Remove broken optimization unwrapping number wrappers on setting array.length

src/accessors.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #include "src/accessors.h"
 #include "src/api.h"
 #include "src/contexts.h"
 #include "src/deoptimizer.h"
@@ skipping 175 matching lines @@
 
 
 // Tries to non-observably convert |value| to a valid array length.
 // Returns false if it fails.
 static bool FastAsArrayLength(Isolate* isolate, Handle<Object> value,
                               uint32_t* length) {
   if (value->ToArrayLength(length)) return true;
   // We don't support AsArrayLength, so use AsArrayIndex for now. This just
   // misses out on kMaxUInt32.
   if (value->IsString()) return String::cast(*value)->AsArrayIndex(length);
-  if (!value->IsJSValue()) return false;
-  Handle<JSValue> wrapper = Handle<JSValue>::cast(value);
-  DCHECK(wrapper->GetIsolate()
-             ->native_context()
-             ->number_function()
-             ->has_initial_map());
-  // Only support fast unwrapping for the initial map. Otherwise valueOf might
-  // have been overwritten, in which case unwrapping is invalid.
-  if (wrapper->map() != isolate->number_function()->initial_map()) return false;
-  return wrapper->value()->ToArrayIndex(length);
+  return false;
 }
 
 
 void Accessors::ArrayLengthSetter(
     v8::Local<v8::Name> name,
     v8::Local<v8::Value> val,
     const v8::PropertyCallbackInfo<void>& info) {
   i::Isolate* isolate = reinterpret_cast<i::Isolate*>(info.GetIsolate());
   HandleScope scope(isolate);
 
@@ skipping 1283 matching lines @@
   Handle<Object> getter = v8::FromCData(isolate, &ModuleGetExport);
   Handle<Object> setter = v8::FromCData(isolate, &ModuleSetExport);
   info->set_getter(*getter);
   if (!(attributes & ReadOnly)) info->set_setter(*setter);
   return info;
 }
 
 
 }  // namespace internal
 }  // namespace v8