- Simplify the variable-length pop sequence on entry. (It now uses
  smaller code with no branches.)
- Use conditional compare to merge branches where appropriate.
- Make use of Ldrsw + UntagSmiFieldMemOperand to load smis more
  efficiently.
- Only load 'undefined' and 'null' once per builtin.
- A few other small improvements.

BUG=

Review URL: https://codereview.chromium.org/1537903004

Cr-Commit-Position: refs/heads/master@{#32975}

Port 5bd48324

Original commit message:
    Introduce a new Apply builtin that forms a correct and optimizable
    foundation for the Function.prototype.apply, Reflect.construct and
    Reflect.apply builtins (which properly does the PrepareForTailCall
    as required by the ES2015 spec).

    The new Apply builtin avoids going to the runtime if it is safe to
    just access the backing store elements of the argArray, i.e. if you
    pass a JSArray with no holes, or an unmapped, unmodified sloppy or
    strict arguments object.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=v8:4413, v8:4430
LOG=n

Review URL: https://codereview.chromium.org/1533073003

Cr-Commit-Position: refs/heads/master@{#32974}

Port aafc3e54

Original commit message:
    The FIRST-LAST_NONCALLABLE_SPEC_OBJECT_TYPE range was accidentially used
    in field type tracking, where we should check for JSReceiver instead
    (there's no need to exclude JSProxy or JSFunction from tracking).

    And the use in %_ClassOf was actually wrong and didn't match the C++
    implementation in JSReceiver::class_name() anymore. Now it's consistent
    again.

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=chromium:535408
LOG=n

Review URL: https://codereview.chromium.org/1537013002

Cr-Commit-Position: refs/heads/master@{#32973}

Port 0794c3c9

Original commit message:
    As required by the spec, the second return value now returns success
    also for the range between 0 and -1 where the conversion results in 0.

R=ahaas@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=

Review URL: https://codereview.chromium.org/1538893002

Cr-Commit-Position: refs/heads/master@{#32972}

Adds support for generating deoptimization translations for interpreter
stack frames, and building interpreter frames for these translations
when a function deopts. Also adds builtins for
InterpreterNotifyDeoptimized which resume the function's continuation at
the correct point in the interpreter after deopt.

MIPS patch contributed by balazs.kilvady@igmtec.com

BUG=v8:4280
LOG=N
TEST=test-deoptimization.cc with --ignition and --turbo

Review URL: https://codereview.chromium.org/1528913003

Cr-Commit-Position: refs/heads/master@{#32971}

This CL prepare newspace evacuation for parallel execution wrt. to actual
allocations. The priority for allocations is:
* Try to allocate from LAB if objects are below kMaxLabObjectSize
* Allocate directly (synchronized) from newspace for larger objects.
* Fall back to old space allocation (which will be backed by a local compaction
  space in future).

Semantical change: Previously we did fall back to regular new space promotion if
we are OOM in old space. With this CL we fall back to new space promotion, which
could fail because of fragmentation, again leading to an old space allocation
that finally bails into OOM.

Newspace evacuation is still single threaded and requires further changes to
allocation site tracking.

BUG=chromium:524425
LOG=N

Review URL: https://codereview.chromium.org/1487853002

Cr-Commit-Position: refs/heads/master@{#32970}

TEST=unittests/InstructionSelectorTest.CombineChangeFloat32ToInt32WithRoundFloat32,
     ChangeFloat64ToInt32OfChangeFloat32ToFloat64, TruncateFloat64ToFloat32OfChangeInt32ToFloat64
BUG=

Review URL: https://codereview.chromium.org/1520503002

Cr-Commit-Position: refs/heads/master@{#32969}

The trunc_l_[s,d] instructions incorrectly returns success when the input is INT64_MAX.

TEST=test-run-machops/RunTryTruncateFloat32ToInt64WithCheck,test-run-machops/RunTryTruncateFloat64ToInt64WithCheck
BUG=

Review URL: https://codereview.chromium.org/1539763003

Cr-Commit-Position: refs/heads/master@{#32968}

BUG=v8:1543,v8:3931
LOG=y

Review URL: https://codereview.chromium.org/1528423002

Cr-Commit-Position: refs/heads/master@{#32967}

Now that we do not support arbitrary step count anymore, we can
make this a lot easier.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1539483002

Cr-Commit-Position: refs/heads/master@{#32966}

Reason for revert:
Revive left-trimming until new strategies are evaluated and decided on.

Partially reverted changes from:
https://codereview.chromium.org/1474203003/

BUG=v8:4606
LOG=N

Original issue's description:
> [heap] delete Heap::LeftTrimFixedAray
>
> No more uses left for this code (thank goodness.)
>
> R=hpayer@chromium.org
> BUG=
>
> Committed: https://crrev.com/dc3442b1ec803916eb6c1882ab4c3ec6fd44dd55
> Cr-Commit-Position: refs/heads/master@{#32305}

TBR=hpayer@chromium.org,ofrobots@google.com

Review URL: https://codereview.chromium.org/1535933002

Cr-Commit-Position: refs/heads/master@{#32965}

Adds FrameState nodes to graphs built by the Bytecode Graph Builder, in
preparation for adding deopt support. Also adds a new
FrameStateType::kInterpretedFunction to allow for specialized deopt
stack translation for interpreted frames. Finally adds support for
disabling typed lowering of binary ops, since the current approach
relies on a FrameState hack which does not apply to interpreted frames

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1514413002

Cr-Commit-Position: refs/heads/master@{#32964}

Updated toolchain.gypi to support v8 using CLANG on MIPS. These changes
include using integrated assembler with CLANG, and disabling options
used by GCC which are not supported by CLANG.

Reland https://codereview.chromium.org/1519493002 with fix to remove
duplicated 'conditions' sections.

TEST=
BUG=

Review URL: https://codereview.chromium.org/1530153003

Cr-Commit-Position: refs/heads/master@{#32963}

Pretty much everywhere except for a few places where we use
iterators.

BUG=

Review URL: https://codereview.chromium.org/1540453002

Cr-Commit-Position: refs/heads/master@{#32962}

Rolling v8/buildtools to fee7f1e849f59c3fd7bb7b2cacf876edca0572f3

Rolling v8/tools/clang to c745f4763a6af65800a40b6da508f3e943d1804e

TBR=machenbach@chromium.org,vogelheim@chromium.org,hablich@chromium.org

Review URL: https://codereview.chromium.org/1540513002

Cr-Commit-Position: refs/heads/master@{#32961}

  port 5bd48324 (r32929)

  original commit message:
  Introduce a new Apply builtin that forms a correct and optimizable foundation for the Function.prototype.apply, Reflect.construct and Reflect.apply builtins
  (which properly does the PrepareForTailCall as required by the ES2015 spec). The new Apply builtin avoids going to the runtime if it is safe to just access
  the backing store elements of the argArray, i.e. if you pass a JSArray with no holes, or an unmapped, unmodified sloppy or strict arguments object.

  mips/mips64 ports by Balazs Kilvady <balazs.kilvady@imgtec.com>;

BUG=

Review URL: https://codereview.chromium.org/1534543003

Cr-Commit-Position: refs/heads/master@{#32960}

This is based on the Skia Implementation.

More on the project can be found here:
https://docs.google.com/a/chromium.org/document/d/1_4LAnInOB8tM_DLjptWiszRwa4qwiSsDzMkO4tU-Qes/edit#heading=h.p97rw6yt8o2j

The V8 Tracing platform will replace the isolate->event_logger().
But since the current embedders (namely chromium) currently use the isolate->event_logger, I made the default implementation (event-tracer) call into isolate->event_logger if an event_logger was set.
Once the embedders properly implement the interface (for example in chromium it would look like this: https://codereview.chromium.org/707273005/), the default implementation will be doing nothing.

Once the embedders side is fixed, we will change how V8 uses the tracing framework beyond the call from Logger:CallEventLogger. (which would also include a d8 implementation)

BUG=v8:4560
LOG=N

Review URL: https://codereview.chromium.org/988893003

Cr-Commit-Position: refs/heads/master@{#32959}

part of a compile time improvement push. We got from 3 minutes down
to ~30 seconds prior to the change here.

This change further reduces the compile time down to 2 seconds, which
is actually slightly better than the pre-splintering total execution time
of about 3 seconds.

The cause of the regression was the repeated traversal of the children
of a live range, seeking for the one covering a safe point. The fix is to
leverage the intrinsic ordering in the chain of live range children, as well
as that of the safe points.

BUG= chromium:567745
LOG=N

Review URL: https://codereview.chromium.org/1529293002

Cr-Commit-Position: refs/heads/master@{#32958}

Revert of Remove wasm compile time option and enable wasm behind a runtime flag. (patchset #54 id:1050001 of https://codereview.chromium.org/1516753007/ )

Reason for revert:
[Sheriff] Some build failures, e.g.:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20shared/builds/7502

Original issue's description:
> Remove wasm compile time option and enable wasm behind a runtime flag.
>
> R=titzer@chromium.org
> BUG=
>
> Committed: https://crrev.com/153f2bd47cce9d5dfa74074dda34c02731d96924
> Cr-Commit-Position: refs/heads/master@{#32955}

TBR=titzer@chromium.org,bradnelson@google.com
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/1531073003

Cr-Commit-Position: refs/heads/master@{#32957}

BUG=chromium:561973
LOG=N

Review URL: https://codereview.chromium.org/1532573003

Cr-Commit-Position: refs/heads/master@{#32956}

R=titzer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1516753007

Cr-Commit-Position: refs/heads/master@{#32955}

Added structural validation to live ranges, esp. for bugs that may
arise due to splintering / merging.

BUG=

Review URL: https://codereview.chromium.org/1533723002

Cr-Commit-Position: refs/heads/master@{#32954}

If the profiler is started via the API and not stopped, V8 will
 intermittently crash during isolate teardown.

The fix is to run the DeleteAllProfiles function in Isolate::Deinit()
 if cpu_profiler_ still exists.

https://groups.google.com/forum/#!topic/v8-dev/WsIlpbaD4mo

TEST= Run in debug mode, if you start a profile and don't stop it,
 this assert should fail:

  Fatal error in ../src/profiler/cpu-profiler.cc, line 414
  Check failed: !is_profiling_.

Review URL: https://codereview.chromium.org/1526253005

Cr-Commit-Position: refs/heads/master@{#32953}

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1536663002

Cr-Commit-Position: refs/heads/master@{#32952}

Add an internal field to each wasm function to keep a reference to the module. (So the GC can do the right thing when you only hold references to wasm functions but not the module).

Use Realloc carefully, to avoid copying from out of bounds.

Make snprintf use platform independent.

Don't disconnect external arraybuffers provided for the heap.

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1531243003

Cr-Commit-Position: refs/heads/master@{#32951}

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1532063002

Cr-Commit-Position: refs/heads/master@{#32950}

Allowing global references to be read through a proxy results in cross-origin information leaks. The ES6 spec currently does not mitigate this in any way. This CL adds a workaround that's easy for V8: throw whenever an unresolved reference would result in a proxy trap to be fired. I'm landing this so we can move forwards with staging proxies without putting users of --harmony at risk.

BUG=chromium:399951
LOG=n

Review URL: https://codereview.chromium.org/1529303003

Cr-Commit-Position: refs/heads/master@{#32949}

Make WasmModule free it's own memory, avoid mixing stack and
heap allocations in tests. This fixes several memory leaks.

Fix several signed compare issues.
Fix several floating point warnings.

Don't setup heap as external, as then the GC can't collect it.

Disable some tests that fail under ASAN.

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1538543002

Cr-Commit-Position: refs/heads/master@{#32948}

BUG=chromium:570651
LOG=n

Review URL: https://codereview.chromium.org/1532083002

Cr-Commit-Position: refs/heads/master@{#32947}

Fixing several signed/unsigned comparison warnings for wasm.
Fixing a use after free involving ostringsteam::str()

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1533593004

Cr-Commit-Position: refs/heads/master@{#32946}

BUG=chromium:497632
LOG=y

Review URL: https://codereview.chromium.org/1531583005

Cr-Commit-Position: refs/heads/master@{#32945}

It must call the 'getOwnPropertyDescriptor' trap, not the 'has' trap.

R=cbruni@chromium.org, jkummerow@chromium.org
BUG=v8:1543
LOG=n

Review URL: https://codereview.chromium.org/1532723005

Cr-Commit-Position: refs/heads/master@{#32944}

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1530403004

Cr-Commit-Position: refs/heads/master@{#32943}

BUG=566253
LOG=n

Review URL: https://codereview.chromium.org/1530143002

Cr-Commit-Position: refs/heads/master@{#32942}

BUG=
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1533813002

Cr-Commit-Position: refs/heads/master@{#32941}

Fixing several memory leaks in wasm unittests.
Avoiding std::vector::data() as it isn't supported on all
compilers on the bots.
Use EXCEPT_TRUE / EXPECT_FALSE to avoid warnings on some compilers when testing boolean equality.

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1536603003

Cr-Commit-Position: refs/heads/master@{#32940}

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1516003002

Cr-Commit-Position: refs/heads/master@{#32939}

In preparation for switching wasm from a compile to
a runtime option, add the runtime flag to all mjsunit tests.

R=ahaas@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1537643002

Cr-Commit-Position: refs/heads/master@{#32938}

  port aafc3e54 (r32926)

  original commit message:
  The FIRST-LAST_NONCALLABLE_SPEC_OBJECT_TYPE range was accidentially used
  in field type tracking, where we should check for JSReceiver instead
  (there's no need to exclude JSProxy or JSFunction from tracking).

  And the use in %_ClassOf was actually wrong and didn't match the C++
  implementation in JSReceiver::class_name() anymore. Now it's consistent
  again.

BUG=

Review URL: https://codereview.chromium.org/1537613002

Cr-Commit-Position: refs/heads/master@{#32937}

As required by the spec, the second return value now returns success
also for the range between 0 and -1 where the conversion results in 0.

R=bradnelson@chromium.org, mstarzinger@chromium.org, v8-arm-ports@googlegroups.com, v8-mips-ports@googlegroups.com

Review URL: https://codereview.chromium.org/1533503002

Cr-Commit-Position: refs/heads/master@{#32936}