Fix deoptmization of inlined TF InstanceOf to call ToBoolean

src/compiler/js-native-context-specialization.cc

Index: src/compiler/js-native-context-specialization.cc
diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
index 73db511256be08708d6c70feebc2610c56e57861..2c79f35c65dac1ca1e2b954291a50d7807dd6ede 100644
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -175,6 +175,7 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
   Node* constructor = NodeProperties::GetValueInput(node, 1);
   Node* context = NodeProperties::GetContextInput(node);
   Node* effect = NodeProperties::GetEffectInput(node);
+  Node* outer_frame_state = NodeProperties::GetFrameStateInput(node);

[Michael Starzinger, 2017/06/22 14:16:11]

nit: s/outer_frame_state/frame_state/

[danno, 2017/06/22 15:04:00]

Done.

   Node* control = NodeProperties::GetControlInput(node);
 
   // Check if the right hand side is a known {receiver}.
@@ -244,11 +245,16 @@ Reduction JSNativeContextSpecialization::ReduceJSInstanceOf(Node* node) {
     effect = BuildCheckMaps(constructor, effect, control,
                             access_info.receiver_maps());
 
+    Node* frame_state = CreateStubBuiltinContinuationFrameState(

[Michael Starzinger, 2017/06/22 14:16:11]

nit: s/frame_state/continuation_frame_state/

[Michael Starzinger, 2017/06/22 14:16:11]

nit: Please add a comment explaining the reasoning behind this frame-state and
what it is needed for.

[danno, 2017/06/22 15:04:00]

Done.

[danno, 2017/06/22 15:04:00]

Done.

+        jsgraph(), Builtins::kToBooleanLazyDeoptContinuation, context, nullptr,
+        0, outer_frame_state, ContinuationFrameStateMode::LAZY);
+
     // Call the @@hasInstance handler.
     Node* target = jsgraph()->Constant(constant);
     node->InsertInput(graph()->zone(), 0, target);
     node->ReplaceInput(1, constructor);
     node->ReplaceInput(2, object);
+    node->ReplaceInput(4, frame_state);
     node->ReplaceInput(5, effect);
     NodeProperties::ChangeOp(
         node, javascript()->Call(3, CallFrequency(), VectorSlotPair(),