This is so we can build with the flag on in the snapshot.
D8 then needs to be run with --vector-stores.

BUG=
R=machenbach@chromium.org

Review URL: https://codereview.chromium.org/1339593002

Cr-Commit-Position: refs/heads/master@{#30692}

Currently we do this dance between the CallConstructStub, the
CALL_* builtins and the %GetConstructorDelegate, %GetProxyTrap,
and %Apply runtime functions for every [[Construct]] operation on
non-function callables. This is complexity is unnecessary, and can
be simplified to work without any JS builtin. This will also make it
a lot easier to implement ES6 compliant [[Construct]] for proxies.

Also sanitize the invariant for CallConstructStub, which up until now
always restored the context itself, but that force us to always create
another copy of all arguments in case of proxies and other callables,
so we can relax that constraint by making the caller restore the context
(this only affects fullcodegen, since the optimizing compilers already
properly restore the context anyway).

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1335723002

Cr-Commit-Position: refs/heads/master@{#30691}

Grouping of live ranges that would be beneficial if
allocated on the same register. Currently, that means phi
outputs and inputs.

Review URL: https://codereview.chromium.org/1312473018

Cr-Commit-Position: refs/heads/master@{#30690}

PPC: Vector ICs: The Oracle needs to report feedback for the object literals and the count operation.

Port 752b0308

Original commit message:
    The refactoring is because it's awkward and error-prone to deterimine which IC slot an
    ObjectLiteralProperty uses for feedback. The fix is for each one to know it's own slot. In the
    numbering pass, we allocate slots for the ObjectLiteral, then hand out those slots into the
    properties.

    It adds one word to the ObjectLiteralProperty expression - I'm investigating if thats a
    problem.

    This changes makes compiling the object literal cleaner across the three compilers. Also, the
    slot allocation logic in ObjectLiteral::ComputeFeedbackRequirements() was refactoring to mimic
    the style in full-codegen. This is useful since it must remain in sync with
    FullCodegen::VisitObjectLiteral().

R=mvstanton@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1331893003

Cr-Commit-Position: refs/heads/master@{#30689}

When we cannot map top frame's pc to a code object and top frame is JS frame we now assume that it was a frameless invocation of a native function (e.g. __fmod) and try to resolve address on top of the stack into a JS function.

BUG=chromium:529931
LOG=Y

Review URL: https://codereview.chromium.org/1315683007

Cr-Commit-Position: refs/heads/master@{#30688}

Add skeleton version bytecode-graph-builder.{h,cc} for existing
bytecodes.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1291693004

Cr-Commit-Position: refs/heads/master@{#30687}

The refactoring is because it's awkward and error-prone to deterimine which IC slot an
ObjectLiteralProperty uses for feedback. The fix is for each one to know it's own slot. In the
numbering pass, we allocate slots for the ObjectLiteral, then hand out those slots into the
properties.

It adds one word to the ObjectLiteralProperty expression - I'm investigating if thats a
problem.

This changes makes compiling the object literal cleaner across the three compilers. Also, the
slot allocation logic in ObjectLiteral::ComputeFeedbackRequirements() was refactoring to mimic
the style in full-codegen. This is useful since it must remain in sync with
FullCodegen::VisitObjectLiteral().

Review URL: https://codereview.chromium.org/1321993004

Cr-Commit-Position: refs/heads/master@{#30686}

Inner functions must be eagerly parsed for scope analysis, but the full AST is
also kept around even though it's not needed.

This CL mitigates this problem by allocating some AstNodes of the inner function
to a temporary Zone which is deallocated once the scope information has been
built. The remaining nodes (such as VariableProxy) must persist until scope
analysis actually happens, and have to be allocated to a parser-persistent Zone.

BUG=417697
LOG=N

Review URL: https://codereview.chromium.org/1304923004

Cr-Commit-Position: refs/heads/master@{#30685}

Enable loads and stores to global vars through property cell shortcuts installed into parent script context.

Review URL: https://codereview.chromium.org/1330213003

Cr-Commit-Position: refs/heads/master@{#30684}

LoadICs must always return a JS-accessible value (nothing internal).
Dictionary property keys are guaranteed to be unique names.

BUG=chromium:527994
LOG=n

Review URL: https://codereview.chromium.org/1334673003

Cr-Commit-Position: refs/heads/master@{#30683}

BUG=v8:2160
LOG=N
NOTRY=true
R=adamk, machenbach@chromium.org, rossberg

Review URL: https://codereview.chromium.org/1331803003

Cr-Commit-Position: refs/heads/master@{#30682}

Removes deprecated functions from:
- test-unique.cc
- test-unscopables-hidden-prototype.cc
- test-utils-arm64.cc
- test-utils.cc
- test-version.cc
- test-weakmaps.cc
- test-weaksets.cc
- trace-extension.cc
- trace-extension.h

BUG=v8:4134
LOG=n

Review URL: https://codereview.chromium.org/1331013003

Cr-Commit-Position: refs/heads/master@{#30681}

Replace the ADD, SUB, etc. builtins with proper runtime implementations,
and expose them as runtime calls that can be used by the code stubs and
the interpreter (for now).

Also remove all the support runtime functions for ADD, SUB and friends,
namely %NumberAdd, %NumberSub, and so on.

R=mstarzinger@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg,v8_linux_nosnap_dbg

Review URL: https://codereview.chromium.org/1333843002

Cr-Commit-Position: refs/heads/master@{#30680}

This fixes the Runtime_DeclareGlobals performance regression caused by a huge number of global var declarations mentioned in chromium:517778.

BUG=chromium:517778
LOG=N

Review URL: https://codereview.chromium.org/1335633002

Cr-Commit-Position: refs/heads/master@{#30679}

When looking up a special accessor for known TypedArray fields
("length", "byteLength", "byteOffset"), consider the entire prototype
chain, not only the direct prototype.
This allows subclasses of TypedArrays to benefit from fast specialized
accesses.

Review URL: https://codereview.chromium.org/1313493005

Cr-Commit-Position: refs/heads/master@{#30678}

Narrowed the scope of the fix, to make a best effort to avoid DEOPT in
case the hole is loaded, but not to permute the choice of a consolidated
load in case that effort fails.

BUG=chromium:530005
LOG=N

Review URL: https://codereview.chromium.org/1330233004

Cr-Commit-Position: refs/heads/master@{#30677}

BUG=

Review URL: https://codereview.chromium.org/1330153003

Cr-Commit-Position: refs/heads/master@{#30676}

R=conradw@chromium.org

Review URL: https://codereview.chromium.org/1317033009

Cr-Commit-Position: refs/heads/master@{#30675}

The two tests in question got a lot slower and started to timeout now
that the C++ fallback implementation of the %Arguments intrinsics is
composable with respect to inlining.

R=bmeurer@chromium.org,machenbach@chromium.org

Review URL: https://codereview.chromium.org/1330203003

Cr-Commit-Position: refs/heads/master@{#30674}

This removes the aforementioned flag which has been on by default for a
while now. Note that this does not control optimization decisions, only
the last-resort bailout in the graph builder.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1335543002

Cr-Commit-Position: refs/heads/master@{#30673}

port ba7b6413 (r30649)

original commit message:

   This CL makes do with a single dispatcher which inlines the special handling for the Array() call case, loading the allocation site found in the vector and c

BUG=

Review URL: https://codereview.chromium.org/1330993004

Cr-Commit-Position: refs/heads/master@{#30672}

There are now two runtime entries %NewClosure and %NewClosure_Tenured,
with the same signature (one parameter, the SharedFunctionInfo, and the
context of the caller).

Also remove the HFunctionLiteral special case instruction from Crankshaft,
as HCallWithDescriptor with FastNewClosureStub or HCallRuntime with
either %NewClosure or %NewClosure_Tenured can easily do that for you.

Also remove the redundant context parameter from the JSCreateClosure
operator, because every JS operator already takes a context input.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_dbg

Review URL: https://codereview.chromium.org/1329293003

Cr-Commit-Position: refs/heads/master@{#30671}

Fix illegal use of at register when ldc1 and sdc1 are called. Added dchecks to prevent such a usage.

TEST=mjsunit/asm/float64array-negative-offset(r6), mjsunit/asm/float64array-outofbounds(r6)

Review URL: https://codereview.chromium.org/1323763002

Cr-Commit-Position: refs/heads/master@{#30670}

port b37907ff (r30648).

original commit message:

    The number of actual arguments should always be available, there's no
    point in trying to optimize away a simple assignment of an immediate to
    a register before some calls.

    The main motivation is to have a consistent state at the beginning of every
    function. Currently the arguments register (i.e. rax or eax) either contains
    the number of arguments or some random garbage depending on whether
    the callsite decided that the callee might need the information or not.
    This causes trouble with runtime implementations of functions that
    do not set internal_formal_parameter_count to the DontAdaptArguments
    sentinel (we don't have any of those yet), but also makes it impossible
    to sanity check the arguments in the callee, because the callee doesn't
    know whether the caller decided to pass the number of arguments or
    random garbage.

BUG=

Review URL: https://codereview.chromium.org/1335453002

Cr-Commit-Position: refs/heads/master@{#30669}

port ccbb4ff0 (r30629)

original commit message:

    The new Call and CallFunction builtins supersede the current
    CallFunctionStub (and CallIC magic) and will be the single bottleneck
    for all calling, including the currently special Function.prototype.call
    and Function.prototype.apply builtins, which had handwritten (and
    not fully compliant) versions of CallFunctionStub, and also the
    CallIC(s), which where also slightly different.

    This also reduces the overhead for API function calls, which is still
    unnecessary high, but let's do that step-by-step.

    This also fixes a bunch of cases where the implicit ToObject for
    sloppy receivers was done in the wrong context (in the caller
    context instead of the callee context), which basically meant
    that we allowed cross context access to %ObjectPrototype%.

BUG=

Review URL: https://codereview.chromium.org/1332703002

Cr-Commit-Position: refs/heads/master@{#30668}

port db2ba190 (r30634).

original commit message:

    The semantics of the %_CallFunction intrinsic seem to be very unclear,
    which resulted in a lot of bugs. Especially the combination with
    %IsSloppyModeFunction is always a bug, because the receiver would be
    wrapped in the wrong context. So the %IsSloppyModeFunction helper is
    gone now, and many of the buggy uses of %_CallFunction are also
    eliminated.

    If you ever need to call something with a different receiver, then
    %_Call is your friend now. It does what you want and implements the
    call sequence fully (and correct).

Review URL: https://codereview.chromium.org/1336443002

Cr-Commit-Position: refs/heads/master@{#30667}

R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1303333009

Cr-Commit-Position: refs/heads/master@{#30666}

A LiveRange is identified by 2 integers: the vreg() of its TopLevel,
which is the virtual register (operand) ID; and a relative_id(), which has
no meaning in the program, but is valuable in debugging or tracing
scenarios.

This change ensures that relative_id is unique even in cases of splinter
ranges and their children.

Review URL: https://codereview.chromium.org/1318493005

Cr-Commit-Position: refs/heads/master@{#30665}

This desugars the loading of the super constructor function using the
%GetPrototype runtime function in the parser. The produced code remains
the same while fewer parts need to be glued together.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1321343004

Cr-Commit-Position: refs/heads/master@{#30664}

R=binji@chromium.org

Review URL: https://codereview.chromium.org/1327743004

Cr-Commit-Position: refs/heads/master@{#30663}

Port b37907ff

Original commit message:
    The number of actual arguments should always be available, there's no
    point in trying to optimize away a simple assignment of an immediate to
    a register before some calls.

    The main motivation is to have a consistent state at the beginning of every
    function. Currently the arguments register (i.e. rax or eax) either contains
    the number of arguments or some random garbage depending on whether
    the callsite decided that the callee might need the information or not.
    This causes trouble with runtime implementations of functions that
    do not set internal_formal_parameter_count to the DontAdaptArguments
    sentinel (we don't have any of those yet), but also makes it impossible
    to sanity check the arguments in the callee, because the callee doesn't
    know whether the caller decided to pass the number of arguments or
    random garbage.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1314353007

Cr-Commit-Position: refs/heads/master@{#30662}

PPC: On a call to Array(), we patched a call ic. This CL makes do with a single dispatcher which inlines the special handling for the Array() call case, loading the allocation site found in the vector and calling the array constructor stub appropriately.

Port ba7b6413

R=mvstanton@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1322103005

Cr-Commit-Position: refs/heads/master@{#30661}

Adds support for property store operations via Store/KeyedStore ICs. Adds the
following bytecodes:
 - StoreIC
 - KeyedStoreIC

The --vector_store flag is now required for --ignition.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1319833004

Cr-Commit-Position: refs/heads/master@{#30660}

Update the consolidated load case to carefully chose the load mode
based on the consolidated elements kind.

BUG=v8:4380
LOG=N

Review URL: https://codereview.chromium.org/1329793003

Cr-Commit-Position: refs/heads/master@{#30659}

Fix additional cases where the AIX compiler reports that a variable
may be used uninitialized.

R=danno@chromium.org, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1323313003

Cr-Commit-Position: refs/heads/master@{#30658}

Port 40fbed06

Original commit message:
    The last changes for vector store functionality, they are in 3 areas:

    1) The new vector [keyed] store code stubs - implementation.
    2) IC and handler compiler adjustments
    3) Odds and ends. A change in ast.cc, a test update, a small Oracle fix.

R=mvstanton@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1330883002

Cr-Commit-Position: refs/heads/master@{#30657}

Port ccbb4ff0

Original commit message:
    The new Call and CallFunction builtins supersede the current
    CallFunctionStub (and CallIC magic) and will be the single bottleneck
    for all calling, including the currently special Function.prototype.call
    and Function.prototype.apply builtins, which had handwritten (and
    not fully compliant) versions of CallFunctionStub, and also the
    CallIC(s), which where also slightly different.

    This also reduces the overhead for API function calls, which is still
    unnecessary high, but let's do that step-by-step.

    This also fixes a bunch of cases where the implicit ToObject for
    sloppy receivers was done in the wrong context (in the caller
    context instead of the callee context), which basically meant
    that we allowed cross context access to %ObjectPrototype%.

    MIPS and MIPS64 ports contributed by akos.palfi@imgtec.com.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1327093002

Cr-Commit-Position: refs/heads/master@{#30656}

Port db2ba190

Original commit message:
    The semantics of the %_CallFunction intrinsic seem to be very unclear,
    which resulted in a lot of bugs. Especially the combination with
    %IsSloppyModeFunction is always a bug, because the receiver would be
    wrapped in the wrong context. So the %IsSloppyModeFunction helper is
    gone now, and many of the buggy uses of %_CallFunction are also
    eliminated.

    If you ever need to call something with a different receiver, then
    %_Call is your friend now. It does what you want and implements the
    call sequence fully (and correct).

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1310303008

Cr-Commit-Position: refs/heads/master@{#30655}

This makes the C++ fallback implementations for the two intrinsics,
%Arguments and %ArgumentsLength composable with respect to inlining.
Using deoptimization information gives us accurate data here.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-4374
BUG=v8:4374
LOG=n

Review URL: https://codereview.chromium.org/1328363002

Cr-Commit-Position: refs/heads/master@{#30654}

Port ba7b6413

Original commit message:
This CL makes do with a single dispatcher which inlines the special handling for the Array() call case, loading the allocation site found in the vector and calling the array constructor stub appropriately.

BUG=

Review URL: https://codereview.chromium.org/1324093005

Cr-Commit-Position: refs/heads/master@{#30653}