Fix ArrayIteratorPrototypeNext for holes.

It's not sufficient to check the NoElements protector because that
doesn't guard against the array having a custom prototype.

Bug: v8:8449
Change-Id: I843815466a1e4ae197a2b76eec62d04cdc2d619d
Reviewed-on: https://chromium-review.googlesource.com/c/1332232Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57457}

src/builtins/builtins-array-gen.cc

@@ -3467,6 +3467,8 @@ TF_BUILTIN(ArrayIteratorPrototypeNext, CodeStubAssembler) {
     BIND(&if_hole);
     {
       GotoIf(IsNoElementsProtectorCellInvalid(), &if_generic);
+      GotoIfNot(IsPrototypeInitialArrayPrototype(context, array_map),
+                &if_generic);
       var_value.Bind(UndefinedConstant());
       Goto(&allocate_entry_if_needed);
     }

test/mjsunit/regress/regress-8449.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+{
+  const x = [, 1];
+  x.__proto__ = [42];
+  const y = [...x];
+  assertEquals([42, 1], y);
+  assertTrue(y.hasOwnProperty(0));
+}
+
+{
+  const x = [, 1];
+  x.__proto__ = [42];
+  assertEquals(42, x[Symbol.iterator]().next().value);
+}
+
+{
+  const array_prototype = [].__proto__;
+  array_prototype[0] = 42;
+  const x = [, 1];
+  assertEquals(42, x[Symbol.iterator]().next().value);
+  delete array_prototype[0];
+}