Fix deoptmization of inlined TF InstanceOf to call ToBoolean

Fix deoptmization of inlined TF instanceOf to call ToBoolean

This CL leverages and extends the deopt-to-stub mechanisms previously 
introduced to support deopting from CSA-built builtins (e.g. Array.prototype.forEach).

BUG=v8:6373
LOG=N

Review-Url: https://codereview.chromium.org/2890363002
Cr-Commit-Position: refs/heads/master@{#46144}
Committed: https://chromium.googlesource.com/v8/v8/+/e2544f6c03cb6725328036192a64fd80fad0ff1d

[danno, 2017-05-22 05:40:30]

The CQ bit was checked by danno@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-05-22 05:40:35]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-22 05:41:44]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-22 05:41:45]

Dry run: Try jobs failed on following builders:
  v8_linux64_asan_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_asan_rel_ng/buil...)
  v8_linux64_verify_csa_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_verify_csa_rel_n...)
  v8_linux_arm64_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_arm64_rel_ng/build...)
  v8_mac_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_mac_rel_ng/builds/22839)

[danno, 2017-05-22 05:55:39]

The CQ bit was checked by danno@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-05-22 05:55:44]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-22 05:59:14]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-22 05:59:15]

Dry run: Try jobs failed on following builders:
  v8_linux_gcc_compile_rel on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_gcc_compile_rel/bu...)
  v8_linux_mipsel_compile_rel on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_mipsel_compile_rel...)
  v8_linux_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_rel_ng/builds/26191)
  v8_win64_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_win64_rel_ng/builds/27874)

[danno, 2017-05-22 06:34:50]

Patchset #3 (id:40001) has been deleted

[danno, 2017-05-22 12:55:50]

Patchset #2 (id:20001) has been deleted

[danno, 2017-05-22 12:55:58]

Patchset #2 (id:60001) has been deleted

[danno, 2017-06-07 18:59:01]

The CQ bit was checked by danno@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-07 18:59:06]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-07 19:01:29]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-07 19:01:30]

Dry run: Try jobs failed on following builders:
  v8_android_arm_compile_rel on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_android_arm_compile_rel/...)
  v8_linux64_verify_csa_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_verify_csa_rel_n...)
  v8_linux_arm64_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_arm64_rel_ng/build...)
  v8_linux_mipsel_compile_rel on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_mipsel_compile_rel...)
  v8_linux_verify_csa_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux_verify_csa_rel_ng/...)

[danno, 2017-06-08 08:05:16]

The CQ bit was checked by danno@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-08 08:05:24]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-08 08:19:56]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-08 08:19:57]

Dry run: Try jobs failed on following builders:
  v8_linux64_gyp_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_gyp_rel_ng/build...)
  v8_linux64_gyp_rel_ng_triggered on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_gyp_rel_ng_trigg...)

[danno, 2017-06-08 10:47:02]

The CQ bit was checked by danno@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-08 10:47:07]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-08 11:02:43]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-08 11:02:44]

Dry run: Try jobs failed on following builders:
  v8_linux64_verify_csa_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_verify_csa_rel_n...)
  v8_linux64_verify_csa_rel_ng_triggered on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_verify_csa_rel_n...)

[danno, 2017-06-22 09:46:45]

The CQ bit was checked by danno@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-22 09:46:51]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-22 10:08:01]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-22 10:08:02]

Dry run: Try jobs failed on following builders:
  v8_linux64_gyp_rel_ng on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_gyp_rel_ng/build...)
  v8_linux64_gyp_rel_ng_triggered on master.tryserver.v8 (JOB_FAILED,
http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_gyp_rel_ng_trigg...)

[danno, 2017-06-22 11:09:06]

The CQ bit was checked by danno@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-22 11:09:11]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[danno, 2017-06-22 11:35:20]

Description was changed from

==========
Fix deoptmization of inlined TF InstanceOf to call ToBoolean

BUG=v8:6373
LOG=N
==========

to

==========
Fix deoptmization of inlined TF InstanceOf to call ToBoolean

This CL leverages and extends the deopt-to-stub mechanisms previously 
introduced to support deopting from CSA-built builtins (e.g.
Array.prototype.forEach).

BUG=v8:6373
LOG=N
==========

[commit-bot: I haz the power, 2017-06-22 11:37:21]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-22 11:37:22]

Dry run: This issue passed the CQ dry run.

[danno, 2017-06-22 12:57:14]

danno@chromium.org changed reviewers:
+ mstarzinger@chromium.org

[danno, 2017-06-22 12:57:15]

PTAL

[danno, 2017-06-22 13:08:45]

Description was changed from

==========
Fix deoptmization of inlined TF InstanceOf to call ToBoolean

This CL leverages and extends the deopt-to-stub mechanisms previously 
introduced to support deopting from CSA-built builtins (e.g.
Array.prototype.forEach).

BUG=v8:6373
LOG=N
==========

to

==========
Fix deoptmization of inlined TF instanceOf to call ToBoolean

This CL leverages and extends the deopt-to-stub mechanisms previously 
introduced to support deopting from CSA-built builtins (e.g.
Array.prototype.forEach).

BUG=v8:6373
LOG=N
==========

[Michael Starzinger, 2017-06-22 14:16:12]

Looking good. Just minor comments.

https://codereview.chromium.org/2890363002/diff/160001/src/builtins/builtins-...
File src/builtins/builtins-conversion-gen.cc (right):

https://codereview.chromium.org/2890363002/diff/160001/src/builtins/builtins-...
src/builtins/builtins-conversion-gen.cc:260: // Requires parameter on stack to
that it can be used as a continuation from a
nit: s/to/so/

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/frame-sta...
File src/compiler/frame-states.cc (right):

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/frame-sta...
src/compiler/frame-states.cc:162: js_graph, name, context,
&actual_parameters[0],
The "&actual_parameters[0]" is not safe for empty vectors. This is crashing on
me when I compile this with C++ stdlib assert enabled. With C++11 we can use
"actual_parameters.data()" here instead.

~/Development/v8.git/build/linux/debian_jessie_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.8/346:
    error: attempt to subscript container with out-of-bounds index 0, but     
    container only holds 0 elements.

Objects involved in the operation:
sequence "this" @ 0x0x7ffd01d08958 {
}

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/js-native...
File src/compiler/js-native-context-specialization.cc (right):

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/js-native...
src/compiler/js-native-context-specialization.cc:178: Node* outer_frame_state =
NodeProperties::GetFrameStateInput(node);
nit: s/outer_frame_state/frame_state/

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/js-native...
src/compiler/js-native-context-specialization.cc:248: Node* frame_state =
CreateStubBuiltinContinuationFrameState(
nit: Please add a comment explaining the reasoning behind this frame-state and
what it is needed for.

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/js-native...
src/compiler/js-native-context-specialization.cc:248: Node* frame_state =
CreateStubBuiltinContinuationFrameState(
nit: s/frame_state/continuation_frame_state/

https://codereview.chromium.org/2890363002/diff/160001/src/interface-descript...
File src/interface-descriptors.h (right):

https://codereview.chromium.org/2890363002/diff/160001/src/interface-descript...
src/interface-descriptors.h:518: void InitializePlatformIndependent(
nit: Can we use DECLARE_DESCRIPTOR_WITH_CUSTOM_FUNCTION_TYPE to include this
declaration?

[danno, 2017-06-22 15:02:53]

The CQ bit was checked by danno@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-22 15:03:01]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[danno, 2017-06-22 15:04:01]

Feedback addressed, please take another look.

https://codereview.chromium.org/2890363002/diff/160001/src/builtins/builtins-...
File src/builtins/builtins-conversion-gen.cc (right):

https://codereview.chromium.org/2890363002/diff/160001/src/builtins/builtins-...
src/builtins/builtins-conversion-gen.cc:260: // Requires parameter on stack to
that it can be used as a continuation from a
On 2017/06/22 14:16:11, Michael Starzinger wrote:
> nit: s/to/so/

Done.

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/frame-sta...
File src/compiler/frame-states.cc (right):

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/frame-sta...
src/compiler/frame-states.cc:162: js_graph, name, context,
&actual_parameters[0],
On 2017/06/22 14:16:11, Michael Starzinger wrote:
> The "&actual_parameters[0]" is not safe for empty vectors. This is crashing on
> me when I compile this with C++ stdlib assert enabled. With C++11 we can use
> "actual_parameters.data()" here instead.
> 
>
~/Development/v8.git/build/linux/debian_jessie_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.8/346:
>     error: attempt to subscript container with out-of-bounds index 0, but     
>     container only holds 0 elements.
> 
> Objects involved in the operation:
> sequence "this" @ 0x0x7ffd01d08958 {
> }

Done.

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/js-native...
File src/compiler/js-native-context-specialization.cc (right):

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/js-native...
src/compiler/js-native-context-specialization.cc:178: Node* outer_frame_state =
NodeProperties::GetFrameStateInput(node);
On 2017/06/22 14:16:11, Michael Starzinger wrote:
> nit: s/outer_frame_state/frame_state/

Done.

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/js-native...
src/compiler/js-native-context-specialization.cc:248: Node* frame_state =
CreateStubBuiltinContinuationFrameState(
On 2017/06/22 14:16:11, Michael Starzinger wrote:
> nit: s/frame_state/continuation_frame_state/

Done.

https://codereview.chromium.org/2890363002/diff/160001/src/compiler/js-native...
src/compiler/js-native-context-specialization.cc:248: Node* frame_state =
CreateStubBuiltinContinuationFrameState(
On 2017/06/22 14:16:11, Michael Starzinger wrote:
> nit: s/frame_state/continuation_frame_state/

Done.

https://codereview.chromium.org/2890363002/diff/160001/src/interface-descript...
File src/interface-descriptors.h (right):

https://codereview.chromium.org/2890363002/diff/160001/src/interface-descript...
src/interface-descriptors.h:518: void InitializePlatformIndependent(
On 2017/06/22 14:16:12, Michael Starzinger wrote:
> nit: Can we use DECLARE_DESCRIPTOR_WITH_CUSTOM_FUNCTION_TYPE to include this
> declaration?

Done.

[commit-bot: I haz the power, 2017-06-22 15:31:11]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-22 15:31:12]

Dry run: This issue passed the CQ dry run.

[Michael Starzinger, 2017-06-22 15:39:47]

LGTM. Cool stuff. Thanks!

[danno, 2017-06-22 15:42:02]

The CQ bit was checked by danno@chromium.org

[commit-bot: I haz the power, 2017-06-22 15:42:12]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-22 15:43:36]

CQ is committing da patch.

Bot data: {"patchset_id": 180001, "attempt_start_ts": 1498146122226790,
"parent_rev": "731d1b73af90f1e5507adfc53a00d4418e509158", "commit_rev":
"e2544f6c03cb6725328036192a64fd80fad0ff1d"}

[commit-bot: I haz the power, 2017-06-22 15:43:42]

Description was changed from

==========
Fix deoptmization of inlined TF instanceOf to call ToBoolean

This CL leverages and extends the deopt-to-stub mechanisms previously 
introduced to support deopting from CSA-built builtins (e.g.
Array.prototype.forEach).

BUG=v8:6373
LOG=N
==========

to

==========
Fix deoptmization of inlined TF instanceOf to call ToBoolean

This CL leverages and extends the deopt-to-stub mechanisms previously 
introduced to support deopting from CSA-built builtins (e.g.
Array.prototype.forEach).

BUG=v8:6373
LOG=N

Review-Url: https://codereview.chromium.org/2890363002
Cr-Commit-Position: refs/heads/master@{#46144}
Committed:
https://chromium.googlesource.com/v8/v8/+/e2544f6c03cb6725328036192a64fd80fad...
==========

[commit-bot: I haz the power, 2017-06-22 15:43:43]

Committed patchset #7 (id:180001) as
https://chromium.googlesource.com/v8/v8/+/e2544f6c03cb6725328036192a64fd80fad...