[ic] Don't crash if the global object leaks into the ICs

Bug: chromium:714580
Change-Id: I8969fb83c6c29eccb29fc1b4a9a35d7abb0ba0d6
Reviewed-on: https://chromium-review.googlesource.com/496148Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45102}

src/counters.h

@@ -788,6 +788,7 @@ class RuntimeCallTimer final {
   V(LoadIC_LoadConstantFromPrototypeDH)          \
   V(LoadIC_LoadFieldDH)                          \
   V(LoadIC_LoadFieldFromPrototypeDH)             \
+  V(LoadIC_LoadGlobalDH)                         \
   V(LoadIC_LoadGlobalFromPrototypeDH)            \
   V(LoadIC_LoadIntegerIndexedExoticDH)           \
   V(LoadIC_LoadInterceptorDH)                    \

src/ic/ic.cc

@@ -1229,6 +1229,13 @@ Handle<Object> LoadIC::GetMapIndependentHandler(LookupIterator* lookup) {
       if (lookup->is_dictionary_holder()) {
         smi_handler = LoadHandler::LoadNormal(isolate());
         if (receiver_is_holder) {
+          if (holder->IsJSGlobalObject()) {
+            // TODO(verwaest): This is a workaround for code that leaks the
+            // global object.
+            TRACE_HANDLER_STATS(isolate(), LoadIC_LoadGlobalDH);
+            smi_handler = LoadHandler::LoadGlobal(isolate());
+            return LoadFromPrototype(map, holder, lookup->name(), smi_handler);
+          }
           DCHECK(!holder->IsJSGlobalObject());
           TRACE_HANDLER_STATS(isolate(), LoadIC_LoadNormalDH);
           return smi_handler;