[crankshaft] Guard against side effects in Array.prototype.shift lowering.

We need to pay attention to potential side effects from parameter
evaluation when inlining the fast case Array.prototype.shift.

R=yangguo@chromium.org
BUG=chromium:614644

Review-Url: https://codereview.chromium.org/2161943002
Cr-Commit-Position: refs/heads/master@{#37850}

src/crankshaft/hydrogen.cc

@@ -9072,16 +9072,16 @@ bool HOptimizedGraphBuilder::TryInlineBuiltinMethodCall(
       HConstant* inline_threshold = Add<HConstant>(static_cast<int32_t>(16));
 
       Drop(args_count_no_receiver);
-      HValue* receiver = Pop();
-      Drop(1);  // Function.
       HValue* result;
+      HValue* receiver = Pop();
+      HValue* checked_object = AddCheckMap(receiver, receiver_map);
+      HValue* length = Add<HLoadNamedField>(
+          receiver, checked_object, HObjectAccess::ForArrayLength(kind));
 
+      Drop(1);  // Function.
       {
         NoObservableSideEffectsScope scope(this);
 
-        HValue* length = Add<HLoadNamedField>(
-            receiver, nullptr, HObjectAccess::ForArrayLength(kind));
-
         IfBuilder if_lengthiszero(this);
         HValue* lengthiszero = if_lengthiszero.If<HCompareNumericAndBranch>(
             length, graph()->GetConstant0(), Token::EQ);

test/mjsunit/regress/regress-crbug-614644.js

@@ -0,0 +1,15 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f(a, x) {
+  a.shift(2, a.length = 2);
+  a[0] = x;
+}
+
+f([ ], 1.1);
+f([1], 1.1);
+%OptimizeFunctionOnNextCall(f);
+f([1], 1.1);