BUG=v8:4499
LOG=n
NOTRY=true
NOTREECHECKS=true
TBR=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1411203003

Cr-Commit-Position: refs/heads/master@{#31367}

Adds support for throwing exceptions. Adds the bytecode Throw.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1410863002

Cr-Commit-Position: refs/heads/master@{#31366}

BUG=v8:4499
LOG=n
NOTRY=true
NOTREECHECKS=true
TBR=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1411933003

Cr-Commit-Position: refs/heads/master@{#31364}

Depends on https://codereview.chromium.org/1413023002/

BUG=chromium:535160
LOG=n
NOTRY=true

Review URL: https://codereview.chromium.org/1414713002

Cr-Commit-Position: refs/heads/master@{#31363}

The dispatcher failed to MISS properly when configured as a monomorphic
keyed string store, causing a crash.

BUG=v8:4495
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1415533003

Cr-Commit-Position: refs/heads/master@{#31362}

BUG=chromium:535160
LOG=n

Review URL: https://codereview.chromium.org/1411143002

Cr-Commit-Position: refs/heads/master@{#31359}

Use %_ToLength for TO_LENGTH, implemented via a ToLengthStub
that supports a fast path for small integers. Everything else is still
handled in the runtime.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
BUG=v8:4494
LOG=n

Review URL: https://codereview.chromium.org/1412963002

Cr-Commit-Position: refs/heads/master@{#31358}

This removes all locally constructed SimplifiedOperatorBuilder instances
and uses the one passed along the JSGraph. It ensures that the correct
zone is used to allocate operators, no matter where the reducer is used.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1410003002

Cr-Commit-Position: refs/heads/master@{#31355}

This introduces an explicit lazy bailout. It is wrapped in the call
node, mostly because the lazy deoptimization processing is married
to the call processing in the instruction selector and the code generator.

It is still a terrible hack.

R=bmeurer@chromium.org,mstarzinger@chromium.org
BUG=chromium:543994,v8:4195
LOG=n

Review URL: https://codereview.chromium.org/1412443003

Cr-Commit-Position: refs/heads/master@{#31353}

Native context specialization now lowers monomorphic and
polymorphic accesses to data and constant data properties on
object and/or prototype chain. We don't deal with accessors
yet, and we also completely ignore proxies (which is compatible
with what Crankshaft does).

The code is more or less the straightforward implementation. We
will need to refactor that and extract common patterns once the
remaining bits for full load/store support is in.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=jarin@chromium.org
BUG=v8:4470
LOG=n

Committed: https://crrev.com/3a0bf860b7177f7abef01ff308a53603389d958e
Cr-Commit-Position: refs/heads/master@{#31340}

Review URL: https://codereview.chromium.org/1396333010

Cr-Commit-Position: refs/heads/master@{#31352}

BUG=v8:4406
LOG=N

Review URL: https://codereview.chromium.org/1411023002

Cr-Commit-Position: refs/heads/master@{#31350}

BUG=v8:4406
LOG=N

Review URL: https://codereview.chromium.org/1411743003

Cr-Commit-Position: refs/heads/master@{#31349}

BUG=v8:4406
LOG=N

Review URL: https://codereview.chromium.org/1406353003

Cr-Commit-Position: refs/heads/master@{#31348}

Removes a branch that checks for a condition that has been checked on dominators of the branch.

This introduces a new reducer that propagates the list of checked conditions (and their boolean values) through the control flow graph. If it encounters a branch checking a condition with a known value, the branch is eliminated.

The analysis relies on loops being reducible: if a condition has been checked on all paths to loop entry, then it is checked in the loop (regardless what of the conditions checked inside the loop).

The implementation is fairly naive and could be improved:

- all the operation on the condition lists could be made allocation-free when revisited.

- we could try to use a map structure rather than a linked list (to make
lookups faster).

- the merging of control flow could be changed to take into account
  conditions from non-dominating paths (as long as all paths check
  the condition).

Review URL: https://codereview.chromium.org/1376293005

Cr-Commit-Position: refs/heads/master@{#31347}

Adds support for creating RegExp literals and adds some tests. Adds the
CreateRegExpLiteral bytecode.

BUG=v8:4280
LOG=N
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1410853002

Cr-Commit-Position: refs/heads/master@{#31345}

Adds support for local context loads and stores. Also adds support for
creation of new block contexts (e.g., for let variables) and initializing
const / let variables with the hole appropriately.

Also adds some checks to ensure BytecodeArrayBuilder::context_count is set
appropriately and fixes tests to do so.

Adds the bytecode StaContextSlot.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1403943004

Cr-Commit-Position: refs/heads/master@{#31343}

Revert of [turbofan] Initial support for monomorphic/polymorphic property loads. (patchset #3 id:100001 of https://codereview.chromium.org/1396333010/ )

Reason for revert:
Waterfall redness.

Original issue's description:
> [turbofan] Initial support for monomorphic/polymorphic property loads.
>
> Native context specialization now lowers monomorphic and
> polymorphic accesses to data and constant data properties on
> object and/or prototype chain. We don't deal with accessors
> yet, and we also completely ignore proxies (which is compatible
> with what Crankshaft does).
>
> The code is more or less the straightforward implementation. We
> will need to refactor that and extract common patterns once the
> remaining bits for full load/store support is in.
>
> CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
> R=jarin@chromium.org
> BUG=v8:4470
> LOG=n
>
> Committed: https://crrev.com/3a0bf860b7177f7abef01ff308a53603389d958e
> Cr-Commit-Position: refs/heads/master@{#31340}

TBR=bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4470

Review URL: https://codereview.chromium.org/1408123002

Cr-Commit-Position: refs/heads/master@{#31341}

Native context specialization now lowers monomorphic and
polymorphic accesses to data and constant data properties on
object and/or prototype chain. We don't deal with accessors
yet, and we also completely ignore proxies (which is compatible
with what Crankshaft does).

The code is more or less the straightforward implementation. We
will need to refactor that and extract common patterns once the
remaining bits for full load/store support is in.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=jarin@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1396333010

Cr-Commit-Position: refs/heads/master@{#31340}

Adds the bytecode StaGlobalStrict and replaces StaGlobal with StaGlobalSloppy.

BUG=v8:4280
LOG=N
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1406183002

Cr-Commit-Position: refs/heads/master@{#31339}

BUG=chromium:535160
LOG=n

Review URL: https://codereview.chromium.org/1409113002

Cr-Commit-Position: refs/heads/master@{#31336}

Contributed by Raymond Toy: http://rtoy.github.io/fdlibm-js/

R=jkummerow@chromium.org
BUG=v8:3495
LOG=N

Review URL: https://codereview.chromium.org/1407213002

Cr-Commit-Position: refs/heads/master@{#31335}

This fixes the lifetime of nodes created by JSGlobalSpecialization that
contain a simplified operator. In the case where this reducer runs as
part of the inliner, the SimplifiedOperatorBuilder was instantiated with
the wrong zone. This led to use-after-free of simplified operators.

To avoid such situations in the future, we decided to move this operator
builder into the JSGraph and make the situation uniform with all other
operator builders.

R=bmeurer@chromium.org
BUG=chromium:543528
LOG=n

Review URL: https://codereview.chromium.org/1409993002

Cr-Commit-Position: refs/heads/master@{#31334}

Revert of "[heap] Divide available memory upon compaction tasks" (patchset #2 id:20001 of https://codereview.chromium.org/1399403002/ )

Reason for revert:
Failing: https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/2115

Original issue's description:
> Reland of "[heap] Divide available memory upon compaction tasks"
>
> This reverts commit ec1046f9.
>
> Original message:
>
> [heap] Divide available memory upon compaction tasks
> - Fairly (round-robin) divide available memory upon compaction tasks.
> - Ensure an upper limit (of memory) since dividing is O(n) for n free-space
>   nodes.
> - Refill from free lists managed by sweeper once a compaction space becomes
>   empty.
>
> Assumption for dividing memory: Memory in the free lists is sparse upon starting
> compaction (which means that only few nodes are available), except for memory
> reducer GCs, which happen in idle time though (so it's less of a problem).
>
> BUG=chromium:524425
> LOG=N
>
> Committed: https://crrev.com/a805be73f6f97645450124f75c0f7417ec7b3e70
> Cr-Commit-Position: refs/heads/master@{#31329}

TBR=hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1412643002

Cr-Commit-Position: refs/heads/master@{#31332}

R=cbruni@chromium.org, hpayer@chromium.org

Review URL: https://codereview.chromium.org/1411653002

Cr-Commit-Position: refs/heads/master@{#31331}

R=rossberg@chromium.org
BUG=v8:4471
LOG=N

Review URL: https://codereview.chromium.org/1410753002

Cr-Commit-Position: refs/heads/master@{#31330}

This reverts commit ec1046f9.

Original message:

[heap] Divide available memory upon compaction tasks
- Fairly (round-robin) divide available memory upon compaction tasks.
- Ensure an upper limit (of memory) since dividing is O(n) for n free-space
  nodes.
- Refill from free lists managed by sweeper once a compaction space becomes
  empty.

Assumption for dividing memory: Memory in the free lists is sparse upon starting
compaction (which means that only few nodes are available), except for memory
reducer GCs, which happen in idle time though (so it's less of a problem).

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1399403002

Cr-Commit-Position: refs/heads/master@{#31329}

BUG=v8:4495
LOG=n
NOTRY=true

Review URL: https://codereview.chromium.org/1410723002

Cr-Commit-Position: refs/heads/master@{#31324}

BUG=v8:4406
LOG=N

Review URL: https://codereview.chromium.org/1409873002

Cr-Commit-Position: refs/heads/master@{#31322}

R=titzer@google.com

Review URL: https://codereview.chromium.org/1407933002

Cr-Commit-Position: refs/heads/master@{#31319}

Review URL: https://codereview.chromium.org/1397883003

Cr-Commit-Position: refs/heads/master@{#31316}

BUG=v8:4406
LOG=N

Committed: https://crrev.com/adcbe619a959fe1d8f21d06fbf5984868c4f6b9a
Cr-Commit-Position: refs/heads/master@{#31276}

Review URL: https://codereview.chromium.org/1404903004

Cr-Commit-Position: refs/heads/master@{#31315}

Also move those tests from mjsunit/harmony to mjsunit/es6.

R=littledan@chromium.org

Review URL: https://codereview.chromium.org/1403633007

Cr-Commit-Position: refs/heads/master@{#31314}

Review URL: https://codereview.chromium.org/1405453003

Cr-Commit-Position: refs/heads/master@{#31313}

This change add a new bytecode for operator new and implements it using
the Construct() builtin.

BUG=v8:4280
LOG=N

Committed: https://crrev.com/8e4f9963d53913eab7fbd2f61a5733d8dc2169e7
Cr-Commit-Position: refs/heads/master@{#31293}

Review URL: https://codereview.chromium.org/1402943002

Cr-Commit-Position: refs/heads/master@{#31312}

The CL also fixes various small bugs in context allocation.

Review URL: https://codereview.chromium.org/1404293002

Cr-Commit-Position: refs/heads/master@{#31311}

In the ES2015 spec, RegExp uses ToLength, not ToInteger, on lastIndex
to coerce it to an integer. This patch switches to ToLength when
the --harmony-tolength flag is on, and adds some tests to verify the
new behavior.

BUG=v8:4244
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1394023005

Cr-Commit-Position: refs/heads/master@{#31306}

Review URL: https://codereview.chromium.org/1401703003

Cr-Commit-Position: refs/heads/master@{#31304}

R=rossberg@chromium.org
BUG=chromium:539875
LOG=y

Review URL: https://codereview.chromium.org/1393373005

Cr-Commit-Position: refs/heads/master@{#31303}

The runtime flag in question makes no sense, because the feature cannot
be disabled without keeping the snapshot in sync. We should avoid having
the flag in our "mjsunit" test suite, so that CluserFuzz doesn't pick it
up. The test in question is already skipped, the change will not affect
test results on our waterfall.

R=mvstanton@chromium.org
TEST=mjsunit/call-counts
BUG=v8:4458
LOG=n

Review URL: https://codereview.chromium.org/1409533003

Cr-Commit-Position: refs/heads/master@{#31302}

Revert of [turbofan] Splinter into one range. (patchset #2 id:80001 of https://codereview.chromium.org/1391023007/ )

Reason for revert:
Weird endless loop in TopLevelLiveRange::Merge() due to always splitting first and not making progress. See comments, unfortunately no useable repro.

Original issue's description:
> [turbofan] Splinter into one range.
>
> Before this CL, we created one live range per successive set of
> deferred blocks. For scenarios with many such blocks, this creates
> an upfront pressure for the register allocator to deal with many ranges.
> Linear sorts ranges, which is a super-linear operation.
>
> The change places all deferred intervals into one range, meaning that,
> at most, there will be twice as many live ranges as the original set. In
> pathological cases (benchmarks/Compile/slow_nbody1.js), this change
> halves the compilation time. We see some improvements elsewhere,
> notably SQLite at ~4-5%.
>
> We may be able to avoid the subsequent merge. Its cost is the
> additional ranges it may need to create. The sole reason for the merge
> phase is to provide an unchanged view of the world to the subsequent
> phases. With the at-most-one splinter model, we may be able to teach
> the other phases about splintering - should we find perf hindrances
> due to merging.
>
> Committed: https://crrev.com/efdcd20267870276c5824f1ccf4e171ac378f7ae
> Cr-Commit-Position: refs/heads/master@{#31224}

TBR=jarin@chromium.org,mtrofin@google.com,mtrofin@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1403163003

Cr-Commit-Position: refs/heads/master@{#31300}