The main impetus is to improve performance when --harmony-tostring
is enabled, thanks to using a generic property load instead of a
megamorphic IC.

This also reduces duplication, as the API function
v8::Object::ObjectProtoToString can share the runtime implementation.

The only functional change in this patch is to drop an accidental difference
between the JS and API implementations: the arguments object should toString
as "[object Arguments]". The JS side was corrected in
https://code.google.com/p/v8/source/detail?r=3279, but the API version was
missed in that patch.

BUG=chromium:555127, v8:3502
LOG=n
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1509533003

Cr-Commit-Position: refs/heads/master@{#32777}

Rolling v8/buildtools to 68e3c238a5ab347436762cb929316aa55ca72563

Rolling v8/tools/clang to 3a1510ccbc295798602abbbffcf61065704e8acb

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review URL: https://codereview.chromium.org/1516193002

Cr-Commit-Position: refs/heads/master@{#32776}

If we model them as memory operands ("SpillOperands"), as we
currently do, they are treated by the register allocator as being defined
in memory, so spilling them up to the first use requiring them in a
register is free.

That's not the case for context and function marker. They come in
registers, and the frame construction also pushes them on the stack.
This conflicts with the goals of frame elision: the allocator should avoid
eagerly spilling them, which would force a frame construction; also,
their not being spilled, should frame elision succeed for the first block,
means modeling them as spill operands incorrect.

The natural choice would be to fully decouple their spilling from frame
construction, and let the register allocator spill them. That means they
need to be presented to the register allocator as vanilla live ranges,
with pre-assigned spill slots.

The main challenge there is that not all instructions (mainly, stack checks) list their dependency on these ranges being spilled. In this
change, we change the model but leave the frame construction as-is.
This has the benefit that it unblocks frame elision, but has the drawback
that we may see double spills in the case where these live ranges spill
only in deferred blocks. I plan to enable frame elision next, after which
tackle this issue with spilling.

BUG= v8:4533
LOG=N

Review URL: https://codereview.chromium.org/1501363002

Cr-Commit-Position: refs/heads/master@{#32775}

Revert of [es6] support AssignmentPattern as LHS in for-in/of loops (patchset #9 id:280001 of https://codereview.chromium.org/1508933004/ )

Reason for revert:
Hits unreachable code (found by fuzzer). Example crasher:

"for(();;);"

Original issue's description:
> [es6] support AssignmentPattern as LHS in for-in/of loops
>
> BUG=v8:811, v8:4599
> LOG=N
> R=adamk@chromium.org, rossberg@chromium.org
>
> Committed: https://crrev.com/e47bdb775564b2cd8365047425898ab4274190a6
> Cr-Commit-Position: refs/heads/master@{#32773}

TBR=rossberg@chromium.org,caitpotter88@gmail.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=v8:811, v8:4599

Review URL: https://codereview.chromium.org/1511773009

Cr-Commit-Position: refs/heads/master@{#32774}

BUG=v8:811, v8:4599
LOG=N
R=adamk@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/1508933004

Cr-Commit-Position: refs/heads/master@{#32773}

This patch removes Promise functions and methods which are absent
from the ES2015 specification when the --es-staging flag is on.
The patch is being relanded after being reverted due to an
unrelated bug. This version is slightly different as promise_chain
is installed on the context regardless of the flag value, so that
the Promise::Chain API continues to work until it is deprecated.

BUG=v8:3237
R=rossberg
LOG=Y

Review URL: https://codereview.chromium.org/1513873002

Cr-Commit-Position: refs/heads/master@{#32772}

Native context specialization was missing an SSI renaming.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1520513002

Cr-Commit-Position: refs/heads/master@{#32771}

BUG=chromium:487322
R=adamk
LOG=N

Review URL: https://codereview.chromium.org/1514993002

Cr-Commit-Position: refs/heads/master@{#32770}

There's at least one case of a time zone alias: Asia/Kathmandu aliases
Asia/Katmandu. ICU seems to normalize to the (deprecated) latter choice.
V8 internationalization choked on this change; this patch interprets
ICU's output more precisely and allows it.

BUG=chromium:487322
R=jungshik,adamk
LOG=Y

Review URL: https://codereview.chromium.org/1509273007

Cr-Commit-Position: refs/heads/master@{#32769}

Without this fix, AssignmentExpressions that happen to be arrow functions
would lead to unbalanced Enter/Leave calls on the fni_, causing thrashing
while trying to infer function names. Symptoms include slow parsing
or OOM (when we create too many AstConsStrings).

To try to keep this from happening in the future, added an RAII helper
class to handle Entering/Leaving FNI state.

The included regression test crashes on my workstation without the patch.
Note that it's too slow in debug mode (as well as under TurboFan),
so I've skipped it there.

BUG=v8:4595
LOG=y

Review URL: https://codereview.chromium.org/1507283003

Cr-Commit-Position: refs/heads/master@{#32768}

BUG=

Review URL: https://codereview.chromium.org/1505983008

Cr-Commit-Position: refs/heads/master@{#32767}

An allocation can reenter type feedback code because of a triggered GC. Make
sure the vector state remains coherent at these points.

BUG=568524
LOG=N

Review URL: https://codereview.chromium.org/1517613003

Cr-Commit-Position: refs/heads/master@{#32766}

A.x = B
Change from mark grey A to mark grey B.

BUG=

Review URL: https://codereview.chromium.org/1409813007

Cr-Commit-Position: refs/heads/master@{#32765}

Function subclasses did not have function properties installed (name, prototype, etc.).
Now when an instance of a Function subclass is created it gets initial map that corresponds
to the language mode of the function body. The language mode dependent maps are cached as
special transitions on initial map of the subclass constructor.

BUG=v8:4597, v8:3101, v8:3330
LOG=Y

Review URL: https://codereview.chromium.org/1510753005

Cr-Commit-Position: refs/heads/master@{#32764}

Adds more tests for Delete, InstanceOf, and ToName bytecodes.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1509273005

Cr-Commit-Position: refs/heads/master@{#32763}

Review URL: https://codereview.chromium.org/1510173004

Cr-Commit-Position: refs/heads/master@{#32762}

We either want to add code+literals to the map, or just literals.
A recent change in the structure of the map (it now uses WeakCells)
meant that we have to be more clear about what we want to do the right
thing.

BUG=

Review URL: https://codereview.chromium.org/1516833002

Cr-Commit-Position: refs/heads/master@{#32761}

This is deprecating the ability of TurboFan to access FP-based slots
via LoadField and StoreField nodes. The corresponding constructors for
FieldAccess tuples are being removed.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1512243003

Cr-Commit-Position: refs/heads/master@{#32760}

This will help us to instantiate AccessorPair's getters and setters only when they are needed.

BUG=

Review URL: https://codereview.chromium.org/1510483002

Cr-Commit-Position: refs/heads/master@{#32759}

fly-by fix of Proxy [[Construct]] on mips.

BUG=v8:1543
LOG=N

Review URL: https://codereview.chromium.org/1517463002

Cr-Commit-Position: refs/heads/master@{#32758}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1513223003

Cr-Commit-Position: refs/heads/master@{#32757}

BUG=v8:1543
LOG=n

Review URL: https://codereview.chromium.org/1510913005

Cr-Commit-Position: refs/heads/master@{#32756}

Only JSArrays ever have packed elements; holey elements can be on any kind of object.

BUG=chromium:568525
LOG=n
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1515963002

Cr-Commit-Position: refs/heads/master@{#32755}

Revert of Re-land FastAccessorBuilder. (patchset #2 id:20001 of https://codereview.chromium.org/1504713012/ )

Reason for revert:
Meeh. Now "V8 Linux - gcmole" bot has issues; apparently due to a somewhat exotic builder configuration.

Original issue's description:
> Re-land FastAccessorBuilder.
>
> ... using the RawMachineAssembler and the work in crrev.com/1407313004.
>
> The original change collided with crrev.com/1513543003.
>
> BUG=chromium:508898
> LOG=Y
>
> Committed: https://crrev.com/515d9ccd8e6df7bf2ca01e2a55aaad30226399e1
> Cr-Commit-Position: refs/heads/master@{#32742}
>
> patch from issue 1474543004 at patchset 260001 (http://crrev.com/1474543004#ps260001)
>
> Committed: https://crrev.com/ee5c38d7db907ff86dd4049721c0cb4bc90a6c4d
> Cr-Commit-Position: refs/heads/master@{#32753}

TBR=epertoso@chromium.org,mstarzinger@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:508898

Review URL: https://codereview.chromium.org/1517683002

Cr-Commit-Position: refs/heads/master@{#32754}

... using the RawMachineAssembler and the work in crrev.com/1407313004.

The original change collided with crrev.com/1513543003.

BUG=chromium:508898
LOG=Y

Committed: https://crrev.com/515d9ccd8e6df7bf2ca01e2a55aaad30226399e1
Cr-Commit-Position: refs/heads/master@{#32742}

patch from issue 1474543004 at patchset 260001 (http://crrev.com/1474543004#ps260001)

Review URL: https://codereview.chromium.org/1504713012

Cr-Commit-Position: refs/heads/master@{#32753}

Removes the dummy control and effect edges from the RMA Call nodes. This
requires a change to the node matchers to allow them to cope with nodes
which don't have control or effect matchers.

Review URL: https://codereview.chromium.org/1518673002

Cr-Commit-Position: refs/heads/master@{#32752}

BUG=v8:811
LOG=n

Review URL: https://codereview.chromium.org/1512153002

Cr-Commit-Position: refs/heads/master@{#32751}

When the reviver returns undefined, the property in question must be deleted
even for arrays.  So far this only happened for non-array objects.

Also change the property enumeration to be spec-conformant, which is observable when the reviver modifies its "this" object directly.  There are a few further issues that need to be addressed in a separate CL.

R=yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1506933003

Cr-Commit-Position: refs/heads/master@{#32750}

TEST=
BUG=

Review URL: https://codereview.chromium.org/1508423002

Cr-Commit-Position: refs/heads/master@{#32749}

Review URL: https://codereview.chromium.org/1514063002

Cr-Commit-Position: refs/heads/master@{#32748}

Nowadays, representation inference and simplified lowering can insert the
right truncations based on the use.

Review URL: https://codereview.chromium.org/1512243002

Cr-Commit-Position: refs/heads/master@{#32747}

BUG=

Review URL: https://codereview.chromium.org/1512903002

Cr-Commit-Position: refs/heads/master@{#32746}

R=jochen@chromium.org

Review URL: https://codereview.chromium.org/1506233008

Cr-Commit-Position: refs/heads/master@{#32745}

Revert of Implement Fast Accessor Builder (patchset #14 id:260001 of https://codereview.chromium.org/1474543004/ )

Reason for revert:
Broke the build, apparently.

Original issue's description:
> Implement FastAccessorBuilder.
>
> ... using the RawMachineAssembler and the work in cl/1407313004
>
> BUG=chromium:508898
> LOG=Y
>
> Committed: https://crrev.com/515d9ccd8e6df7bf2ca01e2a55aaad30226399e1
> Cr-Commit-Position: refs/heads/master@{#32742}

TBR=epertoso@chromium.org,bmeurer@chromium.org,jochen@chromium.org,mstarzinger@chromium.org,mvstanton@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:508898

Review URL: https://codereview.chromium.org/1513203002

Cr-Commit-Position: refs/heads/master@{#32744}

Review URL: https://codereview.chromium.org/1511893004

Cr-Commit-Position: refs/heads/master@{#32743}

... using the RawMachineAssembler and the work in cl/1407313004

BUG=chromium:508898
LOG=Y

Review URL: https://codereview.chromium.org/1474543004

Cr-Commit-Position: refs/heads/master@{#32742}

BUG=
TEST=mjsunit/regress/regress-undefined-nan, mjsunit/regress/regress-undefined-nan3, mjsunit/regress/regress-2596

Review URL: https://codereview.chromium.org/1507363002

Cr-Commit-Position: refs/heads/master@{#32741}

NOTRY=true

Review URL: https://codereview.chromium.org/1518663002

Cr-Commit-Position: refs/heads/master@{#32740}

R=ulan@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1510213002

Cr-Commit-Position: refs/heads/master@{#32739}

MachineType is now a class with two enum fields:
- MachineRepresentation
- MachineSemantic

Both enums are usable on their own, and this change switches some places from using MachineType to use just MachineRepresentation. Most notably:
- register allocator now uses just the representation.
- Phi and Select nodes only refer to representations.

Review URL: https://codereview.chromium.org/1513543003

Cr-Commit-Position: refs/heads/master@{#32738}