CF points to 58ad0bbe15b95640bedd155b7d5323897416e3bc. PTAL.

You need to add materialization code for the regexp instance type in TranslatedState::MaterializeCapturedObjectAt.

Minimal repro:


function force_deopt() {
  try {
    undefined[{}] = /[abc]/gi;
  } catch(e) {}
}

force_deopt(); 
force_deopt(); 
%OptimizeFunctionOnNextCall(force_deopt); 
force_deopt();


The regexp literal is optimized out, and deoptimization needs to know how to reconstruct the object.

 Issue 747826  has been merged into this issue.

How about the repro below? That way you can check in function g that the regexp is usable.



var g = 0;
g = function() {}

function f() {
  var r = /a/;
  g(r);
}

f();
f();
%OptimizeFunctionOnNextCall(f);
g = function(r) { print(r); }
f();

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d8e147752cc925a18cd1dc4bc2c02af1ffe6d781

commit d8e147752cc925a18cd1dc4bc2c02af1ffe6d781
Author: jgruber <jgruber@chromium.org>
Date: Mon Jul 24 10:36:25 2017

[regexp] Teach deoptimizer to materialize JSRegExp objects

Now that literal allocation is inlined, it is possible to optimize out regexp
literal allocation completely. If a lazy deopt is triggered in that situation,
the deoptimizer needs to know how to materialize regexp objects.

Bug:  v8:6605 , v8:6556 , chromium:747825 
Change-Id: Id491053f8e64fec16540efbfdc6c7c524da3e080
Reviewed-on: https://chromium-review.googlesource.com/582609
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46837}
[modify] https://crrev.com/d8e147752cc925a18cd1dc4bc2c02af1ffe6d781/src/deoptimizer.cc
[add] https://crrev.com/d8e147752cc925a18cd1dc4bc2c02af1ffe6d781/test/mjsunit/regress/regress-747825.js

Issue 747821 has been merged into this issue.

Issue 747711 has been merged into this issue.

ClusterFuzz testcase 5617299859177472 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Issue 747813 has been merged into this issue.

Issue 748406 has been merged into this issue.

Your change meets the bar and is auto-approved for M61. Please go ahead and merge the CL to branch 3163 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid @(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Please merge your change to M61 branch #3163 before 4: 00 PM PT, Wednesday (07/26) in order to make it to last M61 dev release. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b45c1c5d589daabfb0f799f52e4c02f7f62cd087

commit b45c1c5d589daabfb0f799f52e4c02f7f62cd087
Author: jgruber <jgruber@chromium.org>
Date: Wed Jul 26 07:02:30 2017

Merged: [regexp] Teach deoptimizer to materialize JSRegExp objects

Revision: d8e147752cc925a18cd1dc4bc2c02af1ffe6d781

BUG= chromium:747825 , v8:6556 , v8:6605 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Change-Id: Ie3e68e53f13f28d3ea321a4ff9143eaec10fd787
Reviewed-on: https://chromium-review.googlesource.com/584841
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.1@{#10}
Cr-Branched-From: 1bf2e10ddb194d4c2871a87a4732613419de892d-refs/heads/6.1.534@{#1}
Cr-Branched-From: e825c4318eb2065ffdf9044aa6a5278635c36427-refs/heads/master@{#46746}
[modify] https://crrev.com/b45c1c5d589daabfb0f799f52e4c02f7f62cd087/src/deoptimizer.cc
[add] https://crrev.com/b45c1c5d589daabfb0f799f52e4c02f7f62cd087/test/mjsunit/regress/regress-747825.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c528903d86f8476941283e0c149abf0321ab542f

commit c528903d86f8476941283e0c149abf0321ab542f
Author: Michael Hablich <hablich@chromium.org>
Date: Wed Jul 26 07:22:19 2017

Revert "Merged: [regexp] Teach deoptimizer to materialize JSRegExp objects"

This reverts commit b45c1c5d589daabfb0f799f52e4c02f7f62cd087.

Reason for revert: <INSERT REASONING HERE>

Original change's description:
> Merged: [regexp] Teach deoptimizer to materialize JSRegExp objects
> 
> Revision: d8e147752cc925a18cd1dc4bc2c02af1ffe6d781
> 
> BUG= chromium:747825 , v8:6556 , v8:6605 
> LOG=N
> NOTRY=true
> NOPRESUBMIT=true
> NOTREECHECKS=true
> TBR=jarin@chromium.org
> 
> Change-Id: Ie3e68e53f13f28d3ea321a4ff9143eaec10fd787
> Reviewed-on: https://chromium-review.googlesource.com/584841
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/branch-heads/6.1@{#10}
> Cr-Branched-From: 1bf2e10ddb194d4c2871a87a4732613419de892d-refs/heads/6.1.534@{#1}
> Cr-Branched-From: e825c4318eb2065ffdf9044aa6a5278635c36427-refs/heads/master@{#46746}

TBR=jarin@chromium.org,jgruber@chromium.org

Change-Id: I32aca2f02b8e1dd1aed282ac4a4b3ec40eace3d7
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  chromium:747825 ,  v8:6556 ,  v8:6605 
Reviewed-on: https://chromium-review.googlesource.com/585530
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.1@{#12}
Cr-Branched-From: 1bf2e10ddb194d4c2871a87a4732613419de892d-refs/heads/6.1.534@{#1}
Cr-Branched-From: e825c4318eb2065ffdf9044aa6a5278635c36427-refs/heads/master@{#46746}
[modify] https://crrev.com/c528903d86f8476941283e0c149abf0321ab542f/src/deoptimizer.cc
[delete] https://crrev.com/eb91f0fd02b0e2b77b83101c21414efb1730556d/test/mjsunit/regress/regress-747825.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d096801cdeed5b5faa1b2491f31fbfa187c568b1

commit d096801cdeed5b5faa1b2491f31fbfa187c568b1
Author: jgruber <jgruber@chromium.org>
Date: Wed Jul 26 07:36:31 2017

Merged: [regexp] Teach deoptimizer to materialize JSRegExp objects

Revision: d8e147752cc925a18cd1dc4bc2c02af1ffe6d781

Partially cherry-picked 2bce4880140cf739c0bf19fbd6e5e2e4df5393f4 for last_index
accessor.

BUG= chromium:747825 , v8:6556 , v8:6605 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Change-Id: I1e8192a24700fe1468ae6c5d75510c01d19112a8
Reviewed-on: https://chromium-review.googlesource.com/584845
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.1@{#14}
Cr-Branched-From: 1bf2e10ddb194d4c2871a87a4732613419de892d-refs/heads/6.1.534@{#1}
Cr-Branched-From: e825c4318eb2065ffdf9044aa6a5278635c36427-refs/heads/master@{#46746}
[modify] https://crrev.com/d096801cdeed5b5faa1b2491f31fbfa187c568b1/src/deoptimizer.cc
[modify] https://crrev.com/d096801cdeed5b5faa1b2491f31fbfa187c568b1/src/objects-inl.h
[modify] https://crrev.com/d096801cdeed5b5faa1b2491f31fbfa187c568b1/src/objects.h
[add] https://crrev.com/d096801cdeed5b5faa1b2491f31fbfa187c568b1/test/mjsunit/regress/regress-747825.js

Issue 747775 has been merged into this issue.