Reason for revert:
Revive left-trimming until new strategies are evaluated and decided on.

Partially reverted changes from:
https://codereview.chromium.org/1474203003/

BUG=v8:4606
LOG=N

Original issue's description:
> [heap] delete Heap::LeftTrimFixedAray
>
> No more uses left for this code (thank goodness.)
>
> R=hpayer@chromium.org
> BUG=
>
> Committed: https://crrev.com/dc3442b1ec803916eb6c1882ab4c3ec6fd44dd55
> Cr-Commit-Position: refs/heads/master@{#32305}

TBR=hpayer@chromium.org,ofrobots@google.com

Review URL: https://codereview.chromium.org/1535933002

Cr-Commit-Position: refs/heads/master@{#32965}

Adds FrameState nodes to graphs built by the Bytecode Graph Builder, in
preparation for adding deopt support. Also adds a new
FrameStateType::kInterpretedFunction to allow for specialized deopt
stack translation for interpreted frames. Finally adds support for
disabling typed lowering of binary ops, since the current approach
relies on a FrameState hack which does not apply to interpreted frames

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1514413002

Cr-Commit-Position: refs/heads/master@{#32964}

Updated toolchain.gypi to support v8 using CLANG on MIPS. These changes
include using integrated assembler with CLANG, and disabling options
used by GCC which are not supported by CLANG.

Reland https://codereview.chromium.org/1519493002 with fix to remove
duplicated 'conditions' sections.

TEST=
BUG=

Review URL: https://codereview.chromium.org/1530153003

Cr-Commit-Position: refs/heads/master@{#32963}

Pretty much everywhere except for a few places where we use
iterators.

BUG=

Review URL: https://codereview.chromium.org/1540453002

Cr-Commit-Position: refs/heads/master@{#32962}

Rolling v8/buildtools to fee7f1e849f59c3fd7bb7b2cacf876edca0572f3

Rolling v8/tools/clang to c745f4763a6af65800a40b6da508f3e943d1804e

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review URL: https://codereview.chromium.org/1540513002

Cr-Commit-Position: refs/heads/master@{#32961}

  port 5bd48324 (r32929)

  original commit message:
  Introduce a new Apply builtin that forms a correct and optimizable foundation for the Function.prototype.apply, Reflect.construct and Reflect.apply builtins
  (which properly does the PrepareForTailCall as required by the ES2015 spec). The new Apply builtin avoids going to the runtime if it is safe to just access
  the backing store elements of the argArray, i.e. if you pass a JSArray with no holes, or an unmapped, unmodified sloppy or strict arguments object.

  mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>;

BUG=

Review URL: https://codereview.chromium.org/1534543003

Cr-Commit-Position: refs/heads/master@{#32960}

This is based on the Skia Implementation.

More on the project can be found here:
https://docs.google.com/a/chromium.org/document/d/1_4LAnInOB8tM_DLjptWiszRwa4qwiSsDzMkO4tU-Qes/edit#heading=h.p97rw6yt8o2j

The V8 Tracing platform will replace the isolate->event_logger().
But since the current embedders (namely chromium) currently use the isolate->event_logger, I made the default implementation (event-tracer) call into isolate->event_logger if an event_logger was set.
Once the embedders properly implement the interface (for example in chromium it would look like this: https://codereview.chromium.org/707273005/), the default implementation will be doing nothing.

Once the embedders side is fixed, we will change how V8 uses the tracing framework beyond the call from Logger:CallEventLogger. (which would also include a d8 implementation)

BUG=v8:4560
LOG=N

Review URL: https://codereview.chromium.org/988893003

Cr-Commit-Position: refs/heads/master@{#32959}

part of a compile time improvement push. We got from 3 minutes down
to ~30 seconds prior to the change here.

This change further reduces the compile time down to 2 seconds, which
is actually slightly better than the pre-splintering total execution time
of about 3 seconds.

The cause of the regression was the repeated traversal of the children
of a live range, seeking for the one covering a safe point. The fix is to
leverage the intrinsic ordering in the chain of live range children, as well
as that of the safe points.

BUG= chromium:567745
LOG=N

Review URL: https://codereview.chromium.org/1529293002

Cr-Commit-Position: refs/heads/master@{#32958}

Revert of Remove wasm compile time option and enable wasm behind a runtime flag. (patchset #54 id:1050001 of https://codereview.chromium.org/1516753007/ )

Reason for revert:
[Sheriff] Some build failures, e.g.:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20shared/builds/7502

Original issue's description:
> Remove wasm compile time option and enable wasm behind a runtime flag.
>
> R=titzer@chromium.org
> BUG=
>
> Committed: https://crrev.com/153f2bd47cce9d5dfa74074dda34c02731d96924
> Cr-Commit-Position: refs/heads/master@{#32955}

TBR=titzer@chromium.org,bradnelson@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1531073003

Cr-Commit-Position: refs/heads/master@{#32957}

BUG=chromium:561973
LOG=N

Review URL: https://codereview.chromium.org/1532573003

Cr-Commit-Position: refs/heads/master@{#32956}

R=titzer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1516753007

Cr-Commit-Position: refs/heads/master@{#32955}

Added structural validation to live ranges, esp. for bugs that may
arise due to splintering / merging.

BUG=

Review URL: https://codereview.chromium.org/1533723002

Cr-Commit-Position: refs/heads/master@{#32954}

If the profiler is started via the API and not stopped, V8 will
 intermittently crash during isolate teardown.

The fix is to run the DeleteAllProfiles function in Isolate::Deinit()
 if cpu_profiler_ still exists.

https://groups.google.com/forum/#!topic/v8-dev/WsIlpbaD4mo

TEST= Run in debug mode, if you start a profile and don't stop it,
 this assert should fail:

  Fatal error in ../src/profiler/cpu-profiler.cc, line 414
  Check failed: !is_profiling_.

Review URL: https://codereview.chromium.org/1526253005

Cr-Commit-Position: refs/heads/master@{#32953}

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1536663002

Cr-Commit-Position: refs/heads/master@{#32952}

Add an internal field to each wasm function to keep a reference to the module. (So the GC can do the right thing when you only hold references to wasm functions but not the module).

Use Realloc carefully, to avoid copying from out of bounds.

Make snprintf use platform independent.

Don't disconnect external arraybuffers provided for the heap.

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1531243003

Cr-Commit-Position: refs/heads/master@{#32951}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1532063002

Cr-Commit-Position: refs/heads/master@{#32950}

Allowing global references to be read through a proxy results in cross-origin information leaks. The ES6 spec currently does not mitigate this in any way. This CL adds a workaround that's easy for V8: throw whenever an unresolved reference would result in a proxy trap to be fired. I'm landing this so we can move forwards with staging proxies without putting users of --harmony at risk.

BUG=chromium:399951
LOG=n

Review URL: https://codereview.chromium.org/1529303003

Cr-Commit-Position: refs/heads/master@{#32949}

Make WasmModule free it's own memory, avoid mixing stack and
heap allocations in tests. This fixes several memory leaks.

Fix several signed compare issues.
Fix several floating point warnings.

Don't setup heap as external, as then the GC can't collect it.

Disable some tests that fail under ASAN.

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1538543002

Cr-Commit-Position: refs/heads/master@{#32948}

BUG=chromium:570651
LOG=n

Review URL: https://codereview.chromium.org/1532083002

Cr-Commit-Position: refs/heads/master@{#32947}

Fixing several signed/unsigned comparison warnings for wasm.
Fixing a use after free involving ostringsteam::str()

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1533593004

Cr-Commit-Position: refs/heads/master@{#32946}

BUG=chromium:497632
LOG=y

Review URL: https://codereview.chromium.org/1531583005

Cr-Commit-Position: refs/heads/master@{#32945}

It must call the 'getOwnPropertyDescriptor' trap, not the 'has' trap.

R=cbruni@chromium.org, jkummerow@chromium.org
BUG=v8:1543
LOG=n

Review URL: https://codereview.chromium.org/1532723005

Cr-Commit-Position: refs/heads/master@{#32944}

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1530403004

Cr-Commit-Position: refs/heads/master@{#32943}

BUG=566253
LOG=n

Review URL: https://codereview.chromium.org/1530143002

Cr-Commit-Position: refs/heads/master@{#32942}

BUG=
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1533813002

Cr-Commit-Position: refs/heads/master@{#32941}

Fixing several memory leaks in wasm unittests.
Avoiding std::vector::data() as it isn't supported on all
compilers on the bots.
Use EXCEPT_TRUE / EXPECT_FALSE to avoid warnings on some compilers when testing boolean equality.

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1536603003

Cr-Commit-Position: refs/heads/master@{#32940}

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1516003002

Cr-Commit-Position: refs/heads/master@{#32939}

In preparation for switching wasm from a compile to
a runtime option, add the runtime flag to all mjsunit tests.

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1537643002

Cr-Commit-Position: refs/heads/master@{#32938}

  port aafc3e54 (r32926)

  original commit message:
  The FIRST-LAST_NONCALLABLE_SPEC_OBJECT_TYPE range was accidentially used
  in field type tracking, where we should check for JSReceiver instead
  (there's no need to exclude JSProxy or JSFunction from tracking).

  And the use in %_ClassOf was actually wrong and didn't match the C++
  implementation in JSReceiver::class_name() anymore. Now it's consistent
  again.

BUG=

Review URL: https://codereview.chromium.org/1537613002

Cr-Commit-Position: refs/heads/master@{#32937}

As required by the spec, the second return value now returns success
also for the range between 0 and -1 where the conversion results in 0.

R=bradnelson@chromium.org, mstarzinger@chromium.org, v8-arm-ports@googlegroups.com, v8-mips-ports@googlegroups.com

Review URL: https://codereview.chromium.org/1533503002

Cr-Commit-Position: refs/heads/master@{#32936}

And remove confusing comment.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1531843003

Cr-Commit-Position: refs/heads/master@{#32935}

- Before getting the length property, we must check for it
  using [[GetOwnProperty]].  Also, if the obtained length
  is a number, we must properly convert it to an integer.

- In order to get the prototype we must use [[GetPrototypeOf]],
  and do so before checking the length.

R=cbruni@chromium.org, jkummerow@chromium.org
BUG=v8:1543
LOG=n

Review URL: https://codereview.chromium.org/1530893002

Cr-Commit-Position: refs/heads/master@{#32934}

Add Ivica B.

NOTRY=true

Review URL: https://codereview.chromium.org/1525413003

Cr-Commit-Position: refs/heads/master@{#32933}

Reason for revert:
This causes compatibility issues, as documented in https://bugs.chromium.org/p/v8/issues/detail?id=4617#c9

Original issue's description:
> [es6] ship regexp sticky flag.
>
> R=littledan@chromium.org
> BUG=v8:4342
> LOG=Y
>
> Committed: https://crrev.com/86c2dd4042dc9ce293e004234eb094f2b51d9640
> Cr-Commit-Position: refs/heads/master@{#32826}

TBR=yangguo@chromium.org,littledan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4342
LOG=Y

Review URL: https://codereview.chromium.org/1531243002

Cr-Commit-Position: refs/heads/master@{#32932}

In a previous incarnation of live range merging, we needed to cache the
last child in a chain of live ranges. We don't anymore, so removing
unused code.

BUG=

Review URL: https://codereview.chromium.org/1536523003

Cr-Commit-Position: refs/heads/master@{#32931}

Decoupled the Print APIs from RegisterAllocationData, and placed them
on the various APIs. Way easier to use these at debug time even outside
the register allocation pipeline.

BUG=

Review URL: https://codereview.chromium.org/1528983005

Cr-Commit-Position: refs/heads/master@{#32930}

Introduce a new Apply builtin that forms a correct and optimizable
foundation for the Function.prototype.apply, Reflect.construct and
Reflect.apply builtins (which properly does the PrepareForTailCall
as required by the ES2015 spec).

The new Apply builtin avoids going to the runtime if it is safe to
just access the backing store elements of the argArray, i.e. if you
pass a JSArray with no holes, or an unmapped, unmodified sloppy or
strict arguments object.

mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>

CQ_INCLUDE_TRYBOTS=tryserver.v8:v8_linux64_tsan_rel
BUG=v8:4413, v8:4430
LOG=n
R=yangguo@chromium.org

Committed: https://chromium.googlesource.com/v8/v8/+/e4d2538911f6cb4b626830ccbb3c1f5746542697

Review URL: https://codereview.chromium.org/1523753002 .

Cr-Commit-Position: refs/heads/master@{#32929}

Revert of [es6] Correct Function.prototype.apply, Reflect.construct and Reflect.apply. (patchset #5 id:80001 of https://codereview.chromium.org/1523753002/ )

Reason for revert:
Breaks TSAN somewhow: http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/7000

Original issue's description:
> [es6] Correct Function.prototype.apply, Reflect.construct and Reflect.apply.
>
> Introduce a new Apply builtin that forms a correct and optimizable
> foundation for the Function.prototype.apply, Reflect.construct and
> Reflect.apply builtins (which properly does the PrepareForTailCall
> as required by the ES2015 spec).
>
> The new Apply builtin avoids going to the runtime if it is safe to
> just access the backing store elements of the argArray, i.e. if you
> pass a JSArray with no holes, or an unmapped, unmodified sloppy or
> strict arguments object.
>
> mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>
>
> CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
> BUG=v8:4413, v8:4430
> LOG=n
> R=yangguo@chromium.org
>
> Committed: https://chromium.googlesource.com/v8/v8/+/e4d2538911f6cb4b626830ccbb3c1f5746542697

TBR=yangguo@chromium.org,paul.lind@imgtec.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:4413, v8:4430

Review URL: https://codereview.chromium.org/1533803002 .

Cr-Commit-Position: refs/heads/master@{#32928}

Introduce a new Apply builtin that forms a correct and optimizable
foundation for the Function.prototype.apply, Reflect.construct and
Reflect.apply builtins (which properly does the PrepareForTailCall
as required by the ES2015 spec).

The new Apply builtin avoids going to the runtime if it is safe to
just access the backing store elements of the argArray, i.e. if you
pass a JSArray with no holes, or an unmapped, unmodified sloppy or
strict arguments object.

mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>

CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel
BUG=v8:4413, v8:4430
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1523753002 .

Cr-Commit-Position: refs/heads/master@{#32927}

The FIRST-LAST_NONCALLABLE_SPEC_OBJECT_TYPE range was accidentially used
in field type tracking, where we should check for JSReceiver instead
(there's no need to exclude JSProxy or JSFunction from tracking).

And the use in %_ClassOf was actually wrong and didn't match the C++
implementation in JSReceiver::class_name() anymore. Now it's consistent
again.

R=yangguo@chromium.org
BUG=chromium:535408
LOG=n

Review URL: https://codereview.chromium.org/1535523003 .

Cr-Commit-Position: refs/heads/master@{#32926}