[turbofan] Fix OSR-ed callee trigged ty do-expressions.

This fixes a missing SSA-renaming of the callee value used in the frame
state of a call node. An OSR-entry within do-expressions contained in
one of the argument expression can trigger that renaming.

R=rossberg@chromium.org
TEST=mjsunit/regress/regress-crbug-546968
BUG=chromium:546968
LOG=n

Review URL: https://codereview.chromium.org/1430483002

Cr-Commit-Position: refs/heads/master@{#31613}

src/compiler/ast-graph-builder.cc

@@ -1657,6 +1657,7 @@ void AstGraphBuilder::VisitNativeFunctionLiteral(NativeFunctionLiteral* expr) {
 void AstGraphBuilder::VisitDoExpression(DoExpression* expr) {
   VisitBlock(expr->block());
   VisitVariableProxy(expr->result());
+  ast_context()->ReplaceValue();
 }
 
 
@@ -2464,7 +2465,7 @@ void AstGraphBuilder::VisitCall(Call* expr) {
   const Operator* call = javascript()->CallFunction(
       args->length() + 2, flags, language_mode(), feedback, receiver_hint);
   Node* value = ProcessArguments(call, args->length() + 2);
-  environment()->Push(callee_value);
+  environment()->Push(value->InputAt(0));  // The callee passed to the call.
   PrepareFrameState(value, expr->ReturnId(), OutputFrameStateCombine::Push());
   environment()->Drop(1);
   ast_context()->ProduceValue(value);

test/mjsunit/regress/regress-crbug-546968.js

+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --harmony-do-expressions
+
+function f() {
+  print(
+    do {
+      for (var i = 0; i < 10; i++) { if (i == 5) %OptimizeOsr(); }
+    }
+  );
+}
+f();