Bug: Runtime_GrowArrayElements provoked unnecessary lazy deopt.

Unnecessary, and unhandled as well.

BUG=488398
R=jarin@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1141163004

Cr-Commit-Position: refs/heads/master@{#28421}

src/runtime/runtime-array.cc

@@ -1254,7 +1254,8 @@ RUNTIME_FUNCTION(Runtime_GrowArrayElements) {
 
   if (index >= capacity) {
     if (object->WouldConvertToSlowElements(index)) {
-      JSObject::NormalizeElements(object);
+      // We don't want to allow operations that cause lazy deopt. Return a Smi
+      // as a signal that optimized code should eagerly deoptimize.
       return Smi::FromInt(0);
     }
 

test/mjsunit/regress/regress-488398.js

@@ -0,0 +1,18 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var __v_10 = 4294967295;
+__v_0 = [];
+__v_0.__proto__ = [];
+__v_16 = __v_0;
+function __f_17(__v_16, base) {
+  __v_16[base + 1] = 1;
+  __v_16[base + 4] = base + 4;
+}
+__f_17(__v_16, true);
+__f_17(__v_16, 14);
+%OptimizeFunctionOnNextCall(__f_17);
+__f_17(__v_16, 2048);