[array] Fix wrong receiver when copying from the prototype chain

This CL fixes an issue where getters/setters would get called on a
prototype with the wrong receiver. This happens in the pre-processing
for Array.p.sort when values get copied down from the prototype chain.

R=jgruber@chromium.org

Bug: v8:7682
Change-Id: I0d8ff1dc721c33bd721aaca54ffd357b3d2a2096
Reviewed-on: https://chromium-review.googlesource.com/1198767
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#55546}

src/runtime/runtime-array.cc

@@ -303,7 +303,7 @@ Maybe<bool> ConditionalCopy(Isolate* isolate, Handle<JSReceiver> source,
 
   Handle<Object> source_element;
   ASSIGN_RETURN_ON_EXCEPTION_VALUE(
-      isolate, source_element, JSReceiver::GetElement(isolate, source, index),
+      isolate, source_element, JSReceiver::GetElement(isolate, target, index),
       Nothing<bool>());
 
   Handle<Object> set_result;

test/mjsunit/mjsunit.status

@@ -215,9 +215,6 @@
   # Allocates a huge string and then flattens it, very slow in debug mode.
   'regress/regress-752764': [PASS, ['mode == debug', SLOW]],
 
-  # https://crbug.com/v8/7682
-  'regress/regress-v8-7682': [FAIL],
-
   # https://crbug.com/v8/7697
   'array-literal-feedback': [PASS, FAIL],
 

test/mjsunit/regress/regress-v8-7682.js

@@ -18,5 +18,9 @@ class MyArrayLike {
 const xs = new MyArrayLike();
 Array.prototype.sort.call(xs);
 
-assertEquals(1, xs[0]);
-assertEquals(2, xs[1]);
+// Sort-order is implementation-defined as we actually hit two conditions from
+// the spec:
+//   - "xs" is sparse and IsExtensible(xs) is false (its frozen).
+//   - "xs" is sparse and the prototype has properties in the sort range.
+assertEquals(2, xs[0]);
+assertEquals(1, xs[1]);