Fix crash in CALLBACK KeyedIC stub.

TBR=jkummerow@chromium.org

Review URL: https://chromiumcodereview.appspot.com/9390005

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@10684 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/ic.cc

@@ -1504,6 +1504,14 @@ Handle<Code> KeyedIC::ComputeStub(Handle<JSObject> receiver,
       ? ALLOW_JSARRAY_GROWTH
       : DO_NOT_ALLOW_JSARRAY_GROWTH;
 
+  // Don't handle megamorphic property accesses for INTERCEPTORS or CALLBACKS
+  // via megamorphic stubs, since they don't have a map in their relocation info
+  // and so the stubs can't be harvested for the object needed for a map check.
+  if (target()->type() != NORMAL) {
+    TRACE_GENERIC_IC("KeyedIC", "non-NORMAL target type");
+    return generic_stub;
+  }
+
   bool monomorphic = false;
   MapHandleList target_receiver_maps;
   if (ic_state != UNINITIALIZED && ic_state != PREMONOMORPHIC) {
@@ -1534,14 +1542,6 @@ Handle<Code> KeyedIC::ComputeStub(Handle<JSObject> receiver,
   }
   ASSERT(target() != *generic_stub);
 
-  // Don't handle megamorphic property accesses for INTERCEPTORS or CALLBACKS
-  // via megamorphic stubs, since they don't have a map in their relocation info
-  // and so the stubs can't be harvested for the object needed for a map check.
-  if (target()->type() != NORMAL) {
-    TRACE_GENERIC_IC("KeyedIC", "non-NORMAL target type");
-    return generic_stub;
-  }
-
   // Determine the list of receiver maps that this call site has seen,
   // adding the map that was just encountered.
   Handle<Map> receiver_map(receiver->map());