Fix polymorphic keyed load handler selection for string elements

src/ic/ic.cc

Index: src/ic/ic.cc
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index 8ff1119791f43064e1c74e92dd66a01e587c5c71..ed03b91811a691dd92ec64857b65dfa61965c7f3 100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1288,10 +1288,10 @@ static Handle<Object> TryConvertKey(Handle<Object> key, Isolate* isolate) {
 Handle<Code> KeyedLoadIC::LoadElementStub(Handle<HeapObject> receiver) {
   Handle<Code> null_handle;
   Handle<Map> receiver_map(receiver->map(), isolate());
+  DCHECK(receiver_map->instance_type() != JS_VALUE_TYPE);  // Checked by caller.
   MapHandleList target_receiver_maps;
   TargetMaps(&target_receiver_maps);
 
-
   if (target_receiver_maps.length() == 0) {
     Handle<Code> handler =
         PropertyICCompiler::ComputeKeyedLoadMonomorphicHandler(
@@ -1300,6 +1300,14 @@ Handle<Code> KeyedLoadIC::LoadElementStub(Handle<HeapObject> receiver) {
     return null_handle;
   }
 
+  for (int i = 0; i < target_receiver_maps.length(); i++) {
+    if (!target_receiver_maps.at(i).is_null() &&
+        target_receiver_maps.at(i)->instance_type() == JS_VALUE_TYPE) {
+      TRACE_GENERIC_IC(isolate(), "KeyedLoadIC", "JSValue");
+      return megamorphic_stub();
+    }
+  }
+
   // The first time a receiver is seen that is a transitioned version of the
   // previous monomorphic receiver type, assume the new ElementsKind is the
   // monomorphic type. This benefits global arrays that only transition