[deoptimizer] Properly handle in-object properties on JSArrays.

The escape analysis is able to perform scalar replacement on JSArrays
with in-object properties (which currently only happens for subclasses
of the Array constructor), but the Deoptimizer didn't properly
materialized and initialized the values of the in-object fields so far.

Bug: chromium:772689, v8:6399
Change-Id: I6555a46773d2a1543db069142aa05f4337566b9c
Reviewed-on: https://chromium-review.googlesource.com/706781
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48365}

src/deoptimizer.cc

@@ -3609,6 +3609,12 @@ Handle<Object> TranslatedState::MaterializeCapturedObjectAt(
       object->set_raw_properties_or_hash(*properties);
       object->set_elements(FixedArrayBase::cast(*elements));
       object->set_length(*array_length);
+      int in_object_properties = map->GetInObjectProperties();
+      for (int i = 0; i < in_object_properties; ++i) {
+        Handle<Object> value = materializer.FieldAt(value_index);
+        FieldIndex index = FieldIndex::ForPropertyIndex(object->map(), i);
+        object->FastPropertyAtPut(index, *value);
+      }
       return object;
     }
     case JS_BOUND_FUNCTION_TYPE: {

test/mjsunit/regress/regress-crbug-772689.js

@@ -0,0 +1,23 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const A = class A extends Array {
+  constructor() {
+    super();
+    this.y = 1;
+  }
+}
+
+function foo(x) {
+  var a = new A();
+  if (x) return a.y;
+}
+
+assertEquals(undefined, foo(false));
+assertEquals(undefined, foo(false));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(undefined, foo(false));
+assertEquals(1, foo(true));