[turbofan] Remove a strong value assumption in the heap broker

Fixed: chromium:1035331
Change-Id: I6ef31910b2e22e4687412c45cc14c98669c6bd3f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1973733Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65502}

src/compiler/js-heap-broker.cc

@@ -3450,10 +3450,13 @@ base::Optional<ObjectRef> MapRef::GetStrongValue(
     InternalIndex descriptor_index) const {
   if (data_->kind() == ObjectDataKind::kUnserializedHeapObject) {
     AllowHandleDereference allow_handle_dereference;
-    return ObjectRef(broker(),
-                     handle(object()->instance_descriptors().GetStrongValue(
-                                descriptor_index),
-                            broker()->isolate()));
+    MaybeObject value =
+        object()->instance_descriptors().GetValue(descriptor_index);
+    HeapObject object;
+    if (value.GetHeapObjectIfStrong(&object)) {
+      return ObjectRef(broker(), handle(object, broker()->isolate()));
+    }
+    return base::nullopt;
   }
   ObjectData* value = data()->AsMap()->GetStrongValue(descriptor_index);
   if (!value) {

test/mjsunit/regress/regress-crbug-1035331.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+const obj = new class C extends async function () {}.constructor {}();
+delete obj.name;
+
+Number.prototype.__proto__ = obj;
+function foo() {
+  return obj.bind();
+}
+
+%PrepareFunctionForOptimization(foo);
+foo();
+obj[undefined] = Map, gc();
+%OptimizeFunctionOnNextCall(foo);
+foo();