port 471893cc (r36649)

  original commit message:
  GenerateSmiToDouble on ia32 assumes that it is called from a JSFrame and can restore
  the context from the StandardFrameConstants::kContextObject. In the case of the
  interpreter it is called from a interpreter handler stub frame which doesn't
  push the context onto it's frame. Instead, push and pop esi to explicitly restore it
  correctly.

BUG=

Review-Url: https://codereview.chromium.org/2036083003
Cr-Commit-Position: refs/heads/master@{#36702}

  port 63ea3a50 (r36599)

  original commit message:
  Previously, we used the lowest bit for something else.

BUG=

Review-Url: https://codereview.chromium.org/2032063003
Cr-Commit-Position: refs/heads/master@{#36701}

This CL introduces a DECLARE_DEFAULT_DESCRIPTOR macro that helps defining a CallInterfaceDescriptor in a cases where it is not important which registers to use for passing arguments. One can use such descriptors for new TurboFan stubs.

HasPropertyDescriptor now uses the new machinery.

Review-Url: https://codereview.chromium.org/2002143002
Cr-Commit-Position: refs/heads/master@{#36675}

  port 91c88644 (r36539)

  original commit message:
  We get less "pollution" of type feedback if we have one vector per native
  context, rather than one for the whole system. This CL moves the vector
  appropriately.

BUG=

Review-Url: https://codereview.chromium.org/2019263002
Cr-Commit-Position: refs/heads/master@{#36570}

This was initially used to special case some weird date.js behavior, but
has since been abused in other areas. In case of the string character
access, everything that is outside the Smi range cannot be a valid
string index anyways, so %NumberToSmi is perfect here in either case,
and for ToPositiveInteger it's better to just use ToInteger adding +0 to
turn -0 into +0.

R=ishell@chromium.org
BUG=v8:5049

Review-Url: https://codereview.chromium.org/2010183003
Cr-Commit-Position: refs/heads/master@{#36545}

  port a6ddbef0 (r36472)

  original commit message:
  The TurboFan inliner makes use of these counts.

BUG=

Review-Url: https://codereview.chromium.org/2013453003
Cr-Commit-Position: refs/heads/master@{#36498}

  port 02c8b6f7 (r36463)

  original commit message:

BUG=

Review-Url: https://codereview.chromium.org/2000253004
Cr-Commit-Position: refs/heads/master@{#36468}

For cross-compiler-compatibility and standards compliance %p
requires a void*, rather than any pointer type.

BUG=chromium:474921

Review-Url: https://codereview.chromium.org/2001073002
Cr-Commit-Position: refs/heads/master@{#36466}

  port f241a61a (r36360)

  original commit message:
  We cannot tier up from interpreted to baseline code when there is an
  activation of the function on the stack. This significantly regresses
  the performance of recursive functions since they are unlikely to get
  tiered up.

  This CL adds the ability for a function to be marked for baseline
  compilation when it returns. To do this we patch the
  InterpreterEntryTrampoline return address to point to
  InterpreterMarkBaselineOnReturn, which leaves the
  interpreted frame and recompile the function for
  baseline.

  This improves the score of EarlyBoyer by ~8x for Ignition.

BUG=

Review-Url: https://codereview.chromium.org/1998153002
Cr-Commit-Position: refs/heads/master@{#36396}

  port 5c22cf5a (r36341)

  original commit message:

BUG=

Review-Url: https://codereview.chromium.org/1990133002
Cr-Commit-Position: refs/heads/master@{#36345}

X87: [Interpreter] Remove InterpreterExitTrampoline and replace with returning to the entry trampoline.

  port 39738bc9 (r36310)

  original commit message:
  In order to support compiling to baseline on return we need to be able to
  return to the actual return address. With this change this is what the
  Return bytecode now does, removing the need for the
  InterpreterExitTrampoline.

  This change also removes the InterpreterNotifyDeoptXXX builtins and
  unifies FCG and Igntion to both use NotifyDeoptXXX. As part of this
  change, FullCodegenerator::State is moved to Deoptimize::BailoutState.

BUG=

Review-Url: https://codereview.chromium.org/1987053006
Cr-Commit-Position: refs/heads/master@{#36344}

  port 551e0aa1 (r36275)

  original commit message:
  This adds back the instanceof operator support in the backends and
  introduces a @@hasInstance protector cell on the isolate that guards the
  fast path for the InstanceOfStub. This way we recover the ~10%
  regression on Octane EarleyBoyer in Crankshaft and greatly improve
  TurboFan and Ignition performance of instanceof.

BUG=

Review-Url: https://codereview.chromium.org/1991663002
Cr-Commit-Position: refs/heads/master@{#36303}

This makes the profiler reconstruct inlined function frames at eager
deopt points from the deoptimization data. The main goal of this is to
remove the last side-channel where Crankshaft communicates directly to
the profiler. This is the last preparatory step towards deprecating the
side-channel in question.

R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/1973993002
Cr-Commit-Position: refs/heads/master@{#36229}

  port 40f34541 (r36181)

  original commit message:
  The previous approach taken by FastNew[Sloppy,Strict,Rest]ArgumentsStub
  looked at the function slot in order to skip stub frames
  and find the JS frame. However, stub frames do not have a
  function slot (in fact their fixed frame ends one slot
  before the JS frame's function slot). Therefore, if this
  location in the stub frame happens to have the function
  object the create arguments stubs won't skip this frame
  correctly.

  Replace this approach with one where the stub is
  specialized to either skip a frame if required (since
  there will only ever be one extra frame on Ignition
  the loop approach isn't necessary).

BUG=

Review-Url: https://codereview.chromium.org/1976483002
Cr-Commit-Position: refs/heads/master@{#36197}

This passes the inlining_id of deoptimization points via the relocation
info instead of via a side-channel to the CPU profiler. This is one step
towards deprecating the side-channel in question and avoid the need for
performing a lookup of the return address of the deopt point.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1956693002
Cr-Commit-Position: refs/heads/master@{#36177}

  port 61f5fbbb (r36133)

  original commit message:
  The new allocation folding implementation avoids fragmentation between folded allocation. As a consequence, our heap will always be iterable i.e. we do not have to perform a garbage collection
  before iterating the heap.

BUG=

Review-Url: https://codereview.chromium.org/1969553003
Cr-Commit-Position: refs/heads/master@{#36158}

Rather than pushing zero for the initial bytecode offset, we should push the
offset of the first bytecode handler, Smi tagged. This fixes the line number
for the top stack frame on overflow errors.

BUG=v8:4981
LOG=N

Review-Url: https://codereview.chromium.org/1950913004
Cr-Commit-Position: refs/heads/master@{#36137}

The new allocation folding implementation avoids fragmentation between folded allocation. As a consequence, our heap will always be iterable i.e. we do not have to perform a garbage collection before iterating the heap.

BUG=chromium:580959
LOG=n

Review-Url: https://codereview.chromium.org/1899813003
Cr-Commit-Position: refs/heads/master@{#36133}

This adds a new pass MemoryOptimizer that walks over the effect chain
from Start and lowers all Allocate, LoadField, StoreField, LoadElement,
and StoreElement nodes, trying to fold allocations into allocation
groups and eliminate write barriers on StoreField and StoreElement if
possible (i.e. if the object belongs to the current allocation group and
that group allocates in new space).

R=hpayer@chromium.org, jarin@chromium.org
BUG=v8:4931, chromium:580959
LOG=n

Review-Url: https://codereview.chromium.org/1963583004
Cr-Commit-Position: refs/heads/master@{#36128}

Changes some platform specific class names and uses typedefs
to define FloatRegister, DoubleRegister, etc.

This will be needed to do register allocation on ARM/MIPS where
registers combine to form larger registers.

LOG=N
BUG=v8:4124

Review-Url: https://codereview.chromium.org/1954953002
Cr-Commit-Position: refs/heads/master@{#36117}

  The CL #35926 (https://codereview.chromium.org/1804003002) exposed two hidden bugs in x87 code generation when Ignition was enabled.

  This CL fixed those bugs.

BUG=

Review-Url: https://codereview.chromium.org/1960993002
Cr-Commit-Position: refs/heads/master@{#36099}

  port d2efbf25 (r36000)

  original commit message:

BUG=

Review-Url: https://codereview.chromium.org/1947363002
Cr-Commit-Position: refs/heads/master@{#36061}

X87: Add new relocation type WASM_MEMORY_SIZE_REFERENCE, use relocatable pointers to update wasm memory size references in generated code.

  port 117a56b7 (r36044)

  original commit message:
  - Add new RelocInfo mode WASM_MEMORY_SIZE_REFERENCE in the assembler and add relocation information to immediates in compare instructions.
  - Use relocatable constants for MemSize/BoundsCheck in the wasm compiler

BUG=

Review-Url: https://codereview.chromium.org/1947413003
Cr-Commit-Position: refs/heads/master@{#36058}

  port af677d7b (r35998)

  original commit message:
  https://codereview.chromium.org/1938213002 added xchg_b and xchg_w, but didn't
  add it to the disassembler, and there were no tests that caught it.

BUG=

Review-Url: https://codereview.chromium.org/1947843002
Cr-Commit-Position: refs/heads/master@{#36051}

  port 81cb8411 (r35993)

  original commit message:

BUG=

Review-Url: https://codereview.chromium.org/1947833002
Cr-Commit-Position: refs/heads/master@{#36049}

  port fa570e55 (r35963)

  original commit message:

BUG=

Review-Url: https://codereview.chromium.org/1952583002
Cr-Commit-Position: refs/heads/master@{#36048}

Code common with ObjectHasOwnProperty builtin was moved to CodeStubAssembler.

BUG=v8:2743
LOG=Y

Review-Url: https://codereview.chromium.org/1894953004
Cr-Commit-Position: refs/heads/master@{#35972}

  port d1b3d426 (r35918)

  original commit message:
  Further refactor the pipeline to even run the first scheduler (part of
  the effect control linearization) concurrently. This temporarily
  disables most of the write barrier elimination, but we will get back to
  that later.

  Drive-by-fix: Remove the dead code from ChangeLowering, and stack
  allocate the Typer in the pipeline. Also migrate the AllocateStub to a
  native code builtin, so that we have the code object + a handle to it
  available all the time.

BUG=

Review-Url: https://codereview.chromium.org/1940143002
Cr-Commit-Position: refs/heads/master@{#35961}

  port 306c412c (r35833)

  original commit message:
  This is needed by Blink to implement the Custom Elements spec.

BUG=

Review-Url: https://codereview.chromium.org/1928213002
Cr-Commit-Position: refs/heads/master@{#35889}

  port ef49c6b1 (r35792)

  original commit message:
  Default (and only way) is now to retrieve a tagged object.

BUG=

Review URL: https://codereview.chromium.org/1924643004

Cr-Commit-Position: refs/heads/master@{#35808}

Default (and only way) is now to retrieve a tagged object.

BUG=chromium:606711
LOG=N

Review URL: https://codereview.chromium.org/1922553002

Cr-Commit-Position: refs/heads/master@{#35792}

  port c005029a (r35754)

  original commit message:
  Use the FastNewSloppyArgumentsStub in the interpreter when function doesn't have
  duplicate parameters.

BUG=

Review URL: https://codereview.chromium.org/1922803002

Cr-Commit-Position: refs/heads/master@{#35781}

This adds a baseline tier to the compilation pipeline. Currently this
tier is used to model a path from the interpreter to optimized code via
full-codegen code (to ensure sufficient type feedback). Switching from
the unoptimized tier to the baseline tier is limited to happen only when
there are no activations of the given function on the stack.

R=rmcilroy@chromium.org,bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1903273004

Cr-Commit-Position: refs/heads/master@{#35757}

  port 5c8609de (r35724)

  original commit message:
  This ensures the InterpreterEntryTrampoline heals code entry fields
  inside closures when being called without a valid bytecode array. This
  is preparatory work to allow removal of bytecode when switching some
  functions to other types of code.

BUG=

Review URL: https://codereview.chromium.org/1920713002

Cr-Commit-Position: refs/heads/master@{#35744}

Adds IncStub and DecStub TurboFan code stubs and hooks them up to the
interpreter's Inc and Dec bytecodes (which are used for count
operations, e.g. i++).

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1901083002

Cr-Commit-Position: refs/heads/master@{#35720}

  port 3518e492 (r35660)

  original commit message:
  Short external strings do not cache the resource data, and may be used
  for compressible strings. The assumptions about their lengths is
  invalid and may lead to oob reads.

BUG=

Review URL: https://codereview.chromium.org/1904003003

Cr-Commit-Position: refs/heads/master@{#35681}

BUG=

Review URL: https://codereview.chromium.org/1899183002

Cr-Commit-Position: refs/heads/master@{#35656}

  port 623ad7de (r35618)

  original commit message:
  Removes the register file machine register from the interpreter and
  replaces it will loads from the parent frame pointer. As part of this
  change the raw operand values for register values changes to enable the
  interpreter to keep using the operand value as the offset from the
  parent frame pointer.

BUG=

Review URL: https://codereview.chromium.org/1903093002

Cr-Commit-Position: refs/heads/master@{#35640}

  port d2b0a4b7 (r35606)

  original commit message:
  MIPS port contributed by Balazs Kilvady <balazs.kilvady@imgtec.com>

BUG=

Review URL: https://codereview.chromium.org/1897823005

Cr-Commit-Position: refs/heads/master@{#35611}

This makes IterateBodyFast work without requiring visitors to inherit from ObjectVisitor.

R=ishell@chromium.org

Review URL: https://codereview.chromium.org/1900843002

Cr-Commit-Position: refs/heads/master@{#35604}