When calling into C++ for a ConstructStub, we need to enter the target
context manually currently, which seems to be too fragile and easy to
forget. So instead of doing that manually, we just always enter the
correct context in the trampoline.

Drive-by-fix: Trivial cleanups for some builtins.

R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1551473002

Cr-Commit-Position: refs/heads/master@{#33051}

  port 97def807 (r33044)

  original commit message:
  According to the ES2015 specification, bound functions are exotic
  objects, and thus don't need to be implemented as JSFunctions. So
  we introduce a new JSBoundFunction type to represent bound functions
  and make them optimizable. This already improves the performance of
  calling or constructing bound functions by 10-100x depending on the
  use case because we avoid the crazy dance between JavaScript and C++
  that was implemented in v8natives.js previously.

  There's still room for improvement in the performance of actually
  creating bound functions, which is also relevant in practice, but
  we already have a plan how to accomplish that later.

  The mips/mips64 ports were contributed by akos.palfi@imgtec.com.

BUG=

Review URL: https://codereview.chromium.org/1548253002

Cr-Commit-Position: refs/heads/master@{#33046}

  port 866f9e6e (r33026)

  original commit message:

BUG=

Review URL: https://codereview.chromium.org/1541323005

Cr-Commit-Position: refs/heads/master@{#33035}

  port d3f074b2 (r33024)

  original commit message:
  We'll be able to optimize rest parameters in TurboFan similarly to the arguments array. This CL restores the previous behavior, and a follow-on will enable TurboFan optimization.

  (TBR for rossberg since we discussed the revert beforehand. The only changes are a few lines related to tests and rebasing.)

BUG=

Review URL: https://codereview.chromium.org/1545053002

Cr-Commit-Position: refs/heads/master@{#33034}

BUG=chromium:561449
LOG=n

Review URL: https://codereview.chromium.org/1542113002

Cr-Commit-Position: refs/heads/master@{#33026}

  port 4acca53e(r32996)

  original commit message:
  There's actually no point trying to do Function.prototype.toString in
  JavaScript, as it always calls into C++ at least once, so it only
  complicates things (esp. once we start optimizing bound functions).

  Drive-by-fix: Rename FunctionApply and FunctionCall builtins to also
  reflect the fact that these are builtins in the Function.prototype and
  not on Function itself.

BUG=

Review URL: https://codereview.chromium.org/1548483003

Cr-Commit-Position: refs/heads/master@{#33017}

  port b10d24ff(r32971)

  original commit message:
  Adds support for generating deoptimization translations for interpreter
  stack frames, and building interpreter frames for these translations
  when a function deopts. Also adds builtins for
  InterpreterNotifyDeoptimized which resume the function's continuation at
  the correct point in the interpreter after deopt.

  MIPS patch contributed by balazs.kilvady@igmtec.com

BUG=

Review URL: https://codereview.chromium.org/1543433002

Cr-Commit-Position: refs/heads/master@{#32981}

  port 5bd48324 (r32929)

  original commit message:
  Introduce a new Apply builtin that forms a correct and optimizable foundation for the Function.prototype.apply, Reflect.construct and Reflect.apply builtins
  (which properly does the PrepareForTailCall as required by the ES2015 spec). The new Apply builtin avoids going to the runtime if it is safe to just access
  the backing store elements of the argArray, i.e. if you pass a JSArray with no holes, or an unmapped, unmodified sloppy or strict arguments object.

  mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>;

BUG=

Review URL: https://codereview.chromium.org/1534543003

Cr-Commit-Position: refs/heads/master@{#32960}

  port 2c75e3d2 (r32903)

  original commit message:
  We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code
  without access-checks (see proxies-cross-realm-ecxeption.js).

BUG=

Review URL: https://codereview.chromium.org/1534663002

Cr-Commit-Position: refs/heads/master@{#32924}

  port 025d476c (r32906)

  original commit message:
  Adds a slot for the bytecode offset to interpreter stack frames and
  saves it on calls, and restores after calls.

  Also fixes RawMachineAssembler::Return() to call MergeControlToEnd.

BUG=

Review URL: https://codereview.chromium.org/1535613003

Cr-Commit-Position: refs/heads/master@{#32922}

We can no longer just walk the prototype chain without doing proper access-checks. When installing a proxy as the __proto__ of the global object we might accidentally end up invoking cross-realm code without access-checks (see proxies-cross-realm-ecxeption.js).

Review URL: https://codereview.chromium.org/1521953002

Cr-Commit-Position: refs/heads/master@{#32903}

Revert of Removes the Callee parameter from FunctionCallbackInfo. (patchset #1 id:1 of https://codereview.chromium.org/1510483002/ )

Reason for revert:
Need to figure out a better solution for this.

Original issue's description:
> Removes the Callee parameter from FunctionCallbackInfo.
>
> This will help us to instantiate AccessorPair's getters and setters only when they are needed.
>
> BUG=
>
> Committed: https://crrev.com/2fe34ebdcdee0f21b88daa4098a7918e91abb8fb
> Cr-Commit-Position: refs/heads/master@{#32759}

TBR=jochen@chromium.org,verwaest@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1520843002

Cr-Commit-Position: refs/heads/master@{#32787}

No need to have an indirection to get to the initial JSArray maps from
the native context; we only cache the fast elements maps anyway, so
those could live on the native context directly. This will also
integrate nicely with the load/store propagation in TurboFan (once we
propagate the immutable flag for FieldAccess as well).

Drive-by-fix: Also don't embed any of the initial JSArray maps in
TurboFan generated code when allocating a new JSArray, but instead
always load the appropriate map from the native context.  This way
we ensure that we never leak a reference to one of those maps and
its as efficient as embedding a constant map.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1516433005

Cr-Commit-Position: refs/heads/master@{#32779}

This will help us to instantiate AccessorPair's getters and setters only when they are needed.

BUG=

Review URL: https://codereview.chromium.org/1510483002

Cr-Commit-Position: refs/heads/master@{#32759}

Lower JSCallConstruct with known target JSFunction to a direct call to
the target's construct_stub, and JSCallConstruct with function target to
direct call to ConstructFunction builtin.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1517593003

Cr-Commit-Position: refs/heads/master@{#32735}

LOG=N
BUG=v8:1543

Review URL: https://codereview.chromium.org/1509603005

Cr-Commit-Position: refs/heads/master@{#32718}

Review URL: https://codereview.chromium.org/1506683004

Cr-Commit-Position: refs/heads/master@{#32698}

  port 2b63d6b0 (r32693)

  original commit message:
  It's cumbersome to maintain IC profiler statistics all the time.
  Let's just do it as needed.

BUG=

Review URL: https://codereview.chromium.org/1511903002

Cr-Commit-Position: refs/heads/master@{#32697}

  port 72994124(r32675)

  original commit message:

BUG=

Review URL: https://codereview.chromium.org/1502343009

Cr-Commit-Position: refs/heads/master@{#32686}

BUG=v8:1543
LOG=N

Review URL: https://codereview.chromium.org/1499593003

Cr-Commit-Position: refs/heads/master@{#32675}

This makes the implementations of MacroAssembler::InvokeBuiltin go
through the InvokeFunctionCode helper on all architectures. This helper
knows how to correctly set up all registers (i.e. argument count and the
new target value).

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1488303008

Cr-Commit-Position: refs/heads/master@{#32646}

  port 0ed08780 (r32642)

  original commit message:
  There's no reason to limit the CompareIC to (known) JSObject instances,
  as all JSReceivers behave the same wrt. abstract and strict equality.
  So remove this historical limitation and track JSReceivers instead.

BUG=

Review URL: https://codereview.chromium.org/1501373003

Cr-Commit-Position: refs/heads/master@{#32645}

  port 1e671030 (r32614)

  original commit message:

BUG=

Review URL: https://codereview.chromium.org/1502053003

Cr-Commit-Position: refs/heads/master@{#32641}

X87: Revert of Provide call counts for constructor calls, surface them as a vector IC. (patchset #4 id:60001 of https://codereview.chromium.org/1476413003/ )

  port e89e08ca (r32599)

  original commit message:
  Reason for revert:
  Seems to be (mostly) responsible for the most recent Speedometer regression, not 100% sure. Let's see what the bots have to say.

  Original issue's description:
  > Provide call counts for constructor calls, surface them as a vector IC.
  >
  > CallIC and CallConstructStub look so alike, at least in the feedback they gather even if the implementation differs...and CallIC has such a nice way of surfacing the feedback (CallICNexus), that ther
  >
  > BUG=
  >
  > Committed: https://crrev.com/66d5a9df62da458a51e8c7ed1811dc9660f4f418
  > Cr-Commit-Position: refs/heads/master@{#32452}

  additional description:
  Revert "X87: Provide call counts for constructor calls, surface them as a vector IC." as r32599 does

  This reverts commit 54a9d349.

BUG=

Review URL: https://codereview.chromium.org/1506723002

Cr-Commit-Position: refs/heads/master@{#32638}

  port eaa0e596 (r32550)

  original commit message:
  This drops the specific slot containing the new.target value from our
  construct stub frames. This side-channel has been deprecated and will
  no longer be accessed by any consumers.

BUG=

Review URL: https://codereview.chromium.org/1504703002

Cr-Commit-Position: refs/heads/master@{#32636}

  port 0e956833 (r32549)

  original commit message:
  Whenever the InstanceOfStub finds a proxy (either passed as object or
  somewhere on the prototype chain), it should bailout to the
  %HasInPrototypeChain runtime function, which will do the right thing
  (soonish).

BUG=

Review URL: https://codereview.chromium.org/1508553002

Cr-Commit-Position: refs/heads/master@{#32634}

  port 5d38d681 (r32547)

  original commit message:
  It didn't support subclassing case at all and in non-subclassing case the runtime
  allocation didn't do the slack tracking step.

BUG=

Review URL: https://codereview.chromium.org/1506713002

Cr-Commit-Position: refs/heads/master@{#32633}

BUG=v8:1543
LOG=N

Review URL: https://codereview.chromium.org/1496503002

Cr-Commit-Position: refs/heads/master@{#32616}

  port 531dde9f (r32516)

  original commit message:
  The new step-in implementation no longer tries to predict the step-in
  target, so we don't need the arguments count nor call type anymore.

BUG=

Review URL: https://codereview.chromium.org/1493993002

Cr-Commit-Position: refs/heads/master@{#32540}

  port 3e7e3ed7 (r32508)

  original commit message:
  * Add a sibling interface to InterpreterAssembler called
    CodeStubAssembler which provides a wrapper around the
    RawMachineAssembler and is intented to make it easy to build
    efficient cross-platform code stubs. Much of the implementation
    of CodeStubAssembler is shamelessly stolen from the
    InterpreterAssembler, and the idea is to eventually merge the
    two interfaces somehow, probably moving the
    InterpreterAssembler interface over to use the
    CodeStubAssembler. Short-term, however, the two interfaces
    shall remain decoupled to increase our velocity developing the
    two systems in parallel.
  * Implement the StringLength stub in TurboFan with the new
    CodeStubAssembler. Replace and remove the old Hydrogen-stub
    version.
  * Remove a whole slew of machinery to support JavaScript-style
    code stub generation, since it ultimately proved unwieldy,
    brittle and baroque. This cleanup includes removing the shared
    code stub context, several example stubs and a tangle of build
    file changes.

BUG=

Review URL: https://codereview.chromium.org/1492213002

Cr-Commit-Position: refs/heads/master@{#32538}

Allow to pass new.target (in addition to target) to C++ builtins, and
remove some obsolete/dangerous code from the C++ builtins.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1491883002

Cr-Commit-Position: refs/heads/master@{#32505}

Sanitize ConstructStub handling and add a test case to ensure that the
Symbol constructor is using the correct context.

R=jarin@chromium.org
BUG=v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1489323002

Cr-Commit-Position: refs/heads/master@{#32491}

  port d2f78c6b (r32476)

  original commit message:
  This becomes visible if an exception is thrown by the constructor.
  We do this on "new Array(3.5)", throwing a RangeError.

BUG=

Review URL: https://codereview.chromium.org/1491153002

Cr-Commit-Position: refs/heads/master@{#32489}

  port 66d5a9df (r32452)

  original commit message:
  CallIC and CallConstructStub look so alike, at least in the feedback they gather even if the implementation differs...and CallIC has such a nice way of surfacing the feedback (CallICNexus), that there

BUG=

Review URL: https://codereview.chromium.org/1491063003

Cr-Commit-Position: refs/heads/master@{#32488}

  port 2f559f21 (r32449)

  original commit message:

BUG=

Review URL: https://codereview.chromium.org/1494453002

Cr-Commit-Position: refs/heads/master@{#32487}

  port c83db2d0 (r32456)

  original commit message:

BUG=

Review URL: https://codereview.chromium.org/1487293002

Cr-Commit-Position: refs/heads/master@{#32486}

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1474293002

Cr-Commit-Position: refs/heads/master@{#32449}

  port 9e644881 (r32407)

  original commit message:
  This way we avoid the %_IsSmi magic that is required in TurboFan to
  (efficiently) check abitrary context slots for smi 0. Checking against
  "the hole" is common in the AstGraphBuilder and "the hole" is also used
  to mark other context slots as not initialized.

BUG=

Review URL: https://codereview.chromium.org/1486913002

Cr-Commit-Position: refs/heads/master@{#32441}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1483933002

Cr-Commit-Position: refs/heads/master@{#32403}

Use {FIRST,LAST}_JS_RECEIVER_TYPE instead.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1486563002

Cr-Commit-Position: refs/heads/master@{#32393}