Also move those tests from mjsunit/harmony to mjsunit/es6.

R=littledan@chromium.org

Review URL: https://codereview.chromium.org/1403633007

Cr-Commit-Position: refs/heads/master@{#31314}

In the ES2015 spec, RegExp uses ToLength, not ToInteger, on lastIndex
to coerce it to an integer. This patch switches to ToLength when
the --harmony-tolength flag is on, and adds some tests to verify the
new behavior.

BUG=v8:4244
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1394023005

Cr-Commit-Position: refs/heads/master@{#31306}

Review URL: https://codereview.chromium.org/1401703003

Cr-Commit-Position: refs/heads/master@{#31304}

R=rossberg@chromium.org
BUG=chromium:539875
LOG=y

Review URL: https://codereview.chromium.org/1393373005

Cr-Commit-Position: refs/heads/master@{#31303}

The runtime flag in question makes no sense, because the feature cannot
be disabled without keeping the snapshot in sync. We should avoid having
the flag in our "mjsunit" test suite, so that CluserFuzz doesn't pick it
up. The test in question is already skipped, the change will not affect
test results on our waterfall.

R=mvstanton@chromium.org
TEST=mjsunit/call-counts
BUG=v8:4458
LOG=n

Review URL: https://codereview.chromium.org/1409533003

Cr-Commit-Position: refs/heads/master@{#31302}

R=rossberg
BUG=v8:3931
LOG=n

Review URL: https://codereview.chromium.org/1397443013

Cr-Commit-Position: refs/heads/master@{#31299}

R=rossberg@chromium.org
BUG=chromium:451967
LOG=N

Review URL: https://codereview.chromium.org/1404783002

Cr-Commit-Position: refs/heads/master@{#31296}

Revert of Make dates default to the local timezone if none specified  (https://codereview.chromium.org/1229903004/)

Even though the change is ES6 spec compliant, we decided to revert
to be consistent with other browsers and work on fixing the spec.

Original issue's description:
> Make dates default to the local timezone if none specified
>
> In ES5, dates were supposed to default to UTC if no timezone was specified. However, this changed in ES6, which specified that dates should be in the local timezone if no timezone was specified. This CL updates our behavior to match that part of the ES6 spec.

> BUG=chromium:391730, v8:4242
> LOG=Y

> Committed: https://crrev.com/f06754a8e1d305a43560705f6c167d85d40e602d
> Cr-Commit-Position: refs/heads/master@{#29854}

BUG=chromium:543320,chromium:539813
LOG=NO

Review URL: https://codereview.chromium.org/1403153003

Cr-Commit-Position: refs/heads/master@{#31295}

This is in preparation to enabling --turbo-inlining by default, fixing
various issues when general purpose inlining is running against our
entire test suite.

R=bmeurer@chromium.org
BUG=v8:4493
LOG=n

Review URL: https://codereview.chromium.org/1407533004

Cr-Commit-Position: refs/heads/master@{#31294}

This reverts commit dc0adc56.

NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1392853009

Cr-Commit-Position: refs/heads/master@{#31284}

Section 8.10.5 9a specifies that a property descriptor cannot both have
accessors and specify the writability of the property. The previous
error message was misleading because it referred to writable rather
than specifying the writability (which includes writable: false).

BUG=v8:2536
LOG=N

Review URL: https://codereview.chromium.org/1399693003

Cr-Commit-Position: refs/heads/master@{#31273}

For an edge case like the following in sloppy mode
  with ({}) function f() {}
a lexical scope needs to be created around the body in order
to hold the function declaration, so it can be hoisted according
to a loose interpretation of Annex B 3.3 (loose because ES2015
does not permit a function declaration as the body of a with
statement). This patch adds that scope.

BUG=chromium:542100
LOG=N
R=adamk

Review URL: https://codereview.chromium.org/1404803002

Cr-Commit-Position: refs/heads/master@{#31269}

This patch fixes an obscure edge case for functions defined as the
direct body of a for-of/for-in loop, such as the following:

 for (foo in []) function foo() { return foo; }

Here, the first occurrence of foo should point to the outer scope;
however, before this patch, it pointed to the inner foo in an
invalid way which caused an assertion about the scope chain to fail.
This patch fixes the scope chain by inserting an extra scope for
the body of the loop, not including the header.

BUG=chromium:542099
LOG=N
R=rossberg

Review URL: https://codereview.chromium.org/1396663004

Cr-Commit-Position: refs/heads/master@{#31268}

BUG=chromium:542823
LOG=n

Review URL: https://codereview.chromium.org/1391373004

Cr-Commit-Position: refs/heads/master@{#31257}

The flag for deactivating break points also affects stepping, since both
are implemented via debug break slots. Fixing this by introducing a new
flag solely responsible for deactivating actual break points.

R=mvstanton@chromium.org
BUG=chromium:119800
LOG=N

Review URL: https://codereview.chromium.org/1402913002

Cr-Commit-Position: refs/heads/master@{#31236}

R=jkummerow@chromium.org
BUG=chromium:528379
LOG=N

Review URL: https://codereview.chromium.org/1404613002

Cr-Commit-Position: refs/heads/master@{#31233}

Looking up 'name' and 'message' properties at the same time and loading
the properties later can cause assertion failure if one of the properties
is an accessor and calling it changes the holder map. That may invalidate
the other lookup.

R=jkummerow@chromium.org
BUG=chromium:542101
LOG=N

Review URL: https://codereview.chromium.org/1403923002

Cr-Commit-Position: refs/heads/master@{#31229}

BUG=v8:4482
LOG=n

Review URL: https://codereview.chromium.org/1397513004

Cr-Commit-Position: refs/heads/master@{#31218}

The data structure that holds the optimized code is becoming essential for
additional functionality, too.

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1399033002

Cr-Commit-Position: refs/heads/master@{#31216}

Revert of Don't compile functions in a context the caller doesn't have access to (patchset #1 id:1 of https://codereview.chromium.org/1393713006/ )

Reason for revert:
[Sheriff] Breaks layout tests. Please add needsmanualrebaseline upstream first if intended. E.g.:
http://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/2263

(one of them is a timeout that only happens with this commit)

Original issue's description:
> Don't compile functions in a context the caller doesn't have access to
>
> Instead, just return undefined.
>
> A side effect of this is that it's no longer possible to compile
> functions in a detached context.
>
> Based on https://codereview.chromium.org/294073002 but taking access
> check callbacks into account
>
> BUG=chromium:541703
> R=verwaest@chromium.org
> LOG=y
>
> Committed: https://crrev.com/9a5e2f512c4aa90563eb575605c2a8c2a92ac9f4
> Cr-Commit-Position: refs/heads/master@{#31208}

TBR=verwaest@chromium.org,jochen@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:541703

Review URL: https://codereview.chromium.org/1395583004

Cr-Commit-Position: refs/heads/master@{#31212}

Previously, name conflicts between var and let declarations were only
made into exceptions if they were visible at parse-time. This patch adds
runtime checks so that sloppy-mode direct eval can't introduce conflicting
var declarations. The change is implemented by traversing the scope chain
when a direct eval introduces a var declaration to look for conflicting
let declarations, up to the function boundary.

BUG=v8:4454
R=adamk
LOG=Y

Review URL: https://codereview.chromium.org/1382513003

Cr-Commit-Position: refs/heads/master@{#31211}

Instead, just return undefined.

A side effect of this is that it's no longer possible to compile
functions in a detached context.

Based on https://codereview.chromium.org/294073002 but taking access
check callbacks into account

BUG=chromium:541703
R=verwaest@chromium.org
LOG=y

Review URL: https://codereview.chromium.org/1393713006

Cr-Commit-Position: refs/heads/master@{#31208}

Makes debugging failures a bit easier

BUG=none
R=ulan@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1398703007

Cr-Commit-Position: refs/heads/master@{#31195}

strict mode.

LOG=N
BUG=chromium:423739

Review URL: https://codereview.chromium.org/1381083004

Cr-Commit-Position: refs/heads/master@{#31192}

Make the end position of a regexp literal the first character following the regexp. This matches the behaviour of number literals and string literals, as well as single-character tokens.

This change corrects the lazy-parsing of arrow functions with concise bodies, whose last token is a regular expression literal.

BUG=v8:4474
LOG=N
R=wingo@igalia.com, adamk@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/1389313003

Cr-Commit-Position: refs/heads/master@{#31189}

Also add some more tests.

R=rossberg
BUG=

Review URL: https://codereview.chromium.org/1392203002

Cr-Commit-Position: refs/heads/master@{#31181}

This CL depends on #1362363002.

R=rossberg
BUG=

Review URL: https://codereview.chromium.org/1361403003

Cr-Commit-Position: refs/heads/master@{#31180}

NOTRY=true

Review URL: https://codereview.chromium.org/1393713004

Cr-Commit-Position: refs/heads/master@{#31155}

Previously, arrow function scopes had a separate ScopeType. However,
Scope::DeserializeScopeChain() erroneously deserialized ARROW_SCOPE
ScopeInfos as FUNCTION_SCOPE. This could lead to bugs such as the
attached one, where "super" was disallowed where it should have
been allowed.

This patch utilizes the Scope's FunctionKind to distinguish arrow
functions from others. Besides fixing the above bug, this also
simplifies code in various places that had to deal with two different
ScopeTypes both of which meant "function".

BUG=v8:4466
LOG=n

Review URL: https://codereview.chromium.org/1386253002

Cr-Commit-Position: refs/heads/master@{#31154}

Introduce a new JSGlobalSpecialization advanced reducer that runs
during the initial inlining and context specialization, and specializes
the graph to the globals of the native context.  Currently we assume
that we do not inline cross native context, but long-term we will grab
the global object from the JSLoadGlobal/JSStoreGlobal feedback (with the
new global load/store ICs that are currently in the workings), and then
this whole specialization will be fully compositional even across
cross-context inlining.

Note that we cannot really handle most of the stores to global object
property cells because TurboFan doesn't have a mechanism to enforce
certain representations.  Also note that we cannot yet fully benefit
from the type feedback collected on the global object property cells,
because the type system cannot deal with maps in a reasonable way.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=jarin@chromium.org
BUG=v8:4470
LOG=n

Committed: https://crrev.com/6fbf7903f94924ea066af481719898bd9667b6eb
Cr-Commit-Position: refs/heads/master@{#31139}

Review URL: https://codereview.chromium.org/1387393002

Cr-Commit-Position: refs/heads/master@{#31148}

This seems to be triggered now with global object specialization.

TEST=mjsunit/regress/regress-crbug-450960
TBR=mstarzinger@chromium.org
BUG=v8:4195
LOG=n

Review URL: https://codereview.chromium.org/1388403002 .

Cr-Commit-Position: refs/heads/master@{#31147}

- Reflect.deleteProperty
- Reflect.get
- Reflect.has
- Reflect.isExtensible

Reflect.get doesn't support the receiver argument yet, and
some of the others don't support proxies yet.

R=rossberg
BUG=v8:3931
LOG=n

Review URL: https://codereview.chromium.org/1379313002

Cr-Commit-Position: refs/heads/master@{#31146}

R=mstarzinger@chromium.org
BUG=chromium:540593
LOG=n

Review URL: https://codereview.chromium.org/1395453002

Cr-Commit-Position: refs/heads/master@{#31145}

Revert of [turbofan] Add initial support for global specialization. (patchset #4 id:60001 of https://codereview.chromium.org/1387393002/ )

Reason for revert:
Breaks GC stress: http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/1984/steps/Bisect%20c5528ac1.Retry/logs/regress-crbug-450960

Original issue's description:
> [turbofan] Add initial support for global specialization.
>
> Introduce a new JSGlobalSpecialization advanced reducer that runs
> during the initial inlining and context specialization, and specializes
> the graph to the globals of the native context.  Currently we assume
> that we do not inline cross native context, but long-term we will grab
> the global object from the JSLoadGlobal/JSStoreGlobal feedback (with the
> new global load/store ICs that are currently in the workings), and then
> this whole specialization will be fully compositional even across
> cross-context inlining.
>
> Note that we cannot really handle most of the stores to global object
> property cells because TurboFan doesn't have a mechanism to enforce
> certain representations.  Also note that we cannot yet fully benefit
> from the type feedback collected on the global object property cells,
> because the type system cannot deal with maps in a reasonable way.
>
> CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
> R=jarin@chromium.org
> BUG=v8:4470
> LOG=n
>
> Committed: https://crrev.com/6fbf7903f94924ea066af481719898bd9667b6eb
> Cr-Commit-Position: refs/heads/master@{#31139}

TBR=jarin@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4470

Review URL: https://codereview.chromium.org/1390073004

Cr-Commit-Position: refs/heads/master@{#31144}

Introduce a new JSGlobalSpecialization advanced reducer that runs
during the initial inlining and context specialization, and specializes
the graph to the globals of the native context.  Currently we assume
that we do not inline cross native context, but long-term we will grab
the global object from the JSLoadGlobal/JSStoreGlobal feedback (with the
new global load/store ICs that are currently in the workings), and then
this whole specialization will be fully compositional even across
cross-context inlining.

Note that we cannot really handle most of the stores to global object
property cells because TurboFan doesn't have a mechanism to enforce
certain representations.  Also note that we cannot yet fully benefit
from the type feedback collected on the global object property cells,
because the type system cannot deal with maps in a reasonable way.

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux_nosnap_rel
R=jarin@chromium.org
BUG=v8:4470
LOG=n

Review URL: https://codereview.chromium.org/1387393002

Cr-Commit-Position: refs/heads/master@{#31139}

R=yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1378693004

Cr-Commit-Position: refs/heads/master@{#31133}

Previously, cases like
  var [foo]
led to a parser crash because the parser tried to do something with
the initializer, which was not syntactically present.

This patch fixes the parser issue (implicitly creating an undefined
initializer) and inserts a check for array destructuring that the
right-hand side is coercible to an object, so it can have iterator
methods called on it safely.

BUG=v8:4462
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1384413002

Cr-Commit-Position: refs/heads/master@{#31128}

When calling into C++ builtins, we need to make sure that the argument
count register contains the correct number of arguments, otherwise the
CEntryStub will not be able to leave the stack in the correct state.

R=ishell@chromium.org
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1391543002

Cr-Commit-Position: refs/heads/master@{#31120}

Previously, using legacy const in for-of/in loops led to a check-fail
in the parser. This was due to the fact that the destructuring bind
led to an undefined initialization to undefined in the parser, which
caused the for loop code to go down a strange path. This patch
eliminates the undefined initialization in variables declared in
for-in/of loops, so that that path is not used and the error is
fixed.

BUG=v8:4461
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1385913003

Cr-Commit-Position: refs/heads/master@{#31117}

* Promise.resolve is now works with subclasses
* Spec removed [[PromiseConstructor]] now can simply use constructor
* Promise.resolve ignores species

R=littledan@chromium.org,domenic@chromium.org
BUG=v8:4161,v8:4341
LOG=Y

Review URL: https://codereview.chromium.org/1362773002

Cr-Commit-Position: refs/heads/master@{#31116}