Make sure backing store pointers in handles get cleared after use in factory.

BUG=442710
LOG=n

Review URL: https://codereview.chromium.org/813023002

Cr-Commit-Position: refs/heads/master@{#25881}
diff --git a/src/factory.cc b/src/factory.cc
index a61d654..ba62341 100644
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1682,6 +1682,7 @@
     return;
   }
 
+  HandleScope inner_scope(isolate());
   Handle<FixedArrayBase> elms;
   ElementsKind elements_kind = array->GetElementsKind();
   if (IsFastDoubleElementsKind(elements_kind)) {
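Review bot: The added `HandleScope inner_scope(isolate());` carries no comment explaining why it is needed, so a later cleanup could take it for a redundant scope and remove it. I would put a line above it such as `// Keep the backing-store handle local: a copy left in the caller's scope could go stale once the store is trimmed or replaced, yet the GC would still visit it.` That wording is inferred from the commit message and the regression test, so adjust it to the actual failure in bug 442710. The enclosing function starts and ends outside the hunk; judging by the visible bare `return;` it returns nothing, so no handle created under `inner_scope` should need to outlive it, but that is worth confirming against the rest of the body.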
diff --git a/test/cctest/test-heap.cc b/test/cctest/test-heap.cc
index 2d15786..edb47d2 100644
--- a/test/cctest/test-heap.cc
+++ b/test/cctest/test-heap.cc
@@ -5006,6 +5006,23 @@
 }
 
 
+TEST(Regress442710) {
+  CcTest::InitializeVM();
+  Isolate* isolate = CcTest::i_isolate();
+  Heap* heap = isolate->heap();
+  Factory* factory = isolate->factory();
+
+  HandleScope sc(isolate);
+  Handle<GlobalObject> global(CcTest::i_isolate()->context()->global_object());
+  Handle<JSArray> array = factory->NewJSArray(2);
+
+  Handle<String> name = factory->InternalizeUtf8String("testArray");
+  JSReceiver::SetProperty(global, name, array, SLOPPY).Check();
+  CompileRun("testArray[0] = 1; testArray[1] = 2; testArray.shift();");
+  heap->CollectGarbage(OLD_POINTER_SPACE);
+}
+
+
 #ifdef DEBUG
 TEST(PathTracer) {
   CcTest::InitializeVM();
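Review bot: `TEST(Regress442710)` has no assertion, so it can only fail if `heap->CollectGarbage(OLD_POINTER_SPACE)` crashes or trips a heap check on a stale handle, which presumably depends on the build configuration (debug checks, heap verification). A short comment before `CompileRun` would record the intent, for example `// shift() changes the backing store; a stale handle left in sc must not be visited by the GC below.` As a style point, `Handle<GlobalObject> global(CcTest::i_isolate()->context()->global_object());` can use the local already fetched above: `Handle<GlobalObject> global(isolate->context()->global_object());`.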