This patch replaces the unused 'take_snapshot' parameter on FatalProcessOutOfMemory()
with a 'is_heap_oom' parameter. The parameter is set to true on error paths where the
JS heap is out of memory, as distinct from a malloc() failure i.e. process out of memory.
The message output to stderr or passed to embedding applications via FatalErrorCallback
is 'Javascript heap out of memory' rather than 'process out of memory'.

BUG=

R=jochen@chromium.org, verwaest@chromium.org, michael_dawson@ca.ibm.com

Review URL: https://codereview.chromium.org/1873443002

Cr-Commit-Position: refs/heads/master@{#35431}

When the embedder sets the heap tracer, V8, during marking, will collect all reachable wrappers, and then ask embedder to trace its heap. The embedder is expected to call PersistentBase::RegisterExternalReference with all wrappers reachable from the given ones. This fixed point iteration happens in MarkCompact::ProcessEphemeralMarking.

For more efficient object visiting during marking, we need a special JS_API_OBJECT_TYPE (in tandem with already existing JS_SPECIAL_API_OBJECT_TYPE) and corresponding visitor (JSApiObjectVisitor).

BUG=chromium:468240
LOG=no

Review URL: https://codereview.chromium.org/1844413002

Cr-Commit-Position: refs/heads/master@{#35412}

This is a convenience API that an embedder can use to do final checks on
the return value. Note that this creates a new handle and thus defeats
the performance optimization done for ReturnValue - an embedder should
only use this in non-performance critical code paths.

BUG=
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1875263003

Cr-Commit-Position: refs/heads/master@{#35409}

BUG=

Committed: https://crrev.com/8764f87a3399ba433a4ce6f32161181c713af95c
Cr-Commit-Position: refs/heads/master@{#35376}

Review URL: https://codereview.chromium.org/1864703003

Cr-Commit-Position: refs/heads/master@{#35386}

Revert of Turn StoreIC::Megamorphic into a builtin, get rid of the non-monomorphic-cache (patchset #5 id:80001 of https://codereview.chromium.org/1864703003/ )

Reason for revert:
[Sheriff] Check during mksnapshot:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20ASAN%20mipsel%20-%20debug%20builder/builds/5950/steps/compile/logs/stdio

Original issue's description:
> Turn StoreIC::Megamorphic into a builtin, get rid of the non-monomorphic-cache
>
> BUG=
>
> Committed: https://crrev.com/8764f87a3399ba433a4ce6f32161181c713af95c
> Cr-Commit-Position: refs/heads/master@{#35376}

TBR=mvstanton@chromium.org,hpayer@chromium.org,verwaest@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1875033003

Cr-Commit-Position: refs/heads/master@{#35379}

BUG=

Review URL: https://codereview.chromium.org/1864703003

Cr-Commit-Position: refs/heads/master@{#35376}

BUG=chromium:600258
LOG=n

Review URL: https://codereview.chromium.org/1864433003

Cr-Commit-Position: refs/heads/master@{#35296}

- MemoryAllocator is now part of Heap
- CodeRange is now part of MemoryAllocator

BUG=chromium:581076
LOG=N

Review URL: https://codereview.chromium.org/1862653002

Cr-Commit-Position: refs/heads/master@{#35294}

The previous code cache system required stubs to be marked with a StubType, causing them to be inserted either into a fixed array or into a dictionary-mode code cache. This could cause names to be in both cases, and lookup would just find the "fast" one first. Given that we clear out the caches on each GC, the memory overhead shouldn't be too bad. Additionally, the dictionary itself should just stay linear for small arrays; that's faster anyway.

This CL additionally deletes some dead IC code.

BUG=

Review URL: https://codereview.chromium.org/1846963002

Cr-Commit-Position: refs/heads/master@{#35291}

R=ulan@chromium.org
BUG=v8:4886
LOG=N

Review URL: https://codereview.chromium.org/1859063003

Cr-Commit-Position: refs/heads/master@{#35266}

This change removes the large contiguous backing store from the young generation
and replaces it regular pages.

We keep a pool of pages that are committed/uncommitted to avoid creating virtual
memory maps during growing and shrinking.

BUG=chromium:581412
LOG=N

Review URL: https://codereview.chromium.org/1853783002

Cr-Commit-Position: refs/heads/master@{#35261}

Revert of [heap] Add optimized RecordWrites (patchset #3 id:40001 of https://codereview.chromium.org/1834373003/ )

Reason for revert:
[Sheriff] Likely causing blink crashes:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064%20%28dbg%29/builds/3667

Original issue's description:
> [heap] Add optimized RecordWrites
> BUG=
>
> Committed: https://crrev.com/5210f167e802a3758aac1f2900a6560c8de07831
> Cr-Commit-Position: refs/heads/master@{#35231}

TBR=ulan@chromium.org,hpayer@chromium.org,mlippautz@chromium.org,cbruni@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1860443003

Cr-Commit-Position: refs/heads/master@{#35235}

BUG=

Review URL: https://codereview.chromium.org/1834373003

Cr-Commit-Position: refs/heads/master@{#35231}

BUG=468240
LOG=no

Review URL: https://codereview.chromium.org/1815153002

Cr-Commit-Position: refs/heads/master@{#35162}

Change x64 to use the external references like all other platforms.

BUG=chromium:581076
LOG=N

Review URL: https://codereview.chromium.org/1844283002

Cr-Commit-Position: refs/heads/master@{#35160}

Replace the uses with proper page flag lookups.

BUG=chromium:581412
LOG=N
TEST=mjsunit/allocation-site-info

Review URL: https://codereview.chromium.org/1845463003

Cr-Commit-Position: refs/heads/master@{#35153}

R=bmeurer@chromium.org, cbruni@chromium.org, ulan@chromium.org
BUG=chromium:124206,chromium:569811
LOG=N

Review URL: https://codereview.chromium.org/1834633003

Cr-Commit-Position: refs/heads/master@{#35145}

Based on CL 1777883002.

BUG=chromium:590975
LOG=NO

Review URL: https://codereview.chromium.org/1813963002

Cr-Commit-Position: refs/heads/master@{#35053}

* Not jump around all memory to gather whether we need to profile
* Cache this information and dispatch to a templatized function

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1820263002

Cr-Commit-Position: refs/heads/master@{#34988}

Immortal immovable roots must be allocated on the first page of the space.
If serializing the root list exceeds the first page, immortal immovable root
objects might end up outside of the first page. That could cause missing
write barriers.

We now iterate the root list twice. The first time we only serialize immortal
immovable root objects. The second time we serialize the rest.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1811913002

Cr-Commit-Position: refs/heads/master@{#34859}

This introduces {optimized_out} as another Oddball kind to be used by
optimizing compilers when values are being optimized away. The aim is
providing visibility when this value leaks into the application domain.
Currently this will lead to {undefined} values appearing which then
silently propagate through the application. The special oddball can be
identified easily as a bug and also the debugger can treat it specially
when needed.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1810483002

Cr-Commit-Position: refs/heads/master@{#34817}

When black allocation is active, all objects allocated in old space are allocated black. Important: With that change, you cannot assume anymore that new objects are white right after their allocation. Currently, black allocation is enabled when incremental marking is started.

This feature can be turned off via flag: --noblack-allocation

BUG=chromium:561449
LOG=n

Review URL: https://codereview.chromium.org/1420423009

Cr-Commit-Position: refs/heads/master@{#34743}

BUG=chromium:561449
LOG=n

Review URL: https://codereview.chromium.org/1783313003

Cr-Commit-Position: refs/heads/master@{#34722}

Since we record slots for weak list fields, there is no need to iterate over
them after evacuation. We just need to update the roots for which we didn't
record slots.

This speeds up the evacuate_update_pointers_weak phase by ~2.5x.

BUG=

Review URL: https://codereview.chromium.org/1772803002

Cr-Commit-Position: refs/heads/master@{#34555}

Rename the existing (patching) ToBooleanStub to ToBooleanICStub to match
our naming convention, and add a new TurboFan-powered ToBooleanStub,
which just does the ToBoolean conversion without any runtime call or
code patching, so we can use it for Ignition (and TurboFan).

Drive-by-fix: Add an Oddball::to_boolean field similar to the ones we
already have for to_string and to_number, so we don't need to actually
dispatch on the concrete Oddball at all.

R=epertoso@chromium.org, rmcilroy@chromium.org, yangguo@chromium.org

Review URL: https://codereview.chromium.org/1744163002

Cr-Commit-Position: refs/heads/master@{#34361}

BUG=chromium:589413
LOG=NO

Review URL: https://codereview.chromium.org/1733333002

Cr-Commit-Position: refs/heads/master@{#34295}

This patch makes ArraySpeciesCreate fast in V8 by avoiding two property reads
when the following conditions are met:
- No Array instance has had its __proto__ reset
- No Array instance has had a constructor property defined
- Array.prototype has not had its constructor changed
- Array[Symbol.species] has not been reset

For subclasses of Array, or for conditions where one of these assumptions is
violated, the full lookup of species is done according to the ArraySpeciesCreate
algorithm. Although this is a "performance cliff", it does not come up in the
expected typical use case of @@species (Array subclassing), so it is hoped that
this can form a good start. Array subclasses will incur the slowness of looking
up @@species, but their use won't slow down invocations of, for example,
Array.prototype.slice on Array base class instances.

Possible future optimizations:
- For the fallback case where the assumptions don't hold, optimize the two
  property lookups.
- For Array.prototype.slice and Array.prototype.splice, even if the full lookup
  of @@species needs to take place, we still could take the rest of the C++
  fastpath. However, to do this correctly requires changing the calling convention
  from C++ to JS to pass the @@species out, so it is not attempted in this patch.

With this patch, microbenchmarks of Array.prototype.slice do not suffer a
noticeable performance regression, unlike their previous 2.5x penalty.

TBR=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1689733002

Cr-Commit-Position: refs/heads/master@{#34199}

R=mstarzinger@chromium.org, rmcilroy@chromium.org
BUG=v8:4690
LOG=N

Review URL: https://codereview.chromium.org/1703453002

Cr-Commit-Position: refs/heads/master@{#34190}

BUG=chromium:587574
LOG=NO

Review URL: https://codereview.chromium.org/1705183003

Cr-Commit-Position: refs/heads/master@{#34188}

BUG=

Review URL: https://codereview.chromium.org/1704353002

Cr-Commit-Position: refs/heads/master@{#34118}

If sweeping is in progress then we need to filter out slots in free space after
array trimming, because the sweeper will add the free space into free list.

This CL also fixes a bug in SlotSet::RemoveRange.

BUG=chromium:587004
LOG=NO
TBR=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1701963003

Cr-Commit-Position: refs/heads/master@{#34071}

BUG=

Review URL: https://codereview.chromium.org/1705713002

Cr-Commit-Position: refs/heads/master@{#34070}

This new class provides a unified interface for recording and iterating slots in store and slots buffers:

RememberedSet<OLD_TO_NEW>::Insert(page, slot);
RememberedSet<OLD_TO_OLD>::Insert(page, slot);

RememberedSet<OLD_TO_NEW>::Iterate(heap, callback);
RememberedSet<OLD_TO_OLD>::Iterate(heap, callback);

After this change the store buffer is responsible only for collecting slots from the generated code.

Subsequent CLs will remove the slots buffer.

BUG=chromium:578883
LOG=NO

Review URL: https://codereview.chromium.org/1683653002

Cr-Commit-Position: refs/heads/master@{#34031}

EnsureJSArrayWithWritableFastElements

Having several handles pointing to the backing store of an array that gets
left-trimmed might cause the gc to start marking a stale-handle still pointing
to the old backing-store start. By introducing a separate handle scope for
EnsureJSArrayWithWritableFastElements we avoid this issue. Additionally a
SLOW_DCHECK in Heap::LeftTrimFixedArray ensurse that there are no more than one
active handle pointing to the backing store.

BUG=chr:585787
LOG=n

Review URL: https://codereview.chromium.org/1699733003

Cr-Commit-Position: refs/heads/master@{#34022}

This change expands allocation sampling to include old, map, code, and large object spaces. This involved refactoring much of the observation logic out of NewSpace into Space and overriding as needed in sub-classes.

Additionally, the sampling heap profiler now maintains a pair of heap observers. One observer is used for observing new space and resetting the inline allocation limit to be periodically notified of allocations. The other observes allocation across the other spaces where there is no additional work required to observe allocations.

Tests have been updated to ensure that allocations are observed correctly for Paged and LargeObject spaces.

R=ofrobots@google.com, hpayer@chromium.org, ulan@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1625753002

Cr-Commit-Position: refs/heads/master@{#33959}

The FastNewStrictArgumentsStub is very similar to the recently added
FastNewRestParameterStub, it's actually almost a copy of it, except that
it doesn't have the fast case we have for the empty rest parameter. This
patch improves strict arguments in TurboFan and fullcodegen by up to 10x
compared to the previous version.

Also introduce proper JSSloppyArgumentsObject and JSStrictArgumentsObject
for the in-object properties instead of having them as constants in the
Heap class.

Drive-by-fix: Use this stub and the FastNewRestParameterStub in the
interpreter to avoid the runtime call overhead for strict arguments
and rest parameter creation.

R=jarin@chromium.org
TBR=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1693513002

Cr-Commit-Position: refs/heads/master@{#33925}

[runtime/heap] Introduce CopyFixedArrayUpTo to match CopyFixedArrayAndGrow, copying to a smaller array.

This allows the helper to avoid write barriers while copying, speeding up Object.keys by 5-10%.

BUG=

Review URL: https://codereview.chromium.org/1690953002

Cr-Commit-Position: refs/heads/master@{#33916}

Preparing the young generation for (real) non-contiguous backing memory, this
change removes object masks that are used to compute containment in semi and new
space. The masks are replaced by lookups for object tags and page headers, where
possible.

Details:
- Use the fast checks (page header lookups) for containment in regular code.
- Use the slow version that masks out the page start adress and iterates all
  pages of a space for debugging/verification.
- The slow version works for off-heap/unmapped memory.
- Encapsulate all checks for the old->new barrier in Heap::RecordWrite().

BUG=chromium:581412
LOG=N

Review URL: https://codereview.chromium.org/1632913003

Cr-Commit-Position: refs/heads/master@{#33857}

BUG=chromium:578883
LOG=NO

Review URL: https://codereview.chromium.org/1675163003

Cr-Commit-Position: refs/heads/master@{#33841}

This replaces the global remembered set with per-page remembered sets.

Each page in the old space, map space, and large object space keeps track of
the set of slots in the page pointing to the new space.

The data structure for storing slot sets is a two-level bitmap, which allows
us to remove the store buffer overflow and SCAN_ON_SCAVENGE logic.

Design doc: https://goo.gl/sMKCf7

BUG=chromium:578883
LOG=NO

Review URL: https://codereview.chromium.org/1608583002

Cr-Commit-Position: refs/heads/master@{#33806}