BytecodeList::New() returns a reference to the BytecodeLabel added to the list.
Since ZoneVector can resize, this reference could become invalid. Instead
move to a ZoneLinkedList so the references never move.

Since we were using zone vectors, the old references were still valid, and
they were only mutated to set is_bound_, so only DCHECKs should have been
affected.

Change-Id: I5da850af2596dcd7f56578a6e5badd332350cb5b
Reviewed-on: https://chromium-review.googlesource.com/544941
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46145}

This CL leverages and extends the deopt-to-stub mechanisms previously
introduced to support deopting from CSA-built builtins (e.g. Array.prototype.forEach).

BUG=v8:6373
LOG=N

Review-Url: https://codereview.chromium.org/2890363002
Cr-Commit-Position: refs/heads/master@{#46144}

Bug: 
Change-Id: I45414453378c77f00ba01ca79fd4d84245c5a423
Reviewed-on: https://chromium-review.googlesource.com/544862Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46143}

Removed the unnecessary macro.

R=machenbach@chromium.org, dpranke@chromium.org, adamk@chromium.org
BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2949053003
Cr-Commit-Position: refs/heads/master@{#46142}

Bug: 
Change-Id: I52bd9573735ac7c28a03e070064fe89b38d479ef
Reviewed-on: https://chromium-review.googlesource.com/544957Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46141}

If the fuzzer input cannot be executed in the interpreter within a step
limit, then the interpreter does not calculate the result but instead
finishes with a RangeError. The problem with the input of the bug report
was that the interpreter finished with that RangeError, but the
execution of the compiled code still returned a result, which was
naturally not a RangeError and therefore caused the result check to fail.
With this CL the compiled code is not even executed when there is a
RangeError after the execution in the interpreter. Thereby we also
avoid executing an infinite loop.

BUG=chromium:734435
R=clemensh@chromium.org

Change-Id: If9d0fb9e14e84f06d6f11d22f882363d56c1c20b
Reviewed-on: https://chromium-review.googlesource.com/544838
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46140}

This patch also adds handling of NativeContext and BytecodeArray.

BUG=chromium:694255

Change-Id: I6d4b2db03ece7346200853bd0b80daf65672787f
Reviewed-on: https://chromium-review.googlesource.com/543237
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46139}

This is a reland of 54b42a55
Original change's description:
> [build] Add filter script for official build
> 
> This adds a V8-side script to list the files contained in an official archive.
> 
> This'll accompany the infra-side archive recipe:
> https://chromium-review.googlesource.com/c/544298/
> 
> Keeping this script on the V8-side will make it easy to change the
> archived build product.
> 
> NOTRY=true
> 
> Bug: v8:5918
> Change-Id: I9fcb2eae183a26e7ce11c839d95a583a049cbe75
> Reviewed-on: https://chromium-review.googlesource.com/544877
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46135}

TBR=vogelheim@chromium.org
NOTRY=true

Bug: v8:5918
Change-Id: I87b58c78a2cbd97f4da37ac93fe1e8ee77bf5ca0
Reviewed-on: https://chromium-review.googlesource.com/544979Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46138}

This reverts commit 54b42a55.

Reason for revert: Fails on native arm builders.

Original change's description:
> [build] Add filter script for official build
> 
> This adds a V8-side script to list the files contained in an official archive.
> 
> This'll accompany the infra-side archive recipe:
> https://chromium-review.googlesource.com/c/544298/
> 
> Keeping this script on the V8-side will make it easy to change the
> archived build product.
> 
> NOTRY=true
> 
> Bug: v8:5918
> Change-Id: I9fcb2eae183a26e7ce11c839d95a583a049cbe75
> Reviewed-on: https://chromium-review.googlesource.com/544877
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46135}

TBR=machenbach@chromium.org,vogelheim@chromium.org,tandrii@chromium.org,jochen@chromium.org

Change-Id: Ic3bb59b5f0864941c8f8b590b0a351c103988f93
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:5918
Reviewed-on: https://chromium-review.googlesource.com/544978Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46137}

In the failing case (see test), the loop variable (which should be context
allocated) is in a hidden scope, so we need to save and restore data for hidden
scopes too.

The !is_hidden() check was overly limiting - NeedsScopeData already handles the
"hidden leaf scope" case which is the one we want to avoid.

(Btw, this also means that the previous assumption "variables in hidden scopes
are not context allocated" was wrong.)

BUG=v8:5516

Change-Id: I1c6116654b19ef0cfd64e8a743b46af683a9fcd5
Reviewed-on: https://chromium-review.googlesource.com/544938
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46136}

This adds a V8-side script to list the files contained in an official archive.

This'll accompany the infra-side archive recipe:
https://chromium-review.googlesource.com/c/544298/

Keeping this script on the V8-side will make it easy to change the
archived build product.

NOTRY=true

Bug: v8:5918
Change-Id: I9fcb2eae183a26e7ce11c839d95a583a049cbe75
Reviewed-on: https://chromium-review.googlesource.com/544877
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46135}

The DCHECKs were checking that the data we stored about a Scope (param count
etc) matches the Scope where we're restoring the data to.

But for skipped functions, this data is not in the Scope, so it doesn't make
sense to DCHECK them.

BUG=v8:5516

Change-Id: I6ad66ec4dd5fe31da52c0d5b533b336e3956ee1d
Reviewed-on: https://chromium-review.googlesource.com/544300
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46134}

let f = function g() { ... } declares "g" inside the function. This
CL makes the preparser declare it too, and saves + restores the scope data for
it.

BUG=v8:5516

Change-Id: Id4c64f446d30f5252038cfb0f0f473b85ba24a9b
Reviewed-on: https://chromium-review.googlesource.com/544816
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46133}

Re-enable a couple of WebAssembly tests previously disabled by mistake.

Change-Id: I315b991bc1bb2a22aa5238e85e477704e3dc94df
Bug: 
Reviewed-on: https://chromium-review.googlesource.com/543123Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#46132}

Currently the descriptors are moved from the old map to the new map,
which is unsafe for the concurrent marker. This patch removes the map
mutation.

Change-Id: I3f7ce455c7344148a122c7443cf32a4eef0307be
Reviewed-on: https://chromium-review.googlesource.com/535480
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46131}

Change-Id: I918bf4752c66537015cc67bd81ec68a57b4dac52
Reviewed-on: https://chromium-review.googlesource.com/544878Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46130}

transition, check to see if we have already done this transition.

BUG=v8:6450

Review-Url: https://codereview.chromium.org/2915863004
Cr-Commit-Position: refs/heads/master@{#46129}

The test setup was as follows:
- Preparse function test() { ... }, get scope allocation data.
- Apply the scope allocation data to (function test() { ... })();
- Compare against normal scope allocation for (function test() { ... })();

But the IIFE is unnecessary - we already disable lazy parsing.

Cleaning this up is needed because in the next CL, I want to fix the Scopes
produced by PreParser in this case:

let f = function g() {
  // Here we should declare g!
}

And that fix will make the variables in
function test() {
  // Here we don't declare test
}
and
(function test() {
  // Here we do declare test
})();
not match any more, so it doesn't make sense to compare them against each other.

BUG=v8:5516

Change-Id: I93d154c6977bb3cbe405b6ca193cf6283df297bc
Reviewed-on: https://chromium-review.googlesource.com/543341Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46128}

Bug: 
Change-Id: Iafd8174f567365ece3b124685bf50a10b57fbd09
Reviewed-on: https://chromium-review.googlesource.com/543499
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46127}

BUG=chromium:694255

Change-Id: I1e8104831a9d31177bfaffc2a99300e2022edfd3
Reviewed-on: https://chromium-review.googlesource.com/544918Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46126}

Bug: 
Change-Id: Iab8fc855808b22a2786476ddc4568f3f474c73d8
Reviewed-on: https://chromium-review.googlesource.com/543079
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46125}

SeededNumberDictionaries are used to implement element backing stores of JSObjects, not internally used dictionaries. This saves space for the anyway unused PropertyDetails entry (1/3 fields).

Bug: 
Change-Id: I6fe9fae6de500dd0bcb722f51a7543952c7813e9
Reviewed-on: https://chromium-review.googlesource.com/543343
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46124}

Bug: 
Change-Id: I252a293cfb6c7cce41d4c585078d78609f4419b7
Reviewed-on: https://chromium-review.googlesource.com/543035
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46123}

This switches all uses of the patching {BinaryOpICStub} over to the
respective existing and non-patching CSA-builtins, and removes some
supporting code. It also removes the inlined SMI handling.

R=verwaest@chromium.org
BUG=v8:6408

Change-Id: If547c0127bfcafbd01ccb33b702b1868006ebcb1
Reviewed-on: https://chromium-review.googlesource.com/541398
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46122}

Bug: 
Change-Id: I335dc1259f2468e91f8fb6d5a3b13a601c807a79
Reviewed-on: https://chromium-review.googlesource.com/544875Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46121}

This CL does same changes as
https://chromium-review.googlesource.com/c/540763/, but for async
compilation instead of for parallel compilation. The biggest difference
is that for async compilation I start background tasks again when half
of the memory is free again and not when all the memory is free again.

Original description:

It is possible that the foreground task is unable to clear the
scheduled unfinished work, eventually leading to an OOM.

We use either code_range on 64 bit, or the capacity of the code space,
as a heuristic for how much memory to use for compilation.

The change avoids blocking the background threads while we're over the
memory threshold. This is to avoid starving the GC.

R=mtrofin@chromium.org

Change-Id: I7399e2474f72f6727e6e50176dd7ba95cdcd3238
Reviewed-on: https://chromium-review.googlesource.com/543477
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46120}

Bug: chromium:651354
Change-Id: I8aa122f48986f494146d4e896b254846de7ce295
Reviewed-on: https://chromium-review.googlesource.com/543500
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46119}

This will allow for embedders to easily implement their own Platform
without duplicating the tracing controller code.

BUG=v8:6511
R=fmeawad@chromium.org

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I7c64933d12b2cf53f0636fbc87f6ad5d22019f5c
Reviewed-on: https://chromium-review.googlesource.com/543015
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Fadi Meawad <fmeawad@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46118}

Bug: 
Change-Id: Id05ac179899cfa802575c90ea1745375e2833825
Reviewed-on: https://chromium-review.googlesource.com/542617
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46117}

In edge cases such as the following, sloppy-mode block-scoped function
hoisting is expected to occur:

  eval(`
    with({a: 1}) {
      function a() {}
    }
  `)

In this case, there should be the equivalent of a var declaration
outside of the eval, which gets set to the value of the local function
a when the body of the with is executed.

Previously, the way that var declarations are hoisted out of eval
meant that the assignment to that var was an ordinary DYNAMIC_GLOBAL
assignment. However, such a lookup mode meant that the object in the
with scope received the assignment!

This patch fixes that error by marking the assignments produced by
the sloppy mode block scoped function hoisting desugaring so as to
generate a different runtime call which skips with scopes.

Bug: chromium:720247, v8:5135
Change-Id: Ie36322ddc9ca848bf680163e8c016f50d4597748
Reviewed-on: https://chromium-review.googlesource.com/529230
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46116}

R=marja@chromium.org

Change-Id: I8a1ad2e64f5ec755fe5ce5949bf9b455696bd3f4
Reviewed-on: https://chromium-review.googlesource.com/543056Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46115}

This CL addresses some post-commit comments on
https://chromium-review.googlesource.com/c/532993/.

R=mtrofin@chromium.org

Change-Id: I1e078faf5e3fdb3bb4cbe6d6e1434fbd253f77df
Reviewed-on: https://chromium-review.googlesource.com/543236Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46114}

R=marja@chromium.org

Change-Id: I34ace4425d091e7104b37079a455176af08c250d
Reviewed-on: https://chromium-review.googlesource.com/543498Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46113}

BUG=chromium:732736
R=marja@chromium.org

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I3b3dfdd0c55a7ec267ae26765901497611d39d29
Reviewed-on: https://chromium-review.googlesource.com/543158Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46112}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/9ffcabd..68d4fc6

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/a64c010..76def89

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I6ecd01bde7a297b42539fcc5a31a367b2406e606
Reviewed-on: https://chromium-review.googlesource.com/544595Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46111}

Collect code coverage by compiling for one or more target architectures
and then running tests, in the same directory. This way, gcov aggregates
results.

Bug: 
Change-Id: I3bf05416c535c0c566e48d4e73adc4eb49ba2793
Reviewed-on: https://chromium-review.googlesource.com/527522
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46110}

Port 24b7026d

Original Commit Message:

    For interpreted functions, use the optimized code slot in the feedback
    vector to store an optimization marker (optimize/in optimization queue)
    rather than changing the JSFunction's code object. Then, adapt the
    self-healing mechanism to also dispatch based on this optimization
    marker. Similarly, replace SFI marking with optimization marker checks
    in CompileLazy.

    This allows JSFunctions to share optimization information (replacing
    shared function marking) without leaking this information across native
    contexts. Non I+TF functions (asm.js or --no-turbo) use a
    CheckOptimizationMarker shim which generalises the old
    CompileOptimized/InOptimizationQueue builtins and also checks the same
    optimization marker as CompileLazy and InterpreterEntryTrampoline.

    This is a reland of https://chromium-review.googlesource.com/c/509716

R=leszeks@chromium.org, joransiu@ca.ibm.com, bjaideep@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2947903002
Cr-Commit-Position: refs/heads/master@{#46109}

This was left over from the previous CL to change S128LoadMem/S128StoreMem to
use prefixed opcodes. Decoding prefixed opcodes already checks for the
prototype flag.

BUG=V8:6020

R=bbudge@chromium.org

Review-Url: https://codereview.chromium.org/2946303002
Cr-Commit-Position: refs/heads/master@{#46108}

This will make it easier if we want to split it into two intrinsics, one
for creating an object with `done == true` and one with `done == false`.

Also remove apparently-dead method FullCodegen::EmitCreateIteratorResult.

Bug: v8:6408, v8:6409
Change-Id: I3d6022a9eff517dd8b664d65950502c22447b364
Reviewed-on: https://chromium-review.googlesource.com/543567Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46107}

(Reland: NeedsManualRebaseline'd newly-fixed layout test in Chromium.)

This was never legal; the spec only allows '\0' in strict-mode strings
or templates when not followed by a decimal digit. Previously we were
only enforcing that it not be followed by an _octal_ digit.

This was already fixed for numeric literals, but not for escape
sequences in strings.

BUG=v8:6504

Review-Url: https://codereview.chromium.org/2948903002
Cr-Commit-Position: refs/heads/master@{#46106}