This is a type confusion bug in ic.cc::LoadIC::ComputeHandler.

IC system is used to cache the object's map and its corresponding handler. If next time access the object's map is the same with map cache, it will use the same handler to access property.

The bug is in function |ComputeHandler| : 

"""
Handle<Map> map = lookup_start_object_map();
  bool holder_is_lookup_start_object =
      lookup_start_object.is_identical_to(lookup->GetHolder<JSReceiver>());

  switch (lookup->state()) {
    ........

    case LookupIterator::ACCESSOR: {
      Handle<JSObject> holder = lookup->GetHolder<JSObject>();
      ........

      if (holder->IsJSModuleNamespace()) {
        Handle<ObjectHashTable> exports(
            Handle<JSModuleNamespace>::cast(holder)->module().exports(),
            isolate());
        InternalIndex entry =
            exports->FindEntry(isolate(), roots, lookup->name(),
                               Smi::ToInt(lookup->name()->GetHash()));
        // We found the accessor, so the entry must exist.
        DCHECK(entry.is_found());
        int index = ObjectHashTable::EntryToValueIndex(entry);
        return LoadHandler::LoadModuleExport(isolate(), index);
      }
"""

When the holder is |JSModuleNamespace|, it does not check |holder_is_lookup_start_object| is ture or false, so the holder may be different with lookup_start_object, but the cache map is from lookup_start_object and handler is compute from holder. So this will lead to cache map mismatch with handler. This will lead to type confusion in builtins generate ic code.