[frames] Also properly deal with TF builtins in OptimizedFrame::GetFunctions().

This was missing from the previous fix.

R=ishell@chromium.org
BUG=chromium:599714
LOG=n

Review URL: https://codereview.chromium.org/1861583002

Cr-Commit-Position: refs/heads/master@{#35249}

src/frames.cc

@@ -1146,8 +1146,9 @@ void OptimizedFrame::GetFunctions(List<JSFunction*>* functions) const {
 
   // Delegate to JS frame in absence of turbofan deoptimization.
   // TODO(turbofan): Revisit once we support deoptimization across the board.
-  if (LookupCode()->is_turbofanned() && function()->shared()->asm_function() &&
-      !FLAG_turbo_asm_deoptimization) {
+  Code* code = LookupCode();
+  if (code->kind() == Code::BUILTIN ||
+      CannotDeoptFromAsmCode(code, function())) {
     return JavaScriptFrame::GetFunctions(functions);
   }
 

test/mjsunit/regress/regress-crbug-599714.js

@@ -0,0 +1,13 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var custom_toString = function() {
+  var boom = custom_toString.caller;
+  return boom;
+}
+
+var object = {};
+object.toString = custom_toString;
+
+try { Object.hasOwnProperty(object); } catch (e) {}