[builtins] Replace placeholders in constants table

During builtins generation, parts of the builtins table may be filled
with placeholder code objects.

This CL ensures that such placeholders are replaced by the real
builtin object during finalization of the builtins constants table.

Bug: v8:6666
Change-Id: I3a2635b29b37690fd7e950b9f38d500704671afb
Reviewed-on: https://chromium-review.googlesource.com/934241
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51498}

src/builtins/constants-table-builder.cc

@@ -54,10 +54,19 @@ void BuiltinsConstantsTableBuilder::Finalize() {
   Handle<FixedArray> table =
       isolate_->factory()->NewFixedArray(map_.size(), TENURED);
 
+  Builtins* builtins = isolate_->builtins();
   ConstantsMap::IteratableScope it_scope(&map_);
   for (auto it = it_scope.begin(); it != it_scope.end(); ++it) {
     uint32_t index = *it.entry();
-    table->set(index, it.key());
+    Object* value = it.key();
+    if (value->IsCode() && Code::cast(value)->kind() == Code::BUILTIN) {
+      // Replace placeholder code objects with the real builtin.
+      // See also: SetupIsolateDelegate::PopulateWithPlaceholders.
+      // TODO(jgruber): Deduplicate placeholders and their corresponding
+      // builtin.
+      value = builtins->builtin(Code::cast(value)->builtin_index());
+    }
+    table->set(index, value);
   }
 
 #ifdef DEBUG