We also need to do the check before using an existing handler from the
cache

BUG=chromium:505374
R=verwaest@chromium.org
LOG=y

Review URL: https://codereview.chromium.org/1221433010

Cr-Commit-Position: refs/heads/master@{#29511}

BUG=v8:4254
LOG=n
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1219013007

Cr-Commit-Position: refs/heads/master@{#29510}

This unifies the existing frame constants that are the same accross all
architectures. It also adds a new kOriginalConstructorOffset constant
for construct frames and uses is in full-codegen.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1220223005

Cr-Commit-Position: refs/heads/master@{#29509}

port a8a4c364 (r29487).

original commit message:

BUG=

Review URL: https://codereview.chromium.org/1227603002

Cr-Commit-Position: refs/heads/master@{#29508}

TurboFan OSR installs the CompileOptimized builtin on JSFunctions, which
means that we never evict the OSR code objects for such functions from
eager deopts.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1220813018

Cr-Commit-Position: refs/heads/master@{#29507}

Revert of Fix bug when transferring SharedArrayBuffer to multiple Workers. (patchset #3 id:40001 of https://codereview.chromium.org/1215233004/)

Reason for revert:
[Sheriff] Test hangs sometimes and times out flakily. E.g.: http://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20nosse3/builds/4551/steps/Check%20%28flakes%29/logs/d8-worker-sharedarray..

Original issue's description:
> Fix bug when transferring SharedArrayBuffer to multiple Workers.
>
> Previously, the serialization code would call Externalize for every transferred
> ArrayBuffer or SharedArrayBuffer, but that function can only be called once. If
> the buffer is already externalized, we should call GetContents instead.
>
> Also fix use-after-free bug when transferring ArrayBuffers. The transferred
> ArrayBuffer must be internalized in the new isolate, or be managed by the
> Shell. The current code gives it to the isolate externalized and frees it
> immediately afterward when the SerializationData object is destroyed.
>
> BUG=chromium:497295
> R=jarin@chromium.org
> LOG=n
>
> Committed: https://crrev.com/dd7962bf7838f8379ba776ee6b7b0e4d3bec2140
> Cr-Commit-Position: refs/heads/master@{#29499}

TBR=jarin@chromium.org,jochen@chromium.org,binji@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:497295

Review URL: https://codereview.chromium.org/1224843008

Cr-Commit-Position: refs/heads/master@{#29506}

Rolling v8/third_party/icu to c81a1a3989c3b66fa323e9a6ee7418d7c08297af

TBR=machenbach@chromium.org

Review URL: https://codereview.chromium.org/1213043007

Cr-Commit-Position: refs/heads/master@{#29505}

port 1fa4285e (r29436).

original commit message:

    This involves:
    - Enabling the tail call optimization reducer in all cases.
    - Adding an addition flag to CallFunctionParameters to mark call sites
      that can be tail-called enabled.
    - Only set the tail-call flag for %_CallFunction.

BUG=
R=weiliang.lin@intel.com

Review URL: https://codereview.chromium.org/1228463003

Cr-Commit-Position: refs/heads/master@{#29504}

Port a8a4c364

R=yangguo@chromium.org, dstence@us.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1216863005

Cr-Commit-Position: refs/heads/master@{#29503}

R=ishell@chromium.org, dstence@us.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1212343007

Cr-Commit-Position: refs/heads/master@{#29502}

R=titzer@chromium.org, dstence@us.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1218073008

Cr-Commit-Position: refs/heads/master@{#29501}

This implements the proper initialization of the new.target internal
variable in the AstGraphBuilder. For now this uses a runtime call that
cannot handle inlined frames correctly.

R=arv@chromium.org

Review URL: https://codereview.chromium.org/1212813008

Cr-Commit-Position: refs/heads/master@{#29500}

Previously, the serialization code would call Externalize for every transferred
ArrayBuffer or SharedArrayBuffer, but that function can only be called once. If
the buffer is already externalized, we should call GetContents instead.

Also fix use-after-free bug when transferring ArrayBuffers. The transferred
ArrayBuffer must be internalized in the new isolate, or be managed by the
Shell. The current code gives it to the isolate externalized and frees it
immediately afterward when the SerializationData object is destroyed.

BUG=chromium:497295
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1215233004

Cr-Commit-Position: refs/heads/master@{#29499}

Review URL: https://codereview.chromium.org/1218783005

Cr-Commit-Position: refs/heads/master@{#29498}

Revert of Revert of [es6] Bound function names (patchset #1 id:1 of https://codereview.chromium.org/1225793002/)

Reason for revert:
This will prevent rolls. Fixing the root issue instead.

Original issue's description:
> Revert of [es6] Bound function names (patchset #1 id:1 of https://codereview.chromium.org/1195983002/)
>
> Reason for revert:
> Incorrect behavior
>
> Original issue's description:
> > [es6] Bound function names
> >
> > https://people.mozilla.org/~jorendorff/es6-draft.html#sec-function.prototype.bind
> >
> > Bound functions should have a name based on the function that was
> > bound.
> >
> > This reverts the revert f2747ed9. The original
> > CL was reverted because the Blink layout test broke. I have a CL that disables
> > these tests at: https://codereview.chromium.org/1196753003/
> >
> > BUG=N
> > LOG=N
> > R=adamk
> > CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
> >
> > Committed: https://crrev.com/b6d950c979f4348138de0ec54e40dcc48d833926
> > Cr-Commit-Position: refs/heads/master@{#29193}
>
> TBR=adamk@chromium.org,verwaest@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
> BUG=N
>
> Committed: https://crrev.com/744e4d4fd9316674682bc6ca30ded5866494cc1c
> Cr-Commit-Position: refs/heads/master@{#29495}

TBR=adamk@chromium.org,verwaest@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=N

Review URL: https://codereview.chromium.org/1222363002

Cr-Commit-Position: refs/heads/master@{#29497}

where bound functions' length was made configurable. The bootstrapper must be kept in sync to avoid polymorphism.

BUG=chromium:500686
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1221383003

Cr-Commit-Position: refs/heads/master@{#29496}

Revert of [es6] Bound function names (patchset #1 id:1 of https://codereview.chromium.org/1195983002/)

Reason for revert:
Incorrect behavior

Original issue's description:
> [es6] Bound function names
>
> https://people.mozilla.org/~jorendorff/es6-draft.html#sec-function.prototype.bind
>
> Bound functions should have a name based on the function that was
> bound.
>
> This reverts the revert f2747ed9. The original
> CL was reverted because the Blink layout test broke. I have a CL that disables
> these tests at: https://codereview.chromium.org/1196753003/
>
> BUG=N
> LOG=N
> R=adamk
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
>
> Committed: https://crrev.com/b6d950c979f4348138de0ec54e40dcc48d833926
> Cr-Commit-Position: refs/heads/master@{#29193}

TBR=adamk@chromium.org,verwaest@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=N

Review URL: https://codereview.chromium.org/1225793002

Cr-Commit-Position: refs/heads/master@{#29495}

Revert of Reland: Fix logic for incremental marking steps on tenured allocation (patchset #4 id:60001 of https://codereview.chromium.org/1077153004/)

Reason for revert:
[Sheriff] Speculative revert, see:
https://code.google.com/p/chromium/issues/detail?id=506875

Original issue's description:
> Reland: Fix logic for incremental marking steps on tenured allocation
>
> BUG=
>
> Committed: https://crrev.com/5000650bde2ec0bc90d959b529c97aea20385043
> Cr-Commit-Position: refs/heads/master@{#29442}

TBR=hpayer@chromium.org,erikcorry@chromium.org
BUG=chromium:506875
LOG=n
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1212063005

Cr-Commit-Position: refs/heads/master@{#29494}

Remove the context specialization hack from the AstGraphBuilder, and
properly specialize to the function context in the context specialization.
And replace the correct context in the JSInliner.

R=mstarzinger@chromium.org
BUG=v8:4273
LOG=n

Review URL: https://codereview.chromium.org/1218873005

Cr-Commit-Position: refs/heads/master@{#29493}

BUG=chromium:507213
LOG=n
NOTRY=true
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1213613005

Cr-Commit-Position: refs/heads/master@{#29492}

BUG=chromium:502176
LOG=n
NOTRY=true

Review URL: https://codereview.chromium.org/1217503008

Cr-Commit-Position: refs/heads/master@{#29491}

The value output count for Start is currently off by 1 for code stubs,
because the CommonOperatorBuilder hardcodes the receiver parameter.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1217553005

Cr-Commit-Position: refs/heads/master@{#29490}

BUG=v8:4254
LOG=n
NOTRY=true
TBR=jkummerow@chromium.org
NOTREECHECKS=true

Review URL: https://codereview.chromium.org/1226803002

Cr-Commit-Position: refs/heads/master@{#29489}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1222833002

Cr-Commit-Position: refs/heads/master@{#29488}

BUG=v8:3147,v8:4269
LOG=N

Review URL: https://codereview.chromium.org/1218493005

Cr-Commit-Position: refs/heads/master@{#29487}

[turbofan] Reland "Add new JSFrameSpecialization reducer." and "Perform OSR deconstruction early and remove type propagation.".

We have to reland these two commits at once, because the first breaks
some asm.js benchmarks without the second. The change was reverted
because of bogus checks in the verifier, which will not work in the
presence of OSR (and where hidden because of the type back propagation
hack in OSR so far). Original messages are below:

[turbofan] Add new JSFrameSpecialization reducer.

The JSFrameSpecialization specializes an OSR graph to the current
unoptimized frame on which we will perform the on-stack replacement.
This is used for asm.js functions, where we cannot reuse the OSR
code object anyway because of context specialization, and so we could as
well specialize to the max instead.

It works by replacing all OsrValues in the graph with their values
in the JavaScriptFrame.

The idea is that using this trick we get better performance without
doing the unsound backpropagation of types to OsrValues later. This
is the first step towards fixing OSR for TurboFan.

[turbofan] Perform OSR deconstruction early and remove type propagation.

This way we don't have to deal with dead pre-OSR code in the graph
and risk optimizing the wrong code, especially we don't make
optimistic assumptions in the dead code that leaks into the OSR code
(i.e. deopt guards are in dead code, but the types propagate to OSR
code via the OsrValue type back propagation).

BUG=v8:4273
LOG=n
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1226673005

Cr-Commit-Position: refs/heads/master@{#29486}

`WriteUtf16Slow` should not assume that the output buffer has enough
bytes to hold both words of surrogate pair. It should pass the number of
remaining bytes to the `Utf8::ValueOf` instead, just as we already do in
`Utf8DecoderBase::Reset`. Otherwise it will attempt to write the trail
uint16_t past the buffer boundary, leading to memory corruption and
possible crash.

Originally reported by: Kris Reeves <kris.re@bbhmedia.com>

BUG=v8:4274
R=danno
R=svenpanne
LOG=y

Review URL: https://codereview.chromium.org/1226493003

Cr-Commit-Position: refs/heads/master@{#29485}

BUG=

Review URL: https://codereview.chromium.org/1221363002

Cr-Commit-Position: refs/heads/master@{#29484}

Revert of [test] Move test262-es6 into test262. (patchset #2 id:20001 of https://codereview.chromium.org/1215303008/)

Reason for revert:
[Sheriff] Breaks test262 on mac

Original issue's description:
> [test] Move test262-es6 into test262.
>
> BUG=v8:4254
> LOG=n
>
> Committed: https://crrev.com/aaa457b26f6c0f624cf5887e60dc497f6dccabae
> Cr-Commit-Position: refs/heads/master@{#29479}

TBR=rossberg@chromium.org,arv@chromium.org,littledan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4254

Review URL: https://codereview.chromium.org/1227503002

Cr-Commit-Position: refs/heads/master@{#29483}

BUG=chromium:506952
LOG=n

Review URL: https://codereview.chromium.org/1226783002

Cr-Commit-Position: refs/heads/master@{#29482}

R=ishell@chromium.org
BUG=chromium:505539
LOG=N

Review URL: https://codereview.chromium.org/1214373005

Cr-Commit-Position: refs/heads/master@{#29481}

Also revert "[turbofan] Perform OSR deconstruction early and remove type propagation."

This reverts commit b0a852e8.

This reverts commit cdbb6c48.

NOTRY=true
NOTREECHECKS=true
BUG=v8:4273
LOG=n
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1225743002

Cr-Commit-Position: refs/heads/master@{#29480}

BUG=v8:4254
LOG=n

Review URL: https://codereview.chromium.org/1215303008

Cr-Commit-Position: refs/heads/master@{#29479}

This way we don't have to deal with dead pre-OSR code in the graph and
risk optimizing the wrong code, especially we don't make optimistic
assumptions in the dead code that leaks into the OSR code (i.e. deopt
guards are in dead code, but the types propagate to OSR code via the
OsrValue type back propagation).

BUG=v8:4273
LOG=n
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1215333005

Cr-Commit-Position: refs/heads/master@{#29478}

BUG=v8:4137
LOG=n

Review URL: https://codereview.chromium.org/1218813012

Cr-Commit-Position: refs/heads/master@{#29477}

The JSFrameSpecialization specializes an OSR graph to the current
unoptimized frame on which we will perform the on-stack replacement.
This is used for asm.js functions, where we cannot reuse the OSR code
object anyway because of context specialization, and so we could as well
specialize to the max instead.

It works by replacing all OsrValues in the graph with their values in
the JavaScriptFrame.

The idea is that using this trick we get better performance without
doing the unsound backpropagation of types to OsrValues later. This is
the first step towards fixing OSR for TurboFan.

R=jarin@chromium.org
BUG=v8:4273
LOG=n

Review URL: https://codereview.chromium.org/1225683004

Cr-Commit-Position: refs/heads/master@{#29476}

Revert of Concurrent sweeping of code space. (patchset #4 id:60001 of https://codereview.chromium.org/1222013002/)

Reason for revert:
[Sheriff] Increased flaky crashes. See:
https://code.google.com/p/v8/issues/detail?id=4275

Original issue's description:
> Concurrent sweeping of code space.
>
> BUG=
>
> Committed: https://crrev.com/3050b52f57d652dc45c8baf416e174f22dc2c159
> Cr-Commit-Position: refs/heads/master@{#29456}

TBR=jochen@chromium.org,hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1223763003

Cr-Commit-Position: refs/heads/master@{#29475}

BUG=v8:4134
R=bmeurer@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1217123004

Cr-Commit-Position: refs/heads/master@{#29474}

BUG=v8:4131
R=bmeurer@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1224623004

Cr-Commit-Position: refs/heads/master@{#29473}

The context constant cannot be materialized from the frame when we are
compiling for OSR, because the context spill slot contains the current
instead of the outermost context in full-codegen.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1220013003

Cr-Commit-Position: refs/heads/master@{#29472}