This CL adds multiple things:
Transition arrays do not directly point at their descriptor array anymore, but rather do so via an indirect pointer (a JSGlobalPropertyCell).

An ownership bit is added to maps indicating whether it owns its own descriptor array or not.

Maps owning a descriptor array can pass on ownership if a transition from that map is generated; but only if the descriptor array stays exactly the same; or if a descriptor is added.

Maps that don't have ownership get ownership back if their direct child to which ownership was passed is cleared in ClearNonLiveTransitions.

To detect which descriptors in an array are valid, each map knows its own NumberOfOwnDescriptors. Since the descriptors are sorted in order of addition, if we search and find a descriptor with index bigger than this number, it is not valid for the given map.

We currently still build up an enumeration cache (although this may disappear). The enumeration cache is always built for the entire descriptor array, even if not all descriptors are owned by the map. Once a descriptor array has an enumeration cache for a given map; this invariant will always be true, even if the descriptor array was extended. The extended array will inherit the enumeration cache from the smaller descriptor array. If a map with more descriptors needs an enumeration cache, it's EnumLength will still be set to invalid, so it will have to recompute the enumeration cache. This new cache will also be valid for smaller maps since they have their own enumlength; and use this to loop over the cache. If the EnumLength is still invalid, but there is already a cache present that is big enough; we just initialize the EnumLength field for the map.

When we apply ClearNonLiveTransitions and descriptor ownership is passed back to a parent map, the descriptor array is trimmed in-place and resorted. At the same time, the enumeration cache is trimmed in-place.

Only transition arrays contain descriptor arrays. If we transition to a map and pass ownership of the descriptor array along, the child map will not store the descriptor array it owns. Rather its parent will keep the pointer. So for every leaf-map, we find the descriptor array by following the back pointer, reading out the transition array, and fetching the descriptor array from the JSGlobalPropertyCell. If a map has a transition array, we fetch it from there. If a map has undefined as its back-pointer and has no transition array; it is considered to have an empty descriptor array.

When we modify properties, we cannot share the descriptor array. To accommodate this, the child map will get its own transition array; even if there are not necessarily any transitions leaving from the child map. This is necessary since it's the only way to store its own descriptor array.

Review URL: https://chromiumcodereview.appspot.com/10909007

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12492 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=ulan@chromium.org
BUG=148378

Review URL: https://chromiumcodereview.appspot.com/10905239

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12491 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=svenpanne@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10909190

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12490 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

This fixes materialization of arguments objects for strict mode functions during
deoptimization. We materialize arguments from the stack area where optimized
code pushes the arguments when entering the inlined environment. For adapted
invocations we use the arguments adaptor frame for materialization.

R=svenpanne@chromium.org
BUG=v8:2261
TEST=mjsunit/regress/regress-2261,mjsunit/compiler/inline-arguments

Review URL: https://chromiumcodereview.appspot.com/10908194

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12489 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=

Review URL: https://chromiumcodereview.appspot.com/10917211

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12488 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

This was part of r12430 (http://codereview.chromium.org/10857030/) which has been reverted.

R=ulan@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/10913220

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12487 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=148389

Review URL: https://chromiumcodereview.appspot.com/10914222

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12486 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=144649

Review URL: https://chromiumcodereview.appspot.com/10914201

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12485 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=141395
TEST=

Review URL: https://chromiumcodereview.appspot.com/10919214

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12484 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

white objects when compacting.  Add flag for incremental code
compaction.
Review URL: https://chromiumcodereview.appspot.com/10907174

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12483 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10911208

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12480 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=

Review URL: https://chromiumcodereview.appspot.com/10928108

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12479 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=v8:2314

R=yangguo@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10908195

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12478 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Committed: https://code.google.com/p/v8/source/detail?r=12346

Review URL: https://chromiumcodereview.appspot.com/10834376

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12477 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=svenpanne@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/10928083

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12474 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

The deoptimizer searched the stack for activations of the same function to
determine whether to trigger lazy deopting. Since we share optimized code we
actually need to search for activations of the same code (but potentially
different functions).

R=jkummerow@chromium.org
BUG=chromium:147475
TEST=mjsunit/regress/regress-crbug-147475

Review URL: https://chromiumcodereview.appspot.com/10917162

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12473 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=

Review URL: https://chromiumcodereview.appspot.com/10875072

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12472 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=

Review URL: https://chromiumcodereview.appspot.com/10915062

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12471 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

It is necessary to explicitly handle the internal frame lying between the caller
of the getter and the getter itself in the deoptimizer: When the getter is
inlined, leaving the internal frame restores the correct context.

BUG=http://crbug/134609
TEST=mjsunit/regress/regress-crbug-134609

Review URL: https://chromiumcodereview.appspot.com/10910110

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12470 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=mstarzinger@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10908122

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12469 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=yangguo@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10928026

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12464 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10918096

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12463 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=mstarzinger@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/10910091

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12447 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

This implies that the return value of native getters is checked. The nice part
is that one can even see the name of the property in question in the abort
output when the check failed.

Under some circumstances even the return value of interceptors gets checked, but
I'm not 100% sure about this, because the interceptor code is basically tuned to
death.

The change seems to have very low overhead, so it might be feasible to keep this
check enabled unconditionally.

Review URL: https://chromiumcodereview.appspot.com/10918071
Patch from Sven Panne <svenpanne@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12446 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10917088

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12445 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=134609

Review URL: https://chromiumcodereview.appspot.com/10908093

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12444 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10917086

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12443 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10916114

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12442 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=yangguo@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10912092

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12441 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10905093

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12440 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10911063

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12439 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=

Review URL: https://chromiumcodereview.appspot.com/10905075

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12438 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10913062

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12435 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=jkummerow@chromium.org
BUG=chromium:145961
TEST=mjsunit/regress/regress-crbug-145961.js

Review URL: https://chromiumcodereview.appspot.com/10914072

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

TBR=ulan@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/10917065

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12433 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=ulan@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/10907049

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12432 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Review URL: https://chromiumcodereview.appspot.com/10911058

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12431 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

BUG=

Review URL: https://chromiumcodereview.appspot.com/10857030

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12430 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

R=verwaest@chromium.org
BUG=

Review URL: https://chromiumcodereview.appspot.com/10911056

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12429 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

This prevents a corner case in FindSharedFunctionInfoInScript that would cause
functions to be optimized because an intermittent GC would clear the flag
indicating whether breakpoints are present. Above method was also moved into the
Debug class because it is only used by the debugger.

R=verwaest@chromium.org

Review URL: https://chromiumcodereview.appspot.com/10914065

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12428 ce2b1a6d-e550-0410-aec6-3dcde31c8c00