[heap-verify] Relax arguments verification

For unknown Argument object Maps we have to expect that constants fields
are kept on the Map.

Bug: chromium:729597
Change-Id: I110f77455ce434a431c8de27d021b1a5deb86f30
Reviewed-on: https://chromium-review.googlesource.com/532900Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45935}

src/objects-debug.cc

@@ -484,7 +484,6 @@ void JSArgumentsObject::JSArgumentsObjectVerify() {
 
 void JSSloppyArgumentsObject::JSSloppyArgumentsObjectVerify() {
   Isolate* isolate = GetIsolate();
-  if (!map()->is_dictionary_map()) VerifyObjectField(kCalleeOffset);
   if (isolate->IsInAnyContext(map(), Context::SLOPPY_ARGUMENTS_MAP_INDEX) ||
       isolate->IsInAnyContext(map(),
                               Context::SLOW_ALIASED_ARGUMENTS_MAP_INDEX) ||

test/mjsunit/regress/regress-crbug-729597.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --verify-heap
+
+function __f_3(f) {
+  arguments.__defineGetter__('length', f);
+  return arguments;
+}
+function __f_4() { return "boom"; }
+
+__v_4 = [];
+__v_13 = "";
+
+for (var i = 0; i < 12800; ++i) {
+  __v_13 +=  __v_4.__proto__ = __f_3(__f_4);
+}