Don't look at abandoned prototype maps when looking for root maps

Bug: chromium:757199, chromium:758773, chromium:758821
Change-Id: I70644853770501b13992bd7bf78d168ca2308d64
Reviewed-on: https://chromium-review.googlesource.com/635223Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47603}

src/compiler/js-native-context-specialization.cc

@@ -2344,10 +2344,12 @@ bool JSNativeContextSpecialization::ExtractReceiverMaps(
     // Try to filter impossible candidates based on inferred root map.
     Handle<Map> receiver_map;
     if (InferReceiverRootMap(receiver).ToHandle(&receiver_map)) {
+      DCHECK(!receiver_map->is_abandoned_prototype_map());
       receiver_maps->erase(
           std::remove_if(receiver_maps->begin(), receiver_maps->end(),
                          [receiver_map](const Handle<Map>& map) {
-                           return map->FindRootMap() != *receiver_map;
+                           return map->is_abandoned_prototype_map() ||
+                                  map->FindRootMap() != *receiver_map;
                          }),
           receiver_maps->end());
     }

test/mjsunit/regress/regress-crbug-757199.js

+/// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var obj1 = {};
+var obj2 = {};
+
+function h() {}
+
+h.prototype = obj2;
+
+function g(v) {
+  v.constructor;
+}
+function f() {
+  g(obj1);
+}
+
+obj1.x = 0;
+f();
+
+obj1.__defineGetter__("x", function() {});
+
+g(obj2);
+
+obj2.y = 0;
+
+%OptimizeFunctionOnNextCall(f);
+f();

test/mjsunit/regress/regress-crbug-758773.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(0).__defineGetter__(0, function() { });
+Number.prototype[0] = "string";