Revert of [tools] Support custom script injection for callstats.py (patchset #1 id:1 of https://codereview.chromium.org/2455623002/ )

Reason for revert:
speculative revert to address regressions on cnn.com benchmark.

Original issue's description:
> [tools] Support custom script injection for callstats.py
>
> This is a poor-man's solution to trigger page interactions.
>
> BUG=

TBR=jochen@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=

Review-Url: https://codereview.chromium.org/2464053005
Cr-Commit-Position: refs/heads/master@{#40710}

Make RuntimeCallTimer::parent_ and RuntimeCallStats::current_timer_
fields atomic as they are accessed from the signal handler.

BUG=chromium:660428

Review-Url: https://codereview.chromium.org/2464973002
Cr-Commit-Position: refs/heads/master@{#40709}

The wasm interpreter crashed because it interpreted the table of
br_table as a table of uint8, but according to the spec it is a table of
varint32. Therefore the wasm interpreter misinterpreted 0x80 0x00 as 128
and not as 0, which caused a crash.

R=tizer@chromium.org
BUG=chromium:660262
TEST=cctest/test-run-wasm/RunWasmInterpreted_Regression_660262

Review-Url: https://codereview.chromium.org/2463063002
Cr-Commit-Position: refs/heads/master@{#40708}

Apparently the previous clean up has regressed performance in some
cases. This is an attempt to recover these regressions.

R=ulan@chromium.org
BUG=chromium:661567

Review-Url: https://codereview.chromium.org/2471493003
Cr-Commit-Position: refs/heads/master@{#40707}

BUG=v8:4680

Review-Url: https://codereview.chromium.org/2469283002
Cr-Commit-Position: refs/heads/master@{#40706}

Original CL description:
> Create internal fields on global proxy objects
>
> BUG=v8:5588
> R=verwaest@chromium.org

BUG=v8:5588
TBR=verwaest@chromium.org

Review-Url: https://codereview.chromium.org/2472573004
Cr-Commit-Position: refs/heads/master@{#40705}

This ensures that the newly allocated object immediatly precedes the
linear allocation area, which is needed for allocation folding.

For more info see:
https://bugs.chromium.org/p/chromium/issues/detail?id=659165#c13

BUG=chromium:659165

Review-Url: https://codereview.chromium.org/2464393002
Cr-Commit-Position: refs/heads/master@{#40704}

This reduces per-scope overhead from minimally 6 words to 2 words, with one additional pointer per entry, rather than an average of 2 per entry for larger-than-4 element lists. For temp zone parsed functions it additionally makes the declaration-list actually freeable.

This introduces ThreadedList to implement the details of dealing with such a list.

BUG=v8:5209

Review-Url: https://codereview.chromium.org/2457393003
Cr-Commit-Position: refs/heads/master@{#40703}

To enable the global object prototype chain to be frozen, all objects
in the chain need to be marked as immutable prototype exotic objects.
However, a bug in the previous implementation of immutable prototype
exotic objects left the check in place when initially setting up the
object, which made it impossible to allow inheritance chains. This
patch removes that mistaken check.

BUG=v8:5149

Review-Url: https://codereview.chromium.org/2449163004
Cr-Commit-Position: refs/heads/master@{#40702}

Revert of [ic] Experiment: disable map-specific handler cache. (patchset #1 id:1 of https://codereview.chromium.org/2462973003/ )

Reason for revert:
Causes performance regressions (up to 10% on the "IC" bucket). :-(

Original issue's description:
> [ic] Experiment: disable map-specific handler cache.
>
> IC data handlers support most of the hot cases nowdays. Let's see if
> the map-specific code cache still help us to improve things.
>
> BUG=v8:5561

TBR=ishell@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=v8:5561

Review-Url: https://codereview.chromium.org/2474653002
Cr-Commit-Position: refs/heads/master@{#40701}

In the process, add a more general mechanism for passing around
and amending list of CodeStubAssembler Variables. That change
makes it possible to more easily add Variables to loops that are
generated by utility functions, e.g. BuildFastLoop.

LOG=N

Review-Url: https://codereview.chromium.org/2461363002
Cr-Commit-Position: refs/heads/master@{#40700}

This is preparation for using TF to create builtins that handle variable number of
arguments and have to remove these arguments dynamically from the stack upon
return.

The gist of the changes:
- Added a second argument to the Return node which specifies the number of stack
  slots to pop upon return in addition to those specified by the Linkage of the
  compiled function.
- Removed Tail -> Non-Tail fallback in the instruction selector. Since TF now should
  handles all tail-call cases except where the return value type differs, this fallback
  was not really useful and in fact caused unexpected behavior with variable
  sized argument popping, since it wasn't possible to materialize a Return node
  with the right pop count from the TailCall without additional context.
- Modified existing Return generation to pass a constant zero as the additional
  pop argument since the variable pop functionality

LOG=N

Review-Url: https://codereview.chromium.org/2446543002
Cr-Commit-Position: refs/heads/master@{#40699}

Delayed chunks in the unmapper are chunks that should be unmapped but could
potentially still be accessed by the sweeper (page header), hence their
unmapping is delayed.

During TearDown, however, we need to properly unmap those pages, i.e., check
that they can now be unmapped (should always hold) and properly unmap them.

BUG=chromium:656537
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2472573003
Cr-Commit-Position: refs/heads/master@{#40698}

BUG=v8:4280

Review-Url: https://codereview.chromium.org/2463353002
Cr-Commit-Position: refs/heads/master@{#40697}

Only ARM should have fixed live range arrays for float / simd128.

LOG=N
BUG=v8:4124

Review-Url: https://codereview.chromium.org/2471533002
Cr-Commit-Position: refs/heads/master@{#40696}

R=epertoso@chromium.org

Review-Url: https://codereview.chromium.org/2223873002
Cr-Commit-Position: refs/heads/master@{#40695}

R=rmcilroy@chromium.org
BUG=v8:1569

Review-Url: https://codereview.chromium.org/2460403002
Cr-Commit-Position: refs/heads/master@{#40694}

Cr-Commit-Position: refs/heads/master@{#40693}

  port 5ef1bddf (r40690)

  original commit message:
  All vector ICs use the TypeFeedbackVector::ComputeCounts method now,
  while the remaining patching ICs still use the traditional way of
  counting on the TypeFeedbackInfo hanging off the fullcodegen code
  object. This fixes the problem that counts were sometimes off.

BUG=

  Drive-by-fix: Move FullCodeGenerator::CallIC to fullcodegen.cc.
Review-Url: https://codereview.chromium.org/2470063002

Cr-Commit-Position: refs/heads/master@{#40692}

Revert of [turbofan] Support variable size argument popping in TF-generated functions (patchset #13 id:240001 of https://codereview.chromium.org/2446543002/ )

Reason for revert:
Seems to break arm64 sim debug and blocks roll:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20debug/builds/3294

Original issue's description:
> [turbofan] Support variable size argument removal in TF-generated functions
>
> This is preparation for using TF to create builtins that handle variable number of
> arguments and have to remove these arguments dynamically from the stack upon
> return.
>
> The gist of the changes:
> - Added a second argument to the Return node which specifies the number of stack
>   slots to pop upon return in addition to those specified by the Linkage of the
>   compiled function.
> - Removed Tail -> Non-Tail fallback in the instruction selector. Since TF now should
>   handles all tail-call cases except where the return value type differs, this fallback
>   was not really useful and in fact caused unexpected behavior with variable
>   sized argument popping, since it wasn't possible to materialize a Return node
>   with the right pop count from the TailCall without additional context.
> - Modified existing Return generation to pass a constant zero as the additional
>   pop argument since the variable pop functionality
>
> LOG=N

TBR=bmeurer@chromium.org,mstarzinger@chromium.org,epertoso@chromium.org,danno@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2473643002
Cr-Commit-Position: refs/heads/master@{#40691}

All vector ICs use the TypeFeedbackVector::ComputeCounts method now,
while the remaining patching ICs still use the traditional way of
counting on the TypeFeedbackInfo hanging off the fullcodegen code
object. This fixes the problem that counts were sometimes off.

Drive-by-fix: Move FullCodeGenerator::CallIC to fullcodegen.cc.

R=yangguo@chromium.org

Review-Url: https://codereview.chromium.org/2472653002
Cr-Commit-Position: refs/heads/master@{#40690}

BUG=none
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2474483003
Cr-Commit-Position: refs/heads/master@{#40689}

BUG=none
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2473563002
Cr-Commit-Position: refs/heads/master@{#40688}

This roll includes one change: "[inspector_protocol] support fall through and moveable Maybe" [1].

[1] https://codereview.chromium.org/2468923002/

BUG=none
R=dgozman@chromium.org

Review-Url: https://codereview.chromium.org/2469063002
Cr-Commit-Position: refs/heads/master@{#40687}

This reverts commit 26547761.

Breaks layout tests:
https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/bui...

See also:
https://github.com/v8/v8/wiki/Blink-layout-tests

BUG=v8:5588
TBR=jochen@chromium.org, verwaest@chromium.org, hablich@chromium.org

Review-Url: https://codereview.chromium.org/2467073002
Cr-Commit-Position: refs/heads/master@{#40686}

IC data handlers support most of the hot cases nowdays. Let's see if
the map-specific code cache still help us to improve things.

BUG=v8:5561

Review-Url: https://codereview.chromium.org/2462973003
Cr-Commit-Position: refs/heads/master@{#40685}

  port 5319b50c (r40678)

  original commit message:
  This is preparation for using TF to create builtins that handle variable number of
  arguments and have to remove these arguments dynamically from the stack upon
  return.

  The gist of the changes:
  - Added a second argument to the Return node which specifies the number of stack
    slots to pop upon return in addition to those specified by the Linkage of the
    compiled function.
  - Removed Tail -> Non-Tail fallback in the instruction selector. Since TF now should
    handles all tail-call cases except where the return value type differs, this fallback
    was not really useful and in fact caused unexpected behavior with variable
    sized argument popping, since it wasn't possible to materialize a Return node
    with the right pop count from the TailCall without additional context.
  - Modified existing Return generation to pass a constant zero as the additional
    pop argument since the variable pop functionality

BUG=

Review-Url: https://codereview.chromium.org/2469623002
Cr-Commit-Position: refs/heads/master@{#40684}

Both --harmony-object-values-entries and --harmony-object-own-property-descriptors
are on by default in v8 5.4, which has now shipped to
stable as Chrome 54.

R=caitp@igalia.com

Review-Url: https://codereview.chromium.org/2464733003
Cr-Commit-Position: refs/heads/master@{#40683}

Port 5319b50c

Original commit message:

    This is preparation for using TF to create builtins that handle variable number of
    arguments and have to remove these arguments dynamically from the stack upon
    return.

    The gist of the changes:
    - Added a second argument to the Return node which specifies the number of stack
      slots to pop upon return in addition to those specified by the Linkage of the
      compiled function.
    - Removed Tail -> Non-Tail fallback in the instruction selector. Since TF now should
      handles all tail-call cases except where the return value type differs, this fallback
      was not really useful and in fact caused unexpected behavior with variable
      sized argument popping, since it wasn't possible to materialize a Return node
      with the right pop count from the TailCall without additional context.
    - Modified existing Return generation to pass a constant zero as the additional
      pop argument since the variable pop functionality

R=danno@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com

BUG=
LOG=N

Review-Url: https://codereview.chromium.org/2462173002
Cr-Commit-Position: refs/heads/master@{#40682}

We only need included categories list, excluded categories list will only work
if we use regular expression in categories list, which is not supported in V8.

TBR=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2462143002
Cr-Commit-Position: refs/heads/master@{#40681}

By not dumping the module of the test, we avoid adding code of an
infinite loop to the corpus of the wasm fuzzer.

R=bradnelson@chromium.org

NOTRY=true

Review-Url: https://codereview.chromium.org/2460313002
Cr-Commit-Position: refs/heads/master@{#40680}

This CL adds Load/StoreIC_Premonomorphic and detailizes IC_HandlerCacheHit bucket.

BUG=v8:5561

Review-Url: https://codereview.chromium.org/2459333003
Cr-Commit-Position: refs/heads/master@{#40679}

This is preparation for using TF to create builtins that handle variable number of
arguments and have to remove these arguments dynamically from the stack upon
return.

The gist of the changes:
- Added a second argument to the Return node which specifies the number of stack
  slots to pop upon return in addition to those specified by the Linkage of the
  compiled function.
- Removed Tail -> Non-Tail fallback in the instruction selector. Since TF now should
  handles all tail-call cases except where the return value type differs, this fallback
  was not really useful and in fact caused unexpected behavior with variable
  sized argument popping, since it wasn't possible to materialize a Return node
  with the right pop count from the TailCall without additional context.
- Modified existing Return generation to pass a constant zero as the additional
  pop argument since the variable pop functionality

LOG=N

Review-Url: https://codereview.chromium.org/2446543002
Cr-Commit-Position: refs/heads/master@{#40678}

This function is implemented in other JavaScript shells

BUG=None

R=titzer

Review-Url: https://codereview.chromium.org/2458963003
Cr-Commit-Position: refs/heads/master@{#40677}

The old code does not work properly when the allocation memento object ends exactly at page boundary.

This CL addresses DBC mentioned in https://codereview.chromium.org/2313093002/

BUG=v8:5269

Review-Url: https://codereview.chromium.org/2466573002
Cr-Commit-Position: refs/heads/master@{#40676}

While this seems like it should be true, the array buffer is not actually
neutered until the end of cloning. This is so that, if an exception is thrown
during serialization, the original array buffer is not left neutered. As a
result, Blink will not have neutered the buffer.

This fixes some DCHECK failures during layout tests.

BUG=chromium:148757

Review-Url: https://codereview.chromium.org/2466563002
Cr-Commit-Position: refs/heads/master@{#40675}

BUG=

Review-Url: https://codereview.chromium.org/2468433002
Cr-Commit-Position: refs/heads/master@{#40674}

This CL adds support for primitive maps to
1) PrototypeIterator,
2) PropertyHandlerCompiler::CheckPrototypes(),
3) Map::GetOrCreatePrototypeChainValidityCell(),
4) Prototype checks in data-driven ICs.

BUG=v8:5561

Review-Url: https://codereview.chromium.org/2466553002
Cr-Commit-Position: refs/heads/master@{#40673}

This exposes a couple of broken tests that used to silently throw within
the listener. Mark these as failing for now

BUG=v8:5330, v8:5581

Review-Url: https://codereview.chromium.org/2460833002
Cr-Commit-Position: refs/heads/master@{#40672}

Using a global proxy (e.g. 'window.f', 'w.f' or 'this.f') is considerably slower than evaluating just 'f'. This CL aims to perform the necessary checks at compile time and inline the accesses.

This is a follow-on CL to crrev.com/2369933005:
- The initial upload is crrev.com/2369933005 + a rebase.
- The remaining issues are the fixes requested by the reviewers on that CL.

BUG=chromium:634276, chromium:654716, chromium:656959

Committed: https://crrev.com/8f43d748272536117008aa6a1b53ea52126261c1
Committed: https://crrev.com/041314524952a3c1bc71bd3beafbbb37319f1d22
Review-Url: https://codereview.chromium.org/2403003002
Cr-Original-Original-Commit-Position: refs/heads/master@{#40153}
Cr-Original-Commit-Position: refs/heads/master@{#40365}
Cr-Commit-Position: refs/heads/master@{#40671}