Rolling v8/build to 5340820b7f216d4f155213173cf678774741788d

Rolling v8/buildtools to c36df184fb212b911d5e0fdee45647610e3ea54d

Rolling v8/tools/mb to e79fc1007f026e7d899abec066b714c750103019

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2102393002
Cr-Commit-Position: refs/heads/master@{#37356}

Add a flag harmony_trailing_commas_in_parameters that allows trailing
commas in function parameter declaration lists and function call
parameter lists. Trailing commas are allowed in parenthetical lists like
`(a, b, c,)` only if the next token is `=>`, thereby making it an arrow
function declaration. Only 1 trailing comma is allowed, not `(a,,)`. A
trailing comma must follow a non-rest parameter, so `(,)` and `(...a,)`
are still SyntaxErrors. However, a trailing comma is allowed after a
spread parameter, e.g. `a(...b,);`.

Add parser tests for all of the above.

BUG=v8:5051
LOG=y

Review-Url: https://codereview.chromium.org/2094463002
Cr-Commit-Position: refs/heads/master@{#37355}

BUG=617526
R=bradnelson@chromium.org
TEST=regress-617526.js

Review-Url: https://codereview.chromium.org/2101923003
Cr-Commit-Position: refs/heads/master@{#37354}

Comparisons were allowing asm 'int' values in places
that require strict 'signed' or 'unsigned' but not both.

Fixes crash when these make it to asm-wasm.

BUG=599413
BUG=v8:4203
R=aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2106683003
Cr-Commit-Position: refs/heads/master@{#37353}

This reverts commit 1eb1dfab.

The original compilation separation change avoided associating a heap
for the wasm instance if memory was not provided, nor needed. The
grow memory CL assumed the old behavior, where a memory buffer was
always present, but may have had a zero size.

The 2CLS  landed shortly after one another. We decided to treat the
grow memory as the race condition winner, so this CL here re-lands
compilation separation, plus adjusts grow memory to deal with
the undefined mem buffer.

BUG=

Review-Url: https://codereview.chromium.org/2102193003
Cr-Commit-Position: refs/heads/master@{#37352}

This reverts commit 0c7ee927.

BUG=

Review-Url: https://codereview.chromium.org/2103983003
Cr-Commit-Position: refs/heads/master@{#37351}

asm.js forbids mixing signed and unsigned % or /.
We had been allowing these.

Fixes crash.

BUG=618602
BUG=v8:4203
R=aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2107683002
Cr-Commit-Position: refs/heads/master@{#37350}

We were not checking that the string passed to instantiateFromAsm
contains a function declaration (any declaration was allowed).

Fixes crash.

BUG=620649
BUG=v8:4203
R=aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2109533002
Cr-Commit-Position: refs/heads/master@{#37349}

Support for serializing/deserializing the compiled wasm module.

We want to reuse the javascript snapshotting mechanics, at least in the
short term, when we still use the JS heap for the compiled wasm code.
Given that a module may be compiled in one v8 instance and then
instantiated later, in a different instance, whatever information we need
at instantiation time must also be serializable.

We currently hold on to the un-decoded wasm bytes, for enabling
debugging scenarios. This imposes a ~20% penalty on the memory
requirements of the wasm compiled code. We do not need this data
otherwise, for runtime, and it is sensible to consider eventually loading it
on demand. Therefore, I intentionally avoided relying on it and re-
decoding the wasm module data, and instead saved the information
necessary to support instantiation.

Given how whatever we need to persist must be serializable, the CL
uses a structure made out of serializable objects (fixed arrays mostly)
for storing this information. I preferred going this route rather than
adding more wasm-specific support to the serializer, given that we want
to eventually move off the JS heap, and therefore the serializer.

Additionally, it turns out this extra information is relatively not complex:
minimal structure, little nesting depth, mostly simple data like numbers
or byte blobs, or opaque data like compiled functions.

This CL also moves export compilation ahead of instantiation time.

This change added a helper getter to FixedArray, to make typed retrieval
of elements easier.

BUG=

Review-Url: https://codereview.chromium.org/2094563002
Cr-Commit-Position: refs/heads/master@{#37348}

Revert of [heap] Reland uncommit unused large object page memory. (patchset #1 id:1 of https://codereview.chromium.org/2101383002/ )

Reason for revert:
Crashes unbox-double-arrays

Original issue's description:
> [heap] Reland uncommit unused large object page memory.
>
> BUG=
>
> Committed: https://crrev.com/dd0ee5fd11653ba41a292641ccd66ae7cc5a8398
> Cr-Commit-Position: refs/heads/master@{#37341}

TBR=ulan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2106933003
Cr-Commit-Position: refs/heads/master@{#37347}

Port 5e058540

Original commit message:

    The reason for reverting is: This breaks gc-stress bot:
    https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot

    Abortion of compaction could cause duplicate entries in the typed-old-to-new remembered set.
    These duplicates could cause a DCHECK to trigger which checks that slots recorded in the
    remembered set never point to to-space. This reland-CL allows duplicates in the remembered
    set by removing the DCHECK, and additionally clears entries in the remembered set if objects are moved.

    Original issue's description:

    Cells were needed originally because there was no typed remembered set to
    record direct pointers from code space to new space. A previous
    CL (https://codereview.chromium.org/2003553002/) already introduced
    the remembered set, this CL uses it.

    This CL
    * stores direct pointers in code objects, even if the target is in new space,
    * records the slot of the pointer in typed-old-to-new remembered set,
    * adds a list which stores weak code-to-new-space references,
    * adds a test to test-heap.cc for weak code-to-new-space references,
    * removes prints in tail-call-megatest.js

R=ahaas@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2108673003
Cr-Commit-Position: refs/heads/master@{#37346}

The opcodes for 'cmpw r/m16, r16' and 'cmpw r16, r/m16' were swapped, causing a few issues when less than/greater than comparison were performed.

Adds a regression test.

BUG=621926

Committed: https://crrev.com/efa7095e3e360fbadbe909d831ac11b268ca26b0
Review-Url: https://codereview.chromium.org/2103713003
Cr-Original-Commit-Position: refs/heads/master@{#37339}
Cr-Commit-Position: refs/heads/master@{#37345}

Port e607e12e

Original commit message:
    Introduce a new machine operator Float64Pow that for now is backed by
    the existing MathPowStub to start the unification of Math.pow, and at
    the same time address the main performance issue that TurboFan still has
    with the imaging-darkroom benchmark in Kraken.

    Also migrate the Math.pow builtin itself to a TurboFan builtin and
    remove a few hundred lines of hand-written platform code for special
    handling of the fullcodegen Math.pow version.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=v8:3599,v8:5086,v8:5157
LOG=N

Review-Url: https://codereview.chromium.org/2106883002
Cr-Commit-Position: refs/heads/master@{#37344}

Addressing comment in https://codereview.chromium.org/2102073002/

BUG=chromium:576312, chromium:623516

Review-Url: https://codereview.chromium.org/2109713002
Cr-Commit-Position: refs/heads/master@{#37343}

Revert of [ia32] Fixes a bug in cmpw. (patchset #3 id:40001 of https://codereview.chromium.org/2103713003/ )

Reason for revert:
Causes "buildbot failure in V8 on V8 Linux gcc 4.8, Check"

Original issue's description:
> [ia32] Fixes a bug in cmpw.
>
> The opcodes for 'cmpw r/m16, r16' and 'cmpw r16, r/m16' were swapped, causing a few issues when less than/greater than comparison were performed.
>
> Adds a regression test.
>
> BUG=621926
>
> Committed: https://crrev.com/efa7095e3e360fbadbe909d831ac11b268ca26b0
> Cr-Commit-Position: refs/heads/master@{#37339}

TBR=bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=621926

Review-Url: https://codereview.chromium.org/2106913002
Cr-Commit-Position: refs/heads/master@{#37342}

BUG=

Review-Url: https://codereview.chromium.org/2101383002
Cr-Commit-Position: refs/heads/master@{#37341}

PERFORMANCE_DEFAULT mode.

BUG=

Review-Url: https://codereview.chromium.org/2108503003
Cr-Commit-Position: refs/heads/master@{#37340}

The opcodes for 'cmpw r/m16, r16' and 'cmpw r16, r/m16' were swapped, causing a few issues when less than/greater than comparison were performed.

Adds a regression test.

BUG=621926

Review-Url: https://codereview.chromium.org/2103713003
Cr-Commit-Position: refs/heads/master@{#37339}

  - GrowMemory runtime function, tests added to checks if memory can be grown
  and relocation information is updated correctly

R=titzer@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2051043002
Cr-Commit-Position: refs/heads/master@{#37338}

Following the existing model where most committers are top-level OWNERS, this enables easier boilerplate changes to the V8 build environment and tests in the PST time-zone.

R=danno@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2101423002
Cr-Commit-Position: refs/heads/master@{#37337}

The serializer does not support serialization of HashTables in general because
after deserialization it might be necessary to rehash the table.
However the UnseededNumberDictionary does not require rehashing and this CL allows
them to be serialized.

This CL also changes the shape of UnseededNumberDictionary: the details field is
no longer part of the entry since no one needs it.

BUG=chromium:576312, chromium:623516

Review-Url: https://codereview.chromium.org/2102073002
Cr-Commit-Position: refs/heads/master@{#37336}

When re-scoping arrow function parameter initializers, temporaries
should be moved from the closure of the old scope to the closure of
the new scope, if necessary.

R=adamk@chromium.org, rossberg@chromium.org
BUG=chromium:622663
LOG=N

Review-Url: https://codereview.chromium.org/2083083007
Cr-Commit-Position: refs/heads/master@{#37335}

This part of the snapshot API should not be in use yet, so we can still
change this. The motivation for this change is:
- Use MaybeHandle where reasonable.
- Remove ambiguity: when we use index to create context from snapshot,
  we should not have a silent fallback if snapshot is not available.
- Symmetry: rename to Context::FromSnapshot to mirror templates.

R=jochen@chromium.org
BUG=chromium:617892

Review-Url: https://codereview.chromium.org/2100073002
Cr-Commit-Position: refs/heads/master@{#37334}

This cl fixes the long-standing bug for for-in with shadowing properties.

BUG=v8:705

Review-Url: https://codereview.chromium.org/2081733002
Cr-Commit-Position: refs/heads/master@{#37333}

Port d61a5c37

Original commit message:

    As a first step I uncommit the memory on the main thread. Also
    to measure impact and stability of that optimization. In a
    follow-up CL, the uncommitting should be moved on the concurrent thread.

R=jochen@chromium.org, hpayer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2041233003
Cr-Commit-Position: refs/heads/master@{#37332}

This avoids forgetting to add files for either gyp or gn.

While for most executables, this is detected by compilation
errors, for test executables, it can lead to tests silently
not running.

BUG=chromium:474921

Review-Url: https://codereview.chromium.org/2098313002
Cr-Commit-Position: refs/heads/master@{#37331}

It also dereferences the inputs of StoreField, if those were
CheckTaggedPointers. Tested manually.

BUG=

Review-Url: https://codereview.chromium.org/2104893002
Cr-Commit-Position: refs/heads/master@{#37330}

We use CheckNumber to guard values as being proper numbers, i.e. if the
input value is anything but a Number, we deoptimize. This follows the
existing effect/control linearization magic that we already use for the
other checks.

R=jarin@chromium.org
BUG=v8:5141

Review-Url: https://codereview.chromium.org/2109623002
Cr-Commit-Position: refs/heads/master@{#37329}

BUG=chromium:621147
LOG=N
R=ishell@chromium.org,cbruni@chromium.org

Review-Url: https://codereview.chromium.org/2100313002
Cr-Commit-Position: refs/heads/master@{#37328}

    Adding link option -bbigtoc to fix TOC overflow error.
    The option instructs the linker to generate TOC larger
    than 64k.

    TOC: http://www.ibm.com/developerworks/rational/library/overview-toc-aix/

R=machenbach@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2107513002
Cr-Commit-Position: refs/heads/master@{#37327}

BUG=chromium:623912

Review-Url: https://codereview.chromium.org/2109603002
Cr-Commit-Position: refs/heads/master@{#37326}

The reason for reverting is: This breaks gc-stress bot:
https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot

Abortion of compaction could cause duplicate entries in the typed-old-to-new remembered set. These duplicates could cause a DCHECK to trigger which checks that slots recorded in the remembered set never point to to-space. This reland-CL allows duplicates in the remembered set by removing the DCHECK, and additionally clears entries in the remembered set if objects are moved.

Original issue's description:

Cells were needed originally because there was no typed remembered set to
record direct pointers from code space to new space. A previous
CL (https://codereview.chromium.org/2003553002/) already introduced
the remembered set, this CL uses it.

This CL
* stores direct pointers in code objects, even if the target is in new space,
* records the slot of the pointer in typed-old-to-new remembered set,
* adds a list which stores weak code-to-new-space references,
* adds a test to test-heap.cc for weak code-to-new-space references,
* removes prints in tail-call-megatest.js

Review-Url: https://codereview.chromium.org/2097023002
Cr-Commit-Position: refs/heads/master@{#37325}

    Testcase big-array-literal fails with stack overflow error on ppc64,
    increasing stack-size to 1100 resolves the issue, but causes
    other platforms to fail ( https://codereview.chromium.org/2072533002/ ).
    For now, disabling the testcase on ppc64.

R=machenbach@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N
NOTRY=true

Review-Url: https://codereview.chromium.org/2098413002
Cr-Commit-Position: refs/heads/master@{#37324}

Introduce a new machine operator Float64Pow that for now is backed by
the existing MathPowStub to start the unification of Math.pow, and at
the same time address the main performance issue that TurboFan still has
with the imaging-darkroom benchmark in Kraken.

Also migrate the Math.pow builtin itself to a TurboFan builtin and
remove a few hundred lines of hand-written platform code for special
handling of the fullcodegen Math.pow version.

BUG=v8:3599,v8:5086,v8:5157

Review-Url: https://codereview.chromium.org/2103733003
Cr-Commit-Position: refs/heads/master@{#37323}

The ARM64 instruction selector can generate code like this

  negs w0, w1
  b.vs deopt

but then reference the old value of w0 in the frame state, which will
obviously lead to wrong results.

R=jarin@chromium.org
BUG=v8:5158

Review-Url: https://codereview.chromium.org/2103793002
Cr-Commit-Position: refs/heads/master@{#37322}

Simplify bytecode array writing and remove some now unused bytecode traits
definitions.

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/2100793003
Cr-Commit-Position: refs/heads/master@{#37321}

  port 1b4e0130(r37181)

  original commit message:
  Previously only stubs built in the snapshot were checked for having an
  eager frame. This caused a regression to creap in on ia32 for
  RegExpConstructResultStub. Change test to always check.

BUG=

Review-Url: https://codereview.chromium.org/2098303003
Cr-Commit-Position: refs/heads/master@{#37320}

X87: [builtins] NonNumberToNumber and StringToNumber now use CallRuntime instead of TailCallRuntime.

  port b5c69cbf (r37132)

  original commit message:
  With the tail call, pointers to the JS heap could be pushed on a
  js-to-wasm frame. On the js-to-wasm frame, however, this pointer would
  not be updated by the GC.

BUG=

Review-Url: https://codereview.chromium.org/2108543002
Cr-Commit-Position: refs/heads/master@{#37319}

With the current approach we only need to track using an unordered set as we can
still access the backing store pointer and length by the time we free the
backing store.

BUG=chromium:619491, chromium:611688
LOG=N
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2107443002
Cr-Commit-Position: refs/heads/master@{#37318}

  port cbc6adc8 (r37111)

  original commit message:
  Runtime_DeclareLookupSlot is used when generating code for var and function declarations
  originating in an eval. Over time, it's accumulated quite a bit of cruft, which this CL removes:

    - With legacy const gone, lookup slots never have any property attributes.
    - There was a bit signaling that the variable was from an eval, but that was redundant since
      DeclareLookupSlot is only used for eval.
    - Some Proxy-related code didn't make sense here.

  Its name was also not terribly clear: while "LookupSlot" is used in several places, this
  particular function is only used for declaring variables and functions inside sloppy eval.
  Renamed (and split into two) to make this clear for future archeologists.

  Also added various DCHECKs to check the assumptions being made.

BUG=

Review-Url: https://codereview.chromium.org/2107663002
Cr-Commit-Position: refs/heads/master@{#37317}