This reduces the reserved virtual memory size needed for the store buffer.

BUG=chromium:578883
LOG=NO

Review URL: https://codereview.chromium.org/1851473002

Cr-Commit-Position: refs/heads/master@{#35174}

Replace the uses with proper page flag lookups.

BUG=chromium:581412
LOG=N
TEST=mjsunit/allocation-site-info

Review URL: https://codereview.chromium.org/1845463003

Cr-Commit-Position: refs/heads/master@{#35153}

We now have everything in place to fully implement ToLengthStub as
TurboFanCodeStub without any runtime fallback (modulo allocation failure
of course).

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1843933002

Cr-Commit-Position: refs/heads/master@{#35137}

[es6] Add a flag to the Isolate that defines whether ES2015 tail call elimination is enabled or not.

Thus DevTools will be able to disable tail call elimination dynamically upon user's choice.

BUG=v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1837513002

Cr-Commit-Position: refs/heads/master@{#35098}

    In JavaScript code and stubs, JSSP mirrors the CSP but may be unaligned.
    But in WASM code only CSP is used, like native code, and it must be
    aligned.
    Calls into WASM from JS need to carefully align the C stack
    pointer (csp) and restore the previous JSSP, while calls from WASM
    to JS need to compute a new JSSP and restore their CSP after the
    call.

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1811283003

Cr-Commit-Position: refs/heads/master@{#35096}

The warning notes that we'd want a 'w' register here because the size of
the operand is 32-bit, however, the instruction only takes an 'x'
register and so force that using the 'x' modifier on the instruction.

BUG=

Review URL: https://codereview.chromium.org/1817963003

Cr-Commit-Position: refs/heads/master@{#35008}

This roughly doubles performance for generic Array.prototype.push.

BUG=

Review URL: https://codereview.chromium.org/1816553002

Cr-Commit-Position: refs/heads/master@{#34987}

BUG=v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1819073003

Cr-Commit-Position: refs/heads/master@{#34986}

Now implemented as a builtin that delegates to the InstanceOfStub. That
stub was parameterized to fallback to either Runtime_InstanceOf or to
Runtime_OrdinaryHasInstance depending on the --harmony-instanceof flag.
Once the feature stabilizes and the flag is no longer needed, we can get
rid of this parameterization again.

R=bmeurer@chromium.org
BUG=v8:4447
LOG=n

Review URL: https://codereview.chromium.org/1819813002

Cr-Commit-Position: refs/heads/master@{#34959}

LOG=N
BUG=v8:4124

Review URL: https://codereview.chromium.org/1706053002

Cr-Commit-Position: refs/heads/master@{#34951}

BUG=

Review URL: https://codereview.chromium.org/1820843002

Cr-Commit-Position: refs/heads/master@{#34937}

Split ToNumberStub into the entry ToNumberStub, and two new stubs,
StringToNumberStub and NonNumberToNumberStub, which can be used when we
already know something about the input (i.e. in various branches of the
code stubs, or in TurboFan graphs).

Also introduce an appropriate StringToNumber simplified operator for
TurboFan, that is pure and is lowered to an invocation of the newly
added StringToNumberStub.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1818923002

Cr-Commit-Position: refs/heads/master@{#34922}

Up until now all type conversions (i.e. ToNumber, ToString and friends)
had their own specific call interface descriptors, where some of them
had to match (i.e. ToString and NumberToString have to use the same
argument register). Instead of all the different descriptors, it's
sufficient to have a single TypeConversionDescriptor instead.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1823523002

Cr-Commit-Position: refs/heads/master@{#34916}

This is an experiment to see if it affects crash rates on Nexus 9 devices.
A small performance impact (3-4% on Octane) is expected.

BUG=chromium:524337
LOG=n
R=hablich@chromium.org

Review URL: https://codereview.chromium.org/1808243002

Cr-Commit-Position: refs/heads/master@{#34896}

Repair this to match what the runtime correctly does, by first checking if the
function is a constructor before we access the prototype.

R=verwaest@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1810953002

Cr-Commit-Position: refs/heads/master@{#34863}

 - New RelocInfo mode WASM_MEMORY_REFERENCE as a marker for wasm code objects that need to be relocated on a heap change
 - RelocInfo mode recorded for immediates that use the memory buffer as base
 - Tests to verify address patching works

BUG=

Committed: https://crrev.com/cc815b69c17da368107ed77306a5bb161170c834
Cr-Commit-Position: refs/heads/master@{#34831}

Review URL: https://codereview.chromium.org/1759873002

Cr-Commit-Position: refs/heads/master@{#34836}

Revert of Assembler changes for enabling GrowHeap in Wasm (patchset #13 id:260001 of https://codereview.chromium.org/1759873002/ )

Reason for revert:
Breaks compile:
https://build.chromium.org/p/client.v8/builders/V8%20Mac64/builds/7740

Probably had outdated tryjobs

Original issue's description:
> Assembler changes for enabling GrowHeap in Wasm
>  - New RelocInfo mode WASM_MEMORY_REFERENCE as a marker for wasm code objects that need to be relocated on a heap change
>  - RelocInfo mode recorded for immediates that use the memory buffer as base
>  - Tests to verify address patching works
>
> BUG=
>
> Committed: https://crrev.com/cc815b69c17da368107ed77306a5bb161170c834
> Cr-Commit-Position: refs/heads/master@{#34831}

TBR=titzer@chromium.org,yangguo@chromium.org,bradnelson@chromium.org,bradnelson@google.com,marija.antic@imgtec.com,gdeepti@google.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1808823002

Cr-Commit-Position: refs/heads/master@{#34832}

 - New RelocInfo mode WASM_MEMORY_REFERENCE as a marker for wasm code objects that need to be relocated on a heap change
 - RelocInfo mode recorded for immediates that use the memory buffer as base
 - Tests to verify address patching works

BUG=

Review URL: https://codereview.chromium.org/1759873002

Cr-Commit-Position: refs/heads/master@{#34831}

along with "[arm64] Fix i/d cache line size confusion typo"
and "Fix a warning about inline asm source/destination mismatches..."
which were building on it.

This reverts the following commits:
8d7399f9
474e6a3d
c3ff68b6

Reason for revert: We're getting a large number of crash reports from
arm64 devices that are obviously related to cache flushing after code
patching. Bisection results say that the problems started at revision
c3ff68b6. Since I can't find a bug in that CL except for the typo that
I've fixed in 474e6a3d (which made some of the crashes go away but not
all of them), we have no choice but to revert the changes in order to
get stability under control while we investigate.

BUG=chromium:594646
LOG=n

Review URL: https://codereview.chromium.org/1806853002

Cr-Commit-Position: refs/heads/master@{#34816}

R=mstarzinger@chromium.org,bmeurer@chromium.org,adamk@chromium.org
BUG=v8:3956
LOG=Y

Review URL: https://codereview.chromium.org/1773653002

Cr-Commit-Position: refs/heads/master@{#34669}

NOPRESUBMIT=true
BUG=

Review URL: https://codereview.chromium.org/1776353002

Cr-Commit-Position: refs/heads/master@{#34664}

Reading the registers' values back from the FrameDescription
should use the same offset computation as storing them into it.
The offsets must also match what the deoptimizer expects, which
is rx at offset rx.code() * kDoubleSize, even if some registers
are not saved (leaving gaps).

BUG=v8:4800
LOG=n
R=danno@chromium.org

Review URL: https://codereview.chromium.org/1769833006

Cr-Commit-Position: refs/heads/master@{#34633}

- Eliminate stubs with a variable number of arguments.
  (That only worked due to their very limited use. These
   stubs' interface descriptors were basically lying
   about their number of args, which will fail when used
   generically.)
- Fix all CallApi*Stubs' interface descriptors to no
  longer lie about their arguments.
- Unify CallApi*Stub, for * in Function, Accessor,
  FunctionWithFixedArgs.
  (Since these are now all doing the same thing.)
- Rename the unified stub (and interface descriptors) to
  *ApiCallback*, since that's really what they're doing.
- Refuse inlining an API callback if its number of
  parameters exceeds the supported number of args.

BUG=

Committed: https://crrev.com/d238b953a474272c0e3ea22ef6a9b63fa9729340
Cr-Commit-Position: refs/heads/master@{#34614}

Review URL: https://codereview.chromium.org/1748123003

Cr-Commit-Position: refs/heads/master@{#34627}

Revert of Rework CallApi*Stubs. (patchset #5 id:100001 of https://codereview.chromium.org/1748123003/ )

Reason for revert:
Breaks Chromium.

Original issue's description:
> Rework CallApi*Stubs.
>
> - Eliminate stubs with a variable number of arguments.
>   (That only worked due to their very limited use. These
>    stubs' interface descriptors were basically lying
>    about their number of args, which will fail when used
>    generically.)
> - Fix all CallApi*Stubs' interface descriptors to no
>   longer lie about their arguments.
> - Unify CallApi*Stub, for * in Function, Accessor,
>   FunctionWithFixedArgs.
>   (Since these are now all doing the same thing.)
> - Rename the unified stub (and interface descriptors) to
>   *ApiCallback*, since that's really what they're doing.
> - Refuse inlining an API callback if its number of
>   parameters exceeds the supported number of args.
>
> BUG=
>
> Committed: https://crrev.com/d238b953a474272c0e3ea22ef6a9b63fa9729340
> Cr-Commit-Position: refs/heads/master@{#34614}

TBR=danno@chromium.org,jkummerow@chromium.org,mstarzinger@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1775933005

Cr-Commit-Position: refs/heads/master@{#34624}

- Eliminate stubs with a variable number of arguments.
  (That only worked due to their very limited use. These
   stubs' interface descriptors were basically lying
   about their number of args, which will fail when used
   generically.)
- Fix all CallApi*Stubs' interface descriptors to no
  longer lie about their arguments.
- Unify CallApi*Stub, for * in Function, Accessor,
  FunctionWithFixedArgs.
  (Since these are now all doing the same thing.)
- Rename the unified stub (and interface descriptors) to
  *ApiCallback*, since that's really what they're doing.
- Refuse inlining an API callback if its number of
  parameters exceeds the supported number of args.

BUG=

Review URL: https://codereview.chromium.org/1748123003

Cr-Commit-Position: refs/heads/master@{#34614}

In case when F was called with incompatible number of arguments (and therefore
the arguments adator frame was created), F inlines a tail call of G which then
deopts the deoptimizer should also remove the arguments adaptor frame for F.

This CL adds required machinery to the deoptimizer.

BUG=v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1768263004

Cr-Commit-Position: refs/heads/master@{#34610}

According to https://www.w3.org/TR/html5/obsolete.html#dom-document-all,
comparisons of document.all to other values such as strings or objects,
are unaffected. In fact document.all only gets special treatment in
comparisons with null or undefined according to HTML. Especially setting
the undetectable doesn't make two distinct JSReceivers equal.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1774273002

Cr-Commit-Position: refs/heads/master@{#34608}

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1773593002

Cr-Commit-Position: refs/heads/master@{#34572}

Before this CL, various code stubs used different techniques
for marking their frames to enable stack-crawling and other
access to data in the frame. All of them were based on a abuse
of the "standard" frame representation, e.g. storing the a
context pointer immediately below the frame's fp, and a
function pointer after that. Although functional, this approach
tends to make stubs and builtins do an awkward, unnecessary
dance to appear like standard frames, even if they have
nothing to do with JavaScript execution.

This CL attempts to improve this by:

* Ensuring that there are only two fundamentally different
  types of frames, a "standard" frame and a "typed" frame.
  Standard frames, as before, contain both a context and
  function pointer. Typed frames contain only a minimum
  of a smi marker in the position immediately below the fp
  where the context is in standard frames.
* Only interpreted, full codegen, and optimized Crankshaft and
  TurboFan JavaScript frames use the "standard" format. All
  other frames use the type frame format with an explicit
  marker.
* Typed frames can contain one or more values below the
  type marker. There is new magic macro machinery in
  frames.h that simplifies defining the offsets of these fields
  in typed frames.
* A new flag in the CallDescriptor enables specifying whether
  a frame is a standard frame or a typed frame. Secondary
  register location spilling is now only enabled for standard
  frames.
* A zillion places in the code have been updated to deal with
  the fact that most code stubs and internal frames use the
  typed frame format. This includes changes in the
  deoptimizer, debugger, and liveedit.
* StandardFrameConstants::kMarkerOffset is deprecated,
  (CommonFrameConstants::kContextOrFrameTypeOffset
  and StandardFrameConstants::kFrameOffset are now used
  in its stead).

LOG=N

Review URL: https://codereview.chromium.org/1696043002

Cr-Commit-Position: refs/heads/master@{#34571}

HInvokeFunction and HApplyArguments instructions now support tail calling.

Inlining of calls at tail position is not supported yet and therefore still disabled.

The tail-call-megatest was modified so that the usages of "arguments" object do not disable Crankshaft.

TBR=bmeurer@chromium.org
BUG=v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1760253003

Cr-Commit-Position: refs/heads/master@{#34542}

Add StringLessThanStub, StringLessThanOrEqualStub, StringGreaterThanStub
and StringGreaterThanOrEqualStub, based on the CodeStubAssembler, and
hook them up with TurboFan (and Ignition). The stubs are currently
essentially comparable with the StringCompareStub, which is now
obsolete. We can later extend these stubs to cover more interesting
cases (i.e. two byte sequential string comparisons, etc.).

R=epertoso@chromium.org

Review URL: https://codereview.chromium.org/1765823002

Cr-Commit-Position: refs/heads/master@{#34485}

Per ProxyCreate() (https://tc39.github.io/ecma262/#sec-proxycreate), a Proxy
is only given a [[Call]] slot if the target has a [[Call]] slot as well. This
was previously implemented correctly for [[Construct]], but not for [[Call]].

BUG=v8:4797, v8:4796, v8:1543
LOG=N
R=cbruni@chromium.org, neis@chromium.org, adamk@chromium.org, littledan@chromium.org

Review URL: https://codereview.chromium.org/1752133004

Cr-Commit-Position: refs/heads/master@{#34461}

The support was already removed from the Crankshaft and this CL removes the last piece.

Review URL: https://codereview.chromium.org/1764593002

Cr-Commit-Position: refs/heads/master@{#34456}

Initial version of a new StrictEqualStub written as TurboFan code stub,
that implements the full strict equality comparison and is usable for
both TurboFan and Ignition (and soon for the generic CompareIC case
too). The stub is not fully optimized yet, i.e. we still go to the
runtime for string comparisons, but that'll be addressed in a follow-up
CL.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1753173003

Cr-Commit-Position: refs/heads/master@{#34423}

Add support to log source position offsets to the profiler. As part of
this change PositionsRecorder is split into two, with the subset needed
by log.cc moved into log.h and the remainder kept in assembler.h as
AssemblerPositionsRecorder. The interpreter's source position table
builder is updated to log positions when the profiler is active.

BUG=v8:4766
LOG=N

Review URL: https://codereview.chromium.org/1737043002

Cr-Commit-Position: refs/heads/master@{#34416}

Since both null and undefined are also marked as undetectable now, we
can just test that bit instead of having the CompareNilIC try to collect
feedback to speed up the general case (without the undetectable bit
being used).

Drive-by-fix: Update the type system to match the new handling of
undetectable in the runtime.

R=danno@chromium.org

Committed: https://crrev.com/666aec0348c8793e61c8633dee7ad29a514239ba
Cr-Commit-Position: refs/heads/master@{#34237}

Review URL: https://codereview.chromium.org/1722193002

Cr-Commit-Position: refs/heads/master@{#34344}

The CompareICStub produces an untagged raw word value, which has to be
translated to true or false manually in the TurboFan code. But for lazy
bailout after the CompareIC, we immediately go back to fullcodegen or
Ignition with the raw value, to a location where both fullcodegen and
Ignition expect a boolean value, which might crash or in the worst case
(depending on the exact computation inside the CompareIC) could lead to
arbitrary memory access.

Short-term fix is to use the proper runtime functions (unified with the
interpreter now) for comparisons. Next task is to provide optimized
versions of these based on the CodeStubAssembler, which can then be used
via code stubs in TurboFan or directly in handlers in the interpreter.

R=mstarzinger@chromium.org
BUG=v8:4788
LOG=n

Review URL: https://codereview.chromium.org/1738153002

Cr-Commit-Position: refs/heads/master@{#34335}

Revert of [compiler] Drop the CompareNilIC. (patchset #4 id:60001 of https://codereview.chromium.org/1722193002/ )

Reason for revert:
Speculative revert in attempt to fix #2 crasher on canary.

Original issue's description:
> [compiler] Drop the CompareNilIC.
>
> Since both null and undefined are also marked as undetectable now, we
> can just test that bit instead of having the CompareNilIC try to collect
> feedback to speed up the general case (without the undetectable bit
> being used).
>
> Drive-by-fix: Update the type system to match the new handling of
> undetectable in the runtime.
>
> R=danno@chromium.org
>
> Committed: https://crrev.com/666aec0348c8793e61c8633dee7ad29a514239ba
> Cr-Commit-Position: refs/heads/master@{#34237}

TBR=danno@chromium.org,verwaest@chromium.org,bmeurer@chromium.org
LOG=y
BUG=chromium:589897
NOTRY=true

Review URL: https://codereview.chromium.org/1743433002

Cr-Commit-Position: refs/heads/master@{#34308}

Only use one set of %StrictEquals/%StrictNotEquals and
%Equals/%NotEquals runtime entries for both the interpreter
and the old-style CompareICStub. The long-term plan is to
update the CompareICStub to also return boolean values, and
even allow some more code sharing with the interpreter there.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1738883002

Cr-Commit-Position: refs/heads/master@{#34303}

This makes the FullCodeGenerator::EmitNamedPropertyLoad be architecture
independent by adding MacroAssembler::Move helpers.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1734643002

Cr-Commit-Position: refs/heads/master@{#34259}