Fix for 435073: CHECK failure in CHECK(p->IsSmi()) failed.

Fix for 435073: CHECK failure in CHECK(p->IsSmi()) failed.

The bug was an error when copying arrays in crankshaft. If it's a holey smi
array, the copy must be done as FAST_HOLEY_ELEMENTS to prevent representation
changes from being inserted that deopt on encountering the hole.

Also, prevent inlining array pop() and shift() if the length is read-only.

BUG=435073
LOG=N
R=verwaest@chromium.org

Committed: https://chromium.googlesource.com/v8/v8/+/3d58b82addcdc72755539631b1d5dc603a9b2135

[mvstanton, 2014-11-20 12:45:34]

mvstanton@chromium.org changed reviewers:
+ verwaest@chromium.org

[mvstanton, 2014-11-20 12:45:35]

Hi Toon,
Here is the fix we discussed, thx for the look,
--Michael

[Toon Verwaest, 2014-11-20 12:56:41]

Please add some tests for the additional issues you fixed.
Otherwise looks good.

[mvstanton, 2014-11-20 14:21:19]

Good idea.

* array-shift4.js - this covers the case where a hole is encountered in the copy
step of shifting a holey smi array. Before this fix, the method would
deoptimize.

* array-methods-read-only-length.js change - this test was succeeding only
because of the silent deopt isolated in array-shift4.js. By passing additional
elementskinds we make sure the right thing happens even without that fortuitous
deoptimization.

* regress-435073.js - the clusterfuzz issue.

thx!
--Michael

[Toon Verwaest, 2014-11-21 10:00:55]

lgtm

[mvstanton, 2014-11-21 10:14:26]

Committed patchset #3 (id:40001) manually as
3d58b82addcdc72755539631b1d5dc603a9b2135 (presubmit successful).