[turbofan] Fix inconsistent initialization of JSGeneratorObject.

The register file of the JSGeneratorObject is normally filled with
undefined in the beginning, except in TurboFan where we put the_hole
there. In addition TurboFan used StoreElement to initialize the fields
but then StoreField/LoadField to access them later, which can lead to
aliasing bugs (currently not possible because our alias analysis is
not smart enough).

Bug: v8:7253
Change-Id: Idbff29d138946f110336b9bef0e1889e596d834c
Reviewed-on: https://chromium-review.googlesource.com/952968Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51784}

src/compiler/js-create-lowering.cc

@@ -473,8 +473,13 @@ Reduction JSCreateLowering::ReduceJSCreateGeneratorObject(Node* node) {
     // Allocate a register file.
     DCHECK(js_function->shared()->HasBytecodeArray());
     int size = js_function->shared()->bytecode_array()->register_count();
-    Node* register_file = effect =
-        AllocateElements(effect, control, HOLEY_ELEMENTS, size, NOT_TENURED);
+    AllocationBuilder ab(jsgraph(), effect, control);
+    ab.AllocateArray(size, factory()->fixed_array_map());
+    for (int i = 0; i < size; ++i) {
+      ab.Store(AccessBuilder::ForFixedArraySlot(i),
+               jsgraph()->UndefinedConstant());
+    }
+    Node* register_file = effect = ab.Finish();
 
     // Emit code to allocate the JS[Async]GeneratorObject instance.
     AllocationBuilder a(jsgraph(), effect, control);