diff --git a/src/deoptimizer/deoptimizer.cc b/src/deoptimizer/deoptimizer.cc index 4cc111cd09..a4606970bd 100644 --- a/src/deoptimizer/deoptimizer.cc +++ b/src/deoptimizer/deoptimizer.cc @@ -3991,6 +3991,9 @@ void TranslatedState::StoreMaterializedValuesAndDeopt(JavaScriptFrame* frame) { if (!value.is_identical_to(marker)) { if (previously_materialized_objects->get(i) == *marker) { + if (value->IsSmi()) { + value = isolate()->factory()->NewHeapNumber(value->Number()); + } previously_materialized_objects->set(i, *value); value_changed = true; } else { diff --git a/test/mjsunit/compiler/regress-1092650.js b/test/mjsunit/compiler/regress-1092650.js new file mode 100644 index 0000000000..ba94375aeb --- /dev/null +++ b/test/mjsunit/compiler/regress-1092650.js @@ -0,0 +1,23 @@ +// Copyright 2020 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +// Create map with HeapNumber in field 'a' +({a: 2**30}); + +function foo() { + return foo.arguments[0]; +} + +function main() { + foo({a: 42}); +} + +%PrepareFunctionForOptimization(foo); +%PrepareFunctionForOptimization(main); +main(); +main(); +%OptimizeFunctionOnNextCall(main); +main();