- 30 Nov, 2017 1 commit
-
-
Benedikt Meurer authored
This is in preparation of adding a dedicated StringLength operator that loads the string length. This way operations on strings don't sit in the effect chain anymore until the EffectControlLinearizer, which wires them. The NewConsString semantics could still be better, i.e. it could try to figure out the proper map instead of going for the CONS_STRING_TYPE always. But this change is meant to be just about pushing the logic down to the EffectControlLinearizer, which we didn't have initially when the ConsString handling was done. This also allows us to remove the handling of CONS_STRING_TYPE from the Deoptimizer, since the escape analysis no longer sees cons strings. Bug: v8:5269, v8:6936, v8:7109, v8:7137 Change-Id: If6c4a6d7cf63a3a3f7a34a920c8e50a94dfa67fa Reviewed-on: https://chromium-review.googlesource.com/796413 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#49729}
-
- 29 Nov, 2017 35 commits
-
-
Alexey Kozyatinskiy authored
Some embedder primitives can trigger execution in the current JavaScript instance or in another (e.g. MessageChannel). With this CL, an external async task can be local as well. R=dgozman@chromium.org Bug: chromium:661705 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel Change-Id: I82c68a021c2c25bc67a706c4bfed8c1a2b2388c5 Reviewed-on: https://chromium-review.googlesource.com/792015 Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org> Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Cr-Commit-Position: refs/heads/master@{#49728}
-
Clemens Hammacher authored
The disassembler currently shows calls from JS code objects to wasm code as: REX.W movq r10,0x58466fd5120 ;; js to wasm call This does not show which code kind is being called (wasm function, lazy compile stub, or wasm-to-wasm wrapper). This CL extends the output to: REX.W movq r10,0x58466fd5120 (wasm-to-wasm) ;; js to wasm call R=mtrofin@chromium.org, titzer@chromium.org Bug: v8:6876, v8:7140 Change-Id: Ib350088017f767528ec0acd7d4c1c347758adcf2 Reviewed-on: https://chromium-review.googlesource.com/796270 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49727}
-
Deepti Gandluri authored
Bug=v8:6532 Change-Id: Icad4a697dd82233f939f0e6606fb6f92870622eb Reviewed-on: https://chromium-review.googlesource.com/795040 Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#49726}
-
Georg Neis authored
In the presence of bigints, this optimization is no longer valid. Bug: v8:6791 Change-Id: I996ac78f8ae4aef5494dd0089374d04c6db6e72f Reviewed-on: https://chromium-review.googlesource.com/796070 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#49725}
-
Ross McIlroy authored
Adds histogram timing for main-thread portions of streaming source compilation. Also adds a histogram timer for capturing the amount of time spent for off-thread parse / compile of streaming sources. BUG=v8:5203 Change-Id: Ie9f16052205832a620cfbf266d3d66d3fe9d6c12 Reviewed-on: https://chromium-review.googlesource.com/797038 Reviewed-by: Adam Klein <adamk@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#49724}
-
Andreas Haas authored
The FuzzerSupport was keeping a single instance of itself. With this CL, this instance is now stored in a unique_ptr. Therefore it is not necessary to register an onExit callback to delete the FuzzerSupport instance. Drive-by changes: Some cleanup with the FuzzerSupport. R=clemensh@chromium.org Bug: chromium:787723 Change-Id: I5188c7aa7e778ccd45fc80ed0115c947d23a0dee Reviewed-on: https://chromium-review.googlesource.com/792949 Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#49723}
-
Michael Achenbach authored
This reverts commit 5d4a0903. Reason for revert: Speculative revert due to timeouts on testing with --isolates: https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/21889 https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/18138 Original change's description: > Add support to produce code cache after execute. > > Adds new API function to request code cache. Earlier code cache was > produced along with compile requests. This new API allows us to request > code cache after executing. Also adds support in the code serializer to > serialize after executing the script. > > Bug: chromium:783124 > Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng > Change-Id: Id7b972a2b4c8dcf7a6d9f5ea210890ae968320bd > Reviewed-on: https://chromium-review.googlesource.com/781767 > Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Reviewed-by: Yang Guo <yangguo@chromium.org> > Commit-Queue: Mythri Alle <mythria@chromium.org> > Cr-Commit-Position: refs/heads/master@{#49717} TBR=ulan@chromium.org,rmcilroy@chromium.org,yangguo@chromium.org,mythria@chromium.org Change-Id: Id9e0285e73bbc3ea3908b4b7bbf6599e4f7cd76e No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:783124 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Reviewed-on: https://chromium-review.googlesource.com/796870 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#49722}
-
Michael Starzinger authored
This fixes debug-evaluate in the presence of a de-materialized function object. The creation of an arguments object is now requested based on a given frame (potentially inlined) instead of a target function. It makes sure that multiple calls to {StandardFrame::Summarize} don't cause any confusion when they give back non-identical function objects. R=jgruber@chromium.org TEST=debugger/debug/debug-evaluate-arguments BUG=chromium:788647 Change-Id: I575bb6cb20b4657dc09019e631b5d6e36c1b5189 Reviewed-on: https://chromium-review.googlesource.com/796474 Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#49721}
-
peterwmwong authored
This reduces the overhead of calling the builtin. Quick measurements show >5x improvement. As the typed array's size grows, iterating dominates and the performance gap closes. https://github.com/peterwmwong/v8-perf/blob/master/typedarray-findIndex/README.md Bug: v8:5929 Change-Id: I27d67776c83cbe28f4f9f5ef479a7eeabf594654 Reviewed-on: https://chromium-review.googlesource.com/792394 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#49720}
-
jgruber authored
Ensure that bound-checking CHECKs do not overflow and properly access the JSTypedArray's length value. This addresses remaining comments from https://crrev.com/c/788857/9/src/runtime/runtime-typedarray.cc#233 Bug: v8:3590 Change-Id: Ic06ff2ecd64a23ab9724c25d7b6cb689b9e7932b Reviewed-on: https://chromium-review.googlesource.com/796611 Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#49719}
-
Yang Guo authored
R=jgruber@chromium.org Bug: chromium:789472 Change-Id: I578c0fb13abaeaedcecf862c4e5aa7680b4067e8 Reviewed-on: https://chromium-review.googlesource.com/795972 Commit-Queue: Yang Guo <yangguo@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#49718}
-
Mythri authored
Adds new API function to request code cache. Earlier code cache was produced along with compile requests. This new API allows us to request code cache after executing. Also adds support in the code serializer to serialize after executing the script. Bug: chromium:783124 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: Id7b972a2b4c8dcf7a6d9f5ea210890ae968320bd Reviewed-on: https://chromium-review.googlesource.com/781767 Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#49717}
-
Michael Lippautz authored
R=ulan@chromium.org Bug: Change-Id: Ifba0b1bb649f0ee90fc76f738b7912d300c77447 Reviewed-on: https://chromium-review.googlesource.com/796470 Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#49716}
-
Clemens Hammacher authored
When exporting an imported wasm function, we generate a js-to-wasm wrapper which calls the wasm-to-wasm wrapper (which then tail-calls the WasmCompileLazy stub). This wasm-to-wasm wrapper also needs to be patched. R=titzer@chromium.org Bug: chromium:788441, v8:5991 Change-Id: Ibf27618a0511851cb55714b720fe7299a21c2959 Reviewed-on: https://chromium-review.googlesource.com/795990 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49715}
-
Martyn Capewell authored
The stlxr (store-release exclusive register) instructions in Arm64 have similar restrictions to Arm's strex instructions - the status register must not alias the source or address registers. Enforce this in the assembler and simulator, and modify Turbofan and cctest to conform to this. Also, make a small improvement to the code generated for compare and exchange. This is a port of 44c52f7b. Bug: Change-Id: Ia3a8c39b09c5cb579357a5f61c3d88f13d61b724 Reviewed-on: https://chromium-review.googlesource.com/793037 Reviewed-by: Ben Smith <binji@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Martyn Capewell <martyn.capewell@arm.com> Cr-Commit-Position: refs/heads/master@{#49714}
-
Michael Achenbach authored
This also updates the README with guidelines. Bug: chromium:788104 Change-Id: I0ca0ea78c5990204b0242be9c7fe6368439a5dd1 Reviewed-on: https://chromium-review.googlesource.com/796311 Reviewed-by: Sergiy Byelozyorov <sergiyb@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#49713}
-
Benedikt Meurer authored
This addresses two TODOs in Ignition where the Construct and the ConstructWithSpread bytecodes didn't collect JSBoundFunction new.target feedback. This is fairly trivial to add now with the existing machinery and the TurboFan side of this was already fixed before, so we can leverage the new feedback. Bug: v8:5267, v8:7109 Change-Id: Iae257836716c14f05f5d301326cbe8b2acaeb38b Reviewed-on: https://chromium-review.googlesource.com/793048 Reviewed-by: Mythri Alle <mythria@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49712}
-
Sathya Gunasekaran authored
Bug: v8:5367 Change-Id: If10539597c07a497d0e9c89af9529ae90f92ddf3 Reviewed-on: https://chromium-review.googlesource.com/794470 Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#49711}
-
Michael Starzinger authored
R=jarin@chromium.org Change-Id: I07bde35a44734b49e143a6dafa17dd7c20587412 Reviewed-on: https://chromium-review.googlesource.com/795950 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#49710}
-
Clemens Hammacher authored
Cross-instance calls call through a wasm-to-wasm stub, which tail-calls and hence does not show up on the stack. It was not being patched so far, leading to repeatedly calling through the WasmCompileLazy stub. Even though this did not crash, it resulted in significant overhead. This CL fixes this and also adds checks to ensure that we patch at least one call site whenever we execute the WasmCompileLazy stub. R=titzer@chromium.org Bug: chromium:788441, v8:5991 Change-Id: I1c2cd52497c577252a64dbf1cfa92d2f2e60b06c Reviewed-on: https://chromium-review.googlesource.com/794132 Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#49709}
-
Michael Starzinger authored
R=jarin@chromium.org Change-Id: I2b2d5095e7c5c06c509a0e1b1b1121e78a80735a Reviewed-on: https://chromium-review.googlesource.com/796031 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#49708}
-
Michael Achenbach authored
This reverts commit 0269965b. Reason for revert: Successfully got some stack traces: https://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/5274 Original change's description: > V8: Temporary run wasm_traps on native arm debug > > This will break the bot. This is for getting a stack trace and then > revert. > > TBR=mtrofin@chromium.org > > Bug: v8:7138 > Change-Id: I244492ca81f817d64ef7c12e291a6ed9b97e68de > Reviewed-on: https://chromium-review.googlesource.com/795718 > Reviewed-by: Michael Achenbach <machenbach@chromium.org> > Commit-Queue: Michael Achenbach <machenbach@chromium.org> > Cr-Commit-Position: refs/heads/master@{#49698} TBR=machenbach@chromium.org,mtrofin@chromium.org Change-Id: Id81736508fd7eb2b9220bf41188f7687c4046960 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:7138 Reviewed-on: https://chromium-review.googlesource.com/796290 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#49707}
-
peterwmwong authored
This reduces the overhead of calling the builtin. Quick measurements show >5x improvement. As the typed array's size grows, iterating dominates and the performance gap closes. https://github.com/peterwmwong/v8-perf/blob/master/typedarray-find/README.md Bug: v8:5929 Change-Id: Ia74546bb46d446c6161c8956e350d4b5cdc1b328 Reviewed-on: https://chromium-review.googlesource.com/792454 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#49706}
-
Michael Achenbach authored
This reverts commit d3104923. Reason for revert: Breaks win debug, causes lots of timeouts. https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20debug/builds/20387 Original change's description: > Implement and use VectorSegment to avoid repeated allocation of ZoneVector properties. > > The parser holds a single vector whose backing storage is reused in calls > to ParseJsonObject, so that once we reach the peak number of unstored > properties no more allocations are required. > > This improves performance of parsing inputs like those in Speedometer VanillaJS > by about 2% in my local measurement, and would presumably do better on more > pathological inputs. > > This should also have the side effect of reducing peak memory usage at this time > slightly, since we do fewer zone allocations which cannot be freed until the > parse finishes. > > Bug: chromium:771227 > Change-Id: I8aa1514b37a74f82539f95f94292c8fa1582d66a > Reviewed-on: https://chromium-review.googlesource.com/789511 > Reviewed-by: Camillo Bruni <cbruni@chromium.org> > Reviewed-by: Marja Hölttä <marja@chromium.org> > Commit-Queue: Jeremy Roman <jbroman@chromium.org> > Cr-Commit-Position: refs/heads/master@{#49693} TBR=jbroman@chromium.org,marja@chromium.org,cbruni@chromium.org Change-Id: I5b198aeffed6f1543f6110709dc74b311d4ba144 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: chromium:771227 Reviewed-on: https://chromium-review.googlesource.com/796151 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#49705}
-
Benedikt Meurer authored
In TurboFan we can easily recognize calls to String.prototype.slice where the start parameter is -1 and the end parameter is either undefined or not present. These calls either return an empty string if the input string is empty, or the last character of the input string as a single character string. So we can just make use of the existing StringCharAt operator. This reduces the overhead of the String.prototype.slice calls from optimized code in the chai test of the web-tooling-benchmark significantly. We observe a 2-3% improvement on the test. Bug: v8:6936, v8:7137 Change-Id: Iebe02667446880f5760e3e8c80f8b7cc712df663 Reviewed-on: https://chromium-review.googlesource.com/795726 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#49704}
-
Michael Achenbach authored
This reverts commit 99cb4d35. Reason for revert: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap%20-%20debug/builds/16445 Original change's description: > [cleanup] Harden the SubString CSA/Runtime implementations. > > Remove the self-healing for invalid parameters in the > CodeStubAssembler::SubString helper and the %SubString runtime function, > which is used as a fallback for the CodeStubAssembler implementation. > All call sites must do appropriate parameter validation anyways now that > the self-hosted JavaScript builtins using these helpers are gone, and we > have proper contracts with the uses. > > Also remove the context parameter from the CodeStubAssembler::SubString > method, which is unnecessary, since this can no longer throw an > exception. > > Bug: v8:5269, v8:6936, v8:7109, v8:7137 > Change-Id: I19d93bad5f41faa0561c4561a48f78fcba99a549 > Reviewed-on: https://chromium-review.googlesource.com/795720 > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> > Cr-Commit-Position: refs/heads/master@{#49702} TBR=jgruber@chromium.org,bmeurer@chromium.org Change-Id: I2900b5f087e78f1d321724f03bd063a5ff094183 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:5269, v8:6936, v8:7109, v8:7137 Reviewed-on: https://chromium-review.googlesource.com/796150 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#49703}
-
Benedikt Meurer authored
Remove the self-healing for invalid parameters in the CodeStubAssembler::SubString helper and the %SubString runtime function, which is used as a fallback for the CodeStubAssembler implementation. All call sites must do appropriate parameter validation anyways now that the self-hosted JavaScript builtins using these helpers are gone, and we have proper contracts with the uses. Also remove the context parameter from the CodeStubAssembler::SubString method, which is unnecessary, since this can no longer throw an exception. Bug: v8:5269, v8:6936, v8:7109, v8:7137 Change-Id: I19d93bad5f41faa0561c4561a48f78fcba99a549 Reviewed-on: https://chromium-review.googlesource.com/795720 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49702}
-
Georg Neis authored
This updates various typing and verification rules to take bigints into account. R=jarin@chromium.org Bug: v8:6791 Change-Id: I38fc4c6551bba878623373c69013da8ce2b50c7d Reviewed-on: https://chromium-review.googlesource.com/788910 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#49701}
-
Michael Starzinger authored
R=jkummerow@chromium.org Change-Id: Idc29d9cfe1900554c6ecac5f170e9dea001430ca Reviewed-on: https://chromium-review.googlesource.com/793191 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#49700}
-
Camillo Bruni authored
This is a reland of acfef3ec Original change's description: > [log] Properly log all maps creating during bootstrapping > > Logger::LogMaps will print all maps currently present on the heap. > > Note that currently this does not properly log the detailed transitions > for these maps. > > Change-Id: Ia3218d371549d7634fe3eda9e8e59b0b0bd8bebb > Reviewed-on: https://chromium-review.googlesource.com/753885 > Reviewed-by: Yang Guo <yangguo@chromium.org> > Commit-Queue: Camillo Bruni <cbruni@chromium.org> > Cr-Commit-Position: refs/heads/master@{#49444} Change-Id: I57830f1e22c09981761bb92b9d28c96fbcc1ee80 Reviewed-on: https://chromium-review.googlesource.com/775958 Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#49699}
-
Michael Achenbach authored
This will break the bot. This is for getting a stack trace and then revert. TBR=mtrofin@chromium.org Bug: v8:7138 Change-Id: I244492ca81f817d64ef7c12e291a6ed9b97e68de Reviewed-on: https://chromium-review.googlesource.com/795718 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#49698}
-
Michael Achenbach authored
TBR=mtrofin@chromium.org NOTRY=true Bug: v8:7138 Change-Id: I164cc637953f1a8aaf50d5d0d734a5bb768e1e82 Reviewed-on: https://chromium-review.googlesource.com/795713 Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#49697}
-
Georg Neis authored
Prior to this change, the exponentiation operator was rewritten by the parser to a call of the Math.pow builtin. However, Math.pow does not accept BigInt arguments, while the exponentiation operator must accept them. This CL - removes the parser's special treatment of ** and **=, treating them like any other binary op instead. - adds a TFC builtin Exponentiate that does the right thing for all inputs. - adds interpreter bytecodes Exp and ExpSmi whose handlers call the Exponentiate builtin. For simplicity, they currently always collect kAny feedback. - adds a Turbofan operator JSExponentiate with a typed-lowering to the existing NumberPow and a generic-lowering to the Exponentiate builtin. There is currently no speculative lowering. Note that exponentiation for BigInts is actually not implemented yet, so we can't yet test it. Bug: v8:6791 Change-Id: Id90914c9c3fce310ce01e715c09eaa9f294f4f8a Reviewed-on: https://chromium-review.googlesource.com/785694 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#49696}
-
Benedikt Meurer authored
The two helper functions CanBePrimitive and NeedsConvertReceiver did essentially the same, just in a slightly different way, and both weren't really robust wrt. to the list of JSConstruct* and JSCreate* operators that they were handling. There's now a single helper in the NodeProperties and a couple of extra macro lists to keep this list up to date more easily. Drive-by-fix: Also moved the CanBeNullOrUndefined helper to the NodeProperties class. Bug: v8:5267, v8:7109 Change-Id: Ibbf387040e3f424ee224c53fac15c2b3207b1926 Reviewed-on: https://chromium-review.googlesource.com/793734 Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#49695}
-
v8-autoroll authored
Rolling v8/build: https://chromium.googlesource.com/chromium/src/build/+log/cc674b0..9338ce5 Rolling v8/third_party/catapult: https://chromium.googlesource.com/catapult/+log/884db23..11d7efb TBR=machenbach@chromium.org,hablich@chromium.org,sergiyb@chromium.org Change-Id: Ic02409f5ddd02fcbee6c4bf1beb425915ea344c2 Reviewed-on: https://chromium-review.googlesource.com/795434 Reviewed-by: v8 autoroll <v8-autoroll@chromium.org> Commit-Queue: v8 autoroll <v8-autoroll@chromium.org> Cr-Commit-Position: refs/heads/master@{#49694}
-
- 28 Nov, 2017 4 commits
-
-
Jeremy Roman authored
The parser holds a single vector whose backing storage is reused in calls to ParseJsonObject, so that once we reach the peak number of unstored properties no more allocations are required. This improves performance of parsing inputs like those in Speedometer VanillaJS by about 2% in my local measurement, and would presumably do better on more pathological inputs. This should also have the side effect of reducing peak memory usage at this time slightly, since we do fewer zone allocations which cannot be freed until the parse finishes. Bug: chromium:771227 Change-Id: I8aa1514b37a74f82539f95f94292c8fa1582d66a Reviewed-on: https://chromium-review.googlesource.com/789511 Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Jeremy Roman <jbroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#49693}
-
Mircea Trofin authored
This reverts commit b301203e. Reason for revert: Fixed issues on arm. Original change's description: > Revert "[wasm] JIT using WasmCodeManager" > > This reverts commit d4c8393c. > > Reason for revert: Breaks ARM hardware: > https://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/5268 > > Original change's description: > > [wasm] JIT using WasmCodeManager > > > > This is the first step towards wasm code sharing. This CL moves wasm > > code generation outside the JavaScript GC heap using the previously - > > introduced WasmCodeManager (all this, behind the --wasm-jit-to-native > > flag). > > > > See design document: go/wasm-on-native-heap-stage-1 > > > > This CL doesn't change other wasm architectural invariants. We still > > have per-Isolate wasm code generation, and per-wasm module instance > > code specialization. > > > > Bug:v8:6876 > > > > Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng > > Change-Id: I1e08cecad75f93fb081545c31228a4568be276d3 > > Reviewed-on: https://chromium-review.googlesource.com/674086 > > Reviewed-by: Ben Titzer <titzer@chromium.org> > > Reviewed-by: Eric Holk <eholk@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#49689} > > TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org,eholk@chromium.org > > Change-Id: I89af1ea5decd841bc12cd2ceaf74d32bc4433885 > No-Presubmit: true > No-Tree-Checks: true > No-Try: true > Bug: v8:6876 > Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng > Reviewed-on: https://chromium-review.googlesource.com/794690 > Reviewed-by: Michael Achenbach <machenbach@chromium.org> > Commit-Queue: Michael Achenbach <machenbach@chromium.org> > Cr-Commit-Position: refs/heads/master@{#49691} TBR=bradnelson@chromium.org,machenbach@chromium.org,titzer@chromium.org,mtrofin@chromium.org,eholk@chromium.org Change-Id: I1b07638d1bb2ba0664305b4b2dcfc1342dc8444f No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:6876 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Reviewed-on: https://chromium-review.googlesource.com/794434 Commit-Queue: Mircea Trofin <mtrofin@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#49692}
-
Michael Achenbach authored
This reverts commit d4c8393c. Reason for revert: Breaks ARM hardware: https://build.chromium.org/p/client.v8.ports/builders/V8%20Arm%20-%20debug/builds/5268 Original change's description: > [wasm] JIT using WasmCodeManager > > This is the first step towards wasm code sharing. This CL moves wasm > code generation outside the JavaScript GC heap using the previously - > introduced WasmCodeManager (all this, behind the --wasm-jit-to-native > flag). > > See design document: go/wasm-on-native-heap-stage-1 > > This CL doesn't change other wasm architectural invariants. We still > have per-Isolate wasm code generation, and per-wasm module instance > code specialization. > > Bug:v8:6876 > > Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng > Change-Id: I1e08cecad75f93fb081545c31228a4568be276d3 > Reviewed-on: https://chromium-review.googlesource.com/674086 > Reviewed-by: Ben Titzer <titzer@chromium.org> > Reviewed-by: Eric Holk <eholk@chromium.org> > Cr-Commit-Position: refs/heads/master@{#49689} TBR=bradnelson@chromium.org,titzer@chromium.org,mtrofin@chromium.org,eholk@chromium.org Change-Id: I89af1ea5decd841bc12cd2ceaf74d32bc4433885 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:6876 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Reviewed-on: https://chromium-review.googlesource.com/794690 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#49691}
-
Mike Stanton authored
While investigating loop peeling, I found that relatively simple code like "if (x) { throw new Error('oh hai'); }" in a loop would fail to peel. The reason is that the call (new Error(...)) was recorded by loop analysis as being inside the loop but the only usage was in the throw, which we currently model as being outside of the loop. We have a regime that inserts LoopExit nodes to mark control exits from the loops, and LoopExitValues that are meant to mark exiting values. This wasn't done because of a bug in the bytecode graph builder VisitThrow() method -- it used the *out* liveness to construct the appropriate loop exit nodes, and it's more appropriate to use the *in* liveness. This addressed the concern. It doesn't fix bug 7099, but is a step on the way. Bug: v8:7099 Change-Id: Iaeea794843166063a55c6917e7b0ad4341581261 Reviewed-on: https://chromium-review.googlesource.com/793834 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#49690}
-