Invoking Object.freeze on either the Object.prototype or the
Array.prototype changes its elements backing store to
DICTIONARY_ELEMENTS kind, which is not properly checked in all
placeswhere we test for elements in the prototype chain, i.e. in
JSObject::PrototypeHasNoElements. This causes several Array
builtins to take the slow path, i.e. Array.prototype.splice.

Fix this for now by consistently checking for either empty_fixed_array
or empty_slow_element_dictionary in both C++ and CSA runtime.

Bug: v8:6689
Change-Id: I3f62643131b3a874b5c2a3d7ed054dd1e799bbaf
Reviewed-on: https://chromium-review.googlesource.com/608127Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47264}