[builtins] Fix no elements check on the prototype chain.

Invoking Object.freeze on either the Object.prototype or the
Array.prototype changes its elements backing store to
DICTIONARY_ELEMENTS kind, which is not properly checked in all
placeswhere we test for elements in the prototype chain, i.e. in
JSObject::PrototypeHasNoElements. This causes several Array
builtins to take the slow path, i.e. Array.prototype.splice.

Fix this for now by consistently checking for either empty_fixed_array
or empty_slow_element_dictionary in both C++ and CSA runtime.

Bug: v8:6689
Change-Id: I3f62643131b3a874b5c2a3d7ed054dd1e799bbaf
Reviewed-on: https://chromium-review.googlesource.com/608127Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47264}

src/code-stub-assembler.cc

@@ -725,7 +725,9 @@ void CodeStubAssembler::BranchIfPrototypesHaveNoElements(
   CSA_SLOW_ASSERT(this, IsMap(receiver_map));
   VARIABLE(var_map, MachineRepresentation::kTagged, receiver_map);
   Label loop_body(this, &var_map);
-  Node* empty_elements = LoadRoot(Heap::kEmptyFixedArrayRootIndex);
+  Node* empty_fixed_array = LoadRoot(Heap::kEmptyFixedArrayRootIndex);
+  Node* empty_slow_element_dictionary =
+      LoadRoot(Heap::kEmptySlowElementDictionaryRootIndex);
   Goto(&loop_body);
 
   BIND(&loop_body);
@@ -741,10 +743,11 @@ void CodeStubAssembler::BranchIfPrototypesHaveNoElements(
     GotoIf(Int32LessThanOrEqual(LoadMapInstanceType(prototype_map),
                                 Int32Constant(LAST_CUSTOM_ELEMENTS_RECEIVER)),
            possibly_elements);
-    GotoIf(WordNotEqual(LoadElements(prototype), empty_elements),
-           possibly_elements);
+    Node* prototype_elements = LoadElements(prototype);
     var_map.Bind(prototype_map);
-    Goto(&loop_body);
+    GotoIf(WordEqual(prototype_elements, empty_fixed_array), &loop_body);
+    Branch(WordEqual(prototype_elements, empty_slow_element_dictionary),
+           &loop_body, possibly_elements);
   }
 }
 

src/objects-inl.h

@@ -902,11 +902,17 @@ bool JSObject::PrototypeHasNoElements(Isolate* isolate, JSObject* object) {
   DisallowHeapAllocation no_gc;
   HeapObject* prototype = HeapObject::cast(object->map()->prototype());
   HeapObject* null = isolate->heap()->null_value();
-  HeapObject* empty = isolate->heap()->empty_fixed_array();
+  HeapObject* empty_fixed_array = isolate->heap()->empty_fixed_array();
+  HeapObject* empty_slow_element_dictionary =
+      isolate->heap()->empty_slow_element_dictionary();
   while (prototype != null) {
     Map* map = prototype->map();
     if (map->instance_type() <= LAST_CUSTOM_ELEMENTS_RECEIVER) return false;
-    if (JSObject::cast(prototype)->elements() != empty) return false;
+    HeapObject* elements = JSObject::cast(prototype)->elements();
+    if (elements != empty_fixed_array &&
+        elements != empty_slow_element_dictionary) {
+      return false;
+    }
     prototype = HeapObject::cast(map->prototype());
   }
   return true;