[turbofan] Use correct map for special JSObject accessors.

src/compiler/js-native-context-specialization.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-native-context-specialization.h"
 
 #include "src/accessors.h"
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
 #include "src/compiler/js-graph.h"
@@ skipping 295 matching lines @@
          // TODO(verwaest): Whitelist contexts to which we have access.
          !map->is_access_check_needed();
 }
 
 }  // namespace
 
 
 bool JSNativeContextSpecialization::ComputePropertyAccessInfo(
     Handle<Map> map, Handle<Name> name, PropertyAccessInfo* access_info) {
   MaybeHandle<JSObject> holder;
-  Handle<Map> receiver_map = map;
-  Type* receiver_type = Type::Class(receiver_map, graph()->zone());
+  Type* receiver_type = Type::Class(map, graph()->zone());
   while (CanInlinePropertyAccess(map)) {
     // Check for special JSObject field accessors.
     int offset;
     if (Accessors::IsJSObjectFieldAccessor(map, name, &offset)) {
       FieldIndex field_index = FieldIndex::ForInObjectOffset(offset);
       Representation field_representation = Representation::Tagged();
       Type* field_type = Type::Tagged();
-      if (receiver_type->Is(Type::String())) {
+      if (map->IsStringMap()) {
         DCHECK(Name::Equals(factory()->length_string(), name));
         // The String::length property is always a smi in the range
         // [0, String::kMaxLength].
         field_representation = Representation::Smi();
         field_type = Type::Intersect(
             Type::Range(0.0, String::kMaxLength, graph()->zone()),
             Type::TaggedSigned(), graph()->zone());
-      } else if (receiver_map->IsJSArrayMap()) {
+      } else if (map->IsJSArrayMap()) {
         DCHECK(Name::Equals(factory()->length_string(), name));
         // The JSArray::length property is a smi in the range
         // [0, FixedDoubleArray::kMaxLength] in case of fast double
         // elements, a smi in the range [0, FixedArray::kMaxLength]
         // in case of other fast elements, and [0, kMaxUInt32-1] in
         // case of other arrays.
         double field_type_upper = kMaxUInt32 - 1;
-        if (IsFastElementsKind(receiver_map->elements_kind())) {
+        if (IsFastElementsKind(map->elements_kind())) {
           field_representation = Representation::Smi();
-          field_type_upper =
-              IsFastDoubleElementsKind(receiver_map->elements_kind())
-                  ? FixedDoubleArray::kMaxLength
-                  : FixedArray::kMaxLength;
+          field_type_upper = IsFastDoubleElementsKind(map->elements_kind())
+                                 ? FixedDoubleArray::kMaxLength
+                                 : FixedArray::kMaxLength;
         }
         field_type =
             Type::Intersect(Type::Range(0.0, field_type_upper, graph()->zone()),
                             Type::TaggedSigned(), graph()->zone());
       }
       *access_info = PropertyAccessInfo::Data(
           receiver_type, field_index, field_representation, field_type, holder);
       return true;
     }
 
@@ skipping 353 matching lines @@
 }
 
 
 SimplifiedOperatorBuilder* JSNativeContextSpecialization::simplified() const {
   return jsgraph()->simplified();
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8