Split TFS builtins into

* TFC: TF builtins with stub linkage that use a custom interface descriptor
       (e.g. because of a non-standard return size or untagged arguments)
* TFS: the rest.

Automatically generate interface descriptors for TFS builtins to reduce
boilerplate involved in setting up stub calls. These are now as simple as
creating the TFS stub and using CSA::CallBuiltin, no extra work required.

BUG=v8:6116

Review-Url: https://codereview.chromium.org/2777203007
Cr-Commit-Position: refs/heads/master@{#44490}

and out of the main library. This saves about 5% of binary size
(800KB on x64, 373KB on android_arm).

Only the GN build is supported; the GYP build is maintained working
but does not support the feature.

Previously landed as 4782bc0d / r44412.

BUG=v8:6055
CQ_INCLUDE_TRYBOTS=master.tryserver.v8:v8_linux_nosnap_rel;

Review-Url: https://codereview.chromium.org/2760233005
Cr-Commit-Position: refs/heads/master@{#44489}

This reverts commit d3e9aade.

Reason for revert: Speculative for:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20nosnap%20-%20debug/builds/4449

Bisect points to this CL.

Original change's description:
> [Interpreter] Move BinaryOp Smi transformation into BytecodeGenerator.
> 
> Perform the transformation to <BinaryOp>Smi for Binary ops which take Smi
> literals in the BytecodeGenerator. This enables us to perform the
> transformation for literals on either side for commutative operations, and
> Avoids having to do the check on every bytecode in the peephole optimizer.
> 
> In the process, adds Smi bytecode variants for all binary operations, adding
>  - MulSmi
>  - DivSmi
>  - ModSmi
>  - BitwiseXorSmi
>  - ShiftRightLogical
> 
> BUG=v8:6194
> 
> Change-Id: If1484252f5385c16957004b9cac8bfbb1f209219
> Reviewed-on: https://chromium-review.googlesource.com/466246
> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Reviewed-by: Igor Sheludko <ishell@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#44477}

TBR=rmcilroy@chromium.org,yangguo@chromium.org,mstarzinger@chromium.org,mythria@chromium.org,ishell@chromium.org,v8-reviews@googlegroups.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:6194

Change-Id: If57dbdbe40be77804bf437463b855d3167e2d473
Reviewed-on: https://chromium-review.googlesource.com/471308Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44488}

The spec requires truncation while ToUint32 originally rounded down.
This also adds a bunch of test cases to check edge case behavior.

BUG=v8:6212

Review-Url: https://codereview.chromium.org/2805783003
Cr-Commit-Position: refs/heads/master@{#44487}

The LoadElimination (and potentially earlier passes too) might have
removed or lowered side-effecting operations, which allows for further
combining of check points in the graph, removing unnecessary StateValue
uses for the later truncation analysis.

BUG=chromium:709398
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2807563002
Cr-Commit-Position: refs/heads/master@{#44486}

The serializer already has code that special cases for some external
strings. We can handle all external strings in one place instead of
splitting the logic between the serializer and the object visitor.

The main benefit is that we remove two virtual functions from the
ObjectVisitor and thus simplify it for all other users.

BUG=chromium:709075

Review-Url: https://codereview.chromium.org/2799943002
Cr-Commit-Position: refs/heads/master@{#44485}

Add a dedicated operator for ToNumber(x) with feedback instead of
translating to SpeculativeNumberMultiply(x,1), which allows us to
treat the case where x is already a Number specially, ignoring the
feedback on the operator. This recovers most of the regression in
the crypto benchmark.

BUG=chromium:709398,v8:6214,v8:5267
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2802113003
Cr-Commit-Position: refs/heads/master@{#44484}

InternalResolvePromise, InternalPromiseReject and
InternalPerformPromiseThen generate quite a lot of code.

This change adds 3 new TF stubs which inline calls to these builtins.
These stubs are invoked rather than inlining those operations listed
above directly. This is done for Async Iteration builtins, as well as
Async Function builtins. Promise builtins are left as they were, and
continue to inline these calls.

This results in a roughly 99kb reduction in snapshot_blob.bin on an x64
release build.

BUG=v8:5855
R=gsathya@chromium.org, jgruber@chromium.org

Change-Id: I83e2f096782db685fe316dd071980cd8d696fe53
Reviewed-on: https://chromium-review.googlesource.com/469927Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44483}

R=ahaas@chromium.org
TEST=message/asm-function-mismatch-def
BUG=v8:6208

Change-Id: I415281d63bb376da3220ba31bbdf0b3d60e03299
Reviewed-on: https://chromium-review.googlesource.com/469947
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44482}

To avoid the need for including list-inl.h when you include spaces.h

Review-Url: https://codereview.chromium.org/2806493002
Cr-Commit-Position: refs/heads/master@{#44481}

Revert of [turbofan] Better representation selection for comparison with Float64. (patchset #2 id:20001 of https://codereview.chromium.org/2790833004/ )

Reason for revert:
Doesn't really move the needle, but tanks Kraken/imaging-gaussian-blur (crbug.com/709396), so reverting for now.

Original issue's description:
> [turbofan] Better representation selection for comparison with Float64.
>
> For speculative number comparisons with SignedSmall feedback, we always
> enforce either TaggedSigned or Word32 comparisons. But this is not
> really beneficial if one of the inputs is already in Float64
> representation; in that case it's cheaper to just convert the other
> input to a Float64.
>
> R=jarin@chromium.org
>
> Review-Url: https://codereview.chromium.org/2790833004
> Cr-Commit-Position: refs/heads/master@{#44327}
> Committed: https://chromium.googlesource.com/v8/v8/+/8af394d6d385daf05b73765a2545ac8f266c64c7

TBR=jarin@chromium.org
BUG=chromium:709396

Review-Url: https://codereview.chromium.org/2801233002
Cr-Commit-Position: refs/heads/master@{#44480}

Rather than doing nop elision in the peephole optimizer, be smarter about
emitting nops for elided register transfers in the bytecode optimizer.

BUG=v8:6194

Change-Id: Ib1a7168a0d143e4f2da7c6d43080998793c30822
Reviewed-on: https://chromium-review.googlesource.com/468929
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44479}

No longer invalidate the tick sample if there is no JS frame or only one
non-interpreted JS frame on the stack.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2799603005
Cr-Original-Commit-Position: refs/heads/master@{#44465}
Committed: https://chromium.googlesource.com/v8/v8/+/57bef9a1e2621555f70b9258593ae4a4235307ef
Review-Url: https://codereview.chromium.org/2799603005
Cr-Commit-Position: refs/heads/master@{#44478}

Perform the transformation to <BinaryOp>Smi for Binary ops which take Smi
literals in the BytecodeGenerator. This enables us to perform the
transformation for literals on either side for commutative operations, and
Avoids having to do the check on every bytecode in the peephole optimizer.

In the process, adds Smi bytecode variants for all binary operations, adding
 - MulSmi
 - DivSmi
 - ModSmi
 - BitwiseXorSmi
 - ShiftRightLogical

BUG=v8:6194

Change-Id: If1484252f5385c16957004b9cac8bfbb1f209219
Reviewed-on: https://chromium-review.googlesource.com/466246
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44477}

This removes one virtual function from ObjectVisitor.

BUG=chromium:709075

Review-Url: https://codereview.chromium.org/2798923004
Cr-Commit-Position: refs/heads/master@{#44476}

R=ahaas@chromium.org
TEST=message/asm-function-variable-collision
BUG=v8:6127

Change-Id: I75658f0bf58a8b3de5eb42f4f054476f8d2c139b
Reviewed-on: https://chromium-review.googlesource.com/469651
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44475}

Update docs and tests for recent changes in the spec for unicode escapes
in capture group names.

https://github.com/tc39/proposal-regexp-named-groups/issues/23

BUG=v8:5437

Review-Url: https://codereview.chromium.org/2788423003
Cr-Commit-Position: refs/heads/master@{#44474}

Change-Id: If074bb297201470d688ecd7b01e5e9ce9bab464e
Reviewed-on: https://chromium-review.googlesource.com/469730
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44473}

The WebIDL spec expects iterator objects from interfaces that declare pair
iterators to ultimately inherit from %IteratorPrototype%. Expose the
intrinsic object in the public API so we can use it in Blink's bindings
code.

BUG=chromium:689576
R=caitp@igalia.com,jkummerow@chromium.org,jochen@chromium.org

Review-Url: https://codereview.chromium.org/2784543004
Cr-Commit-Position: refs/heads/master@{#44472}

References to invalid names (i.e. not specified as a named group in the
pattern) throw a SyntaxError. Unmatched groups are still replaced by the
empty string.

See https://github.com/tc39/proposal-regexp-named-groups/issues/14.

BUG=v8:5437

Review-Url: https://codereview.chromium.org/2791183002
Cr-Commit-Position: refs/heads/master@{#44471}

This gives us more precise type information, so we can avoid some type
guards to refine the type information back.

The motivation for this is to help escape analysis by not introducing
redundant type guards (which escape analysis cannot handle yet even
though it could and should do).

Motivating example:

In the example below, the out-of-object property array for properties
fld5 and fld6 gets type Any when it is created by "o.fld5 = 5" (for
object literals, we store 4 properties in-objeca, the rest goes out
of object).

When we run load elimination for the load the out-of-object property
array (to store 6 into o.fld6), load elimination inserts TypeGuard to
enforce the Type::Internal() type. This makes escape analysis bail out
on this object, and we do not eliminate the object creation.

function f() {
  var o = {};
  o.fld1 = 1;
  o.fld2 = 2;
  o.fld3 = 3;
  o.fld4 = 4;
  o.fld5 = 5;
  o.fld6 = 6;
}

f();
f();
%OptimizeFunctionOnNextCall(f);
f();

Review-Url: https://codereview.chromium.org/2797993006
Cr-Commit-Position: refs/heads/master@{#44470}

Revert of [profiler] reduce incorrectly unaccounted ticks. (patchset #4 id:60001 of https://codereview.chromium.org/2799603005/ )

Reason for revert:
https://build.chromium.org/p/client.v8/builders/V8%20Win32%20-%20debug/builds/8247/steps/Check%20%28flakes%29/logs/CollectOptimizedTople..

Original issue's description:
> [profiler] reduce incorrectly unaccounted ticks.
>
> No longer invalidate the tick sample if there is no JS frame or only one
> non-interpreted JS frame on the stack.
>
> R=jarin@chromium.org
>
> Review-Url: https://codereview.chromium.org/2799603005
> Cr-Commit-Position: refs/heads/master@{#44465}
> Committed: https://chromium.googlesource.com/v8/v8/+/57bef9a1e2621555f70b9258593ae4a4235307ef

TBR=jarin@chromium.org,cbruni@chromium.org,yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2804593005
Cr-Commit-Position: refs/heads/master@{#44469}

FinishCompilationUnits used the assumption that FinishCompilationUnit
only return null if there is no compilation unit left to be finished.
This assumption was wrong though, because also a compilation error can
cause the result to be null. Therefore I switched to use the function
index as a new indicator.

BUG=chromium:709174

Change-Id: I3e9689fd71b8364422e1c74404921df2799191aa
Reviewed-on: https://chromium-review.googlesource.com/471347
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44468}

See https://github.com/tc39/ecma262/pull/303.

BUG=v8:5937,v8:6201

Review-Url: https://codereview.chromium.org/2793313002
Cr-Commit-Position: refs/heads/master@{#44467}

This ensures that capture names containing surrogate pairs are parsed
correctly even in non-unicode RegExp patterns by introducing a new
scanning mode which unconditionally combines surrogate pairs.

BUG=v8:5437,v8:6192

Review-Url: https://codereview.chromium.org/2791163003
Cr-Commit-Position: refs/heads/master@{#44466}

No longer invalidate the tick sample if there is no JS frame or only one
non-interpreted JS frame on the stack.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2799603005
Cr-Commit-Position: refs/heads/master@{#44465}

Port of http://crrev.com/2805613002 in TurboFan to Crankshaft.

We have a weird performance cliff, where using an object literal for
allocation is way slower than using a constructor function, or starting
from the empty object literal and using transitioning stores. The reason
is that we limit the inlining of object literal nodes into Crankshaft
to max. 8 fast properties. So as soon as you get above 8, you'll get a
runtime function call to %CreateObjectLiteral, which is a lot slower
than the inlined allocation and initialization. Still not ideal, but
less unpredictable (hopefully).

TBR=jarin@chromium.org
BUG=v8:6211

Review-Url: https://codereview.chromium.org/2800053002
Cr-Commit-Position: refs/heads/master@{#44464}

Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/2a0adf9..1314c9a

Rolling v8/third_party/catapult: https://chromium.googlesource.com/external/github.com/catapult-project/catapult/+log/80a58af..e650872

Rolling v8/tools/clang: https://chromium.googlesource.com/chromium/src/tools/clang/+log/5bc7c5e..70cd354

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Change-Id: Ie57670e0de37c1a91b19973c57ff4ff61d8885e7
Reviewed-on: https://chromium-review.googlesource.com/471006Reviewed-by: v8 autoroll <v8-autoroll@chromium.org>
Commit-Queue: v8 autoroll <v8-autoroll@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44463}

TBR=jbudorick@chromium.org
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Review-Url: https://codereview.chromium.org/2805613003
Cr-Commit-Position: refs/heads/master@{#44462}

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2803643004
Cr-Commit-Position: refs/heads/master@{#44461}

This patch fixes build error for 64bit platforms introduces in
https://codereview.chromium.org/2793323002
Error message from MIPS64 buildbot: error: implicit conversion loses
integer precision: 'long' to 'int' [-Werror,-Wshorten-64-to-32]

BUG=

Review-Url: https://codereview.chromium.org/2801713004
Cr-Commit-Position: refs/heads/master@{#44460}

Revert of [heap] Remove size specializations in static object visitors. (patchset #4 id:60001 of https://codereview.chromium.org/2763413007/ )

Reason for revert:
Speculative revert due to canary crashes.

BUG=chromium:708339,chromium:707790

Original issue's description:
> [heap] Remove size specializations in static object visitors.
>
> Apart from that this patch adds kVisitJSObjectFast for JSObjects that
> do not have any unboxed double fields and can be visited without
> run-time layout check.
>
> BUG=chromium:694255
>
> Review-Url: https://codereview.chromium.org/2763413007
> Cr-Commit-Position: refs/heads/master@{#44237}
> Committed: https://chromium.googlesource.com/v8/v8/+/dbb1cbe3a85d5c5528ce876d905e78d2ab35f00b

TBR=mlippautz@chromium.org,hpayer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:694255

Review-Url: https://codereview.chromium.org/2800923004
Cr-Commit-Position: refs/heads/master@{#44459}

This fixes behavior for HeapNumber {index} arguments passed to
AdvanceStringIndex.

Previously, we'd blindly treat {index} as a Smi. Passing a HeapNumber instead
would result in a Smi addition on the tagged HeapNumber pointer.

BUG=chromium:709015

Review-Url: https://codereview.chromium.org/2798933003
Cr-Commit-Position: refs/heads/master@{#44458}

The original CL: https://chromium-review.googlesource.com/c/469610/

R=clemensh@chromium.org

Change-Id: I5ba6aa9964eff63dd19854745aaacee73c071224
Reviewed-on: https://chromium-review.googlesource.com/470206
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44457}

In predictable mode DoSync and DoAsync are only normal
function calls. Therefore I had to do some adjustments
to async compilation to make it work with --predictable:
* I moved all calls to DoSync and DoAsync out of
  DisallowHandleAllocation and DisallowHeapAllocation
  scopes.
* I turned off the use of the semaphore which
  synchronizes the background compilation tasks with
  the main thread. It caused a deadlock.
* Adjust when the AsyncCompileJob is deleted, namely
  after the start function and not after the execution
  of the last compilation task. The reason is that in
  predictable mode all previous tasks are still on the
  stack after the last compilation task.


Bug:

Change-Id: I2f96f64febeee6b8bd5f4da3cec882797d249400
Reviewed-on: https://chromium-review.googlesource.com/469610
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44456}

Review-Url: https://codereview.chromium.org/2806463002
Cr-Commit-Position: refs/heads/master@{#44455}

Bug:

Change-Id: Iddd693d12e55a7a423eb3236006f3c22b41d1f83
Reviewed-on: https://chromium-review.googlesource.com/469829Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44454}

The actual value was always &-ed with 0 so technically correct. ASAN
rightfully complains when allocating an external bitmap though.

BUG=chromium:651354
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2799283002
Cr-Commit-Position: refs/heads/master@{#44453}

Why not?

Bug: v8:6215
Change-Id: I29f3731cbd0d03af6858eb475a1df8b8988cb89f
Reviewed-on: https://chromium-review.googlesource.com/469848Reviewed-by: Franziska Hinkelmann <franzih@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44452}

This CL fixes two more cases in which a regexp could unintentionally transition
to slow mode while on the fast path, leading to possible OOB accesses of
lastIndex.

In both cases, the fix is to re-check the shape and possibly bail to runtime.

BUG=chromium:708247,v8:6210

Review-Url: https://codereview.chromium.org/2803603005
Cr-Commit-Position: refs/heads/master@{#44451}