[string] Don't tail-call into runtime with adaptor frames

TailCallRuntime currently does not seem to handle adaptor frames
correctly.

BUG=chromium:688690

Review-Url: https://codereview.chromium.org/2675133003
Cr-Commit-Position: refs/heads/master@{#42950}

src/builtins/builtins-string.cc

@@ -1208,8 +1208,9 @@ TF_BUILTIN(StringPrototypeReplace, StringBuiltinsAssembler) {
     // slices works only when the replaced string is a single character, being
     // replaced by a simple string and only pays off for long strings.
     // TODO(jgruber): Reevaluate if this is still beneficial.
-    TailCallRuntime(Runtime::kStringReplaceOneCharWithString, context,
-                    subject_string, search_string, replace);
+    // TODO(jgruber): TailCallRuntime when it correctly handles adapter frames.
+    Return(CallRuntime(Runtime::kStringReplaceOneCharWithString, context,
+                       subject_string, search_string, replace));
 
     Bind(&next);
   }

test/mjsunit/regress/regress-688690.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var foo = "01234567";
+
+foo += foo;
+foo += foo;
+foo += foo;
+foo += foo;
+foo += foo;  // foo.length = 256;
+
+// Create an adaptor frame, and take the StringReplaceOneCharWithString runtime
+// fast path. This crashed originally since TailCallRuntime could not handle
+// adaptor frames.
+var bar = foo.replace('x', 'y', 'z');