Fixes a mistake made in r35618 for register OperandSize calculations.

BUG=605470
LOG=N

Review URL: https://codereview.chromium.org/1908033002

Cr-Commit-Position: refs/heads/master@{#35719}

This is a follow-up to 58429beb
"Fix KeyedStore stub selection for STRING_WRAPPER_ELEMENTS".

BUG=chromium:602184
LOG=n

Review URL: https://codereview.chromium.org/1912443004

Cr-Commit-Position: refs/heads/master@{#35715}

The feature was deprecated in M49 and flagged off in M50.
This patch removes it entirely from the codebase.

Review URL: https://codereview.chromium.org/1909433003

Cr-Commit-Position: refs/heads/master@{#35714}

Non-vectorized KeyedLoadICs used to remember whether they had seen Names
as keys; Crankshaft uses this information to avoid emitting elements
accesses which would always deopt. This CL restores that functionality
for vector ICs.

BUG=chromium:594183
LOG=y
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1912593002

Cr-Commit-Position: refs/heads/master@{#35706}

BUG=

Review URL: https://codereview.chromium.org/1912553002

Cr-Commit-Position: refs/heads/master@{#35699}

BUG=chromium:605060
LOG=n

Review URL: https://codereview.chromium.org/1907953002

Cr-Commit-Position: refs/heads/master@{#35697}

[deoptimizer] Do not modify stack_fp which is used as a key for lookup of previously materialized objects.

BUG=chromium:604680, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1904663003

Cr-Commit-Position: refs/heads/master@{#35693}

Our previous over-conservative answer caused us to emit hole checks in
full-codegen when eagerly parsing but not when lazily parsing.

With this patch, we use the positions of the BinaryOperations making up
the parameter list (which are the positions of the commas) to determine
the appropriate "end position" for each parameter's initializer. This means
that we get accurate-enough positions for the initializers in the eager
parsing step to get the same answers for hole-check-elimination that we
will later during ParseLazy.

In the included test case, for example:

  (function() { ((s = 17, y = s) => s)(); } )();
                        ^2     ^1

The old code would generate a hole check when trying to load
|s| for assignment to |y| (because it treated the closing parentheses
pointed to by "^1" as the "initialization position" of |s|).

The new code uses the comma pointed to by "^2" as the initialization
position of |s|. Since that occurs textually before the load of |s|,
full-codegen knows it can avoid the hole check.

BUG=v8:4908
LOG=n

Review URL: https://codereview.chromium.org/1900343002

Cr-Commit-Position: refs/heads/master@{#35678}

Also factor out test cases from test-run-machops.cc into test-run-load-store.cc

BUG=chromium:599717
LOG=Y

Review URL: https://codereview.chromium.org/1858323003

Cr-Commit-Position: refs/heads/master@{#35651}

BUG=chromium:603463
LOG=N

Review URL: https://codereview.chromium.org/1894203002

Cr-Commit-Position: refs/heads/master@{#35607}

Add support to optimize certain comparisons of typeof with known
strings to utilize the existing ObjectIs<Type> predicates. Also
add a new ObjectIsCallable, which is used to optimize the common
typeof x === "function" pattern.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1898653003

Cr-Commit-Position: refs/heads/master@{#35562}

Quit using the global array in uri code.

R=yangguo@chromium.org
BUG=chromium:602970
LOG=N

Review URL: https://codereview.chromium.org/1889133003

Cr-Commit-Position: refs/heads/master@{#35530}

R=jkummerow@chromium.org
BUG=chromium:600257
LOG=N

Review URL: https://codereview.chromium.org/1884143002

Cr-Commit-Position: refs/heads/master@{#35496}

Reland of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1876103002/ )

Reason for revert:
Did not fail on another roll including this CL ..

Original issue's description:
> Revert of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1869693003/ )
>
> Reason for revert:
> Blocks current roll: https://codereview.chromium.org/1876713002/ according to bisect: https://codereview.chromium.org/1872353002/#ps80001
>
> Original issue's description:
> > [compiler] Make feedback vector cope with flag changes.
> >
> > This fixes corner cases where the layout of feedback vectors baked into
> > the snapshot is different from the expected layout, depending on some
> > runtime flags. We make sure the feedback vector is regenereated for
> > functions that are not compiled. Flag changes of this kind are only
> > allowed when code is not serialized.
> >
> > An alternative solution would be to not serialize the feedback vector
> > for such cases in the first place. That solution however would have a
> > higher overhead, as it would required the serializer to be able to
> > recognize feedback vectors while generating a snapshot.
> >
> > R=mvstanton@chromium.org
> > TEST=mjsunit/regress/regress-crbug-600995
> > BUG=chromium:600995
> > LOG=n
> >
> > Committed: https://crrev.com/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c
> > Cr-Commit-Position: refs/heads/master@{#35339}
>
> TBR=mvstanton@chromium.org,mstarzinger@chromium.org
>
> BUG=chromium:600995
> LOG=N
> NOTRY=true
>
> Committed: https://crrev.com/78049e9c4837f053575d6c71e53ae12fec99f1aa
> Cr-Commit-Position: refs/heads/master@{#35392}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:600995

Review URL: https://codereview.chromium.org/1876973002

Cr-Commit-Position: refs/heads/master@{#35398}

Revert of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1869693003/ )

Reason for revert:
Blocks current roll: https://codereview.chromium.org/1876713002/ according to bisect: https://codereview.chromium.org/1872353002/#ps80001

Original issue's description:
> [compiler] Make feedback vector cope with flag changes.
>
> This fixes corner cases where the layout of feedback vectors baked into
> the snapshot is different from the expected layout, depending on some
> runtime flags. We make sure the feedback vector is regenereated for
> functions that are not compiled. Flag changes of this kind are only
> allowed when code is not serialized.
>
> An alternative solution would be to not serialize the feedback vector
> for such cases in the first place. That solution however would have a
> higher overhead, as it would required the serializer to be able to
> recognize feedback vectors while generating a snapshot.
>
> R=mvstanton@chromium.org
> TEST=mjsunit/regress/regress-crbug-600995
> BUG=chromium:600995
> LOG=n
>
> Committed: https://crrev.com/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c
> Cr-Commit-Position: refs/heads/master@{#35339}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org

BUG=chromium:600995
LOG=N
NOTRY=true

Review URL: https://codereview.chromium.org/1876103002

Cr-Commit-Position: refs/heads/master@{#35392}

[deoptimizer] Extend assert to also expect kTailCallerFunction as bottommost frame when accessing arguments for inlined function.

BUG=chromium:601617, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1876753002

Cr-Commit-Position: refs/heads/master@{#35385}

Function bindings are the only variables in LEGACY_CONST mode.
(https://codereview.chromium.org/1819123002/). Since these variables
can also be accessed in strict mode functions we should support
handling such variables. Assigning to a legacy constant throws
a TypeError in strict mode. Also fixes hydrogen.cc to throw a
TypeError for legacy constants.

BUG=v8:4280,chromium:599068
LOG=N
TBR=rmcilroy@chromium.org

Review URL: https://codereview.chromium.org/1845223006

Cr-Commit-Position: refs/heads/master@{#35383}

These were all on by default in M49 without complaint.

R=littledan@chromium.org

Review URL: https://codereview.chromium.org/1858943002

Cr-Commit-Position: refs/heads/master@{#35342}

This fixes corner cases where the layout of feedback vectors baked into
the snapshot is different from the expected layout, depending on some
runtime flags. We make sure the feedback vector is regenereated for
functions that are not compiled. Flag changes of this kind are only
allowed when code is not serialized.

An alternative solution would be to not serialize the feedback vector
for such cases in the first place. That solution however would have a
higher overhead, as it would required the serializer to be able to
recognize feedback vectors while generating a snapshot.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-600995
BUG=chromium:600995
LOG=n

Review URL: https://codereview.chromium.org/1869693003

Cr-Commit-Position: refs/heads/master@{#35339}

Pushing undefined onto a FAST_DOUBLE_ARRAY does not enforce the right representation checks.

BUG=chromuim:599089
LOG=n

Review URL: https://codereview.chromium.org/1868973002

Cr-Commit-Position: refs/heads/master@{#35332}

BUG=chromium:585041
LOG=N

Review URL: https://codereview.chromium.org/1854423003

Cr-Commit-Position: refs/heads/master@{#35331}

We have to preserve control flow so that the liveness analysis is less
confused. This CL fixes loops to preserve teh original control flow.

BUG=chromium:599710
LOG=n

Review URL: https://codereview.chromium.org/1863123002

Cr-Commit-Position: refs/heads/master@{#35318}

R=bradnelson@chromium.org
BUG=chromium:599825
LOG=Y

Review URL: https://codereview.chromium.org/1858263002

Cr-Commit-Position: refs/heads/master@{#35273}

Previously, CreateDataProperty would fail a DCHECK when used to create
an integer indexed property on a TypedArray. This patch makes it throw
a TypeError instead. The issue came up when Array.prototype.concat
was repaired to use CreateDataProperty rather than SetElement; concat
can be tricked into making a new TypedArray if it is given an Array
whose prototype is a TypedArray. This patch prevents the issue.

R=adamk
LOG=Y
BUG=chromium:596394

Review URL: https://codereview.chromium.org/1821723004

Cr-Commit-Position: refs/heads/master@{#35271}

BUG=chromium:599414
LOG=n

Review URL: https://codereview.chromium.org/1863553003

Cr-Commit-Position: refs/heads/master@{#35269}

In simplified numbering, we make sanity checks based on types (e.g.,
NumberSubtract should take numbers as inputs), but this can be
violated if optimization passes make types less precise.

In this CL, we fix load elimination to make sure that types are
smaller in the store -> load elimination by taking an intersection
of the load's type with the store value's type and inserting a guard
with that type. Note that the load type comes from type feedback, so
it can be disjoint from the stored value type (in that case, this
must be dead code because the map chack for the load should prevent
us from using the stored value).

BUG=chromium:599412
LOG=n

Review URL: https://codereview.chromium.org/1857133003

Cr-Commit-Position: refs/heads/master@{#35259}

BUG=chromium:537444, v8:4698
LOG=N
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1859763005

Cr-Commit-Position: refs/heads/master@{#35253}

This was missing from the previous fix.

R=ishell@chromium.org
BUG=chromium:599714
LOG=n

Review URL: https://codereview.chromium.org/1861583002

Cr-Commit-Position: refs/heads/master@{#35249}

This fixes a corner case where the generator function of a suspended
generator has been marked for optimization. We assume the optimization
approach will cause a bailout because generators are not optimized. But
resuming is more resilient by always activating the unoptimized code.

R=neis@chromium.org,bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-513471
BUG=chromium:513471
LOG=n

Review URL: https://codereview.chromium.org/1856683002

Cr-Commit-Position: refs/heads/master@{#35234}

BUG=chromium:599003
LOG=N

Review URL: https://codereview.chromium.org/1856653002

Cr-Commit-Position: refs/heads/master@{#35232}

... instead of RUNTIME_ASSERT pointing to V8 guts.

BUG=chromium:599067
LOG=N

Review URL: https://codereview.chromium.org/1844223004

Cr-Commit-Position: refs/heads/master@{#35227}

This CL ensures that we build environments/frame states so that tail caller frame will never become topmost.

BUG=chromium:598998, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1849503002

Cr-Commit-Position: refs/heads/master@{#35188}

The HandlerCompiler did not properly handle the weird edge case when a
sloppy mode function was installed as an accessor on one of the value
wrapper prototypes and then accessed via a load from a primitive value.
In this case we just passed the primitive value untouched instead of
properly wrapping it first. The CallFunction builtin properly deals with
all the funny edge cases, so we use it instead of duplicating almost all
of the logic here (the performance difference is neglible).

R=verwaest@chromium.org
BUG=chromium:599073, v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1845243005

Cr-Commit-Position: refs/heads/master@{#35187}

R=bmeurer@chromium.org, cbruni@chromium.org, ulan@chromium.org
BUG=chromium:124206,chromium:569811
LOG=N

Review URL: https://codereview.chromium.org/1834633003

Cr-Commit-Position: refs/heads/master@{#35145}

Fix and re-enable the flexible representation for Math.floor (which is used to
implement Math.ceil) and Math.round, which allows Math.floor and Math.round to
return double results instead of int32, and therefore allows values outside
the int32 range, especially -0 is now a valid result, which doesn't deopt.

Also port this feature to x64 and ia32 when the CPU supports the SSE4.1
extension.

This addresses all the known deoptimization loops related to Math.round
in the Kraken benchmark suite, and seems to also address most of the
deoptimization loops related to Math.floor in the Oort Online benchmark.

Drive-by-fix: Import the regression tests for the broken HMathFloorOfDiv
optimization that caused the initial revert of the feature (for arm64 only
back then).

BUG=chromium:476477,v8:2890,v8:4059
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1841513003

Cr-Commit-Position: refs/heads/master@{#35094}

It's been on since M49. Also moved tests from harmony -> es6,
one of which was merged with another test of the same name.

While moving stuff over to regexp.js, I also noticed that there
were unused calls to %FunctionSetName and %SetNativeFlag (those
calls are already handled by InstallGetter()).

Review URL: https://codereview.chromium.org/1838563003

Cr-Commit-Position: refs/heads/master@{#35076}

BUG=v8:4737
LOG=n
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1676613002

Cr-Commit-Position: refs/heads/master@{#35074}

A bug in error printing meant that we failed to do proper type checks
before calling into C++ code, which could lead to RUNTIME_ASSERT
failures if methods are called on alternative receivers. This patch
adds the right type checks.

BUG=chromium:596718
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1831053003

Cr-Commit-Position: refs/heads/master@{#35069}

Now that ES2015 const has shipped, in Chrome 49, legacy const declarations
are no more. This lets us remove a bunch of code from many parts of the
codebase.

In this patch, I remove parser support for generating legacy const variables
from const declarations. This also removes the special "illegal declaration"
bit from Scope, which has ripples into all compiler backends.

Also gone are any tests which relied on legacy const declarations.

Note that we do still generate a Variable in mode CONST_LEGACY in one case:
function name bindings in sloppy mode. The likely fix there is to add a new
Variable::Kind for this case and handle it appropriately for stores in each
backend, but I leave that for a later patch to make this one completely
subtractive.

Review URL: https://codereview.chromium.org/1819123002

Cr-Commit-Position: refs/heads/master@{#35002}

Both of them shipped in Chrome 49 without incident.

Also move relevant tests from harmony/ to es6/.

Review URL: https://codereview.chromium.org/1815773002

Cr-Commit-Position: refs/heads/master@{#34964}