Add crash instrumentation for crbug.com/621147

src/ic/ic.cc

Index: src/ic/ic.cc
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index 162e282d6a347fc03461c48d0376f8a37b7dc589..10d8c9fefa49a1a89639570c95cf4e90186ba912 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2535,6 +2535,29 @@ MaybeHandle<Object> BinaryOpIC::Transition(
     Handle<Object> right) {
   BinaryOpICState state(isolate(), extra_ic_state());
 
+#ifdef V8_TARGET_ARCH_X64
+  // Crash instrumentation for crbug.com/621147.
+  if (left->IsHeapObject()) {
+    Heap* heap = isolate()->heap();
+    uintptr_t left_raw = HeapObject::cast(*left)->map_word().ToRawValue();

[Igor Sheludko, 2016/06/28 07:07:20]

If left is a broken pointer it will already crash in attempt to load a map. We
should compare the lower part of the left value with the hole value.

[Michael Lippautz, 2016/06/28 08:39:33]

Oops, thought that it was the map. Reading the values now.

+    uintptr_t hole_raw = heap->the_hole_map()->map_word().ToRawValue();
+    if ((hole_raw & ((1ul << 32) - 1)) == (left_raw & ((1ul << 32) - 1))) {
+      if (!heap->map_space()->ContainsSlow(
+              HeapObject::cast(*left)->address())) {
+        Code* c = GetCode();
+        Code::Kind kind = c->kind();
+        USE(kind);
+        int instruction_size = c->instruction_size();
+        byte* instructions = static_cast<byte*>(alloca(instruction_size));
+        for (int i = 0; i < instruction_size; i++) {
+          instructions[i] = c->instruction_start()[i];
+        }
+        isolate()->PushStackTraceAndDie(0xBAAAAAAD, pc(), fp(), 0u);
+      }
+    }
+  }
+#endif  // V8_TARGET_ARCH_X64
+
   // Compute the actual result using the builtin for the binary operation.
   Handle<Object> result;
   switch (state.op()) {