This adds a new NumberToUint8Clamped simplified operator that does the
round ties to even + clamping necessary to store to Uint8ClampedArrays.

BUG=v8:4470,v8:5267,v8:5615
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2489563004
Cr-Commit-Position: refs/heads/master@{#40861}

The Ldr[Named/Keyed]Property bytecodes are problematic for the deoptimizer when
inlining accessors in TurboFan. Remove them and replace with a Star lookahead
in the bytecode handlers for Lda[Named/Keyed]Property.

BUG=v8:4280

Review-Url: https://codereview.chromium.org/2485383002
Cr-Commit-Position: refs/heads/master@{#40860}

This stages escape analysis by implying --turbo-escape by the --turbo
flag. It broadens the exposure of the optimization in question.

R=jarin@chromium.org
BUG=v8:4586,v8:5267

Review-Url: https://codereview.chromium.org/1992913005
Cr-Commit-Position: refs/heads/master@{#40859}

We cannot generate debug events if JS execution is disallowed since
vital debugging logic is still implemented in JS. Return early from
Debug::OnException if that is the case.

BUG=chromium:662674

Review-Url: https://codereview.chromium.org/2491443002
Cr-Commit-Position: refs/heads/master@{#40858}

This fixes a race between the sweeper and the array buffer tracker
that causes the sweeper to skip unswept pages.

The scenario:
1. Mark-compact GC adds page p to the sweeping_list_ of the sweeper.
2. GC finishes, the main thread starts executinng JS.
3. The main thread takes p->mutex to unregister an array buffer.
4. A sweeper thread removes p from the sweeping_list_ and tries to
   take p->mutex. The try fails. The sweeper drops p and continues
   to the next page.
5. During selection of evacuation candidate in the next GC we hit
   page->SweepingDone() assert.

BUG=chromium:650314

Review-Url: https://codereview.chromium.org/2484153004
Cr-Commit-Position: refs/heads/master@{#40857}

The bounds check in LoadDataSegment was off by one. I also improved the
error message, and fixed an issue where data was initialized even if
the bounds check failed.

In InstantiateModuleForTesting I allow instantiation of modules without
exports. This check was legacy code from the time where instantiation
and execution was still combined in a single function.

R=titzer@chromium.org, rossberg@chromium.org
TEST=cctest/test-run-wasm-module/InitDataAtTheUpperLimit

Review-Url: https://codereview.chromium.org/2486183002
Cr-Commit-Position: refs/heads/master@{#40856}

Another spec issue.

R=titzer@chromium.org, rossberg@chromium.org
TEST=unittests/WasmModuleVerifyTest.DataWithoutMemory

Review-Url: https://codereview.chromium.org/2486973003
Cr-Commit-Position: refs/heads/master@{#40855}

The problem is that writes to nested objects do not lead to a copy of a referencing VirtualObject, and that each VirtualObjects maintains a cache of an ObjectState node. Together, this leads to inappropriate reuse of ObjectState nodes.
This fix simply always copies all virtual objects when a new VirtualState is created. This is clearly not optimal to avoid clones, but determining precisely which virtual objects are affected by a write is a transitive closure computation on the virtual objects of a virtual state. Alternatively, one could change the semantics of the node cache.

BUG=v8:5611

Review-Url: https://codereview.chromium.org/2488713002
Cr-Commit-Position: refs/heads/master@{#40854}

The distinction didn't provide any benefits.

BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2492433002
Cr-Commit-Position: refs/heads/master@{#40853}

The spec defines that indirect calls in WebAssembly code should cause a
validation error if no function table exists.

The CL contains the following changes:
1) Throw a validation error for indirect calls if the function table
   not exist.
2) Do not create TF nodes to throw a runtime error for indirect calls
   if the function table does not exist.
3) Fix existing unit tests by creating a dummy function table.
4) Add new a new test which tests that indirect calls without function
   table cause a validation error.

R=rossberg@chromium.org
CC=titzer@chromium.org

TEST=unittests/AstDecoderTest.IndirectCallsWithoutTableCrash

Review-Url: https://codereview.chromium.org/2484623002
Cr-Commit-Position: refs/heads/master@{#40852}

If an exception is thrown when there is a Promise being created, the Promise
catch prediction code would call into a part implemented in JavaScript to see if
the Promise has a catch handler. If it is not possible to call back into JS,
e.g., due to a stack overflow, then this would lead to a crash. This patch
"speculates" that, if it's impossible to call back into JavaScript, then the
error is unhandled, avoding the issue. In a future patch, the catch prediction
logic should be entirely written in C++, but this patch adds a minimal fix to
be more friendly to backports.

BUG=chromium:662935
R=jgruber

Review-Url: https://codereview.chromium.org/2487833002
Cr-Commit-Position: refs/heads/master@{#40851}

We recently allowed global constants in asm.js validated code.
When used in a return statement, these need to be of an allowed type.

BUG=660813
R=jpp@chromium.org,aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2481103002
Cr-Commit-Position: refs/heads/master@{#40850}

R=bradnelson@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2465103002
Cr-Commit-Position: refs/heads/master@{#40849}

Don't rely on carry flags you didn't set yourself.

BUG=chromium:663402

Review-Url: https://codereview.chromium.org/2484283002
Cr-Commit-Position: refs/heads/master@{#40848}

Review-Url: https://codereview.chromium.org/2484963002
Cr-Commit-Position: refs/heads/master@{#40847}

BUG=chromium:662418

Review-Url: https://codereview.chromium.org/2473223004
Cr-Commit-Position: refs/heads/master@{#40846}

It looks like waiting for 4 ticks before optimizing from interpreted
code is hurting performance in sunspider after turning on Ignition
for all TurboFan code. Set it back to 2 ticks.

BUG=chromium:661556

Review-Url: https://codereview.chromium.org/2488703002
Cr-Commit-Position: refs/heads/master@{#40845}

We handle this case specially because otherwise we would have to do
complicated overflow detection.

R=titzer@chromium.org
TEST=cctest/test-run-wasm/RunWasmCompiled_LoadMaxUint32Offset

Review-Url: https://codereview.chromium.org/2490533003
Cr-Commit-Position: refs/heads/master@{#40844}

Seems unused.

Review-Url: https://codereview.chromium.org/2483103002
Cr-Commit-Position: refs/heads/master@{#40843}

Workes by accident when using the JSObject descriptor as it also implements
strong semantics.

BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2485163003
Cr-Commit-Position: refs/heads/master@{#40842}

WeakCells are never allocated in new space.

BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2476323003
Cr-Commit-Position: refs/heads/master@{#40841}

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2487673002
Cr-Commit-Position: refs/heads/master@{#40840}

BUG=v8:5561

Review-Url: https://codereview.chromium.org/2479373006
Cr-Commit-Position: refs/heads/master@{#40839}

R=titzer@chromium.org, rossberg@chromium.org
TEST=unittests/WasmModuleVerifyTest.ExportMutableGlobal

Review-Url: https://codereview.chromium.org/2481263003
Cr-Commit-Position: refs/heads/master@{#40838}

Taken from http://kpdecker.github.io/six-speed/

Review-Url: https://codereview.chromium.org/2467483002
Cr-Commit-Position: refs/heads/master@{#40837}

With this CL, we set the is_source_positions_enabled flag on CompilationInfo when
- a command line flag is enabled that requires Turbofan to preserve source position
  information (e.g. --trace-deopt), and
- when profiling is enabled.

This also removes the --turbo-source-positions flag.

The goal is to eventually only track source position information when needed.

R=mstarzinger@chromium.org
BUG=v8:5439

Review-Url: https://codereview.chromium.org/2484163003
Cr-Commit-Position: refs/heads/master@{#40836}

The set of operands are really small, so STL set performs really poorly.

In Octane/TypeScript, I see move optimization going from >300ms to <100ms.

Review-Url: https://codereview.chromium.org/2481853002
Cr-Commit-Position: refs/heads/master@{#40835}

This adds clearStepping plus the family of
{set,clear}BreakOn{,Uncaught}Exception functions.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2482903002
Cr-Commit-Position: refs/heads/master@{#40834}

This is an experiment to check whether the heuristics is still useful.

BUG=

Review-Url: https://codereview.chromium.org/2482163002
Cr-Commit-Position: refs/heads/master@{#40833}

This adds a new TypedObjectState operator, which is a version of
ObjectState that carries along MachineTypes for the inputs, so we
can tell the deoptimizer how to interpret the inputs, instead of
having to force everything to Tagged.

Drive-by-fix: Remove the unused id parameter from ObjectState.

R=tebbi@chromium.org
BUG=v8:5609

Review-Url: https://codereview.chromium.org/2488623002
Cr-Commit-Position: refs/heads/master@{#40832}

This fixes another spec tests.

R=rossberg@chromium.org, titzer@chromium.org
TEST=WasmModuleVerifyTest.ImportTable_mutable_global

Review-Url: https://codereview.chromium.org/2484803002
Cr-Commit-Position: refs/heads/master@{#40831}

BUG=v8:5599
R=ahaas@chromium.org

Review-Url: https://codereview.chromium.org/2483193002
Cr-Commit-Position: refs/heads/master@{#40830}

The access check is generated as a:
- Equality check of an execution-time and a compile-time native contexts
  for primitive receivers.
- Equality check of an execution-time and a compile-time native contexts
  or equality check of a respective security tokens for global proxy receivers.
- No-op for other kinds of receivers.

BUG=v8:5561

Review-Url: https://codereview.chromium.org/2482913002
Cr-Commit-Position: refs/heads/master@{#40829}

We really should deopt before the for-in index increment.

BUG=chromium:662904

Review-Url: https://codereview.chromium.org/2476423003
Cr-Commit-Position: refs/heads/master@{#40828}

R=jgruber@chromium.org, mstarzinger@chromium.org
BUG=v8:5610

Review-Url: https://codereview.chromium.org/2482133002
Cr-Commit-Position: refs/heads/master@{#40827}

Also add a primitive mjsunit test that uses such a function optimized by
Turbofan.

R=mstarzinger@chromium.org
CC=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2472143002
Cr-Commit-Position: refs/heads/master@{#40826}

This introduces two new bytecodes LdaModuleVariable and StaModuleVariable,
replacing the corresponding runtime calls.

Support in the bytecode graph builder exists only in the form of runtime calls.

BUG=v8:1569

Review-Url: https://codereview.chromium.org/2471033004
Cr-Commit-Position: refs/heads/master@{#40825}

This moves all tests currently working with the inspector debugger wrapper to
test/debugger.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2480223002
Cr-Commit-Position: refs/heads/master@{#40824}

Review-Url: https://codereview.chromium.org/2477363002
Cr-Commit-Position: refs/heads/master@{#40823}

The memory leak is fixed by calling the GC at the end of the tests. The GC collects the WasmModuleWrapper objects, which deallocates WasmModule c++ object. For the mjsunit tests the GC is already called because of the --invoke_weak_callbacks flag.

BUG=chromium:662388

Review-Url: https://codereview.chromium.org/2476643003
Cr-Commit-Position: refs/heads/master@{#40822}