Port aafc3e54

Original commit message:
    The FIRST-LAST_NONCALLABLE_SPEC_OBJECT_TYPE range was accidentially used
    in field type tracking, where we should check for JSReceiver instead
    (there's no need to exclude JSProxy or JSFunction from tracking).

    And the use in %_ClassOf was actually wrong and didn't match the C++
    implementation in JSReceiver::class_name() anymore. Now it's consistent
    again.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=chromium:535408
LOG=n

Review URL: https://codereview.chromium.org/1537013002

Cr-Commit-Position: refs/heads/master@{#32973}

  port aafc3e54 (r32926)

  original commit message:
  The FIRST-LAST_NONCALLABLE_SPEC_OBJECT_TYPE range was accidentially used
  in field type tracking, where we should check for JSReceiver instead
  (there's no need to exclude JSProxy or JSFunction from tracking).

  And the use in %_ClassOf was actually wrong and didn't match the C++
  implementation in JSReceiver::class_name() anymore. Now it's consistent
  again.

BUG=

Review URL: https://codereview.chromium.org/1537613002

Cr-Commit-Position: refs/heads/master@{#32937}

Add Ivica B.

NOTRY=true

Review URL: https://codereview.chromium.org/1525413003

Cr-Commit-Position: refs/heads/master@{#32933}

The FIRST-LAST_NONCALLABLE_SPEC_OBJECT_TYPE range was accidentially used
in field type tracking, where we should check for JSReceiver instead
(there's no need to exclude JSProxy or JSFunction from tracking).

And the use in %_ClassOf was actually wrong and didn't match the C++
implementation in JSReceiver::class_name() anymore. Now it's consistent
again.

R=yangguo@chromium.org
BUG=chromium:535408
LOG=n

Review URL: https://codereview.chromium.org/1535523003 .

Cr-Commit-Position: refs/heads/master@{#32926}

  port 2c75e3d2 (r32903)

  original commit message:
  We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code
  without access-checks (see proxies-cross-realm-ecxeption.js).

BUG=

Review URL: https://codereview.chromium.org/1534663002

Cr-Commit-Position: refs/heads/master@{#32924}

MIPS: Fix `[proxies] fix access issue when having proxies on the prototype-chain of global objects.`

Port 2c75e3d2

Original commit message:
We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js).

BUG=

Review URL: https://codereview.chromium.org/1526253006

Cr-Commit-Position: refs/heads/master@{#32921}

Port 2c75e3d2

R=cbruni@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1530233003

Cr-Commit-Position: refs/heads/master@{#32915}

We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js).

Review URL: https://codereview.chromium.org/1521953002

Cr-Commit-Position: refs/heads/master@{#32903}

BUG=

Review URL: https://codereview.chromium.org/1517673002

Cr-Commit-Position: refs/heads/master@{#32806}

Remove unused obsolete %_StringGetStringLength intrinsic, and properly
optimize the %_SubString, %_RegExpExec, %_RegExpFlags, %_RegExpSource
and %_RegExpConstructResult intrinsics.

Review URL: https://codereview.chromium.org/1516753006

Cr-Commit-Position: refs/heads/master@{#32782}

No need to have an indirection to get to the initial JSArray maps from
the native context; we only cache the fast elements maps anyway, so
those could live on the native context directly. This will also
integrate nicely with the load/store propagation in TurboFan (once we
propagate the immutable flag for FieldAccess as well).

Drive-by-fix: Also don't embed any of the initial JSArray maps in
TurboFan generated code when allocating a new JSArray, but instead
always load the appropriate map from the native context.  This way
we ensure that we never leak a reference to one of those maps and
its as efficient as embedding a constant map.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1516433005

Cr-Commit-Position: refs/heads/master@{#32779}

BUG=

Review URL: https://codereview.chromium.org/1502153007

Cr-Commit-Position: refs/heads/master@{#32721}

This makes the strong link from optimized code to code objects for all
inlined functions explicit. It adds direct references to code objects
into deoptimization data as literals. Note that this is not necessarily
the code that will be deoptimized to, because the code on the shared
function info might be replaced by other components (e.g. debugger).
Those replacement code objects however are all non-flushable, marking
explicit strong links for reachability unnecessary.

R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1490233009

Cr-Commit-Position: refs/heads/master@{#32654}

  port 086d4598 (r32644)

  original commit message:
  The backing store is only held alive indirectly via the array buffer
  referenced by the holder (typed array), so it's not enough to keep the
  elements alive (or even just the external pointer loaded from the
  elements).

BUG=

Review URL: https://codereview.chromium.org/1503943002

Cr-Commit-Position: refs/heads/master@{#32648}

The backing store is only held alive indirectly via the array buffer
referenced by the holder (typed array), so it's not enough to keep the
elements alive (or even just the external pointer loaded from the
elements).

R=mstarzinger@chromium.org,bmeurer@chromium.org
LOG=n
BUG=v8:1827

Review URL: https://codereview.chromium.org/1493983004

Cr-Commit-Position: refs/heads/master@{#32644}

BUG=

Review URL: https://codereview.chromium.org/1434263003

Cr-Commit-Position: refs/heads/master@{#32630}

Attempt #<really big number>

Parses, and lazily rewrites Destructuring Assignment expressions. The rewriting strategy involves inserting a placeholder RewritableAssignmentExpression into the AST, whose content expression can be completely rewritten at a later time.

Lazy rewriting ensures that errors do not occur due to eagerly rewriting nodes which form part of a binding pattern, thus breaking the meaning of the pattern --- or by eagerly rewriting ambiguous constructs that are not immediately known

BUG=v8:811
LOG=Y
R=adamk@chromium.org, bmeurer@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/1309813007

Cr-Commit-Position: refs/heads/master@{#32623}

BUG=v8:1543
LOG=N

Review URL: https://codereview.chromium.org/1496503002

Cr-Commit-Position: refs/heads/master@{#32616}

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1499103002

Cr-Commit-Position: refs/heads/master@{#32613}

  port a330af0e (r32539)

  original commit message:
  The optimized code generated by Crankshaft cannot properly deal
  with proxies (in the prototype chain), and there's probably no
  point in trying to make that work^Wfast with Crankshaft at all.
  TurboFan will handle that properly; Crankshaft just bails out
  to fullcodegen, which then goes to the runtime, which should do
  the right thing soon.

BUG=

Review URL: https://codereview.chromium.org/1495803003

Cr-Commit-Position: refs/heads/master@{#32594}

Port a330af0e

Original commit message:
    The optimized code generated by Crankshaft cannot properly deal
    with proxies (in the prototype chain), and there's probably no
    point in trying to make that work^Wfast with Crankshaft at all.
    TurboFan will handle that properly; Crankshaft just bails out
    to fullcodegen, which then goes to the runtime, which should do
    the right thing soon.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:1543
LOG=n

Review URL: https://codereview.chromium.org/1496843004

Cr-Commit-Position: refs/heads/master@{#32583}

Reland of Do not remove write barriers for stores of old space references in most recent old space allocation. (patchset #1 id:1 of https://codereview.chromium.org/1482973003/ )

Reason for revert:
Suspect for crashing found, relanding for canary coverage.

Original issue's description:
> Revert of Do not remove write barriers for stores of old space references in most recent old space allocation. (patchset #1 id:1 of https://codereview.chromium.org/1478113002/ )
>
> Reason for revert:
> Broken canary. Trying to find out root cause.
>
> Original issue's description:
> > Do not remove write barriers for stores of old space references in most recent old space allocation.
> >
> > BUG=chromium:561449
> > LOG=n
> >
> > Committed: https://crrev.com/369778ec55a63ebe51e8fa8497edb5b681069b9b
> > Cr-Commit-Position: refs/heads/master@{#32368}
>
> TBR=ulan@chromium.org,bmeurer@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=chromium:561449
>
> Committed: https://crrev.com/da56525478f1820e3da629576ab61acc5f84daac
> Cr-Commit-Position: refs/heads/master@{#32406}

TBR=ulan@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:561449

Review URL: https://codereview.chromium.org/1493313002

Cr-Commit-Position: refs/heads/master@{#32555}

It didn't support subclassing case at all and in non-subclassing case the runtime
allocation didn't do the slack tracking step.

BUG=chromium:563339
LOG=Y

Review URL: https://codereview.chromium.org/1488023002

Cr-Commit-Position: refs/heads/master@{#32547}

The optimized code generated by Crankshaft cannot properly deal
with proxies (in the prototype chain), and there's probably no
point in trying to make that work^Wfast with Crankshaft at all.
TurboFan will handle that properly; Crankshaft just bails out
to fullcodegen, which then goes to the runtime, which should do
the right thing soon.

BUG=v8:1543
LOG=n

Review URL: https://codereview.chromium.org/1492983002

Cr-Commit-Position: refs/heads/master@{#32539}

non-constructors are not allowed to have initial maps. The optimizing compilers used to add initial maps unconditionally to functions used as right-hand-side in instanceof.

BUG=

Review URL: https://codereview.chromium.org/1490003003

Cr-Commit-Position: refs/heads/master@{#32497}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1479233002

Cr-Commit-Position: refs/heads/master@{#32470}

This moves the bailout for functions containing new.target variable to
the correct place so that Crankshaft doesn't accidentally inline such
functions, yielding an "undefined" new.target value all the time.

R=bmeurer@chromium.org
TEST=mjsunit/es6/regress/regress-inlined-new-target

Review URL: https://codereview.chromium.org/1484163003

Cr-Commit-Position: refs/heads/master@{#32468}

The fix is to bail out of compilation in that case.

BUG=chromium:551287
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1483373002

Cr-Commit-Position: refs/heads/master@{#32454}

Port 47502a23

Original commit message:
    Previously all contexts had a link to the global object, but what is
    required in most cases (except for the global load, store and delete
    case) is the native context.

    This also removes the second dummy global object that was still linked
    to every native context. We will add a different mechanism to ensure
    that builtins do not pollute the actual global object during
    bootstrapping.

    Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1491433002

Cr-Commit-Position: refs/heads/master@{#32435}

BUG=

Review URL: https://codereview.chromium.org/1453373002

Cr-Commit-Position: refs/heads/master@{#32418}

Revert of Do not remove write barriers for stores of old space references in most recent old space allocation. (patchset #1 id:1 of https://codereview.chromium.org/1478113002/ )

Reason for revert:
Broken canary. Trying to find out root cause.

Original issue's description:
> Do not remove write barriers for stores of old space references in most recent old space allocation.
>
> BUG=chromium:561449
> LOG=n
>
> Committed: https://crrev.com/369778ec55a63ebe51e8fa8497edb5b681069b9b
> Cr-Commit-Position: refs/heads/master@{#32368}

TBR=ulan@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:561449

Review URL: https://codereview.chromium.org/1482973003

Cr-Commit-Position: refs/heads/master@{#32406}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1483933002

Cr-Commit-Position: refs/heads/master@{#32403}

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1488493002

Cr-Commit-Position: refs/heads/master@{#32402}

This depends on issue 1476403004.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1479293002

Cr-Commit-Position: refs/heads/master@{#32401}

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1480273002

Cr-Commit-Position: refs/heads/master@{#32395}

Use {FIRST,LAST}_JS_RECEIVER_TYPE instead.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1486563002

Cr-Commit-Position: refs/heads/master@{#32393}

  port 47502a23 (r32381)

  original commit message:
  Previously all contexts had a link to the global object, but what is
  required in most cases (except for the global load, store and delete
  case) is the native context.

  This also removes the second dummy global object that was still linked
  to every native context. We will add a different mechanism to ensure
  that builtins do not pollute the actual global object during
  bootstrapping.

  Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

BUG=

Review URL: https://codereview.chromium.org/1481353002

Cr-Commit-Position: refs/heads/master@{#32387}

Previously all contexts had a link to the global object, but what is
required in most cases (except for the global load, store and delete
case) is the native context.

This also removes the second dummy global object that was still linked
to every native context. We will add a different mechanism to ensure
that builtins do not pollute the actual global object during
bootstrapping.

Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=yangguo@chromium.org,mstarzinger@chromium.org

Committed: https://crrev.com/d290f204938295bfecc5c8e645ccfcff6e80ddb8
Cr-Commit-Position: refs/heads/master@{#32375}

Review URL: https://codereview.chromium.org/1480003002

Cr-Commit-Position: refs/heads/master@{#32381}

Revert of [runtime] Replace global object link with native context link in all contexts. (patchset #3 id:40001 of https://codereview.chromium.org/1480003002/ )

Reason for revert:
[Sheriff] Breaks:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosnap/builds/5472

Original issue's description:
> [runtime] Replace global object link with native context link in all contexts.
>
> Previously all contexts had a link to the global object, but what is
> required in most cases (except for the global load, store and delete
> case) is the native context.
>
> This also removes the second dummy global object that was still linked
> to every native context. We will add a different mechanism to ensure
> that builtins do not pollute the actual global object during
> bootstrapping.
>
> Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.
>
> R=yangguo@chromium.org
>
> Committed: https://crrev.com/d290f204938295bfecc5c8e645ccfcff6e80ddb8
> Cr-Commit-Position: refs/heads/master@{#32375}

TBR=yangguo@chromium.org,mstarzinger@chromium.org,bmeurer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1478303002

Cr-Commit-Position: refs/heads/master@{#32377}

Previously all contexts had a link to the global object, but what is
required in most cases (except for the global load, store and delete
case) is the native context.

This also removes the second dummy global object that was still linked
to every native context. We will add a different mechanism to ensure
that builtins do not pollute the actual global object during
bootstrapping.

Drive-by-fix: Unify some MacroAssembler magic and drop obsolete stuff.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1480003002

Cr-Commit-Position: refs/heads/master@{#32375}