The CreateClosureMode introduced with 2ece046c is still not 100%
fail-safe and doesn't scale. What we really need instead, especially
when we might start removing the SharedFunctionInfo::code field
eventually, is to tell the JSCreateClosure node which code object to
use. So instead of adding magic around it, let's just pass it to the
node.

Bug: v8:2206, v8:7253, v8:7310
Change-Id: Iedb6ae468a763643617975f47d96854d1aeafbe9
Reviewed-on: https://chromium-review.googlesource.com/937121Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51548}

We use JSCreateClosure to also constructs closures for builtins, i.e.
for the callbacks created by the Promise constructor. For these builtins
we cannot set code to CompileLazy builtin, but need to use the code from
the SharedFunctionInfo. The explicit mode tells the lowering what it
should do (instead of relying on SharedFunctionInfo::native(), which is
not the right bit).

Bug: v8:2206, v8:7253, v8:7310
Change-Id: Ic956814e137c57b36ebb5d7b4d964dde5ee51a0d
Reviewed-on: https://chromium-review.googlesource.com/930964
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51547}

This reverts commit 3c62f7ae.
(and commit 4939463c)

The goal of this revert is to contrast the effect on perf bots of
landing it vs reverting it to more easily attribute its impact.

R=hpayer@chromium.org

Bug: chromium:812178
Change-Id: I7c977b1b0b587f787263272400d87f6aae7af634
Reviewed-on: https://chromium-review.googlesource.com/936761
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51546}

This implements the full set of f32 comparisons (f32.eq, f32.ne,
f32.lt, f32.gt, f32.le, f32.ge) on ia32 and x64.

R=titzer@chromium.org

Bug: v8:6600
Change-Id: I2be786431d01b4ed540b70f3e4a27c19b7d2649e
Reviewed-on: https://chromium-review.googlesource.com/928982Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51545}

This is a follow-up to https://chromium-review.googlesource.com/904164
now that I've realized raw TRACE_EVENTs work in v8 (initially thought
had to go through heap()->tracer()).

After adding events to EvacuatePage(), the subitem event for evacuation tasks
became redundant. Since this results in a better output this CL applies
this approach to all paralell work items.

Not using TRACE_BACKGROUND_GC also avoids polluting logs with subitems
when using v8's tracing flags.

R=mlippautz@chromium.org

Bug: chromium:651354
Change-Id: I62efbde69da2a0a9bd255e34093d64924e339974
Reviewed-on: https://chromium-review.googlesource.com/934263
Commit-Queue: Gabriel Charette <gab@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51544}

I think those are safe to keep and add useful information to highlight
the type of evacuate copy step being performed.

This is a prerequisite for https://chromium-review.googlesource.com/c/v8/v8/+/934263
as it will drop tracing individual work items and will
leave it to top-level item trace events like these to
highlight individual work item's work.

Will reland after reverting them all however to confirm the re-adding
these doesn't cause regressions as the fine grain trace events
initially did.

R=hpayer@chromium.org

Bug: chromium:813824
Change-Id: I8e53b880ce0aeae08afa7a2c0f36a455f645bcfa
Reviewed-on: https://chromium-review.googlesource.com/934248Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51543}

TBR=yangguo@chromium.org
NOTRY=true

Bug: chromium:813833
Change-Id: If9694bebc6576549feb00cbf035c4a5e92a70976
Reviewed-on: https://chromium-review.googlesource.com/936442Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51542}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/787ae8b..b1d6c28

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/13a8b37..8a42ad3

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/7e69312..b3d3f59

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I7bf829336fd7ded9b95573fc9b95c4988d36d8f6
Reviewed-on: https://chromium-review.googlesource.com/936226
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51541}

Change lowering for Store to use input replacement type.

Change-Id: Ic1fbbb37a3cc938fca7015d838933284bae6068e
Reviewed-on: https://chromium-review.googlesource.com/903266
Commit-Queue: Jing Bao <jing.bao@intel.com>
Reviewed-by: Aseem Garg <aseemgarg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51540}

Fuzzers after switching to ToT mjsunit.js, which accesses
Date.prototype, while for correctness fuzzing it's mocked out as a
proxy.

This makes the proxy return the property correctly.

TBR=yangguo@chromium.org
NOTRY=true

Bug: chromium:813833
Change-Id: Ic4b6412063f42c4e75905fbd568b7f81bc54daff
Reviewed-on: https://chromium-review.googlesource.com/936046
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51539}

TBR=yangguo@chromium.org
NOTRY=true

Bug: chromium:813833
Change-Id: I8f687d27981a54234c37ba2e4b22060696f6dee7
Reviewed-on: https://chromium-review.googlesource.com/936006Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51538}

This patch removes one unnecessary sub instruction in ComputeCodeStartAddress for SpeculationPoison generation at the beginning of each bytecode handler.

leaq rbx,[rip+0x0]      => leaq rbx,[rip+0xfffffff9]
subq rbx,0x7            => To be removed
movq r9,0x0
cmpq rcx,rbx
movq rbx,0xffffffff
cmovzq r9,rbx


Change-Id: I7648ae27d4039488d1fc0f4c25477a5cb889bd6d
Reviewed-on: https://chromium-review.googlesource.com/933593Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Shiyu Zhang <shiyu.zhang@intel.com>
Cr-Commit-Position: refs/heads/master@{#51537}

Previously the API allowed the embedder to re fulfill a non pending
promise. This was changed as part of
c0412961.

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I53dc028fecdcc6ab05c05cfc7795e89519ed9633
Reviewed-on: https://chromium-review.googlesource.com/932968
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51536}

`CodeStubAssembler::ToInteger_Inline` performs a `TaggedIsSmi` check,
and calls `ToInteger` with the appropriate truncation mode if the
input is not a Smi.

When we already know we’re dealing with something that’s not a Smi,
this check is redundant, and we can use
`CallBuiltin(Builtins::kToInteger*)` directly.

Bug: v8:7310
Change-Id: If538e39bcb738014bd03f10edd0051dac72b7ea3
Reviewed-on: https://chromium-review.googlesource.com/934901
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51535}

Since we only need to store 18 different function kinds,
the bitfield approach was wasting space (requiring 11 bits).

This patch replaces the bitfield with a regular enum, and
updates all the FunctionKind predicates to use comparisons
instead of bitwise ops.

For the small amount of builtin code that depended upon being
able to do masking to determine whether something is a class
constructor, we still store two extra bits on FunctionKind,
which are computed when the SFI is initialized.

If this approach causes performance regressions (i.e., if it
turns out that other code was implicitly depending on masking
for fast checks), we can revert this or address it in
other ways (e.g., by doing similar caching of repeated checks
in the caller).

This is a reland of 42667bab.

Bug: v8:7310
Change-Id: I2ec54289ea687399c61d75b7aff2d849861a64f2
Reviewed-on: https://chromium-review.googlesource.com/934864Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51534}

Change-Id: Ic9eaaa2af0106fea85a85599d404b2b304b3db2d
Reviewed-on: https://chromium-review.googlesource.com/930338Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51533}

Currently, atomic operations assume the default to be 32-bit
operations, fix opcode names for differentiation between 32/64-bit
operations.

Bug: v8:6532
Change-Id: Idc7df4e191f54b125271b067891e0a1df07008a4
Reviewed-on: https://chromium-review.googlesource.com/924333Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51532}

NOTRY=true

Bug: v8:7492
Change-Id: Ie25281f8efa30d14574c7b53b4ab8a22d1344535
Reviewed-on: https://chromium-review.googlesource.com/934847Reviewed-by: Fadi Meawad <fmeawad@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51531}

See https://crbug.com/v8/5193#c26

TBR=yangguo@chromium.org
NOTRY=true

Bug: v8:5193
Change-Id: I10f4c57c54b5bf596641a0e4c492bd652941b28e
Reviewed-on: https://chromium-review.googlesource.com/934845Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51530}

This adds printing on failures to compare output when correctness fuzzing.

TBR=yangguo@chromium.org
NOTRY=true

Bug: chromium:813833
Change-Id: I0280561392f6614960608db4e93341552c716142
Reviewed-on: https://chromium-review.googlesource.com/934843
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51529}

Port 25799516

Original Commit Message:

    This introduces masking of loads with speculation bit during code generation.
    At the moment, this is done only under the
    --branch-load-poisoning flag, and this CL enlarges the set of supported
    platforms from {x64} to {x64, arm}.

    Overview of changes:
    - new register configuration configuration with one register reserved for
      the speculation poison/mask (kSpeculationPoisonRegister).
    - in codegen, we introduce an update to the poison register at the starts
      of all successors of branches (and deopts) that are marked as safety
      branches (deopts).
    - in memory optimizer, we lower all field and element loads to PoisonedLoads.
    - poisoned loads are then masked in codegen with the poison register.
      * only integer loads are masked at the moment.

R=tebbi@chromium.org, joransiu@ca.ibm.com, bjaideep@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: Idda9bf06133d8999290cda5bcf6333c064b3e6dc
Reviewed-on: https://chromium-review.googlesource.com/927163
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Joran Siu <joransiu@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#51528}

This reverts commit e234176b.

Reason for revert: goma problem fixed

Original change's description:
> [CQ] Temporarily drop gcc bots from CQ
> 
> NOTRY=true
> NOTREECHECKS=true
> TBR=yangguo@chromium.org
> 
> Bug: chromium:814810
> Change-Id: Ibf9d5d637f4e98a295d0cde6632679c77c3a4eb3
> Reviewed-on: https://chromium-review.googlesource.com/931921
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51478}

TBR=machenbach@chromium.org,yangguo@chromium.org

Change-Id: Ifb4af81d4ccb784ec724d6ca4ab351f1df0db755
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:814810
Reviewed-on: https://chromium-review.googlesource.com/934801Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51527}

The list of runtime function use counts was generated with:

$ grep -o '^ *F(\w*' src/runtime/runtime.h | sed 's/^ *F(//' | sort | while read f; do USE_COUNT=$(git grep "\(Runtime::k\|Runtime::kInline\|%\|%_\)$f" | wc -l); echo $USE_COUNT $f; done

This reduces libv8.so size by 59K on an x64 release build.

Bug: v8:7310
Change-Id: Ib4d097e63ed065f41bf73e9529e4354575be5229
Reviewed-on: https://chromium-review.googlesource.com/934272Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51526}

CSA::Select makes the code compact and cleaner. Use it instead of
branches.

Bug: v8:7310
Change-Id: I3694b5ab5f8085c60266a4ad02640075005f4f94
Reviewed-on: https://chromium-review.googlesource.com/934509Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51525}

The Operand class is small enough to be efficiently passed by value.
This saves binary size and performance because the Operand does not need
to be emitted to the caller's frame and loaded in the callee.
Binary saving is 30kB in release mode on x64.

R=mstarzinger@chromium.org

Bug: v8:7310
Change-Id: Ibad9d438ace23cfe8e4641bd48063ab7035656f4
Reviewed-on: https://chromium-review.googlesource.com/934137
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51524}

BUG=v8:7490, v8:7310

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I2eb6897d9dcc72cc6f399a8752b9f30d7d7010f8
Reviewed-on: https://chromium-review.googlesource.com/934504Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51523}

Adding the StringSubstring simplified operator is a precursor to
improve inlining of String.p.{substr,substring,slice}.
This also contains a drive-by renaming to normalize different
spellings of 'Substring'.

Bug: v8:7250, v8:7340
Change-Id: I89e0fbafeab80f5d2f3ef348a5303d32c0abfe0a
Reviewed-on: https://chromium-review.googlesource.com/919084
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51522}

A.p.includes can now replace monkey-patched A.p.contains.

Bug: v8:7310, v8:7327
Change-Id: Ibbd6c5526322599c06f5485471cf6a6361b082b9
Reviewed-on: https://chromium-review.googlesource.com/934265
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51521}

The deoptimizer can create argument adaptor frames, in which case we
write a return address onto the stack that jumps into the middle of
the ArgumentsAdaptorTrampoline builtin. Now that this builtin is
off-heap, we need to calculate the return address based on the
off-heap instruction stream, not the on-heap trampoline.

Bug: v8:6666
Change-Id: I55b27fe8b0573f6c6ae66375850352f71bdff618
Reviewed-on: https://chromium-review.googlesource.com/934202
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51520}

Bug: v8:7310
Change-Id: I3b9832c7090d5c4b2f425f85095b0d7bae29fbfd
Reviewed-on: https://chromium-review.googlesource.com/934321
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51519}

Off-heap code may have pc values that are not within
[instruction_start, instruction_end]. Handle these kinds of objects in
heap Code lookup functions.

Bug: v8:6666
Change-Id: Ib7a58f962ef6311c48234e506a35485fd5966814
Reviewed-on: https://chromium-review.googlesource.com/934184
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51518}

Currently, pop_back() doesn't update size. Fix that.

BUG=v8:7489

Change-Id: If11d2ddcaae3223289c168c1e6e1ad94d6775516
Reviewed-on: https://chromium-review.googlesource.com/934456Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51517}

This fixes issues where the stack track contained 'Promise' but
not 'new'.

Bug: v8:7253
Change-Id: I840fcc0a76e2376aab0b64d321f5cf8ccc672956
Reviewed-on: https://chromium-review.googlesource.com/928762
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51516}

Previously, typing errors would be hidden by the SloppyTNode cast. Both
lambdas should always return strictly checked types that match the
templated type of the select, otherwise unchecked values can reach
TNodes.

Bug: v8:7479
Change-Id: Icd316c21a30c8c8305b7740c985efaa54c9a7015
Reviewed-on: https://chromium-review.googlesource.com/934455Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51515}

This is a reland of 3ff4b447.

Original version did not handle V8_INTL_SUPPORT.

Original change's description:
> [turbofan] Move String.* functions to JSCallReducer
>
> Bug: v8:7250, v8:7340
> Change-Id: Ibb8d5badf89c66bd9bcb6bb390256ae81d0e899c
> Reviewed-on: https://chromium-review.googlesource.com/913208
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51505}

Bug: v8:7250, v8:7340
Change-Id: Id908cbcfaa9e9cf5459d6d3289e6ec00e387d287
Reviewed-on: https://chromium-review.googlesource.com/934268Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51514}

Off-heap-safety slightly differs from isolate-independence in that it
allows external references and checks instruction-size constraints.

This adds the new predicate as well as a cctest verifying it. New
DCHECKs are introduced to document assumptions and upcoming work.

Note that this breaks the --stress-off-heap-code flag. Fixes will
follow in upcoming CLs.

Bug: v8:6666
Change-Id: If4f3e0f4428bacc8d293cd864b9b07b81679c423
Reviewed-on: https://chromium-review.googlesource.com/934183
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51513}

This is the follow-up CL to
https://chromium-review.googlesource.com/#/c/v8/v8/+/931122.

Now that HeapConstants can be loaded through the builtins constants
table, the extra CallStub and CallRuntime has become unnecessary.

Bug: v8:6666
Change-Id: I02bb7805ac37bed6fe27fdd0689ac22ad7de034b
Reviewed-on: https://chromium-review.googlesource.com/931123
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51512}

Convert all context, receiver and argc Node*s to their appropriate TNode
type.

Bug: v8:7310
Change-Id: Ic6bf22ffb22199d390731d424b7395c47a8f19cf
Reviewed-on: https://chromium-review.googlesource.com/934442
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51511}

BUG=v8:7478

Change-Id: Iad67d49729dfeb89fde26772689a22098f491b8a
Reviewed-on: https://chromium-review.googlesource.com/931548
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51510}

Bug: v8:7310
Change-Id: I8d3ac3127d5ca3ea88fbb954727a7222de5d75a0
Reviewed-on: https://chromium-review.googlesource.com/934261
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51509}