[turbofan] Fix bug in receiver maps inference

JSCreate can have side effects (by looking up the prototype on an
object), so once we walk past that the analysis result must be marked
as "unreliable".

Bug: chromium:1053604
Change-Id: I36625b14f374e74561c9b539bdf7a02ae767cf7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2062396
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66329}

src/compiler/node-properties.cc

@@ -386,6 +386,7 @@ NodeProperties::InferReceiverMapsResult NodeProperties::InferReceiverMapsUnsafe(
           // We reached the allocation of the {receiver}.
           return kNoReceiverMaps;
         }
+        result = kUnreliableReceiverMaps;  // JSCreate can have side-effect.
         break;
       }
       case IrOpcode::kJSCreatePromise: {

test/mjsunit/compiler/regress-1053604.js

+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let a = [0, 1, 2, 3, 4];
+
+function empty() {}
+
+function f(p) {
+  a.pop(Reflect.construct(empty, arguments, p));
+}
+
+let p = new Proxy(Object, {
+    get: () => (a[0] = 1.1, Object.prototype)
+});
+
+function main(p) {
+  f(p);
+}
+
+%PrepareFunctionForOptimization(empty);
+%PrepareFunctionForOptimization(f);
+%PrepareFunctionForOptimization(main);
+
+main(empty);
+main(empty);
+%OptimizeFunctionOnNextCall(main);
+main(p);