[in-place weak refs] Fix regression (crash).

The regressing change was:

https://chromium-review.googlesource.com/c/v8/v8/+/1090922/17/src/heap/factory.cc

This difference (empty list vs uninitialized) is important for other parts of
the code, mainly JSObject::UnregisterPrototypeUser whose return value depends on
this difference.

Other parts of the CL already talk about + prepare for using
Smi::kZero as a placeholder for "uninitialized" list.

No regression test added since without this bug, the regressesion test doesn't
crash but hangs.

BUG=chromium:903245

Change-Id: Id3efe955fbd7e08cc4048d23c5b519c504f0201c
Reviewed-on: https://chromium-review.googlesource.com/c/1328924Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57383}

src/heap/factory.cc

@@ -209,7 +209,7 @@ Handle<HeapObject> Factory::NewFillerObject(int size, bool double_align,
 Handle<PrototypeInfo> Factory::NewPrototypeInfo() {
   Handle<PrototypeInfo> result =
       Handle<PrototypeInfo>::cast(NewStruct(PROTOTYPE_INFO_TYPE, TENURED));
-  result->set_prototype_users(*empty_weak_array_list());
+  result->set_prototype_users(Smi::kZero);
   result->set_registry_slot(PrototypeInfo::UNREGISTERED);
   result->set_bit_field(0);
   result->set_module_namespace(*undefined_value());

src/objects.cc

@@ -12831,6 +12831,9 @@ void InvalidatePrototypeChainsInternal(Map* map) {
   Object* maybe_proto_info = map->prototype_info();
   if (!maybe_proto_info->IsPrototypeInfo()) return;
   PrototypeInfo* proto_info = PrototypeInfo::cast(maybe_proto_info);
+  if (!proto_info->prototype_users()->IsWeakArrayList()) {
+    return;
+  }
   WeakArrayList* prototype_users =
       WeakArrayList::cast(proto_info->prototype_users());
   // For now, only maps register themselves as users.