IdentifierStart::Is and IdentifierContinue::Is both return true for '\'.
The reason for this is lost to history.

Special-case '\' in the regexp parser to handle this.

BUG=v8:5437,v8:5868

Review-Url: https://codereview.chromium.org/2795093003
Cr-Commit-Position: refs/heads/master@{#44396}

Better demarcation between what's mutable because it is code-
specialization specific, and what is provided at initialization.

BUG=

Review-Url: https://codereview.chromium.org/2784233004
Cr-Commit-Position: refs/heads/master@{#44395}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/58260ed..a312720

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/7726dac..b3c4635

Rolling v8/third_party/instrumented_libraries: https://chromium.googlesource.com/chromium/src/third_party/instrumented_libraries/+log/61065eb..05d5695

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I294769d63e0b53b73260ce824a5a9a4e59728fcb
Reviewed-on: https://chromium-review.googlesource.com/468587Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44394}

Remove destructuring assignments (parsed during arrow function formal
parameters) from queue for rewriting if parsing a lazy top-level arrow function.

Built ontop of https://chromium-review.googlesource.com/c/464769/

BUG=chromium:706234, chromium:706761, v8:6182
R=marja@chromium.org, adamk@chromium.org, vogelheim@chromium.org

Change-Id: Ib35196b907350d1d78e4c3fcbf4cc971bf200948
Reviewed-on: https://chromium-review.googlesource.com/465415
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44393}

R=joransiu@ca.ibm.com, bjaideep@ca.ibm.com

Review-Url: https://codereview.chromium.org/2795803003
Cr-Commit-Position: refs/heads/master@{#44392}

This enables clients like IndexedDB to know when the data format version has
decreased (i.e. the user has switched to an earlier version) and deal with the
resulting incompatibility up front.

BUG=chromium:704293

Review-Url: https://codereview.chromium.org/2772723005
Cr-Commit-Position: refs/heads/master@{#44391}

Bug: v8:6186
Change-Id: If460313ee861f826a89bc7390a5e35d43d175622
Reviewed-on: https://chromium-review.googlesource.com/466549Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44390}

Also rename "Discard" for clarity.

Bug: v8:6092
Change-Id: I8c299ded920e794418e0619b6958fbef35dfda4e
Reviewed-on: https://chromium-review.googlesource.com/466591Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44389}

After discussion with Chrome reviewers for UMA, it was decided that we
would report array buffer allocation sizes in megabytes (not the log).

They also wanted to wait until there is proof that small array buffer
allocations would flood the histogram. Hence, all allocation sizes are
sampled.

There were several ways we could have added the notion of megabyte
samples to V8 code. None of them are a great fit.  This code simply
provides a local function within the code that needs it.

Other possible solutions but rejected were:

a) Use a subclass of histogram to collect data at the megabyte level.
   It has it's own Add() method that converts the size from bytes to
   megabytes, and then call the generic add method AddSample(). This
   solution appears to follow the conventions of subclasses of class
   Histogram.

b) Use Chrome macros - Rejected because it involves changing the
   counter representation of V8.

c) Add a method AddMegabyteSample() to base class Histogram. Rejected
   because it may get confusing if a lot of different measures are
   added the the base class of histograms.

d) Make method AddSample() virtual and override in the derived
   class. Rejected in that sampling is supposed to be fast, and adding
   a virtual call may be breaking that contract.

d) Do not add a derived class. Rather just do the conversions at the
   call sites. Rejected because this duplicates code, and also makes
   it hard to change assumptions on how to calculate.

For Chromes UMA changes see:

CL: https://codereview.chromium.org/2795463002

BUG=chromium:704922
R=bbudge@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org

Review-Url: https://codereview.chromium.org/2795763002
Cr-Commit-Position: refs/heads/master@{#44388}

This reflects both the contract in blink, as well as what we
plan to do in streamed compilation, where we'll want to lay out
bytes received such that each section and each function body is
contiguous, but they may all be separate - which entails a copy.

BUG=chromium:697028

Review-Url: https://codereview.chromium.org/2797653002
Cr-Commit-Position: refs/heads/master@{#44387}

This reverts commit c766727a.

BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2793323002
Cr-Commit-Position: refs/heads/master@{#44386}

The past re-factoring inadvertently increased memory consumption for
AstConsString. This implements a micro-optimization to revert and slightly
improve beyond the original state.

Example, Zone size for parsing closure.js:
  - 20,999,848 B (before refactoring)
  - 21,651,056 B (after refactoring patch; 3.1% regression)
  - 20,641,320 B (after this CL; 1.7% improvement over original)

(Reason: ZoneLinkedList requires 4 pointers to support
the std::list functionality (Zone*, head/tail ptr, payload ptr).
But since we only append and iterate in order and have the Zone*
available in the context, a super simple linked list (value + next ptr)
saves a bit of memory, especially for the common case of having 0 or 1
string segments.)

BUG=v8:6902, chromium:706935

Review-Url: https://codereview.chromium.org/2792353002
Cr-Commit-Position: refs/heads/master@{#44385}

When emitting a frame, we always push the old frame pointer at offset 0 relative
to the new frame pointer. However, we didn't emit DWARF opcodes to inform perf
of this.

BUG=

Review-Url: https://codereview.chromium.org/2795253002
Cr-Commit-Position: refs/heads/master@{#44384}

Revert of [heap] Fix CompactionSpace test and move to unittests (patchset #3 id:40001 of https://codereview.chromium.org/2796033002/ )

Reason for revert:
Breaks
https://uberchromegw.corp.google.com/i/client.v8/builders/V8%20Linux%20-%20shared/builds/17291

Original issue's description:
> [heap] Fix CompactionSpace test and move to unittests
>
> BUG=chromium:651354
>
> Review-Url: https://codereview.chromium.org/2796033002
> Cr-Commit-Position: refs/heads/master@{#44382}
> Committed: https://chromium.googlesource.com/v8/v8/+/ce9a2db1e13131245d8adc2757b9d9202ba568e0

TBR=ulan@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2793033004
Cr-Commit-Position: refs/heads/master@{#44383}

BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2796033002
Cr-Commit-Position: refs/heads/master@{#44382}

This reverts 1c1edda7. I can't reproduce
the flakes locally anymore, let's see if this sticks.

BUG=v8:5619

Review-Url: https://codereview.chromium.org/2796053002
Cr-Commit-Position: refs/heads/master@{#44381}

Bug: v8:5193
NOTRY=true
TBR=hablich@chromium.org

Change-Id: I54861956c1a7b3c3e5048946618ea98fbe0a7066
Reviewed-on: https://chromium-review.googlesource.com/467246Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44380}

This removes kDeoptTableSerializeEntryCount heuristic constant.

Review-Url: https://codereview.chromium.org/2790573002
Cr-Commit-Position: refs/heads/master@{#44379}

The unwinding information we emit wrongly encodes code locations as relative
offsets. If we look at the .eh_frame section of shared object generated by "perf
inject" using "objdump -g":

~~~
00000000 0000000000000018 00000000 CIE
(snip)
0000001c 0000000000000028 00000020 FDE cie=00000000 pc=fffffffffffffee8..00000000000017f8
(snip)
00000048 ZERO terminator
~~~

We can see the range that the FDE entry covers is incorrect, it should point to
where the .text section is, at address 0x40 on a 64-bit architecture.

The reason for this was that the PerfJitLogger logs a code size that is
different from the one we've used when encoding the unwinding information. The
logger will ignore the safepoint table while the unwinding info assumes it is
part of the code.

BUG=

Review-Url: https://codereview.chromium.org/2790403002
Cr-Commit-Position: refs/heads/master@{#44378}

Revert of [heap] Refactor evacuation verifier (patchset #1 id:1 of https://codereview.chromium.org/2790373002/ )

Reason for revert:
Speculative revert. Breaks https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20debug/builds/16112 and seems to lead to flakes.

Original issue's description:
> [heap] Refactor evacuation verifier
>
> BUG=chromium:651354
>
> Review-Url: https://codereview.chromium.org/2790373002
> Cr-Commit-Position: refs/heads/master@{#44375}
> Committed: https://chromium.googlesource.com/v8/v8/+/396f1e242184b936c61dda7a14d1306d43b1863c

TBR=ulan@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2795903004
Cr-Commit-Position: refs/heads/master@{#44377}

This makes it easier to match VariableProxys against variables in
Scopes (allocation-based prints such as local[0] or context[0] are not
unique).

R=vogelheim@chromium.org

Bug:

Change-Id: I8f86504f5e1657633286561e032805a8f6cff06e
Reviewed-on: https://chromium-review.googlesource.com/467486
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44376}

BUG=chromium:651354

Review-Url: https://codereview.chromium.org/2790373002
Cr-Commit-Position: refs/heads/master@{#44375}

Support arbitrary arguments in %ArrayBufferNeuter without aborting for
future exposure in ClusterFuzz.

Change-Id: I3053a2139af215c9d417356bdeeda58d594d16aa
Reviewed-on: https://chromium-review.googlesource.com/465830Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44374}

Update according to new spec change at
https://github.com/tc39/ecma262/pull/856

- Call ToNumber only once in BUILTIN
- Remove unused FillNumberSlowPath
- FillImpl assumes obj_value->IsNumber() is true
- Update test

Bug:v8:5929,chromium:702902

Change-Id: Ic83e6754d043582955b81c76e68f95e1c6b7e901
Reviewed-on: https://chromium-review.googlesource.com/465646Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44373}

Getting elements, querying length or copying elements
are now const functions.

Drive-by fix: Noticed a few more getters that should be const.
Add a comment to ArrayList functions that are static functions. 
BUG=

Change-Id: I5de1aed97510dea4e47cb974b3259da51ae663af
Reviewed-on: https://chromium-review.googlesource.com/467249Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44372}

Broke after:
https://codereview.chromium.org/2757593002

NOTRY=true
TBR=yangguo@chromium.org
BUG=v8:6091

Change-Id: Id06860ad6519966a31d768ec9608b48786397e8f
Reviewed-on: https://chromium-review.googlesource.com/467209Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44371}

BUG=

Change-Id: Ia02787bef5fcd38397977d0ba2298d216f25f0df
Reviewed-on: https://chromium-review.googlesource.com/467386
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44370}

BUG=v8:5402
R=mstarzinger@chromium.org

Change-Id: Ib53721867e0978b6f4f127883ae1b72145adb6e8
Reviewed-on: https://chromium-review.googlesource.com/461863Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44369}

Make sure that we call the destructors on all embedded object by
replacing the WasmInterpreterInternals::Delete method by an actual
destructor. This way, the compiler automatically calls destructors on
all embedded objects, in particular the IdentityMap in the CodeMap.

This change also requires to release managed objects *before*
tearing down the heap, because the wasm interpreter, referenced via
Managed<>, contains global handles. When those are destroyed, the
isolate still needs to be intact.

Drive-by: Fix include guard in managed.h.

R=ahaas@chromium.org, ulan@chromium.org, mvstanton@chromium.org
BUG=v8:5822

Change-Id: I9a067f037e013c84e4d697a1e913b27c683bb529
Reviewed-on: https://chromium-review.googlesource.com/466187Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44368}

This makes temporary variables nestable and fixes borked nesting with
function table calls by introducing a {TemporaryVariableScope} helper.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-6196
BUG=v8:6196

Change-Id: Ie760f27ce9ede3d4d5dacdebdc295c56cc666970
Reviewed-on: https://chromium-review.googlesource.com/467327
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44367}

Fix ff8b1abb

This fixes the problem with the alignment of typed arrays in turbofan. Namely,
Float64 typed arrays weren't properly aligned on 32bit architectures,
and this causes crashes on those architectures that do not support misaligned
memory access.

TEST=mjsunit/es6/typedarray-*
BUG=v8:6075

Review-Url: https://codereview.chromium.org/2784253002
Cr-Commit-Position: refs/heads/master@{#44366}

ArrayList is a FixedArray where kFirstIndex is > 0. The
Elements() methods returns a copy of the elements starting at
kFirstIndex, i.e., without the length that is stored in the first
slot.

Drive-by fix: Rename some variables.

BUG=

Change-Id: Ia1de73c4780a179301007f2ab9080fd08e8ea99d
Reviewed-on: https://chromium-review.googlesource.com/466186Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44365}

Return a structured objet with the type profile
information.

Move the test from message to mjsunit.

BUG=v8:5933

Change-Id: I3e1c592697924d87f82d46b0ddbdb6d82d9c8467
Reviewed-on: https://chromium-review.googlesource.com/464847Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44364}

For sloppy arguments in functions with declared formal parameters, the
apply with arguments optimization in TurboFan wouldn't kick in
currently, because so far there was no guard to see if using the
arguments from the stack or the frame state is safe. One easy to check
guard here is to just check that there's no observable side-effect
between the actual arguments creation and the call to apply.

BUG=v8:5267,v8:6200
R=danno@chromium.org

Review-Url: https://codereview.chromium.org/2789113004
Cr-Commit-Position: refs/heads/master@{#44363}

Revert of [typedarrays] Check detached buffer at start of typed array methods (patchset #10 id:180001 of https://codereview.chromium.org/2778623003/ )

Reason for revert:
Breaks layout tests:
https://build.chromium.org/p/tryserver.v8/builders/v8_linux_blink_rel/builds/18499

Changes:
https://storage.googleapis.com/chromium-layout-test-archives/v8_linux_blink_rel/18499/layout-test-results/results.html

See:
https://github.com/v8/v8/wiki/Blink-layout-tests

Original issue's description:
> [typedarrays] Check detached buffer at start of typed array methods
>
> - Throw TypeError in ValidateTypedArray, matching JSC, SpiderMonkey
>   and ChakraCore.
> - Validate typed arrays at start of each typed array prototype
>   methods in src/js/typedarrays.js
> - Add tests to check detached buffers
> - Remove an unnecessary parameter of TypedArraySpeciesCreate
>   in src/js/typedarrays.js
> - Standardize TypedArray.prototype.subarray
> - Update test262.status to pass detached buffer tests
>
> BUG=v8:4648,v8:4665,v8:4953
>
> Review-Url: https://codereview.chromium.org/2778623003
> Cr-Commit-Position: refs/heads/master@{#44357}
> Committed: https://chromium.googlesource.com/v8/v8/+/238d5b4453d9166aaddce76a5393514d977238d4

TBR=cbruni@chromium.org,adamk@chromium.org,bmeurer@chromium.org,littledan@chromium.org,petermarshall@chromium.org,cwhan.tunz@gmail.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4648,v8:4665,v8:4953

Review-Url: https://codereview.chromium.org/2793233003
Cr-Commit-Position: refs/heads/master@{#44362}

This fixes the name stored with functions where the declaration was
hoisted above the actual function definition. It also extends test
coverage and emits proper source position mapping for such cases.

R=clemensh@chromium.org
TEST=mjsunit/wasm/asm-wasm-stack
BUG=v8:6127

Change-Id: I675a98b244fe2157925e799b5c46b7f6bd53c9da
Reviewed-on: https://chromium-review.googlesource.com/466247Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44361}

BUG=v8:6172

Review-Url: https://codereview.chromium.org/2795693002
Cr-Commit-Position: refs/heads/master@{#44360}

Add support for F32x4Splat, F32x4ExtractLane,
F32x4ReplaceLane, F32x4SConvertI32x4, F32x4UConvertI32x4
operations for mips32 and mips64 architectures.

BUG=

Note: Depends on https://codereview.chromium.org/2753903004/
Review-Url: https://codereview.chromium.org/2780503002
Cr-Commit-Position: refs/heads/master@{#44359}

Revert of [inspector] move console to builtins (patchset #7 id:140001 of https://codereview.chromium.org/2785293002/ )

Reason for revert:
http://crbug.com/v8/6198

Original issue's description:
> [inspector] move console to builtins
>
> What will we get:
> - console would be included into snapshot and allow us to reduce time that we spent in contextCreated function (~5 times faster),
> - it allows us to make further small improvement of console methods, e.g. we can implement super quick return from console.assert if first argument is true,
> - console calls are ~ 15% faster.
>
> BUG=v8:6175
> R=dgozman@chromium.org
>
> Review-Url: https://codereview.chromium.org/2785293002
> Cr-Original-Commit-Position: refs/heads/master@{#44353}
> Committed: https://chromium.googlesource.com/v8/v8/+/55905f85d63d75aaa9313e51eb7bede754a8e41c
> Review-Url: https://codereview.chromium.org/2785293002
> Cr-Commit-Position: refs/heads/master@{#44355}
> Committed: https://chromium.googlesource.com/v8/v8/+/cc74ea0bc4fe4a71fa53d08b62cc18d15e01fbb3

TBR=dgozman@chromium.org,kozyatinskiy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:6175

Review-Url: https://codereview.chromium.org/2790343002
Cr-Commit-Position: refs/heads/master@{#44358}

- Throw TypeError in ValidateTypedArray, matching JSC, SpiderMonkey
  and ChakraCore.
- Validate typed arrays at start of each typed array prototype
  methods in src/js/typedarrays.js
- Add tests to check detached buffers
- Remove an unnecessary parameter of TypedArraySpeciesCreate
  in src/js/typedarrays.js
- Standardize TypedArray.prototype.subarray
- Update test262.status to pass detached buffer tests

BUG=v8:4648,v8:4665,v8:4953

Review-Url: https://codereview.chromium.org/2778623003
Cr-Commit-Position: refs/heads/master@{#44357}