[TurboFan] Fix null-dereference on code-gen failure.

BUG=chromium:801097

Change-Id: Ie631822a668b55b0f0790b719e7d8cdde78d95c6
Reviewed-on: https://chromium-review.googlesource.com/861882
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50544}

src/compiler/code-generator.cc

@@ -310,7 +310,10 @@ MaybeHandle<HandlerTable> CodeGenerator::GetHandlerTable() const {
 }
 
 Handle<Code> CodeGenerator::FinalizeCode() {
-  if (result_ != kSuccess) return Handle<Code>();
+  if (result_ != kSuccess) {
+    tasm()->AbortedCodeGeneration();
+    return Handle<Code>();
+  }
 
   // Allocate exception handler table.
   Handle<HandlerTable> table = HandlerTable::Empty(isolate());

src/compiler/pipeline.cc

@@ -2205,6 +2205,8 @@ Handle<Code> PipelineImpl::FinalizeCode() {
   Run<FinalizeCodePhase>();
 
   Handle<Code> code = data->code();
+  if (code.is_null()) return code;
+
   if (data->profiler_data()) {
 #if ENABLE_DISASSEMBLER
     std::ostringstream os;

test/mjsunit/compiler/regress-801097.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function GetFunction() {
+  var source = "return ((dividend | 0) / ((";
+  for (var i = 0; i < 0x8000; i++) {
+    source += "a,"
+  }
+  source += "a) | 0)) | 0";
+  return Function("dividend", source);
+}
+
+var func = GetFunction();
+assertThrows("func();");
+%OptimizeFunctionOnNextCall(func);
+assertThrows("func()");