[ic] Fix GenericKeyedLoadIC to correctly handle when receiver is null

When receiver is null or undefined we should not look into key. Calling
ToName on key is observable. This cl fixes the GenericKeyedLoadIC to
miss into runtime when the receiver is null or undefined.

Bug: v8:8394
Change-Id: Iaed07cd1b77b63e550284108777e165141af57a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1605948Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61481}

src/ic/accessor-assembler.cc

@@ -2873,6 +2873,7 @@ void AccessorAssembler::KeyedLoadICGeneric(const LoadICParameters* p) {
 
   Node* receiver = p->receiver;
   GotoIf(TaggedIsSmi(receiver), &if_runtime);
+  GotoIf(IsNullOrUndefined(receiver), &if_runtime);
 
   TryToName(p->name, &if_index, &var_index, &if_unique_name, &var_unique,
             &if_other, &if_notunique);

test/mjsunit/keyed-load-null-receiver.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var count = 0;
+function load(a) {
+  var prop = {
+    toString: function() {
+      count++;
+      return 'z';
+    }
+  };
+
+  a[prop] ^= 1;
+}
+
+function f(null_or_undefined) {
+  // Turn the LoadIC megamorphic
+  load({a0:1, z:2});
+  load({a1:1, z:2});
+  load({a2:1, z:2});
+  load({a3:1, z:2});
+  load({a4:1, z:2});
+  // Now try null to check if generic IC handles this correctly.
+  // It shouldn't call prop.toString.
+  load(null_or_undefined);
+}
+
+try {
+  f(null);
+} catch(error) {
+  assertInstanceof(error, TypeError);
+  assertSame(10, count);
+}
+
+try {
+  count = 0;
+  f(undefined);
+} catch(error) {
+  assertInstanceof(error, TypeError);
+  assertSame(10, count);
+}