Fix bug 1070: set correct holder for primitive checks.

src/ast.cc

Index: src/ast.cc
diff --git a/src/ast.cc b/src/ast.cc
index fa01be016c038714976af27bb8c532ef39576bb5..2e0beae6a4f95eb5532f9276d8747d6bfe897a06 100644
--- a/src/ast.cc
+++ b/src/ast.cc
@@ -570,7 +570,14 @@ static bool CanCallWithoutIC(Handle<JSFunction> target, int arity) {
 
 
 bool Call::ComputeTarget(Handle<Map> type, Handle<String> name) {
-  holder_ = Handle<JSObject>::null();
+  if (check_type_ == RECEIVER_MAP_CHECK) {
+    // For primitive checks the holder is set up to point to the
+    // corresponding prototype object, i.e. one step of the algorithm
+    // below has been already performed.
+    // For non-primitive checks we clear it to allow computing targets
+    // for polymorphic calls.
+    holder_ = Handle<JSObject>::null();
+  }
   while (true) {
     LookupResult lookup;
     type->LookupInDescriptors(NULL, *name, &lookup);
@@ -640,8 +647,9 @@ void Call::RecordTypeFeedback(TypeFeedbackOracle* oracle) {
       map = receiver_types_->at(0);
     } else {
       ASSERT(check_type_ != RECEIVER_MAP_CHECK);
-      map = Handle<Map>(
-          oracle->GetPrototypeForPrimitiveCheck(check_type_)->map());
+      holder_ = Handle<JSObject>(
+          oracle->GetPrototypeForPrimitiveCheck(check_type_));
+      map = Handle<Map>(holder_->map());
     }
     is_monomorphic_ = ComputeTarget(map, name);
   }