[crankshaft] Fix crash when case labels inline endless loops

The fix is to bail out of compilation in that case.

BUG=chromium:551287
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1483373002

Cr-Commit-Position: refs/heads/master@{#32454}

src/bailout-reason.h

@@ -250,6 +250,7 @@ namespace internal {
   V(kUnsupportedPhiUseOfConstVariable,                                         \
     "Unsupported phi use of const variable")                                   \
   V(kUnexpectedReturnFromThrow, "Unexpectedly returned from a throw")          \
+  V(kUnsupportedSwitchStatement, "Unsupported switch statement")               \
   V(kUnsupportedTaggedImmediate, "Unsupported tagged immediate")               \
   V(kVariableResolvedToWithContext, "Variable resolved to with context")       \
   V(kWeShouldNotHaveAnEmptyLexicalContext,                                     \

src/crankshaft/hydrogen.cc

@@ -5044,7 +5044,8 @@ void HOptimizedGraphBuilder::VisitSwitchStatement(SwitchStatement* stmt) {
     }
 
     // Generate a compare and branch.
-    CHECK_ALIVE(VisitForValue(clause->label()));
+    CHECK_BAILOUT(VisitForValue(clause->label()));
+    if (current_block() == NULL) return Bailout(kUnsupportedSwitchStatement);
     HValue* label_value = Pop();
 
     Type* label_type = clause->label()->bounds().lower;

test/mjsunit/regress/regress-crbug-551287.js

+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() { do { } while (true); }
+
+function boom(x) {
+  switch(x) {
+    case 1:
+    case f(): return;
+  }
+}
+
+%OptimizeFunctionOnNextCall(boom)
+boom(1);