... and use Smi Map::kPrototypeChainValid for the cases where direct receiver's
prototype is not JSObject instead of creating a new valid cell for each such
case. This will make a validity cell checking code simpler.

Bug: v8:5988
Change-Id: I52cf55797171cc8021d80e4e441615d0c8fc8bd4
Reviewed-on: https://chromium-review.googlesource.com/951384
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51803}

... and use it in the implementation of array literal spreads,
replacing calls to %AppendElement.

Array spreads in destructuring will be taken care of in a separate CL.

Bug: v8:5940, v8:7446
Change-Id: Idec52398902a7fd3c1244852cf73246f142404f0
Reviewed-on: https://chromium-review.googlesource.com/915364
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51709}

This check verifies that all .h files in the src/ directory have an
include guard of the form

 #ifndef V8_PATH_TO_FILE_H_
 #define V8_PATH_TO_FILE_H_
 // ...
 #endif  // V8_PATH_TO_FILE_H_

The check can be skipped with a magic comment:

 // PRESUBMIT_INTENTIONALLY_MISSING_INCLUDE_GUARD

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I0a7b96abec289ad60f64ba8418f1892a6969596d
Reviewed-on: https://chromium-review.googlesource.com/897487Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51079}

... to ease its inlining to the bytecode handlers.
The new code organisation still don't produce unwanted frame creation
code on a fast path.

Bug: v8:7206, chromium:576312
Change-Id: Ib516ae0795ff1788b3a7e0bb521f72dfa68444f0
Reviewed-on: https://chromium-review.googlesource.com/833869
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50257}

This CL removes LoadScriptContextFieldStub and StoreScriptContextFieldStub.

Bug: v8:7206, chromium:576312
Change-Id: I217eeb726ca7d1ec85a67331da4941b9ac2a4b7a
Reviewed-on: https://chromium-review.googlesource.com/831867Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50177}

... by "inlining" the Tuple2 object into the data handler.

Bug: v8:7206, v8:5561
Change-Id: I8517b2faa8d13bd16b8ec99c7ea8ab97c73a5f2a
Reviewed-on: https://chromium-review.googlesource.com/819233Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50164}

Bug: v8:7206, v8:5561
Change-Id: I3b0e569ac52c889e1b1897cd98bcb7799f308ffb
Reviewed-on: https://chromium-review.googlesource.com/819254
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50114}

This CL also adds support for "lookup on dictionary receivers" to store ICs.

Bug: v8:7206, v8:5561
Change-Id: Icebbc2d52c71f5d25b43f2f2a8adf674e4ec2cbc
Reviewed-on: https://chromium-review.googlesource.com/819232
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50113}

This CL also removes LoadICProtoArray* builtins which are no longer necessary.

Bug: v8:7206, v8:5561
Change-Id: Ic5d9a3d4d21c4bd5e5e1cd110bd029ced157a000
Reviewed-on: https://chromium-review.googlesource.com/819252
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50104}

... instead of checking if the property cell is still empty when loading/storing
through JSGlobalObject prototype.

Also invalidate the validity cell when new global lexical variables appear in the
script.

Bug: v8:5561
Change-Id: Iaf122dffe76d57b32e2b69291dee079e772b271c
Reviewed-on: https://chromium-review.googlesource.com/819230Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50100}

The dispatcher is responsible for handling stores to lexical environment
variables and for storing directly to the JSGlobalObject. In the latter
case the dispatcher also ensures that JSGlobalProxy is provided as
a receiver if a setter function has to be called.
Unlike StoreIC the calling convention for the StoreGlobalIC does not include
receiver.

Bug: v8:7206, chromium:576312, v8:5561
Change-Id: Ifa896c7b41bf440785b757c2272ec91211e79c98
Reviewed-on: https://chromium-review.googlesource.com/818965
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50081}

- When a dictionary mode prototype changes, invalidate the validity cell.
- The dictionary mode prototypes don't need to be gathered into an array in InitPrototypeChecks.

Bug: v8:7159
Change-Id: I1c7bbaf4b20556f44df18be1463d38fa4fbabe05
Reviewed-on: https://chromium-review.googlesource.com/793732Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49857}

Thanks Igor and Jakob for the hard work to migrate ICs to data-driven handlers!
This is done as of this CL.

Bug: v8:5561
Change-Id: Icf1ddf0065e3aa85ac7efe4b99f74821ce3c0ac2
Reviewed-on: https://chromium-review.googlesource.com/756842
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49203}

Bug: v8:5561
Change-Id: If3a44d1e40c81a764b776725c7b28ead653437b9
Reviewed-on: https://chromium-review.googlesource.com/756833
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49193}

Bug: v8:5561
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I47b7df39e80a66449a1ebe98e30052ced2ef2bd3
Reviewed-on: https://chromium-review.googlesource.com/753326Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49151}

In the special case of KeyedLoadIC, where the key that is passed in is a
Name that is always the same we only checked for identity in both the
stub and the TurboFan case, which works fine for symbols and internalized
strings, but doesn't really work with non-internalized strings, where
the identity check will fail, the runtime will internalize the string,
and the IC will then see the original internalized string again and not
progress in the feedback lattice. This leads to tricky deoptimization
loops in TurboFan and constantly missing ICs.

This adds fixes the stub to always try to internalize strings first
when the identity check fails and then doing the check again. If the
name is not found in the string table we miss, since in that case the
string cannot match the previously recorded feedback name (which is
always a unique name).

In TurboFan we represent this checks with new CheckEqualsSymbol and
CheckEqualsInternalizedString operators, which validate the previously
recorded feedback, and the CheckEqualsInternalizedString operator does
the attempt to internalize the input.

Bug: v8:6936, v8:6948, v8:6969
Change-Id: I3f3b4a587c67f00f7c4b60d239eb98a9626fe04a
Reviewed-on: https://chromium-review.googlesource.com/730224Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48784}

Bug: chromium:764219
Change-Id: I99d1192c5c0f2b8bf47e0f193a0c4d9c00477466
Reviewed-on: https://chromium-review.googlesource.com/712454
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48492}

Only the error cases of overwriting readonly properties need the
language_mode to decide whether to throw or be silent. Reading it
from the feedback vector's metadata (just like the C++ code in
ic.cc does) removes the need to duplicate each stub for each
language_mode ("StoreIC" + "StoreICStrict" etc.).

Change-Id: Ic0c67f9d40ca36c65e41b4f162b2ab70d155e549
Reviewed-on: https://chromium-review.googlesource.com/647373Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47836}

This is a reland of a9f517e2
Original change's description:
> [builtins] Port Proxy set trap to CSA
> 
> Bug: v8:6560, v8:6557
> Change-Id: I329794607e8de324fc696652555aaaeafcf519ec
> Reviewed-on: https://chromium-review.googlesource.com/625940
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Maya Lekova <mslekova@google.com>
> Cr-Commit-Position: refs/heads/master@{#47760}

Bug: v8:6560, v8:6557
Change-Id: I1b32992eac6cc5583a44703eed901e4ad15f1947
Reviewed-on: https://chromium-review.googlesource.com/647447
Commit-Queue: Maya Lekova <mslekova@google.com>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47772}

This reverts commit a9f517e2.

Reason for revert: Makes array sort flaky? https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20debug/builds/17894/steps/OptimizeForSize%20%28flakes%29/logs/array-sort

Original change's description:
> [builtins] Port Proxy set trap to CSA
> 
> Bug: v8:6560, v8:6557
> Change-Id: I329794607e8de324fc696652555aaaeafcf519ec
> Reviewed-on: https://chromium-review.googlesource.com/625940
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Commit-Queue: Maya Lekova <mslekova@google.com>
> Cr-Commit-Position: refs/heads/master@{#47760}

TBR=neis@chromium.org,franzih@chromium.org,ishell@chromium.org,bmeurer@chromium.org,mslekova@google.com

Change-Id: Ibebf5e694945e59bd2808841108e6686af51efaf
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6560, v8:6557
Reviewed-on: https://chromium-review.googlesource.com/646169Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47764}

Bug: v8:6560, v8:6557
Change-Id: I329794607e8de324fc696652555aaaeafcf519ec
Reviewed-on: https://chromium-review.googlesource.com/625940Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Maya Lekova <mslekova@google.com>
Cr-Commit-Position: refs/heads/master@{#47760}

If we pass in thin-string into a keyed load, the underlying internalized string is used to find the handler. However, the thin string itself was used to interpret the handler. Since the thin string itself isn't unique, this caused existing properties on the prototype chain to not be found in case of dictionary-mode prototypes.

Bug: chromium:731193
Change-Id: Ic98d3789ecf9175e17d9c898ab13231aad59efcc
Reviewed-on: https://chromium-review.googlesource.com/539596Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46005}

In general, deleting a property from a fast-properties object
requires transitioning the object to dictionary mode. However,
when the most-recently-added property is deleted, we can simply
roll back the last map transition that the object went through.

This is a performance experiment: it should make things faster,
but if it turns out to have more negative than positive impact,
we will have to revert it.

TBR=bmeurer@chromium.org (just adding a comment)

Previously reviewed at https://codereview.chromium.org/2830093002
Previously landed as 98acfb36 / r44799

Review-Url: https://codereview.chromium.org/2840583002
Cr-Commit-Position: refs/heads/master@{#44808}

Revert of [builtins] DeleteProperty: Handle last-added fast properties (patchset #2 id:20001 of https://codereview.chromium.org/2830093002/ )

Reason for revert:
Breaks:
https://build.chromium.org/p/client.v8/builders/V8%20Mac%20GC%20Stress/builds/12920
and
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/10281

Original issue's description:
> [builtins] DeleteProperty: Handle last-added fast properties
>
> In general, deleting a property from a fast-properties object
> requires transitioning the object to dictionary mode. However,
> when the most-recently-added property is deleted, we can simply
> roll back the last map transition that the object went through.
>
> This is a performance experiment: it should make things faster,
> but if it turns out to have more negative than positive impact,
> we will have to revert it.
>
> TBR=bmeurer@chromium.org (just adding a comment)
>
> Review-Url: https://codereview.chromium.org/2830093002
> Cr-Commit-Position: refs/heads/master@{#44799}
> Committed: https://chromium.googlesource.com/v8/v8/+/98acfb36e1acf2ab52ab6b6439eb6356c83dcda6

TBR=ishell@chromium.org,jkummerow@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2843473002
Cr-Commit-Position: refs/heads/master@{#44806}

In general, deleting a property from a fast-properties object
requires transitioning the object to dictionary mode. However,
when the most-recently-added property is deleted, we can simply
roll back the last map transition that the object went through.

This is a performance experiment: it should make things faster,
but if it turns out to have more negative than positive impact,
we will have to revert it.

TBR=bmeurer@chromium.org (just adding a comment)

Review-Url: https://codereview.chromium.org/2830093002
Cr-Commit-Position: refs/heads/master@{#44799}

BUG=v8:5561

Change-Id: I26330670c526390c05e652b3862f0ef7244f7b19
Reviewed-on: https://chromium-review.googlesource.com/456288
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43991}

BUG=v8:5561

Change-Id: If8f166860b4d4f9f25b15badfda531cbef49db16
Reviewed-on: https://chromium-review.googlesource.com/457341Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43985}

Avoiding runtime call overhead.

BUG=v8:5269

Review-Url: https://codereview.chromium.org/2717203002
Cr-Commit-Position: refs/heads/master@{#43799}

This doesn't support "lookup after interceptor", but that should be unnecessary by now since we have non-masking interceptors.

BUG=

Change-Id: I8650a47ab2ce6fa314de25d0c4775b5c165df179
Reviewed-on: https://chromium-review.googlesource.com/453376Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43766}

Polymorphic IC feedback can contain up to four (map, handler) pairs.

HandlePolymorphicCase already unrolled checks for the first two pairs; these
are guaranteed to exist and can omit bound checks.

This CL unrolls checks against the final two pairs as well.

BUG=v8:5917

Review-Url: https://codereview.chromium.org/2728293005
Cr-Commit-Position: refs/heads/master@{#43650}

This inlines common LoadIC cases into the LdaNamedProperty bytecode
handler. Smi handlers resulting in constant/field loads for
monomorphic ICs omit frame construction. The same counts for the
polymorphic case as long as the target handler is in the first two
vector slots.

Other cases (megamorphic, uninitialized) call the new
LoadIC_Noninlined stub.

Local benchmarks show up to 6% improvement on Sunspider with --future.

BUG=v8:5917

Review-Url: https://codereview.chromium.org/2733563002
Cr-Commit-Position: refs/heads/master@{#43630}

... instead of inlining the dispatchers' code. This should reduce the size of the generated
builtins code.

BUG=

Change-Id: Ia3f68ea8b398f049bad87f6ce93c818f0af4674f
Reviewed-on: https://chromium-review.googlesource.com/447938Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43542}

This is mostly prework to also support prototype chain checks using data handlers

BUG=

Change-Id: I70aac1e86e45c78dfdc9f02d06b7e821494a4c9c
Reviewed-on: https://chromium-review.googlesource.com/447679
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43495}

Avoiding runtime call overhead.
There's a fast path for Function.prototype loads, which are very common.

BUG=v8:5269

Review-Url: https://codereview.chromium.org/2711353002
Cr-Commit-Position: refs/heads/master@{#43474}

This CL includes runtime and IC parts of the tracking. It is controlled by
compile-time flag FLAG_constant_field_tracking and currently disabled.

Transition from kConst to kMutable still involves map deprecation.

BUG=v8:5495

Review-Url: https://codereview.chromium.org/2598543003
Cr-Commit-Position: refs/heads/master@{#43081}

LoadGlobalIC will be inlined into ignition's LdaGlobal family of bytecode
handlers.  This CL splits up LoadGlobalIC into three distinct cases (property
cell, handler, and miss) and introduces the ExitPoint abstraction in order
to make inlining easier.

BUG=v8:5917

Review-Url: https://codereview.chromium.org/2688503002
Cr-Commit-Position: refs/heads/master@{#43055}

The spec for String.split() requires loading "separator[@@split]".
The KeyedLoadIC for this goes generic right away, but still requires
a runtime call. To avoid that, reshuffle checks in the generic stub
and do the primitive-string -> String-function translation inline.

Review-Url: https://codereview.chromium.org/2654893003
Cr-Commit-Position: refs/heads/master@{#42797}

- builtins-ic.cc takes the place of the AccessorAssembler shim
- AccessorAssemblerImpl can then be renamed
- some cleanup in code-factory.cc
- drop old _TF name suffixes
- fix Generate##Name##Impl in TF_BUILTIN macro

Review-Url: https://codereview.chromium.org/2647493002
Cr-Commit-Position: refs/heads/master@{#42520}

LoadFieldStub is the last Crankshaft/Hydrogen stub that stands in the way
of being able to run --ignition-staging --turbo without any Crankshaft support,
even for ICs/stubs.

Review-Url: https://codereview.chromium.org/2595343002
Cr-Commit-Position: refs/heads/master@{#41939}

Also fixed handling of load non-existent handlers outside typeof.

BUG=v8:5561, chromium:662854

Review-Url: https://codereview.chromium.org/2511603002
Cr-Commit-Position: refs/heads/master@{#41073}