String wrappers (new String("foo")) are special objects: their string
characters are accessed like elements, and they also have an elements
backing store. This used to require a bunch of explicit checks like:

if (obj->IsJSValue() && JSValue::cast(obj)->value()->IsString()) {
  /* Handle string characters */
}
// Handle regular elements (for string wrappers and other objects)
obj->GetElementsAccessor()->Whatever(...);

This CL introduces new ElementsKinds for string wrapper objects (one for
fast elements, one for dictionary elements), which allow folding the
special-casing into new StringWrapperElementsAccessors.

No observable change in behavior is intended.

Review URL: https://codereview.chromium.org/1612323003

Cr-Commit-Position: refs/heads/master@{#33616}

This replace HeapType with a dedicated class that implements just what we need for field type tracking. In the next CL, I plan to remove FieldType::Iterator because FieldType can iterate over at most one map.

The ultimate plan is to get rid of templates in types.(h|cc) and remove type-inl.h.

TBR=rossberg@chromium.org

Review URL: https://codereview.chromium.org/1636013002

Cr-Commit-Position: refs/heads/master@{#33521}

BUG=chromium:570131
LOG=N

Review URL: https://codereview.chromium.org/1546933002

Cr-Commit-Position: refs/heads/master@{#33029}

During property reconfiguring ensure that the first map that gets new descriptors is the one that owns the whole descriptor array.

This is necessary to guarantee that the whole descriptor would be marked, otherwise DescriptorArray pretenuring would cause crashes.

Review URL: https://codereview.chromium.org/1520613006

Cr-Commit-Position: refs/heads/master@{#32812}

* Move most heap related tests into heap/ subdir
* IWYU for heap utility functions

R=ulan@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1512553002

Cr-Commit-Position: refs/heads/master@{#32706}

Embedders still can use those APIs by default

test-api.cc still has an exception to use the old APIs...

BUG=v8:4143
R=vogelheim@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1505803004

Cr-Commit-Position: refs/heads/master@{#32701}

The test expectations should fail consistently in both release and debug
builds. DCHECK is only meant for debug-only checks in production code.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1506753002

Cr-Commit-Position: refs/heads/master@{#32639}

BUG=none
R=verwaest@chromium.org,rossberg@chromium.org,bmeurer@chromium.org,neis@chromium.org
LOG=y

Review URL: https://codereview.chromium.org/1413463006

Cr-Commit-Position: refs/heads/master@{#32014}

BUG=

Review URL: https://codereview.chromium.org/1374163002

Cr-Commit-Position: refs/heads/master@{#30998}

Revert of [heap] Remove retry space from AllocateRaw. (patchset #3 id:40001 of https://codereview.chromium.org/1370123002/ )

Reason for revert:
Breaks arm64 nosnap simulator (bogus cctest?): https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug%20-%201/builds/2934/steps/Bisect%202786ceec.Retry/logs/IncrementalWriteBarri..

Original issue's description:
> [heap] Remove retry space from AllocateRaw.
>
> BUG=
>
> Committed: https://crrev.com/2786ceec1eb491494d24d29a59eefbe3b6704be2
> Cr-Commit-Position: refs/heads/master@{#30984}

TBR=mstarzinger@chromium.org,hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1379493003

Cr-Commit-Position: refs/heads/master@{#30991}

BUG=

Review URL: https://codereview.chromium.org/1370123002

Cr-Commit-Position: refs/heads/master@{#30984}

BUG=chromium:490559
LOG=NO

Review URL: https://codereview.chromium.org/1352453004

Cr-Commit-Position: refs/heads/master@{#30944}

Removes deprecated functions from the following files:

test/cctest/compiler/function-tester.h
test/cctest/test-thread-termination.cc
test/cctest/test-threads.cc
test/cctest/test-transitions.cc
test/cctest/test-typedarrays.cc
test/cctest/test-types.cc
test/cctest/test-typing-reset.cc
test/cctest/test-unbound-queue.cc
test/cctest/test-unboxed-doubles.cc

BUG=v8:4134
LOG=n

Review URL: https://codereview.chromium.org/1344583002

Cr-Commit-Position: refs/heads/master@{#30846}

BUG=

Review URL: https://codereview.chromium.org/1343043002

Cr-Commit-Position: refs/heads/master@{#30746}

BUG=

Review URL: https://codereview.chromium.org/1293283003

Cr-Commit-Position: refs/heads/master@{#30301}

This way we can greatly simplify the different variants of ToObject in
our codebase and make them more uniform and robust.  Adding a new
primitive doesn't require finding and changing all those places again,
but it is sufficient to setup the constructor function index when
allocating the map.

We use the inobject properties field of Map, which is invalid primitive
maps anyway.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1276533003

Cr-Commit-Position: refs/heads/master@{#30119}

Note that there are currently no objects that require a pre-allocated
properties backing store, all such slots are in-object properties from
the begining. Hence {unused + pre_allocated - inobject == 0} holds.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1226203011

Cr-Commit-Position: refs/heads/master@{#29590}

Boolean "is_strong" parameters have begun to proliferate across areas where
strong mode semantics are different. This CL repurposes the existing
ObjectStrength enum as a replacement for them.

BUG=v8:3956
LOG=N

Review URL: https://codereview.chromium.org/1144183004

Cr-Commit-Position: refs/heads/master@{#28839}

Copied, with permission, from https://codereview.chromium.org/1151853003/

Initial patch set is an unmodified copy, rebased on top of related fixes from
https://codereview.chromium.org/1158933002/

Subsequent patch sets contain fixes for remaining bugs in the CL.

BUG=v8:3956
LOG=N

Review URL: https://codereview.chromium.org/1152093003

Cr-Commit-Position: refs/heads/master@{#28760}

BUG=

Review URL: https://codereview.chromium.org/1099783003

Cr-Commit-Position: refs/heads/master@{#28024}

Revert of Reland "LayoutDescriptor should inherit from JSTypedArray" (patchset #3 id:40001 of https://codereview.chromium.org/1094333002/)

Reason for revert:
Breaks gbemu

Original issue's description:
> Reland "LayoutDescriptor should inherit from JSTypedArray"
>
> Original issue's description:
> > LayoutDescriptor should inherit from JSTypedArray
> >
> > It can't just inherit from a FixedTypedArray-like type, as we soon
> > assume that a FixedTypedArray-like type is always held by an
> > ArrayBufferView-like type
> >
> > BUG=v8:3996
> > R=ishell@chromium.org,verwaest@chromium.org
> > LOG=n
>
> BUG=v8:3996
> R=ishell@chromium.org,verwaest@chromium.org
> LOG=n

TBR=ishell@chromium.org,verwaest@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3996

Review URL: https://codereview.chromium.org/1080403004

Cr-Commit-Position: refs/heads/master@{#27975}

Original issue's description:
> LayoutDescriptor should inherit from JSTypedArray
>
> It can't just inherit from a FixedTypedArray-like type, as we soon
> assume that a FixedTypedArray-like type is always held by an
> ArrayBufferView-like type
>
> BUG=v8:3996
> R=ishell@chromium.org,verwaest@chromium.org
> LOG=n

BUG=v8:3996
R=ishell@chromium.org,verwaest@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1094333002

Cr-Commit-Position: refs/heads/master@{#27973}

Revert of LayoutDescriptor should inherit from JSTypedArray (patchset #1 id:1 of https://codereview.chromium.org/1084793004/)

Reason for revert:
breaks mjsunit on debug bots

Original issue's description:
> LayoutDescriptor should inherit from JSTypedArray
>
> It can't just inherit from a FixedTypedArray-like type, as we soon
> assume that a FixedTypedArray-like type is always held by an
> ArrayBufferView-like type
>
> BUG=v8:3996
> R=ishell@chromium.org,verwaest@chromium.org
> LOG=n

TBR=ishell@chromium.org,verwaest@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:3996

Review URL: https://codereview.chromium.org/1073053006

Cr-Commit-Position: refs/heads/master@{#27968}

It can't just inherit from a FixedTypedArray-like type, as we soon
assume that a FixedTypedArray-like type is always held by an
ArrayBufferView-like type

BUG=v8:3996
R=ishell@chromium.org,verwaest@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1084793004

Cr-Commit-Position: refs/heads/master@{#27964}

Revert of Force full GCwhenever CollectAllGarbage is meant to trigger a full GC. (patchset #4 id:60001 of https://codereview.chromium.org/1082973003/)

Reason for revert:
[Sheriff] Breaks http://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap%20-%20debug/builds/3348 and maybe leads to timeouts/crashes on layout test bots:
http://build.chromium.org/p/client.v8/builders/V8-Blink%20Linux%2064/builds/3002

Original issue's description:
> Force full GC whenever CollectAllGarbage is meant to trigger a full GC.
>
> Add a finalize incremental marking mode for CollectAllGarbage to finalize incremental marking when incremental marking is in progress, but we want a full gc at a given CollectAllGarbage call site.
>
> Default mode for CollectAllGarbage is finalize incremental marking and perform a full GC.
>
> BUG=
>
> Committed: https://crrev.com/9c105f0940ba757364ac18fcdf649815ec5ab2d1
> Cr-Commit-Position: refs/heads/master@{#27831}

TBR=ulan@chromium.org,hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1088083002

Cr-Commit-Position: refs/heads/master@{#27834}

Add a finalize incremental marking mode for CollectAllGarbage to finalize incremental marking when incremental marking is in progress, but we want a full gc at a given CollectAllGarbage call site.

Default mode for CollectAllGarbage is finalize incremental marking and perform a full GC.

BUG=

Review URL: https://codereview.chromium.org/1082973003

Cr-Commit-Position: refs/heads/master@{#27831}

This reverts commit cbfcee55.

BUG=

Review URL: https://codereview.chromium.org/1051233002

Cr-Commit-Position: refs/heads/master@{#27623}

BUG=chromium:470804
LOG=Y

Review URL: https://codereview.chromium.org/1033273005

Cr-Commit-Position: refs/heads/master@{#27528}

And reland "Use a slot that is located on a heap page when removing
invalid entries from the SlotsBuffer."

This reverts commits de018fbd and
d23a9f7a.

Reason for relanding: looking fine on Canary, let's get these fixes back in.

BUG=chromium:454297,chromium:470801
LOG=y
TBR=ishell@chromium.org

Review URL: https://codereview.chromium.org/1043703003

Cr-Commit-Position: refs/heads/master@{#27507}

This CL also adds useful machinery that helps triggering incremental write barriers.

BUG=chromium:469146
LOG=Y

Review URL: https://codereview.chromium.org/1039733003

Cr-Commit-Position: refs/heads/master@{#27503}

Revert of Reland "Filter invalid slots out from the SlotsBuffer after marking." (patchset #2 id:2 of https://codereview.chromium.org/1032833002/)

Reason for revert:
Reverting risky GC changes that block v8 roll.

Original issue's description:
> Reland "Filter invalid slots out from the SlotsBuffer after marking."
>
> > There are two reasons that could cause invalid slots appearance in SlotsBuffer:
> > 1) If GC trims "tail" of an array for which it has already recorded a slots and then migrate another object to the "tail".
> > 2) Tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
>
> > This CL also adds useful machinery that helps triggering incremental write barriers.
>
> > BUG=chromium:454297
> > LOG=Y
>
> NOTRY=true
>
> Committed: https://crrev.com/f86aadd1d45c756467dff8e08a055b462d7a060b
> Cr-Commit-Position: refs/heads/master@{#27433}

TBR=machenbach@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1041593002

Cr-Commit-Position: refs/heads/master@{#27491}

> There are two reasons that could cause invalid slots appearance in SlotsBuffer:
> 1) If GC trims "tail" of an array for which it has already recorded a slots and then migrate another object to the "tail".
> 2) Tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).

> This CL also adds useful machinery that helps triggering incremental write barriers.

> BUG=chromium:454297
> LOG=Y

NOTRY=true

Review URL: https://codereview.chromium.org/1032833002

Cr-Commit-Position: refs/heads/master@{#27433}

Revert of Filter invalid slots out from the SlotsBuffer after marking. (patchset #6 id:220001 of https://codereview.chromium.org/1010363005/)

Reason for revert:
Need to revert in order to revert https://codereview.chromium.org/1029323003/

Original issue's description:
> Filter invalid slots out from the SlotsBuffer after marking.
>
> There are two reasons that could cause invalid slots appearance in SlotsBuffer:
> 1) If GC trims "tail" of an array for which it has already recorded a slots and then migrate another object to the "tail".
> 2) Tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
>
> This CL also adds useful machinery that helps triggering incremental write barriers.
>
> BUG=chromium:454297
> LOG=Y
>
> Committed: https://crrev.com/5c47c1c0d3e4a488f190c16a64ee02f5a14e6561
> Cr-Commit-Position: refs/heads/master@{#27423}

TBR=hpayer@chromium.org,erik.corry@gmail.com,ishell@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:454297

Review URL: https://codereview.chromium.org/1033453005

Cr-Commit-Position: refs/heads/master@{#27426}

There are two reasons that could cause invalid slots appearance in SlotsBuffer:
1) If GC trims "tail" of an array for which it has already recorded a slots and then migrate another object to the "tail".
2) Tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).

This CL also adds useful machinery that helps triggering incremental write barriers.

BUG=chromium:454297
LOG=Y

Review URL: https://codereview.chromium.org/1010363005

Cr-Commit-Position: refs/heads/master@{#27423}

TBR=verwaest@chromium.org,ulan@chromium.org,ishell@chromium.org
NOTRY=true

Review URL: https://codereview.chromium.org/1027463002

Cr-Commit-Position: refs/heads/master@{#27323}

BUG=

Review URL: https://codereview.chromium.org/1012023002

Cr-Commit-Position: refs/heads/master@{#27259}

Revert of Reland of Remove slots that point to unboxed doubles from the StoreBuffer/SlotsBuffer. (patchset #3 id:40001 of https://codereview.chromium.org/988363002/)

Reason for revert:
Increased rate of Chrome crashes. Requires further investigation.

Original issue's description:
> Reland of Remove slots that point to unboxed doubles from the StoreBuffer/SlotsBuffer.
>
> The problem is that tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
> This CL also adds useful machinery that helps triggering incremental write barriers.
>
> BUG=chromium:454297, chromium:465273
> LOG=Y
>
> Committed: https://crrev.com/6d0677d845c47ab9fa297de61d0e3d8e5480a02a
> Cr-Commit-Position: refs/heads/master@{#27141}

TBR=hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:454297, chromium:465273

Review URL: https://codereview.chromium.org/1004623003

Cr-Commit-Position: refs/heads/master@{#27207}

The problem is that tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
This CL also adds useful machinery that helps triggering incremental write barriers.

BUG=chromium:454297, chromium:465273
LOG=Y

Review URL: https://codereview.chromium.org/988363002

Cr-Commit-Position: refs/heads/master@{#27141}

Revert of Remove slots that point to unboxed doubles from the StoreBuffer/SlotsBuffer. (patchset #4 id:230001 of https://codereview.chromium.org/957273002/)

Reason for revert:
It caused a lot of Canary crashes.

Original issue's description:
> Remove slots that point to unboxed doubles from the StoreBuffer/SlotsBuffer.
>
> The problem is that tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
> This CL also adds useful machinery that helps triggering incremental write barriers.
>
> BUG=chromium:454297
> LOG=Y
>
> Committed: https://crrev.com/9633ebabd405c264d33f603f8798c31f59418dcd
> Cr-Commit-Position: refs/heads/master@{#27054}

TBR=verwaest@chromium.org,hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:454297

Review URL: https://codereview.chromium.org/991793002

Cr-Commit-Position: refs/heads/master@{#27063}

The problem is that tagged slot could become a double slot after migrating of an object to another map with "shifted" fields (for example as a result of generalizing immutable data property to a data field).
This CL also adds useful machinery that helps triggering incremental write barriers.

BUG=chromium:454297
LOG=Y

Review URL: https://codereview.chromium.org/957273002

Cr-Commit-Position: refs/heads/master@{#27054}