String wrappers (new String("foo")) are special objects: their string
characters are accessed like elements, and they also have an elements
backing store. This used to require a bunch of explicit checks like:

if (obj->IsJSValue() && JSValue::cast(obj)->value()->IsString()) {
  /* Handle string characters */
}
// Handle regular elements (for string wrappers and other objects)
obj->GetElementsAccessor()->Whatever(...);

This CL introduces new ElementsKinds for string wrapper objects (one for
fast elements, one for dictionary elements), which allow folding the
special-casing into new StringWrapperElementsAccessors.

No observable change in behavior is intended.

Review URL: https://codereview.chromium.org/1612323003

Cr-Commit-Position: refs/heads/master@{#33616}

This CL implements PrepareForTailCall() mentioned in ES6 spec for full codegen, Crankshaft and Turbofan.
When debugger is active tail calls are disabled.

Tail calling can be enabled by --harmony-tailcalls flag.

BUG=v8:4698
LOG=Y
TBR=rossberg@chromium.org

Review URL: https://codereview.chromium.org/1609893003

Cr-Commit-Position: refs/heads/master@{#33509}

Cleanup %ForInPrepare runtime entry, and unify common logic with
%ForInEnumerate (renamed from %GetPropertyNamesFast). Also introduce
a TupleType to properly type JSForInPrepare and its projections w/o
special hacks in the Typer. And fix %ForInNext and JSForInNext to be
consistent with fullcodegen again (after the proxy refactorings last
quarter).

R=jarin@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1631583002

Cr-Commit-Position: refs/heads/master@{#33487}

There's no need to have HMapEnumLength as a dedicated instruction,
as it can be expressed using a HLoadNamedField plus an HBitwiseAnd
operation.

R=jarin@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1614943002

Cr-Commit-Position: refs/heads/master@{#33439}

The PrepareId bailout location was used incorrectly in Crankshaft and,
as it turns out, is not required anyway (once you do it right). Also
there was some premature optimization going on with the CheckEnumCache
(trying to load null from roots only once), plus we can be smarter about
the null/undefined check anyway.

The idea behind this changes is to prepare unification of the two
different ForInPrepare implementations that we now have, with the end
result being that we only use the new implementation that was recently
added for the interpreter.

R=jarin@chromium.org
BUG=v8:3650
LOG=n

Review URL: https://codereview.chromium.org/1618613002

Cr-Commit-Position: refs/heads/master@{#33426}

The motivation for this is that CompilationInfo really shouldn't
explicitly know anything about CodeStubs. This is evident in
the TurboFan stubs pipeline, which only needs to pass down
information about Code::Flags to the code generator and not
any of the CallInterfaceDescriptor silliness that Hydrogen has
to push around, since TF has the Linkage class that
encapsulates everything that is needed for the stub ABI. So,
instead of threading CodeStub machinery through the TF stub
pipeline, it is now removed from CompilationInfo and replaced
by only the explicit bits needed both by the Crankshaft and
TF pipelines in code generation.

Review URL: https://codereview.chromium.org/1604543002

Cr-Commit-Position: refs/heads/master@{#33410}

This is the ia32/x64 version of https://codereview.chromium.org/873703002,
which fixed the same problem on arm/arm64.

BUG=chromium:553441
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1604913002

Cr-Commit-Position: refs/heads/master@{#33386}

This refactoring removes the dependency on the Token class from the
assembler.h header file, the utility function in question has nothing
to do with assembling in the first place.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1594443003

Cr-Commit-Position: refs/heads/master@{#33330}

On Intel, xchg stalls the pipeline. We use xchg to implement swap
moves. In a separate exploration, the presence of xchg in a very hot
loop, due to a change in register allocation, lead to over 20% regression.

Simply changing that instruction with push/mov/pop (almost) eliminated
the regression.

In light of that, I removed uses of xchg. This leads to more instructions,
though. That is particularly problematic for long cycles, which, today,
we translate to successions of swaps.

I plan to address this cycle issue in a separate change. For now, the
goal is to unblock the initial work that lead here.

Review URL: https://codereview.chromium.org/1580233003

Cr-Commit-Position: refs/heads/master@{#33282}

Change the CompilationInfo::IsCodePreAgingActive() predicate to CompilationInfo::GeneratePreagingPrologue() and handle the case of WASM functions, which should not be aged.

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1577193003

Cr-Commit-Position: refs/heads/master@{#33232}

This migrates the remaining Date builtins to C++ and removes obsolete
intrinsics and JavaScript wrappers. This reduces the overhead imposed
by the Date builtins, and will allow us to optimize them later in the
TurboFan compiler, while the interpreter doesn't need to worry about
them.

R=yangguo@chromium.org
BUG=chromium:576574
LOG=n

Committed: https://crrev.com/1e51af1a5c80b1650de47dd4bc8f846fa2d85281
Cr-Commit-Position: refs/heads/master@{#33228}

Review URL: https://codereview.chromium.org/1579613002

Cr-Commit-Position: refs/heads/master@{#33231}

Revert of [builtins] Refactor the remaining Date builtins. (patchset #2 id:20001 of https://codereview.chromium.org/1579613002/ )

Reason for revert:
[Sheriff] Breaks https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20noi18n%20-%20debug/builds/5711

Original issue's description:
> [builtins] Refactor the remaining Date builtins.
>
> This migrates the remaining Date builtins to C++ and removes obsolete
> intrinsics and JavaScript wrappers. This reduces the overhead imposed
> by the Date builtins, and will allow us to optimize them later in the
> TurboFan compiler, while the interpreter doesn't need to worry about
> them.
>
> R=yangguo@chromium.org
> BUG=chromium:576574
> LOG=n
>
> Committed: https://crrev.com/1e51af1a5c80b1650de47dd4bc8f846fa2d85281
> Cr-Commit-Position: refs/heads/master@{#33228}

TBR=yangguo@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:576574

Review URL: https://codereview.chromium.org/1574223002

Cr-Commit-Position: refs/heads/master@{#33230}

This migrates the remaining Date builtins to C++ and removes obsolete
intrinsics and JavaScript wrappers. This reduces the overhead imposed
by the Date builtins, and will allow us to optimize them later in the
TurboFan compiler, while the interpreter doesn't need to worry about
them.

R=yangguo@chromium.org
BUG=chromium:576574
LOG=n

Review URL: https://codereview.chromium.org/1579613002

Cr-Commit-Position: refs/heads/master@{#33228}

counts specified in runtime.h.

In the vast majority of the cases when we call into the runtime we use
the default number of arguments. Hence, there is not need to specify it
again. This CL also removes TailCallExternalReference as there were no
users.

BUG=

Review URL: https://codereview.chromium.org/1553703002

Cr-Commit-Position: refs/heads/master@{#33066}

The FIRST-LAST_NONCALLABLE_SPEC_OBJECT_TYPE range was accidentially used
in field type tracking, where we should check for JSReceiver instead
(there's no need to exclude JSProxy or JSFunction from tracking).

And the use in %_ClassOf was actually wrong and didn't match the C++
implementation in JSReceiver::class_name() anymore. Now it's consistent
again.

R=yangguo@chromium.org
BUG=chromium:535408
LOG=n

Review URL: https://codereview.chromium.org/1535523003 .

Cr-Commit-Position: refs/heads/master@{#32926}

We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js).

Review URL: https://codereview.chromium.org/1521953002

Cr-Commit-Position: refs/heads/master@{#32903}

BUG=

Review URL: https://codereview.chromium.org/1517673002

Cr-Commit-Position: refs/heads/master@{#32806}

The backing store is only held alive indirectly via the array buffer
referenced by the holder (typed array), so it's not enough to keep the
elements alive (or even just the external pointer loaded from the
elements).

R=mstarzinger@chromium.org,bmeurer@chromium.org
LOG=n
BUG=v8:1827

Review URL: https://codereview.chromium.org/1493983004

Cr-Commit-Position: refs/heads/master@{#32644}

BUG=v8:1543
LOG=N

Review URL: https://codereview.chromium.org/1496503002

Cr-Commit-Position: refs/heads/master@{#32616}

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1499103002

Cr-Commit-Position: refs/heads/master@{#32613}

The optimized code generated by Crankshaft cannot properly deal
with proxies (in the prototype chain), and there's probably no
point in trying to make that work^Wfast with Crankshaft at all.
TurboFan will handle that properly; Crankshaft just bails out
to fullcodegen, which then goes to the runtime, which should do
the right thing soon.

BUG=v8:1543
LOG=n

Review URL: https://codereview.chromium.org/1492983002

Cr-Commit-Position: refs/heads/master@{#32539}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1479233002

Cr-Commit-Position: refs/heads/master@{#32470}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1483933002

Cr-Commit-Position: refs/heads/master@{#32403}

Use {FIRST,LAST}_JS_RECEIVER_TYPE instead.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1486563002

Cr-Commit-Position: refs/heads/master@{#32393}

Previously all contexts had a link to the global object, but what is
required in most cases (except for the global load, store and delete
case) is the native context.

This also removes the second dummy global object that was still linked
to every native context. We will add a different mechanism to ensure
that builtins do not pollute the actual global object during
bootstrapping.

Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=yangguo@chromium.org,mstarzinger@chromium.org

Committed: https://crrev.com/d290f204938295bfecc5c8e645ccfcff6e80ddb8
Cr-Commit-Position: refs/heads/master@{#32375}

Review URL: https://codereview.chromium.org/1480003002

Cr-Commit-Position: refs/heads/master@{#32381}

Revert of [runtime] Replace global object link with native context link in all contexts. (patchset #3 id:40001 of https://codereview.chromium.org/1480003002/ )

Reason for revert:
[Sheriff] Breaks:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap/builds/5472

Original issue's description:
> [runtime] Replace global object link with native context link in all contexts.
>
> Previously all contexts had a link to the global object, but what is
> required in most cases (except for the global load, store and delete
> case) is the native context.
>
> This also removes the second dummy global object that was still linked
> to every native context. We will add a different mechanism to ensure
> that builtins do not pollute the actual global object during
> bootstrapping.
>
> Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.
>
> R=yangguo@chromium.org
>
> Committed: https://crrev.com/d290f204938295bfecc5c8e645ccfcff6e80ddb8
> Cr-Commit-Position: refs/heads/master@{#32375}

TBR=yangguo@chromium.org,mstarzinger@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1478303002

Cr-Commit-Position: refs/heads/master@{#32377}

Previously all contexts had a link to the global object, but what is
required in most cases (except for the global load, store and delete
case) is the native context.

This also removes the second dummy global object that was still linked
to every native context. We will add a different mechanism to ensure
that builtins do not pollute the actual global object during
bootstrapping.

Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1480003002

Cr-Commit-Position: refs/heads/master@{#32375}

Moves all files related to AST and scopes into ast/,
and all files related to scanner & parser to parsing/.

Also eliminates a couple of spurious dependencies.

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1481613002

Cr-Commit-Position: refs/heads/master@{#32351}

This is the initial step towards refactoring the regexp literation
creation code to make it less obscure and more similar to the mechanism
we use to create array and object literals.  There's now a new runtime
entry %CreateRegExpLiteral with the same interface as the entries for
array and object literals, except that we still pass the flags as
string.

Instead of embedding the hand written native to clone JSRegExp instances
we now have a FastCloneRegExpStub, which behaves similar to the other
FastCloneShallowArrayStub and FastCloneShallowObjectStub that we already
had.

R=mlippautz@chromium.org, yangguo@chromium.org

Review URL: https://codereview.chromium.org/1475823003

Cr-Commit-Position: refs/heads/master@{#32255}

This passes the new.target value in a register instead of through a
side-channel via the construct stub. Note that only TurboFan code uses
the register value so far, but unoptimized code will be switched soon.

R=bmeurer@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1460503008

Cr-Commit-Position: refs/heads/master@{#32203}

There's no point in collecting feedback for super constructor calls,
because in all (interesting) cases we can gather (better) feedback from
other sources (i.e. via inlining or via using a LOAD_IC to get to the
[[Prototype]] of the target).  So CallConstructStub is now only used
for new Foo(...args) sites where we want to collect feedback in the
baseline compiler.  The optimizing compilers, Reflect.construct and
super constructor calls use the Construct builtin directly, which allows
us to remove some weird code from the CallConstructStub (and opens the
possibility for more code sharing with the CallICStub, maybe even going
for a ConstructICStub).

Also remove the 100% redundant HCallNew instruction, which is just a
wrapper for the Construct builtin anyway (indirectly via the
CallConstructStub).

Drive-by-fix: Drop unused has_function_cache bit on Code objects.

R=mstarzinger@chromium.org, yangguo@chromium.org
BUG=v8:4413, v8:4430
LOG=n

Review URL: https://codereview.chromium.org/1469793002

Cr-Commit-Position: refs/heads/master@{#32172}

This changes all direct function calls in Crankshaft to pass undefined
via the register expected to hold the new.target value. Note that the
register is still ignored by all callees for now.

This is a preparatory CL to allows us passing new.target in a register
instead of via a side-channel through the construct stub frame.

R=bmeurer@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1459183002

Cr-Commit-Position: refs/heads/master@{#32125}

The %StringCharFromCode and %CharFromCode runtime function perform
exactly the same task, so we need only one of them.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1417743007

Cr-Commit-Position: refs/heads/master@{#31873}

Introduce receiver conversion mode specialization for the Call and
CallFunction builtins, so we can specialize the builtin functionality
(actually an optimization only) based on static information from the
callsite (this is basically a superset of the optimizations that were
available with the CallFunctionStub and CallICStub, except that these
optimizations are correct now).

This fixes a regression introduced by the removal of CallFunctionStub,
for programs that call a lot.

R=yangguo@chromium.org
BUG=chromium:552244
LOG=n

Review URL: https://codereview.chromium.org/1436493002

Cr-Commit-Position: refs/heads/master@{#31871}

Depends on https://codereview.chromium.org/1407373007/
After that CL, all receiver conversion is handled by the call builtin.

BUG=

Review URL: https://codereview.chromium.org/1414883011

Cr-Commit-Position: refs/heads/master@{#31826}

This fixes receiver conversion since the Call builtin does it correctly.

BUG=v8:4526
LOG=n

Review URL: https://codereview.chromium.org/1407373007

Cr-Commit-Position: refs/heads/master@{#31823}

R=jkummerow@chromium.org, mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1406113007

Cr-Commit-Position: refs/heads/master@{#31714}

    register configurations currently. This CL provides a mechanism so that
    optimizing compilers can select different Register Configuration.

BUG=

Review URL: https://codereview.chromium.org/1405673003

Cr-Commit-Position: refs/heads/master@{#31476}

Remove support for "loads and stores to global vars through property cell shortcuts installed into parent script context" from all compilers.

The plan is to implement the same idea using vector IC machinery.
Stubs implementations and scopes modifications are left untouched for now.

Review URL: https://codereview.chromium.org/1419823003

Cr-Commit-Position: refs/heads/master@{#31458}

Review URL: https://codereview.chromium.org/1405363003

Cr-Commit-Position: refs/heads/master@{#31410}