncGenerator Await resume, or an ordinary resume. Also modifies
      whether debug code will assert that the generator object is a
      JSGeneratorObject or a JSAsyncGeneratorObject depending on the
      resume type.

R=caitp@igalia.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:5855
LOG=N

Review-Url: https://codereview.chromium.org/2780283002
Cr-Commit-Position: refs/heads/master@{#44247}

Revert of [inspector] console get all information from inspector when needed (patchset #5 id:80001 of https://codereview.chromium.org/2784713002/ )

Reason for revert:
One more failed layout test.

Original issue's description:
> [inspector] console get all information from inspector when needed
>
> With this CL we don't need to store reference to InspectedContext inside of JavaScript console object and able to get all required information from callback data.
> It allows us to implement console methods without taking in account how and where we create and store these methods:
> - later we can move console object implementation to builtins..
> - ..and install command line API methods smarter.
>
> BUG=chromium:588893
> R=dgozman@chromium.org
>
> Review-Url: https://codereview.chromium.org/2784713002
> Cr-Original-Commit-Position: refs/heads/master@{#44212}
> Committed: https://chromium.googlesource.com/v8/v8/+/908cd38123df33ce293e4c8d25e407f7ca915f4c
> Review-Url: https://codereview.chromium.org/2784713002
> Cr-Commit-Position: refs/heads/master@{#44238}
> Committed: https://chromium.googlesource.com/v8/v8/+/88f71126a5c067f98c75044bc26778f2e8ea2e79

TBR=dgozman@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:588893

Review-Url: https://codereview.chromium.org/2778743007
Cr-Commit-Position: refs/heads/master@{#44246}

BUG=v8:6171
TBR=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2785523004
Cr-Commit-Position: refs/heads/master@{#44245}

This hopefully shrinks binary size a bit, at the cost of (slightly)
increasing the complexity of the ResumeGenerator stub. Includes ia32,
x64, mips, mips64, arm and arm64 ports.

BUG=v8:5855
R=rmcilroy@chromium.org, paul.lind@imgtec.com, bmeurer@chromium.org, neis@chromium.org

Change-Id: I848ce08afd828091a11e03c89d5be065ff557ef3
Reviewed-on: https://chromium-review.googlesource.com/461303
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44244}

Add a few explanations to the documentation several methods and classes,
in particular Local, MaybeLocal, the HandleScopes.

Drive-by-fix: turn a few regular comments into documentation comments.

BUG=

Review-Url: https://codereview.chromium.org/2783843002
Cr-Commit-Position: refs/heads/master@{#44243}

This flushed out a number of bugs.

To reproduce, remove the inspector.status file entries, build with GN,
and run `tools/run-tests.py --gn --exhaustive-variants inspector`.

R=mstarzinger@chromium.org
BUG=v8:6165,v8:6166,v8:6167,v8:6168,v8:6170,v8:6171

Review-Url: https://codereview.chromium.org/2777413005
Cr-Commit-Position: refs/heads/master@{#44242}

R=bjaideep@ca.ibm.com, jyan@ca.ibm.com, joransiu@ca.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/2775413002
Cr-Commit-Position: refs/heads/master@{#44241}

- Introduce new struct AsyncGeneratorRequest, which holds
  information pertinent to resuming execution of an
  AsyncGenerator, such as the Promise associated with the async
  generator request. It is intended to be used as a singly
  linked list, and holds a pointer to the next item in te queue.

- Introduce JSAsyncGeneratorObject (subclass of
  JSGeneratorObject), which includes several new internal fields
  (`queue` which contains a singly linked list of
  AsyncGeneratorRequest objects, and `await_input` which
  contains the sent value from an Await expression (This is
  necessary to prevent function.sent (used by yield*) from
  having the sent value observably overwritten during
  execution).

- Modify SuspendGenerator to accept a set of Flags, which
  indicate whether the suspend is for a Yield or Await, and
  whether it takes place on an async generator or ES6
  generator.

- Introduce interpreter intrinsics and TF intrinsic lowering for
  accessing the await input of an async generator

- Modify the JSGeneratorStore operator to understand whether or
  not it's suspending for a normal yield, or an AsyncGenerator
  Await. This ensures appropriate registers are stored.

- Add versions of ResumeGeneratorTrampoline which store the
  input value in a different field depending on wether it's an
  AsyncGenerator Await resume, or an ordinary resume. Also modifies
  whether debug code will assert that the generator object is a
  JSGeneratorObject or a JSAsyncGeneratorObject depending on the
  resume type.

BUG=v8:5855
R=bmeurer@chromium.org, rmcilroy@chromium.org, jgruber@chromium.org,
littledan@chromium.org, neis@chromium.org
TBR=marja@chromium.org

Change-Id: I9d58df1d344465fc937fe7eed322424204497187
Reviewed-on: https://chromium-review.googlesource.com/446961
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44240}

- Fix opcode names to be consistent with opcodes as in wasm-opcodes.h
- Fix Ordering of Ops, inconsistencies

BUG=v8:6020

Review-Url: https://codereview.chromium.org/2776753004
Cr-Commit-Position: refs/heads/master@{#44239}

With this CL we don't need to store reference to InspectedContext inside of JavaScript console object and able to get all required information from callback data.
It allows us to implement console methods without taking in account how and where we create and store these methods:
- later we can move console object implementation to builtins..
- ..and install command line API methods smarter.

BUG=chromium:588893
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2784713002
Cr-Original-Commit-Position: refs/heads/master@{#44212}
Committed: https://chromium.googlesource.com/v8/v8/+/908cd38123df33ce293e4c8d25e407f7ca915f4c
Review-Url: https://codereview.chromium.org/2784713002
Cr-Commit-Position: refs/heads/master@{#44238}

Apart from that this patch adds kVisitJSObjectFast for JSObjects that
do not have any unboxed double fields and can be visited without
run-time layout check.

BUG=chromium:694255

Review-Url: https://codereview.chromium.org/2763413007
Cr-Commit-Position: refs/heads/master@{#44237}

BUG=chromium:694255

Review-Url: https://codereview.chromium.org/2783873002
Cr-Commit-Position: refs/heads/master@{#44236}

There's no need to set it so early - it's only needed when the function has
really been parsed. This way we don't need to produce and store it for skipped
inner functions.

BUG=v8:5516

Change-Id: Ida2abd44b494030771b5663a8eb326edb0a53b72
Reviewed-on: https://chromium-review.googlesource.com/461160Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44235}

This reverts commit b606e1b6.

No longer flakes since
https://crrev.com/f6929084821d4f021b2c2768c9856472ffa42623

BUG=v8:5807
TBR=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2782173002
Cr-Commit-Position: refs/heads/master@{#44234}

Previously code view was set using innerHTML. This would cause problems
for html characters in the code -- in particular, '<' without a space
after it would start new HTML tags, and the code following it wouldn't
be visible.

Now, the source text is set using textContent, which doesn't parse the
value as HTML and implicitly escapes any HTML characters in the code.

Change-Id: I612a18c37bbb4da6a87063bb39d7f7123a3c4c0d
Reviewed-on: https://chromium-review.googlesource.com/461826Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44233}