Add new relocation type WASM_MEMORY_SIZE_REFERENCE, use relocatable pointers to update wasm memory size references in generated code.
 - Add new RelocInfo mode WASM_MEMORY_SIZE_REFERENCE in the assembler and add relocation information to immediates in compare instructions.
 - Use relocatable constants for MemSize/BoundsCheck in the wasm compiler

R=titzer@chromium.org, yangguo@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/1921203002
Cr-Commit-Position: refs/heads/master@{#36044}

TEST=mjsunit/array-constructor
R=joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, bjaideep@ca.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/1947233002
Cr-Commit-Position: refs/heads/master@{#36043}

BUG=v8:4959
LOG=N

Review-Url: https://codereview.chromium.org/1949693003
Cr-Commit-Position: refs/heads/master@{#36042}

R=joransiu@ca.ibm.com, cornacch@ca.ibm.com, mbrandy@us.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/1948113002
Cr-Commit-Position: refs/heads/master@{#36041}

Port d2efbf25

R=danno@chromium.org, joransiu@ca.ibm.com, bjaideep@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=chromium:608675
LOG=N

Review-Url: https://codereview.chromium.org/1946193004
Cr-Commit-Position: refs/heads/master@{#36040}

Port 81cb8411

R=binji@chromium.org, joransiu@ca.ibm.com, bjaideep@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=v8:4614
LOG=N

Review-Url: https://codereview.chromium.org/1948043002
Cr-Commit-Position: refs/heads/master@{#36039}

A load instruction will implicitely clear the top 32 bits when writing to a W
register. This patch avoids generating a `mov` instruction to zero-extend the
result in this case.

For example, this occurs in the generated code for dispatching to the next
bytecode in the interpreter:

  kind = BYTECODE_HANDLER
  name = LdaZero
  compiler = turbofan
  Instructions (size = 36)
  0x32e64c60     0  add x19, x19, #0x1 (1)
  0x32e64c64     4  ldrb w0, [x20, x19]
  0x32e64c68     8  mov w0, w0
                    ^^^^^^^^^^
  0x32e64c6c    12  lsl x0, x0, #3
  0x32e64c70    16  ldr x1, [x21, x0]
  0x32e64c74    20  movz x0, #0x0
  0x32e64c78    24  br x1

BUG=

Review-Url: https://codereview.chromium.org/1950013003
Cr-Commit-Position: refs/heads/master@{#36038}

Code common with ObjectHasOwnProperty builtin was moved to CodeStubAssembler.

R=ishell@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com
BUG=v8:2743
LOG=Y

Review-Url: https://codereview.chromium.org/1946303002
Cr-Commit-Position: refs/heads/master@{#36037}

Port fa570e55

R=joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=

Review-Url: https://codereview.chromium.org/1952433002
Cr-Commit-Position: refs/heads/master@{#36036}

R=adamk@chromium.org
BUG=
LOG=N

Review-Url: https://codereview.chromium.org/1952473003
Cr-Commit-Position: refs/heads/master@{#36035}

Move DCHECK to only check for necessary path.

R=joransiu@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/1946003003
Cr-Commit-Position: refs/heads/master@{#36034}

Previously, the species protector was invalidated whenever the __proto__ of
an Array instance was manipulated. Then, if the map's new_target_is_base field
remained set, it was correct to conclude that GetPrototypeOf(array) was
%ArrayPrototype%. However, this choice caused the popular D3 framework to
invalidate the species protector, causing many functions to become slower.

This patch eliminates that aspect of the species protector. Instead, the check
is to look at the instance->map()->prototype(). It is valid to look directly
at the map's prototype slot, ignoring hidden prototypes and proxies, because
- This is only called on Array instances, so the receiver cannot be a Proxy.
- For hidden prototypes, any inaccuracy would only result in conservatively
  taking the slow path.

Theoretically, this patch could make methods applied to arrays from other
contexts slower. However, the slowdown would only affect a particular array
instance and not have a global spill-over effect. Further, the slowdown could
be addressed by tracking, either in the instance's map or in the actual
prototype object, whether it is a %ArrayPrototype% from any context, in a way
which is cheap to query, and use that rather than comparing to the currently
executing native context.

In interactive testing, this patch led the OnShape CAD system to experience
faster load times (110+s -> 40s).

BUG=chromium:606207
LOG=Y

Review-Url: https://codereview.chromium.org/1936393002
Cr-Commit-Position: refs/heads/master@{#36033}

TEST=cctest/test-api/Regress470113 --ignition
R=joransiu@ca.ibm.com, mbrandy@us.ibm.com, michael_dawson@ca.ibm.com, bjaideep@ca.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/1944333002
Cr-Commit-Position: refs/heads/master@{#36032}

This method provides ability to get all properties of the object with passed filter in addition to existing GetOwnPropertyNames(context) method that returns only enumerable properties.

BUG=v8:3861,chromium:581495
R=yangguo@chromium.org
LOG=Y

Review-Url: https://codereview.chromium.org/1943773002
Cr-Commit-Position: refs/heads/master@{#36031}

This removes some low-level accessors from the CompilationInfo which
only delegate to the ParseInfo. Instead we add a helper that computes
the flags passed to DeclareGlobals for all backends.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/1952623002
Cr-Commit-Position: refs/heads/master@{#36030}

We sometimes used to continue by jumping _back_ to the condition check at the
top of the loop. After my recent generator-related changes, that check is no
longer at the loop header, so a continue could create an additional loop. In
order to avoid this, we now always set the continue target to be the first
instruction following the loop body.

BUG=

Review-Url: https://codereview.chromium.org/1943383003
Cr-Commit-Position: refs/heads/master@{#36029}

Do not visit the constant pool pointer frame slot.

TEST=cctest/test-api/Regress137496 --ignition
R=danno@chromium.org, mcilroy@chromium.org, bjaideep@ca.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/1950623002
Cr-Commit-Position: refs/heads/master@{#36028}

The observer might want to lookup something in the heap, e.g. code objects
it has in the call stack.

BUG=v8:4959
LOG=N

Review-Url: https://codereview.chromium.org/1948893002
Cr-Commit-Position: refs/heads/master@{#36027}

BUG=

Review-Url: https://codereview.chromium.org/1943893003
Cr-Commit-Position: refs/heads/master@{#36026}

BUG=chromium:588893, chromium:325923
LOG=n
R=verwaest@chromium.org

Review-Url: https://codereview.chromium.org/1943303002
Cr-Commit-Position: refs/heads/master@{#36025}

Unlike previous implementation where the 'continue' keyword was a feature of a return statement the keyword is now recognized as a part of expression. Error reporting was significantly improved.

--harmony-explicit-tailcalls option is now orthogonal to --harmony-tailcalls so we can test both modes at the same time.

This CL also adds %GetExceptionDetails(exception) that fetches hidden |start_pos| and |end_pos| values from the exception object.

BUG=v8:4915
LOG=N

Review-Url: https://codereview.chromium.org/1928203002
Cr-Commit-Position: refs/heads/master@{#36024}

The macro was Using SmiTag(Int32Constant()) was causing some unnecessary shifts to be emitted in the deferred code.

Also, when allocating in new space, the macro now uses Runtime::kAllocateInNewSpace.

Review-Url: https://codereview.chromium.org/1945263002
Cr-Commit-Position: refs/heads/master@{#36023}

Now that everything is properly wired to the effect chain when we get to
ChangeLowering, we can safely inline the allocation fast path and only
need to consule the slow path stub fallback when bump pointer allocation
fails.

R=jarin@chromium.org
BUG=v8:4931
LOG=n

Review-Url: https://codereview.chromium.org/1951853002
Cr-Commit-Position: refs/heads/master@{#36022}

This fixes a bug where returning from a class literal inside
a try-finally didn't restore the context properly when
entering the finally clause.

BUG=v8:4965
LOG=n

Review-Url: https://codereview.chromium.org/1952633002
Cr-Commit-Position: refs/heads/master@{#36021}

R=verwaest@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/1949493004
Cr-Commit-Position: refs/heads/master@{#36020}

BUG=

Review-Url: https://codereview.chromium.org/1944813002
Cr-Commit-Position: refs/heads/master@{#36019}

It is already effectively disabled by --scavenge_reclaim_unmodified_objects.

BUG=

Review-Url: https://codereview.chromium.org/1944793002
Cr-Commit-Position: refs/heads/master@{#36018}

Port b994ad45

Original commit message:
Also factor out test cases from test-run-machops.cc into test-run-load-store.cc

TEST=cctest/test-run-load-store/RunLoadStoreZeroExtend64, cctest/test-run-load-store/RunOobCheckedLoadT_pseudo7, cctest/test-run-load-store/RunOobCheckedLoad_pseudo7
BUG=chromium:599717
LOG=Y

Review-Url: https://codereview.chromium.org/1907363002
Cr-Commit-Position: refs/heads/master@{#36017}

Maps that are immortal immovable (i.e. the one pointer filler map) don't
need write barriers.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1945023003
Cr-Commit-Position: refs/heads/master@{#36016}

Since Ignition dispatch counters have been made accessible from
JavaScript via getIgnitionDispatchCounters() in [1], writing
them to a file at the end of the execution does not seem the best
default anymore.

Following this commit, a file is written only if d8 is invoked
with --trace-ignition-dispatches-output-file.

[1] https://crrev.com/905becd13b8696e126255decf130fdb9e1d9aa30

LOG=N
BUG=v8:4899

Review-Url: https://codereview.chromium.org/1943923002
Cr-Commit-Position: refs/heads/master@{#36015}

This allows for top-level eval code to be parsed properly before doing
optimization. It uses the same kind of re-parsing we already perform
when compiling code for debugging.

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/1884143003
Cr-Commit-Position: refs/heads/master@{#36014}

When storing an immediate integer or floating point zero, use the zero register
as the source value. This avoids the need to sometimes allocate a new register.

BUG=

Review-Url: https://codereview.chromium.org/1945783002
Cr-Commit-Position: refs/heads/master@{#36013}

Sampling heap profiler keeps weak references. These should be marked
independent so that the weak callback can be dispatched on new space
collections.

BUG=v8:4959
LOG=N
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/1945193002
Cr-Commit-Position: refs/heads/master@{#36012}

BUG=chromium:598319
LOG=N

Review-Url: https://codereview.chromium.org/1948573003
Cr-Commit-Position: refs/heads/master@{#36011}

The language mode is no longer constant accross a compilation unit. For
example the extends clause of a class literal can be in strict mode even
though the surrounding function is in sloppy mode. This makes any global
language mode predicate that reasons over an entire function inherently
dangerous. Instead one should use the appropriate predicate on scopes or
literals directly.

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/1949013002
Cr-Commit-Position: refs/heads/master@{#36010}

Before this patch, we would emit a cmp or test with a memory operand only if both of the operands in the IR were loads. Now if either of them is a load and the other one is an immediate, we can use a memory operand if the load representation machine size is wide enough to represent the latter.

Review-Url: https://codereview.chromium.org/1948453002
Cr-Commit-Position: refs/heads/master@{#36009}

R=ahaas@chromium.org,bradnelson@chromium.org
BUG=chromium:608630
LOG=Y

Review-Url: https://codereview.chromium.org/1943313002
Cr-Commit-Position: refs/heads/master@{#36008}

The predicate in question was a workaround for when the compilation
pipeline still kept bytecode and baseline code on the same shared
function info. It is not longer needed. In the long run we want a
predicate which can determine the exact tier for each function.

R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/1940913002
Cr-Commit-Position: refs/heads/master@{#36007}

The inline allocation sequence in the optimizing compilers cannot deal
well with funky types like JSRegExp, which have some magic fields in
addition to the inobject properties. In Crankshaft we already use the
FastNewObjectStub for %_NewObject in general, so fix TurboFan to the same.
Hopefully one day we can kill %_NewObject completely.

R=jarin@chromium.org
BUG=chromium:609029
LOG=n

Review-Url: https://codereview.chromium.org/1943403004
Cr-Commit-Position: refs/heads/master@{#36006}

Review-Url: https://codereview.chromium.org/1946883003
Cr-Commit-Position: refs/heads/master@{#36005}