[interpreter] Merge {OsrPoll} with {Jump} bytecode.

src/runtime/runtime-compiler.cc

Index: src/runtime/runtime-compiler.cc
diff --git a/src/runtime/runtime-compiler.cc b/src/runtime/runtime-compiler.cc
index 1bce3297c1e09d5806544ea30c9950aa96a30059..c9be2008cd9c3bdd6d67220379ef65903b2515b8 100644
--- a/src/runtime/runtime-compiler.cc
+++ b/src/runtime/runtime-compiler.cc
@@ -11,6 +11,7 @@
 #include "src/deoptimizer.h"
 #include "src/frames-inl.h"
 #include "src/full-codegen/full-codegen.h"
+#include "src/interpreter/bytecode-array-iterator.h"
 #include "src/isolate-inl.h"
 #include "src/messages.h"
 #include "src/v8threads.h"
@@ -292,7 +293,20 @@ BailoutId DetermineEntryAndDisarmOSRForInterpreter(JavaScriptFrame* frame) {
   // Reset the OSR loop nesting depth to disarm back edges.
   bytecode->set_osr_loop_nesting_level(0);
 
-  return BailoutId(iframe->GetBytecodeOffset());
+  // Translate the offset of the jump instruction to the jump target offset of
+  // that instruction so that the derived BailoutId points to the loop header.
+  // TODO(mstarzinger): This can be merged with {BytecodeBranchAnalysis} which
+  // already performs a pre-pass over the bytecode stream anyways.
+  int jump_offset = iframe->GetBytecodeOffset();
+  interpreter::BytecodeArrayIterator iterator(bytecode);
+  while (iterator.current_offset() + iterator.current_prefix_offset() <
+         jump_offset) {
+    iterator.Advance();
+  }
+  DCHECK(interpreter::Bytecodes::IsJump(iterator.current_bytecode()));
+  int jump_target_offset = iterator.GetJumpTargetOffset();
+
+  return BailoutId(jump_target_offset);
 }
 
 }  // namespace