Based on assembler changes from this patch:
https://codereview.chromium.org/90643003/

BUG=https://bugs.chromium.org/p/v8/issues/detail?id=4124
R=titzer@chromium.org,bbudge@chromium.org
LOG=N

Review-Url: https://codereview.chromium.org/1994083003
Cr-Commit-Position: refs/heads/master@{#36383}

We cannot tier up from interpreted to baseline code when there is an
activation of the function on the stack. This significantly regresses
the performance of recursive functions since they are unlikely to get
tiered up.

This CL adds the ability for a function to be marked for baseline
compilation when it returns. To do this we patch the
InterpreterEntryTrampoline return address to point to
InterpreterMarkBaselineOnReturn, which leaves the
interpreted frame and recompile the function for
baseline.

This improves the score of EarlyBoyer by ~8x for Ignition.

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/1965343002
Cr-Commit-Position: refs/heads/master@{#36360}

Review-Url: https://codereview.chromium.org/1986113004
Cr-Commit-Position: refs/heads/master@{#36341}

In order to support compiling to baseline on return we need to be able to
return to the actual return address. With this change this is what the
Return bytecode now does, removing the need for the
InterpreterExitTrampoline.

This change also removes the InterpreterNotifyDeoptXXX builtins and
unifies FCG and Igntion to both use NotifyDeoptXXX. As part of this
change, FullCodegenerator::State is moved to Deoptimize::BailoutState.

BUG=v8:4280
LOG=N

Committed: https://crrev.com/34c9626e2ee56fe805de549697ca5323aed7cb66
Cr-Commit-Position: refs/heads/master@{#36288}

Review-Url: https://codereview.chromium.org/1969423002
Cr-Commit-Position: refs/heads/master@{#36310}

Revert of [Interpreter] Remove InterpreterExitTrampoline and replace with returning to the entry trampoline. (patchset #6 id:170001 of https://codereview.chromium.org/1969423002/ )

Reason for revert:
Breaks
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm%20-%20sim/builds/619

Might only affect pure release builds?

Original issue's description:
> [Interpreter] Remove InterpreterExitTrampoline and replace with returning to the entry trampoline.
>
> In order to support compiling to baseline on return we need to be able to
> return to the actual return address. With this change this is what the
> Return bytecode now does, removing the need for the
> InterpreterExitTrampoline.
>
> This change also removes the InterpreterNotifyDeoptXXX builtins and
> unifies FCG and Igntion to both use NotifyDeoptXXX. As part of this
> change, FullCodegenerator::State is moved to Deoptimize::BailoutState.
>
> BUG=v8:4280
> LOG=N
>
> Committed: https://crrev.com/34c9626e2ee56fe805de549697ca5323aed7cb66
> Cr-Commit-Position: refs/heads/master@{#36288}

TBR=mstarzinger@chromium.org,oth@chromium.org,rmcilroy@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4280

Review-Url: https://codereview.chromium.org/1986353002
Cr-Commit-Position: refs/heads/master@{#36294}

In order to support compiling to baseline on return we need to be able to
return to the actual return address. With this change this is what the
Return bytecode now does, removing the need for the
InterpreterExitTrampoline.

This change also removes the InterpreterNotifyDeoptXXX builtins and
unifies FCG and Igntion to both use NotifyDeoptXXX. As part of this
change, FullCodegenerator::State is moved to Deoptimize::BailoutState.

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/1969423002
Cr-Commit-Position: refs/heads/master@{#36288}

This adds back the instanceof operator support in the backends and
introduces a @@hasInstance protector cell on the isolate that guards the
fast path for the InstanceOfStub. This way we recover the ~10%
regression on Octane EarleyBoyer in Crankshaft and greatly improve
TurboFan and Ignition performance of instanceof.

R=ishell@chromium.org
TBR=hpayer@chromium.org,rossberg@chromium.org
BUG=chromium:597249, v8:4447
LOG=n

Review-Url: https://codereview.chromium.org/1980483003
Cr-Commit-Position: refs/heads/master@{#36275}

This makes the profiler reconstruct inlined function frames at eager
deopt points from the deoptimization data. The main goal of this is to
remove the last side-channel where Crankshaft communicates directly to
the profiler. This is the last preparatory step towards deprecating the
side-channel in question.

R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/1973993002
Cr-Commit-Position: refs/heads/master@{#36229}

The previous approach taken by FastNew[Sloppy,Strict,Rest]ArgumentsStub
looked at the function slot in order to skip stub frames
and find the JS frame. However, stub frames do not have a
function slot (in fact their fixed frame ends one slot
before the JS frame's function slot). Therefore, if this
location in the stub frame happens to have the function
object the create arguments stubs won't skip this frame
correctly.

Replace this approach with one where the stub is
specialized to either skip a frame if required (since
there will only ever be one extra frame on Ignition
the loop approach isn't necessary).

BUG=v8:4928
LOG=N
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_dbg

Review-Url: https://codereview.chromium.org/1949023003
Cr-Commit-Position: refs/heads/master@{#36181}

This passes the inlining_id of deoptimization points via the relocation
info instead of via a side-channel to the CPU profiler. This is one step
towards deprecating the side-channel in question and avoid the need for
performing a lookup of the return address of the deopt point.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1956693002
Cr-Commit-Position: refs/heads/master@{#36177}

Rather than pushing zero for the initial bytecode offset, we should push the
offset of the first bytecode handler, Smi tagged. This fixes the line number
for the top stack frame on overflow errors.

BUG=v8:4981
LOG=N

Review-Url: https://codereview.chromium.org/1950913004
Cr-Commit-Position: refs/heads/master@{#36137}

The new allocation folding implementation avoids fragmentation between folded allocation. As a consequence, our heap will always be iterable i.e. we do not have to perform a garbage collection before iterating the heap.

BUG=chromium:580959
LOG=n

Review-Url: https://codereview.chromium.org/1899813003
Cr-Commit-Position: refs/heads/master@{#36133}

This adds a new pass MemoryOptimizer that walks over the effect chain
from Start and lowers all Allocate, LoadField, StoreField, LoadElement,
and StoreElement nodes, trying to fold allocations into allocation
groups and eliminate write barriers on StoreField and StoreElement if
possible (i.e. if the object belongs to the current allocation group and
that group allocates in new space).

R=hpayer@chromium.org, jarin@chromium.org
BUG=v8:4931, chromium:580959
LOG=n

Review-Url: https://codereview.chromium.org/1963583004
Cr-Commit-Position: refs/heads/master@{#36128}

Changes some platform specific class names and uses typedefs
to define FloatRegister, DoubleRegister, etc.

This will be needed to do register allocation on ARM/MIPS where
registers combine to form larger registers.

LOG=N
BUG=v8:4124

Review-Url: https://codereview.chromium.org/1954953002
Cr-Commit-Position: refs/heads/master@{#36117}

Assembler::testw(Register, Immediate) and Assembler::testw(const Operand&, Immediate) were emitting only the first 8 bits of a 16-bit immediate, causing unexpected crashes.

This went unnoticed because before http://crrev.com/1948453002 no compiler was using them.

Review-Url: https://codereview.chromium.org/1962563003
Cr-Commit-Position: refs/heads/master@{#36110}

Add new relocation type WASM_MEMORY_SIZE_REFERENCE, use relocatable pointers to update wasm memory size references in generated code.
 - Add new RelocInfo mode WASM_MEMORY_SIZE_REFERENCE in the assembler and add relocation information to immediates in compare instructions.
 - Use relocatable constants for MemSize/BoundsCheck in the wasm compiler

R=titzer@chromium.org, yangguo@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/1921203002
Cr-Commit-Position: refs/heads/master@{#36044}

BUG=chromium:608675
LOG=N

Review-Url: https://codereview.chromium.org/1948433002
Cr-Commit-Position: refs/heads/master@{#36000}

BUG=v8:4614
R=bmeurer@chromium.org,jarin@chromium.org
LOG=n

Review-Url: https://codereview.chromium.org/1938213002
Cr-Commit-Position: refs/heads/master@{#35993}

Code common with ObjectHasOwnProperty builtin was moved to CodeStubAssembler.

BUG=v8:2743
LOG=Y

Review-Url: https://codereview.chromium.org/1894953004
Cr-Commit-Position: refs/heads/master@{#35972}

Review-Url: https://codereview.chromium.org/1903723003
Cr-Commit-Position: refs/heads/master@{#35963}

Further refactor the pipeline to even run the first scheduler (part of
the effect control linearization) concurrently. This temporarily
disables most of the write barrier elimination, but we will get back to
that later.

Drive-by-fix: Remove the dead code from ChangeLowering, and stack
allocate the Typer in the pipeline. Also migrate the AllocateStub to a
native code builtin, so that we have the code object + a handle to it
available all the time.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux64_tsan_rel
R=mstarzinger@chromium.org
BUG=v8:4969
LOG=n

Review-Url: https://codereview.chromium.org/1926023002
Cr-Commit-Position: refs/heads/master@{#35918}

Revert of [turbofan] Run everything after representation selection concurrently. (patchset #2 id:20001 of https://codereview.chromium.org/1926023002/ )

Reason for revert:
[Sheriff] Flaky crashed here and there:
https://build.chromium.org/p/client.v8/builders/V8%20Linux/builds/9867
https://build.chromium.org/p/client.v8/builders/V8%20Linux64/builds/9589
https://build.chromium.org/p/client.v8/builders/V8%20Mac/builds/7679

Original issue's description:
> [turbofan] Run everything after representation selection concurrently.
>
> Further refactor the pipeline to even run the first scheduler (part of
> the effect control linearization) concurrently. This temporarily
> disables most of the write barrier elimination, but we will get back to
> that later.

TBR=mstarzinger@chromium.org,bmeurer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review-Url: https://codereview.chromium.org/1925073002
Cr-Commit-Position: refs/heads/master@{#35863}

Further refactor the pipeline to even run the first scheduler (part of
the effect control linearization) concurrently. This temporarily
disables most of the write barrier elimination, but we will get back to
that later.

Review-Url: https://codereview.chromium.org/1926023002
Cr-Commit-Position: refs/heads/master@{#35861}

This is needed by Blink to implement the Custom Elements spec.

BUG=v8:4261
LOG=y

Review-Url: https://codereview.chromium.org/1910253005
Cr-Commit-Position: refs/heads/master@{#35833}

Default (and only way) is now to retrieve a tagged object.

BUG=chromium:606711
LOG=N

Review URL: https://codereview.chromium.org/1922553002

Cr-Commit-Position: refs/heads/master@{#35792}

This adds a baseline tier to the compilation pipeline. Currently this
tier is used to model a path from the interpreter to optimized code via
full-codegen code (to ensure sufficient type feedback). Switching from
the unoptimized tier to the baseline tier is limited to happen only when
there are no activations of the given function on the stack.

R=rmcilroy@chromium.org,bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1903273004

Cr-Commit-Position: refs/heads/master@{#35757}

Use the FastNewSloppyArgumentsStub in the interpreter when function doesn't have
duplicate parameters.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1909903003

Cr-Commit-Position: refs/heads/master@{#35754}

This ensures the InterpreterEntryTrampoline heals code entry fields
inside closures when being called without a valid bytecode array. This
is preparatory work to allow removal of bytecode when switching some
functions to other types of code.

R=rmcilroy@chromium.org
BUG=v8:4280
LOG=n

Review URL: https://codereview.chromium.org/1904093002

Cr-Commit-Position: refs/heads/master@{#35724}

Adds IncStub and DecStub TurboFan code stubs and hooks them up to the
interpreter's Inc and Dec bytecodes (which are used for count
operations, e.g. i++).

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1901083002

Cr-Commit-Position: refs/heads/master@{#35720}

Short external strings do not cache the resource data, and may be used
for compressible strings. The assumptions about their lengths is
invalid and may lead to oob reads.

R=jkummerow@chromium.org
BUG=v8:4923,chromium:604897
LOG=N

Review URL: https://codereview.chromium.org/1901573003

Cr-Commit-Position: refs/heads/master@{#35660}

BUG=

Review URL: https://codereview.chromium.org/1899183002

Cr-Commit-Position: refs/heads/master@{#35656}

Reland of Change calling convention of CallApiGetterStub to accept the AccessorInfo (patchset #1 id:1 of https://codereview.chromium.org/1906453002/ )

Reason for revert:
Needs other reverts too.

Original issue's description:
> Revert of Change calling convention of CallApiGetterStub to accept the AccessorInfo (patchset #8 id:140001 of https://codereview.chromium.org/1892533004/ )
>
> Reason for revert:
> Blocks roll: https://codereview.chromium.org/1896103002/
>
> Can also be seen on internal waterfall: https://chromegw.corp.google.com/i/internal.client.v8/builders/v8_cros_perf_1/builds/7558
>
> Original issue's description:
> > Change calling convention of CallApiGetterStub to accept the AccessorInfo
> >
> > MIPS port contributed by Balazs Kilvady <balazs.kilvady@imgtec.com>
> >
> > Committed: https://crrev.com/d2b0a4b727f77f97960c7fa71da3431591dc959f
> > Cr-Commit-Position: refs/heads/master@{#35606}
>
> TBR=rodolph.perfetta@arm.com,jkummerow@chromium.org,jacob.bramley@arm.com,verwaest@chromium.org
> # Skipping CQ checks because original CL landed less than 1 days ago.
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true

TBR=rodolph.perfetta@arm.com,jkummerow@chromium.org,jacob.bramley@arm.com,verwaest@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1903093003

Cr-Commit-Position: refs/heads/master@{#35645}

Revert of Change calling convention of CallApiGetterStub to accept the AccessorInfo (patchset #8 id:140001 of https://codereview.chromium.org/1892533004/ )

Reason for revert:
Blocks roll: https://codereview.chromium.org/1896103002/

Can also be seen on internal waterfall: https://chromegw.corp.google.com/i/internal.client.v8/builders/v8_cros_perf_1/builds/7558

Original issue's description:
> Change calling convention of CallApiGetterStub to accept the AccessorInfo
>
> MIPS port contributed by Balazs Kilvady <balazs.kilvady@imgtec.com>
>
> Committed: https://crrev.com/d2b0a4b727f77f97960c7fa71da3431591dc959f
> Cr-Commit-Position: refs/heads/master@{#35606}

TBR=rodolph.perfetta@arm.com,jkummerow@chromium.org,jacob.bramley@arm.com,verwaest@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1906453002

Cr-Commit-Position: refs/heads/master@{#35644}

Removes the register file machine register from the interpreter and
replaces it will loads from the parent frame pointer. As part of this
change the raw operand values for register values changes to enable the
interpreter to keep using the operand value as the offset from the
parent frame pointer.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1894063002

Cr-Commit-Position: refs/heads/master@{#35618}

MIPS port contributed by Balazs Kilvady <balazs.kilvady@imgtec.com>

Review URL: https://codereview.chromium.org/1892533004

Cr-Commit-Position: refs/heads/master@{#35606}

This makes IterateBodyFast work without requiring visitors to inherit from ObjectVisitor.

R=ishell@chromium.org

Review URL: https://codereview.chromium.org/1900843002

Cr-Commit-Position: refs/heads/master@{#35604}

Reland of (https://codereview.chromium.org/1891033002)

This is a much cleaner solution, which won't require nearly as much
architecture-specific code. Thanks bmeurer@!

BUG=v8:4614
LOG=y
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1902433003

Cr-Commit-Position: refs/heads/master@{#35596}

Behind --ignition-generators. Does not yet support Turbofan.

TBR=bmeurer@chromium.org
BUG=v8:4907
LOG=n

Review URL: https://codereview.chromium.org/1884183002

Cr-Commit-Position: refs/heads/master@{#35584}

Adds code to call FunctionEntryHook on entry to the InterpreterEntryTrampoline.
This should give SyzyProf enough information to build non-discontinous profile
graphs, however since interpreter functions aren't uniquely identified they will
all get lumped into one bucket. This should be good enough for SyzyProf's current
use-case.

BUG=v8:4763
LOG=N

Review URL: https://codereview.chromium.org/1884133002

Cr-Commit-Position: refs/heads/master@{#35568}

Revert of [Atomics] Remove Atomics code stubs; use TF ops (patchset #6 id:100001 of https://codereview.chromium.org/1891033002/ )

Reason for revert:
[Sheriff] Breaks
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20ASAN%20mipsel%20-%20debug%20builder/builds/6121

Original issue's description:
> [Atomics] Remove Atomics code stubs; use TF ops
>
> This is a much cleaner solution, which won't require nearly as much
> architecture-specific code. Thanks bmeurer@!
>
> BUG=v8:4614
> LOG=y
> R=bmeurer@chromium.org,jarin@chromium.org
>
> Committed: https://crrev.com/6ff5881b1def45b35384572f61327e42563a89c3
> Cr-Commit-Position: refs/heads/master@{#35547}

TBR=bmeurer@chromium.org,jarin@chromium.org,rodolph.perfetta@gmail.com,binji@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4614

Review URL: https://codereview.chromium.org/1895643002

Cr-Commit-Position: refs/heads/master@{#35548}