This ensures that the {Code::builtin_index} field is only set during
allocation of new {Code} objects, making this field truly immutable.

R=jgruber@chromium.org
BUG=v8:6792

Change-Id: Ic793346976183149e2d077e92cb9da3c925ea865
Reviewed-on: https://chromium-review.googlesource.com/774439Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49414}

There's not really a point in passing the resume_mode as parameter to
the ResumeGenerator builtin. Instead we could as well just store the
mode to the generator object directly.

Drive-by-fix: On Intel allocate the generator to the new.target register
immediately so we don't need to move it there later.

Bug: v8:6344, v8:6354
Change-Id: I74e98cfffa2b3d72c43d8b6e9fdca03d01c9b4fa
Reviewed-on: https://chromium-review.googlesource.com/774259Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49401}

Bug: chromium:784990
Change-Id: I08c10ec706ccaba765edc7322dc92374863b8a7a
Reviewed-on: https://chromium-review.googlesource.com/771387Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49397}

Even though a previous patch made the number of slots pushed/claimed on
the stack aligned, the boundary between frames was not a multiple of
two slots as well. We were pushing the number of arguments (which belongs
in the stub's frame) together with the arguments to pass to the
constructor function (which belong to the frame of the constructor
function). Those need to be separated so we can drop the arguments without
messing up the alignment.

Bug: v8:6644
Change-Id: I839a4ab9caf451623fbcf03dd8a8afe5879fef99
Reviewed-on: https://chromium-review.googlesource.com/771670Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#49391}

Fix c5c50e18

After the change from the title landed, around 700 tests started
failing on MIPS and MIPS64. The reason for the failure was a typo
in Generate_JSBuiltinsConstructStubHelper in builtin-mips.cc
and builtin-mips64.cc.

Bug: 
Change-Id: Id95a87773d6ab1d4a65c3c7a306629046a44fa7d
Reviewed-on: https://chromium-review.googlesource.com/771652Reviewed-by: Miran Karić <Miran.Karic@imgtec.com>
Commit-Queue: Ivica Bogosavljevic <ivica.bogosavljevic@mips.com>
Cr-Commit-Position: refs/heads/master@{#49382}

Bug: v8:7065
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I7882b719f72561cd22b874eae239000936fad35c
Reviewed-on: https://chromium-review.googlesource.com/768874
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49381}

The backing store fixed array for collections needs to be allocated
in LOS if it exceeds the maximum regular heap object size.

Drive-by-fix: Only store fixed array map once as per TODO.

Bug: chromium:784862
Change-Id: I6b4dd2e45153ae107171e21bc7448e0d9b54b0ed
Reviewed-on: https://chromium-review.googlesource.com/771150Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49378}

Add padding above arguments, as part of JSSP removal.

Bug: v8:6644
Change-Id: Iee03c3c8cd6da3d62b0b4c86a12400a5fdfe99de
Reviewed-on: https://chromium-review.googlesource.com/757136Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Cr-Commit-Position: refs/heads/master@{#49374}

- Remove weak-collection.js
- Adds TFJ builtins for WeakSet and WeakMap constructors
- Unified helpers and constructor behavior into a BaseCollectionsAssembler
- Fast paths for...
  - unmodified constructor function
  - argument is a fast JS array
  - entries are fast JS arrays, for Map/WeakMap
  - no arguments passed

Quick benchmarks shows significant improvements (1.12x - 5.7x!) for ALL collection constructors (weak and non-weak):
https://github.com/peterwmwong/v8-perf/blob/master/weakcollection-constructor/README.md

More could be done for performance.  Currently we always call out to JS to add entries, if we knew the prototype was unmodified, we could call the builtins directly.

Bug: v8:5049, v8:6604
Change-Id: Id7912c1eed5bcf512df7fd6238f04166a8a5937e
Reviewed-on: https://chromium-review.googlesource.com/760385Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49343}

This CL fixes uses of HandleSlackTracking which previously would write
fields twice. Additional checks ensure that only proper initial maps are
used with slack tracking.

Change-Id: Ifb03297635ed6b873eb8b27fec9794c9d36b71b6
Reviewed-on: https://chromium-review.googlesource.com/664810Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49331}

This fixes a corner-case where resuming a suspended generator would not
perform stack overflow checks and hence cause the stack to grow without
bounds.

R=neis@chromium.org
BUG=chromium:781583

Change-Id: Ib04116e489ac6b962cb821263860497abb57bbae
Reviewed-on: https://chromium-review.googlesource.com/765953Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49327}

Bug: chromium:778668
Change-Id: Ie75f2ecb9e6134b6eb57c7d7fb6ea33cbb2fc2bf
Reviewed-on: https://chromium-review.googlesource.com/753324
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49301}

MIPS team has recently migrated to @mips.com e-mail address.
Dusan Simicic is no longer part of MIPS V8 team, therefore
his name is removed from OWNERS.

TBR=mstarzinger@chromium.org
NOTRY=true

Bug: 
Change-Id: I67fde24a5b9214fa3fca05c0399888b8d18fc699
Reviewed-on: https://chromium-review.googlesource.com/758639
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49299}

Align the claimed arguments in Generate_JSConstructStubGeneric by pushing an
extra copy of the receiver as padding.

Bug: v8:6644
Change-Id: I77e92624ff32c21c8f3f310176aa2576c756b56c
Reviewed-on: https://chromium-review.googlesource.com/757098
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49275}

R=mvstanton@chromium.org

Change-Id: Iff5a3741ba93ea2cc9d4b9f9907b22ce768b1cb3
Reviewed-on: https://chromium-review.googlesource.com/758840
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49269}

We need to throw before rethrowing, otherwise the exception does
not trigger a debugger event and is not reported if uncaught.

R=gsathya@chromium.org, jgruber@chromium.org

Bug: v8:7047
Change-Id: I7ce0253883a21d6059e4e0ed0fc56dc55a0dcba6
Reviewed-on: https://chromium-review.googlesource.com/758372Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49237}

There's three common situations in which we need to create JSFunction
objects.  1) from the compiler, 2) from tests, and 3) everything else
(mostly during bootstrapping).

This is an attempt to simplify case 3), which previously relied on
several Factory::NewFunction overloads where it was not clear how the
semantics of each overload differed.

This CL removes all but one overload, and packs arguments into a new
NewFunctionArgs helper class.

It also removes the hacks around
SFI::set_lazy_deserialization_builtin_id by explicitly passing
builtin_id into Factory::NewSharedFunctionInfo.

Drive-by-fix: Properly set is_constructor hint in
SimpleCreateSharedFunctionInfo.

Bug: v8:6624
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ica94d95e72e443055db5e7ff9e8cdf4115201ef1
Reviewed-on: https://chromium-review.googlesource.com/757094
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49224}

The regexp fast path in MaybeCallFunctionAtSymbol had an issue in which
we'd call ToString after checking that the given {object} was a fast
regexp and deciding to take the fast path. This is invalid since
ToString() can call into user-controlled JS and may mutate {object}.

There's no way to place the ToString call correctly in this instance:
1 before BranchIfFastRegExp, it's a spec violation if we end up on the
  slow regexp path;
2 the problem with the current location is already described above;
3 and we can't place it into the fast-path regexp builtin (e.g.
  RegExpReplace) either due to the same reasons as 1.

The solution in this CL is to restrict the fast path to string
arguments only, i.e. cases where ToString would be a nop and can safely
be skipped.

Bug: chromium:782145
Change-Id: Ifd35b3a9a6cf2e77c96cb860a8ec98eaec35aa85
Reviewed-on: https://chromium-review.googlesource.com/758257
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49213}

Thanks Igor and Jakob for the hard work to migrate ICs to data-driven handlers!
This is done as of this CL.

Bug: v8:5561
Change-Id: Icf1ddf0065e3aa85ac7efe4b99f74821ce3c0ac2
Reviewed-on: https://chromium-review.googlesource.com/756842
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49203}

We no longer need the kAlreadyVisitedSlot because we can just check
for undefined in the kPromiseSlot to know if the clsoure was already
fulfilled.

This means we save one word per context per promise resolving closure.

Bug: v8:7037
Change-Id: Ib8f0fb445d2e143714d57fe644ba6d7a3f04c1f7
Reviewed-on: https://chromium-review.googlesource.com/756176Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49200}

Bug: v8:6791
Change-Id: I10f8c6c88c534ee1e3c893176b6563af0c9f99d3
Reviewed-on: https://chromium-review.googlesource.com/753904
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49180}

Use (Seeded)NumberDictionary instead.

Change-Id: I426cd0a33df7d47fe4fec0c108be5632ef7c0f19
Reviewed-on: https://chromium-review.googlesource.com/756697Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49179}

Actually all it does is throw a TypeError.

R=jkummerow@chromium.org

Bug: v8:6791
Change-Id: I884da4eaa937519c07c3516a1713829f52e28ad8
Reviewed-on: https://chromium-review.googlesource.com/753730Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49171}

Previously StaNamedProperty and StaKeyedProperty were in a weird state where
they claimed to not touch the accumulator, but actually did in case they were
deopted in the middle. A frame was added in the middle to overwrite the 
accumulator again with the right value before returning from the setter, using
a lot of complexity in the deoptimizer.

This changes those instructions to be marked as writing to the accumulator
(e.g., the result of the setter), and uses to manually store and reload into
the accumulator the value being stored.

If we want to avoid the additional bytecodes, we could make sure that bytecodes
that claim to leave the accumulator alone don't deopt back to Advance/Dispatch
but LoadAccumulatorWithValue/Advance/Dispatch. That's in a way similar to what
happened before this CL, but I believe could be implemented much simpler.


Bug: 
Change-Id: I4850a690ef5a30976701d0e050951faa46fd1c18
Reviewed-on: https://chromium-review.googlesource.com/753487Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49159}

This adds code-space modification scopes to all sites that still rely on
mutation of {Code} objects after allocation. Currently some scopes also
potentially are in performance-critical places that might regress if the
protection would be enabled in its current form.

R=clemensh@chromium.org
BUG=v8:6792

Change-Id: I8d511e0e452324dae027e50a9da8e6f77224b86f
Reviewed-on: https://chromium-review.googlesource.com/751521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49147}

R=jkummerow@chromium.org

Bug: v8:6791
Change-Id: I765790d8b163aff6725900f19e95a914c75a0fe9
Reviewed-on: https://chromium-review.googlesource.com/752521
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49132}

V8 provides non-standard Error API through:

Error.captureStackTrace
Error.prepareStackTrace
Error.stackTraceLimit

Let's add use counters to gauge how wide-spread these are used.

This is the V8 side of required changes.
The Chromium-side CL: https://crrev.com/c/753446

Bug: v8:6975
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: I917cd6344a01670799f6cbf88a4bfff8e8d0d6ad
Reviewed-on: https://chromium-review.googlesource.com/753443Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49113}

- Add WeakMapPrototypeDelete and WeakSetPrototypeDelete TFJ builtins
  - Fast paths when it's not necessary to shrink the table
- Add WeakCollectionDelete TFS

Some quick benchmarks shows 1.4x - 2.15x gains in performance.
https://github.com/peterwmwong/v8-perf/blob/master/weakcollection-delete/README.md

Bug: v8:5049, v8:6604
Change-Id: I14036df153f3a0242f9083d751658b868b16660a
Reviewed-on: https://chromium-review.googlesource.com/743864Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49076}

Proxy's call trap can be used to cause recursion.

R=bmeurer@chromium.org, tebbi@chromium.org

Bug: chromium:779344
Change-Id: I19c989f618f7230028ebe18c3415bc3f4bd72b93
Reviewed-on: https://chromium-review.googlesource.com/743782Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49069}

This CL adds support for two byte string comparisons to the StringEqual
builtin, which so far was bailing out to the generic %StringEqual
runtime function whenever any two-byte string was involved. This made
comparisons that involved two-byte strings, either comparing them to
one-byte strings or comparing two two-byte strings, up to 3x slower than
if only one-byte strings were involved.

With this change, all direct string (SeqString or ExternalString)
equality checks are roughly on par now, and the weird performance cliff
is gone. On the micro-benchmark from the bug we go from

  stringEqualBothOneByteSeqString: 162 ms.
  stringEqualTwoByteAndOneByteSeqString: 446 ms.
  stringEqualOneByteAndTwoByteSeqString: 438 ms.
  stringEqualBothTwoByteSeqString: 472 ms.

to

  stringEqualBothOneByteSeqString: 151 ms.
  stringEqualTwoByteAndOneByteSeqString: 158 ms.
  stringEqualOneByteAndTwoByteSeqString: 166 ms.
  stringEqualBothTwoByteSeqString: 160 ms.

which is the desired result. On the esprima test of the
web-tooling-benchmark we seem to improve by 1-2%, which corresponds to
the savings of going to the runtime for many StringEqual comparisons.

Drive-by-cleanup: Introduce LoadAndUntagStringLength helper into the CSA
with proper typing to avoid the unnecessary shifts on 64-bit platforms
when keeping the length tagged initially in StringEqual.

Bug: v8:4913, v8:6365, v8:6371, v8:6936, v8:7022
Change-Id: I566f4b80e217513775ffbd35e0480154abf59b27
Reviewed-on: https://chromium-review.googlesource.com/749223Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49067}

Push cp in EnterFrame for CONSTRUCT type frames, in order to align the stack op,
and adapt the users (Generate_JSBuiltinConstructStub*) to account for it.
Then align the rest of the stack operations in
Generate_JSBuiltinConstructStubHelper.

Bug: v8:6644
Change-Id: I4ffca329d5838902f787a52ac0d362dfbf9174c6
Reviewed-on: https://chromium-review.googlesource.com/746923Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Martyn Capewell <martyn.capewell@arm.com>
Cr-Commit-Position: refs/heads/master@{#49063}

- Add WeakMapPrototypeSet and WeakSetPrototypeAdd TFJ builtins
  - Fast paths for...
    1) existing key
    2) new key when ObjectHashTable has a "sufficient capacity"
- Create WeakCollectionsBuiltinsAssembler to consolidate common WeakMap/WeakSet code generation
- Convert existing WeakMapLookupHashIndex to use WeakCollectionsBuiltinsAssembler

Some quick benchmarks shows performance gains of...
- 1.56x - 1.98x for WeakMap constructor
- 1.66x - 2.06x for WeakSet constructor
- 1.50x - 2.11x for WeakMap.p.set
- 1.54x - 2.26x for WeakSet.p.add

https: //github.com/peterwmwong/v8-perf/blob/master/weakcollection-set/README.md
Bug: v8:5049, v8:6604
Change-Id: I3499d46be6b2b3b1d8d46720ebe86cc5142ee542
Reviewed-on: https://chromium-review.googlesource.com/737935
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49036}

This is preparation for supporting OOB loads from strings, which
requires the KeyedLoadIC to track this information.

Bug: v8:6936, v8:7014
Change-Id: Ide132244ee523397dd418d21fe3377976f6633fd
Reviewed-on: https://chromium-review.googlesource.com/743481Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49026}

Bug: v8:6791
Change-Id: Id85bd701eaa574eea1335cdc916323810616cef9
Reviewed-on: https://chromium-review.googlesource.com/738936
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49014}

This moves the handling of the receiver and the final spread argument
into Generate_InterpreterPushArgs and merges the stack allocation to a
single claim operation for the whole argument setup. When we start
padding arguments in TF, we will simply need to claim one extra slot
and store padreg to it in Generate_InterpreterPushArgs (hence the
remaining TODO).

This also replaces the single use of Generate_CheckStackOverflow with
Generate_StackOverflowCheck and removes the former. This change is also
done for arm, ia32 and x64.

Bug: v8:6644
Change-Id: I8d06dda96dbc4a6f219b73c711f894320c2f6cdf
Reviewed-on: https://chromium-review.googlesource.com/738031
Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49005}

This should avoid changes in code serializer in a follow-up class literals
improvement CL.

Bug: v8:5799
Change-Id: I4e4386333bcc7abb30399d4e9abba4eee80ca932
Reviewed-on: https://chromium-review.googlesource.com/733037
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48996}

We now represent the SameValue operation explicitly in TurboFan and the
operation can thus participate in all kinds of optimizations. Especially
we get rid of the JSCall node in the general case, which blocks several
optimizations across the call. The general, baseline performance is now
always on par with StrictEqual.

Once the StrictEqual operator is also a simplified operator, we should
start unifying the type based optimizations in SimplifiedLowering.

In the micro-benchmark we go from

  testStrictEqual: 1422 ms.
  testObjectIs: 1520 ms.
  testManualSameValue: 1759 ms.

to

  testStrictEqual: 1426 ms.
  testObjectIs: 1357 ms.
  testManualSameValue: 1766 ms.

which gives the expected result.

Bug: v8:7007
Change-Id: I0de3ff6ff6209ab4c3edb69de6a16e387295a9c8
Reviewed-on: https://chromium-review.googlesource.com/741228Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48994}

... and use them to complete the BigInt function.

Bug: v8:6791
Change-Id: Ia36db86b92d1a0cfcb783516e04d6c0e3750f194
Reviewed-on: https://chromium-review.googlesource.com/737643
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48993}

Bug: v8:6791
Change-Id: I10bb316284ba3a0e326daad4f9b995f88d76c2a2
Reviewed-on: https://chromium-review.googlesource.com/739501Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48982}

Rename |property_attributes| to |initial_property_attributes| and ensure
that it is used as a storage of values only for AccessorInfos installed in
API Templates (i.e. ObjectTemplate and FunctionTemplate).
When an AccessorInfo is installed directly into an existing JS object
(via JSObject::SetAccessor) or into a DescriptorArray (when certain V8
objects' shapes are configured) it is not necessary to thread attributes
being set through the AccessorInfo instance.

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng
Change-Id: Ibe61026f08c42549756f694129a286635ffe5769
Reviewed-on: https://chromium-review.googlesource.com/730425
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48978}