args.Call() sets a return value on args. Do not reuse the
same args object, otherwise the return value might be from the previous Call().

Bug: v8:6627
Change-Id: I05fb2d8036f94908a492d46cc5d746bc145e419e
Reviewed-on: https://chromium-review.googlesource.com/651407Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47843}

R=jarin@chromium.org
BUG=v8:6409

Change-Id: Ia0a04ad920b7b5c87e175ba0bcd604ef1e855f0c
Reviewed-on: https://chromium-review.googlesource.com/649727Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47842}

We weren't deleting them correctly - the intention was to delete
them when an instance is finalized; the code was deleting them
only for the last instance in a chain of instances.

Bug: 
Change-Id: I177a64ac9f10a4993927d9654c032cb3f22eca51
Reviewed-on: https://chromium-review.googlesource.com/651238Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47841}

Port f0acede9

This CL removes the weak-list of JS functions from the context
and all the code that iterares over it. This list was being used
mainly during deoptimization (for code unlinking) and during
garbage collection. Removing it will improve performance of
programs that create many closures and trigger many scavenge GC
cycles.

No extra work is required during garbage collection. However,
given that we no longer unlink code from JS functions during
deoptimization, we leave it as it is, and on its next activation
we check whether the mark_for_deoptimization bit of that code is
set, and if it is, than we unlink it and jump to lazy compiled
code. This check happens in the prologue of every code object.

We needed to change/remove the cctests that used to check
something on this list.

R=bjaideep@ca.ibm.com, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=
LOG=N

Change-Id: I8007a837d43b6a339789cfd727e81ad7f4ac3ae1
Reviewed-on: https://chromium-review.googlesource.com/651891Reviewed-by: Jaideep Bajwa <bjaideep@ca.ibm.com>
Commit-Queue: Jaideep Bajwa <bjaideep@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#47840}

Bug: v8:1569
Change-Id: I84317ce1ac145b69caa26452721f71aac88f219e
Reviewed-on: https://chromium-review.googlesource.com/636699
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47839}

This is a reland of 56772de7
Original change's description:
> [api] Add test for EnumeratorCallback and for...in.
> 
> If a QueryCallback is present, it is used to
> filter the result from the EnumeratorCallback for
> enumerable properties. This tests assures that
> for...in loops work correctly with these interceptors.
> 
> Bug: v8:6627
> Change-Id: I1e568beac1e138a330034492b87bd49c22e0c804
> Reviewed-on: https://chromium-review.googlesource.com/609982
> Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47445}

TBR=adamk@chromium.org

Bug: v8:6627
Change-Id: I509016a879d175b01f7cc7918758354fe0df8ebf
Reviewed-on: https://chromium-review.googlesource.com/650906Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47838}

BUG=v8:6749

R=titzer@chromium.org

Change-Id: I4ac2ac8d8ca98d71dbc5a86c3cca268cd836997c
Reviewed-on: https://chromium-review.googlesource.com/645146
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47837}

Only the error cases of overwriting readonly properties need the
language_mode to decide whether to throw or be silent. Reading it
from the feedback vector's metadata (just like the C++ code in
ic.cc does) removes the need to duplicate each stub for each
language_mode ("StoreIC" + "StoreICStrict" etc.).

Change-Id: Ic0c67f9d40ca36c65e41b4f162b2ab70d155e549
Reviewed-on: https://chromium-review.googlesource.com/647373Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47836}

AFAICT this doesn't currently change observable behavior, but should
be fixed nonetheless.

Change-Id: I1dce90ae5bcad39d7d54dddd2559bd7f7ccbb095
Reviewed-on: https://chromium-review.googlesource.com/648354Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47835}

The current usage pattern is always to allocate a {ModuleCompiler}, then
call {CompileToModuleObject}, then deallocate the {ModuleCompiler}.
Hence, the method can be made static and allocate the {ModuleCompiler}
internally.
This also gives back a reason for the existence of
{CompileToModuleObjectInternal}.

R=ahaas@chromium.org

Change-Id: Iac1ba28421ade6728046c0b9a6e9fc249a349491
Reviewed-on: https://chromium-review.googlesource.com/650386Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47834}

Also further tighten-up that calling DCHECK in BytecodeGraphBuilder,
and narrow the other caller to IsValidReferenceExpression.

Bug: v8:6092
Change-Id: I432a3d6f5991f2d1adf4f4f86e80d6ed8be5a0e8
Reviewed-on: https://chromium-review.googlesource.com/648196Reviewed-by: Mythri Alle <mythria@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47833}

Fix register corruption and save constant pool register.

R=joransiu@ca.ibm.com, jyan@ca.ibm.com
BUG=
LOG=N

Change-Id: I278b7f9a60e10c5347cdfba52432837f68c82836
Reviewed-on: https://chromium-review.googlesource.com/649812
Commit-Queue: Junliang Yan <jyan@ca.ibm.com>
Reviewed-by: Junliang Yan <jyan@ca.ibm.com>
Cr-Commit-Position: refs/heads/master@{#47832}

The V8 API provides interceptors. They are not part of the
EcmaScript specification. But their behavior should be consistent.
For example, when an EnumeratorInterceptor is defined, Object.keys(),
Object.entries(), and Object.values() should all have the
same number of entries.

This CL creates consistent behavior among these
functions. If a QueryCallback is present, it is used to
filter the result from the EnumeratorCallback for
enumerable properties.

Bug: v8:6627
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I4f4271ddeb99a5e85918148c5033923c149b9468
Reviewed-on: https://chromium-review.googlesource.com/649786Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47831}

Change-Id: I891ff57b7a3a47e3371269b123705cdf6391499b
Reviewed-on: https://chromium-review.googlesource.com/648513Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47830}

And add the helpfully suggested flag to the GDB re-run of mksnapshot.

NOTRY=true

Change-Id: I52011aa580c8d3e557f869b8306b9b978c73b946
Reviewed-on: https://chromium-review.googlesource.com/647693Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47829}

Add a flag which traces which interrupts are being handled by the
StackGuard's HandleInterrupts function.

Change-Id: I18fcf58b03cf6c255d7457d8a55b0a0dadb00931
Reviewed-on: https://chromium-review.googlesource.com/649530
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47828}

The renames capture what the item being unwrapped is - it's always
a js-to-wasm wrapper, which is more closely captured by "export" rather
than "import".

Bug: 
Change-Id: Iffc3d8cb9037afc2d32885301fd13fc12b8277ce
Reviewed-on: https://chromium-review.googlesource.com/648005Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47827}

Always return to the InterpreterEntryTrampoline rather than calling the
InterpreterExitTrampoline from the Return bytecode handler. This fixes a
regression which occured if we upset the call/return stack by skipping the
return to the InterpreterEntryTrampoline from the return bytecode handler.

BUG=chromium:759390,chromium:753705

Change-Id: Ib625654a4a5072ac6c8d8e9611d1b9c0bbced4ca
Reviewed-on: https://chromium-review.googlesource.com/649517
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47826}

Bug: chromium:746958
Change-Id: I4e23608995952efd0f0bd73d9bf4f9a3fc84d478
Reviewed-on: https://chromium-review.googlesource.com/650256Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Mostyn Bramley-Moore <mostynb@opera.com>
Cr-Commit-Position: refs/heads/master@{#47825}

Checked number is not automatically truncating to float64.

Bug: chromium:761892
Change-Id: I34bd5d7867cd38b2be18cd39a810605603f515e2
Reviewed-on: https://chromium-review.googlesource.com/649513
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47824}

Using the Builtins::Name type doesn't give use any range safety benefits
over simply using int id's, and it complicates use sites by always
forcing a static_cast<Builtins::Name>(id).

Bug: v8:6624
Change-Id: Id5fcf6800c781c637145ab1d00d821f9ad473321
Reviewed-on: https://chromium-review.googlesource.com/650247
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47823}

Bug: 
Change-Id: Iedd273d517e2ee2e548a5e9732689114800e6128
Reviewed-on: https://chromium-review.googlesource.com/649749Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47822}

The repo url changed recently in Chromium, which breaks the V8 DEPS roller.

This uses the same url like Chromium again.

TBR=yangguo@chromium.org

Change-Id: Iffb9daa8380d111e77ebcef1da58082e346c1e4a
Reviewed-on: https://chromium-review.googlesource.com/650348Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47821}

Bug: v8:6560, chromium:761639
Change-Id: Idf546f53b20387670e42187692e702ba5e9eab73
Reviewed-on: https://chromium-review.googlesource.com/647550Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Maya Lekova <mslekova@google.com>
Cr-Commit-Position: refs/heads/master@{#47820}

Now that FCG is gone, we don't need to have a code-size multiplier to
distinguish Ignition and FCG code sizes.

Bug: v8:6409
Change-Id: I05e5fa2483bfc17e91de22736b66ad27a5aab49b
Reviewed-on: https://chromium-review.googlesource.com/649149
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47819}

This adds support for lazy deserialization of JS-linkage (TFJ) builtins,
still gated behind the --lazy-deserialization flag. If enabled, we
proceed as follows:

During isolate initialization, only eager builtins are deserialized. All
references to lazy builtins are replaced by the DeserializeLazy builtin.
In particular, this happens in the builtin table (Builtins::builtins_)
and in SharedFunctionInfo objects.

When calling into a not-yet deserialized function (i.e. the JSFunction's
code object is the DeserializeLazy builtin), the DeserializeLazy builtin
takes over.  It checks the builtin table to see if the target builtin
(determined by looking at the builtin id stored on the
SharedFunctionInfo) has already been deserialized. If so, it simply
copies the builtin code object to the JSFunction and SharedFunctionInfo.
Otherwise, we enter Runtime::kDeserializeLazy to deserialize the
builtin.

With --lazy-deserialization, isolate deserialization is 11% faster
(1.5ms vs.  1.7ms), and code_space->Size() is 33% lower (984K vs.
1475K).

Moving relocation infos & handler tables out of the partial snapshot
cache would additionally let us save up to 30K per isolate. Adding code
stubs to that list increases further potential savings to 262K.

Bug: v8:6624
Change-Id: I0ac7d05d165d2466998269bd431ac076a311cbeb
Reviewed-on: https://chromium-review.googlesource.com/649166
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47818}

R=titzer@chromium.org

Change-Id: I0be772d52b561e8664e128a9fb2c291256b2e9c2
Reviewed-on: https://chromium-review.googlesource.com/650287Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47817}

This cl: https://chromium-review.googlesource.com/c/538614/ changes the
number of ticks required for tiering up based on the size of function. An
earlier cl: https://chromium-review.googlesource.com/c/529165/ also resets
ticks when type feedback changes. So, it is reasonable to assume that a
function which has necessary number of ticks has the required type feedback
for optimizing. Hence, removing the check for type feedback from the tierinup
decision.

Bug: 
Change-Id: Ia350ad4dfba5f93f1a17bdc0c309bf6b41b0c1c9
Reviewed-on: https://chromium-review.googlesource.com/647851Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47816}

R=petermarshall@chromium.org

Bug: 
Change-Id: Id7187d9e323951e66655d1c6df4676a8e94787dd
Reviewed-on: https://chromium-review.googlesource.com/649247Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47815}

R=jgruber@chromium.org

Bug: v8:6422
Change-Id: Ib1075259325627451060b3a0a41cad5c917dc30e
Reviewed-on: https://chromium-review.googlesource.com/650246Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47814}

I could not find any usage of this struct and it is in the internal
namespace so I though it might be safe to remove it.

Bug: 
Change-Id: I85d605712ab1ab3218eb03ed4d3b5fc0e541e21a
Reviewed-on: https://chromium-review.googlesource.com/641270Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47813}

[turbofan] Reland^2 "Polymorphic inlining - try merge map check dispatch with function call dispatch."

This reverts commit e26e6d88.

Bug: chromium:758096
Change-Id: I1d8ecda995c93c84a9a3c24da041fdb730dbd3b2
Reviewed-on: https://chromium-review.googlesource.com/628169Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47812}

This is a reland of c0e4e79b
Original change's description:
> [d8] implement setTimeout.
> 
> R=ahaas@chromium.org, jarin@chromium.org
> 
> Bug: v8:6770
> Change-Id: Iebf4dc9f2dd75079c5362e02d859c48e2113cf20
> Reviewed-on: https://chromium-review.googlesource.com/643067
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#47780}

Bug: v8:6770
Change-Id: I765b64cc597aa48871c6b2dca95dec9de94a8511
Reviewed-on: https://chromium-review.googlesource.com/647754Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47811}

For such a simple predicate, calling a(n inline) function that checks against
the values is faster (*) than maintaining the cache.

(*) When scanning a file that contains only comments, we're basically calling
IsLineTerminator in a loop. Parsing such files is now 7-18% faster in local
experiments.

BUG=v8:6092

Change-Id: I6a8f2aba9669a76152292f4e6c7853638d15aae3
Reviewed-on: https://chromium-review.googlesource.com/645633
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47810}

Bug: v8:5267
Change-Id: If2a36a53016f683b9eddb6cba76e3328cd69f98b
Reviewed-on: https://chromium-review.googlesource.com/649847Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47809}

This CL removes the weak-list of JS functions from the context
and all the code that iterares over it. This list was being used
mainly during deoptimization (for code unlinking) and during
garbage collection. Removing it will improve performance of
programs that create many closures and trigger many scavenge GC
cycles.

No extra work is required during garbage collection. However,
given that we no longer unlink code from JS functions during
deoptimization, we leave it as it is, and on its next activation
we check whether the mark_for_deoptimization bit of that code is
set, and if it is, than we unlink it and jump to lazy compiled
code. This check happens in the prologue of every code object.
 
We needed to change/remove the cctests that used to check
something on this list.
 
Working in x64, ia32, arm64, arm, mips64 and mips. 
 

Bug: v8:6637
Change-Id: Ica99a12fd0351ae985e9a287918bf28caf6d2e24
TBR: mstarzinger@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/647596
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47808}

Removed one function that was needed for code patching during
deoptimization, and one function needed for full code gen.

Bug: v8:6563
Change-Id: Iea0c8a3d374cf315ac4903f4e84a7a2f11563b70
Reviewed-on: https://chromium-review.googlesource.com/649747
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47807}

The perf tests results are used by tools/perf-to-html.py to generate
html pages. Since the results are used as divisors to compute
percentages, when the one of them happens to be zero, the script
crashes.  This CL prevent the crash and uses the text "NaN" instead of
the percentage.

R=machenbach@chromium.org
CC=​ahaas@chromium.org,clemensh@chromium.org

Bug: chromium:761816
Change-Id: I482a85150c8323a7a837e6d589feee88279831cd
Reviewed-on: https://chromium-review.googlesource.com/649626
Commit-Queue: Enrico Bacis <enricobacis@google.com>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47806}

Since ignition bakes the interrupt budget into the snapshot (the
bytecode handlers reset the current function's interrupt budget to a
constant value), we should remove the interrupt budget flag, which won't
actually change anything if used.

Change-Id: I9672b73fea7abb6c9b575d3963f107e2397f8e49
Reviewed-on: https://chromium-review.googlesource.com/649148Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47805}

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I7d34ccddeea08f5935e360e8c36791365f27f89e
Reviewed-on: https://chromium-review.googlesource.com/647706Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47804}