According to new store IC calling convention the value, slot and vector are passed
on the stack and there's no need in trying to preserve values or respective registers
in store handlers.

Nice bonus: we also don't need virtual registers anymore.

BUG=v8:5407

Review-Url: https://codereview.chromium.org/2357323003
Cr-Commit-Position: refs/heads/master@{#39672}

This feature has not been used in the past few years and most likely does not
even work anymore.

R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2186533002
Cr-Commit-Position: refs/heads/master@{#38046}

  port d49d3864 (r37598)

  original commit message:

BUG=

Review-Url: https://codereview.chromium.org/2132303002
Cr-Commit-Position: refs/heads/master@{#37622}

  port 5febc27b (r37416)

  original commit message:
  Prior to this commit, calls to C++ builtins created standard exit
  frames, which are skipped when constructing JS stack traces. In order to
  show these calls on traces, we introduce a new builtin exit frame type.

  Builtin exit frames contain target and new.target on the stack and are
  not skipped during stack trace construction.

BUG=

Review-Url: https://codereview.chromium.org/2120873002
Cr-Commit-Position: refs/heads/master@{#37490}

  port 61f5fbbb (r36133)

  original commit message:
  The new allocation folding implementation avoids fragmentation between folded allocation. As a consequence, our heap will always be iterable i.e. we do not have to perform a garbage collection
  before iterating the heap.

BUG=

Review-Url: https://codereview.chromium.org/1969553003
Cr-Commit-Position: refs/heads/master@{#36158}

The new allocation folding implementation avoids fragmentation between folded allocation. As a consequence, our heap will always be iterable i.e. we do not have to perform a garbage collection before iterating the heap.

BUG=chromium:580959
LOG=n

Review-Url: https://codereview.chromium.org/1899813003
Cr-Commit-Position: refs/heads/master@{#36133}

  port d1b3d426 (r35918)

  original commit message:
  Further refactor the pipeline to even run the first scheduler (part of
  the effect control linearization) concurrently. This temporarily
  disables most of the write barrier elimination, but we will get back to
  that later.

  Drive-by-fix: Remove the dead code from ChangeLowering, and stack
  allocate the Typer in the pipeline. Also migrate the AllocateStub to a
  native code builtin, so that we have the code object + a handle to it
  available all the time.

BUG=

Review-Url: https://codereview.chromium.org/1940143002
Cr-Commit-Position: refs/heads/master@{#35961}

  port 623ad7de (r35618)

  original commit message:
  Removes the register file machine register from the interpreter and
  replaces it will loads from the parent frame pointer. As part of this
  change the raw operand values for register values changes to enable the
  interpreter to keep using the operand value as the offset from the
  parent frame pointer.

BUG=

Review URL: https://codereview.chromium.org/1903093002

Cr-Commit-Position: refs/heads/master@{#35640}

  port 5e9ddf6c (r35453)

  original commit message:
  Reland of (https://codereview.chromium.org/1617503003)

  * New atomic code stubs for x64, ia32, arm, arm64
  * Add convenience functions JumpIfNotValidSmiValue, JumpIfUintNotValidSmiValue
    to macro-assembler-ia32 (API based on x64 macro assembler)
  * Remove runtime implementation of Atomics.load, the code stub should always be
    called instead
  * Add new test to mjsunit atomics test; check that Smi values of different
    sizes are supported when possible, else fall back to HeapNumbers

  These changes were needed to add another codestub:
  * Bump kStubMajorKeyBits from 7 to 8
  * Reduce ScriptContextFieldStub::kSlotIndexBits from 13 to 12

BUG=

Review URL: https://codereview.chromium.org/1894923002

Cr-Commit-Position: refs/heads/master@{#35560}

The current context is stored as a stack slot on the interpreter frame
and therefore we don't need to also maintain a machine register for the
context. Removes this register from bytecode handlers.

In the process modifies this frees up a register on ia32 to keep the
dispatch table pointer in a register rather than on a stack slot on
ia32.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1887493004

Cr-Commit-Position: refs/heads/master@{#35511}

  port 974721c6 (r35283)

  original commit message:
  Introduce a ResumeGeneratorTrampoline, which does the actual stack state
  reconstruction (currently always restores a fullcodegen frame), and
  introduce appropriate TurboFan builtins for %GeneratorPrototype%.next,
  %GeneratorPrototype%.return and %GeneratorPrototype%.throw based on
  this native builtin.

  Also unify the flooding in case of step-in to always work based on
  JSFunction and remove the special casing for JSGeneratorObject.

BUG=

Review URL: https://codereview.chromium.org/1889083002

Cr-Commit-Position: refs/heads/master@{#35510}

  port b7aa4c3a (r34922)

  original commit message:
  Split ToNumberStub into the entry ToNumberStub, and two new stubs,
  StringToNumberStub and NonNumberToNumberStub, which can be used when we
  already know something about the input (i.e. in various branches of the
  code stubs, or in TurboFan graphs).

  Also introduce an appropriate StringToNumber simplified operator for
  TurboFan, that is pure and is lowered to an invocation of the newly
  added StringToNumberStub.

BUG=

Review URL: https://codereview.chromium.org/1816423002

Cr-Commit-Position: refs/heads/master@{#34971}

  port 240b7db9 (r34630)

  original commit message:
  I implemented I64ShrU and I64ShrS the same as I64Shl in https://codereview.chromium.org/1756863002

BUG=

Review URL: https://codereview.chromium.org/1783703003

Cr-Commit-Position: refs/heads/master@{#34656}

  port 9dcd0857 (r34571)

  original commit message:
  Before this CL, various code stubs used different techniques
  for marking their frames to enable stack-crawling and other
  access to data in the frame. All of them were based on a abuse
  of the "standard" frame representation, e.g. storing the a
  context pointer immediately below the frame's fp, and a
  function pointer after that. Although functional, this approach
  tends to make stubs and builtins do an awkward, unnecessary
  dance to appear like standard frames, even if they have
  nothing to do with JavaScript execution.

  This CL attempts to improve this by:

  * Ensuring that there are only two fundamentally different
    types of frames, a "standard" frame and a "typed" frame.
    Standard frames, as before, contain both a context and
    function pointer. Typed frames contain only a minimum
    of a smi marker in the position immediately below the fp
    where the context is in standard frames.
  * Only interpreted, full codegen, and optimized Crankshaft and
    TurboFan JavaScript frames use the "standard" format. All
    other frames use the type frame format with an explicit
    marker.
  * Typed frames can contain one or more values below the
    type marker. There is new magic macro machinery in
    frames.h that simplifies defining the offsets of these fields
    in typed frames.
  * A new flag in the CallDescriptor enables specifying whether
    a frame is a standard frame or a typed frame. Secondary
    register location spilling is now only enabled for standard
    frames.
  * A zillion places in the code have been updated to deal with
    the fact that most code stubs and internal frames use the
    typed frame format. This includes changes in the
    deoptimizer, debugger, and liveedit.
  * StandardFrameConstants::kMarkerOffset is deprecated,
    (CommonFrameConstants::kContextOrFrameTypeOffset
    and StandardFrameConstants::kFrameOffset are now used
    in its stead).

BUG=

Review URL: https://codereview.chromium.org/1774353002

Cr-Commit-Position: refs/heads/master@{#34648}

  port 2aae579c (r34566)

  original commit message:
  In case when F tail calls G we should also remove the potential arguments adaptor frame for F.

  This CL introduces two new machine instructions ArchTailCallCodeObjectFromJSFunction and ArchTailCallJSFunctionFromJSFunction which (unlike existing ArchTailCallCodeObject and ArchTailCallJSFunction)
  also drop arguments adaptor frame if it exists right before jumping to the target function.

BUG=

Review URL: https://codereview.chromium.org/1777563002

Cr-Commit-Position: refs/heads/master@{#34593}

  port ddc626e1 (r34546)

  original commit message:
  I64Shl is lowered to a new turbofan operator, WasmWord64Shl. The new
  operator takes 3 inputs, the low-word input, the high-word input, and
  the shift, and produces 2 output, the low-word output and the high-word
  output.

  At the moment I implemented the lowering only for ia32, but I think the
  CL is already big enough. I will add the other platforms in separate
  CLs.

BUG=

Review URL: https://codereview.chromium.org/1773083002

Cr-Commit-Position: refs/heads/master@{#34591}

  port 22938040 (r34542)

  original commit message:
  HInvokeFunction and HApplyArguments instructions now support tail calling.

  Inlining of calls at tail position is not supported yet and therefore still disabled.

  The tail-call-megatest was modified so that the usages of "arguments" object do not disable Crankshaft.

BUG=

Review URL: https://codereview.chromium.org/1767343003

Cr-Commit-Position: refs/heads/master@{#34590}

This makes the FullCodeGenerator::EmitNamedPropertyLoad be architecture
independent by adding MacroAssembler::Move helpers.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1734643002

Cr-Commit-Position: refs/heads/master@{#34259}

  port ba2077aa (r34136)

  original commit message:
  Move the already existing fast case for %NewObject into a dedicated
  FastNewObjectStub that we can utilize in places where we would otherwise
  fallback to %NewObject immediately, which is rather expensive.

  Also use FastNewObjectStub as the generic implementation of JSCreate,
  which should make constructor inlining based on SharedFunctionInfo (w/o
  specializing to a concrete closure) viable soon.

BUG=

Review URL: https://codereview.chromium.org/1717203002

Cr-Commit-Position: refs/heads/master@{#34182}

  port 477e1336 (r33718)

  original commit message:

BUG=

Review URL: https://codereview.chromium.org/1673533002

Cr-Commit-Position: refs/heads/master@{#33758}

The root register is needed (at least on x64) to access
ExternalReferences.

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1641153003

Cr-Commit-Position: refs/heads/master@{#33631}

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1647653004

Cr-Commit-Position: refs/heads/master@{#33577}

We no longer have the concept of "JS builtins" exposed to handwritten
native code, so there's no need to keep the InvokeBuiltin macro around.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1611613002

Cr-Commit-Position: refs/heads/master@{#33416}

  port 84f8a506 (r33334)

  original commit message:
  Adds a ForInPrepare Runtime function which returns a triple of
  cache_type, cache_array and cache_length.

  This requires adding support to CEntryStub to call runtime functions
  which return a ObjectTriple - a struct containing three Object*
  pointers. Also did some cleanup of the x64 CEntryStub to avoid
  replicated code.

  Replaces the interpreter's use of the ad-hock InterpreterForInPrepare
  Runtime function with ForInPrepare in preparation for fixing deopt in
  BytecodeGraphBuilder for ForIn (which will be done in a followup CL).

  MIPS port contributed by Balazs Kilvady <balazs.kilvady@imgtec.com>.

BUG=

Review URL: https://codereview.chromium.org/1603493002

Cr-Commit-Position: refs/heads/master@{#33352}

  port 322ffda3 (r33265)

  original commit message:
  Also migrate the Number constructor to a native builtin, using the
  same mechanism already used by the String constructor. Otherwise just
  parsing and compiling the Number constructor to optimized code already
  eats 2ms on desktop for no good reason, and the resulting optimized
  code is not even close to awesome.

  Drive-by-fix: Use correct context for the [[Construct]] case of the
  String constructor as well, and share some code with it.

BUG=

Review URL: https://codereview.chromium.org/1581313002

Cr-Commit-Position: refs/heads/master@{#33280}

X87: [runtime] TailCallRuntime and CallRuntime should use default argument counts specified in runtime.h.

  port b889d79d(r33066)

  original commit message:
  In the vast majority of the cases when we call into the runtime we use
  the default number of arguments. Hence, there is not need to specify it
  again. This CL also removes TailCallExternalReference as there were no
  users.

BUG=

Review URL: https://codereview.chromium.org/1559693002

Cr-Commit-Position: refs/heads/master@{#33070}

JumpToExternalReference ignored the passed-in result_size argument, which
defaulted to 1. This change updates all users to not use a result_size.

BUG=

Review URL: https://codereview.chromium.org/1550923002

Cr-Commit-Position: refs/heads/master@{#33059}

  port 97def807 (r33044)

  original commit message:
  According to the ES2015 specification, bound functions are exotic
  objects, and thus don't need to be implemented as JSFunctions. So
  we introduce a new JSBoundFunction type to represent bound functions
  and make them optimizable. This already improves the performance of
  calling or constructing bound functions by 10-100x depending on the
  use case because we avoid the crazy dance between JavaScript and C++
  that was implemented in v8natives.js previously.

  There's still room for improvement in the performance of actually
  creating bound functions, which is also relevant in practice, but
  we already have a plan how to accomplish that later.

  The mips/mips64 ports were contributed by akos.palfi@imgtec.com.

BUG=

Review URL: https://codereview.chromium.org/1548253002

Cr-Commit-Position: refs/heads/master@{#33046}

BUG=chromium:561449
LOG=n

Review URL: https://codereview.chromium.org/1542113002

Cr-Commit-Position: refs/heads/master@{#33026}

  port 1e671030 (r32614)

  original commit message:

BUG=

Review URL: https://codereview.chromium.org/1502053003

Cr-Commit-Position: refs/heads/master@{#32641}

  port c83db2d0 (r32456)

  original commit message:

BUG=

Review URL: https://codereview.chromium.org/1487293002

Cr-Commit-Position: refs/heads/master@{#32486}

  port 9e644881 (r32407)

  original commit message:
  This way we avoid the %_IsSmi magic that is required in TurboFan to
  (efficiently) check abitrary context slots for smi 0. Checking against
  "the hole" is common in the AstGraphBuilder and "the hole" is also used
  to mark other context slots as not initialized.

BUG=

Review URL: https://codereview.chromium.org/1486913002

Cr-Commit-Position: refs/heads/master@{#32441}

  port 47502a23 (r32381)

  original commit message:
  Previously all contexts had a link to the global object, but what is
  required in most cases (except for the global load, store and delete
  case) is the native context.

  This also removes the second dummy global object that was still linked
  to every native context. We will add a different mechanism to ensure
  that builtins do not pollute the actual global object during
  bootstrapping.

  Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

BUG=

Review URL: https://codereview.chromium.org/1481353002

Cr-Commit-Position: refs/heads/master@{#32387}

BUG=v8:2487
R=yangguo@chromium.org,jkummerow@chromium.org,mstarzinger@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1474763008

Cr-Commit-Position: refs/heads/master@{#32359}

  port 81e131ce (r32339)

  original commit message:

BUG=

Review URL: https://codereview.chromium.org/1474993004

Cr-Commit-Position: refs/heads/master@{#32357}

We always want to have an Isolate, so just use an extra ctor arg

BUG=2487
R=yangguo@chromium.org,mstarzinger@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1476763002

Cr-Commit-Position: refs/heads/master@{#32277}

  port 7c45b005 (r32203)

  original commit message:
  This passes the new.target value in a register instead of through a
  side-channel via the construct stub. Note that only TurboFan code uses
  the register value so far, but unoptimized code will be switched soon.

BUG=

Review URL: https://codereview.chromium.org/1477663002

Cr-Commit-Position: refs/heads/master@{#32240}

  port 2fc2cb99 (r32144)

  original commit message:
  The old code was not ready for properly initialize objects with non standard headers and non zero in-object properties number.

  MacroAssembler::Allocate() implementations now return both start and end addresses of the new object (done by parameter renaming).

BUG=

Review URL: https://codereview.chromium.org/1467923002

Cr-Commit-Position: refs/heads/master@{#32161}

This removes some dead code from the function invocation code when the
arguments adaptor trampoline is called. This seems to be leftover code
from when we used to support calling code objects directly.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1455293004

Cr-Commit-Position: refs/heads/master@{#32126}

This adds an explicit parameter to the call descriptor having kind
kJSCallFunction representing the new.target value. Note that for now
this parameter is not yet passed in and hence cannot be used yet. Also
contains some refactoring of how parameter index value are calculated,
establishing Linkage as the central point for such index computations.

This is a preparatory CL to allows us passing new.target in a register
instead of via a side-channel through the construct stub frame.

R=bmeurer@chromium.org
BUG=v8:4544
LOG=n

Review URL: https://codereview.chromium.org/1461973002

Cr-Commit-Position: refs/heads/master@{#32112}