Fix Load Elimination crash involving transitioning const stores in loops

R=tebbi@chromium.org

Bug: chromium:964833 chromium:970120
Change-Id: I0fc179aa1e8fc5c13279342501f8639fce9ee7d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1645315
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Georg Schmid <gsps@google.com>
Cr-Commit-Position: refs/heads/master@{#61995}

src/compiler/load-elimination.cc

@@ -1244,9 +1244,7 @@ LoadElimination::AbstractState const* LoadElimination::ComputeLoopState(
           }
           case IrOpcode::kStoreField: {
             FieldAccess access = FieldAccessOf(current->op());
-            if (access.constness == PropertyConstness::kMutable) {
-              state = ComputeLoopStateForStoreField(current, state, access);
-            }
+            state = ComputeLoopStateForStoreField(current, state, access);
             break;
           }
           case IrOpcode::kStoreElement: {

test/mjsunit/regress/regress-crbug-964833.js

@@ -0,0 +1,32 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+  var n = 3;
+  var obj = {};
+
+  var m = n;
+  for (;;) {
+    m++;
+
+    if (m == 456) {
+      break;
+    }
+
+    var i = 0;
+    var j = 0;
+    while (i < 1) {
+      j = i;
+      i++;
+    }
+    obj.y = j;
+  }
+}
+
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();