One of the top runtime calls in many workloads is Runtime_Call. Add an
intrinsic for the interpreter to inline this runtime call.

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/2019433003
Cr-Commit-Position: refs/heads/master@{#36565}

Port 91c88644

Original commit message:

    We get less "pollution" of type feedback if we have one vector per native
    context, rather than one for the whole system. This CL moves the vector
    appropriately.

R=mvstanton@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/2011183005
Cr-Commit-Position: refs/heads/master@{#36564}

The busted logic caused us to go down the SCRIPT path internally,
causing us to fail the test262 tests that attempt to induce parse
errors at the top level.

R=littledan@chromium.org
BUG=v8:4985

Review-Url: https://codereview.chromium.org/2008743002
Cr-Commit-Position: refs/heads/master@{#36563}

We now have data that 0.011% of websites use the pattern
  for (var i = 0 in j) { ... }
This pattern was banned by ES2015, with the idea to revisit if
it presents a web compatibility problem. Informally, after
the May 2016 TC39 meeting, the new data was discussed, and there
was interest in reversing the decision. Although the specification
is not yet updated, it seems likely to come soon.

This patch turns off the flag which bans that construct, reenabling
it. The change should prevent websites from breaking.

BUG=v8:4942

Review-Url: https://codereview.chromium.org/2011223003
Cr-Commit-Position: refs/heads/master@{#36562}

Some tests, e.g. in test262, want to create a new same-origin
realm. This patch exposes a new function,
Realm.createAllowCrossRealmAccess(), which vends a new realm with
the same security token as the currently executing one.

Review-Url: https://codereview.chromium.org/1973363004
Cr-Commit-Position: refs/heads/master@{#36561}

Port 91c88644

Original commit message:

    We get less "pollution" of type feedback if we have one vector per native
    context, rather than one for the whole system. This CL moves the vector
    appropriately.

R=mvstanton@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2017983002
Cr-Commit-Position: refs/heads/master@{#36560}

R=littledan@chromium.org
BUG=v8:4628

Review-Url: https://codereview.chromium.org/2017753002
Cr-Commit-Position: refs/heads/master@{#36559}

- Renames UnallocatedOperandenum values to reflect the fact that there are
multiple FP machine representations.
- Renames enum values for RegisterAllocatorVerifier enum.
- Template-izes DefineAsFixed and UseFixed methods to handle multiple FP
register types.

BUG=v8:4124

Review-Url: https://codereview.chromium.org/2017733002
Cr-Commit-Position: refs/heads/master@{#36558}

Annex B 3.3 applies only for ordinary FunctionDeclarations, not
GeneratorDeclarations or AsyncFunctionDeclarations. This patch
- Skips applying Annex B 3.3 to async functions
- Adds a flag to refrain from applying it to generators
- UseCounter for how often duplicate function in block occurs
  with generators (unclear how to measure need for hoisting from block)

BUG=v8:4806

Review-Url: https://codereview.chromium.org/1995863002
Cr-Commit-Position: refs/heads/master@{#36557}

This got left behind from the changes in
https://codereview.chromium.org/2007803002/

PromiseSet only takes 3 arguments.

BUG=v8:5046

Review-Url: https://codereview.chromium.org/2016183002
Cr-Commit-Position: refs/heads/master@{#36556}

intl/number-format/parse-percent.js
intl/date-format/parse-mdyhms.js
intl/number-format/parse-decimal.js
intl/date-format/parse-MMMdy.js

Also added a few more test cases.

BUG=v8:3454
TEST=The tests listed above.

Review-Url: https://codereview.chromium.org/1988073003
Cr-Commit-Position: refs/heads/master@{#36555}

This is a temporary band-aid to turn an uncontrolled segfault into
a safe crash. The proper fix will probably be to abort compilation.

BUG=chromium:582702

Review-Url: https://codereview.chromium.org/2021433003
Cr-Commit-Position: refs/heads/master@{#36554}

These builtins do call into C++ anyways, so there's no point in keeping
the JavaScript wrappers for them.

R=franzih@chromium.org
BUG=v8:5049

Review-Url: https://codereview.chromium.org/2018963002
Cr-Commit-Position: refs/heads/master@{#36553}

Rename some methods to reflect the fact that there are multiple FP
machine representations.

LOG=N
BUG=v8:4124

Review-Url: https://codereview.chromium.org/2013193002
Cr-Commit-Position: refs/heads/master@{#36552}

Online optimization stage for reducing redundant transfers between registers.

BUG=V8:4280
LOG=N

Review-Url: https://codereview.chromium.org/1997653002
Cr-Commit-Position: refs/heads/master@{#36551}

This CL makes sure that Symbols-keys are printed the same way for
fast and slow properties. Additionally the elements and properties
are marked clearer in the output.

BUG=

Review-Url: https://codereview.chromium.org/2008893002
Cr-Commit-Position: refs/heads/master@{#36550}

R=titzer@chromium.org, bradnelson@chromium.org, ahaas@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2014283002
Cr-Commit-Position: refs/heads/master@{#36549}

BUG=mjsunit/wasm/asm-wasm-f*,mjsunit/wasm/asm-wasm-i*

Review-Url: https://codereview.chromium.org/2013393002
Cr-Commit-Position: refs/heads/master@{#36548}

This allows sloppy arguments objects to be allocated by the generic
Heap::AllocateJSObjectFromMap allocation function. An empty elements
backing store for such objects is provided. This is needed in order to
materialize such objects without access to a specific native context.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-613919
BUG=chromium:613919

Review-Url: https://codereview.chromium.org/2014343004
Cr-Commit-Position: refs/heads/master@{#36547}

R=ahaas@chromium.org,bradnelson@chromium.org,aseemgarg@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2017853003
Cr-Commit-Position: refs/heads/master@{#36546}

This was initially used to special case some weird date.js behavior, but
has since been abused in other areas. In case of the string character
access, everything that is outside the Smi range cannot be a valid
string index anyways, so %NumberToSmi is perfect here in either case,
and for ToPositiveInteger it's better to just use ToInteger adding +0 to
turn -0 into +0.

R=ishell@chromium.org
BUG=v8:5049

Review-Url: https://codereview.chromium.org/2010183003
Cr-Commit-Position: refs/heads/master@{#36545}

Adding optional operators for FNeg for WebAssembly, as the current implementation was significantly suboptimal for ARM.

Review-Url: https://codereview.chromium.org/2011303002
Cr-Commit-Position: refs/heads/master@{#36544}

Rewrite decodeURI and decodeURIComponent as builtin functions
and install them in the bootstrapper.

Delete unused runtime functions:
 - TruncateString
 - NewString
 - OneByteSeqStringGetChar
 - OneByteSeqStringSetChar
 - TwoByteSeqStringGetChar
 - TwoByteSeqStringSetChar

Add regression test for decoding large strings. Clusterfuzz detected
a problem with %TruncateString, see
https://bugs.chromium.org/p/chromium/issues/detail?id=612109#c6
This is automatically fixed by this rewrite because %TruncateString
is deleted anyways.

Crude benchmark on 585 decodeURI and decodeURIComponent tests
averaged over five runs:

* builtin functions
real	0m9.69s
user	2m39.8816s
sys    	0m12.6398s

* JS functions calling into the runtime e.g., for %TruncateString
real	0m11.0598s
user	3m6.7026s
sys	0m13.5756s

By running:
$  time tools/run-tests.py   --arch=x64  --mode=Release --buildbot
  test262/built-ins/decodeURI* mjsunit/uri
>>> Running tests for x64.Release

BUG=v8:4912, chromium:612109
R=yangguo@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/1994733003
Cr-Commit-Position: refs/heads/master@{#36543}

This inlines the test and compare binary operations into Ignition.
With this CL all binary ops are inlined into Ignition's bytecode
handlers.

Some blocks were shuffled around in Equals/NotEquals stubs to avoid
creating frames unecessarily. Some labels were also marked as non-
deferred in both Equals/NotEquals and the AbstractRelationalComparison
stubs for the same reason.

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/2013573004
Cr-Commit-Position: refs/heads/master@{#36542}

Commit c86f1897 corrected the way context from which a specific error is
thrown, but the in-line comment was not updated to reflect this.

Update the comment to accurately describe the intended behavior.

LOG=N
R=littledan@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/1999483002
Cr-Commit-Position: refs/heads/master@{#36541}

This intrinsic (and the matching runtime entry) are no longer used by
now and can thereby be removed.

BUG=v8:5049

Review-Url: https://codereview.chromium.org/2016993003
Cr-Commit-Position: refs/heads/master@{#36540}

We get less "pollution" of type feedback if we have one vector per native
context, rather than one for the whole system. This CL moves the vector
appropriately.

BUG=

Review-Url: https://codereview.chromium.org/1906823002
Cr-Commit-Position: refs/heads/master@{#36539}

Currently Mac ComputeThreadTicks only uses user time, this patch adds system
time in order to get more accurate CPU time.

BUG=v8:4984
LOG=n

Review-Url: https://codereview.chromium.org/2016513002
Cr-Commit-Position: refs/heads/master@{#36538}

Rolling v8/build to d96032ba08a39623c95c377a5f592f9931c93385

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2017003002
Cr-Commit-Position: refs/heads/master@{#36537}

For the common use case of having a single resolve or reject callback,
the callbacks are stored directly. Only when an additional callback is
registered, we create an array to store these callbacks.

There are 3 possible states for the resolve, reject symbols when we add
a new callback --
1) UNDEFINED -- This is the zero state where there is no callback
registered. When we see this state, we directly attach the callbacks to
the symbol.
2) !IS_ARRAY -- There is a single callback directly attached to the
symbols. We need to create a new array to store additional callbacks.
3) IS_ARRAY -- There are multiple callbacks already registered,
therefore we can just push the new callback to the existing array.

Also, this change creates a new symbol for storing the deferred objects.
Previously the deferred objects were stored in the callback arrays, but
since we no longer create arrays for the initial case, we need this new
symbol. The cctest has been updated to account for this new symbol.

This patch results in a 19% improvement(over 5 runs) in the bluebird benchmark.

BUG=v8:5046

Review-Url: https://codereview.chromium.org/2007803002
Cr-Commit-Position: refs/heads/master@{#36536}

Review-Url: https://codereview.chromium.org/2001283006
Cr-Commit-Position: refs/heads/master@{#36535}

Adds an API to request the total size of code/bytecode and their associated
metadata in the heap. When requested, the code_space, old_space and
large_object_space  is scanned to find any code/bytecode array objects.
This could be slow and hence it should be used with caution.

BUG=v8:5019
LOG=N

Review-Url: https://codereview.chromium.org/1997363002
Cr-Commit-Position: refs/heads/master@{#36534}

Rolling v8/build to a11885a5fd2ae5b45d97a2bbfe3e33ab13a88f68

Rolling v8/third_party/icu to 4745cccafba8cdb646263fa48b959f386722c155

Rolling v8/tools/clang to 5c08263d87fd4fe23df4f73323cd6146f5dfe7b2

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2015453004
Cr-Commit-Position: refs/heads/master@{#36533}

This patch does five things:

1. Extracts sampler as libsampler to provide sampling functionality support.
2. Makes SampleStack virtual so embedders can override the behaviour of sample collecting.
3. Removes sampler.[h|cc].
4. Moves sampling thread into log.cc as workaround to keep the --prof functionality.
5. Creates SamplerManager to manage the relationship between samplers and threads.

The reason we port hashmap.h is that in debug mode, STL containers are using
mutexes from a mutex pool, which may lead to deadlock when using asynchronously
signal handler.

Currently libsampler is used in V8 temporarily.

BUG=v8:4789
LOG=n

Committed: https://crrev.com/06cc9b7c176a6223971deaa9fbcafe1a05058c7b
Cr-Commit-Position: refs/heads/master@{#36527}

Review-Url: https://codereview.chromium.org/1922303002
Cr-Commit-Position: refs/heads/master@{#36532}

Revert of "[heap] Fine-grained JSArrayBuffer tracking" (patchset #1 id:1 of https://codereview.chromium.org/2009383002/ )

Reason for revert:
https://build.chromium.org/p/chromium.gpu.fyi/builders/Linux%20Debug%20%28NVIDIA%29/builds/29860/steps/maps_pixel_test%20on%20NVIDIA%20GPU%20on%20Linux%20on%20Linux/logs/stdio

Original issue's description:
> Reland of "[heap] Fine-grained JSArrayBuffer tracking" (patchset #1 id:1 of https://codereview.chromium.org/2011563003/ )
>
> Reason for revert:
> Premature revert. Chromium roll included an earlier version.
>
> Original issue's description:
> > Revert of "[heap] Fine-grained JSArrayBuffer tracking" (patchset #3 id:80001 of https://codereview.chromium.org/2007253002/ )
> >
> > Reason for revert:
> > Breaks webgl2 conformance tests
> >   https://bugs.chromium.org/p/chromium/issues/detail?id=614730
> >
> > Original issue's description:
> > > Reland of "[heap] Fine-grained JSArrayBuffer tracking"
> > >
> > > Track based on JSArrayBuffer addresses on pages instead of the attached
> > > backing store.
> > >
> > > Details of tracking:
> > > - Scavenge: New space pages are processes in bulk on the main thread
> > > - MC: Unswept pages are processed in bulk in parallel. All other pages
> > >   are processed by the sweeper concurrently.
> > >
> > > This reverts commit 93fe04af.
> > >
> > > R=hpayer@chromium.org
> > > BUG=chromium:611688
> > > LOG=N
> > > CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_tsan_rel,v8_mac64_asan_rel
> > >
> > > Committed: https://crrev.com/863d015e573798e263b35b31d2ab979739706533
> > > Cr-Commit-Position: refs/heads/master@{#36513}
> >
> > TBR=hpayer@chromium.org
> > # Skipping CQ checks because original CL landed less than 1 days ago.
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > NOTRY=true
> > BUG=chromium:611688
> >
> > Committed: https://crrev.com/b9b0868ec49a52c9a80c9beea862a61707b292e5
> > Cr-Commit-Position: refs/heads/master@{#36524}
>
> TBR=hpayer@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:611688
>
> Committed: https://crrev.com/b23e008885c4c452ae2b329c9dad167a76e4d7be
> Cr-Commit-Position: refs/heads/master@{#36530}

TBR=hpayer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:611688

Review-Url: https://codereview.chromium.org/2009893003
Cr-Commit-Position: refs/heads/master@{#36531}

Reland of "[heap] Fine-grained JSArrayBuffer tracking" (patchset #1 id:1 of https://codereview.chromium.org/2011563003/ )

Reason for revert:
Premature revert. Chromium roll included an earlier version.

Original issue's description:
> Revert of "[heap] Fine-grained JSArrayBuffer tracking" (patchset #3 id:80001 of https://codereview.chromium.org/2007253002/ )
>
> Reason for revert:
> Breaks webgl2 conformance tests
>   https://bugs.chromium.org/p/chromium/issues/detail?id=614730
>
> Original issue's description:
> > Reland of "[heap] Fine-grained JSArrayBuffer tracking"
> >
> > Track based on JSArrayBuffer addresses on pages instead of the attached
> > backing store.
> >
> > Details of tracking:
> > - Scavenge: New space pages are processes in bulk on the main thread
> > - MC: Unswept pages are processed in bulk in parallel. All other pages
> >   are processed by the sweeper concurrently.
> >
> > This reverts commit 93fe04af.
> >
> > R=hpayer@chromium.org
> > BUG=chromium:611688
> > LOG=N
> > CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_tsan_rel,v8_mac64_asan_rel
> >
> > Committed: https://crrev.com/863d015e573798e263b35b31d2ab979739706533
> > Cr-Commit-Position: refs/heads/master@{#36513}
>
> TBR=hpayer@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:611688
>
> Committed: https://crrev.com/b9b0868ec49a52c9a80c9beea862a61707b292e5
> Cr-Commit-Position: refs/heads/master@{#36524}

TBR=hpayer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:611688

Review-Url: https://codereview.chromium.org/2009383002
Cr-Commit-Position: refs/heads/master@{#36530}

Revert of Create libsampler as V8 sampler library. (patchset #24 id:460001 of https://codereview.chromium.org/1922303002/ )

Reason for revert:
V8 Linux64 TSAN failure because ThreadSanitizer indicated data race.

Original issue's description:
> Create libsampler as V8 sampler library.
>
> This patch does five things:
>
> 1. Extracts sampler as libsampler to provide sampling functionality support.
> 2. Makes SampleStack virtual so embedders can override the behaviour of sample collecting.
> 3. Removes sampler.[h|cc].
> 4. Moves sampling thread into log.cc as workaround to keep the --prof functionality.
> 5. Creates SamplerManager to manage the relationship between samplers and threads.
>
> The reason we port hashmap.h is that in debug mode, STL containers are using
> mutexes from a mutex pool, which may lead to deadlock when using asynchronously
> signal handler.
>
> Currently libsampler is used in V8 temporarily.
>
> BUG=v8:4789
> LOG=n
>
> Committed: https://crrev.com/06cc9b7c176a6223971deaa9fbcafe1a05058c7b
> Cr-Commit-Position: refs/heads/master@{#36527}

TBR=jochen@chromium.org,alph@chromium.org,fmeawad@chromium.org,yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4789

Review-Url: https://codereview.chromium.org/2000323007
Cr-Commit-Position: refs/heads/master@{#36529}

Removes the DONT_DELETE enum bit from the properties to make them
configurable.

Also, updates the regress-typedarray-length test to --
- Check for true boolean return value on deletion of these
  properties.
- Check for undefined return value on trying to access these
  properties after deletion.

BUG=v8:4902
LOG=Y

Review-Url: https://codereview.chromium.org/2001393004
Cr-Commit-Position: refs/heads/master@{#36528}

This patch does five things:

1. Extracts sampler as libsampler to provide sampling functionality support.
2. Makes SampleStack virtual so embedders can override the behaviour of sample collecting.
3. Removes sampler.[h|cc].
4. Moves sampling thread into log.cc as workaround to keep the --prof functionality.
5. Creates SamplerManager to manage the relationship between samplers and threads.

The reason we port hashmap.h is that in debug mode, STL containers are using
mutexes from a mutex pool, which may lead to deadlock when using asynchronously
signal handler.

Currently libsampler is used in V8 temporarily.

BUG=v8:4789
LOG=n

Review-Url: https://codereview.chromium.org/1922303002
Cr-Commit-Position: refs/heads/master@{#36527}

Bootstrapper previously created %ThrowTypeError% before the strict
function maps existed, so making that function strict required a small
amount of code reordering.

This fixes a few test262 tests, but we're still non-compliant due to the
fact that we have two functions instead of one (see issue 4034).

BUG=v8:4925
LOG=y

Review-Url: https://codereview.chromium.org/2006733004
Cr-Commit-Position: refs/heads/master@{#36526}