In a fuzzer testcase I found locally the ast-decoder spent a lot of time
in the decoding of kExprBrTable after the decoder already found an
error. I did not add a test because the fuzzer test case did not
actually crash. It only run out of memory in the chromium fuzzer.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2413863003
Cr-Commit-Position: refs/heads/master@{#40254}

This moves the implementation of @@replace from regexp.js to builtins-regexp.cc
(the TurboFan fast path) and runtime-regexp.cc (slow path). The fast path
handles all cases in which the regexp itself is an unmodified JSRegExp
instance, the given 'replace' argument is not callable and does not contain any
'$' characters (i.e. we are doing a string replacement).

BUG=v8:5339

Review-Url: https://codereview.chromium.org/2398423002
Cr-Commit-Position: refs/heads/master@{#40253}

BUG=

Review-Url: https://codereview.chromium.org/2412493008
Cr-Commit-Position: refs/heads/master@{#40252}

Stack checks in loops allows to interrupt loops.

BUG=cctest/test-run-wasm-module/TestInterruptLoop
R=titzer@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2405293002
Cr-Commit-Position: refs/heads/master@{#40251}

BUG=chromium:652721

Review-Url: https://codereview.chromium.org/2406363002
Cr-Commit-Position: refs/heads/master@{#40250}

This fixes the code-path in RegExpExec in which both the passed exec
argument and regexp.exec are not callable and regexp is a JSRegExp.

In this case, we fall back to the default RegExp.prototype.exec
implementation. The arguments for Execution::call were incorrect.

BUG=v8:5339

Review-Url: https://codereview.chromium.org/2415073002
Cr-Commit-Position: refs/heads/master@{#40249}

I don't see a reason why we can't benefit from preparsing such functions. We don't necessarily compile them, so fully parsing them when unnecessary is just additional overhead.

BUG=v8:5501

Review-Url: https://codereview.chromium.org/2413213002
Cr-Commit-Position: refs/heads/master@{#40248}

BUG=v8:5501,chromium:655122

Review-Url: https://codereview.chromium.org/2419663005
Cr-Commit-Position: refs/heads/master@{#40247}

BUG=chromium:654377
TEST=mjsunit/regress/wasm/regression-654377
R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2403013002
Cr-Commit-Position: refs/heads/master@{#40246}

BUG=

Review-Url: https://codereview.chromium.org/2402313003
Cr-Commit-Position: refs/heads/master@{#40245}

  port c15c5827 (r40206)

  original commit message:
  This is the next step to unify the Call/Construct feedback collection
  and prepare it to be able to collect SharedFunctionInfo feedback. This
  also reduces the CallICStub overhead quite a bit since we only need one
  stub per mode (and tail call mode), not also one per call arity.

BUG=

Review-Url: https://codereview.chromium.org/2409953005
Cr-Commit-Position: refs/heads/master@{#40244}

R=jgruber@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2407153003
Cr-Commit-Position: refs/heads/master@{#40243}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/dd41141..f9e6643

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapul/+log/daccdeb..5b5774b

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clan/+log/3d97083..6551b7f

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2413533004
Cr-Commit-Position: refs/heads/master@{#40242}

Review-Url: https://codereview.chromium.org/2419713002
Cr-Commit-Position: refs/heads/master@{#40241}

This is a much more descriptive name.

BUG=v8:5343
TBR=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2412263002
Cr-Commit-Position: refs/heads/master@{#40240}

This patch results in a 11% improvement over 5 runs in the
bluebird benchmark.

BUG=v8:5343,v8:5046
TBR=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2406343002
Cr-Commit-Position: refs/heads/master@{#40239}

This incorporates recent feedback:
- simpler deserialization API by dropping the std::unique_ptr.
The only purpose there was communicating to the caller that they
own the buffer, and that the deserializer won't delete it. The new
design communicates that through a naming choice.
- renamed *UncompiledBytes to *WasmWireBytes

BUG=

Review-Url: https://codereview.chromium.org/2411263004
Cr-Commit-Position: refs/heads/master@{#40238}

Review-Url: https://codereview.chromium.org/2404663002
Cr-Commit-Position: refs/heads/master@{#40237}

Review-Url: https://codereview.chromium.org/2405173005
Cr-Commit-Position: refs/heads/master@{#40236}

BUG=428099

Review-Url: https://codereview.chromium.org/2404283002
Cr-Commit-Position: refs/heads/master@{#40235}

The over allocated memory of fixed array type didn't equal to the sum of all
fixed array sub types previously, this patch adds over allocated memory of fixed
array sub types to fixed array type when we record fixed array sub type stats.

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2410083003
Cr-Commit-Position: refs/heads/master@{#40234}

By defining functions with namespace prefix, the compiler checks that
they were previously declared, and checks that the signature matches.
I stumbled across this several times when changing the interface of a
function in the header.
With this change you get a compile error right away instead of a linker
error in the very end.

This change also revealed two functions which could be placed in an
anonymous namespace, saving 5.5kB program size in Debug build, 2.3kB in
Optdebug and 0.3kB in Release. It's also opening more options for
compiler optimizations, as the functions now have internal linkage.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2415603002
Cr-Commit-Position: refs/heads/master@{#40233}

The state sampling was implemented in chrome, we had an interface for it
V8 but it was not implemented yet.
The chrome version version has been removed in
https://codereview.chromium.org/2406703002/
Therefore following up with its removal in V8 as well.

This CL can land independent of the Chromium related CL.

R=primiano@chromium.org,alph@chromium.org

Review-Url: https://codereview.chromium.org/2410523002
Cr-Commit-Position: refs/heads/master@{#40232}

BUG=v8:5501

Review-Url: https://codereview.chromium.org/2410413003
Cr-Commit-Position: refs/heads/master@{#40231}

Imported and defined globals share an index space, but previously the decoder clobbered the imported global indices with the defined globals.

BUG=none

Review-Url: https://codereview.chromium.org/2410953003
Cr-Commit-Position: refs/heads/master@{#40230}

This CL is in preparation for the upcoming port of
RegExp.prototype.replace, which will need use these methods in
runtime-regexp.cc. Moving them in advance makes that diff less noisy.

BUG=v8:5339

Review-Url: https://codereview.chromium.org/2398413002
Cr-Commit-Position: refs/heads/master@{#40229}

Port c15c5827

Original commit message:

    This is the next step to unify the Call/Construct feedback collection
    and prepare it to be able to collect SharedFunctionInfo feedback. This
    also reduces the CallICStub overhead quite a bit since we only need one
    stub per mode (and tail call mode), not also one per call arity.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2415583002
Cr-Commit-Position: refs/heads/master@{#40228}

BUG=v8:5501

Review-Url: https://codereview.chromium.org/2413673002
Cr-Commit-Position: refs/heads/master@{#40227}

Unittests for protocol parser are located in core/inspector in blink and separate test runner for inspector tests was added.

BUG=chromium:635948
R=dgozman@chromium.org,yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2376173002
Cr-Commit-Position: refs/heads/master@{#40226}

This location is used at least in Chromium.

BUG=chromium:635948
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2405303002
Cr-Commit-Position: refs/heads/master@{#40225}

R=clemensh@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2415533003
Cr-Commit-Position: refs/heads/master@{#40224}

... because the latter automatically respects the desired calling convention.

BUG=v8:5408

Review-Url: https://codereview.chromium.org/2391043005
Cr-Commit-Position: refs/heads/master@{#40223}

Thus the parameter indices defined in respective CallInterfaceDescriptor can
be used for querying parameters.

BUG=

Review-Url: https://codereview.chromium.org/2389133007
Cr-Commit-Position: refs/heads/master@{#40222}

BUG=chromium:648568

Review-Url: https://codereview.chromium.org/2403423007
Cr-Commit-Position: refs/heads/master@{#40221}

Review-Url: https://codereview.chromium.org/2412613004
Cr-Commit-Position: refs/heads/master@{#40220}

Review-Url: https://codereview.chromium.org/2411793004
Cr-Commit-Position: refs/heads/master@{#40219}

The race can happen if:
1) Fixed array A is right before object B in new space
2) A slot in object C located in old space points to object B (old to new remembered set entry is created)
3) Object C becomes unreachable which held the only reference to object B which also becomes unreachable
4) Fixed array A gets right trimmed
5) The sweeper will sweep the last word of object A and object B. It will write the free space map into the last word of object A and a size field in the first word of object B.
6) Pointer updating may observe the size field now because the recored slot points to the start of object B and will confuse it with a forwarding pointer.

Note a similar race may happen with left trimming. Array A points to its backing store, the backing store gets left trimmed by 1 element, and array A dies.
BUG=

Review-Url: https://codereview.chromium.org/2416563002
Cr-Commit-Position: refs/heads/master@{#40218}

This should restore the codeload regression when FLAG_lazy_inner_functions is turned off

BUG=v8:5501

Review-Url: https://codereview.chromium.org/2412483005
Cr-Commit-Position: refs/heads/master@{#40217}

[stubs] Drop StoreICStub and StoreICTrampolineStub (the non-TurboFan implementations of StoreIC dispatchers).

Because of the planned improvements of IC system it does not make sense to
keep the old platform version of the stub around.

Review-Url: https://codereview.chromium.org/2413653003
Cr-Commit-Position: refs/heads/master@{#40216}

If we're parsing a script or based on a SharedFunctionInfo marked as toplevel, we can implicitly set it. Only manually set in the background parsing task where we manually set up ParseInfo.

BUG=v8:5501

Review-Url: https://codereview.chromium.org/2405263003
Cr-Commit-Position: refs/heads/master@{#40215}