[deoptimizer] Fix materialization of sloppy arguments.

This makes sure the deoptimizer can materialize sloppy arguments objects
with the FAST_SLOPPY_ARGUMENTS_ELEMENTS elements kind. TurboFan's escape
analysis treates those as normal JSObject types and hence materializes
them differently than Crankshaft does.

R=verwaest@chromium.org
TEST=mjsunit/regress/regress-crbug-613919
BUG=chromium:613919

Review-Url: https://codereview.chromium.org/2001133002
Cr-Commit-Position: refs/heads/master@{#36440}

src/deoptimizer.cc

@@ -3685,11 +3685,15 @@ Handle<Object> TranslatedState::MaterializeAt(int frame_index,
           return object;
         }
         case JS_OBJECT_TYPE: {
-          Handle<JSObject> object =
-              isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED);
+          Handle<JSObject> object = isolate_->factory()->NewJSObjectFromMap(
+              map->has_sloppy_arguments_elements()
+                  ? isolate()->sloppy_arguments_map()
+                  : map,
+              NOT_TENURED);
           slot->value_ = object;
           Handle<Object> properties = MaterializeAt(frame_index, value_index);
           Handle<Object> elements = MaterializeAt(frame_index, value_index);
+          object->set_map(*map);  // Correct elements kind for sloppy arguments.
           object->set_properties(FixedArray::cast(*properties));
           object->set_elements(FixedArrayBase::cast(*elements));
           for (int i = 0; i < length - 3; ++i) {

test/mjsunit/regress/regress-crbug-613919.js

@@ -0,0 +1,18 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo-escape
+
+function g(a) {
+  if (a) return arguments;
+  %DeoptimizeNow();
+  return 23;
+}
+function f() {
+  return g(false);
+}
+assertEquals(23, f());
+assertEquals(23, f());
+%OptimizeFunctionOnNextCall(f);
+assertEquals(23, f());