[turbofan] Fix missing name check for keyed global load.

This fixes a missing name check for keyed property loads targeting the
global object where the feedback was warmed up with a single name. This
affects {JSLoadProperty} nodes only, syntactic global property loads via
the {JSLoadGlobal} operator are not affected.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-694416
BUG=chromium:694416

Change-Id: I54aa3f27eaa72630539f02602ec7642b04835b27
Reviewed-on: https://chromium-review.googlesource.com/445224Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43344}

src/compiler/js-native-context-specialization.cc

@@ -290,7 +290,7 @@ FieldAccess ForPropertyCellValue(MachineRepresentation representation,
 
 Reduction JSNativeContextSpecialization::ReduceGlobalAccess(
     Node* node, Node* receiver, Node* value, Handle<Name> name,
-    AccessMode access_mode) {
+    AccessMode access_mode, Node* index) {
   Node* effect = NodeProperties::GetEffectInput(node);
   Node* control = NodeProperties::GetControlInput(node);
 
@@ -323,6 +323,13 @@ Reduction JSNativeContextSpecialization::ReduceGlobalAccess(
     }
   }
 
+  // Ensure that {index} matches the specified {name} (if {index} is given).
+  if (index != nullptr) {
+    Node* check = graph()->NewNode(simplified()->ReferenceEqual(), index,
+                                   jsgraph()->HeapConstant(name));
+    effect = graph()->NewNode(simplified()->CheckIf(), check, effect, control);
+  }
+
   // Check if we have a {receiver} to validate. If so, we need to check that
   // the {receiver} is actually the JSGlobalProxy for the native context that
   // we are specializing to.
@@ -540,7 +547,8 @@ Reduction JSNativeContextSpecialization::ReduceNamedAccess(
       Context* receiver_context =
           JSFunction::cast(receiver_map->GetConstructor())->native_context();
       if (receiver_context == *native_context()) {
-        return ReduceGlobalAccess(node, receiver, value, name, access_mode);
+        return ReduceGlobalAccess(node, receiver, value, name, access_mode,
+                                  index);
       }
     }
   }

src/compiler/js-native-context-specialization.h

@@ -88,7 +88,8 @@ class JSNativeContextSpecialization final : public AdvancedReducer {
                               Handle<FeedbackVector> vector, FeedbackSlot slot,
                               Node* index = nullptr);
   Reduction ReduceGlobalAccess(Node* node, Node* receiver, Node* value,
-                               Handle<Name> name, AccessMode access_mode);
+                               Handle<Name> name, AccessMode access_mode,
+                               Node* index = nullptr);
 
   Reduction ReduceSoftDeoptimize(Node* node, DeoptimizeReason reason);
 

test/mjsunit/regress/regress-crbug-694416.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo
+
+var good = 23;
+var boom = 42;
+
+function foo(name) {
+  return this[name];
+}
+
+assertEquals(23, foo('good'));
+assertEquals(23, foo('good'));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(42, foo('boom'));