[builtins] Properly handle DICTIONARY_ELEMENTS in Promise.all closures.

Bug: chromium:820312
Change-Id: Ie9237a5c53ac7121e469af460a2f0ad5016d9d03
Reviewed-on: https://chromium-review.googlesource.com/957090
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51844}

src/builtins/builtins-promise-gen.cc

@@ -1980,6 +1980,10 @@ TF_BUILTIN(PromiseAllResolveElementClosure, PromiseBuiltinsAssembler) {
   {
     VARIABLE(var_elements, MachineRepresentation::kTagged,
              LoadElements(values_array));
+    // Check that the {values_array} is still in fast mode.
+    Node* const elements_kind = LoadMapElementsKind(LoadMap(values_array));
+    GotoIf(Word32Equal(elements_kind, Int32Constant(DICTIONARY_ELEMENTS)),
+           &runtime_set_element);
     PossiblyGrowElementsCapacity(SMI_PARAMETERS, PACKED_ELEMENTS, values_array,
                                  index, &var_elements, SmiConstant(1),
                                  &runtime_set_element);

test/mjsunit/regress/regress-crbug-820312.js

@@ -0,0 +1,26 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let arr = new Array(0x10000);
+let resolve_element_closures = new Array(0x10000);
+
+for (let i = 0; i < arr.length; i++) {
+    arr[i] = new Promise(() => {});
+    arr[i].then = ((idx, resolve) => {
+        resolve_element_closures[idx] = resolve;
+    }).bind(null, i);
+}
+
+Promise.all(arr);
+
+// 0xffff is too large, transitions to DICTIONARY_ELEMENTS
+resolve_element_closures[0xffff]();
+
+// grows the capacity, the elements kind of the result array is still DICTIONARY_ELEMENTS, but the elements object of it is no more a dictionary.
+resolve_element_closures[100]();
+
+// You can observe that V8 crashes here in debug mode.
+resolve_element_closures[0xfffe]();