[turbofan] Fix translation containing arguments elements.

This fixes the de-duplication logic used when writing the deoptimizer
translation of a frame-state containing {kArgumentsElementsState}. The
object counts as a captured object and participates in the numbering of
duplicated objects.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-711166
BUG=chromium:711166

Change-Id: I4a3b892017ab8217197e5f94c1a0975d0cd6979f
Reviewed-on: https://chromium-review.googlesource.com/476631
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44692}

src/compiler/instruction-selector.cc

@@ -513,6 +513,11 @@ size_t InstructionSelector::AddOperandToStateValueDescriptor(
   switch (input->opcode()) {
     case IrOpcode::kArgumentsElementsState: {
       values->PushArgumentsElements(IsRestOf(input->op()));
+      // The elements backing store of an arguments object participates in the
+      // duplicate object counting, but can itself never appear duplicated.
+      DCHECK_EQ(StateObjectDeduplicator::kNotDuplicated,
+                deduplicator->GetObjectId(input));
+      deduplicator->InsertObject(input);
       return 0;
     }
     case IrOpcode::kArgumentsLengthState: {

test/mjsunit/regress/regress-crbug-711166.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+'use strict'
+function g() {
+  var x = 1;
+  try { undefined.x } catch (e) { x = e; }
+  (function() { x });
+  return x;
+}
+function f(a) {
+  var args = arguments;
+  assertInstanceof(g(), TypeError);
+  return args.length;
+}
+assertEquals(1, f(0));
+assertEquals(1, f(0));
+%OptimizeFunctionOnNextCall(f);
+assertEquals(1, f(0));