This CL modifies the following to be LEB128:
* Function table indices
* Import table signature indices
* Export table function indices
* Function signature param count
* br/br_if break depth
* br_table target count
* block/loop expression count

Still to do:
* Import/export names (LEB128 count + inline data)
* Data segments (LEB128 offset + size + inline data)
* Function header stuff (should seperate into function sig and body sections)
* Memory access alignment + offset (still discussing)

BUG=
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1775873002

Cr-Commit-Position: refs/heads/master@{#34603}

This mechanism was used to ensure that functions ended up as constants on the map of prototypes defined using object literals, e.g.,:

function.prototype = {
  method: function() { ... }
}

Nowadays we treat prototypes specially, and make all their functions constants when an object turns prototype. Hence this special custom code isn't necessary anymore.

This also affects boilerplates that do not become prototypes. Their functions will not be constants but fields instead. Calling their methods will slow down. However, multiple instances of the same boilerplate will stay monomorphic. We'll have to see what the impact is for such objects, but preliminary benchmarks do not show this as an important regression.

BUG=chromium:593008
LOG=n

Review URL: https://codereview.chromium.org/1772423002

Cr-Commit-Position: refs/heads/master@{#34602}

A previous spec compliance fix for TypedArrays caused a ~4x performance
regression. This patch removes the regression by calling out
to a path within the runtime which implements array copying more
efficiently.

BUG=chromium:592007
R=adamk
LOG=Y

Review URL: https://codereview.chromium.org/1767893002

Cr-Commit-Position: refs/heads/master@{#34601}

R=binji@chromium.org,dschuff@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1780483002

Cr-Commit-Position: refs/heads/master@{#34600}

The initial species protector hooked into property declaration in an
incomplete place, and missed definitions of accessors. This patch repairs
them by calling out to update the protector from an additional location.

R=adamk
CC=verwaest,cbruni
BUG=v8:4093
LOG=Y

Review URL: https://codereview.chromium.org/1746323002

Cr-Commit-Position: refs/heads/master@{#34599}

The below instructions were fixed so that the produced condition
codes in simulator matched behaviour in native s390 CPUs:

CFDBR
CGDBR
CGEBR
CFEBR
CLFDBR
CLGDBR
CLGEBR

Also implemented the CLFEBR instruction in s390 simulator.

(Copypaste of 1763663003, which was pointing at wrong branch - should be master, not lkgr)

R=danno@chromium.org,jkummerow@chromium.org,jochen@chromium.org,joransiu@ca.ibm.com,michael_dawson@ca.ibm.com,mbrandy@us.ibm.com,jyan@ca.ibm.com

BUG=

Review URL: https://codereview.chromium.org/1773813002

Cr-Commit-Position: refs/heads/master@{#34598}

We have compatibility workarounds to return 'undefined' on accessors
to RegExp.prototype. This patch adds two UseCounters for two categories
of this non-spec-compliant path:
- source
- ignorecase, multiline, global

R=yangguo
BUG=chromium:581577
LOG=Y

Review URL: https://codereview.chromium.org/1762423002

Cr-Commit-Position: refs/heads/master@{#34597}

Also move GetProperty with string-name to JSReceiver

BUG=

Review URL: https://codereview.chromium.org/1775973002

Cr-Commit-Position: refs/heads/master@{#34596}

BUG=chromium:589679
LOG=N

Review URL: https://codereview.chromium.org/1771323003

Cr-Commit-Position: refs/heads/master@{#34595}

This adds the number of properties to be expected within the boilerplate
object for object literals to the TurboFan IR. The reason is that this
length can no longer be easily inferred from just the constants array.
The length is potentially non-zero for empty object literals and might
also diverge in the presence of constant functions or duplicate property
names.

For future safety and for symmetry reasons, the same change was applied
to array literals as well, even though inferring the length from the
constant elements is still possible there.

R=verwaest@chromium.org
BUG=chromium:593008
LOG=n

Review URL: https://codereview.chromium.org/1772803003

Cr-Commit-Position: refs/heads/master@{#34594}

  port 2aae579c (r34566)

  original commit message:
  In case when F tail calls G we should also remove the potential arguments adaptor frame for F.

  This CL introduces two new machine instructions ArchTailCallCodeObjectFromJSFunction and ArchTailCallJSFunctionFromJSFunction which (unlike existing ArchTailCallCodeObject and ArchTailCallJSFunction)
  also drop arguments adaptor frame if it exists right before jumping to the target function.

BUG=

Review URL: https://codereview.chromium.org/1777563002

Cr-Commit-Position: refs/heads/master@{#34593}

R=danno@chromium.org,jkummerow@chromium.org,jochen@chromium.org,joransiu@ca.ibm.com,michael_dawson@ca.ibm.com,mbrandy@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1768383002

Cr-Commit-Position: refs/heads/master@{#34592}

  port ddc626e1 (r34546)

  original commit message:
  I64Shl is lowered to a new turbofan operator, WasmWord64Shl. The new
  operator takes 3 inputs, the low-word input, the high-word input, and
  the shift, and produces 2 output, the low-word output and the high-word
  output.

  At the moment I implemented the lowering only for ia32, but I think the
  CL is already big enough. I will add the other platforms in separate
  CLs.

BUG=

Review URL: https://codereview.chromium.org/1773083002

Cr-Commit-Position: refs/heads/master@{#34591}

  port 22938040 (r34542)

  original commit message:
  HInvokeFunction and HApplyArguments instructions now support tail calling.

  Inlining of calls at tail position is not supported yet and therefore still disabled.

  The tail-call-megatest was modified so that the usages of "arguments" object do not disable Crankshaft.

BUG=

Review URL: https://codereview.chromium.org/1767343003

Cr-Commit-Position: refs/heads/master@{#34590}

Port 2aae579c

Original commit message:
    In case when F tail calls G we should also remove the potential arguments adaptor frame for F.

    This CL introduces two new machine instructions ArchTailCallCodeObjectFromJSFunction and
    ArchTailCallJSFunctionFromJSFunction which (unlike existing ArchTailCallCodeObject and
    ArchTailCallJSFunction) also drop arguments adaptor frame if it exists right before jumping
    to the target function.

R=ishell@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1773053002

Cr-Commit-Position: refs/heads/master@{#34589}

Port ddc626e1

Original commit message:
    I64Shl is lowered to a new turbofan operator, WasmWord64Shl. The new
    operator takes 3 inputs, the low-word input, the high-word input, and
    the shift, and produces 2 output, the low-word output and the high-word
    output.

R=ahaas@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1765383004

Cr-Commit-Position: refs/heads/master@{#34588}

R=ahaas@chromium.org,binji@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1770383002

Cr-Commit-Position: refs/heads/master@{#34587}

I removed some stale comments and added a missing unit test.

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1772843003

Cr-Commit-Position: refs/heads/master@{#34586}

BUG=

Review URL: https://codereview.chromium.org/1774943002

Cr-Commit-Position: refs/heads/master@{#34585}

BUG=chromium:592707
LOG=n

Review URL: https://codereview.chromium.org/1775913002

Cr-Commit-Position: refs/heads/master@{#34584}

Previously, the assertion does not include code executed in
the custom heap snapshot.

TBR=hablich@chromium.org
BUG=v8:4810
LOG=N

Review URL: https://codereview.chromium.org/1771313002

Cr-Commit-Position: refs/heads/master@{#34583}

BUG=

Review URL: https://codereview.chromium.org/1768203002

Cr-Commit-Position: refs/heads/master@{#34582}

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1770333002

Cr-Commit-Position: refs/heads/master@{#34581}

BailoutId points to the next bytecode in the bytecode array. Code offset
is set to one less than the bail out id. This would point to the end of the
current instruction. Since we use it only for summarizing the frame and to
compute the source position, it should be safe to set it to the end of current
instruction.

BUG=v8:4280, v8:4689
LOG=N

Review URL: https://codereview.chromium.org/1763783003

Cr-Commit-Position: refs/heads/master@{#34580}

This is a pure refactoring and renaming of methods in the compiler API
with the goal to increase readability. Also the compiler API is moved to
the top of the file, as it is the central piece in that file.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1766623004

Cr-Commit-Position: refs/heads/master@{#34579}

This adds sanitizer-coverage compilation, test-runner
features and post processing.

Sanitizer coverage is expected to be used together with
asan.

During test runner execution, the produced sancov files
are disambiguated and match the pattern:
<executable name>.test.<test id>.sancov.

Two additional scripts are added for merging raw sancov
files and for generating json data containing all
instrumented lines + all covered lines from merged sancov
files. Both scripts use multiprocessing for speed.

The json data will later be uploaded to google storage
for further use, e.g. to show coverage data in rietveld.

Sancov documentation:
http://clang.llvm.org/docs/SanitizerCoverage.html

BUG=chromium:568949
LOG=n
NOTRY=true
TEST=python -m unittest sancov_formatter_test
TEST=python -m unittest sancov_merger_test

Review URL: https://codereview.chromium.org/1737263003

Cr-Commit-Position: refs/heads/master@{#34578}

This changes the compiler API that finalizes a previously queued
optimization job on the main thread, to not deal with code objects
directly. This is in sync with the rest of the API now.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1773663003

Cr-Commit-Position: refs/heads/master@{#34577}

Review URL: https://codereview.chromium.org/1776593002

Cr-Commit-Position: refs/heads/master@{#34576}

R=adamk@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1767063002

Cr-Commit-Position: refs/heads/master@{#34575}

TBR=machenbach@chromium.org
NOTRY=true
NOTREECHECKS=true

Review URL: https://codereview.chromium.org/1777473002

Cr-Commit-Position: refs/heads/master@{#34574}

R=rmcilroy@chromium.org, vogelheim@chromium.org
BUG=v8:4690
LOG=N

Committed: https://crrev.com/4a7722c9930a42ba0e8feeece286d74834211a7e
Cr-Commit-Position: refs/heads/master@{#34569}

Review URL: https://codereview.chromium.org/1770773002

Cr-Commit-Position: refs/heads/master@{#34573}

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1773593002

Cr-Commit-Position: refs/heads/master@{#34572}

Before this CL, various code stubs used different techniques
for marking their frames to enable stack-crawling and other
access to data in the frame. All of them were based on a abuse
of the "standard" frame representation, e.g. storing the a
context pointer immediately below the frame's fp, and a
function pointer after that. Although functional, this approach
tends to make stubs and builtins do an awkward, unnecessary
dance to appear like standard frames, even if they have
nothing to do with JavaScript execution.

This CL attempts to improve this by:

* Ensuring that there are only two fundamentally different
  types of frames, a "standard" frame and a "typed" frame.
  Standard frames, as before, contain both a context and
  function pointer. Typed frames contain only a minimum
  of a smi marker in the position immediately below the fp
  where the context is in standard frames.
* Only interpreted, full codegen, and optimized Crankshaft and
  TurboFan JavaScript frames use the "standard" format. All
  other frames use the type frame format with an explicit
  marker.
* Typed frames can contain one or more values below the
  type marker. There is new magic macro machinery in
  frames.h that simplifies defining the offsets of these fields
  in typed frames.
* A new flag in the CallDescriptor enables specifying whether
  a frame is a standard frame or a typed frame. Secondary
  register location spilling is now only enabled for standard
  frames.
* A zillion places in the code have been updated to deal with
  the fact that most code stubs and internal frames use the
  typed frame format. This includes changes in the
  deoptimizer, debugger, and liveedit.
* StandardFrameConstants::kMarkerOffset is deprecated,
  (CommonFrameConstants::kContextOrFrameTypeOffset
  and StandardFrameConstants::kFrameOffset are now used
  in its stead).

LOG=N

Review URL: https://codereview.chromium.org/1696043002

Cr-Commit-Position: refs/heads/master@{#34571}

Revert of [interpreter, debugger] add some missing statement positions. (patchset #1 id:1 of https://codereview.chromium.org/1770773002/ )

Reason for revert:
failing tests with ignition.

Original issue's description:
> [interpreter, debugger] add some missing statement positions.
>
> R=rmcilroy@chromium.org, vogelheim@chromium.org
> BUG=v8:4690
> LOG=N
>
> Committed: https://crrev.com/4a7722c9930a42ba0e8feeece286d74834211a7e
> Cr-Commit-Position: refs/heads/master@{#34569}

TBR=rmcilroy@chromium.org,vogelheim@chromium.org,mstarzinger@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4690

Review URL: https://codereview.chromium.org/1772293002

Cr-Commit-Position: refs/heads/master@{#34570}

R=rmcilroy@chromium.org, vogelheim@chromium.org
BUG=v8:4690
LOG=N

Review URL: https://codereview.chromium.org/1770773002

Cr-Commit-Position: refs/heads/master@{#34569}

Rolling v8/build/gyp to 61259d585ce99d9de8b35188cd0025bdbcb58411

Rolling v8/tools/clang to 7f949627a42e2b8b229522ab74de5b1b6a1ced3e

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review URL: https://codereview.chromium.org/1768263003

Cr-Commit-Position: refs/heads/master@{#34568}

When possible (non-Proxy receiver, expecting only String-names), walk the instance_descriptors() array rather than performing [[OwnPropertyKeys]]. If the map changes during a call to an accessor property, resort to a slower property lookup.

For now, the fast path is not taken if the object contains any element keys.

Offers a measurable improvement over the existing version, in select situations.

BUG=v8:4663
LOG=N
R=cbruni@chromium.org, verwaest@chromium.org, adamk@chromium.org

Review URL: https://codereview.chromium.org/1751643003

Cr-Commit-Position: refs/heads/master@{#34567}

In case when F tail calls G we should also remove the potential arguments adaptor frame for F.

This CL introduces two new machine instructions ArchTailCallCodeObjectFromJSFunction and ArchTailCallJSFunctionFromJSFunction which (unlike existing ArchTailCallCodeObject and ArchTailCallJSFunction) also drop arguments adaptor frame if it exists right before jumping to the target function.

BUG=v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1702423002

Cr-Commit-Position: refs/heads/master@{#34566}

R=dschuff@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1767203002

Cr-Commit-Position: refs/heads/master@{#34565}

Local declarations were previously encoded as an optional set of
4 uint16 values as part of the function declaration. This CL
implements the current design of moving these declarations to
a list of pairs of (type, count) that is part of the body.

R=bradnelson@chromium.org,binji@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1763433002

Cr-Commit-Position: refs/heads/master@{#34564}