Port 411c5b7f

Original commit message:
    Also remove the ResultMode from ToBooleanStub and always return true or
    false and use the same mechanism in fullcodegen.  This is in preparation
    for adding ToBoolean hints to TurboFan.

    Drive-by-fix: We can use the power of the ToBooleanIC in TurboFan now
    that the ResultMode is gone (and the runtime always returns true or
    false from the miss handler).

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:4583
LOG=n

Review URL: https://codereview.chromium.org/1490363003

Cr-Commit-Position: refs/heads/master@{#32531}

Revert of Disable non-standard Promise functions in staging (patchset #1 id:1 of https://codereview.chromium.org/1478533002/ )

Reason for revert:
Will test better; there seems to be a bug related to this.

Original issue's description:
> Reland of Disable non-standard Promise functions in staging (patchset #1 id:1 of https://codereview.chromium.org/1473603002/ )
>
> Reason for revert:
> Breakage in Ignition seems unrelated; relanding.
>
> Original issue's description:
> > Revert of Disable non-standard Promise functions in staging (patchset #5 id:80001 of https://codereview.chromium.org/1469543003/ )
> >
> > Reason for revert:
> > [Sheriff] This breaks ignition on arm sim debug:
> > https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm%20-%20sim%20-%20debug/builds/5317
> >
> > Seems to not be caught by the cq bot that builds release with dchecks.
> >
> > Original issue's description:
> > > Disable non-standard Promise functions in staging
> > >
> > > This patch removes Promise functions and methods which are absent
> > > from the ES2015 specification when the --es-staging flag is on.
> > >
> > > BUG=v8:3237
> > > R=rossberg
> > > LOG=Y
> > >
> > > Committed: https://crrev.com/941251af7e04d50ac2243da2870249a42111221a
> > > Cr-Commit-Position: refs/heads/master@{#32194}
> >
> > TBR=rossberg@chromium.org,littledan@chromium.org
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > NOTRY=true
> > BUG=v8:3237
> >
> > Committed: https://crrev.com/86bd2b3c23b562213d5af158849dcd65f347a827
> > Cr-Commit-Position: refs/heads/master@{#32199}
>
> TBR=rossberg@chromium.org,rmcilroy@chromium.org,machenbach@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:3237
>
> Committed: https://crrev.com/9278b7b05a45c2089007e8b61822af96b5d0c8df
> Cr-Commit-Position: refs/heads/master@{#32235}

TBR=rossberg@chromium.org,rmcilroy@chromium.org,machenbach@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3237

Review URL: https://codereview.chromium.org/1493713004

Cr-Commit-Position: refs/heads/master@{#32530}

update.sh is gone in chromium, and using update.py will do the right
thing both before and after the deletion in chromium (previously,
update.py used to call update.sh internally on non-win).

This also has the benefit of working on Windows.

No intended behavior change.

BUG=chromium:494442
LOG=n

Review URL: https://codereview.chromium.org/1495653002

Cr-Commit-Position: refs/heads/master@{#32529}

LOG=Y
BUG=chromium:558998
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1495633002

Cr-Commit-Position: refs/heads/master@{#32528}

This hackily disambiguates multiple calls for the iterator protocols in ForOf / Yield* by adding -2 / -1 to the pos.

BUG=v8:3953
LOG=y

Review URL: https://codereview.chromium.org/1491923003

Cr-Commit-Position: refs/heads/master@{#32527}

While execution will not return to this location, stack iteration
logic will attempt to find the code object associated with the return
address.  This makes sure that it maps to the correct object and not
to the one immediately following it in memory.

R=joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1490343002

Cr-Commit-Position: refs/heads/master@{#32526}

Split out of PropertyAttributes, and used for all filtering purposes.
Also moved PropertyAttributes into the v8::internal:: namespace.

No change in behavior intended.

Review URL: https://codereview.chromium.org/1492653004

Cr-Commit-Position: refs/heads/master@{#32525}

Also remove the ResultMode from ToBooleanStub and always return true or
false and use the same mechanism in fullcodegen.  This is in preparation
for adding ToBoolean hints to TurboFan.

Drive-by-fix: We can use the power of the ToBooleanIC in TurboFan now
that the ResultMode is gone (and the runtime always returns true or
false from the miss handler).

R=mstarzinger@chromium.org
BUG=v8:4583
LOG=n

Review URL: https://codereview.chromium.org/1491223002

Cr-Commit-Position: refs/heads/master@{#32524}

R=mstarzinger@chromium.org
BUG=v8:4586
LOG=n

Review URL: https://codereview.chromium.org/1491903002

Cr-Commit-Position: refs/heads/master@{#32523}

Revert of [heap] Refactor evacuation for young and old gen into visitors. (patchset #1 id:1 of https://codereview.chromium.org/1493523003/ )

Reason for revert:
Speculative revert for crashing Canary.

Original issue's description:
> Reland of [heap] Refactor evacuation for young and old gen into visitors. (patchset #1 id:1 of https://codereview.chromium.org/1483393002/ )
>
> Reason for revert:
> Reland after fixing the potential root cause of the canary crasher.
>
> Original issue's description:
> > Revert of [heap] Refactor evacuation for young and old gen into visitors. (patchset #5 id:80001 of https://codereview.chromium.org/1470253002/ )
> >
> > Reason for revert:
> > Still investigating bad canary.
> >
> > Original issue's description:
> > > [heap] Refactor evacuation for young and old gen into visitors.
> > >
> > > Create a visitor for evacuating objects for young and old generation. This is
> > > the first step of preparing a task to process, both,  newspace and oldspace
> > > pages in parallel.
> > >
> > > BUG=chromium:524425
> > > LOG=N
> > >
> > > Committed: https://crrev.com/138d9bae5d7014e0d205634a49b5eac3697744c8
> > > Cr-Commit-Position: refs/heads/master@{#32349}
> >
> > TBR=mlippautz@chromium.org
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > NOTRY=true
> > BUG=chromium:524425
> >
> > Committed: https://crrev.com/aa24a3135ec308e1f84bce334844caf0cae2437a
> > Cr-Commit-Position: refs/heads/master@{#32462}
>
> TBR=mlippautz@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:524425
>
> Committed: https://crrev.com/120b640dfce5f02cecc5af72ca0b2b3b93ce8652
> Cr-Commit-Position: refs/heads/master@{#32500}

TBR=hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1495583002

Cr-Commit-Position: refs/heads/master@{#32522}

Revert of [heap] Unify evacuating an object for new and old generation. (patchset #1 id:1 of https://codereview.chromium.org/1494533002/ )

Reason for revert:
Speculative revert for crashing Canary.

Original issue's description:
> Reland of [heap] Unify evacuating an object for new and old generation. (patchset #1 id:1 of https://codereview.chromium.org/1483963004/ )
>
> Reason for revert:
> Reland after fixing the potential root cause of the canary crasher.
>
> Original issue's description:
> > Revert of [heap] Unify evacuating an object for new and old generation. (patchset #2 id:20001 of https://codereview.chromium.org/1481873002/ )
> >
> > Reason for revert:
> > Still investigating bad canary.
> >
> > Original issue's description:
> > > [heap] Unify evacuating an object for new and old generation.
> > >
> > > BUG=chromium:524425
> > > LOG=N
> > >
> > > Committed: https://crrev.com/afb8bcce8ba889280ed747eb218d287ddd233b4a
> > > Cr-Commit-Position: refs/heads/master@{#32365}
> >
> > TBR=mlippautz@chromium.org
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > NOTRY=true
> > BUG=chromium:524425
> >
> > Committed: https://crrev.com/9c60ddc60e96da0c59e646660789c26550ad52a2
> > Cr-Commit-Position: refs/heads/master@{#32460}
>
> TBR=mlippautz@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:524425
>
> Committed: https://crrev.com/7ea8ac98f6eb5ffa9d4976aa22fec9befb814e0c
> Cr-Commit-Position: refs/heads/master@{#32501}

TBR=hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1491013003

Cr-Commit-Position: refs/heads/master@{#32521}

Revert of "[heap] Clean up stale store buffer entries for aborted pages." (patchset #3 id:40001 of https://codereview.chromium.org/1494503004/ )

Reason for revert:
Still failing on GC stress
  https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/690

Original issue's description:
> Reland of "[heap] Clean up stale store buffer entries for aborted pages."
>
> This reverts commit d4fc4a8c.
>
> 1.  Let X be the aborted slot (slot in an evacuated object in an aborted page)
> 2.  Assume X contains pointer to Y and Y is in the new space, so X is in the
>     store buffer.
> 3.  Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
> 4.  The current mark-sweep finishes. The slot X is in free space and is also in
>     the store buffer.
> 5.  A string of length 9 "abcdefghi" is allocated in the new space. The string
>     looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
>     previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
>     object before.
> 6.  Scavenge happens.
> 7.  Slot X is still in free space and in store buffer. [It causes scavenge of
>     the object Y in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
>     it is not important].
> 8.  Our string is promoted and is allocated over the slot X, such that NNNNNNNi
>     is written in X.
> 9.  The scavenge finishes.
> 9.  Another scavenge starts.
> 10. We crash in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
>     processing slot X, because it doesn't point to valid map.
>
> BUG=chromium:524425, chromium:564498
> LOG=N
> R=hpayer@chromium.org, ulan@chromium.org
>
> Committed: https://crrev.com/fc6ff534003480e49dc481d9c665e961ab709c02
> Cr-Commit-Position: refs/heads/master@{#32514}

TBR=hpayer@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425, chromium:564498

Review URL: https://codereview.chromium.org/1492823002

Cr-Commit-Position: refs/heads/master@{#32520}

We can constant fold %_IsJSReceiver(x) based on whether x is always a
receiver or can never be a receiver.  This is important as
%_IsJSReceiver is inserted by the JSInliner.

R=jarin@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1486383003

Cr-Commit-Position: refs/heads/master@{#32519}

R=mvstanton@chromium.org, yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1491683003

Cr-Commit-Position: refs/heads/master@{#32518}

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1493733002

Cr-Commit-Position: refs/heads/master@{#32517}

The new step-in implementation no longer tries to predict the step-in
target, so we don't need the arguments count nor call type anymore.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1484893003

Cr-Commit-Position: refs/heads/master@{#32516}

  port 4f494789 (r32262)

  original commit message:
  The Float32RoundUp operator rounds float32 numbers towards infinity.
  The operator is currently implemented on x64, ia32, arm, and arm64.

BUG=

Review URL: https://codereview.chromium.org/1491843003

Cr-Commit-Position: refs/heads/master@{#32515}

This reverts commit d4fc4a8c.

1.  Let X be the aborted slot (slot in an evacuated object in an aborted page)
2.  Assume X contains pointer to Y and Y is in the new space, so X is in the
    store buffer.
3.  Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4.  The current mark-sweep finishes. The slot X is in free space and is also in
    the store buffer.
5.  A string of length 9 "abcdefghi" is allocated in the new space. The string
    looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
    previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
    object before.
6.  Scavenge happens.
7.  Slot X is still in free space and in store buffer. [It causes scavenge of
    the object Y in
    store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
    it is not important].
8.  Our string is promoted and is allocated over the slot X, such that NNNNNNNi
    is written in X.
9.  The scavenge finishes.
9.  Another scavenge starts.
10. We crash in
    store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
    processing slot X, because it doesn't point to valid map.

BUG=chromium:524425, chromium:564498
LOG=N
R=hpayer@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/1494503004

Cr-Commit-Position: refs/heads/master@{#32514}

BUG=

Review URL: https://codereview.chromium.org/1491613002

Cr-Commit-Position: refs/heads/master@{#32513}

Revert of [CQ] Update proto format to fix triggered builders. (patchset #1 id:1 of https://codereview.chromium.org/1495443003/ )

Reason for revert:
Still not working

Original issue's description:
> Reland of [CQ] Update proto format to fix triggered builders. (patchset #1 id:1 of https://codereview.chromium.org/1485813004/ )
>
> Reason for revert:
> Should be fixed after https://codereview.chromium.org/1487413002/
>
> Original issue's description:
> > Revert of [CQ] Update proto format to fix triggered builders. (patchset #1 id:1 of https://codereview.chromium.org/1486963002/ )
> >
> > Reason for revert:
> > Maybe causing problems
> >
> > Original issue's description:
> > > [CQ] Update proto format to fix triggered builders.
> > >
> > > Depends on https://chromereviews.googleplex.com/319777013/
> > >
> > > BUG=chromium:561530
> > > LOG=n
> > > TBR=sergiyb@chromium.org, tandrii@chromium.org
> > > NOTRY=true
> > >
> > > Committed: https://crrev.com/51d6d619330080a76c5bc7a2ebdafebc6a808aa8
> > > Cr-Commit-Position: refs/heads/master@{#32453}
> >
> > TBR=sergiyb@chromium.org,tandrii@chromium.org
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > NOTRY=true
> > BUG=chromium:561530
> >
> > Committed: https://crrev.com/79ded5acc9da6a80cbd739c24c6dfa0cf207ae93
> > Cr-Commit-Position: refs/heads/master@{#32464}
>
> TBR=sergiyb@chromium.org,tandrii@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:561530
>
> Committed: https://crrev.com/3cea13351c1af365013f51c7b67e72eeba79afe6
> Cr-Commit-Position: refs/heads/master@{#32511}

TBR=sergiyb@chromium.org,tandrii@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:561530

Review URL: https://codereview.chromium.org/1493693003

Cr-Commit-Position: refs/heads/master@{#32512}

Reland of [CQ] Update proto format to fix triggered builders. (patchset #1 id:1 of https://codereview.chromium.org/1485813004/ )

Reason for revert:
Should be fixed after https://codereview.chromium.org/1487413002/

Original issue's description:
> Revert of [CQ] Update proto format to fix triggered builders. (patchset #1 id:1 of https://codereview.chromium.org/1486963002/ )
>
> Reason for revert:
> Maybe causing problems
>
> Original issue's description:
> > [CQ] Update proto format to fix triggered builders.
> >
> > Depends on https://chromereviews.googleplex.com/319777013/
> >
> > BUG=chromium:561530
> > LOG=n
> > TBR=sergiyb@chromium.org, tandrii@chromium.org
> > NOTRY=true
> >
> > Committed: https://crrev.com/51d6d619330080a76c5bc7a2ebdafebc6a808aa8
> > Cr-Commit-Position: refs/heads/master@{#32453}
>
> TBR=sergiyb@chromium.org,tandrii@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:561530
>
> Committed: https://crrev.com/79ded5acc9da6a80cbd739c24c6dfa0cf207ae93
> Cr-Commit-Position: refs/heads/master@{#32464}

TBR=sergiyb@chromium.org,tandrii@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:561530

Review URL: https://codereview.chromium.org/1495443003

Cr-Commit-Position: refs/heads/master@{#32511}

NOTRY=true
TBR=hpayer@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/1490263002

Cr-Commit-Position: refs/heads/master@{#32510}

BUG=v8:2487
LOG=n
R=vogelheim@chromium.org

Review URL: https://codereview.chromium.org/1496493002

Cr-Commit-Position: refs/heads/master@{#32509}

* Add a sibling interface to InterpreterAssembler called
  CodeStubAssembler which provides a wrapper around the
  RawMachineAssembler and is intented to make it easy to build
  efficient cross-platform code stubs. Much of the implementation
  of CodeStubAssembler is shamelessly stolen from the
  InterpreterAssembler, and the idea is to eventually merge the
  two interfaces somehow, probably moving the
  InterpreterAssembler interface over to use the
  CodeStubAssembler. Short-term, however, the two interfaces
  shall remain decoupled to increase our velocity developing the
  two systems in parallel.
* Implement the StringLength stub in TurboFan with the new
  CodeStubAssembler. Replace and remove the old Hydrogen-stub
  version.
* Remove a whole slew of machinery to support JavaScript-style
  code stub generation, since it ultimately proved unwieldy,
  brittle and baroque. This cleanup includes removing the shared
  code stub context, several example stubs and a tangle of build
  file changes.

BUG=v8:4587
LOG=n

Review URL: https://codereview.chromium.org/1475953002

Cr-Commit-Position: refs/heads/master@{#32508}

The main part of the Proxy constructor was already in C++, there's
actually no point in keeping a JavaScript wrapper.

R=cbruni@chromium.org
BUG=v8:1543
LOG=n

Review URL: https://codereview.chromium.org/1491893002

Cr-Commit-Position: refs/heads/master@{#32507}

BUG=

Review URL: https://codereview.chromium.org/1484393002

Cr-Commit-Position: refs/heads/master@{#32506}

Allow to pass new.target (in addition to target) to C++ builtins, and
remove some obsolete/dangerous code from the C++ builtins.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1491883002

Cr-Commit-Position: refs/heads/master@{#32505}

Revert of [heap] Clean up stale store buffer entries for aborted pages. (patchset #4 id:60001 of https://codereview.chromium.org/1493653002/ )

Reason for revert:
Not completely correct fix.

Original issue's description:
> [heap] Clean up stale store buffer entries for aborted pages.
>
> 1.  Let X be the aborted slot (slot in an evacuated object in an aborted page)
> 2.  Assume X contains pointer to Y and Y is in the new space, so X is in the
>     store buffer.
> 3.  Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
> 4.  The current mark-sweep finishes. The slot X is in free space and is also in
>     the store buffer.
> 5.  A string of length 9 "abcdefghi" is allocated in the new space. The string
>     looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
>     previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
>     object before.
> 6.  Scavenge happens.
> 7.  Slot X is still in free space and in store buffer. [It causes scavenge of
>     the object Y in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
>     it is not important].
> 8.  Our string is promoted and is allocated over the slot X, such that NNNNNNNi
>     is written in X.
> 9.  The scavenge finishes.
> 9.  Another scavenge starts.
> 10. We crash in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
>     processing slot X, because it doesn't point to valid map.
>
> BUG=chromium:524425,chromium:564498
> LOG=N
> R=hpayer@chromium.org, ulan@chromium.org
>
> Committed: https://crrev.com/2e7eea4aef3403969fe885e30f892d46253b3572
> Cr-Commit-Position: refs/heads/master@{#32495}

TBR=hpayer@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425,chromium:564498

Review URL: https://codereview.chromium.org/1489243004

Cr-Commit-Position: refs/heads/master@{#32504}

Reland of [heap] Remove live weak cells from weak cell list when finalizing incremental marking. (patchset #1 id:1 of https://codereview.chromium.org/1481383004/ )

Reason for revert:
Reland after fixing the potential root cause of the canary crasher.

Original issue's description:
> Revert of [heap] Remove live weak cells from weak cell list when finalizing incremental marking. (patchset #3 id:40001 of https://codereview.chromium.org/1474303002/ )
>
> Reason for revert:
> Still investigating bad canary.
>
> Original issue's description:
> > [heap] Remove live weak cells from weak cell list when finalizing incremental marking.
> >
> > BUG=chromium:548562
> > LOG=n
> >
> > Committed: https://crrev.com/6190c608c8f3ced0f00ff53965e115b78646cecd
> > Cr-Commit-Position: refs/heads/master@{#32372}
>
> TBR=ulan@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:548562
>
> Committed: https://crrev.com/72ae472ccc51ec304a66a8730c1fedbe265c16fa
> Cr-Commit-Position: refs/heads/master@{#32459}

TBR=ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:548562

Review URL: https://codereview.chromium.org/1491743003

Cr-Commit-Position: refs/heads/master@{#32503}

Reland of [heap] Cleanup mark bit usage. (patchset #1 id:1 of https://codereview.chromium.org/1490753003/ )

Reason for revert:
Reland after fixing the potential root cause of the canary crasher.

Original issue's description:
> Revert of [heap] Cleanup mark bit usage. (patchset #1 id:1 of https://codereview.chromium.org/1474203003/ )
>
> Reason for revert:
> Still investigating bad canary.
>
> Original issue's description:
> > [heap] Cleanup mark bit usage.
> >
> > BUG=
> >
> > Committed: https://crrev.com/5874ac783ff9bc4bb4b2fda81f5077f06619f96c
> > Cr-Commit-Position: refs/heads/master@{#32362}
>
> TBR=mlippautz@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=
>
> Committed: https://crrev.com/d3faef8658598e68331208b5a1846ac1c250cb49
> Cr-Commit-Position: refs/heads/master@{#32461}

TBR=mlippautz@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1488393003

Cr-Commit-Position: refs/heads/master@{#32502}

Reland of [heap] Unify evacuating an object for new and old generation. (patchset #1 id:1 of https://codereview.chromium.org/1483963004/ )

Reason for revert:
Reland after fixing the potential root cause of the canary crasher.

Original issue's description:
> Revert of [heap] Unify evacuating an object for new and old generation. (patchset #2 id:20001 of https://codereview.chromium.org/1481873002/ )
>
> Reason for revert:
> Still investigating bad canary.
>
> Original issue's description:
> > [heap] Unify evacuating an object for new and old generation.
> >
> > BUG=chromium:524425
> > LOG=N
> >
> > Committed: https://crrev.com/afb8bcce8ba889280ed747eb218d287ddd233b4a
> > Cr-Commit-Position: refs/heads/master@{#32365}
>
> TBR=mlippautz@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:524425
>
> Committed: https://crrev.com/9c60ddc60e96da0c59e646660789c26550ad52a2
> Cr-Commit-Position: refs/heads/master@{#32460}

TBR=mlippautz@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1494533002

Cr-Commit-Position: refs/heads/master@{#32501}

Reland of [heap] Refactor evacuation for young and old gen into visitors. (patchset #1 id:1 of https://codereview.chromium.org/1483393002/ )

Reason for revert:
Reland after fixing the potential root cause of the canary crasher.

Original issue's description:
> Revert of [heap] Refactor evacuation for young and old gen into visitors. (patchset #5 id:80001 of https://codereview.chromium.org/1470253002/ )
>
> Reason for revert:
> Still investigating bad canary.
>
> Original issue's description:
> > [heap] Refactor evacuation for young and old gen into visitors.
> >
> > Create a visitor for evacuating objects for young and old generation. This is
> > the first step of preparing a task to process, both,  newspace and oldspace
> > pages in parallel.
> >
> > BUG=chromium:524425
> > LOG=N
> >
> > Committed: https://crrev.com/138d9bae5d7014e0d205634a49b5eac3697744c8
> > Cr-Commit-Position: refs/heads/master@{#32349}
>
> TBR=mlippautz@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:524425
>
> Committed: https://crrev.com/aa24a3135ec308e1f84bce334844caf0cae2437a
> Cr-Commit-Position: refs/heads/master@{#32462}

TBR=mlippautz@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1493523003

Cr-Commit-Position: refs/heads/master@{#32500}

MIPS R6 introduced new behavior for handling of NaN values
for TRUNC, FLOOR, CEIL and CVT instructions. Adding support for
the new behavior in MIPS and MIPS64 simulators. Fixing tests
for MIPS and MIPS64 to align them with the new behavior.

BUG=

Review URL: https://codereview.chromium.org/1488613007

Cr-Commit-Position: refs/heads/master@{#32499}

This is the first part of escape analysis for turbofan.
At the moment, there is no deopt support, and support
for loops is partial (only binary Phis are handled).

The CL includes 4 unittests.

There are also 8 new mjsunit tests, some of which are
skiped as they require features not yet implemented.

BUG=v8:4586
LOG=n

Review URL: https://codereview.chromium.org/1457683003

Cr-Commit-Position: refs/heads/master@{#32498}

non-constructors are not allowed to have initial maps. The optimizing compilers used to add initial maps unconditionally to functions used as right-hand-side in instanceof.

BUG=

Review URL: https://codereview.chromium.org/1490003003

Cr-Commit-Position: refs/heads/master@{#32497}

And use it to fix Object.keys() for proxies.

BUG=v8:1543
LOG=n
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1488873003

Cr-Commit-Position: refs/heads/master@{#32496}

1.  Let X be the aborted slot (slot in an evacuated object in an aborted page)
2.  Assume X contains pointer to Y and Y is in the new space, so X is in the
    store buffer.
3.  Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4.  The current mark-sweep finishes. The slot X is in free space and is also in
    the store buffer.
5.  A string of length 9 "abcdefghi" is allocated in the new space. The string
    looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
    previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
    object before.
6.  Scavenge happens.
7.  Slot X is still in free space and in store buffer. [It causes scavenge of
    the object Y in
    store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
    it is not important].
8.  Our string is promoted and is allocated over the slot X, such that NNNNNNNi
    is written in X.
9.  The scavenge finishes.
9.  Another scavenge starts.
10. We crash in
    store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
    processing slot X, because it doesn't point to valid map.

BUG=chromium:524425,chromium:564498
LOG=N
R=hpayer@chromium.org, ulan@chromium.org

Review URL: https://codereview.chromium.org/1493653002

Cr-Commit-Position: refs/heads/master@{#32495}

R=bmeurer@chromium.org
BUG=v8:4581
LOG=N

Review URL: https://codereview.chromium.org/1495473002

Cr-Commit-Position: refs/heads/master@{#32494}

BUG=chromium:500934
LOG=N
TBR=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1486343003

Cr-Commit-Position: refs/heads/master@{#32493}

  port 74434403 (r32261)

  original commit message:
  I implemented the optional Float32RoundDown operator on x64, ia32, arm,
  and arm64.

  For arm I also had to adjust the simulator.

BUG=

Review URL: https://codereview.chromium.org/1490113003

Cr-Commit-Position: refs/heads/master@{#32492}