[runtime] %GrowArrayElements doesn't have a native context in TurboFan.

When we compile a growing store in TurboFan, we don't pass a (native)
context to the %GrowArrayElements fallback function, as the whole logic
is actually context independent. However, that means that we need to
bailout early in case the object is a prototype, which requires context
dependent checks in the array protector code.

R=cbruni@chromium.org
BUG=chromium:635798

Review-Url: https://codereview.chromium.org/2224253003
Cr-Commit-Position: refs/heads/master@{#38491}

src/runtime/runtime-array.cc

@@ -374,7 +374,8 @@ RUNTIME_FUNCTION(Runtime_GrowArrayElements) {
   uint32_t index = static_cast<uint32_t>(key);
 
   if (index >= capacity) {
-    if (object->WouldConvertToSlowElements(index)) {
+    if (object->map()->is_prototype_map() ||
+        object->WouldConvertToSlowElements(index)) {
       // We don't want to allow operations that cause lazy deopt. Return a Smi
       // as a signal that optimized code should eagerly deoptimize.
       return Smi::FromInt(0);

test/mjsunit/regress/regress-crbug-635798.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+  var x = [];
+  var y = [];
+  x.__proto__ = y;
+  for (var i = 0; i < 200000; ++i) {
+    y[i] = 1;
+  }
+}
+foo();