This reverts commit b4d2f3eb.

Bug: chromium:651354, chromium:788113
Change-Id: I04b7541e7eb69f737d45e90bbfec591cf8f8190f
Reviewed-on: https://chromium-review.googlesource.com/800552Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49765}

This reverts commit 5d4a0903.

Reason for revert: Speculative revert due to timeouts on testing with
--isolates:
https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/21889
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/18138

Original change's description:
> Add support to produce code cache after execute.
> 
> Adds new API function to request code cache. Earlier code cache was
> produced along with compile requests. This new API allows us to request
> code cache after executing. Also adds support in the code serializer to
> serialize after executing the script.
> 
> Bug: chromium:783124
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: Id7b972a2b4c8dcf7a6d9f5ea210890ae968320bd
> Reviewed-on: https://chromium-review.googlesource.com/781767
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Commit-Queue: Mythri Alle <mythria@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49717}

TBR=ulan@chromium.org,rmcilroy@chromium.org,yangguo@chromium.org,mythria@chromium.org

Change-Id: Id9e0285e73bbc3ea3908b4b7bbf6599e4f7cd76e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:783124
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/796870Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49722}

Adds new API function to request code cache. Earlier code cache was
produced along with compile requests. This new API allows us to request
code cache after executing. Also adds support in the code serializer to
serialize after executing the script.

Bug: chromium:783124
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Id7b972a2b4c8dcf7a6d9f5ea210890ae968320bd
Reviewed-on: https://chromium-review.googlesource.com/781767Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49717}

This reverts commit b301203e.

Reason for revert: Fixed issues on arm.

Original change's description:
> Revert "[wasm] JIT using WasmCodeManager"
> 
> This reverts commit d4c8393c.
> 
> Reason for revert: Breaks ARM hardware:
> https://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/5268
> 
> Original change's description:
> > [wasm] JIT using WasmCodeManager
> > 
> > This is the first step towards wasm code sharing. This CL moves wasm
> > code generation outside the JavaScript GC heap using the previously -
> > introduced WasmCodeManager (all this, behind the --wasm-jit-to-native
> > flag).
> > 
> > See design document: go/wasm-on-native-heap-stage-1
> > 
> > This CL doesn't change other wasm architectural invariants. We still
> > have per-Isolate wasm code generation, and per-wasm module instance
> > code specialization.
> > 
> > Bug:v8:6876
> > 
> > Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> > Change-Id: I1e08cecad75f93fb081545c31228a4568be276d3
> > Reviewed-on: https://chromium-review.googlesource.com/674086
> > Reviewed-by: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Eric Holk <eholk@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#49689}
> 
> TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org,eholk@chromium.org
> 
> Change-Id: I89af1ea5decd841bc12cd2ceaf74d32bc4433885
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: v8:6876
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/794690
> Reviewed-by: Michael Achenbach <machenbach@chromium.org>
> Commit-Queue: Michael Achenbach <machenbach@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49691}

TBR=bradnelson@chromium.org,machenbach@chromium.org,titzer@chromium.org,mtrofin@chromium.org,eholk@chromium.org

Change-Id: I1b07638d1bb2ba0664305b4b2dcfc1342dc8444f
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6876
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/794434
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49692}

This reverts commit d4c8393c.

Reason for revert: Breaks ARM hardware:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/5268

Original change's description:
> [wasm] JIT using WasmCodeManager
> 
> This is the first step towards wasm code sharing. This CL moves wasm
> code generation outside the JavaScript GC heap using the previously -
> introduced WasmCodeManager (all this, behind the --wasm-jit-to-native
> flag).
> 
> See design document: go/wasm-on-native-heap-stage-1
> 
> This CL doesn't change other wasm architectural invariants. We still
> have per-Isolate wasm code generation, and per-wasm module instance
> code specialization.
> 
> Bug:v8:6876
> 
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> Change-Id: I1e08cecad75f93fb081545c31228a4568be276d3
> Reviewed-on: https://chromium-review.googlesource.com/674086
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Eric Holk <eholk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49689}

TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org,eholk@chromium.org

Change-Id: I89af1ea5decd841bc12cd2ceaf74d32bc4433885
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6876
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/794690Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49691}

This is the first step towards wasm code sharing. This CL moves wasm
code generation outside the JavaScript GC heap using the previously -
introduced WasmCodeManager (all this, behind the --wasm-jit-to-native
flag).

See design document: go/wasm-on-native-heap-stage-1

This CL doesn't change other wasm architectural invariants. We still
have per-Isolate wasm code generation, and per-wasm module instance
code specialization.

Bug:v8:6876

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I1e08cecad75f93fb081545c31228a4568be276d3
Reviewed-on: https://chromium-review.googlesource.com/674086Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49689}

And also ensure that it doesn't allocate when that's avoidable.

Bug: v8:6791
Change-Id: Ied2d2c9c5718aed9839f17739d743353cbadee88
Reviewed-on: https://chromium-review.googlesource.com/786170Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49683}

These fields relied on the assumption that 64-bit big-endian
architectures had sizeof(int) == 4. Any architecture violating this
assumption would result in an OOB access.

Bug: 
Change-Id: I682ecb6a2da2cf84e8b24f1c1e608d7fc23f5bdc
Reviewed-on: https://chromium-review.googlesource.com/793431Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49673}

1) Make sure we don't enable prototype setup mode for parent class and its prototype
objects.
2) Make sure we create builtins and their prototypes with completed setup mode.
3) Drive-by-fix: setup typed array classes in bootstrapper.cc instead of typedarray.js,
and drop %FunctionSetPrototype().

Bug: v8:7115, v8:5902
Change-Id: I58ac091d85647abc3307bd47baf48e378e3695c5
Reviewed-on: https://chromium-review.googlesource.com/790992
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49655}

... and use it for allocation of FixedArray-based objects with custom maps.

Change-Id: Id31d05cf506e3607210fe7fdaf05f55053de5e2a
Reviewed-on: https://chromium-review.googlesource.com/789113Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49622}

This simplifies handling of DescriptorArray objects in deserializer.

Bug: v8:5799
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ie4f9c6903afd8273d6320e6b0e0b05231db6cc00
Reviewed-on: https://chromium-review.googlesource.com/785676
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49605}

Bug: v8:5799
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Iff62cf07d85b48975d7a21da388bbf6addeb56f1
Reviewed-on: https://chromium-review.googlesource.com/781633
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49589}

This CL ensures that elements kind transitions don't cause silent
mutable-to-constant or any-to-class-type migrations of in-place
generalizable fields.

Bug: v8:5495, chromium:783132
Change-Id: Ie60224db62bd45d27148ae0469c7af5a3fe944fd
Reviewed-on: https://chromium-review.googlesource.com/785190Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49583}

Identify wasm-to-wasm wrappers separately from wasm-to-js ones.

Bug: 
Change-Id: I853ed8fb999297f8a951ebb0e5be1c99bfacc18c
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/782680Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49580}

The unused properties fields number is calculatable via used in-object
properties count and we can drop it now.

Bug: chromium:774644
Change-Id: I7388af7772a8e793593fabc46527886cf2e36095
Reviewed-on: https://chromium-review.googlesource.com/781465Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49542}

Bug: 
Change-Id: Iccc0241859970ad4e04b9a6e5f206491aa7c442e
Reviewed-on: https://chromium-review.googlesource.com/781939Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49541}

R=jarin@chromium.org
BUG=v8:6792

Change-Id: Id97c7a9911eb2c0606f8ea25d0a2c8ebcb4c8ccd
Reviewed-on: https://chromium-review.googlesource.com/753729Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49517}

Free ArrayBuffer backing stores on a background thread, rather than
blocking the main thread after processing. Could potentially cause
contention with the array buffer allocator once JS execution resumes.

The new ArrayBufferCollector class tracks these dead allocations.

Later, the processing of array buffers can happen in parallel.

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng;master.tryserver.v8:v8_linux64_tsan_rel;master.tryserver.v8:v8_linux64_tsan_concurrent_marking_rel_ng;master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Bug: v8:6992
Change-Id: I2b74f008f79521414374f607ed510f66508af160
Reviewed-on: https://chromium-review.googlesource.com/779182
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49505}

This reverts commit b6658ade.

Reason for revert: Breaks TSAN :(

Original change's description:
> [heap] Concurrently free ArrayBuffer allocations.
> 
> Free ArrayBuffer backing stores on a background thread, rather than
> blocking the main thread after processing. Could potentially cause
> contention with the array buffer allocator once JS execution resumes.
> 
> The new ArrayBufferCollector class tracks these dead allocations.
> 
> Later, the processing of array buffers can happen in parallel.
> 
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
> 
> Bug: v8:6992
> Change-Id: I49ae4db12ed62d8400ba2bbafeda05a11479d904
> Reviewed-on: https://chromium-review.googlesource.com/739829
> Commit-Queue: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49485}

TBR=hpayer@chromium.org,mlippautz@chromium.org,petermarshall@chromium.org

Change-Id: If6743b83f871c0fd0d6e83a3083dce0eecd99021
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6992
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/779159Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49488}

Free ArrayBuffer backing stores on a background thread, rather than
blocking the main thread after processing. Could potentially cause
contention with the array buffer allocator once JS execution resumes.

The new ArrayBufferCollector class tracks these dead allocations.

Later, the processing of array buffers can happen in parallel.

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng

Bug: v8:6992
Change-Id: I49ae4db12ed62d8400ba2bbafeda05a11479d904
Reviewed-on: https://chromium-review.googlesource.com/739829
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49485}

R=mstarzinger@chromium.org

Bug: v8:6593
Change-Id: Ica794c7b0d779f04647d2b2c5ce7762a537620ae
Reviewed-on: https://chromium-review.googlesource.com/759793
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49469}

This CL creates the invariant that the BigInt class treats
BigInt objects as immutable. Writing to new BigInt objects
as part of their construction is done by the MutableBigInt
helper class, which in turn is hidden as an implementation
detail in bigint.cc.
As a side effect, this refactoring enforces right-trimming
checks for all newly created BigInts, and ensures that all
BigInt allocations possibly exceeding kMaxLength check for
this case and throw a RangeError instead of crashing.

Bug: v8:6791
Tbr: mlippautz@chromium.org
Change-Id: Id239746108e6b076b47a03ba37462001eb501507
Reviewed-on: https://chromium-review.googlesource.com/742329
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49462}

The layout descriptor helper computes the object header size using
map->instance_size() and map->GetInObjectProperties().

It races with finalization of slack tracking, which changes both
the instance size and the in-object properties count.

This patch replaces the in-object properties count byte in the map
with the byte that stores the start offset of in-object properties.

The new byte can be used in the layout descriptor to compute the
object header size and it is immutable.

This patch also renames InstanceSize to InstanceSizeInWords where
the instance size is represented in words.

Bug: chromium:786069, chromium:694255
Change-Id: I4b48c6944d3fe8a950bd7b0ba43d75216b177a78
Reviewed-on: https://chromium-review.googlesource.com/776720
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49461}

This CL also includes fixes for CF issues found while the previous
reland was active.

Bug: v8:5799, chromium:783902, chromium:783926, chromium:783822
Change-Id: I1f7d9b037d90838469c45f5d72771a77444c662e
Reviewed-on: https://chromium-review.googlesource.com/764067Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49457}

Both of these features were shipped in Chrome 62.

Bug: v8:4545, v8:6172
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ie00dcbeded7517a15696d4a78fcfbbf162919923
Reviewed-on: https://chromium-review.googlesource.com/775601Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49453}

Since we only ever have preparsed scope info data for functions that
haven't been parsed yet, it never overlaps with there being other
function data (such as a bytecode array). So, we can merge the two
fields.

This drops the SharedFunctionInfo size by one pointer.

Bug: chromium:783853
Change-Id: I7166010271cf661b04d3d118ac87c65c79555f96
Reviewed-on: https://chromium-review.googlesource.com/774863Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49445}

"AbsoluteDivSmall" had a shortcut path for abs(divisor) == 1 where
it would simply return the dividend as result. However, its caller
"Divide" was blissfully ignorant of this trick and would therefore
simply set the value's sign as needed, modifying the input.
This CL prevents that, while continuing to avoid the full division
algorithm for abs(divisor) == 1.

Bug: v8:6791
Change-Id: I04cdc93f5ed2a696587c35c754e68f07012dd1a9
Reviewed-on: https://chromium-review.googlesource.com/772332
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49433}

Make the accessors of SharedFunctionInfo instance_class_name take and
return String rather than Object, since it's always a String anyway.

Change-Id: Ic5dacccf3835550e3533356fe7ded37ea107d720
Reviewed-on: https://chromium-review.googlesource.com/774882Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49421}

Previously, we had lazy parsing of class constructor disabled when a
class literal had class fields because we were using a reference to
the initializer function variable to load the function and call it.

Instead, in this patch, we use the scope analysis to lookup this
initializer function variable.

Bug: v8:5367
Change-Id: Ib73d7e6abed33c04d1f574e7976bea4869d54757
Reviewed-on: https://chromium-review.googlesource.com/768384
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49406}

Bug: v8:5799
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I2c412f40aba6135dd0dafc7daa57420071ffee1c
Reviewed-on: https://chromium-review.googlesource.com/768414
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49361}

[snapshot] Use ThinStrings instead of custom forwarding using the hashfield to deserialize internalized strings

This is necessary to be able to store the string length next to the hash field in the same 64bit word on 64bit architectures. Otherwise the forwarding pointer will overwrite the length breaking heap guarantees. ThinStrings already just do the right thing, so just use that instead.

Bug: v8:7065
Change-Id: I4922365e72421995cd11437cb91572ff56f8a9e8
Reviewed-on: https://chromium-review.googlesource.com/763231Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49352}

.. by using macros for defining field offsets.

Bug: v8:5799
Change-Id: Id76e81bedb8f348b2efaa1d553bebac0ff90b474
Reviewed-on: https://chromium-review.googlesource.com/768382Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49351}

The only empty PropertyArray is the empty_property_array object on the
isolate. Allowing empty PropertyArrays causes the turbofan to ignore the
existing hash when growing the backing store again. We currently only end
up with the empty PropertyArray when following back transitions.

Bug: chromium:781218, chromium:783713
Change-Id: If41dd09b965cdc8d957b9ca50ba3c8a7f4254769
Reviewed-on: https://chromium-review.googlesource.com/763230
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49318}

This reverts commit 22932d6b.

Reason for revert: TSAN https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/18232

Original change's description:
> Reland "[runtime] Slightly optimize creation of class literals."
> 
> Bug: v8:5799
> Change-Id: I782ec131c7194aef20942a19750168a974913c3f
> Reviewed-on: https://chromium-review.googlesource.com/757337
> Commit-Queue: Igor Sheludko <ishell@chromium.org>
> Reviewed-by: Toon Verwaest <verwaest@chromium.org>
> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49291}

TBR=ulan@chromium.org,rmcilroy@chromium.org,jarin@chromium.org,ishell@chromium.org,verwaest@chromium.org

Change-Id: I0742d25b0e2364efc696d19492ba20614a3821fa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:5799
Reviewed-on: https://chromium-review.googlesource.com/763458Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49303}

Bug: v8:5799
Change-Id: I782ec131c7194aef20942a19750168a974913c3f
Reviewed-on: https://chromium-review.googlesource.com/757337
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49291}

This is necessary in order to support class literals boilerplates which will
contain descriptor arrays not attached to maps.

This CL introduces Heap::descriptor_array_map() which will be used only for
descriptor arrays templates created as a part of class literal boilerplate.

We don't use the new map for all descriptors for now because in order to handle
chicken-egg problem in deserializer which can be solved in a clean and readable
way only if introduce a DESCRIPTOR_ARRAY_TYPE instance type which we can't
currently do because the InstanceType enum is already "full".

Bug: v8:5799
Change-Id: I732d236b0dda2c436ab3ce3ac5967f6c66162df3
Reviewed-on: https://chromium-review.googlesource.com/758360
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49271}

Bug: v8:6791
Change-Id: I05c8be6ac880c5ab5451db24dd0ad57b74bde8ba
Reviewed-on: https://chromium-review.googlesource.com/757137
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49232}

There's three common situations in which we need to create JSFunction
objects.  1) from the compiler, 2) from tests, and 3) everything else
(mostly during bootstrapping).

This is an attempt to simplify case 3), which previously relied on
several Factory::NewFunction overloads where it was not clear how the
semantics of each overload differed.

This CL removes all but one overload, and packs arguments into a new
NewFunctionArgs helper class.

It also removes the hacks around
SFI::set_lazy_deserialization_builtin_id by explicitly passing
builtin_id into Factory::NewSharedFunctionInfo.

Drive-by-fix: Properly set is_constructor hint in
SimpleCreateSharedFunctionInfo.

Bug: v8:6624
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ica94d95e72e443055db5e7ff9e8cdf4115201ef1
Reviewed-on: https://chromium-review.googlesource.com/757094
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49224}

Bug: v8:6791
Change-Id: I10f8c6c88c534ee1e3c893176b6563af0c9f99d3
Reviewed-on: https://chromium-review.googlesource.com/753904
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49180}

Use (Seeded)NumberDictionary instead.

Change-Id: I426cd0a33df7d47fe4fec0c108be5632ef7c0f19
Reviewed-on: https://chromium-review.googlesource.com/756697Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49179}