[turbofan] Avoid dereferencing empty handle when inlining a tail call.

BUG=chromium:593697,v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1781303002

Cr-Commit-Position: refs/heads/master@{#34716}

src/compiler/js-inlining.cc

@@ -265,8 +265,8 @@ Node* JSInliner::CreateArtificialFrameState(Node* node, Node* outer_frame_state,
 
 Node* JSInliner::CreateTailCallerFrameState(Node* node, Node* frame_state) {
   FrameStateInfo const& frame_info = OpParameter<FrameStateInfo>(frame_state);
-  Handle<SharedFunctionInfo> shared =
-      frame_info.shared_info().ToHandleChecked();
+  Handle<SharedFunctionInfo> shared;
+  frame_info.shared_info().ToHandle(&shared);
 
   Node* function = frame_state->InputAt(kFrameStateFunctionInput);
 
@@ -274,8 +274,8 @@ Node* JSInliner::CreateTailCallerFrameState(Node* node, Node* frame_state) {
   // arguments adaptor if it exists.
   frame_state = NodeProperties::GetFrameStateInput(frame_state, 0);
   if (frame_state->opcode() == IrOpcode::kFrameState) {
-    FrameStateInfo state_info = OpParameter<FrameStateInfo>(frame_state);
-    if (state_info.type() == FrameStateType::kArgumentsAdaptor) {
+    FrameStateInfo const& frame_info = OpParameter<FrameStateInfo>(frame_state);
+    if (frame_info.type() == FrameStateType::kArgumentsAdaptor) {
       frame_state = NodeProperties::GetFrameStateInput(frame_state, 0);
     }
   }

test/mjsunit/regress/regress-crbug-593697-2.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --harmony-tailcalls
+
+"use strict";
+
+%SetForceInlineFlag(Math.cos);
+
+var f5 = (function f6(stdlib) {
+  "use asm";
+  var cos = stdlib.Math.cos;
+  function f5() {
+    return cos();
+  }
+  return { f5: f5 };
+})(this, {}).f5();