BUG=chromium:616035
NOTRY=true

Review-Url: https://codereview.chromium.org/2082283002
Cr-Commit-Position: refs/heads/master@{#37248}

Maintain the parent frame pointer in a variable after loading it to avoid
having to reload it each time it is required.

BUG=v8:4280

Review-Url: https://codereview.chromium.org/2085353005
Cr-Commit-Position: refs/heads/master@{#37247}

BUG=chromium:616035
NOTRY=true

Review-Url: https://codereview.chromium.org/2083153003
Cr-Commit-Position: refs/heads/master@{#37246}

  port 8c1ba59a (r36911)

  original commit message:
  RelocInfo modes were not propagated when computing
  MemoryOperands, on IA32. This needed to be fixed so that we can
  compile wasm code before creating instances, since the compiled code
  needs to be patched up for memory and globals references.

  This surfaces in asm-to-wasm scenarios.

  Added testing (rather, enhanced existing tests).
  Note patch#1 where we fail on ia32, and patch#2 with the fix.

BUG=

Review-Url: https://codereview.chromium.org/2097583003
Cr-Commit-Position: refs/heads/master@{#37245}

Replace explicit Object::IsErrorObject() with macro generated functions Object::IsJSError() and HeapObject::IsJSError().

BUG=

Review-Url: https://codereview.chromium.org/2090333002
Cr-Commit-Position: refs/heads/master@{#37244}

  port c8ac0d86(r36888)

  original commit message:
  Instead, always tail call to the runtime. Also, cleanup the various versions
  of the runtime call that is used for Array construction fallback. There can be
  only one.

BUG=

Review-Url: https://codereview.chromium.org/2080223009
Cr-Commit-Position: refs/heads/master@{#37243}

  port d0c7775d(r36880)

  original commit message:
  This switches Math.log to use an fdlibm based version of log, imported
  as base::ieee754::log, and use that consistently everywhere, i.e. change
  the Float64Log TurboFan operators on Intel to use the C++ implementation
  as well (same for Crankshaft).

BUG=

Review-Url: https://codereview.chromium.org/2081653005
Cr-Commit-Position: refs/heads/master@{#37242}

Port fc59eb8a

Original commit message:
Moves between operands with different representations shouldn't happen,
so don't test them. This makes it easier to modify canonicalization to
differentiate between floating point types, which is needed to support
floating point register aliasing for ARM and MIPS.

This change also expands tests to include explicit FP moves (both register and stack slot).

LOG=N
BUG=v8:4124
BUG=chromium:622619

Review-Url: https://codereview.chromium.org/2090993002
Cr-Commit-Position: refs/heads/master@{#37241}

Signature indices are encoded as SMIs in the function table of a wasm
module. To compare a signature index with the index parameter that is
passed to an indirect function call, we now change the signature index
to an int32 instead of encoding the index parameter as a SmiConstant.
SmiConstants get encoded as NumberConstant nodes in the TF graph, which
can cause the allocation of heap numbers. Heap allocation has to be
avoided for parallel compilation.

R=bradnelson@chromium.org, titzer@chromium.org

Review-Url: https://codereview.chromium.org/2090923002
Cr-Commit-Position: refs/heads/master@{#37240}

Skip unicodelctest and friends for some turbo and turbo +
ignition variants.

TBR=Benedikt Meurer, rmcilroy
NOTRY=true
NOTREECHECKS=true

Review-Url: https://codereview.chromium.org/2095873002
Cr-Commit-Position: refs/heads/master@{#37239}

Rolling v8/build to eef98eaf4956bbe8d24e5172acd1ffb44d0089a5

Rolling v8/tools/clang to cff206a88b16f784285391dcc4c444206f967024

Rolling v8/tools/mb to 8687d262d22fb2907b3be774c2643f27200aec62

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review-Url: https://codereview.chromium.org/2099593002
Cr-Commit-Position: refs/heads/master@{#37238}

We have a lot of long-encoded root list items in type feedback vectors.

Review-Url: https://codereview.chromium.org/2090563002
Cr-Commit-Position: refs/heads/master@{#37237}

Revert of Amends the TypedArray constructor to use the path for primitives for all (patchset #3 id:40001 of https://codereview.chromium.org/2096873002/ )

Reason for revert:
[Sheriff] Breaks layout tests. Please rebase upstream if intended:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/7691

Original issue's description:
> Amends the TypedArray constructor to use the path for primitives for all
> types of primitives, not just undefined, booleans, numbers, and strings.
> (The missing cases were null and Symbol.) This is required by the
> specification, and there are test262 tests which we were failing due to
> this bug.
>
> BUG=v8:5124
>
> Committed: https://crrev.com/f788bd9cce19815cba746e47bb65abfe25c16208
> Cr-Commit-Position: refs/heads/master@{#37234}

TBR=littledan@chromium.org,bakkot@google.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5124

Review-Url: https://codereview.chromium.org/2091693004
Cr-Commit-Position: refs/heads/master@{#37236}

Flags removed (all begin with "harmony-"):
  function-name
  instanceof
  iterator-close
  unicode-regexps
  regexp-exec
  regexp-subclass
  species

BUG=v8:3566, v8:3648, v8:3699, v8:4093, v8:4447, v8:4602

Review-Url: https://codereview.chromium.org/2096933002
Cr-Commit-Position: refs/heads/master@{#37235}

types of primitives, not just undefined, booleans, numbers, and strings.
(The missing cases were null and Symbol.) This is required by the
specification, and there are test262 tests which we were failing due to
this bug.

BUG=v8:5124

Review-Url: https://codereview.chromium.org/2096873002
Cr-Commit-Position: refs/heads/master@{#37234}

Merge branch 'master' of https://chromium.googlesource.com/v7/v8 into unused_variables

Removed unused variables "length" from the signature "consume_u32v". The variable length (passed in as a parameter) is not read from the function, rather it set based on the pc_ offset. However, the value set is also not used in the main line of control flow during decoding. This seems to be some dead code.

BUG=

Review-Url: https://codereview.chromium.org/2093823003
Cr-Commit-Position: refs/heads/master@{#37233}

TypedArrays store their true length in an internal slot. This is
normally reflected in the .length property, but that property is
configurable. Algorithms which need the length of a typed array are to
use the internal slot, not the property; TypedArray.prototype.set was
not doing this.

BUG=v8:5133

Review-Url: https://codereview.chromium.org/2091153002
Cr-Commit-Position: refs/heads/master@{#37232}

BUG=

Review-Url: https://codereview.chromium.org/2096673002
Cr-Commit-Position: refs/heads/master@{#37231}

Cleaning up the code to replace all instances of "i++" in for loops with the more efficient "++i".
The latter foregoes an extra intermediate variable.

BUG=v8:5044

Review-Url: https://codereview.chromium.org/2094573002
Cr-Commit-Position: refs/heads/master@{#37230}

It appears to have been dropped accidentally as part of 1150092b's
removal of strong mode for binary ops.

Review-Url: https://codereview.chromium.org/2092493002
Cr-Commit-Position: refs/heads/master@{#37229}

While we properly handled scopes of initializers in destructured parameters,
we never did the right thing for computed properties. This patch fixes that
by factoring out PatternRewriter's scope rewriting logic and calls it
for the computed property case.

BUG=chromium:620119

Review-Url: https://codereview.chromium.org/2084103002
Cr-Commit-Position: refs/heads/master@{#37228}

Reason for revert:
Reland fixing msan and tsan

Original issue's description:
> Revert of Test262 roll (patchset #15 id:280001 of https://codereview.chromium.org/2068263002/ )
>
> Reason for revert:
> Broke msan and tsan; need to add an extra skip
>
> Original issue's description:
> > Test262 roll
> >
> > This roll does not include a test harness change; infrastructure issues
> > still need to be worked out.
> >
> > Committed: https://crrev.com/d3a95b8a78eefabf884a60bc3d6aac5830b44eb3
> > Cr-Commit-Position: refs/heads/master@{#37225}
>
> TBR=adamk@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
>
> Committed: https://crrev.com/8ea2cbea2e65dc506d50a25a81e610f37bc751ec
> Cr-Commit-Position: refs/heads/master@{#37226}

TBR=adamk@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2097573003
Cr-Commit-Position: refs/heads/master@{#37227}

Reason for revert:
Broke msan and tsan; need to add an extra skip

Original issue's description:
> Test262 roll
>
> This roll does not include a test harness change; infrastructure issues
> still need to be worked out.
>
> Committed: https://crrev.com/d3a95b8a78eefabf884a60bc3d6aac5830b44eb3
> Cr-Commit-Position: refs/heads/master@{#37225}

TBR=adamk@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2094613004
Cr-Commit-Position: refs/heads/master@{#37226}

This roll does not include a test harness change; infrastructure issues
still need to be worked out.

Review-Url: https://codereview.chromium.org/2068263002
Cr-Commit-Position: refs/heads/master@{#37225}

Since [1], Logger does not dispatch anymore to the other loggers. This is
now the task of the CodeEventDispatcher, and Logger is just a client.

One use of the Logger as dispatcher wasn't caught in the refactoring, which
caused the entries for bytecode handlers loaded from the snapshot to be
missing from the symbols mapping written by PerfBasicLogger.

[1] https://crrev.com/9df23510eaa12eb5c298cf68a92e90c6e992855c

BUG=v8:4899
LOG=N

Review-Url: https://codereview.chromium.org/2085143003
Cr-Commit-Position: refs/heads/master@{#37224}

Also slightly expand regression test to end with a return instead of
an exception.

R=cbruni@chromium.org
BUG=chromium:618788

Review-Url: https://codereview.chromium.org/2090193002
Cr-Commit-Position: refs/heads/master@{#37223}

As a result LoadGlobalIC requires different slow stubs for each TypeofMode.

This CL is a prerequisite for not passing variable name to LoadGlobalIC:
the interceptor handler is the only kind of handler that requires a name
and therefore LoadGlobalIC dispatcher does not need a variable name as well.

BUG=chromium:576312

Review-Url: https://codereview.chromium.org/2081143002
Cr-Commit-Position: refs/heads/master@{#37222}

Revert of Reland [heap] Avoid the use of cells to point from code to new-space objects. (patchset #3 id:40001 of https://codereview.chromium.org/2091733002/ )

Reason for revert:
This breaks gc-stress bot: https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot

#
# Fatal error in ../../src/heap/mark-compact.cc, line 3715
# Check failed: Page::FromAddress(reinterpret_cast<HeapObject*>(*slot)->address()) ->IsFlagSet(Page::PAGE_NEW_NEW_PROMOTION).
#

I can reproduce locally, and local revert also fixes it -> revert.

Reproduce with:
 out/Debug/d8 --test --random-seed=2140216864 --nohard-abort --nodead-code-elimination --nofold-constants --enable-slow-asserts --debug-code --verify-heap --allow-natives-syntax --harmony-tailcalls test/mjsunit/mjsunit.js  test/mjsunit/es6/tail-call-megatest-shard2.js --gc-interval=500 --stress-compaction --concurrent-recompilation-queue-length=64 --concurrent-recompilation-delay=500 --concurrent-recompilation

(Maybe run in loop; it's flaky when broken; but passes reliably w/ revert.)

Original issue's description:
> Reland [heap] Avoid the use of cells to point from code to new-space objects.
>
> The reason for reverting was: [Sheriff] Breaks arm debug:
> https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm%20-%20sim%20-%20debug/builds/1038.
>
> The problem was the dereferencing of handles for smi checks. It turned out
> that these smi checks can be removed anyways, both on arm and on mips.
>
> Additionally some rebasing was necessary.
>
> Original issue's description:
>
> Cells were needed originally because there was no typed remembered set to
> record direct pointers from code space to new space. A previous
> CL (https://codereview.chromium.org/2003553002/) already introduced
> the remembered set, this CL uses it.
>
> This CL
> * stores direct pointers in code objects, even if the target is in new space,
> * records the slot of the pointer in typed-old-to-new remembered set,
> * adds a list which stores weak code-to-new-space references,
> * adds a test to test-heap.cc for weak code-to-new-space references,
> * removes prints in tail-call-megatest.js
>
> R=mlippautz@chromium.org
>
> Committed: https://crrev.com/5508e16592522658587da71ba6743c8e832fe4d1
> Cr-Commit-Position: refs/heads/master@{#37217}

TBR=mlippautz@chromium.org,ahaas@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2090983002
Cr-Commit-Position: refs/heads/master@{#37221}

R=jarin@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2087483003
Cr-Commit-Position: refs/heads/master@{#37220}

Now we can turn it into a turbofan stub.

Create new instance types JS_ARGUMENTS_TYPE and JS_ERROR_TYPE.

Review-Url: https://codereview.chromium.org/2080243003
Cr-Commit-Position: refs/heads/master@{#37219}

ES2017 draft 19.1.3.6: If @@toStringTag is not a string, Object.prototype.toString()
returns [object Object], except in the following cases:
 - Array
 - String
 - Arguments
 - Function
 - Error
 - Boolean
 - Number
 - Date
 - RegExp.

For anything else, e.g., Maps, Sets, TypedArrays, or the global object, toString() returns
[object Object] if @@toStringTag is absent or not a string. In order to be able to
easily identify the global object in d8, we set @@toStringTag to "global"
for d8.

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
BUG=

Review-Url: https://codereview.chromium.org/2071343002
Cr-Commit-Position: refs/heads/master@{#37218}

The reason for reverting was: [Sheriff] Breaks arm debug:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm%20-%20sim%20-%20debug/builds/1038.

The problem was the dereferencing of handles for smi checks. It turned out
that these smi checks can be removed anyways, both on arm and on mips.

Additionally some rebasing was necessary.

Original issue's description:

Cells were needed originally because there was no typed remembered set to
record direct pointers from code space to new space. A previous
CL (https://codereview.chromium.org/2003553002/) already introduced
the remembered set, this CL uses it.

This CL
* stores direct pointers in code objects, even if the target is in new space,
* records the slot of the pointer in typed-old-to-new remembered set,
* adds a list which stores weak code-to-new-space references,
* adds a test to test-heap.cc for weak code-to-new-space references,
* removes prints in tail-call-megatest.js

R=mlippautz@chromium.org

Review-Url: https://codereview.chromium.org/2091733002
Cr-Commit-Position: refs/heads/master@{#37217}

R=cbruni@chromium.org

Review-Url: https://codereview.chromium.org/2098483002
Cr-Commit-Position: refs/heads/master@{#37216}

BUG=v8:4822

Review-Url: https://codereview.chromium.org/2097473002
Cr-Commit-Position: refs/heads/master@{#37215}

BUG=chromium:603144

Review-Url: https://codereview.chromium.org/2083353002
Cr-Commit-Position: refs/heads/master@{#37214}

Lowering of Int64Load, Int64Store, BitcastInt64ToFloat64 and
BitcastFloat64ToInt64 was using LE word ordering in memory,
causing failures on some tests.

BUG=mjsunit/regress/regress-599719,mjsunit/regress/regress-599717

Review-Url: https://codereview.chromium.org/2080213004
Cr-Commit-Position: refs/heads/master@{#37213}

CMN is a flag-setting add operation, and therefore is commutative.
{Add,Sub}WithOverflow generate ADD/SUB instructions that cannot
support a ROR shift.

BUG=

Review-Url: https://codereview.chromium.org/2087233005
Cr-Commit-Position: refs/heads/master@{#37212}

R=jgruber@chromium.org
BUG=v8:5117

Review-Url: https://codereview.chromium.org/2093613002
Cr-Commit-Position: refs/heads/master@{#37211}

As part of the page type unification also unify page iterators. Iterating
over a space works the same for all spaces now (new, old, lo).

Iterating over pages of a space follows now the regular C++ iterator pattern:
- for (auto it = space->begin(); it != space->end(); ++it) {}
- for (Page* p : *space) {}

GC only: Loop supporting unlinking/freeing of a Page on the fly:
  for (auto it = space->begin(); != space->end();) {
    Page* p = *(it++);
    p->Unlink();
  }

For iteration of a range of new space pages use NewSpacePageRange which
also verifies that the range is actually a proper new space page range.

BUG=chromium:581412
LOG=N

Review-Url: https://codereview.chromium.org/2088223002
Cr-Commit-Position: refs/heads/master@{#37210}

BUG=chromium:622351
LOG=N
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2097453002
Cr-Commit-Position: refs/heads/master@{#37209}