More -fsanitize=vptr fixes.

This actually fixes 3 different issues when accessing Operand1:

   * Object vs. HeapObject

   * Wrong defaults for equals/hash

   * silently dropping const

TEST=test/mjsunit/regress/regress-441099.js
BUG=chromium:441099
LOG=y

Review URL: https://codereview.chromium.org/812563002

Cr-Commit-Position: refs/heads/master@{#25843}

Introduced PropertyType ACCESSOR_FIELD.

Review URL: https://codereview.chromium.org/805453002

Cr-Commit-Position: refs/heads/master@{#25842}

[turbofan] enable stack slot reuse

BUG=

Review URL: https://codereview.chromium.org/793683002

Cr-Commit-Position: refs/heads/master@{#25841}

[turbofan] Cache conversions inserted during typed lowering.

This greatly reduces the number of nodes in the graph (by more than 20x in
some extreme cases) for the Emscripten python interpreter main function.

BUG=v8:3763
LOG=y
TEST=cctest,mjsunit,unittests
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/802353003

Cr-Commit-Position: refs/heads/master@{#25840}

Limit code size generated for very large regexps

R=jkummerow@chromium.org, yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/799403003

Cr-Commit-Position: refs/heads/master@{#25839}

RegExpParser: Fix Reset()ting to the end.

The bug would occur when we try to Reset() to a position already at the end.

This happens e.g., when the regexp ends with \u. What used to happen in that
case: 1) Advance past \ and u (to the end) (which wouldn't increase next_pos_
enough) 2) Try to parse 4 hex digits 3) When that failed, Reset() to the
position which should've been at the end but wasn't.

To be able to properly Reset() to a position at the end, we need to allow
next_pos_ to move beyond the end (since position() is next_pos_ - 1).

Minimal repro case:

var r = /foo\u/
r.test("foou") // should be true, was false.

(Note that \u not followed by 4 hex didits should be interpreted as an identity
escape. It already worked unless \u was at the end of the regexp.)

BUG=v8:3756
LOG=NO

Review URL: https://codereview.chromium.org/802313003

Cr-Commit-Position: refs/heads/master@{#25838}

[turbofan] First version of loop analysis: loop finder on the soup of nodes.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/803993002

Cr-Commit-Position: refs/heads/master@{#25837}

[turbofan] Always align loop headers at 16-byte boundaries.

R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/811713002

Cr-Commit-Position: refs/heads/master@{#25836}

Log V8 version in profiler log file

Patch from issue 800293002 authored by ben@strongloop.com

TBR=yangguo@chromium.org

Review URL: https://codereview.chromium.org/806143002

Cr-Commit-Position: refs/heads/master@{#25835}

[base] Add iterator_range helper class.

TEST=unittests
R=titzer@chromium.org

Review URL: https://codereview.chromium.org/810683003

Cr-Commit-Position: refs/heads/master@{#25834}

X87: [turbofan] Remove the no-context hack for JSToNumber.

port d211608a3eb7ef3da4d04fd4f5a8540dedbd1faa

original commit message:
  [turbofan] Remove the no-context hack for JSToNumber.

  The ToNumberStub is now able to handle all plain primitives (Numbers,
  Booleans, Null, Undefined and Strings) without context access.

BUG=

Review URL: https://codereview.chromium.org/810683002

Cr-Commit-Position: refs/heads/master@{#25833}

[turbofan] Relax effects and context for JSToNumber(x:plain-primitive).

Relanded with fix for always returning Change for PlainPrimitive even
if there was no change. The performance regression on primes.js and
corrections.js is due to unlucky loop header alignment; will be addressed
separately.

TEST=unittests
R=svenpanne@chromium.org

Committed: https://chromium.googlesource.com/v8/v8/+/75484e8d16866eba7aa9c3b87841cd6ce2f466b8

Review URL: https://codereview.chromium.org/799413002

Cr-Commit-Position: refs/heads/master@{#25832}

Revert of [turbofan] Relax effects and context for JSToNumber(x:plain-primitive). (patchset #1 id:1 of https://codereview.chromium.org/799413002/)

Reason for revert:
Performance regressions on primes and corrections benchmarks.

Original issue's description:
> [turbofan] Relax effects and context for JSToNumber(x:plain-primitive).
>
> TEST=unittests
> R=svenpanne@chromium.org
>
> Committed: https://chromium.googlesource.com/v8/v8/+/75484e8d16866eba7aa9c3b87841cd6ce2f466b8

TBR=svenpanne@chromium.org
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/806103002

Cr-Commit-Position: refs/heads/master@{#25831}

Update V8 DEPS.

Rolling v8/tools/clang to 6538d768c1dd43ad3942574cfc5ba90a8e1e0517

TBR=machenbach@chromium.org

Review URL: https://codereview.chromium.org/803183005

Cr-Commit-Position: refs/heads/master@{#25830}

Add infrastructure to keep track of references to prototypes.

There are no users of this infrastructure yet, so it's behind an off-by-default flag.

Review URL: https://codereview.chromium.org/768633002

Cr-Commit-Position: refs/heads/master@{#25829}

Use proper ToLength() operation in %ArrayConcat()

LOG=N
R=dslomov@chromium.org
BUG=

Review URL: https://codereview.chromium.org/799853003

Cr-Commit-Position: refs/heads/master@{#25828}

[GN] Output external snapshot blobs in out directory.

The snapshot and natives blob files should be output in the out directory
instead of the gen directory so that they can be picked up by the
executable.

BUG=421063
LOG=N

Review URL: https://codereview.chromium.org/805813004

Cr-Commit-Position: refs/heads/master@{#25827}

Ship ES6 classes.

R=arv@chromium.org
BUG=v8:3330
LOG=Y

Review URL: https://codereview.chromium.org/808433002

Cr-Commit-Position: refs/heads/master@{#25826}

Revert of ES6 computed property names (patchset #9 id:160001 of https://codereview.chromium.org/795573005/)

Reason for revert:
Crashes on Win32

http://build.chromium.org/p/client.v8/builders/V8%20Win32%20-%201/builds/1357

Test: mjsunit/harmony/computed-property-names
Flags: --stress-opt --always-opt
Command: build\Release\d8.exe --test --random-seed=-233815021 --stress-opt --always-opt --nohard-abort --nodead-code-elimination --nofold-constants --harmony-computed-property-names test\mjsunit\mjsunit.js test\mjsunit\harmony\computed-property-names.js

Run #1
Exit code: -1073741819
Result: CRASH
Expected outcomes: PASS

Run #2
Exit code: -1073741819
Result: CRASH
Expected outcomes: PASS

Run #3
Exit code: -1073741819
Result: CRASH
Expected outcomes: PASS

Original issue's description:
> ES6 computed property names
>
> This adds support for computed property names, under the flag
> --harmony-computed-property-names, for both object literals and
> classes.
>
> BUG=v8:3754
> LOG=Y

TBR=dslomov@chromium.org,wingo@igalia.com
NOTREECHECKS=true
NOTRY=true
BUG=v8:3754

Review URL: https://codereview.chromium.org/809433002

Cr-Commit-Position: refs/heads/master@{#25825}

MIPS: [turbofan] Remove the no-context hack for JSToNumber.

Port d211608a3eb7ef3da4d04fd4f5a8540dedbd1faa

Original commit message:
The ToNumberStub is now able to handle all plain primitives (Numbers,
Booleans, Null, Undefined and Strings) without context access.

TEST=cctest,mjsunit,unittests
BUG=

Review URL: https://codereview.chromium.org/803973002

Cr-Commit-Position: refs/heads/master@{#25824}

Add fast path for array indices to Runtime_HasOwnProperty

Review URL: https://codereview.chromium.org/803833004

Cr-Commit-Position: refs/heads/master@{#25823}

Internalize strings being stored into uninitialized property cells

Review URL: https://codereview.chromium.org/804993002

Cr-Commit-Position: refs/heads/master@{#25822}

ES6 computed property names

This adds support for computed property names, under the flag
--harmony-computed-property-names, for both object literals and
classes.

BUG=v8:3754
LOG=Y

Review URL: https://codereview.chromium.org/795573005

Cr-Commit-Position: refs/heads/master@{#25821}

Take the build level into account for the version hash

build is the third number of the V8 version, and very likely to change
(in contrast to the patch level which typically is zero on canaries).

BUG=chromium:440984
R=mvstanton@chromium.org,yangguo@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/802363002

Cr-Commit-Position: refs/heads/master@{#25820}

Reland Call DisableInlineAllocation() in heap setup when flag inline_new is off.

BUG=

Review URL: https://codereview.chromium.org/806783002

Cr-Commit-Position: refs/heads/master@{#25819}

[turbofan] Relax effects and context for JSToNumber(x:plain-primitive).

TEST=unittests
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/799413002

Cr-Commit-Position: refs/heads/master@{#25818}

Hydrogen: fix keyed loads with string keys

Keyed loads should not unconditionally be compiled to element loads. Update KeyedLoadICs to keep track of the key type, so that Hydrogen can emit ICs for string-keyed loads it doesn't have inline support for.

BUG=v8:3167
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/755513003

Cr-Commit-Position: refs/heads/master@{#25817}

LayoutDescriptorHelper is now able to calculate the length of contiguous regions of tagged/non-tagged fields.
This functionality is now used by both object visitor and store buffer.

TEST=cctest/test-unboxed-doubles

Review URL: https://codereview.chromium.org/726713003

Cr-Commit-Position: refs/heads/master@{#25816}

Revert of Call DisableInlineAllocation() in heap setup when flag inline_new is off. (patchset #1 id:1 of https://codereview.chromium.org/790353006/)

Reason for revert:
Fix Windows nosnap.

Original issue's description:
> Call DisableInlineAllocation() in heap setup when flag inline_new is off.
>
> BUG=

TBR=ulan@chromium.org,mstarzinger@chromium.org
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/794053003

Cr-Commit-Position: refs/heads/master@{#25815}

[turbofan] Remove the no-context hack for JSToNumber.

The ToNumberStub is now able to handle all plain primitives (Numbers,
Booleans, Null, Undefined and Strings) without context access.

TEST=cctest,mjsunit,unittests

Review URL: https://codereview.chromium.org/801333002

Cr-Commit-Position: refs/heads/master@{#25814}

Call DisableInlineAllocation() in heap setup when flag inline_new is off.

BUG=

Review URL: https://codereview.chromium.org/790353006

Cr-Commit-Position: refs/heads/master@{#25813}

[turbofan] Correctify TruncateFloat64ToInt32 reduction in MachineOperatorReducer.

TEST=unittests
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/801263002

Cr-Commit-Position: refs/heads/master@{#25812}

[turbofan] Remove obsolete contains_js_nodes_ field.

R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/806653003

Cr-Commit-Position: refs/heads/master@{#25811}

Use C++11 nullptr in Hydrogen to replace static_cast<HValue*>(NULL)

Review URL: https://codereview.chromium.org/805523002

Cr-Commit-Position: refs/heads/master@{#25810}

Make `RegExp.prototype.flags` getter configurable

TEST=mjsunit/harmony
BUG=v8:3751
LOG=N

Review URL: https://codereview.chromium.org/788053003

Cr-Commit-Position: refs/heads/master@{#25809}

Implement ES6 @@isConcatSpreadable / Array.prototype.concat

Add support for Symbol.isConcatSpreadable in Array.prototype.concat. This enables spreading non-Array objects with the symbol.

LOG=N
R=dslomov@chromium.org
BUG=

Review URL: https://codereview.chromium.org/771483002

Cr-Commit-Position: refs/heads/master@{#25808}

[turbofan]: Fix x64 regression during ia32 lea port

Review URL: https://codereview.chromium.org/795353008

Cr-Commit-Position: refs/heads/master@{#25807}

Stop sending Object.observe notifications for API accessor properties

Such properties never notified prior to r21558, but the combination of
that change and r23163 led to sending notifications when they were
set via Object.defineProperty (but not when set via other means).

This also allows some cleanup in v8natives.js and objects.cc,
both of which were doing unnecessary contortions to produce the right
change records.

BUG=v8:3745
LOG=n

Review URL: https://codereview.chromium.org/791243002

Cr-Commit-Position: refs/heads/master@{#25806}

Fix OS::GetCurrentThreadId to work when building Android on Mac.

The Mac version of GetCurrentThreadId should be used when building the host
build of V8 on Android for Mac.

Review URL: https://codereview.chromium.org/799943003

Cr-Commit-Position: refs/heads/master@{#25805}

Whitespace change to trigger bots.

BUG=

Review URL: https://codereview.chromium.org/804543002

Cr-Commit-Position: refs/heads/master@{#25804}

StoreMode enum values renamed.

FORCE_FIELD -> FORCE_IN_OBJECT,
ALLOW_AS_CONSTANT -> ALLOW_IN_DESCRIPTOR.

Review URL: https://codereview.chromium.org/799723003

Cr-Commit-Position: refs/heads/master@{#25803}

Using PropertyKind in transitions instead of PropertyType.

Review URL: https://codereview.chromium.org/801813002

Cr-Commit-Position: refs/heads/master@{#25802}

Revert of revert r25736 (patchset #2 id:20001 of https://codereview.chromium.org/803493002/)

Reason for revert:
performance bots were unchanged by the original revert

Original issue's description:
> revert r25736
>
> R=bmeurer@chromium.org
>
> BUG=

TBR=bmeurer@chromium.org
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/787183003

Cr-Commit-Position: refs/heads/master@{#25801}

Hydrogen code stubs for vector-based ICs.

This patch finally allows running and passing tests with vector-based
Load and KeyedLoad ICs.

BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/767743002

Cr-Commit-Position: refs/heads/master@{#25800}

Update V8 DEPS.

Rolling v8/buildtools to 4995faa4a7ad968f1fa1917c26edd5cea295582f

Rolling v8/tools/clang to 3569efa494f668b68bd13835ab4f197f6a51b84a

TBR=machenbach@chromium.org

Review URL: https://codereview.chromium.org/801783003

Cr-Commit-Position: refs/heads/master@{#25799}

PropertyType is divided into PropertyKind and PropertyStoreMode.

Review URL: https://codereview.chromium.org/786193004

Cr-Commit-Position: refs/heads/master@{#25798}

Map and Descriptor printing enhanced a bit.

Review URL: https://codereview.chromium.org/801783002

Cr-Commit-Position: refs/heads/master@{#25797}

Fixed an ordering issue found by UBSan_vptr.

We managed to access the scope_ member of CompilationInfo before its
containing object was actually constructed.

Rule of thumb: When constructing an object, never ever pass around
pointers to members which come later in the member initializer list,
you simply can't see locally if this might cause trouble or not.

Review URL: https://codereview.chromium.org/796363002

Cr-Commit-Position: refs/heads/master@{#25796}

revert r25736

R=bmeurer@chromium.org

BUG=

Review URL: https://codereview.chromium.org/803493002

Cr-Commit-Position: refs/heads/master@{#25795}

[turbofan] improve register allocator testing framework

R=bmeurer@chromium.org

BUG=

Review URL: https://codereview.chromium.org/800493002

Cr-Commit-Position: refs/heads/master@{#25794}

[turbofan] Quickfix for invalid number truncation of typed array loads.

TEST=mjsunit/compiler/regress-int32array-outofbounds-nan
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/803483002

Cr-Commit-Position: refs/heads/master@{#25793}

Consistently use only one of virtual/OVERRIDE/FINAL.

FINAL implies OVERRIDE, which in turn implies virtual, so there's no need to use
more than one of these. The Google C++ style guide even requires this, see
http://google-styleguide.googlecode.com/svn/trunk/cppguide.html#Inheritance.

While we're here, port r24662 to x87.

The net result is that v8 compiles again with a current clang.

BUG=v8:3753
LOG=y

Review URL: https://codereview.chromium.org/797943002

Cr-Commit-Position: refs/heads/master@{#25792}

Remove legacy python deps.

BUG=

Review URL: https://codereview.chromium.org/794113004

Cr-Commit-Position: refs/heads/master@{#25791}

[turbofan] Various cleanups.

- Decouple JSBuiltinReducer from JSTypedLowering.
- Unify JSTypedLowering::ReduceJSToXXX() lowering.
- Cleanup several includes and forward declarations.
- Unify helper methods.

TEST=cctest
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/797903003

Cr-Commit-Position: refs/heads/master@{#25790}

Perf tests for Template Literals

Review URL: https://codereview.chromium.org/769113002

Cr-Commit-Position: refs/heads/master@{#25789}

Temporarily remove warning about inconsistent overrides

Otherwise, V8 won't compile with the latest clang anymore

BUG=v8:3753
R=machenbach@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/797583004

Cr-Commit-Position: refs/heads/master@{#25788}

[turbofan] Second round of optimisation for unordered comparisons on arm/arm64.

Avoid explicitly branching to the false label on unordered when the condition
on the true branch will not catch the unordered case and let the code fall
through.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/794203003

Cr-Commit-Position: refs/heads/master@{#25787}

Reland of "Avoid number range holes in bitset types."

This reverts commit 8a6cbf0a8632f39bc5bf740db672aa543e3e0f88.

R=rossberg@chromium.org
BUG=

Review URL: https://codereview.chromium.org/788313002

Cr-Commit-Position: refs/heads/master@{#25786}

Implement Array.from()

A helpful utility which converts iterables and array-like objects into Arrays

https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.from

LOG=Y
BUG=v8:3336
R=arv@chromium.org, rossberg@chromium.org

Review URL: https://codereview.chromium.org/363833006

Cr-Commit-Position: refs/heads/master@{#25785}

Fix builds w/ component=="shared_library" and v8_use_external_startup_data==1.

R=machenbach@chromium.org
BUG=

Review URL: https://codereview.chromium.org/794213002

Cr-Commit-Position: refs/heads/master@{#25784}

Update tests in preparation for shipping classes.

R=arv@chromium.org
BUG=v8:3330
LOG=N

Review URL: https://codereview.chromium.org/788773003

Cr-Commit-Position: refs/heads/master@{#25783}

Add materialized literals for tagged templates in preparser

LOG=N
R=arv@chromium.org, dslomov@chromium.org, marja@chromium.org
BUG=

Review URL: https://codereview.chromium.org/792083002

Cr-Commit-Position: refs/heads/master@{#25782}

move v8_use_external_startup_data to standalone.gypi

This allows the setting to be overridable by embedders,
at the cost of forcing embedders that don't build v8
using standalone.gypi to add this setting to their build
config.

BUG=chromium:421063
LOG=Y

Review URL: https://codereview.chromium.org/794583002

Cr-Commit-Position: refs/heads/master@{#25781}

When reading the map from a live object, use a barrier load

It could happen that we shrink a live object on the main thread (e.g.
MigrateFastToSlow) while we're sweeping the same page. The main
thread first creates a filler object that the release-stores the new
map. Therefore it's important to barrier load the map word of live
objects from the sweeper thread.

BUG=none
R=ulan@chromium.org,hpayer@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/797623002

Cr-Commit-Position: refs/heads/master@{#25780}

Update V8 DEPS.

Rolling v8/buildtools/clang_format/script to 81edd558fea5dd7855d67a1dc61db34ae8c1fd63

Rolling v8/buildtools to 05dd6a24723170d7c6ff35b537ee02947f619891

TBR=machenbach@chromium.org

Review URL: https://codereview.chromium.org/797613002

Cr-Commit-Position: refs/heads/master@{#25779}

Add a missing DebugPromiseEvent in promise.js

DevTools expects 2 events on Promise.resolve()/Promise.reject():
creation & settlement. The first one was missing.

R=ulan@chromium.org, yangguo@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/792383003

Cr-Commit-Position: refs/heads/master@{#25778}

[turbofan] update SpillRange to use ZoneVector

R=bmeurer@chromium.org

BUG=

Review URL: https://codereview.chromium.org/793323002

Cr-Commit-Position: refs/heads/master@{#25777}

Introduce unsigned representation types

To make space in the type bitset, remove Function, RegExp, and Buffer
types for now, since they aren't really relied upon anyway.

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/795993002

Cr-Commit-Position: refs/heads/master@{#25776}

[turbofan] Avoid some redundant checks of unordered comparison on arm/arm64.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/793303002

Cr-Commit-Position: refs/heads/master@{#25775}

Disable generating of code cache if the debugger is loaded

BUG=440880
R=yangguo@chromium.org,dcarney@chromium.org,vogelheim@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/796823002

Cr-Commit-Position: refs/heads/master@{#25774}

[turbofan] Mark arm64 cbz/cbnz tbz/tbnz instructions as branch instructions.

The instruction selector now selects pseudo instructions: CompareAndBranch or
TestAndBranch which are associated with their continuations so that generic
code in the code generator will treat them as branch instruction and will be
able to apply optimization like avoiding branches when the code can falltrhough.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/798553002

Cr-Commit-Position: refs/heads/master@{#25773}

[turbofan] commit allocated registers early

R=bmeurer@chromium.org
BUG=441107
LOG=N

Review URL: https://codereview.chromium.org/795043003

Cr-Commit-Position: refs/heads/master@{#25772}

[turbofan]: Port lea changes to ia32

Review URL: https://codereview.chromium.org/747283005

Cr-Commit-Position: refs/heads/master@{#25771}

remove Isolate::debugger_initialized_

It's never used.

BUG=none
R=dcarney@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/797543002

Cr-Commit-Position: refs/heads/master@{#25770}

Disable invalid DCHECK_EQ in serializer.cc

BUG=none
R=mvstanton@chromium.org,yangguo@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/791363002

Cr-Commit-Position: refs/heads/master@{#25769}

Implement Math.log2 via ported extract from fdlibm.

Adapted from Raymond Toy's (rtoy@chromium.org) port, extracted from fdlibm's pow implementation.

R=rtoy@chromium.org
BUG=v8:3579
LOG=N

Review URL: https://codereview.chromium.org/786823003

Cr-Commit-Position: refs/heads/master@{#25768}

[V8] Report v8::AfterCompile and v8::CompileError to listener on pause

V8 didn't report compile events on pause before this patch. These events can be important for listener. For example, DevTools allows user to execute some JS code on pause and needs to show correct stack trace in message from it.

BUG=396013
R=yurys@chromium.org

Review URL: https://codereview.chromium.org/781623004

Cr-Commit-Position: refs/heads/master@{#25767}

Switch icu repo to icu.git in v8 DEPS.

This ports https://codereview.chromium.org/769413004 to v8
DEPS.

BUG=chromium:438401
LOG=n
TBR=jshin@chromium.org

Review URL: https://codereview.chromium.org/796813002

Cr-Commit-Position: refs/heads/master@{#25766}

[turbofan] Fix typing of typed array loads/stores.

R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/794113002

Cr-Commit-Position: refs/heads/master@{#25765}

Fix crash in V8 during serializing objects requiring alignment.

Review URL: https://codereview.chromium.org/793753002

Cr-Commit-Position: refs/heads/master@{#25764}

Create optimized versions of the Map/Set clear method

This completes the first round of optimizations for Map and Set.
All non-key-dependent methods now have a Hydrogen version, and
for keyed methods, string versions are optimized.

Review URL: https://codereview.chromium.org/796503002

Cr-Commit-Position: refs/heads/master@{#25763}

Implement the `RegExp.prototype.flags` getter

TEST=mjsunit/harmony
BUG=v8:3751
LOG=N

Review URL: https://codereview.chromium.org/770333005

Cr-Commit-Position: refs/heads/master@{#25762}

Ship ES6 block scoping.

R=rossberg@chromium.org
BUG=v8:2198
LOG=Y

Review URL: https://codereview.chromium.org/792543002

Cr-Commit-Position: refs/heads/master@{#25761}

Update strict mode function declaration tests before block scoping.

R=arv@chromium.org,marja@chromium.org
BUG=v8:2198
LOG=N

Review URL: https://codereview.chromium.org/788143004

Cr-Commit-Position: refs/heads/master@{#25760}

Optimize Object.seal and Object.preventExtensions

They both now run fast (due to utilizing transitions instead of always
creating new maps) and sealed or non-extensible objects can stay in
fast mode after transitioning.

This almost entirely reuses the code for transitioning objects
frozen by Object.freeze(), with the added benefit of freeing
up a bit on the map (we no longer keep track of frozen-ness,
as that bit wasn't used for anything interesting).

BUG=v8:3662,chromium:115960
LOG=y

Review URL: https://codereview.chromium.org/776143005

Cr-Commit-Position: refs/heads/master@{#25759}

Create optimized inline versions of Map and Set initialization

Review URL: https://codereview.chromium.org/779173010

Cr-Commit-Position: refs/heads/master@{#25758}

Ensure class prototype objects have the right Map::constructor field

The null constructor they had previously could be observed as crashes in
the V8 API's Object::CreationContext() method and in Object.observe.

BUG=v8:3750
LOG=n
R=arv@chromium.org, dslomov@chromium.org

Review URL: https://codereview.chromium.org/787763005

Cr-Commit-Position: refs/heads/master@{#25757}

Revert of Avoid number range holes in bitset types. (patchset #5 id:80001 of https://codereview.chromium.org/759013003/)

Reason for revert:
For breaking the waterfall (run-json-stringify test).

Original issue's description:
> Avoid number range holes in bitset types.
>
> BUG=

TBR=rossberg@chromium.org
NOTREECHECKS=true
NOTRY=true
BUG=

Review URL: https://codereview.chromium.org/794663002

Cr-Commit-Position: refs/heads/master@{#25756}

Skip slow webkit/array-iterate-backwards in arm64.debug/gc-stress mode.

BUG=
TBR=hpayer@chromium.org

Review URL: https://codereview.chromium.org/795633002

Cr-Commit-Position: refs/heads/master@{#25755}

Avoid number range holes in bitset types.

BUG=

Review URL: https://codereview.chromium.org/759013003

Cr-Commit-Position: refs/heads/master@{#25754}

Make d8 default to standard location for external snapshots.

This makes tests runnable with the external snapshot, and should be the
last step before enabling external snapshot on >=1 bots.

R=yangguo
BUG=

Review URL: https://codereview.chromium.org/780333004

Cr-Commit-Position: refs/heads/master@{#25753}

Fix mirror-script and debug-script tests when using external natives.

R=yangguo
BUG=

Review URL: https://codereview.chromium.org/792733003

Cr-Commit-Position: refs/heads/master@{#25752}

Make loop assignment analysis a separate phase.

R=dcarney@chromium.org

Review URL: https://codereview.chromium.org/770373003

Cr-Commit-Position: refs/heads/master@{#25751}

Reland of "TransitionArray now uses <is_data_property, name, attributes> tuple as a key, which allows to have several entries for the same property name."

Review URL: https://codereview.chromium.org/793453004

Cr-Commit-Position: refs/heads/master@{#25750}

Disallow object/function templates when creating snapshots.

R=vogelheim@chromium.org

Review URL: https://codereview.chromium.org/791033002

Cr-Commit-Position: refs/heads/master@{#25749}

Consistently use "use strict" where possible.

R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/789163002

Cr-Commit-Position: refs/heads/master@{#25748}

Extract non-IO part of mksnapshot into an API method.

R=vogelheim@chromium.org

Review URL: https://codereview.chromium.org/789213002

Cr-Commit-Position: refs/heads/master@{#25747}

MIPS: Fix after 'Reland remaining parts of 'Use weak cells in map checks in polymorphic ICs''.

Fix d2e54925caa8b14988a46a912a8b061bf4c6cbf3

In 'MIPS: Change CmpWeakValue to a more MIPS like GetWeakValue.'
a25003cfa6eac88635c12b51ec6ad74fed0d91a1
we switched to use GetWeakValue.

BUG=

Review URL: https://codereview.chromium.org/782273004

Cr-Commit-Position: refs/heads/master@{#25746}

Use nobarrier load in store buffer duplicate removal to annotate harmless race.

BUG=

Review URL: https://codereview.chromium.org/787383002

Cr-Commit-Position: refs/heads/master@{#25745}

fix gcmole warning after r25737

TBR=jkummerow@chromium.org

BUG=

Review URL: https://codereview.chromium.org/794563002

Cr-Commit-Position: refs/heads/master@{#25744}