[maglev] Fix non-materialized receiver & closure

LeszekSwirski · V8 LUCI CQ · commit 6b455eb2c448 · 2024-09-23T12:08:35.000Z
Stack walks expect the receiver and closure to be materialized. Bug: 368311899 Change-Id: I839d9d68ec39a534083bf86261bc854795945fea Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5881775 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Patrick Thier <pthier@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#96228}
diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
@@ -1392,7 +1392,14 @@ DeoptFrame MaglevGraphBuilder::GetDeoptFrameForLazyDeoptHelper(
         current_source_position_, GetParentDeoptFrame());
     ret.frame_state()->ForEachValue(
         *compilation_unit_, [this](ValueNode* node, interpreter::Register reg) {
-          AddDeoptUse(node);
+          // Receiver and closure values have to be materialized, even if
+          // they don't otherwise escape.
+          if (reg == interpreter::Register::receiver() ||
+              reg == interpreter::Register::function_closure()) {
+            node->add_use();
+          } else {
+            AddDeoptUse(node);
+          }
         });
     AddDeoptUse(ret.closure());
     return ret;
