X87: Array() in optimized code can create with wrong ElementsKind in corner cases

port 13459c1a (r27857)

original commit message:

    Array() in optimized code can create with wrong ElementsKind in corner cases.

    Calling new Array(JSObject::kInitialMaxFastElementArray) in optimized code
    makes a stub call that bails out due to the length. Currently, the bailout
    code a) doesn't have the allocation site, and b) wouldn't use it if it did
    because the length is perceived to be too high.

    This CL passes the allocation site to the stub call (rather than undefined),
    and alters the bailout code to utilize the feedback.

BUG=

Review URL: https://codereview.chromium.org/1088423002

Cr-Commit-Position: refs/heads/master@{#27875}

src/x87/lithium-codegen-x87.cc

@@ -4379,7 +4379,15 @@ void LCodeGen::DoCallNewArray(LCallNewArray* instr) {
   DCHECK(ToRegister(instr->result()).is(eax));
 
   __ Move(eax, Immediate(instr->arity()));
+  if (instr->arity() == 1) {
+    // We only need the allocation site for the case we have a length argument.
+    // The case may bail out to the runtime, which will determine the correct
+    // elements kind with the site.
+    __ mov(ebx, instr->hydrogen()->site());
+  } else {
     __ mov(ebx, isolate()->factory()->undefined_value());
+  }
+
   ElementsKind kind = instr->hydrogen()->elements_kind();
   AllocationSiteOverrideMode override_mode =
       (AllocationSite::GetMode(kind) == TRACK_ALLOCATION_SITE)