[turbofan] Unstable prototype maps are not supported currently.

We currently assume that all prototype maps are stable, which is
not guaranteed for certain keyed access patterns. So we explicitly
disallow optimizing the element access there for now.

BUG=chromium:557807, v8:4470
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1456973004

Cr-Commit-Position: refs/heads/master@{#32101}

src/compiler/access-info.cc

@@ -156,6 +156,12 @@ bool AccessInfoFactory::ComputeElementAccessInfo(
       Handle<JSReceiver> prototype =
           PrototypeIterator::GetCurrent<JSReceiver>(i);
       if (!prototype->IsJSObject()) return false;
+      // TODO(bmeurer): We do not currently support unstable prototypes.
+      // We might want to revisit the way we handle certain keyed stores
+      // because this whole prototype chain check is essential a hack,
+      // and I'm not sure that it is correct at all with dictionaries in
+      // the prototype chain.
+      if (!prototype->map()->is_stable()) return false;
       holder = Handle<JSObject>::cast(prototype);
     }
   }

test/mjsunit/regress/regress-crbug-557807.js

+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function bar() { return { __proto__: this }; }
+function foo(a) { a[0] = 0.3; }
+foo(bar());
+%OptimizeFunctionOnNextCall(foo);
+foo(bar());