Previously, it was not possible to specify StackSlotOperands for all
slots in both the caller and callee stacks. Specifically, the region
of the callee's stack including the saved return address, frame
pointer, function pointer and context pointer could not be addressed
by the register allocator/gap resolver.

In preparation for better tail call support, which will use the gap
resolver to reconcile outgoing parameters, this change makes it
possible to address all slots on the stack, because slots in the
previously inaccessible dead zone may become parameter slots for
outgoing tail calls. All caller stack slots are accessible as they
were before, with slot -1 corresponding to the last stack
parameter. Stack slot indices >= 0 access the callee stack, with slot
0 corresponding to the callee's saved return address, 1 corresponding
to the saved frame pointer, 2 corresponding to the current function
context, 3 corresponding to the frame marker/JSFunction, and slots 4
and above corresponding to spill slots.

The following changes were specifically	needed:

* Frame	has been changed to explicitly manage three areas of the
  callee frame, the fixed header, the spill slot area, and the
  callee-saved register area.
* Conversions from stack slot indices to fp offsets all now go through
  a common bottleneck: OptimizedFrame::StackSlotOffsetRelativeToFp
* The generation of deoptimization translation tables has been changed
  to support the new stack slot indexing scheme. Crankshaft, which
  doesn't support the new slot numbering in its register allocator,
  must adapt the indexes when creating translation tables.
* Callee-saved parameters are now kept below spill slots, not above,
  to support saving only the optimal set of used registers, which is
  only known after register allocation is finished and spill slots
  have been allocated.

Review URL: https://codereview.chromium.org/1261923007

Cr-Commit-Position: refs/heads/master@{#30224}

R=hablich@chromium.org
BUG=v8:4378
LOG=N

Review URL: https://codereview.chromium.org/1290383004

Cr-Commit-Position: refs/heads/master@{#30223}

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1303463002

Cr-Commit-Position: refs/heads/master@{#30222}

Bytecode generator for local assignment and basic binary operations.

Command-line flag for printing bytecodes.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1294543002

Cr-Commit-Position: refs/heads/master@{#30221}

%InstallFunctionsFromArray is not entirely equivalent to the old
InstallFunctions implementation, which causes gc stress failures.

TBR=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1287203006

Cr-Commit-Position: refs/heads/master@{#30220}

Makes the following modifications to the interpreter builtins and
InterpreterAssembler:
 - Adds an accumulator register and initializes it to undefined()
 - Adds a register file pointer register and use it instead of FramePointer to
   access registers
 - Modifies builtin to support functions with 0 regiters in the register file
 - Modifies builtin to Call rather than TailCall to first bytecode handler.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1289863003

Cr-Commit-Position: refs/heads/master@{#30219}

* Add types to properly report what has been executed in the GC
* Unify GCPrologueCallback and GCEpilogueCallback into GCCallback
* Report processing of second round weak handels, either synchronously or asynchronously

BUG=chromium:521946
LOG=N

Review URL: https://codereview.chromium.org/1298113003

Cr-Commit-Position: refs/heads/master@{#30218}

R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1294803004

Cr-Commit-Position: refs/heads/master@{#30217}

TBR=hablich@chromium.org
BUG=v8:4378
LOG=N

Review URL: https://codereview.chromium.org/1295813006

Cr-Commit-Position: refs/heads/master@{#30216}

Reland of move property loads from js builtins objects from runtime. (patchset #1 id:1 of https://codereview.chromium.org/1297803003/ )

Reason for revert:
Debug isolate failure has nothing to do with this CL.

Original issue's description:
> Revert of Remove property loads from js builtins objects from runtime. (patchset #2 id:20001 of https://codereview.chromium.org/1293113002/ )
>
> Reason for revert:
> Still failures in debug-isolates tests
>
> Original issue's description:
> > Remove property loads from js builtins objects from runtime.
> >
> > R=cbruni@chromium.org
> >
> > Committed: https://crrev.com/40f6e80d22d2e146b781aa661b76087ab9a492c4
> > Cr-Commit-Position: refs/heads/master@{#30199}
> >
> > Committed: https://crrev.com/f22d0f205031054a5f3116e052c81ae85741e8e0
> > Cr-Commit-Position: refs/heads/master@{#30209}
>
> TBR=cbruni@chromium.org,hpayer@chromium.org
> NOPRESUBMIT=true
> NOTREECHECKS=true
> NOTRY=true
>
> Committed: https://crrev.com/4106a4cbb701b5fe7d0b639e28a4ebfca5c05630
> Cr-Commit-Position: refs/heads/master@{#30213}

TBR=cbruni@chromium.org,hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1298733003

Cr-Commit-Position: refs/heads/master@{#30215}

Adding missing rd register in JALR disassembly, for mips and mipps64

Review URL: https://codereview.chromium.org/1297183002

Cr-Commit-Position: refs/heads/master@{#30214}

Revert of Remove property loads from js builtins objects from runtime. (patchset #2 id:20001 of https://codereview.chromium.org/1293113002/ )

Reason for revert:
Still failures in debug-isolates tests

Original issue's description:
> Remove property loads from js builtins objects from runtime.
>
> R=cbruni@chromium.org
>
> Committed: https://crrev.com/40f6e80d22d2e146b781aa661b76087ab9a492c4
> Cr-Commit-Position: refs/heads/master@{#30199}
>
> Committed: https://crrev.com/f22d0f205031054a5f3116e052c81ae85741e8e0
> Cr-Commit-Position: refs/heads/master@{#30209}

TBR=cbruni@chromium.org,hpayer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1297803003

Cr-Commit-Position: refs/heads/master@{#30213}

BUG=

Review URL: https://codereview.chromium.org/1294913003

Cr-Commit-Position: refs/heads/master@{#30212}

BUG=

Review URL: https://codereview.chromium.org/1299623003

Cr-Commit-Position: refs/heads/master@{#30211}

BUG=chromium:516304
LOG=N

Review URL: https://codereview.chromium.org/1267953002

Cr-Commit-Position: refs/heads/master@{#30210}

R=cbruni@chromium.org

Committed: https://crrev.com/40f6e80d22d2e146b781aa661b76087ab9a492c4
Cr-Commit-Position: refs/heads/master@{#30199}

Review URL: https://codereview.chromium.org/1293113002

Cr-Commit-Position: refs/heads/master@{#30209}

Rolling v8/third_party/icu to 89dcdec16381883782b9cc9cff38e00f047a0f46

Rolling v8/tools/clang to 5b12e334ec0e571a8e1f68d028dc5427b58c17ec

TBR=machenbach@chromium.org

Review URL: https://codereview.chromium.org/1294523005

Cr-Commit-Position: refs/heads/master@{#30208}

BUG=v8:4317
LOG=n
TBR=littledan@chromium.org

Review URL: https://codereview.chromium.org/1285983004 .

Cr-Commit-Position: refs/heads/master@{#30207}

Use macros for factory functions, and in hydrogen code stubs.

LOG=N
BUG=v8:4124

Review URL: https://codereview.chromium.org/1293533003

Cr-Commit-Position: refs/heads/master@{#30206}

This debug check is not needed anymore.

This reverts commit ce311ed0.

BUG=

Review URL: https://codereview.chromium.org/1300663002

Cr-Commit-Position: refs/heads/master@{#30205}

BUG=

Review URL: https://codereview.chromium.org/1290403002

Cr-Commit-Position: refs/heads/master@{#30204}

R=jarin@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1291113003

Cr-Commit-Position: refs/heads/master@{#30203}

R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1294093003

Cr-Commit-Position: refs/heads/master@{#30202}

Revert of Remove property loads from js builtins objects from runtime. (patchset #1 id:1 of https://codereview.chromium.org/1293113002/ )

Reason for revert:
Reverting because it made the waterfall red http://build.chromium.org/p/client.v8/builders/V8%20Win32%20-%20nosnap%20-%20shared/builds/8390

Original issue's description:
> Remove property loads from js builtins objects from runtime.
>
> R=cbruni@chromium.org
>
> Committed: https://crrev.com/40f6e80d22d2e146b781aa661b76087ab9a492c4
> Cr-Commit-Position: refs/heads/master@{#30199}

TBR=cbruni@chromium.org,yangguo@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1294123002

Cr-Commit-Position: refs/heads/master@{#30201}

The following situation may happen which reproduces this bug:
(1) We allocate JSObject A on an evacuation candidate.
(2) We allocate JSObject B on a non-evacuation candidate.
(3) Incremental marking starts and marks object A and B.
(4) We create a reference from B.field = A; which records the slot B.field since A is on an evacuation candidate.
(5) After that we write a SMI into B.field.
(6) After that B goes into dictionary mode and shrinks its original size. B.field is now outside of the JSObject, i.e B.field is in memory that will be freed by the sweeper threads.
(7) GC is triggered.
(8) BUG: Slots buffer filtering walks over the slots buffer, SMIs are not filtered out because we assumed that SMIs are just ignored when the slots get updated later. However, recorded SMI slots of dead objects may be overwritten by double values at evacuation time.
(9) During evacuation, a heap number that looks like a valid pointer is moved over B.field.
(10) The slots buffer is scanned for updates, follows B.field since it looks like a pointer (the double value looks like a pointer), and crashes.

BUG=chromium:519577,chromium:454297
LOG=y

Review URL: https://codereview.chromium.org/1286343004

Cr-Commit-Position: refs/heads/master@{#30200}

R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1293113002

Cr-Commit-Position: refs/heads/master@{#30199}

BUG=

Review URL: https://codereview.chromium.org/1209223005

Cr-Commit-Position: refs/heads/master@{#30198}

R=jarin@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1296933002

Cr-Commit-Position: refs/heads/master@{#30197}

Always unlink optimized code on deopt, even when FLAG_always_opt is present, because assumptions that the code made could have become invalid.
BUG=v8:4375
LOG=n
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1284103006

Cr-Commit-Position: refs/heads/master@{#30196}

R=mlippautz@chromium.org

Review URL: https://codereview.chromium.org/1291833003

Cr-Commit-Position: refs/heads/master@{#30195}

This removes the dependency of the MarkingDeque on the underlying
collector by moving out the live bytes accounting and object color
mutations into a wrapper. The MarkingDeque can now be split into a
separate file.

R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1293773002

Cr-Commit-Position: refs/heads/master@{#30194}

Previously, UsePositions for Phis that are constant LiveRanges which are also used
as hints for other USePositions would always force-allocate the first register in
the allocatable register file to that range.

Review URL: https://codereview.chromium.org/1289313003

Cr-Commit-Position: refs/heads/master@{#30193}

Based on caitp's https://codereview.chromium.org/1127063003/

R=adamk@chromium.org, littledan@chromium.org
BUG=v8:2160
LOG=N

Review URL: https://codereview.chromium.org/1287063004

Cr-Commit-Position: refs/heads/master@{#30192}

BUG=

Review URL: https://codereview.chromium.org/1287023002

Cr-Commit-Position: refs/heads/master@{#30191}

The interpreter needs to be initialized after the snapshot has been deserialized.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1290883004

Cr-Commit-Position: refs/heads/master@{#30190}

R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1295093002

Cr-Commit-Position: refs/heads/master@{#30189}

This is to prevent unnecessary script contexts to be created for
native scripts, which could end up with a script context table
containing twenty script contexts for a newly created native context.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1301533002

Cr-Commit-Position: refs/heads/master@{#30188}

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1299563003

Cr-Commit-Position: refs/heads/master@{#30187}

Add Object::StrictEquals to unify the implementation of strict equality
comparison in the runtime and the api (the api was already missing a
case for SIMD).  Now we (almost) have a single bottleneck for strict
equality, we just need to reduce the amount of unnecessary complexity
for the code stub.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1298603002

Cr-Commit-Position: refs/heads/master@{#30186}

port 19a49abf (r30127).

original commit message:

BUG=

Review URL: https://codereview.chromium.org/1286143009

Cr-Commit-Position: refs/heads/master@{#30185}