[turbofan] Fix bug in receiver maps inference

JSCreate can have side effects (by looking up the prototype on an
object), so once we walk past that the analysis result must be marked
as "unreliable".

Bug: chromium:1053604
Change-Id: I36625b14f374e74561c9b539bdf7a02ae767cf7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2062396
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66329}
diff --git a/src/compiler/node-properties.cc b/src/compiler/node-properties.cc
index f43a348..ab4ced6 100644
--- a/src/compiler/node-properties.cc
+++ b/src/compiler/node-properties.cc
@@ -386,6 +386,7 @@
           // We reached the allocation of the {receiver}.
           return kNoReceiverMaps;
         }
+        result = kUnreliableReceiverMaps;  // JSCreate can have side-effect.
         break;
       }
       case IrOpcode::kJSCreatePromise: {
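Review bot: The comment added on the `result = kUnreliableReceiverMaps;` line says only that JSCreate can have a side effect, without naming the effect or why it invalidates maps found further up the effect chain. Going by the commit message, the effect is the prototype lookup, so I would write `// JSCreate looks up the prototype, which can run user code (e.g. a Proxy trap), so maps found beyond this node are unreliable.` The enclosing switch and function start and end outside this hunk. Whether the neighbouring `kJSCreatePromise` case needs the same marking cannot be judged from here and is worth confirming.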
diff --git a/test/mjsunit/compiler/regress-1053604.js b/test/mjsunit/compiler/regress-1053604.js
new file mode 100644
index 0000000..ef87fbe
--- /dev/null
+++ b/test/mjsunit/compiler/regress-1053604.js
@@ -0,0 +1,30 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+let a = [0, 1, 2, 3, 4];
+
+function empty() {}
+
+function f(p) {
+  a.pop(Reflect.construct(empty, arguments, p));
+}
+
+let p = new Proxy(Object, {
+    get: () => (a[0] = 1.1, Object.prototype)
+});
+
+function main(p) {
+  f(p);
+}
+
+%PrepareFunctionForOptimization(empty);
+%PrepareFunctionForOptimization(f);
+%PrepareFunctionForOptimization(main);
+
+main(empty);
+main(empty);
+%OptimizeFunctionOnNextCall(main);
+main(p);
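Review bot: The test ends at `main(p);` with no assertion, so it catches a regression only if the optimized code crashes or trips an internal check; a build that silently miscompiles `a.pop` would still pass. By my reading `a` should be `[1.1, 1]` after the last call (two pops in the warm-up calls, then the trap's write to `a[0]`, then a third pop), so adding `assertEquals([1.1, 1], a);` after `main(p);` would pin the expected state. A short comment above `p` would also help the next reader, for example `// The get trap changes a's elements kind while Reflect.construct looks up the prototype.`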