Bug: v8:8477, v8:8562
Change-Id: Iebb60551a461304539d943a080ce107eecf6fdbf
Reviewed-on: https://chromium-review.googlesource.com/c/1384264Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58371}

As per (https://github.com/tc39/proposal-string-matchall/pull/41), String.p.matchAll's fallback was removed.
Additionally, removed a IsNullOrUndefined check that was already covered by MaybeCallFunctionAtSymbol.
Updates to Test262 has been submitted: https://github.com/tc39/test262/pull/1990

Bug: v8:6890
Change-Id: I246cbbcb4641ebded704c5f772809f182deaa30e
Reviewed-on: https://chromium-review.googlesource.com/c/1369091
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58172}

For this to work, I had to move PropertyCell out of objects.h too, since
otherwise there would be an inl include cycle which makes the code not compile.

BUG=v8:5402,v8:8238

Change-Id: I3233f86b68c1e2fd32d135fcf0bbba8101af8cb2
Reviewed-on: https://chromium-review.googlesource.com/c/1356510Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58004}

This updates fast path checks in string's search/match/replace/split/matchAll
methods.

Bug: v8:8361
Change-Id: I0377aff21e380d6c718e7471f8964e10c030281b
Reviewed-on: https://chromium-review.googlesource.com/c/1333668
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57509}

[builtins] Adjust String.prototype.matchAll as per spec changes (https://github.com/tc39/proposal-string-matchall/pull/38)

- Removes IsRegExp check and special handling when false
- Removes MatchAllIterator
- Extracts previously inlined CreateRegExpStringIterator
- Update comments to match spec text and numbering

Bug: v8:6890
Change-Id: Ie81757a499acc77910f029835fb042e70d86d83d
Reviewed-on: https://chromium-review.googlesource.com/c/1317830
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57488}

The fast paths for sets and maps did not support allocation in
large object space, yet they were taken in these cases. This CL
adds support, simply by passing the kAllowLargeObjectAllocation
argument to AllocateJSArray.

It also changes the fast path for strings to use this argument
rather than take the slow path.

Bug: v8:7980, v8:8410
Change-Id: I18e88cb4ceb7ebeca250edd8b8b0eb401fdbd6e4
Reviewed-on: https://chromium-review.googlesource.com/c/1317507
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57232}

Tbr: ishell@chromium.org
Bug: v8:8238
Change-Id: I3fe3b821105d2ce58df717970085098f6336f937
Reviewed-on: https://chromium-review.googlesource.com/c/1301512Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57039}

The assumption behind this optimization was invalid. Even if the
string's prototype is unchanged, the symbol could exist somewhere
further up the prototype chain.

GetProperty has been sped up significantly so it might be fine to just
skip this fast path. An alternative would be to use a protector cell.

Bug: v8:8357
Change-Id: Ia577107a58157350eb15780c02aa63d77e600637
Reviewed-on: https://chromium-review.googlesource.com/c/1301498
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57038}

This is a reland of ec969ea3

Temporarily removes high memory usage test.

Original change's description:
> [builtins] Fix Array.p.join length overflow and invalid string length handling
>
> - Fixes and simplify allocating the temporary fixed array for ToString-ed elements.
>   - When the array size is greater than representable by an intptr, it overflowed into a negative value causing a non-negative assert to fail.
>   - Simplify fallback behavior by always allocating a conservatively sized temporary fixed array. Previously, if the array had dictionary elements, the temporary fixed array was sized based on %GetNumberDictionaryNumberOfElements() and then resized when entering the fallback.
>
> - Fixes related invalid string length handling. When the running total of the resulting string length overflowed or exceeded String::kMaxLength, a RangeError is thrown. Previously, this thrown RangeError bypassed JoinStackPop and left the receiver on the stack.
>
> Bug: chromium:897404
> Change-Id: I157b71ef04ab06125a5b1c3454e5ed3713bdb591
> Reviewed-on: https://chromium-review.googlesource.com/c/1293070
> Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#56907}

Bug: chromium:897404
Change-Id: I4995893f6f9724b26c231d05619ad65dbccc7223
Reviewed-on: https://chromium-review.googlesource.com/c/1297675Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Cr-Commit-Position: refs/heads/master@{#56946}

Previously StringToList use the length of the original string, which is
not the right value: we expect the length of the new array to be the
number of characters (codepoints).

Bug: v8:7980
Change-Id: I2efca5715323c4399cb45c53871ae349207f3458
Reviewed-on: https://chromium-review.googlesource.com/c/1297320
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56944}

This reverts commit ec969ea3.

Reason for revert: test fails consistently on arm bots.
I can't repro the failure locally, but it does consume ~512MB of memory (for a single string, I think?), so my guess is that the bots don't have enough contiguous address space.

Original change's description:
> [builtins] Fix Array.p.join length overflow and invalid string length handling
> 
> - Fixes and simplify allocating the temporary fixed array for ToString-ed elements.
>   - When the array size is greater than representable by an intptr, it overflowed into a negative value causing a non-negative assert to fail.
>   - Simplify fallback behavior by always allocating a conservatively sized temporary fixed array. Previously, if the array had dictionary elements, the temporary fixed array was sized based on %GetNumberDictionaryNumberOfElements() and then resized when entering the fallback.
> 
> - Fixes related invalid string length handling. When the running total of the resulting string length overflowed or exceeded String::kMaxLength, a RangeError is thrown. Previously, this thrown RangeError bypassed JoinStackPop and left the receiver on the stack.
> 
> Bug: chromium:897404
> Change-Id: I157b71ef04ab06125a5b1c3454e5ed3713bdb591
> Reviewed-on: https://chromium-review.googlesource.com/c/1293070
> Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#56907}

TBR=danno@chromium.org,peter.wm.wong@gmail.com,jgruber@chromium.org,tebbi@chromium.org

Change-Id: I8ca80bd75833aacc94ccb25ceb82bbc8880991db
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:897404
Reviewed-on: https://chromium-review.googlesource.com/c/1297471Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56915}

- Fixes and simplify allocating the temporary fixed array for ToString-ed elements.
  - When the array size is greater than representable by an intptr, it overflowed into a negative value causing a non-negative assert to fail.
  - Simplify fallback behavior by always allocating a conservatively sized temporary fixed array. Previously, if the array had dictionary elements, the temporary fixed array was sized based on %GetNumberDictionaryNumberOfElements() and then resized when entering the fallback.

- Fixes related invalid string length handling. When the running total of the resulting string length overflowed or exceeded String::kMaxLength, a RangeError is thrown. Previously, this thrown RangeError bypassed JoinStackPop and left the receiver on the stack.

Bug: chromium:897404
Change-Id: I157b71ef04ab06125a5b1c3454e5ed3713bdb591
Reviewed-on: https://chromium-review.googlesource.com/c/1293070
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56907}

AllocateJSArray always allocates in new space, so we bailout of the fast
path for strings if the new array does not fit in new space.

Bug found by ClusterFuzz. Regression test added.

This also switches to the BranchIf pattern to avoid materialize a bool.

Bug: chromium:895860, v8:7980
Change-Id: Ic7c41268c394ac2796b7694252390ab50fd74838
Reviewed-on: https://chromium-review.googlesource.com/c/1286337Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Hai Dang <dhai@google.com>
Cr-Commit-Position: refs/heads/master@{#56759}

This is a reland of ef2a19a2.
Use AllocateJSArray to avoid allocating an empty fixed array.

Original change's description:
> Add fast path for spreading primitive strings.
>
> This improves the performance on primitive strings of
> IterableToListWithSymbolLookup, which implements the
> CreateArrayFromIterable bytecode. The fast path is only
> taken if the string iterator protector is valid (that is,
> String.prototype[Symbol.iterator] and
> String.prototype[Symbol.iterator]().next are untouched).
>
> This brings spreading of primitive strings closer to the
> performance of the string iterator optimizations.
> (see https://docs.google.com/document/d/13z1fvRVpe_oEroplXEEX0a3WK94fhXorHjcOMsDmR-8/).
>
> Bug: chromium:881273, v8:7980
> Change-Id: Ic8d8619da2f2afcc9346203613a844f62653fd7a
> Reviewed-on: https://chromium-review.googlesource.com/1243110
> Commit-Queue: Hai Dang <dhai@google.com>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#56329}

Bug: chromium:881273, v8:7980
Change-Id: I746c57ddfc300e1032057b5125bc824adf5c2cd3
Reviewed-on: https://chromium-review.googlesource.com/c/1267497
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56438}

This reverts commit ef2a19a2.

Reason for revert: Broken layout tests: https://ci.chromium.org/p/chromium/builders/luci.chromium.try/linux_chromium_rel_ng/201392

Original change's description:
> Add fast path for spreading primitive strings.
> 
> This improves the performance on primitive strings of
> IterableToListWithSymbolLookup, which implements the
> CreateArrayFromIterable bytecode. The fast path is only
> taken if the string iterator protector is valid (that is,
> String.prototype[Symbol.iterator] and
> String.prototype[Symbol.iterator]().next are untouched).
> 
> This brings spreading of primitive strings closer to the
> performance of the string iterator optimizations.
> (see https://docs.google.com/document/d/13z1fvRVpe_oEroplXEEX0a3WK94fhXorHjcOMsDmR-8/).
> 
> Bug: chromium:881273, v8:7980
> Change-Id: Ic8d8619da2f2afcc9346203613a844f62653fd7a
> Reviewed-on: https://chromium-review.googlesource.com/1243110
> Commit-Queue: Hai Dang <dhai@google.com>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#56329}

TBR=ulan@chromium.org,neis@chromium.org,sigurds@chromium.org,bmeurer@chromium.org,dhai@google.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:881273, v8:7980
Change-Id: I4868160b87bdebf9fd2ff346aefd4cdce23681a1
Reviewed-on: https://chromium-review.googlesource.com/c/1261022Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56365}

This improves the performance on primitive strings of
IterableToListWithSymbolLookup, which implements the
CreateArrayFromIterable bytecode. The fast path is only
taken if the string iterator protector is valid (that is,
String.prototype[Symbol.iterator] and
String.prototype[Symbol.iterator]().next are untouched).

This brings spreading of primitive strings closer to the
performance of the string iterator optimizations.
(see https://docs.google.com/document/d/13z1fvRVpe_oEroplXEEX0a3WK94fhXorHjcOMsDmR-8/).

Bug: chromium:881273, v8:7980
Change-Id: Ic8d8619da2f2afcc9346203613a844f62653fd7a
Reviewed-on: https://chromium-review.googlesource.com/1243110
Commit-Queue: Hai Dang <dhai@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56329}

The protector is useful for follow-up optimizations on string iterator.
Tests are also added.

Change-Id: I416037c742628c4d4d3b878d0df727a9ae7162f7
Reviewed-on: https://chromium-review.googlesource.com/1251122Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Hai Dang <dhai@google.com>
Cr-Commit-Position: refs/heads/master@{#56315}

and introduce RootsTable - a V8 heap roots storage.

So, the renaming part looks like this:
  Heap::RootListIndex -> RootIndex
  Heap::kBlahBlahRootIndex -> RootIndex::kBlahBlah

Bug: v8:8015, v8:8182
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: I38e1f3e3f6813ef35e37b0bed35e9ae14a62134f
Reviewed-on: https://chromium-review.googlesource.com/1234613Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56067}

This changes the Name::hash_field and Symbol::flags to uint32_t as
well, so that both Symbols and Strings consume one fewer word on 64-bit
architectures now. More importantly the access to String::length is
always a 32-bit field load now, even with 31-bit Smis (i.e. on ARM or
on 64-bit with pointer compression), so the access should be faster.

Bug: v8:7065, v8:8171
Change-Id: I1a38f4470d62fbeba2b3bc5fcf4ecdbada7d6b8a
Tbr: ulan@chromium.org, yangguo@chromium.org, ishell@chromium.org
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1224432Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55861}

Since the removal of Crankshaft there's no use for StringAdd with
pretenuring anymore, so we can remove the extra code and builtins.

Bug: v8:8015
Change-Id: If178c6f1d08841428f42b1baece231268cdae2ad
Reviewed-on: https://chromium-review.googlesource.com/1213206
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55843}

This reverts commit a03cec2c.

Reason for revert: https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/21320

Original change's description:
> Reland "[objects] Change String::length field to uint32_t."
> 
> This is a reland of 1f1eb625, the
> breakage on the GCStress bot seems to be unrelated (maybe flushed
> out by this change). We decided to reland to figure out whether it's
> a random flake or really triggered by this particular change.
> 
> Original change's description:
> > [objects] Change String::length field to uint32_t.
> >
> > This changes the Name::hash_field and Symbol::flags to uint32_t as
> > well, so that both Symbols and Strings consume one fewer word on 64-bit
> > architectures now. More importantly the access to String::length is
> > always a 32-bit field load now, even with 31-bit Smis (i.e. on ARM or
> > on 64-bit with pointer compression), so the access should be faster.
> >
> > Bug: v8:7065, v8:8171
> > Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
> > Change-Id: I5523deb1f84ece91fa2fea775d50318bd1300493
> > Reviewed-on: https://chromium-review.googlesource.com/1221288
> > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> > Reviewed-by: Yang Guo <yangguo@chromium.org>
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#55825}
> 
> Bug: v8:7065, v8:8171
> Tbr: tebbi@chromium.org, yangguo@chromium.org, ishell@chromium.org, ulan@chromium.org
> Change-Id: I2be24ac018591c04c826e7e8db82e007b738d156
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/1222308
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55838}

TBR=yangguo@chromium.org,tebbi@chromium.org,ishell@chromium.org,bmeurer@chromium.org

Change-Id: Ic741c3d407d4257a8c86b3082b9a19e33dc89215
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7065, v8:8171
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1222368Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55839}

This is a reland of 1f1eb625, the
breakage on the GCStress bot seems to be unrelated (maybe flushed
out by this change). We decided to reland to figure out whether it's
a random flake or really triggered by this particular change.

Original change's description:
> [objects] Change String::length field to uint32_t.
>
> This changes the Name::hash_field and Symbol::flags to uint32_t as
> well, so that both Symbols and Strings consume one fewer word on 64-bit
> architectures now. More importantly the access to String::length is
> always a 32-bit field load now, even with 31-bit Smis (i.e. on ARM or
> on 64-bit with pointer compression), so the access should be faster.
>
> Bug: v8:7065, v8:8171
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: I5523deb1f84ece91fa2fea775d50318bd1300493
> Reviewed-on: https://chromium-review.googlesource.com/1221288
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55825}

Bug: v8:7065, v8:8171
Tbr: tebbi@chromium.org, yangguo@chromium.org, ishell@chromium.org, ulan@chromium.org
Change-Id: I2be24ac018591c04c826e7e8db82e007b738d156
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1222308Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55838}

This reverts commit df6157ae.

Reason for revert: trybots didn't rerun :-/

Original change's description:
> Reland "[objects] Change String::length field to uint32_t."
> 
> This is a reland of 1f1eb625, the
> breakage on the GCStress bot seems to be unrelated (maybe flushed
> out by this change). We decided to reland to figure out whether it's
> a random flake or really triggered by this particular change.
> 
> Original change's description:
> > [objects] Change String::length field to uint32_t.
> >
> > This changes the Name::hash_field and Symbol::flags to uint32_t as
> > well, so that both Symbols and Strings consume one fewer word on 64-bit
> > architectures now. More importantly the access to String::length is
> > always a 32-bit field load now, even with 31-bit Smis (i.e. on ARM or
> > on 64-bit with pointer compression), so the access should be faster.
> >
> > Bug: v8:7065, v8:8171
> > Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
> > Change-Id: I5523deb1f84ece91fa2fea775d50318bd1300493
> > Reviewed-on: https://chromium-review.googlesource.com/1221288
> > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> > Reviewed-by: Yang Guo <yangguo@chromium.org>
> > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Igor Sheludko <ishell@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#55825}
> 
> Tbr: tebbi@chromium.org, yangguo@chromium.org, ishell@chromium.org
> Bug: v8:7065, v8:8171
> Change-Id: I3c7d0b00abb15fa98ab622f9ecd8602fc798cbc3
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/1221290
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55836}

TBR=ulan@chromium.org,yangguo@chromium.org,tebbi@chromium.org,ishell@chromium.org,bmeurer@chromium.org

Change-Id: Ieaf3be31166abb02e37370ad846c38fa3d114693
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7065, v8:8171
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1222306Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55837}

This is a reland of 1f1eb625, the
breakage on the GCStress bot seems to be unrelated (maybe flushed
out by this change). We decided to reland to figure out whether it's
a random flake or really triggered by this particular change.

Original change's description:
> [objects] Change String::length field to uint32_t.
>
> This changes the Name::hash_field and Symbol::flags to uint32_t as
> well, so that both Symbols and Strings consume one fewer word on 64-bit
> architectures now. More importantly the access to String::length is
> always a 32-bit field load now, even with 31-bit Smis (i.e. on ARM or
> on 64-bit with pointer compression), so the access should be faster.
>
> Bug: v8:7065, v8:8171
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: I5523deb1f84ece91fa2fea775d50318bd1300493
> Reviewed-on: https://chromium-review.googlesource.com/1221288
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55825}

Tbr: tebbi@chromium.org, yangguo@chromium.org, ishell@chromium.org
Bug: v8:7065, v8:8171
Change-Id: I3c7d0b00abb15fa98ab622f9ecd8602fc798cbc3
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1221290
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55836}

This reverts commit 1f1eb625.

Reason for revert: GC Stress failure (https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/21311) 

Original change's description:
> [objects] Change String::length field to uint32_t.
> 
> This changes the Name::hash_field and Symbol::flags to uint32_t as
> well, so that both Symbols and Strings consume one fewer word on 64-bit
> architectures now. More importantly the access to String::length is
> always a 32-bit field load now, even with 31-bit Smis (i.e. on ARM or
> on 64-bit with pointer compression), so the access should be faster.
> 
> Bug: v8:7065, v8:8171
> Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
> Change-Id: I5523deb1f84ece91fa2fea775d50318bd1300493
> Reviewed-on: https://chromium-review.googlesource.com/1221288
> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55825}

TBR=yangguo@chromium.org,tebbi@chromium.org,ishell@chromium.org,bmeurer@chromium.org

Change-Id: I73f3200902f9d52e5664d48c938e37d9dfb7bce7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7065, v8:8171
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/1221706Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55826}

This changes the Name::hash_field and Symbol::flags to uint32_t as
well, so that both Symbols and Strings consume one fewer word on 64-bit
architectures now. More importantly the access to String::length is
always a 32-bit field load now, even with 31-bit Smis (i.e. on ARM or
on 64-bit with pointer compression), so the access should be faster.

Bug: v8:7065, v8:8171
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng;luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I5523deb1f84ece91fa2fea775d50318bd1300493
Reviewed-on: https://chromium-review.googlesource.com/1221288
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55825}

In these cases the std::function state does not change, hence, it can be
a const ref. Fixing clang-tidy warning.

Bug: v8:8015
Change-Id: I221b0c3e18c5c1f54d35d671445d2e947cf64c02
Reviewed-on: https://chromium-review.googlesource.com/1209822
Commit-Queue: Florian Sattler <sattlerf@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55712}

"short" external strings are not short, they mean that the external data
pointer is not cached. Rename the various classes and objects to align
with the actual meaning.

Bug: chromium:877044
Change-Id: Ie3d5baa9ad352ac6ca89f5ba1d066760825e4beb
Reviewed-on: https://chromium-review.googlesource.com/1185192Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Benoit L <lizeb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55432}

If maxLength is larger than String::kMaxLength, we used to throw
immediately. However, we must first look at the filler argument, which
is observable. Moreover, if the filler is empty, we must return the
input unchanged.

Bug: v8:8078
Change-Id: Ic3d135f9e25da56df45b059144e45e19dda9c3d8
Reviewed-on: https://chromium-review.googlesource.com/1188313
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55414}

drive-by change: fix wrong typing in CSA.

Change-Id: I9234306e8568a64157b44a86a58f09e65116b298
Reviewed-on: https://chromium-review.googlesource.com/1172583
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55093}

This enables fast bounds checks on FixedArray's.

Change-Id: I0ae57b2c6981d8e1b2c7017ba658fd9c890d2bad
Reviewed-on: https://chromium-review.googlesource.com/1163614
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54946}

RegExp builtins were the first to be ported to CSA roughly two years
ago. Back then, we weren't really aware of issues surrounding code
size and CSA inlining, and thus some of these builtins were bigger
than they should be.

This CL adds a few new helper builtins and removes inlined calls to
SubString, RegExpExecInternal, and StringAdd. It significantly
reduces the size of affected builtins. Minor performance regressions
due to call overhead are expected.

Before:
TFS Builtin, RegExpReplace, 20008
TFS Builtin, RegExpSplit, 17340
TFS Builtin, RegExpMatchFast, 17064
TFJ Builtin, RegExpStringIteratorPrototypeNext, 12862

After:
TFS Builtin, RegExpReplace, 5067
TFS Builtin, RegExpSplit, 6329
TFS Builtin, RegExpMatchFast, 8164
TFJ Builtin, RegExpStringIteratorPrototypeNext, 6652

Bug: v8:5737
Change-Id: I1c077a084da85bb73c0c5adb7118b941f488e0ec
Reviewed-on: https://chromium-review.googlesource.com/1127796Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54293}

Now TFJ builtins can use their own descriptors so there's no need to
keep the hacky BuiltinDescriptor around.

Bug: v8:7754
Change-Id: Ia7f23a21fb979370fd2149fef13186b83a3d5d30
Reviewed-on: https://chromium-review.googlesource.com/1104428
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53806}

This is a preliminary step before removing BuiltinDescriptor.

Bug: v8:7754
Change-Id: I752134aa29431e5773c9813361a3c6bda6f8872d
Reviewed-on: https://chromium-review.googlesource.com/1104169Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53794}

Type users of AllocateFixedArray with intptr parameters.

Bug: v8:7796
Change-Id: I4b155fb3fcb90fe66a3c20a24f0cea678a5d85bc
Reviewed-on: https://chromium-review.googlesource.com/1078347
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53436}

ToDirectStringAssembler::PointerToData returns a raw pointer, which
is invalidated when GC moves the original string and hence must not
be accessed after any allocations. This fixes the bug introduced in
b4ebbc57 / r53260.

Bug: chromium:845060
Tbr: jgruber@chromium.org
Change-Id: I248d0dd2a275bf9308269b3f65d00c4c4c3d4292
Reviewed-on: https://chromium-review.googlesource.com/1068213
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53272}

Optimize String.p.split for the case when the separator is empty and
the subject is a direct one-byte string.

Bug: v8:7103
Change-Id: Ica277d2c426679a1f77a1ef8ecb523bd596f65fb
Reviewed-on: https://chromium-review.googlesource.com/1045950
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53260}

Bug: v8:7754
Change-Id: Id22020984e10bd2ddb22119c50b490419c897174
Reviewed-on: https://chromium-review.googlesource.com/1062272Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53232}

Stubs and builtins are very similar. The main differences are that
stubs can be parameterized and may be generated at runtime, whereas
builtins are generated at mksnapshot-time and shipped with the snapshot
(or embedded into the binary).

My main motivation for these conversions is that we can generate
faster calls and jumps to (embedded) builtins callees from (embedded)
builtin callers. Instead of going through the builtins constants table
indirection, we can simply do a pc-relative call/jump.

This also unlocks other refactorings, e.g. removal of
CallRuntimeDelayed.

TBR=mlippautz@chromium.org

Bug: v8:6666
Change-Id: I4cd63477f19a330ec70bbf20e2af8a42fb05fabb
Reviewed-on: https://chromium-review.googlesource.com/1044245Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53027}

Bug: v8:7570
Change-Id: I74b482b670ce0e78dca012cbe8d9c2f65fdae5b9
Reviewed-on: https://chromium-review.googlesource.com/1030554
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52846}