Fix^3 cast in HasEnumerableElements

Empty FixedDoubleArrays aren't FixedDoubleArrays.

BUG=chromium:569534
LOG=n
R=yangguo@chromium.org

Review URL: https://codereview.chromium.org/1568863002

Cr-Commit-Position: refs/heads/master@{#33158}

src/objects.cc

@@ -8273,10 +8273,13 @@ bool HasEnumerableElements(JSObject* object) {
       return false;
     }
     case FAST_HOLEY_DOUBLE_ELEMENTS: {
-      FixedDoubleArray* elements = FixedDoubleArray::cast(object->elements());
       int length = object->IsJSArray()
                        ? Smi::cast(JSArray::cast(object)->length())->value()
-                       : elements->length();
+                       : object->elements()->length();
+      // Zero-length arrays would use the empty FixedArray...
+      if (length == 0) return false;
+      // ...so only cast to FixedDoubleArray otherwise.
+      FixedDoubleArray* elements = FixedDoubleArray::cast(object->elements());
       for (int i = 0; i < length; i++) {
         if (!elements->is_the_hole(i)) return true;
       }

test/mjsunit/regress/regress-crbug-569534.js

@@ -0,0 +1,7 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var array = [,0.5];
+array.length = 0;
+for (var i in array) {}