[crankshaft] Don't inline array resize operations if receiver's proto is not a JSObject.

BUG=chromium:571064
LOG=Y
TBR=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1548363003

Cr-Commit-Position: refs/heads/master@{#33058}

src/crankshaft/hydrogen.cc

@@ -8703,7 +8703,7 @@ bool HOptimizedGraphBuilder::IsReadOnlyLengthDescriptor(
 // static
 bool HOptimizedGraphBuilder::CanInlineArrayResizeOperation(
     Handle<Map> receiver_map) {
-  return !receiver_map.is_null() &&
+  return !receiver_map.is_null() && receiver_map->prototype()->IsJSObject() &&
          receiver_map->instance_type() == JS_ARRAY_TYPE &&
          IsFastElementsKind(receiver_map->elements_kind()) &&
          !receiver_map->is_dictionary_map() && !receiver_map->is_observed() &&

test/mjsunit/regress/regress-crbug-571064.js

@@ -0,0 +1,19 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts
+
+Array.prototype.__proto__ = null;
+var func = Array.prototype.push;
+var prototype = Array.prototype;
+function CallFunc(a) {
+  func.call(a);
+}
+function CallFuncWithPrototype() {
+  CallFunc(prototype);
+}
+CallFunc([]);
+CallFunc([]);
+%OptimizeFunctionOnNextCall(CallFuncWithPrototype);
+CallFuncWithPrototype();