Protect the emptiness of Array prototype elements with a PropertyCell.

src/builtins.cc

Index: src/builtins.cc
diff --git a/src/builtins.cc b/src/builtins.cc
index 3c3c7dda1196e095594936a4a71ed4eb21b4f186..5b1eeed15403b945cea5a5d6cf495e16cd5d12c9 100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -199,7 +199,21 @@ static bool ArrayPrototypeHasNoElements(Heap* heap, PrototypeIterator* iter) {
 static inline bool IsJSArrayFastElementMovingAllowed(Heap* heap,
                                                      JSArray* receiver) {
   DisallowHeapAllocation no_gc;
-  PrototypeIterator iter(heap->isolate(), receiver);
+  Isolate* isolate = heap->isolate();
+  if (!isolate->IsFastArrayConstructorPrototypeChainIntact()) {
+    return false;
+  }
+
+  // If the array prototype chain is intact (and free of elements), and if the
+  // receiver's prototype is the array prototype, then we are done.
+  Object* prototype = receiver->map()->prototype();
+  if (prototype->IsJSArray() &&
+      isolate->is_initial_array_prototype(JSArray::cast(prototype))) {
+    return true;
+  }
+
+  // Slow case.
+  PrototypeIterator iter(isolate, receiver);
   return ArrayPrototypeHasNoElements(heap, &iter);
 }
 
@@ -236,7 +250,7 @@ static inline MaybeHandle<FixedArrayBase> EnsureJSArrayWithWritableFastElements(
 
   // Adding elements to the array prototype would break code that makes sure
   // it has no elements. Handle that elsewhere.
-  if (array->GetIsolate()->is_initial_array_prototype(*array)) {
+  if (isolate->IsAnyInitialArrayPrototype(array)) {
     return MaybeHandle<FixedArrayBase>();
   }