This was exposed on win64 and manifested as a negative offset during
stack frame collection, i.e. pc < Code::instruction_start() for a
BUILTIN frame.

This happened because StackFrame::LookupCode returns the wrong code
object when call is the last instruction in a code object:
* pc is actually the return address for all but the topmost frame.
* pc points at the next instruction after the call.
* This is beyond the current code object if call is the last
  instruction.
* Lookup itself is naive in that it just returns the first code object
  for which (next_code_obj_addr > pc). It does not check that pc is
  actually within [instruction_start, instruction_end[.
* In this specific case, the pc (== return address) actually pointed
  at the beginning of the header of the next code object.
* We finally calculated offset as (code->instruction_start() - pc),
  but with the wrong code object.

This should be followed up by a proper fix at some point. For instance,
this could be setting pc to (return address - 1) for all but the topmost
frame.

BUG=v8:5311

Review-Url: https://codereview.chromium.org/2284673002
Cr-Commit-Position: refs/heads/master@{#38996}

Rolling v8/build to 52f474cdb9e67007b938fd4a47220cb3c012e5e8

Rolling v8/third_party/WebKit/Source/platform/inspector_protocol to 84d90b2cc3f01a39bf73a8119a5cec0337d00c9f

Rolling v8/tools/clang to 3e1948978834c16073c1b076410df1a80adda1f5

Rolling v8/tools/mb to ac239cc82ef08858d6f2b75216dd13afcdbc6ac3

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2289063002
Cr-Commit-Position: refs/heads/master@{#38995}

Fixes the MIPS big-endian build after https://codereview.chromium.org/2276733002/ .

BUG=

Review-Url: https://codereview.chromium.org/2296473002
Cr-Commit-Position: refs/heads/master@{#38994}

  port 56429fc1 (r38978)

  original commit message:
  Introduced MachineType::TaggedSigned() and TaggedPointer().

  The idea is to quit using the representational dimension of Type, and
  instead encode this information in the MachineRepresentation (itself
  lightly wrapped in MachineType, along with MachineSemantic).

  There are three parts to the whole change:

  1) Places that set the machine representation - constant nodes, loads nad
     stores, global object and native context specialization.

  2) Places that propagate type/representation - this is representation
     inference (aka simplified lowering). At the end of this process we
     expect to have a MachineRepresentation for every node. An interesting
     part of this is phi merging.

  3) Places that examine representation - WriteBarrier elimination does this.
     Currently it's looking at the Type representation dimension, but as
     a part of this change (or in a soon-to-follow change) it can simply
     examine the MachineRepresentation.

BUG=

Review-Url: https://codereview.chromium.org/2293603003
Cr-Commit-Position: refs/heads/master@{#38993}

  port 1915762c (r38968)

  original commit message:
  These JavaScript operators were special hacks to ensure that we always
  operate on Smis for the magic for-in index variable, but this never
  really worked in the OSR case, because the OsrValue for the index
  variable didn't have the proper information (that we have for the
  JSForInPrepare in the non-OSR case).

  Now that we have loop induction variable analysis and binary operation
  hints, we can just use JSLessThan and JSAdd instead with appropriate
  Smi hints, which handle the OSR case by inserting Smi checks (that are
  always true). Thanks to OSR deconstruction and loop peeling these Smi
  checks will be hoisted so they don't hurt the OSR case too much.

  Drive-by-change: Rename the ForInDone bytecode to ForInContinue, since
  we have to lower it to JSLessThan to get the loop induction variable
  goodness.

BUG=

Review-Url: https://codereview.chromium.org/2286353003
Cr-Commit-Position: refs/heads/master@{#38992}

TBR=machenbach@chromium.org
BUG=chromium:635798,chromium:638295

Review-Url: https://codereview.chromium.org/2288813003
Cr-Commit-Position: refs/heads/master@{#38991}

This unblocks moving off having to hold on to a compiled module
template.

Once we don't have the template, when we have a single instance, the
instance and wasm module share the same compiled code. We will want
to clear that code off instance-specific stuff, when the instance is
unreferenced and should be GC-ed (stuff like the instance heap, for
instance). However, the deopt data will maintain a strong reference,
blocking the GC: the module object strongly references the compiled
code, which strongly references the instance object through the deopt
data.

This change addresses that by making that last reference weak.

BUG=v8:5316

Review-Url: https://codereview.chromium.org/2284683005
Cr-Commit-Position: refs/heads/master@{#38990}

BUG=None
TEST=None
R=mtrofin@chromium.org

Review-Url: https://codereview.chromium.org/2290803002
Cr-Commit-Position: refs/heads/master@{#38989}

Review-Url: https://codereview.chromium.org/2290583002
Cr-Commit-Position: refs/heads/master@{#38988}

This adds:
* A script (tools/update-wasm-fuzzers.sh), which creates a new fuzzing seed
  corpus and uploads to google storage (you must have the right credentials).
* A new pair of DEPS entries to pull in the current version of the corpus
  based on a checked in pair of hash files.

BUG=None
TEST=None
R=ahaas@chromium.org,kcc@chromium.org,mvstanton@chromium.org

Review-Url: https://codereview.chromium.org/2273303002
Cr-Commit-Position: refs/heads/master@{#38987}

Tail calls don't make sense from async functions and generators, as
each activation of these functions needs to make a new, distnict,
non-reused generator object. These tail calls are not required per
spec. This patch disables both syntactic and implicit tail calls
in async functions and generators.

R=neis
BUG=v8:5301,chromium:639270

Review-Url: https://codereview.chromium.org/2278413003
Cr-Commit-Position: refs/heads/master@{#38986}

V8 can use this metter to better estimate the amount of work that is still to be
done by the embedder. Supposed to be used to decide whether incremental marking
should be finalized or not.

BUG=chromium:468240
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2291613002
Cr-Commit-Position: refs/heads/master@{#38985}

The format of this is a little strange, and has to do with the previous
implementation maintaining a "stack" of objects as it works. As a result,
the format writes the array buffer before giving any hint that the reason
for doing so is to obtain a view wrapping it. Handling this without creating
an explicit on-heap stack requires checking whether the next tag is 'V'
after obtaining an array buffer.

BUG=chromium:148757

Review-Url: https://codereview.chromium.org/2287653002
Cr-Commit-Position: refs/heads/master@{#38984}

The new fuzzer constructs a dummy module header and uses the fuzzer
data only as function code.

R=titzer@chromium.org, jochen@chromium.org

Review-Url: https://codereview.chromium.org/2280623002
Cr-Commit-Position: refs/heads/master@{#38983}

Add comments to make it easier to browse the HTML documentation generated with Doxygen.

BUG=v8:5260

Review-Url: https://codereview.chromium.org/2290553003
Cr-Commit-Position: refs/heads/master@{#38982}

These DCHECKs are executed when a wasm module is instantiated. However,
invalid load/store offsets should trigger runtime traps, not
instantiation-time errors.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2285223002
Cr-Commit-Position: refs/heads/master@{#38981}

This additionally gets rid of old approach to global shortcuts.

BUG=v8:5209

Review-Url: https://codereview.chromium.org/2287173002
Cr-Commit-Position: refs/heads/master@{#38980}

Parser::Declare has a lot of Scope-related logic inside; especially it
does Lookup in Scope. Scope should be the class which knows how to
declare variables in different kinds of Scopes, not Parser.

BUG=

Review-Url: https://codereview.chromium.org/2280033002
Cr-Commit-Position: refs/heads/master@{#38979}

Introduced MachineType::TaggedSigned() and TaggedPointer().

The idea is to quit using the representational dimension of Type, and
instead encode this information in the MachineRepresentation (itself
lightly wrapped in MachineType, along with MachineSemantic).

There are three parts to the whole change:

1) Places that set the machine representation - constant nodes, loads nad
   stores, global object and native context specialization.

2) Places that propagate type/representation - this is representation
   inference (aka simplified lowering). At the end of this process we
   expect to have a MachineRepresentation for every node. An interesting
   part of this is phi merging.

3) Places that examine representation - WriteBarrier elimination does this.
   Currently it's looking at the Type representation dimension, but as
   a part of this change (or in a soon-to-follow change) it can simply
   examine the MachineRepresentation.

BUG=

Review-Url: https://codereview.chromium.org/2258073002
Cr-Commit-Position: refs/heads/master@{#38978}

BUG=
R=jarin

Review-Url: https://codereview.chromium.org/2287313002
Cr-Commit-Position: refs/heads/master@{#38977}

This removes test/webkit/fast/js/stack-overflow-arrity-catch.js, which tests that the stack overflows in a very particular way. It doesn't seem to test anything important, and only used to work because we didn't inline into try-blocks.

BUG=
R=jarin

Review-Url: https://codereview.chromium.org/2216353002
Cr-Commit-Position: refs/heads/master@{#38976}

If we know statically that x and y are both in Unsigned32 or NaN or -0,
and we have SignedSmall or Signed32 feedback for x % y, then we can take
the feedback on the inputs and lower to Uint32Mod.

Drive-by-fix: Refactor this logic into a separate method.

R=jarin@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2287303002
Cr-Commit-Position: refs/heads/master@{#38975}

- Make constants more interesting.
- Add an addition to be done after the inlined call in the try-block.
- On command line, have a bit more output.
- New alternative that deopts from unoptimized code.

BUG=
R=jarin

Review-Url: https://codereview.chromium.org/2285743002
Cr-Commit-Position: refs/heads/master@{#38974}

Infer exact types for the various Date getter builtins, and also inline
the Date.prototype.getTime() builtin, which just returns the Date value
and thus doesn't need to check the cache stamp.

R=epertoso@chromium.org

Review-Url: https://codereview.chromium.org/2285213002
Cr-Commit-Position: refs/heads/master@{#38973}

BUG=

Review-Url: https://codereview.chromium.org/2284303003
Cr-Commit-Position: refs/heads/master@{#38972}

BUG=chromium:639818
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2288693002
Cr-Commit-Position: refs/heads/master@{#38971}

Drop the typing rules for the machine operators and replace them
with UNREACHABLE. These typing rules were never correct and there's
also no need to have those rules at all.

Drive-by-fix: Remove the extremely annoying test-simplified-lowering.cc
file, which is not very useful, but consumes a large amount of time to
keep it compiling and passing. Instead we should introduce appropriate
tests for the SimplifiedLowering that also test something meaningful
w/o just cementing the implementation.

R=jarin@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2292463002
Cr-Commit-Position: refs/heads/master@{#38970}

This will be used for scope infos in a follow-up CL.

R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2277273002
Cr-Commit-Position: refs/heads/master@{#38969}

These JavaScript operators were special hacks to ensure that we always
operate on Smis for the magic for-in index variable, but this never
really worked in the OSR case, because the OsrValue for the index
variable didn't have the proper information (that we have for the
JSForInPrepare in the non-OSR case).

Now that we have loop induction variable analysis and binary operation
hints, we can just use JSLessThan and JSAdd instead with appropriate
Smi hints, which handle the OSR case by inserting Smi checks (that are
always true). Thanks to OSR deconstruction and loop peeling these Smi
checks will be hoisted so they don't hurt the OSR case too much.

Drive-by-change: Rename the ForInDone bytecode to ForInContinue, since
we have to lower it to JSLessThan to get the loop induction variable
goodness.

R=epertoso@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2289613002
Cr-Commit-Position: refs/heads/master@{#38968}

Used a BitField to for Variable fields instead of relying on the compiler, saving some memory probably.
This reduces sizeof(Variable) from 64 to 40 on x64

BUG=v8:5209

Committed: https://crrev.com/955606506c256ea389d6c4a8e07babfea512d190
Review-Url: https://codereview.chromium.org/2257493002
Cr-Original-Commit-Position: refs/heads/master@{#38891}
Cr-Commit-Position: refs/heads/master@{#38967}

R=jarin@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2291433003
Cr-Commit-Position: refs/heads/master@{#38966}

Typing these operators should never happen and doesn't make any sense
at all.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2286253002
Cr-Commit-Position: refs/heads/master@{#38965}

For asm.js we now have a dedicated AsmTyper, that uses it's own type
system (which is tailored towards asm.js), and so we don't need the
special asm.js types anymore in the TypeCache. This also moves the
TypeCache into the src/compiler directory, because it doesn't make
sense to use outside anyways.

TBR=ahaas@chromium.org
R=jarin@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2289573002
Cr-Commit-Position: refs/heads/master@{#38964}

There's no need to preserve the exact callee for lazy bailouts
from JSCallFunction in the AstGraphBuilder, as fullcodegen code
will never look at that value after the callee returns. So we
just push optimized_out instead.

BUG=v8:5267
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2285183002
Cr-Commit-Position: refs/heads/master@{#38963}

Reland of Fix compiler warnings on "make android_arm" (patchset #1 id:1 of https://codereview.chromium.org/2286163002/ )

Reason for revert:
Roll was unstuck before the revert landed => reland

Original issue's description:
> Revert of Fix compiler warnings on "make android_arm" (patchset #1 id:1 of https://codereview.chromium.org/2264283007/ )
>
> Reason for revert:
> Speculative revert because of roll blocker https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20debug/builds/2241
>
> Original issue's description:
> > Fix compiler warnings on "make android_arm"
> >
> > Committed: https://crrev.com/3e809a6129d0097529c885579ac46e4acf4e99f6
> > Cr-Commit-Position: refs/heads/master@{#38937}
>
> TBR=bmeurer@chromium.org,jkummerow@chromium.org
> # Not skipping CQ checks because original CL landed more than 1 days ago.
>
> Committed: https://crrev.com/d992c1f52f116930239ed90cc033442047e789b4
> Cr-Commit-Position: refs/heads/master@{#38961}

TBR=bmeurer@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2285113002
Cr-Commit-Position: refs/heads/master@{#38962}

Revert of Fix compiler warnings on "make android_arm" (patchset #1 id:1 of https://codereview.chromium.org/2264283007/ )

Reason for revert:
Speculative revert because of roll blocker https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20debug/builds/2241

Original issue's description:
> Fix compiler warnings on "make android_arm"
>
> Committed: https://crrev.com/3e809a6129d0097529c885579ac46e4acf4e99f6
> Cr-Commit-Position: refs/heads/master@{#38937}

TBR=bmeurer@chromium.org,jkummerow@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.

Review-Url: https://codereview.chromium.org/2286163002
Cr-Commit-Position: refs/heads/master@{#38961}

Revert of "[heap] Switch to 500k pages" (patchset #1 id:1 of https://codereview.chromium.org/2278653003/ )

Reason for revert:
Tanks pretty much alle metrics across the board. Probably LO space limit too low but needs investigation.

Original issue's description:
> [heap] Switch to 500k pages
>
> Decrease regular heap object size to 400k. In a follow up, we can now get rid of
> the new space border page while keeping the 1M minimum new space size.
>
> This reverts commit 1617043c.
>
> BUG=chromium:636331
>
> Committed: https://crrev.com/2101e691caeef656eb91f1c98620b3955d337c83
> Cr-Commit-Position: refs/heads/master@{#38916}

TBR=ulan@chromium.org,verwaest@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:636331
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2289493002
Cr-Commit-Position: refs/heads/master@{#38960}

BUG=v8:5209

Review-Url: https://codereview.chromium.org/2281393002
Cr-Commit-Position: refs/heads/master@{#38959}

Revert of Always deserialize scope infos for parsing (patchset #3 id:40001 of https://codereview.chromium.org/2280933002/ )

Reason for revert:
Significantly tanks parsing. We probably should just keep on doing what we're doing: partially deserialize while resolving variables. If we do scope-info backed resolution after regular resolution based on remaining free variables, we can probably reduce the time-frame of that part. We soon after anyway need to sync with the main thread.

Original issue's description:
> Always deserialize scope infos for parsing
>
> When looking up variables in the ScopeInfo, we did a linear scan of the
> ScopeInfo. Since that's unacceptably slow, a context slot cache was added
> that would speed up repeated lookups of the same variable.
>
> Instead, just always fully convert the ScopeInfo into scopes, so they can
> lookup variables without scanning the ScopeInfo.
>
> This also allows for removing the now unused ContextSlotCache.
>
> R=adamk@chromium.org,verwaest@chromium.org,marja@chromium.org
> BUG=v8:5315
>
> Committed: https://crrev.com/81f824cad18e4dc873a8838943217eb9c9f0c1f0
> Cr-Commit-Position: refs/heads/master@{#38953}

TBR=adamk@chromium.org,marja@chromium.org,jochen@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5315

Review-Url: https://codereview.chromium.org/2287783003
Cr-Commit-Position: refs/heads/master@{#38958}

As part of the work to implement catch prediction for async functions,
the resulting Promise that is the output of the function needs to be
available earlier for a couple reasons:
- To be able to do %DebugPushPromise/%DebugPopPromise over the body
  of the async function
- To be able to pass the resulting promise into AsyncFunctionAwait
  in order to set up the dependency chains

This patch creates the Promise earlier and pushes it onto the debug
stack; a later patch will set up the dependency chain. Although the
debug stack is set up, it's not anticipated that this will change
the catch prediction helpfully yet, as everything will still likely
be predicted as 'caught' for now, as before.

R=caitp@igalia.com,yangguo@chromium.org
CC=neis@chromium.org,gsathya@chromium.org
BUG=v8:5167

Review-Url: https://codereview.chromium.org/2233923003
Cr-Commit-Position: refs/heads/master@{#38957}