Currently when the module has memory specified in the compiled bytes, but with no initial memory
exported memory assigns a bogus buffer to the instance. When grow_memory is called on this buffer, it tries to patch an incorrect address.
 - Fix exported memory to handle no initial memory
 - Fix grow_memory to handle uninitialized buffers

BUG=chromium:710844
R=bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2820223002
Cr-Commit-Position: refs/heads/master@{#44671}

- separated V8StackTraceImpl and AsyncStackTrace,
- V8Debugger owns all AsyncStackTrace and cleanup half of them when limit is reached (first created - first cleaned),
- V8StackTraceImpl, AsyncStackTrace and async-task-related tables in V8Debugger have weak reference to other async stack traces.
- async tasks are cleared with related async stacks.

BUG=v8:6189
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2816043006
Cr-Commit-Position: refs/heads/master@{#44670}

Today, the semantics of:

WebAssembly.instantiate

and

WebAssembly.compile().then(new WebAssemblyInstance)

are subtly different, to the point where attempting the proposed
change uncovered bugs.

In the future, it's possible that .instantiate actually have different
semantics - if we pre-specialized to the provided ffi, for example.
Right now that's not the case.

This CL:
- gets our implementation closer to what developers may write using
the compile -> new Instance alternative, in particular wrt promise
creation. By reusing code paths, we uncover more bugs, and keep
maintenance cost lower.

- it gives us the response-based WebAssembly.instantiate implicitly.
Otherwise, we'd need that same implementation on the blink side. The
negative is maintenance: imagine if the bugs I mentioned could only be
found when running in Blink.

BUG=chromium:697028

Review-Url: https://codereview.chromium.org/2806073002
Cr-Original-Commit-Position: refs/heads/master@{#44592}
Committed: https://chromium.googlesource.com/v8/v8/+/7829af3275ff4644a2d0a1270abe1a1e4415e9fb
Review-Url: https://codereview.chromium.org/2806073002
Cr-Commit-Position: refs/heads/master@{#44669}

Bug=chromium:707066
R=littledan@chromium.org, adamk@chromium.org, caitp@igalia.com
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel

Change-Id: I24ce0a08816940ef4646d0f2de188d4832c823a0
Reviewed-on: https://chromium-review.googlesource.com/474990Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Josh Wolfe <jwolfe@igalia.com>
Cr-Commit-Position: refs/heads/master@{#44668}

This flag was shipped with V8 5.7 (Chrome 57).

Bug: v8:5244
Change-Id: I044edb8d7e74ea3c84bf46ec5cf81b8ff1b7a3de
Reviewed-on: https://chromium-review.googlesource.com/477975Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44667}

Bug: v8:4806
Change-Id: I612615f92c56f10a9c53237e0c5da26c527fc6f3
Reviewed-on: https://chromium-review.googlesource.com/478411Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44666}

Inspector doesn't use debugger context and this entering only slow down our async instrumentation.

BUG=v8:6189
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2816373004
Cr-Commit-Position: refs/heads/master@{#44665}

 - Add I16x8 Splat, ExtractLane, ReplaceLane, shift ops, Some BinOps and compare ops
 - Add pshufhw, pshuflw in the assembler, disassembler
 - Fix incorrect modrm for pextrw, this bug disregards the register allocated and always makes pextrw use rax.
 - Fix pextrw disasm to take the 0 - 7 bits of the immediate instead of 0 - 3.
 - Pextrw, pinsrw are in the assembler use 128 bit encodings, pextrw, pinsrw in the disassembler use legacy encodings, fix inconsistencies causing weird code gen when --print-code is used.

Review-Url: https://codereview.chromium.org/2767983002
Cr-Commit-Position: refs/heads/master@{#44664}

BUG=None
TEST=None
R=mtrofin@chromium.org
LOG=N

Review-Url: https://codereview.chromium.org/2824793002
Cr-Commit-Position: refs/heads/master@{#44663}

R=bradnelson@chromium.org, mtrofin@chromium.org

Review-Url: https://codereview.chromium.org/2823953002
Cr-Commit-Position: refs/heads/master@{#44662}

NOTRY=true
TBR=hablich@chromium.org

Change-Id: I36418c2d0198c52a52ba3426a2792b2f52c29d67
Reviewed-on: https://chromium-review.googlesource.com/479411Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44661}

This reverts commit 8faf3d6f.

Reason: blocks roll https://codereview.chromium.org/2820753003/

TBR=martyn.capewell@arm.com,jarin@chromium.org,bmeurer@chromium.org,machenbach@chromium.org

NOTRY=true

Review-Url: https://codereview.chromium.org/2819093002
Cr-Commit-Position: refs/heads/master@{#44660}

Also simplify usage of Object.prototype methods in JS natives: now
that they're added in bootstrapper, no need to import them.

Change-Id: I0db53dd5acaed3aa0a5b46f730b31baa376e282d
Reviewed-on: https://chromium-review.googlesource.com/478574
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44659}

Change-Id: I9973858f2596a9bc4d66afbb26612189fbded7f3
Reviewed-on: https://chromium-review.googlesource.com/478413Reviewed-by: Caitlin Potter <caitp@igalia.com>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44658}

- creating JSArray and further setter and getter calls are slower then on fixed array.

BUG=v8:6189
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2813773002
Cr-Commit-Position: refs/heads/master@{#44657}

If the current context is overwritten by doing Realm.navigate(0) we
fail to delete the module embedder data from the correct current
context, because we have an handle to the old context which was
already cleaned up by calling DisposeRealm in RealmNavigate.

This patch disallows navigation to the first realm.

Bug: chromium:711165
Change-Id: I6b9d3187367dae9d1fe38c0efa361d461c94c917
Reviewed-on: https://chromium-review.googlesource.com/476970Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44656}

Enabling on trunk after having landed change to add flag and disable for
branch.

BUG=None
R=mtrofin@chromium.org,ahaas@chromium.org
LOG=N

Review-Url: https://codereview.chromium.org/2813213004
Cr-Commit-Position: refs/heads/master@{#44655}

TBR=martyn.capewell@arm.com
NOTRY=true

Review-Url: https://codereview.chromium.org/2818563005
Cr-Commit-Position: refs/heads/master@{#44654}

Adding a flag to explicitly enable/disable async compile.
Will cherrypick this to M59.
Separately will land a change to re-enable this by default.

BUG=v8:6264
R=mtrofin@chromium.org,ahaas@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2820553003
Cr-Commit-Position: refs/heads/master@{#44653}

This reverts commit cc047635.
The CL was reverted due to a missing DEPS mirror.

Original issue's description:
> ARM64: Add NEON support
>
> Add assembler, disassembler and simulator support for NEON in the ARM64 backend.
>
> BUG=
>
> Review-Url: https://codereview.chromium.org/2622643005
> Cr-Commit-Position: refs/heads/master@{#44306}

BUG=

Review-Url: https://codereview.chromium.org/2812573003
Cr-Commit-Position: refs/heads/master@{#44652}

TBR=ishell@chromium.org
NOTRY=true

Review-Url: https://codereview.chromium.org/2818773002
Cr-Commit-Position: refs/heads/master@{#44651}

Taking the slow runtime path for every non-internalized string key
can be avoided by doing optimistic string table lookups: if there
is a matching entry, use that; if there isn't, then no existing
object has a property with that name.
The hashing/internalizing logic is in C++ and called directly.

Review-Url: https://codereview.chromium.org/2811333002
Cr-Commit-Position: refs/heads/master@{#44650}

https://github.com/tc39/proposal-async-iteration/commit/e3246ad69cc6f83b34bdd3451c3c6abce37fd1f3
removed some redundancies in yield and yield*.

In particular:
- AsyncGeneratorRawYield becomes unnecessary, and is deleted in this CL
- Parser::RewriteYieldStar() is updated to perform the IteratorValue() algorithm as appropriate

BUG=v8:6187, v8:5855
R=rmcilroy@chromium.org, adamk@chromium.org, littledan@chromium.org, vogelheim@chromium.org

Change-Id: I05e8429b9cbd4531c330ee53a05656b90162064c
Reviewed-on: https://chromium-review.googlesource.com/471806Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#44649}

R=tebbi@chromium.org

Change-Id: I28cdf18616e16a681e2cab3f36263f3c09953b8b
Reviewed-on: https://chromium-review.googlesource.com/476612
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44648}

Currently we count optimizations to decide to disable optimization, and
count deopts to detect this decision and allow re-enabling optimizations
after a while.

However, throwing out TurboFan OSR code and GC optimized code evictions
do not count as deopts, which means that the optimization count
increases without increasing the deopt count. This increased optimization
count disables further optimization -- which is bad, because these are
not "true" deopts -- and can stop the optimization from being re-enabled,
because the deopt count can't go high enough.

Instead, we now only ever look at deopts to disable/re-enable
optimization, and opt counts are only used for naming log files and in
tests.

Change-Id: I0c7d6be497545449a38cf952cd2f007ee51982ba
Reviewed-on: https://chromium-review.googlesource.com/468811
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44647}

This option doesn't work for ARM any more.

BUG=

Review-Url: https://codereview.chromium.org/2816703002
Cr-Commit-Position: refs/heads/master@{#44646}

If the new.target passed to the Array constructor cannot be a Proxy,
then we know that the Array constructor cannot trigger any observable
side-effects.

R=jarin@chromium.org
BUG=v8:6262

Review-Url: https://codereview.chromium.org/2821453002
Cr-Commit-Position: refs/heads/master@{#44645}

The JSArgumentsObject::length representation is initially Smi, so we can
record that on the initial map and use it to optimize the accesses in
TurboFan based on that. Similar for JSSloppyArgumentsObject::caller.

BUG=v8:6262
R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2810333004
Cr-Commit-Position: refs/heads/master@{#44644}

R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2812603002
Cr-Commit-Position: refs/heads/master@{#44643}

TBR=machenbach@chromium.org,vogelheim@chromium.org
NOTRY=true

Review-Url: https://codereview.chromium.org/2814993006 .
Cr-Commit-Position: refs/heads/master@{#44642}

This is requested for Node.js N-API. Tests to be added.

Review-Url: https://codereview.chromium.org/2812613002
Cr-Commit-Position: refs/heads/master@{#44641}

Previously, we would only consider it if it pointed to a full-code JS function.
Thus we could miss both optimized functions and bytecode handlers if they
called frame-less code.

Review-Url: https://codereview.chromium.org/2822433002
Cr-Commit-Position: refs/heads/master@{#44640}

This fixes the validation of "|0" annotations of call sites that are
used to indicate a "signed" return type of functions. We use lookahead
during call validation and request deferred validation as part of the
actual OR-expression. Special care has to be taken to get precedence
levels of all involved operators right.

R=clemensh@chromium.org
TEST=mjsunit/asm/call-annotation
BUG=v8:6183

Change-Id: If0586f669e7cee26a13425b0fd9f41098e852d68
Reviewed-on: https://chromium-review.googlesource.com/475871
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44639}

The condition only applies in unicode mode, where any lone surrogates
are desugared into a character class (and will not be considered in this
optimization). Non-unicode mode treats lone surrogates exactly like
any other codepoint.

BUG=chromium:711092

Review-Url: https://codereview.chromium.org/2808403006
Cr-Commit-Position: refs/heads/master@{#44638}

In eval scripts, the source code position can be 0 rather
than greater than 0.

Add regression test.

Drive-by fix: unrelated typo.

Bug: 707223
Change-Id: If52c0736daac3ad42ac6d324eb8ec5f1798f6f5a
Reviewed-on: https://chromium-review.googlesource.com/476630Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44637}

This issue was fixed in VisitWord64And in 2f8ad11f. Port the fix to
VisitWord32And.

BUG=

Review-Url: https://codereview.chromium.org/2815853002
Cr-Commit-Position: refs/heads/master@{#44636}

Bug: chromium:710428,v8:6248
Change-Id: I70430d5a200199563bf5468a6cc80614307f63e6
Reviewed-on: https://chromium-review.googlesource.com/474847Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44635}

When optimizing calls to get Object.prototype.__proto__ in
JSCallReducer, we can also consume unreliable receiver map
information, as long as the receiver maps are stable. In
that case we also need to install proper stability dependencies.

BUG=chromium:711195,v8:5267,v8:6241
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2816993002
Cr-Commit-Position: refs/heads/master@{#44634}

This CL implements the proposed change to show information about
WebAssembly values and call frames via the inspector interface.
Each interpreted WebAssembly frame will have two scopes: A global scope
showing information about the memory (to be extended for globals), and
a local scope showing information about parameters, local variables, and
stack values.
Names of local variables will be added later.

R=ahaas@chromium.org, yangguo@chromium.org
BUG=v8:6245,v8:5822

Change-Id: I0a35fddd0a353933c86adf62083233b08098a2c7
Reviewed-on: https://chromium-review.googlesource.com/474865
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44633}

This fixes the existing lowering of {JSGetSuperConstructor} nodes to
unconditional throws. The above operator is marked as {kNoWrite} but
runtime calls are not marked as such. Any deoptimizing operation after
the throw would not be able to find a valid {Checkpoint}. We remove the
lowering case in question.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-6248
BUG=v8:6248

Change-Id: I22c922947336254502f698b02f944cf35dd8688a
Reviewed-on: https://chromium-review.googlesource.com/476570Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44632}