Bug: v8:7066
Change-Id: I5aa7e976eee6b197586a656ee2e38b9d429ec07b
Reviewed-on: https://chromium-review.googlesource.com/955587Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51881}

Bug: chromium:774108
Change-Id: I640a4f0f17244ee77fa5480ec9faa773310b9caf
Reviewed-on: https://chromium-review.googlesource.com/958907Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51880}

Change-Id: I5ee7de89a262fce7db25a970a3c56c25eb6f6803
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/958924
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51879}

This is to increase test coverage (ClusterFuzz and such).

Bug: chromium:798964
Change-Id: I4923fb62b52b79636bfc24b76f9642135335c96c
Reviewed-on: https://chromium-review.googlesource.com/958463Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51878}

This CL now uses StringCharCodeAt + StringFromCharCode to replace
StringCharAt. Optimizations are easier to implement if we have both
operators; however, if this tanks performance a lot we have to revert.

R=bmeurer@chromium.org

Bug: v8:7531
Change-Id: I75590cc8b8db57715bc2de9f5b98d0878d62a394
Reviewed-on: https://chromium-review.googlesource.com/956134
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51877}

Not used yet apart from tests.

BUG=v8:7308

Change-Id: Ibbe12597007cba123236c9fab85c524df3d5dd4a
Reviewed-on: https://chromium-review.googlesource.com/955427
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51876}

This reverts commit 73408095.

Reason for revert:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20debug/builds/21075
https://build.chromium.org/p/client.v8/builders/V8%20Win32/builds/12955

Original change's description:
> [heap] Turn on --write-protect-code-memory.
> 
> Bug: chromium:774108
> Change-Id: I8001013d1ee75d0847fd6a804c9e37774d900992
> Reviewed-on: https://chromium-review.googlesource.com/957088
> Commit-Queue: Hannes Payer <hpayer@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51873}

TBR=hpayer@chromium.org,ahaas@chromium.org

Change-Id: I52bd5085b9778f85687925e8fcb9c2a4b9c5934c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:774108
Reviewed-on: https://chromium-review.googlesource.com/958862Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51875}

Bug: chromium:798964
Change-Id: Ia2f0ade9e69aeb4eb0497ff91abb7ffa1d02e03f
Reviewed-on: https://chromium-review.googlesource.com/958515Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51874}

Bug: chromium:774108
Change-Id: I8001013d1ee75d0847fd6a804c9e37774d900992
Reviewed-on: https://chromium-review.googlesource.com/957088
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51873}

Add support for f32.demote/f64 and f64.promote/f32.
Both are straight forward to implement on ia32 and x64.

R=titzer@chromium.org

Bug: v8:6600
Change-Id: I75213ddf5f422d0aa1d5d9a3bbc90ac32f6950f5
Reviewed-on: https://chromium-review.googlesource.com/955849
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51872}

Use IteratorToList to implement CallWithSpread and ConstructWithSpread
instead.

Bug: v8:7310
Change-Id: Ic1c44cc97914fa4fb92da8c568ac66f3ae78e520
Reviewed-on: https://chromium-review.googlesource.com/956073Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51871}

The single argument version of String.fromCharCode had an unneccessary
runtime call in it; this CL removes it.

Bug: v8:7531
Change-Id: Ieeb7d8aaffb0eabf814a52c51eaff50cb57d87c9
Reviewed-on: https://chromium-review.googlesource.com/955646
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51870}

Bug: v8:6666
Change-Id: I23be9d77e7216932bd81cc75e2d5872ce0248c3c
Reviewed-on: https://chromium-review.googlesource.com/958514Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51869}

TBR=machenbach@chromium.org
NOTRY=true

Bug: v8:178
Change-Id: Id13721946dc0dd2f4154dda516a79d5599b26c56
Reviewed-on: https://chromium-review.googlesource.com/958513Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51868}

R=clemensh@chromium.org, jgruber@chromium.org

Bug: v8:178
Change-Id: I6f180c5539935cd91cfbbb777d5900a55c681b1f
Reviewed-on: https://chromium-review.googlesource.com/957094
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51867}

This is a reland of ce8f5141

Original change's description:
> Skip Execution::Call in CompileFunctionInContext.
> 
> We execute the top-level function only to get to the wrapped function.
> We could do the same by simply instantiating it.
> 
> Other approaches would change the parser so that the top-level function
> is the wrapped function. However, that change violates existing scoping
> invariants and fixing it would add a lot more complexity to the parser.
> 
> R=adamk@chromium.org, marja@chromium.org
> 
> Bug: v8:7172
> Change-Id: I7272b8b58fc739d47a44da3a9d4a914af3e8cf3d
> Reviewed-on: https://chromium-review.googlesource.com/836367
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50333}

Bug: v8:7172
Change-Id: Ie0e4b3db46f84a30cff8613c89eb11534ce3c1ac
Reviewed-on: https://chromium-review.googlesource.com/956146Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51866}

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/b6fe934..0a9737b

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I85267bc7ecb1fc6cb53cfd761f414147b3d47d73
Reviewed-on: https://chromium-review.googlesource.com/958684Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51865}

After the refactoring for supporting f32 conversions, adding f64
conversions is straight forward.

R=titzer@chromium.org

Bug: v8:6600
Change-Id: I8f76fbef3f1e67ecdb02dd1d103868f2d1d3226f
Reviewed-on: https://chromium-review.googlesource.com/957026
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51864}

The analysis phase used to skip TypeGuard nodes, which are
normally re-introduced by the reduction phase. However, phi nodes
are created during the analysis phase already, and so it could happen
that a phi input skips a TypeGuard.

This CL solves the problem by not removing TypeGuard nodes in the first
place, but only forwarding the VirtualObject. This is analogous to how
we already treat FinishRegion nodes, which are similar in that they are
a renaming too.

Bug: chromium:741225
Change-Id: Icf8aa2d40a30d89788d875b37b9986111f9c966f
Reviewed-on: https://chromium-review.googlesource.com/958442
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51863}

This reverts commit 8ae19e08.

Reason for revert:
Speculative revert for layout test:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/22215

See:
https://github.com/v8/v8/wiki/Blink-layout-tests

Original change's description:
> [esnext] re-implement template strings
> 
> - Add a new bytecode for the ToString operation, replacing the old
> intrinsic call (currently does not collect type feedback).
> - Add a new AST node to represent TemplateLiterals, and avoid
> generating unnecessary ToString operations in some simple cases.
> - Use a single feedback slot for each string addition, because the
> type feedback should always be the same for each addition
> 
> This seems to produce a very slight improvement on JSTests benchmarks
> and bench-ruben.js from v8:7415, and it's possible that type feedback
> for the ToString bytecode could provide more opportunities to eliminate
> the runtime call in TurboFan.
> 
> Doesn't touch tagged templates
> 
> BUG=v8:7415
> R=​rmcilroy@chromium.org, ishell@chromium.org, bmeurer@chromium.org
> 
> Change-Id: If5a8c68558431f058db894d65776324abf54218e
> Reviewed-on: https://chromium-review.googlesource.com/945408
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Commit-Queue: Caitlin Potter <caitp@igalia.com>
> Cr-Commit-Position: refs/heads/master@{#51853}

TBR=rmcilroy@chromium.org,caitp@igalia.com,ishell@chromium.org,bmeurer@chromium.org

Change-Id: Id0529b065493ffc20c8f2b1abacc4c1484c3c046
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7415
Reviewed-on: https://chromium-review.googlesource.com/958163Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51862}

This reverts commit 0802e2b2.

Reason for revert: For reverting https://crrev.com/c/945408

Original change's description:
> [esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral
> 
> Fixes an error where TemplateLiteral printing in --print-ast
> would try to read an element beyond the length of a vector.
> 
> BUG=v8:7415, chromium:820596
> R=​adamk@chromium.org, gsathya@chromium.org
> 
> Change-Id: Idf9e0da8c165ee62bc1a348a91c2ed5ed798404a
> Reviewed-on: https://chromium-review.googlesource.com/957883
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Caitlin Potter <caitp@igalia.com>
> Cr-Commit-Position: refs/heads/master@{#51857}

TBR=adamk@chromium.org,gsathya@chromium.org,caitp@igalia.com

Change-Id: I5fe950cd823ae350b5f6c09227a62aef9dc2a008
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7415, chromium:820596
Reviewed-on: https://chromium-review.googlesource.com/957724Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51861}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/d8b353b..8e843a9

Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/df668c3..1537dce

TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org

Change-Id: I7f9c08d17ba2fb7b03547eb01a7a875194c2b94d
Reviewed-on: https://chromium-review.googlesource.com/958202
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51860}

Add BigInt to the list of allowed result types.

Bug: v8:6791, chromium:819871
Change-Id: Ib636859da07b38c462ce7017d720e5370ba618d6
Reviewed-on: https://chromium-review.googlesource.com/957422Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51859}

TBR=sergiyb@chromium.org

Bug: chromium:819555
Change-Id: I70e05a4b7fa917f3da22c9cf98ccd175f7b6a3ec
Reviewed-on: https://chromium-review.googlesource.com/957723Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51858}

Fixes an error where TemplateLiteral printing in --print-ast
would try to read an element beyond the length of a vector.

BUG=v8:7415, chromium:820596
R=adamk@chromium.org, gsathya@chromium.org

Change-Id: Idf9e0da8c165ee62bc1a348a91c2ed5ed798404a
Reviewed-on: https://chromium-review.googlesource.com/957883Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#51857}

TBR=sergiyb@chromium.org

No-Try: true
No-Presubmit: true
Bug: chromium:793687
Change-Id: Iaa076a1dbbf2494e05763c71903ef569c76de519
Reviewed-on: https://chromium-review.googlesource.com/955858Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51856}

- Label as "bigint" in DevTools heap snapshot viewer
- Treat as new primitive in injected-script-source
- Show primitive value as property for BigIntObject
- Adds the "n" suffix onto description, both with/without inspector
  being present

Bug: v8:7486
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I47a02e32f9bdd9124a6c91056965574ecd443867
Reviewed-on: https://chromium-review.googlesource.com/940804
Commit-Queue: Erik Luo <luoe@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Alexei Filippov <alph@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51855}

TBR=machenbach@chromium.org

No-Try: true
Bug: chromium:813065
Change-Id: Ic502079f66432aefe33a765d212389b4ab191c1d
Reviewed-on: https://chromium-review.googlesource.com/955652
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51854}

- Add a new bytecode for the ToString operation, replacing the old
intrinsic call (currently does not collect type feedback).
- Add a new AST node to represent TemplateLiterals, and avoid
generating unnecessary ToString operations in some simple cases.
- Use a single feedback slot for each string addition, because the
type feedback should always be the same for each addition

This seems to produce a very slight improvement on JSTests benchmarks
and bench-ruben.js from v8:7415, and it's possible that type feedback
for the ToString bytecode could provide more opportunities to eliminate
the runtime call in TurboFan.

Doesn't touch tagged templates

BUG=v8:7415
R=rmcilroy@chromium.org, ishell@chromium.org, bmeurer@chromium.org

Change-Id: If5a8c68558431f058db894d65776324abf54218e
Reviewed-on: https://chromium-review.googlesource.com/945408Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#51853}

https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8.ports%2FV8_Linux_-_mipsel_-_sim%2F9763%2F%2B%2Frecipes%2Fsteps%2FCheck%2F0%2Flogs%2FBreakPointJSBuiltin%2F0
https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Linux64_-_debug_-_fyi%2F1461%2F%2B%2Frecipes%2Fsteps%2FCheck_-_stress_off_heap_code%2F0%2Flogs%2FBreakPointBuiltin%2F0

TBR=yangguo@chromium.org

Bug: v8:7543
Change-Id: I137372b3330102fbd24f356d365206ce785eca83
Reviewed-on: https://chromium-review.googlesource.com/956048
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51852}

TBR=sergiyb@chromium.org

No-Try: true
No-Presubmit: true
Bug: chromium:820458
Change-Id: I962cdb57a89b1b852e92919812fcf67c7e38e3ed
Reviewed-on: https://chromium-review.googlesource.com/955853
Commit-Queue: Sergiy Byelozyorov <sergiyb@chromium.org>
Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51851}

The macro list avoids duplication in external-reference-table and will
allow us to statically determine the size of the table in a follow-up.

TBR=mlippautz@chromium.org

Bug: v8:6666
Change-Id: I06bb2e8c25970b3c1047dafd6c63d7ca291fe37e
Reviewed-on: https://chromium-review.googlesource.com/956187
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51850}

This was a shim for the non-I+TF codepath, which is now the only
codepath (that still uses this tier-up mechanism anyway). There were a
couple of places we were accidentally using it due to CompileLazy or
deopts, so this also fixes those.

Reland of https://chromium-review.googlesource.com/951490

Change-Id: I1101eeda7b16651610c6f120062771bdc3c8a49f
Reviewed-on: https://chromium-review.googlesource.com/957032Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51849}

Mips big-endian builders don't like embedded builtins. Disable embedded
builtins on mips for now and defer investigation for when there's time.

Example failures:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Mips%20-%20big%20endian%20-%20nosnap%20-%201/builds/6666
https://build.chromium.org/p/client.v8.ports/builders/V8%20Mips%20-%20big%20endian%20-%20nosnap%20-%202/builds/5188

Two issues: test failures due to big-endianness and mismatches in the
isolate-independence list.

TBR=yangguo@chromium.org

Bug: v8:6666
Change-Id: I73750668c03c132a9bb4d4ae9ed2bafd6d91f816
Reviewed-on: https://chromium-review.googlesource.com/955699Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51848}

We can reduce boilerplate if we pass the continuation to
some InstructionSelector::Emit.* methods.

Change-Id: I0221f446129cc086122d3f77a00de7d1256d3ee1
bug: v8:7310
Reviewed-on: https://chromium-review.googlesource.com/934454
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51847}

Since there are some regression tests that use this instruction
many times in a row, trampoline pool can't be emitted. This commit
fixes this issue.

Change-Id: I7b575c4920f7e72a39051dee1ccca4baf9562ff1
Reviewed-on: https://chromium-review.googlesource.com/955696
Commit-Queue: Sreten Kovacevic <sreten.kovacevic@mips.com>
Reviewed-by: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#51846}

If the value can be converted, we can skip the write barrier.

Change-Id: I88ac7f3756ddfaf4b8e58dc36a9b26faf544f0d9
Reviewed-on: https://chromium-review.googlesource.com/957033
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51845}

Bug: chromium:820312
Change-Id: Ie9237a5c53ac7121e469af460a2f0ad5016d9d03
Reviewed-on: https://chromium-review.googlesource.com/957090
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51844}

This patch removes the TypedArrayConstructor_ConstructStub builtin,
merging its functionality into the refactored TypedArrayConstructor
TurboFan builtin.

This brings us closer to our goal of deprecating the `construct_stub`
field in `SharedFunctionInfo`.

Bug: v8:7503, v8:7518
Change-Id: I264aa0933b3c80814e021b05033636196dc289da
Reviewed-on: https://chromium-review.googlesource.com/956044
Commit-Queue: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51843}

Previously we used a FixedArray for the FeedbackMetadata, packing bits
of information into Smi fields. On 64-bit platforms, we waste at least
half of the available memory by using the Smi representation.

Given that this is just raw data (no pointers), we can just use a new
type that uses the existing packing scheme to store the data in int32
format instead.

This CL changes FeedbackMetadata to a new subclass of HeapObject. This
is to reduce the API surface exposed, in comparison to extending/using
a more general purpose data structure like ByteArray, which is also just
raw data.

FeedbackMetadata only exposes general purpose methods for accessing
slots, but hides the implementation detail of packing bits into int32
fields.

This CL also introduces a sentinal EmptyFeedbackMetadata, because there
are ~750 empty FeedbackMetadata objects when running an empty program in
V8. These are probably for builtins.

Bug: v8:7500
Change-Id: Ic85563153abbd71a22854cee8519260c32b1e9ab
Reviewed-on: https://chromium-review.googlesource.com/945730
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51842}