Type feedback introduced DeoptimizeIf node in representation inference
(for Int32AddWithOverflow); we found the frame state for the deopt by
walking the effect chain. Unfortunately, the effect chain can hit
effect merges introduced by simplified lowering (e.g., in LoadBuffer)
and thus fail the assertion (we refuse to go through effect phis).

This CL postpones assignment of the frame state to the effect-control
lninearizer, so that we can correctly propagate the frame state to
the deopt point. The DeoptimizeIf node with unassigned frame state is
called CheckIf.

BUG=

Review-Url: https://codereview.chromium.org/2050813003
Cr-Commit-Position: refs/heads/master@{#36839}

This makes sure {NodeProperties::FindFrameStateBefore} can deal with
effect chains that are marked as dead. This can happen when reducers
looking for frame states run together with other reducers killing some
execution paths within the same reduction phase.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-617567
BUG=chromium:617567,chromium:617224

Review-Url: https://codereview.chromium.org/2041833002
Cr-Commit-Position: refs/heads/master@{#36743}

This removes the frame state input representing the before-state from
nodes having the {JSCallFunction} or {JSCallConstruct} operator. These
frame states can by now be found via checkpoints in the graph.

R=bmeurer@chromium.org
BUG=v8:5021

Review-Url: https://codereview.chromium.org/2025573003
Cr-Commit-Position: refs/heads/master@{#36669}

Review URL: https://codereview.chromium.org/1921483002

Cr-Commit-Position: refs/heads/master@{#35747}

When we specialize to the native context, we can replace loads of the
NATIVE_CONTEXT_INDEX in any known context with the appropriate native
context for that context. This allows us to constant-fold and further
optimize things like %reflect_construct, which are inserted by the
parser.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1697513003

Cr-Commit-Position: refs/heads/master@{#33965}

The idea here is to perform the handler lookup in the deoptimizer, and then take the information from the handler table to build the catch handler frame in the deoptimizer. Specifically, we use the pc offset, context location and stack height (in full-code) to tweak the output frame.

Sadly, this still requires nasty voodoo for the liveness analyzer so that it keeps variables alive if they are used in the catch handler.

Review URL: https://codereview.chromium.org/1416543006

Cr-Commit-Position: refs/heads/master@{#33936}

This CL removes the Config templatization from the types. It is not
necessary anymore, after the HeapTypes have been removed.

The CL also changes the type hierarchy - the specific type kinds are
not inner classes of the Type class and they do not inherit from Type.
This is partly because it seems impossible to make this work without
templates. Instead, a new TypeBase class is introduced and all the
structural (i.e., non-bitset) types inherit from it.

The bitset type still requires the bit-munging hack and some nasty
reinterpret-casts to pretend bitsets are of type Type*. Additionally,
there is now the same hack for TypeBase - all pointers to the sub-types
of TypeBase are reinterpret-casted to Type*. This is to keep the type
constructors in inline method definitions (although it is unclear how
much that actually buys us).

In future, we would like to move to a model where we encapsulate Type*
into a class (or possibly use Type where we used to use Type*). This
would loosen the coupling between bitset size and pointer size, and
eventually we would be able to have more bits.

TBR=bradnelson@chromium.org

Review URL: https://codereview.chromium.org/1655833002

Cr-Commit-Position: refs/heads/master@{#33656}

Introduce a JSCreateArray operator that represents the Array
constructor, and lower call and construct calls to the Array
constructor to JSCreateArray. Currently we don't yet replace
that with an inline allocation, but always use the specialized
stubs for the Array constructor.

This saves a lot of unnecessary deopts and elements transitions
because now we can actually consume the allocation site feedback
for the transitions.

R=mstarzinger@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1466643002

Cr-Commit-Position: refs/heads/master@{#32145}

Retrieve the native context/global object from the Node being
specialized in the JSNativeContextSpecialization and the
JSGlobalObjectSpecialization classes. For this we introduce two
new methods NodeProperties::GetSpecializationNativeContext and
NodeProperties::GetSpecializationGlobalObject, which walk up
the context chain and might in the end take the native context
from the outermost activation (if native context specialization
is enabled). This allows us to run the native context specialization
pass as part of the inlining phase without hacking some of that into
the JSInliner.

Also refactor the NodeProperties::GetSpecializationContext method
that was previously local to the JSContextSpecialization.

Also refactor two other oddities in JSNativeContextSpecialization.

R=jarin@chromium.org
BUG=v8:4470, v8:4493
LOG=n

Review URL: https://codereview.chromium.org/1451143005

Cr-Commit-Position: refs/heads/master@{#32076}

This is the first part to refactoring the JSNativeContextSpecialization
class, which has grown way too big recently.

Also don't collect cross context feedback for the CallIC in general.
Neither TurboFan nor Crankshaft can make any use of cross context
JSFunction feedback that is collected by the CallIC, so there's no
point in gathering that feedback at all (it just complicates the
checking that is necessary in the compilers). What we should do
instead at some point (when Crankshaft becomes less important) is
to collect the SharedFunctionInfo as feedback for those cases.

R=yangguo@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1451273002

Cr-Commit-Position: refs/heads/master@{#32022}

Adds new Guard[Type] common operator, which takes value and control
inputs and records a guaranty that a certain value has a certain type
in that control path.  This is some kind of ad-hoc SSI similar to what
we have to do in Crankshaft in some places.

Also introduces an ObjectIsNumber simplified operator, which checks
whether a certain value is a number (either a Smi or a HeapNumber).

This doesn't yet support transitioning stores to double fields, which
require support for allocating mutable heap numbers.

R=jarin@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1420283009

Cr-Commit-Position: refs/heads/master@{#31675}

In order to properly (lazy) bailout when converting the receiver for
sloppy mode functions (using the newly added JSConvertReceiver
operator), we need to have a bailout location right before every call
(also right before every %_Call and %_CallFunction), otherwise if the
JSConvertReceiver just reuses the lazy bailout frame state from the
JSCallFunction node, it will skip the whole function in case of lazy
bailout.

Note it should be impossible to trigger this currently because we do not
yet support AllocationSite code dependencies in TurboFan, which can
trigger this kind of lazy bailout; therefore it's not possible to write
a regression test (yet).

R=yangguo@chromium.org
BUG=v8:4493
LOG=n

Review URL: https://codereview.chromium.org/1425883004

Cr-Commit-Position: refs/heads/master@{#31668}

Currently we (mostly) infer FunctionType for JSFunction constants, and
match the FunctionType in the typing rule for JSCallFunction. This has
several drawbacks for JavaScript, especially we don't have Constant
types for global functions (i.e. String, Object, Reflect and friends).
Plus the FunctionType magic doesn't actually buy us anything. So this
changes the typing rule for HeapConstant constant to actually infer
Constant types for JSFunction objects and moves the recognition of
builtin functions to the typing rule for JSCallFunction.

Also adapts the specialized lowering in JSTypedLowering to Constant
functions instead of FunctionType, which has the additional advantage
that we can do the receiver wrapping/converting based on the (known)
SharedFunctionInfo.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1420093005

Cr-Commit-Position: refs/heads/master@{#31553}

Review URL: https://codereview.chromium.org/1367423002

Cr-Commit-Position: refs/heads/master@{#30962}

Verifies consistency of node inputs and uses:
- node inputs should agree with the input count computed from the node's operator.
- effect inputs should have effect outputs (or be a sentinel).
- control inputs should have control outputs (or be a sentinel).
- frame state inputs should be frame states (or be a sentinel).
- if the node has control uses, it should produce control.
- if the node has effect uses, it should produce effect.
- if the node has frame state uses, it must be a frame state.

I also removed some tests, either because they did not seem to be useful (scheduler) or they tested dead functionality (diamond effect phi).

Review URL: https://codereview.chromium.org/1368913002

Cr-Commit-Position: refs/heads/master@{#30927}

This introduces the NodeProperties::ChangeOp helper which guards node
operator changes so that additional checking can be done without any
additional dependencies being pulled into the Node class. For now only
the input count is checked, but additional checking might follow.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1366753003

Cr-Commit-Position: refs/heads/master@{#30916}

This fixes the graph wiring of implicit JSToNumber nodes inserted by
JSTypedLowering, to be correctly hooked into a surrounding exceptional
continuation.

R=bmeurer@chromium.org
TEST=mjsunit/compiler/try-binop,test262

Review URL: https://codereview.chromium.org/1178153004

Cr-Commit-Position: refs/heads/master@{#28975}

This is needed in order to allow expansion of a throwing node into a
set of nodes that produce different effects for the successful and the
exceptional continuation.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1179543002

Cr-Commit-Position: refs/heads/master@{#28918}

This deprecates the aforementioned mutator in favor of a simpler
NodeProperties::ReplaceUses that doesn't perform any relaxation.
Preparation for enabling support for try-catch statements.

R=bmeurer@chromium.org
TEST=unittests/NodePropertiesTest

Review URL: https://codereview.chromium.org/1172773003

Cr-Commit-Position: refs/heads/master@{#28897}

This simplifies the handling of the End node. Based on this CL we will
finally fix terminating every loop from the beginning (via Terminate
nodes) and fix inlining of Throw, Deoptimize and Terminate.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1157023002

Cr-Commit-Position: refs/heads/master@{#28620}

This CL contains the first steps towards tail call optimization:

  * Structurally detect tail calls during instruction selection,
    looking for special return/call combinations.

  * Added new architecture-specific instructions for tail calls which
    jump instead of call and take care of frame adjustment.

  * Moved some code around.

Currently we restrict tail calls to callees which only use registers
for arguments/return value and to call sites which are explicitly
marked as being OK for tail calls. This excludes, among other things,
call sites in sloppy JS functions and our IC machinery (both need in
general to be able to access the caller's frame).

All this is behind a flag --turbo-tail-calls, which is currently off
by default, so it can easily be toggled.

Review URL: https://codereview.chromium.org/1108563002

Cr-Commit-Position: refs/heads/master@{#28150}

BUG=

Review URL: https://codereview.chromium.org/1021713005

Cr-Commit-Position: refs/heads/master@{#27470}

BUG=
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/983153002

Cr-Commit-Position: refs/heads/master@{#27060}

BUG=

Review URL: https://codereview.chromium.org/961973002

Cr-Commit-Position: refs/heads/master@{#26993}

R=titzer@chromium.org,bmeurer@chromium.org

Review URL: https://codereview.chromium.org/928213003

Cr-Commit-Position: refs/heads/master@{#26766}

R=bmeurer@chromium.org
TEST=unittests/NodePropertiesTest.CollectControlProjections

Review URL: https://codereview.chromium.org/935033004

Cr-Commit-Position: refs/heads/master@{#26720}

R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/883613006

Cr-Commit-Position: refs/heads/master@{#26316}

- Make Node::Inputs and Node::Uses mostly STL compliant.
- Get rid of some pre-C++11 crappiness.
- Start moving unit tests from cctest to unittests.
- TrimInputCount() now tries to reserve inputs slots for
  later appending.
- Fix numerous style guide violations.

TEST=cctest,unittests
R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/851263002

Cr-Commit-Position: refs/heads/master@{#26098}