[turbofan] Fix memory corruption

Bug: chromium:997057
Change-Id: I821b91ff51f82e6325dae5719e1669142c82b05e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768579
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63369}

src/compiler/js-native-context-specialization.cc

@@ -1094,7 +1094,8 @@ Reduction JSNativeContextSpecialization::ReduceNamedAccess(
   ZoneVector<PropertyAccessInfo> access_infos(zone());
   FilterMapsAndGetPropertyAccessInfos(feedback, access_mode, receiver, effect,
                                       &access_infos_for_feedback);
-  AccessInfoFactory access_info_factory(broker(), dependencies(), zone());
+  AccessInfoFactory access_info_factory(broker(), dependencies(),
+                                        graph()->zone());
   if (!access_info_factory.FinalizePropertyAccessInfos(
           access_infos_for_feedback, access_mode, &access_infos)) {
     return NoChange();

test/mjsunit/regress/regress-crbug-997057.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-lazy-feedback-allocation
+
+arr0 = [];
+
+var obj = {};
+
+Array.prototype[12] = 10;
+arr0 = [];
+Array.prototype[0] = 153;
+
+for (var elem in arr0) {
+  obj.length = {
+    toString: function () {
+    }
+  };
+}
+
+function baz() {
+  obj.length, arr0.length;
+}
+
+var arr = [{}, [], {}];
+for (var i in arr) {
+  baz();
+  for (var j = 0; j < 100000; j++) {
+  }
+}