Add instrumentation to track down a crasher

src/ic/ic.cc

Index: src/ic/ic.cc
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index e6a34797163b29aa720343c7bea2ccffef0de3a6..9d4540edded2faba77380d9b830230de46272fbe 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2377,6 +2377,17 @@ RUNTIME_FUNCTION(Runtime_LoadIC_Miss) {
     LoadIC ic(IC::NO_EXTRA_FRAME, isolate, &nexus);
     ic.UpdateState(receiver, key);
     ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, ic.Load(receiver, key));
+
+    // Sanity check: The loaded value must be a JS-exposed kind of object,
+    // not something internal (like a Map, or FixedArray). Check this here
+    // to chase after a rare but recurring crash bug.
+    // TODO(jkummerow): Remove this when it has generated a few crash reports.
+    if (!result->IsSmi()) {
+      InstanceType type =
+          Handle<HeapObject>::cast(result)->map()->instance_type();
+      CHECK(type <= LAST_PRIMITIVE_TYPE || type >= FIRST_JS_RECEIVER_TYPE);
+    }
+
   } else {
     DCHECK(vector->GetKind(vector_slot) == Code::KEYED_LOAD_IC);
     KeyedLoadICNexus nexus(vector, vector_slot);
@@ -3118,6 +3129,17 @@ RUNTIME_FUNCTION(Runtime_LoadIC_MissFromStubFailure) {
     LoadIC ic(IC::EXTRA_CALL_FRAME, isolate, &nexus);
     ic.UpdateState(receiver, key);
     ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, ic.Load(receiver, key));
+
+    // Sanity check: The loaded value must be a JS-exposed kind of object,
+    // not something internal (like a Map, or FixedArray). Check this here
+    // to chase after a rare but recurring crash bug.
+    // TODO(jkummerow): Remove this when it has generated a few crash reports.
+    if (!result->IsSmi()) {
+      InstanceType type =
+          Handle<HeapObject>::cast(result)->map()->instance_type();
+      CHECK(type <= LAST_PRIMITIVE_TYPE || type >= FIRST_JS_RECEIVER_TYPE);
+    }
+
   } else {
     DCHECK(vector->GetKind(vector_slot) == Code::KEYED_LOAD_IC);
     KeyedLoadICNexus nexus(vector, vector_slot);