- 26 Jan, 2016 1 commit
-
-
rmcilroy authored
Rename IntepreterExceptionEntryHandler builtin to InterpreterEnterBytecodeDispatch and use it as the return address when building interpreter frames during deopt. This ensures that we restart execution of the outer frame at the correct bytecode. BUG=v8:4280,v8:4678 LOG=N Review URL: https://codereview.chromium.org/1633633002 Cr-Commit-Position: refs/heads/master@{#33512}
-
- 25 Jan, 2016 2 commits
-
-
zhengxing.li authored
port a0878333(r33460) original commit message: We already had hand-written optimized code for %_ToName in fullcodegen, but the optimizing compilers always went to the runtime for %_ToName, which is pretty bad for many of our builtins. So this CL moves the existing native code to a ToNameStub (similar to the existing ToStringStub), and uses the ToNameStub consistently in all compilers to actually implement %_ToName. BUG= Review URL: https://codereview.chromium.org/1622793006 Cr-Commit-Position: refs/heads/master@{#33483}
-
zhengxing.li authored
port ca51c204(r33463) original commit message: This fixes the broken return address when the exception handler within interpreted bytecode is being entered via stack unwinding. The address in question will never actually be taken, but our stack walker uses this address to determine whether a frame is interpreted. BUG= Review URL: https://codereview.chromium.org/1632453002 Cr-Commit-Position: refs/heads/master@{#33482}
-
- 23 Jan, 2016 1 commit
-
-
rmcilroy authored
Change the interpreter to always store the current context in the frame's context slot instead of the function context. This makes it possible to restore the correct context during deopt. BUG=v8:4678,v8:4280 LOG=N Review URL: https://codereview.chromium.org/1604923002 Cr-Commit-Position: refs/heads/master@{#33477}
-
- 22 Jan, 2016 1 commit
-
-
ishell authored
When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context. Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context. This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates. BUG=v8:4267 LOG=Y Committed: https://crrev.com/1d3e837fcbbd9d9fd5e72dfe85dfd47c025f3c9f Cr-Commit-Position: refs/heads/master@{#33438} Review URL: https://codereview.chromium.org/1587073003 Cr-Commit-Position: refs/heads/master@{#33461}
-
- 21 Jan, 2016 3 commits
-
-
machenbach authored
Revert of Array length reduction should throw in strict mode if it can't delete an element. (patchset #7 id:220001 of https://codereview.chromium.org/1587073003/ ) Reason for revert: [Sheriff] Breaks layout tests. Please fix upstream. https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/4077 Original issue's description: > Array length reduction should throw in strict mode if it can't delete an element. > > When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context. > > Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context. > > This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates. > > BUG=v8:4267 > LOG=Y > > Committed: https://crrev.com/1d3e837fcbbd9d9fd5e72dfe85dfd47c025f3c9f > Cr-Commit-Position: refs/heads/master@{#33438} TBR=verwaest@chromium.org,ishell@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=v8:4267 Review URL: https://codereview.chromium.org/1611313003 Cr-Commit-Position: refs/heads/master@{#33444}
-
ishell authored
When accessor getter callback is called the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, since according to ES6 there's no difference between strict and non-strict property loads. For the setter case the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true if the property is set in strict context. Interceptors follow same idea: for getter, enumerator and query callbacks the v8::PropertyCallbackInfo::ShouldThrowOnError() is always false, and for setter and deleter callback the v8::PropertyCallbackInfo::ShouldThrowOnError() returns true in strict context. This CL also cleans up the CallApiGetterStub and removes bogus asserts from [arm] Push(reg1, reg2, ..., regN) that prevented from pushing a set of registers containing duplicates. BUG=v8:4267 LOG=Y Review URL: https://codereview.chromium.org/1587073003 Cr-Commit-Position: refs/heads/master@{#33438}
-
zhengxing.li authored
port 0b3066b8 (r33414) original commit message: This implements a first prototype of stack unwinding for interpreted frames. The unwinding machinery performs a range-based lookup in the given handler table and potentially continues dispatching at the handler offset. Note that this does not yet correctly restore the context to the correct value when the handler is being entered. BUG= Review URL: https://codereview.chromium.org/1616613002 Cr-Commit-Position: refs/heads/master@{#33425}
-
- 20 Jan, 2016 1 commit
-
-
bmeurer authored
We no longer have the concept of "JS builtins" exposed to handwritten native code, so there's no need to keep the InvokeBuiltin macro around. R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/1611613002 Cr-Commit-Position: refs/heads/master@{#33416}
-
- 18 Jan, 2016 3 commits
-
-
cbruni authored
In many places we over-specify runtime-calls by explicitly mentioning again the argument count. Except for var-args runtime-functions we can easily deduce this from the parameters in runtime.h. BUG= Review URL: https://codereview.chromium.org/1596293003 Cr-Commit-Position: refs/heads/master@{#33363}
-
zhengxing.li authored
port 84f8a506 (r33334) original commit message: Adds a ForInPrepare Runtime function which returns a triple of cache_type, cache_array and cache_length. This requires adding support to CEntryStub to call runtime functions which return an ObjectTriple - a struct containing three Object* pointers. Also did some cleanup of the x64 CEntryStub to avoid replicated code. Replaces the interpreter's use of the ad-hoc InterpreterForInPrepare Runtime function with ForInPrepare in preparation for fixing deopt in BytecodeGraphBuilder for ForIn (which will be done in a followup CL). MIPS port contributed by Balazs Kilvady <balazs.kilvady@imgtec.com>. BUG= Review URL: https://codereview.chromium.org/1603493002 Cr-Commit-Position: refs/heads/master@{#33352}
-
bmeurer authored
The runtime function is no longer used and obsolete by now. R=jarin@chromium.org Review URL: https://codereview.chromium.org/1598113003 Cr-Commit-Position: refs/heads/master@{#33350}
-
- 15 Jan, 2016 2 commits
-
-
cbruni authored
When derived constructors return a non-object (or not undefined) we currently throw an exception directly in the callee context. This was achieved by desugaring the return statement for derived classes. To be spec compliant a separate ConstructStubForDerived is introduced. Instead of throwing directly, the desugared return statement inside a derived constructor only returns an integer to indicate an incompatible result. BUG=v8:4509 LOG=n Review URL: https://codereview.chromium.org/1593553002 Cr-Commit-Position: refs/heads/master@{#33336}
-
mstarzinger authored
This splits out the SourcePosition class into a separate header file. Reason for this refactoring is that said class is mostly used by the Crankshaft compiler and not needed for all compilers. Also having the assembler depend on the class creates a dependency cycle. R=bmeurer@chromium.org Review URL: https://codereview.chromium.org/1581083009 Cr-Commit-Position: refs/heads/master@{#33325}
-
- 14 Jan, 2016 3 commits
-
-
epertoso authored
CompatibleReceiverCheck used by the HandleFastApiCall builtin was terminating with failure upon encountering a hidden prototype. It should actually stop iterating on the first non-hidden prototype. BUG= Review URL: https://codereview.chromium.org/1576423003 Cr-Commit-Position: refs/heads/master@{#33294}
-
zhengxing.li authored
port 322ffda3 (r33265) original commit message: Also migrate the Number constructor to a native builtin, using the same mechanism already used by the String constructor. Otherwise just parsing and compiling the Number constructor to optimized code already eats 2ms on desktop for no good reason, and the resulting optimized code is not even close to awesome. Drive-by-fix: Use correct context for the [[Construct]] case of the String constructor as well, and share some code with it. BUG= Review URL: https://codereview.chromium.org/1581313002 Cr-Commit-Position: refs/heads/master@{#33280}
-
zhengxing.li authored
port 12bcba15 (r33258) original commit message: The API functions are always in sloppy mode, so receiver is always a JSReceiver once the actual call trampoline runs, no need to check again in various places. BUG= Review URL: https://codereview.chromium.org/1582173002 Cr-Commit-Position: refs/heads/master@{#33278}
-
- 12 Jan, 2016 1 commit
-
-
mlippautz authored
Failing to do so results in out-of-date marking information, because live bytes is not properly adjusted. This CL adds support for right trimming ByteArray and properly DCHECKs that we do not left trim ByteArray (as we already do for FixedTypedArrayBase). BUG= Review URL: https://codereview.chromium.org/1577263003 Cr-Commit-Position: refs/heads/master@{#33252}
-
- 11 Jan, 2016 2 commits
-
-
hpayer authored
This CL changes the color for encoding black and grey. Moreover, it introduces a higher level live object iterator. BUG=chromium:561449 LOG=n Review URL: https://codereview.chromium.org/1517993003 Cr-Commit-Position: refs/heads/master@{#33208}
-
zhengxing.li authored
port fc5c7e04 (r33172) original commit message: There's no reason to have JavaScript wrappers for those accessors, since the meat is already in hand-written native code (via %_DateField). First step now to put them into native builtins. Next step will be to completely remove %_DateField. BUG= Review URL: https://codereview.chromium.org/1576813003 Cr-Commit-Position: refs/heads/master@{#33196}
-
- 07 Jan, 2016 1 commit
-
-
zhengxing.li authored
port a94d6d6e (r33108) original commit message: The mode requires an extra register, and since we aren't supporting it now, we can dispense with it. BUG= Review URL: https://codereview.chromium.org/1561943002 Cr-Commit-Position: refs/heads/master@{#33147}
-
- 05 Jan, 2016 2 commits
-
-
zhengxing.li authored
port 02072112(r33088) original commit message: Fix stack push issues on non-x64 platforms for InterpreterNotifyDeoptimized builtins. BUG= Review URL: https://codereview.chromium.org/1553083005 Cr-Commit-Position: refs/heads/master@{#33103}
-
zhengxing.li authored
port 82ca2a41(r33084) original commit message: This is preferable because in TurboFan we need to call it, and can't pass untagged external pointers on the stack. BUG= Review URL: https://codereview.chromium.org/1557283002 Cr-Commit-Position: refs/heads/master@{#33102}
-
- 31 Dec, 2015 1 commit
-
-
zhengxing.li authored
X87: [runtime] TailCallRuntime and CallRuntime should use default argument counts specified in runtime.h. port b889d79d(r33066) original commit message: In the vast majority of the cases when we call into the runtime we use the default number of arguments. Hence, there is no need to specify it again. This CL also removes TailCallExternalReference as there were no users. BUG= Review URL: https://codereview.chromium.org/1559693002 Cr-Commit-Position: refs/heads/master@{#33070}
-
- 30 Dec, 2015 1 commit
-
-
cbruni authored
counts specified in runtime.h. In the vast majority of the cases when we call into the runtime we use the default number of arguments. Hence, there is no need to specify it again. This CL also removes TailCallExternalReference as there were no users. BUG= Review URL: https://codereview.chromium.org/1553703002 Cr-Commit-Position: refs/heads/master@{#33066}
-
- 29 Dec, 2015 1 commit
-
-
cbruni authored
JumpToExternalReference ignored the passed-in result_size argument, which defaulted to 1. This change updates all users to not use a result_size. BUG= Review URL: https://codereview.chromium.org/1550923002 Cr-Commit-Position: refs/heads/master@{#33059}
-
- 28 Dec, 2015 2 commits
-
-
bmeurer authored
When calling into C++ for a ConstructStub, we need to enter the target context manually currently, which seems to be too fragile and easy to forget. So instead of doing that manually, we just always enter the correct context in the trampoline. Drive-by-fix: Trivial cleanups for some builtins. R=cbruni@chromium.org Review URL: https://codereview.chromium.org/1551473002 Cr-Commit-Position: refs/heads/master@{#33051}
-
zhengxing.li authored
port 97def807 (r33044) original commit message: According to the ES2015 specification, bound functions are exotic objects, and thus don't need to be implemented as JSFunctions. So we introduce a new JSBoundFunction type to represent bound functions and make them optimizable. This already improves the performance of calling or constructing bound functions by 10-100x depending on the use case because we avoid the crazy dance between JavaScript and C++ that was implemented in v8natives.js previously. There's still room for improvement in the performance of actually creating bound functions, which is also relevant in practice, but we already have a plan how to accomplish that later. The mips/mips64 ports were contributed by akos.palfi@imgtec.com. BUG= Review URL: https://codereview.chromium.org/1548253002 Cr-Commit-Position: refs/heads/master@{#33046}
-
- 24 Dec, 2015 2 commits
-
-
zhengxing.li authored
port 866f9e6e (r33026) original commit message: BUG= Review URL: https://codereview.chromium.org/1541323005 Cr-Commit-Position: refs/heads/master@{#33035}
-
zhengxing.li authored
port d3f074b2 (r33024) original commit message: We'll be able to optimize rest parameters in TurboFan similarly to the arguments array. This CL restores the previous behavior, and a follow-on will enable TurboFan optimization. (TBR for rossberg since we discussed the revert beforehand. The only changes are a few lines related to tests and rebasing.) BUG= Review URL: https://codereview.chromium.org/1545053002 Cr-Commit-Position: refs/heads/master@{#33034}
-
- 23 Dec, 2015 2 commits
-
-
hpayer authored
BUG=chromium:561449 LOG=n Review URL: https://codereview.chromium.org/1542113002 Cr-Commit-Position: refs/heads/master@{#33026}
-
zhengxing.li authored
port 4acca53e(r32996) original commit message: There's actually no point trying to do Function.prototype.toString in JavaScript, as it always calls into C++ at least once, so it only complicates things (esp. once we start optimizing bound functions). Drive-by-fix: Rename FunctionApply and FunctionCall builtins to also reflect the fact that these are builtins in the Function.prototype and not on Function itself. BUG= Review URL: https://codereview.chromium.org/1548483003 Cr-Commit-Position: refs/heads/master@{#33017}
-
- 21 Dec, 2015 1 commit
-
-
zhengxing.li authored
port b10d24ff(r32971) original commit message: Adds support for generating deoptimization translations for interpreter stack frames, and building interpreter frames for these translations when a function deopts. Also adds builtins for InterpreterNotifyDeoptimized which resume the function's continuation at the correct point in the interpreter after deopt. MIPS patch contributed by balazs.kilvady@igmtec.com BUG= Review URL: https://codereview.chromium.org/1543433002 Cr-Commit-Position: refs/heads/master@{#32981}
-
- 18 Dec, 2015 1 commit
-
-
zhengxing.li authored
port 5bd48324 (r32929) original commit message: Introduce a new Apply builtin that forms a correct and optimizable foundation for the Function.prototype.apply, Reflect.construct and Reflect.apply builtins (which properly does the PrepareForTailCall as required by the ES2015 spec). The new Apply builtin avoids going to the runtime if it is safe to just access the backing store elements of the argArray, i.e. if you pass a JSArray with no holes, or an unmapped, unmodified sloppy or strict arguments object. mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>; BUG= Review URL: https://codereview.chromium.org/1534543003 Cr-Commit-Position: refs/heads/master@{#32960}
-
- 17 Dec, 2015 2 commits
-
-
zhengxing.li authored
port 2c75e3d2 (r32903) original commit message: We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js). BUG= Review URL: https://codereview.chromium.org/1534663002 Cr-Commit-Position: refs/heads/master@{#32924}
-
zhengxing.li authored
port 025d476c (r32906) original commit message: Adds a slot for the bytecode offset to interpreter stack frames and saves it on calls, and restores after calls. Also fixes RawMachineAssembler::Return() to call MergeControlToEnd. BUG= Review URL: https://codereview.chromium.org/1535613003 Cr-Commit-Position: refs/heads/master@{#32922}
-
- 16 Dec, 2015 1 commit
-
-
cbruni authored
We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js). Review URL: https://codereview.chromium.org/1521953002 Cr-Commit-Position: refs/heads/master@{#32903}
-
- 11 Dec, 2015 2 commits
-
-
epertoso authored
Revert of Removes the Callee parameter from FunctionCallbackInfo. (patchset #1 id:1 of https://codereview.chromium.org/1510483002/ ) Reason for revert: Need to figure out a better solution for this. Original issue's description: > Removes the Callee parameter from FunctionCallbackInfo. > > This will help us to instantiate AccessorPair's getters and setters only when they are needed. > > BUG= > > Committed: https://crrev.com/2fe34ebdcdee0f21b88daa4098a7918e91abb8fb > Cr-Commit-Position: refs/heads/master@{#32759} TBR=jochen@chromium.org,verwaest@chromium.org NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG= Review URL: https://codereview.chromium.org/1520843002 Cr-Commit-Position: refs/heads/master@{#32787}
-
bmeurer authored
No need to have an indirection to get to the initial JSArray maps from the native context; we only cache the fast elements maps anyway, so those could live on the native context directly. This will also integrate nicely with the load/store propagation in TurboFan (once we propagate the immutable flag for FieldAccess as well). Drive-by-fix: Also don't embed any of the initial JSArray maps in TurboFan generated code when allocating a new JSArray, but instead always load the appropriate map from the native context. This way we ensure that we never leak a reference to one of those maps and it's as efficient as embedding a constant map. R=yangguo@chromium.org Review URL: https://codereview.chromium.org/1516433005 Cr-Commit-Position: refs/heads/master@{#32779}
-
- 10 Dec, 2015 1 commit
-
-
epertoso authored
This will help us to instantiate AccessorPair's getters and setters only when they are needed. BUG= Review URL: https://codereview.chromium.org/1510483002 Cr-Commit-Position: refs/heads/master@{#32759}
-