All graphs for this bug:
  https://chromeperf.appspot.com/group_report?bug_id=705394

Original alerts at time of bug-filing:
  https://chromeperf.appspot.com/group_report?keys=agxzfmNocm9tZXBlcmZyFAsSB0Fub21hbHkYgIDgrL61pwoM


Bot(s) for this bug's original alert(s):

android-one

Started bisect job https://chromeperf.appspot.com/buildbucket_job_status/8983987407581153472

=== Auto-CCing suspected CL author petermarshall@chromium.org ===

Hi petermarshall@chromium.org, the bisect results pointed to your CL, please take a look at the
results.


=== BISECT JOB RESULTS ===
Perf regression found with culprit

Suspected Commit
  Author : Peter Marshall
  Commit : 14e01da1cf6c02628252ed267ca5043f44d63a5d
  Date   : Fri Mar 24 17:40:22 2017
  Subject: [builtins] Port TypedArrayConstructByArrayLike to CodeStubAssembler.

Bisect Details
  Configuration: android_one_perf_bisect
  Benchmark    : v8.infinite_scroll_tbmv2
  Metric       : v8-gc-total_max/flickr
  Change       : 372.99% | 4.41666666667 -> 20.8905

Revision                           Result                   N
chromium@459637                    4.41667 +- 0.610147      6      good
chromium@459640                    4.43533 +- 0.342764      6      good
chromium@459642                    4.47967 +- 0.262414      6      good
chromium@459642,v8@7273f7011a      4.28633 +- 0.396443      6      good
chromium@459642,v8@7e08a77deb      4.52517 +- 0.440483      6      good
chromium@459642,v8@14e01da1cf      21.1777 +- 2.00145       6      bad       <--
chromium@459642,v8@5fdb5a148e      21.037 +- 0.89009        6      bad
chromium@459643                    20.6528 +- 1.23693       6      bad
chromium@459648                    20.8905 +- 1.23699       6      bad

To Run This Test
  src/tools/perf/run_benchmark -v --browser=android-chromium --output-format=chartjson --upload-results --pageset-repeat=1 --also-run-disabled-tests --story-filter=flickr v8.infinite_scroll_tbmv2

Debug Info
  https://chromeperf.appspot.com/buildbucket_job_status/8983987407581153472

Is this bisect wrong?
  https://chromeperf.appspot.com/bad_bisect?try_job_id=5928173532872704


| O O | Visit http://www.chromium.org/developers/speed-infra/perf-bug-faq
|  X  | for more information addressing perf regression bugs. For feedback,
| / \ | file a bug with component Speed>Bisection.  Thank you!

 Issue 706944  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a450c18544df40f7c7cbed206a7cdd1ed38853aa

commit a450c18544df40f7c7cbed206a7cdd1ed38853aa
Author: Peter Marshall <petermarshall@chromium.org>
Date: Fri Mar 31 10:37:57 2017

[builtins] Copy array contents using JS in ConstructByArrayLike.

The last CL https://chromium-review.googlesource.com/c/456707/ caused
some pretty heavy performance regressions. After experimenting, it
seems the easiest and most straight-forward way to copy the elements
into the new typed array is to do it in JS.

Adds a fast path for typed arrays, where the source typed array has
the same elements kind, in which case we can just copy the backing
store using memcpy.

This CL also removes regression test 319120 which is from a pwn2own
vulnerability. The old code path enforced a maximum byte_length
that was too low, which this change removes. The length property of
the typed array must be a Smi, but the byte_length, which can be up
to 8x larger than length for a Float64Array, can be a heap number.

We can also re-use some of the logic from ConstructByLength when
deciding whether to allocate the buffer on- or off-heap, so that
is factored out into InitializeBasedOnLength. We can also re-use
the DoInitialize helper instead of calling into the runtime,
meaning we can remove InitializeFromArrayLike.

BUG=v8:5977,chromium:705503, chromium:705394 

Change-Id: I63372652091d4bdf3a9491acef9b4e3ac793a755
Reviewed-on: https://chromium-review.googlesource.com/459621
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44301}
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/assembler.cc
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/assembler.h
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/builtins/builtins-typedarray-gen.cc
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/code-stub-assembler.cc
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/code-stub-assembler.h
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/contexts.h
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/external-reference-table.cc
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/js/typedarray.js
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/objects.h
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/runtime/runtime-typedarray.cc
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/src/runtime/runtime.h
[modify] https://crrev.com/a450c18544df40f7c7cbed206a7cdd1ed38853aa/test/mjsunit/es6/typedarray-construct-by-array-like.js
[delete] https://crrev.com/42f285fcbb6f2546ce83f8d2e444328f754517ef/test/mjsunit/regress/regress-319120.js