[turbofan] Fix bogus materialization from frame with OSR.

The context constant cannot be materialized from the frame when we are
compiling for OSR, because the context spill slot contains the current
instead of the outermost context in full-codegen.

R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1220013003

Cr-Commit-Position: refs/heads/master@{#29472}

src/compiler/code-generator.cc

@@ -231,7 +231,7 @@ void CodeGenerator::RecordSafepoint(ReferenceMap* references,
 bool CodeGenerator::IsMaterializableFromFrame(Handle<HeapObject> object,
                                               int* offset_return) {
   if (linkage()->GetIncomingDescriptor()->IsJSFunctionCall()) {
-    if (object.is_identical_to(info()->context())) {
+    if (object.is_identical_to(info()->context()) && !info()->is_osr()) {
       *offset_return = StandardFrameConstants::kContextOffset;
       return true;
     } else if (object.is_identical_to(info()->closure())) {

test/mjsunit/regress/regress-osr-context.js

+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --context-specialization --turbo-filter=f
+
+(function() {
+  "use strict";
+  var a = 23;
+  function f() {
+    for (let i = 0; i < 5; ++i) {
+      a--;  // Make sure {a} is non-immutable, hence context allocated.
+      function g() { return i }  // Make sure block has a context.
+      if (i == 2) %OptimizeOsr();
+    }
+    return a;
+  }
+  assertEquals(18, f());
+})();