Fix HCheckValue::Canonicalize wrt uninitialized HConstant unique.

R=titzer@chromium.org
BUG=348280
LOG=N

Review URL: https://codereview.chromium.org/183383006

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19642 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/hydrogen-instructions.cc

@@ -1539,7 +1539,7 @@ bool HCheckMaps::HandleSideEffectDominator(GVNFlag side_effect,
     HStoreNamedField* store = HStoreNamedField::cast(dominator);
     if (!store->has_transition() || store->object() != value()) return false;
     HConstant* transition = HConstant::cast(store->transition());
-    if (map_set_.Contains(transition->GetUnique())) {
+    if (map_set_.Contains(Unique<Map>::cast(transition->GetUnique()))) {
       DeleteAndReplaceWith(NULL);
       return true;
     }
@@ -1567,9 +1567,7 @@ void HCheckValue::PrintDataTo(StringStream* stream) {
 
 HValue* HCheckValue::Canonicalize() {
   return (value()->IsConstant() &&
-          HConstant::cast(value())->GetUnique() == object_)
-      ? NULL
-      : this;
+          HConstant::cast(value())->EqualsUnique(object_)) ? NULL : this;
 }
 
 

src/hydrogen-instructions.h

@@ -3541,6 +3541,10 @@ class HConstant V8_FINAL : public HTemplateInstruction<0> {
     return object_;
   }
 
+  bool EqualsUnique(Unique<Object> other) const {
+    return object_.IsInitialized() && object_ == other;
+  }
+
 #ifdef DEBUG
   virtual void Verify() V8_OVERRIDE { }
 #endif

test/mjsunit/regress/regress-348280.js

@@ -0,0 +1,16 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function baz(f) { f(); }
+function goo() {}
+baz(goo);
+baz(goo);
+
+function bar(p) { if (p == 0) baz(1); }
+bar(1);
+bar(1);
+%OptimizeFunctionOnNextCall(bar);
+bar(1);