[ic] Fix handling of JSArray.length accessor info.

Bug: chromium:716804
Change-Id: I0ef5169e2af34ec2d794c99e99d9e31035599744
Reviewed-on: https://chromium-review.googlesource.com/493146
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45011}

src/code-stub-assembler.cc

@@ -5435,9 +5435,10 @@ Node* CodeStubAssembler::CallGetterIfAccessor(Node* value, Node* details,
     // JSArray AccessorInfo case.
     BIND(&if_array);
     {
-      // The only AccessorInfo on JSArray is the "length" property.
-      CSA_ASSERT(this, IsLengthString(LoadObjectField(
-                           accessor_info, AccessorInfo::kNameOffset)));
+      // We only deal with the "length" accessor on JSArray.
+      GotoIfNot(IsLengthString(
+                    LoadObjectField(accessor_info, AccessorInfo::kNameOffset)),
+                if_bailout);
       var_value.Bind(LoadJSArrayLength(receiver));
       Goto(&done);
     }

test/mjsunit/regress/regress-crbug-716804.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var v = [];
+v.__proto__ = function() {};
+v.prototype;
+
+var v = [];
+v.__proto__ = new Error();
+v.stack;