The implication was actually in the wrong direction: If there is no
memory start address, then the size must be 0.
If the size is 0 though, we might allocate nevertheless to have guard
pages around the accessible memory.

R=ahaas@chromium.org
BUG=chromium:736584

Change-Id: I297dece658d5eaf69c58ecb109ff21d3ca0b8a8d
Reviewed-on: https://chromium-review.googlesource.com/548635Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46221}

This partially reverts commit 015edc60.

Reason for revert: Performance regression on richards

Bug: v8:6211
Change-Id: Ib69a1ed90b2015addcc54d7f299bdd654d964b54
Reviewed-on: https://chromium-review.googlesource.com/544992Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46174}

This removes the --turbo flag and solely relies on the filter pattern
provided via --turbo-filter when deciding whether to use TurboFan. Note
that disabling optimization wholesale can still be done with --no-opt,
which should be used in favor of --no-turbo everywhere.

Also note that this contains semantic changes to the TurboFan activation
criteria. We respect the filter pattern more stringently and no longer
activate TurboFan just because the source contains patterns forcing use
of Ignition via {AstNumberingVisitor::DisableFullCodegenAndCrankshaft}.

R=rmcilroy@chromium.org
BUG=v8:6408

Change-Id: I0c855f6a62350eb62283a3431c8cc1baa750950e
Reviewed-on: https://chromium-review.googlesource.com/528121Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46167}

This CL leverages and extends the deopt-to-stub mechanisms previously
introduced to support deopting from CSA-built builtins (e.g. Array.prototype.forEach).

BUG=v8:6373
LOG=N

Review-Url: https://codereview.chromium.org/2890363002
Cr-Commit-Position: refs/heads/master@{#46144}

transition, check to see if we have already done this transition.

BUG=v8:6450

Review-Url: https://codereview.chromium.org/2915863004
Cr-Commit-Position: refs/heads/master@{#46129}

In edge cases such as the following, sloppy-mode block-scoped function
hoisting is expected to occur:

  eval(`
    with({a: 1}) {
      function a() {}
    }
  `)

In this case, there should be the equivalent of a var declaration
outside of the eval, which gets set to the value of the local function
a when the body of the with is executed.

Previously, the way that var declarations are hoisted out of eval
meant that the assignment to that var was an ordinary DYNAMIC_GLOBAL
assignment. However, such a lookup mode meant that the object in the
with scope received the assignment!

This patch fixes that error by marking the assignments produced by
the sloppy mode block scoped function hoisting desugaring so as to
generate a different runtime call which skips with scopes.

Bug: chromium:720247, v8:5135
Change-Id: Ie36322ddc9ca848bf680163e8c016f50d4597748
Reviewed-on: https://chromium-review.googlesource.com/529230
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46116}

Bug: chromium:734108
Change-Id: I696b104e3b6b9dd71a60c21baa558d4f1fec1dfb
Reviewed-on: https://chromium-review.googlesource.com/541624
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46074}

R=marja@chromium.org

Bug: chromium:726625
Change-Id: I3f451a47b5a60a4c367d04a5466acd9e2f90df14
Reviewed-on: https://chromium-review.googlesource.com/530849Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46063}

If one wasm instance imports an exported function of another instance,
we unwrap the js-to-wasm wrapper of the export and use the underlying
code object directly. However, the code object does not keep the wasm
instance alive. It is only connected via a WeakCell.
With this CL, we explicitly store a FixedArray of all wasm instances
from which we imported functions to keep them alive at least as long as
the instance which imports the code.

R=mtrofin@chromium.org, ahaas@chromium.org
BUG=chromium:734345

Change-Id: I8dcfc9a4ea2d791a62d8cb7255039e481c50bdfd
Reviewed-on: https://chromium-review.googlesource.com/539738Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46062}

This makes sure that the coercion of global import values to numbers
remains non-observable to JavaScript. It allows instantiation failures
to fall back to JavaScript proper without accidentally causing some
side-effect to happen twice. Also coercions might invalidate previous
checks done during linking or throw exceptions.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-6431
BUG=v8:6431

Change-Id: Ibe2f7a336bc0fb25532d526746ecc802e04bbd5c
Reviewed-on: https://chromium-review.googlesource.com/512544
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46051}

The constructor of WireBytesRef checks that offset+length is still in
the uint32_t range. This CL avoids triggering this check on illegally
size strings.

R=ahaas@chromium.org
BUG=chromium:734246

Change-Id: Iab5c7013aa3e0ac5060bc4733e712a1652679b1a
Reviewed-on: https://chromium-review.googlesource.com/539402Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46050}

Bug: chromium:734162, chromium:734051, v8:6211
Change-Id: I5c3e7578e9278b8f19ff16ad4d963f490dcc6c8c
Reviewed-on: https://chromium-review.googlesource.com/541415
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46033}

If we pass in thin-string into a keyed load, the underlying internalized string is used to find the handler. However, the thin string itself was used to interpret the handler. Since the thin string itself isn't unique, this caused existing properties on the prototype chain to not be found in case of dictionary-mode prototypes.

Bug: chromium:731193
Change-Id: Ic98d3789ecf9175e17d9c898ab13231aad59efcc
Reviewed-on: https://chromium-review.googlesource.com/539596Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46005}

Large allocations would fail due to the flag not being set.

Bug: chromium:732836
Change-Id: I31686e382386a2d08582c86b29dc8f89841040d1
Reviewed-on: https://chromium-review.googlesource.com/535563Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45999}

Storing the boilerplate on the first run leads to memory ovehead for code
that is run only once. Hence we directly return the creating literal on the
first run and only start creating copies from the second run on.

Bug: v8:6211
Change-Id: I69b96d124a5b594b991fdbcc76dbf935d973ffad
Reviewed-on: https://chromium-review.googlesource.com/530688
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45975}

Bug: chromium:733059, chromium:724947
Change-Id: Id7abc22ee0975cd609cc06a02552f68e9e0077e8
Reviewed-on: https://chromium-review.googlesource.com/535596
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45952}

For unknown Argument object Maps we have to expect that constants fields
are kept on the Map.

Bug: chromium:729597
Change-Id: I110f77455ce434a431c8de27d021b1a5deb86f30
Reviewed-on: https://chromium-review.googlesource.com/532900Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45935}

TracingCpuProfiler test updates the current plaform while
concurrent marking is running.

This patch also disables stress-incremental-marking for
mjsunit/regress-430201.

BUG=chromium:694255

Change-Id: I85ff538c47bce0300cde3204989ef3f9512b805f
Reviewed-on: https://chromium-review.googlesource.com/533873Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45921}

Bug: chromium:731351
Change-Id: I810986cba2f575da9de2c4bb70c250784148eeb5
Reviewed-on: https://chromium-review.googlesource.com/532634
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45918}

The function that generated a pre-shifted immediate didn't account for the
instruction with post-shift being unencodable. Fix this by passing
information about the target instruction, and use it to limit the application
of pre-shift.

BUG=chromium:725858

Change-Id: Ia0f70b2ea057975d90162aa6889f15b553acd321
Review-Url: https://codereview.chromium.org/2922173004
Cr-Commit-Position: refs/heads/master@{#45911}

This adds missing support for in-object properties within objects having
the {JSGeneratorObject} type to materialization during deoptimization.
For corner-cases where the implicit generator object is statically known
not to escape, object layout might still be arbitrarily complex.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-732169
BUG=chromium:732169,v8:6481

Change-Id: I32f373913d60af64981dc4ed66873cc8a1dbe872
Reviewed-on: https://chromium-review.googlesource.com/530230Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45870}

This adds support for materializing objects of {JSGeneratorObject} type
during deoptimization. Cases where soft-deopts remove any escaping use
of the implicit generator object can cause it to be escape analyzed.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-732169
BUG=chromium:732169

Change-Id: I2ec10b2a509a4f37a456a8ca2fd74b8de2fb55be
Reviewed-on: https://chromium-review.googlesource.com/530847Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45849}

[builtins] Make sure to perform ToPrimitive(key, hint string) in hasOwnProperty even if the receiver is a smi.

Bug: chromium:707580
Change-Id: I38f8740ac0df5d5e4e99808e4fa20bae88a23a11
Reviewed-on: https://chromium-review.googlesource.com/528077Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45790}

Don't treat new prototypes differently depending on how they become a
prototype. This is work towards always keeping prototypes in slow-mode.


Bug: v8:6471
Change-Id: I62de1018e21d91fda3a5da044615f32c718910b1
Reviewed-on: https://chromium-review.googlesource.com/526596Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45781}

When the slow path for Array.prototype.indexOf calls a Proxy's "has"
trap, it must check afterwards whether an exception was thrown.

BUG=chromium:728813

Change-Id: I998bba6ddcd65adfed2eefb63b3285da60d2a43c
Reviewed-on: https://chromium-review.googlesource.com/527173Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45759}

This cl: https://chromium-review.googlesource.com/509613 changed
CheckNotTaggedHole to not produce any value output. This would mean that
in some cases, we could leak hole on value edges. This violates the
assumption that we cannot see a hole on several operators. Fixing this
back to the original state.

Bug: chromium:730254
Change-Id: I3512930e88dbe15e9d9b4b0d276868f354cc2ae2
Reviewed-on: https://chromium-review.googlesource.com/527033Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45757}

It's possible to build circular objects through the reviver function in
JSON.parse. Recursion needs to check for stack overflows and throw as
needed.

BUG=chromium:729671

Change-Id: I52ccd9ed9fea5829810879f8dd8207043fa6d910
Reviewed-on: https://chromium-review.googlesource.com/525812
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45752}

The inlining of Function.prototype.bind can lead to escape analyzed
bound functions, which weren't handled by the Deoptimizer previously.

BUG=chromium:729573
R=jarin@chromium.org,cbruni@chromium.org

Review-Url: https://codereview.chromium.org/2931483003
Cr-Commit-Position: refs/heads/master@{#45751}

The regression is already fixed. This just adds a regression test to
ensure it will never be reintroduced.

R=ahaas@chromium.org
BUG=chromium:729991

Change-Id: I5cf960cc756cbb7723041bc06a78d6a14c66e241
Reviewed-on: https://chromium-review.googlesource.com/525538Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45739}

When optimizing stores to data properties in literals, we need to first
migrate deprecated maps before we lookup the property access infos for
those.

BUG=chromium:724608
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2930433003
Cr-Commit-Position: refs/heads/master@{#45727}

TBR=ishell@chromium.org

Bug: v8:6457
Change-Id: I09d7d6ff8460688b7ddf25f733aea73a620db953
Reviewed-on: https://chromium-review.googlesource.com/523037Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45699}

TBR=machenbach@chromium.org

Bug: v8:6457
Change-Id: I75cf773941fc4f3eb6878df14f757ba1d2e23926
Reviewed-on: https://chromium-review.googlesource.com/522647Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45697}

Execution tests regress-336820 and regress-678917 finished with error
messages "allocation failure GC in old space requested" and "fatal
javascript OOM in CALL_AND_RETRY_LAST". For successful execution,
parameter max_old_space_size must be increased and this is done inside
tests.

TEST=mjsunit/regress/regress-336820,
     mjsunit/regress/regress-678917
BUG=

Review-Url: https://codereview.chromium.org/2907363003
Cr-Original-Commit-Position: refs/heads/master@{#45672}
Committed: https://chromium.googlesource.com/v8/v8/+/1550c869094c5873da9226ae9b4de7084692a857
Review-Url: https://codereview.chromium.org/2907363003
Cr-Commit-Position: refs/heads/master@{#45681}

Revert of [heap] Decrease old space physical memory factor. (patchset #3 id:40001 of https://codereview.chromium.org/2907363003/ )

Reason for revert:
Fails on other bots now:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20debug/builds/16197
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/13170
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20gc%20stress/builds/6749

Original issue's description:
> Fix tests regress-336820 and regress-678917.
>
> Execution tests regress-336820 and regress-678917 finished with error
> messages "allocation failure GC in old space requested" and "fatal
> javascript OOM in CALL_AND_RETRY_LAST". For successful execution,
> parameter max_old_space_size must be increased and this is done inside
> tests.
>
> TEST=mjsunit/regress/regress-336820,
>      mjsunit/regress/regress-678917
> BUG=
>
> Review-Url: https://codereview.chromium.org/2907363003
> Cr-Commit-Position: refs/heads/master@{#45672}
> Committed: https://chromium.googlesource.com/v8/v8/+/1550c869094c5873da9226ae9b4de7084692a857

TBR=hpayer@chromium.org,jochen@chromium.org,mlippautz@chromium.org,mstarzinger@chromium.org,ulan@chromium.org,ivica.bogosavljevic@imgtec.com,bmeurer@chromium.org,jarin@chromium.org,ishell@chromium.org,Ilija.Pavlovic@imgtec.com,Ilija.Pavlovic@imgtec.com,Ilija.Pavlovic@imgtec.com,Ilija.Pavlovic@imgtec.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review-Url: https://codereview.chromium.org/2917063002
Cr-Commit-Position: refs/heads/master@{#45673}

Execution tests regress-336820 and regress-678917 finished with error
messages "allocation failure GC in old space requested" and "fatal
javascript OOM in CALL_AND_RETRY_LAST". For successful execution,
parameter max_old_space_size must be increased and this is done inside
tests.

TEST=mjsunit/regress/regress-336820,
     mjsunit/regress/regress-678917
BUG=

Review-Url: https://codereview.chromium.org/2907363003
Cr-Commit-Position: refs/heads/master@{#45672}

BUG=chromium:724972

R=clemensh@chromium.org, rossberg@chromium.org

Review-Url: https://codereview.chromium.org/2917603002
Cr-Commit-Position: refs/heads/master@{#45665}

Currently x instanceof Map/Set checks cannot take the fast path, since
the Map/Set constructor has dictionary properties. To avoid that, just
forcibly migrate the Map/Set constructor to fast properties again once
it's fully setup in the bootstrapper.

Bug: v8:5717, v8:5902
Change-Id: I23dfd00456c9206a0ca5af71dfbc9236982936fc
Reviewed-on: https://chromium-review.googlesource.com/520578
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45663}

Bug: 
Change-Id: If4a5408f8ff63a8a2b189f60fda37896a9403d3d
Reviewed-on: https://chromium-review.googlesource.com/519386Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45646}

Causes crashes on canary if there is a GC and the value makes it onto
the stack.

Bug: chromium:727662
Change-Id: I44fa8cf8a83b43d64418896c0a1f5518401b454f
Reviewed-on: https://chromium-review.googlesource.com/519302Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45623}

TBR=jarin@chromium.org
NOTRY=true

Bug: v8:6447
Change-Id: Ied42c4ba8fc19f2441f6c2ffd31d3f56055ac487
Reviewed-on: https://chromium-review.googlesource.com/518823Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45616}