[builtins] Enable Torque Array.prototype.splice

Before, splice was implemented with a C++ fast path and a comprehensive JavaScript version. This impl. is entirely in Torque with a fastpath for SMI, DOUBLE and OBJECT arrays, and a comprehensive slow path. The same level of "sparse" array support as given by the array.js implementation is included. This reland addresses several issues: * Removed "sparse" array support from splice. * Addressed ClusterFuzz issue 876443: The test and code that uses the fix is in this CL. The fix in isolation can be seen here: https://chromium-review.googlesource.com/c/v8/v8/+/1199403 * Removed dead code in elements.cc BUG=chromium:876443, v8:8131, v8:1956, v8:7221 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I2d4a66c24ba1edabeca34e27e6ff8ee6136ed5f1 Reviewed-on: https://chromium-review.googlesource.com/1201783 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#55610}

[builtins] Enable Torque Array.prototype.splice
Before, splice was implemented with a C++ fast path and a comprehensive JavaScript version. This impl. is entirely in Torque with a fastpath for SMI, DOUBLE and OBJECT arrays, and a comprehensive slow path. The same level of "sparse" array support as given by the array.js implementation is included. This reland addresses several issues: * Removed "sparse" array support from splice. * Addressed ClusterFuzz issue 876443: The test and code that uses the fix is in this CL. The fix in isolation can be seen here: https://chromium-review.googlesource.com/c/v8/v8/+/1199403 * Removed dead code in elements.cc BUG=chromium:876443, v8:8131, v8:1956, v8:7221 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I2d4a66c24ba1edabeca34e27e6ff8ee6136ed5f1 Reviewed-on: https://chromium-review.googlesource.com/1201783 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#55610}
fd334b32 · Mike Stanton · Commit Bot · 0e460c25 · fd334b32 · fd334b32
Commit fd334b32 authored Sep 04, 2018 by Mike Stanton Committed by Commit Bot Sep 04, 2018
24 changed files
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -883,6 +883,7 @@ torque_files = [
  "src/builtins/array-foreach.tq",
  "src/builtins/array-lastindexof.tq",
  "src/builtins/array-reverse.tq",
+  "src/builtins/array-splice.tq",
  "src/builtins/typed-array.tq",
  "src/builtins/data-view.tq",
  "test/torque/test-torque.tq",

--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -1747,13 +1747,8 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
                          Builtins::kArrayPrototypeSlice, 2, false);
    SimpleInstallFunction(isolate_, proto, "sort",
                          Builtins::kArrayPrototypeSort, 1, false);
-    if (FLAG_enable_experimental_builtins) {
-      SimpleInstallFunction(isolate_, proto, "splice",
-                            Builtins::kArraySpliceTorque, 2, false);
-    } else {
-      SimpleInstallFunction(isolate_, proto, "splice", Builtins::kArraySplice,
-                            2, false);
-    }
+    SimpleInstallFunction(isolate_, proto, "splice", Builtins::kArraySplice, 2,
+                          false);
    SimpleInstallFunction(isolate_, proto, "includes", Builtins::kArrayIncludes,
                          1, false);
    SimpleInstallFunction(isolate_, proto, "indexOf", Builtins::kArrayIndexOf,

--- a/src/builtins/array-reverse.tq
+++ b/src/builtins/array-reverse.tq
@@ -152,8 +152,8 @@ module array {
    assert(IsFastSmiOrTaggedElementsKind(array.map.elements_kind));

    const length: Smi = array.length_fast;
-    array.elements = ExtractFixedArray(
-        unsafe_cast<FixedArray>(elements), 0, length, length, kFixedArrays);
+    array.elements =
+        ExtractFixedArray(unsafe_cast<FixedArray>(elements), 0, length, length);
  }

  macro TryFastPackedArrayReverse(receiver: Object) labels Slow {

--- a/src/builtins/array-splice.tq
+++ b/src/builtins/array-splice.tq
--- a/src/builtins/array.tq
+++ b/src/builtins/array.tq
--- a/src/builtins/base.tq
+++ b/src/builtins/base.tq
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -23,34 +23,6 @@ namespace internal {

 namespace {

-inline bool ClampedToInteger(Isolate* isolate, Object* object, int* out) {
-  // This is an extended version of ECMA-262 7.1.11 handling signed values
-  // Try to convert object to a number and clamp values to [kMinInt, kMaxInt]
-  if (object->IsSmi()) {
-    *out = Smi::ToInt(object);
-    return true;
-  } else if (object->IsHeapNumber()) {
-    double value = HeapNumber::cast(object)->value();
-    if (std::isnan(value)) {
-      *out = 0;
-    } else if (value > kMaxInt) {
-      *out = kMaxInt;
-    } else if (value < kMinInt) {
-      *out = kMinInt;
-    } else {
-      *out = static_cast<int>(value);
-    }
-    return true;
-  } else if (object->IsNullOrUndefined(isolate)) {
-    *out = 0;
-    return true;
-  } else if (object->IsBoolean()) {
-    *out = object->IsTrue(isolate);
-    return true;
-  }
-  return false;
-}
-
 inline bool IsJSArrayFastElementMovingAllowed(Isolate* isolate,
                                              JSArray* receiver) {
  return JSObject::PrototypeHasNoElements(isolate, receiver);
@@ -637,67 +609,6 @@ BUILTIN(ArrayUnshift) {
  return Smi::FromInt(new_length);
 }

-BUILTIN(ArraySplice) {
-  HandleScope scope(isolate);
-  Handle<Object> receiver = args.receiver();
-  if (V8_UNLIKELY(
-          !EnsureJSArrayWithWritableFastElements(isolate, receiver, &args, 3,
-                                                 args.length() - 3) ||
-          // If this is a subclass of Array, then call out to JS.
-          !Handle<JSArray>::cast(receiver)->HasArrayPrototype(isolate) ||
-          // If anything with @@species has been messed with, call out to JS.
-          !isolate->IsArraySpeciesLookupChainIntact())) {
-    return CallJsIntrinsic(isolate, isolate->array_splice(), args);
-  }
-  Handle<JSArray> array = Handle<JSArray>::cast(receiver);
-
-  int argument_count = args.length() - 1;
-  int relative_start = 0;
-  if (argument_count > 0) {
-    DisallowHeapAllocation no_gc;
-    if (!ClampedToInteger(isolate, args[1], &relative_start)) {
-      AllowHeapAllocation allow_allocation;
-      return CallJsIntrinsic(isolate, isolate->array_splice(), args);
-    }
-  }
-  int len = Smi::ToInt(array->length());
-  // clip relative start to [0, len]
-  int actual_start = (relative_start < 0) ? Max(len + relative_start, 0)
-                                          : Min(relative_start, len);
-
-  int actual_delete_count;
-  if (argument_count == 1) {
-    // SpiderMonkey, TraceMonkey and JSC treat the case where no delete count is
-    // given as a request to delete all the elements from the start.
-    // And it differs from the case of undefined delete count.
-    // This does not follow ECMA-262, but we do the same for compatibility.
-    DCHECK_GE(len - actual_start, 0);
-    actual_delete_count = len - actual_start;
-  } else {
-    int delete_count = 0;
-    DisallowHeapAllocation no_gc;
-    if (argument_count > 1) {
-      if (!ClampedToInteger(isolate, args[2], &delete_count)) {
-        AllowHeapAllocation allow_allocation;
-        return CallJsIntrinsic(isolate, isolate->array_splice(), args);
-      }
-    }
-    actual_delete_count = Min(Max(delete_count, 0), len - actual_start);
-  }
-
-  int add_count = (argument_count > 1) ? (argument_count - 2) : 0;
-  int new_length = len - actual_delete_count + add_count;
-
-  if (new_length != len && JSArray::HasReadOnlyLength(array)) {
-    AllowHeapAllocation allow_allocation;
-    return CallJsIntrinsic(isolate, isolate->array_splice(), args);
-  }
-  ElementsAccessor* accessor = array->GetElementsAccessor();
-  Handle<JSArray> result_array = accessor->Splice(
-      array, actual_start, actual_delete_count, &args, add_count);
-  return *result_array;
-}
-
 // Array Concat -------------------------------------------------------------

 namespace {

--- a/src/builtins/builtins-definitions.h
+++ b/src/builtins/builtins-definitions.h
@@ -319,8 +319,6 @@ namespace internal {
  TFJ(ArrayPrototypeShift, SharedFunctionInfo::kDontAdaptArgumentsSentinel)    \
  /* ES6 #sec-array.prototype.slice */                                         \
  TFJ(ArrayPrototypeSlice, SharedFunctionInfo::kDontAdaptArgumentsSentinel)    \
-  /* ES6 #sec-array.prototype.splice */                                        \
-  CPP(ArraySplice)                                                             \
  /* ES6 #sec-array.prototype.unshift */                                       \
  CPP(ArrayUnshift)                                                            \
  /* Support for Array.from and other array-copying idioms */                  \

--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@@ -4246,6 +4246,33 @@ void CodeStubAssembler::FillFixedArrayWithValue(
      mode);
 }

+void CodeStubAssembler::StoreFixedDoubleArrayHole(
+    TNode<FixedDoubleArray> array, Node* index, ParameterMode parameter_mode) {
+  CSA_SLOW_ASSERT(this, MatchesParameterMode(index, parameter_mode));
+  Node* offset =
+      ElementOffsetFromIndex(index, PACKED_DOUBLE_ELEMENTS, parameter_mode,
+                             FixedArray::kHeaderSize - kHeapObjectTag);
+  CSA_ASSERT(this, IsOffsetInBounds(
+                       offset, LoadAndUntagFixedArrayBaseLength(array),
+                       FixedDoubleArray::kHeaderSize, PACKED_DOUBLE_ELEMENTS));
+  Node* double_hole =
+      Is64() ? ReinterpretCast<UintPtrT>(Int64Constant(kHoleNanInt64))
+             : ReinterpretCast<UintPtrT>(Int32Constant(kHoleNanLower32));
+  // TODO(danno): When we have a Float32/Float64 wrapper class that
+  // preserves double bits during manipulation, remove this code/change
+  // this to an indexed Float64 store.
+  if (Is64()) {
+    StoreNoWriteBarrier(MachineRepresentation::kWord64, array, offset,
+                        double_hole);
+  } else {
+    StoreNoWriteBarrier(MachineRepresentation::kWord32, array, offset,
+                        double_hole);
+    StoreNoWriteBarrier(MachineRepresentation::kWord32, array,
+                        IntPtrAdd(offset, IntPtrConstant(kPointerSize)),
+                        double_hole);
+  }
+}
+
 void CodeStubAssembler::FillFixedArrayWithSmiZero(TNode<FixedArray> array,
                                                  TNode<IntPtrT> length) {
  CSA_ASSERT(this, WordEqual(length, LoadAndUntagFixedArrayBaseLength(array)));
@@ -10050,6 +10077,10 @@ void CodeStubAssembler::BranchIfNumberRelationalComparison(
                    // Both {left} and {right} are Smi, so just perform a fast
                    // Smi comparison.
                    switch (op) {
+                      case Operation::kEqual:
+                        BranchIfSmiEqual(smi_left, smi_right, if_true,
+                                         if_false);
+                        break;
                      case Operation::kLessThan:
                        BranchIfSmiLessThan(smi_left, smi_right, if_true,
                                            if_false);
@@ -10096,6 +10127,10 @@ void CodeStubAssembler::BranchIfNumberRelationalComparison(
  BIND(&do_float_comparison);
  {
    switch (op) {
+      case Operation::kEqual:
+        Branch(Float64Equal(var_left_float.value(), var_right_float.value()),
+               if_true, if_false);
+        break;
      case Operation::kLessThan:
        Branch(Float64LessThan(var_left_float.value(), var_right_float.value()),
               if_true, if_false);
@@ -12001,6 +12036,15 @@ Node* CodeStubAssembler::ArraySpeciesCreate(TNode<Context> context,
                     len);
 }

+Node* CodeStubAssembler::InternalArrayCreate(TNode<Context> context,
+                                             TNode<Number> len) {
+  Node* native_context = LoadNativeContext(context);
+  Node* const constructor = LoadContextElement(
+      native_context, Context::INTERNAL_ARRAY_FUNCTION_INDEX);
+  return ConstructJS(CodeFactory::Construct(isolate()), context, constructor,
+                     len);
+}
+
 Node* CodeStubAssembler::IsDetachedBuffer(Node* buffer) {
  CSA_ASSERT(this, HasInstanceType(buffer, JS_ARRAY_BUFFER_TYPE));


--- a/src/code-stub-assembler.h
+++ b/src/code-stub-assembler.h
@@ -1210,6 +1210,19 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
      TNode<FixedDoubleArray> object, Node* index, TNode<Float64T> value,
      ParameterMode parameter_mode = INTPTR_PARAMETERS);

+  void StoreFixedDoubleArrayElementSmi(TNode<FixedDoubleArray> object,
+                                       TNode<Smi> index,
+                                       TNode<Float64T> value) {
+    StoreFixedDoubleArrayElement(object, index, value, SMI_PARAMETERS);
+  }
+
+  void StoreFixedDoubleArrayHole(TNode<FixedDoubleArray> array, Node* index,
+                                 ParameterMode mode = INTPTR_PARAMETERS);
+  void StoreFixedDoubleArrayHoleSmi(TNode<FixedDoubleArray> array,
+                                    TNode<Smi> index) {
+    StoreFixedDoubleArrayHole(array, index, SMI_PARAMETERS);
+  }
+
  Node* StoreFeedbackVectorSlot(
      Node* object, Node* index, Node* value,
      WriteBarrierMode barrier_mode = UPDATE_WRITE_BARRIER,
@@ -1445,6 +1458,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {

  Node* ArraySpeciesCreate(TNode<Context> context, TNode<Object> originalArray,
                           TNode<Number> len);
+  Node* InternalArrayCreate(TNode<Context> context, TNode<Number> len);

  void FillFixedArrayWithValue(ElementsKind kind, Node* array, Node* from_index,
                               Node* to_index,
@@ -1520,6 +1534,10 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
    return UncheckedCast<FixedDoubleArray>(base);
  }

+  TNode<Int32T> ConvertElementsKindToInt(TNode<Int32T> elements_kind) {
+    return UncheckedCast<Int32T>(elements_kind);
+  }
+
  enum class ExtractFixedArrayFlag {
    kFixedArrays = 1,
    kFixedDoubleArrays = 2,
@@ -1560,12 +1578,11 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
          ExtractFixedArrayFlag::kAllFixedArrays,
      ParameterMode parameter_mode = INTPTR_PARAMETERS);

-  TNode<FixedArrayBase> ExtractFixedArray(
-      TNode<FixedArrayBase> source, TNode<Smi> first, TNode<Smi> count,
-      TNode<Smi> capacity,
-      ExtractFixedArrayFlags extract_flags =
-          ExtractFixedArrayFlag::kAllFixedArrays) {
-    return ExtractFixedArray(source, first, count, capacity, extract_flags,
+  TNode<FixedArrayBase> ExtractFixedArray(TNode<FixedArrayBase> source,
+                                          TNode<Smi> first, TNode<Smi> count,
+                                          TNode<Smi> capacity) {
+    return ExtractFixedArray(source, first, count, capacity,
+                             ExtractFixedArrayFlag::kAllFixedArrays,
                             SMI_PARAMETERS);
  }

@@ -2561,6 +2578,12 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
                              ElementsKind to_kind, bool is_jsarray,
                              Label* bailout);

+  void TransitionElementsKind(TNode<JSReceiver> object, TNode<Map> map,
+                              ElementsKind from_kind, ElementsKind to_kind,
+                              Label* bailout) {
+    TransitionElementsKind(object, map, from_kind, to_kind, true, bailout);
+  }
+
  void TrapAllocationMemento(Node* object, Label* memento_found);

  TNode<IntPtrT> PageFromAddress(TNode<IntPtrT> address);
@@ -2652,26 +2675,32 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
  void BranchIfNumberRelationalComparison(Operation op, Node* left, Node* right,
                                          Label* if_true, Label* if_false);

-  void BranchIfNumberLessThan(Node* left, Node* right, Label* if_true,
-                              Label* if_false) {
+  void BranchIfNumberEqual(TNode<Number> left, TNode<Number> right,
+                           Label* if_true, Label* if_false) {
+    BranchIfNumberRelationalComparison(Operation::kEqual, left, right, if_true,
+                                       if_false);
+  }
+
+  void BranchIfNumberLessThan(TNode<Number> left, TNode<Number> right,
+                              Label* if_true, Label* if_false) {
    BranchIfNumberRelationalComparison(Operation::kLessThan, left, right,
                                       if_true, if_false);
  }

-  void BranchIfNumberLessThanOrEqual(Node* left, Node* right, Label* if_true,
-                                     Label* if_false) {
+  void BranchIfNumberLessThanOrEqual(TNode<Number> left, TNode<Number> right,
+                                     Label* if_true, Label* if_false) {
    BranchIfNumberRelationalComparison(Operation::kLessThanOrEqual, left, right,
                                       if_true, if_false);
  }

-  void BranchIfNumberGreaterThan(Node* left, Node* right, Label* if_true,
-                                 Label* if_false) {
+  void BranchIfNumberGreaterThan(TNode<Number> left, TNode<Number> right,
+                                 Label* if_true, Label* if_false) {
    BranchIfNumberRelationalComparison(Operation::kGreaterThan, left, right,
                                       if_true, if_false);
  }

-  void BranchIfNumberGreaterThanOrEqual(Node* left, Node* right, Label* if_true,
-                                        Label* if_false) {
+  void BranchIfNumberGreaterThanOrEqual(TNode<Number> left, TNode<Number> right,
+                                        Label* if_true, Label* if_false) {
    BranchIfNumberRelationalComparison(Operation::kGreaterThanOrEqual, left,
                                       right, if_true, if_false);
  }

--- a/src/contexts.h
+++ b/src/contexts.h
@@ -71,46 +71,46 @@ enum ContextLookupFlags {
  V(ASYNC_GENERATOR_AWAIT_CAUGHT, JSFunction, async_generator_await_caught) \
  V(ASYNC_GENERATOR_AWAIT_UNCAUGHT, JSFunction, async_generator_await_uncaught)

-#define NATIVE_CONTEXT_IMPORTED_FIELDS(V)                                      \
-  V(ARRAY_SPLICE_INDEX, JSFunction, array_splice)                              \
-  V(ARRAY_UNSHIFT_INDEX, JSFunction, array_unshift)                            \
-  V(ARRAY_ENTRIES_ITERATOR_INDEX, JSFunction, array_entries_iterator)          \
-  V(ARRAY_FOR_EACH_ITERATOR_INDEX, JSFunction, array_for_each_iterator)        \
-  V(ARRAY_KEYS_ITERATOR_INDEX, JSFunction, array_keys_iterator)                \
-  V(ARRAY_VALUES_ITERATOR_INDEX, JSFunction, array_values_iterator)            \
-  V(CANONICALIZE_LOCALE_LIST_FUNCTION_INDEX, JSFunction,                       \
-    canonicalize_locale_list)                                                  \
-  V(ERROR_FUNCTION_INDEX, JSFunction, error_function)                          \
-  V(ERROR_TO_STRING, JSFunction, error_to_string)                              \
-  V(EVAL_ERROR_FUNCTION_INDEX, JSFunction, eval_error_function)                \
-  V(GLOBAL_EVAL_FUN_INDEX, JSFunction, global_eval_fun)                        \
-  V(GLOBAL_PROXY_FUNCTION_INDEX, JSFunction, global_proxy_function)            \
-  V(MAP_DELETE_INDEX, JSFunction, map_delete)                                  \
-  V(MAP_GET_INDEX, JSFunction, map_get)                                        \
-  V(MAP_HAS_INDEX, JSFunction, map_has)                                        \
-  V(MAP_SET_INDEX, JSFunction, map_set)                                        \
-  V(FUNCTION_HAS_INSTANCE_INDEX, JSFunction, function_has_instance)            \
-  V(OBJECT_VALUE_OF, JSFunction, object_value_of)                              \
-  V(OBJECT_TO_STRING, JSFunction, object_to_string)                            \
-  V(PROMISE_CATCH_INDEX, JSFunction, promise_catch)                            \
-  V(PROMISE_FUNCTION_INDEX, JSFunction, promise_function)                      \
-  V(RANGE_ERROR_FUNCTION_INDEX, JSFunction, range_error_function)              \
-  V(REFERENCE_ERROR_FUNCTION_INDEX, JSFunction, reference_error_function)      \
-  V(CACHED_OR_NEW_SERVICE_LOCALE_FUNCTION_INDEX, JSFunction,                   \
-    cached_or_new_service)                                                     \
-  V(RESOLVE_LOCALE_FUNCTION_INDEX, JSFunction, resolve_locale)                 \
-  V(SET_ADD_INDEX, JSFunction, set_add)                                        \
-  V(SET_DELETE_INDEX, JSFunction, set_delete)                                  \
-  V(SET_HAS_INDEX, JSFunction, set_has)                                        \
-  V(SYNTAX_ERROR_FUNCTION_INDEX, JSFunction, syntax_error_function)            \
-  V(TYPE_ERROR_FUNCTION_INDEX, JSFunction, type_error_function)                \
-  V(URI_ERROR_FUNCTION_INDEX, JSFunction, uri_error_function)                  \
-  V(WASM_COMPILE_ERROR_FUNCTION_INDEX, JSFunction,                             \
-    wasm_compile_error_function)                                               \
-  V(WASM_LINK_ERROR_FUNCTION_INDEX, JSFunction, wasm_link_error_function)      \
-  V(WASM_RUNTIME_ERROR_FUNCTION_INDEX, JSFunction,                             \
-    wasm_runtime_error_function)                                               \
-  V(WEAKMAP_SET_INDEX, JSFunction, weakmap_set)                                \
+#define NATIVE_CONTEXT_IMPORTED_FIELDS(V)                                 \
+  V(ARRAY_SHIFT_INDEX, JSFunction, array_shift)                           \
+  V(ARRAY_UNSHIFT_INDEX, JSFunction, array_unshift)                       \
+  V(ARRAY_ENTRIES_ITERATOR_INDEX, JSFunction, array_entries_iterator)     \
+  V(ARRAY_FOR_EACH_ITERATOR_INDEX, JSFunction, array_for_each_iterator)   \
+  V(ARRAY_KEYS_ITERATOR_INDEX, JSFunction, array_keys_iterator)           \
+  V(ARRAY_VALUES_ITERATOR_INDEX, JSFunction, array_values_iterator)       \
+  V(CANONICALIZE_LOCALE_LIST_FUNCTION_INDEX, JSFunction,                  \
+    canonicalize_locale_list)                                             \
+  V(ERROR_FUNCTION_INDEX, JSFunction, error_function)                     \
+  V(ERROR_TO_STRING, JSFunction, error_to_string)                         \
+  V(EVAL_ERROR_FUNCTION_INDEX, JSFunction, eval_error_function)           \
+  V(GLOBAL_EVAL_FUN_INDEX, JSFunction, global_eval_fun)                   \
+  V(GLOBAL_PROXY_FUNCTION_INDEX, JSFunction, global_proxy_function)       \
+  V(MAP_DELETE_INDEX, JSFunction, map_delete)                             \
+  V(MAP_GET_INDEX, JSFunction, map_get)                                   \
+  V(MAP_HAS_INDEX, JSFunction, map_has)                                   \
+  V(MAP_SET_INDEX, JSFunction, map_set)                                   \
+  V(FUNCTION_HAS_INSTANCE_INDEX, JSFunction, function_has_instance)       \
+  V(OBJECT_VALUE_OF, JSFunction, object_value_of)                         \
+  V(OBJECT_TO_STRING, JSFunction, object_to_string)                       \
+  V(PROMISE_CATCH_INDEX, JSFunction, promise_catch)                       \
+  V(PROMISE_FUNCTION_INDEX, JSFunction, promise_function)                 \
+  V(RANGE_ERROR_FUNCTION_INDEX, JSFunction, range_error_function)         \
+  V(REFERENCE_ERROR_FUNCTION_INDEX, JSFunction, reference_error_function) \
+  V(CACHED_OR_NEW_SERVICE_LOCALE_FUNCTION_INDEX, JSFunction,              \
+    cached_or_new_service)                                                \
+  V(RESOLVE_LOCALE_FUNCTION_INDEX, JSFunction, resolve_locale)            \
+  V(SET_ADD_INDEX, JSFunction, set_add)                                   \
+  V(SET_DELETE_INDEX, JSFunction, set_delete)                             \
+  V(SET_HAS_INDEX, JSFunction, set_has)                                   \
+  V(SYNTAX_ERROR_FUNCTION_INDEX, JSFunction, syntax_error_function)       \
+  V(TYPE_ERROR_FUNCTION_INDEX, JSFunction, type_error_function)           \
+  V(URI_ERROR_FUNCTION_INDEX, JSFunction, uri_error_function)             \
+  V(WASM_COMPILE_ERROR_FUNCTION_INDEX, JSFunction,                        \
+    wasm_compile_error_function)                                          \
+  V(WASM_LINK_ERROR_FUNCTION_INDEX, JSFunction, wasm_link_error_function) \
+  V(WASM_RUNTIME_ERROR_FUNCTION_INDEX, JSFunction,                        \
+    wasm_runtime_error_function)                                          \
+  V(WEAKMAP_SET_INDEX, JSFunction, weakmap_set)                           \
  V(WEAKSET_ADD_INDEX, JSFunction, weakset_add)

 #define NATIVE_CONTEXT_FIELDS(V)                                               \

--- a/src/elements.cc
+++ b/src/elements.cc
@@ -724,18 +724,6 @@ class ElementsAccessorBase : public InternalElementsAccessor {
    UNREACHABLE();
  }

-  Handle<JSArray> Splice(Handle<JSArray> receiver, uint32_t start,
-                         uint32_t delete_count, Arguments* args,
-                         uint32_t add_count) final {
-    return Subclass::SpliceImpl(receiver, start, delete_count, args, add_count);
-  }
-
-  static Handle<JSArray> SpliceImpl(Handle<JSArray> receiver,
-                                    uint32_t start, uint32_t delete_count,
-                                    Arguments* args, uint32_t add_count) {
-    UNREACHABLE();
-  }
-
  Handle<Object> Pop(Handle<JSArray> receiver) final {
    return Subclass::PopImpl(receiver);
  }
@@ -2227,58 +2215,6 @@ class FastElementsAccessor : public ElementsAccessorBase<Subclass, KindTraits> {
    return result_array;
  }

-  static Handle<JSArray> SpliceImpl(Handle<JSArray> receiver,
-                                    uint32_t start, uint32_t delete_count,
-                                    Arguments* args, uint32_t add_count) {
-    Isolate* isolate = receiver->GetIsolate();
-    Heap* heap = isolate->heap();
-    uint32_t length = Smi::ToInt(receiver->length());
-    uint32_t new_length = length - delete_count + add_count;
-
-    ElementsKind kind = KindTraits::Kind;
-    if (new_length <= static_cast<uint32_t>(receiver->elements()->length()) &&
-        IsSmiOrObjectElementsKind(kind)) {
-      HandleScope scope(isolate);
-      JSObject::EnsureWritableFastElements(receiver);
-    }
-
-    Handle<FixedArrayBase> backing_store(receiver->elements(), isolate);
-
-    if (new_length == 0) {
-      receiver->set_elements(ReadOnlyRoots(heap).empty_fixed_array());
-      receiver->set_length(Smi::kZero);
-      return isolate->factory()->NewJSArrayWithElements(
-          backing_store, KindTraits::Kind, delete_count);
-    }
-
-    // Construct the result array which holds the deleted elements.
-    Handle<JSArray> deleted_elements = isolate->factory()->NewJSArray(
-        KindTraits::Kind, delete_count, delete_count);
-    if (delete_count > 0) {
-      DisallowHeapAllocation no_gc;
-      Subclass::CopyElementsImpl(isolate, *backing_store, start,
-                                 deleted_elements->elements(), KindTraits::Kind,
-                                 0, kPackedSizeNotKnown, delete_count);
-    }
-
-    // Delete and move elements to make space for add_count new elements.
-    if (add_count < delete_count) {
-      Subclass::SpliceShrinkStep(isolate, receiver, backing_store, start,
-                                 delete_count, add_count, length, new_length);
-    } else if (add_count > delete_count) {
-      backing_store =
-          Subclass::SpliceGrowStep(isolate, receiver, backing_store, start,
-                                   delete_count, add_count, length, new_length);
-    }
-
-    // Copy over the arguments.
-    Subclass::CopyArguments(args, backing_store, add_count, 3, start);
-
-    receiver->set_length(Smi::FromInt(new_length));
-    Subclass::TryTransitionResultArrayToPacked(deleted_elements);
-    return deleted_elements;
-  }
-
  static void MoveElements(Isolate* isolate, Handle<JSArray> receiver,
                           Handle<FixedArrayBase> backing_store, int dst_index,
                           int src_index, int len, int hole_start,
@@ -2503,50 +2439,6 @@ class FastElementsAccessor : public ElementsAccessorBase<Subclass, KindTraits> {
    return result;
  }

- private:
-  // SpliceShrinkStep might modify the backing_store.
-  static void SpliceShrinkStep(Isolate* isolate, Handle<JSArray> receiver,
-                               Handle<FixedArrayBase> backing_store,
-                               uint32_t start, uint32_t delete_count,
-                               uint32_t add_count, uint32_t len,
-                               uint32_t new_length) {
-    const int move_left_count = len - delete_count - start;
-    const int move_left_dst_index = start + add_count;
-    Subclass::MoveElements(isolate, receiver, backing_store,
-                           move_left_dst_index, start + delete_count,
-                           move_left_count, new_length, len);
-  }
-
-  // SpliceGrowStep might modify the backing_store.
-  static Handle<FixedArrayBase> SpliceGrowStep(
-      Isolate* isolate, Handle<JSArray> receiver,
-      Handle<FixedArrayBase> backing_store, uint32_t start,
-      uint32_t delete_count, uint32_t add_count, uint32_t length,
-      uint32_t new_length) {
-    // Check we do not overflow the new_length.
-    DCHECK((add_count - delete_count) <= (Smi::kMaxValue - length));
-    // Check if backing_store is big enough.
-    if (new_length <= static_cast<uint32_t>(backing_store->length())) {
-      Subclass::MoveElements(isolate, receiver, backing_store,
-                             start + add_count, start + delete_count,
-                             (length - delete_count - start), 0, 0);
-      // MoveElements updates the backing_store in-place.
-      return backing_store;
-    }
-    // New backing storage is needed.
-    int capacity = JSObject::NewElementsCapacity(new_length);
-    // Partially copy all elements up to start.
-    Handle<FixedArrayBase> new_elms = Subclass::ConvertElementsWithCapacity(
-        receiver, backing_store, KindTraits::Kind, capacity, start);
-    // Copy the trailing elements after start + delete_count
-    Subclass::CopyElementsImpl(isolate, *backing_store, start + delete_count,
-                               *new_elms, KindTraits::Kind, start + add_count,
-                               kPackedSizeNotKnown,
-                               ElementsAccessor::kCopyToEndAndInitializeToHole);
-    receiver->set_elements(*new_elms);
-    return new_elms;
-  }
-
  static Handle<Object> RemoveElement(Handle<JSArray> receiver,
                                      Where remove_position) {
    Isolate* isolate = receiver->GetIsolate();

--- a/src/elements.h
+++ b/src/elements.h
@@ -135,10 +135,6 @@ class ElementsAccessor {
  virtual Handle<JSObject> Slice(Handle<JSObject> receiver, uint32_t start,
                                 uint32_t end) = 0;

-  virtual Handle<JSArray> Splice(Handle<JSArray> receiver,
-                                 uint32_t start, uint32_t delete_count,
-                                 Arguments* args, uint32_t add_count) = 0;
-
  virtual Handle<Object> Pop(Handle<JSArray> receiver) = 0;

  virtual Handle<Object> Shift(Handle<JSArray> receiver) = 0;

--- a/src/flag-definitions.h
+++ b/src/flag-definitions.h
@@ -874,8 +874,6 @@ DEFINE_BOOL(expose_trigger_failure, false, "expose trigger-failure extension")
 DEFINE_INT(stack_trace_limit, 10, "number of stack frames to capture")
 DEFINE_BOOL(builtins_in_stack_traces, false,
            "show built-in functions in stack traces")
-DEFINE_BOOL(enable_experimental_builtins, false,
-            "enable new csa-based experimental builtins")
 DEFINE_BOOL(disallow_code_generation_from_strings, false,
            "disallow eval and friends")
 DEFINE_BOOL(expose_async_hooks, false, "expose async_hooks object")

--- a/src/js/array.js
+++ b/src/js/array.js
@@ -200,35 +200,6 @@ function ConvertToString(use_locale, x, locales, options) {
  return TO_STRING(x);
 }

-
-// This function implements the optimized splice implementation that can use
-// special array operations to handle sparse arrays in a sensible fashion.
-function SparseSlice(array, start_i, del_count, len, deleted_elements) {
-  // Move deleted elements to a new array (the return value from splice).
-  var indices = %GetArrayKeys(array, start_i + del_count);
-  if (IS_NUMBER(indices)) {
-    var limit = indices;
-    for (var i = start_i; i < limit; ++i) {
-      var current = array[i];
-      if (!IS_UNDEFINED(current) || i in array) {
-        %CreateDataProperty(deleted_elements, i - start_i, current);
-      }
-    }
-  } else {
-    var length = indices.length;
-    for (var k = 0; k < length; ++k) {
-      var key = indices[k];
-      if (key >= start_i) {
-        var current = array[key];
-        if (!IS_UNDEFINED(current) || key in array) {
-          %CreateDataProperty(deleted_elements, key - start_i, current);
-        }
-      }
-    }
-  }
-}
-
-
 // This function implements the optimized splice implementation that can use
 // special array operations to handle sparse arrays in a sensible fashion.
 function SparseMove(array, start_i, del_count, len, num_additional_args) {
@@ -442,83 +413,6 @@ function ArraySliceFallback(start, end) {
  return null;
 }

-function ComputeSpliceStartIndex(start_i, len) {
-  if (start_i < 0) {
-    start_i += len;
-    return start_i < 0 ? 0 : start_i;
-  }
-
-  return start_i > len ? len : start_i;
-}
-
-
-function ComputeSpliceDeleteCount(delete_count, num_arguments, len, start_i) {
-  // SpiderMonkey, TraceMonkey and JSC treat the case where no delete count is
-  // given as a request to delete all the elements from the start.
-  // And it differs from the case of undefined delete count.
-  // This does not follow ECMA-262, but we do the same for
-  // compatibility.
-  var del_count = 0;
-  if (num_arguments == 1)
-    return len - start_i;
-
-  del_count = TO_INTEGER(delete_count);
-  if (del_count < 0)
-    return 0;
-
-  if (del_count > len - start_i)
-    return len - start_i;
-
-  return del_count;
-}
-
-
-function ArraySpliceFallback(start, delete_count) {
-  var num_arguments = arguments.length;
-  var array = TO_OBJECT(this);
-  var len = TO_LENGTH(array.length);
-  var start_i = ComputeSpliceStartIndex(TO_INTEGER(start), len);
-  var del_count = ComputeSpliceDeleteCount(delete_count, num_arguments, len,
-                                           start_i);
-  var num_elements_to_add = num_arguments > 2 ? num_arguments - 2 : 0;
-
-  const new_len = len - del_count + num_elements_to_add;
-  if (new_len >= 2**53) throw %make_type_error(kInvalidArrayLength);
-
-  var deleted_elements = ArraySpeciesCreate(array, del_count);
-  deleted_elements.length = del_count;
-
-  var changed_elements = del_count;
-  if (num_elements_to_add != del_count) {
-    // If the slice needs to do a actually move elements after the insertion
-    // point, then include those in the estimate of changed elements.
-    changed_elements += len - start_i - del_count;
-  }
-  if (UseSparseVariant(array, len, IS_ARRAY(array), changed_elements)) {
-    %NormalizeElements(array);
-    if (IS_ARRAY(deleted_elements)) %NormalizeElements(deleted_elements);
-    SparseSlice(array, start_i, del_count, len, deleted_elements);
-    SparseMove(array, start_i, del_count, len, num_elements_to_add);
-  } else {
-    SimpleSlice(array, start_i, del_count, len, deleted_elements);
-    SimpleMove(array, start_i, del_count, len, num_elements_to_add);
-  }
-
-  // Insert the arguments into the resulting array in
-  // place of the deleted elements.
-  var i = start_i;
-  var arguments_index = 2;
-  var arguments_length = arguments.length;
-  while (arguments_index < arguments_length) {
-    array[i++] = arguments[arguments_index++];
-  }
-  array.length = new_len;
-
-  // Return the deleted elements.
-  return deleted_elements;
-}
-
-
 function InnerArraySort(array, length, comparefn) {
  // In-place QuickSort algorithm.
  // For short (length <= 10) arrays, insertion sort is used for efficiency.
@@ -755,7 +649,6 @@ utils.Export(function(to) {
  "array_keys_iterator", ArrayKeys,
  "array_values_iterator", ArrayValues,
  // Fallback implementations of Array builtins.
-  "array_splice", ArraySpliceFallback,
  "array_unshift", ArrayUnshiftFallback,
 ]);


--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -30,6 +30,16 @@ RUNTIME_FUNCTION(Runtime_TransitionElementsKind) {
  return *object;
 }

+RUNTIME_FUNCTION(Runtime_TransitionElementsKindWithKind) {
+  HandleScope scope(isolate);
+  DCHECK_EQ(2, args.length());
+  CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
+  CONVERT_ARG_HANDLE_CHECKED(Smi, elements_kind_smi, 1);
+  ElementsKind to_kind = static_cast<ElementsKind>(elements_kind_smi->value());
+  JSObject::TransitionElementsKind(object, to_kind);
+  return *object;
+}
+
 namespace {
 // Find the next free position. undefined and holes are both considered
 // free spots. Returns "Nothing" if an exception occurred.

--- a/src/runtime/runtime.h
+++ b/src/runtime/runtime.h
@@ -36,21 +36,22 @@ namespace internal {
 // A variable number of arguments is specified by a -1, additional restrictions
 // are specified by inline comments

-#define FOR_EACH_INTRINSIC_ARRAY(F) \
-  F(ArrayIncludes_Slow, 3, 1)       \
-  F(ArrayIndexOf, 3, 1)             \
-  F(ArrayIsArray, 1, 1)             \
-  F(ArraySpeciesConstructor, 1, 1)  \
-  F(EstimateNumberOfElements, 1, 1) \
-  F(GetArrayKeys, 2, 1)             \
-  F(GrowArrayElements, 2, 1)        \
-  F(HasComplexElements, 1, 1)       \
-  F(IsArray, 1, 1)                  \
-  F(MoveArrayContents, 2, 1)        \
-  F(NewArray, -1 /* >= 3 */, 1)     \
-  F(NormalizeElements, 1, 1)        \
-  F(PrepareElementsForSort, 2, 1)   \
-  F(TransitionElementsKind, 2, 1)   \
+#define FOR_EACH_INTRINSIC_ARRAY(F)       \
+  F(ArrayIncludes_Slow, 3, 1)             \
+  F(ArrayIndexOf, 3, 1)                   \
+  F(ArrayIsArray, 1, 1)                   \
+  F(ArraySpeciesConstructor, 1, 1)        \
+  F(EstimateNumberOfElements, 1, 1)       \
+  F(GetArrayKeys, 2, 1)                   \
+  F(GrowArrayElements, 2, 1)              \
+  F(HasComplexElements, 1, 1)             \
+  F(IsArray, 1, 1)                        \
+  F(MoveArrayContents, 2, 1)              \
+  F(NewArray, -1 /* >= 3 */, 1)           \
+  F(NormalizeElements, 1, 1)              \
+  F(PrepareElementsForSort, 2, 1)         \
+  F(TransitionElementsKind, 2, 1)         \
+  F(TransitionElementsKindWithKind, 2, 1) \
  F(TrySliceSimpleNonFastElements, 3, 1)

 #define FOR_EACH_INTRINSIC_ATOMICS(F)  \

--- a/test/mjsunit/array-functions-prototype-misc.js
+++ b/test/mjsunit/array-functions-prototype-misc.js
@@ -31,13 +31,8 @@
 * should work on other objects too, so we test that too.
 */

-var LARGE = 400000;
-var VERYLARGE = 4000000000;
-
-// Nicer for firefox 1.5.  Unless you uncomment the following two lines,
-// smjs will appear to hang on this file.
-//var LARGE = 40000;
-//var VERYLARGE = 40000;
+var LARGE = 40000;
+var VERYLARGE = 40000;

 var fourhundredth = LARGE/400;


--- a/test/mjsunit/array-splice.js
+++ b/test/mjsunit/array-splice.js
@@ -445,3 +445,21 @@
                "array.hasOwnProperty(Math.pow(2, 32) - 2)");
  }
 })();
+
+// Verify that fast implementations aren't confused by empty DOUBLE element arrays
+(function() {
+
+  function foo(dontAddAnything) {
+    let a = [];
+    if (dontAddAnything === undefined) {
+      a[1] = 0.5;
+    }
+    return a.splice(0, 0, 3.5);
+  }
+
+  // Learn via allocation site tracking to create double arrays in foo().
+  foo();
+  foo();
+  // force splice to copy the input array.
+  foo(true);
+})();
--- a/test/mjsunit/regress/regress-crbug-876443.js
+++ b/test/mjsunit/regress/regress-crbug-876443.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags:
+
+var a = [5.65];
+a.splice(0);
+var b = a.splice(-4, 9, 10);
--- a/test/mjsunit/regress/regress-splice-large-index.js
+++ b/test/mjsunit/regress/regress-splice-large-index.js
@@ -32,10 +32,3 @@ assertEquals(0xffffffff, a.length);
 assertEquals(10, a[0xffffffff]);
 assertEquals(0xffffffff, a.length);
 assertEquals(undefined, a[0xfffffffe]);
-
-a = [1,2,3];
-a[0xfffffffe] = 10;
-assertThrows("a.splice(1,1,7,7,7,7,7);", RangeError);
-assertEquals([1,7,7,7,7,7,3], a.slice(0, 7));
-assertEquals(0xffffffff, a.length);
-assertEquals(10, a[0xfffffffe + 5 - 1]);
--- a/test/mozilla/mozilla.status
+++ b/test/mozilla/mozilla.status
@@ -184,6 +184,11 @@
  # characters. This takes a long time to run (~32 seconds).
  'js1_5/GC/regress-348532': [SKIP],

+  # Takes a really long time to run, creating an Array of length
+  # 2^32 - 1. Related to removal of "sparse" array support for
+  # splice and friends:
+  # https://bugs.chromium.org/p/v8/issues/detail?id=8131.
+  'ecma_3/Array/regress-322135-03': [SKIP],

  # Runs for too long: huge array with getters and setters. As it says
  # in the test: "This test will probably run out of memory".

--- a/test/test262/test262.status
+++ b/test/test262/test262.status
@@ -598,9 +598,6 @@
  'intl402/Locale/prototype/toStringTag/toStringTag': [FAIL],
  'intl402/Locale/prototype/toStringTag/toString': [FAIL],

-  # https://bugs.chromium.org/p/v8/issues/detail?id=7814
-  'built-ins/Array/prototype/splice/property-traps-order-with-species': [FAIL],
-
  # https://bugs.chromium.org/p/v8/issues/detail?id=6705
  'built-ins/Object/assign/strings-and-symbol-order': [FAIL],

@@ -683,8 +680,6 @@

  # https://bugs.chromium.org/p/v8/issues/detail?id=6538
  'built-ins/Array/prototype/unshift/throws-if-integer-limit-exceeded': [SKIP],
-  'built-ins/Array/prototype/splice/create-species-length-exceeding-integer-limit': [FAIL],
-  'built-ins/Array/prototype/splice/throws-if-integer-limit-exceeded': [SKIP],

  # https://bugs.chromium.org/p/v8/issues/detail?id=6541
  'language/export/escaped-as-export-specifier': [FAIL],

--- a/test/webkit/array-splice.js
+++ b/test/webkit/array-splice.js
@@ -54,8 +54,3 @@ shouldBe("arr.splice(2, -1)", "[]")
 shouldBe("arr", "['a','b','c']");
 shouldBe("arr.splice(2, 100)", "['c']")
 shouldBe("arr", "['a','b']");
-
-// Check this doesn't crash.
-try {
-    String(Array(0xFFFFFFFD).splice(0));
-} catch (e) { }