[compiler] Remove invalid CHECK in JSFunctionData::Cache

A JSFunction object may count as 'ObjectMayBeUninitialized', yet still
be safe to read for other reasons (e.g. because it has been loaded
through a chain of acquire-loads and immutable-after-initialization
guarantees).

Bug: chromium:1235071,v8:7790
Change-Id: I18c81695f001fd67e69d98dde641b71ed7b7e53d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3064606
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76031}

src/compiler/heap-refs.cc

@@ -1076,7 +1076,6 @@ int InstanceSizeWithMinSlack(JSHeapBroker* broker, MapRef map) {
 // IMPORTANT: Keep this sync'd with JSFunctionData::IsConsistentWithHeapState.
 void JSFunctionData::Cache(JSHeapBroker* broker) {
   CHECK(!serialized_);
-  CHECK(!broker->ObjectMayBeUninitialized(HeapObject::cast(*object())));
 
   TraceScope tracer(broker, this, "JSFunctionData::Cache");
   Handle<JSFunction> function = Handle<JSFunction>::cast(object());

test/mjsunit/regress/regress-1235071.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --noanalyze-environment-liveness --interrupt-budget=1000 --allow-natives-syntax
+
+function __f_4() {
+  var __v_3 = function() {};
+  var __v_5 = __v_3.prototype;
+  Number.prototype.__proto__ = __v_3;
+  __v_5, __v_3.prototype;
+}
+%PrepareFunctionForOptimization(__f_4);
+for (let i = 0; i < 100; i++) __f_4();