[literals] Set the proper Map on the elements store for object literals

Bug: chromium:725201
Change-Id: Ic75f4080b8ef28e64b471887871c526c0bac316b
Reviewed-on: https://chromium-review.googlesource.com/514004Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45518}

src/builtins/builtins-constructor-gen.cc

@@ -53,8 +53,10 @@ Node* ConstructorBuiltinsAssembler::CopyFixedArrayBase(Node* fixed_array) {
     result.Bind(copy);
     Goto(&done);
   }
-
   BIND(&done);
+  // Manually copy over the map of the incoming array to preserve the elements
+  // kind.
+  StoreMap(result.value(), LoadMap(fixed_array));
   return result.value();
 }
 

test/mjsunit/regress/regress-crbug-725201.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function __f_1() {
+  function __f_2() {
+    Array.prototype.__proto__ = { 77e4  : null };
+  }
+  __f_2();
+  %OptimizeFunctionOnNextCall(__f_2);
+  __f_2();
+}
+try {
+__f_1();
+} catch(e) {; }
+for (var __v_6 in [(1.2)]) {  }
+
+%HeapObjectVerify([(1.2)]);