Instead of directly looking up Uint8Array.__proto__, to get a hold of
the TypedArray prototype, use object_get_prototype_of. This is a
functionally equivalent, but cleaner approach.

Review-Url: https://codereview.chromium.org/1990983002
Cr-Commit-Position: refs/heads/master@{#36340}

Prevent crash/UB during stack frame iteration through functions, which occurs
when debugging, when building stacktraces, etc.

Also prevents these functions from appearing in stacktraces, by unsetting the "native" flag.

BUG=v8:4483, v8:5025
R=yangguo@chromium.org, littledan@chromium.org, adamk@chromium.org

Review-Url: https://codereview.chromium.org/1990803005
Cr-Commit-Position: refs/heads/master@{#36339}

R=joransiu@ca.ibm.com,michael_dawson@ca.ibm.com,mbrandy@us.ibm.com,jyan@ca.ibm.com

BUG=

Review-Url: https://codereview.chromium.org/1992703004
Cr-Commit-Position: refs/heads/master@{#36338}

BUG=chromium:612847
LOG=N

Review-Url: https://codereview.chromium.org/1989973002
Cr-Commit-Position: refs/heads/master@{#36337}

PPC/S390: [Interpreter] Remove InterpreterExitTrampoline and replace with returning to the entry trampoline.

port 39738bc9

Original Commit Message:
  In order to support compiling to baseline on return we need to be able to
  return to the actual return address. With this change this is what the
  Return bytecode now does, removing the need for the
  InterpreterExitTrampoline.

  This change also removes the InterpreterNotifyDeoptXXX builtins and
  unifies FCG and Igntion to both use NotifyDeoptXXX. As part of this
  change, FullCodegenerator::State is moved to Deoptimize::BailoutState.

R=rmcilroy@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com
BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/1989983002
Cr-Commit-Position: refs/heads/master@{#36336}

Revert of [heap] Do not invoke GC to make heap iterable. (patchset #5 id:80001 of https://codereview.chromium.org/1961373003/ )

Reason for revert:
Breaks https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/3551

Original issue's description:
> [heap] Do not invoke GC to make heap iterable.
>
> Remove kMakeHeapIterableMask since the heap is always iterable.
>
> BUG=chromium:580959
> LOG=n
>
> Committed: https://crrev.com/7c1cac4888a248fda3fa6de3624f32a6babb37e9
> Cr-Commit-Position: refs/heads/master@{#36333}

TBR=ulan@chromium.org,yangguo@chromium.org,hpayer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:580959

Review-Url: https://codereview.chromium.org/1987363002
Cr-Commit-Position: refs/heads/master@{#36335}

Properly records entries individually instead of using the hammer that requires
visiting the whole code object during pointer updating.

BUG=chromium:612847
LOG=N

Review-Url: https://codereview.chromium.org/1994653002
Cr-Commit-Position: refs/heads/master@{#36334}

Remove kMakeHeapIterableMask since the heap is always iterable.

BUG=chromium:580959
LOG=n

Review-Url: https://codereview.chromium.org/1961373003
Cr-Commit-Position: refs/heads/master@{#36333}

R=mstarzinger@chromium.org,ahaas@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/1990923002
Cr-Commit-Position: refs/heads/master@{#36332}

BUG=v8:5023
R=mythria@chromium.org,machenbach@chromium.org
NOTRY=true

Review-Url: https://codereview.chromium.org/1993663002
Cr-Commit-Position: refs/heads/master@{#36331}

This patch ensures that Intl bound method getters can't be retargeted
to other Intl types. If that were to happen, then a RUNTIME_ASSERT
would trigger later. This patch throws a TypeError instead, as the
specification requires.

BUG=v8:4870

Review-Url: https://codereview.chromium.org/1986763003
Cr-Commit-Position: refs/heads/master@{#36330}

BUG=chromium:474921
LOG=n
NOTRY=true

Review-Url: https://codereview.chromium.org/1988023003
Cr-Commit-Position: refs/heads/master@{#36329}

NOTRY=true

Review-Url: https://codereview.chromium.org/1995473002
Cr-Commit-Position: refs/heads/master@{#36328}

R=vogelheim@chromium.org

Review-Url: https://codereview.chromium.org/1991793002
Cr-Commit-Position: refs/heads/master@{#36327}

Updates blink_tests/TestExpecations by removing failure expectation for
gc related tests. These tests are modified to work with ignition by
the following cls:
https://codereview.chromium.org/1972943002/
https://codereview.chromium.org/1950613005/

BUG=v8:4280,chromium:595672
LOG=N

Review-Url: https://codereview.chromium.org/1985673002
Cr-Commit-Position: refs/heads/master@{#36326}

This is a pure refactoring that removes unnecessary wrapper methods from
the EscapeAnalysis class. This completely removes the notion of "Alias"
from the interface.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1989243002
Cr-Commit-Position: refs/heads/master@{#36325}

This promotes the escape analysis from an experimental feature to be a
fully supported feature. The main goal is to unleach ClusterFuzz on the
implementation so that we can stabilize it.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1989833002
Cr-Commit-Position: refs/heads/master@{#36324}

port 8e303dd0

R=bmeurer@chromium.org, yangguo@chromium.org, joransiu@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com
BUG=v8:5010

Review-Url: https://codereview.chromium.org/1986343002
Cr-Commit-Position: refs/heads/master@{#36323}

This is pure refactoring that moves many internal details of the escape
analysis from the header into the compilation unit. The goal of this is
to simplify the interface for readability.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1991723003
Cr-Commit-Position: refs/heads/master@{#36322}

Move most of JSReceiver::GetKeys to the KeyAccumulator

BUG=

Review-Url: https://codereview.chromium.org/1989263002
Cr-Commit-Position: refs/heads/master@{#36321}

BUG=

Review-Url: https://codereview.chromium.org/1987253002
Cr-Commit-Position: refs/heads/master@{#36320}

BUG=chromium:474921
LOG=n

Review-Url: https://codereview.chromium.org/1989193002
Cr-Commit-Position: refs/heads/master@{#36319}

Currently attached references are only used for global proxy, source
string and code stubs. Mid-term future we want to use attached
references for arbitrary objects (in fixed order) provided from outside.

This change renames BackReference to SerializerReference to include both
back references and attached references.

R=mtrofin@chromium.org, vogelheim@chromium.org

Review-Url: https://codereview.chromium.org/1992723002
Cr-Commit-Position: refs/heads/master@{#36318}

We have evidence (see r34896) that this avoids crashes.

BUG=chromium:524337

Review-Url: https://codereview.chromium.org/1995483002
Cr-Commit-Position: refs/heads/master@{#36317}

BUG=

Review-Url: https://codereview.chromium.org/1984313002
Cr-Commit-Position: refs/heads/master@{#36316}

MIPS64: Fix '[Interpreter] Remove InterpreterExitTrampoline and replace with returning to the entry trampoline.'

Port 39738bc9

BUG=

Review-Url: https://codereview.chromium.org/1990823002
Cr-Commit-Position: refs/heads/master@{#36315}

BUG=v8:4280
LOG=N

Review-Url: https://codereview.chromium.org/1980463003
Cr-Commit-Position: refs/heads/master@{#36314}

When setting a generator function's  "prototype" property to a non-object, the
prototype of new generator instances should be %GeneratorPrototype%, not
%ObjectPrototype%.

R=verwaest@chromium.org
BUG=v8:5011

Review-Url: https://codereview.chromium.org/1982203003
Cr-Commit-Position: refs/heads/master@{#36313}

R=bmeurer@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/1981323002
Cr-Commit-Position: refs/heads/master@{#36312}

R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/1980503002
Cr-Commit-Position: refs/heads/master@{#36311}

In order to support compiling to baseline on return we need to be able to
return to the actual return address. With this change this is what the
Return bytecode now does, removing the need for the
InterpreterExitTrampoline.

This change also removes the InterpreterNotifyDeoptXXX builtins and
unifies FCG and Igntion to both use NotifyDeoptXXX. As part of this
change, FullCodegenerator::State is moved to Deoptimize::BailoutState.

BUG=v8:4280
LOG=N

Committed: https://crrev.com/34c9626e2ee56fe805de549697ca5323aed7cb66
Cr-Commit-Position: refs/heads/master@{#36288}

Review-Url: https://codereview.chromium.org/1969423002
Cr-Commit-Position: refs/heads/master@{#36310}

Revert of Ship Turbofan optimization for try-catch and try-finally. (patchset #1 id:1 of https://codereview.chromium.org/1946883003/ )

Reason for revert:
Reverted because of
BUG=chromium:611885

Original issue's description:
> Ship Turbofan optimization for try-catch and try-finally.
>
> Committed: https://crrev.com/b84b01e6d2d8a0ed1e6b9186a5af755bab4bac9a
> Cr-Commit-Position: refs/heads/master@{#36005}

TBR=bmeurer@chromium.org,jarin@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.

Review-Url: https://codereview.chromium.org/1994543002
Cr-Commit-Position: refs/heads/master@{#36309}

Remove dead code to optimize Int64Constants as branch/select conditions,
because we either have tagged booleans or bits represented as word32.

R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1994533002
Cr-Commit-Position: refs/heads/master@{#36308}

One of the Arm OutOfLineRecordWrite was missing initialiation of must_save_lr

Review-Url: https://codereview.chromium.org/1988623003
Cr-Commit-Position: refs/heads/master@{#36307}

This moves collection of function information from its previous spot in
the standard compiler pipeline (GetSharedFunctionInfo() and
CompileTopLevel()) to its new location in CompileForLiveEdit. Nesting
information is reconstructed by traversing the AST.

R=yangguo@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/1971683002
Cr-Commit-Position: refs/heads/master@{#36306}

  port 8e303dd0 (r36276)

  original commit message:

BUG=

Review-Url: https://codereview.chromium.org/1989153002
Cr-Commit-Position: refs/heads/master@{#36305}

The type guard should never be used after the effect/control
linearization pass, so making it a simplified operator better
expresses the intended use. Also this way none of the common
operators actually has any dependency on the type system.

Drive-by-fix: Properly print the type parameter to a TypeGuard operator.

BUG=chromium:612142
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1994503002
Cr-Commit-Position: refs/heads/master@{#36304}

  port 551e0aa1 (r36275)

  original commit message:
  This adds back the instanceof operator support in the backends and
  introduces a @@hasInstance protector cell on the isolate that guards the
  fast path for the InstanceOfStub. This way we recover the ~10%
  regression on Octane EarleyBoyer in Crankshaft and greatly improve
  TurboFan and Ignition performance of instanceof.

BUG=

Review-Url: https://codereview.chromium.org/1991663002
Cr-Commit-Position: refs/heads/master@{#36303}

These guards are useless anyways once you make it throw the
effect/control linearizer because all memory operations and
calls are connected to the control and/or effect chain anyways
afterwards.

Drive-by-fix: Fail in the InstructionSelector if we ever see
a Guard node.

R=jarin@chromium.org
BUG=chromium:612142

Review-Url: https://codereview.chromium.org/1980383002
Cr-Commit-Position: refs/heads/master@{#36302}

This operator will be used to carry eager frame states, and is hooked up
to the effect chain with a control dependency to avoid hosting out of
control structures.

R=jarin@chromium.org
BUG=v8:5021

Review-Url: https://codereview.chromium.org/1993593002
Cr-Commit-Position: refs/heads/master@{#36301}