Reviewed by Oliver Hunt.

When JSArray is allocated for the vptr stealing hack, it's not allocated
in the heap, so the JSArray constructor can't safely call Heap::heap().
        
Since this was subtle enough to confuse smart people, I've changed JSArray
to have an explicit vptr stealing constructor.

* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/JSArray.cpp:
(JSC::JSArray::JSArray):
* runtime/JSArray.h:
(JSC::JSArray::):
* runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::storeVPtrs):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64602 268f45cc-cd09-0410-ab3c-d52691b4dbfc