- 13 Feb, 2019 1 commit
Georg Neis authored
Change-Id: I7716dab4d6d0ff582acdffb988a05429bccab2ad Reviewed-on: https://chromium-review.googlesource.com/c/1462006 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#59554}
-
- 21 Jan, 2019 1 commit
Clemens Hammacher authored
This is a reland of 4e1d7c87. Failure on arm and arm64 is fixed by https://crrev.com/c/1411885.
Original change's description:
> [wasm] Split compilation in three stages
>
> In order to refactor ownership between objects in wasm compilation, the
> compilation (executed by background tasks) is split in three stages:
> getting a compilation unit (while holding a mutex), executing the work
> (without any mutex and without keeping the NativeModule alive), and
> submitting the work (with a mutex again).
>
> This CL prepares this design by splitting compilation from submission.
> Both steps are still executed right after each other. This will be
> changed in a follow-up CL.
>
> R=titzer@chromium.org
> CC=mstarzinger@chromium.org
>
> Bug: v8:8689
> Change-Id: I2f92aee8e2f2d45470d8c63314ed026341630902
> Reviewed-on: https://chromium-review.googlesource.com/c/1414920
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58929}
TBR=titzer@chromium.org
Bug: v8:8689
Change-Id: I58ff07d0e0ac8df0f6ee23c416f992954f4673d2
Reviewed-on: https://chromium-review.googlesource.com/c/1422748
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58959}
-
- 18 Jan, 2019 2 commits
Michael Achenbach authored
This reverts commit 4e1d7c87.
Reason for revert: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20arm%20-%20sim%20-%20debug/14986
Original change's description:
> [wasm] Split compilation in three stages
>
> In order to refactor ownership between objects in wasm compilation, the
> compilation (executed by background tasks) is split in three stages:
> getting a compilation unit (while holding a mutex), executing the work
> (without any mutex and without keeping the NativeModule alive), and
> submitting the work (with a mutex again).
>
> This CL prepares this design by splitting compilation from submission.
> Both steps are still executed right after each other. This will be
> changed in a follow-up CL.
>
> R=titzer@chromium.org
> CC=mstarzinger@chromium.org
>
> Bug: v8:8689
> Change-Id: I2f92aee8e2f2d45470d8c63314ed026341630902
> Reviewed-on: https://chromium-review.googlesource.com/c/1414920
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58929}
TBR=titzer@chromium.org,clemensh@chromium.org
Change-Id: Ic3d0287b354ef5f834b76bc2cdc096d2231f4477
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:8689
Reviewed-on: https://chromium-review.googlesource.com/c/1422917
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58932}
-
Clemens Hammacher authored
In order to refactor ownership between objects in wasm compilation, the compilation (executed by background tasks) is split in three stages: getting a compilation unit (while holding a mutex), executing the work (without any mutex and without keeping the NativeModule alive), and submitting the work (with a mutex again). This CL prepares this design by splitting compilation from submission. Both steps are still executed right after each other. This will be changed in a follow-up CL. R=titzer@chromium.org CC=mstarzinger@chromium.org Bug: v8:8689 Change-Id: I2f92aee8e2f2d45470d8c63314ed026341630902 Reviewed-on: https://chromium-review.googlesource.com/c/1414920 Reviewed-by:
Ben Titzer <titzer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#58929}
-
- 08 Dec, 2018 1 commit
Jakob Kummerow authored
Bug: v8:3770 Change-Id: I1d74ffe9e5478b4b8bc0acbf088d20919d458d50 Reviewed-on: https://chromium-review.googlesource.com/c/1363822 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Andreas Haas <ahaas@chromium.org> Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#58112}
-
- 07 Dec, 2018 3 commits
Jakob Gruber authored
This is a reland of f849396c
Original change's description:
> [nojit] Remove code stubs
>
> All stubs have been migrated to builtins. This CL removes most related
> code.
>
> Bug: v8:7777, v8:5784
> Change-Id: I4470cfef34788e6c8e0fd5fd09e40e250d088dad
> Reviewed-on: https://chromium-review.googlesource.com/c/1365284
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58093}
Tbr: mstarzinger@chromium.org,yangguo@chromium.org,jkummerow@chromium.org,bmeurer@chromium.org
Bug: v8:7777, v8:5784
Change-Id: I005ee2a820d49a75a90481d262a310e4ccfd1391
Reviewed-on: https://chromium-review.googlesource.com/c/1367746
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58101}
-
Jakob Gruber authored
This reverts commit f849396c.
Reason for revert: arm64: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux%20-%20arm64%20-%20sim%20-%20MSAN/24229
Original change's description:
> [nojit] Remove code stubs
>
> All stubs have been migrated to builtins. This CL removes most related
> code.
>
> Bug: v8:7777, v8:5784
> Change-Id: I4470cfef34788e6c8e0fd5fd09e40e250d088dad
> Reviewed-on: https://chromium-review.googlesource.com/c/1365284
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#58093}
TBR=jkummerow@chromium.org,yangguo@chromium.org,mstarzinger@chromium.org,jarin@chromium.org,jgruber@chromium.org,bmeurer@chromium.org
Change-Id: I52c3abd3f4e5872fe26ed7e527a58b118e02b387
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7777, v8:5784
Reviewed-on: https://chromium-review.googlesource.com/c/1367804
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58095}
-
Jakob Gruber authored
All stubs have been migrated to builtins. This CL removes most related code. Bug: v8:7777, v8:5784 Change-Id: I4470cfef34788e6c8e0fd5fd09e40e250d088dad Reviewed-on: https://chromium-review.googlesource.com/c/1365284 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Reviewed-by:
Jakob Kummerow <jkummerow@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#58093}
-
- 23 Nov, 2018 1 commit
Jakob Kummerow authored
Bug: v8:3770 Change-Id: I07f48b1ee8814a006e6787ad8261fa8388b4298d Reviewed-on: https://chromium-review.googlesource.com/c/1345327 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#57771}
-
- 15 Nov, 2018 3 commits
Ross McIlroy authored
With BytecodeArray flushing the SFI->BytecodeArray pointer will become pseudo weak. In order to avoid having to recompile (and potentially stack-overflow) on deoptimization, we explicitly add strong references to any BytecodeArrays we might deopt into into the DeoptimizationData, as such the BytecodeArrays won't be flushed while there is optimized code referencing it. BUG=v8:8395 Change-Id: If3336dfa9c17b7bccafdb73752c58dfa1f14a371 Reviewed-on: https://chromium-review.googlesource.com/c/1314579 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#57543}
-
Ross McIlroy authored
With Bytecode flushing, a SharedFunctionInfo's bytecode might be flushed while the compiler is expecting it to still exist. Rather than continually getting the bytecode from the SFI, instead bottleneck the points where we get BytecodeArray from SFIs and maintain an explicit strong reference to the BytecodeArray from that point onwards to prevent flushing. BUG=v8:8395 Change-Id: I6a18adec99402838690971eb37ee0617cdc15920 Reviewed-on: https://chromium-review.googlesource.com/c/1309763 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#57536}
-
Michael Starzinger authored
R=clemensh@chromium.org Change-Id: I2ec2fdb2406efeaf3b48d0c58711db7e5172aa58 Reviewed-on: https://chromium-review.googlesource.com/c/1335699 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#57525}
-
- 06 Nov, 2018 1 commit
Michael Starzinger authored
R=herhut@chromium.org Change-Id: I7e81d233211ba29d9c48accda63a365e31f51617 Reviewed-on: https://chromium-review.googlesource.com/c/1319582 Reviewed-by:
Stephan Herhut <herhut@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#57278}
-
- 21 Sep, 2018 1 commit
Marja Hölttä authored
Also fixing DEPS include rules for heap-write-barrier.h BUG=v8:5402,v8:8015 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: Ia785da321bc6c6f4c375ae8c866a0bf294e64f5b Reviewed-on: https://chromium-review.googlesource.com/1238453 Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#56138}
-
- 05 Sep, 2018 1 commit
jgruber authored
This mostly pushes code around (from the two specialized public ctors to the ConfigureFlags method), but does include one behavioral change in that all builtins/stubs/handlers now disable switch jump tables. Bug: v8:6666 Change-Id: I801d5bdc7a9c4bcc3bc5eb467a7c049404ffaff0 Reviewed-on: https://chromium-review.googlesource.com/1201785 Reviewed-by:
Stephan Herhut <herhut@chromium.org> Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#55652}
-
- 23 Aug, 2018 1 commit
Ben L. Titzer authored
The WasmCompilationData was a struct that served as an input/output mechanism for communicating with the code generator. In particular, it contained a flag for enabling runtime exception for WASM in the code generator and it also gathered the protected instruction info from the code generator to be communicated to the WasmCodeManager. This CL inlines the exception support flag into OptimizedCompilationInfo and the protected instruction information into the code generator, along the lines of other flags and data structures created by the code generator. R=mstarzinger@chromium.org Change-Id: If436636067f1a829a095310a73045fe3301cb694 Reviewed-on: https://chromium-review.googlesource.com/1186409 Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#55358}
-
- 06 Jul, 2018 2 commits
Georg Neis authored
- Move the CompilationDependencies member of OptimizedCompilationInfo to Turbofan's PipelineData (and thus into the compiler namespace). - Move compilation-dependencies.{cc,h} to the compiler directory. Bug: v8:7902 Change-Id: I5471d0923daf83abe975357325db5bc5ad0a8571 Reviewed-on: https://chromium-review.googlesource.com/1127793 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#54295}
-
Georg Neis authored
This is a reland of 4b9b9b68, which accidentally disabled optimization after dependency changes (instead of retrying).
TBR=jarin@chromium.org
TBR=mstarzinger@chromium.org
Original change's description:
> Reland "[turbofan] Rewrite CompilationDependencies"
>
> This is a reland of 52a10e50, after
> eliminating an invalid assumption about maps.
>
> TBR=jarin@chromium.org
> TBR=mstarzinger@chromium.org
>
> Original change's description:
> > [turbofan] Rewrite CompilationDependencies
> >
> > Instead of installing code dependencies during graph reduction,
> > install them after code generation.
> >
> > Bug: v8:7902, v8:7790
> > Change-Id: I8a3798254abb5b9ec7c295a1592aeb6b51f24c7a
> > Reviewed-on: https://chromium-review.googlesource.com/1119913
> > Commit-Queue: Georg Neis <neis@chromium.org>
> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#54170}
>
> Bug: v8:7902, v8:7790
> Change-Id: I9cbaf98980379b9b17464af5952ec0c47e1cdc6f
> Reviewed-on: https://chromium-review.googlesource.com/1126999
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54254}
Bug: v8:7902, v8:7790
Change-Id: I2b7a7d186e03990350e375470569177e3309683c
Reviewed-on: https://chromium-review.googlesource.com/1127579
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54280}
-
- 05 Jul, 2018 2 commits
Georg Neis authored
This reverts commit 4b9b9b68.
Reason for revert: Regresses Octane.
Original change's description:
> Reland "[turbofan] Rewrite CompilationDependencies"
>
> This is a reland of 52a10e50, after
> eliminating an invalid assumption about maps.
>
> TBR=jarin@chromium.org
> TBR=mstarzinger@chromium.org
>
> Original change's description:
> > [turbofan] Rewrite CompilationDependencies
> >
> > Instead of installing code dependencies during graph reduction,
> > install them after code generation.
> >
> > Bug: v8:7902, v8:7790
> > Change-Id: I8a3798254abb5b9ec7c295a1592aeb6b51f24c7a
> > Reviewed-on: https://chromium-review.googlesource.com/1119913
> > Commit-Queue: Georg Neis <neis@chromium.org>
> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#54170}
>
> Bug: v8:7902, v8:7790
> Change-Id: I9cbaf98980379b9b17464af5952ec0c47e1cdc6f
> Reviewed-on: https://chromium-review.googlesource.com/1126999
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54254}
TBR=mstarzinger@chromium.org,jarin@chromium.org,neis@chromium.org
Change-Id: Iece193046c48ee96ab7952d2b3bd7ad05f39b190
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7902, v8:7790
Reviewed-on: https://chromium-review.googlesource.com/1127119
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54260}
-
Georg Neis authored
This is a reland of 52a10e50, after eliminating an invalid assumption about maps.
TBR=jarin@chromium.org
TBR=mstarzinger@chromium.org
Original change's description:
> [turbofan] Rewrite CompilationDependencies
>
> Instead of installing code dependencies during graph reduction,
> install them after code generation.
>
> Bug: v8:7902, v8:7790
> Change-Id: I8a3798254abb5b9ec7c295a1592aeb6b51f24c7a
> Reviewed-on: https://chromium-review.googlesource.com/1119913
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54170}
Bug: v8:7902, v8:7790
Change-Id: I9cbaf98980379b9b17464af5952ec0c47e1cdc6f
Reviewed-on: https://chromium-review.googlesource.com/1126999
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54254}
-
- 04 Jul, 2018 1 commit
Yang Guo authored
This reverts commit 52a10e50.
Reason for revert: https://test-results.appspot.com/data/layout_results/V8-Blink_Linux_64__dbg_/12434/layout-test-results/results.html
Crash e.g. in http/tests/devtools/oopif/oopif-performance-cpu-profiles.js
crash log for devtools (pid <unknown>):
STDOUT: <empty>
STDERR:
STDERR:
STDERR: #
STDERR: # Fatal error in ../../v8/src/compilation-dependencies.cc, line 281
STDERR: # Debug check failed: descriptor == owner->LastAdded() (10 vs. 22).
STDERR: #
STDERR: #
STDERR: #
STDERR: #FailureMessage Object: 0x7fff86878630#0 0x0000031c642c base::debug::StackTrace::StackTrace()
STDERR: #1 0x0000046a56bb gin::(anonymous namespace)::PrintStackTrace()
STDERR: #2 0x00000469c528 V8_Fatal()
STDERR: #3 0x00000469c285 v8::base::(anonymous namespace)::DefaultDcheckHandler()
STDERR: #4 0x000001cc5253 v8::internal::CompilationDependencies::DependOnFieldType()
STDERR: #5 0x000001cdcc46 v8::internal::compiler::AccessInfoFactory::ComputePropertyAccessInfo()
STDERR: #6 0x000001cde661 v8::internal::compiler::AccessInfoFactory::ComputePropertyAccessInfos()
STDERR: #7 0x000001dd982b v8::internal::compiler::JSNativeContextSpecialization::ReduceNamedAccess()
STDERR: #8 0x000001ddb715 v8::internal::compiler::JSNativeContextSpecialization::ReduceNamedAccessFromNexus()
STDERR: #9 0x000001dd656d v8::internal::compiler::JSNativeContextSpecialization::ReduceJSLoadNamed()
STDERR: #10 0x000001d53872 v8::internal::compiler::GraphReducer::Reduce()
STDERR: #11 0x000001d534a5 v8::internal::compiler::GraphReducer::ReduceTop()
STDERR: #12 0x000001d52e58 v8::internal::compiler::GraphReducer::ReduceNode()
STDERR: #13 0x000001e4c201 v8::internal::compiler::InliningPhase::Run()
STDERR: #14 0x000001e44f79 v8::internal::compiler::PipelineImpl::Run<>()
STDERR: #15 0x000001e41058 v8::internal::compiler::PipelineImpl::CreateGraph()
STDERR: #16 0x000001e40c75 v8::internal::compiler::PipelineCompilationJob::PrepareJobImpl()
STDERR: #17 0x000001ccd437 v8::internal::OptimizedCompilationJob::PrepareJob()
STDERR: #18 0x000001cd071e v8::internal::(anonymous namespace)::GetOptimizedCode()
STDERR: #19 0x000001cd0c6f v8::internal::Compiler::CompileOptimized()
STDERR: #20 0x00000231fb62 v8::internal::__RT_impl_Runtime_CompileOptimized_Concurrent()
STDERR: #21 0x00000288e535 <unknown>
Original change's description:
> [turbofan] Rewrite CompilationDependencies
>
> Instead of installing code dependencies during graph reduction,
> install them after code generation.
>
> Bug: v8:7902, v8:7790
> Change-Id: I8a3798254abb5b9ec7c295a1592aeb6b51f24c7a
> Reviewed-on: https://chromium-review.googlesource.com/1119913
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#54170}
TBR=mstarzinger@chromium.org,jarin@chromium.org,neis@chromium.org
Change-Id: Ic58c2bfadbd34bb6ba7dc0d2b74871cc90b0a74f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7902, v8:7790
Reviewed-on: https://chromium-review.googlesource.com/1125680
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54192}
-
- 03 Jul, 2018 1 commit
Georg Neis authored
Instead of installing code dependencies during graph reduction, install them after code generation. Bug: v8:7902, v8:7790 Change-Id: I8a3798254abb5b9ec7c295a1592aeb6b51f24c7a Reviewed-on: https://chromium-review.googlesource.com/1119913 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#54170}
-
- 23 Jun, 2018 1 commit
Leszek Swirski authored
Access Isolate* and Heap* wherever already available. Roughly: GetIsolate(): -20 GetHeap(): -22 Handle<>(HeapObject): -315 handle(HeapObject): -21 Bug: v8:7786 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: I2da36ed1909d849812a1cb6bf94cb735eedca45b Reviewed-on: https://chromium-review.googlesource.com/1111707 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Reviewed-by:
Leszek Swirski <leszeks@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#53987}
-
- 13 Jun, 2018 1 commit
Sigurd Schneider authored
Bug: v8:7327 Change-Id: I6f378f0d36444e8413dfe7ad3e097091e3b86df1 Reviewed-on: https://chromium-review.googlesource.com/1098919 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#53712}
-
- 08 Jun, 2018 1 commit
Tobias Tebbi authored
Reland "[turbofan] enable switch jump tables with --no-untrusted-code-mitigations, also for stubs and Wasm"
But for builtins, jump tables are disabled to be compatible with embedded builtins.
This is a reland of 884bec9f
Original change's description:
> [turbofan] enable switch jump tables with --no-untrusted-code-mitigations,
> also for stubs and Wasm
>
> Bug: chromium:845851
> Change-Id: I9b860dc26f8b35d629235b82fc5fffe04bf10493
> Reviewed-on: https://chromium-review.googlesource.com/1076151
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53525}
Bug: chromium:845851
Change-Id: I66c300f875a46a3f2a68730fda94b8196f38aa97
Reviewed-on: https://chromium-review.googlesource.com/1087468
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53612}
-
- 05 Jun, 2018 2 commits
Jakob Gruber authored
This reverts commit 884bec9f.
Reason for revert: https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Linux64_TSAN%2F20938%2F%2B%2Frecipes%2Fsteps%2FCheck%2F0%2Flogs%2Fgraceful_shutdown%2F0
Original change's description:
> [turbofan] enable switch jump tables with --no-untrusted-code-mitigations,
> also for stubs and Wasm
>
> Bug: chromium:845851
> Change-Id: I9b860dc26f8b35d629235b82fc5fffe04bf10493
> Reviewed-on: https://chromium-review.googlesource.com/1076151
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53525}
TBR=mstarzinger@chromium.org,jarin@chromium.org,tebbi@chromium.org,ben.titzer@gmail.com
Change-Id: If24709e40bc6c442b88c8ba7b804775a9dfafc15
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:845851
Reviewed-on: https://chromium-review.googlesource.com/1087467
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53529}
-
Tobias Tebbi authored
also for stubs and Wasm Bug: chromium:845851 Change-Id: I9b860dc26f8b35d629235b82fc5fffe04bf10493 Reviewed-on: https://chromium-review.googlesource.com/1076151 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#53525}
-
- 04 Jun, 2018 1 commit
Stephan Herhut authored
This moves the generation of the WasmCode structure into the PipelineWasmCompilationJob, removing WasmCodeDesc in the process. WasmCodeDesc was a structure that was not understood by other parts of the compiler, including the disassembler. Using WasmCode right away enables printing code comments for turbolizer. Change-Id: Ie5cca131829bc842c51c999ea14d0dc339b3e028 Reviewed-on: https://chromium-review.googlesource.com/1073312 Commit-Queue: Stephan Herhut <herhut@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53490}
-
- 16 May, 2018 2 commits
Marja Hölttä authored
BUG=v8:7490 Change-Id: I53888e391a0ad25407e59431b2fffbd7cacf5273 Reviewed-on: https://chromium-review.googlesource.com/1060060 Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53205}
-
Sigurd Schneider authored
This adds a filter option for --trace-turbo, --trace-turbo-graph and --trace-turbo-scheduled. The filter is a pattern that matches function names in this way:
  "*"      all; the default
  "-"      all but the top-level function
  "-name"  all but the function "name"
  ""       only the top-level function
  "name"   only the function "name"
  "name*"  only functions starting with "name"
  "~"      none; the tilde is not an identifier
Bug: v8:7761
Change-Id: I7e8e726023f2c72754b0dd691d790af20b022fd3
Reviewed-on: https://chromium-review.googlesource.com/1059774
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53201}
-
- 30 Apr, 2018 1 commit
Jaroslav Sevcik authored
The idea is to mark all the branches and loads participating in array bounds checks, and let them contribute-to/use the poisoning register. In the code, the marks for array indexing operations now contain "Critical" in their name. By default (--untrusted-code-mitigations), we only instrument the "critical" operations with poisoning. With that in place, we also remove the array masking approach based on arithmetic. Since we do not propagate the poison through function calls, we introduce a node for poisoning an index that is passed through function call - the typical example is the bounds-checked index that is passed to the CharCodeAt builtin. Most of the code in this CL threads through the three levels of protection (safe, critical, unsafe) for loads, branches and flags. Bug: chromium:798964 Change-Id: Ief68e2329528277b3ba9156115b2a6dcc540d52b Reviewed-on: https://chromium-review.googlesource.com/995413 Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#52883}
-
- 04 Apr, 2018 1 commit
Ross McIlroy authored
With the Ignition + Turbofan pipeline there is very little overlap between the data needed for unoptimized compilation and optimized compilation. As a result, it is cleaner to split up the CompilationInfo into UnoptimizedCompilationInfo and OptimizedCompilationInfo. Doing so also necessitates splitting up CompilationJob into UnoptimizedCompilationJob and OptimizedCompilationJob - again there is not much overlap so this seems cleaner. Change-Id: I1056ad520937b7f8582e4fc3ca8f4910742de30a Reviewed-on: https://chromium-review.googlesource.com/995895 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Leszek Swirski <leszeks@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#52369}
-
- 29 Mar, 2018 1 commit
Benedikt Meurer authored
This way we can teach the debugger to disable liveness analysis when running with (potential) breakpoints, so that the developers always have (read) access to all scoped variable values. Bug: v8:7608, chromium:826613 Change-Id: I7e6cea105f111c99d2620546144201624dfe1d8b Reviewed-on: https://chromium-review.googlesource.com/985838 Reviewed-by:
Yang Guo <yangguo@chromium.org> Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#52293}
-
- 27 Mar, 2018 1 commit
Tobias Tebbi authored
This CL changes the poisoning in the interpreter to use the infrastructure used in the JIT. This does not change the original flag semantics: --branch-load-poisoning enables JIT mitigations as before. --untrusted-code-mitigation enables the interpreter mitigations (now realized using the compiler back-end), but does not enable the back-end based mitigations for the JavaScript JIT. So in effect --untrusted-code-mitigation makes the CSA pipeline for bytecode handlers use the same mechanics (including changed register allocation) that --branch-load-poisoning enables for the JIT. Bug: chromium:798964 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel Change-Id: If7f6852ae44e32e6e0ad508e9237f24dec7e5b27 Reviewed-on: https://chromium-review.googlesource.com/928881 Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#52243}
-
- 21 Mar, 2018 1 commit
Hannes Payer authored
Change-Id: If8678bd244a0a4e21b1967c15da80e49643a33ea Reviewed-on: https://chromium-review.googlesource.com/973001 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Hannes Payer <hpayer@chromium.org> Cr-Commit-Position: refs/heads/master@{#52101}
-
- 27 Feb, 2018 1 commit
Michael Starzinger authored
This changes the encoding of the {HandlerTable} from an array of Smi values to a byte array. It allows embedding of said array into the instruction stream of {Code} objects (similar to how safepoint tables work). For interpreted bytecode the table is attached as a {ByteArray} to the bytecode. The advantage of this approach is a more compact encoding and also the ability to move such tables easily off the GC'ed heap if needed (as is done for WebAssembly code for example). R=jarin@chromium.org Change-Id: I3320415dff69b3d1053825bda0d667a28232bf6d Reviewed-on: https://chromium-review.googlesource.com/934642 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#51589}
-
- 26 Feb, 2018 1 commit
Michael Starzinger authored
This adds support for poisoning the stack pointer and implicit register arguments like the context register and the function register in the prologue of generated code with JavaScript linkage. The speculation poison is computed similarly to the interpreter by matching expected with actual code start addresses. R=jarin@chromium.org,rmcilroy@chromium.org BUG=chromium:798964 Change-Id: I5fa48844745459cf7b3d00c407a7b835f61c857b Reviewed-on: https://chromium-review.googlesource.com/919167 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#51553}
-
- 14 Feb, 2018 2 commits
Michael Starzinger authored
This makes compilation mode predicates delegate to the underlying code kind that is already stored in each {CompilationInfo}, thereby removing potential ambiguity between these two values. R=mvstanton@chromium.org Change-Id: I9f4d1bb723074488cc47bdc275984b1abc960069 Reviewed-on: https://chromium-review.googlesource.com/916195 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Reviewed-by:
Michael Stanton <mvstanton@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#51291}
-
Michael Starzinger authored
R=bmeurer@chromium.org Change-Id: If92f245852183c85772f25a2e48893a5cfc59dc8 Reviewed-on: https://chromium-review.googlesource.com/916282 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#51285}
-
- 13 Feb, 2018 1 commit
Mike Stanton authored
This introduces masking of loads with speculation bit during code generation. At the moment, this is done only for x64 optimized code, under the --branch-load-poisoning flag. Overview of changes: - new register configuration with one register reserved for the speculation poison/mask (kSpeculationPoisonRegister). - in codegen, we introduce an update to the poison register at the starts of all successors of branches (and deopts) that are marked as safety branches (deopts). - in memory optimizer, we lower all field and element loads to PoisonedLoads. - poisoned loads are then masked in codegen with the poison register. * only integer loads are masked at the moment. Bug: chromium:798964 Change-Id: Ie51fdbde578fc289dff029794f3cfe8eaf33e1ef Reviewed-on: https://chromium-review.googlesource.com/901625 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#51272}
-