[deoptimizer] Do not pass arguments markers to the debugger.

This fixes a bug introduced by r28826 (Unify decoding of deoptimization
translations, https://codereview.chromium.org/1136223004), where we
started leaking arguments marker sentinel to the debugger, which would
then cause crashes. This change replaces the sentinel with the undefined
value in the debugger-inspectable frame.

BUG=chromium:514362
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1263333002

Cr-Commit-Position: refs/heads/master@{#29971}

diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index 599962a..d29cb60 100644 (file)
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -2266,7 +2266,12 @@ DeoptimizedFrameInfo::DeoptimizedFrameInfo(Deoptimizer* deoptimizer,
   source_position_ = code->SourcePosition(pc);
 
   for (int i = 0; i < expression_count_; i++) {
-    SetExpression(i, output_frame->GetExpression(i));
+    Object* value = output_frame->GetExpression(i);
+    // Replace materialization markers with the undefined value.
+    if (value == deoptimizer->isolate()->heap()->arguments_marker()) {
+      value = deoptimizer->isolate()->heap()->undefined_value();
+    }
+    SetExpression(i, value);
   }
 
   if (has_arguments_adaptor) {
@@ -2277,7 +2282,12 @@ DeoptimizedFrameInfo::DeoptimizedFrameInfo(Deoptimizer* deoptimizer,
   parameters_count_ = output_frame->ComputeParametersCount();
   parameters_ = new Object* [parameters_count_];
   for (int i = 0; i < parameters_count_; i++) {
-    SetParameter(i, output_frame->GetParameter(i));
+    Object* value = output_frame->GetParameter(i);
+    // Replace materialization markers with the undefined value.
+    if (value == deoptimizer->isolate()->heap()->arguments_marker()) {
+      value = deoptimizer->isolate()->heap()->undefined_value();
+    }
+    SetParameter(i, value);
   }
 }
 

diff --git a/test/mjsunit/debug-materialized.js b/test/mjsunit/debug-materialized.js
new file mode 100644 (file)
index 0000000..0b01b78
--- /dev/null
+++ b/test/mjsunit/debug-materialized.js
@@ -0,0 +1,41 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-debug-as debug
+
+function dbg(x) {
+  debugger;
+}
+
+function foo() {
+  arguments[0];
+  dbg();
+}
+
+function bar() {
+  var t = { a : 1 };
+  dbg();
+  return t.a;
+}
+
+foo(1);
+foo(1);
+bar(1);
+bar(1);
+%OptimizeFunctionOnNextCall(foo);
+%OptimizeFunctionOnNextCall(bar);
+
+var Debug = debug.Debug;
+Debug.setListener(function(event, exec_state, event_data, data) {
+  if (event != Debug.DebugEvent.Break) return;
+  for (var i = 0; i < exec_state.frameCount(); i++) {
+    var f = exec_state.frame(i);
+    for (var j = 0; j < f.localCount(); j++) {
+      print("'" + f.localName(j) + "' = " + f.localValue(j).value());
+    }
+  }
+});
+
+foo(1);
+bar(1);