This moves deserializer setup boilerplate inside the deserializers, and
makes improper usage less likely. For instance:

  ObjectDeserializer deserializer(&scd);
  /* ... deserializer setup ... */
  MaybeHandle<HeapObject> obj = deserializer.Deserialize(isolate);
  /* ... result checks and casts ... */

has now become:

  /* All setup and casts inside deserializer, impossible to illegally
     use the same instance multiple times. */
  MaybeHandle<SharedFunctionInfo> maybe_result =
      ObjectDeserializer::DeserializeSharedFunctionInfo(
          isolate, &scd, source);

Bug: v8:6624
Change-Id: Id5a1848e024e89cf86e5292389ba7c89f31d8e6b
Reviewed-on: https://chromium-review.googlesource.com/604791
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47219}

Another pure refactoring CL. This extracts methods used only by Deserializer
subclasses.

Bug: v8:6624
Change-Id: Ib4dd7cdc591dff217e282e68a490c8c7129b9c96
Reviewed-on: https://chromium-review.googlesource.com/602188
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47211}

Bug: 749486

The feature is off by default, and could be turned on via
`v8_enable_csa_write_barrier = true`. With this CL, only x64 uses this
feature

Change-Id: Ie024f08b7d796a4cc4d55285dc9fe796780f0e53
Reviewed-on: https://chromium-review.googlesource.com/588891Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Albert Mingkun Yang <albertnetymk@google.com>
Cr-Commit-Position: refs/heads/master@{#47122}

This begins splitting up the Deserializer class into
{Object,Partial,Startup}Deserializer.  For now, all functionality remains in
the Deserializer base clase, to be refactored in future CLs.  Empty .cc files
are added here to avoid having to touch build files again.

Bug: v8:6624
Change-Id: If563e03492991bd55c91cd2e09312c0a26aaab2c
Reviewed-on: https://chromium-review.googlesource.com/598067Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47107}

This is to ensure the snapshot is deterministic.


R=mstarzinger@chromium.org

Bug: v8:4886, v8:3645
Change-Id: I79c8e54ba6b4810f005bc1ece61890790c815cea
Reviewed-on: https://chromium-review.googlesource.com/595740
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47082}

Change-Id: Ida5c537fa94a376a134e60edce889b96b676a8f9
Reviewed-on: https://chromium-review.googlesource.com/584874Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47039}

We must ensure required root objects will be filled when such
objects will be deserialized.

Change-Id: I25136d31cb2e0c0a69a51c5635192f17bbe2a9ba
Reviewed-on: https://chromium-review.googlesource.com/579768
Commit-Queue: Vyacheslav Chigrin <vchigrin@yandex-team.ru>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46944}

This replaces the linked list of weak cells with a worklist.

TBR=yangguo@chromium.org

BUG=chromium:694255

Change-Id: Ia877e25010ebbec9c05fbbe48cff460a92d3a132
Reviewed-on: https://chromium-review.googlesource.com/587067
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46929}

This is so that we can distinguish hash tables by instance type. We can
then introduce maps for each kind of hash tables to further distinguish.

R=mstarzinger@chromium.org

Bug: v8:6593
Change-Id: Ice9e6bb7b85d825207ac489b6930ac9020d60db8
Reviewed-on: https://chromium-review.googlesource.com/582814Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46861}

This switches the "code entry" field on JSFunction to no longer be an
inner pointer into a Code object (i.e. to the start of the instruction
stream), but a properly tagged pointer instead.

Motivation behind this is the ability to treat this field regularly as
part of escape analysis in the optimizing compiler. Also simplifies the
object visitation for JSFunction objects.

R=bmeurer@chromium.org

Change-Id: Ib53a3fc5f3d783a6fed06dbcab319f5568632acc
Reviewed-on: https://chromium-review.googlesource.com/577890
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46844}

This reverts commit 990dd947.

Reason for revert: <INSERT REASONING HERE>

Original change's description:
> Introduce HASH_TABLE_TYPE instance type.
> 
> This is so that we can distinguish hash tables by instance type. We can
> then introduce maps for each kind of hash tables to further distinguish.
> 
> R=​mstarzinger@chromium.org
> 
> Bug: v8:6593
> Change-Id: I1a532884758e571abdfe2e2743fc5ea611d12f7e
> Reviewed-on: https://chromium-review.googlesource.com/581009
> Commit-Queue: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46828}

TBR=yangguo@chromium.org,mstarzinger@chromium.org

Change-Id: Ia47d408e5cf47983940227b4cc445a704d7f8d19
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:6593
Reviewed-on: https://chromium-review.googlesource.com/581493Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46833}

This is so that we can distinguish hash tables by instance type. We can
then introduce maps for each kind of hash tables to further distinguish.

R=mstarzinger@chromium.org

Bug: v8:6593
Change-Id: I1a532884758e571abdfe2e2743fc5ea611d12f7e
Reviewed-on: https://chromium-review.googlesource.com/581009
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46828}

when black allocation is on.

The scenario:
1) Incremental marking is off.
2) Partial deserialization starts and calls Heap::ReserveSpace.
2) ReserveSpace creates (white) reservations in old space.
3) ReserveSpace allocates map placeholders. One of these allocations
starts incremental marking, which starts black allocation (currently
when concurrent marking is on). Subsequent maps are black allocated.
4) ReserveSpace succeeds without triggering a GC.
5) Deserialization continues. Some maps are black. Note that
deserialization emits only old->new write barriers and skips
marking write barriers.
6) Deserialization finishes and re-visits the black allocated
reservations and large object. This misses black allocated maps.
7) There is black->white descriptor array pointer in one of these map.

BUG=chromium:723600

Change-Id: Ifffe46f22a7d7dbc5cff2e882190234fcc722ccb
Reviewed-on: https://chromium-review.googlesource.com/581187
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46816}

It used to be that immortal immovable objects have to be on the first page to
not be moved. This is no longer true since we flag pages wrt whether they are
allowed to move.

R=mlippautz@chromium.org

Change-Id: I5c9c88fa358636df119108e16e871815b126ab27
Reviewed-on: https://chromium-review.googlesource.com/575976Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46777}

See https://goo.gl/6aN8xA

Bug: v8:6593
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ic8b0b57195d01d41591397d5d45de3f0f3ebc3d9
Reviewed-on: https://chromium-review.googlesource.com/574527Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46732}

This is to make debugging serialization easier by having a way
to inspect the object graph. Serializer::PrintStack() can be
invoked from the debugger to print the current traversal path.

R=jgruber@chromium.org

Change-Id: Ie67408ade7989dc559904821b3f009fdfe3e459f
Reviewed-on: https://chromium-review.googlesource.com/571219Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46662}

There is just one version now, called IsPowerOfTwo. It accepts any
integral type.
There is one slight semantical change: Called with kMinInt, it
previously returned true, because the argument was implicitly casted to
an unsigned. It's now (correctly) returning false, so I had to add
special handlings of kMinInt in machine-operator-reducer before calling
IsPowerOfTwo on that value.

R=mlippautz@chromium.org,mstarzinger@chromium.org,jgruber@chromium.org,ishell@chromium.org,yangguo@chromium.org

Change-Id: Idc112a89034cdc8c03365b778b33b1c29fefb38d
Reviewed-on: https://chromium-review.googlesource.com/568140Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46627}

BUG=

Review-Url: https://codereview.chromium.org/2970443003
Cr-Commit-Position: refs/heads/master@{#46515}

This is towards closing the perf gap between the MSVC build (which uses link-
time optimization) and Clang (where LTO isn't ready on Windows yet). We did
a study (see bug) to see which non-inlined functions are hit a lot during render
start-up, and which would be inlined during LTO. This should benefit performance
in all builds which currently don't use LTO (Android, Linux, Mac) as well as
the Win/Clang build.

The binary size of chrome_child.dll increases by 2KB with this.

BUG=chromium:728324
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_compile_dbg_ng;master.tryserver.chromium.mac:mac_chromium_compile_dbg_ng

Review-Url: https://codereview.chromium.org/2950993002
Cr-Commit-Position: refs/heads/master@{#46229}

Revert of Make some functions that are hit during renderer startup available for inlining (patchset #3 id:40001 of https://codereview.chromium.org/2950993002/ )

Reason for revert:
Blocks roll:
https://codereview.chromium.org/2954833002/

E.g.:
https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_compile_dbg_ng/builds/449680
https://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_compile_dbg_ng/builds/324953

Please include those chromium trybots on reland. Maybe missing symbol export?

Original issue's description:
> Make some functions that are hit during renderer startup available for inlining
>
> This is towards closing the perf gap between the MSVC build (which uses link-
> time optimization) and Clang (where LTO isn't ready on Windows yet). We did
> a study (see bug) to see which non-inlined functions are hit a lot during render
> start-up, and which would be inlined during LTO. This should benefit performance
> in all builds which currently don't use LTO (Android, Linux, Mac) as well as
> the Win/Clang build.
>
> The binary size of chrome_child.dll increases by 2KB with this.
>
> BUG=chromium:728324
>
> Review-Url: https://codereview.chromium.org/2950993002
> Cr-Commit-Position: refs/heads/master@{#46191}
> Committed: https://chromium.googlesource.com/v8/v8/+/d00d52be1fce9c1bf5558c8b26bf984efd09e65b

TBR=jochen@chromium.org,mstarzinger@chromium.org,rmcilroy@chromium.org,vogelheim@chromium.org,marja@chromium.org,mlippautz@chromium.org,thakis@chromium.org,hans@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:728324
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2955793002
Cr-Commit-Position: refs/heads/master@{#46195}

This is towards closing the perf gap between the MSVC build (which uses link-
time optimization) and Clang (where LTO isn't ready on Windows yet). We did
a study (see bug) to see which non-inlined functions are hit a lot during render
start-up, and which would be inlined during LTO. This should benefit performance
in all builds which currently don't use LTO (Android, Linux, Mac) as well as
the Win/Clang build.

The binary size of chrome_child.dll increases by 2KB with this.

BUG=chromium:728324

Review-Url: https://codereview.chromium.org/2950993002
Cr-Commit-Position: refs/heads/master@{#46191}

Storing the boilerplate on the first run leads to memory ovehead for code
that is run only once. Hence we directly return the creating literal on the
first run and only start creating copies from the second run on.

Bug: v8:6211
Change-Id: I69b96d124a5b594b991fdbcc76dbf935d973ffad
Reviewed-on: https://chromium-review.googlesource.com/530688
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45975}

Bug: 
Change-Id: I1a7bd12b39678c926cc74729cc0005e01c487bd9
Reviewed-on: https://chromium-review.googlesource.com/532901Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45910}

This CL
- removes InternalizeStringIfExists/LookupStringIfExists
- makes the distinction between hash_field and hash clear to AstRawString

Bug: 
Change-Id: Ia98c2236be4154a7db2741f2cf73681cfdcf03c7
Reviewed-on: https://chromium-review.googlesource.com/532954
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45902}

With the deprecation of Crankshaft, it's no longer necessary for
FullCodeGen to keep track of its runtime profiler ticks on the code
object, and we can instead unify the behaviour of FCG and Ignition to
both increment the SFI counter instead.

Bug: v8:6408
Change-Id: Idcdd673aa39af06fe15a0fc14dfda2afafb5e417
Reviewed-on: https://chromium-review.googlesource.com/528117Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45892}

Bug: 
Change-Id: I9f0329b69693749c243c05b27c542c4ccdd71a11
Reviewed-on: https://chromium-review.googlesource.com/531244Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45891}

Only the CompilationCache doesn't actually specialize the table to the point where it knows how to hash stored keys. This moves the virtual HashForObject down from HashTableKey to CompilationCacheKey, and moves previous virtual implementations to the respective shapes.

Bug: v8:6474
Change-Id: I0a1ae26a224d602d16692d2b09c96a2ab193f07f
Reviewed-on: https://chromium-review.googlesource.com/529110Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45842}

The code was already careful to use memcpy() here, but then it
added needless casts to wider types that made the compiler think
that it can do 4-byte-aligned accesses when it couldn't.

(It's also a bug that the snapshot got loaded at an unaligned
address, but we can fix both bugs.)

BUG=chromium:729059

Review-Url: https://codereview.chromium.org/2915323002
Cr-Commit-Position: refs/heads/master@{#45698}

The memcpy and memmove externals can end up at the same address; see bug for
details.

BUG=chromium:726896

Review-Url: https://codereview.chromium.org/2906193002
Cr-Commit-Position: refs/heads/master@{#45545}

R=danno@chromium.org
CC=sshruthi@chromium.org
TBR=verwaest@chromium.org,bmeurer@chromium.org,yangguo@chromium.org,rossberg@chromium.org

Change-Id: I32e09193fa6e847ac3336eab62b6d85c46d71164
Reviewed-on: https://chromium-review.googlesource.com/509508
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45447}

When black allocation is turned on at deserialization time, then
slots in deserialized objects have to be visited by the incremental
marker. For spaces with reservations, this has always been done; for
large object space with its special handling, this patch adds it.

Additionally, we must ensure that no incremental steps that might
cause incremental marking to finish are performed while there is an
AlwaysAllocateScope around.

BUG=chromium:718859

Review-Url: https://codereview.chromium.org/2868103002
Cr-Commit-Position: refs/heads/master@{#45231}

There's no point in using our own implemention of List for this.

Bug:v8:6325

Change-Id: Idf3399bbaaf50f9e1fc7b16c67ea2c6246dd6574
Reviewed-on: https://chromium-review.googlesource.com/489949Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44980}

kNumberOfSpaces includes map and large object spaces,
kNumberOfPreallocatedSpaces does not. Therefore we need
to output both separately.

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2843353002
Cr-Commit-Position: refs/heads/master@{#44912}

V8 can bundle user scripts in the start up snapshot. These are
shared across contexts, and do not work well context groups.

R=kozyatinskiy@chromium.org
BUG=v8:6274

Review-Url: https://codereview.chromium.org/2836623002
Cr-Original-Commit-Position: refs/heads/master@{#44847}
Committed: https://chromium.googlesource.com/v8/v8/+/9685cfd310a51b2b32f97223069abaaca77405a8
Review-Url: https://codereview.chromium.org/2836623002
Cr-Commit-Position: refs/heads/master@{#44897}

Also move the responsibility of marking builtins as initialized
to the deserializer.

R=jkummerow@chromium.org

Review-Url: https://codereview.chromium.org/2840493002
Cr-Original-Commit-Position: refs/heads/master@{#44802}
Committed: https://chromium.googlesource.com/v8/v8/+/a2b3a2fbc562584ec298dfe674c97662a125a59e
Review-Url: https://codereview.chromium.org/2840493002
Cr-Commit-Position: refs/heads/master@{#44884}

Revert of [snapshot] full setup delegate should also be able to deserialize. (patchset #2 id:20001 of https://codereview.chromium.org/2840493002/ )

Reason for revert:
prime suspect for https://bugs.chromium.org/p/chromium/issues/detail?id=714976

Original issue's description:
> [snapshot] full setup delegate should also be able to deserialize.
>
> Also move the responsibility of marking builtins as initialized
> to the deserializer.
>
> R=jkummerow@chromium.org
>
> Review-Url: https://codereview.chromium.org/2840493002
> Cr-Commit-Position: refs/heads/master@{#44802}
> Committed: https://chromium.googlesource.com/v8/v8/+/a2b3a2fbc562584ec298dfe674c97662a125a59e

TBR=jkummerow@chromium.org,yangguo@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.

BUG=chromium:714976

Review-Url: https://codereview.chromium.org/2841993002
Cr-Commit-Position: refs/heads/master@{#44870}

Revert of [inspector] always include user scripts in the snapshot. (patchset #3 id:40001 of https://codereview.chromium.org/2836623002/ )

Reason for revert:
So that https://codereview.chromium.org/2841993002/ can be reverted.

Original issue's description:
> [inspector] always include user scripts in the snapshot.
>
> V8 can bundle user scripts in the start up snapshot. These are
> shared across contexts, and do not work well context groups.
>
> R=kozyatinskiy@chromium.org
> BUG=v8:6274
>
> Review-Url: https://codereview.chromium.org/2836623002
> Cr-Commit-Position: refs/heads/master@{#44847}
> Committed: https://chromium.googlesource.com/v8/v8/+/9685cfd310a51b2b32f97223069abaaca77405a8

TBR=kozyatinskiy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:6274

Review-Url: https://codereview.chromium.org/2840923002
Cr-Commit-Position: refs/heads/master@{#44868}

This makes an ObjectVisitor as powerful as a StaticVisitor and allows
slots recording in ObjectVisitor.

This patch also renames VisitCell method of ObjectVisitor to
VisitCellPointer, so that VisitCell is free to be used for actually
visiting a cell.

BUG=chromium:709075

Review-Url: https://codereview.chromium.org/2810653002
Cr-Commit-Position: refs/heads/master@{#44860}

This patch adds a new interface called RootVisitor and changes the root
iteration functions to accept a RootVisitor instead of an ObjectVisitor.

Future CLs will change ObjectVisitor to provide the host object to all
visiting functions, which will bring it in sync with static visitors.

Having separate visitors for roots and objects removes ambiguity in
VisitPointers and reduces chances of forgetting to record slots.

This is intended as pure refactoring. All places that require behavior
change are marked with TODO and will addressed in future CLs.

BUG=chromium:709075

Review-Url: https://codereview.chromium.org/2801073006
Cr-Commit-Position: refs/heads/master@{#44852}

V8 can bundle user scripts in the start up snapshot. These are
shared across contexts, and do not work well context groups.

R=kozyatinskiy@chromium.org
BUG=v8:6274

Review-Url: https://codereview.chromium.org/2836623002
Cr-Commit-Position: refs/heads/master@{#44847}