R=bmeurer@chromium.org
BUG=v8:5197

Review-Url: https://codereview.chromium.org/2145023002
Cr-Commit-Position: refs/heads/master@{#37740}

Rolling v8/build to 0942801bf0d49016e44591d3e47ad3f41ad2d8a4

Rolling v8/buildtools to 031420bbafaaa8c33e2bc0623c22fb6181a57f47

Rolling v8/tools/mb to 18b92420fb0cb4378c9496b966507842b99d56b5

Rolling v8/tools/swarming_client to 7f63a272f7d9785ce41b6d10bb3106c49a968e57

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2145303002
Cr-Commit-Position: refs/heads/master@{#37739}

  port 574f6fe1 (r37701)

  original commit message:
  Previously, the following schedule fragment:

   1: Parameter[0](0)
   2: Parameter[1](0)
   7: Int32Constant[1]
   8: Int32Sub(2, 7)
   9: Load[kRepTagged|kTypeAny](1, 8)

  would generate the following code (on ia32):

   mov eax,[ebp+0x8]
   mov ecx,[ebp+0xc]
   sub eax,0x1
   mov eax,[eax+ecx*1]

  Now it generates:

   mov eax,[ebp+0x8]
   mov ecx,[ebp+0xc]
   mov eax,[eax+ecx*1-1]

  Similar pattern matching also now works on x64.

BUG=

Review-Url: https://codereview.chromium.org/2151753002
Cr-Commit-Position: refs/heads/master@{#37738}

  port fd420203 (r37700)

  original commit message:
  Collect type feedback in the call bytecode handler. The current
  implementation only collects feedback for JS function objects. The other
  objects and Array functions do not collect any feedback. They will be
  marked Megamorphic.

BUG=

Review-Url: https://codereview.chromium.org/2149493005
Cr-Commit-Position: refs/heads/master@{#37737}

Revert of Don't compile functions in a context the caller doesn't have access to (patchset #9 id:160001 of https://codereview.chromium.org/2034083002/ )

Reason for revert:
Causes crashes on Canary

Original issue's description:
> Don't compile functions in a context the caller doesn't have access to
>
> Instead just return undefined
>
> A side effect of this is that it's no longer possible to compile
> functions in a detached context.
>
> BUG=chromium:541703
> R=verwaest@chromium.org,bmeurer@chromium.org
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng
>
> Committed: https://crrev.com/992e34c21635b179a993b82ac1d81753e7a6a57a
> Cr-Commit-Position: refs/heads/master@{#37657}

TBR=bmeurer@chromium.org,verwaest@chromium.org,jochen@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:541703, chromium:628053

Review-Url: https://codereview.chromium.org/2148163002
Cr-Commit-Position: refs/heads/master@{#37736}

[wasm] Adding feature to JIT a wasm function at runtime and hook up the compiled code into the indirect function table

The runtime JIT function is passed in the function table to hook up the compiled code and the starting address of the memory to locate the bytes to be compiled.

BUG=5044

Review-Url: https://codereview.chromium.org/2137993003
Cr-Commit-Position: refs/heads/master@{#37735}

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
TEST= cctest/asmjs/test-asm-typer
LOG=N
R=jpp@chromium.org

Review-Url: https://codereview.chromium.org/2146853004
Cr-Commit-Position: refs/heads/master@{#37734}

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
TEST= cctest/asmjs/test-asm-typer
LOG=N
R=jpp@chromium.org

Review-Url: https://codereview.chromium.org/2147113002
Cr-Commit-Position: refs/heads/master@{#37733}

Revert of [Turbofan] Change AlignSavedCalleeRegisterSlots to AlignFrame. (patchset #2 id:20001 of https://codereview.chromium.org/2124983004/ )

Reason for revert:
Speculative revert to fix perf regression:
https://bugs.chromium.org/p/chromium/issues/detail?id=627803

Original issue's description:
> [Turbofan] Change AlignSavedCalleeRegisterSlots to AlignFrame.
> Clean up call sites.
>
> LOG=N
> BUG=v8:4124
>
> Committed: https://crrev.com/d8d75782fb90da21b92ca3dda59cfa3088ad3912
> Cr-Commit-Position: refs/heads/master@{#37650}

TBR=bmeurer@chromium.org,mtrofin@chromium.org,danno@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:4124

Review-Url: https://codereview.chromium.org/2151563003
Cr-Commit-Position: refs/heads/master@{#37732}

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
TEST= cctest/asmjs/test-asm-typer
LOG=N

Review-Url: https://codereview.chromium.org/2148073002
Cr-Commit-Position: refs/heads/master@{#37731}

The PrettyPrinter may have been valuable once, but with all the desugaring
now done in the parser the output is far from readable, and for some nodes
it's next-to-impossible to recreate the source from the AST. --print-ast is a
much more sensible place to look for human-readable info on what the parser did.

Review-Url: https://codereview.chromium.org/1974623002
Cr-Commit-Position: refs/heads/master@{#37730}

BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
TEST=mjsunit/wasm/*
LOG=N

Review-Url: https://codereview.chromium.org/2134333003
Cr-Commit-Position: refs/heads/master@{#37729}

Reland of Add errors for declarations which conflict with catch parameters. (patchset #1 id:1 of https://codereview.chromium.org/2112223002/ )

Reason for revert:
Correcting issue.

Original issue's description:
> Revert of Add errors for declarations which conflict with catch parameters. (patchset #6 id:100001 of https://codereview.chromium.org/2109733003/ )
>
> Reason for revert:
> Fuzzer claims `try {  \"\" ; } catch(x) { let x1 = [1,,], x = x; }` causes a crash.
>
> Original issue's description:
> > Add errors for declarations which conflict with catch parameters.
> >
> > Catch parameters are largely treated as lexical declarations in the
> > block which contains their body for the purposes of early syntax errors,
> > with some exceptions outlined in B.3.5. This patch introduces most of
> > those errors, except those from `eval('for (var e of ...);')` inside of
> > a catch with a simple parameter named 'e'.
> >
> > Note that annex B.3.5 allows var declarations to conflict with simple
> > catch parameters, except when the variable declaration is the init of a
> > for-of statement.
> >
> > BUG=v8:5112,v8:4231
> >
> > Committed: https://crrev.com/2907c726b2bb5cf20b2bec639ca9e6a521585406
> > Cr-Commit-Position: refs/heads/master@{#37462}
>
> TBR=littledan@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=v8:5112,v8:4231
>
> Committed: https://crrev.com/8834d5ecb559001c87c42322969471da60574a8c
> Cr-Commit-Position: refs/heads/master@{#37464}

R=littledan@chromium.org
BUG=v8:5112,v8:4231

Review-Url: https://codereview.chromium.org/2119933002
Cr-Commit-Position: refs/heads/master@{#37728}

* Rename Atomics.futexWait -> Atomics.wait
* Rename Atomics.futexWake -> Atomics.wake
* Remove Atomics.futexWakeOrRequeue
* Return value of Atomics.wait is now a string: "ok", "not-equal" or
  "timed-out"
* Update comments that reference URL for ecmascript_sharedmem to
  https://github.com/tc39/ecmascript_sharedmem

Review-Url: https://codereview.chromium.org/2143443002
Cr-Commit-Position: refs/heads/master@{#37727}

R=ulan@chromium.org,hpayer@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2145683003
Cr-Commit-Position: refs/heads/master@{#37726}

PPC/s390: [ic] Initialize feedback slots for LoadGlobalIC in Runtime::kDeclareGlobals when possible to avoid misses.

Port b9a7b281

    Fixed minor register mapping issue in ppc/s390 files.

R=ishell@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=chromium:576312
LOG=N

Review-Url: https://codereview.chromium.org/2146053002
Cr-Commit-Position: refs/heads/master@{#37725}

Port fd420203

Original commit message:

    Collect type feedback in the call bytecode handler. The current
    implementation only collects feedback for JS function objects. The other
    objects and Array functions do not collect any feedback. They will be
    marked Megamorphic.

R=mythria@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=v8:4280, v8:4780
LOG=N

Review-Url: https://codereview.chromium.org/2144643005
Cr-Commit-Position: refs/heads/master@{#37724}

TBR=ulan@chromium.org
NOTRY=true

Review-Url: https://codereview.chromium.org/2147983002
Cr-Commit-Position: refs/heads/master@{#37723}

This runtime function in question can indirectly be fuzzed by the two
assertion methods "assertOptimized" and "assertUnoptimized" that our
test harness provides for the "mjsunit" test suite.

R=ishell@chromium.org
BUG=chromium:627841

Review-Url: https://codereview.chromium.org/2145993002
Cr-Commit-Position: refs/heads/master@{#37722}

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/2143133004
Cr-Commit-Position: refs/heads/master@{#37721}

NOTRY=true
TBR=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2150563002
Cr-Commit-Position: refs/heads/master@{#37720}

This fixes the deoptimization information for the lazy bailout point
after a [[ToName]] operation inserted for object literals and class
literals. The result value was erroneously ignored.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-627828
BUG=chromium:627828

Review-Url: https://codereview.chromium.org/2149493003
Cr-Commit-Position: refs/heads/master@{#37719}

- Instead of tracing during marking we can now trace in a separate phase in MC.
  (Heap is iterable.)
- Add more subtypes for fixed arrays, reducing the unknown bucket to around ~8%
  (local run).
- Refactor collection calls to have a single bottleneck.
- Provide JSON-based output format that can be "easily" processed in JS.

BUG=
R=ulan@chromium.org,hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2129173002
Cr-Commit-Position: refs/heads/master@{#37718}

Revert of Reland Implement .eh_frame writer and disassembler. (patchset #74 id:2070001 of https://codereview.chromium.org/2023503002/ )

Reason for revert:
Blocks roll https://codereview.chromium.org/2148743003/

See https://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_x64_rel_ng/builds/244252/steps/compile%20%28with%20patch%29/logs/stdio for error message

Original issue's description:
> Reland Implement .eh_frame writer and disassembler.
>
> Original commit message:
>
>   Also, CodeGenerator::MakeCodeEpilogue now accepts an optional pointer
>   to a EhFrameWriter and will attach unwinding information to the code
>   object when passed one.
>
> Reason for reverting:
>
>   The STATIC_CONST_MEMBER_DEFINITION in eh-frame-writer-unittest.cc
>   causes a compiler error on V8 Win64 - clang buildbot.
>
>   Removing that bit.
>
> BUG=v8:4899
> LOG=N
>
> Committed: https://crrev.com/b413f0ebe1a5dde016bfb94bb80bf872ebc24372
> Cr-Commit-Position: refs/heads/master@{#37707}

TBR=rmcilroy@chromium.org,jarin@chromium.org,ssanfilippo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4899

Review-Url: https://codereview.chromium.org/2147883003
Cr-Commit-Position: refs/heads/master@{#37717}

Revert of [turbofan] Do not use the self reference for turbofan functions. (patchset #2 id:20001 of https://codereview.chromium.org/2150523002/ )

Reason for revert:
Dependency of the roll unblocking revert https://codereview.chromium.org/2147883003/

Original issue's description:
> [turbofan] Do not use the self reference for turbofan functions.
>
> The self reference requires the allocation of a handle in the macro
> assembler, which is not possible if we instantiate the macro assembler
> in a worker thread.
>
> R=mstarzinger@chromium.org, bmeurer@chromium.org
>
> Committed: https://crrev.com/49ef529b3af50f5daadacdcdcd6be3a307c10af5
> Cr-Commit-Position: refs/heads/master@{#37713}

TBR=bmeurer@chromium.org,mstarzinger@chromium.org,jarin@chromium.org,ahaas@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2147943002
Cr-Commit-Position: refs/heads/master@{#37716}

This CL reduces the number of dependencies bytecodes.{h,cc} to facilitate
generating the bytecode peephole optimizer table during build. Specifically,
it avoids depending on v8_base.

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/2135273002
Cr-Commit-Position: refs/heads/master@{#37715}

- Adds move/swap handling for 4 and 16 bytes to ia32.
- Register allocator now only requests 4 bytes for floats on ia32 and arm.
- We probably need similar support in mips.

LOG=N
BUG=v8:4124

Review-Url: https://codereview.chromium.org/2027043002
Cr-Commit-Position: refs/heads/master@{#37714}

The self reference requires the allocation of a handle in the macro
assembler, which is not possible if we instantiate the macro assembler
in a worker thread.

R=mstarzinger@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2150523002
Cr-Commit-Position: refs/heads/master@{#37713}

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2146853002
Cr-Commit-Position: refs/heads/master@{#37712}

Extends the truncation and type checks for NumberOrUndefined in
representation selection and truncation analysis to deal with all
oddballs not just undefined. Also extend the type hints to always
report NumberOrOddball. This is necessary for the bitwise and shift
operators where NUMBER feedback actually means NUMBER or ODDBALL.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2149583002
Cr-Commit-Position: refs/heads/master@{#37711}

This CL also combines Runtime::GetGlobalInsideTypeof and Runtime::kGetGlobalNotInsideTypeof
to Runtime::GetGlobal with explicit typeof_mode parameter.

Drive-by-fix: tail call to correct Slow builtin from LoadCallback handlers when --runtime-call-stats is on.

BUG=chromium:576312

Review-Url: https://codereview.chromium.org/2144643004
Cr-Commit-Position: refs/heads/master@{#37710}

[ic] Initialize feedback slots for LoadGlobalIC in Runtime::kDeclareGlobals when possible to avoid misses.

BUG=chromium:576312

Review-Url: https://codereview.chromium.org/2107193002
Cr-Commit-Position: refs/heads/master@{#37709}

After this CL we can avoid using Code::flags in hash computations for megamorphic
stub caches and therefore the unused ICState field can be finally removed from flags.

BUG=chromium:618701

Review-Url: https://codereview.chromium.org/2123983004
Cr-Commit-Position: refs/heads/master@{#37708}

Original commit message:

  Also, CodeGenerator::MakeCodeEpilogue now accepts an optional pointer
  to a EhFrameWriter and will attach unwinding information to the code
  object when passed one.

Reason for reverting:

  The STATIC_CONST_MEMBER_DEFINITION in eh-frame-writer-unittest.cc
  causes a compiler error on V8 Win64 - clang buildbot.

  Removing that bit.

BUG=v8:4899
LOG=N

Review-Url: https://codereview.chromium.org/2023503002
Cr-Commit-Position: refs/heads/master@{#37707}

R=yangguo@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2150483002
Cr-Commit-Position: refs/heads/master@{#37706}

If operands are loaded as unsigned 32-bit integer, they need to be sign extended to 64 bits.

TEST=cctest/test-run-machops/RunWord32AndAndWord32ShrP, cctest/test-run-machops/RunWord32OrP,
cctest/test-run-machops/RunWord32ShrP, cctest/test-run-machops/RunWord32XorP

BUG=

Review-Url: https://codereview.chromium.org/2147883002
Cr-Commit-Position: refs/heads/master@{#37705}

This fully deprecates all uses of the RUNTIME_ASSERT macro and removes
the macro and underlying logging function in question. All uses have
been replaces with CHECK macros which crash safely even in production.

It makes sure we discover abuse of runtime functions in the wild early
and also abort the process safely. Breaking assumptions in any runtime
function can no longer accidentally be caught by JavaScript.

R=yangguo@chromium.org
BUG=v8:5066

Review-Url: https://codereview.chromium.org/2132493002
Cr-Commit-Position: refs/heads/master@{#37704}

Checked integer division and modulus can be done more efficiently
if we know that the inputs are in Unsigned32 range.

Drive-by-fix: Replace the TypeCheckKind on NodeInfo by a proper
restriction type, and thread the feedback type through binary
Number operations similar to what we do for their speculative
versions. Also deal with Unsigned32 inputs for integer multiplication.

R=jarin@chromium.org
BUG=v8:4583,v8:5141

Review-Url: https://codereview.chromium.org/2149493002
Cr-Commit-Position: refs/heads/master@{#37703}

This makes sure the {AstGraphBuilder} respects the catch-prediction that
is provided by the parser along with each {TryStatement}. This is needed
for try-blocks materialized by the parser not to influence predictions
users expect when using the debugger.

R=neis@chromium.org
TEST=mjsunit/debug-exceptions
BUG=v8:5183

Review-Url: https://codereview.chromium.org/2147573002
Cr-Commit-Position: refs/heads/master@{#37702}

Previously, the following schedule fragment:

 1: Parameter[0](0)
 2: Parameter[1](0)
 7: Int32Constant[1]
 8: Int32Sub(2, 7)
 9: Load[kRepTagged|kTypeAny](1, 8)

would generate the following code (on ia32):

 mov eax,[ebp+0x8]
 mov ecx,[ebp+0xc]
 sub eax,0x1
 mov eax,[eax+ecx*1]

Now it generates:

 mov eax,[ebp+0x8]
 mov ecx,[ebp+0xc]
 mov eax,[eax+ecx*1-1]

Similar pattern matching also now works on x64.

BUG=v8:5192
LOG=N

Review-Url: https://codereview.chromium.org/2137323003
Cr-Commit-Position: refs/heads/master@{#37701}