Fix IC handler cache clearing for JSBuiltinsObject

The clearing mechanism relies on comparing the cached handler with the installed handler. If we try to preserve monomorphism by pretending that the IC was in uninitialized state, then it will go premonomorphic first, which means on the next miss there's no installed handler available to compare against. Instead, pretend it was premonomorphic, so the comparison will happen right away, will fail as it should, and the cached handler will be cleared.

Thanks to Weiliang for starting the investigation that led to this.

R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/730383002

Cr-Commit-Position: refs/heads/master@{#25394}

src/ic/ic.cc

@@ -339,7 +339,7 @@ void IC::UpdateState(Handle<Object> receiver, Handle<Object> name) {
   // an inline cache miss for the builtins object after lazily loading
   // JavaScript builtins, we return uninitialized as the state to
   // force the inline cache back to monomorphic state.
-  if (receiver->IsJSBuiltinsObject()) state_ = UNINITIALIZED;
+  if (receiver->IsJSBuiltinsObject()) state_ = PREMONOMORPHIC;
 }