- 21 Sep, 2017 8 commits
-
-
Marja Hölttä authored
This fix is two-fold:

1) Incremental UTF-8 decoding: Unify incorrect UTF-8 handling between V8 and Blink. Incremental UTF-8 decoding used to allow some overlong sequences / invalid code points which Blink treated as errors. This caused the decoder and the Blink UTF-8 decoder to produce a different number of bytes, resulting in random failures when scripts were streamed (especially, this was detected by the skipping inner functions feature which adds CHECKs against expected function positions).

2) Non-incremental UTF-8 decoding: return the correct amount of invalid characters. According to the encoding spec ( https://encoding.spec.whatwg.org/#utf-8-decoder ), the first byte of an overlong sequence / invalid code point generates an invalid character, and the rest of the bytes are not processed (i.e., pushed back to the byte stream). When they're handled, they will look like lonely continuation bytes, and will generate an invalid character each. As a result, an overlong 4-byte sequence should generate 4 invalid characters (not 1).

This is a potentially breaking change, since the (non-incremental) UTF-8 decoding is exposed via the API (String::NewFromUtf8). The behavioral difference happens when the client is passing in invalid UTF-8 (containing overlong / surrogate sequences). However, afaict, this doesn't change the semantics of any JavaScript program: according to the ECMAScript spec, the program is a sequence of Unicode code points, and there's no way to invoke the UTF-8 decoding functionalities from inside JavaScript. Though, this changes the behavior of d8 when decoding source files which are invalid UTF-8.

This doesn't change anything related to URI decoding (it already throws exceptions for overlong sequences / invalid code points).

BUG: chromium:765608, chromium:758236, v8:5516
Bug:
Change-Id: Ib029f6a8e87186794b092e4e8af32d01cee3ada0
Reviewed-on: https://chromium-review.googlesource.com/671020
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48105}
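The decoder rule the commit message cites is easiest to see by running it. The following Python implementation of the WHATWG UTF-8 state machine is an added illustration, not code from the V8 change or from Blink; the byte strings are constructed samples, and each is cross-checked against CPython's own `errors="replace"` decoder, which applies the same maximal-subpart rule, showing why an overlong 4-byte sequence yields four replacement characters rather than one.

```python
# Added illustration of the WHATWG UTF-8 decoder
# (https://encoding.spec.whatwg.org/#utf-8-decoder). Not V8 or Blink code.
REPLACEMENT = "\ufffd"


def whatwg_utf8_decode(data: bytes) -> str:
    """Decode per the WHATWG state machine, emitting U+FFFD on error.

    When a continuation byte is out of range, one U+FFFD is emitted for the
    prefix consumed so far and the byte is pushed back to be re-read as a
    start byte; a pushed-back 0x80..0xBF is then a lone continuation byte.
    """
    out = []
    code_point = bytes_needed = bytes_seen = 0
    lower, upper = 0x80, 0xBF
    i = 0
    while i < len(data):
        b = data[i]
        i += 1
        if bytes_needed == 0:
            if b <= 0x7F:
                out.append(chr(b))
            elif 0xC2 <= b <= 0xDF:
                bytes_needed, code_point = 1, b & 0x1F
            elif 0xE0 <= b <= 0xEF:
                if b == 0xE0:
                    lower = 0xA0          # rejects overlong 3-byte forms
                if b == 0xED:
                    upper = 0x9F          # rejects encoded surrogates
                bytes_needed, code_point = 2, b & 0x0F
            elif 0xF0 <= b <= 0xF4:
                if b == 0xF0:
                    lower = 0x90          # rejects overlong 4-byte forms
                if b == 0xF4:
                    upper = 0x8F          # rejects code points above U+10FFFF
                bytes_needed, code_point = 3, b & 0x07
            else:
                # 0x80..0xC1 and 0xF5..0xFF can never start a sequence.
                out.append(REPLACEMENT)
            continue
        if not lower <= b <= upper:
            code_point = bytes_needed = bytes_seen = 0
            lower, upper = 0x80, 0xBF
            out.append(REPLACEMENT)
            i -= 1                        # spec: "prepend byte to stream"
            continue
        lower, upper = 0x80, 0xBF
        code_point = (code_point << 6) | (b & 0x3F)
        bytes_seen += 1
        if bytes_seen == bytes_needed:
            out.append(chr(code_point))
            code_point = bytes_needed = bytes_seen = 0
    if bytes_needed:
        out.append(REPLACEMENT)           # stream ended mid-sequence
    return "".join(out)


def replacement_count(data: bytes) -> int:
    """Number of U+FFFD characters the spec-conformant decoder produces."""
    return whatwg_utf8_decode(data).count(REPLACEMENT)


# Constructed samples: invalid UTF-8 that a lenient decoder might collapse
# into a single replacement character (or accept outright).
SAMPLES = {
    "overlong 4-byte '/'": b"\xf0\x80\x80\xaf",   # 4 replacement chars
    "overlong 2-byte '/'": b"\xc0\xaf",           # 2
    "overlong 3-byte '/'": b"\xe0\x80\xaf",       # 3
    "encoded surrogate U+D800": b"\xed\xa0\x80",  # 3
    "above U+10FFFF": b"\xf4\x90\x80\x80",        # 4
    "truncated U+20AC": b"\xe2\x82",              # 1
}


def matches_cpython(data: bytes) -> bool:
    """CPython's 'replace' handler follows the same maximal-subpart rule."""
    return whatwg_utf8_decode(data) == data.decode("utf-8", "replace")


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:26} {raw.hex(' '):12} -> {replacement_count(raw)} x U+FFFD")
```

Two components that decode the same bytes to different lengths, as V8 and Blink did before this change, disagree about where every later character sits, which is exactly the mismatch the streaming CHECKs caught.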
-
Michael Lippautz authored
No-Try: true
Bug: v8:6845
Change-Id: Ic823fe62e0ee6a954ca704d37a6cb54473720b9c
Reviewed-on: https://chromium-review.googlesource.com/676890
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48104}
-
Michael Achenbach authored
This reverts commit 8c4a8250.

Reason for revert: Flaky dcheck on several bots, e.g.:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/17055

Original change's description:
> [heap] Enable concurrent marking for x86 and x64.
>
> Bug: chromium:694255
> Change-Id: I28c8c6e5ba6c84123f3951e822c132860cb22c1d
> Reviewed-on: https://chromium-review.googlesource.com/641451
> Commit-Queue: Kentaro Hara <haraken@chromium.org>
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Hannes Payer (slow) <hpayer@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48100}

TBR=ulan@chromium.org,haraken@chromium.org,machenbach@chromium.org,hpayer@chromium.org,mlippautz@chromium.org

Change-Id: Id5954676c75e69b66e85f05ffab737ab7f760101
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:694255
Reviewed-on: https://chromium-review.googlesource.com/677203
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48103}
-
Mostyn Bramley-Moore authored
By adding a per test source file namespace, we can avoid a lot of symbol collisions in jumbo builds. While we're at it, let's remove some "using" statements that also cause trouble.

Bug: chromium:746958
Change-Id: I6f8a723e1ba5905888638e0687b23193f3f012ca
Reviewed-on: https://chromium-review.googlesource.com/676803
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Mostyn Bramley-Moore <mostynb@opera.com>
Cr-Commit-Position: refs/heads/master@{#48102}
-
Igor Sheludko authored
Bug: chromium:346399
Change-Id: I4d93dbef6deb0fee477f88e20c40106868e99dee
Reviewed-on: https://chromium-review.googlesource.com/674940
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48101}
-
Ulan Degenbaev authored
Bug: chromium:694255
Change-Id: I28c8c6e5ba6c84123f3951e822c132860cb22c1d
Reviewed-on: https://chromium-review.googlesource.com/641451
Commit-Queue: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Hannes Payer (slow) <hpayer@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48100}
-
Jakob Kummerow authored
Bug: v8:6791
Change-Id: If128758e92e566603fa1e3213f42e1dd7a246793
Reviewed-on: https://chromium-review.googlesource.com/674134
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48099}
-
Ulan Degenbaev authored
This reverts commit ec952aaa.

Reason for revert: https://bugs.chromium.org/p/chromium/issues/detail?id=767144

Original change's description:
> Reland "[profiler] proper observation of old space inline allocations"
>
> This is a reland of 672a41c3
> Original change's description:
> > [profiler] proper observation of old space inline allocations
> >
> > Bug: chromium:633920
> > Change-Id: I9a2f4a89f6b9c0f63cb3b166b06a88a12f0a203c
> > Reviewed-on: https://chromium-review.googlesource.com/631696
> > Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#48043}
>
> Bug: chromium:633920
> Change-Id: I6fe743d31b8ff26f3858488d4c014c62d3c85add
> Reviewed-on: https://chromium-review.googlesource.com/671127
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
> Cr-Commit-Position: refs/heads/master@{#48085}

TBR=ulan@chromium.org,mlippautz@chromium.org,ofrobots@google.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:633920
Change-Id: I576cdab4a03f9fe057ebe1bf7da9dfe3c7bf62cd
Reviewed-on: https://chromium-review.googlesource.com/676683
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48098}
-
- 20 Sep, 2017 13 commits
-
-
Deepti Gandluri authored
Memory instantiate on initialize should always patch memory references. If memory references are not patched for no initial memory, on subsequent calls to grow_memory in wasm functions for instances that share a module, the references will be patched without resetting cloned compiled values to their correct initial values.

BUG=chromium:763439
Change-Id: I666439332379b02aa344e99d61ef3dc88ab86cc8
Reviewed-on: https://chromium-review.googlesource.com/674707
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48097}
-
Bill Budge authored
- Changes x64 AssembleSwap to use push/pop for 128-bit slot swaps.
- Reorders instructions to simplify 32/64-bit FP slot swaps.
- Refactors the ia32 version of this, eliminating OffsetOperand in favor of the existing ToOperand.

Bug: v8:6020
Change-Id: Ie0ae4c581c9aeb88ee786797851c3c77d5210a3d
Reviewed-on: https://chromium-review.googlesource.com/669748
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48096}
-
Jakob Kummerow authored
For consistency with surrounding handlified code. No change in functionality intended.

Change-Id: I8501514ce9caf94fc7e6fb45162fcfd3d730efcd
Reviewed-on: https://chromium-review.googlesource.com/671671
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48095}
-
Jakob Kummerow authored
Along with BigInt.prototype. Their functions only have skeleton implementations. The purpose of this change is to make it easier to gradually increase test coverage (e.g. for toString(radix)). Of course this is still behind the --harmony-bigint flag.

Bug: v8:6791
Change-Id: Ic307fd9165c56ac782fba18d648ce893daaa718f
Reviewed-on: https://chromium-review.googlesource.com/671209
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48094}
-
Ilija Pavlovic authored
There is no support to emulate atomic WASM operations on big-endian platforms, since this would require bit swapping as a part of atomic operations. Therefore, cctest/test-run-wasm-atomics/* will be skipped.

TEST=cctest/test-run-wasm-atomics/*
BUG=
Change-Id: I1a8b085f816f615011788092e6fc8a8390678382
Reviewed-on: https://chromium-review.googlesource.com/671010
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Cr-Commit-Position: refs/heads/master@{#48093}
-
Nico Weber authored
Do this by deleting code after calls to V8_Fatal() (either through UNREACHABLE() or FATAL()).

Comments suggest that the returns there were needed to make a compiler happy, but all compilers seem to be happy with this change too. My guess is that either https://codereview.chromium.org/1393023003 which marked V8_Fatal() as noreturn, or https://chromium-review.googlesource.com/#/c/544845/ which switched to the C++11 spelling of noreturn, fixed the warnings that the explicit code after V8_Fatal() was supposed to silence.

There's one more warning in src/compiler/machine-graph-verifier.cc, but fixing that changes behavior. I asked about that one in https://codereview.chromium.org/2573573004/#msg27 instead.

Bug: chromium:346399
Change-Id: Ie9519d5432bdeaaf382e8390d8254d3b79e622e4
Reviewed-on: https://chromium-review.googlesource.com/669803
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Nico Weber <thakis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48092}
-
Clemens Hammacher authored
This fixes a few leftovers where we use WASM_EXEC_TEST, but then unconditionally execute the compiled code, and also changes more tests to use WASM_EXEC_TEST, hence run in both the interpreter and compiled code. Once we have landed the baseline compiler, those tests will also execute in baseline compilation mode.

R=ahaas@chromium.org

Bug: v8:6600
Change-Id: I79598df21a7538934306e01ca6593f05afe19ed3
Reviewed-on: https://chromium-review.googlesource.com/672528
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48091}
-
Ivo Markovic authored
Bug:
Change-Id: I62414a59246af359634b1309b03216c0a5c8764b
Reviewed-on: https://chromium-review.googlesource.com/663728
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Cr-Commit-Position: refs/heads/master@{#48090}
-
Michael Lippautz authored
Bug: chromium:758570
Change-Id: Ia2bd72c1756fbc4062c62d975e25bb0ca209a6ad
Reviewed-on: https://chromium-review.googlesource.com/674465
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48089}
-
Michael Hablich authored
This reverts commit f2cd10db.

Reason for revert: Blocks the roll https://chromium-review.googlesource.com/c/chromium/src/+/674623

Original change's description:
> Reland "[Memory] Move VirtualMemory out of base:: platform."
>
> This is a reland of 4dd293d9
> Original change's description:
> > [Memory] Move VirtualMemory out of base:: platform.
> >
> > - Moves base::VirtualMemory to v8::internal::VirtualMemory.
> > - Makes VirtualMemory platform-independent by moving internals to new
> >   OS:: static methods, for each platform.
> >
> > This will make it easier to delegate memory management in VirtualMemory
> > to V8::Platform, so that embedders like Blink can override it. We can't
> > depend on V8::Platform in base/platform.
> >
> > Bug: chromium:756050
> > Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> > Change-Id: Iadfe230b6850bd917727a373f277afded9883adf
> > Reviewed-on: https://chromium-review.googlesource.com/653214
> > Commit-Queue: Bill Budge <bbudge@chromium.org>
> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#48048}
>
> Bug: chromium:756050
> Change-Id: Ib492c7c69f1833be127a571808301e96b84b8aa2
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/671125
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48084}

TBR=bbudge@chromium.org,ulan@chromium.org,hpayer@chromium.org,mlippautz@chromium.org,scottmg@chromium.org

Change-Id: I04176d77ca9ad8315b0e1bb2b21f40f2c8ab9536
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:756050
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/674843
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48088}
-
Michael Lippautz authored
The work list should be empty in the case we are not tearing down during incremental marking. Explicitly clear during incremental marking and rely on DCHECKs for the other case.

Bug: chromium:758570
Change-Id: Iecc8935f0cbfda67f0e7afde42930050e7c94d2d
Reviewed-on: https://chromium-review.googlesource.com/674504
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48087}
-
jing.bao authored
When var_type_feedback is nullptr and {lhs} is not a String, rhs_instance_type is not needed.

Bug:
Change-Id: Ia39aa39ec7ad0063d2fb9b01fd326d7993ab4d26
Reviewed-on: https://chromium-review.googlesource.com/659340
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48086}
-
Ali Ijaz Sheikh authored
This is a reland of 672a41c3

Original change's description:
> [profiler] proper observation of old space inline allocations
>
> Bug: chromium:633920
> Change-Id: I9a2f4a89f6b9c0f63cb3b166b06a88a12f0a203c
> Reviewed-on: https://chromium-review.googlesource.com/631696
> Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48043}

Bug: chromium:633920
Change-Id: I6fe743d31b8ff26f3858488d4c014c62d3c85add
Reviewed-on: https://chromium-review.googlesource.com/671127
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#48085}
-
- 19 Sep, 2017 12 commits
-
-
Bill Budge authored
This is a reland of 4dd293d9

Original change's description:
> [Memory] Move VirtualMemory out of base:: platform.
>
> - Moves base::VirtualMemory to v8::internal::VirtualMemory.
> - Makes VirtualMemory platform-independent by moving internals to new
>   OS:: static methods, for each platform.
>
> This will make it easier to delegate memory management in VirtualMemory
> to V8::Platform, so that embedders like Blink can override it. We can't
> depend on V8::Platform in base/platform.
>
> Bug: chromium:756050
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: Iadfe230b6850bd917727a373f277afded9883adf
> Reviewed-on: https://chromium-review.googlesource.com/653214
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48048}

Bug: chromium:756050
Change-Id: Ib492c7c69f1833be127a571808301e96b84b8aa2
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/671125
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48084}
-
Jaroslav Sevcik authored
This reverts commit 37aa13fe.

Reason for revert: Suspected to break 63.0.3219 Canary

Original change's description:
> [Turbofan] Array.prototype.filter inlining.
>
> Support inlining of Array.prototype.filter in TurboFan.
>
> Bug: v8:1956
> Change-Id: Iba4d683aaa86c6104e8a1cf4d0f549a0c516576a
> Reviewed-on: https://chromium-review.googlesource.com/657021
> Commit-Queue: Michael Stanton <mvstanton@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48040}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: v8:1956
Change-Id: I125a8caf128890d788e040adfe2fc76bd8d1fbea
Reviewed-on: https://chromium-review.googlesource.com/672783
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48083}
-
Jaroslav Sevcik authored
Now hopefully getting it right, but still leaving in the confusing flag implications.

Bug: v8:6520,chromium:766162
Change-Id: Idc6dca012bf0c9777b4a75cf424410ce5914c885
Reviewed-on: https://chromium-review.googlesource.com/671022
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48082}
-
Mythri authored
Runtime profiler uses bytecode array size for the tiering up decisions. Bytecode array size includes the header size as well. Inlining heuristics use bytecode array length instead. Bytecode array length is just the size of bytecode not including any headers. This change is to keep both of them in sync to avoid confusion. Also, the header contains several pointers and hence the size changes depending on the size of kPointerSize.

Bug:
Change-Id: I22a9cf5e0bb9d6853c6a8be8d69c9ff459418a0d
Reviewed-on: https://chromium-review.googlesource.com/670724
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48081}
-
Clemens Hammacher authored
Use the (D)CHECK_{EQ,NE,GT,...} macros instead of (D)CHECK with an embedded comparison. This gives better error messages and also does the right comparison for signed/unsigned mismatches. This will allow us to reenable the readability/check cpplint check.

R=ahaas@chromium.org

Bug: v8:6837
Change-Id: Ic8966dfeacf02b2684eeef23fde99ec2be4ed81e
Reviewed-on: https://chromium-review.googlesource.com/671364
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48080}
-
Clemens Hammacher authored
Use the (D)CHECK_{EQ,NE,GT,...} macros instead of (D)CHECK with an embedded comparison. This gives better error messages and also does the right comparison for signed/unsigned mismatches. This will allow us to reenable the readability/check cpplint check.

R=jgruber@chromium.org

Bug: v8:6837
Change-Id: I9c489ac0e1b15fd4789c37fd32c9d3c76121a288
Reviewed-on: https://chromium-review.googlesource.com/671343
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48079}
-
Michael Lippautz authored
Removes
- SequentialMarkingDeque
- The ability to handle marking deque overflow
- BlackToGrey transitions

We switched to a different marking work list on M61 that fails in OOM upon failing to allocate Segments used in the work list.

Bug: chromium:758570
Change-Id: I66e2ab912271bf84b085dccc9b4bdd96076b64fb
Reviewed-on: https://chromium-review.googlesource.com/632676
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48078}
-
Jakob Gruber authored
This CL refactors allocation & reservation logic into a new DefaultSerializerAllocator class. In upcoming work, this will be further extended by a custom allocator for builtin serialization.

Additionally, this cleans up a bunch of cosmetics (encapsulation and other nits).

Bug: v8:6624
Change-Id: Ibcf12a525c8fcb26d9c16b7a12fd598c37a0e10a
Reviewed-on: https://chromium-review.googlesource.com/650357
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48077}
-
Eric Holk authored
This is primarily to aid in testing the Wasm out of bounds trap handler. We keep track of how many faults have been recovered by the Wasm trap handler. This count is exposed to JavaScript through a testing-only runtime function. This allows tests to verify whether the trap handler is actually running.

Bug: v8:5277
Change-Id: Ie8037a36d84eb08166c6e40c7225d912683d5786
Reviewed-on: https://chromium-review.googlesource.com/665968
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48076}
-
Jakob Kummerow authored
Bug: v8:6791
Change-Id: I058db23c03451dc5028c3d39af8607d31048295c
Reviewed-on: https://chromium-review.googlesource.com/667809
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48075}
-
Mircea Trofin authored
Sanitize imports before we start the instance building process. This avoids the possibility of exiting to JS while building instances, and allowing JS to observe an inconsistent state of the wasm world - e.g. incomplete specialization chains.

We now validate we never exit to JS during that process.

Bug: chromium:766260
Change-Id: I34930c8b70bdac16af464b3f62a2b6a38107acb3
Reviewed-on: https://chromium-review.googlesource.com/671480
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48074}
-
Eric Holk authored
Promises can sometimes be resolved after the RealmScope has been destroyed, such as when a Wasm compile job finishes after the script main has finished. If the Promise.then function refers to Realm.current, we were getting a use-after-free error when it would search for the list of realms.

This change also zeros out realm_count_ in addition to deleting the realms_ so that RealmFind will not reference freed memory.

Bug: chromium:761710
Change-Id: I2d42997f363b284ccc5f4b225d3f59e0361e68d6
Reviewed-on: https://chromium-review.googlesource.com/671923
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48073}
-
- 18 Sep, 2017 7 commits
-
-
Adam Klein authored
Also store the variable directly on ClassLiteral, as the proxy serves as a useless form of indirection.

Bug: v8:6092
Change-Id: If0182a808cde4e349c1bf5a003a1ecee5bd14b13
Reviewed-on: https://chromium-review.googlesource.com/667800
Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48072}
-
Scott Graham authored
Chromium has rolled the Fuchsia SDK, so this can be removed now, and the new zx_, etc. names used exclusively.

Bug: chromium:765754
Change-Id: I8bd60239da7a05e62d3b8d5209e1cfe898d8052a
Reviewed-on: https://chromium-review.googlesource.com/671769
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Scott Graham <scottmg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48071}
-
Josh Wolfe authored
R=littledan@chromium.org, adamk@chromium.org, caitp@igalia.com
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_noi18n_rel_ng

Bug: v8:5601
Change-Id: Ifc5fa3e9de05f64d8a6cb82d67fb272800a208a3
Reviewed-on: https://chromium-review.googlesource.com/669720
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Cr-Commit-Position: refs/heads/master@{#48070}
-
Josh Wolfe authored
R=adamk@chromium.org, mstarzinger@chromium.org

Bug: v8:5244, chromium:765479
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I684805acc194a93b96d74e3e64834867dce78dee
Reviewed-on: https://chromium-review.googlesource.com/668677
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Cr-Commit-Position: refs/heads/master@{#48069}
-
Caitlin Potter authored
Enable --harmony-async-iteration (Symbol.asyncIterator, async generator syntax, and for-await-of syntax) by default, as discussed in https://groups.google.com/forum/#!topic/v8-users/SlLEsgNv4JY

BUG=v8:5855
R=adamk@chromium.org, gsathya@chromium.org

Change-Id: I77a77124a68813431daceca1b0cbaec5af271fee
Reviewed-on: https://chromium-review.googlesource.com/668877
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48068}
-
Scott Graham authored
This is a reland of aabb893a

Original change's description:
> fuchsia: Set up for 3-sided roll to convert Magenta->Zircon
>
> Fuchsia changed their kernel name from Magenta to Zircon and all the
> functions and defines along with it. In order to be able to roll the SDK
> in Chromium, we first need to land with this define added in v8, so that
> can roll in to Chromium, then roll the Fuchsia SDK with this magic
> define set (CHROMIUM_ROLLING_MAGENTA_TO_ZIRCON), then actually update v8
> to reference zx_ instead of mx_ and roll that again.
>
> Chromium-side for reference: https://chromium-review.googlesource.com/c/chromium/src/+/669139
>
> Bug: chromium:765754, chromium:707030
> Change-Id: I4ed5027f455d2346f431e7c700e87693348d5b79
> Reviewed-on: https://chromium-review.googlesource.com/668751
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Commit-Queue: Scott Graham <scottmg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48047}

TBR=bbudge@chromium.org

Bug: chromium:765754, chromium:707030
Change-Id: Ib6e99ca418af527014622614d07d295b6110f9d5
Reviewed-on: https://chromium-review.googlesource.com/670944
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48067}
-
Marja Hölttä authored
The bug occurred when we detected an erroneous char late, and put the last character in a chunk into the "incomplete char" buffer. It was not correctly retrieved when seeking.

BUG=v8:6836
Change-Id: I8ca946dfdb39244c5ca0bdcebe047047010b3a07
Reviewed-on: https://chromium-review.googlesource.com/670729
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48066}
-