[crankshaft] Properly deal with null prototype.

Don't assume that the prototype of an object is always a JSObject when
inlining the known receiver map case for abstract relational comparison.

BUG=chromium:679202
R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2621583002
Cr-Commit-Position: refs/heads/master@{#42123}

src/crankshaft/hydrogen.cc

@@ -11352,8 +11352,11 @@ HControlInstruction* HOptimizedGraphBuilder::BuildCompareInstruction(
           // We depend on the prototype chain to stay the same, because we
           // also need to deoptimize when someone installs @@toPrimitive
           // or @@toStringTag somewhere in the prototype chain.
-          BuildCheckPrototypeMaps(handle(JSObject::cast(map->prototype())),
-                                  Handle<JSObject>::null());
+          Handle<Object> prototype(map->prototype(), isolate());
+          if (prototype->IsJSObject()) {
+            BuildCheckPrototypeMaps(Handle<JSObject>::cast(prototype),
+                                    Handle<JSObject>::null());
+          }
           AddCheckMap(left, map);
           AddCheckMap(right, map);
           // The caller expects a branch instruction, so make it happy.

test/mjsunit/regress/regress-crbug-679202.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var x = Object.prototype;
+
+function f() { return x <= x; }
+
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();