[turbofan] Fix wrong expectation when serializing API calls

Bug: v8:7790, chromium:985660
Change-Id: I4e931a4a23421982f05e16c8ffa2ccc68fb34b63
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1709423
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62862}

src/compiler/js-call-reducer.cc

@@ -3012,8 +3012,7 @@ Reduction JSCallReducer::ReduceCallApiFunction(
                                        << function_template_info);
     return NoChange();
   }
-  CallHandlerInfoRef call_handler_info =
-      function_template_info.call_code()->AsCallHandlerInfo();
+  CallHandlerInfoRef call_handler_info = *function_template_info.call_code();
   Callable call_api_callback = CodeFactory::CallApiCallback(isolate());
   CallInterfaceDescriptor cid = call_api_callback.descriptor();
   auto call_descriptor = Linkage::GetStubCallDescriptor(

src/compiler/js-heap-broker.cc

@@ -217,10 +217,7 @@ void FunctionTemplateInfoData::SerializeCallCode(JSHeapBroker* broker) {
   DCHECK_NULL(call_code_);
   call_code_ = broker->GetOrCreateData(function_template_info->call_code())
                    ->AsCallHandlerInfo();
-
-  if (call_code_->IsCallHandlerInfo()) {
-    call_code_->Serialize(broker);
-  }
+  call_code_->Serialize(broker);
 }
 
 void CallHandlerInfoData::Serialize(JSHeapBroker* broker) {

src/compiler/js-native-context-specialization.cc

@@ -2039,13 +2039,16 @@ Node* JSNativeContextSpecialization::InlineApiCall(
     Node* receiver, Node* holder, Node* frame_state, Node* value, Node** effect,
     Node** control, SharedFunctionInfoRef const& shared_info,
     FunctionTemplateInfoRef const& function_template_info) {
+  if (!function_template_info.has_call_code()) {
+    return nullptr;
+  }
+
   if (!function_template_info.call_code().has_value()) {
     TRACE_BROKER_MISSING(broker(), "call code for function template info "
                                        << function_template_info);
     return nullptr;
   }
-  auto call_handler_info =
-      function_template_info.call_code()->AsCallHandlerInfo();
+  CallHandlerInfoRef call_handler_info = *function_template_info.call_code();
 
   // Only setters have a value.
   int const argc = value == nullptr ? 0 : 1;

src/compiler/serializer-for-background-compilation.cc

@@ -1989,13 +1989,13 @@ SerializerForBackgroundCompilation::ProcessFeedbackMapsForNamedAccess(
         if (sfi->IsApiFunction()) {
           FunctionTemplateInfoRef fti_ref(
               broker(), handle(sfi->get_api_func_data(), broker()->isolate()));
-          fti_ref.SerializeCallCode();
+          if (fti_ref.has_call_code()) fti_ref.SerializeCallCode();
           ProcessReceiverMapForApiCall(fti_ref, map);
         }
       } else {
         FunctionTemplateInfoRef fti_ref(
             broker(), Handle<FunctionTemplateInfo>::cast(info.constant()));
-        fti_ref.SerializeCallCode();
+        if (fti_ref.has_call_code()) fti_ref.SerializeCallCode();
       }
     }
   }

test/mjsunit/regress/regress-crbug-985660.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+try {
+  Object.defineProperty(Number.prototype, "v", {
+    get: constructor
+  });
+} catch (e) {}
+
+function foo(obj) {
+  return obj.v;
+}
+
+%PrepareFunctionForOptimization(foo);
+%OptimizeFunctionOnNextCall(foo);
+foo(3);
+%PrepareFunctionForOptimization(foo);
+%OptimizeFunctionOnNextCall(foo);
+foo(3);
+foo(4);