[turbofan] Properly restrict {JSCreate} to constructors.

This makes sure that the lowering of {JSCreate} operator during create
lowering is only applied to operations where both target and new.target
are known to be constructors.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-768080
BUG=chromium:774780,chromium:768080

Change-Id: I55a582a3453bba7e14655b594b7714a3940eeaae
Reviewed-on: https://chromium-review.googlesource.com/725332
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48680}

src/compiler/js-create-lowering.cc

@@ -180,13 +180,14 @@ Reduction JSCreateLowering::ReduceJSCreate(Node* node) {
   Node* const control = NodeProperties::GetControlInput(node);
   // Extract constructor and original constructor function.
   if (target_type->IsHeapConstant() && new_target_type->IsHeapConstant() &&
+      target_type->AsHeapConstant()->Value()->IsJSFunction() &&
       new_target_type->AsHeapConstant()->Value()->IsJSFunction()) {
     Handle<JSFunction> constructor =
         Handle<JSFunction>::cast(target_type->AsHeapConstant()->Value());
+    if (!constructor->IsConstructor()) return NoChange();
     Handle<JSFunction> original_constructor =
         Handle<JSFunction>::cast(new_target_type->AsHeapConstant()->Value());
-    DCHECK(constructor->IsConstructor());
-    DCHECK(original_constructor->IsConstructor());
+    if (!original_constructor->IsConstructor()) return NoChange();
 
     // Check if we can inline the allocation.
     if (IsAllocationInlineable(constructor, original_constructor)) {

test/mjsunit/regress/regress-crbug-768080.js

@@ -12,6 +12,7 @@
   function f() {
     return new g();
   }
+  new C();  // Warm-up!
   assertThrows(f, TypeError);
   assertThrows(f, TypeError);
   %OptimizeFunctionOnNextCall(f);
@@ -29,6 +30,7 @@
   function f() {
     return new g();
   }
+  new C();  // Warm-up!
   assertThrows(f, TypeError);
   assertThrows(f, TypeError);
   %OptimizeFunctionOnNextCall(f);