Add Rcpps and Rsqrtps macros.
Rename SIMD_UNOP macros.

Change-Id: I7e9418a835f085cc0fdd31fc3815c17c8f413b67
Reviewed-on: https://chromium-review.googlesource.com/982575Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Jing Bao <jing.bao@intel.com>
Cr-Commit-Position: refs/heads/master@{#52291}

Just a simple cleanup CL. TryAllocateBackingStore function is only needed in
wasm-memory.cc, so this makes that stronger by putting it in an anonymous
namespace. Additionally, the whole function is moved to the top of the file.

No functional change.

R=gdeepti@chromium.org

Change-Id: I0c5ea07c1ab81f3083eb75f0a6177c503fc827b5
Reviewed-on: https://chromium-review.googlesource.com/985023Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52290}

No-Try: true
Bug: chromium:824214
TBR: hpayer@chromium.org
Change-Id: I8095da413b5ca0ebba65b264b7310afd88d7a499
Reviewed-on: https://chromium-review.googlesource.com/984872
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52289}

R=clemensh@chromium.org

Bug: v8:7539

Change-Id: I1bd02ba84803055dd9e8b808c17622aa4fca42d4
Reviewed-on: https://chromium-review.googlesource.com/984520Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#52288}

R=joransiu@ca.ibm.com

Change-Id: I066b6d14694393cae43285a71bfc6aff91418505
Reviewed-on: https://chromium-review.googlesource.com/984593Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#52287}

This relands commit 496d0596.

Original change's description:
> [heap] Detect ineffective GCs near the heap limit.
>
> Currently V8 can enter CPU thrashing GC loop near the heap limit. In
> such cases it is better to trigger an out-of-memory failure earlier to
> avoid wasting CPU time and to avoid unresponsiveness.
>
> This patch adds a mechanism for tracking consecutive ineffective GCs.
> A GC is considered ineffective if the heap size after the GC is still
> close to the heap limit and if the average mutator utilization dropped
> below a fixed threshold.
>
> V8 execution is aborted after four consecutive ineffective GCs.
>
> Bug: chromium:824214

TBR: hpayer@chromium.org
Change-Id: Ib09d24d6280078ce6c33519309a2563c70fb68e1
Reviewed-on: https://chromium-review.googlesource.com/980555Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52286}

Change-Id: I9d418605b6fe2180f9812fb529af89fa05e7ab8b
Reviewed-on: https://chromium-review.googlesource.com/984352Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52285}

This reverts commit 3f6686c2.

Reason for revert: https://luci-milo.appspot.com/buildbot/client.v8/V8%20Mac64%20GC%20Stress/196

Original change's description:
> [heap] Initialize the heap tear down at the beginning of Isolate::Deinit
> 
> Code in Isolate::Deinit may trigger a GC, e.g. wasm_engine()->TearDown.
> However, the gin platform in Chrome does not allow to post tasks within
> Isolate::Deinit. By initializing heap tear down at the beginning of
> Isolate::Deinit, we can make that no tasks are posted anymore within
> Isolate::Deinit.
> 
> R=​ulan@chromium.org
> 
> Bug: chromium:826105
> Change-Id: I246c324aa23efe82cc8e7059a1cae5efca33a1b0
> Reviewed-on: https://chromium-review.googlesource.com/983598
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52283}

TBR=ulan@chromium.org,ahaas@chromium.org

Change-Id: I98461449b16ae8dcf3b03c51daec92df9f5f6366
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:826105
Reviewed-on: https://chromium-review.googlesource.com/984193Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52284}

Code in Isolate::Deinit may trigger a GC, e.g. wasm_engine()->TearDown.
However, the gin platform in Chrome does not allow to post tasks within
Isolate::Deinit. By initializing heap tear down at the beginning of
Isolate::Deinit, we can make that no tasks are posted anymore within
Isolate::Deinit.

R=ulan@chromium.org

Bug: chromium:826105
Change-Id: I246c324aa23efe82cc8e7059a1cae5efca33a1b0
Reviewed-on: https://chromium-review.googlesource.com/983598
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52283}

Launching too many parallel tasks near OOM increases risk of allocation
failure during GC and OOM crash.

Bug: chromium:824214, v8:7605
Change-Id: I336d1f01e4005fb2a8e16ef92f40532b8ed83f2c
TBR: mlippautz@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/983919
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52282}

Bug: v8:7310
Change-Id: I942d038d8d213b394fe5c6e158a5eb0fc32912db
Reviewed-on: https://chromium-review.googlesource.com/983778Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52281}

R=jgruber@chromium.org

Change-Id: I887d31bcb55a52de6fa984bd9b5854f90182cf1f
Reviewed-on: https://chromium-review.googlesource.com/983776Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52280}

The archiving was removed as part of:
https://crrev.com/c/983573

Bug: v8:5881
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I0c991d4c56c760e6d6ddcaa392e003a46ff96672
Reviewed-on: https://chromium-review.googlesource.com/983772Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52279}

Change-Id: Ifdeda00ad55aa937a6a414e7e566e6640ccd83c0
Reviewed-on: https://chromium-review.googlesource.com/980936Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52278}

All conversions, reinterpretations, promotions and demotions are
implemented in Liftoff on MIPS.

Bug: v8:6600
Change-Id: I8920aea1cabdb59676c2c03fbb6de6156ebf0a62
Reviewed-on: https://chromium-review.googlesource.com/983554Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#52277}

We need to bypass shortcuts when executing accessors defined via FunctionTemplate
if we have break points at function entry.

R=ishell@chromium.org, jgruber@chromium.org

Bug: v8:7596
Change-Id: I0e1bdbbba0f7dcd0fb7fe90d35b18234d073fe94
Reviewed-on: https://chromium-review.googlesource.com/980316
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52276}

This reverts commit 61195eb6.

Reason for revert: breaks gc stress

Original change's description:
> [in-place weak refs] Replace the WeakCell potentially in Map::raw_transitions_.
> 
> BUG=v8:7308
> 
> Change-Id: I3021df5f6dfd02d85ed9fe1903f9c0850f92168d
> Reviewed-on: https://chromium-review.googlesource.com/972962
> Commit-Queue: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52272}

TBR=ulan@chromium.org,marja@chromium.org

Change-Id: I218b4d767da5095e5c5fee650567eb41343b347e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7308
Reviewed-on: https://chromium-review.googlesource.com/983812Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52275}

Since embedded builtins will be disabled by default until after the
M67 branch point, let's enable them on two specific bots to at least
have some continued coverage.

release_x64_internal is a release build (with an internal snapshot).
release_x64_verify_csa is a pseudo-debug build with DEBUG set.

Bug: v8:6666
Change-Id: I7e81c24e3cefc6eeba5d6e5823d47ab52f3e5941
Reviewed-on: https://chromium-review.googlesource.com/983597Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52274}

This is a reland of 712b66da

Breakage is fixed on infra side by:
https://crrev.com/c/983417

Original change's description:
> [build] Remove legacy isolate configurations
>
> Bug: chromium:669910
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: Iad58563fd4bb35501493f88af83362b1206a186c
> Reviewed-on: https://chromium-review.googlesource.com/982630
> Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52267}

Bug: chromium:669910
Change-Id: I6c06a1fe9587206aa4e983befb105327bfec4154
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/983573Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52273}

BUG=v8:7308

Change-Id: I3021df5f6dfd02d85ed9fe1903f9c0850f92168d
Reviewed-on: https://chromium-review.googlesource.com/972962
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52272}

TBR=sergiyb@chromium.org
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Bug: chromium:669910
Change-Id: I13ac32f3177677f4cf86602bee4038241933f38e
Reviewed-on: https://chromium-review.googlesource.com/983599Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52271}

Removes the deferred handle reference to the native context that
caused a cyclic dependency, which resulted in a memory leak. Instead of
keeping a reference to the native context, we use a phantom reference
to the WasmCompiledModule in order to get the context.
All foreground tasks are now registered in its own foreground task
manager, in order to make sure that we cancel all scheduled
foreground tasks as soon as the CompilationState is collected.

Bug: chromium:825741
Also-by: ahaas@chromium.org
Change-Id: Id69426a15280a14a1dc3ecd035415e7cfa61780b
Reviewed-on: https://chromium-review.googlesource.com/982622Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Kim-Anh Tran <kimanh@google.com>
Cr-Commit-Position: refs/heads/master@{#52270}

Change-Id: I3255e2ed0e370e019cf06e95aaf4fe2eb9ce5de1
Reviewed-on: https://chromium-review.googlesource.com/980760
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52269}

This reverts commit 712b66da.

Reason for revert:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20builder/builds/32049

Original change's description:
> [build] Remove legacy isolate configurations
> 
> Bug: chromium:669910
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: Iad58563fd4bb35501493f88af83362b1206a186c
> Reviewed-on: https://chromium-review.googlesource.com/982630
> Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52267}

TBR=machenbach@chromium.org,yangguo@chromium.org,sergiyb@chromium.org,jgruber@chromium.org

Change-Id: I1955325b0b419b38d793ab205131de8de08cb50a
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:669910
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/983418Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52268}

Bug: chromium:669910
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Iad58563fd4bb35501493f88af83362b1206a186c
Reviewed-on: https://chromium-review.googlesource.com/982630Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52267}

... to avoid breaking jumbo builds.

TBR=cbruni@chromium.org, rmcilroy@chromium.org

Bug: v8:6949, v8:7310, v8:7339
Change-Id: Ifa3ff13fb064fc8716f237f90c82834e41ed7440
Reviewed-on: https://chromium-review.googlesource.com/983392Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52266}

R=delphick@chromium.org

Change-Id: Iad00b090d1576a4a556e0971bbea3003a3aedb3f
Reviewed-on: https://chromium-review.googlesource.com/982631Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52265}

This results in a roughly 10KB reduction in snapshot_blob.bin on x64.

Change-Id: I72aab2db4e3b2a896f624c3c2afc1ac2e9610e23
Reviewed-on: https://chromium-review.googlesource.com/981911Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Kanghua Yu <kanghua.yu@intel.com>
Cr-Commit-Position: refs/heads/master@{#52264}

This prevents the flag from being set from e.g. Chromium. Instead, just use
relative paths like everything else in the build system.

Bug: chromium:825347, v8:7601

Change-Id: I080d9999b0b63bafc2c1978f70322eb48814a3b8
Reviewed-on: https://chromium-review.googlesource.com/980557
Commit-Queue: Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52263}

R=jarin@chromium.org

Bug: v8:7584
Change-Id: I299e49452d70891190490f44f2db299dfa7d864c
Reviewed-on: https://chromium-review.googlesource.com/981150Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52262}

This reverts commit 16aecc5d.

Reason for revert: Breaks several layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/22624

Original change's description:
> Ship BigInts
> 
> Intent to ship:
> https://groups.google.com/d/msg/v8-users/ShhW0Xewph0/1-OT9q0_DQAJ
> 
> Bug: v8:6791
> Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: Ibcf5ac09c0099496ef2c6a3c23bef9f9e72658f1
> Reviewed-on: https://chromium-review.googlesource.com/981596
> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Mathias Bynens <mathias@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52256}

TBR=adamk@chromium.org,jkummerow@chromium.org,neis@chromium.org,mathias@chromium.org

Change-Id: I32e9f32b501cb72aa364e89d5b2210c0861c68fc
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6791
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/983293Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52261}

Embedding builtins regresses speedometer by roughly 2-3%. Unship
them until M67 is branched.

Bug: v8:6666
Change-Id: Icaddc2cfbc0e52cd6999c648479cb008509a7bf2
Reviewed-on: https://chromium-review.googlesource.com/982053Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52260}

Windows toolchain still needs relies on gyp.

R=sergiyb@chromium.org

Bug: v8:6105, chromium:826218
Change-Id: If7fba3cf986daa23a748681c3e6f1527af68b622
Reviewed-on: https://chromium-review.googlesource.com/980494Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52259}

Port 1ef6c437

Original Commit Message:

    This CL changes the poisoning in the interpreter to use the
    infrastructure used in the JIT.

    This does not change the original flag semantics:

    --branch-load-poisoning enables JIT mitigations as before.

    --untrusted-code-mitigation enables the interpreter mitigations
      (now realized using the compiler back-end), but does not enable
      the back-end based mitigations for the Javascript JIT. So in effect
      --untrusted-code-mitigation makes the CSA pipeline for bytecode handlers
      use the same mechanics (including changed register allocation) that
      --branch-load-poisoning enables for the JIT.

R=tebbi@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I46ee60541c48ad1e9c5ca1c2aac0d89d81c65333
Reviewed-on: https://chromium-review.googlesource.com/981935Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#52258}

Rolling v8/base/trace_event/common: https://chromium.googlesource.com/chromium/src/base/trace_event/common/+log/e0009bb..8c1ce86

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/9004761..cc2d66c

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/bffbf16..db4e76d

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/7d56ff9..82ac1c9

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I19d5e07ee4b0ca5686848a13c30af31a14ed521b
Reviewed-on: https://chromium-review.googlesource.com/983112
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52257}

Intent to ship:
https://groups.google.com/d/msg/v8-users/ShhW0Xewph0/1-OT9q0_DQAJ

Bug: v8:6791
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: Ibcf5ac09c0099496ef2c6a3c23bef9f9e72658f1
Reviewed-on: https://chromium-review.googlesource.com/981596
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52256}

Add Cvtdq2ps macro.
Add pblendw/vpblendw.

Change-Id: I5c8232d17c220fbbb4845cbfad4ce765f0bbbb90
Reviewed-on: https://chromium-review.googlesource.com/961973
Commit-Queue: Jing Bao <jing.bao@intel.com>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52255}

This reverts commit 9732f422.

Reason for revert.

Original change's description:
> [inspector] queryObjects returns result
> 
> queryObjects command line API return array instead of sending
> inspectRequest notification.
> 
> R=​pfeldman@chromium.org
> 
> Bug: chromium:825349
> Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
> Change-Id: Ie6c64419cb108b313c43b66eab533c5a7d5d9024
> Reviewed-on: https://chromium-review.googlesource.com/978464
> Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
> Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52197}

TBR=pfeldman@chromium.org,kozyatinskiy@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:825349
Change-Id: I90f93b96981d8218b9ad1dc0f4ebfb5a7cb671bc
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/982431Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52254}

Bug:v8:6532

Change-Id: I62e62f6584d1d42dc8af713b874daafa1f8d4436
Reviewed-on: https://chromium-review.googlesource.com/969991Reviewed-by: Ben Smith <binji@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52253}

When a wasm function has a large stack frame, the x64 code generator
performs the stack overflow check before constructing the frame. This
requires using the `address_of_real_stack_limit` external reference, as
well as the `ThrowWasmStackOverflow` runtime function.

`ThrowWasmStackOverflow` is called via a generated trampoline, but it is
not a builtin, so the serializer adds it to the `stub_lookup_` map. This
map is encoded by using a monotonically increasing `stub_id` that starts
at 0.

When the function is serialized, a stub is differentiated from a builtin
by which half of the `i32` bits is used, upper or lower. A stub only
uses the lower 16 bits and a builtin only uses the upper 16 bits.

The deserializer checks whether the lower 16 bits are 0; if so, it is
determined to be a builtin. But if the `stub_id` is 0, then it will be
confused with builtin 0 (`RecordWrite`). Calling the builtin instead of
the stub causes a crash.

This CL starts all `stub_id`s at 1, which prevents the builtin/stub
confusion.

There is an additional bug that is not fixed by this CL:
`ThrowWasmStackOverflow` shouldn't be called at all. Currently it is
called because `address_of_real_stack_limit` is a thread-local value
that is not properly relocated.

Bug: chromium:808848
Change-Id: I06b3e650ea58ad717dcc47a3716443e16582e711
Reviewed-on: https://chromium-review.googlesource.com/981687Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52252}