[ic] Turn megamorphic when storing into an array with readonly length

The store element handlers don't check if the array length is writable
before updating the length. Since this is not expected to be a common
case no need of handling this in the element handlers. Just moving to
megamorphic would be sufficient.

Bug: chromium:967104
Change-Id: I7a7f9ea768266b9ffd6289328d61d2297d455619
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1658154
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62152}

src/ic/ic.cc

@@ -2043,6 +2043,9 @@ MaybeHandle<Object> KeyedStoreIC::Store(Handle<Object> object,
     if (!old_receiver_map.is_null()) {
       if (is_arguments) {
         set_slow_stub_reason("arguments receiver");
+      } else if (object->IsJSArray() && IsGrowStoreMode(store_mode) &&
+                 JSArray::HasReadOnlyLength(Handle<JSArray>::cast(object))) {
+        set_slow_stub_reason("array has read only length");
       } else if (key_is_valid_index) {
         if (old_receiver_map->is_abandoned_prototype_map()) {
           set_slow_stub_reason("receiver with prototype map");

test/mjsunit/regress/regress_967104.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Check that arrays with non-writable length are handled correctly
+
+arr = new Array();
+Object.defineProperty(arr, "length", {value: 3, writable: false});
+function foo(i, v) { arr[i] = v; }
+foo(3);
+foo(3, 3);
+assertEquals(arr[3], undefined);