[turbofan] Fix ReduceNamedAccess for detached global proxies

There is no guarantee that Map::GetConstructor() returns a JSFunction. Specifically, detached global proxies return the |null| sentinel. So we have to check the object type before casting to JSFunction. BUG=chromium:694141 Review-Url: https://codereview.chromium.org/2739303003 Cr-Commit-Position: refs/heads/master@{#43727}
2017-03-10 10:33:35 -08:00 · 2017-03-10 10:33:35 -08:00 · e61add91c1
commit e61add91c1
parent 12ffd366fc
1 changed files with 5 additions and 3 deletions
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@ -570,9 +570,11 @@ Reduction JSNativeContextSpecialization::ReduceNamedAccess(
  if (receiver_maps.length() == 1) {
    Handle<Map> receiver_map = receiver_maps.first();
    if (receiver_map->IsJSGlobalProxyMap()) {
-      Context* receiver_context =
-          JSFunction::cast(receiver_map->GetConstructor())->native_context();
-      if (receiver_context == *native_context()) {
+      Object* maybe_constructor = receiver_map->GetConstructor();
+      // Detached global proxies have |null| as their constructor.
+      if (maybe_constructor->IsJSFunction() &&
+          JSFunction::cast(maybe_constructor)->native_context() ==
+              *native_context()) {
        return ReduceGlobalAccess(node, receiver, value, name, access_mode,
                                  index);
      }