[deoptimizer] Add missing HeapNumber allocation

This caused a CHECK failure after my recent CL. Bug: chromium:1084820, chromium:1092650 Change-Id: Icdc2a755c6b30ad01dccc908e0e5e137fedf8918 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2237145 Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#68263}
2020-06-09 15:31:42 +02:00 · 2020-06-09 15:31:42 +02:00 · ebfb8771d1
commit ebfb8771d1
parent 7f69e7f907
2 changed files with 26 additions and 0 deletions
--- a/src/deoptimizer/deoptimizer.cc
+++ b/src/deoptimizer/deoptimizer.cc
@ -3991,6 +3991,9 @@ void TranslatedState::StoreMaterializedValuesAndDeopt(JavaScriptFrame* frame) {

    if (!value.is_identical_to(marker)) {
      if (previously_materialized_objects->get(i) == *marker) {
+        if (value->IsSmi()) {
+          value = isolate()->factory()->NewHeapNumber(value->Number());
+        }
        previously_materialized_objects->set(i, *value);
        value_changed = true;
      } else {
--- a/test/mjsunit/compiler/regress-1092650.js
+++ b/test/mjsunit/compiler/regress-1092650.js
@ -0,0 +1,23 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// Create map with HeapNumber in field 'a'
+({a: 2**30});
+
+function foo() {
+  return foo.arguments[0];
+}
+
+function main() {
+  foo({a: 42});
+}
+
+%PrepareFunctionForOptimization(foo);
+%PrepareFunctionForOptimization(main);
+main();
+main();
+%OptimizeFunctionOnNextCall(main);
+main();