This fixes the lifetime of nodes created by JSGlobalSpecialization that
contain a simplified operator. In the case where this reducer runs as
part of the inliner, the SimplifiedOperatorBuilder was instantiated with
the wrong zone. This led to use-after-free of simplified operators.

To avoid such situations in the future, we decided to move this operator
builder into the JSGraph and make the situation uniform with all other
operator builders.

R=bmeurer@chromium.org
BUG=chromium:543528
LOG=n

Review URL: https://codereview.chromium.org/1409993002

Cr-Commit-Position: refs/heads/master@{#31334}

To be useful for narrowing down bugs, --hydrogen-filter shouldn't prevent any
inlining that the function(s) being allowed to get optimized want(s) to do.

Free bonus content in this CL: support FLAG_stop_at in lithium-codegen-arm64,
copied from full-codegen-arm64.

Review URL: https://codereview.chromium.org/1407043004

Cr-Commit-Position: refs/heads/master@{#31333}

Revert of "[heap] Divide available memory upon compaction tasks" (patchset #2 id:20001 of https://codereview.chromium.org/1399403002/ )

Reason for revert:
Failing: https://chromegw.corp.google.com/i/client.v8/builders/V8%20Linux64%20GC%20Stress%20-%20custom%20snapshot/builds/2115

Original issue's description:
> Reland of "[heap] Divide available memory upon compaction tasks"
>
> This reverts commit ec1046f9.
>
> Original message:
>
> [heap] Divide available memory upon compaction tasks
> - Fairly (round-robin) divide available memory upon compaction tasks.
> - Ensure an upper limit (of memory) since dividing is O(n) for n free-space
>   nodes.
> - Refill from free lists managed by sweeper once a compaction space becomes
>   empty.
>
> Assumption for dividing memory: Memory in the free lists is sparse upon starting
> compaction (which means that only few nodes are available), except for memory
> reducer GCs, which happen in idle time though (so it's less of a problem).
>
> BUG=chromium:524425
> LOG=N
>
> Committed: https://crrev.com/a805be73f6f97645450124f75c0f7417ec7b3e70
> Cr-Commit-Position: refs/heads/master@{#31329}

TBR=hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425

Review URL: https://codereview.chromium.org/1412643002

Cr-Commit-Position: refs/heads/master@{#31332}

R=cbruni@chromium.org, hpayer@chromium.org

Review URL: https://codereview.chromium.org/1411653002

Cr-Commit-Position: refs/heads/master@{#31331}

R=rossberg@chromium.org
BUG=v8:4471
LOG=N

Review URL: https://codereview.chromium.org/1410753002

Cr-Commit-Position: refs/heads/master@{#31330}

This reverts commit ec1046f9.

Original message:

[heap] Divide available memory upon compaction tasks
- Fairly (round-robin) divide available memory upon compaction tasks.
- Ensure an upper limit (of memory) since dividing is O(n) for n free-space
  nodes.
- Refill from free lists managed by sweeper once a compaction space becomes
  empty.

Assumption for dividing memory: Memory in the free lists is sparse upon starting
compaction (which means that only few nodes are available), except for memory
reducer GCs, which happen in idle time though (so it's less of a problem).

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1399403002

Cr-Commit-Position: refs/heads/master@{#31329}

NOTRY=true

Review URL: https://codereview.chromium.org/1413563002

Cr-Commit-Position: refs/heads/master@{#31328}

Review URL: https://codereview.chromium.org/1407883003

Cr-Commit-Position: refs/heads/master@{#31327}

The stub is used for Turbofan's fast path allocation.

Review URL: https://codereview.chromium.org/1404773002

Cr-Commit-Position: refs/heads/master@{#31326}

Revert of VectorICs: turn on vectors for STORE and KEYED_STORE ics. (patchset #1 id:1 of https://codereview.chromium.org/1396523005/ )

Reason for revert:
We harvested enough information now about the windows crash. We'll investigate that and reland when fixed.

Original issue's description:
> VectorICs: turn on vectors for STORE and KEYED_STORE ics.
>
> R=jkummerow@chromium.org
> BUG=
>
> Committed: https://crrev.com/52225f39df578e77b4804506ca4bc15e096f5cab
> Cr-Commit-Position: refs/heads/master@{#31252}
>
> Committed: https://crrev.com/31487015de401892b4d12b5faef0c47c201308da
> Cr-Commit-Position: refs/heads/master@{#31305}

TBR=jkummerow@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1406163002

Cr-Commit-Position: refs/heads/master@{#31325}

BUG=v8:4495
LOG=n
NOTRY=true

Review URL: https://codereview.chromium.org/1410723002

Cr-Commit-Position: refs/heads/master@{#31324}

BUG=v8:4406
LOG=N

Review URL: https://codereview.chromium.org/1408983002

Cr-Commit-Position: refs/heads/master@{#31323}

BUG=v8:4406
LOG=N

Review URL: https://codereview.chromium.org/1409873002

Cr-Commit-Position: refs/heads/master@{#31322}

    port 924b0ecf (r31057).

    contributed by zhengxing.li@intel.com

    original commit message:

BUG=

Review URL: https://codereview.chromium.org/1408893002

Cr-Commit-Position: refs/heads/master@{#31321}

Rolling v8/tools/swarming_client to 3db878084b52a5e4eac0a32095e490e1b6ef9526

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review URL: https://codereview.chromium.org/1412573002

Cr-Commit-Position: refs/heads/master@{#31320}

R=titzer@google.com

Review URL: https://codereview.chromium.org/1407933002

Cr-Commit-Position: refs/heads/master@{#31319}

R=joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, dstence@us.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1403333002

Cr-Commit-Position: refs/heads/master@{#31318}

Cr-Commit-Position: refs/heads/master@{#31317}

Review URL: https://codereview.chromium.org/1397883003

Cr-Commit-Position: refs/heads/master@{#31316}

BUG=v8:4406
LOG=N

Committed: https://crrev.com/adcbe619a959fe1d8f21d06fbf5984868c4f6b9a
Cr-Commit-Position: refs/heads/master@{#31276}

Review URL: https://codereview.chromium.org/1404903004

Cr-Commit-Position: refs/heads/master@{#31315}

Also move those tests from mjsunit/harmony to mjsunit/es6.

R=littledan@chromium.org

Review URL: https://codereview.chromium.org/1403633007

Cr-Commit-Position: refs/heads/master@{#31314}

Review URL: https://codereview.chromium.org/1405453003

Cr-Commit-Position: refs/heads/master@{#31313}

This change add a new bytecode for operator new and implements it using
the Construct() builtin.

BUG=v8:4280
LOG=N

Committed: https://crrev.com/8e4f9963d53913eab7fbd2f61a5733d8dc2169e7
Cr-Commit-Position: refs/heads/master@{#31293}

Review URL: https://codereview.chromium.org/1402943002

Cr-Commit-Position: refs/heads/master@{#31312}

The CL also fixes various small bugs in context allocation.

Review URL: https://codereview.chromium.org/1404293002

Cr-Commit-Position: refs/heads/master@{#31311}

Review URL: https://codereview.chromium.org/1404283002

Cr-Commit-Position: refs/heads/master@{#31310}

Adds Scope::MaxNestedContextChainLength() which calculates the maximum length
of the context chain for the given scope. This is used by the interpreter to
preallocate the approprate number of context registers when compiling the
function.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1404793004

Cr-Commit-Position: refs/heads/master@{#31309}

BUG=chromium:535160
LOG=n

Review URL: https://codereview.chromium.org/1397593004

Cr-Commit-Position: refs/heads/master@{#31308}

- The bug is that we did not handle end_ properly in SearchForNodeInList.
- We now consistently account for sizes on page level in FreeList, except when
  filtering evacuation candidates (those are accounted for in FreeListCategory)

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1389293005

Cr-Commit-Position: refs/heads/master@{#31307}

In the ES2015 spec, RegExp uses ToLength, not ToInteger, on lastIndex
to coerce it to an integer. This patch switches to ToLength when
the --harmony-tolength flag is on, and adds some tests to verify the
new behavior.

BUG=v8:4244
LOG=Y
R=adamk

Review URL: https://codereview.chromium.org/1394023005

Cr-Commit-Position: refs/heads/master@{#31306}

R=jkummerow@chromium.org
BUG=

Committed: https://crrev.com/52225f39df578e77b4804506ca4bc15e096f5cab
Cr-Commit-Position: refs/heads/master@{#31252}

Review URL: https://codereview.chromium.org/1396523005

Cr-Commit-Position: refs/heads/master@{#31305}

Review URL: https://codereview.chromium.org/1401703003

Cr-Commit-Position: refs/heads/master@{#31304}

R=rossberg@chromium.org
BUG=chromium:539875
LOG=y

Review URL: https://codereview.chromium.org/1393373005

Cr-Commit-Position: refs/heads/master@{#31303}

The runtime flag in question makes no sense, because the feature cannot
be disabled without keeping the snapshot in sync. We should avoid having
the flag in our "mjsunit" test suite, so that CluserFuzz doesn't pick it
up. The test in question is already skipped, the change will not affect
test results on our waterfall.

R=mvstanton@chromium.org
TEST=mjsunit/call-counts
BUG=v8:4458
LOG=n

Review URL: https://codereview.chromium.org/1409533003

Cr-Commit-Position: refs/heads/master@{#31302}

Also update comments.

BUG=

Review URL: https://codereview.chromium.org/1392343004

Cr-Commit-Position: refs/heads/master@{#31301}

Revert of [turbofan] Splinter into one range. (patchset #2 id:80001 of https://codereview.chromium.org/1391023007/ )

Reason for revert:
Weird endless loop in TopLevelLiveRange::Merge() due to always splitting first and not making progress. See comments, unfortunately no useable repro.

Original issue's description:
> [turbofan] Splinter into one range.
>
> Before this CL, we created one live range per successive set of
> deferred blocks. For scenarios with many such blocks, this creates
> an upfront pressure for the register allocator to deal with many ranges.
> Linear sorts ranges, which is a super-linear operation.
>
> The change places all deferred intervals into one range, meaning that,
> at most, there will be twice as many live ranges as the original set. In
> pathological cases (benchmarks/Compile/slow_nbody1.js), this change
> halves the compilation time. We see some improvements elsewhere,
> notably SQLite at ~4-5%.
>
> We may be able to avoid the subsequent merge. Its cost is the
> additional ranges it may need to create. The sole reason for the merge
> phase is to provide an unchanged view of the world to the subsequent
> phases. With the at-most-one splinter model, we may be able to teach
> the other phases about splintering - should we find perf hindrances
> due to merging.
>
> Committed: https://crrev.com/efdcd20267870276c5824f1ccf4e171ac378f7ae
> Cr-Commit-Position: refs/heads/master@{#31224}

TBR=jarin@chromium.org,mtrofin@google.com,mtrofin@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1403163003

Cr-Commit-Position: refs/heads/master@{#31300}

R=rossberg
BUG=v8:3931
LOG=n

Review URL: https://codereview.chromium.org/1397443013

Cr-Commit-Position: refs/heads/master@{#31299}

Revert of [Interpreter] Support for operator new. (patchset #17 id:290001 of https://codereview.chromium.org/1402943002/ )

Reason for revert:
[Sheriff] Breaks arm64 debug:
http://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20arm64%20-%20sim%20-%20debug/builds/4595

Original issue's description:
> [Interpreter] Support for operator new.
>
> This change add a new bytecode for operator new and implements it using
> the Construct() builtin.
>
> BUG=v8:4280
> LOG=N
>
> Committed: https://crrev.com/8e4f9963d53913eab7fbd2f61a5733d8dc2169e7
> Cr-Commit-Position: refs/heads/master@{#31293}

TBR=rmcilroy@chromium.org,bmeurer@chromium.org,oth@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4280

Review URL: https://codereview.chromium.org/1402153004

Cr-Commit-Position: refs/heads/master@{#31298}

Review URL: https://codereview.chromium.org/1404983002

Cr-Commit-Position: refs/heads/master@{#31297}

R=rossberg@chromium.org
BUG=chromium:451967
LOG=N

Review URL: https://codereview.chromium.org/1404783002

Cr-Commit-Position: refs/heads/master@{#31296}

Revert of Make dates default to the local timezone if none specified  (https://codereview.chromium.org/1229903004/)

Even though the change is ES6 spec compliant, we decided to revert
to be consistent with other browsers and work on fixing the spec.

Original issue's description:
> Make dates default to the local timezone if none specified
>
> In ES5, dates were supposed to default to UTC if no timezone was specified. However, this changed in ES6, which specified that dates should be in the local timezone if no timezone was specified. This CL updates our behavior to match that part of the ES6 spec.

> BUG=chromium:391730, v8:4242
> LOG=Y

> Committed: https://crrev.com/f06754a8e1d305a43560705f6c167d85d40e602d
> Cr-Commit-Position: refs/heads/master@{#29854}

BUG=chromium:543320,chromium:539813
LOG=NO

Review URL: https://codereview.chromium.org/1403153003

Cr-Commit-Position: refs/heads/master@{#31295}