Nested arrow functions can have the same end positions, so
the end position is unsuitable to decide whether a scope is
an inner function scope.

BUG=chromium:696202
R=jgruber@chromium.org, kozyatinskiy@chromium.org

Review-Url: https://codereview.chromium.org/2751573003
Cr-Commit-Position: refs/heads/master@{#43797}

Change-Id: I622c3aca07580051c84c86cf895c23af70c11294
Reviewed-on: https://chromium-review.googlesource.com/453021Reviewed-by: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43796}

- Implements vuzp, vtrn instructions for q-registers.
- Refactors vmvn, vswp to use common unary op helper fn.

LOG=N
BUG=v8:6020

Review-Url: https://codereview.chromium.org/2739033002
Cr-Commit-Position: refs/heads/master@{#43795}

Set undefined to the first argument (search element) if the first
argument is not given in %TypedArray%.prototype.indexOf or
%TypedArray%.prototype.includes

BUG=chromium:700894

Review-Url: https://codereview.chromium.org/2748113002
Cr-Commit-Position: refs/heads/master@{#43794}

This is a cleanup in preparation to implement calling imported
functions via the wasm interpreter.
For imported functions, we do not create entries in the
interpreter_code_ vector any more.

I also simplified the interface and removed unused or redundant return
values. More things are now DCHECKed instead of bailing out.

Also, we previously had two PushFrame methods: One is supposed to
initialize the interpreter from external code (i.e. adds the first
frame to the stack), the other one is used to push new frames on the
frame stack for called functions. This CL renames the first to
InitFrame, and makes it use the second one. The other remaining user is
the DoCall method.

R=titzer@chromium.org
BUG=v8:5822

Change-Id: Id09ff1e3256428fbd8c955e4664507a0c3167e53
Reviewed-on: https://chromium-review.googlesource.com/453482
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43793}

This enforces the prefix for v8 and chromium, as otherwise the links don't work in code review. Also prevents using html links to not confuse bugdroid.

NOTRY=true

Change-Id: Iaf3b97c9a7d7a87c27736d4b1f8c286daaffd452
Reviewed-on: https://chromium-review.googlesource.com/454796
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43792}

Collect type information for JavaScript variables and display it
in Chrome DevTools.
Design Doc: https://docs.google.com/a/google.com/document/d/1O1uepXZXBI6IwiawTrYC3ohhiNgzkyTdjn3R8ysbYgk/edit?usp=sharing

When debugging JavaScript, it’s helpful to know the type of
a variable, parameter, and return values. JavaScript is
dynamically typed, and for complex
source code it’s often hard to infer types. With type profiling, we
can provide type information to JavaScript developers.

This CL is a proof of concept. It collects type profile for
assignments and simply prints the types to stdout.

The output looks something like this:

#my_var1
  #Object
  #number
  #string
  #number
  #undefined
  #string
  #Object
  #Object

We use an extra slot in the feedback vector of assignments to
carry the list of types for that assignment. The extra slot is
only added when the flag --type-profile is given.

Missing work:
* Collect data for parameters and return values (currently only assignments).
* Remove duplicates from the list of collected types and use a common base class.
* Add line numbers or source position instead of the variable name.

BUG=v8:5935

Review-Url: https://codereview.chromium.org/2707873002
Cr-Commit-Position: refs/heads/master@{#43791}

NOTRY=true

Change-Id: Idfcc2481ae65f8098ecc94c20f992f3f3b874b8c
Reviewed-on: https://chromium-review.googlesource.com/454716Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43790}

Review-Url: https://codereview.chromium.org/2749843002
Cr-Commit-Position: refs/heads/master@{#43789}

BUG=

Change-Id: I62c570ee929b8fbbba99acabd2d149dde99887e5
Reviewed-on: https://chromium-review.googlesource.com/454041Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43788}

This reverts commit 822aef29.

Reason for revert: Makes getters-on-elements flaky on many bots. E.g.:
https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/16848/steps/Check%20-%20isolates%20%28flakes%29/logs/getters-on-elements

Bisected locally and tested with:
tools/run-tests.py --gn --variants=asm_wasm mjsunit/getters-on-elements --isolates --random-seed-stress-count=500

Original change's description:
> [compiler] Mark shared functions which have an optimization job
> 
> Marking shared functions for tier-up was optimizing the functions
> non-concurrently, to avoid the case where the same shared function is
> optimized concurrently by multiple JS functions. This was particularly a
> problem for small functions, which (if called in a loop) could get
> marked for optimisation quite quickly.
> 
> In this CL, the shared function is instead marked as having an active
> optimization job running, and these do not spawn a compilation job.
> 
> BUG=693590
> 
> Change-Id: I3df93fbf9cec7eda8229fcf416d7c429c06bec86
> Reviewed-on: https://chromium-review.googlesource.com/446836
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Michael Stanton <mvstanton@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#43778}

TBR=mvstanton@chromium.org,leszeks@chromium.org,hablich@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=693590

Change-Id: If7dbdf3de302ec595c44e7f4795554db7674f22f
Reviewed-on: https://chromium-review.googlesource.com/454042Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43787}

R=rmcilroy@chromium.org,mlippautz@chromium.org
BUG=v8:6069

Change-Id: Iea0134ef3a0252f5a6f4ae2154218776dc6ff96d
Reviewed-on: https://chromium-review.googlesource.com/453960Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43786}

BUG=chromium:700883

Review-Url: https://codereview.chromium.org/2750803002
Cr-Commit-Position: refs/heads/master@{#43785}

BUG=v8:6093

Change-Id: Icdc0706a3af23fbf538021a7e80fedaf0b5ae866
Reviewed-on: https://chromium-review.googlesource.com/453699
Commit-Queue: Wiktor Garbacz <wiktorg@google.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43784}

IsString should not count FIRST_NON_STRING_TYPE as a string type.

BUG=

Change-Id: I093945763c3d2b56de5b4b5745ba207fe2d8b5d1
Reviewed-on: https://chromium-review.googlesource.com/453899Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43783}

BUG=v8:6093

Change-Id: I7268abd56769d4cbaefdaa901c532871837cc47e
Reviewed-on: https://chromium-review.googlesource.com/452340Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Wiktor Garbacz <wiktorg@google.com>
Cr-Commit-Position: refs/heads/master@{#43782}

NOTRY=true
R=machenbach@chromium.org
BUG=v8:6091

Review-Url: https://codereview.chromium.org/2747123002
Cr-Commit-Position: refs/heads/master@{#43781}

marja already introduced a std::is_base_of check in one of the Handle
constructors. This CL uses this check for all templatized constructors
in Handle and MaybeHandle instead of the current pointer assignment
hack.

R=marja@chromium.org, mstarzinger@chromium.org

Change-Id: I0bdd77ccff4e95015e3b82e2db782a3ec57654fe
Reviewed-on: https://chromium-review.googlesource.com/453480
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43780}

When a FunctionEntryHook parameter was passed to isolate creation,
we ignored any existing snapshots anyway. Since the ability to
bootstrap from scratch will be removed from snapshot builds, the
FunctionEntryHook feature must depend on a no-snapshot build.

BUG=v8:6055

Review-Url: https://codereview.chromium.org/2733203002
Cr-Commit-Position: refs/heads/master@{#43779}

Marking shared functions for tier-up was optimizing the functions
non-concurrently, to avoid the case where the same shared function is
optimized concurrently by multiple JS functions. This was particularly a
problem for small functions, which (if called in a loop) could get
marked for optimisation quite quickly.

In this CL, the shared function is instead marked as having an active
optimization job running, and these do not spawn a compilation job.

BUG=693590

Change-Id: I3df93fbf9cec7eda8229fcf416d7c429c06bec86
Reviewed-on: https://chromium-review.googlesource.com/446836
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43778}

Instead of storing call_pc and ret_pc, store just one pc. This
simplifies frame inspection (no distinction between top frame and other
frames). The previous ret_pc can easily be computed from the stored pc,
since we know that we must be at a indirect or direct call site when
returning to a previous frame.
It also slightly simplifies the upcoming CL to call imported functions,
which would also have to set the call_pc.

R=titzer@chromium.org, ahaas@chromium.org
BUG=v8:5822

Change-Id: I5876c09ec36450dc1474a760282fd5e41eab38be
Reviewed-on: https://chromium-review.googlesource.com/453159
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43777}

BUG=chromium:682617
TBR=mstarzinger@chromium.org,mvstanton@chromium.org,rmcilroy@chromium.org
NOTRY=true

Change-Id: If121a5d01bba113374bc1673780fc713997e54a9
Reviewed-on: https://chromium-review.googlesource.com/454618Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43776}

This fixes a corner-case in {KeyAccumulator::CollectOwnJSProxyKeys}
where the keys returned by {JSReceiver::OwnPropertyKeys} for an array
are not internalized and hence have a diverging identity from keys
returned by the "ownKeys" trap of a proxy.

R=cbruni@chromium.org
TEST=mjsunit/regress/regress-crbug-700678
BUG=chromium:700678

Change-Id: I5efd012eade14bd45c69e4abb0aeda684baf38f0
Reviewed-on: https://chromium-review.googlesource.com/452979Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43775}

Those tests do real calls to rietveld. As we're moving away from this, we can skip testing it now.

BUG=chromium:701296
NOTRY=true
TBR=hablich@chromium.org

Change-Id: I44249160f7e35d4e2fac7aeb40889a825cfc5678
Reviewed-on: https://chromium-review.googlesource.com/454040Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43774}

If this flag is set, all code will be executed in the interpreter.
At some point in the future we might want to have a variant for testing
all code with this flag. Currently, I am using it for finding
unimplemented functionality in the interpreter and testing existing
functionality.
Mjsunit tests in follow-up CLs will use this flag too.

R=ahaas@chromium.org, titzer@chromium.org
BUG=v8:5822

Change-Id: I1393b4aedbb9f9070e011362ec95cb89f296dab4
Reviewed-on: https://chromium-review.googlesource.com/453700
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43773}

In Isolate::CaptureSimpleStackTrace, we were ignoring interpreter entry
frames so far. This CLs changes this to gets the interpreted stack from
the wasm interpreter and add the frames to the FrameArray.

R=ahaas@chromium.org, titzer@chromium.org
BUG=v8:5822

Change-Id: I705909532ff28af412ff809da94522866eaa1c0d
Reviewed-on: https://chromium-review.googlesource.com/452378
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43772}

BUG=chromium:682617
R=mstarzinger@chromium.org,mvstanton@chromium.org,rmcilroy@chromium.org

Change-Id: Id0c904e080bb09e4ac1a127a02b110459442f7f3
Reviewed-on: https://chromium-review.googlesource.com/452484
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43771}

BUG=

Change-Id: Ib7d6f1c8cc20f4170607d4f595756a534e3eceb8
Reviewed-on: https://chromium-review.googlesource.com/452382
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43770}

R=titzer@chromium.org
NOTRY=true

Change-Id: Ib1957f83010acd7603fbdf36780be80cf3f514c5
Reviewed-on: https://chromium-review.googlesource.com/452298Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43769}

BUG=v8:6091
R=machenbach@chromium.org
NOTRY=true

Review-Url: https://codereview.chromium.org/2751513003
Cr-Commit-Position: refs/heads/master@{#43768}

BUG=
R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2749783002
Cr-Commit-Position: refs/heads/master@{#43767}

This doesn't support "lookup after interceptor", but that should be unnecessary by now since we have non-masking interceptors.

BUG=

Change-Id: I8650a47ab2ce6fa314de25d0c4775b5c165df179
Reviewed-on: https://chromium-review.googlesource.com/453376Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43766}

I plan to change the constructor field of maps, and instead of patching
the intrinsics all over the place, just fall back to the runtime.

R=bmeurer@chromium.org
BUG=v8:6084

Change-Id: Ie294b74ab615fd794d7fc47488e2e30e2b49b4db
Reviewed-on: https://chromium-review.googlesource.com/454616Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43765}

NOTRY=true

R=franzih@chromium.org, machenbach@chromium.org, ofrobots@google.com

Review-Url: https://codereview.chromium.org/2744663005
Cr-Commit-Position: refs/heads/master@{#43764}

As the code isn't used, but would have to be ported from hand-written
assembly to CodeStubAssembler anyways, I propose to remove it and
restore it if we decide that we actually need it.

R=vogelheim@chromium.org
BUG=

Change-Id: Iffd7fc6ec534b1dd7a9144da900424355c8a7a02
Reviewed-on: https://chromium-review.googlesource.com/453461
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43763}

psll/rl/raw(xmm, imm)
psrad(xmm, imm)
vpsll/rl/raw(xmm, xmm, imm)
vpsll/rl/rad(xmm, xmm, imm)

BUG=

Review-Url: https://codereview.chromium.org/2747783004
Cr-Commit-Position: refs/heads/master@{#43762}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/1748b43..7de5863

Rolling v8/buildtools: https://chromium.googlesource.com/chromium/buildtools/+log/b3771b1..e6b510a

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/4550ebc..1ec68b3

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/49cece5..f091611

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: Ibd5bcb1d56b09bb898bfc14b1a100746cdba1708
Reviewed-on: https://chromium-review.googlesource.com/454398Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43761}

Add instructions in following format:
instr(xmm, xmm/mem)
vinstr(xmm, xmm, xmm/mem)

BUG=

Review-Url: https://codereview.chromium.org/2744643004
Cr-Commit-Position: refs/heads/master@{#43760}

This is basically the minimum viable signal handler for Wasm bounds checks.
It includes the TLS check and the fine grained instructions checks. These
two checks provide most of the safety for the signal handler. Future CLs will
add code range and data range checks for more robustness.

The trap handling code and data structures are all in src/trap-handler, with
the code that actually runs in the signal handler confined to
src/trap-handler/signal-handler.cc.

This changes adds a new V8 API that the embedder should call from a signal
handler that will give V8 the chance to handle the fault first. For hosts that
do not want to implement their own signal handler, we include the option to
install a simple one. This simple handler is also used for the tests.

When a Wasm module is instantiated, information about each function is passed
to the trap handler, which is used to classify faults. These are removed during
the instance finalizer.

Several future enhancements are planned before turning this on by default.
Obviously, the additional checks will be added to MaybeHandleFault. We are
also planning to add a two-level CodeObjectData table that is grouped by
isolates to make cleanup easier and also reduce potential for contending on
a single data structure.

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5277

Review-Url: https://codereview.chromium.org/2371833007
Cr-Original-Original-Commit-Position: refs/heads/master@{#43523}
Committed: https://chromium.googlesource.com/v8/v8/+/a5af7fe9ee388a636675f4a6872b1d34fa7d1a7a
Review-Url: https://codereview.chromium.org/2371833007
Cr-Original-Commit-Position: refs/heads/master@{#43755}
Committed: https://chromium.googlesource.com/v8/v8/+/338622d7cae787a63cece1f2e79a8b030023940b
Review-Url: https://codereview.chromium.org/2371833007
Cr-Commit-Position: refs/heads/master@{#43759}

This reverts the previous revert, commit
5a04f4fd.

Previously reverted changes:

>    Revert "[SAB] Move Atomics builtins to C++"
>
>     This reverts commit 2b9840d8.
>
>     Revert "[SAB] Remove unreachable Uint8Clamped atomics paths"
>
>     This reverts commit d1160fb1.
>
>     Revert "Remove tiny unit test for MinSimple/MaxSimple"
>
>     This reverts commit 837760ec.
>
>     Revert "Remove infrastructure for experimental JS natives"
>
>     This reverts commit 8cfe45b6.

These changes were reverted to improve a perf regression on a Chrome
bot. Since then, the regression has reappeared, then disappeared again
all from seemingly unrelated changes.

BUG=v8:6033
TBR=adamk@chromium.org,hpayer@chromium.org,yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2732213005
Cr-Commit-Position: refs/heads/master@{#43758}