V8 generates multiple copies of empty PropertyArray that use about 100KB of memory in Gmail.
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/eab2f2e654da8c0edfdd8a47a73432b07127321c

commit eab2f2e654da8c0edfdd8a47a73432b07127321c
Author: Camillo Bruni <cbruni@chromium.org>
Date: Mon Nov 13 10:56:53 2017

Disallow empty PropertyArray as properties backing store

The only empty PropertyArray is the empty_property_array object on the isolate. Allowing empty PropertyArrays causes the turbofan to ignore the existing hash when growing the backing store again. We currently only end up with the empty PropertyArray when following back transitions.

Bug: chromium:781218, chromium:783713
Change-Id: If41dd09b965cdc8d957b9ca50ba3c8a7f4254769
Reviewed-on: https://chromium-review.googlesource.com/763230
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49318}

[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/code-stub-assembler.cc
[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/factory.cc
[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/heap/heap.cc
[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/objects-debug.cc
[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/objects-printer.cc
[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/objects.cc
[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/objects.h
[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/objects/map.h
[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/runtime/runtime-object.cc
[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/runtime/runtime-test.cc
[modify] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/src/runtime/runtime.h
[add] https://crrev.com/eab2f2e654da8c0edfdd8a47a73432b07127321c/test/mjsunit/regress/regress-781218.js
Fixed by Camillo in #2.
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/7fc2305cee2e12eef37d1707b43f2bc91a059bf7

commit 7fc2305cee2e12eef37d1707b43f2bc91a059bf7
Author: Camillo Bruni <cbruni@chromium.org>
Date: Fri Nov 17 16:48:30 2017

Merged: Disallow empty PropertyArray as properties backing store

Revision: eab2f2e654da8c0edfdd8a47a73432b07127321c

BUG=chromium:781218, chromium:783713
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=ishell@chromium.org

Change-Id: Iea6f73e16f2702dd20b01642e7d813f86b14f5ac
Reviewed-on: https://chromium-review.googlesource.com/776800
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#75}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}

[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/code-stub-assembler.cc
[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/factory.cc
[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/heap/heap.cc
[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/objects-debug.cc
[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/objects-printer.cc
[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/objects.cc
[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/objects.h
[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/objects/map.h
[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/runtime/runtime-object.cc
[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/runtime/runtime-test.cc
[modify] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/src/runtime/runtime.h
[add] https://crrev.com/7fc2305cee2e12eef37d1707b43f2bc91a059bf7/test/mjsunit/regress/regress-781218.js
Comment 1 by u...@chromium.org, Nov 10 2017