The problem manifests itself when parsing manages to return something
meaningful in the presence of a stack overflow. This happens because
calling ParserBase::Next() will still return one valid token on stack
overflow, before starting to return invalid tokens.

Take the following input as example:

        a.map(v => v + 1);
              | |
       already   next token
        parsed   (which will be an invalid token
  (identifier)   because of a stack overflow)

The "v" may have been already parsed into a VariableProxy, then if a
stack overflow occurs, next token will be an invalid token (instead
of Token::ARROW), but the parser will return the VariableProxy.

This always happens when lazy-parsing arrow functions, so the position
in the input stream where the the arrow function code ends is known.
This fix adds a check that ensures that parsing ended at the end
position of the arrow function.

BUG=465671
LOG=N

Review URL: https://codereview.chromium.org/1023483003

Cr-Commit-Position: refs/heads/master@{#27325}

Cannot use Handle<T>::cast in Unique<T>::cast since it will try to do a T::cast (and its typecheck) concurrently, which is unsafe concurrently on moving values

BUG=

Review URL: https://codereview.chromium.org/1022943002

Cr-Commit-Position: refs/heads/master@{#27324}

TBR=verwaest@chromium.org,ulan@chromium.org,ishell@chromium.org
NOTRY=true

Review URL: https://codereview.chromium.org/1027463002

Cr-Commit-Position: refs/heads/master@{#27323}

BUG=chromium:468749
LOG=NO
TEST=Emscripten/NBodyJava

Review URL: https://codereview.chromium.org/1014093005

Cr-Commit-Position: refs/heads/master@{#27322}

Rename kMaxFrameRenderingIdleTime to kMaxActiveIdleTime and adjust it to the currently maximum value of 50ms passed in by the Blink scheduler.

BUG=468692
LOG=n

Review URL: https://codereview.chromium.org/1024543002

Cr-Commit-Position: refs/heads/master@{#27321}

R=dslomov@chromium.org
BUG=v8:3956
LOG=N

Review URL: https://codereview.chromium.org/1019283002

Cr-Commit-Position: refs/heads/master@{#27320}

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1022783002

Cr-Commit-Position: refs/heads/master@{#27319}

With this patch, it'll look like this:

$ out/x64.optdebug/d8 --expose-trigger-failure test/mjsunit/mjsunit.js test/mjsunit/verify-assert-false.js

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&))
 3: 0x727ced
 4: 0x72b6ba
 5: 0x188c7f607f9b

BUG=none
R=svenpanne@chromium.org
LOG=y

Review URL: https://codereview.chromium.org/1018313003

Cr-Commit-Position: refs/heads/master@{#27318}

BUG=468601
LOG=n

Review URL: https://codereview.chromium.org/1016353002

Cr-Commit-Position: refs/heads/master@{#27317}

BUG=v8:3900
LOG=N
R=dslomov@chromium.org

Review URL: https://codereview.chromium.org/913073003

Cr-Commit-Position: refs/heads/master@{#27316}

BUG=

Review URL: https://codereview.chromium.org/998883002

Cr-Commit-Position: refs/heads/master@{#27315}

BUG=

Review URL: https://codereview.chromium.org/1009603003

Cr-Commit-Position: refs/heads/master@{#27314}

Only adds a counter id, does not count anything.

R=jochen@chromium.org
BUG=v8:3942
LOG=N

Review URL: https://codereview.chromium.org/1020883002

Cr-Commit-Position: refs/heads/master@{#27313}

I was mistaken, cons strings only occur a lot for custom heap snapshots,
not for the default start-up snapshot.

R=erik.corry@gmail.com, mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1023673003

Cr-Commit-Position: refs/heads/master@{#27312}

BUG=

Review URL: https://codereview.chromium.org/1020863003

Cr-Commit-Position: refs/heads/master@{#27311}

With this change, we remember the types of frame state inputs (in a new
operator, called TypedStateValues). Instead of inferring the value types
when building translations, we used the recorded types.

The original approach was not reliable because the passes after
simplified lowering can change node types, and this in turn confuses
the translation builder.

BUG=chromium:468727
LOG=n
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1015423002

Cr-Commit-Position: refs/heads/master@{#27310}

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/1025433002

Cr-Commit-Position: refs/heads/master@{#27309}

The CallInterfaceDescriptor already provides information about the
expected representation of parameters, so we can use that instead of
hardcoding tagged representation for all parameters.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1019293002

Cr-Commit-Position: refs/heads/master@{#27308}

In prevous set-up table switch is rarely generated.

TEST=cctest/test-serialize/SerializeInternalReference
BUG=

Review URL: https://codereview.chromium.org/1019463003

Cr-Commit-Position: refs/heads/master@{#27307}

Revert of Cleanup and unify Isolate::ReportPendingMessages. (patchset #4 id:60001 of https://codereview.chromium.org/999923004/)

Reason for revert:
Failing Blink tests on Win and Mac:
- plugins/netscape-plugin-property-access-exception.html
- http/tests/plugins/cross-frame-object-access.html

Original issue's description:
> Cleanup and unify Isolate::ReportPendingMessages.
>
> Note that this is a pure cleanup CL and shouldn't have an observable
> impact on the functional behavior of message reporting.
>
> R=yangguo@chromium.org

TBR=yangguo@chromium.org,machenbach@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Review URL: https://codereview.chromium.org/1016323002

Cr-Commit-Position: refs/heads/master@{#27306}

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1006173003

Cr-Commit-Position: refs/heads/master@{#27305}

R=bmeurer@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1020873002

Cr-Commit-Position: refs/heads/master@{#27304}

Add support for appending extend modes uxtb or uxth to add and subtract
instructions, and using them in the instruction selector.

BUG=

Review URL: https://codereview.chromium.org/1021533002

Cr-Commit-Position: refs/heads/master@{#27303}

This should be 'host_os'; the build_os variable is going away.

R=jochen@chromium.org
BUG=344767
LOG=n

Review URL: https://codereview.chromium.org/1010683003

Cr-Commit-Position: refs/heads/master@{#27302}

TEST=test-assembler-mips64/jump_tables3
BUG=

Review URL: https://codereview.chromium.org/1011383004

Cr-Commit-Position: refs/heads/master@{#27301}

R=titzer@chromium.org
TEST=cctest/test-run-jsexceptions

Review URL: https://codereview.chromium.org/1022463003

Cr-Commit-Position: refs/heads/master@{#27300}

Use a delegating constructor for CompilationInfo, reducing duplicated
code. Simplified handling of InlinedFunctionInfos on the way: When we
start compiling, we have bigger things to worry about than a default
vector.

Reduced the usage of a SharedFunctionInfo for compiling, this is a
slighty strange concept.

Review URL: https://codereview.chromium.org/1018853004

Cr-Commit-Position: refs/heads/master@{#27299}

If the Maybe is nothing or the MaybeLocal is empty, it means that the
API call either threw an exception or an exception was already pending.

In that case, the embedder needs to handle the exception or otherwise
react to the failed API call.

BUG=v8:3929
R=svenpanne@chromium.org
LOG=y

Review URL: https://codereview.chromium.org/1022803002

Cr-Commit-Position: refs/heads/master@{#27298}

The weaken limits are constants, there's no point in having a separate
copy of those constants per typer that is initialized per Typer
instance.

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1008923004

Cr-Commit-Position: refs/heads/master@{#27297}

BUG=

Review URL: https://codereview.chromium.org/1016073002

Cr-Commit-Position: refs/heads/master@{#27296}

This reduces the overhead of typed lowering, because we lower
JSToBoolean/JSUnaryNot directly if possible, instead of first lowering
to AnyToBoolean, and then letting the SimplifiedOperatorReducer do the
further lowering.

Also remove some obsolete tests from the cctest suite that have since
been removed by proper unittests. And improve unitttest coverage for the
typed lowering cases.

R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/999173003

Cr-Commit-Position: refs/heads/master@{#27295}

This test has been failing flakily on gc-stress, only with --turbo-filter=*

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1024483002

Cr-Commit-Position: refs/heads/master@{#27294}

The first 32 root list items can be encoded very efficiently.
By reordering, we can better encode some often referenced root objects.

R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1019243002

Cr-Commit-Position: refs/heads/master@{#27293}

R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1018263002

Cr-Commit-Position: refs/heads/master@{#27292}

TBR=jkummerow@chromium.org
BUG=v8:3969
LOG=N

Review URL: https://codereview.chromium.org/1019223002

Cr-Commit-Position: refs/heads/master@{#27291}

It's value is hardwired in gin[1] and is referenced in Blink[2]. Since it is treated specially by v8 debugger it should be defined in v8 API and referenced in gin and blink..

[1] https://src.chromium.org/viewvc/chrome/trunk/src/gin/public/context_holder.h?r1=239099&r2=239098&pathrev=239099
[2] https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/bindings/core/v8/V8PerContextData.cpp&q=kDebugIdIndex%20f:V8PerContextData&sq=package:chromium&type=cs

BUG=chromium:466631
LOG=Y

Review URL: https://codereview.chromium.org/1020453002

Cr-Commit-Position: refs/heads/master@{#27290}

When the debugger is active, a host of connected functions get an associated
DebugInfo structure, and their code is copied. The debugger uses the original
code to occasionally patch ICs with their initial value. Although IC learning
can occur, it's thrown away often, depending on the constellation of
breakpoints active or deactivating. Finally, feedback is discarded when the
debugger is turned off.

The type feedback vector needs to be brought into line with this behavior, so
now the debugger clears it's IC slots at appropriate bottlenecks in debug.cc.

R=yangguo@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1014373002

Cr-Commit-Position: refs/heads/master@{#27289}

The control input is only relevant for operations that may "write" (to
prevent hoisting) or "throw" (because they are part of the control chain).

R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1015353004

Cr-Commit-Position: refs/heads/master@{#27288}

Updated excludes to remove SKIPs where possible. Either
removing if no longer needed or replacing with SLOW where
tests just need more time to run

	modified:   test/cctest/cctest.status
	modified:   test/mjsunit/mjsunit.status

R=danno@chromium.org, svenpanne@chromium.org

BUG=

Review URL: https://codereview.chromium.org/1017073003

Cr-Commit-Position: refs/heads/master@{#27287}

TBR=ulan@chromium.org
BUG=v8:3969
LOG=N

Review URL: https://codereview.chromium.org/1020843002

Cr-Commit-Position: refs/heads/master@{#27286}