Add a new permission kRead to PageAllocator::Permission and
OS::MemoryPermission and implement it in platform-*.

Not used yet, because it needs corresponding changes in chromium.

Bug: v8:7464
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I9f84251eff593536cbcc1cde04641d696c79d65c
Reviewed-on: https://chromium-review.googlesource.com/1006756Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52636}

R=machenbach@chromium.org

No-Try: true
Bug: chromium:793687
Change-Id: If4f125a0c1a2b818cdcc61200b14b73f56f65507
Reviewed-on: https://chromium-review.googlesource.com/1013523
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52635}

Consolidate nearly identical implementations and move them to
TurboAssembler, such that they can be reused for Liftoff.

R=neis@chromium.org

Bug: v8:6600
Change-Id: I197445404df033ac1a05f4aa88501263ae4b75f3
Reviewed-on: https://chromium-review.googlesource.com/1013561
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52634}

Make values which are referenced via ExternalReference constexpr, and
initialize them statically. This avoids dynamic initialization and
protects them against being overwritten from generated code.

R=neis@chromium.org

Bug: v8:7570
Change-Id: I1c6c10fbffea12dc1f5bf726313bf8388e6530a1
Reviewed-on: https://chromium-review.googlesource.com/1013518Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52633}

This doesn't change the API, it just makes it functional: the
functions were declared already, but they lacked an implementation
so far. Trying to use them in Blink detects that issue.

Bug: v8:6791
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I48902a5bba4a42f2922eafd22858d584731fc777
Reviewed-on: https://chromium-review.googlesource.com/1014668Reviewed-by: Daniel Clifford <danno@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52632}

Casting from a floating-point type to an integer type is undefined behavior
if the integral part of the float cannot be represented in the range of the
int.

Bug: v8:3770, chromium:831145
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I2e85ea8b0f09bbeeb3e0dcc1135fc747fa312f6d
Reviewed-on: https://chromium-review.googlesource.com/1011651
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52631}

Bug: chromium:831984
Change-Id: Ie13b22bc2491acc255557ba0325d8d53c22d6acb
Reviewed-on: https://chromium-review.googlesource.com/1012874Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52630}

Now that tables and stack frames properly root instances, there is no
longer any need to disallow mutations that could unroot instances
while their code is on the stack.

Bug: v8:7232
Change-Id: I907b9522ac12ad7a67fb4124774713b6b3b40bb7
Reviewed-on: https://chromium-review.googlesource.com/1007004
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52629}

This removes the support to serialize copies of {CodeStub} codes during
native module serialization. It is still possible to serialize builtins
and all code objects copied from the GC heap are builtins by now.

R=ahaas@chromium.org

Change-Id: If009a82a9d7c7080f70f344040ebb91f20b8cc1a
Reviewed-on: https://chromium-review.googlesource.com/1012081
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52628}

This will give us much better testing coverage for trap-based bounds
checks.

Note that this will not enable the trap handler by default in Chrome.
Instead, Chrome will need to explicitly enable the feature using
V8::EnableWebAssemblyTrapHandler.

Bug: v8:5277
Change-Id: I7d81f40c6f831c6fe7926375c677908952b78fa2
Reviewed-on: https://chromium-review.googlesource.com/964711Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52627}

This adds another fixed spill slot to the {WasmCompiledFrame} layout,
holding a reference to the current {WasmInstanceObject}. This slot
allows the stack walker to retrieve instances for WebAssembly frames
without having each code object be coupled to an instance. Hence it
enables sharing code across instances in the future.

R=titzer@chromium.org
BUG=v8:7424

Change-Id: I7fa095c6255754caf564edce4ee7e84dea666783
Reviewed-on: https://chromium-review.googlesource.com/1005516
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52626}

The Cvtui2ss method did overwrite the {src} register, and the given
{tmp} register. Because of this, the Turbofan code generator passed two
temporary registers.
This CL fixes this to avoid the overwrite of the {src} register (which
is now an Operand).

R=neis@chromium.org

Change-Id: I33e523ac3d7bb377899739e95058b87adefa6b65
Reviewed-on: https://chromium-review.googlesource.com/1014082
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52625}

If the new length is too large, we must throw a TypeError.

Bug: v8:7652
Change-Id: I47268c04405f7a5f5bbc971cd434f2d786af9ca1
Reviewed-on: https://chromium-review.googlesource.com/1013563Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52624}

At is used in Macro Assembler, so we need other registers to hold temporary values.

Change-Id: Iffeddba7b3319666a605eea62ecc3cd01b065ad7
Reviewed-on: https://chromium-review.googlesource.com/1013978Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Commit-Queue: Sreten Kovacevic <sreten.kovacevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#52623}

First version which can compile a very basic code.

Change-Id: I3b98412a5ca39a28f8fe5b60516b82c6981dd187
Reviewed-on: https://chromium-review.googlesource.com/993232
Commit-Queue: Vincent Belliard <vincent.belliard@arm.com>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52622}

NOTRY=true
TBR=sergiyb@chromium.org

Change-Id: I285b32a5acbc302c29ca6085ab6998dbb1609539
Reviewed-on: https://chromium-review.googlesource.com/1013568
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52621}

Name type conversions from int to float and vice versa consistently,
and move them to the TurboAssembler, such that we can reuse them for
Liftoff.

R=jarin@chromium.org

Bug: v8:6600
Change-Id: Idced658a228eeb611dd4785aa277bd758c201eea
Reviewed-on: https://chromium-review.googlesource.com/1014037Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52620}

Change-Id: I6a97005943b36c0dab70fe8f18bbfcab443c3e03
Reviewed-on: https://chromium-review.googlesource.com/1013566
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52619}

An overview of motivation behind Torque and some of its principles
can be found here: https://bit.ly/2qAI5Ep

Note that there is quite a bit of work left to do in order to get
Torque production-ready for any non-trivial amount of code, but
landing the prototype as-is will allow for much faster iteration.

Bugs will be filed for all of the big-ticket items that are not
landing blockers but called out in this patch as important to fix.

Cq-Include-Trybots: luci.v8.try:v8_linux_nosnap_rel;luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ib07af70966d5133dc57344928885478b9c6b8b73
Reviewed-on: https://chromium-review.googlesource.com/845682
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52618}

Implement i64 binops (`add`, `sub`, `mul`, `and`, `or` and `xor` on MIPS64
and `add`, `mul` and `sub` on MIPS).

Bug: v8:6600
Change-Id: I96640a6b4420789f075b1d919789a72163c954d2
Reviewed-on: https://chromium-review.googlesource.com/1010203
Commit-Queue: Sreten Kovacevic <sreten.kovacevic@mips.com>
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#52617}

The recent changes related to the Address type broke this.

R=bmeurer@chromium.org

Change-Id: I404930435e9f48750a735beed7d79108b9cc96ee
Reviewed-on: https://chromium-review.googlesource.com/1014081
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52616}

Previously Isolate and Factory relied on the undefined behavior of
reinterpret_cast to switch between the two unrelated classes (which worked
because Factory had no data members).

With Isolate inheriting from Factory, it's now possible to switch between the
two classes using c-style casts. These are allowed under the C++ standard.

The inheritance is private which allows the continuing separation of the
Factory and Isolate namespaces.

This is a defensive clean-up, since ubsan does not yet detect the previous
undefined behavior.

Bug: v8:3770
Change-Id: I0ccf09f1d34f747550812ce698ab7e182812409e
Reviewed-on: https://chromium-review.googlesource.com/1010122Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52615}

The embedder should not need to keep track of the source string.

R=jgruber@chromium.org

Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Ie27df755a22fbcae7b6e87a435419d2d8f545558
Reviewed-on: https://chromium-review.googlesource.com/1013482Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52614}

BUG=v8:7308

Change-Id: I5e9f371b1db5515b723d9a2864bf2038706e2015
Reviewed-on: https://chromium-review.googlesource.com/960032
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52613}

This adds tests for 'oddly' behaving comparison functions.
I.e. functions that cause an element kind change and/or
modify the array. The tests check that sort does not crash in these
instances.

R=jgruber@chromium.org

Bug: v8:7382
Change-Id: I4ac9aa081fda9088d1848a960dc66aba671872e5
Reviewed-on: https://chromium-review.googlesource.com/1010062
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52612}

Spec change: https://github.com/tc39/proposal-bigint/pull/138

Bug: v8:6791
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I7367273ed1e98971be3b277f6486333a96412185
Reviewed-on: https://chromium-review.googlesource.com/1004120
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52611}

Bug: v8:5988
Change-Id: I2e90ed8df6b966e04299774e50aeb2913a8c1922
Reviewed-on: https://chromium-review.googlesource.com/999603
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52610}

Per the spec change at [1], Abstract Relational Comparison between a
BigInt and a String converts the String to BigInt via StringToBigInt
before performing the comparison. Before this change, the String was
converted to a Number, and a BigInt/Number comparison was performed.

[1] https://github.com/tc39/proposal-bigint/pull/139

Bug: v8:6791
Change-Id: I40b4f4ddc78977adb0d44180eb58e0f9a8a70cb6
Reviewed-on: https://chromium-review.googlesource.com/1004117
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52609}

R=gdeepti@chromium.org

Change-Id: I3d0a21c6db671718b9f41fb8392f6900b2fecf27
Reviewed-on: https://chromium-review.googlesource.com/1013197Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52608}

Port 2459046c

Original Commit Message:

    The "Address" type is V8's general-purpose type for manipulating memory
    addresses. Per the C++ spec, pointer arithmetic and pointer comparisons
    are undefined behavior except within the same array; since we generally
    don't operate within a C++ array, our general-purpose type shouldn't be
    a pointer type.

R=jkummerow@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: Ic30ef19019e5b39b01f90587011c6a1b06c4b7a1
Reviewed-on: https://chromium-review.googlesource.com/1012461Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#52607}

Port a3b60675

Original Commit Message:

    This is mostly a simple copy & paste of the stub implementation from
    code-stubs-arch.cc to builtins-arch.cc.

    The conversion allows removal of a special case for the DoubleToIStub
    within the compiler & wasm pipelines, and also makes the following
    builtins isolate-independent (in conjunction with
    https://crrev.com/c/1006581):

    TFC BitwiseAnd
    TFC BitwiseOr
    TFC BitwiseXor
    TFC Exponentiate
    TFC ShiftLeft
    TFC ShiftRight
    TFC ShiftRightLogical
    TFJ AtomicsAdd
    TFJ AtomicsAnd
    TFJ AtomicsCompareExchange
    TFJ AtomicsExchange
    TFJ AtomicsLoad
    TFJ AtomicsOr
    TFJ AtomicsStore
    TFJ AtomicsSub
    TFJ AtomicsXor
    TFJ MathClz32
    TFJ MathImul
    TFJ MathPow
    TFJ NumberParseInt
    TFJ StringFromCharCode
    TFJ TypedArrayFrom
    TFJ TypedArrayOf
    TFJ TypedArrayPrototypeMap

R=jgruber@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: Iee9fc5671646772625556717db052b78089c5c66
Reviewed-on: https://chromium-review.googlesource.com/1013247Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#52606}

Port 87557649

Original Commit Message:

    This changes DoubleToIStub to return its result on the stack instead
    of a specific return register.

    In a follow-up, the DoubleToIStub could be converted into a builtin.

R=jgruber@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I952fec4fbe004e2734a84ba853f4f5a33c8dd8ce
Reviewed-on: https://chromium-review.googlesource.com/1013418Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#52605}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/7726657..80b7a3c

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/67d01a2..f718fb1

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/d7c36b0..5395a74

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I2981aa8a42866ecc06091a0090ea69f3d5829a5d
Reviewed-on: https://chromium-review.googlesource.com/1012820
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52604}

This is a reland of deb875f7

Original change's description:
> [inspector] added timeout argument for Runtime.evaluate
> 
> R=yangguo@chromium.org,dgozman@chromium.org
> 
> Bug: none
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
> Change-Id: I31667b3d5f39db9d899d58acd5205a9c34e570db
> Reviewed-on: https://chromium-review.googlesource.com/1005985
> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52594}

Bug: none
Change-Id: Ib8aff5d9f83e41fc6c2019712708fda074bd1ad9
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/1012724Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52603}

Bug: none
Change-Id: I156bfe9846d0890ffdf482bcc8c84da53fe1af61
TBR: jkummerow@chromium.org
NOTREECHECKS: true
NOTRY: true
Reviewed-on: https://chromium-review.googlesource.com/1013392
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52602}

The "Address" type is V8's general-purpose type for manipulating memory
addresses. Per the C++ spec, pointer arithmetic and pointer comparisons
are undefined behavior except within the same array; since we generally
don't operate within a C++ array, our general-purpose type shouldn't be
a pointer type.

Bug: v8:3770
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ib96016c24a0f18bcdba916dabd83e3f24a1b5779
Reviewed-on: https://chromium-review.googlesource.com/988657
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52601}

Change-Id: I4e32786d7c100161daf3d245d887dfe19b164394
Reviewed-on: https://chromium-review.googlesource.com/1013046Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52600}

This was missed in the original CL switching |is_posix| to false for
Fuchsia.

Bug: chromium:812974
Change-Id: I532516296c6b6ece9805c2f986c8dded00a798df
Reviewed-on: https://chromium-review.googlesource.com/1011251Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Fabrice de Gans-Riberi <fdegans@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52599}

 - Add Implementation for I64Atomic{Load, Store, Exchange,
CompareExchange} for supported MemTypes/Representations
 - Refactoring to simplify instruction selection
 - Enable tests for ARM64

Bug: v8:6532
Change-Id: I4c4a65fd3bbdc6955eda29d7e08d6eef29c55628
Reviewed-on: https://chromium-review.googlesource.com/1003225Reviewed-by: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52598}

This allows an embedder to check if a Value is a module namespace object.

Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Idffceff451dd5f5c6a53d4cb3ce02c1c2c5b653c
Reviewed-on: https://chromium-review.googlesource.com/1011762Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52597}