Per https://tc39.github.io/ecma262/#sec-array.prototype.concat, step 6.

Bug: v8:6707, v8:6708
Change-Id: Iad3eb94a3b5fe35e5ecd1b8632612a7f2f169434
Reviewed-on: https://chromium-review.googlesource.com/636695
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47654}

This makes sure the minimum memory size for WebAssembly modules derived
from asm.js is set to zero. It allows instatiation without allocating an
underlying memory, when such memory is unused. It also fixes a bug in
patching of embedded memory sizes for asm.js modules.

R=ahaas@chromium.org
TEST=mjsunit/regress/regress-crbug-759327
BUG=chromium:759327

Change-Id: If5a965b96a03cbb5ba15bc41fbaf359f74961f41
Reviewed-on: https://chromium-review.googlesource.com/637912
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47646}

We cannot assume that the receiver is a JSObject, nor can we assume
ToObject() completes successfully.

TBR=yangguo@chromium.org

Bug: chromium:739954
Change-Id: Id55571131ef8755e86f15cd2acb918ff0f1b7788
Reviewed-on: https://chromium-review.googlesource.com/632376Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47611}

The Uint32(limit) conversion can end up transitioning the regexp
instance to slow mode. In this case we need to bail out to runtime while
ensuring that ToUint32 is not observably called a second time. We do
this by passing the already-converted value to runtime.

This particular path was broken and we ended up passing the original
maybe_limit value to runtime instead.

TBR=yangguo@chromium.org

Bug: chromium:758763
Change-Id: If7f23b452d2e134ad9be3d4ef1d78d1c946fcef0
Reviewed-on: https://chromium-review.googlesource.com/635588Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47609}

Bug: chromium:757199, chromium:758773, chromium:758821
Change-Id: I70644853770501b13992bd7bf78d168ca2308d64
Reviewed-on: https://chromium-review.googlesource.com/635223Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47603}

This makes sure instantiate of asm.js modules fails gracefully on heap
buffers exceeding the uint32_t range supported by WebAssembly.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-754175
BUG=chromium:754175

Change-Id: I4a9c6791beaab6da826b5b6b5a495f97e9d3b4e9
Reviewed-on: https://chromium-review.googlesource.com/632618Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47598}

This reverts commit 8974b75b.

Reason for revert: In hindsight, the CL made only partially sense and causes unnecessary IC-misses.

Original change's description:
> [runtime] Deprecate old prototype maps
> 
> Bug: chromium:757199
> Change-Id: I5936fab1784ebf8de6eddd3b2bec0e2cf1b73f82
> Reviewed-on: https://chromium-review.googlesource.com/632317
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Camillo Bruni <cbruni@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47581}

TBR=cbruni@chromium.org,ishell@chromium.org

Change-Id: I9f43a5f8c5242f575346f47c24377dd832eeccd1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:757199
Reviewed-on: https://chromium-review.googlesource.com/634906Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47594}

Bug: chromium:757199
Change-Id: I5936fab1784ebf8de6eddd3b2bec0e2cf1b73f82
Reviewed-on: https://chromium-review.googlesource.com/632317Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47581}

Initialize the code table with a valid default (e.g. illegal builtin),
otherwise we're invalidating assumptions when relocating.

Bug: chromium:757217
Change-Id: I77890f1fe0e31534d9844d2e91694df1ec185110
Reviewed-on: https://chromium-review.googlesource.com/630097Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47560}

BytecodeGenerator previously assumed that any UNALLOCATED variable
must be a global object property, but that's incorrect for global
lexical variables declared in a different script.

This patch fixes the behavior by always falling back to the runtime
to deal with deleting UNALLOCATED variables. This is sub-optimal,
but should be correct, and it's unclear if speed is important for
this case.

Bug: v8:6733
Change-Id: I83c2a0b6e30e5e5f4c79bfe14ebf196529816c71
Reviewed-on: https://chromium-review.googlesource.com/627636Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47554}

Due to shortcuts we take on the RegExp.p[@@split] fast path (we don't allocate
a new instance), we need to send sticky regexps to the slow path.

The problem is a slight impedance mismatch between the spec and our fast-path
implementation.

Spec: Creates a new regexp instance `splitter` that is guaranteed to be sticky,
uses `splitter.lastIndex` to advance the search range, advances by itself using
AdvanceStringIndex if `splitter` did not match at the current position.

Our fast path: Uses the given regexp instance and does not modify stickyness,
uses last_match_info to advance search range, returns (and assumes no more
matches) once RegExpExecInternal fails to match.

This is fine if the given regexp is non-sticky, since 1. the value of lastIndex
is ignored, and 2. non-sticky regexps match if a match is found anywhere in the
string, not just exactly at the current lastIndex.

Sticky regexps though are a problem. If no match is found exactly at the current
position, @@split assumes no more matches and exits.

In a follow-up, we could explore other options, such as allocating a new
instance or saving/restoring flags and lastIndex.

Bug: v8:6706
Change-Id: I6da2266df72b2f80f00c1ce3cd7c8655de91f680
Reviewed-on: https://chromium-review.googlesource.com/626065Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47543}

R=tebbi@chromium.org
TEST=mjsunit/regress/regress-crbug-755044
BUG=chromium:755044

Change-Id: I909eeeccaf4e4e9757a2f952c00f557ee6c495ee
Reviewed-on: https://chromium-review.googlesource.com/625878Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47510}

This makes sure that shift expressions (not wrapped in parentheses) can
appear as part of the index in a valid heap access expression. Only the
last operand of a sequence of shift expressions is taken into account
when validating the heap access.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-6700
BUG=v8:6700,chromium:754751

Change-Id: Icc7a71bd64461da4d3daea41b995964e3dfc6dc6
Reviewed-on: https://chromium-review.googlesource.com/623811
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47497}

If the elements fixed array is large enough, it must be allocated in
large-object space. This fixes two cases in which we'd incorrectly
assume elements fits into new space.

There are potentially quite a few other spots affected by a similar
issue, and we should find a more robust solution. See also:
crbug.com/636391.

Bug: v8:6716
Change-Id: I91f09355ac6b7cf399e13cc21d34113a506e58fb
Reviewed-on: https://chromium-review.googlesource.com/623808Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47495}

Before 983eec89, RewritableExpressions
which had been queued for destructuring assignment rewriting but which
turned out to be part of a binding pattern in arrow function parameters
would be silently ignored by the PatternRewriter. After that CL, they
failed with a DCHECK.

This patch reverts to the previous behavior, with a TODO to handle this
in a better way by dequeuing RewritableExpressions that turned out
to be part of an inner arrow function.

Bug: chromium:756332
Change-Id: I0a9bf51499940c944034d9a8128e89950de38059
Reviewed-on: https://chromium-review.googlesource.com/619506Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47435}

The crash used to happen when trap is a Smi.

Bug: chromium:756608
Change-Id: I0a6f0328afc64d8e521b5b370a291f9aef6b08d0
Reviewed-on: https://chromium-review.googlesource.com/620647Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Maya Lekova <mslekova@google.com>
Cr-Commit-Position: refs/heads/master@{#47429}

This is a reland of 21da12a9
Original change's description:
> [Compiler] Remove CompileDebugCode and EnsureBytecode and replace with Compile
> 
> Removes the Compiler::CompileDebugCode and Compiler::EnsureBytecode functions
> and replaces them with a Compiler::Compile(Handle<SharedFunctionInfo> shared)
> function. The code in compiler.cc is refactored to use this function to compile
> the SharedFunctionInfo when compiling a JSFunction.
> 
> Also does some other cleanup:
>  - Removes CompileUnoptimizedFunction and inlines into new Compiler function
>  - Moves code to create top level SharedFunctionInfo into CompilerTopLevel and
>    out of FinalizeUnoptimizedCompile.
> 
> BUG=v8:6409
> 
> Change-Id: Ic54afcd8eb005c17f3ae6b2355060846e3091ca3
> Reviewed-on: https://chromium-review.googlesource.com/613760
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47394}

TBR=yangguo@chromium.org
TBR=jarin@chromium.org

Bug: v8:6409
Change-Id: If2eae66a85f129e746a5ca5c04935540f3f86b04
Reviewed-on: https://chromium-review.googlesource.com/618886Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47399}

This reverts commit 21da12a9.

Reason for revert: Failing on arm64 simulator

Original change's description:
> [Compiler] Remove CompileDebugCode and EnsureBytecode and replace with Compile
> 
> Removes the Compiler::CompileDebugCode and Compiler::EnsureBytecode functions
> and replaces them with a Compiler::Compile(Handle<SharedFunctionInfo> shared)
> function. The code in compiler.cc is refactored to use this function to compile
> the SharedFunctionInfo when compiling a JSFunction.
> 
> Also does some other cleanup:
>  - Removes CompileUnoptimizedFunction and inlines into new Compiler function
>  - Moves code to create top level SharedFunctionInfo into CompilerTopLevel and
>    out of FinalizeUnoptimizedCompile.
> 
> BUG=v8:6409
> 
> Change-Id: Ic54afcd8eb005c17f3ae6b2355060846e3091ca3
> Reviewed-on: https://chromium-review.googlesource.com/613760
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47394}

TBR=rmcilroy@chromium.org,yangguo@chromium.org,jarin@chromium.org,leszeks@chromium.org

Change-Id: I4ba63e82417a185f1528ff2633eb6c8872fbbfe5
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6409
Reviewed-on: https://chromium-review.googlesource.com/618687Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47397}

Removes the Compiler::CompileDebugCode and Compiler::EnsureBytecode functions
and replaces them with a Compiler::Compile(Handle<SharedFunctionInfo> shared)
function. The code in compiler.cc is refactored to use this function to compile
the SharedFunctionInfo when compiling a JSFunction.

Also does some other cleanup:
 - Removes CompileUnoptimizedFunction and inlines into new Compiler function
 - Moves code to create top level SharedFunctionInfo into CompilerTopLevel and
   out of FinalizeUnoptimizedCompile.

BUG=v8:6409

Change-Id: Ic54afcd8eb005c17f3ae6b2355060846e3091ca3
Reviewed-on: https://chromium-review.googlesource.com/613760
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47394}

'9. Let targetName be ? Get(Target, "name").' didn't produce required
side effects.

Bug: v8:6712
Change-Id: Iebf007b4e93ebbf9c6c85c9729d972a8c1a7b129
Reviewed-on: https://chromium-review.googlesource.com/616727Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47393}

In the case of a function constructor or eval, we create a new script
object which doesn't have a script name. In this case, we traverse
upwards on the list of SFI's through script->eval_from_shared() to get
the outermost script that was not an eval script and get the script
name from that script.

Bug: chromium:746909, v8:6683, v8:5785
Change-Id: I430459f632a0e3b18fc3111a5cf1c00cedb9f520
Reviewed-on: https://chromium-review.googlesource.com/606701
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47352}

It expected its argument to be a JSFunction, but fuzzer tests can
pass anything. Non-JSFunction arguments should just silently be
ignored, just like similar CF-whitelisted runtime functions do.

Bug: chromium:754177
Change-Id: I41b29528bbe72f24b3d84f021b22602160769d26
Reviewed-on: https://chromium-review.googlesource.com/610706Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47316}

This is a reland of edc4ae14

With fixes for crbug.com/752846, crbug.com/752712, crbug.com/752850

Previously landed as: 47a97aa5 / 47113
Previously landed as: 15ef03cb / 47159
Previously landed as: e86c066b / 47235
Previously landed as: edc4ae14 / 47245

TBR=jkummerow@chromium.org, franzih@chromium.org, bmeurer@chromium.org,
jgruber@chromium.org, mstarzinger@chromium.org

Bug: v8:6559, v8:6557
Change-Id: I956486e90aab36ba95676bd4ec2febebed509fc1
Reviewed-on: https://chromium-review.googlesource.com/609781Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Commit-Queue: Maya Lekova <mslekova@google.com>
Cr-Commit-Position: refs/heads/master@{#47299}

When lazy-compiling, it is important we reconstitute the
ModuleEnv accurately. Besides addressing a bug, this change
also does away with the need to relocate memory and globals
parameters (in lazy compilation), by using "the right ones" upfront.

Bug: chromium:753496
Change-Id: I1412a499f05d02d49319fced1b3047698328f3b5
Reviewed-on: https://chromium-review.googlesource.com/609376Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47280}

This is in preparation to the removal of the FullCodeGenerator, we no
longer need the ability to stress the underlying implementation.

R=rmcilroy@chromium.org
BUG=v8:6409

Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Iad3177d6de4a68b57c12a770b6e85ed7a9710254
Reviewed-on: https://chromium-review.googlesource.com/584747Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47276}

This changes the DCHECK (which could correctly fail) to be part of the
conditional that checks if we're in an async function.

Bug: chromium:751789
Change-Id: I3b8c1239ac93190055622c41fa1122e83b69d255
Reviewed-on: https://chromium-review.googlesource.com/607356Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47261}

Because SizeFor only returns aligned values, when we check values
returned there against kMaxSize, they can be larger if they were
rounded up.

It wasn't possible to write a test for the 2-byte version that didn't
regularly OOM.

Bug: chromium:752764
Change-Id: Id2f387449e0fafe633a2fde1ac728be31487f62d
Reviewed-on: https://chromium-review.googlesource.com/607935Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47252}

BUG=chromium:752423
R=mtrofin@chromium.org,bradnelson@chromium.org

Change-Id: Ie6d80a82cd40b598e917a79842e6639e73be9194
Reviewed-on: https://chromium-review.googlesource.com/606587Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47251}

This reverts commit edc4ae14.

Reason for revert: There's still this problem:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug/builds/5835

Original change's description:
> Reland ^3 "[builtins] Port getting property from Proxy to CSA""
> 
> This is a reland of e86c066b
>  
> With fixes for crbug.com/752846, crbug.com/752712, crbug.com/752850
> 
> Previously landed as: 47a97aa5 / 47113
> Previously landed as: 15ef03cb / 47159
> 
> TBR=jkummerow@chromium.org, franzih@chromium.org, bmeurer@chromium.org,
> jgruber@chromium.org, mstarzinger@chromium.org
> 
> Bug: v8:6559, v8:6557
> Change-Id: I12ccae44331b05dd3f304ac538c0154133b43c35
> Reviewed-on: https://chromium-review.googlesource.com/608187
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47245}

TBR=jkummerow@chromium.org,mstarzinger@chromium.org,neis@chromium.org,franzih@chromium.org,jgruber@chromium.org,ishell@chromium.org,bmeurer@chromium.org,mslekova@google.com

Change-Id: Ib46b68f011c056675f2024f91c7f1024767b4dd0
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6559, v8:6557
Reviewed-on: https://chromium-review.googlesource.com/608189Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47247}

This is a reland of e86c066b
 
With fixes for crbug.com/752846, crbug.com/752712, crbug.com/752850

Previously landed as: 47a97aa5 / 47113
Previously landed as: 15ef03cb / 47159

TBR=jkummerow@chromium.org, franzih@chromium.org, bmeurer@chromium.org,
jgruber@chromium.org, mstarzinger@chromium.org

Bug: v8:6559, v8:6557
Change-Id: I12ccae44331b05dd3f304ac538c0154133b43c35
Reviewed-on: https://chromium-review.googlesource.com/608187Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47245}

This fixes a bug affecting module namespace objects, which are currently
implemented using native accessors.

Bug: v8:6681, v8:1569
Change-Id: I6a678652573a332c47315497d927c390d9da0926
Reviewed-on: https://chromium-review.googlesource.com/606027
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47238}

This reverts commit e86c066b.

Reason for revert: <INSERT REASONING HERE>

Original change's description:
> Reland^2 "[builtins] Port getting property from Proxy to CSA"
> 
> With fixes for crbug.com/752846, crbug.com/752712, crbug.com/752850
> 
> Previously landed as: 47a97aa5 / 47113
> Previously landed as: 15ef03cb / 47159
> 
> Bug: v8:6559, v8:6557
> This is a reland of 15ef03cb
> 
> Change-Id: Ia53ffb80ebe44581fdb923d9f572be92ee3ed080
> Reviewed-on: https://chromium-review.googlesource.com/603796
> Commit-Queue: Maya Lekova <mslekova@google.com>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47235}

TBR=jkummerow@chromium.org,mstarzinger@chromium.org,franzih@chromium.org,jgruber@chromium.org,ishell@chromium.org,bmeurer@chromium.org,mslekova@google.com

Change-Id: Ibf0b9f786f3df247acaf9e7ffe9f49ec1db905d8
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6559, v8:6557
Reviewed-on: https://chromium-review.googlesource.com/607928Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47236}

With fixes for crbug.com/752846, crbug.com/752712, crbug.com/752850

Previously landed as: 47a97aa5 / 47113
Previously landed as: 15ef03cb / 47159

Bug: v8:6559, v8:6557
This is a reland of 15ef03cb

Change-Id: Ia53ffb80ebe44581fdb923d9f572be92ee3ed080
Reviewed-on: https://chromium-review.googlesource.com/603796
Commit-Queue: Maya Lekova <mslekova@google.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47235}

This avoid introduction of {TypeGuard} nodes during load elimination.
Such type guard could lead to contradicting type information where a
constant {NumberConstant} node was guarded to have {ExternalPointer}
type, which would lead to an impossible constraint on representation
selection.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-752826
BUG=chromium:752826

Change-Id: Ida3815af24ccc8a48474b8d66117b9718f61adda
Reviewed-on: https://chromium-review.googlesource.com/605547Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47218}

This code appears to have been wrong forever, as it only
threw in strict mode (presumably predating ES2015 const).

In order to get exactly the right behavior, special
handling of sloppy named function expressions is required.
Rather than polluting PropertyAttributes with another
dummy value, this CL simply adds a bool output argument
to Context::Lookup to indicate that case.

Bug: v8:6677
Change-Id: I34daa5080d291808f10cbaefc91d716f0b22963b
Reviewed-on: https://chromium-review.googlesource.com/602690Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47207}

The ConstructFunctionForwardVarargs and ConstructForwardVarargs
builtins, which are used when inlining the Reflect.construct
builtin into TurboFan optimized code, didn't properly check the
new.target parameter whether it's a constructor.

Bug: chromium:752481
Change-Id: I9b8f8c429d6eaed0ff8d27fc3f6b52eb906766a2
Reviewed-on: https://chromium-review.googlesource.com/604187
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47206}

This fixes a missing fast-path check in the code-stub implementation of
the {Array.prototype.filter} method. Appending to the target JSArray is
only correct if the underlying length did not change.

R=jgruber@chromium.org
TEST=mjsunit/regress/regress-6657
BUG=v8:6657

Change-Id: Ida8d3511485b649b70d9a4b161742d494ebe4dac
Reviewed-on: https://chromium-review.googlesource.com/600467Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47156}

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-751715
BUG=chromium:751715

Change-Id: Ibc5d2ce958b6f0c94b41926eb215e81d70833a9d
Reviewed-on: https://chromium-review.googlesource.com/598227Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47108}

This behavior has been staged successfully without a bug report, and
has been shipped in the latest versions of Firefox and Safari.

Bug: v8:5070
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I084cae2cc303d6a213bd6789297b91656e162d6b
Reviewed-on: https://chromium-review.googlesource.com/595129Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47098}

This fixes a corner case of rewriting the transition trees, where the
"interesting symbols" bit was not properly forwarded.

Drive-by-fix: Introduce additional checking in Map::ConnectTransition to
make it easier for clusterfuzz to detect cases we might have missed.

R=mstarzinger@chromium.org

Bug: chromium:751109
Change-Id: I3f1a1e6232db9b3694064b3d4e9f37255b018acc
Reviewed-on: https://chromium-review.googlesource.com/597669Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47075}