Ensure the constant operand for heap-object store-named-field is not a smi.

BUG=
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/210193002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20208 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/ia32/lithium-codegen-ia32.cc

@@ -4347,7 +4347,7 @@ void LCodeGen::DoStoreNamedField(LStoreNamedField* instr) {
   if (representation.IsHeapObject()) {
     if (instr->value()->IsConstantOperand()) {
       LConstantOperand* operand_value = LConstantOperand::cast(instr->value());
-      if (IsInteger32(operand_value)) {
+      if (chunk_->LookupConstant(operand_value)->HasSmiValue()) {
         DeoptimizeIf(no_condition, instr->environment());
       }
     } else {

src/x64/lithium-codegen-x64.cc

@@ -3953,7 +3953,7 @@ void LCodeGen::DoStoreNamedField(LStoreNamedField* instr) {
   if (representation.IsHeapObject()) {
     if (instr->value()->IsConstantOperand()) {
       LConstantOperand* operand_value = LConstantOperand::cast(instr->value());
-      if (IsInteger32Constant(operand_value)) {
+      if (chunk_->LookupConstant(operand_value)->HasSmiValue()) {
         DeoptimizeIf(no_condition, instr->environment());
       }
     } else {

test/mjsunit/regress/regress-store-heapobject.js

+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var o = {a: undefined};
+
+function store(o, v) {
+  o.a = v;
+}
+
+store(o, undefined);
+store(o, undefined);
+
+function f(bool) {
+  var o = {a: undefined};
+  if (bool) {
+    store(o, 1);
+  }
+  return o;
+}
+
+f(false);
+f(false);
+%OptimizeFunctionOnNextCall(f);
+f(true);