R=adamk@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2452543003
Cr-Commit-Position: refs/heads/master@{#40584}

The tail-call operator for invoking a JSFunction object from within stub
code has been dead for a while and untested by now. This removes support
for such a construct.

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2452943002
Cr-Commit-Position: refs/heads/master@{#40583}

Revert of [compiler] Properly validate stable map assumption for globals. (patchset #3 id:40001 of https://codereview.chromium.org/2444233004/ )

Reason for revert:
Breaks tree: http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/8789

Original issue's description:
> [compiler] Properly validate stable map assumption for globals.
>
> For global object property cells, we did not check that the map on the
> previous object is still the same for which we actually optimized. So
> the optimized code was not in sync with the actual state of the property
> cell. When loading from such a global object property cell, Crankshaft
> optimizes away any map checks (based on the stable map assumption),
> leading to arbitrary memory access in the worst case.
>
> TurboFan has the same bug for stores, but is safe on loads because we
> do appropriate map checks there. However mixing TurboFan and Crankshaft
> still exposes the bug.
>
> R=yangguo@chromium.org
> BUG=chromium:659475

TBR=yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:659475

Review-Url: https://codereview.chromium.org/2454513003
Cr-Commit-Position: refs/heads/master@{#40582}

BUG=

Review-Url: https://codereview.chromium.org/2449223002
Cr-Commit-Position: refs/heads/master@{#40581}

The original reason for the extra output on windows is
obsolete since a while. Now the extra output just spams
the logs and causes traffic.

BUG=chromium:485932

Review-Url: https://codereview.chromium.org/2452763003
Cr-Commit-Position: refs/heads/master@{#40580}

Native setters (see AccessorInfo in accessors.h) didn't have the ability
to return a result value. As a consequence of this, for instance, Reflect.set
on the length property of arrays had the wrong behavior:

var y = [];
Object.defineProperty(y, 0, {value: 42, configurable: false})
Reflect.set(y, 'length', 0)

The Reflect.set call used to return true. Now it returns false as
required by the spec.

BUG=v8:5401

Review-Url: https://codereview.chromium.org/2397603003
Cr-Commit-Position: refs/heads/master@{#40579}

For global object property cells, we did not check that the map on the
previous object is still the same for which we actually optimized. So
the optimized code was not in sync with the actual state of the property
cell. When loading from such a global object property cell, Crankshaft
optimizes away any map checks (based on the stable map assumption),
leading to arbitrary memory access in the worst case.

TurboFan has the same bug for stores, but is safe on loads because we
do appropriate map checks there. However mixing TurboFan and Crankshaft
still exposes the bug.

R=yangguo@chromium.org
BUG=chromium:659475

Review-Url: https://codereview.chromium.org/2444233004
Cr-Commit-Position: refs/heads/master@{#40578}

The meaning of the HValue::kAllowUndefinedAsNaN is actually ToNumber
conversion (except for the uses in HBranch and HCompareHoleAndBranch,
which were confusing and useless anyways), so fix the naming to match
that.

Also properly integrate the handling of this flag with the existing
truncation analysis that is run as part of the representation changes
phase (i.e. where we already deal with truncating to int32 and smi).

This is done in preparation of allowing Crankshaft to handle any kind
of Oddball in the ToNumber truncation, instead of just undefined for
truncation ToNumber and undefined or boolean for ToInt32. It also helps
to make Crankshaft somewhat more compatible with the (saner)
implementation in TurboFan.

R=yangguo@chromium.org
BUG=v8:5400

Review-Url: https://codereview.chromium.org/2449353002
Cr-Commit-Position: refs/heads/master@{#40577}

Fix failing assertions in the CodeStubAssembler that cause Object.create(null,
global) fail.
Drive-by-fix: convert some Assert to CSA_ASSERT.

BUG=chromium:657692

Review-Url: https://codereview.chromium.org/2446203003
Cr-Commit-Position: refs/heads/master@{#40576}

All uses of NeanderObject have been replaced by FixedArrays.

BUG=

Review-Url: https://codereview.chromium.org/2447123002
Cr-Commit-Position: refs/heads/master@{#40575}

A GC might cause the just created dictionary object to have an invalid backing
store, which breaks heap verification.

BUG=chromium:659088

Review-Url: https://codereview.chromium.org/2452653002
Cr-Commit-Position: refs/heads/master@{#40574}

For Math builtins that likely yield double results, i.e. Math.sin,
Math.cos and friends, don't bother trying to canonicalize the result
to Smi. The rationale behind this is that other parts of V8 use the
HeapNumber representation as a hint to assume that certain values
should be represented as double (i.e. for the array elements kind
and for double field tracking). This way the chance that we make
the ideal decision early on is better.

For Math.abs we establish the contract that if the input value is a
Smi, then we try hard to return a Smi (doesn't work for minimal Smi
value), otherwise we preserve the HeapNumberness of the input.

Same for the generic Add, Subtract, Multiply, etc. code stubs.

R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2451973003
Cr-Commit-Position: refs/heads/master@{#40573}

BUG=chromium:658426
R=ahaas@chromium.org,titzer@chromium.org,gdeepti@chromium.org

Review-Url: https://codereview.chromium.org/2447683004
Cr-Commit-Position: refs/heads/master@{#40572}

Simple "Print" API for the compiler graph.

BUG=

Review-Url: https://codereview.chromium.org/2447993002
Cr-Commit-Position: refs/heads/master@{#40571}

This causes a 3.1% regression because we unconditionally call out to a
runtime function.

This patch refactors out most of EnqueuePromiseReactionJob
runtime function into a separate function.

BUG=v8:5343

Review-Url: https://codereview.chromium.org/2449053003
Cr-Commit-Position: refs/heads/master@{#40570}

This reverts commit 59fb0956.

BUG=chromium:658718

Review-Url: https://codereview.chromium.org/2445283003
Cr-Commit-Position: refs/heads/master@{#40569}

Emit the compare and branch on zero (CBZ) instruction when
possible for deoptimisations, as we do for normal branches.

BUG=

Review-Url: https://codereview.chromium.org/2448113002
Cr-Commit-Position: refs/heads/master@{#40568}

Port dc6b5109

BUG=

Review-Url: https://codereview.chromium.org/2437593006
Cr-Commit-Position: refs/heads/master@{#40567}

Setting variables is not yet implemented.

R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2445683002
Cr-Commit-Position: refs/heads/master@{#40566}

BUG=v8:5561

Review-Url: https://codereview.chromium.org/2446983002
Cr-Commit-Position: refs/heads/master@{#40565}

Revert of [modules] Add partial support for debug-scopes. (patchset #1 id:1 of https://codereview.chromium.org/2445683002/ )

Reason for revert:
Breaks https://build.chromium.org/p/client.v8/builders/V8%20Mac%20GC%20Stress/builds/9349

Original issue's description:
> [modules] Add partial support for debug-scopes.
>
> Setting variables is not yet implemented..
>
> R=adamk@chromium.org
> BUG=v8:1569

TBR=adamk@chromium.org,yangguo@chromium.org,neis@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2449883002
Cr-Commit-Position: refs/heads/master@{#40564}

This lets us investigate regressions caused by this marking while
letting others continue their work without being impacted.

BUG=v8:5512

Review-Url: https://codereview.chromium.org/2446673002
Cr-Commit-Position: refs/heads/master@{#40563}

Removes PromiseEnqueue and moves debugging code to a separate
function which gets called when the debugger is active.

BUG=v8:5343

Review-Url: https://codereview.chromium.org/2450763002
Cr-Commit-Position: refs/heads/master@{#40562}

BUG=

Review-Url: https://codereview.chromium.org/2446993002
Cr-Commit-Position: refs/heads/master@{#40561}

BUG=v8:5557
R=cbruni@chromium.org

Review-Url: https://codereview.chromium.org/2448473002
Cr-Commit-Position: refs/heads/master@{#40560}

Setting variables is not yet implemented..

R=adamk@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2445683002
Cr-Commit-Position: refs/heads/master@{#40559}

This is a partial revert of 438c5eb2 to avoid huge increases in
testing times due to expensive bytecode handler generation in debug
modes. The additional coverage does not warrant a 2x to 3x increase
in testing time at the moment. We can revisit this later.

TBR=rmcilroy@chromium.org
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2445403002
Cr-Commit-Position: refs/heads/master@{#40558}

This brings the BytecodeGenerator in line with FullCodeGenerator, now that
more requests for hole checks are flowing through BuildVariableAssignment.

BUG=chromium:658528

Review-Url: https://codereview.chromium.org/2447783002
Cr-Commit-Position: refs/heads/master@{#40557}

FulfillPromise is always called when a promise is in a pending state
which makes this check redundant.

Review-Url: https://codereview.chromium.org/2442373002
Cr-Commit-Position: refs/heads/master@{#40556}

This makes sure that bytecode handlers are regenerated when debugging
code within handlers is being requested. We cannot use the handlers
baked into the snapshot in this case.

R=rmcilroy@chromium.org

Review-Url: https://codereview.chromium.org/2443923002
Cr-Commit-Position: refs/heads/master@{#40555}

R=bradnelson@chromium.org, rossberg@chromium.org
BUG=v8:5507

Review-Url: https://codereview.chromium.org/2443353002
Cr-Commit-Position: refs/heads/master@{#40554}

And add a test case for more than one entry ;)

R=titzer@chromium.org,ahaas@chromium.org

Review-Url: https://codereview.chromium.org/2448833004
Cr-Commit-Position: refs/heads/master@{#40553}

The function name table is not used any more since
https://chromiumcodereview.appspot.com/2424623002, so remove it.

R=titzer@chromium.org,ahaas@chromium.org

Review-Url: https://codereview.chromium.org/2451693002
Cr-Commit-Position: refs/heads/master@{#40552}

Object.create(null) is most likely to be used for dictionary-like objects.
Hence it would be beneficial to directly create a slow-mode object and avoid
additional overhead later-on.

BUG=

Review-Url: https://codereview.chromium.org/2430273007
Cr-Commit-Position: refs/heads/master@{#40551}

The interpreter is currently too aggressive in tiering up to TurboFan,
especially for (expensive) OSR. Make it slightly less aggressive by
choosing a more realistic code size multiplier.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2448043002
Cr-Commit-Position: refs/heads/master@{#40550}

R=jgruber@chromium.org
BUG=v8:5559

Review-Url: https://codereview.chromium.org/2445233004
Cr-Commit-Position: refs/heads/master@{#40549}

BUG=

Review-Url: https://codereview.chromium.org/2445993002
Cr-Commit-Position: refs/heads/master@{#40548}

This CL removes code that is now unused since the port of regexp.js has been
completed. Removed functions / classes are:

* regexp.js (GetSubstitution moved to string.js)
* RegExpConstructResult stub
* RegExpFlags intrinsic
* RegExpSource intrinsic
* RegExpInitializeAndCompile runtime function

BUG=v8:5339

Review-Url: https://codereview.chromium.org/2448463002
Cr-Commit-Position: refs/heads/master@{#40547}

To achieve this:
- fixed crash on windows - String16::fromInteger used "%zu" which doesn't support by VS2013 compiler, wrapped with ifdef else.
- fixed asan for d8 - unique_ptr on array has single element type.
- force Debugger.disable at the end of test.

BUG=chromium:635948
R=dgozman@chromium.org,yangguo@chromium.org,machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2450653002
Cr-Commit-Position: refs/heads/master@{#40546}

BUG=v8:5339

Review-Url: https://codereview.chromium.org/2442333002
Cr-Commit-Position: refs/heads/master@{#40545}