Fix assert caused by SloppyArgumentsElements introduction

There was a legacy place in map code that wasn't fully ported to use
the strong, new SloppyArgumentsElements type because of code that used
hard-coded constants.

Bug: chromium:1086470
Change-Id: Ieba152e4bd92c89125f831949c2efb4f4219f95c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2215059
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67984}

src/objects/map.cc

@@ -25,6 +25,8 @@
 #include "src/roots/roots.h"
 #include "src/utils/ostreams.h"
 #include "src/zone/zone-containers.h"
+#include "torque-generated/exported-class-definitions-tq-inl.h"
+#include "torque-generated/exported-class-definitions-tq.h"
 #include "torque-generated/field-offsets-tq.h"
 
 namespace v8 {
@@ -1437,8 +1439,9 @@ bool Map::MayHaveReadOnlyElementsInPrototypeChain(Isolate* isolate) {
     }
 
     if (IsSlowArgumentsElementsKind(elements_kind)) {
-      FixedArray parameter_map = FixedArray::cast(current.elements(isolate));
-      Object arguments = parameter_map.get(isolate, 1);
+      SloppyArgumentsElements elements =
+          SloppyArgumentsElements::cast(current.elements(isolate));
+      Object arguments = elements.arguments();
       if (NumberDictionary::cast(arguments).requires_slow_elements()) {
         return true;
       }

test/mjsunit/regress/regress-1086470.js

@@ -0,0 +1,20 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_1( __v_9) {
+  return arguments;
+}
+
+var __v_48 = [];
+var __v_49 = __f_1();
+var __v_50 = 3;
+Object.preventExtensions(__v_49);
+function __f_7(__v_52, __v_53, __v_54) {
+  __v_52[__v_53] =
+  __v_54;
+}
+__v_48.__proto__ = __v_49;
+for (var __v_51 = 0; __v_51 < __v_50; __v_51++) {
+  __f_7(__v_48, __v_51);
+}