[turbofan] Properly handle Array.prototype and Object.prototype in the runtime.

We don't use ICs for the Array.prototype and the Object.prototype
because the runtime has to be able to intercept them properly (for the
global protectors). So we better make sure that TurboFan doesn't
outsmart the system by storing to elements of either prototype directly.

Bug: chromium:781116
Change-Id: I0f521601ef02c1b21018abd1bf1028fd8a811e84
Reviewed-on: https://chromium-review.googlesource.com/753089
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49101}

src/compiler/node-properties.cc

@@ -365,12 +365,26 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMaps(
     Node* receiver, Node* effect, ZoneHandleSet<Map>* maps_return) {
   HeapObjectMatcher m(receiver);
   if (m.HasValue()) {
-    Handle<Map> receiver_map(m.Value()->map());
-    if (receiver_map->is_stable()) {
-      // The {receiver_map} is only reliable when we install a stability
-      // code dependency.
-      *maps_return = ZoneHandleSet<Map>(receiver_map);
-      return kUnreliableReceiverMaps;
+    Handle<HeapObject> receiver = m.Value();
+    Isolate* const isolate = m.Value()->GetIsolate();
+    // We don't use ICs for the Array.prototype and the Object.prototype
+    // because the runtime has to be able to intercept them properly, so
+    // we better make sure that TurboFan doesn't outsmart the system here
+    // by storing to elements of either prototype directly.
+    //
+    // TODO(bmeurer): This can be removed once the Array.prototype and
+    // Object.prototype have NO_ELEMENTS elements kind.
+    if (!isolate->IsInAnyContext(*receiver,
+                                 Context::INITIAL_ARRAY_PROTOTYPE_INDEX) &&
+        !isolate->IsInAnyContext(*receiver,
+                                 Context::INITIAL_OBJECT_PROTOTYPE_INDEX)) {
+      Handle<Map> receiver_map(receiver->map(), isolate);
+      if (receiver_map->is_stable()) {
+        // The {receiver_map} is only reliable when we install a stability
+        // code dependency.
+        *maps_return = ZoneHandleSet<Map>(receiver_map);
+        return kUnreliableReceiverMaps;
+      }
     }
   }
   InferReceiverMapsResult result = kReliableReceiverMaps;

test/mjsunit/regress/regress-crbug-781116-1.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function baz(obj, store) {
+  if (store === true) obj[0] = 1;
+}
+function bar(store) {
+  baz(Array.prototype, store);
+  baz(this.arguments, true);
+}
+bar(false);
+bar(false);
+%OptimizeFunctionOnNextCall(bar);
+bar(true);
+
+function foo() { [].push(); }
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();

test/mjsunit/regress/regress-crbug-781116-2.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function baz(obj, store) {
+  if (store === true) obj[0] = 1;
+}
+function bar(store) {
+  baz(Object.prototype, store);
+  baz(this.arguments, true);
+}
+bar(false);
+bar(false);
+%OptimizeFunctionOnNextCall(bar);
+bar(true);
+
+function foo() { [].push(); }
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();