Bug: 
Change-Id: I824f42cf6159f94204ee3e3c26a6af18e717b11e
Reviewed-on: https://chromium-review.googlesource.com/702874Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48327}

This repairs the performance regression on Octane/EarleyBoyer and
JetStream/EarleyBoyer benchmarks.

Bug: chromium:772268, v8:6367, v8:6278, v8:6344
Change-Id: Ibc144a35b37c5822f88712550d8db09386241341
Reviewed-on: https://chromium-review.googlesource.com/704574Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48326}

Array (subclass) constructor calls with 0 parameters are now properly
turned into inline allocations, also Array (subclass) constructor calls
with exactly one parameter, which is either known to not be a Number
or which is a known integer in the valid loop unrolling range.

Also refactor the general JSCreateArray lowering logic to properly
support Array subclasses, i.e. deal with inobject properties and
initial maps correctly.

This boosts performance of those cases significantly (and will allow
us to reduce the complexity of the Array constructor significantly
long-term). For example the simple case

  new Array("a", "b", "c", "d", "e", "f", "g")

is now around 10x faster than before.

Bug: v8:6399
Change-Id: I70661971398524ee0c6a349ee559b98a962a6266
Reviewed-on: https://chromium-review.googlesource.com/703134
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48325}

Fix disassembly of atomic operations for the inspector.

BUG=v8:6842,v8:6532

Change-Id: I3701b55c28b10561d1726e2c0b9fe2e1b2c76b8e
Reviewed-on: https://chromium-review.googlesource.com/703468
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48324}

Power-of-two radixes were supported already; this adds all others
(with 2 <= radix <= 36).

Bonus: fix digit_div fallback path for divisors with no leading zeros.

Bug: v8:6791
Change-Id: Id472667f057ad13338e0d8257a899490490e6f8f
Reviewed-on: https://chromium-review.googlesource.com/693316
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48323}

This adds a new simd lowering execution mode for
simd and re-enables the lowering tests

R=titzer@chromium.org,gdeepti@chromium.org,bbudge@chromium.org,mtrofin@chromium.org
BUG=v8:6020

Change-Id: Ice6b7ff2f5973804d379c88241d49b811429a965
Reviewed-on: https://chromium-review.googlesource.com/698928
Commit-Queue: Aseem Garg <aseemgarg@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48322}

BUG=chromium:760649

Change-Id: I13f3ad28ce3870ef57aa53eef684727656dcdff2
Reviewed-on: https://chromium-review.googlesource.com/701264
Commit-Queue: Alexei Filippov <alph@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48321}

The code used to rely on all such loops having a block scope around
them, but that is no longer the case for loops whose loop variables
are VAR-declared.

This patch introduces a new DeclarationDescriptor::Kind for such
variables, and sets it during parsing, allowing the variable
declaration code to note them as assigned appropriately.

Bug: chromium:768158
Change-Id: I0cd60e8c8c735681be9dbb9344a93156af09c952
Reviewed-on: https://chromium-review.googlesource.com/701624Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48320}

This allows us to remove the loop while calculating the hash value and
just use the HashMask as the mask for ComputeIntegerHash. This
previously overflowed on 32-bit systems failing the Smi::IsValid
check.

Bug: v8:6404
Change-Id: I84610a7592fa9d7ce4fa5cef7903bd50b8e8a4df
Reviewed-on: https://chromium-review.googlesource.com/702675Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48319}

Bug: v8:6644
Change-Id: I35c5a5095d0e154b4df0b6903e510587e869a2d4
Reviewed-on: https://chromium-review.googlesource.com/686822Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#48318}

R=ahaas@chromium.org, ochang@chromium.org

Bug: Chromium:539572
Change-Id: I9e94a03c9173d0a17cb1a18dc8740972ff794368
Reviewed-on: https://chromium-review.googlesource.com/701601
Commit-Queue: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48317}

Bug: chromium:771966
Change-Id: Iac5ee55c0d31de477f21f091f4be015a1ca8d00c
Reviewed-on: https://chromium-review.googlesource.com/702382Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48316}

The default component for src/ was Blink>JavaScript>Runtime
before. Unfortunately this is only partly true and tools
that use the information in the OWNERS file often misassign
issues because of it.

R=machenbach@chromium.org
NOTRY=true

Change-Id: I81457da1394a410fd494702f206af69857109c1c
Reviewed-on: https://chromium-review.googlesource.com/701758Reviewed-by: Michael Hablich <hablich@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48315}

At the moment we check only in the module-decoder if the sections in a
module appear at most once. The code section, however, we process
already before this check. With this CL we check that there is at most
one code section before we start processing it.

R=clemensh@chromium.org
TEST=WasmStreamingDecoderTest.TwoCodeSections

Bug: chromium:771916
Change-Id: Icc79d5a87ab39f450a35c688f74ea5e67cae4b3c
Reviewed-on: https://chromium-review.googlesource.com/702379Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48314}

This makes the test robust for stress GC flags.

Bug: 
Change-Id: Ica65987f0ee09fbdb4aab233dea4c51db5b19459
Reviewed-on: https://chromium-review.googlesource.com/702436Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48313}

If sweeping is not making progress and there are many young generation
GCs happening, then this can lead to accumulation of memory chunks in
the unmapper queue.

Bug: chromium:771966
Change-Id: Ief73ada0d17198a80b668850c6d2e7ea413113e7
Reviewed-on: https://chromium-review.googlesource.com/702479Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48312}

This fixes some of the old legacy API that used empty Handle<>

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I861e31a4a6f65bc497bfc512174adba39c17abca
Reviewed-on: https://chromium-review.googlesource.com/701634Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48311}

Bug: 
Change-Id: Iddb8dde328af42b99c74195a13975346437c7259
Reviewed-on: https://chromium-review.googlesource.com/700635Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48310}

Port f0acede9
Original commit message:
`This CL removes the weak-list of JS functions from the context
and all the code that iterares over it. This list was being used
mainly during deoptimization (for code unlinking) and during
garbage collection. Removing it will improve performance of
programs that create many closures and trigger many scavenge GC
cycles.

No extra work is required during garbage collection. However,
given that we no longer unlink code from JS functions during
deoptimization, we leave it as it is, and on its next activation
we check whether the mark_for_deoptimization bit of that code is
set, and if it is, than we unlink it and jump to lazy compiled
code. This check happens in the prologue of every code object.

We needed to change/remove the cctests that used to check
something on this list.

Working in x64, ia32, arm64, arm, mips64 and mips.`

On mips64 big endian flags are in upper part of register.

Bug: 
Change-Id: Ib2f171f9c14e49c64dec31299dcf30496bfcf782
Reviewed-on: https://chromium-review.googlesource.com/700680Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@imgtec.com>
Cr-Commit-Position: refs/heads/master@{#48309}

The catch variable is a special VAR-mode variable which is not in a declaration
scope. Normally creating such a variable is not possible with DeclareVariable,
but Parser bypasses it by calling DeclareLocal directly (which doesn't have the
hoisting check).

PreParser used to cut corners and declare the catch variable as a LET-mode
variable to prevent hoisting.

But since LET and VAR variables behave differently when deciding whether they
block sloppy block function hoisting, that approach doesn't fly.

BUG=v8:5516,chromium:771474

Change-Id: Ic6f5f4996416c9fa59132725c8b0b6b570c72f48
Reviewed-on: https://chromium-review.googlesource.com/700634
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48308}

Evacuating and compacting LayoutDescriptor is meta-circular, i.e., we
need the descriptor to iterate the objects that are copied. Separate the
phases to avoid requiring a publishing store for object payloads.

This reverts commit 6f4a86c1.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Bug: v8:6884
Change-Id: I71472eaf7671ede20ff4b19f1f0c9490cdb0b629
Reviewed-on: https://chromium-review.googlesource.com/702255Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48307}

Change-Id: Ib36b6e27476f7cc1e2064e147fbfa7d3d1e28b49

These will be used in subsequent CLs to add spec-compliant builtins
on Array.prototype built with the CSA.

Change-Id: Ib36b6e27476f7cc1e2064e147fbfa7d3d1e28b49
Reviewed-on: https://chromium-review.googlesource.com/700694
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48306}

Some comments to clarify the structure of Map objects
for new contributors (and myself).

BUG=
R=adamk@chromium.org, verwaest@chromium.org, littledan@chromium.org

Change-Id: I5b107e2917440a18888599f52f53f0cb07902ab0
Reviewed-on: https://chromium-review.googlesource.com/675565
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48305}

Change-Id: Idd8b5c30607575e3cb5e54177308e68183aa78bb
Reviewed-on: https://chromium-review.googlesource.com/700676Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48304}

This reverts commit d0651bd1.

Reason for revert: Breaks gc stress with embedded snapshot:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/15355

Original change's description:
> [language] Implement optional catch binding proposal
> 
> This allows the syntax `try {} catch {}` (with no binding after the
> `catch`).
> 
> See https://github.com/michaelficarra/optional-catch-binding-proposal/
> 
> Currently behind --harmony-optional-catch-binding.
> 
> As part of the implementation, this allows TryCatchStatements to not
> have an associated catch scope; various paths which assumed they
> would have been updated to handle this case.
> 
> Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
> Change-Id: Ic525b45199eef025eb05da562e10fbd4f3d7465f
> Reviewed-on: https://chromium-review.googlesource.com/571453
> Reviewed-by: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Commit-Queue: Kevin Gibbons <bakkot@gmail.com>
> Cr-Commit-Position: refs/heads/master@{#48300}

TBR=rmcilroy@chromium.org,adamk@chromium.org,marja@chromium.org,gsathya@chromium.org,bakkot@gmail.com

Change-Id: I63d68160ec75b87e28d3dcdddca2d8b7d0503b46
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/702334Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48303}

This reverts commit 0f5d3ed1.

Reason for revert: Reland button relands right away...

Original change's description:
> [heap] Separate map space pointers updating from main bulk
> 
> Evacuating and compacting LayoutDescriptor is meta-circular, i.e., we
> need the descriptor to iterate the objects that are copied. Separate the
> phases to avoid requiring a publishing store for object payloads.
> 
> Bug: v8:6884
> Change-Id: Icc3bb80a938fbd9eec60c79d88ab8fdd9bda0840
> Reviewed-on: https://chromium-review.googlesource.com/700437
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48288}

TBR=ulan@chromium.org,mlippautz@chromium.org

Change-Id: Ie91ef6ea5a55f4e8165b3fa97b2c2042376998f1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6884
Reviewed-on: https://chromium-review.googlesource.com/701756Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48302}

Sometimes, the embedder might want to merge a fix to an abandoned branch
or to a supported branch but the fix is not relevant to Chromium.
This adds a new version string that the embedder can set at compile time
and that will be appended to the official V8 version.
The separator must be provided in the string. For instance, to have a
full version string like "6.0.287.53-emb.1", the embedder must set
V8_EMBEDDER_STRING to "-emb.1".

Related Node.js issue: https://github.com/nodejs/node/pull/9754

BUG=v8:5740
R=machenbach@chromium.org

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ifa2d9bd213795e6d54886436f8c3787ac6162823
Reviewed-on: https://chromium-review.googlesource.com/690475Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Michaël Zasso <mic.besace@gmail.com>
Cr-Commit-Position: refs/heads/master@{#48301}

This allows the syntax `try {} catch {}` (with no binding after the
`catch`).

See https://github.com/michaelficarra/optional-catch-binding-proposal/

Currently behind --harmony-optional-catch-binding.

As part of the implementation, this allows TryCatchStatements to not
have an associated catch scope; various paths which assumed they
would have been updated to handle this case.

Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ic525b45199eef025eb05da562e10fbd4f3d7465f
Reviewed-on: https://chromium-review.googlesource.com/571453Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Kevin Gibbons <bakkot@gmail.com>
Cr-Commit-Position: refs/heads/master@{#48300}

Bug: v8:6791
Change-Id: I5e91832bcb74e895eaf7a3d6ee493c832abba7bf
Reviewed-on: https://chromium-review.googlesource.com/699635
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48299}

Previously, we would first fire the PromiseRejectCallback before
fulfilling the promise. This patch changes the behavior to first
fulfill the promise. This behavior is more intuitive.

This patch also merges the check for PromiseHook callback with the
debug callback, since they use the same boolean bit on the isolate.

Bug: v8:6880
Change-Id: Ia04867e16423a1d6006f0f3f93a14fa6026e17ed
Reviewed-on: https://chromium-review.googlesource.com/700980
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48298}

CCalls have significantly less overhead than runtime calls which will improve
runtime performance on programs that make lots of transitions between JS and
Wasm.

Bug: v8:5277
Change-Id: If09dea97f24eb43753847e2b894ebc1ba5168c23
Reviewed-on: https://chromium-review.googlesource.com/688481
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48297}

This reverts commit 0f5d3ed1.

Reason for revert: Needs to consider invalidated slots too. Roll flaking on GPU bots: https://chromium-review.googlesource.com/c/chromium/src/+/700721

Original change's description:
> [heap] Separate map space pointers updating from main bulk
> 
> Evacuating and compacting LayoutDescriptor is meta-circular, i.e., we
> need the descriptor to iterate the objects that are copied. Separate the
> phases to avoid requiring a publishing store for object payloads.
> 
> Bug: v8:6884
> Change-Id: Icc3bb80a938fbd9eec60c79d88ab8fdd9bda0840
> Reviewed-on: https://chromium-review.googlesource.com/700437
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48288}

TBR=ulan@chromium.org,mlippautz@chromium.org

Change-Id: I854687c5e40541c62a0bcf15ad251afe5ddaa8d1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6884
Reviewed-on: https://chromium-review.googlesource.com/701534Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48296}

Bug: v8:6791
Change-Id: Id889823ff2cf20cf504010ffce3283f0d75bf72f
Reviewed-on: https://chromium-review.googlesource.com/699420Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48295}

This reverts commit 5e76ff5a.

Reason for revert: tsan failures - https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/17574

Original change's description:
> Reland "[wasm] always allocate memory when guard regions are needed"
> 
> This reverts commit 7cf29d8d.
> 
> Original change's description:
> > [wasm] always allocate memory when guard regions are needed
> >
> > When using trap handlers, memory references do not get any checks inserted. This
> > means there is no check for a null memory as happens when the memory size is
> > 0. Normally this would be correctly caught as an out of bounds access, since the
> > low memory addresses are not normally mapped. However, if they were mapped for
> > some reason, we would not catch the out of bounds access.
> >
> > The fix is to ensure WebAssembly instances always have a guard region even if
> > the memory is size 0.
> >
> > Bug: chromium:769637
> 
> Change-Id: I09fdaea92b7ccb3a6cc9e28392171ec098538a00
> Reviewed-on: https://chromium-review.googlesource.com/695812
> Commit-Queue: Eric Holk <eholk@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48293}

TBR=gdeepti@chromium.org,mtrofin@chromium.org,mlippautz@chromium.org,eholk@chromium.org,eholk@google.com,clemensh@chromium.org

Change-Id: I52d5354126158a92602b08c48703d562ac95075b
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/699599Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48294}

This reverts commit 7cf29d8d.

Original change's description:
> [wasm] always allocate memory when guard regions are needed
>
> When using trap handlers, memory references do not get any checks inserted. This
> means there is no check for a null memory as happens when the memory size is
> 0. Normally this would be correctly caught as an out of bounds access, since the
> low memory addresses are not normally mapped. However, if they were mapped for
> some reason, we would not catch the out of bounds access.
>
> The fix is to ensure WebAssembly instances always have a guard region even if
> the memory is size 0.
>
> Bug: chromium:769637

Change-Id: I09fdaea92b7ccb3a6cc9e28392171ec098538a00
Reviewed-on: https://chromium-review.googlesource.com/695812
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48293}

No-try: true
Bug: v8:6886
Change-Id: I994b998e9e5006c6de183328603f3545158bd32c
Reviewed-on: https://chromium-review.googlesource.com/700536Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48292}

Fix an error overwriting the `prototype` property of async generator
functions when FLAG_enable_slow_asserts is enabled.

Previously, the `initial_async_generator_prototype` field was never
written to the native context, and was always undefined. This caused
some incorrect runtime behaviour, and would crash when loading the field
using the Context::initial_aysnc_generator_prototype accessor when
attempting to cast the Undefined oddball to a JSObject.

BUG=chromium:771470, v8:5855
R=adamk@chromium.org, verwaest@chromium.org, gsathya@chromium.org

Change-Id: I13f2a518c59852bc77c2de1f2468a4eea457609e
Reviewed-on: https://chromium-review.googlesource.com/700261Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#48291}

The code in `AsmJsScanner::Next()` checks for both
end of input and parse error:

  if (token_ == kEndOfInput || token_ == kParseError) {
    return;
  }

but until now the code in the parsing loop only checked
for `kEndOfInput`, resulting in an infinite loop on
`kParseError`.

R=bradnelson@chromium.org, mstarzinger@chromium.org

Bug: chromium:771428
Change-Id: I9170f090503590b3b9b949a0d00ab4daef85bf66
Reviewed-on: https://chromium-review.googlesource.com/699994
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48290}

In the process, also enable support for PACKED_DOUBLE_ELEMENTS arrays.

Change-Id: I16dd79276f1023e30b072d45216396533077f53c
Reviewed-on: https://chromium-review.googlesource.com/571006
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48289}

Evacuating and compacting LayoutDescriptor is meta-circular, i.e., we
need the descriptor to iterate the objects that are copied. Separate the
phases to avoid requiring a publishing store for object payloads.

Bug: v8:6884
Change-Id: Icc3bb80a938fbd9eec60c79d88ab8fdd9bda0840
Reviewed-on: https://chromium-review.googlesource.com/700437Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48288}