This is a reland of 3dfaf826

Original change's description:
> [debug] liveedit in native
>
> Liveedit step-by-step:
> 1. calculate diff between old source and new source,
> 2. map function literals from old source to new source,
> 3. create new script for new_source,
> 4. mark literals with changed code as changed, all others as unchanged,
> 5. check that for changed literals there are no:
>   - running generators in the heap,
>   - non droppable frames (e.g. running generator) above them on stack.
> 6. mark the bottom most frame with changed function as scheduled for
>    restart if any.
> 7. for unchanged functions:
>   - deoptimize,
>   - remove from cache,
>   - update source positions,
>   - move to new script,
>   - reset feedback information and preparsed scope information if any,
>   - replace any sfi in constant pool with changed one if any.
> 8. for changed functions:
>   - deoptimize
>   - remove from cache,
>   - reset feedback information,
>   - update all links from js functions to old shared with new one.
> 9. swap scripts.
>
> TBR=ulan@chromium.org
>
> Bug: v8:7862,v8:5713
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
> Change-Id: I8f6f6156318cc82d6f36d7ebc1c9f7d5f3aa1461
> Reviewed-on: https://chromium-review.googlesource.com/1105493
> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54146}

TBR=dgozman@chromium.org

Bug: v8:7862, v8:5713
Change-Id: I163ed2fd2ca3115ba0de74cb35a6fac9e40fdd94
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/1124879
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54187}

This is an optimization to avoid an unneeded "mov <reg>, #0"
instruction. Instead, we can just directly use the zero register.

R=ahaas@chromium.org

Bug: chromium:854011, v8:6600
Change-Id: I187d7a659c42d7d4a6d5798eddff8b7ee0983bbc
Reviewed-on: https://chromium-review.googlesource.com/1124684
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54186}

We need to push the sign-extended constant instead of just the lower 32
bits. Otherwise, the callee might read stale data from the stack.

Bug: chromium:854011, v8:6600

R=ahaas@chromium.org
CC=rodolph.perfetta@arm.com

Change-Id: Iafcfd6ba9532771615b41215fb4d1a2b85ce5623
Reviewed-on: https://chromium-review.googlesource.com/1124683Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54185}

I forgot to add this test to the previous CL:
https://crrev.com/c/1122409

R=ahaas@chromium.org

Bug: v8:7914
Change-Id: I4ed3bce37ce1e42a56eabc02647d8cf91e4492c9
Reviewed-on: https://chromium-review.googlesource.com/1124687Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54184}

In future the RO_SPACE root accessors in Heap will become private, so
instead convert them all to use ReadOnlyRoots.

Bug: v8:7786
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ifd2f75298bacd2f6a89c551f689d269a59d87e97
Reviewed-on: https://chromium-review.googlesource.com/1124470
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54183}

In future the RO_SPACE root accessors in Heap will become private, so
instead convert them all to use ReadOnlyRoots.

Bug: v8:7786
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ia24803003f1e6ce0782dffe448c662695620f026
Reviewed-on: https://chromium-review.googlesource.com/1124326
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54182}

In future the RO_SPACE root accessors in Heap will become private, so
instead convert them all to use ReadOnlyRoots.

Bug: v8:7786
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I2cc63ffc5b6df537fa7772356acd9e8b3cf59352
Reviewed-on: https://chromium-review.googlesource.com/1124322
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54181}

Using CpuProfile pointer is not safe for id as the profile objects
can be recreated on the same memory address.
Use sequential numbers instead.

Change-Id: I7253605819055bc3396b797f9ce27669e8c2584d
Reviewed-on: https://chromium-review.googlesource.com/1123325Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54180}

Also move some helpers there.

Bug: v8:7902
Change-Id: I1ef3d1e8317102afae2861382e9ba60b0ef6bba4
Reviewed-on: https://chromium-review.googlesource.com/1121461
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54179}

Moves STRUCT_LIST AND ALLOCATION_SITE_LIST into roots.h and adds access
to their associated maps using ReadOnlyRoots.

Also corrects the location of external_map, message_object_map,
empty_script, many_closures_cell, invalid_prototype_validity_cell and
builtins_constants_table which are not in RO_SPACE.

Finally this adds a convenience ReadOnlyRoots(Isolate*) constructor.

Bug: v8:7786
Change-Id: I4982dd0cbea2062a124605678599ba48831f020f
Reviewed-on: https://chromium-review.googlesource.com/1124319Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54178}

Change-Id: I21b0dfb572efab3257e25f2f3b81689c07f8f2d7
Reviewed-on: https://chromium-review.googlesource.com/1124562
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54177}

Tests cctest/test-run-wasm-simd/RunWasm_I16x8ConvertI32x4_turbofan
and cctest/test-run-wasm-simd/RunWasm_I8x16ConvertI16x8_simd_lowered
will be skipped for big endian until implementation for big endian is
done correctly.

Change-Id: Ia6253070ede207f437e4b710a656bce8d65e412e
Reviewed-on: https://chromium-review.googlesource.com/1113307
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Reviewed-by: Aseem Garg <aseemgarg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54176}

An i64 to i32 conversion within the same register is a noop on arm64,
since i32 operations just use the "W" part of the register anyway.

R=ahaas@chromium.org
CC=rodolph.perfetta@arm.com

Bug: v8:6600
Change-Id: Ia7cb49673c4997dc095736a054d052ffd91bb957
Reviewed-on: https://chromium-review.googlesource.com/1124449Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54175}

This CL adds a regression test that will check that the elements
pointer is properly reloaded after the JavaScript comparison
function is called during Array.p.sort.

R=jgruber@chromium.org

Bug: chromium:859809
Change-Id: I15f55fcc1906bd8d0751596e5457367a643b92da
Reviewed-on: https://chromium-review.googlesource.com/1124475
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54174}

R=clemensh@chromium.org

Change-Id: I2a935d87d6f9688af9bd983fc95ae87476c1f612
Reviewed-on: https://chromium-review.googlesource.com/1124464Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54173}

Most scanner logic doesn't need to care about surrogate pairs, so we can just
push it down to identifier scanning.

This CL additionally drops some explicit kEndOfInput checks that are subsumed
by predicates seemlessly returning false for kEndOfInput (-1).

Change-Id: If031a9355ab5fbca0c3b647045e3034f42923979
Reviewed-on: https://chromium-review.googlesource.com/1124447Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54172}

It turns out we can just remove kReturnVariable from the normal change
tracking, since it's always set when jumping to the final label anyway.

Bug: v8:7793
Change-Id: I6d0a777016047aa31b0edddd19c661e2631e1078
Reviewed-on: https://chromium-review.googlesource.com/1124471Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54171}

Instead of installing code dependencies during graph reduction,
install them after code generation.

Bug: v8:7902, v8:7790
Change-Id: I8a3798254abb5b9ec7c295a1592aeb6b51f24c7a
Reviewed-on: https://chromium-review.googlesource.com/1119913
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54170}

Bug: v8:7793
Change-Id: Ifb03938e15307910ef25b2b95c32fe69bfec1441
Reviewed-on: https://chromium-review.googlesource.com/1124458Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54169}

R=clemensh@chromium.org

Change-Id: Ia3856921a707e7d58d55a74d3f14cbdc0d69eaa5
Reviewed-on: https://chromium-review.googlesource.com/1124332
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54168}

Variables/return values with constexpr type cannot have multiple
assignments. We check this now.
For conditionals, it is important to always infer a non-constexpr type.
This CL adds the ability to map any type (including union types) to be
mapped to their non-constexpr variant. Conditionals infer their type as
the non-constexpr version of a combination of the two branch types.

In addition, this improves subtyping for constexpr types:
If A extends B, then constexpr A extends constexpr B.
This makes it necessary to clean up "constexpr String", which has nothing
to do with tagged values.

Bug: v8:7793
Change-Id: Ia4d3cd5dc98f45b0ec89adf05c5c6111a0e51cc6
Reviewed-on: https://chromium-review.googlesource.com/1122864
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54167}

This CL is a manual revert of the Array.p.sort Torque QuickSort
implementation.

The plan is to ship TimSort in either Chromium 69 or 70 and not ship
Torque-QuickSort at all (to keep disruption to a minimum). For this
reason we revert back to the implementation in array.js.

R=jgruber@chromium.org

Bug: chromium:859809, v8:7382
Change-Id: I92eb70408883f51d98311e78642f554316bc1e76
Reviewed-on: https://chromium-review.googlesource.com/1124334Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#54166}

When calling a builtin via a function pointer, torque tries to find any
builtin with the same parameter types for a descriptor. If no such
builtin exist, we currently crash.

Example:

type DoesNotExistFn = builtin(Context, Smi, Smi, Smi) => Smi;
macro TestMacro(c: Context, fn: DoesNotExistFn) {
  let result: Smi = fn(c, 1, 2, 3);
}

R=tebbi@chromium.org

Bug: v8:7793
Change-Id: Ia7436dc6541aca5de2e8dcb6b2a09978a1af9d39
Reviewed-on: https://chromium-review.googlesource.com/1123821Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#54165}

The current output of release builds is not very helpful, as it does
not contain the line number, nor the values of {expect_exception} or
{i_isolate->has_pending_exception()}.

R=ahaas@chromium.org

Bug: chromium:854011
Change-Id: I0bc1b8be6151d5420310eb67b2ebd0dc866fc9a6
Reviewed-on: https://chromium-review.googlesource.com/1122869Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54164}

Change-Id: I66426ab06f8cc3f138a9cdd60063a3da1dc4a954
Reviewed-on: https://chromium-review.googlesource.com/1123824Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54163}

This optimization is already done on x64 (7500e507).

Bug: v8:7844
Change-Id: Iccc3bb55aa79ef1d4423576c79d9ce6f829f2828
Reviewed-on: https://chromium-review.googlesource.com/1120343
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54162}

R=binji@chromium.org
Bug: v8:7846

Change-Id: I0843c11a3034062182be99514d092c474116c25c
Reviewed-on: https://chromium-review.googlesource.com/1122415Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54161}

Adds a ReadOnlyRoots class trivially constructable from a Heap* or
Isolate* and which can be obtained from a any HeapObject which provides
access to roots objects that will always be in RO_SPACE. In the longer
term this object will be accessed via a global variable without
requiring an Isolate or using the memory address of a HeapObject to
infer it.

Moves the list macros in heap.h to roots.h and splits some of them into
two parts (read-only and mutable).

Convert cases of heap_object->GetHeap()->root_accessor() to
heap_objects->GetReadOnlyRoots().root_accessor().

Bug: v8:7786
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I14b01052adb2af9a5ec82b970e933d6a423d17a5
Reviewed-on: https://chromium-review.googlesource.com/1122127
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54160}

- display script size overview
- color scripts in overview depending on eval, streaming or other scripts
- fix stats to always take own-bytes into accout
- rename all *Time properties to *Duration for consistency
- extract ScriptSource log event into separate method
- support script source events in parse-processor

Bug: chromium:757467, chromium:850038
Change-Id: I227d1d5952ae9e508ab1a01146fcf47f74a3f7ea
Reviewed-on: https://chromium-review.googlesource.com/1117195
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54159}

This CL adds a comparison for the performance of getting and setting
float32 and float64 values with DataViews and with TypedArrays.

Since TypedArrays do not specify endianness, we can't compare
performance across both possible endiannesses, but this is better
than no comparison at all.

Change-Id: Iea54b942c0bb8168e9d8002d94e2bb9bc6566331
Reviewed-on: https://chromium-review.googlesource.com/1120250Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Théotime Grohens <theotime@google.com>
Cr-Commit-Position: refs/heads/master@{#54158}

This CL adds code to inline the Int8 and Uint8 getters for DataView
objects in TurboFan in js-call-reducer.cc, as well as a new test file.

It already improves execution speed compared to the Torque baseline
implementation, and implements most of the architecture needed
for inlining the other DataView getters and setters as well.

Change-Id: I0e62b98fd6ec995f7db5ec42ea1eff1f03572f97
Reviewed-on: https://chromium-review.googlesource.com/1119909Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Théotime Grohens <theotime@google.com>
Cr-Commit-Position: refs/heads/master@{#54157}

This CL replaces most uses of the V8_EMBEDDED_BUILTIN define
by a new read-only runtime flag called FLAG_embedded_builtins.

The flag is true iff V8_EMBEDDED_BUILTINS is defined.

Bug: v8:6666
Change-Id: Ifcc909dc9b028a2c967f8a0e45029df5e71072df
Reviewed-on: https://chromium-review.googlesource.com/1122401
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54156}

This fixed the {WasmCompiledFrame::Print} method to print the pc offset
(an integer) in hexadecimal notation, and not print it as a pointer
value, which somehow produced weird output in my case.

R=mstarzinger@chromium.org

Change-Id: I417e980d2bf1448f5694a32c28a7c7bca1de9703
Reviewed-on: https://chromium-review.googlesource.com/1122866Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54155}

This is a reland of 20f33823.
Win32 failures should be fixed by https://crrev.com/c/1120175.

Original change's description:
> [wasm] Enable Liftoff by default on ia32 and x64
>
> R=titzer@chromium.org, hablich@chromium.org
>
> Bug: v8:6600, chromium:787421
> Change-Id: Ia8ae56ddef3b27b0721d5a66ff19abe098a2c6ca
> Reviewed-on: https://chromium-review.googlesource.com/1109899
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Hablich <hablich@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53965}

TBR=titzer@chromium.org, hablich@chromium.org

Bug: v8:6600, chromium:787421
Change-Id: Ia0fc1f152988a2df95d94d002b9ddfdc0a9c4abd
Reviewed-on: https://chromium-review.googlesource.com/1120205Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54154}

Rename method to IsEmpty for Worklist. IsGlobalEmpty is easy to
confuse with IsGlobalPoolEmpty.

Change-Id: Id9744cef2630f7c0642ec37ef9a18296acee87e3
Reviewed-on: https://chromium-review.googlesource.com/1115222
Commit-Queue: Dominik Inführ <dinfuehr@google.com>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54153}

Only use the "W" part (lower 32 bit) of the src register. Otherwise, we
can get results larger than 32.

R=ahaas@chromium.org
CC=​rodolph.perfetta@arm.com

Bug: v8:7914, chromium:854011
Change-Id: I6329231e6cc0ae537c165b2d383fc5a14bd28ca3
Reviewed-on: https://chromium-review.googlesource.com/1122409
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54152}

This reverts commit 3dfaf826.

Reason for revert: Failures - https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20gcc%204.8/20394

Original change's description:
> [debug] liveedit in native
> 
> Liveedit step-by-step:
> 1. calculate diff between old source and new source,
> 2. map function literals from old source to new source,
> 3. create new script for new_source,
> 4. mark literals with changed code as changed, all others as unchanged,
> 5. check that for changed literals there are no:
>   - running generators in the heap,
>   - non droppable frames (e.g. running generator) above them on stack.
> 6. mark the bottom most frame with changed function as scheduled for
>    restart if any.
> 7. for unchanged functions:
>   - deoptimize,
>   - remove from cache,
>   - update source positions,
>   - move to new script,
>   - reset feedback information and preparsed scope information if any,
>   - replace any sfi in constant pool with changed one if any.
> 8. for changed functions:
>   - deoptimize
>   - remove from cache,
>   - reset feedback information,
>   - update all links from js functions to old shared with new one.
> 9. swap scripts.
> 
> TBR=ulan@chromium.org
> 
> Bug: v8:7862,v8:5713
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
> Change-Id: I8f6f6156318cc82d6f36d7ebc1c9f7d5f3aa1461
> Reviewed-on: https://chromium-review.googlesource.com/1105493
> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54146}

TBR=dgozman@chromium.org,ulan@chromium.org,yangguo@chromium.org,kozyatinskiy@chromium.org

Change-Id: I45df5b6f3abaf29e593c6ac11edefbd0177d0109
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7862, v8:5713
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/1124159Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54151}

This CL changes the NumberDictionary fast-path for Array.p.sort to
throw a TypeError when trying to write to a read-only property.

Previously, the fast-path simply bailed to the slow-path which could
swallow the TypeError by accident. I.e. because the fast-path could
leave the array in an inconsistent state that is already sorted.

Example:

let arr = new Array(10);
Object.defineProperty(arr, 0, {value: 2, writable: false});
Object.defineProperty(arr, 2, {value: 1, writable: false});
arr.sort();

The pre-processing step will move the value 1 to index 1: {0: 2, 1: 1}
When trying to swap those 2 values, the fast-path will write the 2 at
index 1, then try to write the 1 at index 0 and fail, bailing to the
slow-path. As the array looks like {0: 2, 1: 2} its already sorted
and the TypeError will not be thrown.

R=jgruber@chromium.org

Bug: v8:7382, v8:7907
Change-Id: I5d2f2d73478fdca066ce1048dcb2b8301751cb1f
Reviewed-on: https://chromium-review.googlesource.com/1122120
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54150}

For spread calls with arrays with double elements but zero length,
we skip the box-as-heapnumber step; so in this corner case the
Call builtin sees a FixedDoubleArray, which is fine because it
doesn't read any of the raw double values from it.
This patch doesn't change the implementation, it only updates the
assert to match reality.

Bug: chromium:856095
Change-Id: I0227f4ccbc6c61c8f5f7669a266ef7a64c6a9a43
Reviewed-on: https://chromium-review.googlesource.com/1117922Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54149}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/213a0e3..7ac2934

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/34f0d7e..153acbd

Rolling v8/third_party/depot_tools: https://chromium.googlesource.com/chromium/tools/depot_tools/+log/024a331..605dd31

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/dec27d7..39163b8

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I3ab6664ff80919f7169a14a9522c32b4c432a169
Reviewed-on: https://chromium-review.googlesource.com/1123884
Commit-Queue: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Reviewed-by: V8 Autoroller <v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#54148}