- 18 Oct, 2017 19 commits
-
-
Michael Starzinger authored
Now that {DeoptimizationOutputData} does not exist anymore we can rename {DeoptimizationInputData} to just {DeoptimizationData}. R=jarin@chromium.org Change-Id: Ib67967539d33714cc15e5d5b6dde522a9ede64b2 Reviewed-on: https://chromium-review.googlesource.com/725349 Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48684}
-
Franziska Hinkelmann authored
Analogous to other interceptors, intercept the DefineProperty call only after obtaining the property descriptor. This behavior allows us to mirror calls on a sandboxed object as it is needed in Node. See for example https://github.com/nodejs/node/pull/13265 Bug: Change-Id: I73b8f8908d13473939b37fb6727858d0bee6bda3 Reviewed-on: https://chromium-review.googlesource.com/725295 Reviewed-by:
Andreas Haas <ahaas@chromium.org> Commit-Queue: Franziska Hinkelmann <franzih@chromium.org> Cr-Commit-Position: refs/heads/master@{#48683}
-
jgruber authored
A while ago, CharacterRange::AddCaseEquivalents used to operate on a single range (the `this` value) and add case equivalents for that to `ranges`. This was changed in a2baaaac to use `ranges` as a list of incoming operands instead. When we now determine that the current range does not have case equivalents, we need to `continue` instead of `return` to avoid skipping the remaining ranges in the list. Bug: v8:6940 Change-Id: I9face88a2ef8b9408f177e503f3399a25e688e06 Reviewed-on: https://chromium-review.googlesource.com/725430 Reviewed-by:
Yang Guo <yangguo@chromium.org> Reviewed-by:
Marja Hölttä <marja@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#48682}
-
Peter Marshall authored
We never read this pointer, and it could cause crashes when the GC inspects it. Bug: v8:6956 Change-Id: Ib493c2f0418de3e89975fd1f5a7e86cc66868ec7 Reviewed-on: https://chromium-review.googlesource.com/725331 Reviewed-by:
Michael Lippautz <mlippautz@chromium.org> Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#48681}
-
Michael Starzinger authored
This makes sure that the lowering of {JSCreate} operator during create lowering is only applied to operations where both target and new.target are known to be constructors. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-768080 BUG=chromium:774780,chromium:768080 Change-Id: I55a582a3453bba7e14655b594b7714a3940eeaae Reviewed-on: https://chromium-review.googlesource.com/725332 Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48680}
-
Jaroslav Sevcik authored
Bug: v8:5267 Change-Id: I52d208d3520ad9c06c7e33378e2308631c598e33 Reviewed-on: https://chromium-review.googlesource.com/725386 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#48679}
-
Michael Starzinger authored
This allocates and populates potential exception handler tables before the underlying {Code} object is allocated. It essentially makes the field holding said table immutable after allocation. R=verwaest@chromium.org BUG=v8:6792 Change-Id: I52ca374d40e3a72a4de022aca10faead6422db79 Reviewed-on: https://chromium-review.googlesource.com/723299 Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48677}
-
Clemens Hammacher authored
The interface will now only be called for reachable code, hence the check in the graph builder is not needed any more. We DCHECK instead. R=titzer@chromium.org Change-Id: I24ef96d62d6a5cda18d9efefcbd089d5f324f624 Reviewed-on: https://chromium-review.googlesource.com/716176 Reviewed-by:
Ben Titzer <titzer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#48675}
-
Mike Stanton authored
All effectful nodes should be wired into the effect chain. Bug: v8:6929 Change-Id: I8a0b4148bb65628657df8019434a33a85127e92a Reviewed-on: https://chromium-review.googlesource.com/723359 Reviewed-by:
Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#48674}
-
Jaroslav Sevcik authored
Bug: v8:6906 Change-Id: I8e9ef0fe6314cac34396c9690db993f09e67c806 Reviewed-on: https://chromium-review.googlesource.com/725343 Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#48673}
-
Clemens Hammacher authored
They did not preserve the bit pattern of nans before. Now they do. Also, add some tests for these instructions. R=ahaas@chromium.org, rodolph.perfetta@arm.com Bug: v8:6947 Change-Id: I189720cd47e1768194567a41371fc9586b414c45 Reviewed-on: https://chromium-review.googlesource.com/722979 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by:
Rodolph Perfetta <rodolph.perfetta@arm.com> Reviewed-by:
Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#48672}
-
Pierre Langlois authored
The DoubleToI stub is no longer called outside of TurboFan, and always in the same way: - The parameter is on top of the stack. - The stub is always called in a slow path. - It truncates. Therefore, we can simplify it to only support this case and remove dead code. On top of this, since the stub is always considered to be on a slow path for all backends, this patch takes the opportunity to remove the `skip_fastpath` optimisation. This would generate a stub which does not handle all inputs, assuming that the backend already handled some of the inputs in a fast path. Removing this allows the stub to have the same behaviour on all targets. On Arm, this patch reworks the stub a little. We could use ip instead of saving and restoring a register on the stack. Also, comments would mention that we assume the exponent to be greater than 31 when it can be 30 or higher. As done for Arm64, let's check this at runtime in debug mode. On Arm64, we can also implement the stub without pushing and popping off the stack. It needs 2 general purpose and a double scratch registers which we have reserved already (ip0, ip1 and d30). This removes the need to check that the stack pointer is always 16-bytes aligned. Finally, this also fixes a potential bug on Arm64, in the `GetAllocatableRegisterThatIsNotOneOf` method which is now removed. We were picking an allocatable double register when we meant to pick a general one. Bug: v8:6644 Change-Id: I88d4597f377c9fc05432d5922a0d7129b6d19b47 Reviewed-on: https://chromium-review.googlesource.com/720963 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Pierre Langlois <pierre.langlois@arm.com> Cr-Commit-Position: refs/heads/master@{#48671}
-
Clemens Hammacher authored
This CL fixes all occurrences that don't require special OWNER reviews, or can be reviewed by Michi. After this one, we should be able to reenable the readability/check cpplint check. R=mstarzinger@chromium.org Bug: v8:6837, v8:6921 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux_noi18n_rel_ng Change-Id: Ic81d68d5534eaa795b7197fed5c41ed158361d62 Reviewed-on: https://chromium-review.googlesource.com/721120 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48670}
-
Georgia Kouveli authored
Also updates TurboAssembler::DropArguments to simplify dropping the receiver and the arguments. Bug: v8:6644 Change-Id: Ief3b529ffc574c213816a533948c7b1f5d014bd7 Reviewed-on: https://chromium-review.googlesource.com/723466 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> Cr-Commit-Position: refs/heads/master@{#48669}
-
Leszek Swirski authored
Removes the interrupt check and runtime call to TryInstallOptimizedCode from the optimization marker checks (i.e. CompileLazy and InterpreterEntryTrampoline). Instead, we rely on the other interrupt sources (in particular stack checks at function entries and loop headers) to install optimized code for us. This will hopefully not cause regressions, as we have plenty of other interrupt checks, but it may delay optimized code execution for some function by one function call. Bug: v8:6933 Change-Id: Ieadfff7ae2078d2a84085294158ad9a706eb9c64 Reviewed-on: https://chromium-review.googlesource.com/723475 Reviewed-by:
Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#48667}
-
Jakob Gruber authored
This is a reland of 526c31d0 Original change's description: > Reland "[snapshot] Add BuiltinDeserializerAllocator" > > This is a reland of 2b9a6d89 > Original change's description: > > [snapshot] Add BuiltinDeserializerAllocator > > > > Encapsulates special reservation / allocation behavior for builtin > > deserialization. > > > > Bug: v8:6624 > > Change-Id: Ic784ed43b607c881b356c6e535c9dbe185e1d4cd > > Reviewed-on: https://chromium-review.googlesource.com/716229 > > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > > Reviewed-by: Yang Guo <yangguo@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#48638} > > TBR=yangguo@chromium.org > > Bug: v8:6624 > Change-Id: I07c49263b4ef128dfe9b97d364e9a279b343aa24 > Reviewed-on: https://chromium-review.googlesource.com/723520 > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Cr-Commit-Position: refs/heads/master@{#48647} TBR=yangguo@chromium.org Bug: v8:6624 Change-Id: I4186fcf89b9fce3433a02fc864346a300b90ffb5 Reviewed-on: https://chromium-review.googlesource.com/725439 Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#48666}
-
Jaroslav Sevcik authored
Bug: chromium:774824 Change-Id: Id3d0af0bb55c0985393fe3b139308b6b706e7bc0 Reviewed-on: https://chromium-review.googlesource.com/725339 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#48665}
-
peterwmwong authored
Bug: v8:5049 Change-Id: Ia4f5729be64794e9080eb0e644b86cd5d8c88a11 Reviewed-on: https://chromium-review.googlesource.com/722168 Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#48661}
-
Tobias Tebbi authored
This fixes https://bugs.chromium.org/p/chromium/issues/detail?id=773954. The issue was that in the EffectControlLinearizer, the effect input of an {Unreachable} node was not updated, leaving a {Checkpoint} behind. This is a reland of 4cf47645 Original change's description: > Reland^3 "[turbofan] eagerly prune None types and deadness from the graph" > > This fixes the issues > https://bugs.chromium.org/p/chromium/issues/detail?id=772873 > and https://bugs.chromium.org/p/chromium/issues/detail?id=772872. > > One problem was that mutating an effect node into Unreachable confused > the LoadElimination sidetables, so I just always create a new node now. > > The other problem was that UpdateBlockControl() was executed after > UpdateEffectPhi() in the lazy case. This reverted the update to the Merge input. > So now I make sure that UpdateEffectPhi() is always executed last. > > This is a reland of 6ddb5e7d > Original change's description: > > Reland^2 "[turbofan] eagerly prune None types and deadness from the graph" > > > > Now, the EffectControlLinearizer connects all occurrences of Unreachable to the > > graph end. This fixes issues with later phases running DeadCodeElimination and > > introducing new DeadValue nodes when processing uses of Unreachable. > > > > This is a reland of 3c4bc27f > > Original change's description: > > > Reland "[turbofan] eagerly prune None types and deadness from the graph" > > > > > > This is a reland of e1cdda25 > > > Original change's description: > > > > [turbofan] eagerly prune None types and deadness from the graph > > > > > > > > In addition to using the {Dead} node to prune dead control nodes and nodes that > > > > depend on them, we introduce a {DeadValue} node representing an impossible value > > > > that can occur at any position in the graph. The extended {DeadCodeElimination} > > > > prunes {DeadValue} and its uses, inserting a crashing {Unreachable} node into > > > > the effect chain when possible. 
The remaining uses of {DeadValue} are handled > > > > in {EffectControlLinearizer}, where we always have access to the effect chain. > > > > In addition to explicitly introduced {DeadValue} nodes, we consider any value use > > > > of a node with type {None} as dead. > > > > > > > > Bug: chromium:741225 > > > > Change-Id: Icc4b636d1d018c452ba1a2fa7cd3e00e522f1655 > > > > Reviewed-on: https://chromium-review.googlesource.com/641250 > > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org> > > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> > > > > Cr-Commit-Position: refs/heads/master@{#48208} > > > > > > Bug: chromium:741225 > > > Change-Id: I21316913dae02864f7a6d7c9269405a79f054138 > > > Reviewed-on: https://chromium-review.googlesource.com/692034 > > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> > > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org> > > > Cr-Commit-Position: refs/heads/master@{#48232} > > > > Bug: chromium:741225 > > Change-Id: I5702ec34856c075717162153adc765774453c45f > > Reviewed-on: https://chromium-review.googlesource.com/702264 > > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> > > Commit-Queue: Tobias Tebbi <tebbi@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#48366} > > Bug: chromium:741225 > Change-Id: I4054a694d2521c2e1f0c4a3ad0f3cf100b5c536f > Reviewed-on: https://chromium-review.googlesource.com/709214 > Commit-Queue: Tobias Tebbi <tebbi@chromium.org> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> > Cr-Commit-Position: refs/heads/master@{#48469} Bug: chromium:741225 Change-Id: Id9d4f3a3ae36cb3e38f80edcdba88efa7922ca24 Reviewed-on: https://chromium-review.googlesource.com/715716 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#48660}
-
- 17 Oct, 2017 21 commits
-
-
Sathya Gunasekaran authored
Bug: v8:5244 Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng Change-Id: I3528b6786be4a820ecb7570df83164fcce80ec5c Reviewed-on: https://chromium-review.googlesource.com/724209 Reviewed-by:
Daniel Ehrenberg <littledan@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#48658}
-
Ulan Degenbaev authored
They can have unboxed double fields and embedder fields. Bug: chromium:775055 Change-Id: Idff67c776cb4209d78006b8f3f8ebc07aa509c42 Reviewed-on: https://chromium-review.googlesource.com/723425 Reviewed-by:
Michael Lippautz <mlippautz@chromium.org> Reviewed-by:
Hannes Payer <hpayer@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#48655}
-
Alexei Filippov authored
BUG=chromium:760649 Change-Id: If108830a1869238102e1c3475fe99e1ffb78d48d Reviewed-on: https://chromium-review.googlesource.com/706140 Reviewed-by:
Marja Hölttä <marja@chromium.org> Reviewed-by:
Camillo Bruni <cbruni@chromium.org> Commit-Queue: Alexei Filippov <alph@chromium.org> Cr-Commit-Position: refs/heads/master@{#48654}
-
Bruce Dawson authored
While change crrev.com/c/718338 was changing NULL to nullptr, change crrev.com/c/711334 was adding another NULL. I noticed this (eventually) because I was simultaneously trying to write a change which was very dependent on the precise value being used for null pointers. BUG=v8:6928,v8:6921 Change-Id: Ib42cccf90c91c050032cc9e34e44c99fd14ff1bb Reviewed-on: https://chromium-review.googlesource.com/722619 Commit-Queue: Mathias Bynens <mathias@chromium.org> Reviewed-by:
Adam Klein <adamk@chromium.org> Reviewed-by:
Mathias Bynens <mathias@chromium.org> Cr-Commit-Position: refs/heads/master@{#48651}
-
Michael Achenbach authored
This reverts commit 526c31d0. Reason for revert: cfi still unhappy: https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20cfi/builds/11905 Original change's description: > Reland "[snapshot] Add BuiltinDeserializerAllocator" > > This is a reland of 2b9a6d89 > Original change's description: > > [snapshot] Add BuiltinDeserializerAllocator > > > > Encapsulates special reservation / allocation behavior for builtin > > deserialization. > > > > Bug: v8:6624 > > Change-Id: Ic784ed43b607c881b356c6e535c9dbe185e1d4cd > > Reviewed-on: https://chromium-review.googlesource.com/716229 > > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > > Reviewed-by: Yang Guo <yangguo@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#48638} > > TBR=yangguo@chromium.org > > Bug: v8:6624 > Change-Id: I07c49263b4ef128dfe9b97d364e9a279b343aa24 > Reviewed-on: https://chromium-review.googlesource.com/723520 > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Cr-Commit-Position: refs/heads/master@{#48647} TBR=yangguo@chromium.org,jgruber@chromium.org Change-Id: I2a0534505d646a3ba90523f06f726b5059b90e35 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:6624 Reviewed-on: https://chromium-review.googlesource.com/723521 Reviewed-by:
Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#48650}
-
Ross McIlroy authored
Ensure we only lower SpeculativeNumberBinops to a pure operator for non-string plain primitives. Previously we could lower if a value might be the-hole, however this would fail a CHECK in ConvertInputsToNumber which expects a plain primitive. BUG=chromium:772420 Change-Id: I0c755d10db7afd9cabfb638eca5662d70dfc8d51 Reviewed-on: https://chromium-review.googlesource.com/715717 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#48649}
-
Clemens Hammacher authored
This prepares fixes in the implementations of vabs and vneg (potentially more). In order to implement them correctly, we need to preserve the exact bit pattern. R=ahaas@chromium.org, rodolph.perfetta@arm.com Bug: v8:6947 Change-Id: I7194a60371a6e3c9ffba32981c90090ffafaa610 Reviewed-on: https://chromium-review.googlesource.com/722941 Reviewed-by:
Rodolph Perfetta <rodolph.perfetta@arm.com> Reviewed-by:
Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#48648}
-
Jakob Gruber authored
This is a reland of 2b9a6d89 Original change's description: > [snapshot] Add BuiltinDeserializerAllocator > > Encapsulates special reservation / allocation behavior for builtin > deserialization. > > Bug: v8:6624 > Change-Id: Ic784ed43b607c881b356c6e535c9dbe185e1d4cd > Reviewed-on: https://chromium-review.googlesource.com/716229 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Yang Guo <yangguo@chromium.org> > Cr-Commit-Position: refs/heads/master@{#48638} TBR=yangguo@chromium.org Bug: v8:6624 Change-Id: I07c49263b4ef128dfe9b97d364e9a279b343aa24 Reviewed-on: https://chromium-review.googlesource.com/723520 Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#48647}
-
Ben L. Titzer authored
This feature is turned off in flag-definitions but reenabled in a non-standard way in d8. Given that the situations in which the trap handler is disabled are more limited now due to integration problems, disabling this feature for now, since we lack enough coverage to have confidence to turn it on by default. We should probably introduce a proper test variant for this feature so that it can be handled in a more standard way. R=eholk@chromium.org CC=mlippautz@chromium.org,hablich@chromium.org,mstarzinger@chromium.org Bug: Change-Id: Ic2e13181036ace8802736be847ae16ff889e3cea Reviewed-on: https://chromium-review.googlesource.com/723221 Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by:
Eric Holk <eholk@chromium.org> Cr-Commit-Position: refs/heads/master@{#48646}
-
Michael Achenbach authored
Bug: chromium:726584 Change-Id: I1d413b5568e533e4f517c0687716689dd15da70d Reviewed-on: https://chromium-review.googlesource.com/723459 Commit-Queue: Michael Achenbach <machenbach@chromium.org> Reviewed-by:
Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#48645}
-
Michael Lippautz authored
Bug: v8:6923 Change-Id: Ic8c8829d39d482463309507719379cd17346b52a Reviewed-on: https://chromium-review.googlesource.com/723179 Reviewed-by:
Hannes Payer <hpayer@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#48644}
-
Franziska Hinkelmann authored
Instead of re-iterating over the heap all the time, use the list of feedback vectors on the isolate. This also avoids GC of vectors. Bug: v8:5935 Change-Id: I0bb96fcf2b0feb9856e9806f812188de1fc7b37e Reviewed-on: https://chromium-review.googlesource.com/668396 Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Yang Guo <yangguo@chromium.org> Commit-Queue: Franziska Hinkelmann <franzih@chromium.org> Cr-Commit-Position: refs/heads/master@{#48643}
-
Michael Achenbach authored
This reverts commit 2b9a6d89. Reason for revert: Fails ubsan: https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20UBSanVptr/builds/770 Original change's description: > [snapshot] Add BuiltinDeserializerAllocator > > Encapsulates special reservation / allocation behavior for builtin > deserialization. > > Bug: v8:6624 > Change-Id: Ic784ed43b607c881b356c6e535c9dbe185e1d4cd > Reviewed-on: https://chromium-review.googlesource.com/716229 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Yang Guo <yangguo@chromium.org> > Cr-Commit-Position: refs/heads/master@{#48638} TBR=yangguo@chromium.org,jgruber@chromium.org Change-Id: I0c6eceb88efe65526499e124acc4a45ee2904c1c No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:6624 Reviewed-on: https://chromium-review.googlesource.com/723141 Reviewed-by:
Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#48641}
-
Michael Lippautz authored
Mechanical move simplifying a follow up that removes the recursive locking strategy by properly partitioning pages. Bug: v8:6923 Change-Id: I688e61131731e2b9dc9c311b0b43f0902c149359 Reviewed-on: https://chromium-review.googlesource.com/723020 Reviewed-by:
Hannes Payer <hpayer@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#48640}
-
Benedikt Meurer authored
So far the inlining of Function#bind into TurboFan optimized code was limited to cases where TurboFan could infer the constant JSFunction that was bound. However we can easily extend that to cover JSBoundFunction as well, and obviously also take the LOAD_IC feedback if we don't have a known JSFunction or JSBoundFunction. This adds a new operator JSCreateBoundFunction that contains the logic for the creation of the bound function object and the arguments. On the micro-benchmarks we go from functionBindParameter0: 1239 ms. functionBindConstant0: 478 ms. functionBindBoundConstant0: 1256 ms. functionBindParameter1: 1278 ms. functionBindConstant1: 475 ms. functionBindBoundConstant1: 1253 ms. functionBindParameter2: 1431 ms. functionBindConstant2: 616 ms. functionBindBoundConstant2: 1437 ms. to functionBindParameter0: 462 ms. functionBindConstant0: 485 ms. functionBindBoundConstant0: 474 ms. functionBindParameter1: 478 ms. functionBindConstant1: 474 ms. functionBindBoundConstant1: 474 ms. functionBindParameter2: 617 ms. functionBindConstant2: 614 ms. functionBindBoundConstant2: 616 ms. which is a ~2.5x improvement. On the jshint benchmark in the web-tooling-benchmark we observe a 2-3% improvement, which corresponds to the time we had seen it running in the generic version. Bug: v8:6936, v8:6946 Change-Id: I940d13220ff35ae602dbaa33349ba4bbe0c9a9d3 Reviewed-on: https://chromium-review.googlesource.com/723080 Reviewed-by:
Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#48639}
-
jgruber authored
Encapsulates special reservation / allocation behavior for builtin deserialization. Bug: v8:6624 Change-Id: Ic784ed43b607c881b356c6e535c9dbe185e1d4cd Reviewed-on: https://chromium-review.googlesource.com/716229 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#48638}
-
Hannes Payer authored
Bug: Change-Id: I28d6905a0c527a171deae89374ef54c2b4b97d3d Reviewed-on: https://chromium-review.googlesource.com/722960 Reviewed-by:
Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Hannes Payer <hpayer@chromium.org> Cr-Commit-Position: refs/heads/master@{#48637}
-
jgruber authored
This removes the builtins area from the startup snapshot. It's now completely contained in the separate builtins blob area. Bug: v8:6624 Change-Id: Id3c43a177c7e1ed418eec59cf620fa461eb6df81 Reviewed-on: https://chromium-review.googlesource.com/715759 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#48636}
-
jgruber authored
A continuation of the work in 59e4b751, this extracts logic around memory reservation and allocations out of the Deserializer class. Follow-up work is planned to create a specialized allocator for builtin deserialization. Bug: v8:6624 Change-Id: I7081cdc557ab8fb2571aadb816399e136ea2cdbb Reviewed-on: https://chromium-review.googlesource.com/716036 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by:
Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#48634}
-
Michael Starzinger authored
R=bmeurer@chromium.org BUG=v8:6792 Change-Id: I8ed3e6ec06bfba117781efc63d79bc7641b7ec24 Reviewed-on: https://chromium-review.googlesource.com/722641 Reviewed-by:
Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48633}
-
Marja Hölttä authored
OSR for functions which use arguments no longer needs to be disabled, since TurboFan handles the case. Bug: Change-Id: I121f1190a142c18f113bd5f875e258812645c43f Reviewed-on: https://chromium-review.googlesource.com/721661 Reviewed-by:
Michael Starzinger <mstarzinger@chromium.org> Reviewed-by:
Toon Verwaest <verwaest@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#48631}
-