Also clarify some comments.

R=jarin@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1328193003

Cr-Commit-Position: refs/heads/master@{#30708}

These builtins present an optimization for the general addition case,
where one side is already known to be a string. Unfortunately this
optimization is wrong in the presence of @@toPrimitive (there are some
ideas how to implement a similar optimization using the prototype
backpointer mechanism that jkummerow@ introduced earlier). So this
also removes the broken %_IsStringWrapperSafeForDefaultValueOf, which is
the key part of the optimization mentioned above.

R=mstarzinger@chromium.org
BUG=v8:4307
LOG=n

Review URL: https://codereview.chromium.org/1336273002

Cr-Commit-Position: refs/heads/master@{#30707}

The String constructor was somewhat complex with a lot of micro
optimizations that are not relevant or even misguided. It would be
really hard to port that code to ES6, which requires String to be
subclassable. So as a first step we reduced the necessary complexity
to the bare minimum (also removing the last user of the fairly complex
MacroAssembler::LookupNumberStringCache method).

This also removes the counters for the String constructor, which
were not properly exposed anymore (and not kept in sync with inlined
versions of the String constructor anyway).

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1335193002

Cr-Commit-Position: refs/heads/master@{#30706}

In certiain cases the ArgumentsIteratorSetter would trigger an invalid
state in the LookupIterator when being overridden. This is now solved
by bypassing the SetDataProperty and directly using
DefinePropertyOrElementIgnoringAttributes since we know exactly which
property we're going to install

LOG=N
BUG=chromium:521484

Review URL: https://codereview.chromium.org/1332873002

Cr-Commit-Position: refs/heads/master@{#30705}

R=machenbach@chromium.org
BUG=530941
NOTRY=true
NOPRESUBMIT=true

Review URL: https://codereview.chromium.org/1340773002

Cr-Commit-Position: refs/heads/master@{#30704}

The GN default optimization flag is changing from being specific to the
debug/release status of the build to always being "default_optimization" so
it's easier to override without being conditional on the exact setup in
BUILDCONFIG.gn. See https://codereview.chromium.org/1324623005/

Since V8 is DEPS-ed in, it will need to support both modes to allow a landing.
This patch uses a temporary transitional flag I added to BUILDCONFIG to
indicate which variant should be used. After the patch is landed, we can remove
the new conditions and just remove default_optimization.

Review URL: https://codereview.chromium.org/1333963002

Cr-Commit-Position: refs/heads/master@{#30703}

BUG=None
LOG=N

Review URL: https://codereview.chromium.org/1332683002

Cr-Commit-Position: refs/heads/master@{#30702}

R=mlippautz@chromium.org

Review URL: https://codereview.chromium.org/1334273002

Cr-Commit-Position: refs/heads/master@{#30701}

Correctly save and restore FP registers in cctest/ConvertDToI to
avoid accidental register overwriting by the generated code.

Note: This failure is manifested only in R6 mode.

TEST=test/cctest/interpreter/test-interpreter
BUG=

Review URL: https://codereview.chromium.org/1337023002

Cr-Commit-Position: refs/heads/master@{#30700}

Port 622fa0ea

Original commit message:
Currently we do this dance between the CallConstructStub, the
CALL_* builtins and the %GetConstructorDelegate, %GetProxyTrap,
and %Apply runtime functions for every [[Construct]] operation on
non-function callables. This is complexity is unnecessary, and can
be simplified to work without any JS builtin. This will also make it
a lot easier to implement ES6 compliant [[Construct]] for proxies.

Also sanitize the invariant for CallConstructStub, which up until now
always restored the context itself, but that force us to always create
another copy of all arguments in case of proxies and other callables,
so we can relax that constraint by making the caller restore the context
(this only affects fullcodegen, since the optimizing compilers already
properly restore the context anyway).

BUG=

Review URL: https://codereview.chromium.org/1340553002

Cr-Commit-Position: refs/heads/master@{#30699}

Port 9fc4fc14

R=mlippautz@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1339673002

Cr-Commit-Position: refs/heads/master@{#30698}

Port 39604dda

Original commit message:
    Just use a %ThrowStackOverflow runtime function instead, which
    does the trick, especially since the Isolate already has a
    preallocated StackOverflow error for that.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1334303002

Cr-Commit-Position: refs/heads/master@{#30697}

Port 622fa0ea

Original commit message:
    Currently we do this dance between the CallConstructStub, the
    CALL_* builtins and the %GetConstructorDelegate, %GetProxyTrap,
    and %Apply runtime functions for every [[Construct]] operation on
    non-function callables. This is complexity is unnecessary, and can
    be simplified to work without any JS builtin. This will also make it
    a lot easier to implement ES6 compliant [[Construct]] for proxies.

    Also sanitize the invariant for CallConstructStub, which up until now
    always restored the context itself, but that force us to always create
    another copy of all arguments in case of proxies and other callables,
    so we can relax that constraint by making the caller restore the context
    (this only affects fullcodegen, since the optimizing compilers already
    properly restore the context anyway).

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1338663003

Cr-Commit-Position: refs/heads/master@{#30696}

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1332283002

Cr-Commit-Position: refs/heads/master@{#30695}

Cr-Commit-Position: refs/heads/master@{#30694}

Just use a %ThrowStackOverflow runtime function instead, which
does the trick, especially since the Isolate already has a
preallocated StackOverflow error for that.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1337883002

Cr-Commit-Position: refs/heads/master@{#30693}

This is so we can build with the flag on in the snapshot.
D8 then needs to be run with --vector-stores.

BUG=
R=machenbach@chromium.org

Review URL: https://codereview.chromium.org/1339593002

Cr-Commit-Position: refs/heads/master@{#30692}

Currently we do this dance between the CallConstructStub, the
CALL_* builtins and the %GetConstructorDelegate, %GetProxyTrap,
and %Apply runtime functions for every [[Construct]] operation on
non-function callables. This is complexity is unnecessary, and can
be simplified to work without any JS builtin. This will also make it
a lot easier to implement ES6 compliant [[Construct]] for proxies.

Also sanitize the invariant for CallConstructStub, which up until now
always restored the context itself, but that force us to always create
another copy of all arguments in case of proxies and other callables,
so we can relax that constraint by making the caller restore the context
(this only affects fullcodegen, since the optimizing compilers already
properly restore the context anyway).

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1335723002

Cr-Commit-Position: refs/heads/master@{#30691}

Grouping of live ranges that would be beneficial if
allocated on the same register. Currently, that means phi
outputs and inputs.

Review URL: https://codereview.chromium.org/1312473018

Cr-Commit-Position: refs/heads/master@{#30690}

PPC: Vector ICs: The Oracle needs to report feedback for the object literals and the count operation.

Port 752b0308

Original commit message:
    The refactoring is because it's awkward and error-prone to deterimine which IC slot an
    ObjectLiteralProperty uses for feedback. The fix is for each one to know it's own slot. In the
    numbering pass, we allocate slots for the ObjectLiteral, then hand out those slots into the
    properties.

    It adds one word to the ObjectLiteralProperty expression - I'm investigating if thats a
    problem.

    This changes makes compiling the object literal cleaner across the three compilers. Also, the
    slot allocation logic in ObjectLiteral::ComputeFeedbackRequirements() was refactoring to mimic
    the style in full-codegen. This is useful since it must remain in sync with
    FullCodegen::VisitObjectLiteral().

R=mvstanton@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1331893003

Cr-Commit-Position: refs/heads/master@{#30689}

When we cannot map top frame's pc to a code object and top frame is JS frame we now assume that it was a frameless invocation of a native function (e.g. __fmod) and try to resolve address on top of the stack into a JS function.

BUG=chromium:529931
LOG=Y

Review URL: https://codereview.chromium.org/1315683007

Cr-Commit-Position: refs/heads/master@{#30688}

Add skeleton version bytecode-graph-builder.{h,cc} for existing
bytecodes.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1291693004

Cr-Commit-Position: refs/heads/master@{#30687}

The refactoring is because it's awkward and error-prone to deterimine which IC slot an
ObjectLiteralProperty uses for feedback. The fix is for each one to know it's own slot. In the
numbering pass, we allocate slots for the ObjectLiteral, then hand out those slots into the
properties.

It adds one word to the ObjectLiteralProperty expression - I'm investigating if thats a
problem.

This changes makes compiling the object literal cleaner across the three compilers. Also, the
slot allocation logic in ObjectLiteral::ComputeFeedbackRequirements() was refactoring to mimic
the style in full-codegen. This is useful since it must remain in sync with
FullCodegen::VisitObjectLiteral().

Review URL: https://codereview.chromium.org/1321993004

Cr-Commit-Position: refs/heads/master@{#30686}

Inner functions must be eagerly parsed for scope analysis, but the full AST is
also kept around even though it's not needed.

This CL mitigates this problem by allocating some AstNodes of the inner function
to a temporary Zone which is deallocated once the scope information has been
built. The remaining nodes (such as VariableProxy) must persist until scope
analysis actually happens, and have to be allocated to a parser-persistent Zone.

BUG=417697
LOG=N

Review URL: https://codereview.chromium.org/1304923004

Cr-Commit-Position: refs/heads/master@{#30685}

Enable loads and stores to global vars through property cell shortcuts installed into parent script context.

Review URL: https://codereview.chromium.org/1330213003

Cr-Commit-Position: refs/heads/master@{#30684}

LoadICs must always return a JS-accessible value (nothing internal).
Dictionary property keys are guaranteed to be unique names.

BUG=chromium:527994
LOG=n

Review URL: https://codereview.chromium.org/1334673003

Cr-Commit-Position: refs/heads/master@{#30683}

BUG=v8:2160
LOG=N
NOTRY=true
R=adamk, machenbach@chromium.org, rossberg

Review URL: https://codereview.chromium.org/1331803003

Cr-Commit-Position: refs/heads/master@{#30682}

Removes deprecated functions from:
- test-unique.cc
- test-unscopables-hidden-prototype.cc
- test-utils-arm64.cc
- test-utils.cc
- test-version.cc
- test-weakmaps.cc
- test-weaksets.cc
- trace-extension.cc
- trace-extension.h

BUG=v8:4134
LOG=n

Review URL: https://codereview.chromium.org/1331013003

Cr-Commit-Position: refs/heads/master@{#30681}

Replace the ADD, SUB, etc. builtins with proper runtime implementations,
and expose them as runtime calls that can be used by the code stubs and
the interpreter (for now).

Also remove all the support runtime functions for ADD, SUB and friends,
namely %NumberAdd, %NumberSub, and so on.

R=mstarzinger@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg,v8_linux_nosnap_dbg

Review URL: https://codereview.chromium.org/1333843002

Cr-Commit-Position: refs/heads/master@{#30680}

This fixes the Runtime_DeclareGlobals performance regression caused by a huge number of global var declarations mentioned in chromium:517778.

BUG=chromium:517778
LOG=N

Review URL: https://codereview.chromium.org/1335633002

Cr-Commit-Position: refs/heads/master@{#30679}

When looking up a special accessor for known TypedArray fields
("length", "byteLength", "byteOffset"), consider the entire prototype
chain, not only the direct prototype.
This allows subclasses of TypedArrays to benefit from fast specialized
accesses.

Review URL: https://codereview.chromium.org/1313493005

Cr-Commit-Position: refs/heads/master@{#30678}

Narrowed the scope of the fix, to make a best effort to avoid DEOPT in
case the hole is loaded, but not to permute the choice of a consolidated
load in case that effort fails.

BUG=chromium:530005
LOG=N

Review URL: https://codereview.chromium.org/1330233004

Cr-Commit-Position: refs/heads/master@{#30677}

BUG=

Review URL: https://codereview.chromium.org/1330153003

Cr-Commit-Position: refs/heads/master@{#30676}

R=conradw@chromium.org

Review URL: https://codereview.chromium.org/1317033009

Cr-Commit-Position: refs/heads/master@{#30675}

The two tests in question got a lot slower and started to timeout now
that the C++ fallback implementation of the %Arguments intrinsics is
composable with respect to inlining.

R=bmeurer@chromium.org,machenbach@chromium.org

Review URL: https://codereview.chromium.org/1330203003

Cr-Commit-Position: refs/heads/master@{#30674}

This removes the aforementioned flag which has been on by default for a
while now. Note that this does not control optimization decisions, only
the last-resort bailout in the graph builder.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1335543002

Cr-Commit-Position: refs/heads/master@{#30673}

port ba7b6413 (r30649)

original commit message:

   This CL makes do with a single dispatcher which inlines the special handling for the Array() call case, loading the allocation site found in the vector and c

BUG=

Review URL: https://codereview.chromium.org/1330993004

Cr-Commit-Position: refs/heads/master@{#30672}

There are now two runtime entries %NewClosure and %NewClosure_Tenured,
with the same signature (one parameter, the SharedFunctionInfo, and the
context of the caller).

Also remove the HFunctionLiteral special case instruction from Crankshaft,
as HCallWithDescriptor with FastNewClosureStub or HCallRuntime with
either %NewClosure or %NewClosure_Tenured can easily do that for you.

Also remove the redundant context parameter from the JSCreateClosure
operator, because every JS operator already takes a context input.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_dbg

Review URL: https://codereview.chromium.org/1329293003

Cr-Commit-Position: refs/heads/master@{#30671}

Fix illegal use of at register when ldc1 and sdc1 are called. Added dchecks to prevent such a usage.

TEST=mjsunit/asm/float64array-negative-offset(r6), mjsunit/asm/float64array-outofbounds(r6)

Review URL: https://codereview.chromium.org/1323763002

Cr-Commit-Position: refs/heads/master@{#30670}

port b37907ff (r30648).

original commit message:

    The number of actual arguments should always be available, there's no
    point in trying to optimize away a simple assignment of an immediate to
    a register before some calls.

    The main motivation is to have a consistent state at the beginning of every
    function. Currently the arguments register (i.e. rax or eax) either contains
    the number of arguments or some random garbage depending on whether
    the callsite decided that the callee might need the information or not.
    This causes trouble with runtime implementations of functions that
    do not set internal_formal_parameter_count to the DontAdaptArguments
    sentinel (we don't have any of those yet), but also makes it impossible
    to sanity check the arguments in the callee, because the callee doesn't
    know whether the caller decided to pass the number of arguments or
    random garbage.

BUG=

Review URL: https://codereview.chromium.org/1335453002

Cr-Commit-Position: refs/heads/master@{#30669}