[compiler] Don't assume a HeapConstant context input is a Context.

In a generator containing loops, there are always certain control flow
paths that are impossible, due to the way we represent generators at the
bytecode level.  Unfortunately, the graph builder can't tell that these
paths are impossible.  In combination with dead code, it can then happen
that we build a subgraph (for unreachable code) whose incoming context
is the undefined oddball.  JSContextSpecialization did not expect that.

Bug: chromium:794822
Change-Id: I259be5ae6c5f5adc8fca19c64bf71285ee922b7a
Reviewed-on: https://chromium-review.googlesource.com/828954
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50129}

src/compiler/js-context-specialization.cc

@@ -102,8 +102,11 @@ bool IsContextParameter(Node* node) {
 MaybeHandle<Context> GetSpecializationContext(Node* node, size_t* distance,
                                               Maybe<OuterContext> maybe_outer) {
   switch (node->opcode()) {
-    case IrOpcode::kHeapConstant:
-      return Handle<Context>::cast(OpParameter<Handle<HeapObject>>(node));
+    case IrOpcode::kHeapConstant: {
+      Handle<Object> object = OpParameter<Handle<HeapObject>>(node);
+      if (object->IsContext()) return Handle<Context>::cast(object);
+      break;
+    }
     case IrOpcode::kParameter: {
       OuterContext outer;
       if (maybe_outer.To(&outer) && IsContextParameter(node) &&

test/mjsunit/regress/regress-794822.js

@@ -0,0 +1,19 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function* opt(arg = () => arg) {
+  let tmp = opt.x;  // LdaNamedProperty
+  for (;;) {
+    arg;
+    yield;
+    function inner() { tmp }
+    break;
+  }
+}
+
+opt();
+%OptimizeFunctionOnNextCall(opt);
+opt();