[turbofan] Fix a bug in DepenOnStablePrototypeChains

When asked to start at the receiver and the receiver is a primitive, the
dependency should be taken on the primitive map (which is a no-op)
rather than the wrapper object's map.

Bug: chromium:958716
Change-Id: I9c8b2b56436d134b2f79dbe458c0c527fe6d17a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593086
Commit-Queue: Georg Neis <neis@chromium.org>
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61174}

src/compiler/compilation-dependencies.cc

@@ -585,9 +585,9 @@ template <class MapContainer>
 void CompilationDependencies::DependOnStablePrototypeChains(
     MapContainer const& receiver_maps, WhereToStart start,
     base::Optional<JSObjectRef> last_prototype) {
-  // Determine actual holder and perform prototype chain checks.
   for (auto map : receiver_maps) {
     MapRef receiver_map(broker_, map);
+    if (start == kStartAtReceiver) DependOnStableMap(receiver_map);
     if (receiver_map.IsPrimitiveMap()) {
       // Perform the implicit ToObject for primitives here.
       // Implemented according to ES6 section 7.3.2 GetV (V, P).
@@ -595,7 +595,6 @@ void CompilationDependencies::DependOnStablePrototypeChains(
           broker_->native_context().GetConstructorFunction(receiver_map);
       if (constructor.has_value()) receiver_map = constructor->initial_map();
     }
-    if (start == kStartAtReceiver) DependOnStableMap(receiver_map);
     DependOnStablePrototypeChain(this, receiver_map, last_prototype);
   }
 }

test/mjsunit/compiler/regress-958716.js

@@ -0,0 +1,17 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+for (let i = 0; i < 2; i++) {
+  (new String()).valueOf = Symbol;
+}
+
+function foo() {
+  Promise.resolve("");
+}
+
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();