Properly handle non-JSFunction constructors in CanRetainOtherContext

BUG=

Review URL: https://codereview.chromium.org/1017263003

Cr-Commit-Position: refs/heads/master@{#27379}

src/type-info.cc

@@ -438,6 +438,9 @@ bool TypeFeedbackOracle::CanRetainOtherContext(Map* map,
   }
   constructor = map->GetConstructor();
   if (constructor->IsNull()) return false;
+  // If the constructor is not null or a JSFunction, we have to conservatively
+  // assume that it may retain a native context.
+  if (!constructor->IsJSFunction()) return true;
   JSFunction* function = JSFunction::cast(constructor);
   return CanRetainOtherContext(function, native_context);
 }

test/mjsunit/regress/regress-filter-contexts.js

@@ -0,0 +1,14 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() { return f.x; }
+f.__proto__ = null;
+f.prototype = "";
+
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();