Currently SIMD integer comparison ops are implemented using Lt/Le, this is
sub-optimal on Intel, because all compares are done using pcmpgt(d/w/b) that
clobber the destination register, and will need additional instructions to
when using Lt/Le as the base implementation. This CL proposes moving to Gt/Ge
as the underlying implementation as this will only require swapping operands
on MIPS and is consistent with x86/ARM instructions.

BUG=v8:6020

R=bbudge@chromium.org, bmeurer@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2874403002
Cr-Commit-Position: refs/heads/master@{#45440}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/c11a9f7..1caf3a6

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I9f6bc987a022b085a0baaf1eb67ea23fa5513794
Reviewed-on: https://chromium-review.googlesource.com/509232Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45439}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/8da5cdf..c11a9f7

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/b1c6aa7..08a6e0a

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/ba46613..05f3060

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I4e2d640fd4963ca190325ffeb1dce6a71e4346e5
Reviewed-on: https://chromium-review.googlesource.com/509174Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45438}

Bug:v8:6055

Change-Id: Ifeac048e5bee2d1782cdaaabe9f5257129b7be0e
Reviewed-on: https://chromium-review.googlesource.com/508528Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Loo Rong Jie <loorongjie@gmail.com>
Cr-Commit-Position: refs/heads/master@{#45437}

The WebAssembly code now uses these new APIs to allocate memory with guard
regions. Guarded array buffers are no longer always external, which eliminates
a lot of special cases around WebAssembly memory.

Bug: chromium:720302
Change-Id: I355b74ac30a05a18c8b363bd256d57458742849f
Reviewed-on: https://chromium-review.googlesource.com/505715Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45436}

All targets (at least on sanitizer builds) unconditionally depend
on //build/config/sanitizers:deps.

It is necessary for bug 593874 that all targets now also depend
on //buildtools/third_party/libc++:libcxx_proxy.  This requires
adding a new "global dependency": //build/config:exe_and_shlib_deps.

This CL updates references to sanitizers:deps to instead refer to
//build/config:exe_and_shlib_deps.

BUG=chromium:723069
R=bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2894013003
Cr-Commit-Position: refs/heads/master@{#45435}

GeneratorClose is pretty simple, we can handle it in the interpreter.

BUG=v8:6351

Review-Url: https://codereview.chromium.org/2891353002
Cr-Commit-Position: refs/heads/master@{#45434}

This CL enforces passing an AssemblerDebugInfo object to Bind, most convently
acheived by the BIND macro.

Change-Id: I092714f10803f529d01d2fe716b96275b2bee806
Reviewed-on: https://chromium-review.googlesource.com/508729Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45433}

Change-Id: Id3b29978232ab7838224d6a38da345915fa00f22
Reviewed-on: https://chromium-review.googlesource.com/507307
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45432}

Bug: chromium:720477
Change-Id: I49af460d06f045731d847d68b7276edae72d95a4
Reviewed-on: https://chromium-review.googlesource.com/509690Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45431}

Call the templated handle(T) function instead of
Handle<T>() as it's slighly simpler to read.

Bug: 
Change-Id: I7d8dc6ffae1dc1c609cd6bce230adbe62aaf451b
Reviewed-on: https://chromium-review.googlesource.com/509568
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45430}

This fixes crashes during validation when trying to construct modules
with excessively large function tables. The {WasmModuleBuilder} now
gracefully checks against existing WebAssembly implementation limits.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-715455
BUG=chromium:715455

Change-Id: Ia9738cb0b49a1eb4caf073b75301c0303f295699
Reviewed-on: https://chromium-review.googlesource.com/509530
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45429}

In the current implementation the decision to inline polymorphic function
calls applies to all functions. Either we inline all of them or none of
them. Also, we decide to inline if the size of one of function is less
than the FLAG_max_inlined_nodes.

This cl changes it to a decision on individual functions. In the case of
polymorphic calls, we might inline some of the functions and not inline
others.

Bug: 
Change-Id: I2f4049b5e55445b4858b260d289c96090c6aaa74
Reviewed-on: https://chromium-review.googlesource.com/508668
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45428}

On map change of an object this patch checks that
- either GC was notified about this change,
- or the change leaves the slot set of the object the same.

BUG=chromium:694255

Review-Url: https://codereview.chromium.org/2886223002
Cr-Commit-Position: refs/heads/master@{#45427}

This is in order to avoid triggering the generation of deopt entries
later during code assembly.

R=jarin@chromium.org

Bug: v8:6048
Change-Id: I51fb508cfc5d715b6a5b2fded90b19c9f21d4d9f
Reviewed-on: https://chromium-review.googlesource.com/508789
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45426}

Task creation often dominates the actual work that is being done.

Bug: chromium:722989
Change-Id: Ibdd6ffa6f3154f17dc6ccbd30475710b97e802e7
Reviewed-on: https://chromium-review.googlesource.com/508783Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45425}

Bug: chromium:723802
Change-Id: I8f23d016a5aaf785fcd27cd139a196a148a37069
Reviewed-on: https://chromium-review.googlesource.com/508712
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45424}

[builtins] Enable %TypedArray%.prototype.{some,every,reduce,reduceRight,map} CSA builtins by default

R=danno@chromium.org

Change-Id: I3365642b2682c09d745b7bcc9f983179604e7c3a
Reviewed-on: https://chromium-review.googlesource.com/509549
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45423}

Currently only relies on private stacks of segments, i.e., doesn't steal
anything, yet.

Bug: chromium:651354
Change-Id: Icedad3e3169b61afe988a1ece10f73f3a973bdb2
Reviewed-on: https://chromium-review.googlesource.com/508351
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45422}

This adds reporting of linking failures (i.e. module instantiation)
similar to the existing reporting for validation failures. Note that
the messages in question are deterministic and can be tested.

R=clemensh@chromium.org

Change-Id: Ibecebefb86f1d878f626702c05fd0cb21189dc2a
Reviewed-on: https://chromium-review.googlesource.com/507488
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45421}

Revert of Add DEPS.chromium for recursive DEPS tracking. (patchset #1 id:1 of https://codereview.chromium.org/2880293002/ )

Reason for revert:
Going a different way with this, as Chromium don't want the additional files.

Original issue's description:
> Add DEPS.chromium for recursive DEPS tracking.
>
> DEPS.chromium allows the Chromium build system's DEPS to recurse into V8's own
> dependencies. Initially, this is populated with some tests files for the ARM64
> simulator.
>
> BUG=chromium:718439
>
> Review-Url: https://codereview.chromium.org/2880293002
> Cr-Commit-Position: refs/heads/master@{#45310}
> Committed: https://chromium.googlesource.com/v8/v8/+/f8a6c6c48e79ef4267d03c80aa768e8362341e4a

TBR=machenbach@chromium.org,bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:718439

Review-Url: https://codereview.chromium.org/2891323002
Cr-Commit-Position: refs/heads/master@{#45420}

This simplifies the growing strategy used in {ZoneBuffer} and also tunes
the initial sizes used for various instances of these buffers. Note that
such a {ZoneBuffer} is used for entire modules and individual function
bodies.

R=clemensh@chromium.org

Change-Id: I99a0898589984e1830c681845fabb0ed5f8317ab
Reviewed-on: https://chromium-review.googlesource.com/508711
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45419}

We can avoid some runtime calls by implementing intrinsics.

BUG=

Review-Url: https://codereview.chromium.org/2889973002
Cr-Commit-Position: refs/heads/master@{#45418}

In a recent CL I moved the corpus of the wasm fuzzer and of the
wasm-asmjs fuzzer to a different directory
(wasm_corpus and wasm_asmjs_corpus) so that the corpus is not executed
on the try-bots. With this CL I remove the old corpus from the
.gitignore file.

In addition I removed the hooks for wasm_corpus and
wasm_asmjs_corpus from the V8 DEPS file, because in a V8 checkout
they are not used anyway.

I also added code to the test runner to delete all *.wasm files
from the directories test/fuzzer/wasm and test/fuzzer/wasm_asmjs.
This code should be removed in a week, but it will help my coworkers
to cleanup their V8 checkout.



R=bradnelson@chromium.org
CC=machenbach@chromium.org

Change-Id: I9fdf9d77b71b133f84f7e744763d65fdf127d624
Reviewed-on: https://chromium-review.googlesource.com/505614
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45417}

NOTRY=true
TBR=franzih@chromium.org

Bug: v8:6154
Change-Id: Ief1e1acb353ba1c857616c32607979aec462207a
Reviewed-on: https://chromium-review.googlesource.com/509488Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45416}

In crrev.com/2856103002 sentinel frequency values were introduced, using
NaN as the sentinel. However the comparison function was not *fully*
updated to support these - comparing two NaNs would give ambiguous
results. This caused test failures when building with VS 2017, probably
because of subtle changes in the arrangement of nodes in the tree.

This change uses the the node ID to break ties. An alternative would be
to use a non-NaN sentinel value.

R=bmeurer@chromium.org
BUG=chromium:722480

Review-Url: https://codereview.chromium.org/2894433004
Cr-Commit-Position: refs/heads/master@{#45415}

Introduce a flag --max-inlined-nodes-absolute that is used to limit the
number of nodes that we inline even in the presence of small function
inlining, so that TurboFan graphs don't grow arbitrary large.

BUG=chromium:724084,v8:6395,v8:6278,v8:6344,v8:6394
TBR=mvstanton@chromium.org

Review-Url: https://codereview.chromium.org/2894523005
Cr-Commit-Position: refs/heads/master@{#45414}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/ce01161..8da5cdf

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/d76621c..b1c6aa7

Rolling v8/third_party/icu: https://chromium.googlesource.com/chromium/deps/icu/+log/fd2abab..c844075

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/162cac4..ba46613

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: I59daef22f238d257f577dc1617aa5401c952e708
Reviewed-on: https://chromium-review.googlesource.com/509229Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45413}

This refactoring makes it easier to write advanced tests and
gives full control over what's happening to the test code.
It also forces description for every test.

BUG=none

Review-Url: https://codereview.chromium.org/2891213002
Cr-Commit-Position: refs/heads/master@{#45412}

As per spec, (https://github.com/WebAssembly/design/pull/1068), we
don't have compile/instantiate overloads anymore, instead, we
have explicitly named members.

This change introduces the new APIs, implements instantiateStreaming
based on compileStreaming, and uses the existing embedder mechanism.
It does not yet remove the functionality from compile/instantiate -
we do that after we adopt the new APIs on the blink side.

Also, it temporarily handles exceptions on the v8 side, which is also
something we'll move to the blink side.

Bug: 
Change-Id: I77673b1c0d395dfcf13b2f25464fd5dfd99c8d82
Reviewed-on: https://chromium-review.googlesource.com/508852
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45411}

Port 73d21080

Original Commit Message:

    Now that the optimized code hangs off the feedback vector, it is possible
    to check whether a function has optimized code available every time it's
    called in the interpreter entry trampoline. If optimized code exists, the
    interpreter entry trampoline 'self-heals' the closure to point to the
    optimized code and links the closure into the optimized code list.

R=rmcilroy@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:6246
LOG=N

Review-Url: https://codereview.chromium.org/2897483002
Cr-Commit-Position: refs/heads/master@{#45410}

- moved all extensions to inspector_test.cc;
- properly supported multiple context groups and sessions;
- better isolation between components;
- better infrastructure in protocol-test.

BUG=chromium:590878

Review-Url: https://codereview.chromium.org/2890463004
Cr-Commit-Position: refs/heads/master@{#45409}

If the new Free function is not implemented, but we are freeing a Normal
allocation, as opposed to one with guard regions, we can fall back on the
existing Free function.

Because guard regions are not yet used in normal circumstances, this will let
embedders who have not implemented the improve ArrayBuffer::Allocator interface
to continue working.

Bug: 
Change-Id: I2e30b523ef7493ab288110b90d8f994bfcfbc9b7
Reviewed-on: https://chromium-review.googlesource.com/508897
Commit-Queue: Eric Holk <eholk@chromium.org>
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45408}

WebAssembly needs to be able to allocate memory with guard regions, which
requires more functionality from the array buffer allocator. This change adds
functions for reserving memory regions and changing the memory protection.

This CL also includes some minor refactoring of the code to free array buffers.

Bug: chromium:720302
Change-Id: Iab9a266003043b0d36592a79668d1eea53952abf
Reviewed-on: https://chromium-review.googlesource.com/506377Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45407}

Split BytecodeGenerator::VisitSuspend into two pieces, one for
building the suspension code and one for resumption (these
are split into separate Build methods for convenience).
Each gets its own RegisterAllocationScope, which allows us to
reduce the register file size of the empty generator by 1.

For consistency, rename VisitGeneratorPrologue() to
BuildGeneratorPrologue() to match the names of the two
newly-created methods.

This relands the patch originally committed in
98927ea5, as the test failure
due to that change was a code flushing bug. Code flushing was
disabled in de4a4095.

R=rmcilroy@chromium.org

Bug: v8:6379
Change-Id: Ifb4deafea99693c0a4e8646cf4e9884c7374cfc6
Reviewed-on: https://chromium-review.googlesource.com/508814Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45406}

Varblock scopes can be treated as the "same scope" as their surrounding
function scope for the purposes of hole check elimination, as
source position comparison is sufficient to determine statically that
uses in the varblock scope are after initialization in the function scope.

This allows the elimination of hole checks of lexically-bound parameter
variables in functions with complex parameters, including rest parameters.

The pre-existing code compared DeclarationScopes for legacy reasons:
varblock scopes (and Scope::GetClosureScope()) did not exist at the
time this code was originally written.

R=neis@chromium.org

Bug: v8:6344, v8:6414
Change-Id: Ie787d58d1ea172e893788a9c716d3b6868980ab8
Reviewed-on: https://chromium-review.googlesource.com/508242
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45405}

This reverts commit ce538f70.

Reason for revert: breaks BOM handling (thus breaking Outlook web apps).

Original change's description:
> [parser] Refactor streaming scanner streams.
> 
> Unify, simplify logic, reduce UTF8 specific handling.
> 
> Intend of this is also to have stream views.
> Stream views can be used concurrently by multiple threads, but
> only one thread may fetch new data from the underlying source.
> This together with unified stream view creation is intended to be
> used for parse tasks.
> 
> BUG=v8:6093
> 
> Change-Id: Ied8e93090c506d4735080298f0fdaeed32043915
> Reviewed-on: https://chromium-review.googlesource.com/501789
> Commit-Queue: Wiktor Garbacz <wiktorg@google.com>
> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#45336}

TBR=marja@chromium.org,vogelheim@chromium.org,jochen@chromium.org,wiktorg@google.com
BUG=v8:6093, chromium:724166

Change-Id: I022a23b8052d20d83a640c07b7864c622548bf90
Reviewed-on: https://chromium-review.googlesource.com/508888Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45404}

This patch adds HeapObject::set_map_after_allocation method that
initializes the map of the object without object layout checks.

All other map setters now check that transitions unsafe for
concurrent marking properly notify the GC.

BUG=chromium:694255

Review-Url: https://codereview.chromium.org/2885883004
Cr-Commit-Position: refs/heads/master@{#45403}

Port bfa319e5

Original Commit Message:

    We already had an optimization to turn Function.prototype.apply with
    arguments object, i.e.

      function foo() { return bar.apply(this, arguments); }

    into a special operator JSCallForwardVarargs, which avoids the
    allocation and deconstruction of the arguments object, but just passes
    along the incoming parameters. We can do the same for rest parameters
    and spread calls/constructs, i.e.

      class A extends B {
        constructor(...args) { super(...args); }
      }

    or

      function foo(...args) { return bar(1, 2, 3, ...args); }

    where we basically pass along the parameters (plus maybe additional
    statically known parameters).

    For this, we introduce a new JSConstructForwardVarargs operator and
    generalize the CallForwardVarargs builtins that are backing this.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:6407,v8:6278,v8:6344
LOG=N

Review-Url: https://codereview.chromium.org/2887153004
Cr-Commit-Position: refs/heads/master@{#45402}

Revert of [csa] Add assertions to CSA (patchset #11 id:200001 of https://codereview.chromium.org/2847923003/ )

Reason for revert:
Seems to have made nosnap debug very slow and also leads to check failures:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap%20-%20debug/builds/13248

Original issue's description:
> [csa] Add assertions to CSA
>
> This adds a bunch of assertions to CSA, mostly about documenting and checking
> parameter types.
>
> Drive-by-change: Removed unused function.
>
> BUG=v8:6325
>
> Review-Url: https://codereview.chromium.org/2847923003
> Cr-Commit-Position: refs/heads/master@{#45398}
> Committed: https://chromium.googlesource.com/v8/v8/+/b14a981496ad1f841683479d2f9188dfa2d6b4bd

TBR=cbruni@chromium.org,ishell@chromium.org,jgruber@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:6325

Review-Url: https://codereview.chromium.org/2892023002
Cr-Commit-Position: refs/heads/master@{#45401}