The following situation may happen which reproduces this bug:
(1) We allocate JSObject A on an evacuation candidate.
(2) We allocate JSObject B on a non-evacuation candidate.
(3) Incremental marking starts and marks object A and B.
(4) We create a reference from B.field = A; which records the slot B.field since A is on an evacuation candidate.
(5) After that we write a SMI into B.field.
(6) After that B goes into dictionary mode and shrinks its original size. B.field is now outside of the JSObject, i.e B.field is in memory that will be freed by the sweeper threads.
(7) GC is triggered.
(8) BUG: Slots buffer filtering walks over the slots buffer, SMIs are not filtered out because we assumed that SMIs are just ignored when the slots get updated later. However, recorded SMI slots of dead objects may be overwritten by double values at evacuation time.
(9) During evacuation, a heap number that looks like a valid pointer is moved over B.field.
(10) The slots buffer is scanned for updates, follows B.field since it looks like a pointer (the double value looks like a pointer), and crashes.

BUG=chromium:519577,chromium:454297
LOG=y

Review URL: https://codereview.chromium.org/1286343004

Cr-Commit-Position: refs/heads/master@{#30200}

R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1293113002

Cr-Commit-Position: refs/heads/master@{#30199}

BUG=

Review URL: https://codereview.chromium.org/1209223005

Cr-Commit-Position: refs/heads/master@{#30198}

R=jarin@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1296933002

Cr-Commit-Position: refs/heads/master@{#30197}

Always unlink optimized code on deopt, even when FLAG_always_opt is present, because assumptions that the code made could have become invalid.
BUG=v8:4375
LOG=n
R=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/1284103006

Cr-Commit-Position: refs/heads/master@{#30196}

R=mlippautz@chromium.org

Review URL: https://codereview.chromium.org/1291833003

Cr-Commit-Position: refs/heads/master@{#30195}

This removes the dependency of the MarkingDeque on the underlying
collector by moving out the live bytes accounting and object color
mutations into a wrapper. The MarkingDeque can now be split into a
separate file.

R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1293773002

Cr-Commit-Position: refs/heads/master@{#30194}

Previously, UsePositions for Phis that are constant LiveRanges which are also used
as hints for other USePositions would always force-allocate the first register in
the allocatable register file to that range.

Review URL: https://codereview.chromium.org/1289313003

Cr-Commit-Position: refs/heads/master@{#30193}

Based on caitp's https://codereview.chromium.org/1127063003/

R=adamk@chromium.org, littledan@chromium.org
BUG=v8:2160
LOG=N

Review URL: https://codereview.chromium.org/1287063004

Cr-Commit-Position: refs/heads/master@{#30192}

BUG=

Review URL: https://codereview.chromium.org/1287023002

Cr-Commit-Position: refs/heads/master@{#30191}

The interpreter needs to be initialized after the snapshot has been deserialized.

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1290883004

Cr-Commit-Position: refs/heads/master@{#30190}

R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1295093002

Cr-Commit-Position: refs/heads/master@{#30189}

This is to prevent unnecessary script contexts to be created for
native scripts, which could end up with a script context table
containing twenty script contexts for a newly created native context.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1301533002

Cr-Commit-Position: refs/heads/master@{#30188}

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1299563003

Cr-Commit-Position: refs/heads/master@{#30187}

Add Object::StrictEquals to unify the implementation of strict equality
comparison in the runtime and the api (the api was already missing a
case for SIMD).  Now we (almost) have a single bottleneck for strict
equality, we just need to reduce the amount of unnecessary complexity
for the code stub.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1298603002

Cr-Commit-Position: refs/heads/master@{#30186}

port 19a49abf (r30127).

original commit message:

BUG=

Review URL: https://codereview.chromium.org/1286143009

Cr-Commit-Position: refs/heads/master@{#30185}

Second item in section 13.7.5.1 states that the error should be a
SyntaxError, when previously CheckAndRewriteReferenceExpression
would always emit a ReferenceError.

BUG=v8:4373
R=adamk, rossberg
LOG=N
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_chromium_rel_ng;tryserver.blink:linux_blink_rel

Review URL: https://codereview.chromium.org/1292393002

Cr-Commit-Position: refs/heads/master@{#30184}

Previously, all extras were "experimental" and left out of the snapshot. This
patch moves them to the snapshot, so now all extras are non-experimental. A
future patch will re-introduce experimental extras as part of the linked bug.

R=yangguo@chromium.org
BUG=https://code.google.com/p/chromium/issues/detail?id=507137
LOG=Y

Review URL: https://codereview.chromium.org/1289603002

Cr-Commit-Position: refs/heads/master@{#30183}

BUG=

Review URL: https://codereview.chromium.org/1290963005

Cr-Commit-Position: refs/heads/master@{#30182}

Newly added native context slots are used to avoid accessing
the js builtins object to get native functions.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1294583006

Cr-Commit-Position: refs/heads/master@{#30181}

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1294783002

Cr-Commit-Position: refs/heads/master@{#30180}

Restricts linux perf-event code range reporting to functions only (i.e. on
stubs.) While this makes the gathered ticks less accurate, it reduces the
growth of the /tmp/perf-${pid}.map file.

BUG=v8:3453
R=hablich@chromium.org,danno@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1292743002

Cr-Commit-Position: refs/heads/master@{#30179}

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1293793002

Cr-Commit-Position: refs/heads/master@{#30178}

This avoids discovering and compacting the same array repeatedly. No change in resulting snapshots intended.

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1290393002

Cr-Commit-Position: refs/heads/master@{#30177}

[turbofan] Gracefully handle missing info()->context() in CodeGenerator::IsMaterializableFromFrame()

R=mstarzinger@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1292233004

Cr-Commit-Position: refs/heads/master@{#30176}

Using a temporary container object instead.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1293493003

Cr-Commit-Position: refs/heads/master@{#30175}

- Make the API look like v8::V8::InitializeICU.
  (That is: A static method call, not an object to be created on the stack.)
- Fix path separator on Windows, by calling base::OS::isPathSeparator.
- Move into API, so that it can be called by hello-world & friends.
- Actually call it from hello-world and friends.

R=jochen@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1292053002

Cr-Commit-Position: refs/heads/master@{#30174}

This is no longer necessary. Everything the callee needs should
be in its context chain.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1289203003

Cr-Commit-Position: refs/heads/master@{#30173}

R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1297583002

Cr-Commit-Position: refs/heads/master@{#30172}

This CL is a pure refactoring that makes an empty compilation unit
including just "foo.h" but not "foo-inl.h" compile without warnings or
errors. This is needed to further reduce the header dependency tangle.

This realizes above state for "spaces.h" and "mark-compact.h".

R=hpayer@chromium.org

Review URL: https://codereview.chromium.org/1288413002

Cr-Commit-Position: refs/heads/master@{#30171}

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1292533003

Cr-Commit-Position: refs/heads/master@{#30170}

Rolling v8/build/gyp to 6ee91ad8659871916f9aa840d42e1513befdf638

TBR=machenbach@chromium.org

Review URL: https://codereview.chromium.org/1292633003

Cr-Commit-Position: refs/heads/master@{#30169}

R=rossberg@chromium.org

Review URL: https://codereview.chromium.org/1290193003

Cr-Commit-Position: refs/heads/master@{#30168}

R=adamk@chromium.org
BUG=

Review URL: https://codereview.chromium.org/1286133003

Cr-Commit-Position: refs/heads/master@{#30167}

In doing so, fix calls CheckAndRewriteReferenceExpression to take proper
start and end positions (instead of just pointing at the first token in
the LHS expression).

BUG=v8:4370
LOG=n

Review URL: https://codereview.chromium.org/1290013002

Cr-Commit-Position: refs/heads/master@{#30166}

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1288893003

Cr-Commit-Position: refs/heads/master@{#30165}

Improves on aec8987b by not forcing external GCs
(blink) through the GC epilogue callback.

BUG=chromium:515795
LOG=N

Review URL: https://codereview.chromium.org/1287323002

Cr-Commit-Position: refs/heads/master@{#30164}

BUG=v8:4280
LOG=N

Review URL: https://codereview.chromium.org/1294523002

Cr-Commit-Position: refs/heads/master@{#30163}

R=mlippautz@chromium.org

Review URL: https://codereview.chromium.org/1291043002

Cr-Commit-Position: refs/heads/master@{#30162}

This tries to remove includes of "-inl.h" headers from normal ".h"
headers, thereby reducing the chance of any cyclic dependencies and
decreasing the average size of our compilation units.

Note that this change still leaves 5 violations of that rule in the
code. It only tackles "node.h" including "types-inl.h".

R=titzer@chromium.org

Review URL: https://codereview.chromium.org/1288053004

Cr-Commit-Position: refs/heads/master@{#30161}