[hydrogen] Add crash-hunting instrumentation to Hydrogen too

This extends instrumentation added in r30683 and r30768 to cover
the possibility that the root cause we're after is in optimized code.

This CL is intended to be reverted in a couple of days, but should
cause no harm while it's in the tree (we would crash anyway).

BUG=chromium:527994
LOG=n

Review URL: https://codereview.chromium.org/1348823003

Cr-Commit-Position: refs/heads/master@{#30819}

src/full-codegen/x64/full-codegen-x64.cc

@@ -2257,7 +2257,7 @@ void FullCodeGenerator::EmitNamedPropertyLoad(Property* prop) {
   // to chase after a rare but recurring crash bug. It seems to always
   // occur for functions beginning with "this.foo.bar()", so be selective
   // and only insert the check for the first LoadIC (identified by slot).
-  // TODO(jkummerow): Remove this when it has generated a few crash reports.
+  // TODO(chromium:527994): Remove this when we have a few crash reports.
   // Don't forget to remove the Push() above as well!
   if (FeedbackVector()->GetIndex(prop->PropertyFeedbackSlot()) == 6) {
     __ Pop(LoadDescriptor::ReceiverRegister());

src/hydrogen.cc

@@ -9620,6 +9620,29 @@ void HOptimizedGraphBuilder::VisitCall(Call* expr) {
     CHECK_ALIVE(VisitForValue(prop->obj()));
     HValue* receiver = Top();
 
+    // Sanity check: The receiver must be a JS-exposed kind of object,
+    // not something internal (like a Map, or FixedArray). Check this here
+    // to chase after a rare but recurring crash bug. It seems to always
+    // occur for functions beginning with "this.foo.bar()", so be selective
+    // and only insert the check for the first call (identified by slot).
+    // TODO(chromium:527994): Remove this when we have a few crash reports.
+    if (prop->key()->IsPropertyName() &&
+        prop->PropertyFeedbackSlot().ToInt() == 2) {
+      IfBuilder if_heapobject(this);
+      if_heapobject.IfNot<HIsSmiAndBranch>(receiver);
+      if_heapobject.Then();
+      {
+        IfBuilder special_map(this);
+        Factory* factory = isolate()->factory();
+        special_map.If<HCompareMap>(receiver, factory->fixed_array_map());
+        special_map.OrIf<HCompareMap>(receiver, factory->meta_map());
+        special_map.Then();
+        Add<HDebugBreak>();
+        special_map.End();
+      }
+      if_heapobject.End();
+    }
+
     SmallMapList* maps;
     ComputeReceiverTypes(expr, receiver, &maps, zone());
 

src/ic/ic.cc

@@ -2381,7 +2381,7 @@ RUNTIME_FUNCTION(Runtime_LoadIC_Miss) {
     // Sanity check: The loaded value must be a JS-exposed kind of object,
     // not something internal (like a Map, or FixedArray). Check this here
     // to chase after a rare but recurring crash bug.
-    // TODO(jkummerow): Remove this when it has generated a few crash reports.
+    // TODO(chromium:527994): Remove this when we have a few crash reports.
     if (!result->IsSmi()) {
       InstanceType type =
           Handle<HeapObject>::cast(result)->map()->instance_type();
@@ -3130,7 +3130,7 @@ RUNTIME_FUNCTION(Runtime_LoadIC_MissFromStubFailure) {
     // Sanity check: The loaded value must be a JS-exposed kind of object,
     // not something internal (like a Map, or FixedArray). Check this here
     // to chase after a rare but recurring crash bug.
-    // TODO(jkummerow): Remove this when it has generated a few crash reports.
+    // TODO(chromium:527994): Remove this when we have a few crash reports.
     if (!result->IsSmi()) {
       InstanceType type =
           Handle<HeapObject>::cast(result)->map()->instance_type();

src/ic/x64/ic-x64.cc

@@ -680,7 +680,7 @@ void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // Sanity check: The receiver must be a JS-exposed kind of object,
   // not something internal (like a Map, or FixedArray). Check this here
   // to chase after a rare but recurring crash bug.
-  // TODO(jkummerow): Remove this when it has generated a few crash reports.
+  // TODO(chromium:527994): Remove this when we have a few crash reports.
 
   Label ok, sound_alarm;
   __ JumpIfSmi(receiver, &ok, Label::kNear);