[ic] Use validity cells to protect keyed element stores against object's prototype chain modificati…

src/builtins/builtins-array.cc

Index: src/builtins/builtins-array.cc
diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
index 2432e14026a8f7f9645ed5c4a7eb2264051288dc..fc3d9ca1a473fbc7b49695fbb9e8a8c5c6941248 100644
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -601,8 +601,9 @@ class ArrayConcatVisitor {
         SeededNumberDictionary::cast(*storage_));
     // The object holding this backing store has just been allocated, so
     // it cannot yet be used as a prototype.
-    Handle<SeededNumberDictionary> result =
-        SeededNumberDictionary::AtNumberPut(dict, index, elm, false);
+    Handle<JSObject> not_a_prototype_holder;
+    Handle<SeededNumberDictionary> result = SeededNumberDictionary::AtNumberPut(
+        dict, index, elm, not_a_prototype_holder);
     if (!result.is_identical_to(dict)) {
       // Dictionary needed to grow.
       clear_storage();
@@ -669,9 +670,10 @@ class ArrayConcatVisitor {
           if (!element->IsTheHole(isolate_)) {
             // The object holding this backing store has just been allocated, so
             // it cannot yet be used as a prototype.
+            Handle<JSObject> not_a_prototype_holder;
             Handle<SeededNumberDictionary> new_storage =
                 SeededNumberDictionary::AtNumberPut(slow_storage, i, element,
-                                                    false);
+                                                    not_a_prototype_holder);
             if (!new_storage.is_identical_to(slow_storage)) {
               slow_storage = loop_scope.CloseAndEscape(new_storage);
             }