Another spec issue.

R=titzer@chromium.org, rossberg@chromium.org
TEST=unittests/WasmModuleVerifyTest.DataWithoutMemory

Review-Url: https://codereview.chromium.org/2486973003
Cr-Commit-Position: refs/heads/master@{#40855}

The problem is that writes to nested objects do not lead to a copy of a referencing VirtualObject, and that each VirtualObjects maintains a cache of an ObjectState node. Together, this leads to inappropriate reuse of ObjectState nodes.
This fix simply always copies all virtual objects when a new VirtualState is created. This is clearly not optimal to avoid clones, but determining precisely which virtual objects are affected by a write is a transitive closure computation on the virtual objects of a virtual state. Alternatively, one could change the semantics of the node cache.

BUG=v8:5611

Review-Url: https://codereview.chromium.org/2488713002
Cr-Commit-Position: refs/heads/master@{#40854}

The distinction didn't provide any benefits.

BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2492433002
Cr-Commit-Position: refs/heads/master@{#40853}

The spec defines that indirect calls in WebAssembly code should cause a
validation error if no function table exists.

The CL contains the following changes:
1) Throw a validation error for indirect calls if the function table
   not exist.
2) Do not create TF nodes to throw a runtime error for indirect calls
   if the function table does not exist.
3) Fix existing unit tests by creating a dummy function table.
4) Add new a new test which tests that indirect calls without function
   table cause a validation error.

R=rossberg@chromium.org
CC=titzer@chromium.org

TEST=unittests/AstDecoderTest.IndirectCallsWithoutTableCrash

Review-Url: https://codereview.chromium.org/2484623002
Cr-Commit-Position: refs/heads/master@{#40852}

If an exception is thrown when there is a Promise being created, the Promise
catch prediction code would call into a part implemented in JavaScript to see if
the Promise has a catch handler. If it is not possible to call back into JS,
e.g., due to a stack overflow, then this would lead to a crash. This patch
"speculates" that, if it's impossible to call back into JavaScript, then the
error is unhandled, avoding the issue. In a future patch, the catch prediction
logic should be entirely written in C++, but this patch adds a minimal fix to
be more friendly to backports.

BUG=chromium:662935
R=jgruber

Review-Url: https://codereview.chromium.org/2487833002
Cr-Commit-Position: refs/heads/master@{#40851}

We recently allowed global constants in asm.js validated code.
When used in a return statement, these need to be of an allowed type.

BUG=660813
R=jpp@chromium.org,aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2481103002
Cr-Commit-Position: refs/heads/master@{#40850}

R=bradnelson@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2465103002
Cr-Commit-Position: refs/heads/master@{#40849}

Don't rely on carry flags you didn't set yourself.

BUG=chromium:663402

Review-Url: https://codereview.chromium.org/2484283002
Cr-Commit-Position: refs/heads/master@{#40848}

Review-Url: https://codereview.chromium.org/2484963002
Cr-Commit-Position: refs/heads/master@{#40847}

BUG=chromium:662418

Review-Url: https://codereview.chromium.org/2473223004
Cr-Commit-Position: refs/heads/master@{#40846}

It looks like waiting for 4 ticks before optimizing from interpreted
code is hurting performance in sunspider after turning on Ignition
for all TurboFan code. Set it back to 2 ticks.

BUG=chromium:661556

Review-Url: https://codereview.chromium.org/2488703002
Cr-Commit-Position: refs/heads/master@{#40845}

We handle this case specially because otherwise we would have to do
complicated overflow detection.

R=titzer@chromium.org
TEST=cctest/test-run-wasm/RunWasmCompiled_LoadMaxUint32Offset

Review-Url: https://codereview.chromium.org/2490533003
Cr-Commit-Position: refs/heads/master@{#40844}

Seems unused.

Review-Url: https://codereview.chromium.org/2483103002
Cr-Commit-Position: refs/heads/master@{#40843}

Workes by accident when using the JSObject descriptor as it also implements
strong semantics.

BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2485163003
Cr-Commit-Position: refs/heads/master@{#40842}

WeakCells are never allocated in new space.

BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2476323003
Cr-Commit-Position: refs/heads/master@{#40841}

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2487673002
Cr-Commit-Position: refs/heads/master@{#40840}

BUG=v8:5561

Review-Url: https://codereview.chromium.org/2479373006
Cr-Commit-Position: refs/heads/master@{#40839}

R=titzer@chromium.org, rossberg@chromium.org
TEST=unittests/WasmModuleVerifyTest.ExportMutableGlobal

Review-Url: https://codereview.chromium.org/2481263003
Cr-Commit-Position: refs/heads/master@{#40838}

Taken from http://kpdecker.github.io/six-speed/

Review-Url: https://codereview.chromium.org/2467483002
Cr-Commit-Position: refs/heads/master@{#40837}

With this CL, we set the is_source_positions_enabled flag on CompilationInfo when
- a command line flag is enabled that requires Turbofan to preserve source position
  information (e.g. --trace-deopt), and
- when profiling is enabled.

This also removes the --turbo-source-positions flag.

The goal is to eventually only track source position information when needed.

R=mstarzinger@chromium.org
BUG=v8:5439

Review-Url: https://codereview.chromium.org/2484163003
Cr-Commit-Position: refs/heads/master@{#40836}

The set of operands are really small, so STL set performs really poorly.

In Octane/TypeScript, I see move optimization going from >300ms to <100ms.

Review-Url: https://codereview.chromium.org/2481853002
Cr-Commit-Position: refs/heads/master@{#40835}

This adds clearStepping plus the family of
{set,clear}BreakOn{,Uncaught}Exception functions.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2482903002
Cr-Commit-Position: refs/heads/master@{#40834}

This is an experiment to check whether the heuristics is still useful.

BUG=

Review-Url: https://codereview.chromium.org/2482163002
Cr-Commit-Position: refs/heads/master@{#40833}

This adds a new TypedObjectState operator, which is a version of
ObjectState that carries along MachineTypes for the inputs, so we
can tell the deoptimizer how to interpret the inputs, instead of
having to force everything to Tagged.

Drive-by-fix: Remove the unused id parameter from ObjectState.

R=tebbi@chromium.org
BUG=v8:5609

Review-Url: https://codereview.chromium.org/2488623002
Cr-Commit-Position: refs/heads/master@{#40832}

This fixes another spec tests.

R=rossberg@chromium.org, titzer@chromium.org
TEST=WasmModuleVerifyTest.ImportTable_mutable_global

Review-Url: https://codereview.chromium.org/2484803002
Cr-Commit-Position: refs/heads/master@{#40831}

BUG=v8:5599
R=ahaas@chromium.org

Review-Url: https://codereview.chromium.org/2483193002
Cr-Commit-Position: refs/heads/master@{#40830}

The access check is generated as a:
- Equality check of an execution-time and a compile-time native contexts
  for primitive receivers.
- Equality check of an execution-time and a compile-time native contexts
  or equality check of a respective security tokens for global proxy receivers.
- No-op for other kinds of receivers.

BUG=v8:5561

Review-Url: https://codereview.chromium.org/2482913002
Cr-Commit-Position: refs/heads/master@{#40829}

We really should deopt before the for-in index increment.

BUG=chromium:662904

Review-Url: https://codereview.chromium.org/2476423003
Cr-Commit-Position: refs/heads/master@{#40828}

R=jgruber@chromium.org, mstarzinger@chromium.org
BUG=v8:5610

Review-Url: https://codereview.chromium.org/2482133002
Cr-Commit-Position: refs/heads/master@{#40827}

Also add a primitive mjsunit test that uses such a function optimized by
Turbofan.

R=mstarzinger@chromium.org
CC=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2472143002
Cr-Commit-Position: refs/heads/master@{#40826}

This introduces two new bytecodes LdaModuleVariable and StaModuleVariable,
replacing the corresponding runtime calls.

Support in the bytecode graph builder exists only in the form of runtime calls.

BUG=v8:1569

Review-Url: https://codereview.chromium.org/2471033004
Cr-Commit-Position: refs/heads/master@{#40825}

This moves all tests currently working with the inspector debugger wrapper to
test/debugger.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2480223002
Cr-Commit-Position: refs/heads/master@{#40824}

Review-Url: https://codereview.chromium.org/2477363002
Cr-Commit-Position: refs/heads/master@{#40823}

The memory leak is fixed by calling the GC at the end of the tests. The GC collects the WasmModuleWrapper objects, which deallocates WasmModule c++ object. For the mjsunit tests the GC is already called because of the --invoke_weak_callbacks flag.

BUG=chromium:662388

Review-Url: https://codereview.chromium.org/2476643003
Cr-Commit-Position: refs/heads/master@{#40822}

BUG=chromium:616879
NOTRY=true
TBR=mtrofin@chromium.org

Review-Url: https://codereview.chromium.org/2476273003
Cr-Commit-Position: refs/heads/master@{#40821}

 - When module bytes have a memory maximum defined, compiled module object should set maximum memory
 - Exported memory objects should set maximum value on the memory objects
 - Update tests to use declared maximum values.

R=ahaas@chromium.org

Review-Url: https://codereview.chromium.org/2474333003
Cr-Commit-Position: refs/heads/master@{#40820}

Previously, tests in the newly added test/debugger/debug directory were
not executed on CQ.

BUG=v8:5530

Review-Url: https://codereview.chromium.org/2484713002
Cr-Commit-Position: refs/heads/master@{#40819}

  port 9b308dca (r40721)

  original commit message:

BUG=

Review-Url: https://codereview.chromium.org/2485033002
Cr-Commit-Position: refs/heads/master@{#40818}

This patch is a follow-up patch to enable gc statistics to use
TracingCategoryObserver.

Previously we need to pass --track_gc_object_stats to v8 if we want to enable
gc statistics in tracing. In this patch, we introducce an integer flag
FLAG_gc_stats, and FLAG_track_gc_object_stats and FLAG_trace_gc_object_stats
will set it to 0x01, tracing will set it to 0x10 when we start tracing and
reset the bit when we stop tracing.

BUG=v8:5590

Review-Url: https://codereview.chromium.org/2459903003
Cr-Commit-Position: refs/heads/master@{#40817}

  port 4447405b (r40712)

  original commit message:

BUG=

Review-Url: https://codereview.chromium.org/2486433004
Cr-Commit-Position: refs/heads/master@{#40816}