Also prevent division by zero.

R=tebbi@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2731723002
Cr-Commit-Position: refs/heads/master@{#43590}

The callsite in ConstructByArrayBuffer could have a length that is
above Smi range if the buffer had such a length. Check this before
calling. Add a test too.

BUG=v8:5977, chromium:698201

Change-Id: Ic22046a31607f1f85642c8caf7f5ed064edb3110
Reviewed-on: https://chromium-review.googlesource.com/449813
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43589}

This refactoring is preparatory work to enable ICU to be the backend
for timezone information rather than system calls. In the process, a
bit of code duplication that was inserted in the Solaris port patch is
eliminated here among modern POSIX backends.

One possible performance downside of this patch is that it introduces
a virtual method call for operations which were previously not virtual
methods. However, a couple factors mitigate this effect:
- The DateCache minimizes the need for calls into the TimezoneCache
- These calls were already not very high performance, as they included
  a system call which requires an RPC to get out of the sandbox, and
  they are surrounded by C++ builtins, which require a JS to C++
  transition.
- A future transition to ICU, enabled by this refactoring, may improve
  performance by eliminating the system call.

BUG=v8:6031

Review-Url: https://codereview.chromium.org/2731463003
Cr-Commit-Position: refs/heads/master@{#43588}

Following the design of https://codereview.chromium.org/2692753004, also compute the arguments length in the deoptimizer sucht that it does not have to be computed in optimized code.

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2729163002
Cr-Commit-Position: refs/heads/master@{#43587}

BUG=chromium:694255

Review-Url: https://codereview.chromium.org/2728113002
Cr-Commit-Position: refs/heads/master@{#43586}

BUG=v8:6030
NOTRY=true
TBR=hablich@chromium.org

Change-Id: I28815078e1f3d27411fa985df35ff70ac49dbcb4
Reviewed-on: https://chromium-review.googlesource.com/449833Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43585}

BUG=v8:6039

Change-Id: I69bae9ed49d91b0bc67a8e66e469d57ea7799cca
Reviewed-on: https://chromium-review.googlesource.com/449793Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43584}

If the imported wasm function is being debugged (i.e. redirects to the
interpreter), call it via the JS_TO_WASM stub, such that we can disable
the breakpoint later by patching the exported function.

This also contains a drive-by fix in wasm-translation.cc (for the case
that all known positions are bigger than the requested one).

R=titzer@chromium.org, kozyatinskiy@chromium.org
BUG=v8:5971, v8:5822

Review-Url: https://codereview.chromium.org/2720813002
Cr-Commit-Position: refs/heads/master@{#43583}

We should throw a RangeError for offset % elementSize before
length.toPrimitive is observable. Adds a test that checks this, too.

BUG=v8:6037

Change-Id: Ie9f2551c8e8fb0018b508762ac93cdc470e15dde
Reviewed-on: https://chromium-review.googlesource.com/449792Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43582}

The parameters for ConstructWithSpread and CallWithSpread both
contain the arity for JavaScript calls with a spread as the
last parameter and have the same functionality. Simplify them as
one parameter.

BUG=

Review-Url: https://codereview.chromium.org/2729143002
Cr-Commit-Position: refs/heads/master@{#43581}

Second part of relanding d2c093bc.

BUG=chromium:651354

Change-Id: I4d48e870ac3a630ee1c286a86e630b8cf52cadf9
Reviewed-on: https://chromium-review.googlesource.com/449712Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43580}

Materialized literal removal is a follow up to https://chromium-review.googlesource.com/443246

In addtion, remove ParserBase::Checkpoint; it was for restoring materialized
literal counts and expected property counts, but actually the expected property
count tracking was incorrect ("this" in arrow function param list binds to the
outside, so it's correct without the checkpoint):

(a, b = this.c = 0) => { }

BUG=

Change-Id: Ic097f6d2e7cb235166fb3a76af3bf5584bc167f0
Reviewed-on: https://chromium-review.googlesource.com/449733Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43579}

Change-Id: Ib2a0a0ae56f68c865ab1602b3f6c36bc2e66b304
Reviewed-on: https://chromium-review.googlesource.com/448224Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43578}

This should improve generated code. It is also one step in preparation
for LoadIC inlining - explicitly deferred blocks are currently necessary
to help the scheduler omit frame construction.

BUG=v8:5917

Review-Url: https://codereview.chromium.org/2732613002
Cr-Commit-Position: refs/heads/master@{#43577}

NOTRY=true
TBR=jarin@chromium.org

Change-Id: If1b42341798f890dab5d45235ae93efe069b8309
Reviewed-on: https://chromium-review.googlesource.com/449772Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43576}

BUG=chromium:691589,chromium:691587
NOTRY=true
TBR=marja@chromium.org

Change-Id: I769af6472caa38f0a5d383cb8d5e30540f7c988a
Reviewed-on: https://chromium-review.googlesource.com/449713Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43575}

The pattern of creating a hidden catch scope occurs several times, so
define a helper for it.

BUG=

Change-Id: I5831378341d86d41bfb015bd3e687183cc79ac20
Reviewed-on: https://chromium-review.googlesource.com/448559
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43574}

In lazy compilation, we only compile one function at a time, and we
might not have the wire bytes of the whole module available.
This CL prepares the WasmCompilationUnit for this setting.
It will also be helpful for streaming compilation.

Also, the ErrorThrower (which might heap-allocate) is not stored in the
WasmCompilationUnit any more. Instead, it is passed to the
FinishCompilation method which is allowed to heap-allocate.

R=titzer@chromium.org, ahaas@chromium.org
BUG=v8:5991

Review-Url: https://codereview.chromium.org/2726553003
Cr-Commit-Position: refs/heads/master@{#43573}

We can compile a !== a and Number.isNaN(a) to ObjectIsNaN. The former is
commonly used to check for NaN, i.e. in case of equals in AngularJS.

R=jarin@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2722483003
Cr-Commit-Position: refs/heads/master@{#43572}

This is always the single variable declared in the catch scope.

BUG=

Change-Id: I05ccc48f57394268432c9b5b8c76f9db1b3b6312
Reviewed-on: https://chromium-review.googlesource.com/448041Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43571}

Later manipulation of Array.prototype.concat could lead to calling the Date constructor with empty arguments list. This let a non-mocked date slip in.

BUG=chromium:698097
NOTRY=true
TBR=yangguo@chromium.org,mstarzinger@chromium.org

Change-Id: Ib4bd97e06ea7be8c32d0057d42943f9f82ea6b5f
Reviewed-on: https://chromium-review.googlesource.com/449732Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43570}

The old proxy only mocked out constructor calls and didn't intercept function application. It also kept the original constructor property, through which non-mocked dates could be constructed again.

BUG=chromium:697870
NOTRY=true
R=mstarzinger@chromium.org,yangguo@chromium.org

Change-Id: Icb4ef22342424f95463a7a9c57fa0bb8d910ac19
Reviewed-on: https://chromium-review.googlesource.com/448564Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43569}

WASM interpreter requires that parameters are stored in big-endian natural
memory order (higher bits on lower addresses and lower bits on higher address).
On the other hand, WASM compiled code naturally stores data in memory in
little-endian order. This CL implements big-endian support for passing
double and int64 parameters to WASM interpreter.

TEST=cctest/test-wasm-interpreter-entry/TestArgumentPassing_int64,
     cctest/test-wasm-interpreter-entry/TestArgumentPassing_AllTypes

Review-Url: https://codereview.chromium.org/2721053002
Cr-Commit-Position: refs/heads/master@{#43568}

BUG=chromium:698077
R=lushnikov@chromium.org,alph@chromium.org

Review-Url: https://codereview.chromium.org/2730813002
Cr-Commit-Position: refs/heads/master@{#43567}

Original issue: https://codereview.chromium.org/2724833002/

BUG=v8:6005
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
R=bmeurer@chromium.org,yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2725053007
Cr-Commit-Position: refs/heads/master@{#43566}

- No callbacks for std::sort of integer typed arrays when user-defined
  comparison is not given
- Use template function, instead of macro, for comparison function
- Do not sort if the array size is less than or equal to 1

BUG=v8:5953

Review-Url: https://codereview.chromium.org/2726153003
Cr-Commit-Position: refs/heads/master@{#43565}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/2930f01..8ce7164

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/b068264..7ef7617

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/37d701b..c9f2fc0

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I39deed72065ec038bc8852c4383d2f1f4746d43e
Reviewed-on: https://chromium-review.googlesource.com/449572Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43564}

R=bradnelson@chromium.org

Change-Id: Ifc492b2c2d361ebde5b143b599175b13860781ca
Reviewed-on: https://chromium-review.googlesource.com/448576
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43563}

R=bbudge@chromium.org,titzer@chromium.org,gdeepti@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org
BUG=v8:6020

Review-Url: https://codereview.chromium.org/2728823005
Cr-Commit-Position: refs/heads/master@{#43562}

This fixes and relands https://codereview.chromium.org/2718323003.

R=bbudge@chromium.org,titzer@chromium.org,ahaas@chromium.org,machenbach@chromium.org,bradnelson@chromium.org
BUG=v8:6020

Review-Url: https://codereview.chromium.org/2724973003
Cr-Commit-Position: refs/heads/master@{#43561}

BUG=chromium:694255

Review-Url: https://codereview.chromium.org/2728723004
Cr-Commit-Position: refs/heads/master@{#43560}

BUG=

Change-Id: I3d85ad84f5069f7fe349dcd82092696d0360cc94
Reviewed-on: https://chromium-review.googlesource.com/448225Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43559}

This involved adding a count_ member to SloppyBlockFunctionMap, so
to avoid making DeclarationScope larger, this patch makes the
creation of the map lazy, thus reducing the size of DeclarationScope
by several words in the process.

BUG=chromium:688567

Change-Id: If9a9eb2ccc01690fe10edadb3aa9625454ff4a19
Reviewed-on: https://chromium-review.googlesource.com/448701
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43558}

This makes the assumption about new-space allocation in the CSA more clear.
Additionally AllocateInNewSpace asserts that the allocation will fit in the
new-space in a debug build.

Change-Id: Ica5e7e12656dcdaa2c739b3d300fdcbaeb2355a2
Reviewed-on: https://chromium-review.googlesource.com/448043Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43557}

- Implements Select instructions using a single ARM vbsl instruction.
- Renames boolean machine operators to match renamed S1xN machine types.
- Implements S1xN vector logical ops, AND, OR, XOR, NOT for ARM.
- Implements S1xN AnyTrue, AllTrue ops for ARM.
- Eliminates unused SIMD op categories in opcodes.h.

LOG=N
BUG=v8:6020

Review-Url: https://codereview.chromium.org/2711863002
Cr-Commit-Position: refs/heads/master@{#43556}

This CL fixes a bug in the implementation of the code generation of
kArm64Tst32, where the shift input operand of kArm64Tst32 was ignored.
Please take a special look at the fix in kArm64Tst. I applied the fix
there as well, but because of differences in the instruction selector
I was not able to write a test for it.

R=v8-arm-ports@googlegroups.com
BUG=v8:6028

Review-Url: https://codereview.chromium.org/2729853003
Cr-Commit-Position: refs/heads/master@{#43555}

This hack is causing false "last-resort" garbage collections.

When incremental marking is in progress and overshoots the limit,
our heuristics in the allocator request finishing the mark-compact
because V8 is in optimize-for-memory mode.

However, the mark-compact gets replaced by scavenger which leads to
retrying the allocation two times and eventually doing last resort GC
(which throws away all the marking info).

BUG=chromium:697119

Review-Url: https://codereview.chromium.org/2723003003
Cr-Commit-Position: refs/heads/master@{#43554}

BUG=chromium:694255

Review-Url: https://codereview.chromium.org/2723853006
Cr-Commit-Position: refs/heads/master@{#43553}

BinopMatcher does not notify the reducers using it when it flips inputs to commutative operators. This leads to value numbering not being re-executed in this case. Together with the fact that value numbering might still reduce such a modified node in the case of a hash collision merging the buckets of two equivalent nodes, this leads to unpredictable behaviour.

This is the easiest fix for the problem: Always running value numbering last. This is also a performance improvement because value numbering never changes but only replaces nodes.

R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2728983002
Cr-Commit-Position: refs/heads/master@{#43552}

Enbedders should switch to EmbedderHeapTracer API.

BUG=v8:5828

Change-Id: I82f2bc583d246617865a17f5904e02cd35f92fec
Reviewed-on: https://chromium-review.googlesource.com/448539Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43551}