Don't use StoreIC_ArrayLength on frozen arrays

Don't use StoreIC_ArrayLength on frozen arrays

The code previously assumed that an array with fast properties must have
a writable length property. But Object.freeze() now exposes a way to make
length read-only without moving the object into slow mode. This patch
simply adds a !is_frozen check to the IC code. Any future optimizations
to attribute-setting on JSArrays will need to make similar accomodations.

R=danno
BUG=v8:2711,259548

Review URL: https://chromiumcodereview.appspot.com/19115002
Patch from Adam Klein <adamk@chromium.org>.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15651 ce2b1a6d-e550-0410-aec6-3dcde31c8c00