There was already a bit on the Map named "function with prototype",
which basically meant that the Map was a map for a JSFunction that could
be used as a constructor. Now this CL generalizes that bit to
IsConstructor, which says that whatever (Heap)Object you are looking at
can be used as a constructor (i.e. the bit is also set for bound
functions that can be used as constructors and proxies that have a
[[Construct]] internal method).

This way we have a single chokepoint for IsConstructor checking, which
allows us to get rid of the various ways in which we tried to guess
whether something could be used as a constructor or not.

Drive-by-fix: Renamed IsConstructor on FunctionKind to
IsClassConstructor to resolve the weird name clash, and the
IsClassConstructor name also matches the spec.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg,v8_linux_nosnap_dbg
R=jarin@chromium.org, rossberg@chromium.org
BUG=v8:4413, v8:4430
LOG=n

Committed: https://crrev.com/8de4d9351df4cf66c8a128d561a6e331d196be54
Cr-Commit-Position: refs/heads/master@{#30900}

Review URL: https://codereview.chromium.org/1358423002

Cr-Commit-Position: refs/heads/master@{#30902}

Revert of [es6] Introduce spec compliant IsConstructor. (patchset #2 id:20001 of https://codereview.chromium.org/1358423002/ )

Reason for revert:
Failed on Fuzzer and MIPS bot.

Original issue's description:
> [es6] Introduce spec compliant IsConstructor.
>
> There was already a bit on the Map named "function with prototype",
> which basically meant that the Map was a map for a JSFunction that could
> be used as a constructor. Now this CL generalizes that bit to
> IsConstructor, which says that whatever (Heap)Object you are looking at
> can be used as a constructor (i.e. the bit is also set for bound
> functions that can be used as constructors and proxies that have a
> [[Construct]] internal method).
>
> This way we have a single chokepoint for IsConstructor checking, which
> allows us to get rid of the various ways in which we tried to guess
> whether something could be used as a constructor or not.
>
> Drive-by-fix: Renamed IsConstructor on FunctionKind to
> IsClassConstructor to resolve the weird name clash, and the
> IsClassConstructor name also matches the spec.
>
> R=jarin@chromium.org, rossberg@chromium.org
> BUG=v8:4430
> LOG=n
>
> Committed: https://crrev.com/8de4d9351df4cf66c8a128d561a6e331d196be54
> Cr-Commit-Position: refs/heads/master@{#30900}

TBR=jarin@chromium.org,rossberg@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4430

Review URL: https://codereview.chromium.org/1360403002

Cr-Commit-Position: refs/heads/master@{#30901}

There was already a bit on the Map named "function with prototype",
which basically meant that the Map was a map for a JSFunction that could
be used as a constructor. Now this CL generalizes that bit to
IsConstructor, which says that whatever (Heap)Object you are looking at
can be used as a constructor (i.e. the bit is also set for bound
functions that can be used as constructors and proxies that have a
[[Construct]] internal method).

This way we have a single chokepoint for IsConstructor checking, which
allows us to get rid of the various ways in which we tried to guess
whether something could be used as a constructor or not.

Drive-by-fix: Renamed IsConstructor on FunctionKind to
IsClassConstructor to resolve the weird name clash, and the
IsClassConstructor name also matches the spec.

R=jarin@chromium.org, rossberg@chromium.org
BUG=v8:4430
LOG=n

Review URL: https://codereview.chromium.org/1358423002

Cr-Commit-Position: refs/heads/master@{#30900}

We somehow try to push some stuff on the stack when we detect a stack
overflow, that we don't need. Even worse we might access outside the
valid stack bounds. Since we don't need this, it's gone.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg,v8_linux_nosnap_dbg
R=jarin@chromium.org
BUG=chromium:534881
LOG=n

Review URL: https://codereview.chromium.org/1360953003

Cr-Commit-Position: refs/heads/master@{#30883}

Now both Execution::Call and Execution::New can deal with any
kind of target and will raise a proper exception if the target is not
callable (which is not yet spec compliant for New, as we would
have to check IsConstructor instead, which we don't have yet).

Now we no longer need to do any of these weird call/construct
delegate gymnastics in C++, and we finally have a single true
bottleneck for Call/Construct abstract operations in the code
base, with only a few special handlings left in the compilers to
optimize the JSFunction case.

R=jarin@chromium.org
BUG=v8:4430, v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1360793002

Cr-Commit-Position: refs/heads/master@{#30874}

Introduce new builtins Construct and ConstructFunction (in line
with the Call and CallFunction builtins that we already have) as
proper bottleneck for Construct and [[Construct]] on JSFunctions.
Use these builtins to support passing NewTarget from C++ to
JavaScript land.

Long-term we want the CallConstructStub to be used for
gathering feedback on entry to construction chain (i.e. the
initial new Foo), and use the Construct builtins to do the
actual work inside the construction chain (i.e. calling into
super and stuff).

MIPS and MIPS64 ports contributed by akos.palfi@imgtec.com.

R=jarin@chromium.org
BUG=v8:4430
LOG=n

Review URL: https://codereview.chromium.org/1359583002

Cr-Commit-Position: refs/heads/master@{#30857}

Currently Execution::Call (and friends) still duplicate a lot of the
Call sequence logic that should be encapsulated in the Call and
CallFunction builtins. So the plan now is to switch Execution::Call
to accept any Callable and just pass that through to the Call builtin.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_dbg
R=jarin@chromium.org
BUG=v8:4413
LOG=n

Committed: https://crrev.com/359645f48156e15f235e9a9ede7910e0bcd9ae45
Cr-Commit-Position: refs/heads/master@{#30791}

Review URL: https://codereview.chromium.org/1353723002

Cr-Commit-Position: refs/heads/master@{#30808}

Revert of [runtime] Initial step towards switching Execution::Call to callable. (patchset #1 id:1 of https://codereview.chromium.org/1353723002/ )

Reason for revert:
[Sheriff] Causes a dcheck failure in layout tests (and some test changes in release):
https://storage.googleapis.com/chromium-layout-test-archives/V8-Blink_Linux_64__dbg_/1442/layout-test-results/virtual/android/fullscreen/api/element-request-fullscreen-top-stderr.txt
from
http://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064%20%28dbg%29/builds/1442

Original issue's description:
> [runtime] Initial step towards switching Execution::Call to callable.
>
> Currently Execution::Call (and friends) still duplicate a lot of the
> Call sequence logic that should be encapsulated in the Call and
> CallFunction builtins. So the plan now is to switch Execution::Call
> to accept any Callable and just pass that through to the Call builtin.
>
> CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_dbg
> R=jarin@chromium.org
> BUG=v8:4413
> LOG=n
>
> Committed: https://crrev.com/359645f48156e15f235e9a9ede7910e0bcd9ae45
> Cr-Commit-Position: refs/heads/master@{#30791}

TBR=jarin@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4413

Review URL: https://codereview.chromium.org/1346763005

Cr-Commit-Position: refs/heads/master@{#30793}

Currently Execution::Call (and friends) still duplicate a lot of the
Call sequence logic that should be encapsulated in the Call and
CallFunction builtins. So the plan now is to switch Execution::Call
to accept any Callable and just pass that through to the Call builtin.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_dbg
R=jarin@chromium.org
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1353723002

Cr-Commit-Position: refs/heads/master@{#30791}

There isn't a plan to turn it on soon, so we'll take it out in favor of cleaner code.

BUG=

Review URL: https://codereview.chromium.org/1202173002

Cr-Commit-Position: refs/heads/master@{#30767}

Implement the String constructor completely as native builtin,
avoiding the need to do gymnastics in JavaScript builtin to
properly detect the no argument case (which is different from
the undefined argument case) and also allowing to just
tailcall through to ToString or SymbolDescriptiveString for
the common case. Also the JavaScript builtin was misleading
since the case for construct call was unused, but could be
triggered in a wrong way once we support tail calls from
constructor functions.

This refactoring allows us to properly implement subclassing
for String builtins, once we have the correct initial_map on
derived classes (it's merely a matter of using NewTarget
instead of the target register now).

This introduces a new %SymbolDescriptiveString runtime
entry, which is also used by Symbol.toString() now.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1344893002

Cr-Commit-Position: refs/heads/master@{#30759}

BUG=v8:4423
LOG=N

Review URL: https://codereview.chromium.org/1342013003

Cr-Commit-Position: refs/heads/master@{#30758}

Adds support for JS calls to the interpreter. In order to support
calls from the interpreter, the PushArgsAndCall builtin is added
which pushes a sequence of arguments onto the stack and calls
builtin::Call.

Adds the Call bytecode.

MIPS port contributed by akos.palfi@imgtec.com in https://codereview.chromium.org/1334873002/

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1323463005

Cr-Commit-Position: refs/heads/master@{#30710}

The String constructor was somewhat complex with a lot of micro
optimizations that are not relevant or even misguided. It would be
really hard to port that code to ES6, which requires String to be
subclassable. So as a first step we reduced the necessary complexity
to the bare minimum (also removing the last user of the fairly complex
MacroAssembler::LookupNumberStringCache method).

This also removes the counters for the String constructor, which
were not properly exposed anymore (and not kept in sync with inlined
versions of the String constructor anyway).

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1335193002

Cr-Commit-Position: refs/heads/master@{#30706}

Just use a %ThrowStackOverflow runtime function instead, which
does the trick, especially since the Isolate already has a
preallocated StackOverflow error for that.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1337883002

Cr-Commit-Position: refs/heads/master@{#30693}

The new Call and CallFunction builtins supersede the current
CallFunctionStub (and CallIC magic) and will be the single bottleneck
for all calling, including the currently special Function.prototype.call
and Function.prototype.apply builtins, which had handwritten (and
not fully compliant) versions of CallFunctionStub, and also the
CallIC(s), which where also slightly different.

This also reduces the overhead for API function calls, which is still
unnecessary high, but let's do that step-by-step.

This also fixes a bunch of cases where the implicit ToObject for
sloppy receivers was done in the wrong context (in the caller
context instead of the callee context), which basically meant
that we allowed cross context access to %ObjectPrototype%.

MIPS and MIPS64 ports contributed by akos.palfi@imgtec.com.

R=mstarzinger@chromium.org, jarin@chromium.org, mvstanton@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg,v8_linux_nosnap_dbg
BUG=v8:4413
LOG=n

Committed: https://crrev.com/ef268a83be4dead004047c25b702319ea4be7277
Cr-Commit-Position: refs/heads/master@{#30627}

Review URL: https://codereview.chromium.org/1311013008

Cr-Commit-Position: refs/heads/master@{#30629}

Revert of [builtins] Unify the various versions of [[Call]] with a Call builtin. (patchset #10 id:260001 of https://codereview.chromium.org/1311013008/ )

Reason for revert:
Breaks nosnap, needs investigation

Original issue's description:
> [builtins] Unify the various versions of [[Call]] with a Call builtin.
>
> The new Call and CallFunction builtins supersede the current
> CallFunctionStub (and CallIC magic) and will be the single bottleneck
> for all calling, including the currently special Function.prototype.call
> and Function.prototype.apply builtins, which had handwritten (and
> not fully compliant) versions of CallFunctionStub, and also the
> CallIC(s), which where also slightly different.
>
> This also reduces the overhead for API function calls, which is still
> unnecessary high, but let's do that step-by-step.
>
> This also fixes a bunch of cases where the implicit ToObject for
> sloppy receivers was done in the wrong context (in the caller
> context instead of the callee context), which basically meant
> that we allowed cross context access to %ObjectPrototype%.
>
> MIPS and MIPS64 ports contributed by akos.palfi@imgtec.com.
>
> R=mstarzinger@chromium.org, jarin@chromium.org, mvstanton@chromium.org
> CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg
> BUG=v8:4413
> LOG=n
>
> Committed: https://crrev.com/ef268a83be4dead004047c25b702319ea4be7277
> Cr-Commit-Position: refs/heads/master@{#30627}

TBR=rmcilroy@chromium.org,jarin@chromium.org,mstarzinger@chromium.org,mvstanton@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4413

Review URL: https://codereview.chromium.org/1328963004

Cr-Commit-Position: refs/heads/master@{#30628}

The new Call and CallFunction builtins supersede the current
CallFunctionStub (and CallIC magic) and will be the single bottleneck
for all calling, including the currently special Function.prototype.call
and Function.prototype.apply builtins, which had handwritten (and
not fully compliant) versions of CallFunctionStub, and also the
CallIC(s), which where also slightly different.

This also reduces the overhead for API function calls, which is still
unnecessary high, but let's do that step-by-step.

This also fixes a bunch of cases where the implicit ToObject for
sloppy receivers was done in the wrong context (in the caller
context instead of the callee context), which basically meant
that we allowed cross context access to %ObjectPrototype%.

MIPS and MIPS64 ports contributed by akos.palfi@imgtec.com.

R=mstarzinger@chromium.org, jarin@chromium.org, mvstanton@chromium.org
CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_layout_dbg
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1311013008

Cr-Commit-Position: refs/heads/master@{#30627}

The call protocol requires that the register dedicated to the number of
actual arguments (i.e. rax on x64) always contains the actual arguments.
That means after adapting arguments it should match the number of
expected arguments.  But currently we pass some semi-random value
(usually some stack address) after adapting arguments.

It looks like this is currently not observable anywhere, because our
builtins and functions either don't look at the number of arguments and
just make hard coded (unchecked) assumptions, or are marked as "don't
adapt arguments", which bypasses the broken code in the trampoline for
arguments adaption.  Nevertheless this should be fixed.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1306423003

Cr-Commit-Position: refs/heads/master@{#30467}

This adds a new ToString runtime function and a fast-path ToStringStub
(which is just a simple dispatcher for existing functionality), and also
implements %_ToName using the ToStringStub.

R=mstarzinger@chromium.org, yangguo@chromium.org
BUG=v8:4307
LOG=n

Review URL: https://codereview.chromium.org/1319973007

Cr-Commit-Position: refs/heads/master@{#30442}

Adds support for parameters to the BytecodeArrayBuilder and BytecodeGenerator.
Parameters are accessed as negative interpreter registers.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1303403004

Cr-Commit-Position: refs/heads/master@{#30403}

R=bmeurer@chromium.org, mstarzinger@chromium.org, rmcilroy@chromium.org

Review URL: https://codereview.chromium.org/1316943002

Cr-Commit-Position: refs/heads/master@{#30402}

Makes the following modifications to the interpreter builtins and
InterpreterAssembler:
 - Adds an accumulator register and initializes it to undefined()
 - Adds a register file pointer register and use it instead of FramePointer to
   access registers
 - Modifies builtin to support functions with 0 regiters in the register file
 - Modifies builtin to Call rather than TailCall to first bytecode handler.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1289863003

Cr-Commit-Position: refs/heads/master@{#30219}

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1299563003

Cr-Commit-Position: refs/heads/master@{#30187}

This way we can greatly simplify the different variants of ToObject in
our codebase and make them more uniform and robust.  Adding a new
primitive doesn't require finding and changing all those places again,
but it is sufficient to setup the constructor function index when
allocating the map.

We use the inobject properties field of Map, which is invalid primitive
maps anyway.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1276533003

Cr-Commit-Position: refs/heads/master@{#30119}

Since we need the notion of a dummy vector ic, we can use that to avoid
a special case of the IC constructor. Also, consolidate the two dummy
ICs into one.

BUG=

Review URL: https://codereview.chromium.org/1268783004

Cr-Commit-Position: refs/heads/master@{#29956}

This is the initial (big) step towards a more uniform implementation of
the ToObject abstract operation (ES6 7.1.13), where we have a fallback
implementation in JSReceiver::ToObject() and a fast (hydrogen) CodeStub
to deal with the fast case (we should be able to do more cleanup on this
in a followup CL).  For natives we expose the abstract operation via a
%_ToObject intrinsic, also exposed via a macro TO_OBJECT, that unifies
the previous confusion with TO_OBJECT_INLINE, ToObject, TO_OBJECT,
$toObject and %$toObject.  Now the whole implementation of the abstract
operation is context independent, meaning we don't need any magic in the
builtins object nor the native context.

R=mvstanton@chromium.org,yangguo@chromium.org

Review URL: https://codereview.chromium.org/1266013006

Cr-Commit-Position: refs/heads/master@{#29953}

R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1265923002

Cr-Commit-Position: refs/heads/master@{#29951}

Adds interpreter entry and exit trampoline builtins. Also implements the
Return bytecode handler and fixes a few bugs in InterpreterAssembler
highlighted by running on other architectures.

MIPS and MIPS64 port contributed by Paul Lind (paul.lind@imgtec.com)

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1245133002

Cr-Commit-Position: refs/heads/master@{#29929}

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1248443003

Cr-Commit-Position: refs/heads/master@{#29840}

Additionally, push the allocation site or undefined independently of creating a memento to preserve a fixed size for the construct frames.

BUG=

Review URL: https://codereview.chromium.org/1239593003

Cr-Commit-Position: refs/heads/master@{#29719}

This changes the calling convention of the CallConstructStub to take
the original constructor (i.e. new.target in JS-speak) in a register
instead of magically via the operand stack. For optimizing compilers
the operand stack doesn't exist, hence cannot be peeked into.

R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1237813002

Cr-Commit-Position: refs/heads/master@{#29681}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1227163011

Cr-Commit-Position: refs/heads/master@{#29617}

Note that there are currently no objects that require a pre-allocated
properties backing store, all such slots are in-object properties from
the begining. Hence {unused + pre_allocated - inobject == 0} holds.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1226203011

Cr-Commit-Position: refs/heads/master@{#29590}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1213623020

Cr-Commit-Position: refs/heads/master@{#29562}

Revert "Revert relanded strong property access CL"

Regression issues should be solved. Initial patchset is the original, subsequent patchsets are the fixing modifications.

This reverts commit 4ac7be56.

BUG=v8:3956
LOG=N

Review URL: https://codereview.chromium.org/1199983002

Cr-Commit-Position: refs/heads/master@{#29384}

This makes new.target work in [[Call]] and [[Construct]] of ordinary
functions.

We achieve this by introducing a new construct stub for functions that
uses the new.target variable. The construct stub pushes the original
constructor just above the receiver in the construct frame.

BUG=v8:3887
LOG=N
R=adamk@chromium.org, dslomov@chromium.org

Review URL: https://codereview.chromium.org/1203813002

Cr-Commit-Position: refs/heads/master@{#29358}

The stack layout was different for different ports.

BUG=v8:3887
LOG=N
R=dslomov@chromium.org, adamk@chromium.org

Review URL: https://codereview.chromium.org/1203103003

Cr-Commit-Position: refs/heads/master@{#29292}

JSConstructStub for subclass constructors instead locates new.target in
a known location on the stack.

R=arv@chromium.org,adamk@chromium.org
BUG=v8:3886
LOG=N

Review URL: https://codereview.chromium.org/1196193014

Cr-Commit-Position: refs/heads/master@{#29238}

BUG=

Review URL: https://codereview.chromium.org/1180713007

Cr-Commit-Position: refs/heads/master@{#29175}