NOTRY=true

Review URL: https://codereview.chromium.org/1393713004

Cr-Commit-Position: refs/heads/master@{#31155}

Previously, arrow function scopes had a separate ScopeType. However,
Scope::DeserializeScopeChain() erroneously deserialized ARROW_SCOPE
ScopeInfos as FUNCTION_SCOPE. This could lead to bugs such as the
attached one, where "super" was disallowed where it should have
been allowed.

This patch utilizes the Scope's FunctionKind to distinguish arrow
functions from others. Besides fixing the above bug, this also
simplifies code in various places that had to deal with two different
ScopeTypes both of which meant "function".

BUG=v8:4466
LOG=n

Review URL: https://codereview.chromium.org/1386253002

Cr-Commit-Position: refs/heads/master@{#31154}

Introduce a new JSGlobalSpecialization advanced reducer that runs
during the initial inlining and context specialization, and specializes
the graph to the globals of the native context.  Currently we assume
that we do not inline cross native context, but long-term we will grab
the global object from the JSLoadGlobal/JSStoreGlobal feedback (with the
new global load/store ICs that are currently in the workings), and then
this whole specialization will be fully compositional even across
cross-context inlining.

Note that we cannot really handle most of the stores to global object
property cells because TurboFan doesn't have a mechanism to enforce
certain representations.  Also note that we cannot yet fully benefit
from the type feedback collected on the global object property cells,
because the type system cannot deal with maps in a reasonable way.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=jarin@chromium.org
BUG=v8:4470
LOG=n

Committed: https://crrev.com/6fbf7903f94924ea066af481719898bd9667b6eb
Cr-Commit-Position: refs/heads/master@{#31139}

Review URL: https://codereview.chromium.org/1387393002

Cr-Commit-Position: refs/heads/master@{#31148}

This seems to be triggered now with global object specialization.

TEST=mjsunit/regress/regress-crbug-450960
TBR=mstarzinger@chromium.org
BUG=v8:4195
LOG=n

Review URL: https://codereview.chromium.org/1388403002 .

Cr-Commit-Position: refs/heads/master@{#31147}

- Reflect.deleteProperty
- Reflect.get
- Reflect.has
- Reflect.isExtensible

Reflect.get doesn't support the receiver argument yet, and
some of the others don't support proxies yet.

R=rossberg
BUG=v8:3931
LOG=n

Review URL: https://codereview.chromium.org/1379313002

Cr-Commit-Position: refs/heads/master@{#31146}

R=mstarzinger@chromium.org
BUG=chromium:540593
LOG=n

Review URL: https://codereview.chromium.org/1395453002

Cr-Commit-Position: refs/heads/master@{#31145}

Revert of [turbofan] Add initial support for global specialization. (patchset #4 id:60001 of https://codereview.chromium.org/1387393002/ )

Reason for revert:
Breaks GC stress: http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/1984/steps/Bisect%20c5528ac1.Retry/logs/regress-crbug-450960

Original issue's description:
> [turbofan] Add initial support for global specialization.
>
> Introduce a new JSGlobalSpecialization advanced reducer that runs
> during the initial inlining and context specialization, and specializes
> the graph to the globals of the native context.  Currently we assume
> that we do not inline cross native context, but long-term we will grab
> the global object from the JSLoadGlobal/JSStoreGlobal feedback (with the
> new global load/store ICs that are currently in the workings), and then
> this whole specialization will be fully compositional even across
> cross-context inlining.
>
> Note that we cannot really handle most of the stores to global object
> property cells because TurboFan doesn't have a mechanism to enforce
> certain representations.  Also note that we cannot yet fully benefit
> from the type feedback collected on the global object property cells,
> because the type system cannot deal with maps in a reasonable way.
>
> CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
> R=jarin@chromium.org
> BUG=v8:4470
> LOG=n
>
> Committed: https://crrev.com/6fbf7903f94924ea066af481719898bd9667b6eb
> Cr-Commit-Position: refs/heads/master@{#31139}

TBR=jarin@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4470

Review URL: https://codereview.chromium.org/1390073004

Cr-Commit-Position: refs/heads/master@{#31144}

Introduce a new JSGlobalSpecialization advanced reducer that runs
during the initial inlining and context specialization, and specializes
the graph to the globals of the native context.  Currently we assume
that we do not inline cross native context, but long-term we will grab
the global object from the JSLoadGlobal/JSStoreGlobal feedback (with the
new global load/store ICs that are currently in the workings), and then
this whole specialization will be fully compositional even across
cross-context inlining.

Note that we cannot really handle most of the stores to global object
property cells because TurboFan doesn't have a mechanism to enforce
certain representations.  Also note that we cannot yet fully benefit
from the type feedback collected on the global object property cells,
because the type system cannot deal with maps in a reasonable way.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=jarin@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1387393002

Cr-Commit-Position: refs/heads/master@{#31139}

R=yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1378693004

Cr-Commit-Position: refs/heads/master@{#31133}

Previously, cases like
  var [foo]
led to a parser crash because the parser tried to do something with
the initializer, which was not syntactically present.

This patch fixes the parser issue (implicitly creating an undefined
initializer) and inserts a check for array destructuring that the
right-hand side is coercible to an object, so it can have iterator
methods called on it safely.

BUG=v8:4462
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1384413002

Cr-Commit-Position: refs/heads/master@{#31128}

When calling into C++ builtins, we need to make sure that the argument
count register contains the correct number of arguments, otherwise the
CEntryStub will not be able to leave the stack in the correct state.

R=ishell@chromium.org
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1391543002

Cr-Commit-Position: refs/heads/master@{#31120}

Previously, using legacy const in for-of/in loops led to a check-fail
in the parser. This was due to the fact that the destructuring bind
led to an undefined initialization to undefined in the parser, which
caused the for loop code to go down a strange path. This patch
eliminates the undefined initialization in variables declared in
for-in/of loops, so that that path is not used and the error is
fixed.

BUG=v8:4461
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1385913003

Cr-Commit-Position: refs/heads/master@{#31117}

* Promise.resolve is now works with subclasses
* Spec removed [[PromiseConstructor]] now can simply use constructor
* Promise.resolve ignores species

R=littledan@chromium.org,domenic@chromium.org
BUG=v8:4161,v8:4341
LOG=Y

Review URL: https://codereview.chromium.org/1362773002

Cr-Commit-Position: refs/heads/master@{#31116}

This patch prohibits lexical bindings from being called 'let', even in
sloppy mode, following the ES2015 specification. The change affects
multiple cases of lexical bindings, including simple let/const declarations
and both kinds of for loops. var and legacy const bindings still permit
the name to be let, including in destructuring cases. Tests are added to
verify, though some cases are commented out since they led to (pre-existing)
crashes.

BUG=v8:4403
R=adamk
LOG=Y

Review URL: https://codereview.chromium.org/1371263003

Cr-Commit-Position: refs/heads/master@{#31115}

Clusterfuzz testing discovered that sloppy-mode block-scoped function
declarations introduce lexically-scoped variables in scopes that were
thrown away under the expectation that no lexically-scoped variables
were introduced. These cases are:

  for (;;) function foo() {}
  for (x in y) function foo() {}

This patch ensures that a block is created in those cases to hold the
lexically scoped variable. Usually, scope analysis should discover that
that block is not important, and it should not have a runtime
representation.

BUG=chromium:536750,chromium:536751
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1382123002

Cr-Commit-Position: refs/heads/master@{#31109}

BUG=v8:2764
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1378323003

Cr-Commit-Position: refs/heads/master@{#31099}

This reverts commit 280a6f8e.

Reland of https://codereview.chromium.org/1380593002/

BUG=chromium:535160
LOG=n
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel;

Review URL: https://codereview.chromium.org/1390473003

Cr-Commit-Position: refs/heads/master@{#31094}

Revert of [swarming] Isolate v8 testing. (patchset #8 id:140001 of https://codereview.chromium.org/1380593002/ )

Reason for revert:
Prime suspect in breakage of V8 Linux -- no snap

Original issue's description:
> [swarming] Isolate v8 testing.
>
> Add gyp support and isolates for default test suites.
> Add two default isolates, one (default) for using the
> test suite collection we call "default" on the bots. One
> (developer_default) for also supporting the way developers
> call the driver (i.e. without argument, which includes
> the unittests).
>
> BUG=chromium:535160
> LOG=n
>
> Committed: https://crrev.com/9bd83f58f29ab0c7c5b71b00bcb1df3a9e641f05
> Cr-Commit-Position: refs/heads/master@{#31081}

TBR=tandrii@chromium.org,jochen@chromium.org,maruel@chromium.org,machenbach@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:535160

Review URL: https://codereview.chromium.org/1370993008

Cr-Commit-Position: refs/heads/master@{#31084}

Add gyp support and isolates for default test suites.
Add two default isolates, one (default) for using the
test suite collection we call "default" on the bots. One
(developer_default) for also supporting the way developers
call the driver (i.e. without argument, which includes
the unittests).

BUG=chromium:535160
LOG=n

Review URL: https://codereview.chromium.org/1380593002

Cr-Commit-Position: refs/heads/master@{#31081}

BUG=v8:4217
LOG=Y

Review URL: https://codereview.chromium.org/1381543005

Cr-Commit-Position: refs/heads/master@{#31074}

The problem was harmless, but made --enable-slow-asserts unhappy.

BUG=chromium:538086
LOG=n
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1384673003

Cr-Commit-Position: refs/heads/master@{#31069}

BUG=v8:4458
LOG=N
NOTRY=true

Review URL: https://codereview.chromium.org/1387533002

Cr-Commit-Position: refs/heads/master@{#31067}

Swarming won't support an incremental data file. By just
sorting the lowest hanging fruits to the beginning we
already get a big bang for the buck (>80% of the improvement
we get otherwise).

This will require semi-regular manual updates of the
slowest tests.

BUG=chromium:535160
LOG=n

Review URL: https://codereview.chromium.org/1385443002

Cr-Commit-Position: refs/heads/master@{#31061}

Disable vector store ICs for mjsunit/call-counts because slot indices change when --vector-stores is enabled.

Review URL: https://codereview.chromium.org/1381073003

Cr-Commit-Position: refs/heads/master@{#31059}

Introduce %_ToNumber intrinsic, which just calls to the existing
ToNumberStub, and remove all uses of our custom JavaScript plus
intrinsics based ToNumber and friends.

Also replace the TO_NUMBER_INLINE macro with TO_NUMBER,
which is currently a wrapper for %_ToNumber. Newly written JS
code should use TO_NUMBER (similar to TO_STRING, TO_INT32,
and friends).

Also finally remove the DefaultString/DefaultNumber builtins, which
are basically the ES5 version of ToPrimitive. Now all code uses the
ES6 version, which is implemented in Object::ToPrimitive and
JSReceiver::ToPrimitive in C++.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg,v8_linux_nosnap_dbg
R=jarin@chromium.org
BUG=v8:4307
LOG=n

Review URL: https://codereview.chromium.org/1384443002

Cr-Commit-Position: refs/heads/master@{#31054}

R=rossberg
BUG=v8:2529
LOG=Y

Review URL: https://codereview.chromium.org/1375203004

Cr-Commit-Position: refs/heads/master@{#31051}

Var-bindings may shadow parameters from a non-simple parameter list. When that happens: they create separate bindings, but are initialised with the respective parameter value. Thus:

(function(x, f = () => x) { var x; var y = x; x = 2; return [x, y, f()] })(1) -->  [2, 1, 1]

This CL implements that by inserting a suitable assignment for every shadwowing var-variable (e.g., x = outer_x above) at the beginning of the function's body block.

R=adamk@chromium.org
BUG=v8:4440,v8:811
LOG=N

Review URL: https://codereview.chromium.org/1371333004

Cr-Commit-Position: refs/heads/master@{#31042}

The ES2015 spec is missing an extension of sloppy-mode block-scoped function
behavior to the global scope in scripts, as well as to eval. This patch
brings that hoisting to those two areas. The behavior is not perfectly
spec-compliant since properties created on the global scope should be
set as enumerable even if they are non-enumerable previously, but the
attributes will not be modified if the property already exists under
this patch.

BUG=v8:4441
LOG=Y
R=adamk
TEST=reddit comment functionality seems to be fixed

Review URL: https://codereview.chromium.org/1376623002

Cr-Commit-Position: refs/heads/master@{#31037}

Arrow functions have been enabled by default since the 4.5 branch.

Review URL: https://codereview.chromium.org/1373633002

Cr-Commit-Position: refs/heads/master@{#31031}

Added ScopeDetails.name field for closure scopes. It contains function's debug name of current context of scope.

BUG=493156
LOG=Y
R=yurys@chromium.org,yangguo@chromium.org

Review URL: https://codereview.chromium.org/1375813002

Cr-Commit-Position: refs/heads/master@{#31028}

TEST=
BUG=

Review URL: https://codereview.chromium.org/1334793004

Cr-Commit-Position: refs/heads/master@{#31011}

R=rossberg
BUG=

Review URL: https://codereview.chromium.org/1371963002

Cr-Commit-Position: refs/heads/master@{#30970}

This name makes it clear that the flag (also the variant in the Compiler)
is talking about specializing to the function context instead of i.e. the
native context.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1372513003

Cr-Commit-Position: refs/heads/master@{#30934}

The actual Function.prototype.toMethod was removed some time already,
but there were some stuff (esp. %ToMethod) left in the tree, including
tests for %ToMethod.  This code (and esp. the tests) cause trouble in
the process of moving bound functions away from JSFunction; so since
the code is unused anyway, we can as well remove it.

The original removal of Function.prototype.toMethod was in February
2015 in 68e48975.

R=jarin@chromium.org
BUG=v8:3330
LOG=n

Review URL: https://codereview.chromium.org/1366063002

Cr-Commit-Position: refs/heads/master@{#30925}

Since https://codereview.chromium.org/366103005 the promise tests null out
various globals, to ensure the promise implementation doesn’t itself rely
on functions patchable by monkeys.

Unfortunately, doing so breaks test assertion failures which rely on
those globals.

This isn’t the ideal solution, but does improve the current state.

R=littledan@chromium.org,domenic@chromium.org
LOG=N
BUG=

Review URL: https://codereview.chromium.org/1370583002

Cr-Commit-Position: refs/heads/master@{#30922}

Introduce a new macro TO_STRING that maps to %_ToString and use that
instead of calling into any of the ToString/NonStringToString JavaScript
builtins. Also remove the TO_STRING_INLINE macro, which is basically
obsolete with %_ToString. We still have a few uses of ToString left (via
the utils export mechanism), where we need to investigate whether we
will tank badly if we replace them with TO_STRING as well.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg,v8_linux_nosnap_dbg
R=yangguo@chromium.org
BUG=v8:4307
LOG=n

Review URL: https://codereview.chromium.org/1323543002

Cr-Commit-Position: refs/heads/master@{#30895}

Whenever a generalization is computed, the inputs must be checked for being cleared, and if they are, the generalization must be Type::Any.

Hopefully this fixes Chromium issue 527994 as well.

BUG=v8:4325,chromium:527994
LOG=n

Review URL: https://codereview.chromium.org/1361103002

Cr-Commit-Position: refs/heads/master@{#30887}

NOTRY=true

Review URL: https://codereview.chromium.org/1364583003

Cr-Commit-Position: refs/heads/master@{#30885}

This CL also renames wrongly named test for v8:4173.

BUG=v8:4121
LOG=Y

Review URL: https://codereview.chromium.org/1353363002

Cr-Commit-Position: refs/heads/master@{#30879}

This adds the materialized literal count accumulated while parsing the
parameters (in the parser proper) to that accumulated by the preparser.

This should have been caught in cctest/test-parsing, but it's not covered
because the parsing tests call directly into the preparser rather than
using Parser::ParseFunctionLiteral (which fully-parses the parameters
and then calls into the preparser to skip over the function body).

Note that this further-inflates the materialized literal count for
functions with destructured arguments, since some of the counted
literals are actually binding patterns. But that's not specific to
binding patterns in formal parameters: it happens in function bodies, too.

BUG=v8:4400,v8:4407
LOG=n

Review URL: https://codereview.chromium.org/1350913005

Cr-Commit-Position: refs/heads/master@{#30868}