TryPrototypeChainLookup: Bailout for Smi receiver

a7732341 missed a case when receiver is
Smi in TryPrototypeChainLookup.

Bug: chromium:980292, chromium:980226
Change-Id: Ife6be4541d6b280253a7e87cf6f57c96efe8300f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1687283
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62608}

src/codegen/code-stub-assembler.cc

@@ -9857,9 +9857,8 @@ void CodeStubAssembler::TryPrototypeChainLookup(
     const LookupInHolder& lookup_element_in_holder, Label* if_end,
     Label* if_bailout, Label* if_proxy) {
   // Ensure receiver is JSReceiver, otherwise bailout.
-  Label if_objectisnotsmi(this);
-  Branch(TaggedIsSmi(object), if_bailout, &if_objectisnotsmi);
-  BIND(&if_objectisnotsmi);
+  GotoIf(TaggedIsSmi(receiver), if_bailout);
+  CSA_ASSERT(this, TaggedIsNotSmi(object));
 
   Node* map = LoadMap(object);
   Node* instance_type = LoadMapInstanceType(map);

test/mjsunit/regress/regress-crbug-980292.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let v2 = Object;
+const v4 = new Proxy(Object,v2);
+const v6 = (9).__proto__;
+v6.__proto__ = v4;
+function v8(v9,v10,v11) {
+    let v14 = 0;
+    do {
+      const v16 = (0x1337).prototype;
+      v14++;
+    } while (v14 < 24);
+}
+const v7 = [1,2,3,4];
+const v17 = v7.findIndex(v8);