In the JSCallReducer we'd inline certain builtins like the Array
constructor or Function builtins across native contexts, which at
this point should be mostly safe, but might lead to cross context
leaks in the future (as it's not obvious that the JSCallReducer)
doesn't maintain this invariant. So better safe than sorry.

R=yangguo@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2651133002
Cr-Commit-Position: refs/heads/master@{#42643}

  port f9367847 (r42632)

  original commit message:
  We can share almost all of the architecture-specific builtin code with super-call-with-spread.

  Info to port-writers: The code in CheckSpreadAndPushToStack has changed slightly from what was in Generate_ConstructWithSpread,
  in that we take the length of the spreaded parameters from the JSArray rather than the FixedArray backing store.

BUG=

Review-Url: https://codereview.chromium.org/2652153002
Cr-Commit-Position: refs/heads/master@{#42642}

  port d287c819 (r42620)

  original commit message:
  [RELAND with one change: until literal arrays are rooted in the outer
  feedback vector (coming in the next days), the runtime-scope.cc change
  is held off.]

  When a function is declared in global scope, the closure is created
  by the DeclareGlobals runtime service. It needs a pointer to the
  literals array, already allocated in the feedback vector. This
  fixes a bug where it's behavior wasn't in sync with CreateClosure,
  which accepts the literals from the vector.

  This enables a follow-on performance improvement in the CompileLazy
  builtin.

BUG=

Review-Url: https://codereview.chromium.org/2653893002
Cr-Commit-Position: refs/heads/master@{#42641}

Array.prototype.concat does not properly handle JSProxy species that will
modify the currently visited array.

BUG=682194

Review-Url: https://codereview.chromium.org/2655623004
Cr-Commit-Position: refs/heads/master@{#42640}

We're converting the build_overrides system to the new default_args list of
overrides that can be listed in the toplevel .gn file. This will allow args to
be set on a per-repo basis.

This change conditionally adds the variables currently defined in
build_overrides/v8.gni to build args. This allows V8's build to be used in both
the new and old systems. Once all Chrome and pdfium have been updated, v8's
build overrides and the conditional checks around the new args can be removed.

BUG=684096

Review-Url: https://codereview.chromium.org/2654663003
Cr-Commit-Position: refs/heads/master@{#42639}

Since JumpLoop is always backwards, and other jumps are always forwards,
we can store the jump offset as an always positive integer and decide on
the jump direction based on the bytecode. This will save a small amount
of space for large-ish for loops (>128 bytecodes).

Review-Url: https://codereview.chromium.org/2641443002
Cr-Commit-Position: refs/heads/master@{#42638}

The property backing store size depends on the number of
index keys. Pass index keys to the factory function instead
calculating the size outside.

R=verwaest@chromium.org

BUG=v8:5625

Review-Url: https://codereview.chromium.org/2651533002
Cr-Commit-Position: refs/heads/master@{#42637}

BUG=v8:5885

Review-Url: https://codereview.chromium.org/2649163004
Cr-Commit-Position: refs/heads/master@{#42636}

BUG=v8:5549

Review-Url: https://codereview.chromium.org/2653643004
Cr-Commit-Position: refs/heads/master@{#42635}

R=ahaas@chromium.org,rossberg@chromium.org
BUG=chromium:575167

Review-Url: https://codereview.chromium.org/2626263004
Cr-Commit-Position: refs/heads/master@{#42634}

Speculative reason for issue 684481.

BUG=chromium:684481
TBR=marja@chromium.org,mstarzinger@chromium.org,ahaas@chromium.org,verwaest@chromium.org,

Original issue's description:
> [Parse] ParseInfo owns the parsing Zone.
>
> Moves ownership of the parsing Zone to ParseInfo with a shared_ptr. This is
> in preperation for enabling background compilation jobs for inner functions
> share the AST in the outer-function's parse zone memory (read-only), with the
> and zone being released when all compilation jobs have completed.
>
> BUG=v8:5203, v8:5215
> Review-Url: https://codereview.chromium.org/2632123006
> Cr-Commit-Position: refs/heads/master@{#42562}
> Committed: https://chromium.googlesource.com/v8/v8/+/4b0101d369af121a6daf5e5c731cb939c026d526

Review-Url: https://codereview.chromium.org/2648383005
Cr-Commit-Position: refs/heads/master@{#42633}

We can share almost all of the architecture-specific builtin code with super-call-with-spread.

Info to port-writers: The code in CheckSpreadAndPushToStack has changed slightly from what was in Generate_ConstructWithSpread, in that we take the length of the spreaded parameters from the JSArray rather than the FixedArray backing store.

BUG=v8:5511

Review-Url: https://codereview.chromium.org/2649143002
Cr-Commit-Position: refs/heads/master@{#42632}

Using a Handle<Foo> as a member doesn't require including foo.h

R=mstarzinger@chromium.org
BUG=v8:5402

Review-Url: https://codereview.chromium.org/2650973003
Cr-Commit-Position: refs/heads/master@{#42631}

R=mstarzinger@chromium.org, bmeurer@chromium.org

BUG=chromium:669242

Review-Url: https://codereview.chromium.org/2645273003
Cr-Commit-Position: refs/heads/master@{#42630}

R=ahaas@chromium.org
BUG=v8:5882

Review-Url: https://codereview.chromium.org/2657463003
Cr-Commit-Position: refs/heads/master@{#42629}

BUG=chromium:679724

Review-Url: https://codereview.chromium.org/2627033002
Cr-Commit-Position: refs/heads/master@{#42628}

It was a scary function which handled all possible old-fashioned and
for-each statements at one go. Split it to multiple smaller functions
and made the top level logic clearer.

BUG=

Review-Url: https://codereview.chromium.org/2645353002
Cr-Commit-Position: refs/heads/master@{#42627}

This disables optimizations when using typed float arrays in
correctness fuzzer test cases. Otherwise, different NaN patterns
in float typed arrays might lead to different observations when
using the buffer in an int array view.

BUG=chromium:683579
NOTRY=true
TBR=Jarin, mvstanton, Igor Sheludko

Review-Url: https://codereview.chromium.org/2649923008
Cr-Commit-Position: refs/heads/master@{#42626}

The "sloppy eval in default param" cases will be useful for the future
tests which assert that parser and preparser produce the same scopes.

BUG=v8:5501, v8:5516

Review-Url: https://codereview.chromium.org/2644333002
Cr-Commit-Position: refs/heads/master@{#42625}

Implement stepping by remembering the current step action in the wasm
interpreter handle in WasmDebugInfo, and using it when continuing
execution in the interpreter.
The control flow is as follows: After module compilation, the user sets
a breakpoint in wasm. The respective function is redirected to the
interpreter and the breakpoint is set on the interpreter. When it is
hit, we notify all debug event listeners, which might prepare stepping.
When returning from these listeners, before continuing execution, we
check whether stepping was requested and continue execution in the
interpreter accordingly.

Stepping from Wasm to JS and vice versa will be implemented and tested
in a follow-up CL. Testing this requires breakpoints and stepping in
Wasm to be exposed via the inspector interface, such that we can write
an inspector test. This mixed JS-Wasm-execution is hard to set up in a
cctest.

R=titzer@chromium.org, yangguo@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2649533002
Cr-Commit-Position: refs/heads/master@{#42624}

Similar to the maximum memory size this limit caused problems for
the fuzzer due to oom issues. With the command line flag we can limit
the maximum table size for the fuzzer.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2648223004
Cr-Commit-Position: refs/heads/master@{#42623}

BUG=v8:5860
R=rossberg@chromium.org

Review-Url: https://codereview.chromium.org/2653533003
Cr-Commit-Position: refs/heads/master@{#42622}

BUG=chromium:678917

Review-Url: https://codereview.chromium.org/2653623002
Cr-Commit-Position: refs/heads/master@{#42621}

[RELAND with one change: until literal arrays are rooted in the outer
feedback vector (coming in the next days), the runtime-scope.cc change
is held off.]

When a function is declared in global scope, the closure is created
by the DeclareGlobals runtime service. It needs a pointer to the
literals array, already allocated in the feedback vector. This
fixes a bug where it's behavior wasn't in sync with CreateClosure,
which accepts the literals from the vector.

This enables a follow-on performance improvement in the CompileLazy
builtin.

BUG=680637

Review-Url: https://codereview.chromium.org/2634283003
Cr-Commit-Position: refs/heads/master@{#42620}

BUG=chromium:683494
NOTRY=true
TBR=yangguo@chromium.org, jarin@chromium.org

Review-Url: https://codereview.chromium.org/2651713005
Cr-Commit-Position: refs/heads/master@{#42619}

Chromium coding standard
(https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md#Multiple-inheritance)

In this case, a structure associating the 2 values is sufficient.

BUG=

Review-Url: https://codereview.chromium.org/2651903002
Cr-Commit-Position: refs/heads/master@{#42618}

  port 3a9152ec (r42594)

  original commit message:
  We are planning to add a few more debugger related bits, and are running
  out of compiler hints bits. The new bit field is going to be part of the
  debug info struct. If the debug info is not available, we store the bit
  field in its place on the shared function info.

BUG=

Review-Url: https://codereview.chromium.org/2649893004
Cr-Commit-Position: refs/heads/master@{#42617}

A recent change to disallow wasm compilation in contexts where
CSP unsafe-eval would disallow eval also ended up banning asm.js there:
https://codereview.chromium.org/2646713002

This ends up banning non-evaled asm.js even in some places it should be
allowed.

NOTE: Although asm.js code converted to wasm generates an intermediate wasm
module. asm.js code evaled in a disallowed context can't even get
that far (as it's stoped at the eval site).

BUG=683867
R=mtrofin@chromium.org,titzer@chromium.org,adamk@chromium.org

Review-Url: https://codereview.chromium.org/2656463004
Cr-Commit-Position: refs/heads/master@{#42616}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/0081085..dbe38ca

Rolling v8/buildtools: https://chromium.googlesource.com/chromium/buildtools/+log/cb12d6e..8e94621

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/49e3f62..e1e778d

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/fa8cd67..58fecbe

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2649983004
Cr-Commit-Position: refs/heads/master@{#42615}

V8 has internal mechanism to ignore steps and breaks inside internal scripts, in this CL it's reused for blackboxing implementation.
Advantages:
- much faster blackboxing implementation (before we at least wrap and collect current call stack for each step),
- get rid of StepFrame action and potential pause in blackboxed code after N StepFrame steps,
- simplification of debugger agent logic.
Disadvtanges:
- currently when user was paused in blackboxed code (e.g. on breakpoint) and then makes step action, debugger ignores blackboxed state of the script and allows to use step actions as usual - this behavior is regressed, we still able to support it on frontend side.

Current state and proposed changes for blackboxing: https://docs.google.com/document/d/1hnzaXPAN8_QC5ENxIgxgMNDbXLraM_OXT73rAyijTF8/edit?usp=sharing

BUG=v8:5842
R=yangguo@chromium.org,dgozman@chromium.org,alph@chromium.org

Review-Url: https://codereview.chromium.org/2633803002
Cr-Commit-Position: refs/heads/master@{#42614}

Check that number of properties < Code:kMaxArguments when object
destructuring with a rest property otherwise throw an error.

BUG=v8:5549

Review-Url: https://codereview.chromium.org/2650863002
Cr-Commit-Position: refs/heads/master@{#42613}

Also introduces FFIType separate from MachineType for express ffi
signatures.

BUG=v8:4456

Review-Url: https://codereview.chromium.org/2639163004
Cr-Commit-Position: refs/heads/master@{#42612}

Atomics.wait is a function which may block, which is not allowed on the
main thread. Since V8 doesn't know whether a particular isolate is the
"main thread", this CL adds an option to Isolate::CreateParams to choose
whether this function is allowed.

Review-Url: https://codereview.chromium.org/2642293002
Cr-Commit-Position: refs/heads/master@{#42611}

LOG=N
BUG=v8:4124

Review-Url: https://codereview.chromium.org/2629223005
Cr-Commit-Position: refs/heads/master@{#42610}

Manipulating the signaling NaN used for the hole and uninitialized double
field sentinel in C++, e.g. with bit_cast or HeapNumber::value()/set_value(),
will change its value on ia32 (the x87 stack is used to return values and
stores to the stack silently clear the signalling bit).

BUG=v8:5495

Review-Url: https://codereview.chromium.org/2652553003
Cr-Commit-Position: refs/heads/master@{#42609}

Port 3a9152ec

Original Commit Message:

    We are planning to add a few more debugger related bits, and are running
    out of compiler hints bits. The new bit field is going to be part of the
    debug info struct. If the debug info is not available, we store the bit
    field in its place on the shared function info.

R=yangguo@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2653673002
Cr-Commit-Position: refs/heads/master@{#42608}

Also fixes check for table segments to be performed against actual size not declared one.

Makes us pass memory.wast and linking.wast tests (modulo issue 5860).

R=titzer@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2649553002
Cr-Commit-Position: refs/heads/master@{#42607}

BUG=chromium:683617

Review-Url: https://codereview.chromium.org/2651553003
Cr-Commit-Position: refs/heads/master@{#42606}

BUG=chromium:683515

Review-Url: https://codereview.chromium.org/2654433003
Cr-Commit-Position: refs/heads/master@{#42605}

Revert of [wasm] Turn on trap-if by default. (patchset #1 id:1 of https://codereview.chromium.org/2647323002/ )

Reason for revert:
gc-stress failures

Original issue's description:
> [wasm] Turn on trap-if by default.
>
> This CL turns on trap-if by default, and it changes the tests so that
> traps in the cctests are also tested without trap-if.
>
> R=titzer@chromium.org, clemensh@chromium.org, bradnelson@chromium.org
>
> Review-Url: https://codereview.chromium.org/2647323002
> Cr-Commit-Position: refs/heads/master@{#42603}
> Committed: https://chromium.googlesource.com/v8/v8/+/01c87ebe70fb569205432597f3105c708bba0fef

TBR=bradnelson@chromium.org,titzer@chromium.org,ahaas@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2645403005
Cr-Commit-Position: refs/heads/master@{#42604}