Fix Map::TryUpdate assertion.

This makes the DCHECK consistent with the map updater.
See https://cs.chromium.org/chromium/src/v8/src/map-updater.cc?l=330&rcl=5671f8b940b0fcdb550e318e449ded0f866e935a

Bug: chromium:949435
Change-Id: Id4fef60cdca094e638a1db38878953ecb2422c4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1552797Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60640}

src/objects/map.cc

@@ -1018,9 +1018,10 @@ Map Map::TryUpdateSlow(Isolate* isolate, Map old_map) {
     // Bail out if there were some private symbol transitions mixed up
     // with the integrity level transitions.
     if (!info.has_integrity_level_transition) return Map();
-    // Make sure replay the original elements kind transitions, before
+    // Make sure to replay the original elements kind transitions, before
     // the integrity level transition sets the elements to dictionary mode.
     DCHECK(to_kind == DICTIONARY_ELEMENTS ||
+           to_kind == SLOW_STRING_WRAPPER_ELEMENTS ||
            IsFixedTypedArrayElementsKind(to_kind));
     to_kind = info.integrity_level_source_map->elements_kind();
   }

test/mjsunit/compiler/regress-949435.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+  const v6 = new String();
+  v6.POSITIVE_INFINITY = 1337;
+  const v8 = Object.seal(v6);
+  v8.POSITIVE_INFINITY = Object;
+}
+
+f();
+%OptimizeFunctionOnNextCall(f)
+f();