In the for-of desugaring, IteratorClose is a subtle thing to get right.
When return exists, the logic for which exception to throw is as follows:
1. Get the 'return' property and property any exception that might come from
  the property read
2. Call return, not yet propagating an exception if it's thrown.
3. If we are closing the iterator due to an exception, propagate that error.
4. If return threw, propagate that error.
5. Check if return's return value was not an object, and throw if so

Previously, we were effectively doing step 5 even if an exception "had already
been thrown" by step 3. Because this took place in a finally block, the exception
"won the race" and was the one propagated to the user. The fix is a simple change
to the desugaring to do step 5 only if step 3 didn't happen.

R=rossberg
BUG=v8:4775
LOG=Y

Review URL: https://codereview.chromium.org/1728973002

Cr-Commit-Position: refs/heads/master@{#34261}

Per MIPS O32 ABI the first four arguments must be passed via
the a0-a3 registers and they must be on the stack as well.

TEST=cctest/test-run-wasm/*
BUG=

Review URL: https://codereview.chromium.org/1730763002

Cr-Commit-Position: refs/heads/master@{#34260}

This makes the FullCodeGenerator::EmitNamedPropertyLoad be architecture
independent by adding MacroAssembler::Move helpers.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1734643002

Cr-Commit-Position: refs/heads/master@{#34259}

Revert of [coverage] Filter some files from instrumentation. (patchset #3 id:40001 of https://codereview.chromium.org/1730543002/ )

Reason for revert:
This breaks `gclient sync` because v8_target_arch isn't defined.

gyp: name 'v8_target_arch' is not defined while evaluating condition
'(OS=="linux" or OS=="mac") and (target_arch=="ia32" or target_arch=="x64") and
         (v8_target_arch!="x87" and v8_target_arch!="x32") and coverage==0' in
/media/jfb/ssd/v8/v8/build/all.gyp
Error: Command '/usr/bin/python v8/build/gyp_v8' returned non-zero exit status 1
in /media/jfb/ssd/v8

Original issue's description:
> [coverage] Filter some files from instrumentation.
>
> This filters test and third_party files to get a speed-up
> when running tests and when collecting profile data.
>
> BUG=chromium:568949
> LOG=n
>
> Committed: https://crrev.com/761ee31be5ab4fde05c294e5d632608fbaea8ad4
> Cr-Commit-Position: refs/heads/master@{#34216}
>
> Committed: https://crrev.com/906db7448702a6ac9fab2a445c57cc85f6dd1b1a
> Cr-Commit-Position: refs/heads/master@{#34253}

TBR=tandrii@chromium.org,kjellander@chromium.org,machenbach@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:568949

Review URL: https://codereview.chromium.org/1737433002

Cr-Commit-Position: refs/heads/master@{#34258}

Everything that HCallFunction does can be easily done using more general HCallWithDescriptor, so there's no need to have this dedicated instruction around.

Review URL: https://codereview.chromium.org/1731303002

Cr-Commit-Position: refs/heads/master@{#34257}

This reduces the memory consumption of SourcePositionTable by ca. 2/3.
Over Octane, this reduces the source position table memory consumption
from ~370kB to ~115kB, which makes it ca. 10% of the total bytecode size
(~1.1MB)

----------------

Reland CL in order to relive the glory days, and also fix memory leak w/ ENABLE_SLOW_CHECKS.

SourcePositionTableBuilder used to have a no destructor since everything
was zone allocated. But if ENABLE_SLOW_CHECKS, it has a heap allocated member
and thus needs a proper constructor. ASAN thankfully notices this, and V8 no
longer builds since this is called during mksnapshot.

Breakge example: http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20ASAN%20arm64%20-%20debug%20builder/builds/4829

R=jochen@chromium.org, yangguo@chromium.org, rmcilroy@chromium.org
BUG=v8:4690
LOG=y

Committed: https://crrev.com/a6f41f7b8226555c5900440f6e3092b3545ee0f6
Cr-Commit-Position: refs/heads/master@{#34250}

patch from issue 1704943002 at patchset 200001 (http://crrev.com/1704943002#ps200001)

Review URL: https://codereview.chromium.org/1731883003

Cr-Commit-Position: refs/heads/master@{#34256}

This fixes a corner case that triggered an assert in full-codegens
operand stack depth tracking. We stop pushing operands if we overflow
the C-stack while iterating the AST. This makes the tracking go out of
sync before we fully returned from the tree traversal, at which point
the thrown RangeError will abort compilation.

R=ishell@chromium.org
TEST=mjsunit/regress/regress-crbug-589472
BUG=chromium:589472
LOG=n

Review URL: https://codereview.chromium.org/1732903002

Cr-Commit-Position: refs/heads/master@{#34255}

This patch moves for-of closing to staging. There are a couple of
minor semantics bugs remaining in finalization along edge cases, but
we don't know of any stability issues.

BUG=v8:3566
R=rossberg
LOG=Y

Review URL: https://codereview.chromium.org/1725203002

Cr-Commit-Position: refs/heads/master@{#34254}

This filters test and third_party files to get a speed-up
when running tests and when collecting profile data.

BUG=chromium:568949
LOG=n

Committed: https://crrev.com/761ee31be5ab4fde05c294e5d632608fbaea8ad4
Cr-Commit-Position: refs/heads/master@{#34216}

Review URL: https://codereview.chromium.org/1730543002

Cr-Commit-Position: refs/heads/master@{#34253}

Revert of [Interpreter] Implements calls through CallICStub in the interpreter. (patchset #15 id:270001 of https://codereview.chromium.org/1688283003/ )

Reason for revert:
It is not a good idea to call CallICStub from the builtin. It might be sensitive to the frame structure. Constructing a internal frame might cause problems. It is much better to inline the code  related to the type feedback vector into the builtin.

Original issue's description:
> [Interpreter] Implements calls through CallICStub in the interpreter.
>
> Calls are implemented through CallICStub to collect type feedback. Adds
> a new builtin called InterpreterPushArgsAndCallIC that pushes the
> arguments onto stack and calls CallICStub.
>
> Also adds two new bytecodes CallIC and CallICWide to indicate calls have to
> go through CallICStub.
>
> MIPS port contributed by balazs.kilvady.
>
> BUG=v8:4280, v8:4680
> LOG=N
>
> Committed: https://crrev.com/20362a2214c11a0f2ea5141b6a79e09458939cec
> Cr-Commit-Position: refs/heads/master@{#34244}

TBR=rmcilroy@chromium.org,mvstanton@chromium.org,mstarzinger@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4280, v8:4680

Review URL: https://codereview.chromium.org/1731253003

Cr-Commit-Position: refs/heads/master@{#34252}

Revert of Encode interpreter::SourcePositionTable as variable-length ints. (patchset #10 id:200001 of https://codereview.chromium.org/1704943002/ )

Reason for revert:
Build failure on Linux64 arm64 ASAN:

http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20ASAN%20arm64%20-%20debug%20builder/builds/4829

(Leaks memory, somehow.)

Original issue's description:
> Encode interpreter::SourcePositionTable as variable-length ints.
>
> This reduces the memory consumption of SourcePositionTable by ca. 2/3.
> Over Octane, this reduces the source position table memory consumption
> from ~370kB to ~115kB, which makes it ca. 10% of the total bytecode size
> (~1.1MB)
>
> BUG=
>
> Committed: https://crrev.com/a6f41f7b8226555c5900440f6e3092b3545ee0f6
> Cr-Commit-Position: refs/heads/master@{#34250}

TBR=jochen@chromium.org,rmcilroy@chromium.org,yangguo@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1728193003

Cr-Commit-Position: refs/heads/master@{#34251}

This reduces the memory consumption of SourcePositionTable by ca. 2/3.
Over Octane, this reduces the source position table memory consumption
from ~370kB to ~115kB, which makes it ca. 10% of the total bytecode size
(~1.1MB)

BUG=

Review URL: https://codereview.chromium.org/1704943002

Cr-Commit-Position: refs/heads/master@{#34250}

(a EQ b) is lowered to ((low(a) XOR low(b)) OR (high(a) XOR high(b))) EQ 0

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1729493002

Cr-Commit-Position: refs/heads/master@{#34249}

There was an eval inside the array_natives_test() which prevented
Crankshaft, even tho it's unrelated, and so we always went to TurboFan
now, which both decreased test coverage and increased time for stress
opt runs.

R=machenbach@chromium.org

Review URL: https://codereview.chromium.org/1725383002

Cr-Commit-Position: refs/heads/master@{#34248}

Revert of [coverage] Filter some files from instrumentation. (patchset #2 id:20001 of https://codereview.chromium.org/1730543002/ )

Reason for revert:
[Sheriff] Breaks local make builds.

Original issue's description:
> [coverage] Filter some files from instrumentation.
>
> This filters test and third_party files to get a speed-up
> when running tests and when collecting profile data.
>
> BUG=chromium:568949
> LOG=n
> NOTRY=true
>
> Committed: https://crrev.com/761ee31be5ab4fde05c294e5d632608fbaea8ad4
> Cr-Commit-Position: refs/heads/master@{#34216}

TBR=tandrii@chromium.org,kjellander@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:568949

Review URL: https://codereview.chromium.org/1727383002

Cr-Commit-Position: refs/heads/master@{#34247}

This implements proper handling of local control flow (i.e. break and
continue) that spans the boundary of a do-expression. We can no longer
determine the number of operands to be dropped from the nesting of
statements alone, instead we use the new precise operand stack depth
tracking.

R=jarin@chromium.org
TEST=mjsunit/harmony/do-expressions-control
BUG=v8:4488
LOG=n

Review URL: https://codereview.chromium.org/1724753002

Cr-Commit-Position: refs/heads/master@{#34246}

Apparently, the tarfile Python module spends a lot of time in
grp.getgrid for retrieving a piece information (the name of the
primary group) which we don't need anyway. There is no
proper way to disable these slow calls, but there's a workaround
which relies on the way in which grp (and pwd) is used.

In fact, pwd and grp are imported in this fashion:

    try:
        import grp, pwd
    except ImportError:
        grp = pwd = None

and then used with the following pattern [2]:

      if grp:
          try:
              tarinfo.gname = grp.getgrgid(tarinfo.gid)[0]
          except KeyError:
              pass

By setting grp and pwd to None, thus skipping the calls, I was
able to achieve a 35x speedup on my workstation.

The user and group names are set to test262 when building the tar.

The downside to this approach is that we are relying on an
implementation detail, which is not in the public API.
However, the blamelist shows that the relevant bits of the module
have not been updated since 2003 [3], so we might as well assume
that the workaround will keep working, on cPython 2.x at least.

---

[1] https://hg.python.org/cpython/file/2.7/Lib/tarfile.py#l56
[2] https://hg.python.org/cpython/file/2.7/Lib/tarfile.py#l1933
[3] https://hg.python.org/cpython/rev/f9a5ed092660

BUG=chromium:535160
LOG=N

Review URL: https://codereview.chromium.org/1727773002

Cr-Commit-Position: refs/heads/master@{#34245}

Calls are implemented through CallICStub to collect type feedback. Adds
a new builtin called InterpreterPushArgsAndCallIC that pushes the
arguments onto stack and calls CallICStub.

Also adds two new bytecodes CallIC and CallICWide to indicate calls have to
go through CallICStub.

MIPS port contributed by balazs.kilvady.

BUG=v8:4280, v8:4680
LOG=N

Review URL: https://codereview.chromium.org/1688283003

Cr-Commit-Position: refs/heads/master@{#34244}

The Crankshaft fast case for String.fromCharCode() unconditionally
deoptimizes on all non-int32 inputs, even tho it would be perfectly
valid to just truncate the index to an int32.

R=ishell@chromium.org
BUG=chromium:587068
LOG=n

Review URL: https://codereview.chromium.org/1727873003

Cr-Commit-Position: refs/heads/master@{#34243}

The InstructionSelector::CanCover() heuristic was not correctly set to
match loads that are wired into the effect chain (i.e. when the input
comes from the JavaScript pipeline instead of the RawMachineAssembler).
Also the InstructionSelector on x64 was confused by the
CanBeBetterLeftOperand heuristic, which prevented proper covering for
map checks generated by the JavaScript pipeline.

R=epertoso@chromium.org

Review URL: https://codereview.chromium.org/1734503002

Cr-Commit-Position: refs/heads/master@{#34242}

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1723613002

Cr-Commit-Position: refs/heads/master@{#34241}

Failed after:
https://codereview.chromium.org/1706343002

TBR=ofrobots@google.com, mattloring@google.com, rmcilroy@chromium.org
NOTRY=true

Review URL: https://codereview.chromium.org/1727363002

Cr-Commit-Position: refs/heads/master@{#34240}

These macro operators represent a conditional eager deoptimization exit
without explicit branching, which greatly reduces overhead of both
scheduling and register allocation, and thereby greatly reduces overall
compilation time, esp. when there are a lot of eager deoptimization
exits.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1721103003

Cr-Commit-Position: refs/heads/master@{#34239}

Revert of Replace slots buffer with remembered set. (patchset #14 id:250001 of https://codereview.chromium.org/1703823002/ )

Reason for revert:
Revert because of canary crashes: crbug.com/589413

Original issue's description:
> Replace slots buffer with remembered set.
>
> Slots pointing to evacuation candidates are now recorded in the new RememberedSet<OLD_TO_OLD>.
>
> The remembered set is extended to support typed slots.
>
> During parallel evacuation all migration slots are recorded in local slots buffers.
> After evacuation all local slots are added to the remembered set.
>
> BUG=chromium:578883
> LOG=NO
>
> Committed: https://crrev.com/2285a99ef6f7d52f4f0c4d88a7db4224443ee152
> Cr-Commit-Position: refs/heads/master@{#34212}

TBR=jochen@chromium.org,hpayer@chromium.org,mlippautz@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:578883

Review URL: https://codereview.chromium.org/1725073003

Cr-Commit-Position: refs/heads/master@{#34238}

Since both null and undefined are also marked as undetectable now, we
can just test that bit instead of having the CompareNilIC try to collect
feedback to speed up the general case (without the undetectable bit
being used).

Drive-by-fix: Update the type system to match the new handling of
undetectable in the runtime.

R=danno@chromium.org

Review URL: https://codereview.chromium.org/1722193002

Cr-Commit-Position: refs/heads/master@{#34237}

This is the first step in process of replacing JR and JALR instructions
with JIC and JIALC for r6. Trampoline in r6 now uses JIC. Also
BranchLong and BranchAndLinkLong MacroAssembler functions now use JIC
and JIALC in r6 if branch delay slot is not used.

BUG=

Review URL: https://codereview.chromium.org/1573983002

Cr-Commit-Position: refs/heads/master@{#34236}

Now that JALR to JAL optimization is removed, the value of the constant
kInstructionsFor32BitConstant and comments are adjusted accordingly.

BUG=

Review URL: https://codereview.chromium.org/1690133004

Cr-Commit-Position: refs/heads/master@{#34235}

Implements poisson unsampling. A poisson process is used to determine
which samples to collect based on a sample rate. Unsampling will
approximate the true number of allocations at each site taking into
account that smaller allocations are less likley to be sampled.

This work was originally being done in the agent that
consumes profiles but it is more efficient to do it here
and individual consumers of the API should not have to
worry about the mathematical details of the sampling
process.

R=ofrobots@google.com
BUG=

Review URL: https://codereview.chromium.org/1706343002

Cr-Commit-Position: refs/heads/master@{#34234}

We previously supported use of bitwise operations to convert
from intish to int, but use of kAsmInt in some places and kAsmIntQ
in others prevents this from working with heap accesses.
Switch to use kAsmIntQ where appropriate (even though intish_ != 0
in principle captures the superset of these cases),
as it's more conservative (and uses types.h better).

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=mjsunit/asm-wasm
R=aseemgarg@chromium.org,titzer@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1731603002

Cr-Commit-Position: refs/heads/master@{#34233}

Cr-Commit-Position: refs/heads/master@{#34232}

  port 38915ed7 (r34211)

  original commit message:
  This implements a mechanism to track the exact depth of the operand
  stack in full-codegen for every sub-expression visitation. So far we
  only tracked the depth at statement level, but not at expression level.
  With the introduction of do-expressions it will be possible to construct
  local control flow (i.e. break, continue and friends) that target labels
  at an arbitrary operand stack depth, making this tracking a prerequisite
  for full do-expression support.

BUG=

Review URL: https://codereview.chromium.org/1728953003

Cr-Commit-Position: refs/heads/master@{#34231}

The Intl object used to keep around functions which are bound to the
receiver and memoized in the object (as required by the ECMA-402 spec)
in ordinary properties with names like __boundformat__. This patch
instead stores those methods in private symbol properties, so they are
not exposed to users. A search in GitHub didn't find any uses of
__boundformat__ (whereas the same search found plenty of usages of
other V8 Intl features), so I think this should be fine in terms of
web compatibility.

BUG=v8:3785
R=adamk
LOG=Y

Review URL: https://codereview.chromium.org/1728823002

Cr-Commit-Position: refs/heads/master@{#34230}

A recent ES2016 draft spec clarification indicates that, if -0 is
passed into Array.prototype.indexOf or Array.prototype.lastIndexOf
as the starting index, and the result is found at index 0, then +0
rather than -0 should be returned. This patch ensures that V8 has
that result, which is consistent with what some other browsers
return. The patch allows a couple test262 tests to pass.

R=adamk
LOG=Y

Review URL: https://codereview.chromium.org/1729653002

Cr-Commit-Position: refs/heads/master@{#34229}

This allows expressions like:
(x + y) & -1
[intish] & [signed]

The previous conversion condition was too strict (intended to
forbid non-int expression conversion). Expressing in
a different way.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=mjsunit/asm-wasm
R=aseemgarg@chromium.org,titzer@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1717213002

Cr-Commit-Position: refs/heads/master@{#34228}

Port 38915ed7

Original commit message:
    This implements a mechanism to track the exact depth of the operand
    stack in full-codegen for every sub-expression visitation. So far we
    only tracked the depth at statement level, but not at expression level.
    With the introduction of do-expressions it will be possible to construct
    local control flow (i.e. break, continue and friends) that target labels
    at an arbitrary operand stack depth, making this tracking a prerequisite
    for full do-expression support.

R=mstarzinger@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:4755,v8:4488
LOG=n

Review URL: https://codereview.chromium.org/1729613002

Cr-Commit-Position: refs/heads/master@{#34227}

This patch moves the ES2015 Symbol.species feature from staging to
shipping. @@species should be good to ship now that the regression
from fast-path cases in concat, slice and splice have been addressed.

R=adamk
BUG=v8:4093
LOG=Y
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1721993002

Cr-Commit-Position: refs/heads/master@{#34226}

For now WasmFrame doesn't summarize the wasm frames. That'll require adding the
metadata in wasm-compiler similar to DeoptimizationInputData.

Teach the basic backtrace to iterate over stack frames instead of JS frames.

Update the wasm stack test.

`git cl format` touches random lines in files I touch.

R=titzer@chromium.org
TEST=d8 --test --expose-wasm test/mjsunit/mjsunit.js test/mjsunit/wasm/stack.js

Originally landed in: https://codereview.chromium.org/1712003003/
Reverted in: https://codereview.chromium.org/1730673002/

This patch puts the JSFunction on the C++ stack.

Review URL: https://codereview.chromium.org/1724063002

Cr-Commit-Position: refs/heads/master@{#34225}

The first operand to the CallRuntime class of bytecodes is the
ID of the runtime function being called. Before this commit
the ID was printed as plain uint16_t, now we get something like:

  B(CallRuntime) U16(Runtime::Add) ...

This change is intended to make both the golden files more
resistant to modifications of the i::Runtime::FunctionId enum
and the output of generate-bytecode-expectations more readable.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1723223002

Cr-Commit-Position: refs/heads/master@{#34224}

Now that register validation is working again, re-enable
for asm->wasm embenchen tests.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=mjsunit/asm-wasm
R=aseemgarg@chromium.org,titzer@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1724043002

Cr-Commit-Position: refs/heads/master@{#34223}

asm.js permits both:
int * constant
constant * int

It does not, however, allow intishes in multiplies.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=mjsunit/asm-wasm,test-asm-validator
R=aseemgarg@chromium.org,titzer@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1718083004

Cr-Commit-Position: refs/heads/master@{#34222}