[turboshaft] Fix a crash in branch elimination

The current reduction of blocks that are branch targets with a known
condition assumes that this is the first time we're seeing the given
condition with the given value. That's no longer the case, so updating
the expectation accordingly.

Bug: chromium:1399627
Change-Id: Id84d80a38801cf6178b476e62160d616b948d8d6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096984
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84780}

src/compiler/turboshaft/branch-elimination-reducer.h

@@ -205,10 +205,12 @@ class BranchEliminationReducer : public Next {
       if (const BranchOp* branch = op.TryCast<BranchOp>()) {
         DCHECK_EQ(new_block, any_of(branch->if_true, branch->if_false));
         bool condition_value = branch->if_true == new_block;
+        if (!known_conditions_.Contains(branch->condition())) {
           known_conditions_.InsertNewKey(branch->condition(), condition_value);
         }
       }
     }
+  }
 
   OpIndex ReduceBranch(OpIndex cond, Block* if_true, Block* if_false,
                        BranchHint hint) {

test/mjsunit/compiler/regress-crbug-1399627.js

@@ -0,0 +1,18 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function foo(arr, value) {
+    if (arr !== value) throw new Error('bad value: ' + arr);
+}
+function slice_array(arr) {
+  return arr.slice();
+}
+for (var i = 0; i < 1e5; ++i) {
+  var arr = [];
+  var sliced = slice_array(arr);
+  foo(arr !== sliced, true);
+  try {
+    foo(sliced.length);
+  } catch (e) {}
+}