[Complier] Only optimize a function marked for tier-up if it is compiled.

When mark-shared-funtion-for-tier-up is enabled, a function could be marked for
optimization, then the baseline (FCG) code is flushed by the GC. The next time
the function is executed, we shouldn't optimize the code if there isn't
baseline code.

BUG=chromium:673242

Review-Url: https://codereview.chromium.org/2575333003
Cr-Commit-Position: refs/heads/master@{#41751}

src/compiler.cc

@@ -897,7 +897,8 @@ MaybeHandle<Code> GetLazyCode(Handle<JSFunction> function) {
     return cached_code;
   }
 
-  if (function->shared()->marked_for_tier_up()) {
+  if (function->shared()->is_compiled() &&
+      function->shared()->marked_for_tier_up()) {
     DCHECK(FLAG_mark_shared_functions_for_tier_up);
 
     function->shared()->set_marked_for_tier_up(false);

test/mjsunit/regress/regress-673242.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --mark-shared-functions-for-tier-up  --allow-natives-syntax --expose-gc
+
+function foo() {
+  function bar() {
+  }
+  return bar;
+}
+
+// Mark bar's shared function info for tier-up
+// (but don't optimize).
+var bar = foo();
+%OptimizeFunctionOnNextCall(bar);
+
+// Avoid flushing foo (and thereby making bar's shared function info
+// dead) by marking it to be optimized.
+%OptimizeFunctionOnNextCall(foo);
+
+// Throw away the JSFunction we have for bar and GC until its code has
+// been flushed.
+bar = null;
+for (var i = 0; i < 6; i++) {
+  gc();
+}
+
+// Now create a new JSFunction from bar's shared function info and call it,
+// we should not optimize without recompiling the baseline code.
+foo()();