From d99e67358208ab22cc9521b285052abe43c2df12 Mon Sep 17 00:00:00 2001
From: "mstarzinger@chromium.org" <mstarzinger@chromium.org>
Date: Fri, 19 Sep 2014 16:35:42 +0000
Subject: [PATCH] Fix JSBuiltinReducer to deal with non-JSFunction callees.

R=titzer@chromium.org
TEST=mozilla

Review URL: https://codereview.chromium.org/589573002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24097 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/compiler/js-builtin-reducer.cc | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/compiler/js-builtin-reducer.cc b/src/compiler/js-builtin-reducer.cc
index 42becb3..17ce578 100644
--- a/src/compiler/js-builtin-reducer.cc
+++ b/src/compiler/js-builtin-reducer.cc
@@ -34,15 +34,18 @@ class JSCallReduction {
   // constant callee being a well-known builtin with a BuiltinFunctionId.
   bool HasBuiltinFunctionId() {
     if (node_->opcode() != IrOpcode::kJSCallFunction) return false;
-    HeapObjectMatcher<JSFunction> m(NodeProperties::GetValueInput(node_, 0));
-    return m.HasValue() && m.Value().handle()->shared()->HasBuiltinFunctionId();
+    HeapObjectMatcher<Object> m(NodeProperties::GetValueInput(node_, 0));
+    if (!m.HasValue() || !m.Value().handle()->IsJSFunction()) return false;
+    Handle<JSFunction> function = Handle<JSFunction>::cast(m.Value().handle());
+    return function->shared()->HasBuiltinFunctionId();
   }
 
   // Retrieves the BuiltinFunctionId as described above.
   BuiltinFunctionId GetBuiltinFunctionId() {
     DCHECK_EQ(IrOpcode::kJSCallFunction, node_->opcode());
-    HeapObjectMatcher<JSFunction> m(NodeProperties::GetValueInput(node_, 0));
-    return m.Value().handle()->shared()->builtin_function_id();
+    HeapObjectMatcher<Object> m(NodeProperties::GetValueInput(node_, 0));
+    Handle<JSFunction> function = Handle<JSFunction>::cast(m.Value().handle());
+    return function->shared()->builtin_function_id();
   }
 
   // Determines whether the call takes one input of the given type.
-- 
2.7.4