This makes sure all use-site of {ObjectLiteral::constant_properties} are
adapted to use the correct {BoilerplateDescription} type instead of just
the {FixedArray} base type.

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2659603003
Cr-Commit-Position: refs/heads/master@{#42738}

R=mstarzinger@chromium.org

BUG=chromium:683566

Review-Url: https://codereview.chromium.org/2653953010
Cr-Commit-Position: refs/heads/master@{#42737}

The StringIndexOf operation is pure on the JS level, but the actual stub
call must be in the effect chain later so that the Scheduler doesn't
place it inside some allocation region (The %StringIndexOf runtime
function may trigger a GC for string flattening).

BUG=chromium:685580
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2657243002
Cr-Commit-Position: refs/heads/master@{#42736}

BUG=chromium:685561

Review-Url: https://codereview.chromium.org/2650273006
Cr-Commit-Position: refs/heads/master@{#42734}

Previously, when restarting a frame, we would rewrite all frames
between the debugger activation and the frame to restart to squash
them, and replace the return address with that of a builtin to
leave that rewritten frame, and restart the function by calling it.

We now simply remember the frame to drop to, and upon returning
from the debugger, we check whether to drop the frame, load the
new FP, and restart the function.

R=jgruber@chromium.org, mstarzinger@chromium.org
BUG=v8:5587

Review-Url: https://codereview.chromium.org/2636913002
Cr-Commit-Position: refs/heads/master@{#42725}

BUG=chromium:685634
R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2658853002
Cr-Commit-Position: refs/heads/master@{#42713}

This corrects the case when we need to allocate a
blocked register, but the blockage happens after a
use as an instruction input, and there's no place to
split before that.

BUG=v8:5888

Review-Url: https://codereview.chromium.org/2652153005
Cr-Original-Commit-Position: refs/heads/master@{#42706}
Committed: https://chromium.googlesource.com/v8/v8/+/ca779b29a60785d962d7cd636f6b0f09e66130b3
Review-Url: https://codereview.chromium.org/2652153005
Cr-Commit-Position: refs/heads/master@{#42710}

Revert of [turbofan] Correct regalloc blocked register behavior (patchset #2 id:60001 of https://codereview.chromium.org/2652153005/ )

Reason for revert:
Introduces new crashers, e.g.

load("test/mjsunit/wasm/wasm-constants.js");
load("test/mjsunit/wasm/wasm-module-builder.js");

(function() {
  var builder = new WasmModuleBuilder();
  builder.addMemory(16, 32, false);
  builder.addFunction("test", kSig_i_iii)
    .addBodyWithEnd([
// body:
kExprI64Const, 0x42,
kExprI64Const, 0x7a,
kExprI64Ctz,
kExprI64Mul,
kExprI64Ctz,
kExprI64Const, 0x41,
kExprI64Ctz,
kExprI64Ctz,
kExprI64Shl,
kExprI64Const, 0x41,
kExprI64Ctz,
kExprI64Ctz,
kExprI64Shl,
kExprF32SConvertI64,
kExprUnreachable,
kExprEnd,   // @20
            ])
            .exportFunc();
  var module = builder.instantiate();
  module.exports.test(1, 2, 3);
})();

Original issue's description:
> [turbofan] Correct regalloc blocked register behavior
>
>
> This corrects the case when we need to allocate a
> blocked register, but the blockage happens after a
> use as an instruction input, and there's no place to
> split before that.
>
> BUG=v8:5888
>
> Review-Url: https://codereview.chromium.org/2652153005
> Cr-Commit-Position: refs/heads/master@{#42706}
> Committed: https://chromium.googlesource.com/v8/v8/+/ca779b29a60785d962d7cd636f6b0f09e66130b3

TBR=bmeurer@chromium.org,jarin@chromium.org,mtrofin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:5888

Review-Url: https://codereview.chromium.org/2654993007
Cr-Commit-Position: refs/heads/master@{#42707}

This corrects the case when we need to allocate a
blocked register, but the blockage happens after a
use as an instruction input, and there's no place to
split before that.

BUG=v8:5888

Review-Url: https://codereview.chromium.org/2652153005
Cr-Commit-Position: refs/heads/master@{#42706}

When testing turning --verify-csa off to generate better code for builtins, mips
started failing mksnapshot due to an assert in instruction-selection-mips.cc's
VisitBinop routine, which creates a buffer to hold InstructionOperand of size 4
that would be overflowed. This fix is somewhat speculative, assuming that either
the LHS or the RHS operand of a mips binary op can be an immediate (as opposed
to the current code which seems to have a code path where both the left and
right operands are added, leading to the buffer overflow). With this fix, the
assert doesn't fire and all of the mips tests run through successfully in debug
mode.

R=ishell@chromium.org
TBR=dusan.m.milosavljevic@gmail.com

Review-Url: https://codereview.chromium.org/2647283009
Cr-Commit-Position: refs/heads/master@{#42701}

The instance type of an object cannot change, only the concrete map
might. So when searching for an instance type witness, we don't need
to pay attention to potentially side-effecting nodes.

R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2652893011
Cr-Commit-Position: refs/heads/master@{#42699}

This makes sure that static guarantees about object maps are not used
accross operations on the effect chain that might trigger a map change.
Such operations are missing the {Operator::kNoWrite} property.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-685506
BUG=chromium:685506

Review-Url: https://codereview.chromium.org/2653273004
Cr-Commit-Position: refs/heads/master@{#42697}

Review-Url: https://codereview.chromium.org/2638393002
Cr-Commit-Position: refs/heads/master@{#42695}

According to the WebAssembly spec no arithmetic operation should ever
return a signalling NaN. With the constant folding in V8, however, it
was possible that some arithmetic operations were elided, and if the
input of the arithmetic operation was a signalling NaN, then also the
result was the same signalling NaN. This CL removes some constant
folding optimizations and adjusts others so that even with constant
folding the result of an arithmetic operation is never a signalling NaN.

R=titzer@chromium.org, rossberg@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2647353007
Cr-Commit-Position: refs/heads/master@{#42694}

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2655533003
Cr-Commit-Position: refs/heads/master@{#42693}

BUG=v8:5267
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2652273003
Cr-Commit-Position: refs/heads/master@{#42691}

The reference map was only recorded when a frame was entered for the
runtime call, but it is also needed when the frame already exists.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2655243002
Cr-Commit-Position: refs/heads/master@{#42687}

First issue I found with my local fuzzing.

R=titzer@chromium.org
BUG=v8:5884

Review-Url: https://codereview.chromium.org/2656563003
Cr-Commit-Position: refs/heads/master@{#42683}

We turn a JSCallFunction node for

  f.apply(receiver, arguments)

into a JSCallForwardVarargs node, when the arguments refers to the
arguments of the outermost optimized code object, i.e. not an inlined
arguments, and the apply method refers to Function.prototype.apply,
and there's no other user of arguments except in frame states.

We also replace the arguments node in the graph with a marker for
the Deoptimizer similar to Crankshaft to make sure we don't materialize
unused arguments just for the sake of deoptimization. We plan to replace
this with a saner EscapeAnalysis based solution soon.

R=jarin@chromium.org
BUG=v8:5267,v8:5726

Review-Url: https://codereview.chromium.org/2655233002
Cr-Commit-Position: refs/heads/master@{#42680}

- Adds Int16x8, Int8x16 types.
- Adds neg, abs unary ops.
- Adds add, sub, mul, and signed / unsigned min / max, comparison ops.

LOG=N
BUG=v8:4124

Review-Url: https://codereview.chromium.org/2638133002
Cr-Commit-Position: refs/heads/master@{#42674}

List of items:
  1. Avoid zero-extending for subsequent 32-bit operations if current operation does not change upper 32-bit or does zero-extending.
  2. Match complex address mode for binary operation where possible (eg. use Add R,MEM).
  3. Detect instruction forms in selector. Eg. kAllowRRR, kAllowRM
  4. Optimize sequence for Int32MulWithOverflow, Int32Div, etc.
  5. Remove Not32/Not64 which is the same as XOR

R=bjaideep@ca.ibm.com, joransiu@ca.ibm.com
BUG=

Review-Url: https://codereview.chromium.org/2649113007
Cr-Commit-Position: refs/heads/master@{#42669}

BUG=

Review-Url: https://codereview.chromium.org/2650813003
Cr-Commit-Position: refs/heads/master@{#42661}

R=titzer@chromium.org, clemensh@chromium.org

Review-Url: https://codereview.chromium.org/2657443003
Cr-Commit-Position: refs/heads/master@{#42658}

It's a common pattern to create a Variable and immediately initialize
it. This adds a new constructor to make that pattern more natural.

BUG=

Review-Url: https://codereview.chromium.org/2657533003
Cr-Commit-Position: refs/heads/master@{#42649}

This fixes the checks of accumulator usage flags in the computation of
the interpreter register liveness during bytecode analysis. The usage
flags at hand are bit patterns as opposed to flat enum values. Use the
safe accessors instead of plain comparison.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-683581
BUG=chromium:683581

Review-Url: https://codereview.chromium.org/2651653005
Cr-Commit-Position: refs/heads/master@{#42648}

This adds support to constant-fold JSGetSuperConstructor(constructor)
for constructors with stable maps, i.e. where we can add a stability
dependency on the constructors map to get notified when the [[Prototype]]
of constructor changes.

R=petermarshall@chromium.org
BUG=v8:5517

Review-Url: https://codereview.chromium.org/2652763010
Cr-Commit-Position: refs/heads/master@{#42647}

In the JSCallReducer we'd inline certain builtins like the Array
constructor or Function builtins across native contexts, which at
this point should be mostly safe, but might lead to cross context
leaks in the future (as it's not obvious that the JSCallReducer)
doesn't maintain this invariant. So better safe than sorry.

R=yangguo@chromium.org
BUG=v8:5267

Review-Url: https://codereview.chromium.org/2651133002
Cr-Commit-Position: refs/heads/master@{#42643}

Speculative reason for issue 684481.

BUG=chromium:684481
TBR=marja@chromium.org,mstarzinger@chromium.org,ahaas@chromium.org,verwaest@chromium.org,

Original issue's description:
> [Parse] ParseInfo owns the parsing Zone.
>
> Moves ownership of the parsing Zone to ParseInfo with a shared_ptr. This is
> in preperation for enabling background compilation jobs for inner functions
> share the AST in the outer-function's parse zone memory (read-only), with the
> and zone being released when all compilation jobs have completed.
>
> BUG=v8:5203, v8:5215
> Review-Url: https://codereview.chromium.org/2632123006
> Cr-Commit-Position: refs/heads/master@{#42562}
> Committed: https://chromium.googlesource.com/v8/v8/+/4b0101d369af121a6daf5e5c731cb939c026d526

Review-Url: https://codereview.chromium.org/2648383005
Cr-Commit-Position: refs/heads/master@{#42633}

We can share almost all of the architecture-specific builtin code with super-call-with-spread.

Info to port-writers: The code in CheckSpreadAndPushToStack has changed slightly from what was in Generate_ConstructWithSpread, in that we take the length of the spreaded parameters from the JSArray rather than the FixedArray backing store.

BUG=v8:5511

Review-Url: https://codereview.chromium.org/2649143002
Cr-Commit-Position: refs/heads/master@{#42632}

R=mstarzinger@chromium.org, bmeurer@chromium.org

BUG=chromium:669242

Review-Url: https://codereview.chromium.org/2645273003
Cr-Commit-Position: refs/heads/master@{#42630}

Implement stepping by remembering the current step action in the wasm
interpreter handle in WasmDebugInfo, and using it when continuing
execution in the interpreter.
The control flow is as follows: After module compilation, the user sets
a breakpoint in wasm. The respective function is redirected to the
interpreter and the breakpoint is set on the interpreter. When it is
hit, we notify all debug event listeners, which might prepare stepping.
When returning from these listeners, before continuing execution, we
check whether stepping was requested and continue execution in the
interpreter accordingly.

Stepping from Wasm to JS and vice versa will be implemented and tested
in a follow-up CL. Testing this requires breakpoints and stepping in
Wasm to be exposed via the inspector interface, such that we can write
an inspector test. This mixed JS-Wasm-execution is hard to set up in a
cctest.

R=titzer@chromium.org, yangguo@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2649533002
Cr-Commit-Position: refs/heads/master@{#42624}

[RELAND with one change: until literal arrays are rooted in the outer
feedback vector (coming in the next days), the runtime-scope.cc change
is held off.]

When a function is declared in global scope, the closure is created
by the DeclareGlobals runtime service. It needs a pointer to the
literals array, already allocated in the feedback vector. This
fixes a bug where it's behavior wasn't in sync with CreateClosure,
which accepts the literals from the vector.

This enables a follow-on performance improvement in the CompileLazy
builtin.

BUG=680637

Review-Url: https://codereview.chromium.org/2634283003
Cr-Commit-Position: refs/heads/master@{#42620}

Chromium coding standard
(https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md#Multiple-inheritance)

In this case, a structure associating the 2 values is sufficient.

BUG=

Review-Url: https://codereview.chromium.org/2651903002
Cr-Commit-Position: refs/heads/master@{#42618}

Port the fast path for accessor inlining to cached property names from
Crankshaft to TurboFan. This constant-folds accesses to document in a
script.

R=jochen@chromium.org
BUG=v8:5548

Review-Url: https://codereview.chromium.org/2646363003
Cr-Commit-Position: refs/heads/master@{#42600}

The hardcoded constant caused a problem for the wasm fuzzer because
when the maximum memory was allocated in a test case, clusterfuzz ran
out of memory. with the command line flag we can set a lower limit
for the fuzzer.

The flag has the value of the constant as its default value, so that
for everything but the fuzzers nothing should change.

R=titzer@chromium.org
BUG=chromium:676888

Review-Url: https://codereview.chromium.org/2626313003
Cr-Commit-Position: refs/heads/master@{#42599}

Add the operator in preparation for actual perf work. The operator is replaced
by the same runtime call as before, during lowering.

BUG=v8:5511

Review-Url: https://codereview.chromium.org/2639233002
Cr-Commit-Position: refs/heads/master@{#42593}

Also, emit a NewWithSpread bytecode for CallNew AST nodes where possible, rather than desugaring in the parser.

BUG=v8:5511

Review-Url: https://codereview.chromium.org/2629363002
Cr-Original-Commit-Position: refs/heads/master@{#42455}
Committed: https://chromium.googlesource.com/v8/v8/+/4bae43471d5685e34d8bd74458889b83e60235a0
Review-Url: https://codereview.chromium.org/2629363002
Cr-Commit-Position: refs/heads/master@{#42590}

  port ea925431 (r42545)

  original commit message:
  On ia32 return statements in C++ automatically convert signalling NaNs
  to quiet NaNs, even when bit_cast is used. This CL removes all uses of
  bit_cast<float> and bit_cast<double> in the wasm compiler and wasm
  interpreter.

BUG=

Review-Url: https://codereview.chromium.org/2648203002
Cr-Commit-Position: refs/heads/master@{#42588}

  port 037200e6 (r42486)

  original commit message:
  The IA32AddPair and IA32SubPair instructions were using an input register as a
  temporary value, which led to registers sometimes being clobbered when they
  shouldn't have been. This led to problems, for example, in calling printf to
  format doubles:

  printf("%f", 1.2345) => 0.61725 (on x86)

BUG=

Review-Url: https://codereview.chromium.org/2645233002
Cr-Commit-Position: refs/heads/master@{#42587}

  port 95a9b761 (r42344)

  original commit message:
  Recognize and emit in-memory comparisons of 8-bit and 16-bit values with
  immediate values that fit.

BUG=

Review-Url: https://codereview.chromium.org/2651553002
Cr-Commit-Position: refs/heads/master@{#42585}