Previously, arrow function scopes had a separate ScopeType. However,
Scope::DeserializeScopeChain() erroneously deserialized ARROW_SCOPE
ScopeInfos as FUNCTION_SCOPE. This could lead to bugs such as the
attached one, where "super" was disallowed where it should have
been allowed.

This patch utilizes the Scope's FunctionKind to distinguish arrow
functions from others. Besides fixing the above bug, this also
simplifies code in various places that had to deal with two different
ScopeTypes both of which meant "function".

BUG=v8:4466
LOG=n

Review URL: https://codereview.chromium.org/1386253002

Cr-Commit-Position: refs/heads/master@{#31154}

This makes it explicit when the --ignition-filter pattern should be
applied to the script name instead of the function name by using a
proper "s:{name}" pattern. It also hardcodes it to be a prefix match
instead of an exact match, because that is all we need for test262.

R=rmcilroy@chromium.org

Review URL: https://codereview.chromium.org/1389353002

Cr-Commit-Position: refs/heads/master@{#31153}

Allow access to Array Iterator through the API, in order to simplify
setting up interfaces which use these methods. This applies to
WebIDL interfaces with "length" attributes returning integer types and
a getter taking an unsigned long type.

BUG=
LOG=N
R=adamk@chromium.org

Review URL: https://codereview.chromium.org/1378403004

Cr-Commit-Position: refs/heads/master@{#31152}

NOTRY=true

Review URL: https://codereview.chromium.org/1395503002

Cr-Commit-Position: refs/heads/master@{#31151}

This separates the core machinery and the heuristics involved with
inlining functions calls. So far the heuristic only respects our
%SetForceInlineFlag hint, but it will the place where general inlining
heuristics can live without impeding clarity of the core machinery.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1391903002

Cr-Commit-Position: refs/heads/master@{#31150}

Untangles committed memory from capacity in a given space and unifies accounting
for all spaces.

Pre-work for parallel compaction.

R=hpayer@chromium.org
BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1388383002

Cr-Commit-Position: refs/heads/master@{#31149}

Introduce a new JSGlobalSpecialization advanced reducer that runs
during the initial inlining and context specialization, and specializes
the graph to the globals of the native context.  Currently we assume
that we do not inline cross native context, but long-term we will grab
the global object from the JSLoadGlobal/JSStoreGlobal feedback (with the
new global load/store ICs that are currently in the workings), and then
this whole specialization will be fully compositional even across
cross-context inlining.

Note that we cannot really handle most of the stores to global object
property cells because TurboFan doesn't have a mechanism to enforce
certain representations.  Also note that we cannot yet fully benefit
from the type feedback collected on the global object property cells,
because the type system cannot deal with maps in a reasonable way.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=jarin@chromium.org
BUG=v8:4470
LOG=n

Committed: https://crrev.com/6fbf7903f94924ea066af481719898bd9667b6eb
Cr-Commit-Position: refs/heads/master@{#31139}

Review URL: https://codereview.chromium.org/1387393002

Cr-Commit-Position: refs/heads/master@{#31148}

This seems to be triggered now with global object specialization.

TEST=mjsunit/regress/regress-crbug-450960
TBR=mstarzinger@chromium.org
BUG=v8:4195
LOG=n

Review URL: https://codereview.chromium.org/1388403002 .

Cr-Commit-Position: refs/heads/master@{#31147}

- Reflect.deleteProperty
- Reflect.get
- Reflect.has
- Reflect.isExtensible

Reflect.get doesn't support the receiver argument yet, and
some of the others don't support proxies yet.

R=rossberg
BUG=v8:3931
LOG=n

Review URL: https://codereview.chromium.org/1379313002

Cr-Commit-Position: refs/heads/master@{#31146}

R=mstarzinger@chromium.org
BUG=chromium:540593
LOG=n

Review URL: https://codereview.chromium.org/1395453002

Cr-Commit-Position: refs/heads/master@{#31145}

Revert of [turbofan] Add initial support for global specialization. (patchset #4 id:60001 of https://codereview.chromium.org/1387393002/ )

Reason for revert:
Breaks GC stress: http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/1984/steps/Bisect%20c5528ac1.Retry/logs/regress-crbug-450960

Original issue's description:
> [turbofan] Add initial support for global specialization.
>
> Introduce a new JSGlobalSpecialization advanced reducer that runs
> during the initial inlining and context specialization, and specializes
> the graph to the globals of the native context.  Currently we assume
> that we do not inline cross native context, but long-term we will grab
> the global object from the JSLoadGlobal/JSStoreGlobal feedback (with the
> new global load/store ICs that are currently in the workings), and then
> this whole specialization will be fully compositional even across
> cross-context inlining.
>
> Note that we cannot really handle most of the stores to global object
> property cells because TurboFan doesn't have a mechanism to enforce
> certain representations.  Also note that we cannot yet fully benefit
> from the type feedback collected on the global object property cells,
> because the type system cannot deal with maps in a reasonable way.
>
> CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
> R=jarin@chromium.org
> BUG=v8:4470
> LOG=n
>
> Committed: https://crrev.com/6fbf7903f94924ea066af481719898bd9667b6eb
> Cr-Commit-Position: refs/heads/master@{#31139}

TBR=jarin@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4470

Review URL: https://codereview.chromium.org/1390073004

Cr-Commit-Position: refs/heads/master@{#31144}

Thus TypeFeedbackMetadata can now be shared between different native contexts.

Review URL: https://codereview.chromium.org/1384673002

Cr-Commit-Position: refs/heads/master@{#31143}

Adds support for compiling top level code to bytecode to be run in the
interpreter.

Also moves PassesFilter to String:: so that it can be used to filter top
level script names as well as functions (used in
https://codereview.chromium.org/1379093002/)

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1372293005

Cr-Commit-Position: refs/heads/master@{#31142}

NOTRY=true

Review URL: https://codereview.chromium.org/1394453002

Cr-Commit-Position: refs/heads/master@{#31141}

The roll ref is no longer used because we
simply roll the lkgr ref.

LOG=N
NOTRY=true
R=machenbach@chromium.org

Review URL: https://codereview.chromium.org/1391153002

Cr-Commit-Position: refs/heads/master@{#31140}

Introduce a new JSGlobalSpecialization advanced reducer that runs
during the initial inlining and context specialization, and specializes
the graph to the globals of the native context.  Currently we assume
that we do not inline cross native context, but long-term we will grab
the global object from the JSLoadGlobal/JSStoreGlobal feedback (with the
new global load/store ICs that are currently in the workings), and then
this whole specialization will be fully compositional even across
cross-context inlining.

Note that we cannot really handle most of the stores to global object
property cells because TurboFan doesn't have a mechanism to enforce
certain representations.  Also note that we cannot yet fully benefit
from the type feedback collected on the global object property cells,
because the type system cannot deal with maps in a reasonable way.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=jarin@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1387393002

Cr-Commit-Position: refs/heads/master@{#31139}

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1388343002

Cr-Commit-Position: refs/heads/master@{#31138}

Revert of improve perf_basic_prof filename reporting (patchset #1 id:1 of https://codereview.chromium.org/1388543002/ )

Reason for revert:
Suspected to cause crbug.com/539892

Original issue's description:
> improve perf_basic_prof filename reporting
>
> The buffer used for appending filenames to the string printed to the
> perf_basic_prof log was unnecessarily too small. Bump it up to be at least
> kUtf8BufferSize.
>
> Truncation of filenames makes it really hard to work with profiles gathered on
> Node.js. Because of the way Node.js works, you can have node module dependencies
> in deeply nested directories. The last thing you want when investigating a
> performance problem is to have script names be truncated.
>
> This patch is a stop-gap. Ideally, I want no truncation of the filename at all
> and use a dynamically growing buffer. That would be a larger change, and I
> wanted to have a quick fix available that can be back-ported to Node.js LTS
> release.
>
> R=yangguo@chromium.org,yurys@chromium.org
> BUG=
>
> Committed: https://crrev.com/03ef3cd004c2fd31ae7e48772f106df67b8c2feb
> Cr-Commit-Position: refs/heads/master@{#31092}

TBR=yangguo@chromium.org,yurys@chromium.org,ofrobots@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1390923004

Cr-Commit-Position: refs/heads/master@{#31137}

BUG=

Review URL: https://codereview.chromium.org/1393833002

Cr-Commit-Position: refs/heads/master@{#31136}

Optimizing global constants such as "NaN", "Infinity" and "undefined" is
best performed during graph building. Then the optimization and lowering
passes only need to deal with real loads in case of JSLoadGlobal.

R=mstarzinger@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1384953002

Cr-Commit-Position: refs/heads/master@{#31135}

Adds support for strict mode load / store ICs and cleans up BinaryOp and
CompareOp to only trigger an UNIMPLEMENTED abort if called with STRONG
mode (which is the only language mode which has different compare/binary ops.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1385623002

Cr-Commit-Position: refs/heads/master@{#31134}

R=yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1378693004

Cr-Commit-Position: refs/heads/master@{#31133}

As discussed, shipping early in the M48 branch will likely have greater
exposure than staging, in order to find any remaining bugs with this feature,
and provides plenty of time to unship if needed.

BUG=
LOG=N
R=adamk@chromium.org, wingo@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/1391643003

Cr-Commit-Position: refs/heads/master@{#31132}

Symbols marked as "well-known" now return an undefined value when loaded with a failed access check, instead of throwing.

Currently, only @@isConcatSpreadable is marked as well-known, until the correct behaviour is properly specified.

BUG=v8:4289, 507553
LOG=N
R=adamk@chromium.org, jochen@chromium.org, verwaest@chromium.org

Review URL: https://codereview.chromium.org/1230793002

Cr-Commit-Position: refs/heads/master@{#31131}

Revert of Changed scavenge GC to collect unmodified references (patchset #9 id:160001 of https://codereview.chromium.org/1358703003/ )

Reason for revert:
[Sheriff] Speculative revert due to crbug.com/539814

Original issue's description:
> Changed scavenge GC to collect unmodified references
>
> Added a scavenge GC pass that collects unmodified references instead of
> processing object groups.  This mode can be controlled by setting
> FLAG_scavenge_remove_unmodified_objects. By default this is turned off.
> Also, modified a test case to suit the handle the new GC pass.
>
> BUG=v8:4421
> LOG=N
>
> Committed: https://crrev.com/6254019238a853c9f3c09d615ba153043f6957c7
> Cr-Commit-Position: refs/heads/master@{#31102}

TBR=jochen@chromium.org,rmcilroy@chromium.org,mythria@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4421,chromium:539814

Review URL: https://codereview.chromium.org/1388133002

Cr-Commit-Position: refs/heads/master@{#31130}

Revert of [heap] Prepare code for smaller large object allocation limit than max allocatable memory. (patchset #10 id:180001 of https://codereview.chromium.org/1361853005/ )

Reason for revert:
[Sheriff] Need to revert for reverting https://codereview.chromium.org/1358703003/

Original issue's description:
> [heap] Prepare heap for smaller large object allocation limit than max allocatable memory.
>
> BUG=chromium:524425
> LOG=n
>
> Committed: https://crrev.com/c2bce747993c445daf78975392e587bff20c6677
> Cr-Commit-Position: refs/heads/master@{#31107}

TBR=mlippautz@chromium.org,mstarzinger@chromium.org,hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1376413005

Cr-Commit-Position: refs/heads/master@{#31129}

Previously, cases like
  var [foo]
led to a parser crash because the parser tried to do something with
the initializer, which was not syntactically present.

This patch fixes the parser issue (implicitly creating an undefined
initializer) and inserts a check for array destructuring that the
right-hand side is coercible to an object, so it can have iterator
methods called on it safely.

BUG=v8:4462
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1384413002

Cr-Commit-Position: refs/heads/master@{#31128}

ASLR is much weaker in a 2GB address space. Plus the vast
majority of 32-bit Windows hosts are XP, which don't have
ASLR anyway. So, avoid the fragmentation and skip it in
this case.

BUG=chromium:394591
LOG=Y
R=jochen@chromium.org

Review URL: https://codereview.chromium.org/1385023002

Cr-Commit-Position: refs/heads/master@{#31127}

Port 9c8262f1

Original commit message:
    When calling into C++ builtins, we need to make sure that the argument
    count register contains the correct number of arguments, otherwise the
    CEntryStub will not be able to leave the stack in the correct state.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1388993002

Cr-Commit-Position: refs/heads/master@{#31126}

Unwanted promotions resulted into check_eq errors from this CR:
 https://codereview.chromium.org/1384873002/
 http://build.chromium.org/p/client.v8/builders/V8%20Arm/builds/3141/steps/Check/logs/4

Found via -Wdouble-promotion.

Review URL: https://codereview.chromium.org/1372133006

Cr-Commit-Position: refs/heads/master@{#31125}

Implementations and tests for typeof, void, and logical not.

Add missing string type to Object::TypeOf.

BUG=v8:4280
LOG=NO

Review URL: https://codereview.chromium.org/1390483002

Cr-Commit-Position: refs/heads/master@{#31124}

Adds an ignition variant to the test runner and adds support to test262 for
filtering such that only test scripts (not the test harness) get run by
the interpreter.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1379093002

Cr-Commit-Position: refs/heads/master@{#31123}

This adds the unittests to the "default" test set. Now that
the "default" and the DEFAULT_TESTS (i.e. runner with
no arguments) are the same, removed DEFAULT_TESTS and use
TEST_MAP["default"] instead.

On the bots, where unittests and default were run in
separation before, the explicit unittests step should now
be skipped.

This is necessary for swarming, as the unittests step is
too small to justify its own swarming job.

BUG=chromium:535160
LOG=n

Review URL: https://codereview.chromium.org/1374733006

Cr-Commit-Position: refs/heads/master@{#31122}

TBR=machenbach@chromium.org

Review URL: https://codereview.chromium.org/1377643003 .

Cr-Commit-Position: refs/heads/master@{#31121}

When calling into C++ builtins, we need to make sure that the argument
count register contains the correct number of arguments, otherwise the
CEntryStub will not be able to leave the stack in the correct state.

R=ishell@chromium.org
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1391543002

Cr-Commit-Position: refs/heads/master@{#31120}

R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/1388813002

Cr-Commit-Position: refs/heads/master@{#31119}

Rolling v8/buildtools to 5fc8d3943e163ee627c8af50366c700c0325bba2

Rolling v8/tools/clang to 6ab82bf7484ae7c06316c095e93b8b0dc6ea806a

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review URL: https://codereview.chromium.org/1388043002

Cr-Commit-Position: refs/heads/master@{#31118}

Previously, using legacy const in for-of/in loops led to a check-fail
in the parser. This was due to the fact that the destructuring bind
led to an undefined initialization to undefined in the parser, which
caused the for loop code to go down a strange path. This patch
eliminates the undefined initialization in variables declared in
for-in/of loops, so that that path is not used and the error is
fixed.

BUG=v8:4461
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1385913003

Cr-Commit-Position: refs/heads/master@{#31117}

* Promise.resolve is now works with subclasses
* Spec removed [[PromiseConstructor]] now can simply use constructor
* Promise.resolve ignores species

R=littledan@chromium.org,domenic@chromium.org
BUG=v8:4161,v8:4341
LOG=Y

Review URL: https://codereview.chromium.org/1362773002

Cr-Commit-Position: refs/heads/master@{#31116}

This patch prohibits lexical bindings from being called 'let', even in
sloppy mode, following the ES2015 specification. The change affects
multiple cases of lexical bindings, including simple let/const declarations
and both kinds of for loops. var and legacy const bindings still permit
the name to be let, including in destructuring cases. Tests are added to
verify, though some cases are commented out since they led to (pre-existing)
crashes.

BUG=v8:4403
R=adamk
LOG=Y

Review URL: https://codereview.chromium.org/1371263003

Cr-Commit-Position: refs/heads/master@{#31115}