Now TurboFan always uses the newly introduced %ForInPrepare, no matter
whether baseline is the interpreter or fullcodegen. For fullcodegen, we
introduce a new PrepareId bailout point for this purpose.

Drive-by-fix: Avoid the NoObservableSideEffectsScope in Crankshaft and
use the PrepareId bailout point instead.

R=jarin@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1630523002

Cr-Commit-Position: refs/heads/master@{#33480}

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1557883002

Cr-Commit-Position: refs/heads/master@{#33105}

Adds FrameState nodes to graphs built by the Bytecode Graph Builder, in
preparation for adding deopt support. Also adds a new
FrameStateType::kInterpretedFunction to allow for specialized deopt
stack translation for interpreted frames. Finally adds support for
disabling typed lowering of binary ops, since the current approach
relies on a FrameState hack which does not apply to interpreted frames

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1514413002

Cr-Commit-Position: refs/heads/master@{#32964}

Introduce JSCreateIterResultObject operator, as a way to optimize the
%_CreateIterResultObject intrinsic, which is used to provide uniform,
non-polymorphic result objects for iterators (and generators).  We
cannot utilize the existing JSCreate operator here, because there's no
constructor function for iterator result objects (as required by the
spec).

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1531753002

Cr-Commit-Position: refs/heads/master@{#32901}

Lower JSCallConstruct with known target JSFunction to a direct call to
the target's construct_stub, and JSCallConstruct with function target to
direct call to ConstructFunction builtin.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1517593003

Cr-Commit-Position: refs/heads/master@{#32735}

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1515513002

Cr-Commit-Position: refs/heads/master@{#32709}

Also remove the ResultMode from ToBooleanStub and always return true or
false and use the same mechanism in fullcodegen.  This is in preparation
for adding ToBoolean hints to TurboFan.

Drive-by-fix: We can use the power of the ToBooleanIC in TurboFan now
that the ResultMode is gone (and the runtime always returns true or
false from the miss handler).

R=mstarzinger@chromium.org
BUG=v8:4583
LOG=n

Review URL: https://codereview.chromium.org/1491223002

Cr-Commit-Position: refs/heads/master@{#32524}

Previously all contexts had a link to the global object, but what is
required in most cases (except for the global load, store and delete
case) is the native context.

This also removes the second dummy global object that was still linked
to every native context. We will add a different mechanism to ensure
that builtins do not pollute the actual global object during
bootstrapping.

Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=yangguo@chromium.org,mstarzinger@chromium.org

Committed: https://crrev.com/d290f204938295bfecc5c8e645ccfcff6e80ddb8
Cr-Commit-Position: refs/heads/master@{#32375}

Review URL: https://codereview.chromium.org/1480003002

Cr-Commit-Position: refs/heads/master@{#32381}

Revert of [runtime] Replace global object link with native context link in all contexts. (patchset #3 id:40001 of https://codereview.chromium.org/1480003002/ )

Reason for revert:
[Sheriff] Breaks:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap/builds/5472

Original issue's description:
> [runtime] Replace global object link with native context link in all contexts.
>
> Previously all contexts had a link to the global object, but what is
> required in most cases (except for the global load, store and delete
> case) is the native context.
>
> This also removes the second dummy global object that was still linked
> to every native context. We will add a different mechanism to ensure
> that builtins do not pollute the actual global object during
> bootstrapping.
>
> Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.
>
> R=yangguo@chromium.org
>
> Committed: https://crrev.com/d290f204938295bfecc5c8e645ccfcff6e80ddb8
> Cr-Commit-Position: refs/heads/master@{#32375}

TBR=yangguo@chromium.org,mstarzinger@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1478303002

Cr-Commit-Position: refs/heads/master@{#32377}

Previously all contexts had a link to the global object, but what is
required in most cases (except for the global load, store and delete
case) is the native context.

This also removes the second dummy global object that was still linked
to every native context. We will add a different mechanism to ensure
that builtins do not pollute the actual global object during
bootstrapping.

Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1480003002

Cr-Commit-Position: refs/heads/master@{#32375}

We use comparisons with the_hole to implement temporal dead zones, so we
should also optimize those, as they currently turn into CompareIC calls.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1473593002

Cr-Commit-Position: refs/heads/master@{#32198}

Add support for using inline allocations for arrays in lowering of
JSCreateArray when target equals new.target.  Currently we are only
concerend with the straight-forward Array() and Array(length) cases,
but at some point TurboFan should also be able to support the more
complex initializing cases.

R=mvstanton@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1465203002

Cr-Commit-Position: refs/heads/master@{#32191}

Introduce a JSCreateArray operator that represents the Array
constructor, and lower call and construct calls to the Array
constructor to JSCreateArray. Currently we don't yet replace
that with an inline allocation, but always use the specialized
stubs for the Array constructor.

This saves a lot of unnecessary deopts and elements transitions
because now we can actually consume the allocation site feedback
for the transitions.

R=mstarzinger@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1466643002

Cr-Commit-Position: refs/heads/master@{#32145}

This adds initial support for fast inline allocations of JSObject
instances. It currently has exactly the same limitations as Crankshaft.

R=mstarzinger@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1441573004

Cr-Commit-Position: refs/heads/master@{#31957}

This patch extends the typed lowering with a specialized version of 'instanceof' that is used if the "class", i.e. the constructor function, is a known constant.

Unittests check that replacement occurs as intended. Functional correctness is ensured by extensive unit tests covering instanceof already in the testsuite.

TESTS=unittests/JSTypedLoweringTest.{JSInstanceOfSpecializationWithSmiCheck,JSInstanceOfSpecializationWithoutSmiCheck,JSInstanceOfNoSpecialization}

Review URL: https://codereview.chromium.org/1407413014

Cr-Commit-Position: refs/heads/master@{#31916}

This moves the optimization for variables loads targeting lookup slots
in DYNAMIC_GLOBAL and DYNAMIC_LOCAL mode into the AstGraphBuilder. This
way we implicitly get all optimizations that target global loads and
context loads for free.

R=bmeurer@chromium.org
BUG=v8:4513
LOG=n

Review URL: https://codereview.chromium.org/1424943008

Cr-Commit-Position: refs/heads/master@{#31713}

This adds optimized lowering for JSConvertReceiver (in the general case)
and JSToObject in typed lowering. It also uses JSConvertReceiver for
direct calls in typed lowering.

R=mstarzinger@chromium.org
BUG=v8:4493
LOG=n

Review URL: https://codereview.chromium.org/1431543002

Cr-Commit-Position: refs/heads/master@{#31676}

This lowers JSCreateArguments nodes within inline (i.e. non-outermost)
frames that create "mapped arguments objects" to inline allocations.

The arguments count as well as each value is statically known and can be
directly stored into the arguments object. Note that the object is still
context-dependent and the map is loaded from the current context. The
object size is not taken into account for now, we might want to limit it
later though to keep code size bounded.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1403363004

Cr-Commit-Position: refs/heads/master@{#31619}

Typed lowering can lower JSConvertReceiver either based on the operator
hints or the (statically) known receiver type.

R=jarin@chromium.org
BUG=chromium:548557, v8:4493, v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1426893002

Cr-Commit-Position: refs/heads/master@{#31618}

This lowers JSCreateArguments nodes within inline (i.e. non-outermost)
frames that create "unmapped arguments objects" to inline allocations.

The arguments count as well as each value is statically known and can be
directly stored into the arguments object. Note that the object is still
context-dependent and the map is loaded from the current context. The
object size is not taken into account for now, we might want to limit it
later though to keep code size bounded.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1412113004

Cr-Commit-Position: refs/heads/master@{#31550}

This removes all locally constructed SimplifiedOperatorBuilder instances
and uses the one passed along the JSGraph. It ensures that the correct
zone is used to allocate operators, no matter where the reducer is used.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1410003002

Cr-Commit-Position: refs/heads/master@{#31355}

Optimizing global constants such as "NaN", "Infinity" and "undefined" is
best performed during graph building. Then the optimization and lowering
passes only need to deal with real loads in case of JSLoadGlobal.

R=mstarzinger@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1384953002

Cr-Commit-Position: refs/heads/master@{#31135}

This lowers JSCreateFunctionContext nodes to call the above stub for
help with allocating function contexts when possible. It also contains
an implementation for inlined allocations of such contexts, which is
still behind a flag until inlined allocations are ready for prime time.

TEST=unittests/JSTypedLoweringTest.JSCreateFunctionContext
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1380113002

Cr-Commit-Position: refs/heads/master@{#31068}

This lowers JSCreateArgument nodes to call the ArgumentsAccessStub for
help with materializing arguments objects when possible. Along the way
this changes the calling convention of said stub to take parameters in
registers instead of on the stack.

R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1348773002

Cr-Commit-Position: refs/heads/master@{#30919}

Optimize string "length" property access based on static type
information if possible, but also optimistically optimize the access
based on type feedback from the LoadIC.

R=jarin@chromium.org

Committed: https://crrev.com/17add22ff4b9c5ca638502e7708f0d9d99baca40
Cr-Commit-Position: refs/heads/master@{#29543}

Review URL: https://codereview.chromium.org/1216593003

Cr-Commit-Position: refs/heads/master@{#29588}

Revert of [turbofan] Optimize string "length" property access based on types. (patchset #2 id:20001 of https://codereview.chromium.org/1216593003/)

Reason for revert:
Causes crash when running benchmarks/octane/regexp.js on ARM:
http://build.chromium.org/p/client.v8/builders/V8%20Arm/builds/2492/steps/Benchmarks/logs/regexp

Original issue's description:
> [turbofan] Optimize string "length" property access based on types.
>
> Optimize string "length" property access based on static type
> information if possible, but also optimistically optimize the access
> based on type feedback from the LoadIC.
>
> R=jarin@chromium.org
>
> Committed: https://crrev.com/17add22ff4b9c5ca638502e7708f0d9d99baca40
> Cr-Commit-Position: refs/heads/master@{#29543}

TBR=mstarzinger@chromium.org,jarin@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1224083002

Cr-Commit-Position: refs/heads/master@{#29544}

Optimize string "length" property access based on static type
information if possible, but also optimistically optimize the access
based on type feedback from the LoadIC.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1216593003

Cr-Commit-Position: refs/heads/master@{#29543}

Currently we lower shifts directly to machine operators, and add an
appropriate Word32And to implement the & 0x1F operation on the right
hand side required by the specification. However for Word32And we assume
Int32 in simplified lowering, which is basically changes the right hand
side bit interpretation for the shifts from Uint32 to Int32, which is
obviously wrong. So now we represent that explicitly by proper
simplified operators for the shifts, which are lowered to machine in
simplified lowering.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1213803008

Cr-Commit-Position: refs/heads/master@{#29465}

This is a precursor to using specialized LoadIC and StoreIC stubs for
global variable access. It also removes the need to keep track of the
global object in the type system, hence freeing up one bit.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1205473004

Cr-Commit-Position: refs/heads/master@{#29231}

The TryLowerDirectJSCall method tried to lower to a direct JavaScript
function call depending on the type of the receiver, but only if the
target is a cosntant JSFunction. Since this depends on types and is not
required for correctness, it shouldn't be part of generic lowering
anyway. So this functionality was moved to typed lowering instead, and
we use proper types for the target instead.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1182193005

Cr-Commit-Position: refs/heads/master@{#29028}

This adds handling of JSLoadDynamicContext nodes to JSTypedLowering to
perform extension checks and an inline fast path. The fast path is a
context slot load targeting a specific context.

R=bmeurer@chromium.org
BUG=v8:4131
LOG=N

Review URL: https://codereview.chromium.org/1155543003

Cr-Commit-Position: refs/heads/master@{#28823}

The IC for modulus is usually way faster than converting the inputs to
numbers and doing a Float64Mod on them.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1170433002

Cr-Commit-Position: refs/heads/master@{#28787}

This adds handling of JSLoadDynamicGlobal nodes to JSTypedLowering to
perform extension checks and an inline fast path. The fast path is a
global variable load from the global object.

R=bmeurer@chromium.org
BUG=v8:4131
LOG=N

Review URL: https://codereview.chromium.org/1150723005

Cr-Commit-Position: refs/heads/master@{#28750}

Unfortunately StringAdd is not pure in V8 because we might throw an
exception if the resulting string length is outside the valid bounds, so
there's no point in having a simplified StringAdd operator.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1164743002

Cr-Commit-Position: refs/heads/master@{#28747}

This is basically a port of the majority of optimizations that are
applied to for-in in full codegen. But it is not done during graph
building, but instead during typed lowering, which way less adhoc than
what the other compilers do.

Review URL: https://codereview.chromium.org/1155313008

Cr-Commit-Position: refs/heads/master@{#28726}

This in turn allows usage of AdvancedReducer::ReplaceWithValue which
has access to the underlying graph reducer. It will allow us to deal
with exception continuations correctly.

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1134303003

Cr-Commit-Position: refs/heads/master@{#28468}

Use these check points to optimize comparisons where we already know
that one side cannot be a String (or turn into a string via
ToPrimitive).

Also remove bunch of useless DoNotCrash tests for the scheduler that are
painful to maintain and add almost no value.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1140583004

Cr-Commit-Position: refs/heads/master@{#28383}

This should not be done during typed lowering, but should be part of a
dedicated truncation/conversion analysis.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1132773002

Cr-Commit-Position: refs/heads/master@{#28314}

This introduces a simplified allocation operator which can be used to
model inline allocations in TurboFan. It is currently used for context
allocations, but still disabled because change lowering introduces
floating allocations outside the effect chain that interfere.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1109773002

Cr-Commit-Position: refs/heads/master@{#28195}

This uses explicit operators instead of intrinsic runtime calls to
create literals froms boilerplates. It allows for easier access of
static parameters and syncs it with other allocating operators.

R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/1104453006

Cr-Commit-Position: refs/heads/master@{#28062}