Convert to immutable heap number when materializing arguments object.

BUG=chromium:457935
LOG=n
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/935623002

Cr-Commit-Position: refs/heads/master@{#26704}

src/deoptimizer.cc

@@ -3288,8 +3288,13 @@ SlotRefValueBuilder::SlotRefValueBuilder(JavaScriptFrame* frame,
 
 Handle<Object> SlotRef::GetValue(Isolate* isolate) {
   switch (representation_) {
-    case TAGGED:
-      return Handle<Object>(Memory::Object_at(addr_), isolate);
+    case TAGGED: {
+      Handle<Object> value(Memory::Object_at(addr_), isolate);
+      if (value->IsMutableHeapNumber()) {
+        HeapNumber::cast(*value)->set_map(isolate->heap()->heap_number_map());
+      }
+      return value;
+    }
 
     case INT32: {
 #if V8_TARGET_BIG_ENDIAN && V8_HOST_ARCH_64_BIT
@@ -3390,9 +3395,9 @@ Handle<Object> SlotRefValueBuilder::GetNext(Isolate* isolate, int lvl) {
     case SlotRef::INT32:
     case SlotRef::UINT32:
     case SlotRef::DOUBLE:
-    case SlotRef::LITERAL: {
+    case SlotRef::LITERAL:
       return slot.GetValue(isolate);
-    }
+
     case SlotRef::ARGUMENTS_OBJECT: {
       // We should never need to materialize an arguments object,
       // but we still need to put something into the array

test/mjsunit/regress/regress-457935.js

@@ -0,0 +1,26 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function dummy(x) { };
+
+function g() {
+  return g.arguments;
+}
+
+function f(limit) {
+  var i = 0;
+  var o = {};
+  for (; i < limit; i++) {
+    o.y = +o.y;
+    g();
+  }
+}
+
+f(1);
+f(1);
+%OptimizeFunctionOnNextCall(f);
+dummy(f(1));
+dummy(f(2));