[builtins] fix mapcheck in Array.includes fast-case when searching for String

Use LoadInstanceType() rather than LoadMapInstanceType(), as this part of the
code is operating on a JS-accessible HeapObject rather than a Map.

BUG=chromium:633883, v8:5162
R=mstarzinger@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2207903002
Cr-Commit-Position: refs/heads/master@{#38297}

src/builtins/builtins-array.cc

@@ -1517,7 +1517,7 @@ void Builtins::Generate_ArrayIncludes(CodeStubAssembler* assembler) {
           assembler->LoadFixedArrayElement(elements, index_var.value());
       assembler->GotoIf(assembler->WordIsSmi(element_k), &continue_loop);
       assembler->GotoUnless(assembler->Int32LessThan(
-                                assembler->LoadMapInstanceType(element_k),
+                                assembler->LoadInstanceType(element_k),
                                 assembler->Int32Constant(FIRST_NONSTRING_TYPE)),
                             &continue_loop);
 

test/mjsunit/es7/regress/regress-633883.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+v5 = new Array();
+v17 = encodeURIComponent(v5);
+v19 = isFinite();
+v34 = new Array(v19);
+v47 = v34.includes(v17);