Check IsReferenceVReg during deopt

Required since the quick GC maps may not agree with the verifier
ones. Without this check we may copy stale object references into
the shadow frame.

(cherry picked from commit f00baf56ef647684888a407dbb6adadd704a2039)

Bug: 20736048
Change-Id: I7783c8a8ee45cf601b08b4c38f1dec7f7d11380c

1 files changed, 4 insertions, 1 deletions

diff --git a/runtime/quick_exception_handler.cc b/runtime/quick_exception_handler.cc
index a80eed6073..9e79bd20cb 100644
--- a/runtime/quick_exception_handler.cc
+++ b/runtime/quick_exception_handler.cc
@@ -223,7 +223,10 @@ class DeoptimizeStackVisitor FINAL : public StackVisitor {
           break;
         case kReferenceVReg: {
           uint32_t value = 0;
-          if (GetVReg(h_method.Get(), reg, kind, &value)) {
+          // Check IsReferenceVReg in case the compiled GC map doesn't agree with the verifier.
+          // We don't want to copy a stale reference into the shadow frame as a reference.
+          // b/20736048
+          if (GetVReg(h_method.Get(), reg, kind, &value) && IsReferenceVReg(h_method.Get(), reg)) {
             new_frame->SetVRegReference(reg, reinterpret_cast<mirror::Object*>(value));
           } else {
             new_frame->SetVReg(reg, kDeadValue);