Fix representation issue in FastArrayPushStub

Pushing undefined onto a FAST_DOUBLE_ARRAY does not enforce the right representation checks.

BUG=chromuim:599089
LOG=n

Review URL: https://codereview.chromium.org/1868973002

Cr-Commit-Position: refs/heads/master@{#35332}

src/code-stubs-hydrogen.cc

@@ -721,9 +721,15 @@ HValue* CodeStubGraphBuilderBase::BuildPushElement(HValue* object, HValue* argc,
     {
       HInstruction* argument =
           Add<HAccessArgumentsAt>(argument_elements, argc, key);
-      Representation r = IsFastSmiElementsKind(kind) ? Representation::Smi()
-                                                     : Representation::Double();
-      AddUncasted<HForceRepresentation>(argument, r);
+      IfBuilder can_store(this);
+      can_store.IfNot<HIsSmiAndBranch>(argument);
+      if (IsFastDoubleElementsKind(kind)) {
+        can_store.And();
+        can_store.IfNot<HCompareMap>(argument,
+                                     isolate()->factory()->heap_number_map());
+      }
+      can_store.ThenDeopt(Deoptimizer::kFastArrayPushFailed);
+      can_store.End();
     }
     builder.EndBody();
   }

test/mjsunit/regress/regress-599089-array-push.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+var array = [1.2, 1.2];
+array.length = 0;
+array.push(undefined);
+assertEquals(1, array.length);
+assertEquals([undefined], array);