[elements] Fix GetEntryForIndexImpl to honor array length

Previously, fast holey elements accessors would detect element presence
by simply doing a hole check on any slot within the backing store's
capacity. This relied on the (mostly-true but brittle) assumption that
slots beyond the length are always correctly zapped with The Hole.

Review-Url: https://codereview.chromium.org/2297253002
Cr-Commit-Position: refs/heads/master@{#39051}

src/elements.cc

@@ -1189,13 +1189,13 @@ class ElementsAccessorBase : public ElementsAccessor {
   static uint32_t GetEntryForIndexImpl(JSObject* holder,
                                        FixedArrayBase* backing_store,
                                        uint32_t index, PropertyFilter filter) {
+    uint32_t length = Subclass::GetMaxIndex(holder, backing_store);
     if (IsHoleyElementsKind(kind())) {
-      return index < Subclass::GetCapacityImpl(holder, backing_store) &&
+      return index < length &&
                      !BackingStore::cast(backing_store)->is_the_hole(index)
                  ? index
                  : kMaxUInt32;
     } else {
-      uint32_t length = Subclass::GetMaxIndex(holder, backing_store);
       return index < length ? index : kMaxUInt32;
     }
   }

test/mjsunit/element-accessor.js

@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+// Flags: --allow-natives-syntax
+
 (function () {
   var o = [];
   o.__proto__ = {};
@@ -31,3 +33,18 @@
   Object.defineProperty(o, "0", {get: function(){}});
   assertEquals(undefined, Object.getOwnPropertyDescriptor(o, "0"));
 })();
+
+(function() {
+  function f() {
+    var a = new Array();
+    a[1] = 1.5;
+    return a;
+  }
+
+  f();
+  f();
+  %OptimizeFunctionOnNextCall(f);
+  var a = f();
+  a[2] = 2;
+  assertEquals(3, a.length);
+})();