Do not inline array resize operations for outdated prototype maps.

BUG=chromium:523213
LOG=N

Review URL: https://codereview.chromium.org/1313303002

Cr-Commit-Position: refs/heads/master@{#30374}

src/hydrogen.cc

@@ -8601,9 +8601,10 @@ bool HOptimizedGraphBuilder::CanInlineArrayResizeOperation(
   return !receiver_map.is_null() &&
          receiver_map->instance_type() == JS_ARRAY_TYPE &&
          IsFastElementsKind(receiver_map->elements_kind()) &&
-         !receiver_map->is_dictionary_map() &&
-         !IsReadOnlyLengthDescriptor(receiver_map) &&
-         !receiver_map->is_observed() && receiver_map->is_extensible();
+         !receiver_map->is_dictionary_map() && !receiver_map->is_observed() &&
+         receiver_map->is_extensible() &&
+         (!receiver_map->is_prototype_map() || receiver_map->is_stable()) &&
+         !IsReadOnlyLengthDescriptor(receiver_map);
 }
 
 

src/objects.cc

@@ -1776,6 +1776,8 @@ void JSObject::MigrateToMap(Handle<JSObject> object, Handle<Map> new_map,
     if (!new_map->is_dictionary_map()) {
       MigrateFastToFast(object, new_map);
       if (old_map->is_prototype_map()) {
+        DCHECK(!old_map->is_stable());
+        DCHECK(new_map->is_stable());
         // Clear out the old descriptor array to avoid problems to sharing
         // the descriptor array without using an explicit.
         old_map->InitializeDescriptors(

test/mjsunit/regress/regress-crbug-523213.js

+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var v1 = [];
+var v2 = [];
+v1.__proto__ = v2;
+
+function f(){
+  var a = [];
+  for(var i=0; i<2; i++){
+    a.push([]);
+    a = v2;
+  }
+}
+
+f();
+%OptimizeFunctionOnNextCall(f);
+f();