This fixes a rare corner case that was caused by missing recording of
relocation slots when the uninitialized CallIC stub happenes to land on
an evacuation candidate and the IC is cleared via the shared function.

R=ulan@chromium.org
BUG=chromium:144230
TEST=cctest/test-heap/Regression144230

Review URL: https://codereview.chromium.org/10963005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12563 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=150729

Review URL: https://codereview.chromium.org/10959009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12562 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://codereview.chromium.org/10957013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12561 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10939033

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12560 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Port r12492 (479be376)

Original commit message:
This CL adds multiple things:
Transition arrays do not directly point at their descriptor array anymore, but rather do so via an indirect pointer (a JSGlobalPropertyCell).

An ownership bit is added to maps indicating whether it owns its own descriptor array or not.

Maps owning a descriptor array can pass on ownership if a transition from that map is generated; but only if the descriptor array stays exactly the same; or if a descriptor is added.

Maps that don't have ownership get ownership back if their direct child to which ownership was passed is cleared in ClearNonLiveTransitions.

To detect which descriptors in an array are valid, each map knows its own NumberOfOwnDescriptors. Since the descriptors are sorted in order of addition, if we search and find a descriptor with index bigger than this number, it is not valid for the given map.

We currently still build up an enumeration cache (although this may disappear). The enumeration cache is always built for the entire descriptor array, even if not all descriptors are owned by the map. Once a descriptor array has an enumeration cache for a given map; this invariant will always be true, even if the descriptor array was extended. The extended array will inherit the enumeration cache from the smaller descriptor array. If a map with more descriptors needs an enumeration cache, it's EnumLength will still be set to invalid, so it will have to recompute the enumeration cache. This new cache will also be valid for smaller maps since they have their own enumlength; and use this to loop over the cache. If the EnumLength is still invalid, but there is already a cache present that is big enough; we just initialize the EnumLength field for the map.

When we apply ClearNonLiveTransitions and descriptor ownership is passed back to a parent map, the descriptor array is trimmed in-place and resorted. At the same time, the enumeration cache is trimmed in-place.

Only transition arrays contain descriptor arrays. If we transition to a map and pass ownership of the descriptor array along, the child map will not store the descriptor array it owns. Rather its parent will keep the pointer. So for every leaf-map, we find the descriptor array by following the back pointer, reading out the transition array, and fetching the descriptor array from the JSGlobalPropertyCell. If a map has a transition array, we fetch it from there. If a map has undefined as its back-pointer and has no transition array; it is considered to have an empty descriptor array.

When we modify properties, we cannot share the descriptor array. To accommodate this, the child map will get its own transition array; even if there are not necessarily any transitions leaving from the child map. This is necessary since it's the only way to store its own descriptor array.

BUG=
TEST=

Review URL: https://chromiumcodereview.appspot.com/10918287
Patch from Akos Palfi <palfia@homejinni.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12549 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=v8:2133

Review URL: https://chromiumcodereview.appspot.com/10937013

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12548 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=verwaest@chromium.org
BUG=chromium:146910
TEST=mjsunit/regress/regress-crbug-146910

Review URL: https://codereview.chromium.org/10937026

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12547 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10949018

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12546 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Also split CNLT into small functions.

Review URL: https://chromiumcodereview.appspot.com/10950023

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12545 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10915260

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12544 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

This fixes HleaveInlined to correctly drop pushed arguments on all code
paths and addresses a corner case where the arguments stack height
mismatched at an OSR entry point.

R=jkummerow@chromium.org
BUG=chromium:150545
TEST=mjsunit/regress/regress-crbug-150545

Review URL: https://codereview.chromium.org/10938016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12543 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=

Review URL: https://chromiumcodereview.appspot.com/10944011

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12542 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Port r12534 (4acfb92e)

BUG=
TEST=

Committed: https://code.google.com/p/v8/source/detail?r=12539

Review URL: https://chromiumcodereview.appspot.com/10905313
Patch from Akos Palfi <palfia@homejinni.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12541 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Revert "MIPS: Do not go to slow mode and back to fast in initializer blocks."

This reverts commit 9b05931ec130e831f7496aed6f7ae32e8f2da934.

BUG=

Review URL: https://chromiumcodereview.appspot.com/10939018

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12540 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Port r12534 (4acfb92e)

BUG=
TEST=

Review URL: https://chromiumcodereview.appspot.com/10905313
Patch from Akos Palfi <palfia@homejinni.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12539 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10916336

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12538 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/10941009

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12537 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

The change removes one unused multiply and reschedules
the shift, multiply and jump instructions to reduce
stall. Experiment shows it improve about 20% performance
on x64 for exponetials from about 100 to 2000.

Review URL: https://chromiumcodereview.appspot.com/10939013
Patch from Xi Qian <xi.qian@intel.com>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12535 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10905308

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12534 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/10918273

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12532 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

This fixes a casting error that occured when the receiver of a missed
or uninitialized CallIC is a Smi and there is an interceptor installed
on the prototype chain.

R=yangguo@chromium.org
BUG=chromium:149912
TEST=cctest/test-api/Regress149912

Review URL: https://codereview.chromium.org/10914317

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12531 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=mstarzinger@chromium.org
BUG=v8:2261

Review URL: https://chromiumcodereview.appspot.com/10907254

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12530 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=v8:2336

Review URL: https://chromiumcodereview.appspot.com/10913294

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12529 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Bug=2336
Review URL: https://chromiumcodereview.appspot.com/10911334

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12528 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Removed a dead Lithium instruction on the way.

Review URL: https://codereview.chromium.org/10907234

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12527 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

This refactors the specialized marking of map contents to be done by the
static marking visitor shared between full and incremental marking. This
also fixes an issue where some maps weren't accounted for in the object
stats tracker. But more importantly, it simplifies the code base.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/10919294

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12526 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=140191

R=svenpanne@chromium.org,mkwst@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10837358

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12525 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=v8:1445

Review URL: https://chromiumcodereview.appspot.com/10919314

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12522 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

The change removes one unused multiply and reschedules
the shift, multiply and jump instructions to reduce
stall. Experiment shows it improve about 20% performance
on x86 for exponetials from about 100 to 2000.

Review URL: https://chromiumcodereview.appspot.com/10916311

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12521 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

In WebKit, we would like to store a void* to a data structure that contains
lots of exciting per-context data. The current API restricts us to storing only
Strings, which is less useful.

I've also cleaned up the implementation of GetData to be less convoluted.

Review URL: https://codereview.chromium.org/10907189
Patch from Adam Barth <abarth@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12520 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

TransitionArrays never allocate while being created.

Review URL: https://chromiumcodereview.appspot.com/10908237

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12519 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=verwaest@chromium.org
BUG=v8:2318

Review URL: https://chromiumcodereview.appspot.com/10914290

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12518 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10918245

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12517 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=v8:2297

Review URL: https://chromiumcodereview.appspot.com/10914262

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12515 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10915277

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12513 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10928204

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12512 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10917260

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12511 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

With this CL we clearly distinguish two different views on Lithium
instructions: For register allocation, the actual instruction/operand
is irrelevant, so it has only an iterator/indexed view on the
instruction operands. All other places, most importantly code
generation, use named getters for the operands now, making it easy to
see where each one is used.

Review URL: https://codereview.chromium.org/10919261

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12510 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10913273

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12509 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://codereview.chromium.org/10933087

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12508 ce2b1a6d-e550-0410-aec6-3dcde31c8c00