BUG=chromium:621147
LOG=N
R=ishell@chromium.org,cbruni@chromium.org

Review-Url: https://codereview.chromium.org/2100313002
Cr-Commit-Position: refs/heads/master@{#37328}

    Adding link option -bbigtoc to fix TOC overflow error.
    The option instructs the linker to generate TOC larger
    than 64k.

    TOC: http://www.ibm.com/developerworks/rational/library/overview-toc-aix/

R=machenbach@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2107513002
Cr-Commit-Position: refs/heads/master@{#37327}

BUG=chromium:623912

Review-Url: https://codereview.chromium.org/2109603002
Cr-Commit-Position: refs/heads/master@{#37326}

The reason for reverting is: This breaks gc-stress bot:
https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot

Abortion of compaction could cause duplicate entries in the typed-old-to-new remembered set. These duplicates could cause a DCHECK to trigger which checks that slots recorded in the remembered set never point to to-space. This reland-CL allows duplicates in the remembered set by removing the DCHECK, and additionally clears entries in the remembered set if objects are moved.

Original issue's description:

Cells were needed originally because there was no typed remembered set to
record direct pointers from code space to new space. A previous
CL (https://codereview.chromium.org/2003553002/) already introduced
the remembered set, this CL uses it.

This CL
* stores direct pointers in code objects, even if the target is in new space,
* records the slot of the pointer in typed-old-to-new remembered set,
* adds a list which stores weak code-to-new-space references,
* adds a test to test-heap.cc for weak code-to-new-space references,
* removes prints in tail-call-megatest.js

Review-Url: https://codereview.chromium.org/2097023002
Cr-Commit-Position: refs/heads/master@{#37325}

    Testcase big-array-literal fails with stack overflow error on ppc64,
    increasing stack-size to 1100 resolves the issue, but causes
    other platforms to fail ( https://codereview.chromium.org/2072533002/ ).
    For now, disabling the testcase on ppc64.

R=machenbach@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N
NOTRY=true

Review-Url: https://codereview.chromium.org/2098413002
Cr-Commit-Position: refs/heads/master@{#37324}

Introduce a new machine operator Float64Pow that for now is backed by
the existing MathPowStub to start the unification of Math.pow, and at
the same time address the main performance issue that TurboFan still has
with the imaging-darkroom benchmark in Kraken.

Also migrate the Math.pow builtin itself to a TurboFan builtin and
remove a few hundred lines of hand-written platform code for special
handling of the fullcodegen Math.pow version.

BUG=v8:3599,v8:5086,v8:5157

Review-Url: https://codereview.chromium.org/2103733003
Cr-Commit-Position: refs/heads/master@{#37323}

The ARM64 instruction selector can generate code like this

  negs w0, w1
  b.vs deopt

but then reference the old value of w0 in the frame state, which will
obviously lead to wrong results.

R=jarin@chromium.org
BUG=v8:5158

Review-Url: https://codereview.chromium.org/2103793002
Cr-Commit-Position: refs/heads/master@{#37322}

Simplify bytecode array writing and remove some now unused bytecode traits
definitions.

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/2100793003
Cr-Commit-Position: refs/heads/master@{#37321}

  port 1b4e0130(r37181)

  original commit message:
  Previously only stubs built in the snapshot were checked for having an
  eager frame. This caused a regression to creap in on ia32 for
  RegExpConstructResultStub. Change test to always check.

BUG=

Review-Url: https://codereview.chromium.org/2098303003
Cr-Commit-Position: refs/heads/master@{#37320}

X87: [builtins] NonNumberToNumber and StringToNumber now use CallRuntime instead of TailCallRuntime.

  port b5c69cbf (r37132)

  original commit message:
  With the tail call, pointers to the JS heap could be pushed on a
  js-to-wasm frame. On the js-to-wasm frame, however, this pointer would
  not be updated by the GC.

BUG=

Review-Url: https://codereview.chromium.org/2108543002
Cr-Commit-Position: refs/heads/master@{#37319}

With the current approach we only need to track using an unordered set as we can
still access the backing store pointer and length by the time we free the
backing store.

BUG=chromium:619491, chromium:611688
LOG=N
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2107443002
Cr-Commit-Position: refs/heads/master@{#37318}

  port cbc6adc8 (r37111)

  original commit message:
  Runtime_DeclareLookupSlot is used when generating code for var and function declarations
  originating in an eval. Over time, it's accumulated quite a bit of cruft, which this CL removes:

    - With legacy const gone, lookup slots never have any property attributes.
    - There was a bit signaling that the variable was from an eval, but that was redundant since
      DeclareLookupSlot is only used for eval.
    - Some Proxy-related code didn't make sense here.

  Its name was also not terribly clear: while "LookupSlot" is used in several places, this
  particular function is only used for declaring variables and functions inside sloppy eval.
  Renamed (and split into two) to make this clear for future archeologists.

  Also added various DCHECKs to check the assumptions being made.

BUG=

Review-Url: https://codereview.chromium.org/2107663002
Cr-Commit-Position: refs/heads/master@{#37317}

R=jgruber@chromium.org

Review-Url: https://codereview.chromium.org/2107693002
Cr-Commit-Position: refs/heads/master@{#37316}

The main fix is to mark stack memory the SafeStackFrameIterator
accesses as initialied.

Drive-by: Make sure we bail out when the simulator is in the
process of updating FP/SP registers.

BUG=v8:5156

Review-Url: https://codereview.chromium.org/2104763002
Cr-Commit-Position: refs/heads/master@{#37315}

When calling the throw method on a generator suspended inside a yield*, yield*
in turn tries to call throw on its iterable.  If the iterable does not provide a
throw method, yield* must try to call the return method instead and then throw a
TypeError.  Due to a bug in our desugaring, we never threw the TypeError.

R=adamk@chromium.org
BUG=v8:5132

Review-Url: https://codereview.chromium.org/2094253002
Cr-Commit-Position: refs/heads/master@{#37314}

  port c87168bc (r37087)

  original commit message:
  Import base::ieee754::tan() from fdlibm and introduce Float64Tan TurboFan
  operator based on that, similar to what we do for Float64Cos and Float64Sin.
  Rewrite Math.tan() as TurboFan builtin and use those operators to also
  inline Math.tan() into optimized TurboFan functions.

  Drive-by-fix: Kill the %_ConstructDouble intrinsics, and provide only
  the %ConstructDouble runtime entry for writing tests.

BUG=

Review-Url: https://codereview.chromium.org/2101233002
Cr-Commit-Position: refs/heads/master@{#37313}

Removing a bad test case because:
- The test case makes wrong assumptions about compilation. We now
  may run bytecode with the interpreter.
- The test exposes internal implementation details such as pc offset
  of JIT code.
- The test uses a runtime function specially written to cater to, and
  used only by this test. Being unmaintained, this runtime function
  is already returning bogus results, making this test useless.

R=jgruber@chromium.org

Review-Url: https://codereview.chromium.org/2101223002
Cr-Commit-Position: refs/heads/master@{#37312}

R=adamk@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2081733004
Cr-Commit-Position: refs/heads/master@{#37311}

When calling the return method on a generator suspended inside a yield*, yield*
in turn calls return on its iterable.  If this results in a "done" iterator,
yield* must return immediately, thus terminating the generator.  For some
reason, we didn't terminate the generator but continued right after the yield*.

R=adamk@chromium.org
BUG=v8:5131

Review-Url: https://codereview.chromium.org/2100093002
Cr-Commit-Position: refs/heads/master@{#37310}

R=bmeurer@chromium.org, jgruber@chromium.org
BUG=v8:5117

Review-Url: https://codereview.chromium.org/2095893002
Cr-Commit-Position: refs/heads/master@{#37309}

    variable hz is defined as a macro in AIX system header
    /usr/include/sys/m_param.h (as "ticks per second of the clock").
    The pre-processor replaces hz with the numeric value defined in
    system header file and therefore emits an error.
    Re-naming variable name to "iz".

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2104483002
Cr-Commit-Position: refs/heads/master@{#37308}

  port c1d01aea (r37086)

  original commit message:
  Compilation of wasm functions happens before instantiation. Imports are linked afterwards, at instantiation time. Globals and memory are also
  allocated and then tied in via relocation at instantiation time.

  This paves the way for implementing Wasm.compile, a prerequisite to
  offering the compiled code serialization feature.

  Currently, the WasmModule::Compile method just returns a fixed array
  containing the code objects. More appropriate modeling of the compiled module to come.

  Opportunistically centralized the logic on how to update memory
  references, size, and globals, since that logic is the exact same on each
  architecture, except for the actual storing of values back in the
  instruction stream.

BUG=

Review-Url: https://codereview.chromium.org/2100393003
Cr-Commit-Position: refs/heads/master@{#37307}

Add NumberAbs operator to implement an inline version of Math.abs, that
can be optimized and eliminated. We don't use any speculation here, but
for now stick to the information we can infer (this way we avoid the
inherent deopt loops that Crankshaft has around Math.abs).

CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
R=jarin@chromium.org
BUG=v8:5086

Review-Url: https://codereview.chromium.org/2096403002
Cr-Commit-Position: refs/heads/master@{#37306}

Rolling v8/build to 87e063014aa0f343b15f5de495a28e5f8572bf8d

Rolling v8/tools/clang to 2ad431ac7823581e1f39c5b770704e1e1ca6cb32

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2101893002
Cr-Commit-Position: refs/heads/master@{#37305}

  port c781e831 (r37072)

  original commit message:
  Import base::ieee754::cos() and base::ieee754::sin() from fdlibm and
  introduce Float64Cos and Float64Sin TurboFan operator based on that,
  similar to what we do for Float64Log. Rewrite Math.cos() and Math.sin()
  as TurboFan builtins and use those operators to also inline Math.cos()
  and Math.sin() into optimized TurboFan functions.

BUG=

Review-Url: https://codereview.chromium.org/2105613002
Cr-Commit-Position: refs/heads/master@{#37304}

Reland of Include file names in trace_turbo output (patchset #1 id:1 of https://codereview.chromium.org/2083153004/ )

Reason for revert:
Ready to test fix and reland.

Original issue's description:
> Revert of Include file names in trace_turbo output (patchset #3 id:40001 of https://codereview.chromium.org/2083863004/ )
>
> Reason for revert:
> Many build bots are failing with a message of the form:
>
> Missing or invalid v8 JSON file: /tmp/tmp2qcEUy_swarming/0/output.json
>
> Can be relanded once we understand why these failures are occuring.
>
> Original issue's description:
> > Include file names in trace_turbo output
> >
> > The trace turbo output will overwrite itself when functions in different
> > files share the same name. Output files now have the form
> > `turbo-<function_name>:<opt_file_name>-<opt_phase>.suffix`.
> >
> > R=ofrobots@google.com
> > BUG=
> >
> > Committed: https://crrev.com/a53b9bf02f31e5647c37e0392afa19f74df1a3ba
> > Cr-Commit-Position: refs/heads/master@{#37199}
>
> TBR=ofrobots@google.com,bmeurer@chromium.org,danno@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=
>
> Committed: https://crrev.com/97c2bc362f234bd58515a0faf6af23b4f8ad183a
> Cr-Commit-Position: refs/heads/master@{#37204}

TBR=ofrobots@google.com,bmeurer@chromium.org,danno@chromium.org,machenbach@google.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2081323007
Cr-Commit-Position: refs/heads/master@{#37303}

In addition to recording the BindingPattern error, also record an
AsyncArrowFormalParameters error for shorthand property "await" in object
literals.

BUG=v8:4483, v8:5148
R=littledan@chromium.org, jwolfe@igalia.com, adamk@chromium.org, nikolaos@chromium.org

Review-Url: https://codereview.chromium.org/2100623002
Cr-Commit-Position: refs/heads/master@{#37302}

When reading malformed input, the length of variable-length types can be very large. Computing operand length with this and adding it to PC will overflow and screw up decode.

This patch switches to unsigned int for arity and lengths, terminates loop analysis on error, adds overflow checking to BranchTableOperand, and adds a unit test.

Review-Url: https://codereview.chromium.org/2052623003
Cr-Commit-Position: refs/heads/master@{#37301}

    Constantpool register is being used with no frame, and
    therefore it points to its parent stub's constantpool
    causing segfault.
    Disable constantpool before CallStub if frame not set.

R=joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2106493002
Cr-Commit-Position: refs/heads/master@{#37300}

Revert of Refactor CreateApiFunction (patchset #2 id:20001 of https://codereview.chromium.org/2095953002/ )

Reason for revert:
[Sheriff] Changes a layout test. Please rebase upstream if intended:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/7742

Original issue's description:
> Refactor CreateApiFunction
>
> BUG=
>
> Committed: https://crrev.com/705574970f3899a6eda0c61130c8c31693df4039
> Cr-Commit-Position: refs/heads/master@{#37290}

TBR=jochen@chromium.org,verwaest@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=

Review-Url: https://codereview.chromium.org/2099983004
Cr-Commit-Position: refs/heads/master@{#37299}

Removes failure expectation for observer-expectations layout test.

BUG=v8:4280,v8:5096
LOG=N

Review-Url: https://codereview.chromium.org/2094353002
Cr-Commit-Position: refs/heads/master@{#37298}

Replaces ArchDefault method with Crankshaft and Turbofan getters.
Eliminates IsAllocated method on Register, FloatRegister, DoubleRegister.
Eliminates ToString method too.
Changes call sites to access appropriate arch default RegisterConfiguration.

LOG=N
BUG=

Review-Url: https://codereview.chromium.org/2092413002
Cr-Commit-Position: refs/heads/master@{#37297}

the .eh_frame format as part of the jitdump generated when
FLAG_perf_prof is enabled. The final goal is allowing precise unwinding
of callchains that include JITted code when profiling V8 using perf.

Unwinding information is stored in the body of code objects after the
code itself, prefixed with its length and aligned to a 8-byte boundary.
A boolean flag in the header signals its presence, resulting in zero
memory overhead when the generation of unwinding info is disabled or
no such information was attached to the code object.

A new jitdump record type (with id 4) is introduced for specifying
optional unwinding information for code load records. The EhFrameHdr
struct is also introduced, together with a constructor to initialise it
from the associated code object.

At this stage no unwinding information is written to the jitdump, but
the infrastructure for doing so is ready in place.

BUG=v8:4899
LOG=N

Review-Url: https://codereview.chromium.org/1993653003
Cr-Commit-Position: refs/heads/master@{#37296}

BUG=

Review-Url: https://codereview.chromium.org/2069933003
Cr-Commit-Position: refs/heads/master@{#37295}

This adds a missing lazy bailout point when defining data properties
with computed property names in object literals. The runtime call to
Runtime::kDefineDataPropertyInLiteral can trigger deopts. The necessary
bailout ID already exists and is now properly used.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-621816
BUG=chromium:621816

Review-Url: https://codereview.chromium.org/2099133003
Cr-Commit-Position: refs/heads/master@{#37294}

Instead of a JS implementation that calls C++ runtime functions, migrate String.fromCodePoint() to C++.

BUG=v8:5049

Review-Url: https://codereview.chromium.org/2038563003
Cr-Commit-Position: refs/heads/master@{#37293}

R=yangguo@chromium.org,danno@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2094293002
Cr-Commit-Position: refs/heads/master@{#37292}

This is a building block for GetPropertyStub. It supports querying fast,
slow and global objects without native accessors and interceptors.

BUG=v8:4911
LOG=Y

Review-Url: https://codereview.chromium.org/2079823002
Cr-Commit-Position: refs/heads/master@{#37291}

BUG=

Review-Url: https://codereview.chromium.org/2095953002
Cr-Commit-Position: refs/heads/master@{#37290}

Proxy objects need special treatment in toString(). Usually, we use the
@@toStringTag, if it is set, otherwise we determine the result of toString()
by checking IsArray() and other internal slots. According to
ES2017 19.1.3.6, IsArray() and the internal slots  must be checked first,
then get(@@toStringTag). The result of IsArray() and internal slots is discarded if
@@toStringTag is set. For proxy
objects, we must obey this order, because get() can have side-effects, i.e.,
revoke the proxy. For all other objects, we can skip the check of the
internal slots, if @@toStringTag is set.

BUG=

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review-Url: https://codereview.chromium.org/2090773006
Cr-Commit-Position: refs/heads/master@{#37289}